ossec.conf: Rootcheck options

Overview

Supported types

rootcheck options are available in the following installation types:

  • server
  • local
  • agent

Location

All rootcheck options must be configured in /var/ossec/etc/ossec.conf or /var/ossec/etc/shared/agent.conf and used within the <ossec_config> tag.

XML excerpt to show location if part of ossec.conf:

<ossec_config>
    <rootcheck>
        <!--
        rootcheck options here
        -->
    </rootcheck>
</ossec_config>

XML excerpt to show location if part of agent.conf:

<agent_config>
    <rootcheck>
        <!--
        rootcheck options here
        -->
    </rootcheck>
</agent_config>

Options

  • base_directory

    The base directory that will be appended to the following options:

    • rootkit_files
    • rootkit_trojans
    • windows_malware
    • windows_audit
    • windows_apps
    • system_audit

    Default: /var/ossec

    Allowed: Path to a directory

  • rootkit_files

    This option can be used to change the location of the rootkit files database.

    Allowed: A file with the rootkit files signatures

    Default: /etc/shared/rootkit_files.txt

  • rootkit_trojans

    This option can be used to change the location of the rootkit trojans database.

    Default: /etc/shared/rootkit_trojans.txt

    Allowed: A file with the trojans signatures

  • windows_audit

  • system_audit

  • windows_apps

  • windows_malware

  • scanall

    Tells rootcheck to scan the whole system (may lead to some false positives).

    Default: no

    Allowed: yes/no

  • frequency

    How often rootcheck is executed (in seconds).

    Default: 36000 (10 hours)

    Allowed: Time (in seconds)

  • disabled

    Disables the execution of rootcheck.

    Default: no

    Allowed: yes/no

  • check_dev

    Enable or disable the checking for files in the `/dev` filesystem.

    Default: yes

    Allowed: yes or no

  • check_files

    Enable or disable the checks based on the rootkit files database.

    Default: yes

    Allowed: yes or no

  • check_if

    Enable or disable the checking of network interfaces.

    Default: yes

    Allowed: yes or no

  • check_pids

    Enable or disable the checking of process IDs.

    Default: yes

    Allowed: yes or no

  • check_ports

    Enable or disable the checking of network ports.

    Default: yes

    Allowed: yes or no

  • check_sys

    Enable or disable the checking of the filesystem for possible issues.

    Default: yes

    Allowed: yes or no

  • check_trojans

    Enable or disable the checking of trojans.

    Default: yes

    Allowed: yes or no

  • check_unixaudit

    Enable or disable the checking of Unix issues.

    Default: yes

    Allowed: yes or no

  • check_winapps

    Enable or disable the checking of Windows apps.

    Default: yes

    Allowed: yes or no

  • check_winaudit

    Enable or disable the checking of Windows issues.

    Default: 1

    Allowed: 1 or 0

  • check_winmalware

    Enable or disable the checking of Windows malware.

    Default: yes

    Allowed: yes or no

  • skip_nfs

    New in version 2.9.0.

    Controls whether rootcheck skips network-mounted filesystems. Works on Linux and FreeBSD. When enabled, skip_nfs aborts checks running against CIFS or NFS mounts.

    Default: no

    Allowed: yes/no

    Note

    This option was added in OSSEC 2.9.0.
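A small checker, added here as an example and not part of OSSEC or this page, that reads a <rootcheck> block with Python's standard xml.etree, fills in the defaults listed above, flags values outside their allowed set and unknown tags, and resolves the signature database paths against base_directory as this page describes. The option table is transcribed from this page; SAMPLE_CONF is a constructed configuration.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

YES_NO = ("yes", "no")
# Option table transcribed from this page: name -> (default, allowed values).
# allowed None means free-form (a path or a number); default None means the page lists none.
ROOTCHECK_OPTIONS = {
    "base_directory": ("/var/ossec", None),
    "rootkit_files": ("/etc/shared/rootkit_files.txt", None),
    "rootkit_trojans": ("/etc/shared/rootkit_trojans.txt", None),
    "scanall": ("no", YES_NO), "frequency": ("36000", None), "disabled": ("no", YES_NO),
    "check_winaudit": ("1", ("1", "0")), "skip_nfs": ("no", YES_NO),
}
for _c in "dev files if pids ports sys trojans unixaudit winapps winmalware".split():
    ROOTCHECK_OPTIONS["check_" + _c] = ("yes", YES_NO)
ROOTCHECK_OPTIONS.update({_p: (None, None) for _p in
                          ("windows_audit", "system_audit", "windows_apps", "windows_malware")})
# Options holding a path that rootcheck appends to base_directory.
PATH_OPTIONS = ("rootkit_files", "rootkit_trojans", "windows_malware",
                "windows_audit", "windows_apps", "system_audit")

# Constructed sample block: one value outside its allowed set and one unknown tag.
SAMPLE_CONF = """<ossec_config>
  <rootcheck>
    <scanall>maybe</scanall>
    <frequency>7200</frequency>
    <rootkit_files>/etc/shared/rootkit_files.txt</rootkit_files>
    <skip_nfs>yes</skip_nfs>
    <check_nfs>yes</check_nfs>
  </rootcheck>
</ossec_config>"""

def check_rootcheck(xml_text):
    """Return (effective settings, problems) for the <rootcheck> block in xml_text."""
    settings = {k: d for k, (d, _) in ROOTCHECK_OPTIONS.items() if d is not None}
    problems = []
    for el in ET.fromstring(xml_text).iterfind("rootcheck/*"):  # one child element per option
        value = (el.text or "").strip()
        if el.tag not in ROOTCHECK_OPTIONS:
            problems.append(f"unknown option <{el.tag}>")
            continue
        allowed = ROOTCHECK_OPTIONS[el.tag][1]
        if allowed and value not in allowed:
            problems.append(f"<{el.tag}> must be one of {allowed}, got {value!r}")
        settings[el.tag] = value
    if settings["disabled"] == "yes":
        problems.append("rootcheck is disabled on this host")
    base = PurePosixPath(settings["base_directory"])  # resolve the signature database paths
    for name in set(PATH_OPTIONS) & set(settings):
        settings[name] = str(base / settings[name].lstrip("/"))
    return settings, problems
```

Run it against a real ossec.conf by passing the file contents to check_rootcheck; the returned settings show what rootcheck will actually use once defaults and base_directory are applied.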