OSSEC HIDS will perform rootkit detection on every system where the agent is installed. The rootcheck (rootkit detection engine) will be executed every X minutes (user specified - by default every 2 hours) to detect any possible rootkit installed. Used with the log analysis and the integrity checking engine, it will become a very powerful monitoring solution.
These configuration options can be specified in each agent’s ossec.conf, except
auto_ignore
and alert_new_file
which are manager side options. If the
ignore
option is specified on the manager the setting becomes global for all agents.
base_directory
¶The base directory that will be appended to the following options:
Allowed: Path to a directory Default: /var/ossec
rootkit_files
¶This option can be used to change the location of the rootkit files database.
Allowed: A file with the rootkit files signatures
Default: /etc/shared/rootkit_files.txt
rootkit_trojans
¶This option can be used to change the location of the rootkit trojans database.
Default: /etc/shared/rootkit_trojans.txt
Allowed: A file with the trojans signatures
windows_audit
¶system_audit
¶windows_apps
¶windows_malware
¶scanall
¶Tells rootcheck to scan the whole system (may lead to some false positives).
Default: no
Allowed: yes/no
frequency
¶Frequency that the rootcheck is going to be executed (in seconds).
Defaults: 36000 (10 hours)
Allowed: Time (in seconds)
disabled
¶Disables the execution of rootcheck.
Default: no
Allowed: yes/no
check_dev
¶Enable or disable the checking for files in the `/dev` filesystem
Default: yes
Allowed: yes or no
check_files
¶Enable or disable the checking based on the rootkit files
Default: yes
Allowed: yes or no
check_if
¶Enable or disable the checking the network interfaces
Default: yes
Allowed: yes or no
check_pids
¶Enable or disable the checking of process IDs
Default: yes
Allowed: yes or no
check_ports
¶Enable or disable the checking of network ports.
Default: yes
Allowed: yes or no
check_sys
¶Enable or disable the checking the filesystem looking for possible issues
Default: yes
Allowed: yes or no
check_trojans
¶Enable or disable the checking of trojans.
Default: yes
Allowed: yes or no
check_unixaudit
¶Enable or disable the checking of unix issues
Default: yes
Allowed: yes or no
check_winapps
¶Enable or disable the checking of Windows apps
Default: yes
Allowed: yes or no
check_winaudit
¶Enable or disable the checking of Windows issues
Default: 1
Allowed: 1 or 0
check_winmalware
¶Enable or disable the checking of Windows malware.
Default: yes
Allowed: yes or no
skip_nfs
¶New in version 2.9.0.
Specifies if rootcheck should scan network mounted filesystems. Works on Linux and FreeBSD. Currently skip_nfs will abort checks running against CIFS or NFS mounts.
Default: no
Allowed: yes/no
Note
This option was added in OSSEC 2.9.0.