OSSEC 3.3

ossec.conf: Rootcheck options

Overview

Supported types

rootcheck options are available in the the following installation types:

  • server
  • local
  • agent

Location

All rootcheck options must be configured in the /var/ossec/etc/ossec.conf or /var/ossec/etc/shared/agents.conf and used within the <ossec_config> tag.

XML excerpt to show location if part of ossec.conf:

<ossec_config>
    <rootcheck>
        <!--
        rootcheck options here
        -->
    </rootcheck>
</ossec_config>

XML excerpt to the Location if part of agent.conf

<agent_config>
    <rootcheck>
        <!--
        rootcheck options here
        -->
    </rootcheck>
</agent_config>

Options

base_directory

The base directory that will be appended to the following options:

  • rootkit_files
  • rootkit_trojans
  • windows_malware
  • windows_audit
  • windows_apps
  • systems_audit

Allowed: Path to a directory Default: /var/ossec

rootkit_files

This option can be used to change the location of the rootkit files database.

Allowed: A file with the rootkit files signatures

Default: /etc/shared/rootkit_files.txt

rootkit_trojans

This option can be used to change the location of the rootkit trojans database.

Default: /etc/shared/rootkit_trojans.txt

Allowed: A file with the trojans signatures

windows_audit
system_audit
windows_apps
windows_malware
scanall

Tells rootcheck to scan the whole system (may lead to some false positives).

Default: no

Allowed: yes/no

frequency

Frequency that the rootcheck is going to be executed (in seconds).

Defaults: 36000 (10 hours)

Allowed: Time (in seconds)

disabled

Disables the execution of rootcheck.

Default: no

Allowed: yes/no

check_dev

Enable or disable the checking for files in the `/dev` filesystem

Default: yes

Allowed: yes or no

check_files

Enable or disable the checking based on the rootkit files

Default: yes

Allowed: yes or no

check_if

Enable or disable the checking the network interfaces

Default: yes

Allowed: yes or no

check_pids

Enable or disable the checking of process IDs

Default: yes

Allowed: yes or no

check_ports

Enable or disable the checking of network ports.

Default: yes

Allowed: yes or no

check_sys

Enable or disable the checking the filesystem looking for possible issues

Default: yes

Allowed: yes or no

check_trojans

Enable or disable the checking of trojans.

Default: yes

Allowed: yes or no

check_unixaudit

Enable or disable the checking of unix issues

Default: yes

Allowed: yes or no

check_winapps

Enable or disable the checking of Windows apps

Default: yes

Allowed: yes or no

check_winaudit

Enable or disable the checking of Windows issues

Default: 1

Allowed: 1 or 0

check_winmalware

Enable or disable the checking of Windows malware.

Default: yes

Allowed: yes or no

skip_nfs

New in version 2.9.0.

Specifies if rootcheck should scan network mounted filesystems. Works on Linux and FreeBSD. Currently skip_nfs will abort checks running against CIFS or NFS mounts.

Default: no

Allowed: yes/no

Note

This option was added in OSSEC 2.9.0.