rootcheck options are available in the the following installation types:
All rootcheck options must be configured in the /var/ossec/etc/ossec.conf or /var/ossec/etc/shared/agents.conf and used within the <ossec_config> tag.
XML excerpt to show location if part of ossec.conf:
<ossec_config>
<rootcheck>
<!--
rootcheck options here
-->
</rootcheck>
</ossec_config>
XML excerpt to the Location if part of agent.conf
<agent_config>
<rootcheck>
<!--
rootcheck options here
-->
</rootcheck>
</agent_config>
base_directory
¶The base directory that will be appended to the following options:
Allowed: Path to a directory Default: /var/ossec
rootkit_files
¶This option can be used to change the location of the rootkit files database.
Allowed: A file with the rootkit files signatures
Default: /etc/shared/rootkit_files.txt
rootkit_trojans
¶This option can be used to change the location of the rootkit trojans database.
Default: /etc/shared/rootkit_trojans.txt
Allowed: A file with the trojans signatures
windows_audit
¶system_audit
¶windows_apps
¶windows_malware
¶scanall
¶Tells rootcheck to scan the whole system (may lead to some false positives).
Default: no
Allowed: yes/no
frequency
¶Frequency that the rootcheck is going to be executed (in seconds).
Defaults: 36000 (10 hours)
Allowed: Time (in seconds)
disabled
¶Disables the execution of rootcheck.
Default: no
Allowed: yes/no
check_dev
¶Enable or disable the checking for files in the `/dev` filesystem
Default: yes
Allowed: yes or no
check_files
¶Enable or disable the checking based on the rootkit files
Default: yes
Allowed: yes or no
check_if
¶Enable or disable the checking the network interfaces
Default: yes
Allowed: yes or no
check_pids
¶Enable or disable the checking of process IDs
Default: yes
Allowed: yes or no
check_ports
¶Enable or disable the checking of network ports.
Default: yes
Allowed: yes or no
check_sys
¶Enable or disable the checking the filesystem looking for possible issues
Default: yes
Allowed: yes or no
check_trojans
¶Enable or disable the checking of trojans.
Default: yes
Allowed: yes or no
check_unixaudit
¶Enable or disable the checking of unix issues
Default: yes
Allowed: yes or no
check_winapps
¶Enable or disable the checking of Windows apps
Default: yes
Allowed: yes or no
check_winaudit
¶Enable or disable the checking of Windows issues
Default: 1
Allowed: 1 or 0
check_winmalware
¶Enable or disable the checking of Windows malware.
Default: yes
Allowed: yes or no
skip_nfs
¶New in version 2.9.0.
Specifies if rootcheck should scan network mounted filesystems. Works on Linux and FreeBSD. Currently skip_nfs will abort checks running against CIFS or NFS mounts.
Default: no
Allowed: yes/no
Note
This option was added in OSSEC 2.9.0.