Basic usage

To configure rootcheck, edit the rootcheck section of ossec.conf. The most common options are frequency (how often a scan runs, expressed in seconds) and system_audit (the path to an audit policy file that rootcheck evaluates on each scan).

Basic example to configure audit policies:


Configure periodic scans

This is a basic configuration to run a scan every 10 hours. Because frequency is given in seconds, 10 hours corresponds to a value of 36000.
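The corresponding ossec.conf fragment, as an added example (illustrative configuration written for this page, not copied from the original):

```xml
<rootcheck>
  <disabled>no</disabled>
  <!-- Interval between scans, in seconds: 10 h x 3600 s/h = 36000 s -->
  <frequency>36000</frequency>
</rootcheck>
```

The same section may carry additional rootcheck options (such as system_audit files); only the scan interval is shown here.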


Root access to SSH

1. First, create your custom audit file (audit_test.txt). The checks reference a variable, so it must be assigned a value with the $name=value; syntax before the entry that uses it:

# PermitRootLogin not allowed
# PermitRootLogin indicates if the root user can log in via SSH.

# Path to the OpenSSH daemon configuration (assumed default; adjust for your system)
$sshd_file=/etc/ssh/sshd_config;

[SSH Configuration - 1: Root can log in] [any] [1]
f:$sshd_file -> !r:^# && r:PermitRootLogin\.+yes;
f:$sshd_file -> r:^#\s*PermitRootLogin;

The entry is declared with [any], so it fires when either check matches: the first check looks for an uncommented line (!r:^#) that sets PermitRootLogin to yes; the second looks for a PermitRootLogin line that is commented out, which leaves the sshd default in force. Keep in mind that this second check assumes the default is yes, which was true of older OpenSSH releases; OpenSSH 7.0 and later default to prohibit-password, so a commented-out directive on a modern host is reported although root password login is already refused. In the rootcheck regex syntax, \. matches any character (so \.+ is one or more of anything) and \s matches whitespace.

2. Reference the new file from the rootcheck section of ossec.conf:
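An added example of the resulting rootcheck block (illustrative configuration written for this page, not copied from the original). It assumes the audit file was saved as /var/ossec/etc/shared/audit_test.txt and that the default system_audit_ssh.txt policy shipped with OSSEC is kept alongside it; it also serves as the basic audit-policy example mentioned at the start of the page:

```xml
<rootcheck>
  <disabled>no</disabled>
  <!-- Scan interval in seconds (10 hours) -->
  <frequency>36000</frequency>
  <!-- Stock SSH policy shipped with OSSEC -->
  <system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
  <!-- Custom policy created in step 1 (path assumed) -->
  <system_audit>/var/ossec/etc/shared/audit_test.txt</system_audit>
</rootcheck>
```

Several system_audit elements may be listed; each file is evaluated on every scan. Restart OSSEC (for example with /var/ossec/bin/ossec-control restart) so that the new policy is loaded, and confirm on the next scan that the "SSH Configuration - 1: Root can log in" entry is reported for a host whose sshd_config enables root login.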