rootcheck¶
XML section name
<rootcheck>
</rootcheck>
Configuration options for policy monitoring and anomaly detection.
Options¶
base_directory¶
The base directory that will be appended to the following options:
rootkit_files
rootkit_trojans
systems_audit
Default value (UNIX) |
/ |
Default value (Windows) |
C:\ |
Allowed values |
Path to a directory |
rootkit_files¶
Change the location of the rootkit files database.
Default value |
/var/ossec/etc/shared/rootkit_files.txt |
Allowed values |
A file with the rootkit files signatures |
rootkit_trojans¶
Change the location of the rootkit trojans database.
Default value |
/var/ossec/etc/shared/rootkit_trojans.txt |
Allowed values |
A file with the trojans signatures |
windows_audit¶
Specifies the path to a Windows audit definition file.
Default value |
n/a |
Allowed values |
Path to a Windows audit definition file |
system_audit¶
Specifies the path to an audit definition file for Unix-like systems.
Default value |
n/a |
Allowed values |
Audit definition file for Unix-like systems |
windows_apps¶
Specifies the path to a Windows application definition file.
Default value |
n/a |
Allowed values |
Path to a Windows application def. file |
windows_malware¶
Specifies the path to a Windows malware definitions file.
Default value |
n/a |
Allowed values |
Path to a Windows malware definitions file |
scanall¶
Tells rootcheck to scan the entire system. This option may lead to some false positives.
Default value |
no |
Allowed values |
yes, no |
frequency¶
Frequency that the rootcheck is going to be executed (in seconds).
Default value |
36000 |
Allowed values |
A positive number (seconds) |
check_if¶
Enable or disable the checking of network interfaces.
Default value |
yes |
Allowed values |
yes, no |
check_pids¶
Enable or disable the checking of process ID’s.
Default value |
yes |
Allowed values |
yes, no |
check_ports¶
Enable or disable the checking of network ports.
Default value |
yes |
Allowed values |
yes, no |
check_sys¶
Enable or disable checking for anomalous file system objects.
Default value |
yes |
Allowed values |
yes, no |
check_unixaudit¶
Enable or disable the checking of unixaudit.
Default value |
yes |
Allowed values |
yes, no |
check_winmalware¶
Enable or disable checking for Windows malware.
Default value |
yes |
Allowed values |
yes, no |
skip_nfs¶
Enable or disable the scanning of network mounted filesystems (Works on Linux and FreeBSD). Currently, skip_nfs will exclude checking files on CIFS or NFS mounts.
Default value |
yes |
Allowed values |
yes, no |
Default Unix configuration¶
<!-- Policy monitoring -->
<rootcheck>
<disabled>no</disabled>
<check_unixaudit>yes</check_unixaudit>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>43200</frequency>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
<skip_nfs>yes</skip_nfs>
</rootcheck>