Configuration

  1. Basic example

  2. Ignoring false positives

Basic example

To configure the options for syscheck and rootcheck, go to ossec.conf. If you want more information about the exact configuration options that are available, go to the Syscheck section and Rootcheck section. Also, see the following sections: frequency, rootkit_files and rootkit_trojans.

Here is a basic example of how to configure the database for rootkits (files and trojans):

<rootcheck>
  <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
  <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
</rootcheck>

Ignoring false positives

<rule id="100100" level="0">
    <if_group>rootcheck</if_group>
    <match>/dev/.blkid.tab</match>
    <description>Ignore false positive for /dev/.blkid.tab</description>
</rule>