The rootcheck_control tool allows you to manage the policy monitoring and system auditing database that is stored on the server (manager) side. You can list anomalies detected by the rootcheck functionality, categorized into resolved and outstanding issues. Moreover, you can find out when ossec-rootcheck was last run.
-h
    Display the help message.
-l
    List available agents.
-lc
    List only currently connected agents.
-u <id>
    Updates (clears) the database for the agent. <id> can be an agent ID or all to clear the database for all agents.
-i AGENT_ID
    Prints the database for the agent.
-r
    Used with -i, prints all the resolved issues.
-q
    Used with -i, prints all the outstanding issues.
-L
    Used with -i, prints the last scan.
-s
    Changes the output to CSV (comma delimited).
To get a list of all auditing/policy monitoring events for a specific agent, you can run rootcheck_control -i <agent_id>. To retrieve the agent id you can use any of the following commands:
# /var/ossec/bin/rootcheck_control -i 002
Policy and auditing events for agent 'ossecagent (002) - 192.168.1.86':
Resolved events:
2010 Jun 15 13:01:22 (first time detected: 2009 Dec 10 18:48:43)
System Audit: System Audit: CIS - Debian Linux 8.8 - GRUB Password not set. File: /boot/grub/menu.lst. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
Outstanding events:
2010 Jun 17 17:34:37 (first time detected: 2009 Dec 10 18:48:43)
System Audit: System Audit: CIS - Testing against the CIS Debian Linux Benchmark v1.0. File: /etc/debian_version. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
2010 Jun 17 17:34:37 (first time detected: 2009 Dec 10 18:48:43)
System Audit: System Audit: CIS - Debian Linux 1.4 - Robust partition scheme - /tmp is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
2010 Jun 17 17:34:37 (first time detected: 2009 Dec 10 18:48:43)
System Audit: System Audit: CIS - Debian Linux 2.3 - SSH Configuration - Root login allowed. File: /etc/ssh/sshd_config. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
As you can see, the detected events are shown in two categories, resolved events and outstanding events. To only show resolved events, run rootcheck_control -ri AGENT_ID. To only show outstanding events, run rootcheck_control -qi AGENT_ID. To only show the results of the last scan and the time of that scan, run rootcheck_control -Li AGENT_ID.
To gain that kind of information for the OSSEC server, run rootcheck_control -i 000.
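The output above is plain text, so tracking which outstanding audit findings have been open for a long time means parsing it. The following parser is an added example, not part of OSSEC or this page; it reads the record layout shown above (a "Resolved events:"/"Outstanding events:" heading, then pairs of a timestamp line and a detail line) from a constructed sample and computes how long each outstanding finding has persisted.

```python
"""Parse `rootcheck_control -i <agent_id>` text output into structured records (added example)."""
import re
from datetime import datetime

# Constructed sample, modelled on the output shown above; not a real capture.
SAMPLE_OUTPUT = """\
Policy and auditing events for agent 'ossecagent (002) - 192.168.1.86':
Resolved events:
2010 Jun 15 13:01:22 (first time detected: 2009 Dec 10 18:48:43)
System Audit: System Audit: CIS - Debian Linux 8.8 - GRUB Password not set. File: /boot/grub/menu.lst. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
Outstanding events:
2010 Jun 17 17:34:37 (first time detected: 2009 Dec 10 18:48:43)
System Audit: System Audit: CIS - Debian Linux 2.3 - SSH Configuration - Root login allowed. File: /etc/ssh/sshd_config. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
"""

TS_FMT = "%Y %b %d %H:%M:%S"
# "2010 Jun 17 17:34:37 (first time detected: 2009 Dec 10 18:48:43)"
HEADER_RE = re.compile(r"^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \(first time detected: (.+)\)$")
# "<message>. File: <path>. Reference: <url> ."
DETAIL_RE = re.compile(r"^(?P<msg>.+?)\. File: (?P<file>\S+)\. Reference: (?P<ref>\S+)")


def parse_rootcheck_output(text):
    """Return a list of dicts with status, last_seen, first_seen, message, file and reference."""
    events, status, pending = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if line == "Resolved events:":
            status = "resolved"
        elif line == "Outstanding events:":
            status = "outstanding"
        elif (m := HEADER_RE.match(line)):
            # A timestamp line opens a record; the detail follows on the next line.
            pending = (datetime.strptime(m.group(1), TS_FMT), datetime.strptime(m.group(2), TS_FMT))
        elif pending and status:
            d = DETAIL_RE.match(line)
            events.append({"status": status, "last_seen": pending[0], "first_seen": pending[1],
                           "message": d.group("msg") if d else line,
                           "file": d.group("file") if d else None,
                           "reference": d.group("ref") if d else None})
            pending = None
    return events


def age_days(event):
    """Whole days between first detection and the most recent sighting."""
    return (event["last_seen"] - event["first_seen"]).days


def long_outstanding(events, min_days):
    """Outstanding findings that have persisted for at least min_days; useful for triage reports."""
    return [e for e in events if e["status"] == "outstanding" and age_days(e) >= min_days]
```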
To clear the system auditing/policy monitoring database for a certain agent, run the following command:
# /var/ossec/bin/rootcheck_control -u 002
** Policy and auditing database updated.
To clear the database for all agents and the server, run the following command:
# /var/ossec/bin/rootcheck_control -u all
** Policy and auditing database updated.
The next time rootcheck is run, the database will be populated again.