Rootcheck control tool
The rootcheck_control tool lets you manage the policy monitoring and system auditing (rootcheck) database that is stored on the server (manager) side. You can list the agents, list the outstanding and resolved issues recorded for each of them, and get the details of every entry.
How to use it? Let’s learn by examples:
Example 1: Getting help and listing all available agents
Exactly like agent_control, you can use the “-l” (or “-lc”) flag to list the agents and the “-h” flag to print the command line help.
# /var/ossec/bin/rootcheck_control -h
OSSEC HIDS rootcheck_control: Manages the policy and auditing database.
Available options:
-h This help message.
-l List available (active or not) agents.
-lc List only active agents.
-u <id> Updates (clear) the database for the agent.
-u all Updates (clear) the database for all agents.
-i <id> Prints database for the agent.
-r Used with -i, prints all the resolved issues.
-q Used with -i, prints all the outstanding issues.
-L Used with -i, prints the last scan.
-s Changes the output to CSV (comma delimited).
# /var/ossec/bin/rootcheck_control -lc
OSSEC HIDS rootcheck_control. List of available agents:
ID: 000, Name: enigma.ossec.net (server), IP: 127.0.0.1, Active/Local
ID: 165, Name: esqueleto2, IP: 192.168.2.99, Active
ID: 174, Name: lili3win, IP: 192.168.2.0/24, Active
ID: 185, Name: winhome2, IP: 192.168.2.0/24, Active
Example 2: Getting a list of system auditing/policy monitoring events
To get a list of events, just run the command with the “-i” flag followed by the agent id you want:
# /var/ossec/bin/rootcheck_control -i 165
Policy and auditing events for agent system 'brrkey - xyz':
Resolved events:
2008 Nov 22 06:00:05 (first time detected: 2008 Nov 21 09:48:01)
System Audit: File '/dev/fake-fle' present on /dev. Possible hidden file.
2008 Nov 22 06:00:05 (first time detected: 2008 Nov 21 09:48:01)
System Audit: File '/dev/fake-file2' present on /dev. Possible hidden file.
Outstanding events:
2009 Feb 20 10:47:55 (first time detected: 2008 Oct 01 10:10:05)
System Audit: System Audit: CIS - Testing against the CIS Debian Linux Benchmark v1.0. File: /etc/debian_version. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
2009 Feb 20 10:47:55 (first time detected: 2008 Oct 01 10:10:05)
System Audit: System Audit: CIS - Debian Linux 1.4 - Robust partition scheme - /tmp is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
2009 Feb 20 10:47:55 (first time detected: 2008 Oct 01 10:10:05)
System Audit: System Audit: CIS - Debian Linux 1.4 - Robust partition scheme - /opt is not on its own partition. File: /opt. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
You will get two separate lists, one with the resolved issues and one with the outstanding ones. Each entry shows the time of the latest scan that reported the issue and, in parentheses, the time it was first detected. Note that “-u <id>” clears this stored history for the agent, so the first-detection times are lost once you run it.
Example 3: Filtering the list of system auditing/policy monitoring events
If you only want to see the outstanding issues, use the “-q” flag; for only the resolved ones, use “-r”; and if you only want the results of the last scan, use “-L”. Adding “-s” to any of these switches the output to CSV, which is handier for scripting:
# /var/ossec/bin/rootcheck_control -i 165 -q
Outstanding events:
2009 Feb 20 10:47:55 (first time detected: 2008 Oct 01 10:10:05)
System Audit: System Audit: CIS - Testing against the CIS Debian Linux Benchmark v1.0. File: /etc/debian_version. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
2009 Feb 20 10:47:55 (first time detected: 2008 Oct 01 10:10:05)
System Audit: System Audit: CIS - Debian Linux 1.4 - Robust partition scheme - /tmp is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
2009 Feb 20 10:47:55 (first time detected: 2008 Oct 01 10:10:05)
System Audit: System Audit: CIS - Debian Linux 1.4 - Robust partition scheme - /opt is not on its own partition. File: /opt. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .