
[ossec-list] Re: ignoring directories for rootkit detection



Hi Meir,

The purpose of the rootkit engine is not only to detect known rootkits,
but also to find kernel-level and user-level anomalies. So, a file owned by
root with full write access for everyone is a user-level anomaly (or
a problem). It does not indicate a rootkit, but may be a problem.
There is no way to disable specific directories on rootcheck right now,
but I can sure add an option for that in the future. However, you will
only see these alerts once, since ossec does not send repeated
alerts for rootcheck.

*btw, very nice report script you sent. Do you mind if I add it to
ossec (in the official package) under contrib?

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net


On 7/3/06, Meir Michanie <meirgotroot@xxxxxxxxx> wrote:
> Hi list.
> in my config I have ignore tag inside the syscheck
> There is no option to use the same tag under rootkit
> the rootkit search engine searches for files owned by root and worldwide
> writable (I know it is a security risk)
> 1. I do not see how a file owned by root and o+w is a rootkit alarm. (it may
> be a hardening issue)
> 2. I tried using <scanall>no</scanall> and still got the rootkit engine
> alarming of files under /usr/local/myfiles/
>
> Did I say that ossec rocks?
>

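The check discussed in this thread (a root-owned, world-writable file is flagged as a user-level anomaly, there was no per-directory ignore for rootcheck, and each finding is alerted only once) can be reproduced in a small stand-alone scanner. The following Python is an added example written for this page, not OSSEC's rootcheck code; it does not read ossec.conf, and the ignore-list semantics (directory path prefixes that are pruned from the walk) are an assumption of the example rather than OSSEC behaviour. The `demo()` function builds a constructed temporary tree owned by the current user, so `owner_uid` is set to `os.getuid()` instead of 0 there.

```python
"""Added example, not OSSEC code: scan for owner-uid + o+w files with an
ignore list and alert-once suppression, as the thread describes."""
import os
import shutil
import stat
import tempfile
from typing import Dict, Iterable, List, Set


def is_owner_world_writable(st: os.stat_result, owner_uid: int = 0) -> bool:
    """Regular file owned by owner_uid (root by default) whose 'other'
    write bit (o+w) is set: the user-level anomaly rootcheck reports."""
    return (stat.S_ISREG(st.st_mode)
            and st.st_uid == owner_uid
            and bool(st.st_mode & stat.S_IWOTH))


def is_ignored(path: str, ignore: Iterable[str]) -> bool:
    """Assumed ignore semantics: path is the ignored directory itself or
    lies below it.  Prefix match is done on whole path components."""
    for prefix in ignore:
        base = prefix.rstrip(os.sep)
        if path == base or path.startswith(base + os.sep):
            return True
    return False


def scan(root: str, ignore: Iterable[str] = (), owner_uid: int = 0) -> List[str]:
    """Walk root, prune ignored subtrees, return sorted anomalous paths."""
    ignore = list(ignore)
    hits: List[str] = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune in place so os.walk never descends into ignored directories.
        dirnames[:] = [d for d in dirnames
                       if not is_ignored(os.path.join(dirpath, d), ignore)]
        for name in filenames:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)          # lstat: do not follow symlinks
            except OSError:
                continue                  # vanished or unreadable, skip
            if is_owner_world_writable(st, owner_uid):
                hits.append(p)
    return sorted(hits)


class AlertOnce:
    """Models the 'you will only see these alerts once' behaviour: a path
    is reported the first time it is seen and suppressed afterwards."""
    def __init__(self) -> None:
        self.seen: Set[str] = set()

    def new_alerts(self, hits: Iterable[str]) -> List[str]:
        fresh = [h for h in hits if h not in self.seen]
        self.seen.update(fresh)
        return fresh


def demo() -> Dict[str, object]:
    """Constructed tree (not real system files): one o+w file under etc/,
    one under usr/local/myfiles/ (to be ignored), one 0644 file."""
    root = tempfile.mkdtemp(prefix="rootcheck-demo-")
    try:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "usr", "local", "myfiles"))
        bad = os.path.join(root, "etc", "loose.conf")
        ignored = os.path.join(root, "usr", "local", "myfiles", "data.txt")
        ok = os.path.join(root, "etc", "tight.conf")
        for p, mode in ((bad, 0o666), (ignored, 0o666), (ok, 0o644)):
            with open(p, "w") as fh:
                fh.write("x\n")
            os.chmod(p, mode)         # explicit chmod, so umask does not matter
        me = os.getuid()              # files are ours, not root's, in the demo
        full = scan(root, owner_uid=me)
        filtered = scan(root, ignore=[os.path.join(root, "usr", "local", "myfiles")],
                        owner_uid=me)
        once = AlertOnce()
        first = once.new_alerts(filtered)     # alerted
        second = once.new_alerts(filtered)    # same findings, suppressed
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return {"bad": bad, "ignored": ignored, "full": full,
            "filtered": filtered, "first": first, "second": second}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Against a real host you would call `scan("/", ignore=[...])` with the default `owner_uid=0`; pruning ignored directories in `os.walk` keeps them out of the alert stream entirely, which is the behaviour Meir was asking for and Daniel said rootcheck did not yet offer.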





OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.