
[ossec-list] Re: A few comments on installation



Hi Stephen,

Thanks for the ideas. I just fixed the documentation and English problems
(1-4) you mentioned. Regarding the syscheck values, they need to be attributes
of the "directory" element. For example:

<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>

or

<directories check_owner="yes" check_perm="yes">/var/log</directories>

To just check the owner and permissions of the /var/log directory.

Regarding the rootkit signatures, they do not change too often, but generally
between releases I update them. Next version will have a lot of rootkit
detection improvements (especially related to kernel level rootkits) and I will
try to keep them updated more often too. I will send instructions later on how
to keep them up to date (including log analysis rules).

Btw, if you installed version 0.8, you should try the 0.8-6:

http://www.ossec.net/files/ossec-hids-0.8-6.tar.gz


Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net


On 7/11/06, Stephen Bunn <sbunn@xxxxxxxxxxxxxxxxx> wrote:
>
> I have recently setup ossec 0.8 on my Ubuntu machine and would like to
> make the following comments for improvement.
>
> 1.  The installation documentation refers to this address
> http://www.ossec.net/files/ossec-hids-latest_sum.txt for the MD5 and
> SHA1 checksums, however this document does not exist.  I found only the
> ossec-hids-0.8-latest_sum.txt existing.  This is fine, however the
> documentation needs to be updated.
>
> 2. Just a minor note, on both my Gentoo and Ubuntu boxes the commands
> for md5 and sha1 are called md5sum and sha1sum.  The installation
> documentation might want to make a Note: about this, however it's not
> that important. If you are installing a HIDS then you should probably
> know how to calculate a MD5 sum on your box.
>
> 3.  tar -zxvf ossec-hids-* doesn't work because the MD5/SHA1 text
> file is there.  The documentation has you download the checksums making
> the untar command ambiguous.
>
> 4.  During the last part of installation the word "below" is misspelled
> (as pointed out below).
>
> "Press ENTER to finish (maybe more information bellow)"
>
>
> 5.  none of the syscheck check_xxx values seem to work as described in
> the documentation.  For example the documentation says check_sum should
> take a yes or no value, however
> <check_sum>yes</check_sum> is listed as an invalid value upon startup.
> This applies to all the check_xxx values listed in the documentation.  I
> couldn't get any of them to work.
>
>
> 6. The one question that I can't find an answer to is: Where can you get
> updated txt files for the rootcheck program?  Several points in the
> documentation point out a "the signature files are here" but I could not
> find a link to the actual signatures anywhere.  I'm assuming that ossec
> is not going to update the signatures by itself.  So how do I go
> about making sure that rootcheck's signature files are up to date?
>
> Overall I'm very impressed, and find the installation very easy.
>
> Thanks.
>
> --
> Stephen Bunn
> http://sbunn.roguesoftware.net
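The attribute-versus-child-element distinction from the reply above, and the invalid-value error in item 5, as an added example (not OSSEC's own configuration parser): a small checker that reads an ossec.conf-style syscheck fragment, collects the check_* attributes per directory, and flags a check_* option written as a child element. The sample configuration is constructed; the set of known option names is limited to those mentioned in this thread.

```python
"""Check OSSEC syscheck <directories> options in an ossec.conf fragment.

Added example, not OSSEC's own parser. It encodes the rule from the reply
above: check_* options are attributes of <directories>, never child
elements, and take only "yes" or "no".
"""
import xml.etree.ElementTree as ET

# Option names mentioned in the thread; other real options would be
# reported as unknown by this simplified checker.
KNOWN_CHECKS = {"check_all", "check_sum", "check_owner", "check_perm"}

# Constructed sample: two correct entries, one bad value, and the
# misplaced <check_sum> child element from item 5 of the original mail.
SAMPLE_CONF = """
<ossec_config>
  <syscheck>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_owner="yes" check_perm="yes">/var/log</directories>
    <directories check_owner="true">/home</directories>
    <check_sum>yes</check_sum>
  </syscheck>
</ossec_config>
"""


def parse_syscheck(conf_xml):
    """Return ({path: {option: bool}}, [error strings]) for a config string."""
    root = ET.fromstring(conf_xml)
    dirs, errors = {}, []
    for sc in root.iter("syscheck"):
        for child in sc:
            if child.tag.startswith("check_"):
                errors.append(f"<{child.tag}> must be an attribute of "
                              f"<directories>, e.g. <directories "
                              f"{child.tag}=\"yes\">/etc</directories>")
                continue
            if child.tag != "directories":
                continue
            opts = {}
            for name, value in child.attrib.items():
                if name not in KNOWN_CHECKS:
                    errors.append(f"unknown option {name!r} on <directories>")
                elif value not in ("yes", "no"):
                    errors.append(f"{name} must be yes or no, got {value!r}")
                else:
                    opts[name] = value == "yes"
            for path in (child.text or "").split(","):
                if path.strip():
                    dirs[path.strip()] = dict(opts)
    return dirs, errors
```

Running `parse_syscheck(SAMPLE_CONF)` yields per-directory options for /etc, /usr/bin, /usr/sbin and /var/log, an empty option set for /home, and two errors: the misplaced `<check_sum>` element and the non yes/no value.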






OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.