[ossec-list] Re: issue with installing ossec agent

["Daniel Cid" <daniel.cid@xxxxxxxxx>]

Hi Thanh,

If you want to disable log monitoring, just remove any "localfile"
entry from your
ossec.conf at the agent. That way you will have only the rootkit detection
running... However, I tend to suggest to always run the integrity checking with
rootkit detection, since they complement each other.

Btw, thanks for sharing your uninstall script. I am sure it can be useful to
quite some people. **If you release it under the GPL (or any less restrictive
license), we can package it with ossec.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net


On 4/16/07, Thanh Han The <hanthethanh@xxxxxxxxx> wrote:
> Hi,
>
> I tried to install ossec in agent mode on an debian machine,
> with the module rootkit only (I said 'no' to the system
> integrity module). After importing a key from the server, I
> started ossec and got the following warnings:
>
> ,--------
> | # /etc/init.d/ossec start
> | Starting OSSEC HIDS v1.1 (by Daniel B. Cid)...
> | 2007/04/13 16:16:05 ossec-syscheckd(1702): No directory provided for
> 'directories' element.
> | Started ossec-execd...
> | Started ossec-agentd...
> | Started ossec-logcollector...
> | 2007/04/13 16:16:05 ossec-syscheckd(1702): No directory provided for
> 'directories' element.
> | 2007/04/13 16:16:05 ossec-syscheckd: Syscheck disabled.
> | Exiting.
> | Started ossec-syscheckd...
> | Completed.
> `--------
>
> and 'ps ax' shows
>
> ,--------
> | 13673 ?        S      0:00 /opt/ossec/bin/ossec-agentd
> | 13677 ?        S      0:00 /opt/ossec/bin/ossec-logcollector
> `--------
>
> I have 2 questions please:
>
>  - during installation I didn't see an option not to install
>    the log monitoring module. Is there a way to leave out
>    that module, or is it always required?
>
>  - since ossec-syscheckd is not running, I am not sure whether
>    the rootkit module is being activated. How can I verify
>    it?
>
>
> Thanks,
> Thanh
>
> PS: I wrote a little script to uninstall ossec in case one
> needs to upgrade or reinstall ossec. I post it here, in case
> someone might find it useful.
>
> ,--------
> | #!/bin/sh
> |
> | . /etc/ossec-init.conf
> |
> | dirs="$DIRECTORY"
> | files=`ls /etc/init.d/ossec /etc/rc[0-9S].d/[SK][0-9][0-9]ossec`
> | users=`egrep '^ossec' /etc/passwd | sed 's/:.*//'`
> | groups=`egrep '^ossec' /etc/group | sed 's/:.*//'`
> |
> | echo ""
> | echo "I am going to remove the following:"
> |
> | echo ""
> | echo ">>> Files:"
> | for f in $files; do
> |     ls -l $f
> | done
> |
> | echo ""
> | echo ">>> Directory:"
> | for f in $dirs; do
> |     ls -ld $f
> | done
> |
> | echo ""
> | echo ">>> Users:"
> | echo $users
> |
> | echo ""
> | echo ">>> Group:"
> | echo $groups
> |
> | echo ""
> | echo "If you have not backed up your config file(s), they will be
> lost forever!"
> |
> | read -p "Is this want you want (yes/no)? "
> | if [ "$REPLY" = "yes" ]; then
> |     /etc/init.d/ossec stop
> |     rm -f $files
> |     rm -rf $dirs
> |     for u in $users; do
> |         deluser $u
> |     done
> |     for g in $groups; do
> |         delgroup $g
> |     done
> | fi
> `--------