
[ossec-list] Re: issue with installing ossec agent




Hi Daniel,

it seems that if there are no <directories> entries in the
config file, then syscheckd won't start even if the rootkit
module is used.

I don't run log monitoring and integrity checking since
this is a setup for a virtual machine (openvz) and I am
also running ossec on the real host which can do log
monitoring and integrity checking for the virtual machines
too. If you could extend the rootkit module so that it can be
run on the real host to check the virtual machines, it would
be terrific. This is my dream now :)

Regarding the script: can you please add the following lines?

,--------
| # a simple script to uninstall ossec (tested on debian)
| # Author: Han The Thanh <hanthethanh@xxxxxxxxx>
| # Public domain.
`--------


Regards,
Thanh

PS: I also made a vim script to change the ossec config file
ossec.conf so it can monitor files on virtual machines too
(it's rather tedious to do that manually). I am happy to
share in case anyone else needs it.


On Tue, Apr 17, 2007 at 01:22:22AM -0300, Daniel Cid wrote:

Hi Thanh,

If you want to disable log monitoring, just remove any "localfile" entry from
your ossec.conf at the agent. That way you will have only the rootkit detection
running... However, I tend to suggest to always run the integrity checking with
rootkit detection, since they complement each other.

Btw, thanks for sharing your uninstall script. I am sure it can be useful to
quite some people. If you release it under the GPL (or any less restrictive
license), we can package it with ossec.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net




OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.