[ossec-list] Re: What does it means this alert??
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: What does it means this alert??
- From: carlopmart <carlopmart@xxxxxxxxx>
- Date: Thu, 13 Sep 2007 09:19:47 +0200
Scott Speirs wrote:
> carlopmart wrote:
>> Hi all,
>>
>> I have installed ossec 1.3 on two rhel5 servers. On both servers ossec
>> generates this alert??
>>
>> OSSEC HIDS Notification.
>> 2007 Sep 12 09:51:32
>>
>> Received From: xenhost->rootcheck
>> Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
>> Portion of the log(s):
>>
>> File '/sys/module/sbs/parameters/capacity_mode' is owned by root and has written permissions to anyone.
>>
>>
>> What does it mean???
>>
>>
> Ah, I expect, if you check the permissions on that file, you will find
> that the owner is root and everyone has write permissions. Not being
> that familiar with RHEL per se, I would guess that's a system file and
> giving everyone write permissions invites, er, damage. :-)
>
But it isn't correct:
[carlos@xenhost parameters]$ pwd
/sys/module/sbs/parameters
[carlos@xenhost parameters]$ ls -la
total 0
drwxr-xr-x 2 root root 0 Sep 13 09:14 .
drwxr-xr-x 4 root root 0 Sep 13 09:14 ..
--------wx 1 root root 4096 Sep 13 09:14 capacity_mode
--------w- 1 root root 4096 Sep 13 09:14 update_mode
----rwxr-- 1 root root 4096 Sep 13 09:14 update_time
[carlos@xenhost parameters]$
As a user I can't manipulate this file:
[carlos@xenhost parameters]$ cat capacity_mode
cat: capacity_mode: Permission denied
[carlos@xenhost parameters]$
Does anybody know what I can do about this alert?
--
CL Martinez
carlopmart {at} gmail {d0t} com
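
Added example, not part of the original message and not OSSEC's own code: it decodes the permission strings from the `ls -la` listing above and applies the condition the alert text describes. It assumes that condition is "regular file, owner root, others-write bit set"; the function names are hypothetical.

```python
import os
import stat

# Lines copied from the `ls -la` output in the message above.
LS_LINES = """\
--------wx 1 root root 4096 Sep 13 09:14 capacity_mode
--------w- 1 root root 4096 Sep 13 09:14 update_mode
----rwxr-- 1 root root 4096 Sep 13 09:14 update_time
"""

# Permission bits in the order ls prints them (user, group, other).
_BITS = [stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
         stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
         stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH]


def mode_from_ls(perm):
    """Convert a 10-character ls permission string to rwx permission bits."""
    if len(perm) != 10:
        raise ValueError("expected 10 characters, got %r" % perm)
    mode = 0
    for ch, bit in zip(perm[1:], _BITS):
        # '-' means unset; 'S'/'T' mean a special bit without execute.
        if ch not in "-ST":
            mode |= bit
    return mode


def flagged(listing):
    """Names of regular, root-owned files whose others-write bit is set."""
    hits = []
    for line in listing.splitlines():
        fields = line.split()
        perm, owner, name = fields[0], fields[2], fields[-1]
        if perm[0] == "-" and owner == "root" and mode_from_ls(perm) & stat.S_IWOTH:
            hits.append(name)
    return hits


def check_path(path, uid=0):
    """Same test against a live file, using lstat() instead of ls text."""
    st = os.lstat(path)
    return (stat.S_ISREG(st.st_mode) and st.st_uid == uid
            and bool(st.st_mode & stat.S_IWOTH))


if __name__ == "__main__":
    print(flagged(LS_LINES))
```

The check looks only at the mode bits and the owner, so it is independent of whether a read such as `cat` succeeds for an unprivileged user.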