RootCheck disabling


eyal gershon
Apr 14, 2016, 6:54:29 AM
to ossec-list
Hey,

I tried to disable the rootcheck on one of the servers.
I have added the following to the agent.conf file -

<rootcheck>
    <disabled>yes</disabled>
</rootcheck>

and after I am restarting the service I get the following output - 
Starting ossec-hids: 2016/04/14 06:16:27 ossec-rootcheck: Rootcheck disabled. Exiting.
ossec-syscheckd: WARN: Rootcheck module disabled.

and a few minutes later I see in the logs that the rootcheck is running again.
Anyone have an idea what I missed?

dan (ddp)
Apr 14, 2016, 7:57:36 AM
to ossec...@googlegroups.com
Which log messages are you seeing specifically?


eyal gershon
Apr 14, 2016, 8:38:47 AM
to ossec-list
2016/04/14 06:03:17 ossec-rootcheck: INFO: Started (pid: 30101).
2016/04/14 06:06:05 ossec-rootcheck: INFO: Starting rootcheck scan.
2016/04/14 06:06:05 ossec-rootcheck: No rootcheck_files file configured.
2016/04/14 06:06:05 ossec-rootcheck: No rootcheck_trojans file configured.
2016/04/14 06:17:38 ossec-rootcheck: INFO: Ending rootcheck scan.

The start of the scan is right after the ossec-hids restart from the original post.

Pedro S
Apr 15, 2016, 8:08:23 AM
to ossec-list
I have reproduced your configuration in my lab; rootcheck is not starting again. Could you re-verify that the agent.conf file is right on your agent?

joe.co...@wazuh.com
Apr 15, 2016, 1:26:47 PM
to ossec-list
Also try using verify-agent-conf. It might help with troubleshooting.

eyal gershon
Apr 17, 2016, 4:53:00 AM
to ossec-list
I ran the verify-agent tool;
it did not return any errors.

eyal gershon
Apr 17, 2016, 4:56:15 AM
to ossec-list
I checked the logs again -

2016/04/16 18:37:27 ossec-rootcheck: INFO: Starting rootcheck scan.
2016/04/16 18:37:27 ossec-rootcheck: No rootcheck_files file configured.
2016/04/16 18:37:27 ossec-rootcheck: No rootcheck_trojans file configured.
2016/04/16 18:45:52 ossec-rootcheck: INFO: Ending rootcheck scan.


The log says the check did run.
Is there another configuration file I might be missing?

joe.co...@wazuh.com
Apr 18, 2016, 3:14:00 PM
to ossec-list
Interesting... that should be the only config that you need to update in order to disable the root check. I tried it in my lab and disabled it properly as well. 

Santiago Bassett
Apr 19, 2016, 8:06:11 PM
to ossec...@googlegroups.com
Hi Eyal,

Try setting syscheck.debug=2 in the internal_options.conf file. It looks like there are some rootchecks that still run unless you set them to no, like check_pids, check_dev, check_ports, ... see more info at:

Santiago Bassett
Apr 19, 2016, 8:06:46 PM
to ossec...@googlegroups.com
I was meaning to paste this link before sending the last email:

eyal gershon
Apr 24, 2016, 4:03:00 AM
to ossec-list
Thanks for all the help,
I managed to disable the rootcheck manually.
It appeared that I had a problem with publishing the document and the permissions of the file.
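The thread turns on two separate questions: which <agent_config> block in agent.conf actually applies to a given agent, and whether the manager's copy of the file was pushed to the agent at all (the final post traces the problem to publishing and file permissions, not to the XML). The script below is an added example written for this page, not OSSEC's or Wazuh's own code. It assumes the default layout in which the manager's shared agent.conf is pushed unchanged to the same path on each agent, assumes that a later matching block overrides an earlier one, that the name attribute matches exactly and the os attribute as a substring (config-profile matching is not handled), and applies an assumed permission policy (group-readable, never world-writable). The sample configurations and the file layout in demo() are constructed for the example.

```python
"""Audit a pushed OSSEC agent.conf that is meant to disable rootcheck.

Added example for this thread, not OSSEC's own code. Assumed: agent.conf is
a sequence of top-level <agent_config> elements (wrapped in a synthetic root
to parse it); a later matching block overrides an earlier one; the name
attribute matches exactly, os as a substring (profile is not handled).
"""
import hashlib
import os
import stat
import tempfile
import xml.etree.ElementTree as ET


def parse_agent_conf(text):
    """<agent_config> elements in order; the parser drops XML comments, so a
    commented-out block never counts."""
    return ET.fromstring("<root>" + text + "</root>").findall("agent_config")


def block_applies(block, agent_name, agent_os):
    """Assumed matching rules; a block with no attributes applies to all."""
    name, os_attr = block.get("name"), block.get("os")
    if name is not None and name != agent_name:
        return False
    if os_attr is not None and os_attr.lower() not in agent_os.lower():
        return False
    return True


def rootcheck_disabled_for(text, agent_name, agent_os):
    """True if the last applicable <rootcheck><disabled> is 'yes'; rootcheck
    is on by default, so no setting at all means False."""
    disabled = False
    for block in parse_agent_conf(text):
        if not block_applies(block, agent_name, agent_os):
            continue
        for rc in block.findall("rootcheck"):
            d = rc.find("disabled")
            if d is not None and d.text is not None:
                disabled = d.text.strip().lower() == "yes"
    return disabled


def permission_problems(path):
    """Assumed policy: group-readable so it can be pushed, never world-writable."""
    mode = os.stat(path).st_mode
    problems = []
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    if not mode & stat.S_IRGRP:
        problems.append("not group-readable")
    return problems


def copies_match(manager_path, agent_path):
    """Same MD5 comparison an operator would do by hand with md5sum on both hosts."""
    def digest(p):
        with open(p, "rb") as f:
            return hashlib.md5(f.read()).hexdigest()
    return digest(manager_path) == digest(agent_path)


# Constructed samples: NEW disables rootcheck for web01 only, the db01 block is
# commented out on purpose and must not count; OLD is the stale copy on the agent.
NEW_AGENT_CONF = """\
<agent_config>
  <rootcheck><disabled>no</disabled></rootcheck>
</agent_config>
<agent_config name="web01">
  <rootcheck><disabled>yes</disabled></rootcheck>
</agent_config>
<agent_config name="db01">
  <!-- <rootcheck><disabled>yes</disabled></rootcheck> -->
</agent_config>
"""
OLD_AGENT_CONF = "<agent_config><rootcheck><disabled>no</disabled></rootcheck></agent_config>\n"


def demo():
    """Replays the thread: the manager copy disables rootcheck for web01 but is
    world-writable, and the agent still holds the old copy, so it keeps scanning."""
    workdir = tempfile.mkdtemp()
    paths = {}
    for label, text, mode in (("manager", NEW_AGENT_CONF, 0o666),
                              ("agent", OLD_AGENT_CONF, 0o640)):
        paths[label] = os.path.join(workdir, label + "_agent.conf")
        with open(paths[label], "w") as f:
            f.write(text)
        os.chmod(paths[label], mode)
    return {
        "manager_disables_web01": rootcheck_disabled_for(NEW_AGENT_CONF, "web01", "Linux"),
        "manager_disables_db01": rootcheck_disabled_for(NEW_AGENT_CONF, "db01", "Linux"),
        "manager_perm_problems": permission_problems(paths["manager"]),
        "agent_perm_problems": permission_problems(paths["agent"]),
        "copies_match": copies_match(paths["manager"], paths["agent"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice you would point rootcheck_disabled_for and permission_problems at the manager's shared agent.conf and copies_match at that file and the agent's own copy (or compare the two digests by hand across hosts). The point the thread illustrates is that a clean verify-agent-conf run only tells you the file parses; it says nothing about whether the agent ever received it, which is what the checksum comparison answers.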