exceptions in rootcheck??


rosgos

Dec 21, 2009, 3:58:32 AM12/21/09
to ossec-list
Hi everyone,

I am using ossec v2.3 on a server and I have an exception in the module
rootcheck:

<rootcheck>
..............
<ignore>/tmp/</ignore>
</rootcheck>

I have restarted the daemon, but I am still receiving alerts about changes in
the directory /tmp.
Isn't this syntax incorrect in ossec.conf?

Thanks.
Albert.

Wim Remes

Dec 21, 2009, 3:58:27 PM12/21/09
to ossec...@googlegroups.com
Hi,

rootcheck doesn't discriminate, as its goal is to look for files and configuration that would be consistent with the presence of a rootkit.
The ignore setting is only valid in the <syscheck> directive, like this

<syscheck>
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>

<ignore>/tmp/</ignore>
</syscheck>

however, the ignore would only make sense if you want to ignore a directory deeper in the hierarchy, like this
<syscheck>
<directories check_all="yes">/tmp</directories>
...
<ignore>/tmp/dir1/dir2/dir3</ignore>
</syscheck>

because you don't care about file changes in that specific location, but you do in all other subfolders of /tmp.

Hope this helps,

Kind Regards,

Wim

Albert Ros

Dec 24, 2009, 3:21:18 AM12/24/09
to ossec...@googlegroups.com
Dear Wim,

But if I have a filesystem with a .snapshot directory, I must add an exception for it, or I constantly receive alerts about a possible rootkit:

'/opt/.snapshot/hourly.5/....  ...../format'. Hidden from stats, but showing up on readdir. Possible kernel level rootkit.

I think there should be a way to not check for rootkits in /opt/.snapshot.

Thanks for your response,
Albert.

2009/12/21 Wim Remes <wre...@gmail.com>

Wim Remes

Dec 24, 2009, 5:06:19 PM12/24/09
to ossec...@googlegroups.com
Hi,

can you provide me with the exact alert you are receiving?
We can possibly put a specific rule in local_rules.xml to ignore this event.

Kind Regards,

Wim

Albert Ros

Jan 12, 2010, 2:54:10 AM1/12/10
to ossec...@googlegroups.com
Hi,

I'm receiving this alert:

OSSEC HIDS Notification.
2010 Jan 12 07:53:45

Received From: server->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

File '/tmp/home_nfs/.snapshot/hourly.5/home/xxx/file.txt' is owned by root and has written permissions to anyone.



--END OF NOTIFICATION


and I want to exclude the directory .snapshot for all agents. Is it possible, as you said, by adding a rule in local_rules.xml?

Thanks,
Albert.


2009/12/24 Wim Remes <wre...@gmail.com>

Albert Ros

Jan 12, 2010, 3:08:35 AM1/12/10
to ossec...@googlegroups.com
I also have other alerts like this:
Received From: xxx->rootcheck

Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

File '/dev/cpuset/xx@575792/memory_spread_slab' present on /dev. Possible hidden file.

Received From: xxx->rootcheck

Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

File '/dev/cpuset/xx@575792/memory_spread_page' present on /dev. Possible hidden file.


2010/1/12 Albert Ros <ros...@gmail.com>

Daniel Cid

Jan 15, 2010, 2:04:29 PM1/15/10
to ossec...@googlegroups.com
Hi Albert,

A rule would be better for this:

<rule id="100201" level="0">
<if_sid>510</if_sid>
<match>File '/tmp/home_nfs/.snapshot</match>
<description>Ignoring .snapshot dir..</description>
</rule>

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

Albert Ros

Jan 21, 2010, 1:36:44 AM1/21/10
to ossec...@googlegroups.com
Daniel, thanks for your response.

Shouldn't we include this line inside the rule?
<group>rootcheck,</group>



2010/1/15 Daniel Cid <danie...@gmail.com>
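Added example (editor's addition, not part of the thread or of OSSEC's shipped rules): a complete local_rules.xml fragment that generalises Daniel's rule to every agent and mount point, and answers the group question by placing the rules inside the enclosing `<group name="...">` element that local_rules.xml already uses. It assumes rule ids 100201 and 100202 are free in the local range, and relies on `<match>` being a plain substring test, so "/.snapshot/" matches any path containing a .snapshot directory.

```xml
<!-- Added example, not the thread's own configuration.
     Both rules hang off rule 510, so an event is silenced only
     when rootcheck raised it, never for other alert sources. -->
<group name="local,rootcheck,">

  <!-- NFS .snapshot copies: root-owned, world-writable files inside them are
       expected, and the substring match covers every agent and mount point. -->
  <rule id="100201" level="0">
    <if_sid>510</if_sid>
    <match>/.snapshot/</match>
    <description>Ignoring .snapshot dir (NFS snapshot copies).</description>
  </rule>

  <!-- cpuset pseudo-files under /dev are created by the kernel, not hidden
       by a rootkit; match on the prefix so only that tree is silenced. -->
  <rule id="100202" level="0">
    <if_sid>510</if_sid>
    <match>File '/dev/cpuset/</match>
    <description>Ignoring cpuset entries under /dev.</description>
  </rule>

</group>
```

Keep the `<match>` strings as narrow as the environment allows: a level-0 rule discards the event entirely, so a loose pattern would also hide a genuine hidden-file finding under the same path.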