OSSEC HIDS performs rootkit detection on every system where the agent is installed. The rootcheck (rootkit detection engine) is executed every X minutes (user specified; by default every 2 hours) to detect any rootkit that may have been installed. Combined with the log analysis and integrity checking engines, it becomes a very powerful monitoring solution.
These configuration options can be specified in each agent's ossec.conf, except auto_ignore and alert_new_file, which are manager-side options. If the ignore option is specified on the manager, the setting becomes global for all agents.
The base directory that is prepended to the relative paths given in the following options.
Default: /var/ossec
Allowed: Path to a directory
This option can be used to change the location of the rootkit files database.
Default: /etc/shared/rootkit_files.txt
Allowed: A file with the rootkit file signatures
This option can be used to change the location of the rootkit trojans database.
Default: /etc/shared/rootkit_trojans.txt
Allowed: A file with the trojan signatures
Tells rootcheck to scan the whole system (may lead to some false positives).
Default: no
Allowed: yes/no
Frequency at which rootcheck is executed (in seconds).
Default: 36000 (10 hours)
Allowed: Time (in seconds)
Disables the execution of rootcheck.
Default: no
Allowed: yes/no
Enable or disable the checking of files in the `/dev` filesystem.
Default: yes
Allowed: yes or no
Enable or disable the checking based on the rootkit files database.
Default: yes
Allowed: yes or no
Enable or disable the checking of the network interfaces.
Default: yes
Allowed: yes or no
Enable or disable the checking of process IDs.
Default: yes
Allowed: yes or no
Enable or disable the checking of network ports.
Default: yes
Allowed: yes or no
Enable or disable the checking of the filesystem for possible issues.
Default: yes
Allowed: yes or no
Enable or disable the checking of trojans.
Default: yes
Allowed: yes or no
Enable or disable the checking of Unix issues.
Default: yes
Allowed: yes or no
Enable or disable the checking of Windows apps.
Default: yes
Allowed: yes or no
Enable or disable the checking of Windows issues.
Default: 1
Allowed: 1 or 0
Enable or disable the checking of Windows malware.
Default: yes
Allowed: yes or no
New in version 2.9.0.
Specifies whether rootcheck should scan network-mounted filesystems. Works on Linux and FreeBSD. Currently, skip_nfs aborts the checks that would run against CIFS or NFS mounts.
Default: no
Allowed: yes/no
Note: This option was added in OSSEC 2.9.0.
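An agent-side rootcheck block for ossec.conf, added here as an example and not taken from the OSSEC documentation or source. The element names are assumed to follow OSSEC's ossec.conf schema for the options described above; the values are illustrative choices, not the documented defaults, except where the comments say so.

```xml
<ossec_config>
  <rootcheck>
    <!-- Engine stays enabled (default: no) -->
    <disabled>no</disabled>

    <!-- Run every hour instead of the 36000-second default -->
    <frequency>3600</frequency>

    <!-- Paths are relative to base_directory (default /var/ossec),
         so these resolve to /var/ossec/etc/shared/... -->
    <base_directory>/var/ossec</base_directory>
    <rootkit_files>/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/etc/shared/rootkit_trojans.txt</rootkit_trojans>

    <!-- Whole-system scan is off by default; turning it on
         raises coverage at the cost of more false positives -->
    <scanall>no</scanall>

    <!-- OSSEC 2.9.0 and later: skip NFS/CIFS mounts so a slow or
         stale network mount does not stall the scan (default: no) -->
    <skip_nfs>yes</skip_nfs>

    <!-- Individual Unix checks; every one of these defaults to yes,
         listed explicitly so a reviewer can see what is enabled -->
    <check_dev>yes</check_dev>
    <check_files>yes</check_files>
    <check_if>yes</check_if>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <check_sys>yes</check_sys>
    <check_trojans>yes</check_trojans>
    <check_unixaudit>yes</check_unixaudit>
  </rootcheck>
</ossec_config>
```

On a Windows agent the Unix checks are replaced by check_winapps, check_winaudit and check_winmalware, which the table above documents with the same yes/no semantics.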