
rootcheck(rootkit) scan dirs

determine

Hi to everyone.

I have a problem configuring OSSEC rootcheck.
While rootcheck scans my data directories, which hold an enormous number of files, the application server suffers from high CPU load and I/O wait.

Current settings from ./etc/ossec.conf:
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

I have already modified the syscheck settings to exclude my dirs.

The question is how to exclude particular dirs from the rootcheck scan itself, not just from the notifications.

Thanks in advance



Answers

  • determine,

    Rootcheck is generally designed to scan system directories and not data directories. With this said, the data you are looking for can be found at the URL below:

  • edited September 13
    @kcoe, thanks for help.
    I've found the solution.

          <check_sys>no</check_sys>   in the <rootcheck> section.
    The thing is, "check_sys" is turned on by default and it scans the WHOLE system every time, according to the <frequency>.

    And this feature can't be configured with an ignore list of dirs, just ON and OFF.
    This aspect was revealed in the book "Install OSSEC host-based intrusion detection".
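Because check_sys defaults to "yes" when the element is simply absent, it is easy to assume it is off when it is not. The following added example (not from this thread or the OSSEC project) parses the rootcheck section of an ossec.conf and reports the effective check_sys and frequency values; the sample configs, the function names and the 43200-second frequency are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the rootcheck block from the thread (check_sys absent,
# so it defaults to "yes") followed by the corrected block.
CONF_BEFORE = """<ossec_config>
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>
</ossec_config>
<ossec_config>
  <syscheck>
    <frequency>79200</frequency>
  </syscheck>
</ossec_config>
"""

CONF_AFTER = """<ossec_config>
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <check_sys>no</check_sys>
    <frequency>43200</frequency>
  </rootcheck>
</ossec_config>
"""

def parse_ossec_conf(text):
    # ossec.conf may contain several top-level <ossec_config> elements, which
    # is not well-formed XML, so wrap the file in a synthetic root first.
    return ET.fromstring("<root>" + text + "</root>")

def audit_rootcheck(text):
    """Return the effective rootcheck settings relevant to scan load.

    frequency None means no <frequency> is set and OSSEC's built-in default
    applies; check_sys and disabled reflect OSSEC's defaults when absent.
    """
    result = {"check_sys": True, "frequency": None, "disabled": False}
    for rc in parse_ossec_conf(text).iter("rootcheck"):
        for child in rc:
            value = (child.text or "").strip().lower()
            if child.tag == "check_sys":
                result["check_sys"] = value != "no"
            elif child.tag == "frequency":
                result["frequency"] = int(value)
            elif child.tag == "disabled":
                result["disabled"] = value == "yes"
    return result

def findings(text):
    # One finding per host: the whole-filesystem walk is on and not disabled.
    a = audit_rootcheck(text)
    if a["check_sys"] and not a["disabled"]:
        return ["check_sys is on: rootcheck walks the whole filesystem each "
                "run; set <check_sys>no</check_sys> if data dirs are too large"]
    return []
```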