Configuration
Basic usage
To configure the options for rootcheck, go to the Rootcheck section in ossec.conf. The most common configuration options are: frequency and system-audit
Basic example to configure audit polices:
<rootcheck>
<system_audit>./db/system_audit_rcl.txt</system_audit>
<system_audit>./db/cis_debian_linux_rcl.txt</system_audit>
<system_audit>./db/cis_rhel_linux_rcl.txt</system_audit>
</rootcheck>
Configure periodic scans
This is a basic configuration to run a scan every 10 hours.
<rootcheck>
<frequency>36000</frequency>
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
</rootcheck>
Root access to SSH
First you need to create your custom audit file (audit_test.txt):
# PermitRootLogin not allowed
# PermitRootLogin indicates if the root user can log in by ssh.
$sshd_file=/etc/ssh/sshd_config;
[SSH Configuration - 1: Root can log in] [any] [1]
f:$sshd_file -> !r:^# && r:PermitRootLogin\.+yes;
f:$sshd_file -> r:^#\s*PermitRootLogin;
2. Reference our new file in the rootcheck options:
<rootcheck>
<system_audit>/var/ossec/etc/shared/audit_test.txt</system_audit>
</rootcheck>