rootcheck
Configuration options for policy monitoring and anomaly detection.
Options
base_directory
The base directory that will be prefixed to the paths used by the following checks:
- Check rootkits
- Check trojans
- Scan the /dev directory
- Check the hidden files using system calls
Default value (UNIX): /
Default value (Windows): C:\
Allowed values: Path to a directory
ignore
List of files or directories to be ignored, one entry per option. Repeat the option to ignore more than one file or directory. Matching files and directories are skipped during scans.
Allowed values: sregex
Valid for: check_sys, check_dev, check_files
Attributes:
type: Simple regex expression used to match the files and directories to ignore.
  Allowed values: sregex
rootkit_files
Change the location of the rootkit files database.
Default value: etc/shared/rootkit_files.txt
Allowed values: A file with the rootkit file signatures
Note
Paths can be given as relative paths under the ThreatLockDown installation directory or as full paths.
rootkit_trojans
Change the location of the rootkit trojans database.
Default value: etc/shared/rootkit_trojans.txt
Allowed values: A file with the trojan signatures
windows_audit
Specifies the path to a Windows audit definition file.
Default value: n/a
Allowed values: Path to a Windows audit definition file
system_audit
Specifies the path to an audit definition file for Unix-like systems.
Default value: n/a
Allowed values: Path to an audit definition file for Unix-like systems
windows_apps
Specifies the path to a Windows application definition file.
Default value: n/a
Allowed values: Path to a Windows application definition file
windows_malware
Specifies the path to a Windows malware definitions file.
Default value: n/a
Allowed values: Path to a Windows malware definitions file
scanall
Tells rootcheck to scan the entire system. This option may lead to some false positives.
Default value: no
Allowed values: yes, no
readall
Allows rootcheck to read every file on the system and compare the number of bytes actually read with the file size reported by the filesystem (a mismatch is one sign of content being hidden from normal reads).
With readall set to no, only these folders are checked: /bin, /sbin, /usr/bin, /usr/sbin, /dev, /lib, /etc, /root, /var/log, /var/mail, /var/lib, /var/www, /usr/lib, /usr/include, /tmp, /boot, /usr/local, /var/tmp and /sys.
Default value: no
Allowed values: yes, no
frequency
Interval, in seconds, at which rootcheck is executed.
Default value: 43200
Allowed values: A positive number (seconds)
disabled
Disables the execution of rootcheck.
Default value: no
Allowed values: yes, no
check_dev
Enable or disable the checking of /dev.
Default value: yes
Allowed values: yes, no
check_files
Enable or disable the checking of files.
Default value: yes
Allowed values: yes, no
check_if
Enable or disable the checking of network interfaces.
Default value: yes
Allowed values: yes, no
check_pids
Enable or disable the checking of process IDs.
Default value: yes
Allowed values: yes, no
check_ports
Enable or disable the checking of network ports.
Default value: yes
Allowed values: yes, no
check_sys
Enable or disable checking for anomalous file system objects.
Default value: yes
Allowed values: yes, no
check_trojans
Enable or disable checking for trojans.
Default value: yes
Allowed values: yes, no
check_unixaudit
Enable or disable the Unix audit checks (the definition file given by system_audit).
Default value: yes
Allowed values: yes, no
check_winapps
Enable or disable the Windows application checks (the definition file given by windows_apps).
Default value: yes
Allowed values: yes, no
check_winaudit
Enable or disable the Windows audit checks (the definition file given by windows_audit).
Default value: yes
Allowed values: yes, no
check_winmalware
Enable or disable checking for Windows malware.
Default value: yes
Allowed values: yes, no
skip_nfs
Skip network-mounted filesystems during the scan (works on Linux and FreeBSD). Currently, skip_nfs excludes files on CIFS or NFS mounts from the checks; set it to no to scan them.
Default value: yes
Allowed values: yes, no
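The readall and skip_nfs options above describe two behaviours of the file checks: reading each file to EOF and comparing the bytes read with the reported size, and pruning NFS/CIFS mounts from the walk. The following script is an added example (not the agent's own code) that implements both in Python so the semantics can be tried on a directory tree. The filesystem type names in NETWORK_FS, the decision to skip /proc and /sys, and the sample directory it builds are assumptions of this example, not statements from the page.

```python
"""Read-to-EOF size comparison in the spirit of rootcheck's readall option.

Added example, not the agent's own code.  For every regular file under the
scanned roots it reads the file to EOF and compares the bytes actually read
with st_size from the inode.  On a clean system the two agree; a persistent
mismatch on an ordinary file is the kind of anomaly a kernel rootkit hiding
content would produce.  Paths under NFS or CIFS mounts are pruned, mirroring
the documented behaviour of skip_nfs.
"""
import os
import stat
import tempfile

# Folders this page lists as scanned when readall is "no".
DEFAULT_ROOTS = [
    "/bin", "/sbin", "/usr/bin", "/usr/sbin", "/dev", "/lib", "/etc", "/root",
    "/var/log", "/var/mail", "/var/lib", "/var/www", "/usr/lib", "/usr/include",
    "/tmp", "/boot", "/usr/local", "/var/tmp", "/sys",
]
# Assumption: filesystem type names as they appear in /proc/mounts.
NETWORK_FS = {"nfs", "nfs4", "cifs", "smb3"}
# Assumption of this example: pseudo-filesystems report st_size values that do
# not reflect readable content, so they are excluded from the comparison.
VOLATILE_PREFIXES = ("/proc", "/sys")


def network_mounts(mounts_text):
    """Return mount points of NFS/CIFS filesystems from /proc/mounts-style text."""
    points = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] in NETWORK_FS:
            points.append(fields[1])
    return points


def on_network_fs(path, mount_points):
    """True if path is a network mount point itself or lies below one."""
    path = os.path.abspath(path)
    for mp in mount_points:
        mp = mp.rstrip("/") or "/"
        if path == mp or path.startswith(mp if mp == "/" else mp + "/"):
            return True
    return False


def compare_read_size(path, chunk=1 << 16):
    """Return (bytes_read, st_size) for a regular file, or None if path is not
    a regular file or cannot be read.  lstat is used so symlinks are never
    followed; devices, fifos and sockets are skipped because reading them can
    block or return unbounded data."""
    try:
        st = os.lstat(path)
    except OSError:
        return None
    if not stat.S_ISREG(st.st_mode):
        return None
    total = 0
    try:
        with open(path, "rb") as fh:
            while True:
                data = fh.read(chunk)
                if not data:
                    break
                total += len(data)
    except OSError:
        return None  # e.g. permission denied: not an anomaly, just unreadable
    return total, st.st_size


def candidate_files(roots, mounts_text=""):
    """Yield file paths under roots, pruning pseudo-filesystems and NFS/CIFS mounts."""
    skip = network_mounts(mounts_text)
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            if dirpath.startswith(VOLATILE_PREFIXES) or on_network_fs(dirpath, skip):
                dirnames[:] = []  # do not descend any further
                continue
            for name in filenames:
                yield os.path.join(dirpath, name)


def scan(roots, mounts_text=""):
    """Return (path, bytes_read, st_size) for every regular file whose read
    length differs from its reported size."""
    anomalies = []
    for path in candidate_files(roots, mounts_text):
        result = compare_read_size(path)
        if result is not None and result[0] != result[1]:
            anomalies.append((path, result[0], result[1]))
    return anomalies


def make_sample_dir():
    """Constructed sample: a temp dir holding one 70000-byte regular file plus
    a subdirectory with a symlink, so scan() can be exercised offline."""
    d = tempfile.mkdtemp(prefix="readall-demo-")
    with open(os.path.join(d, "payload.bin"), "wb") as fh:
        fh.write(b"A" * 70000)
    os.mkdir(os.path.join(d, "sub"))
    os.symlink("payload.bin", os.path.join(d, "sub", "link"))
    return d


if __name__ == "__main__":
    sample = make_sample_dir()
    print("anomalies:", scan([sample]))  # a clean tree yields []
    # Real use, as root: scan(DEFAULT_ROOTS, open("/proc/mounts").read())
```

A clean tree yields no anomalies; the symlink is ignored because lstat is used, and handing the sample directory's own path to the mounts text as an nfs entry prunes it entirely, which is the skip_nfs behaviour.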
Default Unix configuration
<!-- Policy monitoring -->
<rootcheck>
  <disabled>no</disabled>
  <check_unixaudit>yes</check_unixaudit>
  <check_files>yes</check_files>
  <check_trojans>yes</check_trojans>
  <check_dev>yes</check_dev>
  <check_sys>yes</check_sys>
  <check_pids>yes</check_pids>
  <check_ports>yes</check_ports>
  <check_if>yes</check_if>
  <ignore type="sregex">^/etc/</ignore>
  <!-- Frequency that rootcheck is executed - every 12 hours -->
  <frequency>43200</frequency>
  <rootkit_files>etc/shared/rootkit_files.txt</rootkit_files>
  <rootkit_trojans>etc/shared/rootkit_trojans.txt</rootkit_trojans>
  <skip_nfs>yes</skip_nfs>
</rootcheck>
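The option table above is exactly what a configuration linter needs: each option's allowed values, its default, and which options consume `ignore`. The script below is an added example (not the project's own tooling) that parses a `<rootcheck>` block with xml.etree, rejects values the page does not allow, and warns about syntactically valid settings that silently remove coverage. The WEAK sample is constructed for the demo; DEFAULT_UNIX is the default configuration shown above and lints clean. The one-day threshold on frequency is an assumption of this example.

```python
"""Lint a <rootcheck> block against the option table on this page.

Added example, not the project's own tooling.  The WEAK sample is constructed;
DEFAULT_UNIX is the default Unix configuration from the page.
"""
import xml.etree.ElementTree as ET

# yes/no options with their documented defaults.
BOOL_OPTIONS = {
    "disabled": "no", "scanall": "no", "readall": "no",
    "check_dev": "yes", "check_files": "yes", "check_if": "yes",
    "check_pids": "yes", "check_ports": "yes", "check_sys": "yes",
    "check_trojans": "yes", "check_unixaudit": "yes", "check_winapps": "yes",
    "check_winaudit": "yes", "check_winmalware": "yes", "skip_nfs": "yes",
}
# Options that take a file or directory path.
PATH_OPTIONS = {
    "base_directory", "rootkit_files", "rootkit_trojans", "windows_audit",
    "system_audit", "windows_apps", "windows_malware",
}
IGNORE_TYPES = {"sregex"}                                     # only documented type value
IGNORE_CONSUMERS = ("check_sys", "check_dev", "check_files")  # where ignore applies
MAX_SANE_FREQUENCY = 86400  # assumption of this example: flag scans rarer than daily


def lint_rootcheck(xml_text):
    """Return a list of (severity, message) findings; [] means the block is clean."""
    root = ET.fromstring(xml_text)
    if root.tag != "rootcheck":
        return [("error", f"expected <rootcheck>, got <{root.tag}>")]
    findings = []
    seen = {}
    for el in root:
        value = (el.text or "").strip()
        if el.tag in BOOL_OPTIONS:
            if value not in ("yes", "no"):
                findings.append(("error", f"<{el.tag}> must be yes or no, got {value!r}"))
            seen[el.tag] = value
        elif el.tag == "frequency":
            if value.isdigit() and int(value) > 0:
                seen["frequency"] = int(value)
            else:
                findings.append(("error", f"<frequency> must be a positive number of seconds, got {value!r}"))
        elif el.tag == "ignore":
            kind = el.get("type")
            if kind is not None and kind not in IGNORE_TYPES:
                findings.append(("error", f"<ignore type={kind!r}> is not a documented type"))
            if not value:
                findings.append(("error", "<ignore> entry is empty"))
            seen.setdefault("ignore", []).append(value)
        elif el.tag in PATH_OPTIONS:
            if not value:
                findings.append(("error", f"<{el.tag}> must name a file or directory"))
        else:
            findings.append(("warning", f"<{el.tag}> is not a documented rootcheck option"))

    # Coverage checks: valid settings that still weaken monitoring.
    if seen.get("disabled") == "yes":
        findings.append(("warning", "rootcheck is disabled; no policy monitoring runs"))
    for opt, default in BOOL_OPTIONS.items():
        if opt.startswith("check_") and seen.get(opt, default) == "no":
            findings.append(("warning", f"{opt} is off (documented default is yes)"))
    if seen.get("frequency", 43200) > MAX_SANE_FREQUENCY:
        findings.append(("warning", f"frequency {seen['frequency']} s leaves more than a day between scans"))
    if seen.get("ignore") and all(seen.get(o, "yes") == "no" for o in IGNORE_CONSUMERS):
        findings.append(("warning", "<ignore> has no effect: check_sys, check_dev and check_files are all off"))
    return findings


# Constructed weak block: a typo'd option, a non-boolean value, a zero
# interval, an undocumented ignore type and a disabled file check.
WEAK = """<rootcheck>
  <check_files>no</check_files>
  <check_trojans>maybe</check_trojans>
  <frequency>0</frequency>
  <ignore type="regex">^/var/</ignore>
  <scan_all>yes</scan_all>
</rootcheck>"""

# The default Unix configuration from this page.
DEFAULT_UNIX = """<!-- Policy monitoring -->
<rootcheck>
  <disabled>no</disabled>
  <check_unixaudit>yes</check_unixaudit>
  <check_files>yes</check_files>
  <check_trojans>yes</check_trojans>
  <check_dev>yes</check_dev>
  <check_sys>yes</check_sys>
  <check_pids>yes</check_pids>
  <check_ports>yes</check_ports>
  <check_if>yes</check_if>
  <ignore type="sregex">^/etc/</ignore>
  <!-- Frequency that rootcheck is executed - every 12 hours -->
  <frequency>43200</frequency>
  <rootkit_files>etc/shared/rootkit_files.txt</rootkit_files>
  <rootkit_trojans>etc/shared/rootkit_trojans.txt</rootkit_trojans>
  <skip_nfs>yes</skip_nfs>
</rootcheck>"""

if __name__ == "__main__":
    for name, block in (("WEAK", WEAK), ("DEFAULT_UNIX", DEFAULT_UNIX)):
        print(name, lint_rootcheck(block) or "clean")
```

Note that `scanall` misspelled as `scan_all` is reported only as a warning for an undocumented option; the real effect is that the intended setting never takes hold, which is why unknown tags deserve attention rather than silence.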