Syscheck Not Disabled When Configured to be
New install (2.5.1). Chose server; disabled rootcheck, syscheck, and active response. After installation, this was in ossec.conf:
<rootcheck>
  <disabled>yes</disabled>
</rootcheck>
But not this:
<syscheck>
  <disabled>yes</disabled>
</syscheck>
So I added it. But it seems that syscheck is not truly enabled, since the ossec-syscheckd process is still running. Also, ossec.log displays many of these:
2011/06/10 09:39:19 ossec-syscheckd(1105): ERROR: Attempted to use null string.
Also, it is configured with rules, but did not set up any logs (localfiles) to read.