Issue #15 new

Syscheck Not Disabled When Configured to be

mstarks01
created an issue

New install (2.5.1). Chose server, disable rootcheck, syscheck, active response. After installation, this was in ossec.conf:

<rootcheck> <disabled>yes</disabled> </rootcheck>

But not this:

<syscheck> <disabled>yes</disabled> </syscheck>

So I added it. But it seems that syscheck is not truly enabled, since the ossec-syscheckd process is still running. Also, ossec.log displays many of these:

2011/06/10 09:39:19 ossec-syscheckd(1105): ERROR: Attempted to use null string.

Also, it is configured with rules, but did not set up any logs (localfiles) to read.

Comments (1)

  1. mstarks01 reporter

    Upon retesting, I don't see the 'Attempted to use null string.' error any more; however, the syscheck daemon does continue to run when not needed.
