My two cents (and rushing out the door, so if I missed a point or misunderstood let me know!):
Will it stop rootkits from being installed?
If you mean kernel-level rootkits, it might be able to stop them from being uploaded or opened, but only if they can be detected. So yes, it's helpful, but it's not the actual layer we use to stop rootkits. Kernel rootkits are best stopped with the hardened ASL kernel. The ASL kernel will stop rootkits from being installed if you configure ASL to lock the kernel (which is the default). So out of the box, ASL stops rootkits from being installed. You don't even need dazuko to stop rootkits if you have the ASL kernel.
If you mean PHP shells and stuff like that, yes, dazuko is a great tool, but for kernel rootkits alone it's not the solution. It might stop kernel-level rootkits, but that's not what we added it into ASL for. It's there to help prevent malicious things from running, and a good kernel-level rootkit attack can potentially get around that - which is why ASL has rootkit protections built into the kernel.
What are the recommended settings for /etc/asl/dazuko-include and /etc/asl/dazuko-exclude on a standard CentOS/Plesk/ASL box?
I recommend you set dazuko to watch all your user writable directories, such as:
/home
/tmp
/var/tmp
/var/www
Your statistics directories may generate false positives, however. We've tried to account for that in the clamav rules we include, and so far all the error_log false positives (malicious domains, for example, used to generate FPs in the error_log) have been accounted for. If you run into any, just let us know; it's pretty easy for us to tune the rules to ignore non-malicious events.
We don't recommend setting dazuko to watch /bin and /usr because those are largely unnecessary. You need to become root to change those, and if the bad guys have root they can just disable dazuko. ASL can also prevent this through the Role Based Access Control system, but that's an advanced option that we don't enable by default (you need to create your own policies to use it). It's like SELinux, except it has a self-learning mode - but you still need to tune it for your system.
So, didn't want to get off on a tangent. RBAC good - now back to dazuko.
Do changes to those config files require a reboot each time?
No. Just a reload of clamd.
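The watch-list advice above (watch the user-writable trees, skip /bin and /usr, reload clamd rather than reboot) can be turned into a quick config lint. The script below is an added example and is not code from ASL or from the poster; it assumes /etc/asl/dazuko-include holds one absolute path per line with blank lines and '#' comments ignored, which is an assumption made for this illustration, not a documented format. It reports which of the recommended directories are absent from the list and which configured entries fall under the root-only trees the post says add little.

```shell
#!/bin/sh
# Added example, not code from the ASL project or the original post.
# Assumed format of /etc/asl/dazuko-include: one absolute path per line,
# blank lines and '#' comments ignored (an assumption for this illustration).

# User-writable directories the post recommends watching.
RECOMMENDED="/home /tmp /var/tmp /var/www"

# Emit the configured paths from an include file, one per line,
# with comments, trailing whitespace and blank lines stripped.
read_watch_list() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Print the recommended directories that are not in the include file.
missing_watch_dirs() {
    for dir in $RECOMMENDED; do
        read_watch_list "$1" | grep -qx "$dir" || echo "$dir"
    done
}

# Print configured entries under /bin or /usr: root-only trees that the
# post says are unnecessary to watch, since root could disable dazuko anyway.
root_only_entries() {
    read_watch_list "$1" | while IFS= read -r p; do
        case "$p" in
            /bin|/bin/*|/usr|/usr/*) echo "$p" ;;
        esac
    done
}

# Count lines on stdin (prints 0 for empty input).
count_lines() {
    n=0
    while IFS= read -r _line; do n=$((n + 1)); done
    echo "$n"
}

# Demo on a constructed include file: it watches /home and /tmp, adds
# /usr/local, and omits /var/tmp and /var/www.
demo_file=$(mktemp)
printf '%s\n' '# dazuko watch list (constructed sample)' /home /tmp /usr/local > "$demo_file"
echo "Missing recommended directories:"
missing_watch_dirs "$demo_file"
echo "Root-only entries that add little:"
root_only_entries "$demo_file"
rm -f "$demo_file"
# After editing the real include file, reload clamd (no reboot needed,
# per the post) so the new watch list takes effect.
```

Run it against the real file by replacing the constructed sample with /etc/asl/dazuko-include; an empty "missing" section and an empty "root-only" section means the list matches the recommendation in the post.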