To note, we added the following to the core ossec config instead:

<rootcheck>
  <ignore>/var/lib/docker/aufs/mnt/</ignore>
</rootcheck>
On Tuesday, 19 September 2017 10:08:54 UTC+1, Tom Farrar wrote:
>
> Hi all,
>
> We're looking to add a rule in local_rules to match against Docker's aufs
> mounts which sets rootcheck alerts (509,510) to level 0. So far we've tried
> the following with no luck:
>
> <rule id="100022" level="0">
>   <if_sid>509</if_sid>
>   <match>/var/lib/docker/aufs/mnt</match>
>   <description>Ignore alerts for this file as a rootcheck alert is
>   triggered because of the file permissions required.</description>
> </rule>
>
> <rule id="100023" level="0">
>   <if_sid>510</if_sid>
>   <match>/var/lib/docker/aufs/mnt</match>
>   <description>Ignore alerts for this file as a rootcheck alert is
>   triggered because of the file permissions required.</description>
> </rule>
>
> and
>
> <rule id="100022" level="0">
>   <if_sid>509</if_sid>
>   <match>/var/lib/docker/aufs/mnt/*</match>
>   <description>Ignore alerts for this file as a rootcheck alert is
>   triggered because of the file permissions required.</description>
> </rule>
>
> <rule id="100023" level="0">
>   <if_sid>510</if_sid>
>   <match>/var/lib/docker/aufs/mnt/*</match>
>   <description>Ignore alerts for this file as a rootcheck alert is
>   triggered because of the file permissions required.</description>
> </rule>
>
> Can anyone point us in the right direction please? I believe we've used match
> for a single directory before (successfully), but never on a directory that
> has several layers of sub-directories.
>
> Thanks,
>
> Tom

-- 
You received this message because you are subscribed to the Google Groups "ossec-list" group.
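Added example (not from the thread and not OSSEC code): a small Python model of what a tree-wide `<rootcheck><ignore>` like the one above costs in detection coverage. It assumes the ignore value acts as a literal path prefix (an assumption about rootcheck's matching, not something the thread states), uses constructed rootcheck messages with a fake aufs layer id, and reports which suppressed findings sit in directories inside the container filesystem that a defender would normally still want to see.

```python
from __future__ import annotations

import re
from typing import Iterable

# Constructed sample rootcheck messages in the style of the 509/510 alerts the
# thread is about (fake layer id "deadbeef0001"; nothing here was captured from
# a real agent).
SAMPLE_FINDINGS = [
    "File '/var/lib/docker/aufs/mnt/deadbeef0001/tmp' is owned by root and has written permissions to anyone.",
    "File '/var/lib/docker/aufs/mnt/deadbeef0001/usr/bin/su' is owned by root and has written permissions to anyone.",
    "File '/var/lib/docker/volumes/db/_data/dump.sql' is owned by root and has written permissions to anyone.",
    "File '/etc/cron.d/backup' is owned by root and has written permissions to anyone.",
]

PATH_RE = re.compile(r"File '([^']+)'")

# Directories where a world-writable file is worth an analyst's attention even
# when it sits inside a container layer (constructed list for this example).
SENSITIVE_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/etc/")


def finding_path(message: str) -> str:
    """Pull the quoted file path out of a rootcheck message."""
    m = PATH_RE.search(message)
    if m is None:
        raise ValueError(f"no file path in rootcheck message: {message!r}")
    return m.group(1)


def apply_ignore(findings: Iterable[str], ignore_prefixes: Iterable[str]) -> tuple[list[str], list[str]]:
    """Split findings into (reported, suppressed) for a set of <rootcheck><ignore> values.

    Assumption of this model (not verified against OSSEC source): each <ignore>
    value acts as a literal path prefix, so everything below it is suppressed.
    """
    prefixes = tuple(ignore_prefixes)
    reported: list[str] = []
    suppressed: list[str] = []
    for msg in findings:
        target = suppressed if finding_path(msg).startswith(prefixes) else reported
        target.append(msg)
    return reported, suppressed


def hidden_sensitive(suppressed: Iterable[str], ignore_prefix: str) -> list[str]:
    """Return suppressed paths whose location *inside* the ignored tree lands in a
    sensitive directory: the part of the ignore's cost a reviewer should know about.

    Assumes ignore_prefix is the aufs mnt directory, whose direct children are
    layer ids, so the first component after the prefix is stripped.
    """
    hidden = []
    for msg in suppressed:
        path = finding_path(msg)
        inner = path[len(ignore_prefix):]
        # Drop the layer id, leaving the path as seen inside the container.
        inner = "/" + inner.split("/", 1)[1] if "/" in inner else "/"
        if inner.startswith(SENSITIVE_DIRS):
            hidden.append(path)
    return hidden


def coverage_report(findings: Iterable[str], ignore_prefix: str) -> dict:
    """Summarise what one <ignore> prefix would keep, drop, and hide."""
    findings = list(findings)
    reported, suppressed = apply_ignore(findings, [ignore_prefix])
    return {
        "reported": len(reported),
        "suppressed": len(suppressed),
        "hidden_sensitive": hidden_sensitive(suppressed, ignore_prefix),
    }


if __name__ == "__main__":
    print(coverage_report(SAMPLE_FINDINGS, "/var/lib/docker/aufs/mnt/"))
```

Run against the constructed sample, the tree-wide ignore drops both aufs findings, one of which is a world-writable `su` inside a layer; a narrower ignore on the `tmp` path alone keeps that finding visible. The point is to make the trade-off explicit before committing an `<ignore>` to the core config: it silences the noise the thread describes, but also everything else rootcheck would have found under that tree.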