Andrew,
I had the same problem so I reported it to Daniel. He wrote back
saying:

I was testing it right now and there is indeed a bug. I added the
ignore configuration, but
somehow managed to forget to commit the code to actually check it...
It is fixed on this snapshot:

Hi Daniel,
Sorry to have taken so many months (!) to get back to you.
I've tried the rootcheck ignore option out but it still appears to scan the
files.
(excerpt from ossec.conf)
<rootcheck>
<rootkit_files>/usr/local/ossec/etc/shared/rootkit_files.txt</rootkit_files>

Many thanks for that - I'll try it today.
I foresee a slight problem with our current setup.
Six webservers are clustered, one of which shares an image directory
as an nfs share under /home/httpd/images (hence the rootcheck scanning
it).
If I set a global <ignore>/home/httpd/images</ignore> rule
We also have servers with nfs shares mounted.
Is it possible to configure rootcheck to not scan nfs shares? I can't
find much info on it.
thanks

Hey,
I added the ignore option to Rootcheck, so you can specify your NFS
shares in there to
avoid scanning them.
It is available on the latest snapshot:
http://ossec.net/files/snapshots/ossec-hids-090723.tar.gz
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Thu, Jul 23, 2009 at 6:45 AM,
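
Added example, not part of the original thread and not OSSEC project code: one way to build the rootcheck ignore entries discussed above from the host's mount table instead of listing NFS shares by hand. It assumes the output lines are pasted inside the `<rootcheck>` section of ossec.conf, as in the thread; the function names and the sample mount table are constructed for illustration.

```python
import re
from xml.sax.saxutils import escape

# Filesystem types treated as NFS shares (assumption: extend as needed).
NFS_TYPES = {"nfs", "nfs4"}

# Constructed sample in /proc/mounts format:
# device, mount point, fs type, options, dump, pass
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw,relatime 0 0
proc /proc proc rw 0 0
filer01:/export/images /home/httpd/images nfs rw,vers=3,addr=192.0.2.10 0 0
filer01:/export/shared\\040docs /mnt/shared\\040docs nfs4 rw,vers=4 0 0
/dev/sdb1 /var/nfs-backup ext3 rw 0 0
"""


def _unescape(field):
    # /proc/mounts writes space, tab, newline and backslash as octal
    # escapes (\040, \011, \012, \134); decode them to real characters.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def nfs_mount_points(mounts_text):
    """Return mount points whose filesystem type is NFS, in file order."""
    points = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # blank or malformed line
        # Match on the type column only, so a local path that merely
        # contains "nfs" in its name is not ignored by mistake.
        if fields[2] in NFS_TYPES:
            path = _unescape(fields[1])
            if path not in points:
                points.append(path)
    return points


def rootcheck_ignore_rules(mounts_text):
    """Render one <ignore> element per NFS mount point, XML-escaped."""
    return ["<ignore>%s</ignore>" % escape(p) for p in nfs_mount_points(mounts_text)]


if __name__ == "__main__":
    try:
        with open("/proc/mounts") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_MOUNTS  # fall back to the constructed sample
    print("\n".join(rootcheck_ignore_rules(text)))
```

Every path ignored this way is a location rootcheck no longer inspects on that host, so the share should still be scanned by the server that exports it.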