Hi list.
In my config I have an ignore tag inside the syscheck.
There is no option to use the same tag under rootkit.
The rootkit search engine searches for files owned by root and world-writable (I know it is a security risk).
1. I do not see how a file owned by root and o+w is a rootkit alarm (it may be a hardening issue).
2. I tried using <scanall>no</scanall> and still got the rootkit engine alarming on files under /usr/local/myfiles/.

Did I say that ossec rocks?
