hi *,

i am having a problem with the rootcheck module on a host with openvz zones. it's quite clear that rootcheck alarms on the zones themselves, but it also shows alarms on the host itself ... it finds the proc filesystem from the zones and fires up

---example---
Received From: alfredo->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Anomaly detected in file '/var/lib/vz/root/1503/proc/24551'. Hidden from stats, but showing up on readdir. Possible kernel level rootkit.

--END OF NOTIFICATION
---end-of-example---

i tried various local rules but i did not find a solution to ignore the zones proc file system. hope somebody can help me out.

cheers
philipp

p.s. is it normal that the mailing list archive stops working after july on http://www.ossec.net/ossec-list/ but is still working on http://marc.theaimsgroup.com/?l=ossec-list. :)
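As an added illustration (not from this thread and not OSSEC project code), one way to keep rule 510 active for the host while dropping only the hits that come from the container proc trees is a child rule in local_rules.xml; the rule id 100510 and the regex over the container path are assumptions based on the alert quoted above:

```xml
<group name="local,rootcheck,">
  <!-- Added example: child of rootcheck rule 510 that matches only when the
       anomaly path sits under an OpenVZ container root's proc tree
       (/var/lib/vz/root/<ctid>/proc/...) and sets level 0 so that alert is
       dropped. Rule id 100510 is assumed (local ids start at 100000); the
       path pattern is taken from the alert above. -->
  <rule id="100510" level="0">
    <if_sid>510</if_sid>
    <regex>Anomaly detected in file '/var/lib/vz/root/\d+/proc/</regex>
    <description>Ignore rootcheck proc anomalies seen through OpenVZ container roots</description>
  </rule>
</group>
```

Because the pattern is pinned to the container proc path, a hidden-process anomaly anywhere else on the host still raises rule 510 at its original level, so the host's own rootkit coverage is unchanged.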
