Hi All,

SuSE runs ntpd in its own chroot'ed environment and remounts the proc system in there.

I don't run OSSEC integrity checking (since I already use tripwire) but I do use the rootkit checking, and the presence of another instance of the procfs seems to cause it difficulty. I've already had to filter out messages of the form:

"File '/var/lib/ntp/proc/BLAH/attr/current' is owned by root and has written permissions to anyone."

(and similar for attr/fscreate and attr/exec) via my local_rules, but today I also got a:

"Anomaly detected in file '/var/lib/ntp/proc/31893'. Hidden from stats, but showing up on readdir. Possible kernel level rootkit."

which I presume occurred because the process with PID 31893 was created/destroyed in between runs of stats and readdir (certainly I can't cd to it now).

Is there any way to instruct the rootkit checker in OSSEC that /var/lib/ntp/proc is a procfs, or at least tell it to ignore it, rather than having to filter out individual instances like this as and when they occur?

Of course if anyone thinks the above message really is more than a mistake let me know!

Thanks!
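An added example of the per-message local_rules approach generalised to the whole chroot'ed procfs path, rather than one rule per file (this is illustrative editor-supplied configuration, not something from the original post or from the OSSEC project). It assumes rule 510 is the rootcheck anomaly rule in your ossec_rules.xml and that 100100 is a free ID in the local range; check both against your installation before using it:

```xml
<!-- Added example for local_rules.xml (not from the original post).
     Assumption: rule 510 is the parent rootcheck anomaly rule on this server;
     rule ID 100100 is assumed free in the local (100000+) range.
     A level 0 child rule matching the chroot'ed procfs prefix silences every
     rootcheck event under /var/lib/ntp/proc/ (attr/current, attr/fscreate,
     attr/exec and transient PID directories alike), while rootcheck events
     for the real /proc still raise the parent rule's alert. -->
<group name="local,rootcheck,">
  <rule id="100100" level="0">
    <if_sid>510</if_sid>
    <match>/var/lib/ntp/proc/</match>
    <description>Ignore rootcheck events from ntpd's chroot'ed procfs copy.</description>
  </rule>
</group>
```

Before restarting the server, paste the exact alert text (the "Anomaly detected in file '/var/lib/ntp/proc/31893' ..." line) into ossec-logtest and confirm it now resolves to rule 100100 at level 0; an unchanged rule 510 at level 7 means the parent ID assumed above differs on your version and needs adjusting.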
