Is there any way that I can prevent rootcheck from processing a read-only
proc filesystem? SUSE ntpd mounts a read-only proc filesystem at
/var/lib/ntp/proc and rootcheck is producing false positives in this
directory.
Alternatively, is there a way to test the rules for rootcheck? I have
tried ./rootcheck_control -i 000 -L and used this as input to
ossec-logtest, with the following results:
System Audit: File '/var/lib/ntp/proc/7810/attr/sockcreate' is owned by root and has written permissions to anyone.
**Phase 1: Completed pre-decoding.
full event: 'System Audit: File '/var/lib/ntp/proc/7810/attr/sockcreate' is owned by root and has written permissions to anyone.'
hostname: 'dg-linux2'
program_name: '(null)'
log: 'System Audit: File '/var/lib/ntp/proc/7810/attr/sockcreate' is owned by root and has written permissions to anyone.'
**Phase 2: Completed decoding.
No decoder matched.
TIA,
Dennis
--
Dennis Golden
Golden Consulting Services, Inc.
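The message in the post comes from a stat-based "owned by root and world-writable" check, which misfires on a proc filesystem because files such as /proc/PID/attr/* are synthetic and mode 0666 by design. The following is an added example, not OSSEC's rootcheck code and not something the poster wrote: a small reimplementation of that check that reads the mount table, records every mount of type "proc", and refuses to descend into those trees, so a second proc mount such as /var/lib/ntp/proc is skipped along with /proc itself. The mount-table text, the temp directory and the `root_uid` parameter (so the demo can run unprivileged) are all constructed for the example; the message text is copied from the post.

```python
import os
import shutil
import stat
import tempfile

# Constructed sample of /proc/mounts contents (not captured from a real host).
# Field order is: device, mount point, fstype, options, dump, pass.
SAMPLE_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0
proc /var/lib/ntp/proc proc ro,nosuid,nodev,noexec,relatime 0 0
"""

# Wording reproduced from the rootcheck message quoted in the post.
MESSAGE = "File '%s' is owned by root and has written permissions to anyone."


def proc_mountpoints(mounts_text):
    """Return the set of mount points whose filesystem type is 'proc'.

    Mount points containing spaces are octal-escaped in /proc/mounts
    (e.g. '\\040'); that unescaping is deliberately left out here.
    """
    points = set()
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] == "proc":
            points.add(fields[1].rstrip("/") or "/")
    return points


def on_proc_fs(path, procpoints):
    """True if `path` is at or below any recorded proc mount point."""
    p = os.path.abspath(path)
    for mp in procpoints:
        if p == mp or p.startswith(mp + "/"):
            return True
    return False


def world_writable_root_files(root, procpoints, root_uid=0):
    """Walk `root` and return regular files owned by `root_uid` that are
    writable by 'other'. Subtrees on a proc filesystem are pruned, which is
    the behaviour the post is asking rootcheck for.
    `root_uid` is an assumption for the demo; a real scanner would use 0."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if on_proc_fs(dirpath, procpoints):
            dirnames[:] = []  # do not descend into a proc mount
            continue
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # vanished or unreadable; not a finding
            if (stat.S_ISREG(st.st_mode)
                    and st.st_uid == root_uid
                    and st.st_mode & stat.S_IWOTH):
                findings.append(full)
    return findings


def format_finding(path):
    """Render one finding in the same wording rootcheck used in the post."""
    return MESSAGE % path


def build_sample_tree():
    """Constructed fixture: a temp directory holding one 0666 file and one
    0644 file. Returns the directory path."""
    root = tempfile.mkdtemp(prefix="rootcheck-demo-")
    for name, mode in (("world-writable", 0o666), ("normal", 0o644)):
        path = os.path.join(root, name)
        with open(path, "w"):
            pass
        os.chmod(path, mode)
    return root


def scan_sample_tree(skip_tree=False):
    """Scan the fixture as the current user stands in for root. With
    `skip_tree=True` the fixture itself is treated as a proc mount, which
    is exactly the exclusion the post wants for /var/lib/ntp/proc."""
    root = build_sample_tree()
    try:
        procpoints = proc_mountpoints(SAMPLE_MOUNTS)
        if skip_tree:
            procpoints.add(root)
        found = world_writable_root_files(root, procpoints, root_uid=os.getuid())
        return [os.path.relpath(p, root) for p in found]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print("proc mounts:", sorted(proc_mountpoints(SAMPLE_MOUNTS)))
    for rel in scan_sample_tree():
        print("System Audit:", format_finding(rel))
    print("with proc skip:", scan_sample_tree(skip_tree=True))
```

Against the constructed mount table, `/var/lib/ntp/proc/7810/attr/sockcreate` is classified as living on a proc mount and is never stat'ed, while the same 0666 file on a regular filesystem is still reported. Reading the mount table rather than hard-coding `/proc` is the point: the exclusion follows the filesystem type, not a path list that has to be maintained per distribution.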