There is a files/directories to ignore section within ossec.conf; if you add the directory there, that might be the quickest way.
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Dennis Golden
Sent: Tuesday, March 03, 2009 1:38 PM
To: ossec list
Subject: [ossec-list] How can I prevent rootcheck from processing r/o proc filesystem

Is there any way that I can prevent rootcheck from processing a read-only proc filesystem? SUSE ntpd mounts a read-only proc filesystem at /var/lib/ntp/proc and rootcheck is producing false positives in this directory.

Alternatively, is there a way to test the rules for rootcheck? I have tried ./rootcheck_control -i 000 -L and used this as input to ossec-logtest with the following results:

System Audit: File '/var/lib/ntp/proc/7810/attr/sockcreate' is owned by root and has written permissions to anyone.

**Phase 1: Completed pre-decoding.
       full event: 'System Audit: File '/var/lib/ntp/proc/7810/attr/sockcreate' is owned by root and has written permissions to anyone.'
       hostname: 'dg-linux2'
       program_name: '(null)'
       log: 'System Audit: File '/var/lib/ntp/proc/7810/attr/sockcreate' is owned by root and has written permissions to anyone.'

**Phase 2: Completed decoding.
       No decoder matched.

TIA,
Dennis

--
Dennis Golden
Golden Consulting Services, Inc.
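
The kind of ossec.conf excerpt the reply is pointing at, written out here as an added example (it is not from the thread or from the OSSEC project's shipped configuration). The path /var/lib/ntp/proc comes from the question; the rootkit_files, rootkit_trojans and system_audit paths are the usual defaults of a /var/ossec install. The <ignore> element under <rootcheck> is an assumption about the installed release: it exists in later OSSEC versions, so check the rootcheck options in your version's documentation before relying on it. The <ignore> list under <syscheck> is a separate thing: it only affects the file integrity checker, not rootcheck's system audit.

```xml
<!-- Added example, not from the original thread or the OSSEC project.
     Tells rootcheck to leave ntpd's read-only copy of /proc alone.
     <rootcheck><ignore> is assumed to be supported by the installed
     OSSEC release; verify against your version's documentation. -->
<ossec_config>
  <rootcheck>
    <disabled>no</disabled>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>

    <!-- Path taken from the question: SUSE ntpd mounts a read-only proc
         filesystem here. One path per <ignore> element. -->
    <ignore>/var/lib/ntp/proc</ignore>
  </rootcheck>

  <!-- This list belongs to the file integrity checker (syscheck), not to
       rootcheck. Adding the path here alone does not stop the
       "System Audit: File ... has written permissions to anyone" alerts. -->
  <syscheck>
    <ignore>/var/lib/ntp/proc</ignore>
  </syscheck>
</ossec_config>
```

After editing the agent's ossec.conf, restart OSSEC (/var/ossec/bin/ossec-control restart) so rootcheck re-reads its configuration, then wait for the next rootcheck scan (or trigger one) and confirm the /var/lib/ntp/proc entries no longer appear in the system audit output.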
