Bruce Martins wrote:
> There is a files/directories to ignore section within ossec.conf; if you add
> the directory there, that might be the quickest way.

I've done that, but it appears to only apply to syscheck. The rootcheck process appears to ignore it.

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of Dennis Golden
> Sent: Tuesday, March 03, 2009 1:38 PM
> To: ossec list
> Subject: [ossec-list] How can I prevent rootcheck from processing r/o proc
> filesystem
>
> Is there any way that I can prevent rootcheck from processing a read-only
> proc filesystem? SUSE ntpd mounts a read-only proc filesystem at
> /var/lib/ntp/proc and rootcheck is producing false positives in this
> directory.
>
> Alternatively, is there a way to test the rules for rootcheck? I have
> tried ./rootcheck_control -i 000 -L and used this as input to
> ossec-logtest with the following results:
>
> System Audit: File '/var/lib/ntp/proc/7810/attr/sockcreate' is owned by
> root and has written permissions to anyone.
>
> **Phase 1: Completed pre-decoding.
> full event: 'System Audit: File '/var/lib/ntp/proc/7810/attr/sockcreate' is owned by root and has written permissions to anyone.'
> hostname: 'dg-linux2'
> program_name: '(null)'
> log: 'System Audit: File '/var/lib/ntp/proc/7810/attr/sockcreate' is owned by root and has written permissions to anyone.'
>
> **Phase 2: Completed decoding.
> No decoder matched.
>
> TIA,
>
> Dennis

--
Dennis Golden
Golden Consulting Services, Inc.
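One defender-side way to suppress these false positives outside OSSEC, as an added example that is not OSSEC code and not from anyone in the thread: read the host's mount table, find every filesystem of type proc (optionally only those mounted read-only, like the ntpd chroot case), and drop rootcheck "System Audit" lines whose file lives under one of those mount points. The mount table and alert lines below are constructed samples that follow the format shown in the thread; the function and variable names are this example's own.

```python
import re

# Constructed sample of /proc/mounts content; the /var/lib/ntp/proc line
# mirrors the read-only proc mount described in the thread.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
proc /var/lib/ntp/proc proc ro,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw 0 0
"""

# Constructed rootcheck "System Audit" lines in the format shown in the thread.
SAMPLE_ALERTS = [
    "System Audit: File '/var/lib/ntp/proc/7810/attr/sockcreate' is owned by root and has written permissions to anyone.",
    "System Audit: File '/etc/cron.d/backup' is owned by root and has written permissions to anyone.",
    "System Audit: File '/proc/1234/attr/exec' is owned by root and has written permissions to anyone.",
]

AUDIT_RE = re.compile(r"System Audit: File '(?P<path>[^']+)' is owned by")

def proc_mountpoints(mounts_text, read_only_only=False):
    """Mount points of type 'proc' from /proc/mounts text; with read_only_only,
    keep only mounts carrying the 'ro' option (the ntpd chroot case)."""
    points = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "proc":
            continue
        opts = fields[3].split(",")
        if read_only_only and "ro" not in opts:
            continue
        points.append(fields[1].rstrip("/") or "/")
    return points

def under_mount(path, mountpoints):
    """True if path lies at or below any of the given mount points."""
    return any(path == mp or path.startswith(mp + "/") for mp in mountpoints)

def filter_proc_alerts(alerts, mounts_text, read_only_only=False):
    """Drop System Audit lines whose file sits on a proc filesystem; keep the rest."""
    skip = proc_mountpoints(mounts_text, read_only_only)
    kept = []
    for line in alerts:
        m = AUDIT_RE.search(line)
        if m and under_mount(m.group("path"), skip):
            continue  # pseudo-files on proc: permission bits are not meaningful
        kept.append(line)
    return kept
```

On a live host, replace SAMPLE_MOUNTS with the contents of /proc/mounts and feed it the rootcheck output the thread shows; the /etc entry survives the filter while both proc entries are dropped.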
