Bruce Martins wrote:
> Yeah I don't see an option in the documentation for adding an ignore
> value to root check, did you add the value scanall and set this to
> yes?
No.
> If so I would try setting this to no or removing it as the default
> value is no.
Well, I created a local rule to ignore these:
<group name="ossec,">
  <rule id="100511" level="0">
    <if_sid>510</if_sid>
    <match>/var/lib/ntp/proc</match>
    <description>Read only proc filesystem.</description>
    <group>rootcheck,</group>
  </rule>
</group> <!-- OSSEC -->
But this seems a waste of processing, so I created a bug report on
Bugzilla. Hopefully, this local rule will help someone else who happens
on the problem.
Dennis
--
Dennis Golden
Golden Consulting Services, Inc.