Hi Dennis,

Rootcheck shouldn't be checking read-only file systems in there (including /proc, /sys, etc). I made a small fix for it and it is available at:

http://www.ossec.net/files/snapshots/ossec-hids-090304.tar.gz

If you can try it out, it would be great.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Tue, Mar 3, 2009 at 5:29 PM, Dennis Golden <[email protected]> wrote:
>
> Bruce Martins wrote:
>> Yeah I don't see an option in the documentation for adding an ignore
>> value to root check, did you add the value scanall and set this to
>> yes?
>
> No.
>
>> If so I would try setting this to no or removing it as the default
>> value is no.
>
> Well, I created a local rule to ignore these:
>
> <group name="ossec,">
>
>   <rule id="100511" level="0">
>     <if_sid>510</if_sid>
>     <match>/var/lib/ntp/proc</match>
>     <description>Read only proc filesystem.</description>
>     <group>rootcheck,</group>
>   </rule>
>
> </group> <!-- OSSEC -->
>
> But this seems a waste of processing, so I created a bug report on
> bugzilla. Hopefully, this local rule will help someone else, who happens
> on the problem.
>
> Dennis
> --
> Dennis Golden
> Golden Consulting Services, Inc.
