Daniel Cid wrote:
> Hi Dennis,
>
> Rootcheck shouldn't be checking read-only file systems in there
> (including /proc, /sys, etc). I made a small fix
> for it and it is available at:
>
> http://www.ossec.net/files/snapshots/ossec-hids-090304.tar.gz
>
> If you can try it out, it would be great.
>
> Thanks,
>
> --
> Daniel B. Cid

Thanks Daniel,

I installed the snapshot and tested. I had to let it run for a while to
make sure it looked okay.

Looks good,

Dennis

>
> On Tue, Mar 3, 2009 at 5:29 PM, Dennis Golden
> <[email protected]> wrote:
>> Bruce Martins wrote:
>>> Yeah I don't see an option in the documentation for adding an ignore
>>> value to root check, did you add the value scanall and set this to
>>> yes?
>> No.
>>
>>> If so I would try setting this to no or removing it as the default
>>> value is no.
>> Well, I created a local rule to ignore these:
>>
>> <group name="ossec,">
>>
>>   <rule id="100511" level="0">
>>     <if_sid>510</if_sid>
>>     <match>/var/lib/ntp/proc</match>
>>     <description>Read only proc filesystem.</description>
>>     <group>rootcheck,</group>
>>   </rule>
>>
>> </group> <!-- OSSEC -->
>>
>> But this seems a waste of processing, so I created a bug report on
>> bugzilla. Hopefully, this local rule will help someone else, who happens
>> on the problem.
>>
>> Dennis
>> --
>> Dennis Golden
>> Golden Consulting Services, Inc.
>>
>

--
Dennis Golden
Golden Consulting Services, Inc.
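
To find which mount points on a host fall into the category discussed in this thread (proc or sysfs mounted somewhere other than /proc and /sys, or any read-only mount), the following added example parses text in /proc/mounts format. It is not part of the original messages or of OSSEC; the function names and the sample mount table are constructed for illustration.

```python
import re

PSEUDO_FS = {"proc", "sysfs"}   # filesystem types behind /proc and /sys
STANDARD = {"/proc", "/sys"}    # their usual mount points


def _unescape(field):
    # /proc/mounts encodes space, tab, newline and backslash as \NNN octal.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Yield (mountpoint, fstype, options) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].startswith("#"):
            continue
        # Split options into a set so "errors=remount-ro" is not read as "ro".
        yield _unescape(parts[1]), parts[2], set(parts[3].split(","))


def rootcheck_noise_candidates(text):
    """Return {mountpoint: reason} for mounts of the kind this thread describes."""
    found = {}
    for mnt, fstype, opts in parse_mounts(text):
        if fstype in PSEUDO_FS and mnt not in STANDARD:
            found[mnt] = f"{fstype} outside its usual location"
        elif "ro" in opts and fstype not in PSEUDO_FS:
            found[mnt] = "read-only mount"
    return found


# Constructed sample mount table (not taken from the thread).
SAMPLE = """\
proc /proc proc rw,nosuid,nodev,noexec 0 0
sysfs /sys sysfs rw 0 0
/dev/sda1 / ext3 rw,errors=remount-ro 0 0
proc /var/lib/ntp/proc proc ro 0 0
/dev/sr0 /media/cd\\040rom iso9660 ro,nosuid 0 0
"""

if __name__ == "__main__":
    for mnt, why in rootcheck_noise_candidates(SAMPLE).items():
        print(f"{mnt}: {why}")
```

On a live system, pass the contents of /proc/mounts instead of `SAMPLE`. Each path it reports is a candidate for a scoped local rule like the one quoted above; keep the `<match>` string as specific as possible, since it suppresses every rule 510 alert containing that text.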
