We are using OSSEC-hids-2.0. We have an NFS share on our servers that gets mounted on /usr/local/nfsmount. Because we don't want OSSEC to check this NFS share, in the ossec.conf there is an ignore entry that looks like this: <ignore>/usr/local/nfsmount</ignore>. However, after adding this ignore entry and restarting the ossec service, ossec-rootcheck continues to check the NFS share (/usr/local/nfsmount). This is what the box says in the ossec.log:

    ossec-rootcheck: INFO: Starting rootcheck scan.

I also confirmed this by running lsof | grep ossec, which gives me the following:

    ossec-sys 5696 root 8r DIR 0,24 3864 33956 /usr/local/nfsmount (nfs.domain.net:/nfsshare)
    ossec-sys 5696 root 9r DIR 0,24 3864 33978 /usr/local/nfsmount/documents (nfs.domain.net:/nfsshare)
    ossec-sys 5696 root 10r DIR 0,24 3864 455233 /usr/local/nfsmount/documents/previews (nfs.domain.net:/nfsshare
    ossec-sys 5696 root 11r DIR 0,24 3864 4859570 /usr/local/nfsmount/documents/previews/0000 (nfs.domain.net:/nfsshare)
    ossec-sys 5696 root 12r DIR 0,24 2048 6231553 /usr/local/nfsmount/documents/previews/0000/0020 (nfs.domain.net:/nfsshare)
    ossec-sys 5696 root 13r DIR 0,24 3864 6688091 /usr/local/nfsmount/documents/previews/0000/0020/4611 (nfs.domain.net:/nfsshare)

I am not sure if this is a bug or not. If anyone has pointers or even a fix to this problem, please let me know. Thanks.

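One way to check whether an ignore entry is actually in scope for the process that holds the NFS files open, as an added example that is not part of the original post and not OSSEC's own code: it reads the <ignore> entries of each configuration section from an ossec.conf fragment and matches lsof output against them. The sample conf, the sample lsof lines and the assumption that an ignore entry only applies to the section (syscheck or rootcheck) it appears in are constructed for this illustration.

```python
import posixpath
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment modelled on the post: the ignore sits under <syscheck>.
SAMPLE_CONF = """<ossec_config>
  <syscheck><ignore>/usr/local/nfsmount</ignore></syscheck>
  <rootcheck><rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files></rootcheck>
</ossec_config>"""

# Constructed lsof lines (abridged from the post's output, plus one non-NFS file).
SAMPLE_LSOF = """ossec-sys 5696 root 8r DIR 0,24 3864 33956 /usr/local/nfsmount (nfs.domain.net:/nfsshare)
ossec-sys 5696 root 9r DIR 0,24 3864 33978 /usr/local/nfsmount/documents (nfs.domain.net:/nfsshare)
ossec-sys 5696 root 3r REG 8,1 1024 12 /var/ossec/etc/ossec.conf"""


def ignore_paths(conf_xml, section):
    """Return the normalised <ignore> paths declared inside the given section.
    ossec.conf may contain several top-level <ossec_config> blocks, which is not
    a single well-formed XML document, so wrap the text in one root first."""
    root = ET.fromstring("<root>" + conf_xml + "</root>")
    return [posixpath.normpath(ign.text.strip())
            for sec in root.iter(section)
            for ign in sec.findall("ignore") if ign.text]


def under_path(path, prefix):
    """True if path equals prefix or lies below it on a directory boundary,
    so /usr/local/nfsmount2 is NOT treated as inside /usr/local/nfsmount."""
    prefix = posixpath.normpath(prefix)
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def open_paths_from_lsof(lsof_text):
    """Yield (pid, path) from header-less lsof lines; NAME is the 9th field and
    may carry a trailing ' (server:/export)' annotation on NFS mounts."""
    for line in lsof_text.splitlines():
        parts = line.split(None, 8)
        if len(parts) < 9:
            continue
        yield parts[1], posixpath.normpath(parts[8].split(" (")[0])


def open_under_ignores(lsof_text, ignores):
    """List the open (pid, path) pairs that fall under any of the ignore paths."""
    return [(pid, p) for pid, p in open_paths_from_lsof(lsof_text)
            if any(under_path(p, ign) for ign in ignores)]
```

Comparing the result of `open_under_ignores(lsof_output, ignore_paths(conf, "rootcheck"))` with the same call for "syscheck" shows which section's ignore list, if any, covers the files the scanning process still has open.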