Hi Daniel,

Sorry to have taken so many months (!) to get back to you.

I've tried the rootcheck ignore option out but it still appears to scan the
files.

(excerpt from ossec.conf)
  <rootcheck>
    <rootkit_files>/usr/local/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/usr/local/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/usr/local/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/usr/local/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
    <system_audit>/usr/local/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
    <system_audit>/usr/local/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
    <ignore>/home/httpd/html/other</ignore>
    <ignore>/home/httpd/html/photos</ignore>
  </rootcheck>


The same options are in the ossec.conf locally and on the ossec server.

Where am I going wrong?


This was tried with both the snapshot
http://ossec.net/files/snapshots/ossec-hids-090723.tar.gz and the release
version 2.2 of ossec.


Thanks,

Andy
