Hi, rootcheck doesn't discriminate as its goal is to look for files and configuration that would be consistent with the presence of a rootkit. The ignore setting is only valid in the <syscheck> directive, like this:

    <syscheck>
      <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
      <ignore>/tmp/</ignore>
    </syscheck>

However, the ignore would only make sense if you want to ignore a directory deeper in the hierarchy, like this:

    <syscheck>
      <directories check_all="yes">/tmp</directories>
      ...
      <ignore>/tmp/dir1/dir2/dir3</ignore>
    </syscheck>

because you don't care about file changes in that specific location, but you do in all other subfolders of /tmp.

Hope this helps,

Kind Regards,
Wim

On 21 Dec 2009, at 09:58, rosgos wrote:
> Hi everyone,
>
> I am using ossec v2.3 on server and I have an exception in module
> rootcheck:
>
> <rootcheck>
> ..............
> <ignore>/tmp/</ignore>
> </rootcheck>
>
> I have restarted the daemon, but I am receiving alerts about changes in
> directory /tmp.
> Isn't this syntax incorrect in ossec.conf?
>
> Thanks.
> Albert.
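A small lint, added here as an example and not part of the thread or of OSSEC itself, that applies the rule above to an ossec.conf fragment: it flags <ignore> under <rootcheck> (where it has no effect) and syscheck ignores that fall outside, or swallow the whole of, a monitored <directories> entry. The `lint_ignores` function and the two config samples are constructed for this example.

```python
"""Lint an ossec.conf fragment for misplaced or pointless <ignore> entries."""
import xml.etree.ElementTree as ET
from typing import List


def _parse(conf_text: str) -> ET.Element:
    # ossec.conf may hold several top-level <ossec_config> blocks,
    # so wrap the text in a synthetic root before parsing.
    return ET.fromstring("<root>" + conf_text + "</root>")


def _norm(path: str) -> str:
    return path.strip().rstrip("/") or "/"


def lint_ignores(conf_text: str) -> List[str]:
    """Return human-readable findings; an empty list means the ignores are sane."""
    root = _parse(conf_text)
    findings = []
    # <ignore> is a syscheck option; rootcheck does not honour it at all.
    for rc in root.iter("rootcheck"):
        for ign in rc.findall("ignore"):
            findings.append(f"<ignore>{ign.text} under <rootcheck> has no effect; "
                            "move it to <syscheck>")
    # Collect every monitored directory from all <syscheck> blocks.
    monitored = []
    for sc in root.iter("syscheck"):
        for d in sc.findall("directories"):
            monitored.extend(_norm(p) for p in (d.text or "").split(",") if p.strip())
    # An ignore only makes sense strictly below a monitored directory.
    for sc in root.iter("syscheck"):
        for ign in sc.findall("ignore"):
            if ign.get("type") == "sregex":
                continue  # regex ignores are patterns, not paths; skip containment check
            path = _norm(ign.text or "")
            if path in monitored:
                findings.append(f"<ignore>{path} covers an entire monitored directory; "
                                "drop it from <directories> instead")
            elif not any(path.startswith(m + "/") for m in monitored):
                findings.append(f"<ignore>{path} is not inside any monitored "
                                "<directories> entry, so it never matches")
    return findings


# Constructed samples: the poster's layout and the corrected one from the reply.
BAD_CONF = """<ossec_config>
  <rootcheck><ignore>/tmp/</ignore></rootcheck>
  <syscheck>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <ignore>/tmp/</ignore>
  </syscheck>
</ossec_config>"""
GOOD_CONF = """<ossec_config><syscheck>
  <directories check_all="yes">/tmp</directories>
  <ignore>/tmp/dir1/dir2/dir3</ignore>
</syscheck></ossec_config>"""
```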
