There is a <frequency> setting for rootcheck.
On Mon, Apr 25, 2011 at 1:48 PM, Christopher Laibinis <[email protected]> wrote:
> Does syscheck control rootcheck?
>
> On Apr 22, 12:28 pm, sameer nanda <[email protected]> wrote:
>> hey doug,
>>
>> y dont u increase the time of syscheck ..
>>
>> that is what i mean to say is , set it at a time gap of around 21600
>> seconds.
>> i hope this will reduce cpu utilization.
>>
>> On 22 April 2011 05:06, Christopher Laibinis <[email protected]> wrote:
>>
>> > How can I ignore a file or directory in the rootcheck portion of OSSEC?
>>
>> > For instance I am receiving the following:
>>
>> > OSSEC HIDS Notification.
>> > 2011 Apr 22 02:48:35
>>
>> > Received From: (nyctpdprd1) 10.186.196.132->rootcheck
>> > Rule: 510 fired (level 7) -> "Host-based anomaly detection event
>> > (rootcheck)."
>> > Portion of the log(s):
>>
>> > File '/dev/oracleasm/.query_disk' present on /dev. Possible hidden
>> > file.
>>
>> > I would like to ignore this file and have added the
>>
>> > <ignore>/dev/oracleasm</ignore>
>>
>> > directive in the ossec.conf file under the <rootcheck> portion, but it
>> > does not work.
