Hi all,
I have a problem with syscheckd: I'm using it to scan a system that
mounts a very large NFS volume (12TB). The volume is mounted in
/etc/something and /etc is scanned by syscheck.
So I added a rule to ignore /etc/something
        <ignore>/etc/something</ignore>
But regardless syscheckd goes into that directory and scans all the
files in there. I followed its activity with a strace on the PID of
syscheckd and I can see it doing open() and read() on files in that dir.

Is it the expected behavior? Is there a way to prevent syscheck from
stepping into /etc/something while keeping /etc?

Thanks a lot,
Julien
