It worked! The problem was that I was changing the /var/ossec/etc/ossec.conf on the clients, but not the /var/ossec/etc/shared/agent.conf.
Thanks a lot!

On Wed, Jun 13, 2012 at 12:15 PM, dan (ddp) <[email protected]> wrote:
> On Wed, Jun 13, 2012 at 11:10 AM, Wilson Ricardo <[email protected]> wrote:
>> No:
>>
>> (...)
>> <syscheck>
>> <!-- Frequency that syscheck is executed - default to every 22 hours -->
>> <frequency>79200</frequency>
>>
>> <!-- Directories to check (perform all possible verifications) -->
>> <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>> <directories check_all="yes">/bin,/sbin</directories>
>> (...)
>>
>> On Wed, Jun 13, 2012 at 12:07 PM, dan (ddp) <[email protected]> wrote:
>>> On Wed, Jun 13, 2012 at 11:01 AM, Wilson Ricardo <[email protected]> wrote:
>>>> It is exactly what is happening.
>>>> The volume is checked in every client, with obvious negative effects.
>>>>
>>>> On Wed, Jun 13, 2012 at 11:58 AM, dan (ddp) <[email protected]> wrote:
>>>>> On Wed, Jun 13, 2012 at 10:44 AM, Wilson Ricardo <[email protected]> wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I configured the ossec.conf to ignore the mounted volumes, but the
>>>>>> ossec is still checking nfs volumes.
>>>>>>
>>>>>> ossec.conf:
>>>>>>
>>>>>> <syscheck>
>>>>>> <!-- Frequency that syscheck is executed - default to every 22 hours -->
>>>>>> <frequency>79200</frequency>
>>>>>>
>>>>>> <!-- Directories to check (perform all possible verifications) -->
>>>>>> <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>>>>>> <directories check_all="yes">/bin,/sbin</directories>
>>>>>>
>>>>>> <!-- Files/directories to ignore -->
>>>>>> <ignore>/etc/mtab</ignore>
>>>>>> <ignore>/etc/mnttab</ignore>
>>>>>> <ignore>/etc/hosts.deny</ignore>
>>>>>> <ignore>/etc/mail/statistics</ignore>
>>>>>> <ignore>/etc/random-seed</ignore>
>>>>>> <ignore>/etc/adjtime</ignore>
>>>>>> <ignore>/etc/httpd/logs</ignore>
>>>>>> <ignore>/etc/utmpx</ignore>
>>>>>> <ignore>/etc/wtmpx</ignore>
>>>>>> <ignore>/etc/cups/certs</ignore>
>>>>>> <ignore>/etc/dumpdates</ignore>
>>>>>> <ignore>/etc/prelink.cache</ignore>
>>>>>> <ignore>/etc/svc/volatile</ignore>
>>>>>> <ignore>/usr/bin/inotifywait</ignore>
>>>>>> <ignore>/usr/bin/inotifywatch</ignore>
>>>>>> <ignore type="sregex">/var/www*</ignore>
>>>>>> (...)
>>>>>>
>>>>>> <rootcheck>
>>>>>> <rootkit_files>/var/ossec//etc/shared/rootkit_files.txt</rootkit_files>
>>>>>> <rootkit_trojans>/var/ossec//etc/shared/rootkit_trojans.txt</rootkit_trojans>
>>>>>> <system_audit>/var/ossec//etc/shared/system_audit_rcl.txt</system_audit>
>>>>>> <system_audit>/var/ossec//etc/shared/cis_rhel_linux_rcl.txt</system_audit>
>>>>>> <system_audit>/var/ossec//etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
>>>>>> <ignore type="sregex">/var/www*</ignore>
>>>>>> </rootcheck>
>>>>>>
>>>>>> Versions:
>>>>>> ossec-hids-client-2.6-12.el5.art
>>>>>> ossec-hids-2.6-12.el5.art
>>>>>> Linux img02 2.6.18-194.3.1.el5 #1 SMP Thu May 13 13:08:30 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux
>>>>>> CentOS release 5.5 (Final)
>>>>>>
>>>>>> Mount points:
>>>>>> [root@img02 ~]# mount
>>>>>> /dev/sdb1 on / type ext3 (rw)
>>>>>> proc on /proc type proc (rw)
>>>>>> sysfs on /sys type sysfs (rw)
>>>>>> devpts on /dev/pts type devpts (rw,gid=5,mode=620)
>>>>>> /dev/sdb5 on /tmp type ext3 (rw)
>>>>>> /dev/sda1 on /boot type ext3 (rw)
>>>>>> tmpfs on /dev/shm type tmpfs (rw)
>>>>>> none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
>>>>>> sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
>>>>>> IP:/vol2/db_files/xml/galerias on /var/www/html/galerias type nfs (ro,rsize=32768,wsize=32768)
>>>>>> IP:/vol2/mm_files/fotos on /var/www/html/fotos type nfs (ro,rsize=32768,wsize=32768)
>>>>>> IP:/vol4/ on /var/www/vol4 type nfs (rw,rsize=32768,wsize=32768)
>>>>>> (...)
>>>>>>
>>>>>> I already tried <ignore>/var/www</ignore>, and tried to ignore every
>>>>>> mount point, creating one <ignore> for each one.
>>>>>>
>>>>>> What am I missing?
>>>>>>
>>>>>> Thank you.
>>>>>
>>>>> It doesn't even look like you have a <directories> setup for
>>>>> /var(/www). So I'm not sure why it would be checking it in the first
>>>>> place.
>>>>>
>>>>> But I don't think ignore works like everyone thinks it does. It still
>>>>> checks everything, just ignores the results.
>>>
>>> So, is /var defined in a <directories> on these agents or something?
>
> Then it shouldn't be checking there at all. Double check your
> configurations. /var/ossec/etc/ossec.conf and
> /var/ossec/etc/shared/agent.conf. Check for links to /var/www in other
> directories that are being checked. Check /var/ossec/logs/ossec.log
> for syscheckd logs mentioning /var.
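The check dan recommends (look at both ossec.conf and the shared agent.conf, and find which <directories> entry actually puts a mount point in scope) can be scripted. The following Python is an added example, not code from the thread or from the OSSEC project. Both config files and the `mount` lines are constructed samples modelled on the thread; the thread never shows the agent.conf, so the `/var` entry in it is an assumption. Two further assumptions are labelled in the code: that agent.conf <directories> entries add to the local ones, and the reading of the `sregex` ignore type as OSSEC's simple-match syntax (`^`, `$`, `|`, otherwise substring).

```python
"""Merge the <syscheck> sections of an agent's local ossec.conf and the shared
agent.conf, then report for each mount point which <directories> entry (and
which file) monitors it and whether an <ignore> covers it."""
import xml.etree.ElementTree as ET

# Constructed sample of the client's local ossec.conf, trimmed to the thread's entries.
OSSEC_CONF = """
<ossec_config>
  <syscheck>
    <frequency>79200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <ignore>/etc/mtab</ignore>
    <ignore>/var/www</ignore>
    <ignore type="sregex">/var/www*</ignore>
  </syscheck>
</ossec_config>
"""

# Constructed sample of shared/agent.conf. The thread does not show this file;
# a <directories> entry for /var is assumed here as the kind of entry that
# would put the NFS mounts under /var/www in scope.
AGENT_CONF = """
<agent_config os="Linux">
  <syscheck>
    <directories check_all="yes">/var</directories>
  </syscheck>
</agent_config>
"""

# Constructed `mount` output (server address kept as the placeholder "IP", as in the thread).
MOUNT_OUTPUT = """\
/dev/sdb1 on / type ext3 (rw)
/dev/sdb5 on /tmp type ext3 (rw)
/dev/sda1 on /boot type ext3 (rw)
IP:/vol2/db_files/xml/galerias on /var/www/html/galerias type nfs (ro,rsize=32768,wsize=32768)
IP:/vol4/ on /var/www/vol4 type nfs (rw,rsize=32768,wsize=32768)
"""


def parse_syscheck(xml_text, source):
    """Return ([(directory, source)], [(ignore_type, pattern)]) for every <syscheck>
    block. OSSEC files may hold several top-level elements, so wrap in a synthetic root."""
    root = ET.fromstring("<root>" + xml_text + "</root>")
    dirs, ignores = [], []
    for block in root.iter("syscheck"):
        for d in block.findall("directories"):
            dirs.extend((p.strip().rstrip("/") or "/", source)
                        for p in (d.text or "").split(",") if p.strip())
        for ig in block.findall("ignore"):
            ignores.append((ig.get("type", "literal"), (ig.text or "").strip()))
    return dirs, ignores


def parse_mounts(text):
    """Extract (mount_point, fstype) pairs from `mount` output."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[1] == "on" and parts[3] == "type":
            mounts.append((parts[2], parts[4]))
    return mounts


def under(path, directory):
    """True if path is directory itself or lies beneath it."""
    return directory == "/" or path == directory or path.startswith(directory + "/")


def sregex_match(pattern, path):
    """Assumed semantics of the sregex ignore type: '|' separates alternatives,
    '^' and '$' anchor, everything else is a literal substring (no '*' wildcard)."""
    for alt in pattern.split("|"):
        start, end = alt.startswith("^"), alt.endswith("$")
        body = alt.lstrip("^").rstrip("$")
        if (start and end and path == body) or (start and not end and path.startswith(body)) \
                or (end and not start and path.endswith(body)) or (not start and not end and body in path):
            return True
    return False


def ignored_by(path, ignores):
    """Return the first ignore entry covering path, or None."""
    for ig_type, pattern in ignores:
        if ig_type == "sregex":
            if sregex_match(pattern, path):
                return (ig_type, pattern)
        elif under(path, pattern.rstrip("/") or "/"):
            return (ig_type, pattern)
    return None


def audit(ossec_conf, agent_conf, mount_output):
    """Return [(mount, fstype, (directory, source) or None, ignore entry or None)];
    the most specific monitored directory is reported for each mount point."""
    dirs, ignores = parse_syscheck(ossec_conf, "ossec.conf")
    a_dirs, a_ignores = parse_syscheck(agent_conf, "agent.conf")
    dirs += a_dirs          # assumption: agent.conf entries add to the local ones
    ignores += a_ignores
    report = []
    for mount, fstype in parse_mounts(mount_output):
        covering = [d for d in dirs if under(mount, d[0])]
        in_scope = max(covering, key=lambda d: len(d[0])) if covering else None
        report.append((mount, fstype, in_scope, ignored_by(mount, ignores)))
    return report


if __name__ == "__main__":
    for mount, fstype, in_scope, ign in audit(OSSEC_CONF, AGENT_CONF, MOUNT_OUTPUT):
        scope = f"monitored via {in_scope[0]} from {in_scope[1]}" if in_scope else "not under any <directories> entry"
        print(f"{mount:26} {fstype:5} {scope}; ignore: {ign}")
```

Run against the samples, the two NFS mounts show up as monitored via `/var` from agent.conf even though a literal `<ignore>/var/www</ignore>` covers them, which is exactly the situation the thread ends in: an ignore entry in the local file cannot tell you where the scan is coming from, only a <directories> entry in one of the two files can. Swap in the real files (`/var/ossec/etc/ossec.conf` and `/var/ossec/etc/shared/agent.conf`) and the real `mount` output to check an agent.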
