Actually, it didn't work :( I really don't know what to do.
And if I don't turn off the NFS check, I'll need to change the solution. Thank you again!

On Wed, Jun 13, 2012 at 12:42 PM, Wilson Ricardo <[email protected]> wrote:
> It worked!
>
> The problem was that I was changing the /var/ossec/etc/ossec.conf on
> the clients, but not the /var/ossec/etc/shared/agent.conf.
>
> Thanks a lot!
>
> On Wed, Jun 13, 2012 at 12:15 PM, dan (ddp) <[email protected]> wrote:
>> On Wed, Jun 13, 2012 at 11:10 AM, Wilson Ricardo <[email protected]> wrote:
>>> No:
>>>
>>> (...)
>>> <syscheck>
>>> <!-- Frequency that syscheck is executed - default to every 22 hours -->
>>> <frequency>79200</frequency>
>>>
>>> <!-- Directories to check (perform all possible verifications) -->
>>> <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>>> <directories check_all="yes">/bin,/sbin</directories>
>>> (...)
>>>
>>> On Wed, Jun 13, 2012 at 12:07 PM, dan (ddp) <[email protected]> wrote:
>>>> On Wed, Jun 13, 2012 at 11:01 AM, Wilson Ricardo <[email protected]> wrote:
>>>>> It is exactly what is happening.
>>>>> The volume is checked on every client, with obvious negative effects.
>>>>>
>>>>> On Wed, Jun 13, 2012 at 11:58 AM, dan (ddp) <[email protected]> wrote:
>>>>>> On Wed, Jun 13, 2012 at 10:44 AM, Wilson Ricardo <[email protected]> wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I configured the ossec.conf to ignore the mounted volumes, but
>>>>>>> ossec is still checking NFS volumes.
>>>>>>>
>>>>>>> ossec.conf:
>>>>>>>
>>>>>>> <syscheck>
>>>>>>> <!-- Frequency that syscheck is executed - default to every 22 hours -->
>>>>>>> <frequency>79200</frequency>
>>>>>>>
>>>>>>> <!-- Directories to check (perform all possible verifications) -->
>>>>>>> <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>>>>>>> <directories check_all="yes">/bin,/sbin</directories>
>>>>>>>
>>>>>>> <!-- Files/directories to ignore -->
>>>>>>> <ignore>/etc/mtab</ignore>
>>>>>>> <ignore>/etc/mnttab</ignore>
>>>>>>> <ignore>/etc/hosts.deny</ignore>
>>>>>>> <ignore>/etc/mail/statistics</ignore>
>>>>>>> <ignore>/etc/random-seed</ignore>
>>>>>>> <ignore>/etc/adjtime</ignore>
>>>>>>> <ignore>/etc/httpd/logs</ignore>
>>>>>>> <ignore>/etc/utmpx</ignore>
>>>>>>> <ignore>/etc/wtmpx</ignore>
>>>>>>> <ignore>/etc/cups/certs</ignore>
>>>>>>> <ignore>/etc/dumpdates</ignore>
>>>>>>> <ignore>/etc/prelink.cache</ignore>
>>>>>>> <ignore>/etc/svc/volatile</ignore>
>>>>>>> <ignore>/usr/bin/inotifywait</ignore>
>>>>>>> <ignore>/usr/bin/inotifywatch</ignore>
>>>>>>> <ignore type="sregex">/var/www*</ignore>
>>>>>>> (...)
>>>>>>>
>>>>>>> <rootcheck>
>>>>>>> <rootkit_files>/var/ossec//etc/shared/rootkit_files.txt</rootkit_files>
>>>>>>> <rootkit_trojans>/var/ossec//etc/shared/rootkit_trojans.txt</rootkit_trojans>
>>>>>>> <system_audit>/var/ossec//etc/shared/system_audit_rcl.txt</system_audit>
>>>>>>> <system_audit>/var/ossec//etc/shared/cis_rhel_linux_rcl.txt</system_audit>
>>>>>>> <system_audit>/var/ossec//etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
>>>>>>> <ignore type="sregex">/var/www*</ignore>
>>>>>>> </rootcheck>
>>>>>>>
>>>>>>> Versions:
>>>>>>> ossec-hids-client-2.6-12.el5.art
>>>>>>> ossec-hids-2.6-12.el5.art
>>>>>>> Linux img02 2.6.18-194.3.1.el5 #1 SMP Thu May 13 13:08:30 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux
>>>>>>> CentOS release 5.5 (Final)
>>>>>>>
>>>>>>> Mount points:
>>>>>>> [root@img02 ~]# mount
>>>>>>> /dev/sdb1 on / type ext3 (rw)
>>>>>>> proc on /proc type proc (rw)
>>>>>>> sysfs on /sys type sysfs (rw)
>>>>>>> devpts on /dev/pts type devpts (rw,gid=5,mode=620)
>>>>>>> /dev/sdb5 on /tmp type ext3 (rw)
>>>>>>> /dev/sda1 on /boot type ext3 (rw)
>>>>>>> tmpfs on /dev/shm type tmpfs (rw)
>>>>>>> none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
>>>>>>> sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
>>>>>>> IP:/vol2/db_files/xml/galerias on /var/www/html/galerias type nfs (ro,rsize=32768,wsize=32768)
>>>>>>> IP:/vol2/mm_files/fotos on /var/www/html/fotos type nfs (ro,rsize=32768,wsize=32768)
>>>>>>> IP:/vol4/ on /var/www/vol4 type nfs (rw,rsize=32768,wsize=32768)
>>>>>>> (...)
>>>>>>>
>>>>>>> I already tried <ignore>/var/www</ignore>, and tried to ignore every
>>>>>>> mount point, creating one <ignore> for each one.
>>>>>>>
>>>>>>> What am I missing?
>>>>>>>
>>>>>>> Thank you.
>>>>>>
>>>>>> It doesn't even look like you have a <directories> setup for
>>>>>> /var(/www). So I'm not sure why it would be checking it in the first
>>>>>> place.
>>>>>>
>>>>>> But I don't think ignore works like everyone thinks it does. It still
>>>>>> checks everything, just ignores the results.
>>>>
>>>> So, is /var defined in a <directories> on these agents or something?
>>
>> Then it shouldn't be checking there at all. Double check your
>> configurations. /var/ossec/etc/ossec.conf and
>> /var/ossec/etc/shared/agent.conf. Check for links to /var/www in other
>> directories that are being checked. Check /var/ossec/logs/ossec.log
>> for syscheckd logs mentioning /var.
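The three checks dan lists at the end of the thread, turned into a script you can run on an agent. This is an added example, not code from the thread or from the OSSEC project. It reads the monitored directories from both /var/ossec/etc/ossec.conf and the shared agent.conf, because the agent applies the shared file on top of its local one (the mix-up the thread turned on), and reports which `<directories>` entry puts each NFS mount point in syscheck's scope, which symlinks inside monitored directories lead into the NFS tree, and which directories syscheckd itself logged. The agent.conf that monitors /var, the mount table and the log excerpt are constructed inputs; the exact "Monitoring directory" log wording is assumed from OSSEC 2.x syscheckd startup messages, so adjust the sed pattern if your version logs it differently.

```shell
#!/bin/sh
# Added example (not from the thread or the OSSEC project): answer dan's
# checks from a shell. (1) Which <directories> entry, after the agent merges
# /var/ossec/etc/ossec.conf with the shared agent.conf, puts an NFS mount
# point inside syscheck's scope? (2) Which monitored directories contain
# symlinks into the NFS tree? (3) What did syscheckd itself say it monitors?
# All config text, the mount table and the log excerpt are constructed here;
# on a real agent read the two config files and /proc/mounts instead.

# Constructed: the local syscheck block, as posted in the thread.
OSSEC_CONF='<syscheck>
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/bin,/sbin</directories>
  <ignore type="sregex">/var/www*</ignore>
</syscheck>'

# Constructed: a shared agent.conf that (hypothetically) also monitors /var.
AGENT_CONF='<agent_config>
  <syscheck>
    <directories check_all="yes">/var</directories>
  </syscheck>
</agent_config>'

# Constructed: /proc/mounts-style table (device mountpoint fstype options dump pass).
MOUNTS='/dev/sdb1 / ext3 rw 0 0
/dev/sdb5 /tmp ext3 rw 0 0
IP:/vol2/db_files/xml/galerias /var/www/html/galerias nfs ro,rsize=32768,wsize=32768 0 0
IP:/vol2/mm_files/fotos /var/www/html/fotos nfs ro,rsize=32768,wsize=32768 0 0
IP:/vol4/ /var/www/vol4 nfs rw,rsize=32768,wsize=32768 0 0'

# Constructed: ossec.log excerpt; the wording is assumed from OSSEC 2.x syscheckd.
OSSEC_LOG="2012/06/13 12:00:01 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2012/06/13 12:00:01 ossec-syscheckd: INFO: Monitoring directory: '/var'.
2012/06/13 12:00:02 ossec-rootcheck: INFO: Starting rootcheck scan."

# monitored_dirs CONFIG_TEXT... : one directory per line from every
# <directories> element in every config given; comma lists are split.
monitored_dirs() {
  printf '%s\n' "$@" \
    | sed -n 's/.*<directories[^>]*>\([^<]*\)<\/directories>.*/\1/p' \
    | tr ',' '\n' | sed 's/^ *//; s/ *$//'
}

# nfs_mounts MOUNTS_TEXT : mount points whose filesystem type is nfs or nfs4.
nfs_mounts() {
  printf '%s\n' "$1" | awk '$3 == "nfs" || $3 == "nfs4" { print $2 }'
}

# under_dir PATH DIR : true when PATH is DIR itself or lies below it.
under_dir() {
  [ "$2" = "/" ] && return 0
  case "$1" in
    "$2"|"$2"/*) return 0 ;;
  esac
  return 1
}

# in_scope_nfs MOUNTS_TEXT CONFIG_TEXT... : "MOUNTPOINT via DIR" for each NFS
# mount point that some monitored directory covers, naming the first such DIR.
in_scope_nfs() {
  mounts=$1; shift
  dirs=$(monitored_dirs "$@")
  nfs_mounts "$mounts" | while read -r mp; do
    for d in $dirs; do
      if under_dir "$mp" "$d"; then
        printf '%s via %s\n' "$mp" "$d"
        break
      fi
    done
  done
}

# links_into TARGET_PREFIX DIR... : symlinks under the given directories whose
# target begins with TARGET_PREFIX (a link in /etc into /var/www, say).
links_into() {
  prefix=$1; shift
  for d in "$@"; do
    [ -d "$d" ] && find "$d" -type l -lname "$prefix*" 2>/dev/null
  done
  return 0
}

# log_monitored LOG_TEXT : directories syscheckd reported monitoring at startup.
log_monitored() {
  printf '%s\n' "$1" \
    | sed -n "s/.*ossec-syscheckd: INFO: Monitoring directory: '\([^']*\)'.*/\1/p"
}

echo "NFS mount points inside syscheck scope:"
in_scope_nfs "$MOUNTS" "$OSSEC_CONF" "$AGENT_CONF"
echo "Directories syscheckd logged at startup:"
log_monitored "$OSSEC_LOG"
```

On a real agent, replace the constructed variables with `OSSEC_CONF=$(cat /var/ossec/etc/ossec.conf)`, `AGENT_CONF=$(cat /var/ossec/etc/shared/agent.conf)`, `MOUNTS=$(cat /proc/mounts)` and `OSSEC_LOG=$(cat /var/ossec/logs/ossec.log)`, and run `links_into /var/www $(monitored_dirs "$OSSEC_CONF" "$AGENT_CONF")` to cover dan's symlink check. If `in_scope_nfs` prints nothing yet syscheckd still walks the NFS tree, the symlink and log checks are the next places to look.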
