Hello. I'm very sure I once knew the answer to the question I ask below, but right now I really can't remember and the tests I made didn't work.
Presuming there is a folder on a server, like /var/special_folder which is a mountpoint for a NFS share on another server, and the mountpoint has hundreds of branched folders and thousands of files in it. Although I have specified <ignore>/var/special_folder</ignore> in the <rootcheck> section of the OSSEC agent running on the machine, the rootcheck process keeps wandering into that folder, which makes the process stay in D state for days (waiting for IO - access to a specified file if one knows the exact path is blazing fast, but directory listings take ages). Is there any way to "convince" rootcheck to just not go into a folder and all its subfolders? The OSSEC versions running on the agent (2.6) and the server (2.5) are pretty obsolete (and yes, I know, it is "extremely very wrong" to run an agent newer than the server, but for now the server can't be upgraded or replaced) Thank you for your time.
