Update: I figured out why rootcheck was wandering into an ignored folder: it was because of the $web_dirs variable in system_audit_rcl.txt which happened to match the folder which contained the NFS mountpoint.
Since the agent is version 2.6 I do not know if this behaviour is the same in 2.7, but if so, I believe this is a bug: the ignored folders should also apply to the paths specified in policy files.

On Wed, Jan 16, 2013 at 7:32 PM, Valentin Avram <[email protected]> wrote:

> Hello.
>
> I'm very sure I once knew the answer to the question I ask below, but
> right now I really can't remember and the tests I made didn't work.
>
> Presuming there is a folder on a server, like /var/special_folder which is
> a mountpoint for an NFS share on another server, and the mountpoint has
> hundreds of branched folders and thousands of files in it.
>
> Although I have specified <ignore>/var/special_folder</ignore> in the
> <rootcheck> section of the OSSEC agent running on the machine, the
> rootcheck process keeps wandering into that folder, which makes the process
> stay in D state for days (waiting for IO - access to a specified file if
> one knows the exact path is blazing fast, but directory listings take ages).
>
> Is there any way to "convince" rootcheck to just not go into a folder and
> all its subfolders?
>
> The OSSEC versions running on the agent (2.6) and the server (2.5) are
> pretty obsolete (and yes, I know, it is "extremely very wrong" to run an
> agent newer than the server, but for now the server can't be upgraded or
> replaced)
>
> Thank you for your time.
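A check for the overlap described in the update, as an added example that is not part of the original thread or of OSSEC: it reads variable definitions in the `$name=path,path;` form used by system_audit_rcl.txt and the `<ignore>` entries of `<rootcheck>`, and reports policy paths that equal, contain or sit inside an ignored path. The sample file contents, the `/var/www/nfs_share` path and all function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Constructed sample inputs, not taken from the original thread.
SAMPLE_RCL = """\
$php.ini=/etc/php.ini,/var/www/conf/php.ini;
$web_dirs=/var/www,/var/htdocs,/usr/local/apache;
"""
SAMPLE_CONF = """\
<ossec_config>
  <rootcheck>
    <ignore>/var/special_folder</ignore>
    <ignore>/var/www/nfs_share</ignore>
  </rootcheck>
</ossec_config>
"""

VAR_RE = re.compile(r"^\$([^=\s]+)=([^;]*);", re.MULTILINE)

def policy_variables(rcl_text):
    """Map each '$name=a,b,c;' definition to its list of paths."""
    return {m.group(1): [p.strip() for p in m.group(2).split(",") if p.strip()]
            for m in VAR_RE.finditer(rcl_text)}

def rootcheck_ignores(conf_text):
    """Collect <ignore> entries from every <rootcheck> section."""
    # ossec.conf may hold several <ossec_config> roots, so wrap it in one.
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    return [i.text.strip() for rc in root.iter("rootcheck")
            for i in rc.findall("ignore") if i.text and i.text.strip()]

def relation(policy, ignored):
    """Describe how a policy path and an ignored path overlap, or None."""
    p, i = PurePosixPath(policy), PurePosixPath(ignored)
    if p == i:
        return "same path"
    if p in i.parents:
        return "policy path contains ignored path"
    if i in p.parents:
        return "policy path is inside ignored path"
    return None

def find_conflicts(rcl_text, conf_text):
    """List (variable, policy path, ignored path, relation) overlaps."""
    ignores = rootcheck_ignores(conf_text)
    return [(name, path, ign, relation(path, ign))
            for name, paths in policy_variables(rcl_text).items()
            for path in paths for ign in ignores if relation(path, ign)]

if __name__ == "__main__":
    for hit in find_conflicts(SAMPLE_RCL, SAMPLE_CONF):
        print("$%s: %s vs <ignore>%s</ignore> (%s)" % hit)
```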
