In system_audit_rcl.txt, the following line has been there since 2007 and is still the same in OSSEC 2.7:

$web_dirs=/var/www,/var/htdocs,/home/httpd,/usr/local/apache,/usr/local/apache2,/usr/local/www;

Is there one specific folder where you encountered the issue?

On Friday, January 18, 2013 7:37:57 AM UTC-8, Valentin Avram wrote:
> Update:
> I figured out why rootcheck was wandering into an ignored folder: it was
> because of the $web_dirs variable in system_audit_rcl.txt which happened to
> match the folder which contained the NFS mountpoint.
>
> Since the agent is version 2.6 I do not know if this behaviour is the same
> in 2.7, but if so, I believe this is a bug, the ignored folders should also
> apply to the paths specified in policy files.
>
> On Wed, Jan 16, 2013 at 7:32 PM, Valentin Avram <[email protected]> wrote:
>
>> Hello.
>>
>> I'm very sure I once knew the answer to the question I ask below, but
>> right now I really can't remember and the tests I made didn't work.
>>
>> Presuming there is a folder on a server, like /var/special_folder which
>> is a mountpoint for an NFS share on another server, and the mountpoint has
>> hundreds of branched folders and thousands of files in it.
>>
>> Although I have specified <ignore>/var/special_folder</ignore> in the
>> <rootcheck> section of the OSSEC agent running on the machine, the
>> rootcheck process keeps wandering into that folder, which makes the process
>> stay in D state for days (waiting for IO - access to a specified file if
>> one knows the exact path is blazing fast, but directory listings take ages).
>>
>> Is there any way to "convince" rootcheck to just not go into a folder and
>> all its subfolders?
>>
>> The OSSEC versions running on the agent (2.6) and the server (2.5) are
>> pretty obsolete (and yes, I know, it is "extremely very wrong" to run an
>> agent newer than the server, but for now the server can't be upgraded or
>> replaced)
>>
>> Thank you for your time.
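
An added example, not part of the original thread and not OSSEC code: a small Python check that flags $web_dirs entries from a policy file which contain a path listed under <ignore> in <rootcheck> or an NFS mount point, the overlap described in the update above. The /var/www/share path, the NFS server name, the sample ossec.conf and mounts text, and all function names are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Constructed sample inputs; the $web_dirs line is the one quoted in the thread.
POLICY = "$web_dirs=/var/www,/var/htdocs,/home/httpd,/usr/local/apache,/usr/local/apache2,/usr/local/www;\n"
OSSEC_CONF = """<ossec_config>
  <rootcheck>
    <ignore>/var/www/share</ignore>
  </rootcheck>
</ossec_config>"""
MOUNTS = """/dev/sda1 / ext4 rw,relatime 0 0
nfs.example.com:/export /var/www/share nfs rw,relatime 0 0
"""

def parse_web_dirs(policy_text):
    """Paths listed in the $web_dirs variable of a policy file."""
    m = re.search(r"^\$web_dirs=([^;\n]*);", policy_text, re.M)
    return [p.strip() for p in m.group(1).split(",") if p.strip()] if m else []

def parse_rootcheck_ignores(conf_text):
    """<ignore> paths that appear inside <rootcheck> sections."""
    paths = []
    for section in re.findall(r"<rootcheck>(.*?)</rootcheck>", conf_text, re.S):
        paths += [p.strip() for p in re.findall(r"<ignore>(.*?)</ignore>", section, re.S)]
    return paths

def parse_nfs_mounts(mounts_text):
    """Mount points with an nfs* filesystem type, /proc/mounts format."""
    fields = (line.split() for line in mounts_text.splitlines())
    return [f[1] for f in fields if len(f) >= 3 and f[2].startswith("nfs")]

def is_at_or_below(path, parent):
    """True if path equals parent or lies beneath it (component-wise, not prefix)."""
    p, q = PurePosixPath(path), PurePosixPath(parent)
    return p == q or q in p.parents

def find_overlaps(web_dirs, ignores, nfs_mounts):
    """(web_dir, kind, path) for each ignored or NFS path inside a $web_dirs entry."""
    return [(wd, kind, p)
            for wd in web_dirs
            for kind, paths in (("ignore", ignores), ("nfs", nfs_mounts))
            for p in paths if is_at_or_below(p, wd)]

if __name__ == "__main__":
    hits = find_overlaps(parse_web_dirs(POLICY), parse_rootcheck_ignores(OSSEC_CONF),
                         parse_nfs_mounts(MOUNTS))
    for wd, kind, path in hits:
        print(f"{wd}: contains {kind} path {path}")
```

On a real agent the three inputs would be read from system_audit_rcl.txt, ossec.conf and /proc/mounts; their locations depend on the installation.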
