On Fri, Oct 18, 2013 at 3:30 PM, Paul Raines <[email protected]> wrote:
> I have a directory /var/www/html/QUARANTINE I would like rootcheck to
> ignore.
>
> I looked at the document
>
> http://www.ossec.net/doc/manual/rootcheck/manual-rootcheck.html
>
> and it mentions ignore and auto_ignore options in the first paragraph of
> Configuration Options but then they are not described anywhere in the
> options list. How do they work? Where do they go?
>

auto_ignore is for controlling whether a file change isn't alerted after the third alert. Ignore is documented here: http://ossec.net/doc/syntax/head_ossec_config.syscheck.html (if there's a rootcheck version of ignore, I don't know about it, and I don't use rootcheck).

> Also, item #4 at the top of the document says "Scan the whole filesystem
> ...". Just the root filesystem? All local filesystems? I see an option
> "scanall" listed that defaults to "no" but it is not clear what "whole
> system" means and what the subset scanned is if the answer is "no".
>

I'd assume "whole filesystem" means the entire thing. From / on up.

> Thanks
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
