If you don't mind touching the code, you can modify the script to ignore
certain files.
The script for remote file integrity monitoring in Linux is
"ssh_integrity_check_linux" and it runs the following command:
send "echo \"INFO: Starting.\"; for i in `find $args 2>/dev/null`;do
tail \$i >/dev/null 2>&1 &&md5=`md5sum \$i | cut -d \" \" -f 1` &&
sha1=`sha1sum \$i | cut -d \" \" -f 1` && echo FWD: `stat --printf
\"%s:%a:%u:%g\" \$i`:\$md5:\$sha1 \$i; done; exit\r"
You could replace "find $args 2>/dev/null" with something else like:
find $args 2>/dev/null | grep -v "/etc/passwd"
Another, more elegant way of ignoring certain files would be creating a new
rule, similar to the one mentioned in another email in this group. I haven't
tested it, but something like this could work:
<rule id="100004" level="0">
  <if_group>syscheck</if_group>
  <match>/home/example.txt</match>
  <description>No alert for /home/example.txt</description>
</rule>
Best
On Wed, Jan 20, 2016 at 8:05 AM, Ben <[email protected]> wrote:
> Is there option for excluding directory in agentless configuration? There
> is <ignore> for syscheck, but in <arguments>, there is no option for
> ignore?
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
>
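
The `grep -v "/etc/passwd"` filter in the reply treats its argument as an unanchored regular expression, so it also drops `/etc/passwd-` and `/etc/passwd.bak` from the integrity check. The sketch below is an added example, not part of the original message or of the OSSEC scripts; it compares that filter with an exact-match exclusion list. The function names, the exclusion-list file and the sample tree are constructed for illustration, and it runs locally rather than through the expect `send`, where quotes and `$` would need escaping.

```shell
#!/bin/sh
# Added example: compare a loose "grep -v" exclusion with an exact-match one.
# All names and paths here are hypothetical, built in a temporary directory.

# list_loose DIR PATTERN: same shape as the filter suggested in the message.
# PATTERN is an unanchored regex, so it also hides any path that contains it.
list_loose() {
    find "$1" -type f 2>/dev/null | grep -v "$2" | sort
}

# list_exact DIR EXCLUDE_FILE: drop only paths equal to a line of EXCLUDE_FILE.
# -F = fixed strings (no regex), -x = whole-line match, -f = read list from file.
list_exact() {
    find "$1" -type f 2>/dev/null | grep -vxF -f "$2" | sort
}

# make_sample_tree: build a constructed tree plus an exclusion list and
# print the temporary root so the caller can inspect and remove it.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/tree/etc"
    for f in passwd passwd- passwd.bak shadow; do
        echo "sample" > "$root/tree/etc/$f"
    done
    # Exclude exactly one file from monitoring.
    printf '%s\n' "$root/tree/etc/passwd" > "$root/exclude.list"
    printf '%s\n' "$root"
}

# Stand-alone demonstration.
demo_root=$(make_sample_tree)
echo "Loose filter still monitors:"
list_loose "$demo_root/tree" "/etc/passwd"      # only .../etc/shadow is left
echo "Exact filter still monitors:"
list_exact "$demo_root/tree" "$demo_root/exclude.list"  # passwd-, passwd.bak, shadow
rm -rf "$demo_root"
```

Every path the filter removes is a file that never reaches syscheck, so the narrower the match, the smaller the blind spot.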