Hi all,
We're looking to add a rule in local_rules to match against Docker's aufs
mounts which sets rootcheck alerts (509,510) to level 0. So far we've tried
the following with no luck:
<rule id="100022" level="0">
  <if_sid>509</if_sid>
  <match>/var/lib/docker/aufs/mnt</match>
  <description>Ignore alerts for this file as a rootcheck alert is triggered because of the file permissions required.</description>
</rule>
<rule id="100023" level="0">
  <if_sid>510</if_sid>
  <match>/var/lib/docker/aufs/mnt</match>
  <description>Ignore alerts for this file as a rootcheck alert is triggered because of the file permissions required.</description>
</rule>

and

<rule id="100022" level="0">
  <if_sid>509</if_sid>
  <match>/var/lib/docker/aufs/mnt/*</match>
  <description>Ignore alerts for this file as a rootcheck alert is triggered because of the file permissions required.</description>
</rule>
<rule id="100023" level="0">
  <if_sid>510</if_sid>
  <match>/var/lib/docker/aufs/mnt/*</match>
  <description>Ignore alerts for this file as a rootcheck alert is triggered because of the file permissions required.</description>
</rule>
Can anyone point us in the right direction please? I believe we've used match
for a single directory before (successfully), but never on a directory that has
several layers of sub-directories.
Thanks,
Tom
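Before tuning rules like the ones above, it helps to confirm exactly what text the rootcheck alerts carry, since an OSSEC <match> is tested against the full log line and, in OSSEC's sregex syntax, `*` has no wildcard meaning. The script below is an added example (not part of Tom's post and not OSSEC project code): it parses the classic alerts.log layout (a `** Alert` header, a timestamp->location line, a `Rule:` line, then the full log), lists which rootcheck alerts (rules 509/510) mention the Docker aufs mount path, and checks whether a candidate <match> string would hit them as a literal substring. The alerts.log sample, host name, and file paths are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of OSSEC alerts.log entries (not taken from a real host).
SAMPLE_ALERTS = """\
** Alert 1393871234.12345: - ossec,rootcheck,
2014 Mar 03 18:33:54 dockerhost->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
File '/var/lib/docker/aufs/mnt/3f2a/tmp' is owned by root and has written permissions to anyone.

** Alert 1393871240.12399: - ossec,rootcheck,
2014 Mar 03 18:34:00 dockerhost->rootcheck
Rule: 509 (level 7) -> 'Rootcheck event.'
File '/var/lib/docker/aufs/mnt/3f2a/var/tmp' is owned by root and has written permissions to anyone.

** Alert 1393871250.12450: - ossec,rootcheck,
2014 Mar 03 18:34:10 dockerhost->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
File '/home/tom/.ssh' is owned by root and has written permissions to anyone.
"""

ALERT_HEADER = re.compile(r"^\*\* Alert (\d+\.\d+): - (.*)$")
RULE_LINE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")


def parse_alerts(text):
    """Split alerts.log text into dicts with groups, location, rule, level, description, full_log.

    Assumes the classic alerts.log layout: header, timestamp->location line,
    Rule line, then one or more full-log lines until the next blank line/header.
    """
    alerts = []
    current = None
    for line in text.splitlines():
        m = ALERT_HEADER.match(line)
        if m:
            current = {"groups": m.group(2).strip(",").split(","), "full_log": []}
            alerts.append(current)
            continue
        if current is None or not line.strip():
            continue
        m = RULE_LINE.match(line)
        if m:
            current["rule"] = int(m.group(1))
            current["level"] = int(m.group(2))
            current["description"] = m.group(3)
            continue
        # The timestamp/location line precedes the Rule line; everything after
        # the Rule line is the full log that <match> is evaluated against.
        if "rule" not in current and "->" in line:
            current["location"] = line.split("->", 1)[1]
            continue
        current["full_log"].append(line)
    for alert in alerts:
        alert["full_log"] = "\n".join(alert["full_log"])
    return alerts


def rootcheck_hits(alerts, rule_ids=(509, 510), path_prefix="/var/lib/docker/aufs/mnt"):
    """Return {rule_id: [full_log, ...]} for alerts from the given rules whose full log
    mentions path_prefix, i.e. the alerts a suppression rule would need to cover."""
    hits = defaultdict(list)
    for alert in alerts:
        if alert.get("rule") in rule_ids and path_prefix in alert["full_log"]:
            hits[alert["rule"]].append(alert["full_log"])
    return dict(hits)


def match_would_fire(full_log, match_pattern):
    """Emulate an OSSEC <match> as a literal substring test (assumption used here:
    no '*' globbing, so '/mnt/*' only hits logs that literally contain '/mnt/*')."""
    return match_pattern in full_log


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for rule_id, logs in sorted(rootcheck_hits(parsed).items()):
        print(f"rule {rule_id}: {len(logs)} alert(s) under the Docker aufs mount")
        for log in logs:
            for candidate in ("/var/lib/docker/aufs/mnt", "/var/lib/docker/aufs/mnt/*"):
                print(f"  <match>{candidate}</match> fires: {match_would_fire(log, candidate)}")
```

To run it against a real server, replace SAMPLE_ALERTS with the contents of /var/ossec/logs/alerts/alerts.log; the per-rule listing shows which of 509 and 510 actually produce the Docker alerts and the exact line each suppression rule must match.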
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.