I'm having the same problem that was reported by Jess Bromley on 2008-10-29. I am getting the following errors:
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)." Portion of the log(s): File '/var/lib/ntp/proc/6633/attr/sockcreate' is owned by root and has written permissions to anyone. This is because the proc filesystem is mounted read only at /var/lib/ntp/proc. I have verified that the permissions are the same on /proc/6633/attr/sockcreate, but rootcheck is not complaining about these. I have <ignore>/var/lib/ntp/proc</ignore> in the ossec.conf, but rootcheck ignores that. I'm sure that there must be other chroot programs that might do this. BTW, there are hundreds of these. Any advice will be appreciated. I'm using ossec 2.0 on openSUSE 11.0. Dennis -- Dennis Golden Golden Consulting Services, Inc.