Hello Juraj!
You can try the <ignore> option in the rootcheck section of your
ossec-agent-shared.conf, for example:
<agent_config profile="my_profile">
  <syscheck>
  </syscheck>
  <rootcheck>
    <ignore>/var/www/ptb/</ignore>
  </rootcheck>
</agent_config>
On 31.08.2016 15:08, B2RN wrote:
Hey all,
I'm trying to figure out whether there's a way to disable any sort of
FS crawls performed by OSSEC. We have a few SAN clients that have
2.3PB of mounted network shares and I'd like to avoid OSSEC going
through them for obvious reasons.
http://ossec-docs.readthedocs.io/en/latest/manual/syscheck/ mentions
"skip_nfs", but this isn't actually NFS. It's a magical proprietary thing.
And like I said, I'd just want to disable FS crawls entirely and have
the agent(s) set up with log parsing and maybe active-response.
Depends on how well I can write up the decoders/rules.
By the way, asking before I start messing around with this because the
machines are live.
Cheers,
Juraj
--
---
You received this message because you are subscribed to the Google
Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
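A pre-deployment check for the situation discussed in this thread, as an added example that is not part of the original messages or of OSSEC itself: it parses an agent configuration and reports whether syscheck or rootcheck could still walk a given mount point. The sample configuration, the names `crawl_findings`, `_under` and `_texts`, the path-prefix treatment of `<ignore>` and `<directories>`, and the premise that an enabled rootcheck may scan the whole filesystem are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the profile from the reply, plus an assumed <directories> entry.
SAMPLE = """
<agent_config profile="my_profile">
  <syscheck>
    <directories check_all="yes">/etc,/var/www</directories>
  </syscheck>
  <rootcheck>
    <ignore>/var/www/ptb/</ignore>
  </rootcheck>
</agent_config>
"""

def _under(path, parent):
    """True if path equals parent or lies below it (assumed prefix semantics)."""
    return (path.rstrip("/") + "/").startswith(parent.rstrip("/") + "/")

def _texts(section, tag):
    return [e.text.strip() for e in section.iter(tag) if e.text and e.text.strip()]

def crawl_findings(conf_text, mount):
    """Return reasons why syscheck or rootcheck may still walk `mount`."""
    try:
        # agent.conf can hold several top-level blocks, so wrap before parsing.
        root = ET.fromstring("<wrap>" + conf_text + "</wrap>")
    except ET.ParseError as exc:
        return ["config: not well-formed XML (%s)" % exc]
    findings = []
    for name in ("syscheck", "rootcheck"):
        for sec in root.iter(name):
            if "yes" in _texts(sec, "disabled"):
                continue  # this component is switched off
            if any(_under(mount, ign) for ign in _texts(sec, "ignore")):
                continue  # an <ignore> in this same section covers the mount
            if name == "rootcheck":
                # Assumption: an enabled rootcheck may scan the whole filesystem.
                findings.append("rootcheck: enabled, no <ignore> covers " + mount)
                continue
            for entry in _texts(sec, "directories"):
                for d in (p.strip() for p in entry.split(",")):
                    if d and (_under(mount, d) or _under(d, mount)):
                        findings.append("syscheck: <directories> %s overlaps %s" % (d, mount))
    return findings

if __name__ == "__main__":
    for line in crawl_findings(SAMPLE, "/var/www/ptb"):
        print(line)
```

On the sample, the `<ignore>` under rootcheck silences rootcheck for `/var/www/ptb`, but syscheck is still reported because its `<directories>` entry covers the parent path and it has no `<ignore>` of its own.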