One OSSEC server with multiple agents.
/var/ossec/etc/shared/agent.conf on the server (and it's matched by /var/ossec/etc/shared/agent.conf on all agents):
<agent_config os="linux">
<syscheck>
<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>
<!-- files we don't watch/ignore -->
<frequency>7200</frequency>
<ignore>/etc/mtab</ignore>
<ignore>/etc/mnttab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/svc/volatile</ignore>
<ignore>/etc/rc*.d/*our-api</ignore>
<ignore>/etc/init.d/our-api</ignore>
<ignore>/dev/.blkid.tab</ignore>
<ignore>/dev/.blkid.tab.old</ignore>
</syscheck>
<!-- Files to monitor (localfiles) -->
<localfile>
<log_format>syslog</log_format>
<location>/var/log/auth.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/messages</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/syslog</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/var/log/nginx/access.log</location>
</localfile>
<rootcheck>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
</rootcheck>
</agent_config>
So /etc/init.d/our-api is in the ignore list, I added it there earlier today. However, I just got an alert from multiple agents, after that file had changed after a deploy:
What is going on? It looks like adding a file to the ignore list does not exempt it from being flagged by the rules. If so, how do I truly ignore a given file everywhere?