csf.pignore issue

milo695 · Post by **milo695** » 13 Feb 2024, 07:56

Hi,
either I don't know how to use it or csf.pignore is not working as it should, this is what I tried so far:

# stop monitoring wordpress breakdance /tmp files
dir:/tmp/systemd-private-*-ea-php*-php-fpm.service-*/tmp/
dir:/tmp/systemd-private-*/*
dir:/tmp/systemd-private-*
dir:/tmp/systemd-private-*-ea-php81-php-fpm.service-*/tmp/breakdance-ffea200c/twig-auto-generated-cache/*

and

Code: Select all

# stop monitoring user
user:user1
user:user2

The reason I'm doing this is very high rate of email notifications containing (Suspicious File Alert):

Code: Select all

File:   /tmp/systemd-private-48e12b312c2a482786a513ddcbf214b0-ea-php81-php-fpm.service-9oahU0/tmp/breakdance-bb3ae9f8/twig-auto-generated-cache/95/95263025d28d383c8e354d0dd8406abb.php
Reason: Script, file extension
Owner:  user1:user1 (1050:1051)
Action: No action taken

None of the above worked. Any suggestion on how to stop monitoring "/tmp/systemd-private-*" folders and why is user still monitored?