Closed ghost closed 10 years ago
On Tue, Jun 24, 2014 at 1:12 PM, RealRancor notifications@github.com wrote:
Hi,
the following rules are firing up on a Debian Wheezy system running OSSEC 2.8 from the AlienVault repos:
OSSEC HIDS Notification.
2014 Jun 24 10:35:30

Received From: hostname->/var/log/messages
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Jun 24 10:35:29 hostname kernel: [49787.970285] audit: type=1400 audit(1403598929.839:88986): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/dovecot//null-1//null-2//null-4a6" name="/home/admin/mails/new/" pid=19973 comm="imap" requested_mask="r" denied_mask="r" fsuid=1003 ouid=1003
At the moment I'm hiding those messages with the following local rule:

1002 iptables apparmor="ALLOWED" Ignore allowed apparmor entries

but maybe there is a better way to catch the DENIED message of apparmor and ignore the ALLOWED messages.
Create rules to handle the log messages so the 1002 rule doesn't match. I think that ignoring all 1002s is a Bad Idea; it's too good of a tool to ignore.
OSSEC appears to be working correctly in this case. You may want to write an apparmor decoder. Please use the mailing list for support issues like this.
This isn't really an issue, could a moderator close this? @jrossi ?
Hi,
Sorry, closing it myself. Wasn't aware that this issue tracker is not used for feature requests.
That wasn't a feature request.
It was meant to include a fix for this in the current ossec-rules, but maybe I should have written this more clearly.
@RealRancor Checkout the apparmor branch I've started here: https://github.com/ddpbsd/ossec-hids/commit/a8bb27065bb35a099edaa5f722b56904dac0544e
I don't know what other information you want to get out of the log message, or what other log messages you care about. Can you help me flesh this out?
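The decoder-plus-child-rules approach suggested in this thread, sketched as an added Python example (not code from OSSEC, from ossec-rules or from the linked apparmor branch): it mimics what a decoder's prematch/regex/order would pull out of the kernel audit line and what two child rules of 1002 would then do with the apparmor= status. The sample lines are constructed, and the rule levels and descriptions are assumptions, not OSSEC's shipped values.

```python
import re

# Constructed sample lines (hostname, pids and the DENIED event are made up for
# this example): a complain-mode ALLOWED event like the one in the issue, an
# enforce-mode DENIED event, and an unrelated sshd line that must not decode.
SAMPLE_LOGS = [
    'Jun 24 10:35:29 hostname kernel: [49787.970285] audit: type=1400 '
    'audit(1403598929.839:88986): apparmor="ALLOWED" operation="getattr" '
    'profile="/usr/sbin/dovecot//null-1//null-2//null-4a6" '
    'name="/home/admin/mails/new/" pid=19973 comm="imap" requested_mask="r" '
    'denied_mask="r" fsuid=1003 ouid=1003',
    'Jun 24 10:36:02 hostname kernel: [49820.123456] audit: type=1400 '
    'audit(1403598962.001:88990): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/dovecot" name="/etc/shadow" pid=19980 comm="imap" '
    'requested_mask="r" denied_mask="r" fsuid=1003 ouid=0',
    'Jun 24 10:36:10 hostname sshd[123]: Accepted publickey for admin '
    'from 192.0.2.10 port 2222 ssh2',
]

# Equivalent of a decoder <prematch>: only AppArmor audit records are decoded.
PREMATCH = re.compile(r'audit: type=1400 audit\(\d+\.\d+:\d+\): (?=apparmor=)')
# Equivalent of the <regex>/<order> pair: key=value, value quoted or bare.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def decode_apparmor(line):
    """Return the AppArmor key=value fields of a kernel audit line, else None."""
    m = PREMATCH.search(line)
    if not m:
        return None
    fields = {}
    for f in FIELD.finditer(line, m.end()):
        fields[f.group(1)] = f.group(2) if f.group(2) is not None else f.group(3)
    return fields

def apparmor_rule(fields):
    """Two child rules of 1002 (<if_sid>1002</if_sid> plus a match on the
    status), as code. Levels and descriptions are assumptions."""
    status = fields.get("apparmor")
    if status == "ALLOWED":
        # Complain mode: the access went through; denied_mask only records what
        # enforce mode would have blocked. Level 0 makes OSSEC drop it silently.
        return 0, "AppArmor complain-mode event (allowed)"
    if status == "DENIED":
        return 5, "AppArmor denied %s on %s for profile %s (comm %s)" % (
            fields.get("operation"), fields.get("name"),
            fields.get("profile"), fields.get("comm"))
    return 2, "Unrecognised AppArmor status"

def evaluate(line):
    """(level, description) for an AppArmor line; None for lines this decoder
    does not own, which keep falling through to the generic rules."""
    fields = decode_apparmor(line)
    return None if fields is None else apparmor_rule(fields)
```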