ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

"Unknown problem somewhere in the system" with apparmor enabled #234

Closed ghost closed 10 years ago

ghost commented 10 years ago

Hi,

the following rule is firing on a Debian wheezy system running OSSEC 2.8 from the alienvault repos:

OSSEC HIDS Notification.
2014 Jun 24 10:35:30

Received From: hostname->/var/log/messages
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Jun 24 10:35:29 hostname kernel: [49787.970285] audit: type=1400 audit(1403598929.839:88986): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/dovecot//null-1//null-2//null-4a6" name="/home/admin/mails/new/" pid=19973 comm="imap" requested_mask="r" denied_mask="r" fsuid=1003 ouid=1003

At the moment I'm hiding those messages with the following local rule:

<rule id="100020" level="0">
  <if_sid>1002</if_sid>
  <decoded_as>iptables</decoded_as>
  <match>apparmor="ALLOWED"</match>
  <description>Ignore allowed apparmor entries</description>
</rule>

but maybe there is a better way to catch the DENIED messages of apparmor and ignore the ALLOWED ones.

ddpbsd commented 10 years ago

Create rules to handle the log messages so the 1002 rule doesn't match. I think that ignoring all 1002s is a Bad Idea, it's too good of a tool to ignore.


mstarks01 commented 10 years ago

OSSEC appears to be working correctly in this case. You may want to write an apparmor decoder. Please use the mailing list for support issues like this.
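As an added example (not code from this thread, from the OSSEC rule set, or from the branch ddpbsd links below), here is the logic the two replies above recommend, written in Python so it can be run against sample lines: a decoder stage that splits the AppArmor key=value audit record, and a rule stage that ignores apparmor="ALLOWED" (a complain-mode record, whose denied_mask only shows what enforce mode would have blocked) while alerting on apparmor="DENIED", and that still lets the generic bad-words check behind rule 1002 run on every non-AppArmor kernel line. The word "denied" inside denied_mask="r" is what makes the ALLOWED line in the report hit 1002 in the first place. The alert levels are example choices, and the DENIED, STATUS and EXT4 lines are constructed for the example; only the ALLOWED line is the one from the report.

```python
import re
from typing import Dict, List, Optional, Tuple

# OSSEC's BAD_WORDS variable (rules_config.xml); rule 1002 is a plain <match> on it.
BAD_WORDS = re.compile(
    r"core_dumped|failure|error|attack| bad |illegal |denied|refused"
    r"|unauthorized|fatal|failed|Segmentation Fault|Corrupted"
)

# One key=value token of an AppArmor audit record: quoted string or bare word.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Sample input. "allowed" is the line from the issue report; the rest are constructed.
SAMPLES: Dict[str, str] = {
    "allowed": 'Jun 24 10:35:29 hostname kernel: [49787.970285] audit: type=1400 '
               'audit(1403598929.839:88986): apparmor="ALLOWED" operation="getattr" '
               'profile="/usr/sbin/dovecot//null-1//null-2//null-4a6" name="/home/admin/mails/new/" '
               'pid=19973 comm="imap" requested_mask="r" denied_mask="r" fsuid=1003 ouid=1003',
    "denied": 'Jun 24 10:36:01 hostname kernel: [49819.123456] audit: type=1400 '
              'audit(1403598961.120:89012): apparmor="DENIED" operation="open" '
              'profile="/usr/sbin/dovecot" name="/etc/shadow" pid=19980 comm="imap" '
              'requested_mask="r" denied_mask="r" fsuid=1003 ouid=0',
    "denied_cap": 'Jun 24 10:37:15 hostname kernel: [49893.000001] audit: type=1400 '
                  'audit(1403599035.300:89100): apparmor="DENIED" operation="capable" '
                  'profile="/usr/sbin/ntpd" pid=1111 comm="ntpd" capability=12  capname="net_admin"',
    "status": 'Jun 24 10:38:00 hostname kernel: [49938.500000] audit: type=1400 '
              'audit(1403599080.000:89150): apparmor="STATUS" operation="profile_replace" '
              'name="/usr/sbin/dovecot" pid=2201 comm="apparmor_parser"',
    "ext4_error": 'Jun 24 10:40:12 hostname kernel: [50070.001122] EXT4-fs error (device sda1): '
                  'ext4_find_entry:1312: inode #2: comm imap: reading directory lblock 0',
}


def decode_apparmor(line: str) -> Optional[Dict[str, str]]:
    """Decoder stage. Returns the record's fields (apparmor, operation, profile,
    name, pid, comm, requested_mask, denied_mask, ...) with quotes stripped, or
    None when the line is not an AppArmor record, so other kernel lines fall
    through to the generic rules untouched."""
    if 'apparmor="' not in line:
        return None
    fields: Dict[str, str] = {}
    for key, raw in _KV.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def classify(line: str) -> Tuple[int, str]:
    """Rule stage. Returns (level, description); level 0 means 'do not alert',
    the same convention OSSEC uses for ignore rules. Levels here are example
    choices for this demo, not OSSEC's shipped values."""
    fields = decode_apparmor(line)
    if fields is None:
        # Not AppArmor: the generic bad-words rule (1002) stays in force.
        if BAD_WORDS.search(line):
            return 2, "1002 Unknown problem somewhere in the system."
        return 0, "no match"
    status = fields.get("apparmor", "")
    target = fields.get("name") or fields.get("capname") or "?"
    if status == "ALLOWED":
        # Complain mode: the access happened; denied_mask records what enforce
        # mode would block. Useful for tuning the profile, not an incident.
        return 0, "AppArmor complain-mode access (ignored)"
    if status == "DENIED":
        return 7, (f"AppArmor denied {fields.get('operation')} on {target} "
                   f"by {fields.get('profile')} (comm={fields.get('comm')})")
    if status == "STATUS":
        return 3, f"AppArmor profile {fields.get('operation')}: {target}"
    return 2, f"AppArmor record with unhandled status {status!r}"


def run(lines: List[str]) -> List[Tuple[int, str]]:
    """Classify a batch of lines; alerts are those with level > 0."""
    return [classify(line) for line in lines]


if __name__ == "__main__":
    for label, line in SAMPLES.items():
        level, desc = classify(line)
        print(f"{label:11} level={level} {desc}")
```

Running it shows the ALLOWED line from the report dropped to level 0 while the constructed DENIED lines alert and the EXT4 error still reaches the 1002 check, which is the behaviour ddpbsd argues for: handle the AppArmor lines specifically rather than silencing 1002.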

ddpbsd commented 10 years ago

This isn't really an issue, could a moderator close this? @jrossi ?

ghost commented 10 years ago

Hi,

Sorry, closing it myself. Wasn't aware that this issue tracker is not used for feature requests.

ddpbsd commented 10 years ago

That wasn't a feature request.

ghost commented 10 years ago

It was meant to include a fix for this in the current ossec-rules, but maybe I should have written this more clearly.

ddpbsd commented 10 years ago

@RealRancor Check out the apparmor branch I've started here: https://github.com/ddpbsd/ossec-hids/commit/a8bb27065bb35a099edaa5f722b56904dac0544e

I don't know what other information you want to get out of the log message, or what other log messages you care about. Can you help me flesh this out?