Daniel & List,

I assume everyone who runs OSSEC with syscheckd running gets multiple checksum alerts each time they run yum/apt or any other package manager. What do you think about adding functionality in OSSEC to possibly suppress these alerts if a package manager/updater has just been invoked?

I understand that this functionality will NOT be appropriate for some people who need to know every package that has been touched, but others might be like me and have started to ignore the alerts that come in directly after my nightly yum update.

Maybe it's not possible, but here is the beginning of my thoughts:

Step 1)
Add a signature that will fire when the yum application has been invoked

Step 2)
option 1 ---> keep syscheck quiet until /var/log/yum.log has been edited <- bad idea, window of blindness
option 2 ---> tail the changes to /var/log/yum.log and *somehow* find out what binaries are affected by each package and have syscheckd ignore those specific binary checksum changes. <- better idea, but I don't know how to do it
option 3 ---> ?

What do you all think? Good idea? Bad idea? Good idea but not practical due to the fact that there are so many different ways to update packages? Or just not possible?

-Seth
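Added example (not part of Seth's mail or of OSSEC itself) sketching what "option 2" could look like on an RPM host: parse yum.log entries, look up which files each updated package owns, and then sort incoming syscheck alerts into "explained by a package update within the last N minutes" versus "unexplained". The yum.log lines, the alert list and the package-to-file map are constructed for the example; on a real system the map would come from `rpm -ql <package>` (or `dpkg -L` on Debian/Ubuntu). The year is an assumption because yum.log lines carry none.

```python
import re
from datetime import datetime, timedelta

# yum.log lines have no year; assumed here so timestamps can be compared.
YEAR = 2013

# Constructed yum.log excerpt (format mirrors "Mon DD HH:MM:SS Action: NVRA").
SAMPLE_YUM_LOG = [
    "Mar 10 03:15:02 Updated: openssl-1.0.1e-16.el6.x86_64",
    "Mar 10 03:15:05 Updated: bash-4.1.2-15.el6.x86_64",
    "Mar 10 03:15:09 Erased: old-tool-0.1-1.el6.noarch",
]

# Constructed stand-in for `rpm -ql <package>` output: package -> owned files.
PACKAGE_FILES = {
    "openssl-1.0.1e-16.el6.x86_64": ["/usr/bin/openssl"],
    "bash-4.1.2-15.el6.x86_64": ["/bin/bash", "/bin/sh"],
}

# Constructed syscheck alerts: (time the alert fired, path reported as changed).
SAMPLE_ALERTS = [
    (datetime(2013, 3, 10, 3, 20, 0), "/usr/bin/openssl"),   # right after update
    (datetime(2013, 3, 10, 3, 21, 0), "/bin/bash"),          # right after update
    (datetime(2013, 3, 10, 3, 22, 0), "/usr/sbin/sshd"),     # no package touched it
    (datetime(2013, 3, 10, 9, 0, 0), "/bin/bash"),           # hours later: outside window
]

YUM_LINE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (Installed|Updated|Erased): (\S+)$")


def parse_yum_log(lines, year=YEAR):
    """Return a list of (timestamp, action, package) from yum.log-style lines."""
    events = []
    for line in lines:
        m = YUM_LINE.match(line.strip())
        if not m:
            continue  # ignore lines that are not package transactions
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))
    return events


def files_owned_by(package):
    """Hypothetical lookup; replace with a call to `rpm -ql` on a real host."""
    return PACKAGE_FILES.get(package, [])


def recently_updated_files(events, at, window):
    """Map path -> package for packages installed/updated in [at-window, at]."""
    owned = {}
    for ts, action, pkg in events:
        if action == "Erased":
            continue  # removed packages do not explain a changed checksum
        if at - window <= ts <= at:
            for path in files_owned_by(pkg):
                owned[path] = pkg
    return owned


def classify_alerts(alerts, events, window=timedelta(minutes=30)):
    """Split syscheck alerts into those explained by a recent package
    transaction and those that still deserve a human's attention."""
    explained, unexplained = [], []
    for ts, path in alerts:
        owned = recently_updated_files(events, ts, window)
        if path in owned:
            explained.append((path, owned[path]))
        else:
            unexplained.append(path)
    return explained, unexplained


if __name__ == "__main__":
    ok, suspicious = classify_alerts(SAMPLE_ALERTS, parse_yum_log(SAMPLE_YUM_LOG))
    for path, pkg in ok:
        print(f"suppressed  {path}  (updated by {pkg})")
    for path in suspicious:
        print(f"ALERT       {path}")
```

Two design points worth keeping in mind if something like this went into OSSEC: the matching should be per file and per package, never a blanket mute, so a change to a path no package touched (the `/usr/sbin/sshd` line above) still alerts even during an update run; and "explained" should mean downgraded or annotated rather than discarded, since the package database on the host is itself something an attacker can tamper with, so cross-checking the new checksum against the package's recorded digest (`rpm -V`) is the stronger test.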
