Seth wrote:
Daniel & List,

I assume everyone who runs OSSEC with syscheckd running gets multiple
checksum alerts each time they run yum/apt or any other package manager.
What do you think about adding functionality in OSSEC to possibly suppress
these alerts if a package manager/updater has just been invoked.

I understand that this functionality will NOT be appropriate for some people
who need to know every package that has been touched, but others might be
like me and have started to ignore the alerts that come in directly after my
nightly yum update.

Maybe it's not possible, but here are the beginning of my thoughts:

Step 1)
Add a signature that will fire when the yum application has been invoked

Step 2)
option 1 ---> keep syscheck quiet until /var/log/yum.log has been edited <-
bad idea, window of blindness
option 2 ---> tail the changes to /var/log/yum.log and *somehow* find out
what binaries are affected by each package and have syscheckd ignore those
specific binary checksum changes. <- better idea, but I don't know how to do
it
option 3 ---> ?

What do you all think?  Good idea? Bad idea?  Good idea but not practical
due to the fact there are so many different ways to update packages?  Or
just not possible?

-Seth

Yum, apt, smart, yast2, etc... It's just too complex and undermines the integrity of the feature. I'd go with a simple mail filter to put syscheck alerts into a separate folder in your email client, then you could parse that with your 'yum log vs. syscheck' script (that you write :-)) to weed out the yum related items. Or just highlight all the 3 am notices and delete them :-).

Ken
Pacific.Net
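The "yum log vs. syscheck" script Ken suggests, written out here as an added example; it is not from the thread and not part of OSSEC. It assumes the classic yum.log line format ("Mar 03 03:12:07 Updated: openssl-1.0.1e-42.el6.x86_64"), takes syscheck alerts as (timestamp, path) pairs that a real script would parse out of alerts.log, and uses a constructed package-to-file map standing in for `rpm -ql` output, so it runs offline. The window length and all sample data are made up for the example.

```python
"""Correlate OSSEC syscheck alerts with /var/log/yum.log.

An alert is treated as "explained" when a yum event within `window` of the
alert touched a package that owns the alerted path.  Everything else is kept.
Example code for the thread above, not OSSEC's own logic.
"""
import re
from datetime import datetime, timedelta

# Classic yum.log line: "Mar 03 03:12:07 Updated: openssl-1.0.1e-42.el6.x86_64"
YUM_LINE = re.compile(
    r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (Installed|Updated|Erased): (\S+)$"
)
YEAR = 2012  # yum.log omits the year; assumed here for the sample data


def parse_yum_log(lines, year=YEAR):
    """Return a list of (timestamp, action, nevra) from yum.log-style lines."""
    events = []
    for line in lines:
        m = YUM_LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))
    return events


def package_name(nevra):
    """'[epoch:]name-version-release.arch' -> 'name'.

    Package names may contain dashes; version and release do not, so splitting
    from the right on the last two dashes is safe.
    """
    nevra = nevra.split(":", 1)[-1]          # drop optional epoch prefix
    base = nevra.rsplit(".", 1)[0]           # drop .arch
    name, _version, _release = base.rsplit("-", 2)
    return name


def explain_alert(alert_ts, path, yum_events, owned_files,
                  window=timedelta(minutes=10)):
    """Return the NEVRA of a recent yum event whose package owns `path`, else None."""
    for ts, _action, nevra in yum_events:
        if abs(alert_ts - ts) > window:
            continue
        if path in owned_files.get(package_name(nevra), ()):
            return nevra
    return None


def triage(alerts, yum_lines, owned_files, window=timedelta(minutes=10)):
    """Split (timestamp, path) alerts into explained and unexplained lists.

    Each result entry is (timestamp, path, nevra_or_None).
    """
    yum_events = parse_yum_log(yum_lines)
    explained, unexplained = [], []
    for ts, path in alerts:
        nevra = explain_alert(ts, path, yum_events, owned_files, window)
        (explained if nevra else unexplained).append((ts, path, nevra))
    return explained, unexplained


# --- constructed sample data (not real logs) ---------------------------------
YUM_LOG = [
    "Mar 03 03:12:07 Updated: openssl-1.0.1e-42.el6.x86_64",
    "Mar 03 03:12:11 Installed: tmux-1.6-3.el6.x86_64",
]

# Stand-in for `rpm -ql <pkg>` output, keyed by package name.
OWNED_FILES = {
    "openssl": {"/usr/bin/openssl", "/usr/lib64/libssl.so.1.0.1e"},
    "tmux": {"/usr/bin/tmux"},
}

ALERTS = [
    (datetime(2012, 3, 3, 3, 15, 0), "/usr/bin/openssl"),  # right after the update
    (datetime(2012, 3, 3, 3, 15, 0), "/usr/bin/tmux"),     # right after the install
    (datetime(2012, 3, 3, 3, 15, 0), "/bin/ls"),           # no package touched it
    (datetime(2012, 3, 3, 14, 0, 0), "/usr/bin/openssl"),  # same file, hours later
]

if __name__ == "__main__":
    explained, unexplained = triage(ALERTS, YUM_LOG, OWNED_FILES)
    for ts, path, nevra in explained:
        print(f"suppress {ts} {path} (explained by {nevra})")
    for ts, path, _ in unexplained:
        print(f"KEEP     {ts} {path}")
```

The two alerts that are kept are the interesting ones: a change to a file no updated package owns, and a change to a package-owned file outside the update window. Note the gap Ken is pointing at: anything that rewrites /usr/bin/openssl inside the ten minutes after the update is also suppressed, because this only checks timing and ownership, not whether the new checksum matches what the package actually shipped (which `rpm -V` would tell you).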
