Hi Seth,
The idea is not bad, but very complex and system-centric to work out well. Also, an attacker could just modify the yum.log to hide their changes. I think what Ken proposes is good. If you know you updated the system, you can ignore the notifications during that specific time frame. You can also run "syscheck_update" on the server (and restart ossec) to re-generate the integrity database when you update the system...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/29/06, Ken A <[EMAIL PROTECTED]> wrote:
Seth wrote:
> Daniel & List,
>
> I assume everyone who runs OSSEC with syscheckd running gets multiple
> checksum alerts each time they run yum/apt or any other package manager.
> What do you think about adding functionality in OSSEC to possibly suppress
> these alerts if a package manager/updater has just been invoked.
>
> I understand that this functionality will NOT be appropriate for some people
> who need to know every package that has been touched, but others might be
> like me and have started to ignore the alerts that come in directly after my
> nightly yum update.
>
> Maybe it's not possible, but here is the beginning of my thoughts:
>
> Step 1)
> Add a signature that will fire when the yum application has been invoked
>
> Step 2)
> option 1 ---> keep syscheck quiet until /var/log/yum.log has been edited
> <- bad idea, window of blindness
> option 2 ---> tail the changes to /var/log/yum.log and *somehow* find out
> what binaries are affected by each package and have syscheckd ignore those
> specific binary checksum changes. <- better idea, but I don't know how to do it
> option 3 ---> ?
>
> What do you all think? Good idea? Bad idea? Good idea but not practical
> due to the fact there are so many different ways to update packages? Or
> just not possible? Yum, apt, smart, yast2, etc...

It's just too complex and undermines the integrity of the feature. I'd go with a simple mail filter to put syscheck alerts into a separate folder in your email client, then you could parse that with your 'yum log vs. syscheck' script (that you write :-)) to weed out the yum related items. Or just highlight all the 3 am notices and delete them :-).

Ken
Pacific.Net

> -Seth
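The "yum log vs. syscheck" script Ken suggests, and the file-to-package mapping Seth's option 2 needs, as an added example that is not from the thread or from OSSEC itself. It parses constructed yum.log lines (yum's "Mon DD HH:MM:SS Action: name.arch version" format, which omits the year, so the caller supplies it), parses constructed syscheck "Integrity checksum changed for:" alerts reduced to a timestamp plus message, and treats an alert as explained only if the file belongs to a package yum updated shortly before the alert. PKG_FILES is a constructed stand-in for `rpm -ql <package>`; on a real host you would populate it from that command. As Daniel points out, this trusts yum.log, so it is a triage aid for the mail folder Ken describes, not a replacement for re-running syscheck_update after a known update.

```python
"""Triage OSSEC syscheck checksum alerts against /var/log/yum.log.

Added example, not OSSEC code. PKG_FILES is a constructed stand-in for the
output of `rpm -ql <package>`; the log and alert samples are constructed too.
"""
import re
from datetime import datetime, timedelta

# Constructed sample of /var/log/yum.log lines (no year in the timestamp).
YUM_LOG = """\
Sep 29 03:15:02 Updated: openssl.i386 0.9.7a-43.16
Sep 29 03:15:09 Updated: glibc-common.i386 2.3.4-2.25
Sep 29 03:15:20 Installed: lsof.i386 4.72-1.3
"""

# Constructed stand-in for `rpm -ql` per package (hypothetical file lists).
PKG_FILES = {
    "openssl": {"/usr/bin/openssl", "/lib/libssl.so.0.9.7a", "/lib/libcrypto.so.0.9.7a"},
    "glibc-common": {"/usr/bin/locale", "/usr/bin/iconv"},
    "lsof": {"/usr/sbin/lsof"},
}

# Constructed syscheck alerts, reduced to "timestamp + message" lines.
ALERTS = """\
2006 Sep 29 03:16:40 Integrity checksum changed for: '/usr/bin/openssl'
2006 Sep 29 03:16:41 Integrity checksum changed for: '/lib/libssl.so.0.9.7a'
2006 Sep 29 03:16:42 Integrity checksum changed for: '/usr/bin/locale'
2006 Sep 29 03:16:43 Integrity checksum changed for: '/bin/ls'
2006 Sep 29 22:40:10 Integrity checksum changed for: '/usr/bin/openssl'
"""

YUM_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (Updated|Installed|Erased): (\S+) \S+$")
ALERT_RE = re.compile(
    r"^(\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) Integrity checksum changed for: '([^']+)'$")


def parse_yum_log(text, year):
    """Return [(datetime, action, package_name)]; yum.log omits the year."""
    entries = []
    for line in text.splitlines():
        m = YUM_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        name = m.group(3).rsplit(".", 1)[0]  # drop the .arch suffix
        entries.append((when, m.group(2), name))
    return entries


def parse_alerts(text):
    """Return [(datetime, path)] for each checksum-changed alert line."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            alerts.append((datetime.strptime(m.group(1), "%Y %b %d %H:%M:%S"), m.group(2)))
    return alerts


def explained_by_update(alert_time, path, entries, pkg_files, window=timedelta(hours=2)):
    """True if `path` belongs to a package yum installed/updated within `window` before the alert."""
    for when, action, name in entries:
        if action == "Erased":
            continue  # a removed package cannot explain a *changed* checksum
        if when <= alert_time <= when + window and path in pkg_files.get(name, ()):
            return True
    return False


def triage(alerts, entries, pkg_files, window=timedelta(hours=2)):
    """Split alert paths into (explained by a recent update, still suspicious)."""
    explained, suspicious = [], []
    for alert_time, path in alerts:
        bucket = explained if explained_by_update(alert_time, path, entries, pkg_files, window) else suspicious
        bucket.append(path)
    return explained, suspicious


if __name__ == "__main__":
    ok, bad = triage(parse_alerts(ALERTS), parse_yum_log(YUM_LOG, 2006), PKG_FILES)
    print("explained by yum:", ok)
    print("needs a look:   ", bad)
```

Two alerts survive the filter: /bin/ls, which no package in the log owns, and the second /usr/bin/openssl change at 22:40, hours after the update window closed. Both are exactly the cases a blanket "mute syscheck after yum" rule would have hidden.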
