Don't ignore 1002. 1002 is a rule that looks for certain keywords.
These log messages are often something that should be looked at. If
you don't want to see the alerts, create a rule to ignore that
specific log message, not 1002 altogether.
Writing a rule to ignore this usually starts with running it through
ossec-logtest:
# /var/ossec/bin/ossec-logtest
2012/04/12 10:37:08 ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
2012/04/12 10:37:08 ossec-testrule: INFO: Reading decoder file
etc/local_decoder.xml.
2012/04/12 10:37:08 ossec-testrule: INFO: Reading decoder file
etc/wip/nsd_decoder.xml.
2012/04/12 10:37:08 ossec-testrule: INFO: Reading loading the lists
file: 'lists/blocked.txt.cdb'
2012/04/12 10:37:08 ossec-testrule: INFO: Reading loading the lists
file: 'lists/userlist.txt.cdb'
2012/04/12 10:37:08 ossec-testrule: INFO: Started (pid: 2340).
ossec-testrule: Type one log per line.
Apr 12 14:56:26 server kernel: [39631.605323] type=1400
audit(1334238986.635:1101151): apparmor="ALLOWED" operation="open"
parent=1 profile="/usr/lib/chromium-browser/chromium-browser"
name="/proc/11685/task/11691/stat" pid=6851 comm="Chrome_IOThread"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
**Phase 1: Completed pre-decoding.
full event: 'Apr 12 14:56:26 server kernel: [39631.605323]
type=1400 audit(1334238986.635:1101151): apparmor="ALLOWED"
operation="open" parent=1
profile="/usr/lib/chromium-browser/chromium-browser"
name="/proc/11685/task/11691/stat" pid=6851 comm="Chrome_IOThread"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'
hostname: 'server'
program_name: 'kernel'
log: '[39631.605323] type=1400 audit(1334238986.635:1101151):
apparmor="ALLOWED" operation="open" parent=1
profile="/usr/lib/chromium-browser/chromium-browser"
name="/proc/11685/task/11691/stat" pid=6851 comm="Chrome_IOThread"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'
**Phase 2: Completed decoding.
decoder: 'iptables'
**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.
This gives us some more information. If the log messages are all
similar enough, I'd create a rule like the following in
/var/ossec/rules/local_rules.xml:
<rule id="102003" level="0">
  <decoded_as>iptables</decoded_as>
  <match>apparmor="ALLOWED" operation="open" parent=1 profile="/usr/lib/chromium-browser/chromium-browser</match>
  <description>Ignore chromium</description>
</rule>
Then run ossec-logtest again:
# /var/ossec/bin/ossec-logtest
2012/04/12 10:39:41 ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
2012/04/12 10:39:41 ossec-testrule: INFO: Reading decoder file
etc/local_decoder.xml.
2012/04/12 10:39:41 ossec-testrule: INFO: Reading decoder file
etc/wip/nsd_decoder.xml.
2012/04/12 10:39:41 ossec-testrule: INFO: Reading loading the lists
file: 'lists/blocked.txt.cdb'
2012/04/12 10:39:41 ossec-testrule: INFO: Reading loading the lists
file: 'lists/userlist.txt.cdb'
2012/04/12 10:39:41 ossec-testrule: INFO: Started (pid: 1790).
ossec-testrule: Type one log per line.
Apr 12 14:56:26 server kernel: [39631.605323] type=1400
audit(1334238986.635:1101151): apparmor="ALLOWED" operation="open"
parent=1 profile="/usr/lib/chromium-browser/chromium-browser"
name="/proc/11685/task/11691/stat" pid=6851 comm="Chrome_IOThread"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
**Phase 1: Completed pre-decoding.
full event: 'Apr 12 14:56:26 server kernel: [39631.605323]
type=1400 audit(1334238986.635:1101151): apparmor="ALLOWED"
operation="open" parent=1
profile="/usr/lib/chromium-browser/chromium-browser"
name="/proc/11685/task/11691/stat" pid=6851 comm="Chrome_IOThread"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'
hostname: 'server'
program_name: 'kernel'
log: '[39631.605323] type=1400 audit(1334238986.635:1101151):
apparmor="ALLOWED" operation="open" parent=1
profile="/usr/lib/chromium-browser/chromium-browser"
name="/proc/11685/task/11691/stat" pid=6851 comm="Chrome_IOThread"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'
**Phase 2: Completed decoding.
decoder: 'iptables'
**Phase 3: Completed filtering (rules).
Rule id: '102003'
Level: '0'
Description: 'Ignore chromium'
The rule assumes that all of these log messages have the exact phrase
as mentioned in the <match> option. If not, you'll have to tweak it a
bit.
On Thu, Apr 12, 2012 at 10:20 AM, Nick Barnes <[email protected]> wrote:
> Hi,
>
> I'm new to OSSEC (still an Ubuntu noob too) and have left all of the default
> settings from the installation the same, with the exception of my email
> address and a tick in the box for email notifications.
>
> Within seconds of setting it all up, I've started getting loads of the same
> notifications regarding Rule 1002 - Unknown problem somewhere in the system.
> It looks like this is all to do with Chromium web browser and/or AppArmor?
>
> Received From: server->/var/log/syslog
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Apr 12 14:56:26 server kernel: [39631.605323] type=1400
> audit(1334238986.635:1101151): apparmor="ALLOWED" operation="open" parent=1
> profile="/usr/lib/chromium-browser/chromium-browser"
> name="/proc/11685/task/11691/stat" pid=6851 comm="Chrome_IOThread"
> requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>
> How can I stop this? Is it safe for me to ignore rule 1002 in the config or
> should I just stop low-level notifications from being emailed to me? If I
> should stop the notifications, what is the safest level of notification I
> should stop at? I've seen level 7 mentioned a few times but will I still get
> notified about failed root logins etc?
>
> Better yet, does anyone know how I can solve this unknown problem at its
> source?
>
> Thanks for your help!
>
> Nick
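The reply's advice (a narrow level-0 rule on the exact AppArmor line, leaving 1002 alone for everything else) can be checked without a running OSSEC install. The script below is an added example, not OSSEC code and not from the thread: it models the three ossec-logtest phases shown above (pre-decode, decode, rules) just far enough to show why 102003 silences the chromium line while a different AppArmor denial still reaches 1002. Assumptions are labelled in the comments: rule 1002's keyword list is shortened from the OSSEC default, the only decoder modelled is 'iptables' claiming kernel lines, `<match>` is treated as a literal substring test with `|` alternatives, and level-0 rules are tried before the rest (a simplification of ossec-analysisd's ordering). The second and third sample log lines are constructed for the example.

```python
"""Toy model of the ossec-logtest pipeline: pre-decode -> decode -> rules.

Added example, not OSSEC code. It models only what the thread shows.
"""
import re
import xml.etree.ElementTree as ET

# Constructed rule set. Rule 1002's keyword list is a shortened version of the
# OSSEC default; 102003 is the local rule from the reply, with <match> on one line.
RULES_XML = """
<group name="local,">
  <rule id="1002" level="2">
    <match>failure|error|attack|denied|refused|unauthorized|fatal|failed</match>
    <description>Unknown problem somewhere in the system.</description>
  </rule>
  <rule id="102003" level="0">
    <decoded_as>iptables</decoded_as>
    <match>apparmor="ALLOWED" operation="open" parent=1 profile="/usr/lib/chromium-browser/chromium-browser</match>
    <description>Ignore chromium</description>
  </rule>
</group>
"""

# Constructed samples: the first is the line from the thread, the other two
# are made up to show the scope of the ignore rule.
CHROMIUM_LINE = ('Apr 12 14:56:26 server kernel: [39631.605323] type=1400 '
                 'audit(1334238986.635:1101151): apparmor="ALLOWED" operation="open" '
                 'parent=1 profile="/usr/lib/chromium-browser/chromium-browser" '
                 'name="/proc/11685/task/11691/stat" pid=6851 comm="Chrome_IOThread" '
                 'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0')
OTHER_PROFILE_LINE = ('Apr 12 15:01:02 server kernel: [39900.000000] type=1400 '
                      'audit(1334239262.000:1101200): apparmor="DENIED" operation="open" '
                      'parent=1 profile="/usr/sbin/cupsd" name="/var/log/auth.log" '
                      'pid=7000 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0')
QUIET_LINE = ('Apr 12 15:02:00 server kernel: [39950.000000] usb 1-1: '
              'new high-speed USB device number 4')

# Syslog header: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<hostname>\S+) "
    r"(?P<program_name>[^:\[]+)(?:\[\d+\])?: (?P<log>.*)$")


def load_rules(xml_text):
    """Parse <rule> elements into dicts and order them for evaluation."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        rules.append({
            "id": r.get("id"),
            "level": int(r.get("level")),
            "decoded_as": r.findtext("decoded_as"),
            "match": r.findtext("match"),
            "description": r.findtext("description"),
        })
    # Simplification of ossec-analysisd ordering: level-0 (ignore) rules are
    # tried first, the remaining rules keep file order; first match wins.
    rules.sort(key=lambda r: 0 if r["level"] == 0 else 1)
    return rules


def predecode(line):
    """Phase 1: split a syslog line into hostname, program_name and log."""
    m = SYSLOG_RE.match(line)
    if not m:
        return {"ts": None, "hostname": None, "program_name": None, "log": line}
    return m.groupdict()


def decode(event):
    """Phase 2: only the 'iptables' decoder is modelled. In OSSEC it claims
    kernel lines, which is why the AppArmor audit line lands there."""
    if event["program_name"] == "kernel" and event["log"].startswith("["):
        return "iptables"
    return None


def rule_matches(rule, event, decoder):
    """Assumed <match> semantics: literal substring, '|' separates alternatives."""
    if rule["decoded_as"] and rule["decoded_as"] != decoder:
        return False
    return any(alt in event["log"] for alt in rule["match"].split("|"))


def analyze(line, rules=None):
    """Phase 3: return the first rule that fires for the line, or None."""
    rules = rules if rules is not None else load_rules(RULES_XML)
    event = predecode(line)
    decoder = decode(event)
    for rule in rules:
        if rule_matches(rule, event, decoder):
            return rule
    return None


if __name__ == "__main__":
    for sample in (CHROMIUM_LINE, OTHER_PROFILE_LINE, QUIET_LINE):
        hit = analyze(sample)
        if hit is None:
            print("no rule fired:", sample[:60])
        else:
            print("Rule id: %r  Level: %r  Description: %r"
                  % (hit["id"], hit["level"], hit["description"]))
```

The important result is the second sample: a denial for a different profile still fires 1002 at level 2, so the ignore rule removes only the chromium noise and not the rest of the keyword check. If the real messages vary (different `operation`, a profile path that is not identical), the `<match>` string has to be loosened exactly as the reply says, and this model shows what stops matching when it is.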