Hi Dan,
Thanks a lot for getting back in touch with me. I woke up to a lot of
emails this morning from OSSEC telling me about problems with rule 1002!!
I did some digging and found hundreds of these AppArmor/Chromium log
entries, all with the words 'denied_mask' in them. I then found out that
rule 1002 looks out for the words 'denied' (amongst others) in the logs
which is why OSSEC thought something was fishy.
I tried your suggested rule but there were too many variations for the
match to work. I ended up creating 7 rules for the different entries I
could find. I didn't want to go too broad in case I made it ignore something
that it really shouldn't!
Thanks again, Dan. I haven't received an email for at least an hour and I now
understand OSSEC & rules more :D
Nick
PS. Here are the rules I created, just in case they are of any help to
someone else:
<rule id="102003" level="0">
<decoded_as>iptables</decoded_as>
<match>apparmor="ALLOWED" operation="open" parent=19494 profile="/usr/lib/chromium-browser/chromium-browser</match>
<description>Ignore chromium</description>
</rule>
<rule id="102004" level="0">
<decoded_as>iptables</decoded_as>
<match>apparmor="ALLOWED" operation="open" parent=19683 profile="/usr/lib/chromium-browser/chromium-browser</match>
<description>Ignore chromium</description>
</rule>
<rule id="102005" level="0">
<decoded_as>iptables</decoded_as>
<match>apparmor="ALLOWED" operation="open" parent=27064 profile="/usr/lib/chromium-browser/chromium-browser</match>
<description>Ignore chromium</description>
</rule>
<rule id="102006" level="0">
<decoded_as>iptables</decoded_as>
<match>apparmor="ALLOWED" operation="open" parent=19419 profile="/usr/lib/chromium-browser/chromium-browser</match>
<description>Ignore chromium</description>
</rule>
<rule id="102007" level="0">
<decoded_as>iptables</decoded_as>
<match>apparmor="ALLOWED" operation="truncate" parent=27064 profile="/usr/lib/chromium-browser/chromium-browser</match>
<description>Ignore chromium</description>
</rule>
<rule id="102008" level="0">
<decoded_as>iptables</decoded_as>
<match>apparmor="ALLOWED" operation="open" parent=6766 profile="/usr/lib/chromium-browser/chromium-browser</match>
<description>Ignore chromium</description>
</rule>
<rule id="102009" level="0">
<decoded_as>iptables</decoded_as>
<match>apparmor="ALLOWED" operation="open" parent=6691 profile="/usr/lib/chromium-browser/chromium-browser</match>
<description>Ignore chromium</description>
</rule>
On Thursday, 12 April 2012 15:41:41 UTC+1, dan (ddpbsd) wrote:
>
> Don't ignore 1002. 1002 is a rule that looks for certain keywords.
> These log messages are often something that should be looked at. If
> you don't want to see the alerts, create a rule to ignore that
> specific log message, not 1002 altogether.
>
> Writing a rule to ignore this usually starts with running it through
> ossec-logtest:
>
> # /var/ossec/bin/ossec-logtest
> 2012/04/12 10:37:08 ossec-testrule: INFO: Reading decoder file
> etc/decoder.xml.
> 2012/04/12 10:37:08 ossec-testrule: INFO: Reading decoder file
> etc/local_decoder.xml.
> 2012/04/12 10:37:08 ossec-testrule: INFO: Reading decoder file
> etc/wip/nsd_decoder.xml.
> 2012/04/12 10:37:08 ossec-testrule: INFO: Reading loading the lists
> file: 'lists/blocked.txt.cdb'
> 2012/04/12 10:37:08 ossec-testrule: INFO: Reading loading the lists
> file: 'lists/userlist.txt.cdb'
> 2012/04/12 10:37:08 ossec-testrule: INFO: Started (pid: 2340).
> ossec-testrule: Type one log per line.
>
> Apr 12 14:56:26 server kernel: [39631.605323] type=1400
> audit(1334238986.635:1101151): apparmor="ALLOWED" operation="open"
> parent=1 profile="/usr/lib/chromium-browser/chromium-browser"
> name="/proc/11685/task/11691/stat" pid=6851 comm="Chrome_IOThread"
> requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>
>
> **Phase 1: Completed pre-decoding.
> full event: 'Apr 12 14:56:26 server kernel: [39631.605323]
> type=1400 audit(1334238986.635:1101151): apparmor="ALLOWED"
> operation="open" parent=1
> profile="/usr/lib/chromium-browser/chromium-browser"
> name="/proc/11685/task/11691/stat" pid=6851 comm="Chrome_IOThread"
> requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'
> hostname: 'server'
> program_name: 'kernel'
> log: '[39631.605323] type=1400 audit(1334238986.635:1101151):
> apparmor="ALLOWED" operation="open" parent=1
> profile="/usr/lib/chromium-browser/chromium-browser"
> name="/proc/11685/task/11691/stat" pid=6851 comm="Chrome_IOThread"
> requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'
>
> **Phase 2: Completed decoding.
> decoder: 'iptables'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '1002'
> Level: '2'
> Description: 'Unknown problem somewhere in the system.'
> **Alert to be generated.
>
>
> This gives us some more information. If the log messages are all
> similar enough, I'd create a rule like the following in
> /var/ossec/rules/local_rules.xml:
> <rule id="102003" level="0">
> <decoded_as>iptables</decoded_as>
> <match>apparmor="ALLOWED" operation="open" parent=1 profile="/usr/lib/chromium-browser/chromium-browser</match>
> <description>Ignore chromium</description>
> </rule>
>
> Then run ossec-logtest again:
> # /var/ossec/bin/ossec-logtest
> 2012/04/12 10:39:41 ossec-testrule: INFO: Reading decoder file
> etc/decoder.xml.
> 2012/04/12 10:39:41 ossec-testrule: INFO: Reading decoder file
> etc/local_decoder.xml.
> 2012/04/12 10:39:41 ossec-testrule: INFO: Reading decoder file
> etc/wip/nsd_decoder.xml.
> 2012/04/12 10:39:41 ossec-testrule: INFO: Reading loading the lists
> file: 'lists/blocked.txt.cdb'
> 2012/04/12 10:39:41 ossec-testrule: INFO: Reading loading the lists
> file: 'lists/userlist.txt.cdb'
> 2012/04/12 10:39:41 ossec-testrule: INFO: Started (pid: 1790).
> ossec-testrule: Type one log per line.
>
> Apr 12 14:56:26 server kernel: [39631.605323] type=1400
> audit(1334238986.635:1101151): apparmor="ALLOWED" operation="open"
> parent=1 profile="/usr/lib/chromium-browser/chromium-browser"
> name="/proc/11685/task/11691/stat" pid=6851 comm="Chrome_IOThread"
> requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>
>
> **Phase 1: Completed pre-decoding.
> full event: 'Apr 12 14:56:26 server kernel: [39631.605323]
> type=1400 audit(1334238986.635:1101151): apparmor="ALLOWED"
> operation="open" parent=1
> profile="/usr/lib/chromium-browser/chromium-browser"
> name="/proc/11685/task/11691/stat" pid=6851 comm="Chrome_IOThread"
> requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'
> hostname: 'server'
> program_name: 'kernel'
> log: '[39631.605323] type=1400 audit(1334238986.635:1101151):
> apparmor="ALLOWED" operation="open" parent=1
> profile="/usr/lib/chromium-browser/chromium-browser"
> name="/proc/11685/task/11691/stat" pid=6851 comm="Chrome_IOThread"
> requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'
>
> **Phase 2: Completed decoding.
> decoder: 'iptables'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '102003'
> Level: '0'
> Description: 'Ignore chromium'
>
>
> The rule assumes that all of these log messages have the exact phrase
> as mentioned in the <match> option. If not, you'll have to tweak it a
> bit.
>
> On Thu, Apr 12, 2012 at 10:20 AM, Nick Barnes wrote:
> > Hi,
> >
> > I'm new to OSSEC (still an Ubuntu noob too) and have left all of the
> > default settings from the installation the same, with the exception of my
> > email address and a tick in the box for email notifications.
> >
> > Within seconds of setting it all up, I've started getting loads of the
> > same notifications regarding Rule 1002 - Unknown problem somewhere in the
> > system. It looks like this is all to do with Chromium web browser and/or
> > AppArmor?
> >
> > Received From: server->/var/log/syslog
> > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> > Portion of the log(s):
> >
> > Apr 12 14:56:26 server kernel: [39631.605323] type=1400
> > audit(1334238986.635:1101151): apparmor="ALLOWED" operation="open"
> > parent=1 profile="/usr/lib/chromium-browser/chromium-browser"
> > name="/proc/11685/task/11691/stat" pid=6851 comm="Chrome_IOThread"
> > requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
> >
> > How can I stop this? Is it safe for me to ignore rule 1002 in the config
> > or should I just stop low-level notifications from being emailed to me? If
> > I should stop the notifications, what is the safest level of notification
> > I should stop at? I've seen level 7 mentioned a few times but will I still
> > get notified about failed root logins etc?
> >
> > Better yet, does anyone know how I can solve this unknown problem at its
> > source?
> >
> > Thanks for your help!
> >
> > Nick
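Added example, not part of the thread: a small Python model of how Nick's seven `<match>` rules and the keyword rule 1002 interact, run over constructed AppArmor log lines in the format shown above. It treats `<match>` as a plain substring test and rule 1002 as a "denied" keyword check, which is a simplification of OSSEC's rule engine, and it shows why keying the ignore rules on `parent=` PIDs means the alerts return as soon as Chromium is restarted under a new parent PID, while an `apparmor="DENIED"` event is still left to alert.

```python
import re

PROFILE = "/usr/lib/chromium-browser/chromium-browser"

# Nick's seven ignore rules from local_rules.xml, reduced to
# (rule id, operation, parent pid).
NICK_RULES = [("102003", "open", 19494), ("102004", "open", 19683),
              ("102005", "open", 27064), ("102006", "open", 19419),
              ("102007", "truncate", 27064), ("102008", "open", 6766),
              ("102009", "open", 6691)]

def match_string(op, parent):
    """The literal <match> text of one rule, as posted (no closing quote on profile)."""
    return f'apparmor="ALLOWED" operation="{op}" parent={parent} profile="{PROFILE}'

def parse_audit(line):
    """Split an AppArmor audit line into key/value pairs (quoted or bare values)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def evaluate(line, rules=NICK_RULES):
    """Simplified flow: the first ignore rule whose <match> text is a substring
    of the log wins (level 0); otherwise the generic keyword rule 1002 fires
    on 'denied' (level 2). This illustrates the matching, not the real engine."""
    for rule_id, op, parent in rules:
        if match_string(op, parent) in line:
            return rule_id, 0
    if "denied" in line.lower():
        return "1002", 2
    return None, None

def audit_line(op, parent, status="ALLOWED"):
    """Constructed sample log line in the format quoted in the thread."""
    return (f'Apr 12 14:56:26 server kernel: [39631.605323] type=1400 '
            f'audit(1334238986.635:1101151): apparmor="{status}" operation="{op}" '
            f'parent={parent} profile="{PROFILE}" name="/proc/11685/task/11691/stat" '
            f'pid=6851 comm="Chrome_IOThread" requested_mask="r" denied_mask="r" '
            f'fsuid=1000 ouid=0')

if __name__ == "__main__":
    samples = [audit_line("open", 19494),            # covered by 102003
               audit_line("truncate", 27064),        # covered by 102007
               audit_line("open", 31337),            # new parent PID: back to 1002
               audit_line("open", 19494, "DENIED")]  # real denial: still alerts
    for line in samples:
        fields = parse_audit(line)
        print(fields["apparmor"], fields["operation"], fields["parent"], evaluate(line))
```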