Hi Dan,

Thanks for the detailed steps and rule. I tried the same and am still getting the alert.

On 29-Mar-2016 9:07 PM, "dan (ddp)" <[email protected]> wrote:
> On Tue, Mar 29, 2016 at 11:29 AM, sandeep dubey
> <[email protected]> wrote:
> > Hi,
> >
> > I am getting this alert from all the hosts -
> >
> > Mar 29 13:30:02 cmcloud kernel: [885866.238608] type=1400
> > audit(1459258202.301:67688): apparmor="DENIED" operation="ptrace"
> > profile="docker-default" pid=21882 comm="ps" requested_mask="trace"
> > denied_mask="trace" peer="unconfined"
> >
> > To disable these alerts I have written this -
> >
> > <rule id="1000500" level="7">
> >   <options>no_email_alert</options>
> >   <match>apparmor="DENIED" profile="docker-default"</match>
> >   <description>IGNORED RULE</description>
> > </rule>
> >
> > and restarted the ossec master service, still getting the same alert.
> > What am I missing here?
> >
>
> The first step is to run the log message through ossec-logtest:
>
> ossec-testrule: Type one log per line.
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Mar 29 13:30:02 cmcloud kernel: [885866.238608]
> type=1400 audit(1459258202.301:67688): apparmor="DENIED"
> operation="ptrace" profile="docker-default" pid=21882 comm="ps"
> requested_mask="trace" denied_mask="trace" peer="unconfined"'
>        hostname: 'cmcloud'
>        program_name: 'kernel'
>        log: '[885866.238608] type=1400 audit(1459258202.301:67688):
> apparmor="DENIED" operation="ptrace" profile="docker-default"
> pid=21882 comm="ps" requested_mask="trace" denied_mask="trace"
> peer="unconfined"'
>
> **Phase 2: Completed decoding.
>        decoder: 'iptables'
>        status: 'DENIED'
>        extra_data: 'ptrace'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '52002'
>        Level: '3'
>        Description: 'Apparmor DENIED'
> **Alert to be generated.
>
> So the log message is currently triggering rule 52002. We'll use this
> in our rule. The status is DENIED, which can also be useful.
> So we'll write a basic rule that tries to match on these:
>
> <rule id="800001" level="0">
>   <status>DENIED</status>
>   <match>profile="docker-default"</match>
>   <description>IGNORE RULE</description>
> </rule>
>
> I add this to /var/ossec/rules/local_rules.xml. I set the level to 0
> because I don't care about it.
> Then I rerun ossec-logtest:
>
> ossec-testrule: Type one log per line.
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Mar 29 13:30:02 cmcloud kernel: [885866.238608]
> type=1400 audit(1459258202.301:67688): apparmor="DENIED"
> operation="ptrace" profile="docker-default" pid=21882 comm="ps"
> requested_mask="trace" denied_mask="trace" peer="unconfined"'
>        hostname: 'cmcloud'
>        program_name: 'kernel'
>        log: '[885866.238608] type=1400 audit(1459258202.301:67688):
> apparmor="DENIED" operation="ptrace" profile="docker-default"
> pid=21882 comm="ps" requested_mask="trace" denied_mask="trace"
> peer="unconfined"'
>
> **Phase 2: Completed decoding.
>        decoder: 'iptables'
>        status: 'DENIED'
>        extra_data: 'ptrace'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '800001'
>        Level: '0'
>        Description: 'IGNORE RULE'
>
> With the custom rule in place the log message is adequately ignored.
>
> > --
> > Regards,
> > Sandeep
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
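Added example, not part of the thread and not OSSEC's own code: a small Python model of how an OSSEC rule's <status> and <match> conditions are tested against the AppArmor line above, so the two rules in the thread can be compared side by side without a running manager. It assumes OSSEC's <match> "sregex" semantics (ordinary characters are literal and the pattern must occur as a substring of the log text that remains after pre-decoding; "^" anchors to the start, "$" to the end, "|" separates alternatives) and leaves out the "!" negation and the rest of the real matcher. The log line, the decoder fields and the rule dicts are taken from the thread; everything else is illustrative.

```python
"""Model of OSSEC <status>/<match> evaluation for the AppArmor DENIED line.

Added example (not OSSEC source). Assumes the sregex subset described in the
lead-in: literal substring match plus ^, $ and | anchors/alternatives.
"""


def sregex_match(pattern, text):
    """Approximate OSSEC sregex: literal substring match with ^, $ and |."""
    for alt in pattern.split("|"):
        at_start = alt.startswith("^")
        at_end = alt.endswith("$")
        literal = alt[1:] if at_start else alt
        literal = literal[:-1] if at_end else literal
        if at_start and at_end:
            hit = text == literal
        elif at_start:
            hit = text.startswith(literal)
        elif at_end:
            hit = text.endswith(literal)
        else:
            hit = literal in text
        if hit:
            return True
    return False


def rule_matches(rule, log, decoded):
    """Every condition present in the rule must hold.

    <status> compares the decoder's status field exactly; <match> is tested
    against the log text left after pre-decoding (the "log:" field shown by
    ossec-logtest), not against the full syslog line.
    """
    if "status" in rule and decoded.get("status") != rule["status"]:
        return False
    if "match" in rule and not sregex_match(rule["match"], log):
        return False
    return True


def evaluate(rule, log, decoded):
    """Return (matched, alerts).

    A level-0 rule can match but never produces an alert; the no_email_alert
    option only drops the e-mail for a rule that does alert.
    """
    matched = rule_matches(rule, log, decoded)
    return matched, matched and rule["level"] > 0


# Constructed sample input: the "log:" field from the thread's ossec-logtest
# run, i.e. the AppArmor line with the syslog header already removed.
APPARMOR_LOG = (
    '[885866.238608] type=1400 audit(1459258202.301:67688): apparmor="DENIED" '
    'operation="ptrace" profile="docker-default" pid=21882 comm="ps" '
    'requested_mask="trace" denied_mask="trace" peer="unconfined"'
)
# Decoder output reported in Phase 2 of the same run.
APPARMOR_DECODED = {"decoder": "iptables", "status": "DENIED", "extra_data": "ptrace"}

# The two rules from the thread, reduced to the fields that decide a match.
ORIGINAL_RULE = {
    "id": "1000500", "level": 7, "options": "no_email_alert",
    "match": 'apparmor="DENIED" profile="docker-default"',
}
WORKING_RULE = {
    "id": "800001", "level": 0, "status": "DENIED",
    "match": 'profile="docker-default"',
}

if __name__ == "__main__":
    for rule in (ORIGINAL_RULE, WORKING_RULE):
        matched, alerts = evaluate(rule, APPARMOR_LOG, APPARMOR_DECODED)
        print(f"rule {rule['id']}: matched={matched} alerts={alerts}")
```

Run as-is, rule 1000500 reports matched=False: its <match> string expects `profile="docker-default"` to follow `apparmor="DENIED"` directly, but the log has `operation="ptrace"` in between, so the literal is not a substring. Rule 800001 reports matched=True, alerts=False because of level 0. Note the second point independently of the first: even a matching rule at level 7 still writes to alerts.log, since no_email_alert only suppresses the e-mail; suppressing the event entirely needs level 0.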
