On 21 June 2016 at 09:09, Tahir Hafiz <[email protected]> wrote:
> Thing is, how does one write a rule that covers all the events due to a
> Puppet apply?
>
> A Puppet run instigates so many changes across an environment and various
> system files; how can you write a rule that covers so much?
> Is there a way to ignore a series of events by time alone and have that
> ignore automated?
From my reply on 17/6:

"If you KNOW you're going to change certain files at certain times then add filters to reflect those things. For example, if your devs push code to <these projects> between 9.00 and 11.30, put in an ignore for those directories at those times. Better yet, have a list of files you're changing, check the syscheck alerts against the list of changes and if something is not on the list, time to email an alert."

You can ignore (or alert) by time, see:
http://ossec-docs.readthedocs.io/en/latest/syntax/head_rules.html#element-time

The bigger question is, "do you know what SHOULD change as part of a puppet push?" If the answer is "no" then you have the first problem to solve.

kmw

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
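A worked version of the second suggestion in kmw's reply (keep a list of what the Puppet run should change, compare syscheck alerts against it, and alert on anything else, while still honouring a time window like the one a `<time>` rule element gives you). This is an added example written for this thread; it is not code from either poster or from the OSSEC project. The deploy window (09:00-11:30), the agent name, the file paths, the `alerts.log` text and the expected-change list are all constructed assumptions for the example.

```python
"""Check OSSEC syscheck alerts against a deploy window and an expected-change list.

Added example, not ossec-list or OSSEC code. Assumptions: the Puppet run
happens between 09:00 and 11:30, the files it is meant to change are known
(hard-coded below), and alerts are in the multi-line alerts.log format.
"""
import re
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample alerts.log content; not captured from a real system.
SAMPLE_ALERTS = """\
** Alert 1466497800.1001: - ossec,syscheck,
2016 Jun 21 09:10:00 (web01) 10.0.0.5->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/ntp.conf'
Old md5sum was: 'aaaa'
New md5sum was: 'bbbb'

** Alert 1466497860.1002: - ossec,syscheck,
2016 Jun 21 09:11:00 (web01) 10.0.0.5->syscheck
Rule: 554 (level 7) -> 'File added to the system.'
New file '/var/www/app/releases/20160621/index.php' added to the file system.

** Alert 1466497920.1003: - ossec,syscheck,
2016 Jun 21 09:12:00 (web01) 10.0.0.5->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/ssh/sshd_config'
Old md5sum was: 'cccc'
New md5sum was: 'dddd'

** Alert 1466519400.1004: - ossec,syscheck,
2016 Jun 21 15:10:00 (web01) 10.0.0.5->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/ntp.conf'
Old md5sum was: 'bbbb'
New md5sum was: 'eeee'
"""

ALERT_HEADER = re.compile(r"^\*\* Alert \d+\.\d+:")
EVENT_LINE = re.compile(r"^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \(([^)]+)\) \S+->(\S+)$")
RULE_LINE = re.compile(r"^Rule: (\d+) \(level \d+\) -> '.*'$")
PATH_IN_QUOTES = re.compile(r"'(/[^']+)'")  # rules 550/554 quote the file name


@dataclass
class SyscheckAlert:
    when: datetime
    agent: str
    rule_id: int
    path: str


def parse_syscheck_alerts(text):
    """Return the syscheck alerts found in alerts.log-style text."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 4 or not ALERT_HEADER.match(lines[0]):
            continue
        event, rule = EVENT_LINE.match(lines[1]), RULE_LINE.match(lines[2])
        if not event or not rule or event.group(3) != "syscheck":
            continue
        path = None
        for line in lines[3:]:  # first quoted absolute path is the changed file
            found = PATH_IN_QUOTES.search(line)
            if found:
                path = found.group(1)
                break
        if path is None:
            continue
        alerts.append(SyscheckAlert(
            when=datetime.strptime(event.group(1), "%Y %b %d %H:%M:%S"),
            agent=event.group(2), rule_id=int(rule.group(1)), path=path))
    return alerts


@dataclass(frozen=True)
class ChangePolicy:
    window_start: time          # same idea as <time>9:00-11:30</time> in a rule
    window_end: time
    expected_paths: frozenset   # exact files the Puppet run is meant to touch
    expected_prefixes: tuple    # directories a deploy may write anywhere under

    def reason_unexpected(self, alert):
        """None if the change is expected; otherwise why it should be alerted."""
        if not (self.window_start <= alert.when.time() <= self.window_end):
            return "outside the deploy window"
        if alert.path in self.expected_paths:
            return None
        if any(alert.path.startswith(p) for p in self.expected_prefixes):
            return None
        return "not on the expected-change list"


# Assumed policy: what this Puppet/deploy run is allowed to change, and when.
PUPPET_POLICY = ChangePolicy(
    window_start=time(9, 0), window_end=time(11, 30),
    expected_paths=frozenset({"/etc/ntp.conf"}),
    expected_prefixes=("/var/www/app/releases/",),
)


def unexpected_changes(alert_text, policy):
    """Return (alert, reason) pairs for every change the policy does not cover."""
    flagged = []
    for alert in parse_syscheck_alerts(alert_text):
        reason = policy.reason_unexpected(alert)
        if reason is not None:
            flagged.append((alert, reason))
    return flagged


if __name__ == "__main__":
    for alert, reason in unexpected_changes(SAMPLE_ALERTS, PUPPET_POLICY):
        print(f"ALERT {alert.when:%H:%M} {alert.agent} {alert.path}: {reason}")
```

On the sample above the script keeps quiet about `/etc/ntp.conf` at 09:10 and the new release file under `/var/www/app/releases/`, but flags `/etc/ssh/sshd_config` (changed inside the window, not on the list) and the second `/etc/ntp.conf` change at 15:10 (on the list, but outside the window). The list of expected paths is the part you would feed in from the Puppet run report; the time window alone, as the reply notes, is what a `<time>` element on a level-0 local rule already gives you inside OSSEC.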
