Hi Shawn,

by default OSSEC triggers an alert when a package is 
installed/removed/updated:

*command*
yum install valgrind.x86_64

*archives.log*
2016 Sep 15 09:08:44 ip-10-0-0-10->/var/log/messages Sep 15 09:08:43 ip-10-0-0-10 yum[5630]: Installed: 1:valgrind-3.10.0-16.el7.x86_64

*alerts.log*
** Alert 1473930524.4047: mail  - syslog,yum,config_changed,pci_dss_10.6.1,pci_dss_10.2.7,
2016 Sep 15 09:08:44 ip-10-0-0-10->/var/log/messages
Rule: 2932 (level 7) -> 'New Yum package installed.'
Sep 15 09:08:43 ip-10-0-0-10 yum[5630]: Installed: 1:valgrind-3.10.0-16.el7.x86_64


If you want a whitelist of packages:

   1. Create a decoder for yum in order to extract the package name into a 
   field (*extra_data* for example)
   2. Create a *CDB list* with the whitelisted packages
   3. Create a child rule of 2932 in *local_rules.xml* with level 0 and 
   check if extra_data (the package name) is in the CDB list. In this way, you 
   will see only alerts for packages which are not in the list.

I hope it helps.
Regards.

On Wednesday, September 14, 2016 at 10:27:07 PM UTC+2, Shawn Wiley wrote:
>
> Is there a way with OSSEC to create a white list of packages that should 
> be installed on my Red Hat server and create an ongoing alert that's 
> triggered if an unauthorized package (non-white-list) is installed? My 
> concern is if someone installs an unauthorized package and I miss the alert 
> or the alert is cleared would the package be able to continue to run 
> without any new alerts being generated? Can I use OSSEC in this test case 
> or is there another tool I need to use? Thanks in advance for any advice.
>
> -Shawn
>

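The three-step whitelist described in the reply above, written out as an added example (not configuration from the original post or from the OSSEC project). Assumed names: the decoder "yum-installed", the local rule id 100050 and the list path etc/lists/yum-whitelist; the stock "yum" decoder and rule 2932 are the ones shown in the alert above. The capture keeps the full epoch:name-version-release.arch token exactly as yum logs it, so the list is keyed by that full string.

```xml
<!-- local_decoder.xml: child of the stock "yum" decoder. Captures the token
     that follows "Installed: " into the extra_data field. Decoder name and
     field choice are assumptions for this example. -->
<decoder name="yum-installed">
  <parent>yum</parent>
  <prematch>Installed: </prematch>
  <regex offset="after_prematch">^(\S+)</regex>
  <order>extra_data</order>
</decoder>

<!-- etc/lists/yum-whitelist (assumed path): plain text, one "key:value"
     entry per line, then run ossec-makelists to build the .cdb file.
     Constructed sample entries, keyed by the string yum logs:
       1:valgrind-3.10.0-16.el7.x86_64:approved
       vim-enhanced-7.4.160-1.el7.x86_64:approved
-->

<!-- ossec.conf: register the list under the <rules> section so the
     analysis daemon loads it at startup. -->
<ossec_config>
  <rules>
    <list>etc/lists/yum-whitelist</list>
  </rules>
</ossec_config>

<!-- local_rules.xml: level-0 child of 2932. It matches only when the
     captured package string is a key in the list, which suppresses the
     alert for approved packages; anything not in the list falls through
     to the stock level-7 "New Yum package installed." alert. -->
<group name="local,syslog,yum,">
  <rule id="100050" level="0">
    <if_sid>2932</if_sid>
    <list field="extra_data" lookup="match_key">etc/lists/yum-whitelist</list>
    <description>Whitelisted yum package installed; alert suppressed.</description>
  </rule>
</group>
```

Verify the decoder with ossec-logtest by pasting the yum line from the archives.log entry above: the output should show extra_data set to 1:valgrind-3.10.0-16.el7.x86_64 and, once the entry is in the list, rule 100050 at level 0 instead of 2932.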