By default OSSEC triggers an alert when a package is

yum install valgrind.x86_64

2016 Sep 15 09:08:44 ip-10-0-0-10->/var/log/messages Sep 15 09:08:43 ip-10-0-0-10 yum: Installed: 1:valgrind-3.10.0-16.el7.x86_64

** Alert 1473930524.4047: mail - syslog,yum,config_changed,pci_dss_10.6.1,
2016 Sep 15 09:08:44 ip-10-0-0-10->/var/log/messages
Rule: 2932 (level 7) -> 'New Yum package installed.'
Sep 15 09:08:43 ip-10-0-0-10 yum: Installed: 1:valgrind-3.10.0-16.el7.x86_64
If you want a whitelist of packages:

1. Create a decoder for yum in order to extract the package name into a
   field (extra_data, for example).
2. Create a CDB list with the whitelisted packages.
3. Create a child rule of 2932 in local_rules.xml with level 0 and
   check if extra_data (the package name) is in the CDB list. In this way, you
   will see only alerts for packages which are not in the list.
I hope it helps.
On Wednesday, September 14, 2016 at 10:27:07 PM UTC+2, Shawn Wiley wrote:
> Is there a way with OSSEC to create a white list of packages that should
> be installed on my Red Hat server and create an ongoing alert that's
> triggered if an unauthorized package (non-white-list) is installed? My
> concern is if someone installs an unauthorized package and I miss the alert
> or the alert is cleared would the package be able to continue to run
> without any new alerts being generated? Can I use OSSEC in this test case
> or is there another tool I need to use? Thanks in advance for any advice.
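Editor's note: the three steps in the reply above, written out as the OSSEC configuration they describe. This is an added example, not code from the original post or from the OSSEC project. It assumes the stock decoder named "yum" (matched on program_name, as in the syslog line shown) and the stock rule 2932 exist as shipped; the decoder names, rule id 100100 and the list name lists/yum-whitelist are hypothetical choices. If your decoder.xml has no "yum" decoder, add a parent decoder with <program_name>^yum</program_name> before the children below.

```xml
<!-- Added example (not the original post's or OSSEC's own code).
     Assumes the stock "yum" decoder and rule 2932; names below are hypothetical. -->

<!-- 1. /var/ossec/etc/local_decoder.xml: child decoders of the "yum" decoder
        that put the package string into extra_data. The first one strips an
        RPM epoch prefix such as "1:" (present in the example alert above),
        because a CDB list key is split at the colon; the second handles
        packages logged without an epoch. Order matters: OSSEC tries the
        children in sequence and keeps the first whose prematch hits. -->
<decoder name="yum-installed-epoch">
  <parent>yum</parent>
  <prematch>^Installed: \d+:</prematch>
  <regex offset="after_prematch">^(\S+)$</regex>
  <order>extra_data</order>
</decoder>

<decoder name="yum-installed">
  <parent>yum</parent>
  <prematch>^Installed: </prematch>
  <regex offset="after_prematch">^(\S+)$</regex>
  <order>extra_data</order>
</decoder>

<!-- 2. /var/ossec/etc/ossec.conf: declare the CDB list inside <rules> so
        ossec-analysisd loads it. The list itself lives in
        /var/ossec/lists/yum-whitelist, one "key:" per line (see below). -->
<ossec_config>
  <rules>
    <list>lists/yum-whitelist</list>
  </rules>
</ossec_config>

<!-- 3. /var/ossec/rules/local_rules.xml: child of 2932 that silences (level 0)
        an install whose extra_data is a key in the list. A package that is
        not in the list does not match this child, so 2932 still fires at
        level 7 as in the alert above. -->
<group name="local,syslog,yum,">
  <rule id="100100" level="0">
    <if_sid>2932</if_sid>
    <list field="extra_data" lookup="match_key">lists/yum-whitelist</list>
    <description>Whitelisted yum package installed.</description>
  </rule>
</group>
```

The list file holds the decoded string (epoch removed) followed by a colon, e.g. a line reading valgrind-3.10.0-16.el7.x86_64: for the package in the example; keys are exact, so a new version of a whitelisted package alerts until its NEVRA is added. After editing, compile the list with /var/ossec/bin/ossec-makelists and restart OSSEC, then paste the raw syslog line (Sep 15 09:08:43 ip-10-0-0-10 yum: Installed: 1:valgrind-3.10.0-16.el7.x86_64) into /var/ossec/bin/ossec-logtest and confirm extra_data is decoded and rule 100100 fires instead of 2932. Note that this chain only evaluates the install line as it is logged; it does not re-check packages that are already present on the host.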