Hi Shawn,

by default OSSEC triggers an alert when a package is 

yum install valgrind.x86_64

2016 Sep 15 09:08:44 ip-10-0-0-10->/var/log/messages Sep 15 09:08:43 ip-10-0
-0-10 yum[5630]: Installed: 1:valgrind-3.10.0-16.el7.x86_64

** Alert 1473930524.4047: mail  - syslog,yum,config_changed,pci_dss_10.6.1,
2016 Sep 15 09:08:44 ip-10-0-0-10->/var/log/messages
Rule: 2932 (level 7) -> 'New Yum package installed.'
Sep 15 09:08:43 ip-10-0-0-10 yum[5630]: Installed: 1:valgrind-3.10.0-

If you want a whitelist of packages:

   1. Create a decoder for yum in order to extract the package name in a 
   field (*extra_data *for example)
   2. Create a *CDB list* with the white list packages
   3. Create a child rule of 2932 in* local_rules.xml* with level 0 and 
   check if extra_data (the package name) is in the CDB list. In this way, you 
   will see only alerts for packages which are not in the list.

I hope it helps.

On Wednesday, September 14, 2016 at 10:27:07 PM UTC+2, Shawn Wiley wrote:
> Is there a way with OSSEC to create a white list of packages that should 
> be installed on my Red Hat server and create an ongoing alert that's 
> triggered if an unauthorized package (non-white-list) is installed? My 
> concern is if someone installs an unauthorized package and I miss the alert 
> or the alert is cleared would the package be able to continue to run 
> without any new alerts being generated? Can I use OSSEC in this test case 
> or is there another tool I need to use? Thanks in advance for any advice.
> -Shawn


You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to