Unfortunately, it's still not working, and I'm not sure what else I can try... This is what I'm doing:
The log entries that I want to ignore all look like this (from archives.log):

    2017 May 24 12:38:16 (ci-runner__development_12.34.56.78) any->rootcheck File '/var/lib/docker/volumes/d758587e86d60a53043c93c1f730d6e04acdcb5f7a5a181182cfe0fb754aa293/_data/path/to/some/file.txt' is owned by root and has written permissions to anyone.

Inspired by rule 511 from the wazuh ruleset <https://github.com/wazuh/wazuh-ruleset/blob/f1e1e46e51faefbe75c79052d63437cc3c1a02b4/rules/0015-ossec_rules.xml#L63>, I have the following rule in /var/ossec/etc/rules/local_rules.xml:

    <rule id="100510" level="0">
      <if_sid>510</if_sid>
      <regex>is owned by root and has written permissions to anyone</regex>
      <description>Ignore this rule</description>
      <group>rootcheck,</group>
    </rule>

After editing the local rules file, I execute "/var/ossec/bin/ossec-control restart" on the server, and after that also on the client. I wait for rootcheck to execute, which generates many entries such as the one above in archives.log. Unfortunately, they still show up as a level 7 event in the Kibana dashboard:

    rule.id: 510
    agent.name: ci-runner__development_12.34.56.78
    agent.id: 009
    manager.name: ec2-11-22-33-44.ap-southeast-2.compute.amazonaws.com
    rule.firedtimes: 1,700
    rule.level: 7
    rule.description: Host-based anomaly detection event (rootcheck).
    rule.groups: ossec, rootcheck
    decoder.name: rootcheck
    title: File is owned by root and has written permissions to anyone.
    full_log: File '/var/lib/docker/volumes/d758587e86d60a53043c93c1f730d6e04acdcb5f7a5a181182cfe0fb754aa293/_data/path/to/some/file.txt' is owned by root and has written permissions to anyone.
    @timestamp: May 24th 2017, 12:38:16.000
    file: /var/lib/docker/volumes/d758587e86d60a53043c93c1f730d6e04acdcb5f7a5a181182cfe0fb754aa293/_data/path/to/some/file.txt
    host: ec2-11-22-33-44.ap-southeast-2.compute.amazonaws.com
    location: rootcheck

Unfortunately, we can't just change the permissions of these without breaking our CI.
I'm not very concerned about the world-writable files under /var/lib/docker/volumes, since only root can traverse this path anyway, so I would love to just ignore them. They are about 90% of what shows up in the dashboards, so they drown out other events. Do you have any ideas what I could try next? Many thanks for your help so far!

On Tuesday, May 23, 2017 at 1:35:58 AM UTC+12, Jesus Linares wrote:
>
> You can't use ossec-logtest for rootcheck events. For example, if I get the full_log of a real alert: "File '/usr/local/nsis/nsis-3.0b2-src/Contrib/Language files/Valencian.nlf' is owned by root and has written permissions to anyone." and I paste it in logtest:
>
> *Phase 1: Completed pre-decoding.
> full event: 'File '/usr/local/nsis/nsis-3.0b2-src/Contrib/Language files/Valencian.nlf' is owned by root and has written permissions to anyone.'
> hostname: 'ip-10-0-0-10'
> program_name: '(null)'
> log: 'File '/usr/local/nsis/nsis-3.0b2-src/Contrib/Language files/Valencian.nlf' is owned by root and has written permissions to anyone.'
>
> **Phase 2: Completed decoding.
> No decoder matched.
>
> So, ossec-logtest doesn't show anything, but the alert is properly generated. This is because rootcheck has decoders at C level.
>
> Your rule looks right, just restart OSSEC and test it manually. Sometimes, OSSEC has problems with \.* so if that part doesn't have spaces, it is better to use \S*.
>
> Let me know if it works.
> Regards.
>
>
> On Saturday, May 20, 2017 at 3:04:44 AM UTC+2, dan (ddpbsd) wrote:
>>
>> On Thu, May 18, 2017 at 4:51 PM, Gert Verhoog <[email protected]> wrote:
>>> Hi Jesus,
>>>
>>> I'm having the same problem, and the triggering of this rule causes so much noise that it's drowning out other alerts.
>>> I have added a rule like you suggested to my local rules:
>>>
>>>     <rule id="100510" level="0" frequency="0" timeframe="45" ignore="600">
>>>       <if_matched_sid>510</if_matched_sid>
>>>       <regex>/var/lib/docker/volumes/\.*/_data/\.* is owned by root and has written permissions to anyone</regex>
>>>       <description>Ignore rootcheck warning on world-writable docker volumes</description>
>>>     </rule>
>>>
>>> But it doesn't seem to have an effect. I've played with the regex, simplifying it and even deleting it altogether, but I still can't seem to get it working. Logtest shows the following output:
>>>
>>> File '/var/lib/docker/volumes/81c96e1d9b6a07710dc0ba90daccf5650efe59e213b20354bbb86f4e65929a0e/_data/path/to/static/fonts/icons/glyphicons-social-regular.eot' is owned by root and has written permissions to anyone.
>>
>> Is this the log message you get from the agent? You can turn on the logall option and check archives.log for the exact message from the agent.
>>
>>> **Phase 1: Completed pre-decoding.
>>> full event: 'File '/var/lib/docker/volumes/81c96e1d9b6a07710dc0ba90daccf5650efe59e213b20354bbb86f4e65929a0e/_data/path/to/static/fonts/icons/glyphicons-social-regular.eot' is owned by root and has written permissions to anyone.'
>>> hostname: 'ec2-12-34-56-78'
>>> program_name: '(null)'
>>> log: 'File '/var/lib/docker/volumes/81c96e1d9b6a07710dc0ba90daccf5650efe59e213b20354bbb86f4e65929a0e/_data/path/to/static/fonts/icons/glyphicons-social-regular.eot' is owned by root and has written permissions to anyone.'
>>>
>>> **Phase 2: Completed decoding.
>>> No decoder matched.
>>>
>>> I'm fairly new to OSSEC and Wazuh, so I may be missing something. Is there anything obvious that I'm doing wrong?
>>>
>>> Cheers!
>>> Gert
>>>
>>>
>>> On Wednesday, April 19, 2017 at 12:14:28 AM UTC+12, Jesus Linares wrote:
>>>>
>>>> Hi Rob,
>>>>
>>>> you need to add the conditions to trigger that rule only for your specific files. Use match or regex:
>>>>
>>>>     <rule id="70908" level="0" frequency="0" timeframe="45" ignore="600">
>>>>       <if_matched_sid>510</if_matched_sid>
>>>>       <!--
>>>>       conditions:
>>>>       option 1:
>>>>       <match>YOUR_FILE1|YOUR_FILE2|...</match>
>>>>       option 2:
>>>>       <regex>YOUR_FILE\.+</regex>
>>>>       -->
>>>>       <description>Ignore rule 510 for 600 seconds for some files.</description>
>>>>     </rule>
>>>
>>>
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>> For more options, visit https://groups.google.com/d/optout.
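Added example, not code from this thread nor from OSSEC or Wazuh: because ossec-logtest cannot exercise rootcheck events (they are decoded in C, as noted above), this Python script approximates how analysisd applies a rule's <match> (OS_Match) and <regex> (OS_Regex) conditions to a rootcheck message, so a level-0 child rule can be checked offline before restarting the manager. The character classes follow the OSSEC/Wazuh regex-syntax documentation, the translation to Python re is an approximation of the real matcher (assumed here: unanchored, case-insensitive search, which is how rule patterns are compiled), and the rule model is a plain <if_sid> child rule rather than the frequency/if_matched_sid form. Rule id 100510 and the two full_log values come from the thread; DOCKER_SPACE_LOG is a constructed message.

```python
import re

# Added example (not code from the thread or from OSSEC/Wazuh): an offline
# approximation of how analysisd applies <match> and <regex> to a rootcheck
# message, so a level-0 child rule can be checked without ossec-logtest.
# Character classes follow the OSSEC/Wazuh regex-syntax documentation.
_CLASSES = {
    "w": "[A-Za-z0-9_@-]",          # \w  word characters
    "d": "[0-9]",                   # \d  digits
    "s": " ",                       # \s  a space
    "t": "\t",                      # \t  a tab
    "p": r"[()*+,\-.:;<=>?\[\]]",   # \p  punctuation
    "S": "[^ ]",                    # \S  anything except a space
    "W": "[^A-Za-z0-9_@-]",         # \W  anything except a word character
    "D": "[^0-9]",                  # \D  anything except a digit
    ".": ".",                       # \.  any character (a bare '.' is literal)
}
_OPERATORS = set("^$|()*+")         # operators OS_Regex shares with Python re


def ossec_regex_to_python(pattern: str) -> str:
    """Translate OS_Regex syntax (the <regex> element) into a Python re pattern."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(_CLASSES.get(nxt, re.escape(nxt)))
            i += 2
            continue
        out.append(ch if ch in _OPERATORS else re.escape(ch))
        i += 1
    return "".join(out)


def ossec_regex_match(pattern: str, text: str) -> bool:
    """<regex>: unanchored search; assumed case-insensitive like compiled rule patterns."""
    return re.search(ossec_regex_to_python(pattern), text, re.IGNORECASE) is not None


def ossec_match(pattern: str, text: str) -> bool:
    """<match>: plain substring test whose only operators are ^, $ and |."""
    low = text.lower()
    for alt in pattern.lower().split("|"):
        head, tail = alt.startswith("^"), alt.endswith("$")
        body = alt[1 if head else 0: len(alt) - 1 if tail else len(alt)]
        if head and tail:
            hit = low == body
        elif head:
            hit = low.startswith(body)
        elif tail:
            hit = low.endswith(body)
        else:
            hit = body in low
        if hit:
            return True
    return False


def rule_fires(rule: dict, log: str) -> bool:
    """Every condition present on the rule must hold (none present: unconditional)."""
    if "match" in rule and not ossec_match(rule["match"], log):
        return False
    if "regex" in rule and not ossec_regex_match(rule["regex"], log):
        return False
    return True


def evaluate(log: str, parent: dict, children: list) -> tuple:
    """Parent fires for every rootcheck message; the first matching <if_sid> child overrides it."""
    for child in children:
        if child.get("if_sid") == parent["id"] and rule_fires(child, log):
            return child["id"], child["level"]
    return parent["id"], parent["level"]


# Rule 510 as in the stock ruleset, and a level-0 child in the shape of the
# local_rules.xml rule from the thread (rule id 100510 is the thread's own choice).
RULE_510 = {"id": "510", "level": 7, "description": "Host-based anomaly detection event (rootcheck)."}
IGNORE_DOCKER = {
    "id": "100510", "if_sid": "510", "level": 0,
    "regex": r"/var/lib/docker/volumes/\S*/_data/\S* is owned by root and has written permissions to anyone",
}
IGNORE_DOCKER_DOTSTAR = dict(IGNORE_DOCKER, regex=IGNORE_DOCKER["regex"].replace(r"\S*", r"\.*"))

# Sample messages: the first two are the full_log values quoted in the thread,
# the third is constructed to show a volume path containing a space.
DOCKER_LOG = ("File '/var/lib/docker/volumes/d758587e86d60a53043c93c1f730d6e04acdcb5f7a5a181182cfe0fb754aa293"
              "/_data/path/to/some/file.txt' is owned by root and has written permissions to anyone.")
NSIS_LOG = ("File '/usr/local/nsis/nsis-3.0b2-src/Contrib/Language files/Valencian.nlf' "
            "is owned by root and has written permissions to anyone.")
DOCKER_SPACE_LOG = ("File '/var/lib/docker/volumes/d758587e86d60a53043c93c1f730d6e04acdcb5f7a5a181182cfe0fb754aa293"
                    "/_data/My Files/notes.txt' is owned by root and has written permissions to anyone.")

if __name__ == "__main__":
    for log in (DOCKER_LOG, NSIS_LOG, DOCKER_SPACE_LOG):
        print(evaluate(log, RULE_510, [IGNORE_DOCKER]),
              evaluate(log, RULE_510, [IGNORE_DOCKER_DOTSTAR]), log[:60])
```

Run it with python3 against the sample messages. The literal-only regex from the first rule in this thread ("is owned by root and has written permissions to anyone") matches every world-writable-file message, the /usr/local/nsis one included, whereas the docker-only pattern leaves that message at level 7. The \S* form that Jesus suggests fails as soon as the volume path contains a space, which is the case where \.* is needed. One documented difference the script makes visible: if_matched_sid is meant to be combined with frequency and timeframe, while a child rule that overrides a single event uses if_sid, which is the form modelled here.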
