Hi all,

We are running ossec 2.0. Most (all) of our Linux clients report daily that the /etc/prelink.cache checksum has changed. According to this Red Hat post, http://www.redhat.com/archives/fedora-list/2007-October/msg04408.html, this is expected behavior. I know how to modify the local rules file on the ossec server to ignore certain events; however, in this case I wasn't sure how to write the rule without affecting other checksum alerts. Would this be a safe way to exclude notifications of /etc/prelink.cache changes?
Here is the event:

    Received From: (servername1) 137.21.9.81->syscheck
    Rule: 552 fired (level 7) -> "Integrity checksum changed again (3rd time)."
    Portion of the log(s):

    Integrity checksum changed for: '/etc/prelink.cache'
    Old md5sum was: '7649b16e6cc72ce2b6e989bab337b38f'
    New md5sum is : 'e2c4858227aa021e9a52c96d87a2dcbc'
    Old sha1sum was: 'f29f4b8d55fd09334d6dc4e7c94fbda6d2c67225'
    New sha1sum is : 'f07051aa0ec779869f7e976e597cbe245d953bc2'

Here is the rule I was thinking of:

    <rule id="100128" level="0">
      <if_sid>552</if_sid>
      <match>'/etc/prelink.cache'</match>
      <description>expected file change</description>
    </rule>
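Added example (not from the original post): the two usual ways to silence this alert in OSSEC 2.x, written out as complete config fragments. The stock ruleset raises rule 550 on the first checksum change, 551 on the second and 552 on the third, so a level-0 rule that only references 552 still lets the first two alerts through; the local rule below covers all three. Rule id 100128 and the description text are the poster's; the group name is the one the shipped local_rules.xml uses.

```xml
<!-- Option 1: /var/ossec/rules/local_rules.xml on the server.
     Match the quoted path as it appears in the syscheck alert
     ("Integrity checksum changed for: '/etc/prelink.cache'") so that
     similarly named files such as /etc/prelink.cache.bak still alert.
     Level 0 means the event is never alerted or logged. -->
<group name="local,syscheck,">
  <rule id="100128" level="0">
    <if_sid>550,551,552</if_sid>
    <match>'/etc/prelink.cache'</match>
    <description>Expected file change: prelink rewrites its cache</description>
  </rule>
</group>

<!-- Option 2: stop checking the file at all, in the <syscheck> section
     of ossec.conf on each agent (or centrally via agent.conf).
     No checksum is recorded, so no alert of any level is generated. -->
<ossec_config>
  <syscheck>
    <ignore>/etc/prelink.cache</ignore>
  </syscheck>
</ossec_config>
```

After editing local_rules.xml restart the server (`/var/ossec/bin/ossec-control restart`); the agent config needs an agent restart. Either option means a tampered /etc/prelink.cache goes unnoticed, which is the trade-off for a file that prelink legitimately rewrites every time it runs; keep the rest of /etc under the normal rules.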