On 08/10/2012 10:17 AM, Kat wrote:
JB & Michael - good thoughts - only one problem, I have 4000 hosts. Gonna make for a very looooonnngggggg rules file.
Oh, I see. You want a different ignore interval for each host.
My thought on this is simple - more so for alerting on attacks/issues as they move around. Or for the audit rules - another reason for this. Here is the situation - let's say an audit rule kicks off, so I create a ticket for a team to fix that problem, but I want to give them 7 days (or some arbitrary number, maybe only a day) to fix the problem - I want to ignore that rule for a period of time. Now this is simple in the world of a few dozen hosts, but when we are in the hundreds or thousands, not so much. AND if it triggers on each of those 4000 hosts, then yes, I have a problem, but even if it only triggers on 2000, I need a way to "acknowledge" the alert for a certain amount of time.
I believe rootcheck rules will only trigger once until the deviation has been resolved. I would have to verify, though...
What about something like <expire>date/time</expire> in a rule? The rule would only be effective until that date/time. If you combine that with other elements like <group>, would that be effective?
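One way to get the per-host, time-limited "acknowledge" that Kat describes without a 4000-host rules file is to keep the acknowledgements outside the rules and filter alerts against them after the fact. The script below is an added example, not code from this thread or from OSSEC: it assumes a hypothetical JSON sidecar file of (host, rule id, expiry) entries and alert records already extracted from alerts.log; the hostnames, rule ids and dates are constructed.

```python
import datetime as dt
import json

# Constructed acknowledgement list: one entry per (host, rule id) that a
# team has been given time to fix. Assumption: this is an external file
# applied after OSSEC has written the alert, not an OSSEC rule element.
ACK_JSON = """
[
  {"host": "web01", "rule_id": "2502", "expires": "2012-08-17T10:17:00"},
  {"host": "web02", "rule_id": "2502", "expires": "2012-08-11T10:17:00"},
  {"host": "*",     "rule_id": "1002", "expires": "2012-08-20T00:00:00"}
]
"""

# Constructed sample alerts, as a parser of alerts.log might emit them.
ALERTS = [
    {"host": "web01", "rule_id": "2502"},   # 7-day ack still valid -> suppressed
    {"host": "web02", "rule_id": "2502"},   # 1-day ack already expired -> shown
    {"host": "db07",  "rule_id": "1002"},   # wildcard host ack -> suppressed
    {"host": "db07",  "rule_id": "5710"},   # never acknowledged -> shown
]

def load_acks(text):
    """Parse acknowledgements into {(host, rule_id): expiry datetime}."""
    return {(a["host"], a["rule_id"]): dt.datetime.fromisoformat(a["expires"])
            for a in json.loads(text)}

def is_acknowledged(alert, acks, now):
    """True if (host, rule) or ('*', rule) is acknowledged and not yet expired.
    Expired entries fall through, so a forgotten ticket surfaces again."""
    for key in ((alert["host"], alert["rule_id"]), ("*", alert["rule_id"])):
        expires = acks.get(key)
        if expires is not None and now < expires:
            return True
    return False

def filter_alerts(alerts, acks, now):
    """Return only the alerts that still need attention at time `now`."""
    return [a for a in alerts if not is_acknowledged(a, acks, now)]

def pending_keys(iso_now):
    """Convenience wrapper over the constructed data: (host, rule_id) pairs
    still pending at the given ISO-8601 timestamp."""
    now = dt.datetime.fromisoformat(iso_now)
    return [(a["host"], a["rule_id"])
            for a in filter_alerts(ALERTS, load_acks(ACK_JSON), now)]

if __name__ == "__main__":
    for host, rule in pending_keys("2012-08-12T12:00:00"):
        print("needs attention:", host, "rule", rule)
```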