On Tue, Mar 29, 2016 at 11:29 AM, sandeep dubey
<sandeep.san...@gmail.com> wrote:
> Hi,
>
> I am getting this alert from all the hosts -
>
> Mar 29 13:30:02 cmcloud kernel: [885866.238608] type=1400
> audit(1459258202.301:67688): apparmor="DENIED" operation="ptrace"
> profile="docker-default" pid=21882 comm="ps" requested_mask="trace"
> denied_mask="trace" peer="unconfined"
>
> To disable these alerts I have written this -
> <rule id="1000500" level="7">
> <options>no_email_alert</options>
> <match>apparmor="DENIED"  profile="docker-default"</match>
> <description>IGNORED RULE</description>
> </rule>
>
> and restarted the ossec master service, but I am still getting the same alert.
> What am I missing here?
>

The first step is to run the log message through ossec-logtest:
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
       full event: 'Mar 29 13:30:02 cmcloud kernel: [885866.238608]
type=1400 audit(1459258202.301:67688): apparmor="DENIED"
operation="ptrace" profile="docker-default" pid=21882 comm="ps"
requested_mask="trace" denied_mask="trace" peer="unconfined"'
       hostname: 'cmcloud'
       program_name: 'kernel'
       log: '[885866.238608] type=1400 audit(1459258202.301:67688):
apparmor="DENIED" operation="ptrace" profile="docker-default"
pid=21882 comm="ps" requested_mask="trace" denied_mask="trace"
peer="unconfined"'

**Phase 2: Completed decoding.
       decoder: 'iptables'
       status: 'DENIED'
       extra_data: 'ptrace'

**Phase 3: Completed filtering (rules).
       Rule id: '52002'
       Level: '3'
       Description: 'Apparmor DENIED'
**Alert to be generated.


So the log message is currently triggering rule 52002. We'll use this
in our rule.
The status is DENIED, which can also be useful.
So we'll write a basic rule that tries to match on these:

<rule id="800001" level="0">
  <status>DENIED</status>
  <match>profile="docker-default"</match>
  <description>IGNORE RULE</description>
</rule>

I add this to /var/ossec/rules/local_rules.xml. I set the level to 0
because I don't care about it.
Then I rerun ossec-logtest:
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
       full event: 'Mar 29 13:30:02 cmcloud kernel: [885866.238608]
type=1400 audit(1459258202.301:67688): apparmor="DENIED"
operation="ptrace" profile="docker-default" pid=21882 comm="ps"
requested_mask="trace" denied_mask="trace" peer="unconfined"'
       hostname: 'cmcloud'
       program_name: 'kernel'
       log: '[885866.238608] type=1400 audit(1459258202.301:67688):
apparmor="DENIED" operation="ptrace" profile="docker-default"
pid=21882 comm="ps" requested_mask="trace" denied_mask="trace"
peer="unconfined"'

**Phase 2: Completed decoding.
       decoder: 'iptables'
       status: 'DENIED'
       extra_data: 'ptrace'

**Phase 3: Completed filtering (rules).
       Rule id: '800001'
       Level: '0'
       Description: 'IGNORE RULE'

With the custom rule in place the log message is adequately ignored.

> --
> Regards,
> Sandeep
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

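To see why the first rule never fired while the second one does, here is a small Python script (added for this write-up, not part of OSSEC and not code from either poster) that replays both rules from the thread against the decoded log line. It models only the two conditions involved, `<status>` (equality against the decoder's status field) and `<match>` (OSSEC's literal-substring syntax: `|` alternation, `^`/`$` anchors, no wildcards), so it is a simplification of the real rule engine; the log text and the decoded fields are copied from the ossec-logtest output above. The original `<match>` value demands `apparmor="DENIED"`, two spaces and then `profile="docker-default"` adjacent in the log, which never occurs because `operation="ptrace"` sits between the two fields.

```python
import xml.etree.ElementTree as ET

# Constructed from the thread: the "log" field ossec-logtest showed after
# pre-decoding (the kernel message with the syslog header already stripped).
LOG = ('[885866.238608] type=1400 audit(1459258202.301:67688): '
       'apparmor="DENIED" operation="ptrace" profile="docker-default" '
       'pid=21882 comm="ps" requested_mask="trace" denied_mask="trace" '
       'peer="unconfined"')

# Fields the iptables decoder produced in the Phase 2 output above.
DECODED = {"status": "DENIED", "extra_data": "ptrace"}

# The two rules from the thread, verbatim.
ORIGINAL_RULE = '''<rule id="1000500" level="7">
<options>no_email_alert</options>
<match>apparmor="DENIED"  profile="docker-default"</match>
<description>IGNORED RULE</description>
</rule>'''

FIXED_RULE = '''<rule id="800001" level="0">
  <status>DENIED</status>
  <match>profile="docker-default"</match>
  <description>IGNORE RULE</description>
</rule>'''


def match_pattern(pattern, text):
    """Simplified OSSEC <match> semantics: '|' separates alternatives, each a
    literal substring; a leading '^' anchors at the start of the log and a
    trailing '$' at its end. There are no wildcards, so every character of
    the pattern, spaces included, has to occur verbatim in the log."""
    for alt in pattern.split("|"):
        at_start = alt.startswith("^")
        at_end = alt.endswith("$")
        literal = alt[1:] if at_start else alt
        literal = literal[:-1] if at_end else literal
        if at_start and at_end:
            hit = text == literal
        elif at_start:
            hit = text.startswith(literal)
        elif at_end:
            hit = text.endswith(literal)
        else:
            hit = literal in text
        if hit:
            return True
    return False


def evaluate_rule(rule_xml, log, decoded):
    """Check the <status> and <match> conditions of one rule against a
    pre-decoded log. Returns (rule_id, level, matched, reason)."""
    rule = ET.fromstring(rule_xml)
    rule_id, level = rule.get("id"), int(rule.get("level"))
    status = rule.findtext("status")
    if status is not None and decoded.get("status") != status:
        return rule_id, level, False, "status field %r != %r" % (decoded.get("status"), status)
    match = rule.findtext("match")
    if match is not None and not match_pattern(match, log):
        return rule_id, level, False, "substring %r not found in log" % match
    return rule_id, level, True, "all conditions satisfied"


if __name__ == "__main__":
    for xml_text in (ORIGINAL_RULE, FIXED_RULE):
        rule_id, level, matched, reason = evaluate_rule(xml_text, LOG, DECODED)
        print("rule %s (level %d): %s - %s"
              % (rule_id, level, "MATCH" if matched else "no match", reason))
```

Running it reports the 1000500 rule as "no match" with the offending substring, and 800001 as a match. The practical habit this encodes is the one the reply recommends: paste the exact log line into ossec-logtest and copy `<match>` text straight out of the "log:" field it prints, rather than typing it from memory, because a single stray space or reordered field is enough for a literal substring to miss.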