On Wed, Mar 30, 2016 at 6:00 AM, sandeep dubey wrote:
> Yes, below is the rule and output for test -
>
> RULE :
>
> DENIED
> 1002
> profile="docker-default"
> IGNORE RULE
>
>
> TEST :
> root@ossec-cloud:/var/ossec/bin# ./ossec-logtest
> 2016/03/30 10:00:39 ossec-testrule: INFO: Reading l
Yes, below is the rule and output for test -
RULE :
DENIED
1002
profile="docker-default"
IGNORE RULE
TEST :
root@ossec-cloud:/var/ossec/bin# ./ossec-logtest
2016/03/30 10:00:39 ossec-testrule: INFO: Reading local decoder file.
2016/03/30 10:00:39 ossec-testrule: INFO: Started (pid: 6909
Did you run ossec-logtest to verify that your log triggers the rule just
created?
Try to run it and paste the log, if the rule 81 is not being fired
something went wrong with the rule creation.
On Wednesday, March 30, 2016 at 8:10:39 AM UTC+2, sandeep wrote:
>
> Hi Dan,
>
> Thanks for the d
Hi Dan,
Thanks for the detailed step and rule. I tried the same and still getting
alert.
On 29-Mar-2016 9:07 PM, "dan (ddp)" wrote:
> On Tue, Mar 29, 2016 at 11:29 AM, sandeep dubey
> wrote:
> > Hi,
> >
> > I am getting this alert form all the hosts -
> >
> > Mar 29 13:30:02 cmcloud kernel: [88
On Tue, Mar 29, 2016 at 11:29 AM, sandeep dubey
wrote:
> Hi,
>
> I am getting this alert form all the hosts -
>
> Mar 29 13:30:02 cmcloud kernel: [885866.238608] type=1400
> audit(1459258202.301:67688): apparmor="DENIED" operation="ptrace"
> profile="docker-default" pid=21882 comm="ps" requested_m
Hi,
I am getting this alert form all the hosts -
*Mar 29 13:30:02 cmcloud kernel: [885866.238608] type=1400
audit(1459258202.301:67688): apparmor="DENIED" operation="ptrace"
profile="docker-default" pid=21882 comm="ps" requested_mask="trace"
denied_mask="trace" peer="unconfined"*
to disable this