I hereby claim:
- I am mutemule on github.
- I am dwg (https://keybase.io/dwg) on keybase.
- I have a public key ASBcYPDfcNij7MUQmBsJzmMfZu1jphLe22l3R4ngfEzNqgo
To claim this, I am signing this object:
Everyone who runs OSSEC on a Unix system has a common problem: you want to follow and apply security updates closely, but every time you patch, you get a flood of alerts for the files the package replaced. And this problem grows quickly: if a given package update results in five alerts, that's fine if you only have one server. But what if you have a hundred servers? Five hundred? Five thousand?
So I've cobbled some things together to abuse OSSEC's Active Response mechanism so that a package that is upgraded properly doesn't end up raising an alert. I've tried to emulate the workflow of a human administrator as closely as possible, but there are definitely some areas that could be handled better; see Caveats below.
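Here is an added example of the active-response half of that idea. It is not the author's script and not part of OSSEC; it assumes an rpm- or dpkg-based host, a hypothetical OSSEC_AR_LOG variable for where verdicts are written, and that the ossec.conf command block that calls it uses expect filename so the flagged path arrives as the seventh argument. The idea it demonstrates is the same question an administrator asks by hand: does the file OSSEC complained about still match what the package manager says it shipped?

```shell
#!/bin/sh
# Added example, not the author's tooling: an OSSEC active-response
# handler for syscheck alerts that asks the package manager whether the
# flagged file still matches its package. A file that verifies was most
# likely replaced by a clean upgrade; anything else is escalated.
#
# OSSEC calls active-response scripts as
#   script ACTION USER SRCIP ALERT_ID RULE_ID AGENT FILENAME
# and fills FILENAME from a syscheck alert when the <command> block in
# ossec.conf uses <expect>filename</expect>.

# Assumption: where verdicts are recorded. OSSEC's bundled scripts log
# to this file; override OSSEC_AR_LOG for a different install.
LOG="${OSSEC_AR_LOG:-/var/ossec/logs/active-responses.log}"

# verify_output_clean FILE OUTPUT
# OUTPUT is what "rpm -V <pkg>" or "dpkg --verify <pkg>" printed. Both
# tools are silent for files that match the package database and print
# one line per mismatch whose last field is the path, e.g.
#   ..5....T.  c /etc/nginx/nginx.conf    (rpm: md5 and mtime differ)
#   ??5??????  c /etc/ssh/sshd_config     (dpkg: md5 differs)
#   missing     /usr/sbin/sshd            (rpm: file is gone)
# Returns 0 when no line names FILE, 1 otherwise. Paths containing
# whitespace are not handled.
verify_output_clean() {
    printf '%s\n' "$2" | awk -v target="$1" '
        BEGIN { bad = 0 }
        NF > 0 && $NF == target { bad = 1 }
        END { exit bad }'
}

# owning_package FILE: print the package that owns FILE, or nothing.
# Assumption: rpm is preferred when both tools are present.
owning_package() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -qf --queryformat '%{NAME}\n' "$1" 2>/dev/null | head -n 1
    elif command -v dpkg >/dev/null 2>&1; then
        dpkg -S "$1" 2>/dev/null | sed 's/:.*//' | head -n 1
    fi
}

# verify_file FILE: run the package manager's verification for the
# package owning FILE and return 0 only if FILE is unmodified.
# A file that belongs to no package is never considered clean.
verify_file() {
    pkg=$(owning_package "$1")
    [ -n "$pkg" ] || return 1
    if command -v rpm >/dev/null 2>&1; then
        out=$(rpm -V "$pkg" 2>/dev/null)
    else
        out=$(dpkg --verify "$pkg" 2>/dev/null)
    fi
    verify_output_clean "$1" "$out"
}

# Entry point in OSSEC's argument order. Returns 0 either way so OSSEC
# does not also log a failed response.
main() {
    action="$1" rule="$5" agent="$6" file="$7"
    [ "$action" = "add" ] || return 0      # ignore the "delete" callback
    stamp=$(date '+%Y/%m/%d %H:%M:%S')
    if verify_file "$file"; then
        printf '%s %s rule %s: %s matches its package, treating as upgrade\n' \
            "$stamp" "$agent" "$rule" "$file" >>"$LOG"
    else
        printf '%s %s rule %s: %s does NOT match its package, needs review\n' \
            "$stamp" "$agent" "$rule" "$file" >>"$LOG"
    fi
    return 0
}

# Only act when invoked by OSSEC with its full argument list, so the
# functions above can also be sourced and exercised on their own.
if [ "$#" -ge 7 ]; then
    main "$@"
fi
```

To wire it in, bind it through an active-response block to the stock syscheck rule 550 ("Integrity checksum changed") with location local, so each agent checks its own package database. Two caveats worth keeping in mind: active response fires after the alert has already been generated, so a script like this can only classify and route; whatever keeps the upgrade alerts out of your inbox has to sit on top of a check like this. And a modified config file that the package manager flags as changed (the "c" column above) is exactly the case this must not wave through, which is why any verify line naming the file counts as a failure.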
Any time I get an OSSEC alert, I'll do any number of things that generally fall into three categories: