Everyone who runs OSSEC on a Unix system has a common problem: you want to follow and apply security updates closely, but every time you patch, you get a flood of syscheck alerts for the files the package manager replaced. And this problem scales badly: if a given package update produces five alerts, that's fine if you only have one server. But if you have a hundred servers? Five hundred? Five thousand?
So, I've cobbled some stuff together to abuse OSSEC's Active Response mechanism so that it does not raise an alert when a package is upgraded properly. I've tried to emulate the workflow of a human administrator as closely as possible, but there are definitely some areas that could be handled better -- see Caveats below.
Any time I get an OSSEC alert, I'll do any number of things that generally fall into three categories:
- Validation of automated change: make sure the file was supposed to be upgraded: check the auto-upgrade logs, verify the package that installed/upgraded the file, etc.
- Validation of expected