Best way to whitelist installed RPM / packages


Shawn Wiley

Sep 14, 2016, 4:27:07 PM
to ossec-list
Is there a way with OSSEC to create a white list of packages that should be installed on my Red Hat server and create an ongoing alert that's triggered if an unauthorized package (non-white-list) is installed? My concern is if someone installs an unauthorized package and I miss the alert or the alert is cleared would the package be able to continue to run without any new alerts being generated? Can I use OSSEC in this test case or is there another tool I need to use? Thanks in advance for any advice.

-Shawn

Jesus Linares

Sep 15, 2016, 5:20:21 AM
to ossec-list
Hi Shawn,

By default, OSSEC triggers an alert when a package is installed/removed/updated:

command
yum install valgrind.x86_64

archives.log
2016 Sep 15 09:08:44 ip-10-0-0-10->/var/log/messages Sep 15 09:08:43 ip-10-0-0-10 yum[5630]: Installed: 1:valgrind-3.10.0-16.el7.x86_64

alerts.log
** Alert 1473930524.4047: mail  - syslog,yum,config_changed,pci_dss_10.6.1,pci_dss_10.2.7,
2016 Sep 15 09:08:44 ip-10-0-0-10->/var/log/messages
Rule: 2932 (level 7) -> 'New Yum package installed.'
Sep 15 09:08:43 ip-10-0-0-10 yum[5630]: Installed: 1:valgrind-3.10.0-16.el7.x86_64


If you want a whitelist of packages:
  1. Create a decoder for yum in order to extract the package name in a field (extra_data for example)
  2. Create a CDB list with the white list packages
  3. Create a child rule of 2932 in local_rules.xml with level 0 and check if extra_data (the package name) is in the CDB list. In this way, you will see only alerts for packages which are not in the list.
I hope it helps.
Regards.
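
The three steps above as concrete OSSEC configuration (an added example, not from the thread or the OSSEC project): it assumes the stock decoder named `yum` that rule 2932 builds on, and the decoder names, rule id 100100 and list path `lists/approved-packages` are made up for the example. Only `Installed:` lines are keyed, matching what rule 2932 covers; the second list entry is a constructed sample.

```xml
<!-- 1. /var/ossec/etc/local_decoder.xml: child decoders of the stock "yum" decoder.
     yum may log an epoch prefix ("Installed: 1:valgrind-..."), so the first
     decoder strips it and the second handles lines without one; both place the
     package NVRA string in extra_data. -->
<decoder name="yum-installed-epoch">
  <parent>yum</parent>
  <prematch>^Installed: \d+:</prematch>
  <regex offset="after_prematch">^(\S+)$</regex>
  <order>extra_data</order>
</decoder>

<decoder name="yum-installed">
  <parent>yum</parent>
  <prematch>^Installed: </prematch>
  <regex offset="after_prematch">^(\S+)$</regex>
  <order>extra_data</order>
</decoder>

<!-- 2. /var/ossec/lists/approved-packages (plain text, one "key:" per line,
     compiled with /var/ossec/bin/ossec-makelists). Keys must equal the decoded
     extra_data exactly, because match_key is an exact lookup. Example entries:
       valgrind-3.10.0-16.el7.x86_64:
       openssh-server-6.6.1p1-25.el7_2.x86_64:
     The second line is a constructed sample value. -->

<!-- 3. /var/ossec/etc/ossec.conf: register the list so analysisd loads it. -->
<ossec_config>
  <rules>
    <list>lists/approved-packages</list>
  </rules>
</ossec_config>

<!-- 4. /var/ossec/etc/local_rules.xml: level-0 child of 2932 for approved
     packages. Anything not in the list keeps firing 2932 at level 7, so only
     unapproved installs reach alerts.log. -->
<group name="local,syslog,yum,">
  <rule id="100100" level="0">
    <if_sid>2932</if_sid>
    <list field="extra_data" lookup="match_key">lists/approved-packages</list>
    <description>Approved Yum package installed (whitelisted).</description>
  </rule>
</group>
```

Because the list keys carry the full version string, an update of an approved package to a new release will alert until the list is regenerated and recompiled; check with `/var/ossec/bin/ossec-logtest` by pasting the archives.log line above.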

Shawn Wiley

Sep 15, 2016, 9:06:05 AM
to ossec-list
Thanks for the help, that's perfect.