local_rules matching against Docker aufs directories


Tom Farrar

Sep 19, 2017, 5:08:54 AM
to ossec-list
Hi all,

We're looking to add a rule in local_rules to match against Docker's aufs mounts which sets rootcheck alerts (509,510) to level 0. So far we've tried the following with no luck:


          <rule id="100022" level="0">
            <if_sid>509</if_sid>
            <match>/var/lib/docker/aufs/mnt</match>
            <description>Ignore alerts for this file as a rootcheck alert is triggered because of the file permissions required.</description>
          </rule>

          <rule id="100023" level="0">
            <if_sid>510</if_sid>
            <match>/var/lib/docker/aufs/mnt</match>
            <description>Ignore alerts for this file as a rootcheck alert is triggered because of the file permissions required.</description>
          </rule>

and

          <rule id="100022" level="0">
            <if_sid>509</if_sid>
            <match>/var/lib/docker/aufs/mnt/*</match>
            <description>Ignore alerts for this file as a rootcheck alert is triggered because of the file permissions required.</description>
          </rule>

          <rule id="100023" level="0">
            <if_sid>510</if_sid>
            <match>/var/lib/docker/aufs/mnt/*</match>
            <description>Ignore alerts for this file as a rootcheck alert is triggered because of the file permissions required.</description>
          </rule>

Can anyone point us in the right direction please? I believe we've used match for a single directory before (successfully), but never on a directory that has several layers of sub-directories.

Thanks,

Tom

Tom Farrar

Sep 20, 2017, 8:51:27 AM
to ossec-list
To note, we added the following to the core ossec config instead:

<rootcheck>
  <ignore>/var/lib/docker/aufs/mnt/</ignore>
</rootcheck>
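The following is an added example, not code from the thread or from the OSSEC project. It models both approaches discussed above (the local_rules `<match>` override from the first post and the rootcheck `<ignore>` from the second) so the two pattern styles can be compared against a constructed rootcheck alert line. It assumes OSSEC's `<match>` uses sregex semantics (a substring test where only `^`, `$` and `|` are special and `*` is a literal character) and that a rootcheck `<ignore>` entry acts as a path prefix; both are my assumptions about OSSEC's behaviour, and the rule text, alert line and function names are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed local_rules fragment mirroring the two <match> variants from the first post.
LOCAL_RULES = """<group name="local,">
  <rule id="100022" level="0">
    <if_sid>509</if_sid>
    <match>/var/lib/docker/aufs/mnt</match>
    <description>Plain substring: matches anywhere in the alert text</description>
  </rule>
  <rule id="100023" level="0">
    <if_sid>509</if_sid>
    <match>/var/lib/docker/aufs/mnt/*</match>
    <description>Trailing '*' is literal under sregex (assumption), so it does not match</description>
  </rule>
</group>"""

# Constructed alert text shaped like a rootcheck rule 509 (world-writable file) message.
SAMPLE_ALERT = ("File '/var/lib/docker/aufs/mnt/abc123/etc/shadow' is owned by root "
                "and has written permissions to anyone.")


def sregex_match(pattern: str, text: str) -> bool:
    """Assumed sregex semantics: '|' separates alternatives, '^' anchors the start,
    '$' anchors the end, and every other character (including '*') is literal."""
    for alt in pattern.split("|"):
        anchored_start = alt.startswith("^")
        anchored_end = alt.endswith("$")
        core = alt[1:] if anchored_start else alt
        core = core[:-1] if anchored_end else core
        if anchored_start and anchored_end:
            hit = text == core
        elif anchored_start:
            hit = text.startswith(core)
        elif anchored_end:
            hit = text.endswith(core)
        else:
            hit = core in text
        if hit:
            return True
    return False


def firing_rules(rules_xml: str, parent_sid: int, alert_text: str) -> list:
    """Return the ids of child rules whose <if_sid> names parent_sid and whose
    <match> hits the alert text. Also validates that the XML parses at all."""
    root = ET.fromstring(rules_xml)
    fired = []
    for rule in root.iter("rule"):
        sids = rule.findtext("if_sid", "")
        parents = {int(s) for s in sids.split(",") if s.strip()}
        if parent_sid not in parents:
            continue
        pattern = rule.findtext("match")
        if pattern is None or sregex_match(pattern, alert_text):
            fired.append(rule.get("id"))
    return fired


def rootcheck_ignored(path: str, ignores: list) -> bool:
    """Assumed rootcheck <ignore> behaviour: an entry suppresses any path it is a prefix of."""
    return any(path.startswith(prefix) for prefix in ignores)


if __name__ == "__main__":
    print("rules that would fire:", firing_rules(LOCAL_RULES, 509, SAMPLE_ALERT))
    print("ignored by rootcheck:",
          rootcheck_ignored("/var/lib/docker/aufs/mnt/abc123/etc/shadow",
                            ["/var/lib/docker/aufs/mnt/"]))
```

Running it shows that only rule 100022 (the plain directory substring) would fire on the constructed alert, while the `/*` form never matches because the `*` is compared literally; the `<ignore>` prefix suppresses the finding before a rule is ever evaluated, which is why the second approach is the simpler one for a directory tree with many nested layers.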