Rule 1002 - Problem with Chrome and/or AppArmor?


Nick Barnes

Apr 12, 2012, 10:20:09 AM
to ossec...@googlegroups.com
Hi,

I'm new to OSSEC (still an Ubuntu noob too) and have left all of the default settings from the installation the same, with the exception of my email address and a tick in the box for email notifications.

Within seconds of setting it all up, I've started getting loads of the same notifications regarding Rule 1002 - Unknown problem somewhere in the system. It looks like this is all to do with Chromium web browser and/or AppArmor?

Received From: server->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Apr 12 14:56:26 server kernel: [39631.605323] type=1400 audit(1334238986.635:1101151): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/11685/task/11691/stat" pid=6851 comm="Chrome_IOThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

How can I stop this? Is it safe for me to ignore rule 1002 in the config or should I just stop low-level notifications from being emailed to me? If I should stop the notifications, what is the safest level of notification I should stop at? I've seen level 7 mentioned a few times but will I still get notified about failed root logins etc?

Better yet, does anyone know how I can solve this unknown problem at its source?

Thanks for your help!

Nick

dan (ddp)

Apr 12, 2012, 10:41:41 AM
to ossec...@googlegroups.com
Don't ignore 1002. 1002 is a rule that looks for certain keywords.
These log messages are often something that should be looked at. If
you don't want to see the alerts, create a rule to ignore that
specific log message, not 1002 altogether.

Writing a rule to ignore this usually starts with running it through
ossec-logtest:

# /var/ossec/bin/ossec-logtest
2012/04/12 10:37:08 ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
2012/04/12 10:37:08 ossec-testrule: INFO: Reading decoder file
etc/local_decoder.xml.
2012/04/12 10:37:08 ossec-testrule: INFO: Reading decoder file
etc/wip/nsd_decoder.xml.
2012/04/12 10:37:08 ossec-testrule: INFO: Reading loading the lists
file: 'lists/blocked.txt.cdb'
2012/04/12 10:37:08 ossec-testrule: INFO: Reading loading the lists
file: 'lists/userlist.txt.cdb'
2012/04/12 10:37:08 ossec-testrule: INFO: Started (pid: 2340).
ossec-testrule: Type one log per line.

Apr 12 14:56:26 server kernel: [39631.605323] type=1400
audit(1334238986.635:1101151): apparmor="ALLOWED" operation="open"
parent=1 profile="/usr/lib/chromium-browser/chromium-browser"
name="/proc/11685/task/11691/stat" pid=6851 comm="Chrome_IOThread"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0


**Phase 1: Completed pre-decoding.
full event: 'Apr 12 14:56:26 server kernel: [39631.605323]
type=1400 audit(1334238986.635:1101151): apparmor="ALLOWED"
operation="open" parent=1
profile="/usr/lib/chromium-browser/chromium-browser"
name="/proc/11685/task/11691/stat" pid=6851 comm="Chrome_IOThread"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'
hostname: 'server'
program_name: 'kernel'
log: '[39631.605323] type=1400 audit(1334238986.635:1101151):
apparmor="ALLOWED" operation="open" parent=1
profile="/usr/lib/chromium-browser/chromium-browser"
name="/proc/11685/task/11691/stat" pid=6851 comm="Chrome_IOThread"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'

**Phase 2: Completed decoding.
decoder: 'iptables'

**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.


This gives us some more information. If the log messages are all
similar enough, I'd create a rule like the following in
/var/ossec/rules/local_rules.xml:
<rule id="102003" level="0">
<decoded_as>iptables</decoded_as>
<match>apparmor="ALLOWED" operation="open" parent=1
profile="/usr/lib/chromium-browser/chromium-browser</match>
<description>Ignore chromium</description>
</rule>

Then run ossec-logtest again:
# /var/ossec/bin/ossec-logtest
2012/04/12 10:39:41 ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
2012/04/12 10:39:41 ossec-testrule: INFO: Reading decoder file
etc/local_decoder.xml.
2012/04/12 10:39:41 ossec-testrule: INFO: Reading decoder file
etc/wip/nsd_decoder.xml.
2012/04/12 10:39:41 ossec-testrule: INFO: Reading loading the lists
file: 'lists/blocked.txt.cdb'
2012/04/12 10:39:41 ossec-testrule: INFO: Reading loading the lists
file: 'lists/userlist.txt.cdb'
2012/04/12 10:39:41 ossec-testrule: INFO: Started (pid: 1790).
ossec-testrule: Type one log per line.

Apr 12 14:56:26 server kernel: [39631.605323] type=1400
audit(1334238986.635:1101151): apparmor="ALLOWED" operation="open"
parent=1 profile="/usr/lib/chromium-browser/chromium-browser"
name="/proc/11685/task/11691/stat" pid=6851 comm="Chrome_IOThread"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0


**Phase 1: Completed pre-decoding.
full event: 'Apr 12 14:56:26 server kernel: [39631.605323]
type=1400 audit(1334238986.635:1101151): apparmor="ALLOWED"
operation="open" parent=1
profile="/usr/lib/chromium-browser/chromium-browser"
name="/proc/11685/task/11691/stat" pid=6851 comm="Chrome_IOThread"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'
hostname: 'server'
program_name: 'kernel'
log: '[39631.605323] type=1400 audit(1334238986.635:1101151):
apparmor="ALLOWED" operation="open" parent=1
profile="/usr/lib/chromium-browser/chromium-browser"
name="/proc/11685/task/11691/stat" pid=6851 comm="Chrome_IOThread"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'

**Phase 2: Completed decoding.
decoder: 'iptables'

**Phase 3: Completed filtering (rules).
Rule id: '102003'
Level: '0'
Description: 'Ignore chromium'


The rule assumes that all of these log messages have the exact phrase
as mentioned in the <match> option. If not, you'll have to tweak it a
bit.
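As an added illustration (not from the thread and not OSSEC code), this Python mimics the plain substring semantics of the posted `<match>` string against a few constructed AppArmor audit lines, showing which events rule 102003 would silence and which would still fall through to rule 1002: the same Chromium profile with a different operation, and a DENIED event from another profile. The sample log lines, the field parser and the `triage` helper are assumptions for this example; OSSEC's own matcher and decoder are not involved.

```python
import re

# Constructed sample lines modelled on the kernel/AppArmor audit event quoted
# in the thread; timestamps, PIDs and the non-Chromium event are made up.
SAMPLE_LOGS = [
    'Apr 12 14:56:26 server kernel: [39631.605323] type=1400 audit(1334238986.635:1101151): '
    'apparmor="ALLOWED" operation="open" parent=1 profile="/usr/lib/chromium-browser/chromium-browser" '
    'name="/proc/11685/task/11691/stat" pid=6851 comm="Chrome_IOThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    # Same profile, different operation: the posted <match> string does not cover it.
    'Apr 12 14:57:01 server kernel: [39666.100000] type=1400 audit(1334239021.100:1101200): '
    'apparmor="ALLOWED" operation="exec" parent=1 profile="/usr/lib/chromium-browser/chromium-browser" '
    'name="/bin/sh" pid=6900 comm="chromium-browse" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0',
    # A real denial from another profile must keep alerting.
    'Apr 12 14:58:10 server kernel: [39735.200000] type=1400 audit(1334239090.200:1101300): '
    'apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/cupsd" '
    'name="/etc/shadow" pid=7000 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

# The <match> string from the posted rule 102003, copied as written (OSSEC
# <match> is a literal substring test, so the missing closing quote is harmless).
RULE_102003_MATCH = ('apparmor="ALLOWED" operation="open" parent=1 '
                     'profile="/usr/lib/chromium-browser/chromium-browser')

# key=value pairs: quoted values may contain spaces, unquoted ones may not.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_apparmor_fields(line):
    """Return the key=value pairs of an AppArmor audit line as a dict, quotes stripped."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def suppressed_by_rule(line, match=RULE_102003_MATCH):
    """Approximate the level-0 rule: a plain substring match, as OSSEC <match> does."""
    return match in line


def triage(lines):
    """Split lines into those the rule would silence and those that still alert.

    The alerting side is returned parsed, which is the form a reviewer wants
    when deciding whether the <match> string needs tweaking.
    """
    suppressed, alerting = [], []
    for line in lines:
        (suppressed if suppressed_by_rule(line) else alerting).append(line)
    return suppressed, [parse_apparmor_fields(line) for line in alerting]
```

Running `triage(SAMPLE_LOGS)` silences only the first line; the `exec` event from the same Chromium profile and the `DENIED` event from cupsd are still reported, which is the behaviour the level-0 rule is meant to preserve.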
