AppArmor apache2 OSSEC spam #2507

Closed
micahflee opened this issue Nov 4, 2017 · 0 comments · Fixed by #2550

Every day, SecureDrop servers reboot and apache2 restarts, and it triggers these two syslog errors, which trigger two Alert level 7 OSSEC emails. I'm not sure why there are two of them, but the emails get sent about 1 minute, then 3 minutes, after the app server OSSEC. They look like this:

OSSEC HIDS Notification.
2017 Nov 04 04:45:38

Received From: (app) 10.20.2.2->/var/log/syslog
Rule: 100012 fired (level 7) -> "Apparmor denied event"
Portion of the log(s):

Nov  4 04:45:37 app kernel: [   98.764680] audit: type=1400 audit(1509785137.281:16): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/proc/1243/status" pid=1265 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=0



 --END OF NOTIFICATION

And this:

OSSEC HIDS Notification.
2017 Nov 04 04:47:30

Received From: (app) 10.20.2.2->/var/log/syslog
Rule: 100012 fired (level 7) -> "Apparmor denied event"
Portion of the log(s):

Nov  4 04:47:29 app kernel: [  210.518560] audit: type=1400 audit(1509785248.997:17): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/proc/1242/status" pid=1398 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=0



 --END OF NOTIFICATION
redshiftzero added a commit that referenced this issue Nov 9, 2017
Add read access to /proc/[pid]/status (read access to /proc/[pid]/stat
was already granted in the AppArmor profile).

This fixes the spurious alerts reported in #2456 and #2507
conorsch added the OSSEC label Dec 13, 2017
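
A triage sketch for the denials reported above, added here as an example and not taken from the issue or from SecureDrop's code: it groups AppArmor `DENIED` audit lines by profile and PID-generalized path, then renders a candidate profile rule for human review. The function names and the `/proc/[0-9]*/` glob are choices made for this example; the sample input is the two log lines quoted in the issue.

```python
import re
from collections import Counter

# Sample input: the two kernel audit lines quoted in the issue above.
SAMPLE_SYSLOG = """\
Nov  4 04:45:37 app kernel: [   98.764680] audit: type=1400 audit(1509785137.281:16): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/proc/1243/status" pid=1265 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
Nov  4 04:47:29 app kernel: [  210.518560] audit: type=1400 audit(1509785248.997:17): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/proc/1242/status" pid=1398 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
"""

# key="quoted value" or key=bare_value
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED audit line, else None."""
    if "type=1400" not in line or 'apparmor="DENIED"' not in line:
        return None
    return {k: (q if q else b) for k, q, b in KV.findall(line)}

def generalize(path):
    """Replace a numeric /proc/<pid>/ component with the glob [0-9]*."""
    return re.sub(r"^/proc/\d+/", "/proc/[0-9]*/", path)

def summarize(log_text):
    """Count denials per (profile, generalized path, denied mask, owner match)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_denial(line)
        if f is None or "name" not in f:
            continue
        # An 'owner' rule only applies when the process fsuid owns the file.
        same_owner = f.get("fsuid") == f.get("ouid")
        key = (f["profile"], generalize(f["name"]), f["denied_mask"], same_owner)
        counts[key] += 1
    return counts

def candidate_rules(counts):
    """Render each group as an AppArmor file rule to review before adding."""
    rules = []
    for (profile, path, mask, same_owner), n in sorted(counts.items()):
        prefix = "owner " if same_owner else ""
        rules.append(f"{profile}: {prefix}{path} {mask},  # {n} denial(s)")
    return rules

if __name__ == "__main__":
    print("\n".join(candidate_rules(summarize(SAMPLE_SYSLOG))))
```

Both events have `fsuid=33` and `ouid=0`, so an `owner`-qualified rule would not match them; the example therefore emits the rule without that prefix.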