
Removing a Debian package sends notifications that the package was installed first #2141

Open
legoktm opened this issue Dec 19, 2024 · 0 comments

legoktm commented Dec 19, 2024

Using the default syslog_rules.xml, if you uninstall a Debian package, you'll get a notification that it was installed right before you get one indicating it was uninstalled. E.g. on an Ubuntu Focal (20.04) system, running apt remove ufw -y triggers:

Rule: 2902 fired (level 7) -> "New dpkg (Debian Package) installed."
Portion of the log(s):

[timestamp] status installed ufw:all 0.36-6ubuntu1.1

--END OF NOTIFICATION

Rule: 2903 fired (level 7) -> "Dpkg (Debian Package) removed."
Portion of the log(s):

[timestamp] remove ufw:all 0.36-6ubuntu1.1

--END OF NOTIFICATION

Rule: 2903 fired (level 7) -> "Dpkg (Debian Package) removed."
Portion of the log(s):

[timestamp] purge ufw:all 0.36-6ubuntu1.1

Here are the relevant dpkg logs from the operation:

2024-12-18 17:49:01 startup packages remove
2024-12-18 17:49:01 status installed ufw:all 0.36-6ubuntu1.1
2024-12-18 17:49:01 remove ufw:all 0.36-6ubuntu1.1 <none>
2024-12-18 17:49:01 status half-configured ufw:all 0.36-6ubuntu1.1
2024-12-18 17:49:01 status half-installed ufw:all 0.36-6ubuntu1.1
2024-12-18 17:49:01 status config-files ufw:all 0.36-6ubuntu1.1
2024-12-18 17:49:01 startup packages configure
2024-12-18 17:49:01 startup packages purge
2024-12-18 17:49:01 purge ufw:all 0.36-6ubuntu1.1 <none>
2024-12-18 17:49:01 status config-files ufw:all 0.36-6ubuntu1.1
2024-12-18 17:49:01 status triggers-pending rsyslog:amd64 8.2001.0-1ubuntu1.3
2024-12-18 17:49:02 status not-installed ufw:all <none>
2024-12-18 17:49:02 startup packages configure
2024-12-18 17:49:02 trigproc rsyslog:amd64 8.2001.0-1ubuntu1.3 <none>
2024-12-18 17:49:02 status half-configured rsyslog:amd64 8.2001.0-1ubuntu1.3
2024-12-18 17:49:02 status installed rsyslog:amd64 8.2001.0-1ubuntu1.3

So the second line ("installed ufw:all") matches

<rule id="2902" level="7">
<if_sid>2900</if_sid>
<pcre2>^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} status installed</pcre2>
<description>New dpkg (Debian Package) installed.</description>
<group>config_changed,</group>
</rule>
, incorrectly triggering the new package installed notification (it's not new) and then sending out the correct package removal notification.
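A Python replay of the matching described above, added here as an illustration and not code from the issue or from OSSEC: it runs rule 2902's pcre2 (plus an assumed approximation of 2903, whose regex is not quoted in the issue) over the ufw lines of the dpkg log, then shows a hypothetical stateful variant that does not report the `status installed` line dpkg writes at the start of a removal. The trailing `example-pkg` install sequence is constructed to show that the variant still reports a genuine install.

```python
import re

# Sample input: the ufw lines from the dpkg log quoted in the issue, followed by a
# constructed (not from the issue) install sequence in dpkg's usual status order.
DPKG_LOG = """\
2024-12-18 17:49:01 startup packages remove
2024-12-18 17:49:01 status installed ufw:all 0.36-6ubuntu1.1
2024-12-18 17:49:01 remove ufw:all 0.36-6ubuntu1.1 <none>
2024-12-18 17:49:01 status half-configured ufw:all 0.36-6ubuntu1.1
2024-12-18 17:49:01 status half-installed ufw:all 0.36-6ubuntu1.1
2024-12-18 17:49:01 status config-files ufw:all 0.36-6ubuntu1.1
2024-12-18 17:49:01 startup packages purge
2024-12-18 17:49:01 purge ufw:all 0.36-6ubuntu1.1 <none>
2024-12-18 17:49:02 status not-installed ufw:all <none>
2024-12-18 17:50:00 status half-installed example-pkg:amd64 1.0-1
2024-12-18 17:50:00 status unpacked example-pkg:amd64 1.0-1
2024-12-18 17:50:00 status half-configured example-pkg:amd64 1.0-1
2024-12-18 17:50:00 status installed example-pkg:amd64 1.0-1
"""

TS = r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} "
RULE_2902 = re.compile(TS + r"status installed")      # pcre2 exactly as quoted in the issue
RULE_2903 = re.compile(TS + r"(?:remove|purge) ")     # assumed approximation of rule 2903
STATUS = re.compile(TS + r"status (\S+) (\S+) ")      # (status, package) of a status line

def stock_alerts(log):
    """Stateless replay of the stock rules: (rule_id, line) for every matching line."""
    alerts = []
    for line in log.splitlines():
        if RULE_2902.search(line):
            alerts.append(("2902", line))
        elif RULE_2903.search(line):
            alerts.append(("2903", line))
    return alerts

def stateful_alerts(log):
    """Hypothetical refinement: 'status installed' counts as a new install only when
    that package's previous status line was 'half-configured', the step dpkg logs
    while finishing configuration. The 'status installed' line written at the start
    of a removal has no such predecessor. (Trigger processing also passes through
    half-configured, so this check alone does not distinguish trigproc runs.)"""
    alerts, last_status = [], {}
    for line in log.splitlines():
        m = STATUS.search(line)
        if m:
            status, pkg = m.groups()
            if status == "installed" and last_status.get(pkg) == "half-configured":
                alerts.append(("2902", line))
            last_status[pkg] = status
        elif RULE_2903.search(line):
            alerts.append(("2903", line))
    return alerts
```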

legoktm added a commit to freedomofpress/securedrop-docs that referenced this issue Dec 20, 2024
Because of an upstream OSSEC bug[1], it alerts that the "ufw"
package was installed right before it alerts that it was removed.

Despite the notification, there is nothing for admins to do, so add
a small note about it.

[1] ossec/ossec-hids#2141