. /usr/share/carnet-tools/functions.sh
# get installation directory
-. /etc/ossec-init.conf
+if [ -e /etc/ossec-init.conf ]; then
+ . /etc/ossec-init.conf
+fi
if [ "X${DIRECTORY}" = "X" ]; then
DIRECTORY="/var/ossec"
fi
BEGIN {
FS = "\""
}
-/^[ \t]*<rule id="[[:digit:]]+" .*>/ {
+/<rule id="[0-9]*".*>/ {
if (max < $2)
max = $2
}
print max
};
'
-sid=100000
if [ -e "$local_rules" ]; then
sid=$(awk "$script" "$local_rules")
fi
+if [ -z "$sid" ]; then
+ sid=100000
+fi
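Review bot: The new fallback only covers an empty result from awk, so a non-numeric value in `sid` (for example an empty `$2` admitted by the `[0-9]*` pattern in the awk script, or any other unexpected output) is passed unchanged into the `expr "$sid" + N` substitutions inside the heredoc, where expr fails and the generated rules get `id=""` before cp-update writes them into the live rules file. A POSIX check that also rejects non-digits would replace lines 25-27: `case $sid in ''|*[!0-9]*) sid=100000 ;; esac`. Since `$sid` is derived from the installed local_rules file, that guard is also what keeps a malformed rules file from producing a malformed policy. The awk script this value comes from begins before the first line shown here.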
# update local rules with our policy
if [ -e "$local_rules" ]; then
cp-update --comment '<!--' --comment-end '-->' \
ossec-hids-cn "$local_rules.$$" <<EOF
-<group name="syslog,errors,local">
+<group name="local">
<rule id="$(expr "$sid" + 1)" level="0">
<if_sid>1002</if_sid>
<match>rsync</match>
<description>Events ignored</description>
</rule>
- <rule id="$(expr "$sid" + 1)" level="0">
+ <rule id="$(expr "$sid" + 2)" level="0">
<if_sid>1002</if_sid>
<program_name>^sophie|^smartd</program_name>
- <description>Events ignored</description>
+ <description>Ignore Sophie/SMARTd</description>
</rule>
-</group>
-<group name="syslog,postfix,local">
- <rule id="$(expr "$sid" + 1)" level="0">
+ <rule id="$(expr "$sid" + 3)" level="0">
<if_sid>3303</if_sid>
<description>Events ignored</description>
</rule>
- <rule id="$(expr "$sid" + 1)" level="0">
- <if_sid>3356</if_sid>
- <description>Ignore blacklisted mail...</description>
+ <rule id="$(expr "$sid" + 4)" level="0">
+ <if_sid>3356</if_sid>
+ <description>Ignore blacklisted mail</description>
</rule>
+
+ <rule id="$(expr "$sid" + 5)" level="0">
+ <if_sid>1002</if_sid>
+ <match>cache</match>
+ <program_name>^named</program_name>
+ <description>Ignore BIND cache warnings</description>
+ </rule>
+
+ <rule id="$(expr "$sid" + 6)" level="0">
+ <if_sid>2933</if_sid>
+ <match>Updated timestamp for job</match>
+ <program_name>^anacron</program_name>
+ <description>Ignore Anacron warnings</description>
+ </rule>
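Review bot: The added level-0 rule at sid+5 silences every named message that reached rule 1002 and merely contains the substring `cache`, which is considerably broader than the "BIND cache warnings" the description names; OSSEC `<match>` is a substring test unless anchored, so a message about cache tampering or any future cache-related error would be dropped too. Narrowing `<match>cache</match>` to the exact warning text being suppressed (or anchoring it with `^`) keeps the exclusion to what was intended. The same review applies less urgently to sid+1, whose `<match>rsync</match>` predates this change. A comment in the heredoc recording which log line each suppression targets, e.g. `<!-- sid+5: named "… cache …" warning seen on <constructed example host> -->`, would make later audits of the local policy possible.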
</group>
EOF
cp_mv "$local_rules.$$" "$local_rules"
# and restart the service
-if [ -x /usr/sbin/invoke-rc.d ]; then
- invoke-rc.d ossec-hids restart
-else
- /etc/init.d/ossec-hids restart
+if [ -x /etc/init.d/ossec-hids ]; then
+ if [ -x /usr/sbin/invoke-rc.d ]; then
+ invoke-rc.d ossec-hids restart || true
+ else
+ /etc/init.d/ossec-hids restart || true
+ fi
fi
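Review bot: The `|| true` added on lines 84 and 86 makes a failed restart of ossec-hids invisible to the package manager and to the administrator, so an upgrade can complete with the HIDS left stopped and nothing in the postinst output saying so. Keeping the postinst from aborting is reasonable, but the failure should at least be reported: `invoke-rc.d ossec-hids restart || echo "ossec-hids: restart failed" >&2` and the same for the `/etc/init.d/ossec-hids restart` branch. The added `-x /etc/init.d/ossec-hids` guard is fine for the no-initscript case; the exit status of the restart is the part still worth surfacing.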
# dh_installdeb will replace this with shell code automatically