HIDS 2933
Rule ID
2933
Status
Active rule currently published.
Description
This rule is detects when the operating system has reported that the operating systems software management tool, yum, has updated a piece of software. This may be an authorized change, or an unauthorized change and these changes should be investigated further.
Guidance
By default ASL and aum will automatically update themselves, and certain parts of the system. They will update:
aum
- aum
- mod_security
- supporting libraries used by mod_security
ASL
- asl
- aum
- asl-php
- mod_security
- supporting libraries used by mod_security
- kernel
- clamav
- ossec
- proftp (Plesk systems only)
- rkhunter
If other software was changed, and you did not update or upgrade this software, then this may be an indication that a malicious use has changed these on your system. You should always investigate file changes to verify that they were only conducted by authorized parties.
False Positives
There is no known false positive for this rule. This rule is detects when the operating system has reported that the operating systems software management tool, yum, has updated a piece of software, therefore, it is not recommended that you disable this rule.
Similar Rules
None.
Knowledge Base Articles
None.
Outside References
