HIDS 2933

From Atomicorp Wiki

Rule ID

2933

Status

Active rule currently published.

Description

This rule detects when the operating system has reported that its software management tool, yum, has updated a package. This may be an authorized change or an unauthorized one, and these changes should be investigated further.

Guidance

By default ASL and aum will automatically update themselves, and certain parts of the system. They will update:

aum

  • aum
  • mod_security
  • supporting libraries used by mod_security

ASL

  • asl
  • aum
  • asl-php
  • mod_security
  • supporting libraries used by mod_security
  • kernel
  • clamav
  • ossec
  • proftp (Plesk systems only)
  • rkhunter


If other software was changed, and you did not update or upgrade that software yourself, this may be an indication that a malicious user has changed it on your system. You should always investigate file changes to verify that they were only conducted by authorized parties.
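One way to carry out the triage the Guidance section describes is to compare each package yum reports as updated against the list of packages ASL is expected to update on its own, and set aside everything else for investigation. The script below is an added example, not code from Atomicorp, ASL or the OSSEC rule itself. It assumes yum.log-style lines of the form `Mon DD HH:MM:SS Updated: name-version-release.arch` (the sample lines are constructed); the allow list is taken from the ASL list above, minus the "supporting libraries used by mod_security", which the page does not enumerate.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Packages ASL updates automatically, per the rule's Guidance section.
# The "supporting libraries used by mod_security" are not named on the page,
# so they are deliberately absent; extend this set with the library names
# your own ASL install manages (assumption: that set is site-specific).
ASL_AUTO_UPDATED = frozenset({
    "asl", "aum", "asl-php", "mod_security", "kernel",
    "clamav", "ossec", "proftp", "rkhunter",
})

# Assumed yum.log line layout:
#   "<Mon> <DD> <HH:MM:SS> <Installed|Updated|Erased>: <name>-<version>-<release>.<arch>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<action>Installed|Updated|Erased):\s+(?P<pkg>\S+)\s*$"
)


class UpdateEvent(NamedTuple):
    timestamp: str
    action: str
    package: str    # package name with version/release/arch stripped
    nevra: str      # full package string as logged
    expected: bool  # True when ASL is known to update this package itself


def package_name(nevra: str) -> str:
    """Strip '-<version>-<release>.<arch>' from a yum package string.

    Package names may themselves contain hyphens (e.g. asl-php), so only
    the last two hyphen-separated fields are removed.
    """
    parts = nevra.rsplit("-", 2)
    return parts[0] if len(parts) == 3 else nevra


def parse_line(line: str) -> Optional[UpdateEvent]:
    """Parse one yum.log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    name = package_name(m["pkg"])
    return UpdateEvent(m["ts"], m["action"], name, m["pkg"],
                       name in ASL_AUTO_UPDATED)


def triage(lines: List[str]) -> Tuple[List[UpdateEvent], List[UpdateEvent]]:
    """Split 'Updated:' events into (expected, to_investigate).

    Installed/Erased lines are ignored here because rule 2933 concerns
    updates; a separate rule would cover installs and removals.
    """
    expected: List[UpdateEvent] = []
    investigate: List[UpdateEvent] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.action != "Updated":
            continue
        (expected if ev.expected else investigate).append(ev)
    return expected, investigate


# Constructed sample log lines (not real Atomicorp package versions).
SAMPLE_LOG = """\
Mar 03 02:15:41 Updated: mod_security-2.9.3-1.el7.x86_64
Mar 03 02:15:42 Updated: asl-php-5.6.40-1.el7.x86_64
Mar 03 02:16:07 Updated: kernel-3.10.0-1160.el7.x86_64
Mar 03 03:44:19 Installed: htop-2.2.0-3.el7.x86_64
Mar 03 03:44:20 Updated: openssh-server-7.4p1-21.el7.x86_64
""".splitlines()


if __name__ == "__main__":
    ok, suspicious = triage(SAMPLE_LOG)
    for ev in ok:
        print(f"expected    {ev.timestamp}  {ev.nevra}")
    for ev in suspicious:
        print(f"INVESTIGATE {ev.timestamp}  {ev.nevra}")
```

In the sample, the mod_security, asl-php and kernel updates fall within what ASL manages, while the openssh-server update does not and is reported for follow-up. On a live system the same function can be fed `/var/log/yum.log` directly, or the alert text of rule 2933 once the package string has been extracted from it.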

False Positives

There is no known false positive for this rule. This rule detects when the operating system has reported that its software management tool, yum, has updated a package; therefore, it is not recommended that you disable this rule.


Similar Rules

None.

Knowledge Base Articles

None.

Outside References
