Since I migrated a server environment from Debian 7 (Wheezy) to 9 (Strech) I was constantly receiving the following kinds of alert e-mails from OSSEC:
OSSEC HIDS Notification.
2018 Jul 29 09:42:18
Received From: (container3) 10.10.1.103->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
Jul 29 09:42:17 container3 systemd: apt-daily.service: Failed to reset devices.list: Operation not permitted
--END OF NOTIFICATION
The following systemd timers caused these log entries:
Maybe there are even more, depending what is installed.
These logs were found in all LXC containers of the new environment and were caused by this:
"Unprivileged containers cannot modify the devices cgroup configuration."
(found on https://github.com/lxc/lxd/issues/2004)
Yes, that makes sense and is actually expected behaviour. Although SystemD should be able to detect "i am running inside an unprivileged container; I cannot modify my own cgroup settings" and therefore should probably log something different, for now there is no "fix" for this problem.
Anyway, I wanted OSSEC to ignore such log entries. On the OSSEC server I adapted /var/ossec/rules/local_rules and added the following rule:
<!-- Added rule by Claudio: Ignore systemd warnings "Failed to reset devices.list" -->
<rule id="100101" level="0">
<match>Failed to reset devices.list</match>
<description>Ignore systemd warnings "Failed to reset devices.list" inside containers.</description>
The rule id is a unique ID of your own rule. To make sure you're not using an already used number, you have to use an ID between 100000 and 109999. This range is reserved for "user defined rules".
The if_sid field checks which rule actually created the alert. In the mail alert above you can see which rule was fired: 1002. That's the general rule to grep through syslogs and search for certain regular expressions.
Then in the match field you enter your regular expression. In this case I simply entered a full sentence "Failed to reset devices.list".
And finally in the description field you enter the description of that rule.
After an OSSEC server restart, the alerts were gone.