Removing a Debian package sends notifications that the package was installed first #2141
Description
Using the default syslog_rules.xml, if you uninstall a Debian package, you'll get a notification that it was installed right before you get one indicating it was uninstalled. E.g. on an Ubuntu Focal (20.04) system, running apt remove ufw -y triggers:
Rule: 2902 fired (level 7) -> "New dpkg (Debian Package) installed."
Portion of the log(s):
[timestamp] status installed ufw:all 0.36-6ubuntu1.1
--END OF NOTIFICATION
Rule: 2903 fired (level 7) -> "Dpkg (Debian Package) removed."
Portion of the log(s):
[timestamp] remove ufw:all 0.36-6ubuntu1.1
--END OF NOTIFICATION
Rule: 2903 fired (level 7) -> "Dpkg (Debian Package) removed."
Portion of the log(s):
[timestamp] purge ufw:all 0.36-6ubuntu1.1
Here are the relevant dpkg logs from the operation:
2024-12-18 17:49:01 startup packages remove
2024-12-18 17:49:01 status installed ufw:all 0.36-6ubuntu1.1
2024-12-18 17:49:01 remove ufw:all 0.36-6ubuntu1.1 <none>
2024-12-18 17:49:01 status half-configured ufw:all 0.36-6ubuntu1.1
2024-12-18 17:49:01 status half-installed ufw:all 0.36-6ubuntu1.1
2024-12-18 17:49:01 status config-files ufw:all 0.36-6ubuntu1.1
2024-12-18 17:49:01 startup packages configure
2024-12-18 17:49:01 startup packages purge
2024-12-18 17:49:01 purge ufw:all 0.36-6ubuntu1.1 <none>
2024-12-18 17:49:01 status config-files ufw:all 0.36-6ubuntu1.1
2024-12-18 17:49:01 status triggers-pending rsyslog:amd64 8.2001.0-1ubuntu1.3
2024-12-18 17:49:02 status not-installed ufw:all <none>
2024-12-18 17:49:02 startup packages configure
2024-12-18 17:49:02 trigproc rsyslog:amd64 8.2001.0-1ubuntu1.3 <none>
2024-12-18 17:49:02 status half-configured rsyslog:amd64 8.2001.0-1ubuntu1.3
2024-12-18 17:49:02 status installed rsyslog:amd64 8.2001.0-1ubuntu1.3
So the second line ("installed ufw:all") matches
ossec-hids/etc/rules/syslog_rules.xml
Lines 606 to 611 in 39a9313