<div dir="ltr">Yedidyah - yes, update would be best of course. I've had this HIDS running for a little over a year or so and never saw this before so was a little weary<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Sep 17, 2017 at 3:00 AM, Yedidyah Bar David <span dir="ltr"><<a href="mailto:didi@redhat.com" target="_blank">didi@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Fri, Sep 15, 2017 at 5:12 PM, Charles Kozler <<a href="mailto:ckozleriii@gmail.com">ckozleriii@gmail.com</a>> wrote:<br>
> Hello -<br>
><br>
> Can anyone just briefly tell me if this is expected behavior or not?<br>
><br>
> I know you can tell the engine to update hosts, but nobody was using the<br>
> engine and I see the engine logging in and the yum command being run so I am<br>
> curious if this is expected or not?<br>
<br>
</span>It is, unless you have otopi-1.6.2 or later:<br>
<br>
<a href="https://bugzilla.redhat.com/show_bug.cgi?id=1405838" rel="noreferrer" target="_blank">https://bugzilla.redhat.com/<wbr>show_bug.cgi?id=1405838</a><br>
<span class=""><br>
><br>
> On Thu, Sep 14, 2017 at 10:54 AM, Charles Kozler <<a href="mailto:ckozleriii@gmail.com">ckozleriii@gmail.com</a>><br>
> wrote:<br>
>><br>
>> I received an alert from OSSEC HIDS that a package was installed at 00:59.<br>
>> Nobody uses this infrastructure but me<br>
>><br>
>> Upon investigation I find this<br>
>><br>
>> Sep 14 00:59:18 ovirthost1 sshd[93263]: Accepted publickey for root from<br>
>> 10.0.16.50 port 50197 ssh2: RSA<br>
>> 1c:fc:0d:b8:40:2c:bf:87:f7:8f:<wbr>b2:52:0b:c4:f6:4d<br>
>> Sep 14 00:59:18 ovirthost1 sshd[93263]: pam_unix(sshd:session): session<br>
>> opened for user root by (uid=0)<br>
>> Sep 14 00:59:46 ovirthost1 sshd[93263]: pam_unix(sshd:session): session<br>
>> closed for user root<br>
>><br>
>> 10.0.16.50 is my ovirt engine<br>
>><br>
>> And the yum log<br>
>><br>
>> Sep 14 00:59:28 Updated: iproute-3.10.0-87.el7.x86_64<br>
>><br>
>> However, what is baffling to me is that this is a cluster I setup about 9<br>
>> months ago and have not updated at all (its a testing env for VM systems)<br>
>><br>
>> Why would ovirt seemingly randomly update and install a package? I know<br>
>> the engine checks for updates on hosts but this is the first time in my time<br>
>> using ovirt that ovirt instructed a host to install a package. This occurred<br>
>> on all of my ovirt nodes in this infrastructure (3)<br>
<br>
</span>Probably the reason this didn't happen before is a mere coincidence -<br>
there are not many updates to 'iproute', or you did update it manually<br>
in other cases, or something like that.<br>
<br>
>><br>
>> ovirt Version 4.0.1.1-1.el7.centos<br>
<br>
Most likely you have otopi-1.5.2, which does not have above bug fixed.<br>
<br>
You might consider upgrading to oVirt 4.1.<br>
<br>
Best,<br>
<span class="HOEnZb"><font color="#888888">--<br>
Didi<br>
</font></span></blockquote></div><br></div>