The problem is that RHE 5 only registers a single su/pam event upon execution of a su command and that event is being decoded by the PAM decoder.
Our environment includes RHE, SuSE and Mac hosts. When I was testing ssh in that environment, the result was either just an ssh event or both an ssh event and a pam event, depending upon the OS. Thus, OSSEC always generated at least an ssh alert. However, with su in the RHE 5 environment, there isn't an su event and a pam event, but a combined event which is being decoded by the PAM decoder. Our other hosts, SuSE and Mac, generate an su event which is decoded by the SU decoder. We override rules 5301, 5303 and 5304 in local_rules.xml to email the su alert. We don't want to email the 5501 and 5503 (PAM) rules because we'll get not only alerts triggered by su but alerts triggered by other processes such as ssh. Finally, it would be preferable, for the sake of consistency, for all su attempts to generate su alerts. Right now, an su attempt in the RHE environment generates a pam alert.

So, could I add another su decoder in decoder.xml like this:

<decoder name="su">
  <program_name>^su$</program_name>
</decoder>

<decoder name="su">
  <program_name>^su$</program_name>
  <prematch>^\(pam_unix\)</prematch>
</decoder>

where the first decoder is the one that comes with OSSEC and the second one is mine? However, would it ever be triggered, given that the decoder

<decoder name="pam">
  <program_name></program_name>
  <prematch>^pam_unix|^\(pam_unix\)</prematch>
</decoder>

which comes with OSSEC precedes my proposed new su decoder? When OSSEC receives a new event, does it decode it in the order of decoders in the decoder.xml file? If that's the case, could I move my new decoder ahead of the PAM decoders in the decoder.xml file?

Trevor

On Jun 11, 5:37 am, ddp <[email protected]> wrote:
> What are you trying to do with your local_rules exactly?
> dan
>
> On Wed, Jun 10, 2009 at 8:04 PM, tm<[email protected]> wrote:
> > Hello,
> >
> > We are currently running an OSSEC pilot. We are receiving events from
> > a Red Hat Enterprise 5.x host on our OSSEC server like this:
> >
> > 2009 Jun 10 12:29:34 (host.b.c.d) w.x.y.z->/var/log/secure Jun 10 12:29:32 host su: pam_unix(su-l:session): session opened for user testuser by testuser(uid=45634)
> >
> > However, because of the way the decoders are written in decoders.xml,
> > this is decoded as a PAM event rather than an SU event:
> >
> > <decoder name="pam">
> >   <program_name>(pam_unix)$</program_name>
> > </decoder>
> >
> > <decoder name="pam">
> >   <program_name></program_name>
> >   <prematch>^pam_unix|^\(pam_unix\)</prematch>
> > </decoder>
> >
> > So, pam_rules.xml fires off an alert rather than syslog_rules.xml:
> >
> > <group name="pam,syslog,">
> >   <rule id="5500" level="0" noalert="1">
> >     <decoded_as>pam</decoded_as>
> >     <description>Grouping of the pam_unix rules.</description>
> >   </rule>
> >
> >   <rule id="5501" level="3">
> >     <if_sid>5500</if_sid>
> >     <match>session opened for user </match>
> >     <description>Login session opened.</description>
> >     <group>authentication_success,</group>
> >   </rule>
> >
> > Resulting in this alert:
> >
> > ** Alert 1244662174.3005033: - pam,syslog,authentication_success,
> > 2009 Jun 10 12:29:34 (host.b.c.d) w.x.y.z->/var/log/secure
> > Rule: 5501 (level 3) -> 'Login session opened.'
> > Src IP: (none)
> > User: (none)
> > Jun 10 12:29:32 host su: pam_unix(su-l:session): session opened for user testuser by testuser(uid=45634)
> >
> > I'd prefer to overwrite rules 5301-5305 in local_rules.xml to handle
> > the regular expression but they depend on 5300 which depends on the
> > event being decoded by su rather than pam.
> >
> > Any suggestions as to handle this situation?
> >
> > Thanks,
> > Trevor McLeod
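To check the decoders quoted in this thread against the RHEL 5 line before editing decoder.xml, here is an added Python model; it is not OSSEC code and not part of the thread. It assumes decoders are tried in list order with the first decoder whose set fields all match winning (a simplification of OSSEC's engine, labelled as such in the code), and it translates the os_match/os_regex patterns from the thread into Python regex syntax.

```python
import re

# Constructed sample input: the RHEL 5 line quoted in the thread, with the
# OSSEC server prefix ("2009 Jun 10 ... ->/var/log/secure") already removed.
SAMPLE_LOG = ("Jun 10 12:29:32 host su: pam_unix(su-l:session): "
              "session opened for user testuser by testuser(uid=45634)")

# Syslog header: timestamp, host, program[pid]: body
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[]+?)(?:\[(?P<pid>\d+)\])?: (?P<body>.*)$")

def split_syslog(line):
    """Return (program_name, body) the way a decoder would see them."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line)
    return m.group("prog"), m.group("body")

# Decoders from the thread as (name, program_name, prematch). The OSSEC
# os_match/os_regex patterns are rewritten in Python regex syntax: a literal
# "(" in a program_name becomes "\(" here. None means the field is not set.
DECODERS = [
    ("pam", r"\(pam_unix\)$", None),
    ("pam", None, r"^pam_unix|^\(pam_unix\)"),
    ("su", r"^su$", None),
    ("su", r"^su$", r"^\(pam_unix\)"),   # the proposed second su decoder
]

def first_matching_decoder(line, decoders):
    """Simplified model (an assumption, not OSSEC's real engine): try the
    decoders in list order and return the first whose set fields all match."""
    prog, body = split_syslog(line)
    for name, prog_pat, prematch in decoders:
        if prog_pat is not None and not re.search(prog_pat, prog):
            continue
        if prematch is not None and not re.search(prematch, body):
            continue
        return name
    return None

def prematch_matches(line, prematch):
    """Test one prematch pattern against the log body before deploying it."""
    _, body = split_syslog(line)
    return re.search(prematch, body) is not None

if __name__ == "__main__":
    print(first_matching_decoder(SAMPLE_LOG, DECODERS))             # pam
    print(first_matching_decoder(SAMPLE_LOG, DECODERS[2:] + DECODERS[:2]))  # su
    print(prematch_matches(SAMPLE_LOG, r"^\(pam_unix\)"))   # False: body starts "pam_unix("
    print(prematch_matches(SAMPLE_LOG, r"^pam_unix\(su"))   # True
```

Under this model the RHEL 5 body begins with "pam_unix(" rather than "(pam_unix)", so a prematch of `^\(pam_unix\)` never fires on it even when the decoder is moved ahead of the pam decoders; only the prematch-less `^su$` decoder, or a prematch written for the newer format, claims the line.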
