I just tried your decoder with the rule in your original email, and no matter where I put it, the pam event fires.
If you put the following above the pam rules you get the desired result:

<decoder name="su">
  <program_name>^su$</program_name>
</decoder>

The ossec-logtest application can help you debug issues like this in the future. It's what I used to play around with this one.

dan

On Thu, Jun 11, 2009 at 4:04 PM, tm <[email protected]> wrote:
>
> The problem is that RHE 5 only registers a single su/pam event upon
> execution of a su command and that event is being decoded by the PAM
> decoder.
>
> Our environment includes RHE, SuSE and Mac hosts. When I was testing
> ssh in that environment, the result was either just an ssh event or
> both an ssh event and a pam event, depending upon the OS. Thus, OSSEC
> always generated at least an ssh alert.
>
> However, with su in the RHE 5 environment, there isn't an su event and
> a pam event, but a combined event which is being decoded by the PAM
> decoder. Our other hosts, SuSE and Mac, generate an su event which is
> decoded by the SU decoder. We override rules 5301, 5303 and 5304 in
> local_rules.xml to email the su alert. We don't want to email 5501
> and 5503 (PAM) rules because we'll get not only alerts triggered by su
> but alerts triggered by other processes such as ssh.
>
> Finally, it would be preferable, for the sake of consistency, for all
> su attempts to generate su alerts. Right now, an su attempt in the
> RHE environment generates a pam alert.
>
> So, could I add another su decoder in decoder.xml like this:
>
> <decoder name="su">
> <program_name>^su$</program_name>
> </decoder>
>
> <decoder name="su">
> <program_name>^su$</program_name>
> <prematch>^\(pam_unix\)</prematch>
> </decoder>
>
> where the first decoder is the one that comes with OSSEC and the
> second one is mine?
>
> However, would it ever be triggered given that the decoder:
>
> <decoder name="pam">
> <program_name></program_name>
> <prematch>^pam_unix|^\(pam_unix\)</prematch>
> </decoder>
>
> which comes with OSSEC precedes my proposed new su decoder?
>
> When OSSEC receives a new event, does it decode it in the order of
> decoders in the decoder.xml file? If that's the case could I move my
> new decoder ahead of the PAM decoders in the decoder.xml file?
>
> Trevor
>
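To see the ordering effect Dan describes, here is a small Python model of OSSEC's first-match decoder selection, added to this thread and not code from OSSEC or from either poster. It approximates OSSEC's own regex dialect with Python `re`, treats the empty `<program_name>` of the stock pam decoder as "no restriction", and runs over constructed syslog lines rather than real captures.

```python
import re

# Model of how decoder.xml is consulted: decoders are tried in file order and the
# first one whose program_name and prematch both match claims the event.
# OSSEC's regex syntax is approximated with Python re (an assumption of this model).

# Constructed sample events: a RHEL 5 style su line that carries the pam output,
# an sshd pam line that should keep going to the pam decoder, and a SuSE style su line.
SAMPLE_EVENTS = [
    "Jun 11 16:04:01 rhel5 su: (pam_unix) session opened for user root by trevor(uid=500)",
    "Jun 11 16:04:05 rhel5 sshd[2211]: (pam_unix) authentication failure; logname= uid=0 tty=ssh rhost=10.0.0.5",
    "Jun 11 16:04:09 suse su: 'su root' succeeded for trevor on /dev/pts/1",
]

# Split a syslog line into the program name (what <program_name> is matched against)
# and the message body (what <prematch> is matched against).
SYSLOG = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")

def decode(event, decoders):
    """Return the name of the first decoder that matches the event, or None."""
    m = SYSLOG.match(event)
    if not m:
        return None
    prog, msg = m.group("prog"), m.group("msg")
    for name, program_name, prematch in decoders:
        if program_name and not re.search(program_name, prog):
            continue          # program_name set and it does not match: next decoder
        if prematch and not re.search(prematch, msg):
            continue          # prematch set and it does not match: next decoder
        return name
    return None

# The two decoders from the thread. The pam decoder has no program_name restriction
# (read here as "any program"); the su decoder requires the program to be exactly su.
PAM = ("pam", None, r"^pam_unix|^\(pam_unix\)")
SU = ("su", r"^su$", None)

def decode_all(decoders):
    """Decoder name chosen for each sample event under the given decoder order."""
    return [decode(e, decoders) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    # Stock order: pam first, so the RHEL 5 su line is claimed by pam.
    print("pam before su:", decode_all([PAM, SU]))   # ['pam', 'pam', 'su']
    # Dan's order: su above pam, so the su line becomes an su event and sshd stays pam.
    print("su before pam:", decode_all([SU, PAM]))   # ['su', 'pam', 'su']
```

The real check is still ossec-logtest against your own decoder.xml, since this model only covers program_name and prematch, not OSSEC's full decoder semantics.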
