Running two of the logs through ossec-logtest shows a few differences:

May 7 09:50:46 Server su(pam_unix)[17639]: authentication failure; logname=username uid=500 euid=0 tty=pts/0 ruser=username rhost= user=root

**Phase 1: Completed pre-decoding.
       full event: 'May 7 09:50:46 Server su(pam_unix)[17639]: authentication failure; logname=username uid=500 euid=0 tty=pts/0 ruser=username rhost= user=root'
       hostname: 'Server'
       program_name: 'su(pam_unix)'
       log: 'authentication failure; logname=username uid=500 euid=0 tty=pts/0 ruser=username rhost= user=root'

**Phase 2: Completed decoding.
       decoder: 'pam'

**Phase 3: Completed filtering (rules).
       Rule id: '5503'
       Level: '5'
       Description: 'User login failed.'
**Alert to be generated.


May 7 09:53:29 server su: pam_unix(su-l:auth): authentication failure; logname=username uid=504 euid=0 tty=pts/0 ruser=username rhost= user=root

**Phase 1: Completed pre-decoding.
       full event: 'May 7 09:53:29 server su: pam_unix(su-l:auth): authentication failure; logname=username uid=504 euid=0 tty=pts/0 ruser=username rhost= user=root'
       hostname: 'server'
       program_name: 'su'
       log: 'pam_unix(su-l:auth): authentication failure; logname=username uid=504 euid=0 tty=pts/0 ruser=username rhost= user=root'

**Phase 2: Completed decoding.
       decoder: 'pam'

**Phase 3: Completed filtering (rules).
       Rule id: '100003'
       Level: '9'
       Description: 'SU session to root attempted.'
**Alert to be generated.

Look at the program_name field: 'su(pam_unix)' for the first and 'su' for the second. The first alert comes through as rule 5503 because the log line does not match <match>su</match>; the second log does, though. So that might be part of the problem. Does the server use the second log message (pam_unix(su-l:auth))? And the remote machines the first?

On Fri, May 7, 2010 at 11:16 AM, Nicholas Ritter <ritter6...@gmail.com> wrote:
> I did some digging, and gained more insight into what is going on. It
> appears that CentOS and RHEL trigger alarms differently because of how su is
> set up on the systems out of the box.
> But because of the way the rules match
> (I think), I have trouble changing the rule config without having to modify the
> rules that come with OSSEC (which would break upstream updates). I verified
> this by looking at the difference in the way SU logs on both systems, and
> the alarms that are generated. I then added some rules to local_rules.xml
> which fixed the local OSSEC server, but the local rules don't seem to be run
> against remote OSSEC agents. I may be doing something wrong with getting my
> custom rules to execute against the remote agents' events. My custom rules
> work against the OSSEC server (which is CentOS based), but are not
> running/working against the remote CentOS and remote RHEL systems. Am I not
> sticking the rules in the right place?
>
>
> Here is some background information that Dan requested, and that I should
> have put in to start with (my apologies).
>
>
> Log from RHEL 4 based system for failed SU activity:
>
> (/var/log/messages):
>
> May 7 09:50:46 Server su(pam_unix)[17639]: authentication failure; logname=username uid=500 euid=0 tty=pts/0 ruser=username rhost= user=root
>
>
> Associated OSSEC 2.4.1 alert:
>
> ** Alert 1273243848.10327129: - pam,syslog,authentication_failed,
> 2010 May 07 09:50:48 (Sumatra.americantv.com) 10.80.1.101->/var/log/messages
> Rule: 5503 (level 5) -> 'User login failed.'
> Src IP: (none)
> User: (none)
> May 7 09:50:46 Server su(pam_unix)[17639]: authentication failure; logname=username uid=500 euid=0 tty=pts/0 ruser=username rhost= user=root
>
>
> Log from RHEL 4 based system for successful SU activity:
>
> (/var/log/messages):
>
> May 7 09:44:36 Server su(pam_unix)[17144]: session opened for user root by username(uid=500)
> May 7 09:45:16 Server su(pam_unix)[17144]: session closed for user root
>
>
> Log from CentOS 5.4 based system for failed SU activity:
>
> (/var/log/secure):
>
> May 7 09:53:29 server su: pam_unix(su-l:auth): authentication failure; logname=username uid=504 euid=0 tty=pts/0 ruser=username rhost= user=root
>
>
> Associated OSSEC 2.4.1 alerts:
>
> ** Alert 1273244009.10329603: mail - pam,syslog,authentication_failure,
> 2010 May 07 09:53:29 server->/var/log/secure
> Rule: 100003 (level 9) -> 'SU session to root attempted.'
> Src IP: (none)
> User: (none)
> May 7 09:53:29 server su: pam_unix(su-l:auth): authentication failure; logname=username uid=504 euid=0 tty=pts/0 ruser=username rhost= user=root
>
>
> Log from CentOS 5.4 based system for successful SU activity:
>
> (/var/log/secure):
>
> May 7 09:53:36 server su: pam_unix(su-l:session): session opened for user root by username(uid=504)
> May 7 09:53:40 server su: pam_unix(su-l:session): session closed for user root
>
>
> Associated OSSEC 2.4.1 alerts:
>
> ** Alert 1273244017.10331731: mail - pam,syslog,authentication_success,
> 2010 May 07 09:53:37 server->/var/log/secure
> Rule: 100004 (level 9) -> 'SU session to root openned.'
> Src IP: (none)
> User: (none)
> May 7 09:53:36 server su: pam_unix(su-l:session): session opened for user root by username(uid=504)
>
> ** Alert 1273243999.10328437: mail - pam,syslog,authentication_success,
> 2010 May 07 09:53:40 server->/var/log/secure
> Rule: 100005 (level 9) -> 'SU session to root closed.'
> Src IP: (none)
> User: (none)
> May 7 09:53:40 server su: pam_unix(su-l:session): session closed for user root
>
>
> Rules I added to local_rules.xml:
>
> <group name="pam,syslog,">
>
>   <!-- Catch and treat su events logged by PAM on CentOS/RHEL -->
>   <rule id="100002" level="0" noalert="1">
>     <if_sid>5500</if_sid>
>     <match>su</match>
>   </rule>
>
>   <rule id="100003" level="9">
>     <if_sid>100002</if_sid>
>     <match>authentication fail</match>
>     <description>SU session to root attempted.</description>
>     <group>authentication_failure,</group>
>   </rule>
>
>   <rule id="100004" level="9">
>     <if_sid>100002</if_sid>
>     <match>session opened</match>
>     <description>SU session to root openned.</description>
>     <group>authentication_success,</group>
>   </rule>
>
>   <rule id="100005" level="9">
>     <if_sid>100002</if_sid>
>     <match>session closed</match>
>     <description>SU session to root closed.</description>
>     <group>authentication_success,</group>
>   </rule>
>
> </group>
>
>
> On Thu, May 6, 2010 at 4:48 PM, dan (ddp) <ddp...@gmail.com> wrote:
>>
>> Can you give us log samples?
>>
>> On Thu, May 6, 2010 at 3:38 PM, Nicholas Ritter <ritter6...@gmail.com> wrote:
>> > I correct my email: I meant rule 5503.
>> >
>> > On Thu, May 6, 2010 at 2:33 PM, Nicholas Ritter <ritter6...@gmail.com> wrote:
>> >>
>> >> Has anyone noticed issues with OSSEC 2.4.1 when alerting on SU related
>> >> events from Linux based hosts? Our Solaris boxes are fine, but I noticed
>> >> that when an SU session (say su to root) on a linux box occurs, an alert is
>> >> tripped (rule id 5303) but something doesn't seem right because 5303 is a
>> >> successful change UID to root rule, but this is a failure. I think the regex
>> >> might be to blame because the first regex for the rule is not in the log
>> >> entry, but the second regex appears to match.
>> >>
>> >> Anyone else seeing this?
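Added here as an illustration, not code from the thread or from OSSEC: a Python model of what ossec-logtest's Phase 1 does with the two failed-su lines (splitting off hostname, program_name and log) and of a `<match>` being tested against the log field alone, which is why 'su' inside program_name never helps rule 100002. The rule tree is a hand-written stand-in for 5500/5503 and the local rules quoted above, with sibling order chosen to reproduce the logtest output rather than OSSEC's real evaluation order.

```python
import re

# Constructed copies of the two failed-su lines quoted in the thread (RHEL 4 and CentOS 5.4).
RHEL4_LINE = ("May 7 09:50:46 Server su(pam_unix)[17639]: authentication failure; "
              "logname=username uid=500 euid=0 tty=pts/0 ruser=username rhost= user=root")
CENTOS54_LINE = ("May 7 09:53:29 server su: pam_unix(su-l:auth): authentication failure; "
                 "logname=username uid=504 euid=0 tty=pts/0 ruser=username rhost= user=root")

# Simplified syslog pre-decoder: "<Mon D HH:MM:SS> <hostname> <program_name>[pid]: <log>".
SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) (?P<prog>[^\s\[:]+)(?:\[\d+\])?: (?P<log>.*)$")

# Simplified stand-in for the rules involved: 5500/5503 from pam_rules.xml plus the local
# rules quoted above. A <match> is a plain substring test on the log field only.
RULES = {
    5500:   {"level": 0, "match": None, "desc": "PAM grouping", "children": [100002, 5503]},
    100002: {"level": 0, "match": "su", "desc": "su events via PAM", "children": [100003, 100004, 100005]},
    100003: {"level": 9, "match": "authentication fail", "desc": "SU session to root attempted.", "children": []},
    100004: {"level": 9, "match": "session opened", "desc": "SU session to root openned.", "children": []},
    100005: {"level": 9, "match": "session closed", "desc": "SU session to root closed.", "children": []},
    5503:   {"level": 5, "match": "authentication failure", "desc": "User login failed.", "children": []},
}

def predecode(line):
    """Split a syslog line into the fields ossec-logtest prints in Phase 1, or None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"hostname": m.group("host"), "program_name": m.group("prog"), "log": m.group("log")}

def evaluate(rule_id, log):
    """Walk the if_sid tree depth-first; children are tried in listed order (local chain first,
    which reproduces the logtest output above). Returns the deepest rule whose <match> hits."""
    for child in RULES[rule_id]["children"]:
        if RULES[child]["match"] in log:
            return evaluate(child, log)
    return rule_id

def classify(line):
    """Pre-decode, run the rule tree, and report where the literal 'su' actually ended up."""
    ev = predecode(line)
    if ev is None:
        return None
    rule = evaluate(5500, ev["log"])
    return {"program_name": ev["program_name"],
            "su_in_log": "su" in ev["log"],                    # what <match>su</match> tests
            "su_in_program_name": "su" in ev["program_name"],  # invisible to <match>
            "rule": rule, "level": RULES[rule]["level"], "description": RULES[rule]["desc"]}
```

Calling classify() on the RHEL 4 line returns rule 5503 with 'su' only in program_name; on the CentOS 5.4 line it returns 100003, matching the two logtest runs.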