The reason to keep track of first login is to get an alert when an account that is not used for logging in suddenly does. Imagine a situation where someone installed Nagios or any other service that requires a full login account in order to execute checks. Sure, you use Nagios for monitoring. So if you see that someone logged in with that account, you know you have been own3d. OSSEC's way to discover these events without knowing your accounts is using FTS.
On 9/8/06, Forrest Aldrich <[EMAIL PROTECTED]> wrote:
I'm getting a few of these:
OSSEC HIDS Notification.
2006 Sep 08 10:35:25
Received From: (firewall) 192.168.1.1->/var/log/auth.log
Rule: 10100 fired (level 4) -> "First time user logged in."
Portion of the log(s):
sshd[97130]: Accepted keyboard-interactive/pam for forrie from xx.xx.xx.xx port 34328 ssh2
And it's definitely NOT the first time I've logged in.
Is this a bug? How does it track when someone logs in for the first time... etc?
_F
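To make the FTS ("first time seen") idea concrete, here is an added example of the detection logic run over a few sshd log lines. It is my code, not OSSEC's, and it does not reproduce OSSEC's own key (which is built from decoder fields); it simply keys on the user name. The log lines are constructed, the addresses are documentation ranges, and the names `FirstTimeSeen`, `parse_accepted` and `first_time_alerts` are mine. The `seen` argument stands in for the persisted state an HIDS keeps between runs: with an empty state every account looks new, which is exactly what a reset or lost state file would produce.

```python
import re
from typing import Iterable, Optional

# Constructed sample of /var/log/auth.log lines (not from the original post).
# "forrie" logs in twice and "nagios", a service account, logs in interactively.
SAMPLE_LOG = """\
Sep  8 10:35:25 firewall sshd[97130]: Accepted keyboard-interactive/pam for forrie from 203.0.113.10 port 34328 ssh2
Sep  8 10:41:02 firewall sshd[97201]: Accepted publickey for forrie from 203.0.113.10 port 34400 ssh2
Sep  8 11:02:17 firewall sshd[97355]: Failed password for root from 198.51.100.7 port 51000 ssh2
Sep  8 11:15:44 firewall sshd[97402]: Accepted password for nagios from 198.51.100.7 port 51023 ssh2
Sep  8 11:16:01 firewall sshd[97410]: Accepted password for nagios from 198.51.100.7 port 51024 ssh2
"""

# Matches successful sshd logins regardless of auth method
# (password, publickey, keyboard-interactive/pam, ...).
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)


def parse_accepted(line: str) -> Optional[dict]:
    """Return the decoded fields of an 'Accepted ...' sshd line, or None."""
    m = ACCEPTED_RE.search(line)
    if not m:
        return None
    return m.groupdict()


class FirstTimeSeen:
    """Minimal first-time-seen tracker (my simplification of the FTS idea).

    `seen` is the set of user names already observed; in a real HIDS this
    set is persisted to disk so it survives restarts.
    """

    def __init__(self, seen: Optional[Iterable[str]] = None) -> None:
        self.seen = set(seen or ())

    def process(self, line: str) -> Optional[dict]:
        fields = parse_accepted(line)
        if fields is None:
            return None  # not a successful login, nothing to track
        user = fields["user"]
        if user in self.seen:
            return None  # known account: no alert (this is the normal case)
        self.seen.add(user)
        return {
            "rule": 10100,
            "level": 4,
            "description": "First time user logged in.",
            "user": user,
            "src": fields["src"],
            "method": fields["method"],
            "log": line,
        }


def first_time_alerts(lines: Iterable[str], seen: Optional[Iterable[str]] = None) -> list:
    """Run the tracker over log lines and return the alerts it raises."""
    fts = FirstTimeSeen(seen)
    return [alert for alert in map(fts.process, lines) if alert is not None]


if __name__ == "__main__":
    # Fresh state: forrie and nagios each alert once, the second logins do not.
    for a in first_time_alerts(SAMPLE_LOG.splitlines()):
        print(f"Rule {a['rule']} fired (level {a['level']}) -> "
              f"\"{a['description']}\" user={a['user']} from {a['src']}")
    # State that already knows forrie: only the nagios login is new.
    for a in first_time_alerts(SAMPLE_LOG.splitlines(), seen={"forrie"}):
        print(f"with prior state: {a['user']} from {a['src']}")
```

The second run is the interesting one for the Nagios scenario above: the account the monitoring service was given is not expected to show up in a successful interactive login at all, so its first appearance is worth an alert even though it is a legitimate account. The first run also shows the flip side: if the tracker's state is empty, an account that has logged in for years still looks like a first login, so a "first time" alert for a well-known user is a reason to check whether the stored state was reset rather than a sign the rule is broken.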
