Hello,
These single, sample su events from a RHE5 host were being decoded by
a PAM decoder rather than a SU decoder.
Jun 10 10:50:09 somehost su: pam_unix(su-l:session): session opened for user xyz by xyz (uid=45634)
Jun 10 13:06:03 somehost su: pam_unix(su:session): session opened for user root by tabmcleo(uid=45634)
Jun 10 12:32:32 somehost su: pam_unix(su-l:auth): authentication failure; logname=xyz uid=45634 euid=0 tty=pts/0 ruser=xyz rhost= user=xyz
Jun 10 13:02:33 naramata su: pam_unix(su:auth): authentication failure; logname=xyz uid=45634 euid=0 tty=pts/1 ruser=xyz rhost= user=root
This happens because of this PAM decoder in the default OSSEC
decoder.xml file:
<decoder name="pam">
<program_name></program_name>
<prematch>^pam_unix|^\(pam_unix\)</prematch>
</decoder>
which matches any program name (including su) followed by "pam_unix"
or "(pam_unix)" at the start of the log.
This strategy might work if each of the events shown above had related
events which were decoded as su events. However, each event occurs by
itself with no other related events. Since the PAM decoder precedes
the SU decoder in the decoder.xml file, an SU event results in a PAM
alert and not an SU alert.
The solution is to insert another decoder ahead of the one above which
looks for a program_name of "su" and prematches "pam_unix" at the
start of the log. Then additional decoders (su-detail-a and su-detail-b)
are included in the su section of this file to decode additional
information.
No changes to any su rules in syslog_rules.xml were required. The
existing rules create the necessary alerts.
Here are the changes to the PAM section of decoder.xml:
<decoder name="pam">
<program_name>(pam_unix)$</program_name>
</decoder>
<!-- customization SU 1 -->
<decoder name="su">
<program_name>su</program_name>
<prematch>^pam_unix</prematch>
</decoder>
<!-- end: customization SU 1 -->
<decoder name="pam">
<program_name></program_name>
<prematch>^pam_unix|^\(pam_unix\)</prematch>
</decoder>
Here are the changes to the SU section of decoder.xml:
<decoder name="su">
<program_name>^su$</program_name>
</decoder>
<decoder name="su-detail">
<parent>su</parent>
<prematch>^'su </prematch>
<regex>^'su (\S+)' \S+ for (\S+) on \S+$</regex>
<order>dstuser, srcuser</order>
<fts>name, srcuser, location</fts>
</decoder>
<!-- customization SU 1 -->
<!-- For RHE 5.x -->
<decoder name="su-detail-a">
<parent>su</parent>
<prematch>^pam_unix\(su\S+session\)</prematch>
<regex offset="after_prematch">for\s+user\s+(\S+)\s+by\s+(\S+)\(</regex>
<order>dstuser, srcuser</order>
<fts>name, srcuser, location</fts>
</decoder>
<decoder name="su-detail-b">
<parent>su</parent>
<prematch>^pam_unix\(su\S+auth\)</prematch>
<regex offset="after_prematch">ruser=(\S+)\s+rhost=\s+user=(\S+)</regex>
<order>srcuser, dstuser</order>
<fts>name, srcuser, location</fts>
</decoder>
<!-- end: customization SU 1 -->
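To see the ordering effect end to end, here is a small Python emulation of the decoder walk. This is an added example, not OSSEC code and not part of the original post. It approximates OSSEC's OSRegex with Python's re module, and OSMatch (used for <program_name>) as literal text where ^ and $ are the only anchors and an unanchored pattern is a substring match; parent-to-child linkage is by name, so the su-detail-* children hang off both decoders named "su" (all of this is the emulation's assumption, not a statement about the OSSEC source). The log lines are constructed after the ones quoted above, written in the form pam_unix actually emits, "by user(uid=N)", which the su-detail-a regex expects; an sshd line and a sudo line are added to show what the inserted decoder does and does not capture.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Syslog header as OSSEC splits it: "Mon DD HH:MM:SS host program[pid]: message".
SYSLOG = re.compile(
    r"^\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+(\S+)\s+([^\s:\[]+)(?:\[\d+\])?:\s*(.*)$"
)


@dataclass
class Decoder:
    """One <decoder> element. program_name=None means the tag is absent,
    "" means an empty <program_name></program_name> (any program name)."""
    name: str
    program_name: Optional[str] = None
    prematch: Optional[str] = None
    parent: Optional[str] = None
    regex: Optional[str] = None
    after_prematch: bool = False   # <regex offset="after_prematch">
    order: tuple = ()              # <order> names, one per capture group


def osmatch(pattern: str, text: str) -> bool:
    """Emulate OSMatch as used for <program_name> (assumption): literal text,
    ^ and $ as the only anchors, unanchored pattern = substring match."""
    literal = pattern.lstrip("^").rstrip("$")
    if pattern.startswith("^") and pattern.endswith("$"):
        return text == literal
    if pattern.startswith("^"):
        return text.startswith(literal)
    if pattern.endswith("$"):
        return text.endswith(literal)
    return literal in text


def decode(line: str, decoders: list) -> dict:
    """Walk parent decoders in file order; the first one whose program_name and
    prematch both hold wins, then its children are tried in file order."""
    m = SYSLOG.match(line)
    if not m:
        return {"decoder": None}
    host, prog, msg = m.groups()
    for d in decoders:
        if d.parent:
            continue
        if d.program_name is not None and not (prog and osmatch(d.program_name, prog)):
            continue
        if d.prematch and not re.search(d.prematch, msg):
            continue
        result = {"decoder": d.name, "child": None, "program_name": prog, "hostname": host}
        for c in decoders:
            if c.parent != d.name:
                continue
            pm = re.search(c.prematch, msg) if c.prematch else None
            if c.prematch and pm is None:
                continue
            # offset="after_prematch": the regex runs on the text after the prematch.
            target = msg[pm.end():] if (c.after_prematch and pm) else msg
            rm = re.search(c.regex, target) if c.regex else None
            if c.regex and rm is None:
                continue
            result["child"] = c.name
            result.update(zip(c.order, rm.groups() if rm else ()))
            break
        return result
    return {"decoder": None}


# Decoders transcribed from the post (regexes unchanged).
PAM_ANY = Decoder("pam", program_name="", prematch=r"^pam_unix|^\(pam_unix\)")
SU_CHILDREN = [
    Decoder("su-detail", parent="su", prematch=r"^'su ",
            regex=r"^'su (\S+)' \S+ for (\S+) on \S+$", order=("dstuser", "srcuser")),
    Decoder("su-detail-a", parent="su", prematch=r"^pam_unix\(su\S+session\)", after_prematch=True,
            regex=r"for\s+user\s+(\S+)\s+by\s+(\S+)\(", order=("dstuser", "srcuser")),
    Decoder("su-detail-b", parent="su", prematch=r"^pam_unix\(su\S+auth\)", after_prematch=True,
            regex=r"ruser=(\S+)\s+rhost=\s+user=(\S+)", order=("srcuser", "dstuser")),
]
# Stock ordering: both pam decoders precede the su decoder.
STOCK = [Decoder("pam", program_name="(pam_unix)$"), PAM_ANY,
         Decoder("su", program_name="^su$"), SU_CHILDREN[0]]
# Customization SU 1: program_name=su + ^pam_unix inserted ahead of the catch-all pam decoder.
CUSTOM = [Decoder("pam", program_name="(pam_unix)$"),
          Decoder("su", program_name="su", prematch=r"^pam_unix"),
          PAM_ANY, Decoder("su", program_name="^su$"), *SU_CHILDREN]

# Constructed sample lines (hostnames and users are placeholders).
SAMPLE_LOGS = [
    "Jun 10 10:50:09 somehost su: pam_unix(su-l:session): session opened for user xyz by xyz(uid=45634)",
    "Jun 10 13:06:03 somehost su: pam_unix(su:session): session opened for user root by tabmcleo(uid=45634)",
    "Jun 10 12:32:32 somehost su: pam_unix(su-l:auth): authentication failure; logname=xyz uid=45634 euid=0 tty=pts/0 ruser=xyz rhost= user=xyz",
    "Jun 10 12:00:00 somehost sshd[1234]: pam_unix(sshd:session): session opened for user bob by (uid=0)",
    "Jun 10 12:01:00 somehost sudo: pam_unix(sudo:session): session opened for user root by alice(uid=1000)",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        before, after = decode(line, STOCK), decode(line, CUSTOM)
        print(f"{before['program_name']:>5}: stock={before['decoder']:<4} custom={after['decoder']}"
              f"/{after['child']} srcuser={after.get('srcuser')} dstuser={after.get('dstuser')}")
```

Running it prints, per line, the stock result (pam for every su line) next to the customized one (su, with srcuser and dstuser filled in by su-detail-a or su-detail-b), while the sshd line still goes to pam. Note that in this emulation the unanchored <program_name>su</program_name> also matches the program name "sudo", so sudo's own pam_unix session messages end up decoded as su; the stock su decoder anchors it as ^su$ for that reason. Confirm the behaviour on a real install with ossec-logtest before relying on the emulation.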