I did some digging, and gained more insight into what is going on. It
appears that CentOS and RHEL trigger alarms differently because of how su is
set up on the systems out of the box. But because of the way the rules match
(I think), I have trouble changing the rule config without having to modify
the rules that come with OSSEC (which would break upstream updates). I verified
this by looking at the difference in the way su logs on both systems, and
the alarms that are generated. I then added some rules to local_rules.xml,
which fixed the local OSSEC server, but the local rules don't seem to be run
against remote OSSEC agents. I may be doing something wrong with getting my
custom rules to execute against the remote agents' events. My custom rules
work against the OSSEC server (which is CentOS based), but are not
running/working against the remote CentOS and remote RHEL systems. Am I not
sticking the rules in the right place?


Here is some background information that Dan requested, and that I should
have put in to start with (my apologies).


Log from RHEL 4 based system for failed SU activity:

(/var/log/messages):

May  7 09:50:46 Server su(pam_unix)[17639]: authentication failure;
logname=username uid=500 euid=0 tty=pts/0 ruser=username rhost=  user=root


Associated OSSEC 2.4.1 alert:

** Alert 1273243848.10327129: - pam,syslog,authentication_failed,
2010 May 07 09:50:48 (Sumatra.americantv.com) 10.80.1.101->/var/log/messages
Rule: 5503 (level 5) -> 'User login failed.'
Src IP: (none)
User: (none)
May  7 09:50:46 Server su(pam_unix)[17639]: authentication failure;
logname=username uid=500 euid=0 tty=pts/0 ruser=username rhost=  user=root



Log from RHEL 4 based system for successful SU activity:

(/var/log/messages):

May  7 09:44:36 Server su(pam_unix)[17144]: session opened for user root by
username(uid=500)
May  7 09:45:16 Server su(pam_unix)[17144]: session closed for user root
Log from CentOS 5.4 based system for failed SU activity:

(/var/log/secure):

May  7 09:53:29 server su: pam_unix(su-l:auth): authentication failure;
logname=username uid=504 euid=0 tty=pts/0 ruser=username rhost=  user=root


Associated OSSEC 2.4.1 alerts:

** Alert 1273244009.10329603: mail  - pam,syslog,authentication_failure,
2010 May 07 09:53:29 server->/var/log/secure
Rule: 100003 (level 9) -> 'SU session to root attempted.'
Src IP: (none)
User: (none)
May  7 09:53:29 server su: pam_unix(su-l:auth): authentication failure;
logname=username uid=504 euid=0 tty=pts/0 ruser=username rhost=  user=root


Log from CentOS 5.4 based system for successful SU activity:

(/var/log/secure):

May  7 09:53:36 server su: pam_unix(su-l:session): session opened for user
root by username(uid=504)
May  7 09:53:40 server su: pam_unix(su-l:session): session closed for user
root


Associated OSSEC 2.4.1 alerts:


** Alert 1273244017.10331731: mail  - pam,syslog,authentication_success,
2010 May 07 09:53:37 server->/var/log/secure
Rule: 100004 (level 9) -> 'SU session to root openned.'
Src IP: (none)
User: (none)
May  7 09:53:36 server su: pam_unix(su-l:session): session opened for user
root by username(uid=504)

** Alert 1273243999.10328437: mail  - pam,syslog,authentication_success,
2010 May 07 09:53:40 server->/var/log/secure
Rule: 100005 (level 9) -> 'SU session to root closed.'
Src IP: (none)
User: (none)
May  7 09:53:40 server su: pam_unix(su-l:session): session closed for user
root



Rules I added to local_rules.xml:

<group name="pam,syslog,">

<!-- Catch and treat su events logged by PAM on CentOS/RHEL -->
  <rule id="100002" level="0" noalert="1">
    <if_sid>5500</if_sid>
    <match>su</match>
  </rule>

  <rule id="100003" level="9">
    <if_sid>100002</if_sid>
    <match>authentication fail</match>
    <description>SU session to root attempted.</description>
    <group>authentication_failure,</group>
  </rule>

  <rule id="100004" level="9">
    <if_sid>100002</if_sid>
    <match>session opened</match>
    <description>SU session to root openned.</description>
    <group>authentication_success,</group>
  </rule>

  <rule id="100005" level="9">
    <if_sid>100002</if_sid>
    <match>session closed</match>
    <description>SU session to root closed.</description>
    <group>authentication_success,</group>
  </rule>

</group>
On Thu, May 6, 2010 at 4:48 PM, dan (ddp) <[email protected]> wrote:

> Can you give us log samples?
>
> On Thu, May 6, 2010 at 3:38 PM, Nicholas Ritter <[email protected]>
> wrote:
> > I correct my email, I meant rule 5503.
> >
> > On Thu, May 6, 2010 at 2:33 PM, Nicholas Ritter <[email protected]>
> > wrote:
> >>
> >> Has anyone noticed issues with OSSEC 2.4.1 when alerting on SU related
> >> events from Linux based hosts? Our Solaris boxes are fine, but I noticed
> >> that when an SU session (say su to root) on a Linux box occurs, an alert is
> >> tripped (rule id 5303) but something doesn't seem right because 5303 is a
> >> successful change UID to root rule, but this is a failure. I think the regex
> >> might be to blame because the first regex for the rule is not in the log
> >> entry, but the second regex appears to match.
> >>
> >> Anyone else seeing this?
> >>
> >
> >
>
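
An added example (not code from this thread or from OSSEC): a small classifier that mirrors the local rule chain posted above (100002 -> 100003/100004/100005) over the six su log lines from both systems, rejoined from the e-mail wrapping. It parses both layouts, extracts the target user that the rule descriptions assume but never check, and keys on the parsed program name rather than the bare "su" substring rule 100002 matches on; Python and the field names are this example's own choices.

```python
import re

# Added example, not code from the thread: mirrors the post's local rule chain
# (100002 -> 100003/4/5) over both su log layouts it shows. The sample lines are
# the post's own, re-joined from the e-mail line wrapping.
SAMPLE_LOGS = [
    # RHEL 4 (/var/log/messages): "pam_unix" sits inside the program field
    "May  7 09:50:46 Server su(pam_unix)[17639]: authentication failure; logname=username uid=500 euid=0 tty=pts/0 ruser=username rhost=  user=root",
    "May  7 09:44:36 Server su(pam_unix)[17144]: session opened for user root by username(uid=500)",
    "May  7 09:45:16 Server su(pam_unix)[17144]: session closed for user root",
    # CentOS 5.4 (/var/log/secure): "pam_unix(su-l:...)" opens the message body instead
    "May  7 09:53:29 server su: pam_unix(su-l:auth): authentication failure; logname=username uid=504 euid=0 tty=pts/0 ruser=username rhost=  user=root",
    "May  7 09:53:36 server su: pam_unix(su-l:session): session opened for user root by username(uid=504)",
    "May  7 09:53:40 server su: pam_unix(su-l:session): session closed for user root",
]
# syslog header: timestamp host program[(module)][pid]: message
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"(?P<prog>[^\s:\[(]+)(?:\((?P<mod>[^)]*)\))?(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# CentOS 5 layout: the "pam_unix(service:type):" prefix lives in the message body
PAM_PREFIX_RE = re.compile(r"^pam_unix\([^)]*\): (?P<rest>.*)$")
TARGET_RE = re.compile(r"(?:\buser=|for user )(\S+)")
# Rule ids, match strings and descriptions copied from the post's local_rules.xml.
RULES = [(100003, "authentication fail", "SU session to root attempted."),
         (100004, "session opened", "SU session to root openned."),
         (100005, "session closed", "SU session to root closed.")]

def parse(line):
    """Split a syslog line into fields, normalising the two su/pam_unix layouts."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    p = PAM_PREFIX_RE.match(f["msg"])
    if p:  # CentOS 5.4 layout: the module was in the body, not the program field
        f["mod"], f["msg"] = "pam_unix", p.group("rest")
    t = TARGET_RE.search(f["msg"])
    f["target"] = t.group(1) if t else None
    return f

def classify(line):
    """Return (rule_id, description, target_user) for an su event, else None."""
    f = parse(line)
    # The post's rule 100002 is <match>su</match>, a plain substring test, so it also
    # fires on pam lines from sudo or anything else containing "su"; the parsed
    # program name plus the PAM module is the stricter check.
    if f is None or f["prog"] != "su" or f["mod"] != "pam_unix":
        return None
    for rule_id, needle, desc in RULES:
        if needle in f["msg"]:
            return (rule_id, desc, f["target"])
    return None
```

Running classify over SAMPLE_LOGS yields the same three rule ids for both systems, which is the behaviour the posted rules give on the server; pam lines from sshd or sudo are returned as None rather than being tagged as su sessions.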
