Ok, I will post now what I have.
But it's still rough; they need to be cleaned up some. Please remember that 2 weeks ago
OSSEC was unknown to me, so this has to be refined. For example adding the
file creation date, who was logged in at that time, and I'm sure that my friendly
neighborhood inquisitor (Corp Sec) will find something else they want to see.

BTW I'm very open to any suggestions on what I submitted.
Dan

1. In /opt/ossec/etc, create local_decoder.xml and add the following lines:

<!-- Parent decoder: anchors on the fixed prefix the collector writes -->
<decoder name="perm">
  <prematch>^Wrong file permissions in </prematch>
</decoder>

<!-- Child decoder: the collector writes "Wrong file permissions in MODE PATH".
     The first group lands in the action field, which rule 100022 tests for
     "Wrong"; the mode string and the path go to extra_data and url. -->
<decoder name="perm-alert">
  <parent>perm</parent>
  <regex>^(Wrong) file permissions in (\S+) (\S+)$</regex>
  <order>action, extra_data, url</order>
</decoder>

2. In /opt/ossec/rules, edit local_rules.xml and add the following lines:

<group name="perm">
  <!-- Level 0: grouping rule, matches every line the perm decoder handled -->
  <rule id="100021" level="0">
    <decoded_as>perm</decoded_as>
    <description>World-writable File</description>
  </rule>

  <!-- Level 12: alerts when the decoded action field is exactly "Wrong" -->
  <rule id="100022" level="12">
    <if_sid>100021</if_sid>
    <action>Wrong</action>
    <description>World-writable File</description>
  </rule>
</group>

3. The collector is a one-liner installed as /opt/ossec/active-response/bin/file-perm.sh
   (the command entry in ossec.conf below runs it):

#!/bin/sh
# List mode and name of every entry in the watched directories, keep the
# regular files whose "other" write bit is set (9th character of the mode
# string, so -rwxr-xrwx counts as well as -rw-rw-rw-), and rewrite each
# one as a log line. Note that ">" truncates perm.log on every run, so
# OSSEC re-reads it from the start and alerts again on every file that is
# still world-writable.
stat -c '%A %n' /cdpq/* /users/*/* /etc/* \
  | egrep -e '^-.{7}w' \
  | sed 's/^/Wrong file permissions in /' > /var/log/perm.log


4. In /opt/ossec/etc/ossec.conf, add the following lines:

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/perm.log</location>
  </localfile>

  <localfile>
    <log_format>command</log_format>
    <command>/opt/ossec/active-response/bin/file-perm.sh</command>
  </localfile>
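Because the one-liner rewrites perm.log in full on every run, the same files are reported on every scheduled run (the notifications further down list /cdpq/coco at 15:10:19 and again at 15:10:21). The script below is an added example, not Dan's collector and not part of OSSEC: it emits the same "Wrong file permissions in MODE PATH" lines, so the decoder and rules above parse it unchanged, but it diffs each scan against the previous one and appends only new findings. The LOG and STATE paths and the file-perm.sh name are assumptions.

```shell
#!/bin/sh
# Added example (not Dan's one-liner and not OSSEC code): a collector that
# emits lines in the same "Wrong file permissions in MODE PATH" format, but
# appends only findings that are new since the previous run, so OSSEC
# alerts once per file instead of on every scheduled run.
# LOG and STATE are assumed locations; override them before calling.

LOG=${LOG:-/var/log/perm.log}          # file tailed by the <localfile> entry
STATE=${STATE:-/var/log/perm.state}    # result of the previous scan

# is_world_writable MODE: succeed when the "other" write bit is set.
# In an ls -l mode string (-rw-rw-rw-) that is the 9th character, so
# -rwxr-xrwx counts too, not just the -rw?rw?rw? shape.
is_world_writable() {
    case "$1" in
        ????????w*) return 0 ;;
        *)          return 1 ;;
    esac
}

# format_finding MODE PATH: the exact line the perm decoder parses.
format_finding() {
    printf 'Wrong file permissions in %s %s\n' "$1" "$2"
}

# scan_world_writable DIR...: one finding per regular file under DIR...
# with the other-write bit set. -perm -002 is POSIX; ls -ld gives the mode
# string portably (stat -c is GNU-only).
scan_world_writable() {
    find "$@" -type f -perm -002 2>/dev/null | while IFS= read -r path; do
        mode=$(ls -ld "$path" | cut -d' ' -f1)
        if is_world_writable "$mode"; then
            format_finding "$mode" "$path"
        fi
    done
}

# report_new DIR...: append findings absent from the previous scan to $LOG,
# save the current scan as the new $STATE, and print the new lines. A file
# that is fixed and later made world-writable again is reported again.
report_new() {
    tmp=$(mktemp) || return 1
    scan_world_writable "$@" | sort -u > "$tmp"
    if [ -s "$STATE" ]; then
        new=$(grep -vxF -f "$STATE" "$tmp" || true)
    else
        new=$(cat "$tmp")
    fi
    mv "$tmp" "$STATE"
    [ -n "$new" ] || return 0
    printf '%s\n' "$new" >> "$LOG"
    printf '%s\n' "$new"
}

# When OSSEC runs this from its <command> localfile, pass the directories
# to scan as arguments, e.g. file-perm.sh /cdpq /users /etc. Stdout is
# silenced because logcollector would turn anything printed here into a
# second "ossec: output:" event on top of the perm.log line.
[ $# -eq 0 ] || report_new "$@" >/dev/null
```

The state file is simply the previous scan, so the diff is "current minus previous": first run reports everything, later runs only what changed. Keep in mind that `find -perm -002` follows Dan's page in checking regular files only; directories with the sticky bit (/tmp) are deliberately not in scope.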
From: [email protected] [mailto:[email protected]] On behalf of loyd. darby
Sent: 15 Dec 2010 15:27
To: [email protected]
Subject: Re: [ossec-list] Finaly got it

cool !
can you share your final scripts?

On 12/15/2010 02:58 PM, [email protected]<mailto:[email protected]> wrote:

Hi

Finally got exactly what I want.

To get there I made a new decoder in /ossec/etc/local_decoder.xml,
corrected the method in /opt/rules/local_rules.xml,
restarted the server, and voila! It works.

Thanks

Dan



OSSEC HIDS Notification.
2010 Dec 15 15:10:19

Received From: cdpqda->/var/log/perm.log
Rule: 100021 fired (level 10) -> "World-writable File"
Portion of the log(s):

Wrong file permissions in -rwxrwxrwx /cdpq/coco

 --END OF NOTIFICATION


OSSEC HIDS Notification.
2010 Dec 15 15:10:19

Received From: cdpqda->/var/log/perm.log
Rule: 100021 fired (level 10) -> "World-writable File"
Portion of the log(s):

Wrong file permissions in -rw-rw-rw- /cdpq/coco123

 --END OF NOTIFICATION


OSSEC HIDS Notification.
2010 Dec 15 15:10:19

Received From: cdpqda->/var/log/perm.log
Rule: 100021 fired (level 10) -> "World-writable File"
Portion of the log(s):

Wrong file permissions in -rwxrwxrwx /cdpq/mama

 --END OF NOTIFICATION


OSSEC HIDS Notification.
2010 Dec 15 15:10:19

Received From: cdpqda->/var/log/perm.log
Rule: 100021 fired (level 10) -> "World-writable File"
Portion of the log(s):

Wrong file permissions in -rw-rw-rw- /cdpq/mama123

 --END OF NOTIFICATION


OSSEC HIDS Notification.
2010 Dec 15 15:10:19

Received From: cdpqda->/var/log/perm.log
Rule: 100021 fired (level 10) -> "World-writable File"
Portion of the log(s):

Wrong file permissions in -rw-rw-rw- /users/assed/cdpqda.txt

 --END OF NOTIFICATION


OSSEC HIDS Notification.
2010 Dec 15 15:10:19

Received From: cdpqda->/var/log/perm.log
Rule: 100021 fired (level 10) -> "World-writable File"
Portion of the log(s):

Wrong file permissions in -rw-rw-rw- /users/assed/cis-cat.out

 --END OF NOTIFICATION


OSSEC HIDS Notification.
2010 Dec 15 15:10:19

Received From: cdpqda->/var/log/perm.log
Rule: 100021 fired (level 10) -> "World-writable File"
Portion of the log(s):

Wrong file permissions in -rw-rw-rw- /users/assed/cis-gsm-out

 --END OF NOTIFICATION


OSSEC HIDS Notification.
2010 Dec 15 15:10:19

Received From: cdpqda->/var/log/perm.log
Rule: 100021 fired (level 10) -> "World-writable File"
Portion of the log(s):

Wrong file permissions in -rwxrwxrwx /users/assed/per-sort2.pl

 --END OF NOTIFICATION


OSSEC HIDS Notification.
2010 Dec 15 15:10:19

Received From: cdpqda->/var/log/perm.log
Rule: 100021 fired (level 10) -> "World-writable File"
Portion of the log(s):

Wrong file permissions in -rw-rw-rw- /etc/cocomo

 --END OF NOTIFICATION


OSSEC HIDS Notification.
2010 Dec 15 15:10:21

Received From: cdpqda->/var/log/perm.log
Rule: 100021 fired (level 10) -> "World-writable File"
Portion of the log(s):

Wrong file permissions in -rwxrwxrwx /cdpq/coco

 --END OF NOTIFICATION


OSSEC HIDS Notification.
2010 Dec 15 15:10:21

Received From: cdpqda->/var/log/perm.log
Rule: 100021 fired (level 10) -> "World-writable File"
Portion of the log(s):

Wrong file permissions in -rw-rw-rw- /cdpq/coco123

 --END OF NOTIFICATION


OSSEC HIDS Notification.
2010 Dec 15 15:10:21

Received From: cdpqda->/var/log/perm.log
Rule: 100021 fired (level 10) -> "World-writable File"
Portion of the log(s):

Wrong file permissions in -rwxrwxrwx /cdpq/mama

________________________________
Notice of Confidentiality: This electronic mail message, including any 
attachments, is confidential and may be privileged and protected by 
professional secrecy. They are intended for the exclusive use of the addressee. 
If you are not the intended addressee or the person responsible for delivering 
this document to the intended addressee, you are hereby advised that any 
disclosure, reproduction, copy, distribution or other use of this information 
is strictly forbidden. If you have received this document by mistake, please 
immediately inform the sender by telephone, destroy and delete the information 
received from any hard disk or any media on which it may have been registered 
and do not keep any copy. Thank you for your cooperation.



--
R. Loyd Darby, OSSIM-OCSE
Project Manager DOC/NOAA/NMFS
Infrastructure coordinator
Southeast Fisheries Science Center
305-361-4297