On 12/22/2010 09:54 PM, dan (ddp) wrote:
On Wed, Dec 22, 2010 at 3:17 PM, carlopmart<[email protected]>  wrote:
On 12/22/2010 08:44 PM, dan (ddp) wrote:

I don't have access to ossec-logtest right now, so you'll have to do
some testing with that on your own.
Everything I'm writing in this mail is untested. ;)

On Wed, Dec 22, 2010 at 12:41 PM, carlopmart<[email protected]>    wrote:

Hi all,

  I am trying to decode auditd messages using OSSEC under a RHEL6 host. To
do this I followed this howto:

http://securestate.blogspot.com/2010/09/getting-ossec-to-parse-auditd.html.

  My local_decoder.xml file is:


This decoder doesn't look quite right for your samples.

<decoder name="auditd">
<prematch>type=\S+ msg=audit</prematch>
<regex offset="after_prematch">msg=</regex>

I'm not sure what the above really serves.

<regex>'PAM: \.+ acct="(\S+)" : exe="(\S+)" \(hostname=(\S+), addr=(\S+), terminal=(\S+) res=(\S+)\)'</regex>

The single quotes in this regex don't seem quite right. In the samples
the first single quote comes before op=PAM, not just PAM.
Also, the stray ":" and "," seem odd.

<order>user, extra_data, srcip, dstip, id, status</order>
</decoder>


Let's try simplifying it a bit:
<decoder name="auditd">
   <prematch>^type=\S+ msg=audit</prematch>
   <regex offset="after_prematch">op=PAM:\S+ acct="(\S+)" exe="(\S+)" hostname=(\S+) addr=(\S+) terminal=(\S+) res=(\S+)'$</regex>
   <order>user,extra_data,srcip,dstip,id,status</order>
</decoder>

Put that in local_decoder.xml, run /var/ossec/bin/ossec-logtest, and
paste in one of the audit log messages. If it doesn't seem to work,
and you need help tweaking, reply with the output.



Ok, my local_decoder.xml looks like this now:

<decoder name="auditd">
  <prematch>^type=\S+ msg=audit</prematch>
  <regex offset="after_prematch">msg=</regex>
  <regex>op=PAM:\S+ acct="(\S+)" exe="(\S+)" hostname=(\S+) addr=(\S+) terminal=(\S+) res=(\S+)'$</regex>
  <order>user,extra_data,srcip,dstip,id,status</order>
</decoder>

And ossec-logtest output:

2010/12/22 21:15:14 ossec-testrule: INFO: Reading local decoder file.
2010/12/22 21:15:14 ossec-testrule: INFO: Started (pid: 20934).
ossec-testrule: Type one log per line.

type=USER_ACCT msg=audit(1293048061.159:164): user pid=20453 uid=0
auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="root"
exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'


**Phase 1: Completed pre-decoding.
       full event: 'type=USER_ACCT msg=audit(1293048061.159:164): user
pid=20453 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting
acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
res=success''
       hostname: 'laptop'
       program_name: '(null)'
       log: 'type=USER_ACCT msg=audit(1293048061.159:164): user pid=20453
uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="root"
exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success''

**Phase 2: Completed decoding.
       decoder: 'auditd'

  ... but the alert isn't generated ...


--
CL Martinez
carlopmart {at} gmail {d0t} com


You'll have to play around with the <regex> a bit.
It looks like the right decoder is being chosen (decoder: 'auditd'),
but the fields aren't being populated.
So, simplify again. Change the auditd decoder to look like this:

<decoder name="auditd">
  <prematch>^type=\S+ msg=audit</prematch>
  <regex>op=PAM:\S+ acct="(\S+)"</regex>
  <order>user</order>
</decoder>

If that works (populates the user field in Phase 2), change the regex
to include the next part:
<regex>op=PAM:\S+ acct="(\S+)" exe="(\S+)"</regex>

If that works, add the next section; if not, adjust until it does:
<regex>op=PAM:\S+ acct="(\S+)" exe="(\S+)" hostname=(\S+)</regex>

If that works, add the next section. If not, adjust until it does, then
add the next section:
<regex>op=PAM:\S+ acct="(\S+)" exe="(\S+)" hostname=(\S+) addr=(\S+)</regex>

ossec-logtest is your best tool for getting this to work. I don't have
access to it at the moment, so all I can do is toss things out until
it works.


Ok, after all tests, my local_decoder.xml looks like this:

<decoder name="auditd">
  <prematch>^type=\S+ msg=audit</prematch>
  <regex>op=PAM:\S+ acct="(\S+)" exe="(\S+)" hostname=(\S+) addr=(\S+)</regex>
  <order>user,extra_data,srcip,dstip,id,status</order>
</decoder>

And ossec-logtest returns:

2010/12/22 22:05:04 ossec-testrule: INFO: Reading local decoder file.
2010/12/22 22:05:04 ossec-testrule: INFO: Started (pid: 23091).
ossec-testrule: Type one log per line.

type=USER_ACCT msg=audit(1293048061.159:164): user pid=20453 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'


**Phase 1: Completed pre-decoding.
full event: 'type=USER_ACCT msg=audit(1293048061.159:164): user pid=20453 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success''
       hostname: 'laptop'
       program_name: '(null)'
log: 'type=USER_ACCT msg=audit(1293048061.159:164): user pid=20453 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success''

**Phase 2: Completed decoding.
       decoder: 'auditd'
       dstuser: 'root'
       extra_data: '/usr/sbin/crond'
       srcip: '?'
       dstip: '?'

**Phase 3: Completed filtering (rules).
       Rule id: '100001'
       Level: '10'
       Description: 'Auditd rule to notify when root logged in.'
**Alert to be generated.

Now it is ok. But I don't see the status result in Phase 2. Is it normal or
not?

Thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com

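The behaviour seen in the Phase 2 output above (four fields populated, `id` and `status` absent) follows from how an OSSEC decoder assigns its `<regex>` capture groups to the names in `<order>`, left to right: a regex with four groups can only ever fill the first four names. The script below is an added illustration written for this page, not code from the thread or from the OSSEC project. It assumes that Python's `re` module can stand in for OSSEC's own regex engine for these particular patterns (they use only `\S+`, groups and anchors), that the `user` order field is displayed as `dstuser` (as the thread's ossec-logtest output shows), and it adds a second, constructed `USER_AUTH` record of a failed SSH login to show the same decoder on a login failure, where the `status` field is the part a rule would actually want.

```python
import re

# Constructed sample lines for this example. The first is the audit
# message from the thread; the second is a made-up failed-SSH-login
# record in the same auditd format, not taken from the thread.
SAMPLES = [
    "type=USER_ACCT msg=audit(1293048061.159:164): user pid=20453 uid=0 "
    "auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct=\"root\" "
    "exe=\"/usr/sbin/crond\" hostname=? addr=? terminal=cron res=success'",
    "type=USER_AUTH msg=audit(1293048061.159:165): user pid=20500 uid=0 "
    "auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct=\"bob\" "
    "exe=\"/usr/sbin/sshd\" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=failed'",
]

# Decoder pieces as they appear in the thread. OSSEC has its own regex
# dialect; these patterns use only \S+, groups and anchors, which mean
# the same thing in Python's re module, so re stands in for it here
# (assumption of this example, not a statement about OSSEC internals).
PREMATCH = r"^type=\S+ msg=audit"
REGEX_PARTIAL = r'op=PAM:\S+ acct="(\S+)" exe="(\S+)" hostname=(\S+) addr=(\S+)'
REGEX_FULL = (r'op=PAM:\S+ acct="(\S+)" exe="(\S+)" hostname=(\S+) addr=(\S+) '
              r"terminal=(\S+) res=(\S+)'$")
ORDER = ["user", "extra_data", "srcip", "dstip", "id", "status"]

# ossec-logtest reports the "user" order field as "dstuser" (see the
# Phase 2 output in the thread); other names are shown unchanged.
DISPLAY_NAME = {"user": "dstuser"}


def decode(line, regex, order, prematch=PREMATCH):
    """Mimic an OSSEC decoder: <prematch> selects the decoder, then the
    capture groups of <regex> are assigned, left to right, to the names
    in <order>.  Returns None if the decoder does not apply, {} if it
    applies but the regex fails (decoder named, no fields, which is the
    first logtest run in the thread), else the populated fields."""
    if re.search(prematch, line) is None:
        return None
    m = re.search(regex, line)
    if m is None:
        return {}
    return {DISPLAY_NAME.get(name, name): value
            for name, value in zip(order, m.groups())}


def unpopulated(order, fields):
    """Order entries that received no value, either because the regex
    has fewer capture groups than <order> has names or because it did
    not match at all."""
    fields = fields or {}
    return [name for name in order
            if DISPLAY_NAME.get(name, name) not in fields]


if __name__ == "__main__":
    for line in SAMPLES:
        for label, regex in (("partial", REGEX_PARTIAL), ("full", REGEX_FULL)):
            fields = decode(line, regex, ORDER)
            print(label, fields, "missing:", unpopulated(ORDER, fields))
```

Running it with `REGEX_PARTIAL` reproduces the thread's Phase 2 output exactly (dstuser, extra_data, srcip, dstip) and reports `id` and `status` as unpopulated; with `REGEX_FULL`, which carries the `terminal=` and `res=` groups, all six names are filled, and the failed-login sample yields `status: failed`, the value a rule that distinguishes successful from failed PAM events would key on.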