Hello Alex,

Michael Starks has written a comprehensive decoder for auditd. See this link:
http://groups.google.com/group/ossec-list/browse_thread/thread/861e5bb2b075e8e9/de765f35ac23bfd0?lnk=gst&q=auditd+decoder#de765f35ac23bfd0

Hope it helps.

Regards,
Chris

On Tue, Jul 12, 2011 at 12:05 PM, Alex.B <[email protected]> wrote:
> Hello everybody,
>
> I'm quite new to ossec so I hope I didn't miss the solution while
> searching for it.
>
> My question is in the title: is it possible for OSSEC, when it alerts
> for a file modification, to tell which user made it?
>
> My first thought was: no.
>
> So I thought about using auditd, but the log format is just a mess. I
> get information about the modification on 3 different lines and get
> uids instead of real usernames:
>
> type=SYSCALL msg=audit(1310482288.083:28): arch=40000003 syscall=5 success=yes exit=3 a0=8443608 a1=8241 a2=1ff a3=0 items=1 ppid=30262 pid=24904 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" key="test"
> type=CWD msg=audit(1310482288.083:28): cwd="/home/ablanchard"
> type=PATH msg=audit(1310482288.083:28): item=0 name="test_audit.txt" inode=4719748 dev=08:01 mode=0100777 ouid=1000 ogid=1000 rdev=00:00
>
> As you can see, we can find the UID of the user modifying the file in the
> first line and the actual file on the third line...
>
> Does anybody have any lead or even a solution to my problem?
>
> Thank you!
>
> Alex.
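As an added example (not from the thread, OSSEC or the decoder linked above), here is a small Python correlator for exactly the three records Alex quotes: it joins the SYSCALL, CWD and PATH lines on the audit serial (the 28 in msg=audit(1310482288.083:28)), resolves uid and auid to names, and rebuilds the absolute path from cwd. The uid table is a hypothetical stand-in for /etc/passwd and the sample log is constructed from the quoted records.

```python
import re
from collections import defaultdict

# Constructed sample: the three records quoted in the thread, one record per line.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1310482288.083:28): arch=40000003 syscall=5 success=yes exit=3 a0=8443608 a1=8241 a2=1ff a3=0 items=1 ppid=30262 pid=24904 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" key="test"
type=CWD msg=audit(1310482288.083:28): cwd="/home/ablanchard"
type=PATH msg=audit(1310482288.083:28): item=0 name="test_audit.txt" inode=4719748 dev=08:01 mode=0100777 ouid=1000 ogid=1000 rdev=00:00
"""
# Hypothetical uid -> name table standing in for /etc/passwd (an assumption).
PASSWD = {0: "root", 1000: "ablanchard"}
UNSET = 4294967295  # audit writes -1 as unsigned 32-bit for "unset" (the auid above)

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one auditd record into (type, timestamp, serial, {field: value})."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return rtype, ts, int(serial), fields

def uid_to_name(uid, passwd=PASSWD):
    uid = int(uid)
    return "unset" if uid == UNSET else passwd.get(uid, str(uid))

def correlate(log_text, passwd=PASSWD):
    """Join SYSCALL/CWD/PATH records sharing an audit serial into one event dict."""
    events = defaultdict(lambda: {"paths": []})
    for rtype, ts, serial, f in filter(None, map(parse_record, log_text.splitlines())):
        ev = events[serial]
        ev["ts"] = ts
        if rtype == "SYSCALL":
            ev["user"] = uid_to_name(f["uid"], passwd)         # uid that issued the syscall
            ev["login_user"] = uid_to_name(f["auid"], passwd)  # login uid, survives su/sudo
            ev.update(exe=f.get("exe"), comm=f.get("comm"), key=f.get("key"),
                      success=f.get("success"))
        elif rtype == "CWD":
            ev["cwd"] = f["cwd"]
        elif rtype == "PATH":
            ev["paths"].append(f["name"])
    # Resolve relative PATH names against the event's CWD once all records are in.
    for ev in events.values():
        cwd = ev.get("cwd", "")
        ev["paths"] = [p if p.startswith("/") else f"{cwd}/{p}" for p in ev["paths"]]
    return dict(events)
```

auditd hex-encodes name= and cwd= values that contain spaces or non-printable characters, which this example does not decode; `ausearch -i` handles both that and the uid lookup.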
