On Wed, Aug 10, 2011 at 11:02 AM, Blauch Armand <[email protected]> wrote:
> Hello,
>
> Thanks for your help.
>
> My intent is to alert when a user uses the su command if he's not on a
> list. (In this list I have all the authorized su users. I don't want
> that rule to fire for them, because su usage is ok for those accounts.)
>
> I don't understand the list format, what is "stuff" in your example
> (testuser:stuff testuser2:stuff)?
> I've tried with stuff=user or stuff=dstuser, and it doesn't work.
>
In your example the value (in the key:value pair) doesn't matter. It isn't
being used. It can be anything. You could use:

testuser:testuser
testuser2:Bob Biggins
testuser3:Scott Summers

The important part is that the user names are in the key position, so
re-write your list and try again.

>
>
> On 10 Aug, 16:42, "dan (ddp)" <[email protected]> wrote:
>> On Wed, Aug 10, 2011 at 10:29 AM, Blauch Armand <[email protected]> wrote:
>> > hello,
>>
>> > I try to use the list option on a rule:
>> > <list field="user" lookup="not_match_key">/etc/ossec/rules/testlistgroup1</list>
>>
>> I think your list is going to alert if the user is not in the list as
>> the key. Is this what you intend?
>>
>> > This doesn't work! I've tried so many things, I don't know what to do!
>> > The rule fires every time, as if the rule doesn't read the list?
>> > I only have a few accounts to put in this list (testuser, testuser2....)
>> > and I don't understand how to write it.
>>
>> > I first created a testlistgroup1.txt with these values:
>> > user:testuser
>> > user:testuser2
>>
>> The format should be key:value and key should be unique.
>> So:
>>
>> > I run ./ossec-makelist without problem each time I change the
>> > testlistgroup1.txt
>>
>> > my ossec.conf file is like this:
>> > <rules>
>> > <list>testlistgroup1.txt.cdb</list>
>> > </rules>
>>
>> > When I start ossec-logtest I have this message:
>> > ossec-testrule: INFO: Reading loading the lists file:
>> > 'testlistgroup1.txt.cdb'
>>
>> > Can someone help me? What is wrong with my list?
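Added example, not part of the original thread and not OSSEC's own code: the script below emulates the key:value lookup that OSSEC performs on a compiled CDB list (match_key / not_match_key, key side only), so the two list layouts from the thread can be compared offline. The su log lines and the regex that pulls the calling user out of them are constructed stand-ins for OSSEC's su decoder; in a real deployment ossec-makelist compiles the file and the rule engine does the lookup.

```python
"""Emulate OSSEC CDB list lookups (match_key / not_match_key) over su events.

Added example, not OSSEC's code. It reproduces only the key:value semantics
described in the thread: the key is what the field value is compared
against, the value is ignored, and keys must be unique.
"""
import re

# The layout from the question: the literal word "user" is the key on every
# line, so no real username ever lands in the key position.
WRONG_LIST = """\
user:testuser
user:testuser2
"""

# The corrected layout from the reply: usernames as keys, value unused.
RIGHT_LIST = """\
testuser:testuser
testuser2:Bob Biggins
testuser3:Scott Summers
"""

# Constructed sample su events in pam_unix style. The "user" field here is
# the account that invoked su, pulled out by a simplified regex rather than
# by OSSEC's su decoder.
SAMPLE_LOGS = [
    "Aug 10 11:02:01 host su[2231]: pam_unix(su:session): session opened for user root by testuser(uid=1001)",
    "Aug 10 11:05:17 host su[2290]: pam_unix(su:session): session opened for user root by testuser2(uid=1002)",
    "Aug 10 11:09:44 host su[2355]: pam_unix(su:session): session opened for user root by mallory(uid=1003)",
]

SU_RE = re.compile(r"session opened for user (?P<dstuser>\S+) by (?P<srcuser>[^(\s]+)")


def parse_list(text):
    """Parse key:value lines into a dict.

    Split on the first ':' only, so a value may contain spaces or colons.
    A repeated key simply overwrites the earlier entry, which is why the
    thread insists keys be unique: WRONG_LIST collapses to a single key.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        entries[key.strip()] = value.strip()
    return entries


def lookup(entries, field_value, lookup_type):
    """Return True when the <list> condition holds.

    Mirrors match_key / not_match_key: only the key side is consulted and
    the comparison is an exact match on the whole field value.
    """
    present = field_value in entries
    if lookup_type == "match_key":
        return present
    if lookup_type == "not_match_key":
        return not present
    raise ValueError(f"unsupported lookup type: {lookup_type}")


def evaluate(list_text, logs, lookup_type="not_match_key"):
    """Apply the list condition to each log line.

    Returns the users for whom the rule would fire, i.e. those for whom the
    list condition holds.
    """
    entries = parse_list(list_text)
    fired = []
    for line in logs:
        m = SU_RE.search(line)
        if not m:
            continue
        user = m.group("srcuser")
        if lookup(entries, user, lookup_type):
            fired.append(user)
    return fired


if __name__ == "__main__":
    print("keys in wrong list:", sorted(parse_list(WRONG_LIST)))
    print("fires with wrong list:", evaluate(WRONG_LIST, SAMPLE_LOGS))
    print("fires with right list:", evaluate(RIGHT_LIST, SAMPLE_LOGS))
```

With WRONG_LIST the only key is "user", so not_match_key holds for every su caller and the rule fires each time, which is the behaviour reported in the question. With RIGHT_LIST only the unlisted account (mallory) fires. One further check worth making on the real setup: the path named in the rule's <list> element has to refer to the same list that ossec.conf declares (without the .cdb suffix), otherwise the rule will not be consulting the compiled file at all.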
