On Wed, Aug 10, 2011 at 11:02 AM, Blauch Armand <[email protected]> wrote:
> Hello,
>
> Thanks for your help.
>
> My intent is to alert when a user uses the su command if he's not on a
> list. (In this list I have all the authorized su users. I don't want
> that rule to fire for them, because su usage is OK for these accounts.)
>
> I don't understand the list format, what is "stuff" in your example
> (testuser:stuff testuser2:stuff)?
> I've tried with stuff=user or stuff=dstuser, and it doesn't work.
>

In your example the value (in the key:value pair) doesn't matter. It
isn't being used. It can be anything.

You could use:

testuser:testuser
testuser2:Bob Biggins
testuser3:Scott Summers

The important part is that the user names are in the key position, so
rewrite your list and try again.



>
>
> On 10 Aug, 16:42, "dan (ddp)" <[email protected]> wrote:
>> On Wed, Aug 10, 2011 at 10:29 AM, Blauch Armand <[email protected]> wrote:
>> > hello,
>>
>> > I'm trying to use the list option on a rule:
>> > <list field="user" lookup="not_match_key">/etc/ossec/rules/testlistgroup1</list>
>>
>> I think your list is going to alert if the user is not in the list as
>> the key. Is this what you intend?
>>
>> > This doesn't work! I've tried so many things, I don't know what to do!
>> > The rule fires every time, as if the rule doesn't read the list.
>> > I only have a few accounts to put in this list (testuser, testuser2...)
>> > and I don't understand how to write them.
>>
>> > I first created a testlistgroup1.txt with these values:
>> > user:testuser
>> > user:testuser2
>>
>> The format should be key:value and key should be unique.
>> So:
>>
>> > I run ./ossec-makelist without problem each time I change
>> > testlistgroup1.txt.
>>
>> > my ossec.conf file is like this:
>> > <rules>
>> >    <list>testlistgroup1.txt.cdb</list>
>> > </rules>
>>
>> > When I start ossec-logtest I have this message:
>> > ossec-testrule: INFO: Reading loading the lists file:
>> > 'testlistgroup1.txt.cdb'
>>
>> > Can someone help me? What is wrong with my list?

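The key-position point dan makes above, as an added example that is not part of the thread and is not OSSEC's own code. It re-implements the `match_key` / `not_match_key` semantics of a `<list field="user" lookup="...">` condition in plain Python instead of building a CDB with ossec-makelist, feeds it the two list files from the thread (the original `user:testuser` form and the corrected `testuser:...` form), and shows why the first one alerts on every su and the second only on users that are not keys. The events are constructed by hand and are assumed to be already decoded; how OSSEC's decoder extracts `user` from a raw su line is not modelled. Treating a duplicate key as "first occurrence wins" is an assumption of this model, not something the thread states.

```python
"""Model of an OSSEC CDB list lookup, showing why the list in the thread
above must carry the user name in the *key* position.

Added example: this is not code from OSSEC or from either poster.  It
re-implements the lookup semantics in plain Python instead of calling
ossec-makelist, and the events below are constructed by hand.
"""


def parse_list(text):
    """Parse the ossec-makelist input format: one 'key:value' per line.

    The value is kept but never consulted by match_key / not_match_key.
    Keys are supposed to be unique; if a key repeats, the first occurrence
    wins here (an assumption of this model about a first-match lookup).
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected key:value, got {line!r}")
        key, value = (part.strip() for part in line.split(":", 1))
        entries.setdefault(key, value)
    return entries


def list_matches(entries, lookup, field_value):
    """Evaluate a <list field=... lookup=...> condition for one decoded value."""
    if lookup == "match_key":
        return field_value in entries
    if lookup == "not_match_key":
        return field_value not in entries
    raise ValueError(f"lookup type {lookup!r} not modelled here")


def alerting_users(events, list_text, field="user", lookup="not_match_key"):
    """Return the `field` value of every event on which a rule whose only
    condition is the given <list> would fire."""
    entries = parse_list(list_text)
    return [ev[field] for ev in events
            if field in ev and list_matches(entries, lookup, ev[field])]


# Constructed events, already decoded.  Mapping a raw su log line to a
# field such as "user" is the decoder's job and is not modelled here.
EVENTS = [
    {"user": "testuser", "log": "su: (to root) testuser on /dev/pts/0"},
    {"user": "testuser2", "log": "su: (to root) testuser2 on /dev/pts/1"},
    {"user": "mallory", "log": "su: (to root) mallory on /dev/pts/2"},
]

# The file from the original question: every line has the *key* "user",
# so no user name is ever a key and not_match_key is true for everyone.
WRONG_LIST = """\
user:testuser
user:testuser2
"""

# The corrected file: user names as keys; the value is free text and ignored.
RIGHT_LIST = """\
testuser:testuser
testuser2:Bob Biggins
testuser3:Scott Summers
"""

if __name__ == "__main__":
    print("keys in wrong list:", sorted(parse_list(WRONG_LIST)))
    print("alerts with wrong list:", alerting_users(EVENTS, WRONG_LIST))
    print("alerts with right list:", alerting_users(EVENTS, RIGHT_LIST))
```

With the wrong file the only key is `user`, so `not_match_key` holds for every su and the rule fires each time, which is the behaviour reported in the thread; with the corrected file only `mallory` alerts. In a real deployment the list still has to be rebuilt with ossec-makelist after every edit and ossec-logtest should report it being loaded, as the thread already notes.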