Hi all,
i have problem with my OSSEC configuration for /var/log/audit/audit.log.
Logs like this:
type=CRED_DISP msg=audit(1319707798.304:2022): user pid=15073 uid=1010
auid=1010 ses=217
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=PAM:setcred acct="root" exe="/bin/su" hostname=? addr=?
terminal=pts/0 res=success'
type=USER_END msg=audit(1319707798.308:2023): user pid=15073 uid=1010
auid=1010 ses=217
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=PAM:session_close acct="root" exe="/bin/su" hostname=? addr=?
terminal=pts/0 res=success'
type=USER_AUTH msg=audit(1319708232.739:2024): user pid=16894 uid=1010
auid=1010 ses=217
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=PAM:authentication acct="root" exe="/bin/su" hostname=? addr=?
terminal=pts/0 res=failed'
type=USER_ROLE_CHANGE msg=audit(1319707059.115:2015): user pid=15622 uid=0
auid=1010 ses=222 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
msg='pam:
default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
selected-context=?: exe="/usr/sbin/sshd" hostname=? addr=? terminal=?
res=failed'
My decoder.xml for "audit":
<decoder name="auditd">
<prematch>type=\S+ msg=audit</prematch>
<regex offset="after_prematch">msg=</regex>
<regex>'PAM: \.+ acct="(\S+)" : exe="(\S+)" \(hostname=(\S+), addr=(\S+),
terminal=(\S+) res=(\S+)\)'</regex>
<order>user, extra_data, srcip, dstip, id, status </order>
</decoder>
And my local_rules.xml for this:
<group name="auditd">
<rule id="100100" level="6" noalert="0">
<decoded_as>auditd</decoded_as>
<description>SELinux messages grouped.</description>
</rule>
<rule id="100101" level="8">
<if_sid>100100</if_sid>
<match>USER_ROLE_CHANGE</match>
<match>res=failed</match>
<description>Changing user role</description>
</rule>
<rule id="100102" level="7">
<if_sid>100101</if_sid>
<match>res=failed</match>
<description>SELinux error: user changing role
failed.</description>
</rule>
So.. if I add follow lines:
<localfile>
<log_format>syslog</log_format>
<location>/var/log/audit/audit.log</location>
</localfile
it's allways decode through syslog rules:
<var name="BAD_WORDS">core_dumped|failure|error|attack|bad |illegal
|denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>
<rule id="1002" level="2">
<match>$BAD_WORDS</match>
<options>alert_by_email</options>
<description>Unknown problem somewhere in the system.</description>
</rule>
And... notification (via email):
Received From: ossec-srv->/var/log/audit/audit.log
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
type=USER_ROLE_CHANGE msg=audit(1319616373.237:1729): user pid=10776 uid=0
auid=1010 ses=193 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam:
default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
selected-context=?: exe="/usr/sbin/sshd" hostname=? addr=? terminal=?
res=failed'
Where is my problem? Why my local_rules doesn't work?
Anybody help me? :)
