BEFORE:
# cd /var/ossec/bin/
# cat /tmp/xyx| ossec-logtest
**Phase 1: Completed pre-decoding.
full event: 'type=USER_ROLE_CHANGE
msg=audit(1319707059.115:2015): user pid=15622 uid=0 auid=1010 ses=222
subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam:
default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
selected-context=?: exe="/usr/sbin/sshd" hostname=? addr=? terminal=?
res=failed''
hostname: 'ix'
program_name: '(null)'
log: 'type=USER_ROLE_CHANGE msg=audit(1319707059.115:2015):
user pid=15622 uid=0 auid=1010 ses=222
subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam:
default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
selected-context=?: exe="/usr/sbin/sshd" hostname=? addr=? terminal=?
res=failed''
**Phase 2: Completed decoding.
decoder: 'auditd'
action: 'USER_ROLE_CHANGE'
id: '2015'
**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.
++++
ADD:
<decoder name="auditd-user">
<parent>auditd</parent>
<regex offset="after_regex"> subj=\S+ msg='\.+
selected-context=\.+ exe="(\.+)" hostname=\S+ addr=(\S+) terminal=\S+
res=(\S+)'$</regex>
<order>extra_data,srcip,status</order>
</decoder>
<rule id="40002" level="10">
<decoded_as>auditd</decoded_as>
<match>USER_ROLE_CHANGE</match>
<status>failed</status>
<description>Blah blah</description>
</rule>
++++
AFTER:
**Phase 1: Completed pre-decoding.
full event: 'type=USER_ROLE_CHANGE
msg=audit(1319707059.115:2015): user pid=15622 uid=0 auid=1010 ses=222
subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam:
default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
selected-context=?: exe="/usr/sbin/sshd" hostname=? addr=? terminal=?
res=failed''
hostname: 'ix'
program_name: '(null)'
log: 'type=USER_ROLE_CHANGE msg=audit(1319707059.115:2015):
user pid=15622 uid=0 auid=1010 ses=222
subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam:
default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
selected-context=?: exe="/usr/sbin/sshd" hostname=? addr=? terminal=?
res=failed''
**Phase 2: Completed decoding.
decoder: 'auditd'
action: 'USER_ROLE_CHANGE'
id: '2015'
extra_data: '/usr/sbin/sshd'
srcip: '?'
status: 'failed''
**Phase 3: Completed filtering (rules).
Rule id: '40002'
Level: '10'
Description: 'Blah blah'
**Alert to be generated.
On Thu, Oct 27, 2011 at 5:50 AM, mikes <[email protected]> wrote:
> Hi all,
>
> I have a problem with my OSSEC configuration for /var/log/audit/audit.log.
>
> Logs like this:
> type=CRED_DISP msg=audit(1319707798.304:2022): user pid=15073 uid=1010
> auid=1010 ses=217 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> msg='op=PAM:setcred acct="root" exe="/bin/su" hostname=? addr=?
> terminal=pts/0 res=success'
> type=USER_END msg=audit(1319707798.308:2023): user pid=15073 uid=1010
> auid=1010 ses=217 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> msg='op=PAM:session_close acct="root" exe="/bin/su" hostname=? addr=?
> terminal=pts/0 res=success'
> type=USER_AUTH msg=audit(1319708232.739:2024): user pid=16894 uid=1010
> auid=1010 ses=217 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> msg='op=PAM:authentication acct="root" exe="/bin/su" hostname=? addr=?
> terminal=pts/0 res=failed'
> type=USER_ROLE_CHANGE msg=audit(1319707059.115:2015): user pid=15622 uid=0
> auid=1010 ses=222 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam:
> default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> selected-context=?: exe="/usr/sbin/sshd" hostname=? addr=? terminal=?
> res=failed'
>
> My decoder.xml for "audit":
>
> <decoder name="auditd">
> <prematch>type=\S+ msg=audit</prematch>
> <regex offset="after_prematch">msg=</regex>
> <regex>'PAM: \.+ acct="(\S+)" : exe="(\S+)" \(hostname=(\S+), addr=(\S+),
> terminal=(\S+) res=(\S+)\)'</regex>
> <order>user, extra_data, srcip, dstip, id, status </order>
> </decoder>
>
> And my local_rules.xml for this:
> <group name="auditd">
> <rule id="100100" level="6" noalert="0">
> <decoded_as>auditd</decoded_as>
> <description>SELinux messages grouped.</description>
> </rule>
>
> <rule id="100101" level="8">
> <if_sid>100100</if_sid>
> <match>USER_ROLE_CHANGE</match>
> <match>res=failed</match>
> <description>Changing user role</description>
> </rule>
>
> <rule id="100102" level="7">
> <if_sid>100101</if_sid>
> <match>res=failed</match>
> <description>SELinux error: user changing role
> failed.</description>
> </rule>
>
>
> So.. if I add the following lines:
> <localfile>
> <log_format>syslog</log_format>
> <location>/var/log/audit/audit.log</location>
> </localfile>
>
> it's always decoded through the syslog rules:
> <var name="BAD_WORDS">core_dumped|failure|error|attack|bad |illegal
> |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>
> <rule id="1002" level="2">
> <match>$BAD_WORDS</match>
> <options>alert_by_email</options>
> <description>Unknown problem somewhere in the system.</description>
> </rule>
>
> And... notification (via email):
>
> Received From: ossec-srv->/var/log/audit/audit.log
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> type=USER_ROLE_CHANGE msg=audit(1319616373.237:1729): user pid=10776 uid=0
> auid=1010 ses=193 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam:
> default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> selected-context=?: exe="/usr/sbin/sshd" hostname=? addr=? terminal=?
> res=failed'
>
>
> Where is my problem? Why don't my local_rules work?
>
> Can anybody help me? :)
>
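As an added illustration (not part of the thread, and not OSSEC's own code), the script below models in Python what ossec-logtest showed above: mikes' original child regex is written for the older `(hostname=..., addr=..., ...)` audit layout and the literal prefix `'PAM: `, so it never extracts fields from these lines, which is why only the generic BAD_WORDS rule 1002 fires; the `auditd-user` child decoder from the reply does match the USER_ROLE_CHANGE line and yields `extra_data`, `srcip` and `status`, so a rule keyed on the decoded `status` field can fire instead. The translation from OSSEC regex syntax to Python (`\.+` = any characters, `\S+` = non-spaces, `\(` `\)` = literal parentheses, `$` = end of line) and the simplified rule evaluation (the specific rule is tried before the catch-all) are assumptions of this example; the sample events are constructed copies of the lines quoted in the mail, each on a single line as audit.log actually stores them.

```python
import re

# Constructed sample events modelled on the audit.log lines quoted in the thread.
# audit.log stores each event on one line; the wrapping in the e-mail is an artifact.
SAMPLE_EVENTS = [
    "type=CRED_DISP msg=audit(1319707798.304:2022): user pid=15073 uid=1010 auid=1010 ses=217 "
    "subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct=\"root\" "
    "exe=\"/bin/su\" hostname=? addr=? terminal=pts/0 res=success'",
    "type=USER_AUTH msg=audit(1319708232.739:2024): user pid=16894 uid=1010 auid=1010 ses=217 "
    "subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct=\"root\" "
    "exe=\"/bin/su\" hostname=? addr=? terminal=pts/0 res=failed'",
    "type=USER_ROLE_CHANGE msg=audit(1319707059.115:2015): user pid=15622 uid=0 auid=1010 ses=222 "
    "subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam: "
    "default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=?: "
    "exe=\"/usr/sbin/sshd\" hostname=? addr=? terminal=? res=failed'",
]

# Parent decoder prematch, as in the thread: "type=<action> msg=audit(<ts>:<id>)".
AUDITD_PARENT_RE = re.compile(r"type=(\S+) msg=audit\(\d+\.\d+:(\d+)\)")

# mikes' original child regex, translated from OSSEC syntax (assumption: \.+ -> .+,
# \S+ -> \S+, \( \) -> literal parentheses). It expects the older
# "'PAM: ... acct=\"x\" : exe=\"y\" (hostname=?, addr=?, terminal=? res=z)'" layout.
ORIGINAL_CHILD_RE = re.compile(
    r"'PAM: .+ acct=\"(\S+)\" : exe=\"(\S+)\" \(hostname=(\S+), addr=(\S+), terminal=(\S+) res=(\S+)\)'"
)

# The auditd-user child decoder from the reply, same translation, with its <order>.
AUDITD_USER_RE = re.compile(
    r" subj=\S+ msg='.+ selected-context=.+ exe=\"(.+)\" hostname=\S+ addr=(\S+) terminal=\S+ res=(\S+)'$"
)
AUDITD_USER_ORDER = ("extra_data", "srcip", "status")

# The $BAD_WORDS variable used by the generic syslog rule 1002 (case-sensitive, as written).
BAD_WORDS_RE = re.compile(
    r"core_dumped|failure|error|attack|bad |illegal|denied|refused|unauthorized|fatal|failed"
    r"|Segmentation Fault|Corrupted"
)


def decode(line):
    """Model the parent prematch plus the auditd-user child decoder.

    Returns a dict of decoded fields, or None if the line is not an auditd event.
    """
    parent = AUDITD_PARENT_RE.match(line)
    if not parent:
        return None
    fields = {"action": parent.group(1), "id": parent.group(2)}
    child = AUDITD_USER_RE.search(line)
    if child:
        # OSSEC assigns capture groups to field names in <order> sequence.
        fields.update(zip(AUDITD_USER_ORDER, child.groups()))
    return fields


def evaluate(line):
    """Model the two rules from the thread; returns (rule_id, level) or None.

    Simplification (assumption of this example): the specific rule 40002 is tried
    before the catch-all 1002, mirroring the ossec-logtest AFTER output.
    """
    fields = decode(line)
    if fields and fields["action"] == "USER_ROLE_CHANGE" and fields.get("status") == "failed":
        return ("40002", 10)  # reply's rule: <match>USER_ROLE_CHANGE</match> + <status>failed</status>
    if BAD_WORDS_RE.search(line):
        return ("1002", 2)  # generic "Unknown problem somewhere in the system."
    return None


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print("original child regex matched:", ORIGINAL_CHILD_RE.search(event) is not None)
        print("decoded fields:", decode(event))
        print("rule fired:", evaluate(event))
        print()
```

Running it shows the original child regex matching none of the three events, the USER_AUTH failure still landing on rule 1002 (it carries `res=failed` but no `selected-context=` fragment for the new child decoder), and the USER_ROLE_CHANGE failure decoded to `status: failed` and caught by the level 10 rule; the same three lines pasted through `ossec-logtest` are the quickest way to confirm the real decoder agrees.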