Hello list! So I'm working on a cdb list of users so there can be rules that differentiate when a user on the list vs. not on the list logs in, as described here:
http://www.ossec.net/doc/manual/rules-decoders/rule-lists.html

After confirming that the list is being read and the two rules are being alerted correctly (one for on-the-list, and the other for not-on-the-list), I tried modifying the text list and re-running bin/ossec-makelists to see if the alerts change when a user is taken off the list:

1) user1 and user2 are on the list, user3 is not. Run bin/ossec-makelists. Run ossec-control start.
2) Logging in as either user1 or user2 alerts the on-the-list rule. Logging in as user3 alerts the not-on-the-list rule.
3) Modify the list, removing the line for user2. Re-run bin/ossec-makelists. Leave ossec running as-is.
4) Logging in as user2 alerts the on-the-list rule still.

According to the URL above, updating the cdb file should invalidate the mmap and make the analysis daemon re-read the db from disk as needed, but this doesn't appear to be happening. Could I have something configured incorrectly? Permissions issue perhaps? Or do I have to wait a period of time for ossec to notice or purge a cache or something?

root@pegasus:/var/ossec# ls -ld /var/ossec
dr-xr-x--- 14 root ossec 4096 2012-01-09 14:13 /var/ossec
root@pegasus:/var/ossec# ls -ld /var/ossec/lists
drwxr-xr-x 2 root ossec 4096 2012-01-09 16:08 /var/ossec/lists
root@pegasus:/var/ossec# ls -l /var/ossec/lists
total 8
-rw-r--r-- 1 root ossec 77 2012-01-09 16:08 employees
-rw-r--r-- 1 root ossec 2345 2012-01-09 16:08 employees.cdb

I just tried adding user4 to the list and remaking the cdb, and ossec still alerts as though user4 is not on the list. The behavior seems to indicate that ossec isn't re-reading the updated lists. I guess restarting ossec is a workaround but that's a pain for every list modification.

Thanks,
Andy
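To make the stale-list behaviour in steps 1-4 concrete, here is an added Python example, not code from the post or from OSSEC: a minimal writer and reader for the cdb format that ossec-makelists produces, plus a demo that rebuilds the list without user2 and compares a snapshot that is never re-read against one that is re-read when the file's mtime or size changes. The file name, user names, empty values and the mtime/size check are assumptions made for the demo, not a description of what analysisd does internally.

```python
import os, struct, tempfile

def cdb_hash(key):                                    # djb hash used by the cdb format
    h = 5381
    for c in key:
        h = (((h << 5) + h) ^ c) & 0xFFFFFFFF
    return h
def cdb_make(path, entries):                          # entries: dict of bytes -> bytes
    # cdb layout: 2048-byte header (256 x (table pos, slots)), records, 256 hash tables
    buckets = [[] for _ in range(256)]
    with open(path, "wb") as f:
        f.write(b"\0" * 2048)                         # header is filled in last
        for k, v in entries.items():
            buckets[cdb_hash(k) & 0xFF].append((cdb_hash(k), f.tell()))
            f.write(struct.pack("<II", len(k), len(v)) + k + v)
        header = b""
        for b in buckets:
            n, tpos, slots = 2 * len(b), f.tell(), [(0, 0)] * (2 * len(b))
            for h, pos in b:                          # linear probing; (0, 0) = empty slot
                i = (h >> 8) % n
                while slots[i][1]:
                    i = (i + 1) % n
                slots[i] = (h, pos)
            f.writelines(struct.pack("<II", *s) for s in slots)
            header += struct.pack("<II", tpos, n)
        f.seek(0)
        f.write(header)
def cdb_get(image, key):                              # value for key in a cdb image, else None
    h = cdb_hash(key)
    tpos, n = struct.unpack_from("<II", image, (h & 0xFF) * 8)
    for j in range(n):
        eh, pos = struct.unpack_from("<II", image, tpos + (((h >> 8) + j) % n) * 8)
        if pos == 0:                                  # empty slot reached: key absent
            return None
        if eh == h:
            klen, dlen = struct.unpack_from("<II", image, pos)
            if image[pos + 8:pos + 8 + klen] == key:
                return image[pos + 8 + klen:pos + 8 + klen + dlen]
def file_stamp(p): return (os.stat(p).st_mtime_ns, os.stat(p).st_size)  # "changed?" token
def demo():                                           # steps 1-4 of the post, in miniature
    path = os.path.join(tempfile.mkdtemp(), "employees.cdb")   # constructed sample list
    cdb_make(path, {b"user1": b"", b"user2": b""})   # step 1: user1 and user2 on the list
    image, stamp = open(path, "rb").read(), file_stamp(path)   # like a long-lived mmap
    cdb_make(path, {b"user1": b""})                   # step 3: drop user2, rebuild the cdb
    stale = cdb_get(image, b"user2") is not None      # old snapshot still says "on list"
    if file_stamp(path) != stamp:                     # re-read only when the file changed
        image = open(path, "rb").read()
    fresh = cdb_get(image, b"user2") is not None
    return stale, fresh
```

demo() returns (True, False): the un-refreshed image keeps matching user2 exactly as the post describes, while the reader that checks the file before each lookup sees the rebuilt list.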
