On Mon, Jan 9, 2012 at 4:27 PM, Andy Jack <[email protected]> wrote:
> Hello list! So I'm working on a cdb list of users so there can be rules
> that differentiate when a user on the list vs. not on the list logs in,
> as described here:
>
> http://www.ossec.net/doc/manual/rules-decoders/rule-lists.html
>
> After confirming that the list is being read and the two rules are being
> alerted correctly (one for on-the-list, and the other for
> not-on-the-list), I tried modifying the text list and re-running
> bin/ossec-makelists to see if the alerts change when a user is taken off
> the list:
>
> 1) user1 and user2 are on the list, user3 is not. run
> bin/ossec-makelists. run ossec-control start.
> 2) logging in as either user1 or user2 alerts the on-the-list rule.
> logging in as user3 alerts the not-on-the-list rule.
> 3) modify the list, removing the line for user2. re-run
> bin/ossec-makelists. leave ossec running as-is.
> 4) logging in as user2 alerts the on-the-list rule still.
>
> According to the URL above, updating the cdb file should invalidate the
> mmap and make the analysis daemon re-read the db from disk as needed,
> but this doesn't appear to be happening. Could I have something
> configured incorrectly? Permissions issue perhaps? Or do I have to
> wait a period of time for ossec to notice or purge a cache or something?
>
> root@pegasus:/var/ossec# ls -ld /var/ossec
> dr-xr-x--- 14 root ossec 4096 2012-01-09 14:13 /var/ossec
> root@pegasus:/var/ossec# ls -ld /var/ossec/lists
> drwxr-xr-x 2 root ossec 4096 2012-01-09 16:08 /var/ossec/lists
> root@pegasus:/var/ossec# ls -l /var/ossec/lists
> total 8
> -rw-r--r-- 1 root ossec 77 2012-01-09 16:08 employees
> -rw-r--r-- 1 root ossec 2345 2012-01-09 16:08 employees.cdb
>
> I just tried adding user4 to the list and remaking the cdb, and ossec
> still alerts as though user4 is not on the list. The behavior seems to
> indicate that ossec isn't re-reading the updated lists. I guess
> restarting ossec is a workaround but that's a pain for every list
> modification.
>
> Thanks,
> Andy
I don't know the answer offhand, but how long do you wait? Does ossec-makelists indicate that it's rebuilding the list?
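A way to separate "the .cdb on disk was not rebuilt" from "the analysis daemon is holding a stale mmap": build and query a cdb image directly. This is an added example, not OSSEC's code or anything from this thread; it assumes the list file is plain "key:value" lines (the sample lists below are constructed stand-ins for the employees file), and the same cdb_get can be pointed at a real /var/ossec/lists/*.cdb read into bytes.

```python
import struct
def cdb_hash(key: bytes) -> int:
    h = 5381                                   # cdb hash: h = ((h << 5) + h) ^ c, 32-bit
    for c in key:
        h = (((h << 5) + h) ^ c) & 0xFFFFFFFF
    return h

def cdb_make(records) -> bytes:
    # cdb layout: 2048-byte header of 256 (table_pos, nslots) pairs, then records
    # (klen, vlen, key, value), then 256 hash tables of (hash, pos) pairs.
    out, buckets = bytearray(2048), [[] for _ in range(256)]
    for key, val in records:
        h = cdb_hash(key)
        buckets[h & 255].append((h, len(out)))
        out += struct.pack("<II", len(key), len(val)) + key + val
    header = b""
    for entries in buckets:
        nslots = 2 * len(entries)              # tables are kept half empty
        slots = [(0, 0)] * nslots
        for h, pos in entries:
            i = (h >> 8) % nslots
            while slots[i][1]:                 # linear probing on collision
                i = (i + 1) % nslots
            slots[i] = (h, pos)
        header += struct.pack("<II", len(out), nslots)
        out += b"".join(struct.pack("<II", h, pos) for h, pos in slots)
    out[:2048] = header
    return bytes(out)

def cdb_get(image: bytes, key: bytes):
    # Look the key up the way any cdb reader (OSSEC's included) must; None if absent.
    h = cdb_hash(key)
    tpos, nslots = struct.unpack_from("<II", image, (h & 255) * 8)
    i = (h >> 8) % nslots if nslots else 0
    for _ in range(nslots):
        sh, pos = struct.unpack_from("<II", image, tpos + i * 8)
        if pos == 0:
            return None                        # empty slot reached: key not present
        klen, vlen = struct.unpack_from("<II", image, pos)
        if sh == h and image[pos + 8:pos + 8 + klen] == key:
            return image[pos + 8 + klen:][:vlen]
        i = (i + 1) % nslots
    return None

def list_to_cdb(text: str) -> bytes:
    # OSSEC list files are "key:value" lines (assumed here); blank lines are skipped.
    recs = [ln.partition(":") for ln in text.splitlines() if ln.strip()]
    return cdb_make([(k.encode(), v.encode()) for k, _, v in recs])
# Constructed stand-in for /var/ossec/lists/employees before and after dropping user2.
BEFORE, AFTER = list_to_cdb("user1:staff\nuser2:staff\n"), list_to_cdb("user1:staff\nuser3:staff\n")
```

If cdb_get on the freshly built employees.cdb already returns None for user2 while a running daemon still matches the on-the-list rule, the file is fine and the daemon is the one serving stale data.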
