On Tue, Jan 22, 2013 at 2:34 PM, Phil Cox <[email protected]> wrote:

> Jan 22 21:01:10 ossec-global sudo: appuser : TTY=pts/0 ; PWD=/home/appuser ; USER=bob ; COMMAND=/bin/bash


Phil,

You could write a new rule in your local_rules.xml, like the following:
<!-- rules in local_rules.xml sit inside a <group> element; the name below is
     the one the stock local_rules.xml ships with -->
<group name="local,syslog,">
  <!-- child of 5400, the generic sudo rule, so it only fires on sudo events -->
  <rule id="101022" level="7">
    <if_sid>5400</if_sid>
    <match>COMMAND=/bin/bash</match>
    <description>sudo shell execution</description>
  </rule>
</group>

Here is the validation of this rule, using ossec-logtest:
% /var/ossec/bin/ossec-logtest
2013/01/23 00:43:36 ossec-testrule: INFO: Reading local decoder file.
2013/01/23 00:43:37 ossec-testrule: INFO: Started (pid: 13814).
ossec-testrule: Type one log per line.

Jan 22 21:01:10 ossec-global sudo: appuser : TTY=pts/0 ; PWD=/home/appuser ; USER=bob ; COMMAND=/bin/bash


**Phase 1: Completed pre-decoding.
       full event: 'Jan 22 21:01:10 ossec-global sudo: appuser : TTY=pts/0
; PWD=/home/appuser ; USER=bob ; COMMAND=/bin/bash'
       hostname: 'ossec-global'
       program_name: 'sudo'
       log: 'appuser : TTY=pts/0 ; PWD=/home/appuser ; USER=bob ;
COMMAND=/bin/bash'

**Phase 2: Completed decoding.
       decoder: 'sudo'

**Phase 3: Completed filtering (rules).
       Rule id: '101022'
       Level: '7'
       Description: 'sudo shell execution'
**Alert to be generated.

-Stephane.
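As an added illustration (not part of the thread and not OSSEC code), here is a small Python parser and check that does outside OSSEC what the rule above does: it decodes the sudo syslog fields and flags the event when the invoked executable is a shell, generalised from /bin/bash to a set of common shells. The SHELLS set is an assumption, and all sample lines after the first are constructed.

```python
import re

# Regex for the sudo syslog format shown in the thread:
#   "<user> : TTY=<tty> ; PWD=<dir> ; USER=<target> ; COMMAND=<cmd>"
# The syslog header (timestamp, host, "sudo:") is accepted but optional.
SUDO_RE = re.compile(
    r"^(?:\S+ +\d+ +[\d:]+ +\S+ +sudo: +)?"   # optional syslog header
    r"(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<command>.*)$"
)

# Shell executables to flag when run through sudo (assumed set).
SHELLS = {"bash", "sh", "zsh", "ksh", "dash", "su"}

def parse_sudo(line):
    """Return the decoded fields of a sudo log line, or None if it does not match."""
    m = SUDO_RE.match(line)
    return m.groupdict() if m else None

def is_shell_exec(fields):
    """Generalised form of the rule's COMMAND=/bin/bash match: true when the
    executable (first token of COMMAND, directory stripped) is a shell."""
    tokens = fields["command"].split()
    if not tokens:
        return False
    return tokens[0].rsplit("/", 1)[-1] in SHELLS

def evaluate(lines):
    """Run the check over raw log lines; return (user, target, command)
    for every line that would raise the 'sudo shell execution' alert."""
    hits = []
    for line in lines:
        f = parse_sudo(line)
        if f and is_shell_exec(f):
            hits.append((f["user"], f["target"], f["command"]))
    return hits

# Constructed sample events; the first is the line from the thread.
SAMPLE = [
    "Jan 22 21:01:10 ossec-global sudo: appuser : TTY=pts/0 ; PWD=/home/appuser ; USER=bob ; COMMAND=/bin/bash",
    "Jan 22 21:02:00 ossec-global sudo: appuser : TTY=pts/0 ; PWD=/home/appuser ; USER=root ; COMMAND=/usr/bin/apt-get update",
    "Jan 22 21:03:30 ossec-global sudo: appuser : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/zsh -l",
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE):
        print("ALERT sudo shell execution:", hit)
```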
