Update - this rule worked for me:
<rule id="105402" level="3">
<decoded_as>sudo</decoded_as>
<regex> ; USER=root ; TSID=\S+ ; COMMAND=</regex>
<description>Successful sudo to ROOT executed - custom</description>
</rule>
Is this the correct approach? Or in this case would it be better to update
the OSSEC-included rule 5402 to accommodate both cases?
On Tue, Dec 30, 2014 at 5:15 PM, Christina Plummer <[email protected]> wrote:
> Hello all,
>
> I noticed while testing today that OSSEC (2.8.1) is failing to properly
> match on rule 5402 when the sudo log contains the TSID= field. This field
> is related to the log_output option, which I think was added in sudo-1.7
> (for use along with sudoreplay).
>
> From the sudoers manpage:
>
> log_output  If set, sudo will run the command in a pseudo tty and log all
>             output that is sent to the screen, similar to the script(1)
>             command. If the standard output or standard error is not
>             connected to the user’s tty, due to I/O redirection or because
>             the command is part of a pipeline, that output is also captured
>             and stored in separate log files.
>
>             Output is logged to the directory specified by the iolog_dir
>             option (/var/log/sudo-io by default) using a unique session ID
>             that is included in the normal sudo log line, prefixed with
>             “TSID=”. The iolog_file option may be used to control the
>             format of the session ID.
>
>             Output logs may be viewed with the sudoreplay(8) utility, which
>             can also be used to list or search the available logs.
>
> Here is an example log that is failing to match - it just stops after
> phase 2:
>
> Dec 30 19:36:11 rheltest sudo: cplummer : TTY=pts/2 ; PWD=/home/cplummer1 ; USER=root ; TSID=0000UM ; COMMAND=/bin/bash
>
>
> **Phase 1: Completed pre-decoding.
> full event: 'Dec 30 19:36:11 rheltest sudo: cplummer : TTY=pts/2 ;
> PWD=/home/cplummer ; USER=root ; TSID=0000UM ; COMMAND=/bin/bash'
> hostname: 'rheltest'
> program_name: 'sudo'
> log: 'cplummer : TTY=pts/2 ; PWD=/home/cplummer ; USER=root ;
> TSID=0000UM ; COMMAND=/bin/bash'
>
> **Phase 2: Completed decoding.
> decoder: 'sudo'
>
>
> When I remove the "TSID=0000UM ;" from the log, it matches properly.
>
> I can see the problem is in the rule definition itself assuming that the
> COMMAND= section will immediately follow the USER= section:
>
> <rule id="5402" level="3">
> <if_sid>5400</if_sid>
> <match> ; USER=root ; COMMAND=</match>
> <description>Successful sudo to ROOT executed</description>
> </rule>
>
>
> What is the correct way to fix? Should I just add a custom rule in
> local_rules.xml that is identical to 5402, except insert the TSID=
> section? I tried a few variations on this theme and it didn't seem to
> work, e.g.
>
> <rule id="105401" level="3">
> <decoded_as>sudo</decoded_as>
> <regex> ; USER=root ; TSID=\S ; COMMAND=</regex>
> <description>Successful sudo to ROOT executed - custom2</description>
> </rule>
>
> I'm still only getting to phase 2. I am wondering if I need to update the
> decoder as well (even though it does seem to be correctly decoding the log
> as sudo).
> But given that this feature of sudo has been around for a while, might it
> be worthwhile to update the OSSEC-included rules/decoder instead of me just
> doing it locally?
>
> Thanks in advance,
> Christina
>
You received this message because you are subscribed to the Google Groups "ossec-list" group.
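As an added example (not code from the thread or from OSSEC itself), the script below emulates the small subset of OSSEC's os_regex syntax that these rules use and runs the stock rule 5402, the poster's first attempt (105401) and the working update (105402) against the decoded log text from the post, with and without the TSID field. It shows why a bare `\S` fails (it matches exactly one non-space character, but the session ID is six characters) while `\S+` matches. The mapping of `\S`, `\s`, `\.` and friends follows the OSSEC regex documentation and is an approximation of the real C engine; the fourth rule, 105403, is a hypothetical combined pattern that covers both log formats and is not from the thread.

```python
import re

# Emulation of the OSSEC os_regex escapes used in this thread (approximate,
# per the OSSEC regex docs): \s is a single space, \S anything but a space,
# \. any character, and a bare "." is a literal dot.
_OSSEC_ESCAPES = {
    "s": " ",
    "S": "[^ ]",
    "d": "[0-9]",
    "D": "[^0-9]",
    "w": "[A-Za-z0-9_]",
    "W": "[^A-Za-z0-9_]",
    ".": ".",
}


def ossec_regex_to_python(pattern):
    """Translate an OSSEC <regex> pattern into an equivalent Python re pattern."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(_OSSEC_ESCAPES.get(nxt, re.escape(nxt)))
            i += 2
            continue
        if ch in "+*^$|()":
            out.append(ch)  # same meaning in os_regex and in Python re
        else:
            out.append(re.escape(ch))  # everything else, including ".", is literal
        i += 1
    return "".join(out)


def rule_matches(rule, log):
    """True if the rule's <match> or <regex> fires on the decoded log text."""
    if "match" in rule:
        # <match> is a plain substring test; the rules here use no ^, $ or |.
        return rule["match"] in log
    return re.search(ossec_regex_to_python(rule["regex"]), log) is not None


def matching_rules(log, rules):
    """IDs of all rules that fire on one decoded log line, in rule order."""
    return [r["id"] for r in rules if rule_matches(r, log)]


# The 'log:' field OSSEC printed in phase 1 of the post, and the same line
# with "TSID=0000UM ;" removed (the case the poster says does match).
LOG_WITH_TSID = ("cplummer : TTY=pts/2 ; PWD=/home/cplummer ; USER=root ; "
                 "TSID=0000UM ; COMMAND=/bin/bash")
LOG_WITHOUT_TSID = ("cplummer : TTY=pts/2 ; PWD=/home/cplummer ; USER=root ; "
                    "COMMAND=/bin/bash")

RULES = [
    {"id": "5402", "match": " ; USER=root ; COMMAND="},               # stock rule
    {"id": "105401", "regex": r" ; USER=root ; TSID=\S ; COMMAND="},  # first attempt
    {"id": "105402", "regex": r" ; USER=root ; TSID=\S+ ; COMMAND="}, # working update
    # Hypothetical single pattern for both formats (not from the thread):
    # "\.*" is os_regex for "any sequence of characters".
    {"id": "105403", "regex": r" ; USER=root ; \.*COMMAND="},
]

if __name__ == "__main__":
    for name, log in (("with TSID", LOG_WITH_TSID), ("without TSID", LOG_WITHOUT_TSID)):
        print(f"{name:12s}: {matching_rules(log, RULES)}")
```

Running it prints 105402 and 105403 for the line with TSID, and 5402 and 105403 for the line without it, so the poster's `\S+` rule fires only on the TSID form, while the stock rule 5402 still fires only on the old form; a rule that should alert on both would need a pattern like 105403 or two rules under a shared parent.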