Hi Maxim,
First, you have to activate policy_rules in ossec.conf:
<include>policy_rules.xml</include>
I guess the problem with your rule is that the decoder is not extracting
the field *user*.
For example, if I switch from user root to homer ("root@LinMV:~# su
homer"), this log is generated: "Feb 18 11:23:17 LinMV su[1202]:
pam_unix(su:session): session opened for user homer by root(uid=0)". If you
use /var/ossec/bin/logtest you will see that the decoder doesn't extract
any field:
Feb 18 11:23:17 LinMV su[1202]: pam_unix(su:session): session opened for
user homer by root(uid=0)
**Phase 2: Completed decoding.
decoder: 'pam'
So you have 2 options: change the decoder to extract the user field, or
change your rules. Here is an example:
local_rules.xml:
<group name="policy_violation_overwrite,">
  <rule id="17101" level="9" overwrite="yes">
    <if_group>authentication_success</if_group>
    <time>00:00 am - 11:59 pm</time>
    <description>Successful login during non-business hours. TEST</description>
    <group>login_time,pci_dss_10.2.5,pci_dss_10.6.1,</group>
  </rule>

  <rule id="100002" level="0">
    <if_sid>17101</if_sid>
    <match>user homer</match>
    <description>Ignore USERNAME</description>
  </rule>
</group>
In rule 100002, I match on "user homer" in "Feb 18 11:23:17 LinMV su[1202]:
pam_unix(su:session): session opened for user homer by root(uid=0)". You
could use the regex tag for regular expressions.
*Remember to change the <time>. This is just an example.
Output:
Feb 18 11:23:17 LinMV su[1202]: pam_unix(su:session): session opened for
user homer by root(uid=0)
**Phase 1: Completed pre-decoding.
full event: 'Feb 18 11:23:17 LinMV su[1202]: pam_unix(su:session):
session opened for user homer by root(uid=0)'
hostname: 'LinMV'
program_name: 'su'
log: 'pam_unix(su:session): session opened for user homer by
root(uid=0)'
**Phase 2: Completed decoding.
decoder: 'pam'
**Phase 3: Completed filtering (rules).
Rule id: '100002'
Level: '0'
Description: 'Ignore USERNAME'
Regards.
On Thursday, February 18, 2016 at 10:29:27 AM UTC+1, Maxim Surdu wrote:
>
> Hi dear community,
>
> I installed and configured about 10 agents, and of course I have a lot of
> users; some of these users are service users.
>
> in policy-rules.xml
>
> I have the following rules:
>
> <group name="policy_violation,">
>   <rule id="17101" level="9">
>     <if_group>authentication_success</if_group>
>     <time>4 pm - 7 am</time>
>     <description>Successful login during non-business hours.</description>
>     <group>login_time,</group>
>   </rule>
>
>   <rule id="17102" level="9">
>     <if_group>authentication_success</if_group>
>     <weekday>weekends</weekday>
>     <description>Successful login during weekend.</description>
>     <group>login_day,</group>
>   </rule>
>
>
> and I added a rule to ignore user www-data:
>
>   <rule id="17103" level="0">
>     <if_sid>17101</if_sid>
>     <user>www-data</user>
>     <description>Ignore USERNAME</description>
>   </rule>
>
> but it is not working.
>
> Also, I have a lot of users whose names begin with
> __cpanel__service__auth__ftpd**********
>
> Some examples:
>
> __cpanel__service__auth__ftpd__k0MtRO0qadKcn0W104TiJX_fIUt6NTesiDOXfXjQdao09FHQbymiy9OB4AenozyY
>
> __cpanel__service__auth__ftpd__iNQU40H8hsz0rrHIyB2CSrz47pJhIaWXEvo5Bn9oYK8Jfx0LzN4rK2DqxYfnn_sn
>
>
> __cpanel__service__auth__ftpd__GkNcCNIvBSTW1ZDvgUd8RmBex9y6AaZ8BXSZFyVe9mLogb7sBHzwDSbggie5zVaE
>
>
> and OSSEC mails me about these service users logging in successfully
> during non-business hours. I know that, but I don't need that data in my
> mailbox.
>
> How can I exclude all these service users from the policy rules?
>
> I appreciate your help, and a lot of respect for the developers and community!
>
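Added example (not posted by either participant in the thread): a local_rules.xml fragment that applies the approach from the reply to the original question, i.e. silence both time-based policy rules for the cPanel FTP service accounts and for www-data without touching the decoder. It assumes the rule IDs 17101 and 17102 from the thread and the stock pam decoder, which (as the reply shows with ossec-logtest) does not populate the user field, so `<user>` cannot be used and the child rules key on the log text instead. The literal strings matched against are assumptions drawn from the usernames and the su log line quoted above; confirm them against a real event from your agents with /var/ossec/bin/ossec-logtest before relying on them.

```xml
<!-- local_rules.xml: added example, not from the thread above.
     Child rules with level 0 suppress the parent alert; they never
     generate an alert or an e-mail themselves. -->
<group name="local,policy_violation,">

  <!-- A child of both 17101 (non-business hours) and 17102 (weekend).
       <match> is a plain substring test against the whole log line, so the
       fixed account-name prefix already covers every
       __cpanel__service__auth__ftpd__<random> account, whatever the daemon
       that logged the login (pam, pure-ftpd, ...) printed around it. -->
  <rule id="100010" level="0">
    <if_sid>17101, 17102</if_sid>
    <match>__cpanel__service__auth__ftpd__</match>
    <description>Ignore cPanel FTP service accounts in policy rules.</description>
  </rule>

  <!-- Same idea for www-data. The surrounding words are taken from the
       pam_unix "session opened for user X by Y" format shown in the reply;
       the trailing " by" keeps a user whose name merely starts with
       www-data (e.g. www-data2) from being silenced too. -->
  <rule id="100011" level="0">
    <if_sid>17101, 17102</if_sid>
    <match>session opened for user www-data by</match>
    <description>Ignore www-data logins in policy rules.</description>
  </rule>
</group>
```

Rule IDs in the 100000-119999 range are reserved for local rules, so these do not collide with the shipped rule set. If you need more than a prefix test, the same rules work with `<regex>` in place of `<match>`, keeping in mind that OSSEC uses its own regex dialect (`\w`, `\d`, `\s`, `\p`, `\.`, `+`, `*`, `^`, `$`) rather than PCRE. After editing local_rules.xml, restart OSSEC and re-run the offending log line through ossec-logtest: Phase 3 should now report the level 0 child rule instead of 17101 or 17102.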