Regarding cpanel users... I don't know cpanel, but it seems is part of chkservd service (info <https://forums.cpanel.net/threads/pure-ftpd-127-0-0-1-info-__cpanel__service__auth__ftpd.103069/>). Anyway, you can ignore them using rules.
Regards. Jesus Linares On Thursday, February 18, 2016 at 12:35:56 PM UTC+1, Jesus Linares wrote: > > Hi Maxim, > > First, you have to activate policy_rules: ossec.conf: > <include>policy_rules.xml</include> > > I guess the problem with your rule is that the decoder is not extracting > the field *user*. > > For example, if I switch between user root to homer: "root@LinMV:~# su > homer" it is generated this log: "Feb 18 11:23:17 LinMV su[1202]: > pam_unix(su:session): session opened for user homer by root(uid=0)". If you > use /var/ossec/bin/logtest you will see that the decoder doesn't extract > any field: > Feb 18 11:23:17 LinMV su[1202]: pam_unix(su:session): session opened for > user homer by root(uid=0) > **Phase 2: Completed decoding. > decoder: 'pam' > > So, you have 2 options, change the decoder to extract the user field, or > change your rules. Here an example: > > local_rules.xml: > <group name="policy_violation_overwrite,"> > <rule id="17101" level="9" overwrite="yes"> > <if_group>authentication_success</if_group> > <time>00:00 am - 11:59 pm</time> > <description>Successful login during non-business hours. TEST > </description> > <group>login_time,pci_dss_10.2.5,pci_dss_10.6.1,</group> > </rule> > > <rule id="100002" level="0"> > <if_sid>17101</if_sid> > <match>user homer</match> > <description>Ignore USERNAME</description> > </rule> > </group> > > In rule 100002, I match with "user homer": "Feb 18 11:23:17 LinMV > su[1202]: pam_unix(su:session): session opened for user homer by > root(uid=0)". You could use regex tag for regular expressions. > *Remember to change the <time>. This is an example. > > Output: > Feb 18 11:23:17 LinMV su[1202]: pam_unix(su:session): session opened for > user homer by root(uid=0) > > > > > **Phase 1: Completed pre-decoding. > full event: 'Feb 18 11:23:17 LinMV su[1202]: pam_unix(su:session): > session opened for user homer by root(uid=0)' > hostname: 'LinMV' > program_name: 'su' > log: 'pam_unix(su:session): session opened for user homer by > root(uid=0)' > > > **Phase 2: Completed decoding. > decoder: 'pam' > > > **Phase 3: Completed filtering (rules). > Rule id: '100002' > Level: '0' > Description: 'Ignore USERNAME' > > Regards. > > > On Thursday, February 18, 2016 at 10:29:27 AM UTC+1, Maxim Surdu wrote: >> >> Hi dear community, >> >> i install and configure about 10 agents, and of course i have a lot of >> users,a part of this users are service-users >> >> in policy-rules.xml >> >> i have next rules >> >> <group name="policy_violation,"> >> <rule id="17101" level="9"> >> <if_group>authentication_success</if_group> >> <time>4 pm - 7 am</time> >> <description>Successful login during non-business hours.</description> >> <group>login_time,</group> >> </rule> >> >> <rule id="17102" level="9"> >> <if_group>authentication_success</if_group> >> <weekday>weekends</weekday> >> <description>Successful login during weekend.</description> >> <group>login_day,</group> >> </rule> >> >> >> and ii add a rule to ignore user www-data >> >> <rule id="17103" level="0"> >> <if_sid>17101</if_sid> >> <user>www-data</user> >> <description>Ignore USERNAME</description> >> </rule> >> >> but is not working >> >> also i have a lot of users what begin with >> __cpanel__service__auth__ftpd********** >> >> some exaples: >> >> __cpanel__service__auth__ftpd__k0MtRO0qadKcn0W104TiJX_fIUt6NTesiDOXfXjQdao09FHQbymiy9OB4AenozyY >> >> __cpanel__service__auth__ftpd__iNQU40H8hsz0rrHIyB2CSrz47pJhIaWXEvo5Bn9oYK8Jfx0LzN4rK2DqxYfnn_sn >> >> >> __cpanel__service__auth__ftpd__GkNcCNIvBSTW1ZDvgUd8RmBex9y6AaZ8BXSZFyVe9mLogb7sBHzwDSbggie5zVaE >> >> >> and ossec mail me for this service-users that they successful login >> during non-business hours, i know that but i don't need that data in >> mail box >> >> how can i exclude all this service users for policy rules? >> >> i appreciate your help, and a lot of respect for developers and community! >> > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
