Jesus Linares, many thanks, it is working great. For the rest of the community who want the same rule with more users:

<match>user USER_NAME1 | user USER_NAME2 | user USER_NAME3</match>

With the cpanel users I resolved it with the next code:

<match>user www-data | __cpanel__service__auth__ftpd__</match>

Regards.
Surdu Maxim

On Thursday, 18 February 2016, 13:59:14 UTC+2, Jesus Linares wrote:
>
> Regarding cpanel users... I don't know cpanel, but it seems it is part of the chkservd service (info <https://forums.cpanel.net/threads/pure-ftpd-127-0-0-1-info-__cpanel__service__auth__ftpd.103069/>).
>
> Anyway, you can ignore them using rules.
>
> Regards.
> Jesus Linares
>
> On Thursday, February 18, 2016 at 12:35:56 PM UTC+1, Jesus Linares wrote:
>>
>> Hi Maxim,
>>
>> First, you have to activate policy_rules in ossec.conf:
>> <include>policy_rules.xml</include>
>>
>> I guess the problem with your rule is that the decoder is not extracting the field *user*.
>>
>> For example, if I switch from user root to homer ("root@LinMV:~# su homer"), this log is generated: "Feb 18 11:23:17 LinMV su[1202]: pam_unix(su:session): session opened for user homer by root(uid=0)". If you use /var/ossec/bin/logtest you will see that the decoder doesn't extract any field:
>> Feb 18 11:23:17 LinMV su[1202]: pam_unix(su:session): session opened for user homer by root(uid=0)
>> **Phase 2: Completed decoding.
>>        decoder: 'pam'
>>
>> So, you have 2 options: change the decoder to extract the user field, or change your rules. Here is an example:
>>
>> local_rules.xml:
>> <group name="policy_violation_overwrite,">
>>   <rule id="17101" level="9" overwrite="yes">
>>     <if_group>authentication_success</if_group>
>>     <time>00:00 am - 11:59 pm</time>
>>     <description>Successful login during non-business hours. TEST</description>
>>     <group>login_time,pci_dss_10.2.5,pci_dss_10.6.1,</group>
>>   </rule>
>>
>>   <rule id="100002" level="0">
>>     <if_sid>17101</if_sid>
>>     <match>user homer</match>
>>     <description>Ignore USERNAME</description>
>>   </rule>
>> </group>
>>
>> In rule 100002, I match "user homer" in "Feb 18 11:23:17 LinMV su[1202]: pam_unix(su:session): session opened for user homer by root(uid=0)". You could use the regex tag for regular expressions.
>> *Remember to change the <time>. This is an example.
>>
>> Output:
>> Feb 18 11:23:17 LinMV su[1202]: pam_unix(su:session): session opened for user homer by root(uid=0)
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Feb 18 11:23:17 LinMV su[1202]: pam_unix(su:session): session opened for user homer by root(uid=0)'
>>        hostname: 'LinMV'
>>        program_name: 'su'
>>        log: 'pam_unix(su:session): session opened for user homer by root(uid=0)'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'pam'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '100002'
>>        Level: '0'
>>        Description: 'Ignore USERNAME'
>>
>> Regards.
>>
>> On Thursday, February 18, 2016 at 10:29:27 AM UTC+1, Maxim Surdu wrote:
>>>
>>> Hi dear community,
>>>
>>> I installed and configured about 10 agents, and of course I have a lot of users; a part of these users are service users.
>>>
>>> In policy-rules.xml I have the next rules:
>>>
>>> <group name="policy_violation,">
>>>   <rule id="17101" level="9">
>>>     <if_group>authentication_success</if_group>
>>>     <time>4 pm - 7 am</time>
>>>     <description>Successful login during non-business hours.</description>
>>>     <group>login_time,</group>
>>>   </rule>
>>>
>>>   <rule id="17102" level="9">
>>>     <if_group>authentication_success</if_group>
>>>     <weekday>weekends</weekday>
>>>     <description>Successful login during weekend.</description>
>>>     <group>login_day,</group>
>>>   </rule>
>>>
>>> and I added a rule to ignore user www-data:
>>>
>>>   <rule id="17103" level="0">
>>>     <if_sid>17101</if_sid>
>>>     <user>www-data</user>
>>>     <description>Ignore USERNAME</description>
>>>   </rule>
>>>
>>> but it is not working.
>>>
>>> Also I have a lot of users that begin with __cpanel__service__auth__ftpd**********
>>>
>>> Some examples:
>>>
>>> __cpanel__service__auth__ftpd__k0MtRO0qadKcn0W104TiJX_fIUt6NTesiDOXfXjQdao09FHQbymiy9OB4AenozyY
>>>
>>> __cpanel__service__auth__ftpd__iNQU40H8hsz0rrHIyB2CSrz47pJhIaWXEvo5Bn9oYK8Jfx0LzN4rK2DqxYfnn_sn
>>>
>>> __cpanel__service__auth__ftpd__GkNcCNIvBSTW1ZDvgUd8RmBex9y6AaZ8BXSZFyVe9mLogb7sBHzwDSbggie5zVaE
>>>
>>> and OSSEC mails me that these service users successfully logged in during non-business hours. I know that, but I don't need that data in my mailbox.
>>>
>>> How can I exclude all these service users from the policy rules?
>>>
>>> I appreciate your help, and a lot of respect for the developers and community!
>>>
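As an added example that is not code from this thread or from OSSEC itself, the following Python script is a small emulator of the rule chain discussed above. It models only the subset of OSSEC behaviour the thread relies on: a parent rule that fires on a rule group (if_group), child rules that depend on it (if_sid), a <match> pattern evaluated against the raw log, and a <user> condition evaluated against the decoded fields. It lets you see offline why Maxim's original <user>www-data</user> rule never fires when the pam decoder extracts no user field, and why the <match> alternative with the __cpanel__service__auth__ftpd__ prefix catches every randomly suffixed service account. The <match> syntax is reduced to "|" as OR and "^" as a start anchor (an assumption; the real sregex syntax is richer), the <time> window is not modelled (every sample event is assumed to fall inside it), and the three PAM log lines are constructed, with a made-up cpanel suffix.

```python
"""Toy emulator of an OSSEC parent/child rule chain (added example, not OSSEC code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    id: int
    level: int
    description: str
    if_group: Optional[str] = None  # parent rule: fires when the event carries this group
    if_sid: Optional[int] = None    # child rule: only considered after this parent fired
    match: Optional[str] = None     # <match>: pattern over the raw log line
    user: Optional[str] = None      # <user>: compared with the decoded 'user' field


def sregex_match(pattern: str, text: str) -> bool:
    """Reduced <match> semantics (assumption): '|' separates alternatives, a leading
    '^' anchors that alternative to the start of the log, everything else is literal
    and is matched as-is, surrounding spaces included."""
    for alt in pattern.split("|"):
        if alt.startswith("^"):
            if text.startswith(alt[1:]):
                return True
        elif alt and alt in text:
            return True
    return False


def child_matches(child: Rule, log: str, fields: dict) -> bool:
    """A child rule applies only if every condition it carries is satisfied."""
    if child.match is not None and not sregex_match(child.match, log):
        return False
    if child.user is not None and fields.get("user") != child.user:
        return False
    return True


def evaluate(rules, log: str, groups: set, fields: dict) -> Optional[Rule]:
    """Return the winning rule: the parent whose if_group matches, unless one of
    its children also matches, in which case the child overrides it.
    A winning rule with level 0 means the event is silently dropped."""
    for parent in rules:
        if parent.if_group is None or parent.if_group not in groups:
            continue
        for child in rules:
            if child.if_sid == parent.id and child_matches(child, log, fields):
                return child
        return parent
    return None


# Rules from the thread: Jesus's <match> variant and Maxim's <user> variant.
PARENT = Rule(17101, 9, "Successful login during non-business hours.",
              if_group="authentication_success")
RULES_MATCH = [PARENT, Rule(100002, 0, "Ignore USERNAME", if_sid=17101,
                            match="user www-data | __cpanel__service__auth__ftpd__")]
RULES_USER_TAG = [PARENT, Rule(17103, 0, "Ignore USERNAME", if_sid=17101,
                               user="www-data")]

# Constructed sample events; the cpanel suffix is made up.
PAM_LOGS = [
    "Feb 18 11:23:17 LinMV su[1202]: pam_unix(su:session): session opened for user homer by root(uid=0)",
    "Feb 18 11:24:02 LinMV su[1210]: pam_unix(su:session): session opened for user www-data by root(uid=0)",
    "Feb 18 11:25:40 LinMV su[1220]: pam_unix(su:session): session opened for user "
    "__cpanel__service__auth__ftpd__EXAMPLE_SUFFIX by root(uid=0)",
]


def alerting_users(rules) -> list:
    """Users that would still raise a level > 0 alert. The pam decoder in the thread
    extracts no fields, so the decoded field dict is empty for every event."""
    hits = []
    for log in PAM_LOGS:
        winner = evaluate(rules, log, {"authentication_success"}, fields={})
        if winner is not None and winner.level > 0:
            hits.append(log.split("user ")[1].split()[0])
    return hits


if __name__ == "__main__":
    print("<user> rule, no decoded user field ->", alerting_users(RULES_USER_TAG))
    print("<match> rule on raw log          ->", alerting_users(RULES_MATCH))
```

Running it shows that with the <user> tag all three accounts still alert, because there is no decoded user field to compare against, while the <match> rule leaves only homer alerting. A prefix in <match> is a substring test, so when tuning a real deployment keep the prefix specific enough that it cannot appear in a legitimate user's log line, and confirm the result with /var/ossec/bin/logtest rather than with this emulator.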
