On Thu, Mar 10, 2016 at 7:12 AM, Armin M <[email protected]> wrote:
> Hi,
>
> I just locked myself out of a system and found the reason to be that
> apparently, some ssh versions produce the following message for every su
> command:
>
> pam_systemd(su:session): Failed to create session: No such file or directory
>

Are you sure it was this log message that caused you to be locked out?
There is no information in that log message that could be used in an
active response.

# /var/ossec/bin/ossec-logtest
2016/03/10 07:15:22 ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
2016/03/10 07:15:22 ossec-testrule: INFO: Reading decoder file
etc/decoders.d/appleairport_decoder.xml.
2016/03/10 07:15:22 ossec-testrule: INFO: Reading decoder file
etc/decoders.d/nsd_decoder.xml.
2016/03/10 07:15:22 ossec-testrule: INFO: Reading decoder file
etc/decoders.d/openbsd-dhcpd_decoder.xml.
2016/03/10 07:15:22 ossec-testrule: INFO: Reading the lists file:
'rules/lists/ossec.block'
2016/03/10 07:15:23 ossec-testrule: INFO: Started (pid: 28800).
ossec-testrule: Type one log per line.

Mar 10 07:14:28 ix pam_systemd(su:session): Failed to create session:
No such file or directory


**Phase 1: Completed pre-decoding.
       full event: 'Mar 10 07:14:28 ix pam_systemd(su:session): Failed
to create session: No such file or directory'
       hostname: 'ix'
       program_name: '(null)'
       log: 'pam_systemd(su:session): Failed to create session: No
such file or directory'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.


> This apparently triggers rule id 5716 which matches ^Failed in auth.log.
>
> Now it seems I can't do anything against the above pam_systemd message (see
> also
> http://ubuntu-bugs.narkive.com/P3rO1nNZ/bug-1318168-re-su-failed-to-create-session-no-such-file-or-directory)
> but how can I best avoid ossec triggering on this, without removing the rule
> entirely since I still want it to trigger on other failures?
>
> Thanks,
> Armin
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.

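One way to keep the parent rule while silencing just this message, written here as an added example rather than anything posted in the thread: a level 0 child rule in local_rules.xml that hooks under the rule(s) the event actually reaches. Armin reports rule 5716; the ossec-logtest run above shows the same line landing on rule 1002 because the pre-decoder leaves program_name empty, so the example hooks under both. The rule id 100100 and the group name are assumptions, not values from the page.

```xml
<!-- /var/ossec/rules/local_rules.xml (assumed location; id 100100 is a placeholder) -->
<group name="local,syslog,">

  <!--
    Level 0 means "match but never alert", so no active response can fire.
    <if_sid> lists the rules this event reached: 5716 as reported by Armin,
    1002 as shown by ossec-logtest when program_name is '(null)'.
    <match> is a plain substring match in OSSEC, so the parentheses in
    "pam_systemd(su:session)" need no escaping.
  -->
  <rule id="100100" level="0">
    <if_sid>1002,5716</if_sid>
    <match>pam_systemd(su:session): Failed to create session: No such file or directory</match>
    <description>Ignore pam_systemd session failure on su (known noisy message).</description>
  </rule>

</group>
```

After adding the rule, re-run the same line through /var/ossec/bin/ossec-logtest and confirm Phase 3 now reports rule id 100100 at level 0 before restarting OSSEC; any other "Failed" line in auth.log still reaches 5716 unchanged.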