Dear All,
I currently have a few rules which are very similar, how can I have
multiple matches with the same rule:
<!-- Ignore System Audit of /tmp not being on its own partition -->
<rule id="100007" level="0">
<if_sid>510</if_sid>
<match>Robust partition scheme - /tmp is not on its own partition. File: /etc/fstab.</match>
<description>Ignore /tmp not being on its own partition</description>
<group>rootcheck,</group>
</rule>
<!-- Ignore System Audit of /opt not being on its own partition -->
<rule id="100008" level="0">
<if_sid>510</if_sid>
<match>Robust partition scheme - /opt is not on its own partition.</match>
<description>Ignore /opt not being on its own partition</description>
<group>rootcheck,</group>
</rule>
<!-- Ignore System Audit of /var not being on its own partition -->
<rule id="100009" level="0">
<if_sid>510</if_sid>
<match>Robust partition scheme - /var is not on its own partition.</match>
<description>Ignore /var not being on its own partition</description>
<group>rootcheck,</group>
</rule>
Is there a way to have multiple <match> lines ?
Would something like this work:
<rule id="100007" level="0">
<if_sid>510</if_sid>
<regex>Robust partition scheme - \\\w\w\w is not on its own partition.</regex>
<description>Ignore dirs on / not being on their own partition</description>
<group>rootcheck,</group>
</rule>
Basically, can I use <regex> matching instead of exact <match> ?
Thanks
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
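As an added example (not from the original post or from the OSSEC project), one way to collapse the three level-0 rules above into a single `<regex>` rule. It assumes OSSEC's own `<regex>` dialect, in which `/` is a literal needing no backslash, `\w+` matches one or more word characters and `( | )` gives alternation; the rule id, `if_sid` and group are the ones used in the post.

```xml
<!-- Added example: one suppression rule instead of three.
     The alternation lists only the directories being deliberately ignored,
     so a level-0 rule does not silently hide the same rootcheck finding for
     other paths (e.g. a broader "/\w+" would also swallow /home, /usr, ...).
     Assumes OSSEC regex syntax: literal '/', '\w+' for a run of word
     characters, and '(a|b|c)' for alternation. -->
<rule id="100007" level="0">
  <if_sid>510</if_sid>
  <regex>Robust partition scheme - (/tmp|/opt|/var) is not on its own partition</regex>
  <description>Ignore /tmp, /opt and /var not being on their own partition</description>
  <group>rootcheck,</group>
</rule>
```

The leading text is kept literal so that only the "not on its own partition" finding from sid 510 is suppressed, not every rootcheck message that passes through that parent rule.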