File: pam.rules

package info (click to toggle)
prelude-lml 1.0.0-1
  • links: PTS
  • area: main
  • in suites: squeeze
  • size: 7,724 kB
  • ctags: 4,520
  • sloc: ansic: 36,137; sh: 11,362; makefile: 253; python: 21
file content (110 lines) | stat: -rw-r--r-- 4,401 bytes parent folder | download | duplicates (3) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
 
#####
#
# Copyright (C) 2004 Yoann Vandoorselaere <yoann@prelude-ids.org>
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; see the file COPYING.  If not, write to
# the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
#
#####

# The two first rules ignore cron jobs (allowing admin to log them, but without receiving
# alerts), without having to reconfigure or change the syslog engine.
#
# other lines will still be logged by pam.rules:
# Dec 14 09:31:58 piche sshd[8778]: pam_unix(ssh:session): session opened for user pollux by (uid=0)

# old pam format (< 0.99):

# ignore opened or closed sessions
#Apr 20 11:55:01 piche CRON[23295]: (pam_unix) session opened for user root by (uid=0)
#Apr 20 11:55:01 piche CRON[23293]: (pam_unix) session closed for user root
#LOG:Dec 14 09:31:58 piche sshd[8778]: pam_unix(ssh:session): session opened for user pollux by (uid=0)
regex=CRON\[\d+\]: \(pam_unix\) session (opened|closed) for user; \
 silent; \
 last;

# new pam format:
# ignore opened or closed sessions (for all pam modules)
#Dec 14 09:09:01 piche CRON[5898]: pam_unix(cron:session): session opened for user root by (uid=0)
#Dec 14 09:09:01 piche CRON[5898]: pam_unix(cron:session): session closed for user root
#LOG:Dec 14 09:31:58 piche sshd[8778]: pam_unix(ssh:session): session opened for user pollux by (uid=0)
regex=CRON\[\d+\]: \S+\(cron:\S+\): session (opened|closed) for user; \
 silent; \
 last;

regex=for user root by; id=4; \
assessment.impact.type=admin; \
chained; silent;


#LOG:Aug 14 17:32:19 blah su(pam_unix)[17944]: session opened for user root by (uid=123)
#LOG:Dec  9 18:47:10 devel5 sshd(pam_unix)[13189]: session opened for user yyyy by xxxx(uid=0)
regex=session opened for user (\S+) by (\S*)\(uid=(\d*)\); optgoto=4; \
 classification.text=Credentials Change; \
 id=1; \
 revision=2; \
 analyzer(0).name=PAM; \
 analyzer(0).class=Authentication; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=user; \
 assessment.impact.severity=low; \
 assessment.impact.description=User $2 authenticated to $1 successfuly; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$2;  \
 source(0).user.user_id(0).number=$3; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$1; \
 last

# LOG:Dec 21 21:18:46 share2 sshd(pam_unix)[15525]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=a.b.c.d  user=root
#
regex=authentication failure\; logname=([^ ]*)[ ]*uid=([^ ]*)[ ]*euid=.* tty=([^ ]*)[ ]*ruser=([^ ]*)[ ]*rhost=([^ ]*)[ ]*user=([^ ]*); \
 classification.text=Credentials Change; optgoto=4; \
 id=2; \
 revision=2; \
 analyzer(0).name=PAM; \
 analyzer(0).class=Authentication; \
 assessment.impact.completion=failed; \
 assessment.impact.type=user; \
 assessment.impact.severity=high; \
 assessment.impact.description=User $4 tried to authenticate as $6 and failed; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$5; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$4;           \
 source(0).user.user_id(0).tty=$3; \
 source(0).user.user_id(0).number=$2; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$6; \
 last

# No log sample; please submit
regex=no such user; \
 classification.text=Invalid User; \
 id=3; \
 revision=1; \
 analyzer(0).name=PAM; \
 analyzer(0).class=Credentials Change; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Someone tried to log in using a non-existant user; \
 last