[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ossec-dev] Re: src/dst user patch

To: ossec-dev@xxxxxxxxxxxxxxxx
Subject: [ossec-dev] Re: src/dst user patch
From: "Daniel Cid" <dcid@xxxxxxxxx>
Date: Thu, 9 Aug 2007 23:05:04 -0300

Hi Sebastien,

Sorry for taking so long to reply, I was quite busy with the release of 1.3.

Anyway, your patched worked fine and it clarifies the internal structures of
ossec a bit, but I am afraid that it can make it more confusing for the users
writing rules and using ossec (which were used with the user field). It will
also break backwards compatibility with previous versions...

I am still struggling where this is the best option for both the code standpoint
and for the final user.

Anyone has other suggestions? If you didn't follow this thread, currently we
have "user" and "dstuser" on ossec. User is used all the time and "dstuser"
is only used with sudo and su. The proposed patch changes user to be "srcuser"
(internally) and on the rules/decoders, user becomes dstuser (as in target
user).

*btw, how is the prelude work going? Do you asked me for cvs access? I thought
so , but I can't record.. If yes, let me know and I will create an
account for you.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 8/2/07, Sebastien Tricaud <sebastien.tricaud@xxxxxxxxx> wrote:
> Hello people,
>
> the following patch makes things clear towards datastructure and
> improves usability.
>
> Previously, when defining/receiving rulesets, you'd never know whether
> user meant source user or target user.
>
> Even though it is almost always a target user, things were not clear enough.
>
>
> For example, when doing:
> toady@achilles% su root
> Password:
> su: Authentication failure
> Sorry.
>
>
> The following email will be now sent:
> OSSEC HIDS Notification.
> 2007 Aug 02 16:18:52
>
> Received From: achilles->/var/log/auth.log
> Rule: 5302 fired (level 9) -> "User missed the password to change UID to
> root."
> Portion of the log(s):
>
> Source User: toady
> Target User: root
> Aug  2 16:18:51 achilles su[29634]: - pts/3 str:root
>
>
>  --END OF NOTIFICATION
>
> As you can see, the source user here is toady, whois is performing a su
> into root.
>
>
> In this patch, rulesets are updated, xml parser and analysis as well.
>
>
> Feel free to provide any comments,
>
> Thanks,
> Sebastien.
>
>
>

Follow-Ups:
- [ossec-dev] Re: src/dst user patch
  - From: Sebastien Tricaud

References:
- [ossec-dev] src/dst user patch
  - From: Sebastien Tricaud

Prev by Date: [ossec-dev] Re: [PATCHv2] Make syscheckd use SCHED_BATCH on Linux versions that support it
Next by Date: [ossec-dev] Re: src/dst user patch
Previous by thread: [ossec-dev] src/dst user patch
Next by thread: [ossec-dev] Re: src/dst user patch
Index(es):
- Date
- Thread

OSSEC home | Main Index | Thread Index

OSSEC project: www.ossec.net.
Mailling list information: http://www.ossec.net/en/mailing_lists.html.