Overriding default rules


josip....@gmail.com

Nov 5, 2018, 6:41:28 AM
to Wazuh mailing list
Hi,

I'm receiving these alerts

-------
Received From: (server) IP->/var/log/secure
Rule: 5403 fired (level 4) -> "First time user executed sudo."
Portion of the log(s):

Nov  5 12:05:49 server sudo: PAM unable to dlopen(/usr/lib64/security/pam_fprintd.so): /usr/lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory
-------

Since it uses the rule 5403, I'd like to override it only for this message and leave it be for all other alerts.

Is my only option:
override 5403 to disregard PAM message
override 5404 to be the same as old 5403 rule
override 5405 to be the same as old 5404 rule
...
?

Or do you know the other way? 

juancarl...@wazuh.com

Nov 6, 2018, 2:57:50 PM
to Wazuh mailing list
Hello,

This is an interesting behavior and I will ask our team of developers to look further into it, as it isn't really a "First time user executing sudo" event. Thanks for pointing this out to us.

As for overriding just this alert I would suggest adding a child rule that matches only this message.

The documentation to reference in this case is this: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

Depending on the pattern of all the alerts you are seeing, place the following rule in /var/ossec/etc/rules/local_rules.xml:

  <rule id="100002" level="0">
    <if_sid>5403</if_sid>
    <match>^PAM unable to dlopen</match>
    <description>False sudo alert by PAM</description>
  </rule>

This should whitelist all messages like this. However you may be interested in setting a higher alert level in order to not completely ignore this message.

I hope this helps,
Best regards,
Juan Carlos

Josip Domšić

Nov 6, 2018, 3:49:27 PM
to juancarl...@wazuh.com, wa...@googlegroups.com

Thanks, I'll try it tomorrow. When I was testing, it seemed like rule 5403 was fired regardless of overriding, since it was a "lower rule id". Maybe it's just me.
As for the level, 0 is OK, since it is just "fingerprint reader is missing".

--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/22gUR4xmIII/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/4bdd47cd-1aa4-40d0-8cab-734b9d31184f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

juancarl...@wazuh.com

Nov 7, 2018, 12:42:00 PM
to Wazuh mailing list
Hi,

I look forward to knowing if it worked.

Please remember that you must reload the ossec-logtest utility after saving your custom rule for it to be considered, or the wazuh-manager if you're testing with the whole system.

The way Wazuh evaluates the rules is this: it first looks at the rule files in alphanumerical order; when it finds a rule that matches, it then looks only at the rules that are children of the matching rule, in increasing order of id, and repeats the process for the children of each subsequent match.

This process is made very clear if you run ossec-logtest -v.

Best regards,
Juan Carlos
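The evaluation order described above, as an added example that is not part of the thread or of Wazuh's own code: a small model of the rule walk (top-level rules scanned in id order, then only the children that reference the hit via if_sid, repeated until nothing deeper matches, with level 0 meaning "no alert") run over the PAM line from the original post plus two constructed log lines. The custom rule 100002 is the one suggested above; the parent rule 5400 with program_name, and the absence of any further condition on 5403, are assumptions made for the example and do not reproduce the real stock sudo rule chain.

```python
"""Simplified model of Wazuh's parent/child rule evaluation.

Added example, not Wazuh's code. It mirrors the order described in the
thread: scan top-level rules by increasing id, take the first match, then
scan only that rule's children (those whose <if_sid> names it), and repeat.
The deepest match is the rule that fires; level 0 means the event is
silenced. Only the log line, rule 5403's id/level/description and rule
100002 come from the thread; everything else is constructed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed rule set. Rule 5400 with <program_name> is a stand-in for the
# stock sudo parent rule (assumption); 100002 is the child rule from the thread.
RULES_XML = """
<group name="example">
  <rule id="5400" level="3">
    <program_name>sudo</program_name>
    <description>Stand-in parent for sudo messages (assumption).</description>
  </rule>
  <rule id="5403" level="4">
    <if_sid>5400</if_sid>
    <description>First time user executed sudo.</description>
  </rule>
  <rule id="100002" level="0">
    <if_sid>5403</if_sid>
    <match>^PAM unable to dlopen</match>
    <description>False sudo alert by PAM</description>
  </rule>
</group>
"""

# Syslog header: "Mon  D HH:MM:SS host prog[pid]: message"
SYSLOG = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ (?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Constructed sample input. The first line is the one quoted in the thread.
SAMPLE_LOGS = [
    "Nov  5 12:05:49 server sudo: PAM unable to dlopen(/usr/lib64/security/pam_fprintd.so): "
    "/usr/lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory",
    "Nov  5 12:06:01 server sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls",
    "Nov  5 12:06:30 server sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
]


def load_rules(xml_text=RULES_XML):
    """Parse <rule> elements into dicts, sorted by id (the scan order)."""
    rules = []
    for el in ET.fromstring(xml_text).iter("rule"):
        sid = el.findtext("if_sid")
        rules.append({
            "id": int(el.get("id")),
            "level": int(el.get("level")),
            "parent": int(sid) if sid else None,
            "program_name": el.findtext("program_name"),
            "match": el.findtext("match"),
            "description": el.findtext("description", ""),
        })
    return sorted(rules, key=lambda r: r["id"])


def predecode(line):
    """Split the syslog header off; return (program_name, message)."""
    m = SYSLOG.match(line)
    if not m:
        return None, line
    return m.group("prog"), m.group("msg")


def rule_matches(rule, prog, msg):
    """<program_name> compares against the decoded program; <match> against the
    message after the header, with a leading ^ anchoring at its start."""
    if rule["program_name"] is not None and rule["program_name"] != prog:
        return False
    pat = rule["match"]
    if pat is None:
        return True
    return msg.startswith(pat[1:]) if pat.startswith("^") else pat in msg


def evaluate(line, rules=None):
    """Walk the tree: first top-level hit, then only its children, and so on.
    Returns the deepest matching rule dict, or None if no top-level rule hit."""
    rules = rules or load_rules()
    prog, msg = predecode(line)
    current = None
    candidates = [r for r in rules if r["parent"] is None]
    while True:
        hit = next((r for r in candidates if rule_matches(r, prog, msg)), None)
        if hit is None:
            return current
        current = hit
        candidates = [r for r in rules if r["parent"] == hit["id"]]


def alert_for(line, rules=None):
    """(rule id, level) of the rule that fires for this line, or None."""
    rule = evaluate(line, rules)
    return None if rule is None else (rule["id"], rule["level"])


def fired_alerts(lines, rules=None):
    """Alerts that would actually be raised: level 0 silences the event."""
    out = []
    for line in lines:
        hit = alert_for(line, rules)
        if hit is not None and hit[1] > 0:
            out.append(hit)
    return out


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(alert_for(line), "<-", line[:60])
    print("raised:", fired_alerts(SAMPLE_LOGS))
```

Note that the PAM line still reaches 5403 on the way down; it is the level-0 child that stops the alert, which is why no renumbering of 5403/5404/5405 is needed. Setting 100002 to a level above 0 would keep a low-priority record of the missing pam_fprintd module instead of silencing it.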

Josip Domšić

Nov 14, 2018, 10:09:21 AM
to juancarl...@wazuh.com, wa...@googlegroups.com
Hi,

Sorry about being late - yes it worked. Thank you.
Now I understand that I don't need to override rules, I can also create a child rule. awesome :) 
