
Daniel Cid committed b508cec Draft

Adding last -n to the default list of commands being monitored.


Files changed (2)

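--- a/etc/rules/ossec_rules.xml
+++ b/etc/rules/ossec_rules.xml
     <check_diff />
     <description>Listened ports status (netstat) changed (new port opened or closed).</description> 
   </rule>
-  
+
+  <rule id="534" level="1">
+    <if_sid>530</if_sid>
+    <match>ossec: output: 'w'</match>
+    <check_diff />
+    <description>List of logged in users. It will not be alerted by default.</description> 
+  </rule>
+
+  <rule id="535" level="1">
+    <if_sid>530</if_sid>
+    <match>ossec: output: 'last -n </match>
+    <check_diff />
+    <description>List of the last logged in users.</description> 
+  </rule>
+
   <rule id="550" level="7">
     <category>ossec</category>
     <decoded_as>syscheck_integrity_changed</decoded_as>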
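Review bot: Rule 535's description drops the "It will not be alerted by default." note that rule 534 carries, although both are level 1 with check_diff and will behave the same way; for consistency use `<description>List of the last logged in users. It will not be alerted by default.</description>`. The match string for 535 (`'last -n ` with no closing quote) reads like a truncated literal; a short comment such as `<!-- prefix match: any "last -n N" count configured on the agent -->` above the rule would make clear it is deliberate. Since the diff of `last -n 5` output changes with each new login, this rule is likely to fire often on multi-user hosts, which is presumably acceptable at level 1 (log-only) but worth stating in the description. Parent rule 530 is outside the hunk, so I have not checked that its output decoding matches these prefixes.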
       echo "    <log_format>full_command</log_format>" >> $NEWCONFIG
       echo "    <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>" >> $NEWCONFIG
       echo "  </localfile>" >> $NEWCONFIG
+      echo "" >> $NEWCONFIG
+      echo "  <localfile>" >> $NEWCONFIG
+      echo "    <log_format>full_command</log_format>" >> $NEWCONFIG
+      echo "    <command>last -n 5</command>" >> $NEWCONFIG
+      echo "  </localfile>" >> $NEWCONFIG
    fi