prelude-lml-rules 4.1.0-1 / etc / prelude-lml / ruleset / pam.rules

This file is indexed.

/etc/prelude-lml/ruleset/pam.rules is in prelude-lml-rules 4.1.0-1.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below. 

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
#FULLNAME: PAM
#VERSION: 1.0
#DESCRIPTION: PAM is a mechanism to integrate multiple low-level authentication schemes into a high-level application programming interface.

#####
#
# Copyright (C) 2004 Yoann Vandoorselaere <yoann@prelude-siem.org>
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:Old pam format (< 0.99):
#DESCRIPTION:Ignore opened or closed sessions
#CATEGORY:Authentication
#LOG:Apr 20 11:55:01 piche CRON[23295]: (pam_unix) session opened for user root by (uid=0)
#LOG:Apr 20 11:55:01 piche CRON[23293]: (pam_unix) session closed for user root
#LOG:Dec 14 09:31:58 piche sshd[8778]: pam_unix(ssh:session): session opened for user pollux by (uid=0)
regex=CRON\[\d+\]: \(pam_unix\) session (opened|closed) for user; \
 silent; \
 last

#DESCRIPTION:New pam format
#DESCRIPTION:Ignore opened or closed sessions (for all pam modules)
#CATEGORY:Authentication
#LOG:Dec 14 09:09:01 piche CRON[5898]: pam_unix(cron:session): session opened for user root by (uid=0)
#LOG:Dec 14 09:09:01 piche CRON[5898]: pam_unix(cron:session): session closed for user root
#LOG:Dec 14 09:31:58 piche sshd[8778]: pam_unix(ssh:session): session opened for user pollux by (uid=0)
regex=CRON\[\d+\]: \S+\(cron:\S+\): session (opened|closed) for user; \
 silent; \
 last

#DESCRIPTION:Session opened for user root
#CATEGORY:Authentication
#LOG:Apr 20 11:55:01 piche CRON[23295]: (pam_unix) session opened for user root by (uid=0)
regex=for user root by; \
 id=4; \
 assessment.impact.type=admin; \
 chained; silent

#DESCRIPTION:Session opened for user
#CATEGORY:Authentication
#LOG:Aug 14 17:32:19 blah su(pam_unix)[17944]: session opened for user root by (uid=123)
#LOG:Dec  9 18:47:10 devel5 sshd(pam_unix)[13189]: session opened for user yyyy by xxxx(uid=0)
regex=session opened for user (\S+) by (\S*)\(uid=(\d*)\); \
 optgoto=4; \
 classification.text=Credentials Change; \
 id=1; \
 revision=2; \
 analyzer(0).name=PAM; \
 analyzer(0).manufacturer=Sun Microsystems; \
 analyzer(0).class=Authentication; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=user; \
 assessment.impact.severity=low; \
 assessment.impact.description=User $2 authenticated to $1 successfuly; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$2; \
 source(0).user.user_id(0).number=$3; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$1; \
 last

#DESCRIPTION:Authentication failure
#CATEGORY:Authentication
#LOG:Dec 21 21:18:46 share2 sshd(pam_unix)[15525]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=a.b.c.d  user=root
regex=authentication failure\; logname=([^ ]*)[ ]*uid=([^ ]*)[ ]*euid=.* tty=([^ ]*)[ ]*ruser=([^ ]*)[ ]*rhost=([^ ]*)[ ]*user=([^ ]*); \
 classification.text=Credentials Change; \
 optgoto=4; \
 id=2; \
 revision=2; \
 analyzer(0).name=PAM; \
 analyzer(0).manufacturer=Sun Microsystems; \
 analyzer(0).class=Authentication; \
 assessment.impact.completion=failed; \
 assessment.impact.type=user; \
 assessment.impact.severity=high; \
 assessment.impact.description=User $4 tried to authenticate as $6 and failed; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$5; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$4; \
 source(0).user.user_id(0).tty=$3; \
 source(0).user.user_id(0).number=$2; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$6; \
 last

#DESCRIPTION:No such user
#CATEGORY:Authentication
#LOG:Dec 21 21:18:46 share2 sshd[15525]: pam_tally(sshd:auth): pam_get_uid; no such user
regex=no such user; \
 classification.text=Invalid User; \
 id=3; \
 revision=1; \
 analyzer(0).name=PAM; \
 analyzer(0).manufacturer=Sun Microsystems; \
 analyzer(0).class=Authentication; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Someone tried to log in using a non-existant user; \
 last

APT Browse - Built by Thomas Orozco.