Monitor Lshell Activities with Ossec
Contents
Problems
Notify system administrators when a user enters something wrong at lshell's prompt.
Requirements
- Ossec is installed and running well on your system
- Lshell sends its logs to syslog, with 'lshell' as syslogname. For example, in /etc/lshell.conf you must use:

    [global]
    loglevel : 2
    logfilename : syslog
    syslogname : lshell
Ossec configurations
Local Decoder
Add the following lines in your local_decoder.xml
<decoder name="lshell">
  <program_name>^lshell</program_name>
</decoder>

<decoder name="lshell-status">
  <parent>lshell</parent>
  <prematch>^\w+: \w+: </prematch>
  <regex>^(\w+): (\w+): </regex>
  <order>user,status</order>
</decoder>

<decoder name="lshell-user-status">
  <parent>lshell</parent>
  <prematch>^\w+: \W+ \w+</prematch>
  <regex>^\w+: \W+ (\w+)</regex>
  <order>status</order>
</decoder>
Local rules
Add the following lines in your local_rules.xml. You may change the rule ids and levels to fit your purpose, but every rule id must stay unique.
<!-- ================================================================= -->
<!-- Lshell monitoring -->
<!-- ================================================================= -->
<rule id="100040" level="0">
  <decoded_as>lshell</decoded_as>
  <description>lshell messages grouped</description>
</rule>

<rule id="100041" level="3">
  <if_sid>100040</if_sid>
  <match>Exited|Logged in</match>
  <description>lshell user logged in/out.</description>
</rule>

<rule id="100042" level="4">
  <if_sid>100040</if_sid>
  <status>^WARN</status>
  <description>lshell warning message.</description>
</rule>

<rule id="100043" level="7">
  <if_sid>100040</if_sid>
  <status>^ERROR</status>
  <description>lshell error message.</description>
</rule>

<rule id="100044" level="7">
  <if_sid>100040</if_sid>
  <status>forbidden</status>
  <description>User tried a forbidden command/syntax.</description>
</rule>
Sample Lshell logs
Mar 1 08:33:18 staging-app-2 lshell[9750]: trung: Logged in
Mar 1 08:33:53 staging-app-2 lshell[9750]: trung: WARN: couldn't write history to file /log/trung.lshell_history
Mar 1 08:33:57 staging-app-2 lshell[9750]: trung: WARN: couldn't write history to file /log/trung.lshell_history
Mar 1 08:33:58 staging-app-2 lshell[9750]: trung: *** forbidden command -> "sleep 10"
Mar 1 08:34:22 staging-app-2 lshell[9750]: trung: Exited
Mar 1 08:34:22 staging-app-2 lshell[9750]: trung: WARN: couldn't write history to file /log/trung.lshell_history
Mar 1 08:34:25 staging-app-2 lshell[9768]: trung: Logged in
Mar 1 08:34:32 staging-app-2 lshell[9768]: trung: *** forbidden syntax -> "lpath"
Mar 1 08:34:36 staging-app-2 lshell[9768]: trung: *** forbidden syntax -> "history"
Mar 1 09:18:34 staging-app-2 lshell[10155]: trung: Exited
Mar 1 09:18:41 staging-app-2 lshell[11225]: trung: Logged in
Mar 1 09:20:16 staging-app-2 lshell[11225]: trung: Exited
Mar 1 09:20:16 staging-app-2 lshell[11225]: trung: ERROR: Missing parameter
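To see how the decoders and rules above work together before touching a live OSSEC install, here is a small Python simulator of that decoder/rule chain run over sample log lines. It is an added example, not part of the original document and not OSSEC code: the decoder regexes are re-implemented with Python's re module (an approximation of OSSEC's own regex dialect), the child rules are checked highest level first and the first match wins (my assumption about the evaluation order; confirm with ossec-logtest), and the ERROR and forbidden rules carry ids 100043 and 100044 so that every id is unique. The log lines are constructed here and mirror the sample logs section.

```python
import re

# Constructed sample lines in the syslog format shown in the "Sample Lshell logs"
# section, plus one sshd line and one unknown lshell status to exercise edge cases.
SAMPLE_LOGS = [
    "Mar 1 08:33:18 staging-app-2 lshell[9750]: trung: Logged in",
    "Mar 1 08:33:53 staging-app-2 lshell[9750]: trung: WARN: couldn't write history to file /log/trung.lshell_history",
    'Mar 1 08:33:58 staging-app-2 lshell[9750]: trung: *** forbidden command -> "sleep 10"',
    "Mar 1 08:34:22 staging-app-2 lshell[9750]: trung: Exited",
    "Mar 1 09:20:16 staging-app-2 lshell[11225]: trung: ERROR: Missing parameter",
    "Mar 1 09:20:17 staging-app-2 sshd[11300]: Accepted publickey for trung",   # not lshell
    "Mar 1 09:21:00 staging-app-2 lshell[11400]: trung: INFO: something new",  # no child rule
]

# Syslog header: timestamp, host, program name (the <program_name> field), optional pid.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Child decoders from local_decoder.xml, as Python regexes (approximation of OSSEC's).
STATUS_DECODER = re.compile(r"^(\w+): (\w+): ")      # lshell-status  -> user,status
USER_STATUS_DECODER = re.compile(r"^\w+: \W+ (\w+)")  # lshell-user-status -> status

PARENT_RULE = {"id": 100040, "level": 0, "desc": "lshell messages grouped"}
CHILD_RULES = [
    {"id": 100041, "level": 3, "match": ("Exited", "Logged in"), "desc": "lshell user logged in/out."},
    {"id": 100042, "level": 4, "status": r"^WARN", "desc": "lshell warning message."},
    {"id": 100043, "level": 7, "status": r"^ERROR", "desc": "lshell error message."},
    {"id": 100044, "level": 7, "status": r"forbidden", "desc": "User tried a forbidden command/syntax."},
]


def decode(line):
    """Emulate the lshell decoder tree. Returns the decoded fields, or None if the
    program name is not lshell (then rule 100040 and its children never apply)."""
    m = SYSLOG_RE.match(line)
    if not m or not m.group("prog").startswith("lshell"):
        return None
    msg = m.group("msg")
    fields = {"decoded_as": "lshell", "msg": msg, "user": None, "status": None}
    s = STATUS_DECODER.match(msg)
    if s:  # "trung: WARN: ..." / "trung: ERROR: ..."
        fields["user"], fields["status"] = s.group(1), s.group(2)
        return fields
    s = USER_STATUS_DECODER.match(msg)
    if s:  # "trung: *** forbidden command -> ..."
        fields["status"] = s.group(1)
    return fields  # "Logged in" / "Exited" carry no status field at all


def evaluate(line):
    """Return the rule that fires for a line (dict with id/level/desc), or None when
    the line is not decoded as lshell. Children are tried highest level first."""
    fields = decode(line)
    if fields is None:
        return None
    for rule in sorted(CHILD_RULES, key=lambda r: -r["level"]):
        if "status" in rule:
            if fields["status"] and re.search(rule["status"], fields["status"]):
                return rule
        elif any(word in fields["msg"] for word in rule["match"]):
            return rule
    return PARENT_RULE  # grouped at level 0: no alert is generated


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        rule = evaluate(line)
        print("no lshell rule" if rule is None else f"{rule['id']} (level {rule['level']})", "<-", line)
```

Run it directly to print the rule id and level for each sample line. Two details worth noticing: the "Logged in" and "Exited" lines get no status field, so only the plain `<match>` rule can catch them, and an lshell line with a status none of the child rules know (the constructed INFO line) is silently grouped at level 0, so it never raises an alert.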
Test your Ossec configurations
Use the program ossec-logtest that ships with the Ossec installation. After you invoke the program, it waits for your input. Copy and paste any line from the previous section into the ossec-logtest window and check which decoder and rule it reports.
Miscellaneous
The original issue that motivated this document is https://github.com/ghantoos/lshell/issues/2. This document was first written by Anh K. Huynh (https://github.com/icy). For more details about Ossec, please visit its homepage http://ossec.net/.