-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/pam_rules.xml, 2012/07/23 dcid Exp $
+
- Official Unix Pam rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
<description>Ignoring Annoying Ubuntu/debian cron login events.</description>
</rule>
+ <rule id="5523" level="0">
+ <if_sid>5504</if_sid>
+ <regex>^pam_unix\S+: check pass; user unknown$</regex>
+ <description>Ignoring events with a user or a password.</description>
+ </rule>
+
<rule id="5551" level="10" frequency="6" timeframe="180">
<if_matched_sid>5503</if_matched_sid>
<same_source_ip />
<group>authentication_failures,</group>
</rule>
+ <rule id="5552" level="0">
+ <if_sid>5500</if_sid>
+ <match>gdm:auth): conversation failed</match>
+ <description>PAM and gdm are not playing nicely.</description>
+ </rule>
+
+ <rule id="5553" level="4">
+ <program_name>login</program_name>
+ <match>cannot open shared object file: No such file or directory</match>
+ <description>PAM misconfiguration.</description>
+ </rule>
+
+ <rule id="5554" level="4">
+ <program_name>login</program_name>
+ <match>illegal module type: </match>
+ <description>PAM misconfiguration.</description>
+ </rule>
+
+ <rule id="5555" level="3">
+ <match>: password changed for</match>
+ <description>User changed password.</description>
+ </rule>
+
+
</group> <!-- SYSLOG,pam -->