Imported Upstream version 2.7

[ossec-hids.git] / etc / rules / solaris_bsm_rules.xml

<!-- @(#) $Id: ./etc/rules/solaris_bsm_rules.xml, 2011/09/08 dcid Exp $

  -  Official Solaris BSM Auditing rules for OSSEC.
  -
  -  Copyright (C) 2009 Trend Micro Inc.
  -  All rights reserved.
  -
  -  This program is a free software; you can redistribute it
  -  and/or modify it under the terms of the GNU General Public
  -  License (version 2) as published by the FSF - Free Software
  -  Foundation.
  -
  -  License details: http://www.ossec.net/en/licensing.html
  -->
  

<!-- Solaris BSM Log messages -->
<group name="syslog,solaris_bsm,">
  <rule id="6100" level="0">
    <decoded_as>solaris_bsm</decoded_as>
    <description>Solaris BSM Auditing messages grouped.</description>
  </rule>

  <rule id="6101" level="5">
    <if_sid>6100</if_sid>
    <status>^failed</status>
    <description>Auditing session failed.</description>
  </rule>

  <rule id="6102" level="0">
    <if_sid>6100</if_sid>
    <status>^ok</status>
    <description>Auditing session succeeded.</description>
  </rule>

  <rule id="6103" level="3">
    <if_sid>6102</if_sid>
    <match>^login</match>
    <description>Login session succeeded.</description>
    <group>authentication_success,</group>
  </rule>
  
  <rule id="6104" level="5">
    <if_sid>6101</if_sid>
    <match>^login</match>
    <description>Login session failed.</description>
    <group>authentication_failed,</group>
  </rule>
  
  <rule id="6105" level="3">
    <if_sid>6102</if_sid>
    <match>^su </match>
    <description>User successfully changed UID.</description>
    <group>authentication_success,</group>
  </rule>
  
  <rule id="6106" level="5">
    <if_sid>6103</if_sid>
    <match>^su </match>
    <description>User failed to change UID (user id).</description>
    <group>authentication_failed,</group>
  </rule>
</group> <!-- SOLARIS BSM -->

<!-- EOF -->