new upstream release (3.3.0); modify package compatibility for Stretch
[ossec-hids.git] / etc / rules / openbsd_rules.xml
old mode 100755 (executable)
new mode 100644 (file)
index f970be2..6675e9e
     <description>Bad ntp peer.</description>
   </rule>
 
+  <rule id="51533" level="1">
+    <program_name>^dhclient$</program_name>
+    <if_sid>1002</if_sid>
+    <match>receive_packet failed on </match>
+    <description>dhclient receive_packet failed.</description>
+  </rule>
+
+  <rule id="51534" level="1">
+    <if_sid>51533</if_sid>
+    <match>Input/output error$</match>
+    <description>dhclient receive_packet failed due to I/O error.</description>
+  </rule>
+
+  <rule id="51535" level="1">
+    <program_name>^dhclient$</program_name>
+    <if_sid>1002</if_sid>
+    <match>SIOCDIFADDR failed </match>
+    <description>SIOCDIFADDR failed</description>
+  </rule>
+
+  <rule id="51536" level="1">
+    <if_sid>51535</if_sid>
+    <match> Device not configured$</match>
+    <description>dhclient: device not configured.</description>
+  </rule>
+
+</group>
+
+<group name="local,syslog,openbsd,doas">
+
+  <rule id="51550" level="0">
+    <decoded_as>doas</decoded_as>
+    <description>doas grouping</description>
+  </rule>
+
+  <rule id="51551" level="1">
+    <if_sid>51550</if_sid>
+    <match>cannot stat</match>
+    <description>doas cannot stat a file.</description>
+  </rule>
+
+  <rule id="51552" level="2">
+    <if_sid>51551</if_sid>
+    <match>: Permission denied$</match>
+    <description>doas cannot stat a file due to permissions.</description>
+  </rule>
+
+  <rule id="51553" level="5">
+    <if_sid>51550</if_sid>
+    <match>path not secure$</match>
+    <description>A critical path for doas does not have secure permissions.</description>
+  </rule>
+
+  <rule id="51554" level="5">
+    <if_sid>51550</if_sid>
+    <match>failed command for </match>
+    <description>Failed doas command.</description>
+  </rule>
+
+  <rule id="51555" level="1">
+    <if_sid>51550</if_sid>
+    <match>ran command</match>
+    <description>A command was run using doas.</description>
+  </rule>
+
+  <rule id="51556" level="2">
+    <if_sid>51555</if_sid>
+    <match> as root </match>
+    <description>A doas command was run as root.</description>
+  </rule>
+
+  <rule id="51557" level="5">
+    <if_sid>51550</if_sid>
+    <match>failed auth for</match>
+    <description>doas authentication failed.</description>
+  </rule>
+
+  <rule id="51558" level="4">
+    <program_name>sendsyslog</program_name>
+    <match>^dropped </match>
+    <description>sendsyslog dropped log messages.</description>
+  </rule>
 
 </group> <!-- SYSLOG,LOCAL -->
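Review bot: Rule 51557 (`failed auth for`) alerts at level 5 but carries no per-rule group tag, so repeated doas authentication failures are only ever reported as isolated events; adding `<group>authentication_failed,</group>` inside it would let any composite rule keyed on that group (if this ruleset ships one) count them, and 51554 (`failed command for `) deserves the same consideration. Rule 51558 uses an unanchored `<program_name>sendsyslog</program_name>` with no `<if_sid>`, unlike the `^dhclient$` rules added above it, so it matches any program name containing that string; `<program_name>^sendsyslog$</program_name>` would be tighter, assuming the pre-decoded name is exactly that. 51558 also sits inside the new `local,syslog,openbsd,doas` group, so dropped-log alerts will be tagged doas. Lost syslog messages are a visibility gap in their own right, so the rule probably belongs before the added `</group>` that closes the preceding group, with a short comment explaining why level 4 was chosen.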