X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=debian%2Fossec-hids%2Fusr%2Fshare%2Fdoc%2Fossec-hids%2Fcontrib%2Fossec-testing%2Ftests%2Fsudo.ini;fp=debian%2Fossec-hids%2Fusr%2Fshare%2Fdoc%2Fossec-hids%2Fcontrib%2Fossec-testing%2Ftests%2Fsudo.ini;h=f0eedc5e9f996e186a47d66158c68c2db9fa263c;hp=0000000000000000000000000000000000000000;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b

diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/sudo.ini b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/sudo.ini
new file mode 100644
index 0000000..f0eedc5
--- /dev/null
+++ b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/sudo.ini
@@ -0,0 +1,38 @@
+[sudo: all]
+log 1 pass = Apr 27 15:22:23 niban sudo:     dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/usr/bin/tail /var/log/snort/alert.fast
+log 2 pass = Apr 14 10:59:01 enigma sudo:     dcid : TTY=ttyp3 ; PWD=/home/dcid/ossec-hids.0.1a/src/analysisd ; USER=root ; COMMAND=/bin/cp -pr ../../bin/addagent ../../bin/osaudit-logaudit ../../bin/ossec-execd ../../bin/ossec-logcollector ../../bin/ossec-maild ../../bin/ossec-remoted /var/ossec/bin
+log 3 pass = Apr 19 14:52:02 enigma sudo:     dcid : TTY=ttyp3 ; PWD=/var/www/alex ; USER=root ; COMMAND=/sbin/chown dcid.dcid .
+log 4 pass = Dec 30 19:36:11 rheltest sudo: cplummer : TTY=pts/2 ; PWD=/home/cplummer1 ; USER=root ; TSID=0000UM ; COMMAND=/bin/bash
+
+rule = 5403
+alert = 4
+decoder = sudo 
+
+[Failed attempt to run sudo]
+log 1 pass = Jun 25 15:51:13 precise32 sudo:     mike : 1 incorrect password attempt ; TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/ls
+
+rule = 5401
+alert = 5
+decoder = sudo
+
+[First time user executed sudo]
+log 1 pass = Jun 25 15:48:21 precise32 sudo:  mike : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/su -
+
+rule = 5403
+alert = 4
+decoder = sudo
+
+[3 incorrect password attempts]
+log 1 pass = Jun 25 16:15:45 precise32 sudo:     mike : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/ls
+
+rule = 5404
+alert = 10
+decoder = sudo
+
+[unauthorized user]
+log 1 pass = Apr 13 08:36:31 ix sudo:     ddp2 : user NOT in sudoers ; TTY=ttypZ ; PWD=/home/ddp2 ; USER=root ; COMMAND=/bin/ls
+
+rule = 5405
+alert = 5
+decoder = sudo
+