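<!--
  - Official Unix Pam rules for OSSEC.
  - Copyright (C) 2009 Trend Micro Inc.
  - This program is a free software; you can redistribute it
  - and/or modify it under the terms of the GNU General Public
  - License (version 2) as published by the FSF - Free Software
  - License details: http://www.ossec.net/en/licensing.html
  -->

<!--
  Rules for pam_unix syslog messages. Rule 5500 narrows the input to events
  the pam decoder produced; the rules that follow classify a single event
  (session open/close, bad password, unknown account), silence cron noise,
  and 5551 correlates repeated failures into a brute force alert.
  NOTE(review): the listing this was taken from drops lines between the rules
  (the closing tag of every rule, and possibly the element that links each
  child rule to 5500). The closing tags are restored here; anything else must
  be confirmed against the original file before this is deployed.
  -->
<group name="pam,syslog,">

  <!-- Parent rule: level 0 plus noalert="1" means it never alerts on its own,
       it only selects pam decoder output for the children. -->
  <rule id="5500" level="0" noalert="1">
    <decoded_as>pam</decoded_as>
    <description>Grouping of the pam_unix rules.</description>
  </rule>

  <!-- Session lifecycle, level 3 is informational. The open event is tagged
       authentication_success so other rule sets can build on it. -->
  <rule id="5501" level="3">
    <match>session opened for user </match>
    <description>Login session opened.</description>
    <group>authentication_success,</group>
  </rule>

  <rule id="5502" level="3">
    <match>session closed for user </match>
    <description>Login session closed.</description>
  </rule>

  <!-- One password failure. Level 5 by itself; repeated hits of this rule
       are what 5551 below escalates. -->
  <rule id="5503" level="5">
    <match>authentication failure; logname=</match>
    <description>User login failed.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Unknown account is a different PAM message from a wrong password, so it
       gets its own group for reporting. The trailing comma matches the other
       group lists in this file, which use the comma as the list terminator. -->
  <rule id="5504" level="5">
    <match>check pass; user unknown</match>
    <description>Attempt to login with an invalid user.</description>
    <group>invalid_login,</group>
  </rule>

  <!-- Ignoring Annoying Ubuntu/debian cron login events.
       Both suppressions are scoped twice: program_name is anchored to exactly
       CRON and the message must begin with the cron:session PAM service, so
       interactive session opens/closes (5501/5502) are not silenced.
       Presumably level 0 rules are evaluated before the others, which is what
       lets these take precedence over 5501/5502; verify against the engine. -->
  <rule id="5521" level="0">
    <program_name>^CRON$</program_name>
    <match>^pam_unix(cron:session): session opened for user </match>
    <description>Ignoring Annoying Ubuntu/debian cron login events.</description>
  </rule>

  <rule id="5522" level="0">
    <program_name>^CRON$</program_name>
    <match>^pam_unix(cron:session): session closed for user </match>
    <description>Ignoring Annoying Ubuntu/debian cron login events.</description>
  </rule>

  <!-- Brute force indicator: repeated 5503 matches (frequency 6 within a
       180 second timeframe) escalate to level 10. No same-source constraint
       is visible in this listing, so the counter may be global across all
       sources; confirm which behaviour is intended. -->
  <rule id="5551" level="10" frequency="6" timeframe="180">
    <if_matched_sid>5503</if_matched_sid>
    <description>Multiple failed logins in a small period of time.</description>
    <group>authentication_failures,</group>
  </rule>

</group> <!-- SYSLOG,pam -->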