I have a custom alert that triggers when a new user is created on a Linux server.
My query is: where(/useradd/ AND /user/)
But I get a lot of false positive email alerts with this log: useradd_exec_t
AuditD - - - type=PATH msg=audit(1615286961.725:1562322): item=0 name="/usr/sbin/usermod" inode=4228771 dev=fd:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:useradd_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
Could you help me with which query I should set for the custom alert?
If this is a false positive, can you also provide an example of a true positive?
/useradd/ and /user/ is not really helpful, as /user/ will always be true if the word “useradd” is in the string, because it also includes “user”.
You can try it here: https://regexr.com/
Looks like a new user gets logged like this:
sudo: mike : TTY=pts/2 ; PWD=/home/mike ; USER=root ; COMMAND=/usr/sbin/adduser jim
sudo: pam_unix(sudo:session): session opened for user root by mike(uid=1000)
groupadd: group added to /etc/group: name=jim, GID=1001
groupadd: group added to /etc/gshadow: name=jim
groupadd: new group: name=jim, GID=1001
useradd: new user: name=jim, UID=1001, GID=1001, home=/home/jim, shell=/bin/bash
passwd: pam_unix(passwd:chauthtok): password changed for jim
passwd: gkr-pam: couldn't update the login keyring password: no old password was entered
chfn: changed user 'jim' information
sudo: pam_unix(sudo:session): session closed for user root
If you want to match the line:
useradd: new user: name=jim, UID=1001, GID=1001, home=/home/jim, shell=/bin/bash
I would recommend using /new user/, maybe in combination with /useradd/.
/new user/ AND /useradd/
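To see why the original query fires on the auditd line and the suggested one does not, here is an added example (not part of the thread, and not a Graylog feature) that runs both AND-of-regex rules in Python over a constructed set of log lines modelled on the ones quoted above. The sample lines, the rule names and the helper functions are all assumptions made for the demo; the regex semantics (plain `re.search`, case-sensitive, every pattern must match somewhere in the line) mirror what the thread's `/a/ AND /b/` query expresses.

```python
import re

# Constructed sample log lines, modelled on the ones quoted in this thread.
SAMPLE_LOGS = [
    # The false positive from the original post: an auditd PATH record whose only
    # "useradd" is inside the SELinux file label of /usr/sbin/usermod.
    'AuditD - - - type=PATH msg=audit(1615286961.725:1562322): item=0 '
    'name="/usr/sbin/usermod" inode=4228771 dev=fd:02 mode=0100755 ouid=0 ogid=0 '
    'rdev=00:00 obj=system_u:object_r:useradd_exec_t:s0 objtype=NORMAL '
    'cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0',
    # The true positive: the line useradd writes when it actually creates an account.
    'useradd: new user: name=jim, UID=1001, GID=1001, home=/home/jim, shell=/bin/bash',
    # Neighbouring lines from the same adduser run that should not alert on their own.
    'groupadd: new group: name=jim, GID=1001',
    'sudo: pam_unix(sudo:session): session opened for user root by mike(uid=1000)',
    'sudo: mike : TTY=pts/2 ; PWD=/home/mike ; USER=root ; COMMAND=/usr/sbin/adduser jim',
]

# Each rule is a tuple of regexes joined by AND, like the Graylog queries in the thread.
OLD_RULE = (re.compile(r"useradd"), re.compile(r"user"))      # where(/useradd/ AND /user/)
NEW_RULE = (re.compile(r"new user"), re.compile(r"useradd"))  # /new user/ AND /useradd/


def matches(line, rule):
    """AND of several regexes: every pattern must be found somewhere in the line."""
    return all(pattern.search(line) for pattern in rule)


def alerting_lines(lines, rule):
    """Return the lines a rule would raise an alert for."""
    return [line for line in lines if matches(line, rule)]


def second_term_is_redundant(lines, rule):
    """True if every line matching the first regex also matches the second,
    i.e. the second term never filters anything out (the /user/ problem)."""
    first, second = rule
    return all(second.search(line) for line in lines if first.search(line))


if __name__ == "__main__":
    for name, rule in (("old", OLD_RULE), ("new", NEW_RULE)):
        print(f"{name} rule alerts on:")
        for line in alerting_lines(SAMPLE_LOGS, rule):
            print("   ", line[:80])
    print("/user/ adds nothing to /useradd/:",
          second_term_is_redundant(SAMPLE_LOGS, OLD_RULE))
```

The old rule alerts on both the auditd record and the real account creation, because `useradd_exec_t` contains `useradd` and therefore also `user`; the new rule alerts only on the `useradd: new user:` line, since the auditd PATH record describes a file label rather than an account being created. The same `new user` message is written whether the account is created via `adduser` (as in the log above) or by running `useradd` directly, so the narrower rule still covers both paths.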
Thank you very much for helping me resolve this. I will try the new query.