Ignore a user specific process in csf.pignore
Posted: 19 Sep 2019, 14:24
by klodoma
Hi,
I am a bit confused about the structure of csf.pignore.
How can I ignore a specific exe or cmd for ANY user and for a specific user?
Code:
exe:/usr/sbin/proftpd - ignore proftpd for any user!?
user:bob
exe:/usr/sbin/exec1 - ignore exec1 for user bob?
exe:/usr/sbin/exec2 - ignore exec2 for user bob?
user:charlie
exe:/usr/sbin/exec1 - ignore exec1 for user charlie?
exe:/usr/sbin/exec2 - ignore exec2 for user charlie?
exe:/usr/sbin/foobar - ignore foobar for any user or just charlie!?
I looked here for a sample:
https://diadem.in/blog/csflfd-installation-for-plesk/
Re: Ignore a user specific process in csf.pignore
Posted: 19 Sep 2019, 20:02
by BallyBasic79
For detail, refer to "8. Process Tracking" in https://download.configserver.com/csf/readme.txt (if you haven't already).
My understanding is that csf.pignore will ignore:
• a specific CMD or EXE for all users
• for a specific USER, all cmd or exe
I'm not clear from your message if you are looking to combine the two options for more discriminate ignoring of specific processes for only specific users. Will you please clarify?
From experience, I know that getting the format of the process statement correct can be troublesome. There are several notes in the readme on the source of the process that CSF uses for evaluation (/proc), where to get more information, and a caution about a problematic NULL character that can be inadvertently copied into the pignore file.
I hope this helps you solve this.
Re: Ignore a user specific process in csf.pignore
Posted: 30 Sep 2019, 10:28
by klodoma
BallyBasic79 wrote: ↑19 Sep 2019, 20:02
My understanding is that csf.pignore will ignore:
• a specific CMD or EXE for all users
• for a specific USER, all cmd or exe
I'm not clear from your message if you are looking to combine the two options for more discriminate ignoring of specific processes for only specific users. Will you please clarify?
Sorry for the late reply, I was out.
Yes, I am looking to see if the combination of the user/exe (or cmd) is possible.
My use-case is very simple:
/usr/sbin/exec1 is OK to run under a specific user but I want it to be reported if another user runs it.
exe:/usr/sbin/exec1
Another real-life example:
/usr/local/openvpn_as/bin/python is OK to run as user openvpn_as but all the rest should be reported.
Now if I put
Code:
exe:/usr/local/openvpn_as/bin/python
then this will be ignored for all users, so the question is if the following does the trick?
Code:
user:openvpn_as
exe:/usr/local/openvpn_as/bin/python
Re: Ignore a user specific process in csf.pignore
Posted: 01 Oct 2019, 07:38
by BallyBasic79
klodoma wrote: ↑30 Sep 2019, 10:28
so the question is if the following does the trick?
Code:
user:openvpn_as
exe:/usr/local/openvpn_as/bin/python
You have a good opportunity to find out: "Test and See."
I am fairly certain that will ignore everything for openvpn_as
and also ignore /usr/local/openvpn_as/bin/python for all users.
But not that exe for just that one user.
Question: Which is more critical (or which do you want to put up with more)? Getting the notices of any activity or ignoring the ones you can ignore? Maybe create a filter in your mail client to delete the ones citing that user? HTH
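The matching behaviour described in the replies above, as an added Python model that is not part of the original thread and is not lfd's own code. It assumes each csf.pignore line is an independent rule, matched as an exact string, and handles only the exe:, cmd: and user: prefixes; the process records are constructed, with the user name charlie borrowed from the first post.

```python
# Added illustration: models the matching behaviour described in this thread.
# Not lfd's code. Assumption: every line is an independent, exact-match rule.

def parse_pignore(text):
    """Return (rules, warnings). A user: line does NOT scope the
    exe:/cmd: lines that follow it; each line stands alone."""
    rules = {"exe": set(), "cmd": set(), "user": set()}
    warnings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "\x00" in line:
            # The NUL caution mentioned in the thread: flag it, do not load it.
            warnings.append(f"line {lineno}: contains a NUL character")
            continue
        kind, sep, value = line.partition(":")
        if sep and kind in rules and value:
            rules[kind].add(value)
        else:
            warnings.append(f"line {lineno}: unrecognised entry {line!r}")
    return rules, warnings

def is_ignored(rules, user, exe, cmd):
    """A process is skipped as soon as ANY single rule matches it."""
    return exe in rules["exe"] or cmd in rules["cmd"] or user in rules["user"]

PYTHON = "/usr/local/openvpn_as/bin/python"
PIGNORE = "user:openvpn_as\nexe:" + PYTHON + "\n"

# Constructed process records: (user, exe, cmd)
PROCS = [
    ("openvpn_as", PYTHON, PYTHON + " service.py"),
    ("charlie", PYTHON, PYTHON + " other.py"),   # the case klodoma wants reported
    ("openvpn_as", "/bin/sh", "sh -c id"),
    ("charlie", "/bin/sh", "sh -c id"),
]

def report(pignore_text, procs):
    """Return (user, exe) for every process that no rule ignores."""
    rules, _ = parse_pignore(pignore_text)
    return [(u, e) for (u, e, c) in procs if not is_ignored(rules, u, e, c)]

if __name__ == "__main__":
    for user, exe in report(PIGNORE, PROCS):
        print("would be reported:", user, exe)
```

Under this model the two-line file suppresses the python process for charlie as well, and suppresses everything run by openvpn_as, so only charlie's /bin/sh remains reportable.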