Ignore a user specific process in csf.pignore


Post by klodoma »

Hi,

I am a bit confused about the structure of csf.pignore

How can I ignore a specific exe or cmd for ANY user and for a specific user?

Code:

exe:/usr/sbin/proftpd - ignore proftpd for any user!?

user:bob
exe:/usr/sbin/exec1 - ignore exec1 for user bob?
exe:/usr/sbin/exec2 - ignore exec2 for user bob?

user:charlie
exe:/usr/sbin/exec1 - ignore exec1 for user charlie?
exe:/usr/sbin/exec2 - ignore exec2 for user charlie?

exe:/usr/sbin/foobar - ignore foobar for any user or just charlie!?

I looked here for a sample:
https://diadem.in/blog/csflfd-installation-for-plesk/

Re: Ignore a user specific process in csf.pignore

Post by BallyBasic79 »

For detail, refer to 8. Process Tracking in https://download.configserver.com/csf/readme.txt (if you haven't already.)

My understanding is that csf.pignore will ignore:
• a specific CMD or EXE for all users
• for a specific USER, all cmd or exe

I'm not clear from your message if you are looking to combine the two options for more discriminate ignoring of specific processes for only specific users. Will you please clarify?

From experience, I know that getting the format of the process statement correct can be troublesome. There are several notes in the readme on the source of the process that CSF uses for evaluation (/proc), where to get more information, and a caution about a problematic NULL character that can be inadvertently copied into the pignore file.

I hope this helps you solve this.

Re: Ignore a user specific process in csf.pignore

Post by klodoma »

BallyBasic79 wrote: 19 Sep 2019, 20:02
My understanding is that csf.pignore will ignore:
• a specific CMD or EXE for all users
• for a specific USER, all cmd or exe

I'm not clear from your message if you are looking to combine the two options for more discriminate ignoring of specific processes for only specific users. Will you please clarify?

Sorry for the late reply, I was out.
Yes, I am looking to see if the combination of the user/exe (or cmd) is possible.
My use-case is very simple:

/usr/sbin/exec1 is OK to run under a specific user but I want it to be reported if another user runs it.
exe:/usr/sbin/exec1

Another real-life example:
/usr/local/openvpn_as/bin/python is OK to run as user openvpn_as but all the rest should be reported.
Now if I put

Code:

exe:/usr/local/openvpn_as/bin/python

then this will be ignored for all users, so the question is if the following does the trick?

Code:

user:openvpn_as
exe:/usr/local/openvpn_as/bin/python

Re: Ignore a user specific process in csf.pignore

Post by BallyBasic79 »

klodoma wrote: 30 Sep 2019, 10:28
so the question is if the following does the trick?

Code:

user:openvpn_as
exe:/usr/local/openvpn_as/bin/python

You have a good opportunity to find out: "Test and See."

I am fairly certain that will ignore everything for openvpn_as
and also ignore /usr/local/openvpn_as/bin/python for all users.
But not that exe for just that one user.

Question: Which is more critical (or which do you want to put up with more)? Getting the notices of any activity or ignoring the ones you can ignore? Maybe create a filter in your mail client to delete the ones citing that user? HTH
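The behaviour described in the last reply, as an added example that is not part of the original thread and is not lfd's own code. It assumes each csf.pignore line is an independent rule and that a process is ignored when any single rule matches; the process list, the `/usr/bin/perl` path and the function names are constructed for illustration.

```python
# Model of csf.pignore matching as described in the thread (assumption:
# every line is an independent rule; a process is ignored if ANY rule matches).

# Entries from the question; the file has no per-user sections.
PIGNORE = """\
user:openvpn_as
exe:/usr/local/openvpn_as/bin/python
"""

# Constructed process samples: (user, exe)
PY = "/usr/local/openvpn_as/bin/python"
PROCESSES = [
    ("openvpn_as", PY),               # the one pair the admin approves
    ("bob", PY),                      # admin wants this reported
    ("openvpn_as", "/usr/bin/perl"),  # admin wants this reported
    ("bob", "/usr/bin/perl"),
]

def parse_pignore(text):
    """Return {type: set(values)} for the exe:, user: and cmd: line types."""
    rules = {"exe": set(), "user": set(), "cmd": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, sep, value = line.partition(":")
        if sep and kind in rules:
            rules[kind].add(value)
    return rules

def is_ignored(rules, user, exe, cmd=""):
    """Rules are OR-ed: a user: line never narrows the exe: line after it."""
    return exe in rules["exe"] or user in rules["user"] or cmd in rules["cmd"]

def report(rules, processes):
    """Processes that would still be reported."""
    return [p for p in processes if not is_ignored(rules, *p)]

def blind_spots(rules, processes, approved_pairs):
    """Processes suppressed although their (user, exe) pair was never approved."""
    return [p for p in processes
            if is_ignored(rules, *p) and p not in approved_pairs]

RULES = parse_pignore(PIGNORE)
print("reported:   ", report(RULES, PROCESSES))
print("blind spots:", blind_spots(RULES, PROCESSES, {("openvpn_as", PY)}))
```

Under these assumptions the two-line file suppresses three of the four sample processes, two of which the admin wanted to hear about.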