author | Hendrik Jäger <gitcommit@henk.geekmail.org> | 2024-09-14 23:32:46 +0200 |
committer | Hendrik Jäger <gitcommit@henk.geekmail.org> | 2024-09-14 23:32:46 +0200 |
commit | 76eca8f840c879b03f998b339be5f809d326d647 (patch) | |
tree | 693889956285d0a42709de41b02933b8329b0563 | |
parent | ce609733a524148f1371a70533fa50445bfefb92 (diff) |
update rules
-rw-r--r-- | files/etc/logcheck/ignore.d.server/local-auditd | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/files/etc/logcheck/ignore.d.server/local-auditd b/files/etc/logcheck/ignore.d.server/local-auditd
index 5c414f6..1ba770d 100644
--- a/files/etc/logcheck/ignore.d.server/local-auditd
+++ b/files/etc/logcheck/ignore.d.server/local-auditd
@@ -29,6 +29,10 @@
 ^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=CRED_REFR msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='op=PAM:setcred grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[^"]+" hostname=[[:alnum:]:.?]+ addr=[[:xdigit:]:.?]+ terminal=[^[:space:]]+ res=success'([^[:alpha:]]+UID="[[:alnum:]]+" AUID="[[:alnum:]@_-]+")?$
 ^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=CWD msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): cwd="/root"$
 ^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=LOGIN msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ subj==?unconfined old-auid=[[:digit:]]+ auid=[[:digit:]]+ tty=\(none\) old-ses=[[:digit:]]+ ses=[[:digit:]]+ res=1([^[:alpha:]]+UID="root" OLD-AUID="[[:alpha:]]+" AUID="[[:alnum:]@_-]+")?$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=NETFILTER_CFG msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): table=filter:[[:digit:]]+ family=1 entries=[[:digit:]]+ op=nft_register_chain pid=[[:digit]]+ subj=unconfined comm="nft"$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=NETFILTER_CFG msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): table=filter:[[:digit:]]+ family=1 entries=[[:digit:]]+ op=nft_unregister_table pid=[[:digit]]+ subj=unconfined comm="nft"$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=NETFILTER_CFG msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): table=nat:[[:digit:]]+ family=2 entries=[[:digit:]]+ op=nft_register_chain pid=[[:digit]]+ subj=unconfined comm="nft"$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=NETFILTER_CFG msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): table=nat:[[:digit:]]+ family=2 entries=[[:digit:]]+ op=nft_unregister_table pid=[[:digit]]+ subj=unconfined comm="nft"$
 ^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=PATH msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): item=[[:digit:]]+ name=\(null\) inode=[[:digit:]]+ dev=[[:xdigit:]:]+ mode=[[:digit:]]+ ouid=0 ogid=0 rdev=00:00 nametype=(PARENT|CREATE) cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="root" OGID="root"$
 ^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=PROCTITLE msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): proctitle="[[:alnum:]/]+"$
 ^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=PROCTITLE msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): proctitle=[[:xdigit:]]+$ |
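Review bot: All four added NETFILTER_CFG rules spell the pid field as `pid=[[:digit]]+`, with the colon that closes the character class missing, so the bracket expression is not the digit class and cannot match a real `pid=1234`; depending on the regex engine behind logcheck's `grep -E -f`, an unterminated `[:` may instead be rejected outright, which would take the whole ignore file out of action rather than just these four rules. Change each occurrence to `pid=[[:digit:]]+`, as the neighbouring CRED_REFR and LOGIN rules already do. Separately, the new patterns silence every chain registration and table teardown on the filter and nat tables by any unconfined process named `nft`, and a NETFILTER_CFG record carries no auid or exe to narrow on, so an interactive or attacker-driven `nft` run would be suppressed alongside the firewall service's own reloads; if only the latter is intended, it is probably safer to keep these events reported. The new lines also use `subj=unconfined` where the surrounding rules use `subj==?unconfined`; harmless, but worth aligning for consistency.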