diff options
author | Hendrik Jäger <gitcommit@henk.geekmail.org> | 2024-10-05 23:28:48 +0200 |
---|---|---|
committer | Hendrik Jäger <gitcommit@henk.geekmail.org> | 2024-10-05 23:28:48 +0200 |
commit | 90bf6fcc33ee6d84418a467ccbc0b3a1eaea88c3 (patch) | |
tree | 60b02ddadaeea0ca2376a884d599a97369c0b7c0 | |
parent | 684dbe134f157dfb95158b66ba797e8a240f60fa (diff) |
update rules
-rw-r--r-- | files/etc/logcheck/ignore.d.server/local-auditd | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/files/etc/logcheck/ignore.d.server/local-auditd b/files/etc/logcheck/ignore.d.server/local-auditd index d9ed27f..f9fcdc2 100644 --- a/files/etc/logcheck/ignore.d.server/local-auditd +++ b/files/etc/logcheck/ignore.d.server/local-auditd @@ -39,7 +39,7 @@ ^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?USER_ACCT( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='op=PAM:accounting grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[[:alnum:]/]+" hostname=[[:alnum:]:.?]+ addr=[[:xdigit:]:.?]+ terminal=[^[:space:]]+ res=success'([^[:alpha:]]+UID="[[:alnum:]]+" AUID="[[:alnum:]@_-]+")?$ ^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?USER_ACCT( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='op=PAM:accounting grantors=pam_permit acct="[[:alnum:]@_-]+" exe="[[:alnum:]/]+" hostname=[[:alnum:]:.?]+ addr=[[:xdigit:]:.?]+ terminal=[^[:space:]]+ res=success'$ ^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?USER_AUTH( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='op=PAM:authentication grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[[:alnum:]/]+" hostname=[[:alnum:]:.?]+ addr=[[:xdigit:]:.?]+ terminal=[^[:space:]]+ res=success'([^[:alpha:]]+UID="root" AUID="[[:alnum:]@_-]+")?$ -^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?USER_AUTH( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='op=PAM:authentication grantors=(\?|pam_[[:alnum:]]+,?)+ acct="[^"]+" exe="[[:alnum:]/]*" hostname=[[:alnum:]:.?]+ addr=[[:xdigit:]:.?]+ terminal=[^[:space:]]+ res=(failed|success)'([^[:alpha:]]+UID="root" AUID="[[:alnum:]@_-]+")?$ +^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?USER_AUTH( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='op=PAM:authentication grantors=(\?|pam_[[:alnum:]]+,?)+ acct=("[^"]+"|[[:xdigit:]]+) exe="[[:alnum:]/]*" hostname=[[:alnum:]:.?]+ addr=[[:xdigit:]:.?]+ terminal=[^[:space:]]+ res=(failed|success)'([^[:alpha:]]+UID="root" AUID="[[:alnum:]@_-]+")?$ ^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?USER_CHAUTHTOK( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='op=display aging info id=[[:digit:]]+ exe="/usr/bin/chage" hostname=\? addr=\? terminal=[^[:space:]]+ res=success'([^[:alpha:]]+UID="root" AUID="[[:alnum:]@_-]+" ID="[[:alnum:]-]+")?$ ^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?USER_CMD( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='cwd="[^"]+" cmd="[[:alnum:]/]+" exe="[[:alnum:]/]+" terminal=[^[:space:]]+ res=success'([^[:alpha:]]+UID="[[:alnum:]]+" AUID="[[:alnum:]@_-]+"( ID="[[:alnum:]-]+")?)?$ ^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?USER_CMD( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='cwd="[^"]+" cmd="[[:alnum:]/]+" terminal=[^[:space:]]+ res=success'$ |