Update logcheck rules for auditd

1 files changed, 3 insertions, 3 deletions

diff --git a/files/etc/logcheck/ignore.d.server/local-auditd b/files/etc/logcheck/ignore.d.server/local-auditd
index 5ed3e8b..66dca88 100644
--- a/files/etc/logcheck/ignore.d.server/local-auditd
+++ b/files/etc/logcheck/ignore.d.server/local-auditd
@@ -3,10 +3,10 @@ type=USER_CHAUTHTOK msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[
 type=USER_CMD msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=0 ses=[[:digit:]]+ subj==unconfined msg='cwd="/etc/puppet" cmd=[[:xdigit:]]+ terminal=pts/[[:digit:]]+ res=success$
 type=USER_ERR msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=0 ses=[[:digit:]]+ subj==unconfined msg='op=PAM:bad_ident grantors=\? acct="\?" exe="/usr/sbin/sshd" hostname=[[:xdigit:]:.]+ addr=[[:xdigit:]:.]+ terminal=ssh res=failed'$
 type=USER_LOGIN msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='op=login acct="?[[:alnum:]@-]+"? exe="/usr/sbin/sshd" hostname=\? addr=[[:xdigit:]:.]+ terminal=sshd res=failed'$
-type=CRED_ACQ msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='op=PAM:setcred grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@-]+" exe="[^"]+" hostname=(\?|[[:xdigit:]:.]+) addr=\? terminal=(cron|ssh) res=success'$
-type=CRED_DISP msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='op=PAM:setcred grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@-]+" exe="[^"]+" hostname=\? addr=\? terminal=(cron|ssh) res=success'$
+type=CRED_ACQ msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='op=PAM:setcred grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@-]+" exe="[^"]+" hostname=(\?|[[:xdigit:]:.]+) addr=(\?|[[:xdigit:]:.]+) terminal=(cron|ssh) res=success'$
+type=CRED_DISP msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='op=PAM:setcred grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@-]+" exe="[^"]+" hostname=(\?|[[:xdigit:]:.]+) addr=\? terminal=(cron|ssh) res=success'$
 type=USER_ACCT msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='op=PAM:accounting grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@-]+" exe="[^"]+" hostname=(\?|[[:xdigit:]:.]+) addr=(\?|[[:xdigit:]:.]+) terminal=[[:alnum:]/]+ res=success'$
 type=USER_AUTH msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='op=PAM:authentication grantors=(\?|pam_[[:alnum:]]+,?)+ acct="[[:alnum:].@-]+" exe="[^"]*" hostname=[[:xdigit:]:.]+ addr=[[:xdigit:]:.]+ terminal=(ssh|dovecot) res=(failed|success)'$
 type=USER_START msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='op=PAM:session_open grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@-]+" exe="/usr/sbin/cron" hostname=(\?|[[:xdigit:]:.]+) addr=(\?|[[:xdigit:]:.]+) terminal=(cron|ssh) res=success'$
-type=USER_END msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='op=PAM:session_close grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@-]++" exe="/usr/sbin/cron" hostname=\? addr=\? terminal=cron res=success'$
+type=USER_END msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='op=PAM:session_close grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@-]+" exe="/usr/sbin/cron" hostname=(\?|[[:xdigit:]:.]+) addr=(\?|[[:xdigit:]:.]+) terminal=cron res=success'$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: Audit daemon rotating log files$