authorHendrik Jäger <gitcommit@henk.geekmail.org>2023-09-23 21:20:33 +0200
committerHendrik Jäger <gitcommit@henk.geekmail.org>2023-09-23 21:20:33 +0200
commit08051fc40238f3f757bae148e171c2867cf50306 (patch)
treebbfc083fd2a307fb23e251aecaaa119f1d72a2ca /files
parent7dfc98cd0f74b08264eda135d54dfbd5b53d6844 (diff)
update rules
Diffstat (limited to 'files')
-rw-r--r--files/etc/logcheck/ignore.d.server/local-auditd4
-rw-r--r--files/etc/logcheck/ignore.d.server/local-dovecot2
2 files changed, 3 insertions, 3 deletions
diff --git a/files/etc/logcheck/ignore.d.server/local-auditd b/files/etc/logcheck/ignore.d.server/local-auditd
index b629f9b..e872a32 100644
--- a/files/etc/logcheck/ignore.d.server/local-auditd
+++ b/files/etc/logcheck/ignore.d.server/local-auditd
@@ -13,8 +13,8 @@
^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: rate_limit 0$
^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: /sbin/augenrules: No change$
^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: The audit daemon is exiting\.$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?BPF prog-id=[[:digit:]]+ op=LOAD$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?BPF prog-id=[[:digit:]]+ op=UNLOAD$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit(\[[[:digit:]]+\])?: )?BPF prog-id=[[:digit:]]+ op=LOAD$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit(\[[[:digit:]]+\])?: )?BPF prog-id=[[:digit:]]+ op=UNLOAD$
^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?CRED_ACQ pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='op=PAM:setcred grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]]+" exe="[[:alnum:]/]+" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:xdigit:]:.]+) terminal=[^[:space:]]+ res=success'
^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?CRED_DISP pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='op=PAM:setcred grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]]+" exe="[[:alnum:]/]+" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:alnum:]:.]+) terminal=[^[:space:]]+ res=success'
^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?CRED_REFR pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='op=PAM:setcred grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]]+" exe="[[:alnum:]/]+" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:alnum:]:.]+) terminal=[^[:space:]]+ res=success'
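Review bot: The new lines (L27–L28) make the pid bracket optional inside a prefix that is itself already wrapped in `(...)?`, so the rule now suppresses any log line that ends in `BPF prog-id=N op=LOAD` or `op=UNLOAD`, with no constraint on timestamp, host or emitting process; for an ignore rule in a detection pipeline that is broader than it looks. If the intent is only to cover the `audit:` form without a pid (presumably the kernel-emitted variant), keep the timestamp/host part mandatory and make just the pid optional: `^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit(\[[[:digit:]]+\])?: BPF prog-id=[[:digit:]]+ op=(LOAD|UNLOAD)$`. That single rule also replaces the two near-identical LOAD/UNLOAD lines, which is easier to keep in sync with the CRED_* rules below that still require the pid.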
diff --git a/files/etc/logcheck/ignore.d.server/local-dovecot b/files/etc/logcheck/ignore.d.server/local-dovecot
index 09bb390..b75ac06 100644
--- a/files/etc/logcheck/ignore.d.server/local-dovecot
+++ b/files/etc/logcheck/ignore.d.server/local-dovecot
@@ -32,7 +32,7 @@
^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: lda\([[:alnum:]]+\)(<[[:digit:]]+><[[:alnum:]+/]+>)?: sieve: msgid=<[[:alnum:]":<>{}@?=+/.,_!&\$%#~-]+>: stored mail into mailbox '[^[:space:]]+'$
^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: lda\([[:alnum:]]+\)(<[[:digit:]]+><[[:alnum:]+/]+>)?: sieve: msgid=unspecified: fileinto action: stored mail into mailbox '[^[:space:]]+'$
^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: lda\([[:alnum:]]+\)(<[[:digit:]]+><[[:alnum:]+/]+>)?: sieve: msgid=unspecified: stored mail into mailbox '[^[:space:]]+'$
-^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Aborted login|Disconnected): Aborted login by logging out \(.*\): user=<[[:alnum:]*_.-]*>(, method=[[:alnum:]-]+)?, rip=[[:xdigit:]:.]+, lip=[[:xdigit:]:.]+, (TLS|SSL)(: Connection closed)?(, session=<[[:alnum:]/+]+>)?$
+^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Aborted login|Disconnected): Aborted login by logging out \(.*\): user=<[[:alnum:]@*_.-]*>(, method=[[:alnum:]-]+)?, rip=[[:xdigit:]:.]+, lip=[[:xdigit:]:.]+, (TLS|SSL)(: Connection closed)?(, session=<[[:alnum:]/+]+>)?$
^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Aborted login|Disconnected): Connection closed: read\(size=[[:digit:]]+\) failed: Connection reset by peer \(.*\): user=<>, rip=[[:xdigit:]:.]+, lip=[[:xdigit:]:.]+(, session=<[[:alnum:]/+]+>)?$
^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Aborted login|Disconnected): Connection closed: read\(size=[[:digit:]]+\) failed: Connection reset by peer \(.*\): user=<>, rip=[[:xdigit:]:.]+, lip=[[:xdigit:]:.]+, (TLS|SSL)( handshaking)?:? read\(size=[[:digit:]]+\) failed: Connection reset by peer(, session=<[[:alnum:]/+]+>)?$
^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ dovecot: (pop3|imap|managesieve)-login: (Aborted login|Disconnected): Connection closed: (SSL_accept|SSL_read)\(?\)? failed: .*$