summaryrefslogtreecommitdiff
path: root/files
diff options
context:
space:
mode:
authorHendrik Jäger <gitcommit@henk.geekmail.org>2023-08-25 14:09:44 +0200
committerHendrik Jäger <gitcommit@henk.geekmail.org>2023-08-25 14:09:44 +0200
commit3763dff3d493ac9bd37be62b7dafe881209f1cf0 (patch)
tree6a04f3387135f1136dbe5b44d3b137ab462e4b15 /files
parent89cf21d6706a178cb5299b0b064b804a9c4029b4 (diff)
update rules
Diffstat (limited to 'files')
-rw-r--r--files/etc/logcheck/ignore.d.server/local-auditd5
1 files changed, 4 insertions, 1 deletions
diff --git a/files/etc/logcheck/ignore.d.server/local-auditd b/files/etc/logcheck/ignore.d.server/local-auditd
index ced4fe8..3ef82af 100644
--- a/files/etc/logcheck/ignore.d.server/local-auditd
+++ b/files/etc/logcheck/ignore.d.server/local-auditd
@@ -4,13 +4,15 @@ type=CRED_ACQ msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit
type=CRED_DISP msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='op=PAM:setcred grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[^"]+" hostname=[[:alnum:]:.?]+ addr=[[:xdigit:]:.?]+ terminal=[[:alnum:]/?]+ res=success'([^[:alpha:]]+UID="[[:alnum:]]+" AUID="[[:alnum:]-]+")?$
type=CRED_REFR msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='op=PAM:setcred grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[^"]+" hostname=[[:alnum:]:.?]+ addr=[[:xdigit:]:.?]+ terminal=[[:alnum:]/?]+ res=success'([^[:alpha:]]+UID="[[:alnum:]]+" AUID="[[:alnum:]-]+")?$
type=LOGIN msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 subj==?unconfined old-auid=[[:digit:]]+ auid=[[:digit:]]+ tty=\(none\) old-ses=[[:digit:]]+ ses=[[:digit:]]+ res=1([^[:alpha:]]+UID="root" OLD-AUID="[[:alpha:]]+" AUID="[[:alnum:]-]+")?$
+type=PROCTITLE msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): proctitle="[[:alnum:]/]+"$
+type=PROCTITLE msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): proctitle=[[:xdigit:]]+$
type=SERVICE_START msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='unit=[[:alnum:]@-]+ comm="systemd" exe="/usr/lib/systemd/systemd" hostname=\? addr=\? terminal=\? res=success'[^[:alpha:]]+UID="root" AUID="unset"$
type=SERVICE_STOP msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='unit=[[:alnum:]@-]+ comm="systemd" exe="/usr/lib/systemd/systemd" hostname=\? addr=\? terminal=\? res=success'[^[:alpha:]]+UID="root" AUID="unset"$
type=USER_ACCT msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='op=PAM:accounting grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_*-]+" exe="[^"]+" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:xdigit:]:.]+) terminal=[[:alnum:]/?]+ res=success'([^[:alpha:]]+UID="[[:alnum:]]+" AUID="[[:alnum:]]+")?$
type=USER_AUTH msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='op=PAM:authentication grantors=(\?|pam_[[:alnum:]]+,?)+ acct="?[[:alnum:]?"?'$#%^~&,.;:!+=@_*\(\)\{\}-]*"? exe="[^"]*" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:xdigit:]:.]+) terminal=[[:alnum:]/?]+ res=(failed|success)'([^[:alpha:]]+UID="root" AUID="[[:alnum:]]+")?$
type=USER_CHAUTHTOK msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=0 ses=[[:digit:]]+ subj==?unconfined msg='op=display aging info id=[[:digit:]]+ exe="/usr/bin/chage" hostname=\? addr=\? terminal=\? res=success'([^[:alpha:]]+UID="root" AUID="[[:alnum:]]+" ID="[[:alnum:]-]+")?$
-type=USER_CMD msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='cwd="[^"]+" cmd=[[:alnum:][:xdigit:]]+ terminal=(\?|pts/[[:digit:]]+) res=success'$
type=USER_CMD msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='cwd="[^"]+" cmd="[[:alnum:]/]+" exe="[[:alnum:]/]+" terminal=(\?|pts/[[:digit:]]+) res=success'([^[:alpha:]]+UID="[[:alnum:]]+" AUID="[[:alnum:]]+"( ID="[[:alnum:]-]+")?)?$
+type=USER_CMD msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='cwd="[^"]+" cmd=[[:alnum:][:xdigit:]]+ terminal=(\?|pts/[[:digit:]]+) res=success'$
type=USER_END msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='op=PAM:session_close grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[^"]*" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:xdigit:]:.]+) terminal=[[:alnum:]/?]+ res=success'([^[:alpha:]]+UID="[[:alnum:]]+" AUID="[[:alnum:]-]+")?$
type=USER_ERR msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='op=PAM:bad_ident grantors=\? acct="\?" exe="/usr/sbin/sshd" hostname=[[:alnum:]:.]+ addr=[[:xdigit:]:.]+ terminal=ssh res=failed'([^[:alpha:]]+UID="root" AUID="[[:alnum:]]+"( ID="[[:alnum:]]+")?)?$
type=USER_LOGIN msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='op=login (acct="?[[:alnum:]@_-]+"?|id=[[:digit:]]+) exe="/usr/sbin/sshd" hostname=(\?|[[:alnum:]:.]+) addr=[[:xdigit:]:.]+ terminal=[^[:space:]]+ res=(failed|success)'([^[:alpha:]]+UID="root" AUID="[[:alnum:]]+"( ID="[[:alnum:]]+")?)?$
@@ -30,3 +32,4 @@ type=USER_START msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:dig
^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: rate_limit 0$
^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: /sbin/augenrules: No change$
^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: The audit daemon is exiting\.$
+type=SYSCALL msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): arch=[[:xdigit:]]+ syscall=[[:digit:]]+ success=yes exit=[[:digit:]]+ a0=7 a1=[[:xdigit:]]+ a2=[[:digit:]]+ a3=[[:xdigit:]]+ items=0 ppid=4470 pid=[[:digit:]]+ auid=[[:digit:]]+ uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=\(none\) ses=[[:digit:]]+ comm="[[:alnum:]]+" exe="[[:alnum:]/]+" subj=unconfined key=\(null\)[^[:alpha:]]+ARCH=x86_64 SYSCALL=write AUID="[[:alnum:]]+" UID="[[:alnum:]]+" GID="[[:alnum:]]+" EUID="[[:alnum:]]+" SUID="[[:alnum:]]+" FSUID="[[:alnum:]]+" EGID="[[:alnum:]]+" SGID="[[:alnum:]]+" FSGID="[[:alnum:]]+"$