diff options
author | Hendrik Jäger <gitcommit@henk.geekmail.org> | 2023-08-25 14:09:44 +0200 |
---|---|---|
committer | Hendrik Jäger <gitcommit@henk.geekmail.org> | 2023-08-25 14:09:44 +0200 |
commit | 3763dff3d493ac9bd37be62b7dafe881209f1cf0 (patch) | |
tree | 6a04f3387135f1136dbe5b44d3b137ab462e4b15 /files | |
parent | 89cf21d6706a178cb5299b0b064b804a9c4029b4 (diff) |
update rules
Diffstat (limited to 'files')
-rw-r--r-- | files/etc/logcheck/ignore.d.server/local-auditd | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/files/etc/logcheck/ignore.d.server/local-auditd b/files/etc/logcheck/ignore.d.server/local-auditd index ced4fe8..3ef82af 100644 --- a/files/etc/logcheck/ignore.d.server/local-auditd +++ b/files/etc/logcheck/ignore.d.server/local-auditd @@ -4,13 +4,15 @@ type=CRED_ACQ msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit type=CRED_DISP msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='op=PAM:setcred grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[^"]+" hostname=[[:alnum:]:.?]+ addr=[[:xdigit:]:.?]+ terminal=[[:alnum:]/?]+ res=success'([^[:alpha:]]+UID="[[:alnum:]]+" AUID="[[:alnum:]-]+")?$ type=CRED_REFR msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='op=PAM:setcred grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[^"]+" hostname=[[:alnum:]:.?]+ addr=[[:xdigit:]:.?]+ terminal=[[:alnum:]/?]+ res=success'([^[:alpha:]]+UID="[[:alnum:]]+" AUID="[[:alnum:]-]+")?$ type=LOGIN msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 subj==?unconfined old-auid=[[:digit:]]+ auid=[[:digit:]]+ tty=\(none\) old-ses=[[:digit:]]+ ses=[[:digit:]]+ res=1([^[:alpha:]]+UID="root" OLD-AUID="[[:alpha:]]+" AUID="[[:alnum:]-]+")?$ +type=PROCTITLE msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): proctitle="[[:alnum:]/]+"$ +type=PROCTITLE msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): proctitle=[[:xdigit:]]+$ type=SERVICE_START msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='unit=[[:alnum:]@-]+ comm="systemd" exe="/usr/lib/systemd/systemd" hostname=\? addr=\? terminal=\? res=success'[^[:alpha:]]+UID="root" AUID="unset"$ type=SERVICE_STOP msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='unit=[[:alnum:]@-]+ comm="systemd" exe="/usr/lib/systemd/systemd" hostname=\? addr=\? terminal=\? res=success'[^[:alpha:]]+UID="root" AUID="unset"$ type=USER_ACCT msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='op=PAM:accounting grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_*-]+" exe="[^"]+" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:xdigit:]:.]+) terminal=[[:alnum:]/?]+ res=success'([^[:alpha:]]+UID="[[:alnum:]]+" AUID="[[:alnum:]]+")?$ type=USER_AUTH msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='op=PAM:authentication grantors=(\?|pam_[[:alnum:]]+,?)+ acct="?[[:alnum:]?"?'$#%^~&,.;:!+=@_*\(\)\{\}-]*"? exe="[^"]*" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:xdigit:]:.]+) terminal=[[:alnum:]/?]+ res=(failed|success)'([^[:alpha:]]+UID="root" AUID="[[:alnum:]]+")?$ type=USER_CHAUTHTOK msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=0 ses=[[:digit:]]+ subj==?unconfined msg='op=display aging info id=[[:digit:]]+ exe="/usr/bin/chage" hostname=\? addr=\? terminal=\? res=success'([^[:alpha:]]+UID="root" AUID="[[:alnum:]]+" ID="[[:alnum:]-]+")?$ -type=USER_CMD msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='cwd="[^"]+" cmd=[[:alnum:][:xdigit:]]+ terminal=(\?|pts/[[:digit:]]+) res=success'$ type=USER_CMD msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='cwd="[^"]+" cmd="[[:alnum:]/]+" exe="[[:alnum:]/]+" terminal=(\?|pts/[[:digit:]]+) res=success'([^[:alpha:]]+UID="[[:alnum:]]+" AUID="[[:alnum:]]+"( ID="[[:alnum:]-]+")?)?$ +type=USER_CMD msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='cwd="[^"]+" cmd=[[:alnum:][:xdigit:]]+ terminal=(\?|pts/[[:digit:]]+) res=success'$ type=USER_END msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='op=PAM:session_close grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[^"]*" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:xdigit:]:.]+) terminal=[[:alnum:]/?]+ res=success'([^[:alpha:]]+UID="[[:alnum:]]+" AUID="[[:alnum:]-]+")?$ type=USER_ERR msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='op=PAM:bad_ident grantors=\? acct="\?" exe="/usr/sbin/sshd" hostname=[[:alnum:]:.]+ addr=[[:xdigit:]:.]+ terminal=ssh res=failed'([^[:alpha:]]+UID="root" AUID="[[:alnum:]]+"( ID="[[:alnum:]]+")?)?$ type=USER_LOGIN msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='op=login (acct="?[[:alnum:]@_-]+"?|id=[[:digit:]]+) exe="/usr/sbin/sshd" hostname=(\?|[[:alnum:]:.]+) addr=[[:xdigit:]:.]+ terminal=[^[:space:]]+ res=(failed|success)'([^[:alpha:]]+UID="root" AUID="[[:alnum:]]+"( ID="[[:alnum:]]+")?)?$ @@ -30,3 +32,4 @@ type=USER_START msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:dig ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: rate_limit 0$ ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: /sbin/augenrules: No change$ ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: The audit daemon is exiting\.$ +type=SYSCALL msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): arch=[[:xdigit:]]+ syscall=[[:digit:]]+ success=yes exit=[[:digit:]]+ a0=7 a1=[[:xdigit:]]+ a2=[[:digit:]]+ a3=[[:xdigit:]]+ items=0 ppid=4470 pid=[[:digit:]]+ auid=[[:digit:]]+ uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=\(none\) ses=[[:digit:]]+ comm="[[:alnum:]]+" exe="[[:alnum:]/]+" subj=unconfined key=\(null\)[^[:alpha:]]+ARCH=x86_64 SYSCALL=write AUID="[[:alnum:]]+" UID="[[:alnum:]]+" GID="[[:alnum:]]+" EUID="[[:alnum:]]+" SUID="[[:alnum:]]+" FSUID="[[:alnum:]]+" EGID="[[:alnum:]]+" SGID="[[:alnum:]]+" FSGID="[[:alnum:]]+"$ |