Update logcheck rules for auditd

1 files changed, 4 insertions, 0 deletions

diff --git a/files/etc/logcheck/ignore.d.server/local-auditd b/files/etc/logcheck/ignore.d.server/local-auditd
index 13df1eb..3dbb786 100644
--- a/files/etc/logcheck/ignore.d.server/local-auditd
+++ b/files/etc/logcheck/ignore.d.server/local-auditd
@@ -1 +1,5 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: Audit daemon rotating log files$
+type=USER_(START|END) msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=108 ses=[[:digit:]]+ subj==unconfined msg='op=PAM:session_open grantors=pam_loginuid,pam_env,pam_env,pam_permit,pam_unix,pam_limits acct="(logcheck|root|daemon|www-data)" exe="/usr/sbin/cron" hostname=\? addr=\? terminal=cron res=success'$
+type=USER_LOGIN msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=0 ses=[[:digit:]]+ subj==unconfined msg='op=login acct=[[:digit:]]+ exe="/usr/sbin/sshd" hostname=? addr=[[:xdigit:]:.]+ terminal=sshd res=failed'$
+type=USER_ERR msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=0 ses=[[:digit:]]+ subj==unconfined msg='op=PAM:bad_ident grantors=? acct="?" exe="/usr/sbin/sshd" hostname=[[:xdigit:]:.]+ addr=[[:xdigit:]:.]+ terminal=ssh res=failed'$
+type=USER_AUTH msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=0 ses=[[:digit:]]+ subj==unconfined msg='op=PAM:authentication grantors=? acct="[[:alnum:]]+" exe="/usr/sbin/sshd" hostname=[[:xdigit:]:.]+ addr=[[:xdigit:]:.]+ terminal=ssh res=failed'$