author | Hendrik Jäger <gitcommit@henk.geekmail.org> | 2021-05-03 22:20:29 +0300 |
---|---|---|
committer | Hendrik Jäger <gitcommit@henk.geekmail.org> | 2021-05-03 22:20:29 +0300 |
commit | cf985884dae8da4d10587bc3bb38389e8e90e8db (patch) | |
tree | 9ae5ca08f7545c259532f7dd0b6f9c79f9254bc8 /files | |
parent | 2964ab449ed916a7b9091a962eb40a0add553cb5 (diff) |
Update logcheck rules for auditd
Diffstat (limited to 'files')
-rw-r--r-- | files/etc/logcheck/ignore.d.server/local-auditd | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/files/etc/logcheck/ignore.d.server/local-auditd b/files/etc/logcheck/ignore.d.server/local-auditd
index 7874007..845e5cf 100644
--- a/files/etc/logcheck/ignore.d.server/local-auditd
+++ b/files/etc/logcheck/ignore.d.server/local-auditd
@@ -1,12 +1,13 @@
 type=CRED_ACQ msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='op=PAM:setcred grantors=pam_permit acct="(root|logcheck|daemon|www-data)" exe="/usr/sbin/cron" hostname=\? addr=\? terminal=cron res=success'$
-type=CRED_DISP msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='op=PAM:setcred grantors=pam_permit acct="www-data" exe="/usr/sbin/cron" hostname=\? addr=\? terminal=cron res=success'$
-type=LOGIN msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 subj==unconfined old-auid=[[:digit:]]+ auid=0 tty=\(none\) old-ses=[[:digit:]]+ ses=[[:digit:]]+ res=1$
+type=CRED_DISP msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='op=PAM:setcred grantors=pam_permit acct="(www-data|logcheck)" exe="/usr/sbin/cron" hostname=\? addr=\? terminal=cron res=success'$
+type=LOGIN msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 subj==unconfined old-auid=[[:digit:]]+ auid=(0|1|33|108) tty=\(none\) old-ses=[[:digit:]]+ ses=[[:digit:]]+ res=1$
 type=USER_ACCT msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=0 ses=[[:digit:]]+ subj==unconfined msg='op=PAM:accounting grantors=pam_permit acct="root" exe="/usr/bin/sudo" hostname=\? addr=\? terminal=/dev/pts/[[:digit:]]+ res=success'$
 type=USER_ACCT msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='op=PAM:accounting grantors=pam_permit acct="(root|logcheck|daemon|www-data)" exe="/usr/sbin/cron" hostname=\? addr=\? terminal=cron res=success'$
-type=USER_AUTH msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=0 ses=[[:digit:]]+ subj==unconfined msg='op=PAM:authentication grantors=? acct="[[:alnum:]]+" exe="/usr/sbin/sshd" hostname=[[:xdigit:]:.]+ addr=[[:xdigit:]:.]+ terminal=ssh res=failed'$
+type=USER_AUTH msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=0 ses=[[:digit:]]+ subj==unconfined msg='op=PAM:authentication grantors=\? acct="[[:alnum:]]+" exe="/usr/sbin/sshd" hostname=[[:xdigit:]:.]+ addr=[[:xdigit:]:.]+ terminal=ssh res=failed'$
 type=USER_CHAUTHTOK msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=0 ses=[[:digit:]]+ subj==unconfined msg='op=display aging info id=[[:digit:]]+ exe="/usr/bin/chage" hostname=\? addr=\? terminal=\? res=success'$
 type=USER_CMD msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=0 ses=[[:digit:]]+ subj==unconfined msg='cwd="/etc/puppet" cmd=[[:xdigit:]]+ terminal=pts/[[:digit:]]+ res=success$
-type=USER_ERR msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=0 ses=[[:digit:]]+ subj==unconfined msg='op=PAM:bad_ident grantors=? acct="?" exe="/usr/sbin/sshd" hostname=[[:xdigit:]:.]+ addr=[[:xdigit:]:.]+ terminal=ssh res=failed'$
-type=USER_LOGIN msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=0 ses=[[:digit:]]+ subj==unconfined msg='op=login acct=[[:digit:]]+ exe="/usr/sbin/sshd" hostname=? addr=[[:xdigit:]:.]+ terminal=sshd res=failed'$
-type=USER_(START|END) msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=108 ses=[[:digit:]]+ subj==unconfined msg='op=PAM:session_open grantors=pam_loginuid,pam_env,pam_env,pam_permit,pam_unix,pam_limits acct="(logcheck|root|daemon|www-data)" exe="/usr/sbin/cron" hostname=\? addr=\? terminal=cron res=success'$
+type=USER_ERR msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=0 ses=[[:digit:]]+ subj==unconfined msg='op=PAM:bad_ident grantors=\? acct="\?" exe="/usr/sbin/sshd" hostname=[[:xdigit:]:.]+ addr=[[:xdigit:]:.]+ terminal=ssh res=failed'$
+type=USER_LOGIN msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=0 ses=[[:digit:]]+ subj==unconfined msg='op=login acct=[[:digit:]]+ exe="/usr/sbin/sshd" hostname=\? addr=[[:xdigit:]:.]+ terminal=sshd res=failed'$
+type=USER_START msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=(0|1|33|108) ses=[[:digit:]]+ subj==unconfined msg='op=PAM:session_open grantors=pam_loginuid,pam_env,pam_env,pam_permit,pam_unix,pam_limits acct="[[:alnum:]]+" exe="/usr/sbin/cron" hostname=\? addr=\? terminal=cron res=success'$
+type=USER_END msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=(0|1|33|108) ses=[[:digit:]]+ subj==unconfined msg='op=PAM:session_close grantors=pam_loginuid,pam_env,pam_env,pam_permit,pam_unix,pam_limits acct="[[:alnum:]]+" exe="/usr/sbin/cron" hostname=\? addr=\? terminal=cron res=success'$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: Audit daemon rotating log files$
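Review bot: The new USER_AUTH, USER_ERR and USER_LOGIN rules (the three `res=failed` lines for `exe="/usr/sbin/sshd"`) suppress every failed SSH authentication from the logcheck report, for any account (`acct="[[:alnum:]]+"`, `acct=[[:digit:]]+`) and any source address (`addr=[[:xdigit:]:.]+`), so a credential-guessing run against this host leaves no trace in the auditd section of the report; the commit only fixes the `?` escaping of these lines and does not narrow them. If the goal is to quiet background scanner noise, it is safer to keep these events visible (or summarise them elsewhere) than to ignore them unconditionally, since they are the main auditd signal for credential attacks. Separately, the new USER_START and USER_END rules widen `acct` from the fixed `(logcheck|root|daemon|www-data)` list to `"[[:alnum:]]+"`; the `auid=(0|1|33|108)` alternative appears to cover those same four accounts, so keeping the explicit list as in the CRED_ACQ and USER_ACCT rules above (`acct="(root|logcheck|daemon|www-data)"`) would still report a cron session opened for an unexpected user.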