From 3f4349ae5537137ec3ffdea460063fb87af06c46 Mon Sep 17 00:00:00 2001 From: Hendrik Jäger Date: Thu, 7 Jul 2022 22:02:40 +0200 Subject: update rules --- files/etc/logcheck/ignore.d.server/local-auditd | 2 ++ 1 file changed, 2 insertions(+) diff --git a/files/etc/logcheck/ignore.d.server/local-auditd b/files/etc/logcheck/ignore.d.server/local-auditd index 55d988c..00f6a99 100644 --- a/files/etc/logcheck/ignore.d.server/local-auditd +++ b/files/etc/logcheck/ignore.d.server/local-auditd @@ -12,6 +12,8 @@ type=USER_START msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:dig type=USER_END msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='op=PAM:session_close grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[^"]*" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:xdigit:]:.]+) terminal=[[:alnum:]/?]+ res=success'([^[:alpha:]]+UID="root" AUID="[[:alnum:]-]+")?$ type=USER_END msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='op=PAM:session_close grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[^"]*" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:xdigit:]:.]+) terminal=[[:alnum:]/?]+ res=success'([^[:alpha:]]+UID="root" AUID="[[:alnum:]]+")?$ type=ANOM_PROMISCUOUS msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): dev=[[:alnum:].]+ prom=[[:digit:]]+ old_prom=[[:digit:]]+ auid=0 uid=0 gid=0 ses=[[:digit:]]+([^[:alpha:]]+AUID="[[:alnum:]]+" UID="root" GID="root")?$ +type=SERVICE_START msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='unit=[[:alnum:]-]+ comm="systemd" exe="/usr/lib/systemd/systemd" hostname=\? addr=\? terminal=\? res=success'[^[:alpha:]]+UID="root" AUID="unset"$ +type=SERVICE_STOP msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='unit=[[:alnum:]-]+ comm="systemd" exe="/usr/lib/systemd/systemd" hostname=\? addr=\? terminal=\? res=success'[^[:alpha:]]+ID="root" AUID="unset"$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: Audit daemon rotating log files$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: The audit daemon is exiting\.$ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: No plugins found, not dispatching events$ -- cgit v1.2.3