Update logcheck rules

author Hendrik Jäger <gitcommit@henk.geekmail.org>

Tue, 6 Jul 2021 11:43:12 +0000 (14:43 +0300)

committer Hendrik Jäger <gitcommit@henk.geekmail.org>

Tue, 6 Jul 2021 11:43:12 +0000 (14:43 +0300)
author Hendrik Jäger <gitcommit@henk.geekmail.org>
Tue, 6 Jul 2021 11:43:12 +0000 (14:43 +0300)
committer Hendrik Jäger <gitcommit@henk.geekmail.org>
Tue, 6 Jul 2021 11:43:12 +0000 (14:43 +0300)
diff --git a/files/etc/logcheck/ignore.d.server/local-auditd b/files/etc/logcheck/ignore.d.server/local-auditd

index 8159cc356b270c56bd67be95142f237fa4ef54e6..460cc9ff9b339fd6c3b62197733d13faa1fa08fa 100644 (file)
--- a/files/etc/logcheck/ignore.d.server/local-auditd
+++ b/files/etc/logcheck/ignore.d.server/local-auditd
@@ -7,7 +7,7 @@ type=CRED_ACQ msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit
  type=CRED_DISP msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='op=PAM:setcred grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[^"]+" hostname=[[:alnum:]:.?]+ addr=[[:xdigit:]:.?]+ terminal=[[:alnum:]/?]+ res=success'$
  type=CRED_REFR msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='op=PAM:setcred grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[^"]+" hostname=[[:alnum:]:.?]+ addr=[[:xdigit:]:.?]+ terminal=[[:alnum:]/?]+ res=success'$
  type=USER_ACCT msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='op=PAM:accounting grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_*-]+" exe="[^"]+" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:xdigit:]:.]+) terminal=[[:alnum:]/?]+ res=success'$
  type=CRED_DISP msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='op=PAM:setcred grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[^"]+" hostname=[[:alnum:]:.?]+ addr=[[:xdigit:]:.?]+ terminal=[[:alnum:]/?]+ res=success'$
  type=CRED_REFR msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='op=PAM:setcred grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[^"]+" hostname=[[:alnum:]:.?]+ addr=[[:xdigit:]:.?]+ terminal=[[:alnum:]/?]+ res=success'$
  type=USER_ACCT msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='op=PAM:accounting grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_*-]+" exe="[^"]+" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:xdigit:]:.]+) terminal=[[:alnum:]/?]+ res=success'$
-type=USER_AUTH msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='op=PAM:authentication grantors=(\?|pam_[[:alnum:]]+,?)+ acct="[[:alnum:].@_*-]+" exe="[^"]*" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:xdigit:]:.]+) terminal=(\?|ssh|dovecot) res=(failed|success)'$
+type=USER_AUTH msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='op=PAM:authentication grantors=(\?|pam_[[:alnum:]]+,?)+ acct="[[:alnum:].@_*-]+" exe="[^"]*" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:xdigit:]:.]+) terminal=[[:alnum:]/?]+ res=(failed|success)'$
  type=USER_START msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='op=PAM:session_open grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[^"]+" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:xdigit:]:.]+) terminal=[[:alnum:]/?]+ res=success'$
  type=USER_END msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='op=PAM:session_close grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[^"]*" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:xdigit:]:.]+) terminal=[[:alnum:]/?]+ res=success'$
  ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: Audit daemon rotating log files$
  type=USER_START msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='op=PAM:session_open grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[^"]+" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:xdigit:]:.]+) terminal=[[:alnum:]/?]+ res=success'$
  type=USER_END msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='op=PAM:session_close grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[^"]*" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:xdigit:]:.]+) terminal=[[:alnum:]/?]+ res=success'$
  ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: Audit daemon rotating log files$
diff --git a/files/etc/logcheck/ignore.d.server/local-tor b/files/etc/logcheck/ignore.d.server/local-tor

index 5fd8a35a6d4ecee82a0e755bd74a6d0bb86d76d5..54445a2e07d5892a32679fc0669d970b5921741e 100644 (file)
--- a/files/etc/logcheck/ignore.d.server/local-tor
+++ b/files/etc/logcheck/ignore.d.server/local-tor
@@ -1,5 +1,5 @@
  ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Heartbeat: Tor's uptime is ([[:digit:]]+ day(s)? )?[[:digit:]]+:[[:digit:]]+ hours, with [[:digit:]]+ circuits open. I've sent [[:digit:].]+ [GMk]B and received [[:digit:].]+ [GMk]B\.$
  ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Average packaged cell fullness: [[:digit:].]+%\. TLS write overhead: [[:digit:]]+%$
  ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Received http status code 404 \("Consensus is too old"\) from server '[[:xdigit:]:.]+:443' while fetching consensus directory\.$
  ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Heartbeat: Tor's uptime is ([[:digit:]]+ day(s)? )?[[:digit:]]+:[[:digit:]]+ hours, with [[:digit:]]+ circuits open. I've sent [[:digit:].]+ [GMk]B and received [[:digit:].]+ [GMk]B\.$
  ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Average packaged cell fullness: [[:digit:].]+%\. TLS write overhead: [[:digit:]]+%$
  ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Received http status code 404 \("Consensus is too old"\) from server '[[:xdigit:]:.]+:443' while fetching consensus directory\.$
-^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: http status 400 \("Nonauthoritative directory does not accept posted server descriptors"\) response from dirserver '[[:xdigit:]:.]+:443'\. Malformed rendezvous descriptor\?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: http status 400 \("Nonauthoritative directory does not accept posted server descriptors"\) response from dirserver '[[:xdigit:]:.]+:[[:digit:]]+'\. Malformed rendezvous descriptor\?$
  ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Our onion service received [[:digit:]]+ v2 and [[:digit:]]+ v3 INTRODUCE2 cells and attempted to launch [[:digit:]]+ rendezvous circuits\.$
  ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ Tor\[[[:digit:]]+\]: Our onion service received [[:digit:]]+ v2 and [[:digit:]]+ v3 INTRODUCE2 cells and attempted to launch [[:digit:]]+ rendezvous circuits\.$
author	Hendrik Jäger <gitcommit@henk.geekmail.org>
	Tue, 6 Jul 2021 11:43:12 +0000 (14:43 +0300)
committer	Hendrik Jäger <gitcommit@henk.geekmail.org>
	Tue, 6 Jul 2021 11:43:12 +0000 (14:43 +0300)
files/etc/logcheck/ignore.d.server/local-auditd		patch \| blob \| history
files/etc/logcheck/ignore.d.server/local-tor		patch \| blob \| history