update rules

author Hendrik Jäger <gitcommit@henk.geekmail.org>

Sun, 29 Sep 2024 22:43:12 +0000 (00:43 +0200)

committer Hendrik Jäger <gitcommit@henk.geekmail.org>

Sun, 29 Sep 2024 22:43:12 +0000 (00:43 +0200)
author Hendrik Jäger <gitcommit@henk.geekmail.org>
Sun, 29 Sep 2024 22:43:12 +0000 (00:43 +0200)
committer Hendrik Jäger <gitcommit@henk.geekmail.org>
Sun, 29 Sep 2024 22:43:12 +0000 (00:43 +0200)
diff --git a/files/etc/logcheck/ignore.d.server/local-auditd b/files/etc/logcheck/ignore.d.server/local-auditd

index 123a6f06928a39ee2b411f50f4cb18a2454fc808..5c0d63f2917670d9ca87b5ac38e64ff6f8752819 100644 (file)
--- a/files/etc/logcheck/ignore.d.server/local-auditd
+++ b/files/etc/logcheck/ignore.d.server/local-auditd
@@ -15,47 +15,36 @@
  ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: The audit daemon is exiting\.$
  ^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit(\[[[:digit:]]+\])?: )?BPF prog-id=[[:digit:]]+ op=LOAD$
  ^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit(\[[[:digit:]]+\])?: )?BPF prog-id=[[:digit:]]+ op=UNLOAD$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?CRED_ACQ pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='op=PAM:setcred grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[[:alnum:]/]+" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:xdigit:]:.]+) terminal=[^[:space:]]+ res=success'$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?CRED_DISP pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='op=PAM:setcred grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[[:alnum:]/]+" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:alnum:]:.]+) terminal=[^[:space:]]+ res=success'$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?CRED_REFR pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='op=PAM:setcred grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[[:alnum:]/]+" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:alnum:]:.]+) terminal=[^[:space:]]+ res=success'$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?SERVICE_START pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='unit=(anacron|apt-daily|systemd-tmpfiles-clean|etckeeper|dpkg-db-backup|exim4-base|logrotate|man-db|apt-daily-upgrade|e2scrub_all|fstrim|monit) comm="systemd" exe="[[:alnum:]/]+" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:alnum:]:.]+) terminal=[^[:space:]]+ res=success'$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?SERVICE_STOP pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='unit=(anacron|apt-daily|systemd-tmpfiles-clean|etckeeper|dpkg-db-backup|exim4-base|logrotate|man-db|apt-daily-upgrade|e2scrub_all|fstrim|monit|systemd-fsckd) comm="systemd" exe="[[:alnum:]/]+" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:alnum:]:.]+) terminal=[^[:space:]]+ res=success'$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?SYSCALL arch=c000003e syscall=1 success=yes exit=[134] a0=[[:xdigit:]]+ a1=[[:xdigit:]]+ a2=[[:xdigit:]]+ a3=[[:xdigit:]]+ items=0 ppid=[[:digit:]]+ pid=[[:digit:]]+ auid=[[:digit:]]+ uid=[[:digit:]]+ gid=[[:digit:]]+ euid=[[:digit:]]+ suid=[[:digit:]]+ fsuid=[[:digit:]]+ egid=[[:digit:]]+ sgid=[[:digit:]]+ fsgid=[[:digit:]]+ tty=\(none\) ses=[[:digit:]]+ comm="[[:alnum:]]+" exe="[[:alnum:]/]+" subj=unconfined key=\(null\)$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=ANOM_PROMISCUOUS msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): dev=[[:alnum:].]+ prom=[[:digit:]]+ old_prom=[[:digit:]]+ auid=[[:digit:]]+ uid=[[:digit:]]+ gid=[[:digit:]]+ ses=[[:digit:]]+([^[:alpha:]]+AUID="[[:alnum:]]+" UID="root" GID="root")?$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=BPF msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): prog-id=[[:digit:]]+ op=LOAD$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=BPF msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): prog-id=[[:digit:]]+ op=UNLOAD$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=CONFIG_CHANGE msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): op=set (audit_pid|audit_backlog_limit|audit_failure|audit_backlog_wait_time)=[[:digit:]]+ old=[[:digit:]]+ auid=0 ses=[[:digit:]]+ subj=unconfined res=[[:digit:]]+[^[:alpha:]]+AUID="root"$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=CRED_ACQ msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='op=PAM:setcred grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[^"]+" hostname=[[:alnum:]:.?]+ addr=[[:xdigit:]:.?]+ terminal=[^[:space:]]+ res=success'([^[:alpha:]]+UID="root" AUID="[[:alnum:]@_-]+")?$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=CRED_DISP msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='op=PAM:setcred grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[^"]+" hostname=[[:alnum:]:.?]+ addr=[[:xdigit:]:.?]+ terminal=[^[:space:]]+ res=success'([^[:alpha:]]+UID="[[:alnum:]]+" AUID="[[:alnum:]@_-]+")?$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=CRED_REFR msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='op=PAM:setcred grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[^"]+" hostname=[[:alnum:]:.?]+ addr=[[:xdigit:]:.?]+ terminal=[^[:space:]]+ res=success'([^[:alpha:]]+UID="[[:alnum:]]+" AUID="[[:alnum:]@_-]+")?$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=CWD msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): cwd="/root"$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=DAEMON_END msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): op=terminate auid=0 uid=0 ses=[[:digit:]]+ pid=[[:digit:]]+ subj=unconfined res=success[^[:alpha:]]+UID="root"$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=DAEMON_START msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): op=start ver=[[:digit:].]+ format=enriched kernel=[[:alnum:].-]+ auid=0 pid=[[:digit:]]+ uid=0 ses=[[:digit:]]+ subj=unconfined +res=success[^[:alpha:]]+AUID="root" UID="root"$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=LOGIN msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ subj==?unconfined old-auid=[[:digit:]]+ auid=[[:digit:]]+ tty=\(none\) old-ses=[[:digit:]]+ ses=[[:digit:]]+ res=1([^[:alpha:]]+UID="root" OLD-AUID="[[:alpha:]]+" AUID="[[:alnum:]@_-]+")?$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=NETFILTER_CFG msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): table=filter:[[:digit:]]+ family=1 entries=[[:digit:]]+ op=nft_register_chain pid=[[:digit:]]+ subj=unconfined comm="nft"$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=NETFILTER_CFG msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): table=filter:[[:digit:]]+ family=1 entries=[[:digit:]]+ op=nft_unregister_table pid=[[:digit:]]+ subj=unconfined comm="nft"$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=NETFILTER_CFG msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): table=nat:[[:digit:]]+ family=2 entries=[[:digit:]]+ op=nft_register_chain pid=[[:digit:]]+ subj=unconfined comm="nft"$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=NETFILTER_CFG msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): table=nat:[[:digit:]]+ family=2 entries=[[:digit:]]+ op=nft_unregister_table pid=[[:digit:]]+ subj=unconfined comm="nft"$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=PATH msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): item=[[:digit:]]+ name=\(null\) inode=[[:digit:]]+ dev=[[:xdigit:]:]+ mode=[[:digit:]]+ ouid=0 ogid=0 rdev=00:00 nametype=(PARENT|CREATE) cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\1dOUID="root" OGID="root"$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=PROCTITLE msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): proctitle="[[:alnum:]/]+"$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=PROCTITLE msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): proctitle=[[:xdigit:]]+$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=SERVICE_START msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='unit=[[:alnum:]@_-]+ comm="systemd" exe="/usr/lib/systemd/systemd" hostname=\? addr=\? terminal=[^[:space:]]+ res=success'[^[:alpha:]]+UID="root" AUID="unset"$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=SERVICE_STOP msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='unit=[[:alnum:]@_-]+ comm="systemd" exe="/usr/lib/systemd/systemd" hostname=\? addr=\? terminal=[^[:space:]]+ res=success'[^[:alpha:]]+UID="root" AUID="unset"$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=SYSCALL msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): arch=[[:xdigit:]]+ syscall=[[:digit:]]+ success=yes exit=[[:digit:]]+ a0=[[:xdigit:]]+ a1=[[:xdigit:]]+ a2=[[:xdigit:]]+ a3=[[:xdigit:]]+ items=[[:digit:]]+ ppid=[[:digit:]]+ pid=[[:digit:]]+ auid=[[:digit:]]+ uid=[[:digit:]]+ gid=[[:digit:]]+ euid=[[:digit:]]+ suid=[[:digit:]]+ fsuid=[[:digit:]]+ egid=[[:digit:]]+ sgid=[[:digit:]]+ fsgid=[[:digit:]]+ tty=(\(none\)|pts[[:digit:]]+) ses=[[:digit:]]+ comm="[[:alnum:]]+" exe="[[:alnum:]/]+" subj=unconfined key=\(null\)[^[:alpha:]]+ARCH=x86_64 SYSCALL=(write|ioctl|sendmsg|sendto) AUID="[[:alnum:]_]+" UID="[[:alnum:]]+" GID="[[:alnum:]]+" EUID="[[:alnum:]]+" SUID="[[:alnum:]]+" FSUID="[[:alnum:]]+" EGID="[[:alnum:]]+" SGID="[[:alnum:]]+" FSGID="[[:alnum:]]+"$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=UNKNOWN\[[[:digit:]]+\] msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): module=crypt op=ctr ppid=[[:digit:]]+ pid=[[:digit:]]+ auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=[[:digit:]]+ comm="cryptsetup" exe="/usr/sbin/cryptsetup" subj=unconfined dev=[[:digit:]:]+ error_msg='success' res=1\1dAUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=USER_ACCT msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='op=PAM:accounting grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_*-]+" exe="[^"]+" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:xdigit:]:.]+) terminal=[^[:space:]]+ res=success'([^[:alpha:]]+UID="[[:alnum:]]+" AUID="[[:alnum:]]+")?$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=USER_AUTH msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='op=PAM:authentication grantors=(\?|pam_[[:alnum:]]+,?)+ acct="?[[:alnum:]?"?'$#%^~&,.;:!+=@_*\(\)\{\}-]*"? exe="[^"]*" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:xdigit:]:.]+) terminal=[^[:space:]]+ res=(failed|success)'([^[:alpha:]]+UID="root" AUID="[[:alnum:]]+")?$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=USER_CHAUTHTOK msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='op=display aging info id=[[:digit:]]+ exe="/usr/bin/chage" hostname=\? addr=\? terminal=[^[:space:]]+ res=success'([^[:alpha:]]+UID="root" AUID="[[:alnum:]]+" ID="[[:alnum:]-]+")?$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=USER_CMD msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='cwd="[^"]+" cmd="[[:alnum:]/]+" exe="[[:alnum:]/]+" terminal=[^[:space:]]+ res=success'([^[:alpha:]]+UID="[[:alnum:]]+" AUID="[[:alnum:]]+"( ID="[[:alnum:]-]+")?)?$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=USER_CMD msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='cwd="[^"]+" cmd=[[:alnum:][:xdigit:]]+ terminal=[^[:space:]]+ res=success'$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=USER_END msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='op=PAM:session_close grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[^"]*" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:xdigit:]:.]+) terminal=[^[:space:]]+ res=success'([^[:alpha:]]+UID="[[:alnum:]]+" AUID="[[:alnum:]@_-]+")?$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=USER_ERR msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='op=PAM:bad_ident grantors=\? acct="\?" exe="/usr/sbin/sshd" hostname=[[:alnum:]:.]+ addr=[[:xdigit:]:.]+ terminal=[^[:space:]]+ res=failed'([^[:alpha:]]+UID="root" AUID="[[:alnum:]]+"( ID="[[:alnum:]]+")?)?$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=USER_LOGIN msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='op=login (acct="?[[:alnum:]@_-]+"?|id=[[:digit:]]+) exe="/usr/sbin/sshd" hostname=(\?|[[:alnum:]:.]+) addr=[[:xdigit:]:.]+ terminal=[^[:space:]]+ res=(failed|success)'([^[:alpha:]]+UID="root" AUID="[[:alnum:]]+"( ID="[[:alnum:]]+")?)?$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=USER_START msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='op=PAM:session_open grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[^"]+" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:xdigit:]:.]+) terminal=[^[:space:]]+ res=success'([^[:alpha:]]+UID="[[:alnum:]]+" AUID="[[:alnum:]@_-]+")?$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?USER_ACCT pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='op=PAM:accounting grantors=pam_permit acct="[[:alnum:]@_-]+" exe="[[:alnum:]/]+" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:alnum:]:.]+) terminal=[^[:space:]]+ res=success'$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?USER_AUTH pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='op=PAM:authentication grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[[:alnum:]/]+" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:alnum:]:.]+) terminal=[^[:space:]]+ res=success'$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?USER_CHAUTHTOK pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='op=display aging info id=[[:digit:]]+ exe="/usr/bin/chage" hostname=\? addr=\? terminal=[^[:space:]]+ res=success'$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?USER_END pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='op=PAM:session_close grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[[:alnum:]/]+" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:alnum:]:.]+) terminal=[^[:space:]]+ res=success'$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?USER_LOGIN pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='op=login id=[[:digit:]]+ exe="[[:alnum:]/]+" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:alnum:]:.]+) terminal=[^[:space:]]+ res=success'$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?USER_START pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='op=PAM:session_open grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[[:alnum:]/]+" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:alnum:]:.]+) terminal=[^[:space:]]+ res=success'$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?ANOM_PROMISCUOUS( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? dev=[[:alnum:].]+ prom=[[:digit:]]+ old_prom=[[:digit:]]+ auid=[[:digit:]]+ uid=[[:digit:]]+ gid=[[:digit:]]+ ses=[[:digit:]]+([^[:alpha:]]+AUID="[[:alnum:]@_-]+" UID="root" GID="root")?$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?BPF( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? prog-id=[[:digit:]]+ op=LOAD$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?BPF( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? prog-id=[[:digit:]]+ op=UNLOAD$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?CONFIG_CHANGE( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? op=set (audit_pid|audit_backlog_limit|audit_failure|audit_backlog_wait_time)=[[:digit:]]+ old=[[:digit:]]+ auid=0 ses=[[:digit:]]+ subj=unconfined res=[[:digit:]]+[^[:alpha:]]+AUID="root"$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?CRED_ACQ( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='op=PAM:setcred grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[[:alnum:]/]+" hostname=[[:alnum:]:.?]+ addr=[[:xdigit:]:.?]+ terminal=[^[:space:]]+ res=success'([^[:alpha:]]+UID="root" AUID="[[:alnum:]@_-]+")?$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?CRED_DISP( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='op=PAM:setcred grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[[:alnum:]/]+" hostname=[[:alnum:]:.?]+ addr=[[:xdigit:]:.?]+ terminal=[^[:space:]]+ res=success'([^[:alpha:]]+UID="[[:alnum:]]+" AUID="[[:alnum:]@_-]+")?$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?CRED_REFR( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='op=PAM:setcred grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[[:alnum:]/]+" hostname=[[:alnum:]:.?]+ addr=[[:xdigit:]:.?]+ terminal=[^[:space:]]+ res=success'([^[:alpha:]]+UID="[[:alnum:]]+" AUID="[[:alnum:]@_-]+")?$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?CWD( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? cwd="/root"$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?DAEMON_END( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? op=terminate auid=0 uid=0 ses=[[:digit:]]+ pid=[[:digit:]]+ subj=unconfined res=success[^[:alpha:]]+UID="root"$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?DAEMON_START( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? op=start ver=[[:digit:].]+ format=enriched kernel=[[:alnum:].-]+ auid=0 pid=[[:digit:]]+ uid=0 ses=[[:digit:]]+ subj=unconfined +res=success[^[:alpha:]]+AUID="root" UID="root"$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?LOGIN( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? pid=[[:digit:]]+ uid=[[:digit:]]+ subj=unconfined old-auid=[[:digit:]]+ auid=[[:digit:]]+ tty=\(none\) old-ses=[[:digit:]]+ ses=[[:digit:]]+ res=1([^[:alpha:]]+UID="root" OLD-AUID="[[:alnum:]@_-]+" AUID="[[:alnum:]@_-]+")?$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?NETFILTER_CFG( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? table=filter:[[:digit:]]+ family=1 entries=[[:digit:]]+ op=nft_register_chain pid=[[:digit:]]+ subj=unconfined comm="nft"$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?NETFILTER_CFG( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? table=filter:[[:digit:]]+ family=1 entries=[[:digit:]]+ op=nft_unregister_table pid=[[:digit:]]+ subj=unconfined comm="nft"$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?NETFILTER_CFG( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? table=nat:[[:digit:]]+ family=2 entries=[[:digit:]]+ op=nft_register_chain pid=[[:digit:]]+ subj=unconfined comm="nft"$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?NETFILTER_CFG( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? table=nat:[[:digit:]]+ family=2 entries=[[:digit:]]+ op=nft_unregister_table pid=[[:digit:]]+ subj=unconfined comm="nft"$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?PATH( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? item=[[:digit:]]+ name=\(null\) inode=[[:digit:]]+ dev=[[:xdigit:]:]+ mode=[[:digit:]]+ ouid=0 ogid=0 rdev=00:00 nametype=(PARENT|CREATE) cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\1dOUID="root" OGID="root"$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?PROCTITLE( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? proctitle="[^"]+"$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?SERVICE_START(( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)?)? pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='unit=[[:alnum:]@_-]+ comm="systemd" exe="/usr/lib/systemd/systemd" hostname=\? addr=\? terminal=[^[:space:]]+ res=success'([^[:alpha:]]+UID="root" AUID="unset")?$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?SERVICE_STOP(( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)?)? pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='unit=[[:alnum:]@_-]+ comm="systemd" exe="/usr/lib/systemd/systemd" hostname=\? addr=\? terminal=[^[:space:]]+ res=success'([^[:alpha:]]+UID="root" AUID="unset")?$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?SYSCALL( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? arch=[[:xdigit:]]+ syscall=[[:digit:]]+ success=yes exit=[[:digit:]]+ a0=[[:xdigit:]]+ a1=[[:xdigit:]]+ a2=[[:xdigit:]]+ a3=[[:xdigit:]]+ items=[[:digit:]]+ ppid=[[:digit:]]+ pid=[[:digit:]]+ auid=[[:digit:]]+ uid=[[:digit:]]+ gid=[[:digit:]]+ euid=[[:digit:]]+ suid=[[:digit:]]+ fsuid=[[:digit:]]+ egid=[[:digit:]]+ sgid=[[:digit:]]+ fsgid=[[:digit:]]+ tty=(\(none\)|pts[[:digit:]]+) ses=[[:digit:]]+ comm="[[:alnum:]]+" exe="[[:alnum:]/]+" subj=unconfined key=\(null\)([^[:alpha:]]+ARCH=x86_64 SYSCALL=(write|ioctl|sendmsg|sendto) AUID="[[:alnum:]@_-]+" UID="[[:alnum:]]+" GID="[[:alnum:]]+" EUID="[[:alnum:]]+" SUID="[[:alnum:]]+" FSUID="[[:alnum:]]+" EGID="[[:alnum:]]+" SGID="[[:alnum:]]+" FSGID="[[:alnum:]]+")?$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?UNKNOWN\[[[:digit:]]+\]( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? module=crypt op=ctr ppid=[[:digit:]]+ pid=[[:digit:]]+ auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=[[:digit:]]+ comm="cryptsetup" exe="/usr/sbin/cryptsetup" subj=unconfined dev=[[:digit:]:]+ error_msg='success' res=1\1dAUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?USER_ACCT( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='op=PAM:accounting grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[[:alnum:]/]+" hostname=[[:alnum:]:.?]+ addr=[[:xdigit:]:.?]+ terminal=[^[:space:]]+ res=success'([^[:alpha:]]+UID="[[:alnum:]]+" AUID="[[:alnum:]@_-]+")?$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?USER_ACCT( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='op=PAM:accounting grantors=pam_permit acct="[[:alnum:]@_-]+" exe="[[:alnum:]/]+" hostname=[[:alnum:]:.?]+ addr=[[:xdigit:]:.?]+ terminal=[^[:space:]]+ res=success'$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?USER_AUTH( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='op=PAM:authentication grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[[:alnum:]/]+" hostname=[[:alnum:]:.?]+ addr=[[:xdigit:]:.?]+ terminal=[^[:space:]]+ res=success'([^[:alpha:]]+UID="root" AUID="[[:alnum:]@_-]+")?$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?USER_AUTH( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='op=PAM:authentication grantors=(\?|pam_[[:alnum:]]+,?)+ acct="[^"]+" exe="[[:alnum:]/]*" hostname=[[:alnum:]:.?]+ addr=[[:xdigit:]:.?]+ terminal=[^[:space:]]+ res=(failed|success)'([^[:alpha:]]+UID="root" AUID="[[:alnum:]@_-]+")?$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?USER_CHAUTHTOK( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='op=display aging info id=[[:digit:]]+ exe="/usr/bin/chage" hostname=\? addr=\? terminal=[^[:space:]]+ res=success'([^[:alpha:]]+UID="root" AUID="[[:alnum:]@_-]+" ID="[[:alnum:]-]+")?$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?USER_CMD( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='cwd="[^"]+" cmd="[[:alnum:]/]+" exe="[[:alnum:]/]+" terminal=[^[:space:]]+ res=success'([^[:alpha:]]+UID="[[:alnum:]]+" AUID="[[:alnum:]@_-]+"( ID="[[:alnum:]-]+")?)?$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?USER_CMD( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='cwd="[^"]+" cmd="[[:alnum:]/]+" terminal=[^[:space:]]+ res=success'$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?USER_END( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='op=PAM:session_close grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[[:alnum:]/]+" hostname=[[:alnum:]:.?]+ addr=[[:xdigit:]:.?]+ terminal=[^[:space:]]+ res=success'([^[:alpha:]]+UID="[[:alnum:]]+" AUID="[[:alnum:]@_-]+")?$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?USER_ERR( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='op=PAM:bad_ident grantors=\? acct="\?" exe="/usr/sbin/sshd" hostname=[[:alnum:]:.]+ addr=[[:xdigit:]:.]+ terminal=[^[:space:]]+ res=failed'([^[:alpha:]]+UID="root" AUID="[[:alnum:]@_-]+"( ID="[[:alnum:]]+")?)?$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?USER_LOGIN( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='op=login (acct="?[[:alnum:]@_-]+"?|id=[[:digit:]]+) exe="[[:alnum:]/]+" hostname=[[:alnum:]:.?]+ addr=[[:xdigit:]:.?]+ terminal=[^[:space:]]+ res=(failed|success)'([^[:alpha:]]+UID="root" AUID="[[:alnum:]@_-]+"( ID="[[:alnum:]]+")?)?$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?USER_START( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='op=PAM:session_open grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[[:alnum:]/]+" hostname=[[:alnum:]:.?]+ addr=[[:xdigit:]:.?]+ terminal=[^[:space:]]+ res=success'([^[:alpha:]]+UID="[[:alnum:]]+" AUID="[[:alnum:]@_-]+")?$
  ^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit: )?PROCTITLE proctitle=[[:xdigit:]]+$
author	Hendrik Jäger <gitcommit@henk.geekmail.org>
	Sun, 29 Sep 2024 22:43:12 +0000 (00:43 +0200)
committer	Hendrik Jäger <gitcommit@henk.geekmail.org>
	Sun, 29 Sep 2024 22:43:12 +0000 (00:43 +0200)