From: Hendrik Jäger Date: Sun, 21 Jul 2024 10:27:53 +0000 (+0200) Subject: update rules X-Git-Url: https://git.netwichtig.de/gitweb/?a=commitdiff_plain;h=e9af696508796bfad5190669173948c55dc1b0de;p=user%2Fhenk%2Fcode%2Fpuppet%2Fmodules%2Flogcheck.git update rules --- diff --git a/files/etc/logcheck/ignore.d.server/local-auditd b/files/etc/logcheck/ignore.d.server/local-auditd index b024805..5c414f6 100644 --- a/files/etc/logcheck/ignore.d.server/local-auditd +++ b/files/etc/logcheck/ignore.d.server/local-auditd @@ -27,14 +27,15 @@ ^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=CRED_ACQ msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='op=PAM:setcred grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[^"]+" hostname=[[:alnum:]:.?]+ addr=[[:xdigit:]:.?]+ terminal=[^[:space:]]+ res=success'([^[:alpha:]]+UID="root" AUID="[[:alnum:]@_-]+")?$ ^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=CRED_DISP msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='op=PAM:setcred grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[^"]+" hostname=[[:alnum:]:.?]+ addr=[[:xdigit:]:.?]+ terminal=[^[:space:]]+ res=success'([^[:alpha:]]+UID="[[:alnum:]]+" AUID="[[:alnum:]@_-]+")?$ ^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=CRED_REFR msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='op=PAM:setcred grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[^"]+" hostname=[[:alnum:]:.?]+ addr=[[:xdigit:]:.?]+ terminal=[^[:space:]]+ res=success'([^[:alpha:]]+UID="[[:alnum:]]+" AUID="[[:alnum:]@_-]+")?$ +^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=CWD msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): cwd="/root"$ ^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=LOGIN msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ subj==?unconfined old-auid=[[:digit:]]+ auid=[[:digit:]]+ tty=\(none\) old-ses=[[:digit:]]+ ses=[[:digit:]]+ res=1([^[:alpha:]]+UID="root" OLD-AUID="[[:alpha:]]+" AUID="[[:alnum:]@_-]+")?$ +^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=PATH msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): item=[[:digit:]]+ name=\(null\) inode=[[:digit:]]+ dev=[[:xdigit:]:]+ mode=[[:digit:]]+ ouid=0 ogid=0 rdev=00:00 nametype=(PARENT|CREATE) cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="root" OGID="root"$ ^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=PROCTITLE msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): proctitle="[[:alnum:]/]+"$ ^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=PROCTITLE msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): proctitle=[[:xdigit:]]+$ ^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=SERVICE_START msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='unit=[[:alnum:]@_-]+ comm="systemd" exe="/usr/lib/systemd/systemd" hostname=\? addr=\? terminal=[^[:space:]]+ res=success'[^[:alpha:]]+UID="root" AUID="unset"$ ^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=SERVICE_STOP msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='unit=[[:alnum:]@_-]+ comm="systemd" exe="/usr/lib/systemd/systemd" hostname=\? addr=\? terminal=[^[:space:]]+ res=success'[^[:alpha:]]+UID="root" AUID="unset"$ -^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=SYSCALL msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): arch=[[:xdigit:]]+ syscall=[[:digit:]]+ success=yes exit=[[:digit:]]+ a0=[[:xdigit:]]+ a1=[[:xdigit:]]+ a2=[[:xdigit:]]+ a3=[[:xdigit:]]+ items=0 ppid=[[:digit:]]+ pid=[[:digit:]]+ auid=[[:digit:]]+ uid=[[:digit:]]+ gid=[[:digit:]]+ euid=[[:digit:]]+ suid=[[:digit:]]+ fsuid=[[:digit:]]+ egid=[[:digit:]]+ sgid=[[:digit:]]+ fsgid=[[:digit:]]+ tty=\(none\) ses=[[:digit:]]+ comm="[[:alnum:]]+" exe="[[:alnum:]/]+" subj=unconfined key=\(null\)[^[:alpha:]]+ARCH=x86_64 SYSCALL=write AUID="[[:alnum:]_]+" UID="[[:alnum:]]+" GID="[[:alnum:]]+" EUID="[[:alnum:]]+" SUID="[[:alnum:]]+" FSUID="[[:alnum:]]+" EGID="[[:alnum:]]+" SGID="[[:alnum:]]+" FSGID="[[:alnum:]]+"$ -^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=SYSCALL msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): arch=[[:xdigit:]]+ syscall=[[:digit:]]+ success=yes exit=[[:digit:]]+ a0=[[:xdigit:]]+ a1=[[:xdigit:]]+ a2=[[:xdigit:]]+ a3=[[:xdigit:]]+ items=0 ppid=[[:digit:]]+ pid=[[:digit:]]+ auid=[[:digit:]]+ uid=[[:digit:]]+ gid=[[:digit:]]+ euid=[[:digit:]]+ suid=[[:digit:]]+ fsuid=[[:digit:]]+ egid=[[:digit:]]+ sgid=[[:digit:]]+ fsgid=[[:digit:]]+ tty=\(none\) ses=[[:digit:]]+ comm="[[:alnum:]]+" exe="/usr/sbin/hostapd" subj=unconfined key=\(null\)[^[:alpha:]]+ARCH=x86_64 SYSCALL=ioctl AUID="[[:alnum:]_]+" UID="[[:alnum:]]+" GID="[[:alnum:]]+" EUID="[[:alnum:]]+" SUID="[[:alnum:]]+" FSUID="[[:alnum:]]+" EGID="[[:alnum:]]+" SGID="[[:alnum:]]+" FSGID="[[:alnum:]]+"$ -^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=SYSCALL msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): arch=[[:xdigit:]]+ syscall=[[:digit:]]+ success=yes exit=[[:digit:]]+ a0=[[:xdigit:]]+ a1=[[:xdigit:]]+ a2=[[:xdigit:]]+ a3=[[:xdigit:]]+ items=0 ppid=[[:digit:]]+ pid=[[:digit:]]+ auid=[[:digit:]]+ uid=[[:digit:]]+ gid=[[:digit:]]+ euid=[[:digit:]]+ suid=[[:digit:]]+ fsuid=[[:digit:]]+ egid=[[:digit:]]+ sgid=[[:digit:]]+ fsgid=[[:digit:]]+ tty=\(none\) ses=[[:digit:]]+ comm="[[:alnum:]]+" exe="/usr/sbin/hostapd" subj=unconfined key=\(null\)[^[:alpha:]]+ARCH=x86_64 SYSCALL=sendmsg AUID="[[:alnum:]_]+" UID="[[:alnum:]]+" GID="[[:alnum:]]+" EUID="[[:alnum:]]+" SUID="[[:alnum:]]+" FSUID="[[:alnum:]]+" EGID="[[:alnum:]]+" SGID="[[:alnum:]]+" FSGID="[[:alnum:]]+"$ +^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=SYSCALL msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): arch=[[:xdigit:]]+ syscall=[[:digit:]]+ success=yes exit=[[:digit:]]+ a0=[[:xdigit:]]+ a1=[[:xdigit:]]+ a2=[[:xdigit:]]+ a3=[[:xdigit:]]+ items=[[:digit:]]+ ppid=[[:digit:]]+ pid=[[:digit:]]+ auid=[[:digit:]]+ uid=[[:digit:]]+ gid=[[:digit:]]+ euid=[[:digit:]]+ suid=[[:digit:]]+ fsuid=[[:digit:]]+ egid=[[:digit:]]+ sgid=[[:digit:]]+ fsgid=[[:digit:]]+ tty=(\(none\)|pts0) ses=[[:digit:]]+ comm="[[:alnum:]]+" exe="[[:alnum:]/]+" subj=unconfined key=\(null\)[^[:alpha:]]+ARCH=x86_64 SYSCALL=(write|ioctl|sendmsg) AUID="[[:alnum:]_]+" UID="[[:alnum:]]+" GID="[[:alnum:]]+" EUID="[[:alnum:]]+" SUID="[[:alnum:]]+" FSUID="[[:alnum:]]+" EGID="[[:alnum:]]+" SGID="[[:alnum:]]+" FSGID="[[:alnum:]]+"$ +^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=UNKNOWN\[[[:digit:]]+\] msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): module=crypt op=ctr ppid=[[:digit:]]+ pid=[[:digit:]]+ auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="cryptsetup" exe="/usr/sbin/cryptsetup" subj=unconfined dev=[[:digit:]:]+ error_msg='success' res=1AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root" ^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=USER_ACCT msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='op=PAM:accounting grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_*-]+" exe="[^"]+" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:xdigit:]:.]+) terminal=[^[:space:]]+ res=success'([^[:alpha:]]+UID="[[:alnum:]]+" AUID="[[:alnum:]]+")?$ ^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=USER_AUTH msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='op=PAM:authentication grantors=(\?|pam_[[:alnum:]]+,?)+ acct="?[[:alnum:]?"?'$#%^~&,.;:!+=@_*\(\)\{\}-]*"? exe="[^"]*" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:xdigit:]:.]+) terminal=[^[:space:]]+ res=(failed|success)'([^[:alpha:]]+UID="root" AUID="[[:alnum:]]+")?$ ^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=USER_CHAUTHTOK msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='op=display aging info id=[[:digit:]]+ exe="/usr/bin/chage" hostname=\? addr=\? terminal=[^[:space:]]+ res=success'([^[:alpha:]]+UID="root" AUID="[[:alnum:]]+" ID="[[:alnum:]-]+")?$