From 44bc83c26c621c21307f9a80fa9cbc8dd857a76f Mon Sep 17 00:00:00 2001
From: =?utf8?q?Hendrik=20J=C3=A4ger?=
Date: Sat, 8 May 2021 18:24:05 +0300
Subject: [PATCH 1/1] Update logcheck rules for auditd

---
 files/etc/logcheck/ignore.d.server/local-auditd | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/files/etc/logcheck/ignore.d.server/local-auditd b/files/etc/logcheck/ignore.d.server/local-auditd
index 05877b5..cc50c08 100644
--- a/files/etc/logcheck/ignore.d.server/local-auditd
+++ b/files/etc/logcheck/ignore.d.server/local-auditd
@@ -2,7 +2,7 @@ type=LOGIN msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]
 type=USER_CHAUTHTOK msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=0 ses=[[:digit:]]+ subj==unconfined msg='op=display aging info id=[[:digit:]]+ exe="/usr/bin/chage" hostname=\? addr=\? terminal=\? res=success'$
 type=USER_CMD msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=0 ses=[[:digit:]]+ subj==unconfined msg='cwd="/etc/puppet" cmd=[[:xdigit:]]+ terminal=pts/[[:digit:]]+ res=success$
 type=USER_ERR msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='op=PAM:bad_ident grantors=\? acct="\?" exe="/usr/sbin/sshd" hostname=[[:xdigit:]:.]+ addr=[[:xdigit:]:.]+ terminal=ssh res=failed'$
-type=USER_LOGIN msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='op=login (acct="?[[:alnum:]@_-]+"?|id=[[:digit:]]+) exe="/usr/sbin/sshd" hostname=\? addr=[[:xdigit:]:.]+ terminal=[^[:space:]]+ res=(failed|success)'$
+type=USER_LOGIN msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='op=login (acct="?[[:alnum:]@_-]+"?|id=[[:digit:]]+) exe="/usr/sbin/sshd" hostname=(\?|[[:xdigit:]:.]+) addr=[[:xdigit:]:.]+ terminal=[^[:space:]]+ res=(failed|success)'$
 type=CRED_ACQ msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='op=PAM:setcred grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[^"]+" hostname=(\?|[[:xdigit:]:.]+) addr=(\?|[[:xdigit:]:.]+) terminal=(cron|ssh) res=success'$
 type=CRED_DISP msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='op=PAM:setcred grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[^"]+" hostname=(\?|[[:xdigit:]:.]+) addr=(\?|[[:xdigit:]:.]+) terminal=(cron|ssh) res=success'$
 type=CRED_REFR msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=0 auid=[[:digit:]]+ ses=[[:digit:]]+ subj==unconfined msg='op=PAM:setcred grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[^"]+" hostname=(\?|[[:xdigit:]:.]+) addr=(\?|[[:xdigit:]:.]+) terminal=(cron|ssh) res=success'$
-- 
2.39.2
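Review bot: The widened `hostname=(\?|[[:xdigit:]:.]+)` alternative on the added USER_LOGIN line now also suppresses `res=failed` sshd login records for peers whose hostname field is IP-shaped, so failed SSH logins for this event type no longer reach the logcheck report at all (the removed line already did this for the `hostname=\?` case). Failed logins are the main brute-force and credential-guessing signal in auditd output, so consider silencing only successful logins here by ending the line with `res=success'$` instead of `res=(failed|success)'$`, which leaves USER_LOGIN failures visible while still covering the resolved-hostname case the commit targets. Note also that `[[:xdigit:]:.]+` matches IPv4/IPv6 literals but not a resolved DNS name containing letters outside a–f, so if auditd emits such hostnames in this field they will presumably still fall through to the report — verify the alternative against real log lines rather than assuming it covers every non-`?` value.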