From d758d8f700fe7b2538b8dd38aee52c56503212b5 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Hendrik=20J=C3=A4ger?=
Date: Fri, 15 Sep 2023 13:59:57 +0200
Subject: [PATCH] update rules
---
 files/etc/logcheck/ignore.d.server/local-auditd | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/files/etc/logcheck/ignore.d.server/local-auditd b/files/etc/logcheck/ignore.d.server/local-auditd
index f778a22..7ae913f 100644
--- a/files/etc/logcheck/ignore.d.server/local-auditd
+++ b/files/etc/logcheck/ignore.d.server/local-auditd
@@ -13,6 +13,8 @@
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: rate_limit 0$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: /sbin/augenrules: No change$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: The audit daemon is exiting\.$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?BPF prog-id=[[:digit:]]+ op=LOAD$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?BPF prog-id=[[:digit:]]+ op=UNLOAD$
 ^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?CRED_ACQ pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='op=PAM:setcred grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]]+" exe="[[:alnum:]/]+" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:xdigit:]:.]+) terminal=[^[:space:]]+ res=success'
 ^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?CRED_DISP pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='op=PAM:setcred grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]]+" exe="[[:alnum:]/]+" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:alnum:]:.]+) terminal=[^[:space:]]+ res=success'
 ^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?CRED_REFR pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='op=PAM:setcred grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]]+" exe="[[:alnum:]/]+" hostname=(\?|[[:alnum:]:.]+) addr=(\?|[[:alnum:]:.]+) terminal=[^[:space:]]+ res=success'
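Review bot: The two added `BPF prog-id=... op=LOAD` / `op=UNLOAD` rules suppress every BPF program load and unload record without qualification; the record as matched here carries only a program id and an operation, so there is no field in the line on which the match could be narrowed to an expected loader, and the effect is that logcheck will never surface a BPF load again. That may well be the intended tuning for this host class, but since BPF loads are one of the few kernel-level signals a log reviewer has for an unexpected program being attached, the decision deserves to be recorded next to the rules rather than only in the commit title. If this rules file tolerates `#` comment lines (logcheck strips them in my experience, but please confirm for this deployment), a line such as `# BPF LOAD/UNLOAD carry no process context; ignored wholesale by policy` above the pair would make the scope explicit. The same applies to the `type=BPF` pair in the second hunk.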
@@ -21,7 +23,8 @@
 ^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?SYSCALL arch=c000003e syscall=1 success=yes exit=1 a0=[[:xdigit:]]+ a1=[[:xdigit:]]+ a2=[[:xdigit:]]+ a3=[[:xdigit:]]+ items=0 ppid=[[:digit:]]+ pid=[[:digit:]]+ auid=[[:digit:]]+ uid=[[:digit:]]+ gid=[[:digit:]]+ euid=[[:digit:]]+ suid=[[:digit:]]+ fsuid=[[:digit:]]+ egid=[[:digit:]]+ sgid=[[:digit:]]+ fsgid=[[:digit:]]+ tty=\(none\) ses=[[:digit:]]+ comm="[[:alnum:]]+" exe="[[:alnum:]/]+" subj=unconfined key=\(null\)$
 ^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?SYSCALL arch=c000003e syscall=1 success=yes exit=3 a0=[[:xdigit:]]+ a1=[[:xdigit:]]+ a2=[[:xdigit:]]+ a3=[[:xdigit:]]+ items=0 ppid=[[:digit:]]+ pid=[[:digit:]]+ auid=[[:digit:]]+ uid=[[:digit:]]+ gid=[[:digit:]]+ euid=[[:digit:]]+ suid=[[:digit:]]+ fsuid=[[:digit:]]+ egid=[[:digit:]]+ sgid=[[:digit:]]+ fsgid=[[:digit:]]+ tty=\(none\) ses=[[:digit:]]+ comm="[[:alnum:]]+" exe="[[:alnum:]/]+" subj=unconfined key=\(null\)$
 ^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=ANOM_PROMISCUOUS msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): dev=[[:alnum:].]+ prom=[[:digit:]]+ old_prom=[[:digit:]]+ auid=[[:digit:]]+ uid=[[:digit:]]+ gid=[[:digit:]]+ ses=[[:digit:]]+([^[:alpha:]]+AUID="[[:alnum:]]+" UID="root" GID="root")?$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=BPF msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): prog-id=[[:digit:]]+ op=(UN)?LOAD$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=BPF msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): prog-id=[[:digit:]]+ op=LOAD$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=BPF msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): prog-id=[[:digit:]]+ op=UNLOAD$
 ^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=CRED_ACQ msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='op=PAM:setcred grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[^"]+" hostname=[[:alnum:]:.?]+ addr=[[:xdigit:]:.?]+ terminal=[^[:space:]]+ res=success'([^[:alpha:]]+UID="root" AUID="[[:alnum:]]+")?$
 ^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=CRED_DISP msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='op=PAM:setcred grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[^"]+" hostname=[[:alnum:]:.?]+ addr=[[:xdigit:]:.?]+ terminal=[^[:space:]]+ res=success'([^[:alpha:]]+UID="[[:alnum:]]+" AUID="[[:alnum:]-]+")?$
 ^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?type=CRED_REFR msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj==?unconfined msg='op=PAM:setcred grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[^"]+" hostname=[[:alnum:]:.?]+ addr=[[:xdigit:]:.?]+ terminal=[^[:space:]]+ res=success'([^[:alpha:]]+UID="[[:alnum:]]+" AUID="[[:alnum:]-]+")?$
-- 
2.39.5
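Review bot: Replacing the single `op=(UN)?LOAD$` rule with separate `op=LOAD$` and `op=UNLOAD$` lines is behaviour-neutral — the alternation accepted exactly those two values and nothing else — so this hunk is a readability change that mirrors the pair added in the first hunk rather than a tightening of the match. After this commit the file carries the BPF ignore in two shapes, with and without the `type=BPF msg=audit(...)` header, and nothing on the page says which logging path emits which; a short comment above each pair naming the source that produces that form (presumably the direct kernel audit line versus the auditd-dispatched record, but please confirm) would spare the next maintainer from re-deriving it and would make it obvious that both pairs must be kept in step. The hunk's context lines already show the file's convention of one event type per line, so the split is consistent with the CRED_* rules that follow.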