update rules

diff --git a/files/etc/logcheck/ignore.d.server/local-auditd b/files/etc/logcheck/ignore.d.server/local-auditd
index 3ef82afa9b343484e2307f26d9601773ab8ce2d4..36797b9fab922df3ee99c553729f1c382351ccab 100644 (file)
--- a/files/etc/logcheck/ignore.d.server/local-auditd
+++ b/files/etc/logcheck/ignore.d.server/local-auditd
@@ -32,4 +32,4 @@ type=USER_START msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): pid=[[:dig
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: rate_limit 0$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: /sbin/augenrules: No change$
 ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: The audit daemon is exiting\.$
-type=SYSCALL msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): arch=[[:xdigit:]]+ syscall=[[:digit:]]+ success=yes exit=[[:digit:]]+ a0=7 a1=[[:xdigit:]]+ a2=[[:digit:]]+ a3=[[:xdigit:]]+ items=0 ppid=4470 pid=[[:digit:]]+ auid=[[:digit:]]+ uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=\(none\) ses=[[:digit:]]+ comm="[[:alnum:]]+" exe="[[:alnum:]/]+" subj=unconfined key=\(null\)[^[:alpha:]]+ARCH=x86_64 SYSCALL=write AUID="[[:alnum:]]+" UID="[[:alnum:]]+" GID="[[:alnum:]]+" EUID="[[:alnum:]]+" SUID="[[:alnum:]]+" FSUID="[[:alnum:]]+" EGID="[[:alnum:]]+" SGID="[[:alnum:]]+" FSGID="[[:alnum:]]+"$
+type=SYSCALL msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\): arch=[[:xdigit:]]+ syscall=[[:digit:]]+ success=yes exit=[[:digit:]]+ a0=[[:digit:]]+ a1=[[:xdigit:]]+ a2=[[:digit:]]+ a3=[[:xdigit:]]+ items=0 ppid=[[:digit:]]+ pid=[[:digit:]]+ auid=[[:digit:]]+ uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=\(none\) ses=[[:digit:]]+ comm="[[:alnum:]]+" exe="[[:alnum:]/]+" subj=unconfined key=\(null\)[^[:alpha:]]+ARCH=x86_64 SYSCALL=write AUID="[[:alnum:]]+" UID="[[:alnum:]]+" GID="[[:alnum:]]+" EUID="[[:alnum:]]+" SUID="[[:alnum:]]+" FSUID="[[:alnum:]]+" EGID="[[:alnum:]]+" SGID="[[:alnum:]]+" FSGID="[[:alnum:]]+"$