authorHendrik Jäger <gitcommit@henk.geekmail.org>2024-09-30 08:39:25 +0200
committerHendrik Jäger <gitcommit@henk.geekmail.org>2024-09-30 08:39:25 +0200
commite29d54747a5b7ba4a41f2ea9dffa03f4e44c8df6 (patch)
tree2b40807b10bd23fe737f54e76f9b1975be5b095c
parentf4862b0df5c8387172180d14c6548bb779a526cd (diff)
update rules
-rw-r--r--files/etc/logcheck/ignore.d.server/local-auditd2
1 files changed, 1 insertions, 1 deletions
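--- a/files/etc/logcheck/ignore.d.server/local-auditd
+++ b/files/etc/logcheck/ignore.d.server/local-auditd
@@ -31,7 +31,7 @@
 ^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?NETFILTER_CFG( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? table=nat:[[:digit:]]+ family=2 entries=[[:digit:]]+ op=nft_register_chain pid=[[:digit:]]+ subj=unconfined comm="nft"$
 ^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?NETFILTER_CFG( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? table=nat:[[:digit:]]+ family=2 entries=[[:digit:]]+ op=nft_unregister_table pid=[[:digit:]]+ subj=unconfined comm="nft"$
 ^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?PATH( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? item=[[:digit:]]+ name=\(null\) inode=[[:digit:]]+ dev=[[:xdigit:]:]+ mode=[[:digit:]]+ ouid=0 ogid=0 rdev=00:00 nametype=(PARENT|CREATE) cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="root" OGID="root"$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?PROCTITLE( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? proctitle="[^"]+"$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?PROCTITLE( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? proctitle=[^[:space:]]+$
 ^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?SERVICE_START(( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)?)? pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='unit=[[:alnum:]@_-]+ comm="systemd" exe="/usr/lib/systemd/systemd" hostname=\? addr=\? terminal=[^[:space:]]+ res=success'([^[:alpha:]]+UID="root" AUID="unset")?$
 ^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?SERVICE_STOP(( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)?)? pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='unit=[[:alnum:]@_-]+ comm="systemd" exe="/usr/lib/systemd/systemd" hostname=\? addr=\? terminal=[^[:space:]]+ res=success'([^[:alpha:]]+UID="root" AUID="unset")?$
 ^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?SYSCALL( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? arch=[[:xdigit:]]+ syscall=[[:digit:]]+ success=yes exit=[[:digit:]]+ a0=[[:xdigit:]]+ a1=[[:xdigit:]]+ a2=[[:xdigit:]]+ a3=[[:xdigit:]]+ items=[[:digit:]]+ ppid=[[:digit:]]+ pid=[[:digit:]]+ auid=[[:digit:]]+ uid=[[:digit:]]+ gid=[[:digit:]]+ euid=[[:digit:]]+ suid=[[:digit:]]+ fsuid=[[:digit:]]+ egid=[[:digit:]]+ sgid=[[:digit:]]+ fsgid=[[:digit:]]+ tty=(\(none\)|pts[[:digit:]]+) ses=[[:digit:]]+ comm="[[:alnum:]]+" exe="[[:alnum:]/]+" subj=unconfined key=\(null\)([^[:alpha:]]+ARCH=x86_64 SYSCALL=(write|ioctl|sendmsg|sendto) AUID="[[:alnum:]@_-]+" UID="[[:alnum:]]+" GID="[[:alnum:]]+" EUID="[[:alnum:]]+" SUID="[[:alnum:]]+" FSUID="[[:alnum:]]+" EGID="[[:alnum:]]+" SGID="[[:alnum:]]+" FSGID="[[:alnum:]]+")?$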
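Review bot: The new PROCTITLE rule on the `+` line accepts any run of non-whitespace after `proctitle=`, so it no longer distinguishes the quoted single-word form the old rule matched from the hex-encoded form the kernel emits whenever the command line contains arguments or other bytes it treats as unprintable; in effect every PROCTITLE record is now dropped from the logcheck report, not just the narrow case that was previously ignored. If covering the hex form is the intent, spelling out the two shapes keeps the rule self-documenting and still rejects malformed values: `proctitle=("[^"]+"|[[:xdigit:]]+)$`. PROCTITLE is the companion record that carries the command line for the SYSCALL events matched a few lines below, so silencing it unconditionally removes the one field that would show what was actually executed when an unignored SYSCALL line does reach the report. A `#` comment above the rule stating that this suppression is deliberate, and why, would spare the next reviewer the same question.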