-rw-r--r--files/etc/logcheck/ignore.d.server/local-auditd2
1 files changed, 1 insertions, 1 deletions
diff --git a/files/etc/logcheck/ignore.d.server/local-auditd b/files/etc/logcheck/ignore.d.server/local-auditd
index d9ed27f..f9fcdc2 100644
--- a/files/etc/logcheck/ignore.d.server/local-auditd
+++ b/files/etc/logcheck/ignore.d.server/local-auditd
@@ -39,7 +39,7 @@
^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?USER_ACCT( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='op=PAM:accounting grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[[:alnum:]/]+" hostname=[[:alnum:]:.?]+ addr=[[:xdigit:]:.?]+ terminal=[^[:space:]]+ res=success'([^[:alpha:]]+UID="[[:alnum:]]+" AUID="[[:alnum:]@_-]+")?$
^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?USER_ACCT( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='op=PAM:accounting grantors=pam_permit acct="[[:alnum:]@_-]+" exe="[[:alnum:]/]+" hostname=[[:alnum:]:.?]+ addr=[[:xdigit:]:.?]+ terminal=[^[:space:]]+ res=success'$
^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?USER_AUTH( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='op=PAM:authentication grantors=(pam_[[:alnum:]]+,?)+ acct="[[:alnum:]@_-]+" exe="[[:alnum:]/]+" hostname=[[:alnum:]:.?]+ addr=[[:xdigit:]:.?]+ terminal=[^[:space:]]+ res=success'([^[:alpha:]]+UID="root" AUID="[[:alnum:]@_-]+")?$
-^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?USER_AUTH( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='op=PAM:authentication grantors=(\?|pam_[[:alnum:]]+,?)+ acct="[^"]+" exe="[[:alnum:]/]*" hostname=[[:alnum:]:.?]+ addr=[[:xdigit:]:.?]+ terminal=[^[:space:]]+ res=(failed|success)'([^[:alpha:]]+UID="root" AUID="[[:alnum:]@_-]+")?$
+^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?USER_AUTH( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='op=PAM:authentication grantors=(\?|pam_[[:alnum:]]+,?)+ acct=("[^"]+"|[[:xdigit:]]+) exe="[[:alnum:]/]*" hostname=[[:alnum:]:.?]+ addr=[[:xdigit:]:.?]+ terminal=[^[:space:]]+ res=(failed|success)'([^[:alpha:]]+UID="root" AUID="[[:alnum:]@_-]+")?$
^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?USER_CHAUTHTOK( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='op=display aging info id=[[:digit:]]+ exe="/usr/bin/chage" hostname=\? addr=\? terminal=[^[:space:]]+ res=success'([^[:alpha:]]+UID="root" AUID="[[:alnum:]@_-]+" ID="[[:alnum:]-]+")?$
^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?USER_CMD( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='cwd="[^"]+" cmd="[[:alnum:]/]+" exe="[[:alnum:]/]+" terminal=[^[:space:]]+ res=success'([^[:alpha:]]+UID="[[:alnum:]]+" AUID="[[:alnum:]@_-]+"( ID="[[:alnum:]-]+")?)?$
^((\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ audit\[[[:digit:]]+\]: )?(type=)?USER_CMD( msg=audit\([[:digit:]]+\.[[:digit:]]+:[[:digit:]]+\):)? pid=[[:digit:]]+ uid=[[:digit:]]+ auid=[[:digit:]]+ ses=[[:digit:]]+ subj=unconfined msg='cwd="[^"]+" cmd="[[:alnum:]/]+" terminal=[^[:space:]]+ res=success'$
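Review bot: The widened `acct=("[^"]+"|[[:xdigit:]]+)` on the added USER_AUTH line still sits in front of `res=(failed|success)`, so logcheck now silences failed PAM authentications whose account name auditd emitted as a bare hex string as well as the quoted ones. auditd appears to fall back to hex encoding when the value contains characters it will not print literally, which is presumably the case for odd or attacker-chosen usernames in a brute-force or log-injection attempt — exactly the failures a server ignore file should let through; the neighbouring USER_AUTH rule a few lines up only ignores `res=success`. Consider keeping `res=(failed|success)` for the quoted `acct="[^"]+"` form only and adding a separate line for `acct=[[:xdigit:]]+` that ends in `res=success'`, or at minimum a comment above the rule stating that hex-encoded account names are deliberately ignored on failure. Note the rule also accepts `exe="[[:alnum:]/]*"` with an empty path and `grantors=(\?|...)`, which together with this change make it the loosest USER_AUTH pattern in the file.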