Aaron M. Ucko
2007-Aug-30 17:45 UTC
[Logcheck-devel] [PATCH] Amend filters for new (0.99+) pam format.
Signed-off-by: Aaron M. Ucko <ucko at debian.org>
---
rulefiles/linux/ignore.d.paranoid/cron | 2 ++
rulefiles/linux/ignore.d.paranoid/ssh | 2 ++
rulefiles/linux/ignore.d.server/dovecot | 1 +
rulefiles/linux/ignore.d.server/logcheck | 2 ++
rulefiles/linux/ignore.d.server/proftpd | 1 +
rulefiles/linux/ignore.d.server/saslauthd | 1 +
rulefiles/linux/ignore.d.server/ssh | 2 ++
rulefiles/linux/ignore.d.workstation/francine | 1 +
rulefiles/linux/ignore.d.workstation/gdm | 1 +
rulefiles/linux/ignore.d.workstation/kdm | 2 ++
rulefiles/linux/ignore.d.workstation/wdm | 2 ++
rulefiles/linux/ignore.d.workstation/xdm | 2 ++
rulefiles/linux/violations.d/sudo | 1 +
.../linux/violations.ignore.d/logcheck-dovecot | 1 +
.../linux/violations.ignore.d/logcheck-passwd | 1 +
.../linux/violations.ignore.d/logcheck-proftpd | 1 +
.../linux/violations.ignore.d/logcheck-saslauthd | 1 +
rulefiles/linux/violations.ignore.d/logcheck-ssh | 1 +
rulefiles/linux/violations.ignore.d/logcheck-su | 2 ++
19 files changed, 27 insertions(+), 0 deletions(-)
diff --git a/rulefiles/linux/ignore.d.paranoid/cron
b/rulefiles/linux/ignore.d.paranoid/cron
index d7fffc2..b777956 100644
--- a/rulefiles/linux/ignore.d.paranoid/cron
+++ b/rulefiles/linux/ignore.d.paranoid/cron
@@ -6,3 +6,5 @@
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ /usr/sbin/cron\[[0-9]+\]: \(CRON\) INFO
\(Skipping @reboot jobs -- not system startup\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(pam_[[:alnum:]]+\) session
opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(pam_[[:alnum:]]+\) session
closed for user [[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]:
pam_[[:alnum:]]+\(cron:session\): session opened for user [[:alnum:]-]+ by
\(uid=[0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]:
pam_[[:alnum:]]+\(cron:session\): session closed for user [[:alnum:]-]+$
diff --git a/rulefiles/linux/ignore.d.paranoid/ssh
b/rulefiles/linux/ignore.d.paranoid/ssh
index 9ff8a31..06c5416 100644
--- a/rulefiles/linux/ignore.d.paranoid/ssh
+++ b/rulefiles/linux/ignore.d.paranoid/ssh
@@ -1,2 +1,4 @@
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: \(pam_[[:alnum:]]+\) session
opened for user [^[:space:]]+ by ([[:alnum:]-]+)?\(uid=[0-9]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: \(pam_[[:alnum:]]+\) session
closed for user [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]:
pam_[[:alnum:]]+\(ssh:session\): session opened for user [^[:space:]]+ by
([[:alnum:]-]+)?\(uid=[0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]:
pam_[[:alnum:]]+\(ssh:session\): session closed for user [^[:space:]]+$
diff --git a/rulefiles/linux/ignore.d.server/dovecot
b/rulefiles/linux/ignore.d.server/dovecot
index 0fe3c7c..e321fde 100644
--- a/rulefiles/linux/ignore.d.server/dovecot
+++ b/rulefiles/linux/ignore.d.server/dovecot
@@ -12,6 +12,7 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: ssl-build-param: SSL
parameters regeneration completed$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth\(-_.[[:alnum:]]+\):
(pg|my)sql: Connected to [-_.[:alnum:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot-auth: \(pam_unix\) check pass;
user unknown$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot-auth:
pam_unix\(dovecot:[[:alnum:]]+\): check pass; user unknown$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ deliver\([-_.@[:alnum:]]+\):
msgid=<[^[:space:]]+>( \((added by [^[:space:]]+|sfid-[_[:xdigit:]]+)\))?:
saved mail to [-_.[:alnum:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot:
auth-worker\([-_.[:alnum:]]+\): (pg|my)sql: Connected to [-_.[:alnum:]]+
\([-_.[:alnum:]]+\)$
# see #396760
diff --git a/rulefiles/linux/ignore.d.server/logcheck
b/rulefiles/linux/ignore.d.server/logcheck
index a2272ec..767e27f 100644
--- a/rulefiles/linux/ignore.d.server/logcheck
+++ b/rulefiles/linux/ignore.d.server/logcheck
@@ -1,5 +1,7 @@
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?:
\(pam_[[:alnum:]]+\) session opened for user [.[:alnum:]-]+ by
(root|LOGIN)?\(uid=0\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?:
\(pam_[[:alnum:]]+\) session closed for user [.[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?:
pam_[[:alnum:]]+\([[:alnum:]]+:session\): session opened for user [.[:alnum:]-]+
by (root|LOGIN)?\(uid=0\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?:
pam_[[:alnum:]]+\([[:alnum:]]+:session\): session closed for user
[.[:alnum:]-]+$
# new pam format
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?:
pam_[[:alnum:]]+\([[:alnum:]]+:[[:alnum:]]+\): session opened for user
[.[:alnum:]-]+ by (root|LOGIN)?\(uid=0\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?:
pam_[[:alnum:]]+\([[:alnum:]]+:[[:alnum:]]+\): session closed for user
[.[:alnum:]-]+$
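Review bot: The two rules added here are already covered by the existing "# new pam format" rules directly below them, which accept any `[[:alnum:]]+:[[:alnum:]]+` service:type pair and so already match `pam_unix(foo:session)`; the additions are redundant. If the intent was to narrow the suppression to `:session` only, the broader existing pair should be replaced rather than duplicated; otherwise drop the two added lines. Worth remembering when touching this file that the program field `([[:alnum:]]+\[[0-9]+\])?:` is optional, so these ignore rules suppress session open/close lines from any program logging under uid 0 — a comment such as `# program name is optional here: matches any PAM-using service` would make that visible to the next editor.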
diff --git a/rulefiles/linux/ignore.d.server/proftpd
b/rulefiles/linux/ignore.d.server/proftpd
index 24e4426..4109e26 100644
--- a/rulefiles/linux/ignore.d.server/proftpd
+++ b/rulefiles/linux/ignore.d.server/proftpd
@@ -1,4 +1,5 @@
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd: \(pam_unix\) session
(opened|closed) for user [._[:alnum:]-]+( by \(uid=[0-9]+\))?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd: pam_unix\(proftpd:session\):
session (opened|closed) for user [._[:alnum:]-]+( by \(uid=[0-9]+\))?$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]: [._[:alnum:]-]+
\([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\) - FTP session (opened|closed)\.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]: [._[:alnum:]-]+
\([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\) - (USER [._[:alnum:]-]+|ANON
(anonymous|ftp)): Login successful\.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]: [._[:alnum:]-]+
\([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\) - (USER [._[:alnum:]-]+|ANON
(anonymous|ftp)): Limit access denies login\.$
diff --git a/rulefiles/linux/ignore.d.server/saslauthd
b/rulefiles/linux/ignore.d.server/saslauthd
index 609f262..0843794 100644
--- a/rulefiles/linux/ignore.d.server/saslauthd
+++ b/rulefiles/linux/ignore.d.server/saslauthd
@@ -1,4 +1,5 @@
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ saslauthd+\[[0-9]+\]: Domain/Realm not
available\.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ saslauthd+\[[0-9]+\]: DIGEST-MD5 client step
[0-9]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]:
\(pam_unix\) check pass; user unknown$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]:
pam_unix\([[:alnum:]]+:[[:alnum:]]+\): check pass; user unknown$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]:
do_request[[:space:]]*: NULL password received$
diff --git a/rulefiles/linux/ignore.d.server/ssh
b/rulefiles/linux/ignore.d.server/ssh
index 4c361eb..6c547de 100644
--- a/rulefiles/linux/ignore.d.server/ssh
+++ b/rulefiles/linux/ignore.d.server/ssh
@@ -18,6 +18,8 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Failed
(keyboard-interactive/pam|password|none) for i(llegal|nvalid) user
[-\'"@#$%^+<!>._[:alnum:]]* from ([:.[:xdigit:]]+|UNKNOWN) port
[[:digit:]]{1,5} ssh2?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: \(pam_unix\)
check pass; user unknown$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: \(pam_unix\)
auth could not identify password for \[[-_.[:alnum:]]*\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]:
pam_unix\(ssh:[[:alnum:]]+\): check pass; user unknown$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]:
pam_unix\(ssh:auth\): auth could not identify password for \[[-_.[:alnum:]]*\]$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Address [._[:alnum:]-]+ maps
to [._[:alnum:]-]+, but this does not map back to the address - POSSIBLE
BREAK-?IN ATTEMPT!$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: reverse mapping checking
getaddrinfo for [._[:alnum:]-]+ failed - POSSIBLE BREAK-?IN ATTEMPT!$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: fatal: recv_rexec_state:
ssh_msg_recv failed$
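Review bot: The "check pass; user unknown" rule leaves the PAM type as `ssh:[[:alnum:]]+` while the "auth could not identify password" rule two lines below pins `ssh:auth`; both messages come from the same pam_unix password-check path, so `pam_unix\(ssh:auth\): check pass; user unknown$` would be consistent and slightly tighter. Both new rules also hard-code `ssh` as the service name, which the old `\(pam_unix\)` format did not expose; if the openssh-server PAM service file is installed under `sshd` rather than `ssh` (both names have been used), neither rule matches. That failure mode is safe — unmatched lines are reported rather than suppressed — but `pam_unix\(sshd?:auth\)` would cover both spellings.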
diff --git a/rulefiles/linux/ignore.d.workstation/francine
b/rulefiles/linux/ignore.d.workstation/francine
index c748b71..58c3534 100644
--- a/rulefiles/linux/ignore.d.workstation/francine
+++ b/rulefiles/linux/ignore.d.workstation/francine
@@ -1 +1,2 @@
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ francine: \(pam_unix\) session
(opened|closed) for user [a-z]+( by LOGIN\(uid=0\))?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ francine: pam_unix\(francine:session\):
session (opened|closed) for user [a-z]+( by LOGIN\(uid=0\))?$
diff --git a/rulefiles/linux/ignore.d.workstation/gdm
b/rulefiles/linux/ignore.d.workstation/gdm
index 68af5cb..f2c73a3 100644
--- a/rulefiles/linux/ignore.d.workstation/gdm
+++ b/rulefiles/linux/ignore.d.workstation/gdm
@@ -1,2 +1,3 @@
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gdm\[[0-9]+\]: [[:alnum:]]+:
\(pam_securetty\) access denied: tty ':0' is not secure !$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gdm\[[0-9]+\]: [[:alnum:]]+:
pam_securetty\(gdm:[[:alnum:]]+\): access denied: tty ':0' is not secure
!$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gdm\[[0-9]+\]: gdm_slave_xioerror_handler:
Fatal X error - Restarting :[0-9]$
diff --git a/rulefiles/linux/ignore.d.workstation/kdm
b/rulefiles/linux/ignore.d.workstation/kdm
index 11a7ca4..febace7 100644
--- a/rulefiles/linux/ignore.d.workstation/kdm
+++ b/rulefiles/linux/ignore.d.workstation/kdm
@@ -1,3 +1,5 @@
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kdm: :0\[[0-9]+\]: \(pam_[[:alnum:]]+\)
session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kdm: :0\[[0-9]+\]: \(pam_[[:alnum:]]+\)
session closed for user [[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kdm: :0\[[0-9]+\]:
pam_[[:alnum:]]+\(kdm:session\): session opened for user [[:alnum:]-]+ by
\(uid=[0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kdm: :0\[[0-9]+\]:
pam_[[:alnum:]]+\(kdm:session\): session closed for user [[:alnum:]-]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kdm_greet\[[0-9]+\]: Can't open default
user face$
diff --git a/rulefiles/linux/ignore.d.workstation/wdm
b/rulefiles/linux/ignore.d.workstation/wdm
index 54c56e5..8527bb5 100644
--- a/rulefiles/linux/ignore.d.workstation/wdm
+++ b/rulefiles/linux/ignore.d.workstation/wdm
@@ -1,2 +1,4 @@
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wdm: \(pam_[[:alnum:]]+\) session opened for
user [[:alnum:]-]+ by \(uid=[0-9]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wdm: \(pam_[[:alnum:]]+\) session closed for
user [[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wdm: :0\[[0-9]+\]:
pam_[[:alnum:]]+\(wdm:session\): session opened for user [[:alnum:]-]+ by
\(uid=[0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wdm: :0\[[0-9]+\]:
pam_[[:alnum:]]+\(wdm:session\): session closed for user [[:alnum:]-]+$
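Review bot: The new wdm rules require the prefix `wdm: :0\[[0-9]+\]:`, but the old-format rules on the two lines above show wdm's syslog prefix as plain `wdm: ` with no display or pid component; the new lines look copied from the kdm rules. Unless wdm's log identity changed along with the PAM message format, these rules will never match and the session lines will be reported. Suggest `^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wdm: pam_[[:alnum:]]+\(wdm:session\): session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$` and the matching `session closed` line, mirroring the old-format prefix.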
diff --git a/rulefiles/linux/ignore.d.workstation/xdm
b/rulefiles/linux/ignore.d.workstation/xdm
index 7383ed1..3ed4900 100644
--- a/rulefiles/linux/ignore.d.workstation/xdm
+++ b/rulefiles/linux/ignore.d.workstation/xdm
@@ -1,2 +1,4 @@
^\w{3} [ :0-9]{11} [._[:alnum:]-]+[[:space:]]+: \(pam_[[:alnum:]]+\) session
opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+[[:space:]]+: \(pam_[[:alnum:]]+\) session
closed for user [[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ xdm: :0\[[0-9]+\]:
pam_[[:alnum:]]+\(xdm:session\): session opened for user [[:alnum:]-]+ by
\(uid=[0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ xdm: :0\[[0-9]+\]:
pam_[[:alnum:]]+\(xdm:session\): session closed for user [[:alnum:]-]+$
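Review bot: The old-format xdm rules match `[._[:alnum:]-]+[[:space:]]+: \(pam_` — hostname, whitespace, a bare colon and no program name — whereas the new rules require `xdm: :0\[[0-9]+\]:`, the same prefix as the kdm rules. If xdm still logs with the old prefix shape, these additions will not match. Suggest keeping the prefix from the existing rules: `^\w{3} [ :0-9]{11} [._[:alnum:]-]+[[:space:]]+: pam_[[:alnum:]]+\(xdm:session\): session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$` plus the corresponding `session closed` line; this is inferred from the visible old rules, so confirm against an actual xdm log line.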
diff --git a/rulefiles/linux/violations.d/sudo
b/rulefiles/linux/violations.d/sudo
index 9875f6b..c0af733 100644
--- a/rulefiles/linux/violations.d/sudo
+++ b/rulefiles/linux/violations.d/sudo
@@ -1,2 +1,3 @@
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo\[[0-9]+\]: \(pam_[[:alnum:]]+\) .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo\[[0-9]+\]:
pam_[[:alnum:]]+\(sudo:[[:alnum:]]+\): .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: .*$
diff --git a/rulefiles/linux/violations.ignore.d/logcheck-dovecot
b/rulefiles/linux/violations.ignore.d/logcheck-dovecot
index 4036c96..d286734 100644
--- a/rulefiles/linux/violations.ignore.d/logcheck-dovecot
+++ b/rulefiles/linux/violations.ignore.d/logcheck-dovecot
@@ -1 +1,2 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot-auth: \(pam_unix\)
authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot-auth:
pam_unix\(dovecot:[[:alnum:]]+\): authentication failure; logname= uid=0 euid=0
tty=dovecot ruser= rhost=$
diff --git a/rulefiles/linux/violations.ignore.d/logcheck-passwd
b/rulefiles/linux/violations.ignore.d/logcheck-passwd
index c04eaa1..087ea62 100644
--- a/rulefiles/linux/violations.ignore.d/logcheck-passwd
+++ b/rulefiles/linux/violations.ignore.d/logcheck-passwd
@@ -1 +1,2 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ passwd\[[[:digit:]]+\]: \(pam_unix\)
authentication failure; logname=[-._[:alnum:]]+ uid=[[:digit:]]+ euid=0 tty=
ruser= rhost= [[:space:]]*user=[-._[:alnum:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ passwd\[[[:digit:]]+\]:
pam_unix\(passwd:[[:alnum:]]+\): authentication failure; logname=[-._[:alnum:]]+
uid=[[:digit:]]+ euid=0 tty= ruser= rhost= [[:space:]]*user=[-._[:alnum:]]+$
diff --git a/rulefiles/linux/violations.ignore.d/logcheck-proftpd
b/rulefiles/linux/violations.ignore.d/logcheck-proftpd
index 98105c3..a5c3492 100644
--- a/rulefiles/linux/violations.ignore.d/logcheck-proftpd
+++ b/rulefiles/linux/violations.ignore.d/logcheck-proftpd
@@ -1,4 +1,5 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd: \(pam_unix\) authentication
failure; logname= uid=0 euid=0 tty= ruser= rhost=[-_.:[:alnum:]]+
user=[-_.[:alnum:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd:
pam_unix\(proftpd:[[:alnum:]]+\): authentication failure; logname= uid=0 euid=0
tty= ruser= rhost=[-_.:[:alnum:]]+ user=[-_.[:alnum:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]{1,5}\]:
[._[:alnum:]-]+ \([._[:alnum:]-]+\[[.:[:xdigit:]]+\]\) - PAM\([-_.[:alnum:]]+\):
Authentication failure\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]{1,5}\]:
[._[:alnum:]-]+ \([._[:alnum:]-]+\[[.:[:xdigit:]]+\]\) - Connection from
[._[:alnum:]-]+ \[[.:[:xdigit:]]+\] denied\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]{1,5}\]:
[._[:alnum:]-]+ \([._[:alnum:]-]+\[[.:[:xdigit:]]+\]\) - USER [-._[:alnum:]]+
\(Login failed\): Limit access denies login$
diff --git a/rulefiles/linux/violations.ignore.d/logcheck-saslauthd
b/rulefiles/linux/violations.ignore.d/logcheck-saslauthd
index 28cc2b4..c8f8e47 100644
--- a/rulefiles/linux/violations.ignore.d/logcheck-saslauthd
+++ b/rulefiles/linux/violations.ignore.d/logcheck-saslauthd
@@ -1,4 +1,5 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: DEBUG:
auth_pam: pam_authenticate failed: User not known to the underlying
authentication module$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: DEBUG:
auth_pam: pam_authenticate failed: Authentication failure$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]:
\(pam_unix\) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
[[:space:]]*user=[-._[:alnum:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd:
pam_unix\([[:alnum:]]+:[[:alnum:]]+\): authentication failure; logname= uid=0
euid=0 tty= ruser= rhost=[-_.:[:alnum:]]+ user=[-_.[:alnum:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]:
do_auth[[:space:]]*: auth failure: \[user=[._[:alnum:]-]+\] \[service=smtp\]
\[realm=[._[:alnum:]-]+\] \[mech=pam\] \[reason=PAM auth error\]$
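Review bot: The new saslauthd rule does not match the same event as the old-format rule directly above it: it drops the `\[[[:digit:]]+\]` pid from the program prefix, and its tail `rhost=[-_.:[:alnum:]]+ user=` requires a non-empty rhost, whereas the existing rule expects `rhost= ` empty followed by optional whitespace and `user=`. The tail is identical to the new proftpd rule, which suggests a copy-and-retag. Suggest `^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: pam_unix\([[:alnum:]]+:auth\): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= [[:space:]]*user=[-._[:alnum:]]+$`, mirroring the old rule. Since this is a violations.ignore.d file, a non-matching rule errs toward reporting, so the cost is noise rather than a missed event.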
diff --git a/rulefiles/linux/violations.ignore.d/logcheck-ssh
b/rulefiles/linux/violations.ignore.d/logcheck-ssh
index e0d64f1..ce15db1 100644
--- a/rulefiles/linux/violations.ignore.d/logcheck-ssh
+++ b/rulefiles/linux/violations.ignore.d/logcheck-ssh
@@ -9,4 +9,5 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: I(llegal|nvalid)
user [^[:space:]]+ from ([:.[:xdigit:]]+|UNKNOWN)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Failed
(keyboard-interactive/pam|password|none) for i(llegal|nvalid) user [^[:space:]]+
from ([:.[:xdigit:]]+|UNKNOWN|[-_.[:alnum:]]+) port [[:digit:]]{1,5} ssh2?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: \(pam_unix\)
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=[^[:space:]]+([[:space:]]+user=[^[:space:]]+)?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd: pam_unix\(ssh:[[:alnum:]]+\):
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=[-_.:[:alnum:]]+
user=[-_.[:alnum:]]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: fatal: recv_rexec_state:
ssh_msg_recv failed$
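Review bot: The new sshd rule diverges from the old-format rule above it on three points that will stop it matching real sshd lines: the prefix is `sshd:` without the `\[[[:digit:]]+\]` pid, the tail has `tty=` empty where the existing rule has `tty=ssh`, and `user=` is mandatory with a narrower character set where the existing rule makes it optional and allows any non-space characters. As with the saslauthd change, the tail looks copied from the proftpd rule. Suggest `^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_unix\(ssh:auth\): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[^[:space:]]+([[:space:]]+user=[^[:space:]]+)?$`. Because this is a violations.ignore.d entry, the mismatch means these failures are reported twice (here and via the "Failed password" rule) rather than lost.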
diff --git a/rulefiles/linux/violations.ignore.d/logcheck-su
b/rulefiles/linux/violations.ignore.d/logcheck-su
index 7dbf61d..f5df94a 100644
--- a/rulefiles/linux/violations.ignore.d/logcheck-su
+++ b/rulefiles/linux/violations.ignore.d/logcheck-su
@@ -2,6 +2,8 @@
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \(pam_[[:alnum:]]+\) session
opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \(pam_[[:alnum:]]+\) session
opened for user [[:alnum:]-]+ by [[:alnum:]-]+\(uid=[0-9]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \(pam_[[:alnum:]]+\) session
closed for user [[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]:
pam_[[:alnum:]]+\(su:session\): session opened for user [[:alnum:]-]+ by
[[:alnum:]-]*\(uid=[0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]:
pam_[[:alnum:]]+\(su:session\): session closed for user [[:alnum:]-]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ \?\?\? root:[_[:alnum:]-]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: Successful su for
[[:alnum:]-]+ by [[:alnum:]-]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: pam_authenticate:
Authentication failure$
--
1.5.2.5