[Logcheck-devel] [PATCH] Amend filters for new (0.99+) pam format.

Aaron M. Ucko ucko at debian.org
Thu Aug 30 17:45:09 UTC 2007


Signed-off-by: Aaron M. Ucko <ucko at debian.org>
---
 rulefiles/linux/ignore.d.paranoid/cron             |    2 ++
 rulefiles/linux/ignore.d.paranoid/ssh              |    2 ++
 rulefiles/linux/ignore.d.server/dovecot            |    1 +
 rulefiles/linux/ignore.d.server/logcheck           |    2 ++
 rulefiles/linux/ignore.d.server/proftpd            |    1 +
 rulefiles/linux/ignore.d.server/saslauthd          |    1 +
 rulefiles/linux/ignore.d.server/ssh                |    2 ++
 rulefiles/linux/ignore.d.workstation/francine      |    1 +
 rulefiles/linux/ignore.d.workstation/gdm           |    1 +
 rulefiles/linux/ignore.d.workstation/kdm           |    2 ++
 rulefiles/linux/ignore.d.workstation/wdm           |    2 ++
 rulefiles/linux/ignore.d.workstation/xdm           |    2 ++
 rulefiles/linux/violations.d/sudo                  |    1 +
 .../linux/violations.ignore.d/logcheck-dovecot     |    1 +
 .../linux/violations.ignore.d/logcheck-passwd      |    1 +
 .../linux/violations.ignore.d/logcheck-proftpd     |    1 +
 .../linux/violations.ignore.d/logcheck-saslauthd   |    1 +
 rulefiles/linux/violations.ignore.d/logcheck-ssh   |    1 +
 rulefiles/linux/violations.ignore.d/logcheck-su    |    2 ++
 19 files changed, 27 insertions(+), 0 deletions(-)

diff --git a/rulefiles/linux/ignore.d.paranoid/cron b/rulefiles/linux/ignore.d.paranoid/cron
index d7fffc2..b777956 100644
--- a/rulefiles/linux/ignore.d.paranoid/cron
+++ b/rulefiles/linux/ignore.d.paranoid/cron
@@ -6,3 +6,5 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ /usr/sbin/cron\[[0-9]+\]: \(CRON\) INFO \(Skipping @reboot jobs -- not system startup\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(pam_[[:alnum:]]+\) session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(pam_[[:alnum:]]+\) session closed for user [[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: pam_[[:alnum:]]+\(cron:session\): session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: pam_[[:alnum:]]+\(cron:session\): session closed for user [[:alnum:]-]+$
diff --git a/rulefiles/linux/ignore.d.paranoid/ssh b/rulefiles/linux/ignore.d.paranoid/ssh
index 9ff8a31..06c5416 100644
--- a/rulefiles/linux/ignore.d.paranoid/ssh
+++ b/rulefiles/linux/ignore.d.paranoid/ssh
@@ -1,2 +1,4 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: \(pam_[[:alnum:]]+\) session opened for user [^[:space:]]+ by ([[:alnum:]-]+)?\(uid=[0-9]+\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: \(pam_[[:alnum:]]+\) session closed for user [^[:space:]]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: pam_[[:alnum:]]+\(ssh:session\): session opened for user [^[:space:]]+ by ([[:alnum:]-]+)?\(uid=[0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: pam_[[:alnum:]]+\(ssh:session\): session closed for user [^[:space:]]+$
diff --git a/rulefiles/linux/ignore.d.server/dovecot b/rulefiles/linux/ignore.d.server/dovecot
index 0fe3c7c..e321fde 100644
--- a/rulefiles/linux/ignore.d.server/dovecot
+++ b/rulefiles/linux/ignore.d.server/dovecot
@@ -12,6 +12,7 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: ssl-build-param: SSL parameters regeneration completed$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth\(-_.[[:alnum:]]+\): (pg|my)sql: Connected to [-_.[:alnum:]]+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot-auth: \(pam_unix\) check pass; user unknown$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot-auth: pam_unix\(dovecot:[[:alnum:]]+\): check pass; user unknown$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ deliver\([-_.@[:alnum:]]+\): msgid=<[^[:space:]]+>( \((added by [^[:space:]]+|sfid-[_[:xdigit:]]+)\))?: saved mail to [-_.[:alnum:]]+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth-worker\([-_.[:alnum:]]+\): (pg|my)sql: Connected to [-_.[:alnum:]]+ \([-_.[:alnum:]]+\)$
 # see #396760
diff --git a/rulefiles/linux/ignore.d.server/logcheck b/rulefiles/linux/ignore.d.server/logcheck
index a2272ec..767e27f 100644
--- a/rulefiles/linux/ignore.d.server/logcheck
+++ b/rulefiles/linux/ignore.d.server/logcheck
@@ -1,5 +1,7 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: \(pam_[[:alnum:]]+\) session opened for user [.[:alnum:]-]+ by (root|LOGIN)?\(uid=0\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: \(pam_[[:alnum:]]+\) session closed for user [.[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: pam_[[:alnum:]]+\([[:alnum:]]+:session\): session opened for user [.[:alnum:]-]+ by (root|LOGIN)?\(uid=0\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: pam_[[:alnum:]]+\([[:alnum:]]+:session\): session closed for user [.[:alnum:]-]+$
 # new pam format
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: pam_[[:alnum:]]+\([[:alnum:]]+:[[:alnum:]]+\): session opened for user [.[:alnum:]-]+ by (root|LOGIN)?\(uid=0\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: pam_[[:alnum:]]+\([[:alnum:]]+:[[:alnum:]]+\): session closed for user [.[:alnum:]-]+$
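Review bot: The two rules added at the top of this hunk are redundant with the two that already follow the `# new pam format` comment: those match `pam_[[:alnum:]]+\([[:alnum:]]+:[[:alnum:]]+\)`, which already accepts `:session`, so every line the new rules match is matched by the existing ones. Keeping both means the same message is maintained in two places and any future tweak must be made twice. Either drop the two added lines, or, if the intent was to narrow the existing rules to `:session` only, replace them instead of adding alongside.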
diff --git a/rulefiles/linux/ignore.d.server/proftpd b/rulefiles/linux/ignore.d.server/proftpd
index 24e4426..4109e26 100644
--- a/rulefiles/linux/ignore.d.server/proftpd
+++ b/rulefiles/linux/ignore.d.server/proftpd
@@ -1,4 +1,5 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd: \(pam_unix\) session (opened|closed) for user [._[:alnum:]-]+( by \(uid=[0-9]+\))?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd: pam_unix\(proftpd:session\): session (opened|closed) for user [._[:alnum:]-]+( by \(uid=[0-9]+\))?$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]: [._[:alnum:]-]+ \([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\) - FTP session (opened|closed)\.$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]: [._[:alnum:]-]+ \([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\) - (USER [._[:alnum:]-]+|ANON (anonymous|ftp)): Login successful\.$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd\[[0-9]+\]: [._[:alnum:]-]+ \([:._[:alnum:]-]+\[[.:[:xdigit:]]+\]\) - (USER [._[:alnum:]-]+|ANON (anonymous|ftp)): Limit access denies login\.$
diff --git a/rulefiles/linux/ignore.d.server/saslauthd b/rulefiles/linux/ignore.d.server/saslauthd
index 609f262..0843794 100644
--- a/rulefiles/linux/ignore.d.server/saslauthd
+++ b/rulefiles/linux/ignore.d.server/saslauthd
@@ -1,4 +1,5 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ saslauthd+\[[0-9]+\]: Domain/Realm not available\.$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ saslauthd+\[[0-9]+\]: DIGEST-MD5 client step [0-9]+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: \(pam_unix\) check pass; user unknown$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: pam_unix\([[:alnum:]]+:[[:alnum:]]+\): check pass; user unknown$
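Review bot: The added rule wildcards the PAM service name with `pam_unix\([[:alnum:]]+:[[:alnum:]]+\)`, whereas the other rules in this patch pin it (`dovecot:`, `ssh:`, `proftpd:`, `gdm:`); this is a point of style rather than a defect. A pinned service makes the rule self-documenting and means a message from an unexpected service string surfaces in the report instead of being silently ignored. If the service name saslauthd uses is not known for certain, a comment such as `# PAM service name depends on how saslauthd is configured` above the line would explain the wildcard.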
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: do_request[[:space:]]*: NULL password received$
diff --git a/rulefiles/linux/ignore.d.server/ssh b/rulefiles/linux/ignore.d.server/ssh
index 4c361eb..6c547de 100644
--- a/rulefiles/linux/ignore.d.server/ssh
+++ b/rulefiles/linux/ignore.d.server/ssh
@@ -18,6 +18,8 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Failed (keyboard-interactive/pam|password|none) for i(llegal|nvalid) user [-\'"@#$%^+<!>._[:alnum:]]* from ([:.[:xdigit:]]+|UNKNOWN) port [[:digit:]]{1,5} ssh2?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: \(pam_unix\) check pass; user unknown$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: \(pam_unix\) auth could not identify password for \[[-_.[:alnum:]]*\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_unix\(ssh:[[:alnum:]]+\): check pass; user unknown$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_unix\(ssh:auth\): auth could not identify password for \[[-_.[:alnum:]]*\]$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Address [._[:alnum:]-]+ maps to [._[:alnum:]-]+, but this does not map back to the address - POSSIBLE BREAK-?IN ATTEMPT!$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: reverse mapping checking getaddrinfo for [._[:alnum:]-]+ failed - POSSIBLE BREAK-?IN ATTEMPT!$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: fatal: recv_rexec_state: ssh_msg_recv failed$
diff --git a/rulefiles/linux/ignore.d.workstation/francine b/rulefiles/linux/ignore.d.workstation/francine
index c748b71..58c3534 100644
--- a/rulefiles/linux/ignore.d.workstation/francine
+++ b/rulefiles/linux/ignore.d.workstation/francine
@@ -1 +1,2 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ francine: \(pam_unix\) session (opened|closed) for user [a-z]+( by LOGIN\(uid=0\))?$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ francine: pam_unix\(francine:session\): session (opened|closed) for user [a-z]+( by LOGIN\(uid=0\))?$
diff --git a/rulefiles/linux/ignore.d.workstation/gdm b/rulefiles/linux/ignore.d.workstation/gdm
index 68af5cb..f2c73a3 100644
--- a/rulefiles/linux/ignore.d.workstation/gdm
+++ b/rulefiles/linux/ignore.d.workstation/gdm
@@ -1,2 +1,3 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gdm\[[0-9]+\]: [[:alnum:]]+: \(pam_securetty\) access denied: tty ':0' is not secure !$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gdm\[[0-9]+\]: [[:alnum:]]+: pam_securetty\(gdm:[[:alnum:]]+\): access denied: tty ':0' is not secure !$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gdm\[[0-9]+\]: gdm_slave_xioerror_handler: Fatal X error - Restarting :[0-9]$
diff --git a/rulefiles/linux/ignore.d.workstation/kdm b/rulefiles/linux/ignore.d.workstation/kdm
index 11a7ca4..febace7 100644
--- a/rulefiles/linux/ignore.d.workstation/kdm
+++ b/rulefiles/linux/ignore.d.workstation/kdm
@@ -1,3 +1,5 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kdm: :0\[[0-9]+\]: \(pam_[[:alnum:]]+\) session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kdm: :0\[[0-9]+\]: \(pam_[[:alnum:]]+\) session closed for user [[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kdm: :0\[[0-9]+\]: pam_[[:alnum:]]+\(kdm:session\): session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kdm: :0\[[0-9]+\]: pam_[[:alnum:]]+\(kdm:session\): session closed for user [[:alnum:]-]+$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kdm_greet\[[0-9]+\]: Can't open default user face$
diff --git a/rulefiles/linux/ignore.d.workstation/wdm b/rulefiles/linux/ignore.d.workstation/wdm
index 54c56e5..8527bb5 100644
--- a/rulefiles/linux/ignore.d.workstation/wdm
+++ b/rulefiles/linux/ignore.d.workstation/wdm
@@ -1,2 +1,4 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wdm: \(pam_[[:alnum:]]+\) session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wdm: \(pam_[[:alnum:]]+\) session closed for user [[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wdm: :0\[[0-9]+\]: pam_[[:alnum:]]+\(wdm:session\): session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wdm: :0\[[0-9]+\]: pam_[[:alnum:]]+\(wdm:session\): session closed for user [[:alnum:]-]+$
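Review bot: The new rules expect a `:0\[[0-9]+\]:` display/pid tag after `wdm:`, which the two existing wdm rules directly above do not have (they match `wdm: \(pam_...` with nothing in between), so unless wdm's own logging changed together with the PAM message format the added lines will not match and the session messages will keep reaching the report. The tag looks carried over from the kdm rules in this patch. If the tag is really emitted, a comment naming the wdm version that logs it would make that checkable; otherwise make it optional, e.g. `wdm:( :0\[[0-9]+\]:)? pam_[[:alnum:]]+\(wdm:session\): session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$`, and the same for the closed line.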
diff --git a/rulefiles/linux/ignore.d.workstation/xdm b/rulefiles/linux/ignore.d.workstation/xdm
index 7383ed1..3ed4900 100644
--- a/rulefiles/linux/ignore.d.workstation/xdm
+++ b/rulefiles/linux/ignore.d.workstation/xdm
@@ -1,2 +1,4 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+[[:space:]]+: \(pam_[[:alnum:]]+\) session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+[[:space:]]+: \(pam_[[:alnum:]]+\) session closed for user [[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ xdm: :0\[[0-9]+\]: pam_[[:alnum:]]+\(xdm:session\): session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ xdm: :0\[[0-9]+\]: pam_[[:alnum:]]+\(xdm:session\): session closed for user [[:alnum:]-]+$
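Review bot: The existing xdm rules match a syslog line with an empty program field (`[._[:alnum:]-]+[[:space:]]+: \(pam_...`), but the added rules expect `xdm: :0\[[0-9]+\]: pam_...`, the same tag shape as the kdm rules; both forms cannot describe how xdm logs, so one of them is probably wrong and the new lines may never match. If xdm still logs with an empty program name under the new PAM format, the added rules should mirror the lines above: `[._[:alnum:]-]+[[:space:]]+: pam_[[:alnum:]]+\(xdm:session\): session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$` and the matching closed line. A comment stating which xdm/PAM versions the new form was observed with would let a maintainer resolve the discrepancy.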
diff --git a/rulefiles/linux/violations.d/sudo b/rulefiles/linux/violations.d/sudo
index 9875f6b..c0af733 100644
--- a/rulefiles/linux/violations.d/sudo
+++ b/rulefiles/linux/violations.d/sudo
@@ -1,2 +1,3 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo\[[0-9]+\]: \(pam_[[:alnum:]]+\) .*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo\[[0-9]+\]: pam_[[:alnum:]]+\(sudo:[[:alnum:]]+\): .*$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: .*$
diff --git a/rulefiles/linux/violations.ignore.d/logcheck-dovecot b/rulefiles/linux/violations.ignore.d/logcheck-dovecot
index 4036c96..d286734 100644
--- a/rulefiles/linux/violations.ignore.d/logcheck-dovecot
+++ b/rulefiles/linux/violations.ignore.d/logcheck-dovecot
@@ -1 +1,2 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot-auth: \(pam_unix\) authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot-auth: pam_unix\(dovecot:[[:alnum:]]+\): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=$
diff --git a/rulefiles/linux/violations.ignore.d/logcheck-passwd b/rulefiles/linux/violations.ignore.d/logcheck-passwd
index c04eaa1..087ea62 100644
--- a/rulefiles/linux/violations.ignore.d/logcheck-passwd
+++ b/rulefiles/linux/violations.ignore.d/logcheck-passwd
@@ -1 +1,2 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ passwd\[[[:digit:]]+\]: \(pam_unix\) authentication failure; logname=[-._[:alnum:]]+ uid=[[:digit:]]+ euid=0 tty= ruser= rhost= [[:space:]]*user=[-._[:alnum:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ passwd\[[[:digit:]]+\]: pam_unix\(passwd:[[:alnum:]]+\): authentication failure; logname=[-._[:alnum:]]+ uid=[[:digit:]]+ euid=0 tty= ruser= rhost= [[:space:]]*user=[-._[:alnum:]]+$
diff --git a/rulefiles/linux/violations.ignore.d/logcheck-proftpd b/rulefiles/linux/violations.ignore.d/logcheck-proftpd
index 98105c3..a5c3492 100644
--- a/rulefiles/linux/violations.ignore.d/logcheck-proftpd
+++ b/rulefiles/linux/violations.ignore.d/logcheck-proftpd
@@ -1,4 +1,5 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd: \(pam_unix\) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=[-_.:[:alnum:]]+  user=[-_.[:alnum:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd: pam_unix\(proftpd:[[:alnum:]]+\): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=[-_.:[:alnum:]]+  user=[-_.[:alnum:]]+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]{1,5}\]: [._[:alnum:]-]+ \([._[:alnum:]-]+\[[.:[:xdigit:]]+\]\) - PAM\([-_.[:alnum:]]+\): Authentication failure\.$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]{1,5}\]: [._[:alnum:]-]+ \([._[:alnum:]-]+\[[.:[:xdigit:]]+\]\) - Connection from [._[:alnum:]-]+ \[[.:[:xdigit:]]+\] denied\.$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]{1,5}\]: [._[:alnum:]-]+ \([._[:alnum:]-]+\[[.:[:xdigit:]]+\]\) - USER [-._[:alnum:]]+ \(Login failed\): Limit access denies login$
diff --git a/rulefiles/linux/violations.ignore.d/logcheck-saslauthd b/rulefiles/linux/violations.ignore.d/logcheck-saslauthd
index 28cc2b4..c8f8e47 100644
--- a/rulefiles/linux/violations.ignore.d/logcheck-saslauthd
+++ b/rulefiles/linux/violations.ignore.d/logcheck-saslauthd
@@ -1,4 +1,5 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: \(pam_unix\) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= [[:space:]]*user=[-._[:alnum:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd: pam_unix\([[:alnum:]]+:[[:alnum:]]+\): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=[-_.:[:alnum:]]+  user=[-_.[:alnum:]]+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: do_auth[[:space:]]*: auth failure: \[user=[._[:alnum:]-]+\] \[service=smtp\] \[realm=[._[:alnum:]-]+\] \[mech=pam\] \[reason=PAM auth error\]$
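Review bot: The added rule does not match the saslauthd line shape that the existing rule on the preceding line describes: it drops the `\[[[:digit:]]+\]` pid tag after `saslauthd`, requires a non-empty `rhost=` followed by two literal spaces, and omits the `[[:space:]]*` before `user=`, all of which look copied from the proftpd rule elsewhere in this patch. As written it will likely never match, so new-format saslauthd authentication failures will be reported rather than ignored as intended. Suggested line, mirroring the old-format rule: `^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: pam_unix\([[:alnum:]]+:[[:alnum:]]+\): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= [[:space:]]*user=[-._[:alnum:]]+$`.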
diff --git a/rulefiles/linux/violations.ignore.d/logcheck-ssh b/rulefiles/linux/violations.ignore.d/logcheck-ssh
index e0d64f1..ce15db1 100644
--- a/rulefiles/linux/violations.ignore.d/logcheck-ssh
+++ b/rulefiles/linux/violations.ignore.d/logcheck-ssh
@@ -9,4 +9,5 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: I(llegal|nvalid) user [^[:space:]]+ from ([:.[:xdigit:]]+|UNKNOWN)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Failed (keyboard-interactive/pam|password|none) for i(llegal|nvalid) user [^[:space:]]+ from ([:.[:xdigit:]]+|UNKNOWN|[-_.[:alnum:]]+) port [[:digit:]]{1,5} ssh2?$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: \(pam_unix\) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[^[:space:]]+([[:space:]]+user=[^[:space:]]+)?$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd: pam_unix\(ssh:[[:alnum:]]+\): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=[-_.:[:alnum:]]+  user=[-_.[:alnum:]]+$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: fatal: recv_rexec_state: ssh_msg_recv failed$
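Review bot: The added rule does not match the sshd line format documented by the existing rule two lines above: it uses `sshd:` without the `\[pid\]` tag, `tty=` empty where the old-format rule has `tty=ssh`, a mandatory `user=` after two literal spaces, and an `rhost` class of `[-_.:[:alnum:]]+` instead of `[^[:space:]]+` — the same shape as the proftpd rule in this patch. As written it will probably never match; the effect is that new-format sshd PAM failures keep being reported, which is the safer direction but presumably not what was intended. Suggested line: `^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_unix\(ssh:[[:alnum:]]+\): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[^[:space:]]+([[:space:]]+user=[^[:space:]]+)?$`. Since this file silences authentication failures from the violations report, a short comment above the pair explaining why the PAM line is considered noise would help the next maintainer judge the rule.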
diff --git a/rulefiles/linux/violations.ignore.d/logcheck-su b/rulefiles/linux/violations.ignore.d/logcheck-su
index 7dbf61d..f5df94a 100644
--- a/rulefiles/linux/violations.ignore.d/logcheck-su
+++ b/rulefiles/linux/violations.ignore.d/logcheck-su
@@ -2,6 +2,8 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \(pam_[[:alnum:]]+\) session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \(pam_[[:alnum:]]+\) session opened for user [[:alnum:]-]+ by [[:alnum:]-]+\(uid=[0-9]+\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \(pam_[[:alnum:]]+\) session closed for user [[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: pam_[[:alnum:]]+\(su:session\): session opened for user [[:alnum:]-]+ by [[:alnum:]-]*\(uid=[0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: pam_[[:alnum:]]+\(su:session\): session closed for user [[:alnum:]-]+$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ \?\?\? root:[_[:alnum:]-]+$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: Successful su for [[:alnum:]-]+ by [[:alnum:]-]+$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: pam_authenticate: Authentication failure$
-- 
1.5.2.5



