[Logcheck-commits] martin f. krafft: add viol-merge files i forgot to check in

Martin F. Krafft madduck at alioth.debian.org
Sun Aug 31 19:24:23 UTC 2008


Module: logcheck
Branch: master
Commit: 1e1ad029add457ed0aa60a55b6bf5a37e40a0017
URL:    http://git.debian.org/?p=logcheck/logcheck.git;a=commit;h=1e1ad029add457ed0aa60a55b6bf5a37e40a0017

Author: martin f. krafft <madduck at debian.org>
Date:   Sun Aug 31 20:12:05 2008 +0100

add viol-merge files i forgot to check in

---

 rulefiles/linux/ignore.d.paranoid/pureftp |    4 ++++
 rulefiles/linux/ignore.d.paranoid/usb     |    1 +
 rulefiles/linux/ignore.d.server/login     |    1 +
 rulefiles/linux/ignore.d.server/passwd    |    2 ++
 rulefiles/linux/ignore.d.server/pureftp   |    3 +++
 rulefiles/linux/ignore.d.server/sendmail  |    2 ++
 rulefiles/linux/ignore.d.server/su        |    8 ++++++++
 rulefiles/linux/ignore.d.server/sudo      |    4 ++++
 8 files changed, 25 insertions(+), 0 deletions(-)

diff --git a/rulefiles/linux/ignore.d.paranoid/pureftp b/rulefiles/linux/ignore.d.paranoid/pureftp
new file mode 100644
index 0000000..04d9737
--- /dev/null
+++ b/rulefiles/linux/ignore.d.paranoid/pureftp
@@ -0,0 +1,4 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[ERROR\] Can't open .+: No such file or directory$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[ERROR\] Can't remove directory: No such file or directory$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[NOTICE\] .+ (up|down)loaded  \([0-9]+ bytes, [0-9]+.[0-9]+KB/sec\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \(\?@[._[:alnum:]-]+\) \[DEBUG\] This is a private system - No anonymous login$
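Review bot: These four paranoid-tier rules are a superset of the three added to ignore.d.server/pureftp further down in this commit (its three lines repeat the first, second and fourth line here), and as far as I recall logcheck applies the paranoid set at every report level, so the ignore.d.server copies are dead and the NOTICE `(up|down)loaded` line is suppressed even at the paranoid level. If transfer notices are meant to be reported at paranoid and quiet at server, that rule belongs in ignore.d.server and the duplicated lines should be dropped from one of the two files. Separately, the rate field uses an unescaped dot in `[0-9]+.[0-9]+KB/sec`; `[0-9]+\.[0-9]+KB/sec` matches only the literal decimal point.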
diff --git a/rulefiles/linux/ignore.d.paranoid/usb b/rulefiles/linux/ignore.d.paranoid/usb
new file mode 100644
index 0000000..fcd5310
--- /dev/null
+++ b/rulefiles/linux/ignore.d.paranoid/usb
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: usb-uhci: interrupt, status [0-9], frame # [0-9]+
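Review bot: This rule is the only one in the commit without a trailing `$` anchor, so it also matches any text that follows the frame number; `frame # [0-9]+$` keeps it consistent with the other rules. The status field is also restricted to a single digit (`status [0-9]`), which may be intended but is worth confirming against a real sample.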
diff --git a/rulefiles/linux/ignore.d.server/login b/rulefiles/linux/ignore.d.server/login
new file mode 100644
index 0000000..f644c91
--- /dev/null
+++ b/rulefiles/linux/ignore.d.server/login
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ login\[[0-9]+\]: ROOT LOGIN  on 'tty[0-9]'$
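Review bot: This server-tier rule silences every successful root login on a local console, which is exactly the kind of event a log monitor is normally expected to report; if the intent is only to quiet a known console, the rule should be narrowed or moved to ignore.d.workstation. The pattern also accepts only a single-digit tty (`'tty[0-9]'`), so `tty10` and above still reach the report, which looks inconsistent rather than deliberate. The double space in `ROOT LOGIN  on` appears to mirror the login(1) message and is probably intentional.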
diff --git a/rulefiles/linux/ignore.d.server/passwd b/rulefiles/linux/ignore.d.server/passwd
new file mode 100644
index 0000000..087ea62
--- /dev/null
+++ b/rulefiles/linux/ignore.d.server/passwd
@@ -0,0 +1,2 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ passwd\[[[:digit:]]+\]: \(pam_unix\) authentication failure; logname=[-._[:alnum:]]+ uid=[[:digit:]]+ euid=0 tty= ruser= rhost= [[:space:]]*user=[-._[:alnum:]]+$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ passwd\[[[:digit:]]+\]: pam_unix\(passwd:[[:alnum:]]+\): authentication failure; logname=[-._[:alnum:]]+ uid=[[:digit:]]+ euid=0 tty= ruser= rhost= [[:space:]]*user=[-._[:alnum:]]+$
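Review bot: Both rules drop every `authentication failure` logged by passwd, in both the old `(pam_unix)` and the newer `pam_unix(passwd:...)` formats, so repeated wrong-password attempts at the passwd prompt are never reported at server level; leaving those visible on servers, or ignoring them only at workstation level, would be the safer default. If the rules are kept, note that `logname=[-._[:alnum:]]+` requires a non-empty logname, so entries logged as `logname= uid=` will not be matched.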
diff --git a/rulefiles/linux/ignore.d.server/pureftp b/rulefiles/linux/ignore.d.server/pureftp
new file mode 100644
index 0000000..9428873
--- /dev/null
+++ b/rulefiles/linux/ignore.d.server/pureftp
@@ -0,0 +1,3 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[ERROR\] Can't open .+: No such file or directory$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[ERROR\] Can't remove directory: No such file or directory$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \(\?@[._[:alnum:]-]+\) \[DEBUG\] This is a private system - No anonymous login$
diff --git a/rulefiles/linux/ignore.d.server/sendmail b/rulefiles/linux/ignore.d.server/sendmail
new file mode 100644
index 0000000..59b14f7
--- /dev/null
+++ b/rulefiles/linux/ignore.d.server/sendmail
@@ -0,0 +1,2 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+: ruleset=check_mail, arg1=<.*>, relay=([._[:alnum:]@-]+ )?\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]( \(may be forged\))?, reject=[0-9]+ [0-9]\.[0-9]\.[0-9] <.*>\.\.\. +[0-9]+Blocked by [._[:alnum:]:/-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: ruleset=check_relay, arg1=[._[:alnum:]-]+, arg2=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}, relay=[._[:alnum:]-]+ \[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\], reject=[0-9]+ [0-9]\.[0-9]\.[0-9] [0-9]+Blocked by [._[:alnum:]:/-]+$
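Review bot: In both rules the reject text is matched as `[0-9]+Blocked by` with no separator between the digits and the word, and the first rule additionally expects a numeric field after `\.\.\. +`; this looks like a lost space or copy error, and if so neither rule will ever match a real sendmail reject line, though I cannot check that against a captured log sample from here. A rule that never matches is harmless but misleading, so these should be verified against an actual reject entry before being relied on.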
diff --git a/rulefiles/linux/ignore.d.server/su b/rulefiles/linux/ignore.d.server/su
new file mode 100644
index 0000000..1c9be43
--- /dev/null
+++ b/rulefiles/linux/ignore.d.server/su
@@ -0,0 +1,8 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: (\+|-) (pts/[0-9]{1,2}|tty[0-9]) [_[:alnum:]-]+:[_[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: Successful su for [[:alnum:]-]+ by [[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \(pam_[[:alnum:]]+\) session closed for user [[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \(pam_[[:alnum:]]+\) session opened for user [[:alnum:]-]+ by ([[:alnum:]-]+)?\(uid=[0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ \?\?\? root:[_[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: pam_[[:alnum:]]+\(su:session\): session closed for user [[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: pam_[[:alnum:]]+\(su:session\): session opened for user [[:alnum:]-]+ by ([[:alnum:]-]+)?\(uid=[0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: pam_authenticate: Authentication failure$
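Review bot: The last rule (`pam_authenticate: Authentication failure`) suppresses every failed su attempt at server level, which removes the main signal for password guessing against root or other accounts; it should be dropped from ignore.d.server or at most moved to ignore.d.workstation. The `Successful su for ... by ...` and `\+ \?\?\? root:` lines likewise hide privilege changes, though those are more commonly accepted on servers where cron-driven su is routine. The session open/close lines are the usual noise and look fine; note that their `[[:alnum:]-]+` user-name class excludes `_` and `.`, unlike the first rule's `[_[:alnum:]-]+`, so such user names will still be reported by those rules.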
diff --git a/rulefiles/linux/ignore.d.server/sudo b/rulefiles/linux/ignore.d.server/sudo
new file mode 100644
index 0000000..61889cb
--- /dev/null
+++ b/rulefiles/linux/ignore.d.server/sudo
@@ -0,0 +1,4 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\): session closed for user [[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\): session opened for user [[:alnum:]-]+ by ([[:alnum:]-]+)?\(uid=[0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+ ; COMMAND=(/(usr|etc|bin|sbin)/|sudoedit ).*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : \(command continued\).*$
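Review bot: The third rule ignores every sudo command invocation whose COMMAND begins with /usr, /etc, /bin, /sbin or sudoedit, for any USER including root, at server level, which effectively hides the whole sudo audit trail; keeping those entries reported on servers, or restricting the USER and COMMAND fields to specific expected values, is the usual practice. The trailing `.*` also means any arguments following the command are disregarded, so the rule cannot distinguish a harmless invocation from an unexpected one. The `(command continued)` rule inherits the same concern, since it hides continuation lines of the same entries.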



