parent
387bbd2afb
commit
056b8a48fb
@ -0,0 +1,19 @@
--- a/scripts/services/audit 2022/01/22 17:22:03
+++ b/scripts/services/audit 2022/01/22 17:35:34
@@ -134,10 +134,13 @@
( $ThisLine =~ /type=[0-9]+ audit\([0-9.]*:[0-9]*\): table=/) or
( $ThisLine =~ /audit_printk_skb: [0-9]* callbacks suppressed/) or
( $ThisLine =~ /item=[0-9] name="\S*" inode=[0-9]+ dev=\S* mode=[0-9]* ouid=[0-9]* ogid=[0-9]* rdev=[0-9:]* obj=\S*/) or
- ( $ThisLine =~ /^auditctl(?:\[[0-9]+\])?: No rules$/ )
+ ( $ThisLine =~ /^auditctl(?:\[[0-9]+\])?: No rules$/ ) or
+ ( $ThisLine =~ /No plugins found, not dispatching events/ )
) {
# Ignore these entries
- } elsif ( $ThisLine =~ /audit\([0-9]{10}.[0-9]{3}:[0-9]\): initialized$/) {
+ } elsif (( $ThisLine =~ /audit\([0-9]{10}.[0-9]{3}:[0-9]\): initialized$/ ) or
+ ( $ThisLine =~ /audit\([0-9]{10}.[0-9]{3}:[0-9]\): state=initialized / )
+ ) {
$NumberOfInits++;
} elsif ( $ThisLine =~ /Init complete, audit pid set to: [0-9]+/) {
$NumberOfDStartsPid++;
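Review bot: The new `state=initialized` pattern copies two weaknesses from the `initialized$` pattern beside it: the unescaped `.` between seconds and milliseconds, and a serial of exactly one digit (`[0-9]`), so if a `state=initialized` record arrives with a two-digit serial it falls through to the unmatched output instead of being counted in `$NumberOfInits`. Suggest `/audit\([0-9]{10}\.[0-9]{3}:[0-9]+\): state=initialized /` (and the same tightening for its sibling if you want the two kept in step). Separately, the new ignore for `No plugins found, not dispatching events` drops what appears to be auditd's notice that no audisp plugin is active; on hosts expected to forward audit events through a plugin, a site may prefer to see that reported rather than suppressed, so a short comment stating why it is considered noise would help. The enclosing `if`/`elsif` chain starts before this hunk.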
@ -0,0 +1,11 @@
--- a/conf/services/secure.conf 2016-03-30 23:32:33.000000000 +0200
+++ b/conf/services/secure.conf 2023-06-27 19:42:42.296713366 +0200
@@ -24,7 +24,7 @@
# Use this to ignore certain services in the secure log.
# You can ignore as many services as you would like.
# (we ignore sshd because its entries are processed by the sshd script)
-$ignore_services = sshd Pluto stunnel proftpd saslauthd imapd postfix/smtpd
+$ignore_services = sshd Pluto stunnel proftpd saslauthd imapd postfix/smtpd sudo
# For these services, summarize only (i.e. don't least each IP, just
# list the number of connections total)
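Review bot: The comment block above `$ignore_services` explains why sshd is excluded but says nothing about the newly added `sudo`, so the next reader cannot tell whether sudo lines are meant to be dropped or are handled by another service script. Suggest extending it, e.g. `# (we ignore sshd and sudo because their entries are processed by the sshd and sudo scripts)`, if that is the intent. If the sudo service script is not enabled in a given deployment, the privilege-escalation lines that previously surfaced under secure would no longer be reported anywhere, which is worth stating next to this setting.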
@ -0,0 +1,13 @@
--- a/scripts/services/fail2ban
+++ b/scripts/services/fail2ban
@@ -91,7 +91,8 @@
($ThisLine =~ /INFO\s+(Stopping all jails|Exiting Fail2ban)/) or
($ThisLine =~ /INFO\s+Initiated '.*' backend/) or
($ThisLine =~ /INFO\s+(Added logfile = .*|Set maxRetry = \d+|Set findtime = \d+|Set banTime = \d+)/) or
- ($ThisLine =~ /Unable to find a corresponding IP address for .*: \[Errno -2\] Name or service not known/)
+ ($ThisLine =~ /Unable to find a corresponding IP address for .*: \[Errno -2\] Name or service not known/) or
+ ($ThisLine =~ /: Server ready$/)
)
{
if ( $Debug >= 6 ) {
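Review bot: The added `/: Server ready$/` is the only pattern in this ignore group not qualified by a log level, so it drops the line however it was logged, whereas its siblings match `INFO\s+`. If the "Server ready" line carries a level like the others, `/INFO\s+.*Server ready$/` would keep the group consistent; if it does not, a one-line comment with an example of the line (as the systemd patch in this commit does with `# Ex:`) would explain the colon form. The enclosing `if` condition starts before this hunk.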
@ -0,0 +1,20 @@
--- a/scripts/services/sshd 2022/01/20 15:28:35 1.1
+++ b/scripts/services/sshd 2022/01/20 15:32:01
@@ -1,3 +1,5 @@
+#!/usr/bin/env perl
+
##########################################################################
# $Id$
##########################################################################
@@ -376,6 +378,11 @@
print STDERR "DEBUG: Found -Failed login- line\n";
}
$BadLogins{$Host}{"$User/$Method"}++;
+ } elsif ( my ($User,$Host) = ( $ThisLine =~ m/^Disconnected from authenticating user (\S+) (\S+) / ) ) {
+ if ( $Debug >= 5 ) {
+ print STDERR "DEBUG: Found -Disconnected Failed login- line\n";
+ }
+ $BadLogins{$Host}{$User}++;
} elsif ($ThisLine =~ s/^(log: )?Could not reverse map address ([^ ]*).*$/$2/) {
$NoRevMap{$ThisLine}++;
} elsif ( my ($Address) = ($ThisLine =~ /^reverse mapping checking getaddrinfo for (\S+( \[\S+\])?) failed - POSSIBLE BREAK-IN ATTEMPT!/)) {
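Review bot: The new `Disconnected from authenticating user` branch records into `%BadLogins` under the key `$User`, while the `Failed login` branch just above records under `"$User/$Method"`, so one source can show up twice in the report under two key shapes. Since sshd normally emits the disconnect line after a failed attempt it has already logged (presumably; confirm against a sample log), the same failure may also be counted twice in `$totcount`. If the aim is to catch attempts that never produce a `Failed` line, consider keying it consistently, e.g. `$BadLogins{$Host}{"$User/preauth-disconnect"}++`, and explain in a comment how double counting is avoided. The enclosing `elsif` chain continues outside this hunk.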
@ -0,0 +1,20 @@
===================================================================
RCS file: /usr/share/logwatch/scripts/services/RCS/pam_unix,v
retrieving revision 1.1
diff -u -r1.1 /usr/share/logwatch/scripts/services/pam_unix
--- a/scripts/services/pam_unix 2022/01/20 14:21:24 1.1
+++ b/scripts/services/pam_unix 2022/01/20 14:22:35
@@ -340,6 +340,12 @@
} else {
$data{$service}{'Unknown Entries'}{$line}++;
}
+ } elsif ($service eq 'systemd-user') {
+ if ($line =~ /session (?:opened|closed) for user /) {
+ # ignore this line
+ } else {
+ $data{$service}{'Unknown Entries'}{$line}++;
+ }
} else {
$data{$service}{'Unknown Entries'}{$line}++;
}
@ -0,0 +1,13 @@
--- a/scripts/services/secure
+++ b/scripts/services/secure
@@ -273,6 +273,9 @@
( $ThisLine =~ /polkit-grant-helper-pam\[\d+\]: pam_thinkfinger\(polkit:auth\): conversation failed/) or
( $ThisLine =~ /polkitd\(authority=.*\): (Unr|R)egistered Authentication Agent/) or
( $ThisLine =~ /polkitd\(authority=.*\): Operator of unix-session:/) or
+ ( $ThisLine =~ /polkitd.*Acquired the name .* on the system bus/) or
+ ( $ThisLine =~ /polkitd.*Finished loading, compiling/) or
+ ( $ThisLine =~ /polkitd.*Loading rules from directory /) or
( $ThisLine =~ /(gdm-session-worker|gdm-password|gnome-screensaver-dialog)\[\d+\]: gkr-pam: no password is available for user/) or
( $ThisLine =~ /gkr-pam: the password for the login keyring was invalid/) or
( $ThisLine =~ /groupadd\[\d+\]: group added to /) or # Details in other messages
@ -0,0 +1,11 @@
--- a/scripts/services/kernel
+++ b/scripts/services/kernel
@@ -135,6 +135,7 @@
$SkipError = 1 if $ThisLine =~ /ERST: Error Record Serialization Table \(ERST\) support is initialized/;
$SkipError = 1 if $ThisLine =~ /GHES: Generic hardware error source: \d+ notified via .* is not supported/;
$SkipError = 1 if $ThisLine =~ /PCIe errors handled by (?:BIOS|OS)/;
+ $SkipError = 1 if $ThisLine =~ /RAS: Correctable Errors collector initialized\.$/;
# These happen when kerberos tickets expire, which can be normal
$SkipError = 1 if $ThisLine =~ /Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server/ && $Ignore_rpcsec_expired;
# filter out mount options
@ -0,0 +1,12 @@
--- a/scripts/services/sendmail
+++ b/scripts/services/sendmail
@@ -388,7 +388,7 @@
}
# QueueID formats: in 8.11 it was \w{7}\d{5}, in 8.12+ it is \w{8}\d{6}
-my $QueueIDFormat = "(?:\\w{7,9}\\d{5}|NOQUEUE)";
+my $QueueIDFormat = "(?:\\w{7,9}\\d{5,6}|NOQUEUE)";
# ENOENT refers to "no such file or directory"
my $ENOENT = Errno::ENOENT();
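Review bot: The comment above `$QueueIDFormat` still describes only the `\w{7}\d{5}` and `\w{8}\d{6}` layouts, so the widened `\w{7,9}\d{5,6}` now reads like a typo rather than a deliberate choice. Suggest rewording it to cover what the ranges are for, e.g. `# QueueID formats: 8.11 used \w{7}\d{5}, 8.12+ uses \w{8}\d{6}; the ranges below accept both widths`, and note that because `\w` also matches digits the split between the two parts is not fixed, which is harmless for matching but worth knowing when this string is interpolated into other patterns.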
@ -0,0 +1,23 @@
--- a/scripts/services/sshd
+++ b/scripts/services/sshd
@@ -566,7 +566,8 @@
if (keys %BadLogins) {
print "\nFailed logins from:\n";
- foreach my $ip (sort SortIP keys %BadLogins) {
+ my $totalSort = TotalCountOrder(%BadLogins, \&SortIP);
+ foreach my $ip (sort $totalSort keys %BadLogins) {
my $name = LookupIP($ip);
my $totcount = 0;
foreach my $user (keys %{$BadLogins{$ip}}) {
@@ -587,7 +588,8 @@
if (keys %IllegalUsers) {
print "\nIllegal users from:\n";
- foreach my $ip (sort SortIP keys %IllegalUsers) {
+ my $totalSort = TotalCountOrder(%IllegalUsers, \&SortIP);
+ foreach my $ip (sort $totalSort keys %IllegalUsers) {
my $name = LookupIP($ip);
my $totcount = 0;
foreach my $user (keys %{$IllegalUsers{$ip}}) {
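Review bot: `TotalCountOrder(%BadLogins, \&SortIP)` passes the hash flattened into the argument list with the code ref as a trailing element, which the callee can only recover by popping the last argument and rebuilding a hash from the rest; unless `TotalCountOrder` (defined outside this diff) is documented to take exactly that form, `TotalCountOrder(\%BadLogins, \&SortIP)` would be the unambiguous call and also avoids copying the whole hash for each report. The same shape is used for `%IllegalUsers` in the second hunk. `sort $totalSort keys %BadLogins` is fine provided `$totalSort` holds a code ref, so a short comment on the return type of `TotalCountOrder` at the first call would help the next reader.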
@ -0,0 +1,31 @@
--- a/scripts/services/systemd 2022/01/20 16:00:56 1.1
+++ b/scripts/services/systemd 2022/01/20 16:14:16
@@ -42,7 +42,7 @@
$ThisLine =~ / failed\.$/ or
$ThisLine =~ /: (control|main) process exited, code=(exited|killed),? status=/ or
# Informational
- $ThisLine =~ /^Closed .* socket\.$/ or
+ $ThisLine =~ /^Closed .* [Ss]ocket\.$/ or
$ThisLine =~ /^Closed udev / or
$ThisLine =~ /^Detected (architecture|virtualization) / or
$ThisLine =~ /^Found device / or
@@ -76,11 +76,17 @@
$ThisLine =~ /^Configuration file \/usr\/lib\/systemd\/system\/wpa_supplicant\.service is marked executable/ or
# https://bugzilla.redhat.com/show_bug.cgi?id=1306452
$ThisLine =~ /^tmp\.mount: Directory \/tmp to mount over is not empty, mounting anyway\.$/ or
- $ThisLine =~ /^Received SIGRTMIN\+2[01] from PID \d+ \(plymouthd\)\.$/ or
+ $ThisLine =~ /^Received SIGRTMIN\+2[01] from PID \d+ \((?:plymouthd|n\/a)\)\.$/ or
# https://bugzilla.redhat.com/show_bug.cgi?id=1072368
$ThisLine =~ /^Received SIGRTMIN\+24 from PID \d+ \(kill\)\.$/ or
$ThisLine =~ /^Removed slice / or
- $ThisLine =~ /^pam_unix\(systemd-user:session\): session (?:opened|closed) for user/
+ $ThisLine =~ /^pam_unix\(systemd-user:session\): session (?:opened|closed) for user/ or
+ # Ex: user-runtime-dir@1001.service: Succeeded.
+ $ThisLine =~ /: Succeeded\.$/ or
+ # Ex: Reloading Fail2Ban Service.
+ $ThisLine =~ /^Reloading .*\.$/ or
+ # Ex: Set up automount Arbitrary Executable File Formats File System Automount Point.
+ $ThisLine =~ /^Set up .*\.$/
) {
# Ignore these
} elsif (my ($service) = ($ThisLine =~ /^Unit (.*) entered failed state\.$/)) {