author | sebres <serg.brester@sebres.de> | 2022-11-15 14:23:28 +0100 |
committer | sebres <serg.brester@sebres.de> | 2022-11-15 14:23:28 +0100 |
commit | 36af3f2502cf0608fd569bb82cf24aa30324a6ec (patch) | |
tree | e733e10ebb5019060a17f3a29f6c10085b612fbe | |
parent | a58fcb87867f1ec83b98da224872041244f69843 (diff) | |
parent | cbb097a2b35260c516ede8620efa4e8317d9ce1c (diff) | |
download | fail2ban-36af3f2502cf0608fd569bb82cf24aa30324a6ec.tar.gz |
Merge branch 'gh-3405'
-rw-r--r-- | config/filter.d/selinux-common.conf | 2 | ||||
-rw-r--r-- | config/filter.d/selinux-ssh.conf | 4 | ||||
-rw-r--r-- | fail2ban/tests/files/logs/selinux-ssh | 3 |
3 files changed, 7 insertions, 2 deletions
diff --git a/config/filter.d/selinux-common.conf b/config/filter.d/selinux-common.conf
index b3e0ae4f..dc9616d2 100644
--- a/config/filter.d/selinux-common.conf
+++ b/config/filter.d/selinux-common.conf
@@ -14,7 +14,7 @@ [Definition]
-failregex = ^type=%(_type)s msg=audit\(:\d+\): (user )?pid=\d+ uid=%(_uid)s auid=%(_auid)s ses=\d+ subj=%(_subj)s msg='%(_msg)s'$
+failregex = ^type=%(_type)s msg=audit\(:\d+\): (?:user )?pid=\d+ uid=%(_uid)s auid=%(_auid)s ses=\d+ subj=%(_subj)s msg='%(_msg)s'(?:\x1D|$)
ignoreregex =
diff --git a/config/filter.d/selinux-ssh.conf b/config/filter.d/selinux-ssh.conf
index 6955094f..e5793c0a 100644
--- a/config/filter.d/selinux-ssh.conf
+++ b/config/filter.d/selinux-ssh.conf
@@ -15,7 +15,9 @@ _subj = (?:unconfined_u|system_u):system_r:sshd_t:s0-s0:c0\.c1023
_exe =/usr/sbin/sshd
_terminal = ssh
-_msg = op=\S+ acct=(?P<_quote_acct>"?)\S+(?P=_quote_acct) exe="%(_exe)s" hostname=(\?|(\d+\.){3}\d+) addr=<HOST> terminal=%(_terminal)s res=failed
+_anygrp = (?!acct=|exe=|addr=|terminal=|res=)\w+=(?:".*"|\S*)
+
+_msg = (?:%(_anygrp)s )*acct=(?:"<F-USER>[^"]+</F-USER>"|<F-ALT_USER>\S+</F-ALT_USER>) exe="%(_exe)s" (?:%(_anygrp)s )*addr=<ADDR> terminal=%(_terminal)s res=failed
# DEV Notes:
#
diff --git a/fail2ban/tests/files/logs/selinux-ssh b/fail2ban/tests/files/logs/selinux-ssh
index f9e1b828..6ba552fe 100644
--- a/fail2ban/tests/files/logs/selinux-ssh
+++ b/fail2ban/tests/files/logs/selinux-ssh
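Review bot: The new `(?:\x1D|$)` tail on `failregex` in selinux-common.conf is left unexplained in the filter, and a maintainer seeing a raw `\x1D` in a regex will not know why it is an acceptable line end. It is there because auditd's enriched log format appends the interpreted fields (`UID="…" AUID="…"`) after an ASCII group separator (0x1D), as the new fixture line in fail2ban/tests/files/logs/selinux-ssh shows; I'd record that next to the regex or in the file's DEV Notes: `# msg='...' may be followed by 0x1D (ASCII group separator) and interpreted fields (UID=, AUID=, ...) when auditd writes its enriched log format`. The surrounding [Definition] section continues outside the hunk.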
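Review bot: In selinux-ssh.conf the quoted alternative of `_anygrp`, `".*"`, is greedy across both quotes and spaces, so a single `(?:%(_anygrp)s )*` iteration can swallow several `key="value"` groups, including the `acct=` field the lookahead only blocks at group start, and the engine has to backtrack to find `acct=`; the unquoted alternative `\S*` also matches any space-free quoted value, so the two alternatives overlap inside a repeated group. On a line that fails only at the end (a `res=success` record with many groups) that overlap multiplies the attempts, and parts of these lines (`acct`, `hostname`) are influenced by the remote peer while fail2ban runs the regex on every audit line. I'd make the alternatives disjoint and bounded to one group: `_anygrp = (?!acct=|exe=|addr=|terminal=|res=)\w+=(?:"[^"]*"|[^"\s]*)`, which keeps both uses of `%(_anygrp)s` in `_msg` unchanged. The `_msg` line is also the only place `<ADDR>` replaces the former `<HOST>`, so a comment noting that `hostname=` is now consumed by `_anygrp` rather than matched explicitly would help the next reader.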
@@ -27,3 +27,6 @@ type=USER_AUTH msg=audit(1383116263.000:603): pid=12887 uid=0 auid=4294967295 se
# failJSON: { "time": "2013-10-30T07:54:08", "match": false , "host": "192.168.3.100" }
type=USER_LOGIN msg=audit(1383116048.000:595): pid=12354 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="dan" exe="/usr/sbin/sshd" hostname=? addr=192.168.3.100 terminal=ssh res=failed'
+
+# failJSON: { "time": "2022-11-14T00:11:11", "match": true , "host": "192.0.2.111" }
+type=USER_AUTH msg=audit(1668381071.000:373474): pid=173582 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=192.0.2.111 addr=192.0.2.111 terminal=ssh res=failed'UID="root" AUID="unset" |
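Review bot: The added fixture line asserts only the host, although this commit is what introduces the `<F-USER>` capture for a quoted `acct`; pinning it in the failJSON, `# failJSON: { "time": "2022-11-14T00:11:11", "match": true , "host": "192.0.2.111", "user": "root" }`, would make a regression in the new capture visible. Whether the 0x1D byte between `res=failed'` and `UID="root"` actually survived in the fixture cannot be confirmed from the rendered page; since the `match: true` expectation depends on it, the sample would fail rather than silently pass if it had been stripped, so a short comment in the fixture saying the line intentionally carries the separator and enriched tail would help future editors keep it intact.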