authorsebres <serg.brester@sebres.de>2022-11-15 14:23:28 +0100
committersebres <serg.brester@sebres.de>2022-11-15 14:23:28 +0100
commit36af3f2502cf0608fd569bb82cf24aa30324a6ec (patch)
treee733e10ebb5019060a17f3a29f6c10085b612fbe
parenta58fcb87867f1ec83b98da224872041244f69843 (diff)
parentcbb097a2b35260c516ede8620efa4e8317d9ce1c (diff)
downloadfail2ban-36af3f2502cf0608fd569bb82cf24aa30324a6ec.tar.gz
Merge branch 'gh-3405'
-rw-r--r--config/filter.d/selinux-common.conf2
-rw-r--r--config/filter.d/selinux-ssh.conf4
-rw-r--r--fail2ban/tests/files/logs/selinux-ssh3
3 files changed, 7 insertions, 2 deletions
diff --git a/config/filter.d/selinux-common.conf b/config/filter.d/selinux-common.conf
index b3e0ae4f..dc9616d2 100644
--- a/config/filter.d/selinux-common.conf
+++ b/config/filter.d/selinux-common.conf
@@ -14,7 +14,7 @@
[Definition]
-failregex = ^type=%(_type)s msg=audit\(:\d+\): (user )?pid=\d+ uid=%(_uid)s auid=%(_auid)s ses=\d+ subj=%(_subj)s msg='%(_msg)s'$
+failregex = ^type=%(_type)s msg=audit\(:\d+\): (?:user )?pid=\d+ uid=%(_uid)s auid=%(_auid)s ses=\d+ subj=%(_subj)s msg='%(_msg)s'(?:\x1D|$)
ignoreregex =
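Review bot: The new terminator `(?:\x1D|$)` accepts anything that follows the closing quote once a 0x1D byte is present, and nothing in the file says what that byte is or that the trailing text is deliberately left unvalidated; a comment above failregex such as `# \x1D (ASCII GS) separates the record from the UID=/AUID= fields that auditd appends in its enriched log format; those fields are not checked` would make the intent clear. The enriched-format origin is my inference from the `'UID="root" AUID="unset"` tail of the new test sample, so confirm it before writing it down. It is also worth stating that `\x1D` is meant to reach the regex engine as an escape sequence rather than as a raw control byte in the .conf, since fail2ban's config parser does not appear to interpret backslash escapes and a future editor could otherwise "fix" it into a literal byte.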
diff --git a/config/filter.d/selinux-ssh.conf b/config/filter.d/selinux-ssh.conf
index 6955094f..e5793c0a 100644
--- a/config/filter.d/selinux-ssh.conf
+++ b/config/filter.d/selinux-ssh.conf
@@ -15,7 +15,9 @@ _subj = (?:unconfined_u|system_u):system_r:sshd_t:s0-s0:c0\.c1023
_exe =/usr/sbin/sshd
_terminal = ssh
-_msg = op=\S+ acct=(?P<_quote_acct>"?)\S+(?P=_quote_acct) exe="%(_exe)s" hostname=(\?|(\d+\.){3}\d+) addr=<HOST> terminal=%(_terminal)s res=failed
+_anygrp = (?!acct=|exe=|addr=|terminal=|res=)\w+=(?:".*"|\S*)
+
+_msg = (?:%(_anygrp)s )*acct=(?:"<F-USER>[^"]+</F-USER>"|<F-ALT_USER>\S+</F-ALT_USER>) exe="%(_exe)s" (?:%(_anygrp)s )*addr=<ADDR> terminal=%(_terminal)s res=failed
# DEV Notes:
#
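Review bot: The quoted alternative `".*"` in `_anygrp` is unbounded — `.` crosses spaces and later quote characters — so under the enclosing `(?:%(_anygrp)s )*` repetition a record with several `key="value"` fields before `acct=` that ultimately fails to match (for instance one ending in `res=success`) can be explored through an exponential number of quote pairings before the engine gives up, and this filter is presumably run against every audit record, which makes it a ReDoS exposure on attacker-influenced input. Bounding the quoted branch, `_anygrp = (?!acct=|exe=|addr=|terminal=|res=)\w+=(?:"[^"]*"|\S*)`, keeps each value inside its own quotes and removes the ambiguity while the `\S*` branch still covers unquoted and hex-encoded values. Whether audit hex-encodes account names containing quotes or spaces — which is what would justify the `<F-ALT_USER>\S+` branch and limit what a remote user can inject into `acct=` — is an assumption I would want confirmed rather than relied on. A line under `# DEV Notes:` explaining that `hostname=` is no longer matched explicitly but absorbed by the `_anygrp` loop would also help the next maintainer; the DEV Notes block continues past the hunk.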
diff --git a/fail2ban/tests/files/logs/selinux-ssh b/fail2ban/tests/files/logs/selinux-ssh
index f9e1b828..6ba552fe 100644
--- a/fail2ban/tests/files/logs/selinux-ssh
+++ b/fail2ban/tests/files/logs/selinux-ssh
@@ -27,3 +27,6 @@ type=USER_AUTH msg=audit(1383116263.000:603): pid=12887 uid=0 auid=4294967295 se
# failJSON: { "time": "2013-10-30T07:54:08", "match": false , "host": "192.168.3.100" }
type=USER_LOGIN msg=audit(1383116048.000:595): pid=12354 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="dan" exe="/usr/sbin/sshd" hostname=? addr=192.168.3.100 terminal=ssh res=failed'
+
+# failJSON: { "time": "2022-11-14T00:11:11", "match": true , "host": "192.0.2.111" }
+type=USER_AUTH msg=audit(1668381071.000:373474): pid=173582 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=192.0.2.111 addr=192.0.2.111 terminal=ssh res=failed'UID="root" AUID="unset"
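Review bot: The new sample exercises the quoted-account branch (`acct="root"`) but its failJSON only checks the host, so the `<F-USER>` capture introduced in selinux-ssh.conf is not pinned; `# failJSON: { "time": "2022-11-14T00:11:11", "match": true , "host": "192.0.2.111", "user": "root" }` would assert it, assuming the sample runner compares a `user` key the way it compares `host`. The 0x1D separator that the filter's new `(?:\x1D|$)` depends on sits between `res=failed'` and `UID="root"` but is invisible in the rendered line, so if the harness tolerates plain `#` comment lines a note like `# NOTE: a literal 0x1D (GS) byte precedes UID= on the next line; editors may strip it` would guard against it being normalised away and silently turning this case into a false negative. No sample covers a record carrying a quoted `key="value"` field before `acct=`, which is the path the `_anygrp` loop was added for.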