diff --git a/config/filter.d/selinux-common.conf b/config/filter.d/selinux-common.conf
index b3e0ae4f..dc9616d2 100644
--- a/config/filter.d/selinux-common.conf
+++ b/config/filter.d/selinux-common.conf
@@ -14,7 +14,7 @@
 [Definition]
-failregex = ^type=%(_type)s msg=audit\(:\d+\): (user )?pid=\d+ uid=%(_uid)s auid=%(_auid)s ses=\d+ subj=%(_subj)s msg='%(_msg)s'$
+failregex = ^type=%(_type)s msg=audit\(:\d+\): (?:user )?pid=\d+ uid=%(_uid)s auid=%(_auid)s ses=\d+ subj=%(_subj)s msg='%(_msg)s'(?:\x1D|$)
 ignoreregex =
diff --git a/config/filter.d/selinux-ssh.conf b/config/filter.d/selinux-ssh.conf
index 6955094f..e5793c0a 100644
--- a/config/filter.d/selinux-ssh.conf
+++ b/config/filter.d/selinux-ssh.conf
@@ -15,7 +15,9 @@
 _subj = (?:unconfined_u|system_u):system_r:sshd_t:s0-s0:c0\.c1023
 _exe =/usr/sbin/sshd
 _terminal = ssh
-_msg = op=\S+ acct=(?P<_quote_acct>"?)\S+(?P=_quote_acct) exe="%(_exe)s" hostname=(\?|(\d+\.){3}\d+) addr= terminal=%(_terminal)s res=failed
+_anygrp = (?!acct=|exe=|addr=|terminal=|res=)\w+=(?:".*"|\S*)
+
+_msg = (?:%(_anygrp)s )*acct=(?:"[^"]+"|\S+) exe="%(_exe)s" (?:%(_anygrp)s )*addr= terminal=%(_terminal)s res=failed
 # DEV Notes:
 #
diff --git a/fail2ban/tests/files/logs/selinux-ssh b/fail2ban/tests/files/logs/selinux-ssh
index f9e1b828..6ba552fe 100644
--- a/fail2ban/tests/files/logs/selinux-ssh
+++ b/fail2ban/tests/files/logs/selinux-ssh
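Review bot: The `\x1D` in the new `(?:\x1D|$)` tail of `failregex` is unexplained in the file; it is the group-separator byte that auditd's ENRICHED log format writes between the closing `'` and the appended `UID=`/`AUID=` fields, and nobody reading the regex later will guess that. Add a full-line comment above `failregex`, e.g. `# ENRICHED audit log_format appends a \x1D (GS) byte and UID=/AUID= fields after the closing quote`. It is also worth stating in that comment that nothing after the `\x1D` is checked any more, since the old `$` anchor no longer constrains the end of the record. The `[Definition]` section continues outside the hunk.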
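Review bot: The quoted alternative `".*"` in the new `_anygrp` is greedy across field boundaries: on a line with several quoted fields it first swallows everything up to the last `"` and only backtracks to the right split when `acct=` fails to follow, and because the helper is repeated by `(?:%(_anygrp)s )*` in both places in `_msg`, the number of segmentations tried on a non-matching line grows with the number of quoted fields. The `acct=(?:"[^"]+"|\S+)` on the same line already uses the bounded form, so make the helper consistent and backtracking-free: `_anygrp = (?!acct=|exe=|addr=|terminal=|res=)\w+=(?:"[^"]*"|\S*)`. Audit hex-encodes field values that contain quotes or spaces, so the bounded form should lose no matches, but confirm against the ENRICHED sample in the test log. A one-line comment above the helper, e.g. `# any other key=value field of the audit message (grantors=, hostname=, ...)`, would also explain why the lookahead excludes exactly those five keys. The `addr=` value is empty in both the old and new `_msg` as rendered here, presumably a HOST tag stripped by the page; if it is really empty in the file the filter extracts no address.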
@@ -27,3 +27,6 @@ type=USER_AUTH msg=audit(1383116263.000:603): pid=12887 uid=0 auid=4294967295 se
 # failJSON: { "time": "2013-10-30T07:54:08", "match": false , "host": "192.168.3.100" }
 type=USER_LOGIN msg=audit(1383116048.000:595): pid=12354 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="dan" exe="/usr/sbin/sshd" hostname=? addr=192.168.3.100 terminal=ssh res=failed'
+
+# failJSON: { "time": "2022-11-14T00:11:11", "match": true , "host": "192.0.2.111" }
+type=USER_AUTH msg=audit(1668381071.000:373474): pid=173582 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=192.0.2.111 addr=192.0.2.111 terminal=ssh res=failed'UID="root" AUID="unset"
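Review bot: The new sample ends in `res=failed'UID="root" AUID="unset"` with no visible separator between the closing quote and `UID=`, yet the updated common failregex only accepts `\x1D` or end-of-line there, so the fixture must contain a literal 0x1D control byte that this rendering does not show. That byte is easily lost to an editor or copy-paste normalisation, after which the `"match": true` expectation fails in a way that looks like a regex regression rather than a fixture problem. If the fixture format tolerates plain comment lines, add one above the entry, e.g. `# ENRICHED audit format: an invisible \x1D (GS) byte precedes UID= in the line below`; otherwise record the same fact in the failJSON line if it supports a `desc` field.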