
Add logcheck rules for postfix, rsyslog, opendkim and ssh

Emmanuel Bouthenot 6 years ago
parent
commit
c33613110f

+ 1 - 0
roles/common/files/logcheck/opendkim_local

@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ opendkim\[[0-9]+\]: [A-Z0-9]+: no signing table match for .+$
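Review bot: The new rule silences every `no signing table match for` line from opendkim, and that line is what reveals outbound mail leaving with a sender domain that has no SigningTable entry — a misconfiguration or an unexpected sender on a submission host, not just noise. If the intent is only to drop the expected cases (inbound or relayed mail for domains the host does not sign), narrowing the trailing `.+` to those sender patterns keeps the unexpected ones reportable. The file also uses the `[ :0-9]{11}` timestamp form while postfix_local and sshd_local use `[ :[:digit:]]{11}`; either works, but one form across the role would be easier to maintain.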

+ 1 - 0
roles/common/files/logcheck/postfix_local

@@ -2,3 +2,4 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd?\[[[:digit:]]+\]: (Anonymous|(Unt|T)rusted) TLS connection established (to|from) [-\.[:alnum:]]+\[[:\.[:xdigit:]]+\]:([[:digit:]]+:)? TLSv[\.[:digit:]]+ with cipher [-[:alnum:]]+ \([[:digit:]]+/[[:digit:]]+ bits\)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: SSL_accept error from [-\.[:alnum:]]+\[[:\.[:xdigit:]]+\]:([[:digit:]]+:)? (lost connection|Connection timed out|Connection reset by peer|Broken pipe)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: improper command pipelining after (AUTH|QUIT|HELO) from [-\.[:alnum:]]+\[[:\.[:xdigit:]]+\]: QUIT\\r\\n$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: disconnect from [-\.[:alnum:]]+\[[:\.[:xdigit:]]+\] ehlo=[0-9]+( auth=[0-9]+/[0-9]+)?( rset=[0-9])? quit=[0-9]+ commands=[0-9]+(/[0-9]+)?$
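Review bot: `( auth=[0-9]+/[0-9]+)?` on the added disconnect rule matches sessions in which SASL authentication failed — Postfix reports the counter as successful/attempted (e.g. `auth=0/3`) and as a plain `auth=N` only when every attempt succeeded — so the summary line for a failed-login session on the submission port is exactly what this ignores. Restricting the optional group to `( auth=[0-9]+)?` keeps sessions with failed attempts in the report; if the slash form is meant to be dropped on purpose, that deserves a word in the commit message. Separately, `rset=[0-9]` lacks the `+` every other counter has, so a session with ten or more RSETs would still reach the report for no reason.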

+ 1 - 2
roles/common/files/logcheck/rsyslog_local

@@ -1,5 +1,4 @@
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] rsyslogd was HUPed$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] restart$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (liblogging-stdlog|rsyslogd):\s+\[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] (rsyslogd was HUPed|restart)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd\-?[[:digit:]]+: action 'action [[:digit:]]+' resumed \(module 'builtin:ompipe'\) \[try http://www.rsyslog.com/e/[[:digit:]]+ \]$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd\-?[[:digit:]]+: action 'action [[:digit:]]+' suspended, next retry is .+ \[try http://www.rsyslog.com/e/[[:digit:]]+ \]$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: /dev/xconsole$
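Review bot: The merged rule uses `\s+` where the rest of rsyslog_local and the sibling files spell whitespace and digits with POSIX bracket classes such as `[[:digit:]]`; `[[:space:]]+` matches the same thing under GNU grep -E and keeps the file in one idiom. The new `(liblogging-stdlog|rsyslogd):` alternative also accepts a `liblogging-stdlog:` tag that the two removed rules never matched, which looks intended for newer rsyslog releases but is worth stating in the commit message.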

+ 2 - 0
roles/common/files/logcheck/sshd_local

@@ -11,3 +11,5 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd: .+: ssh key successfully retrieved for uid '\w+'$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Postponed publickey for .+ from [-:\.[:alnum:]]+ port [[:digit:]]+ ssh2 \[preauth\]$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [-:\.[:alnum:]]+: [[:digit:]]+: (Closed due to user request\.) \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: Received disconnect from [-:\.[:alnum:]]+: [0-9]+: No more user authentication methods available\. \[preauth\]$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Connection closed by [-:\.[:alnum:]]+ port [0-9]+ \[preauth\]$
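Review bot: The two added rules drop the `[preauth]` disconnect lines sshd emits when a client exhausts its authentication methods or closes the connection before authenticating, and on an internet-facing host those are the per-connection trace of credential guessing; once ignored, a burst of them no longer shows up in the logcheck report, leaving only the separate `Failed password`/`Invalid user` lines as the signal, assuming those are not ignored elsewhere in this file. If the noise comes from a known scanner source or an internal monitoring probe, scoping `[-:\.[:alnum:]]+` on each line to those hosts is safer than a catch-all. If the volume is meant to be handled by another tool (fail2ban, a SIEM), recording that dependency in the commit message would explain why these lines are safe to suppress here.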

+ 1 - 0
roles/common/tasks/security.yml

@@ -64,6 +64,7 @@
     - 'noip2'
     - 'ntp'
     - 'openvpn'
+    - 'opendkim'
     - 'php'
     - 'postfix'
     - 'pure-ftpd'
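Review bot: `- 'opendkim'` is inserted after `'openvpn'` in what otherwise reads as an alphabetically sorted list, so it belongs one line earlier, between `'ntp'` and `'openvpn'`. The task that owns this list starts before the hunk; presumably it is the loop that installs the `*_local` rule files from roles/common/files/logcheck, in which case the new opendkim_local file depends on this entry — worth confirming.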