adjusted query_authlog_root_login

- filter ssh signature: awx - filter ssh signature: gitlabci
3 years ago · 12e1eaa923
parent 250a838820
commit 12e1eaa923
1 changed files with 47 additions and 25 deletions
--- a/kustomize/base/files/exporter.cfg
+++ b/kustomize/base/files/exporter.cfg
@ -32,6 +32,28 @@ QueryJson = {
            "match_phrase": {
              "system.auth.user": "root"
            }
          },
          {
            "match_phrase": {
              "system.auth.ssh.event": "Accepted"
            }
          }
        ],
        "must_not": [
          {
            "exists": {
              "field": "system.auth.sudo.user"
            }
          },
          {
            "match_phrase": {
              "system.auth.ssh.signature": "ED25519 SHA256:mbqaHromGo9o0xRQW7yQG5X4Y72t9k2eJdvsOAOYNvc"
            }
          },
          {
            "match_phrase": {
              "system.auth.ssh.signature": "ED25519 SHA256:FdAFdv9hoxEWiViXl9k8WRwq5OoWDvGQL+uzg6vjV3Q"
            }
          }
        ]
      }