Pavlos Parissis
2008-Jul-21 12:16 UTC
[Logcheck-devel] Bug#491694: logcheck-database: 3rd and 4th rules in /etc/logcheck/violations.d/su fail to match log lines
Package: logcheck-database
Version: 1.2.54
Severity: wishlist

*** Please type your report below this line ***

There is an issue with the pattern matching for su in /etc/logcheck/violations.d/su. Here are the rules from the above file:

    ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \(pam_[[:alnum:]]+\) .*$
    ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: .*$
    ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ pts/[0-9]+ [[:alnum:]]+-root $
    ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ \?\?\? root-[[:alnum:]]+$

The issue resides in the 3rd and 4th lines: the - character should be : for matching the user:root and root:user strings. Here are the proofs.

Running the 3rd line, which gives no matches:

    node1:# egrep '^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ pts/[0-9]+ [[:alnum:]]+-root$' auth.log

Running the 3rd line again, but changing the - character to ::

    node1: # egrep '^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ pts/[0-9]+ [[:alnum:]]+[-:]root$' auth.log
    Jul 21 09:27:36 hraklhs su[4313]: + pts/0 user:root
    Jul 21 10:32:48 hraklhs su[5244]: + pts/1 user:root

Running the 4th line, which gives no matches:

    node1:# egrep '^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ \?\?\? root-[[:alnum:]]+$' auth.log
    node1:#

Running the 4th line again, but changing the - character to ::

    node1:# egrep '^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ \?\?\? root [-:] [[:alnum:]]+$' auth.log
    Jul 20 07:40:01 hraklhs su[11619]: + ??? root:nobody
    Jul 21 07:35:01 hraklhs su[23294]: + ??? root:nobody
    Jul 21 07:35:01 hraklhs su[23298]: + ??? root:nobody
    Jul 21 07:35:01 hraklhs su[23303]: + ??? root:nobody

In order to reproduce the problem, the 1st line in /etc/logcheck/violations.ignore.d/logcheck-su should be removed or commented out. BTW, this line uses the : character and not the - character for matching the user:root and root:user strings.
-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.25.10
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages logcheck-database depends on:
ii  debconf [debconf-2.0]    1.5.11etch1    Debian configuration management sy

logcheck-database recommends no packages.

-- debconf information:
  logcheck-database/conffile-cleanup: false
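As an added example (not part of the bug report or of the logcheck package), the script below reproduces the reporter's experiment offline: it runs the shipped 3rd and 4th rules and their ":"-corrected versions against constructed auth.log lines and counts the matches. The hostname and PIDs in the sample lines are made up, and GNU grep is assumed because `\w` is a GNU extension.

```shell
#!/bin/sh
# Added example, not part of the bug report or of logcheck: reproduce the
# non-matching 3rd/4th rules of violations.d/su and verify the ":" fix.
# Assumes GNU grep (\w is a GNU extension, as in the reporter's egrep runs).

# Constructed sample auth.log lines; hostname and PIDs are made up.
SAMPLE_LOG='Jul 21 09:27:36 host1 su[4313]: + pts/0 user:root
Jul 20 07:40:01 host1 su[11619]: + ??? root:nobody
Jul 21 10:32:48 host1 su[5244]: + pts/1 user:root
Jul 21 07:35:01 host1 su[23294]: + ??? root:nobody'

# Prefix shared by every rule in violations.d/su: timestamp, host, su[pid]:
PREFIX='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: '

# Rules as shipped in 1.2.54: "-" between the two user names.
SHIPPED_RULE3="${PREFIX}"'\+ pts/[0-9]+ [[:alnum:]]+-root$'
SHIPPED_RULE4="${PREFIX}"'\+ \?\?\? root-[[:alnum:]]+$'

# Corrected rules: ":" between the user names, which is what su logs.
FIXED_RULE3="${PREFIX}"'\+ pts/[0-9]+ [[:alnum:]]+:root$'
FIXED_RULE4="${PREFIX}"'\+ \?\?\? root:[[:alnum:]]+$'

# count_matches PATTERN: number of sample lines matched by PATTERN.
# grep -c exits 1 when the count is 0, so that status is swallowed.
count_matches() {
    printf '%s\n' "$SAMPLE_LOG" | grep -E -c -- "$1" || true
}

# matched_lines PATTERN: the sample lines matched by PATTERN, if any.
matched_lines() {
    printf '%s\n' "$SAMPLE_LOG" | grep -E -- "$1" || true
}

# report LABEL PATTERN: print the count and the matched lines for one rule.
report() {
    printf '%s: %s match(es)\n' "$1" "$(count_matches "$2")"
    matched_lines "$2" | sed 's/^/    /'
}

report "shipped rule 3 (-root)" "$SHIPPED_RULE3"
report "shipped rule 4 (root-)" "$SHIPPED_RULE4"
report "fixed rule 3 (:root)"   "$FIXED_RULE3"
report "fixed rule 4 (root:)"   "$FIXED_RULE4"
```

The shipped rules match none of the sample lines, while each corrected rule matches its two corresponding lines.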
Debian Bug Tracking System
2008-Aug-31 19:36 UTC
[Logcheck-devel] Bug#491694: marked as done (logcheck-database: 3rd and 4th rules in /etc/logcheck/violations.d/su fail to match log lines)
Your message dated Sun, 31 Aug 2008 19:32:06 +0000 with message-id <E1KZsec-00064h-Gu at ries.debian.org> and subject line "Bug#491694: fixed in logcheck 1.3.0" has caused the Debian Bug report #491694, regarding logcheck-database: 3rd and 4th rules in /etc/logcheck/violations.d/su fail to match log lines, to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner at bugs.debian.org immediately.)

--
491694: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=491694
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

-------------- next part --------------
An embedded message was scrubbed...
From: Pavlos Parissis <p_pavlos at freemail.gr>
Subject: logcheck-database: 3rd and 4th rules in /etc/logcheck/violations.d/su fail to match log lines
Date: Mon, 21 Jul 2008 14:16:33 +0200
Size: 3769
Url: http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20080831/d5bc77fa/attachment.eml
-------------- next part --------------
An embedded message was scrubbed...
From: madduck at debian.org (martin f. krafft)
Subject: Bug#491694: fixed in logcheck 1.3.0
Date: Sun, 31 Aug 2008 19:32:06 +0000
Size: 8101
Url: http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20080831/d5bc77fa/attachment-0001.eml
Debian Bug Tracking System
2009-Feb-11 12:15 UTC
[Logcheck-devel] Bug#491694: marked as done (logcheck-database: 3rd and 4th rules in /etc/logcheck/violations.d/su fail to match log lines)
Your message dated Wed, 11 Feb 2009 12:02:04 +0000 with message-id <E1LXDn2-0002ob-WC at ries.debian.org> and subject line "Bug#491694: fixed in logcheck 1.2.69" has caused the Debian Bug report #491694, regarding logcheck-database: 3rd and 4th rules in /etc/logcheck/violations.d/su fail to match log lines, to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner at bugs.debian.org immediately.)

--
491694: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=491694
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

-------------- next part --------------
An embedded message was scrubbed...
From: Pavlos Parissis <p_pavlos at freemail.gr>
Subject: logcheck-database: 3rd and 4th rules in /etc/logcheck/violations.d/su fail to match log lines
Date: Mon, 21 Jul 2008 14:16:33 +0200
Size: 3769
Url: http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20090211/989c9c3d/attachment.eml
-------------- next part --------------
An embedded message was scrubbed...
From: Gerfried Fuchs <rhonda at debian.at>
Subject: Bug#491694: fixed in logcheck 1.2.69
Date: Wed, 11 Feb 2009 12:02:04 +0000
Size: 5407
Url: http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20090211/989c9c3d/attachment-0001.eml