On Fri, 14 May 2004, maks attems wrote:
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: +[_[:alnum]-]+ : TTY=pts/[0-9]+ ;
PWD=[^ ]+ ; USER=root ; COMMAND=/(usr|etc|bin|sbin)/.*$
well that rule is not enough, we have a bug in logcheck.
I looked at the diff since cvs import, the bug exists already before.
short explanation:
we ignore all our logcheck-* rules in the violations.ignore.d dir.
longer one:
here the relevant debug output:
--- snipp
D: [1084577137] Checking for security alerts
D: [1084577137] greplogoutput: logcheck
D: [1084577137] greplogoutput: returning 1
D: [1084577137] Checking for security volations
D: [1084577137] greplogoutput: logcheck
D: [1084577137] greplogoutput: su
D: [1084577137] greplogoutput: Entries in checked
D: [1084577137] cleanchecked - file: /tmp/logcheck.XXnJvmub/violations-ignore/su
D: [1084577137] report: cat'ing - Security Events for su
D: [1084577137] greplogoutput: sudo
D: [1084577137] greplogoutput: Entries in checked
D: [1084577137] report: cat'ing - Security Events for sudo
D: [1084577137] greplogoutput: returning 0
D: [1084577137] Checking for system events
---
you will quickly notice that for sudo no cleanchecked is called.
well here is the code path were greplogoutput is called:
--- logcheck has already preprocessed (logtail + sort)
# Check for security violations
if [ -d $TMPDIR/violations ]; then
debug "Checking for security volations"
rm -f $TMPDIR/checked
greplogoutput $TMPDIR/violations "$SECURITYSUBJECT" \
$TMPDIR/violations-ignore && SECURITY="1"
fi
---
ok now let's look at greplogoutput()
---
if [ -s $TMPDIR/checked ]; then
debug "greplogoutput: Entries in checked"
# Raise entries that match
if [ -n "$ignore" -a -f "$ignore/$(basename $grepfile)" ];
then
cleanchecked "$ignore/$(basename $grepfile)"
fi
---
until here all seems normal with see aboves debug output both
for su and sudo, well and the nextrule applies for su,
we get an debug output from the function cleanchecked for it.
but now it starts bizarre (appart from typo):
---
# If it's the logcheck file, we do something special
if [ "$(basename $grepfile)" = "logcheck" ]; then
# Now ignore all entries from the locgheck-<package> files
if [ -n "$ignore" ]; then
---
well our $grepfile is called sudo, aboves if fails!
i have no idea whats "something special"
even more bizarre seems that logcheck-foo files
should still on the way!?
so for current state in violations.ignore.d your name should be
a) local-foo
b) same filename as in violations
c) logcheck (we do not have any one)
maybe an older source than 1.2.17 should be considered,
for what the author of aboves special thing wanted to do.
well anyways i'm to tired for a real fix tonight.
thanks for your attention. :)
a++ maks
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url :
http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20040515/3ab26f78/attachment.pgp