maximilian attems
2004-Jul-09 16:28 UTC
[Logcheck-devel] Bug#258427: logcheck/logtail didn't detect tampering logfile
Package: logcheck

wanted to work on #195935,
but found a less than funny issue, easy to reproduce:

* remove some lines in front of your logfile
* invoke logcheck

you'll get a big email with all non-matching lines from that log.

not setting that to high priority because you are also getting the
newer loglines.

don't know if i find time that weekend.
wanted to document it anyways.

a++ maks
Debian Bug Tracking System
2004-Jul-19 18:18 UTC
[Logcheck-devel] Bug#258427: marked as done (logcheck/logtail didn't detect tampering logfile)
Your message dated Mon, 19 Jul 2004 20:02:02 +0200
with message-id <20040719180202.GP1870 at sputnik.stro.at>
and subject line [Logcheck-devel] Bug#258427: logcheck/logtail didn't detect tampering logfile
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Date: Mon, 19 Jul 2004 20:02:02 +0200
From: maks attems <debian at sternwelten.at>
To: 258427-done at bugs.debian.org
Subject: Re: [Logcheck-devel] Bug#258427: logcheck/logtail didn't detect tampering logfile

On Fri, 09 Jul 2004, maximilian attems wrote:
> Package: logcheck
>
> wanted to work on #195935,
> but found a less than funny issue, easy to reproduce:
>
> * remove some lines in front of your logfile
> * invoke logcheck
>
> you'll get a big email with all non-matching lines from that log.

hmm, relooked through logtail, added some more print statements and found
that in the above case, when you remove the beginning of a log, you'll
get a new inode and therefore logtail is not complaining.

i'm closing my bug report, as one should assume that these parts already
got mailed and we have no idea of any offset, so basically logtail's
assumptions are right.

a++ maks
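The inode check maks describes is the whole of logtail's protection against a rewritten log: the state file holds the inode and byte offset of the last run, and a different inode means "rotated, start again at byte 0", which is why editing the head of the file produced one large mail of "new" lines instead of a warning. The following is an added example, not logcheck's or logtail's own code, of the same inode-and-offset bookkeeping in Python, extended to report why it restarted so an operator can distinguish a rotation or rewrite from a plain append. The function names, the JSON state-file format and the sample log lines are all constructed for this illustration; `demo()` replays the scenario from the report (append, then head removed via a rewrite-and-rename as an editor does it, then in-place truncation).

```python
"""logtail-style offset tracking with a reason for each restart.

Added example; not code from logcheck or logtail. The state file format
(JSON with "inode" and "offset") and all sample data are constructed.
"""
import json
import os
import tempfile


def read_state(state_path):
    """Return (inode, offset) saved by the previous run, or (None, 0)."""
    try:
        with open(state_path) as fh:
            st = json.load(fh)
        return st["inode"], st["offset"]
    except (OSError, ValueError, KeyError):
        return None, 0


def write_state(state_path, inode, offset):
    """Persist the inode and byte offset reached by this run."""
    with open(state_path, "w") as fh:
        json.dump({"inode": inode, "offset": offset}, fh)


def logtail(log_path, state_path):
    """Return (new_lines, reason) for everything past the saved offset.

    reason is one of:
      'first-run'  no state yet: read from byte 0
      'append'     same inode, file did not shrink: read from the saved offset
      'new-inode'  inode changed (log rotation, or the file was rewritten by an
                   editor as in the bug report): restart from byte 0
      'shrunk'     same inode but the file is shorter than the saved offset
                   (in-place truncation): restart from byte 0
    """
    prev_inode, prev_offset = read_state(state_path)
    st = os.stat(log_path)
    if prev_inode is None:
        reason, start = "first-run", 0
    elif st.st_ino != prev_inode:
        reason, start = "new-inode", 0
    elif st.st_size < prev_offset:
        reason, start = "shrunk", 0
    else:
        reason, start = "append", prev_offset
    with open(log_path, "rb") as fh:
        fh.seek(start)
        data = fh.read()
    lines = data.decode("utf-8", "replace").splitlines()
    write_state(state_path, st.st_ino, start + len(data))
    return lines, reason


def demo(workdir=None):
    """Replay the report's scenario on a constructed log; return [(lines, reason)]."""
    workdir = workdir or tempfile.mkdtemp(prefix="logtail-demo-")
    log = os.path.join(workdir, "auth.log")
    state = os.path.join(workdir, "auth.log.offset")
    # constructed sample log lines
    head = ["l1 sshd: session opened", "l2 cron: job started", "l3 sshd: session closed"]
    with open(log, "w") as fh:
        fh.write("\n".join(head) + "\n")
    results = [logtail(log, state)]                  # first-run: 3 lines
    with open(log, "a") as fh:
        fh.write("l4 sshd: accepted publickey\n")
    results.append(logtail(log, state))              # append: 1 line
    # remove the first line the way an editor does: write a new file, rename over
    tmp = log + ".tmp"
    with open(tmp, "w") as fh:
        fh.write("\n".join(head[1:] + ["l4 sshd: accepted publickey"]) + "\n")
    os.replace(tmp, log)
    results.append(logtail(log, state))              # new-inode: all 3 lines re-reported
    # in-place truncation keeps the inode but the file gets shorter than the offset
    with open(log, "w") as fh:
        fh.write("l4 sshd: accepted publickey\n")
    results.append(logtail(log, state))              # shrunk: 1 line
    return results


if __name__ == "__main__":
    for lines, reason in demo():
        print(f"{reason:10s} {len(lines)} line(s): {lines}")
```

The third step is exactly the situation in the report: the rename gives the log a fresh inode, so the tracker has no offset it can trust and re-reads the whole file, which is the correct conservative choice given only an inode and an offset. The size check catches the other common case, in-place truncation under the same inode. What neither check can see is an in-place rewrite that leaves the file at least as long as the saved offset; detecting that needs something stronger than metadata, such as a stored hash of the bytes up to the offset, which is beyond what logtail records.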