Michel Messerschmidt
2010-Jul-06 18:21 UTC
[Logcheck-devel] Bug#588285: logcheck: Additional rules to ignore successful kerberos authentication
Package: logcheck
Version: 1.3.10
Severity: normal
Tags: patch

Many of my logcheck reports are triggered by regular user authentication
against kerberos enabled services.
Here are rules to ignore authentication success messages for some common
daemons.

violations.ignore.d/logcheck-sudo:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sudo: pam_krb5+\(sudo:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]@-]+$

ignore.d.server/cups-lpd:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cupsd: pam_krb5\(cups:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]@-]+$

ignore.d.server/ssh:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_krb5\(sshd:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]@-]+$

ignore.d.workstation/gdm:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ gdm\[[0-9]+\]: pam_krb5\(gdm:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]@-]+$

Regards,
Michel

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-vserver-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages logcheck depends on:
ii  adduser                        3.112       add and remove users and groups
ii  cron                           3.0pl1-113  process scheduling daemon
ii  exim4                          4.72-1      metapackage to ease Exim MTA (v4)
ii  exim4-daemon-light [mail-tran  4.72-1      lightweight Exim MTA (v4) daemon
ii  lockfile-progs                 0.1.15      Programs for locking and unlocking
ii  logtail                        1.3.10      Print log file lines that have not
ii  mime-construct                 1.10        construct/send MIME messages from
ii  rsyslog [system-log-daemon]    4.6.2-1     enhanced multi-threaded syslogd

Versions of packages logcheck recommends:
ii  logcheck-database              1.3.10      database of system log rules for t

Versions of packages logcheck suggests:
pn  syslog-summary                 <none>      (no description available)

-- Configuration Files:
/etc/logcheck/logcheck.conf [Errno 13] Permission denied: u'/etc/logcheck/logcheck.conf'
/etc/logcheck/logcheck.logfiles [Errno 13] Permission denied: u'/etc/logcheck/logcheck.logfiles'

-- no debconf information
Russ Allbery
2010-Jul-07 01:26 UTC
[Logcheck-devel] Bug#588285: Bug#588285: logcheck: Additional rules to ignore successful kerberos authentication
Michel Messerschmidt <lists at michel-messerschmidt.de> writes:

> Many of my logcheck reports are triggered by regular user authentication
> against kerberos enabled services.
> Here are rules to ignore authentication success messages for some common
> daemons.

> violations.ignore.d/logcheck-sudo:
> ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sudo: pam_krb5+\(sudo:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]@-]+$

> ignore.d.server/cups-lpd:
> ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cupsd: pam_krb5\(cups:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]@-]+$

> ignore.d.server/ssh:
> ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_krb5\(sshd:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]@-]+$

> ignore.d.workstation/gdm:
> ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ gdm\[[0-9]+\]: pam_krb5\(gdm:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]@-]+$

I wonder if the right way of handling this would be to instead install a
logcheck rule as part of the libpam-krb5 package that looks something
like:

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ [[:alnum:]]+(\[[0-9]+\])?: pam_krb5\([[:alnum:]]+:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]@-]+$

or if that would be too general.

--
Russ Allbery (rra at debian.org) <http://www.eyrie.org/~eagle/>
Michel Messerschmidt
2010-Jul-08 18:17 UTC
[Logcheck-devel] Bug#588285: Bug#588285: logcheck: Additional rules to ignore successful kerberos authentication
On Tue, Jul 06, 2010 at 06:26:10PM -0700, Russ Allbery wrote:
> I wonder if the right way of handling this would be to instead install a
> logcheck rule as part of the libpam-krb5 package that looks something
> like:
>
> ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ [[:alnum:]]+(\[[0-9]+\])?: pam_krb5\([[:alnum:]]+:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]@-]+$

Ok works fine for me now.

Your rule matches all pam_krb5 success messages on my systems besides
dovecot, because it uses "dovecot-auth" as the process name.
I propose to enhance the rule to:

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ [[:alnum:]-]+(\[[0-9]+\])?: pam_krb5\([[:alnum:]]+:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]@-]+$
Hannes von Haugwitz
2010-Jul-08 19:03 UTC
[Logcheck-devel] Bug#588285: Bug#588285: logcheck: Additional rules to ignore successful kerberos authentication
Michel Messerschmidt wrote:
> On Tue, Jul 06, 2010 at 06:26:10PM -0700, Russ Allbery wrote:
>> I wonder if the right way of handling this would be to instead install a
>> logcheck rule as part of the libpam-krb5 package that looks something
>> like:
>>
>> ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ [[:alnum:]]+(\[[0-9]+\])?: pam_krb5\([[:alnum:]]+:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]@-]+$
>
> Ok works fine for me now.
>
> Your rule matches all pam_krb5 success messages on my systems besides
> dovecot, because it uses "dovecot-auth" as the process name.
> I propose to enhance the rule to:
> ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ [[:alnum:]-]+(\[[0-9]+\])?: pam_krb5\([[:alnum:]]+:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]@-]+$
>
>

Valid point. Fixed in e786dd9.

Greetings
Hannes
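
An added example (not part of the original thread and not logcheck's own code): the two generalized rules discussed above, run with grep -E over constructed syslog lines to show which lines each rule would suppress and which stay in the report. The host name, users, realm and all log lines are made up for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check the two generalized ignore rules from this thread
# against constructed syslog lines, using grep -E (extended regex, as logcheck does).

# Rule as first suggested in the thread (process name limited to [[:alnum:]]+).
RULE_FIRST='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ [[:alnum:]]+(\[[0-9]+\])?: pam_krb5\([[:alnum:]]+:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]@-]+$'
# Enhanced rule from the thread (process name class also allows "-").
RULE_ENHANCED='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ [[:alnum:]-]+(\[[0-9]+\])?: pam_krb5\([[:alnum:]]+:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]@-]+$'

# Constructed sample lines: three successes, one success with a dotted
# realm, and one failure line that must never be suppressed.
sample_log() {
  cat <<'EOF'
Jul  8 18:17:01 host1 sshd[4242]: pam_krb5(sshd:auth): user alice authenticated as alice@EXAMPLE
Jul  8 18:17:05 host1 sudo: pam_krb5(sudo:auth): user alice authenticated as alice@EXAMPLE
Jul  8 18:17:09 host1 dovecot-auth: pam_krb5(dovecot:auth): user bob authenticated as bob@EXAMPLE
Jul  8 18:17:12 host1 sshd[4250]: pam_krb5(sshd:auth): user carol authenticated as carol@EXAMPLE.ORG
Jul  8 18:17:15 host1 sshd[4251]: pam_krb5(sshd:auth): authentication failure; logname=mallory uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.7
EOF
}

# Lines the rule leaves in the report (everything the pattern does not match).
still_reported() {
  sample_log | LC_ALL=C grep -Ev -- "$1"
}

# Number of sample lines the rule suppresses.
ignored_count() {
  sample_log | LC_ALL=C grep -Ec -- "$1"
}

# Print a short summary for one rule: $1 = label, $2 = pattern.
report() {
  printf '%s ignores %s of 5 lines; still reported:\n' "$1" "$(ignored_count "$2")"
  still_reported "$2" | sed 's/^/  /'
}

report "first rule" "$RULE_FIRST"
report "enhanced rule" "$RULE_ENHANCED"
```

The line with the dotted realm stays in the report under both rules because the final character class `[[:alnum:]@-]` contains no `.`, so on such input the rules fail toward reporting rather than suppressing.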
Debian Bug Tracking System
2010-Jul-29 07:51 UTC
[Logcheck-devel] Bug#588285: marked as done (logcheck: Additional rules to ignore successful kerberos authentication)
Your message dated Thu, 29 Jul 2010 07:47:08 +0000
with message-id <E1OeNpc-0005AL-2Z at franck.debian.org>
and subject line Bug#588285: fixed in logcheck 1.3.11
has caused the Debian Bug report #588285,
regarding logcheck: Additional rules to ignore successful kerberos authentication
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner at bugs.debian.org
immediately.)

--
588285: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=588285
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

-------------- next part --------------
An embedded message was scrubbed...
From: Michel Messerschmidt <lists at michel-messerschmidt.de>
Subject: logcheck: Additional rules to ignore successful kerberos authentication
Date: Tue, 6 Jul 2010 20:21:15 +0200
Size: 4214
URL: <http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20100729/b3f37842/attachment.eml>

-------------- next part --------------
An embedded message was scrubbed...
From: Hannes von Haugwitz <hannes at vonhaugwitz.com>
Subject: Bug#588285: fixed in logcheck 1.3.11
Date: Thu, 29 Jul 2010 07:47:08 +0000
Size: 7787
URL: <http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20100729/b3f37842/attachment-0001.eml>