Michel Messerschmidt
2010-Aug-18 14:31 UTC
[Logcheck-devel] Bug#593482: Please update violations.ignore.d/logcheck-sudo to ignore regular messages
Package: logcheck
Version: 1.3.11
Severity: normal
Tags: patch

logcheck does not filter some sudo log messages that I consider false positives.

One message is caused by executing "sudo -l":

Aug 18 16:14:24 rio sudo: mic : TTY=pts/1 ; PWD=/home/mic ; USER=root ; COMMAND=list

The other message is caused by system shutdown through slim:

Aug 17 14:24:26 rio sudo: root : TTY=console ; PWD=/ ; USER=root ; COMMAND=/sbin/shutdown -h now SliM F11 initiated system shutdown

This change works for me:

--- logcheck/violations.ignore.d/logcheck-sudo (revision 286)
+++ logcheck/violations.ignore.d/logcheck-sudo (working copy)
@@ -1,5 +1,5 @@ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sudo: pam_krb5\(sudo:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]-]+@[.A-Z]+$ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+ ; COMMAND=(/(usr|etc|bin|sbin)/|sudoedit ).*$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|console|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+ ; COMMAND=((/(usr|etc|bin|sbin)/|sudoedit ).*|list)$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : \(command continued\).*$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\): session opened for user [[:alnum:]-]+ by ([[:alnum:]-]+)?\(uid=[0-9]+\)$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\): session closed for user [[:alnum:]-]+$ -- System Information: Debian Release: squeeze/sid APT prefers testing APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental') Architecture: i386 (i686) Kernel: Linux 2.6.32-5-vserver-686 (SMP w/2 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages logcheck depends on: ii adduser 3.112 add and remove users and groups ii cron 3.0pl1-113 process scheduling daemon ii exim4-daemon-light [mail-tran 4.72-1 lightweight Exim MTA (v4) daemon ii lockfile-progs 0.1.15 Programs for locking and unlocking ii logtail 1.3.11 Print log file lines that have not ii mime-construct 1.11 construct/send MIME messages from ii rsyslog [system-log-daemon] 4.6.4-1 enhanced multi-threaded syslogd Versions of packages logcheck recommends: ii logcheck-database 1.3.11 database of system log rules for t Versions of packages logcheck suggests: pn syslog-summary <none> (no description available) -- Configuration Files: /etc/logcheck/logcheck.conf [Errno 13] Permission denied: u'/etc/logcheck/logcheck.conf' 
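Review bot: adding `console` to the TTY alternatives suppresses every sudo invocation made from the physical console under violations.ignore.d, not only the shutdown line that motivated it, because the rest of the pattern is unchanged; that is consistent with how pts/, tty and vc/ sessions are already treated, but it deserves a changelog sentence so administrators who want console sudo reported know to override the rule locally. The new `list` alternative sits inside the group that is closed by `$`, so only a bare `COMMAND=list` (the `sudo -l` case) is ignored and a command whose path merely starts with `list` is still reported, which is the right anchoring.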
/etc/logcheck/logcheck.logfiles [Errno 13] Permission denied: u'/etc/logcheck/logcheck.logfiles'

-- no debconf information
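A quick check of the rule change above, added here as an example (it is not part of the bug report or of the logcheck package): it runs the old and the new ignore rule through grep -E, the way logcheck's egrep -f pass does, against the two log lines from the report plus two constructed lines. The helper names (matches, ignored_by_old, ignored_by_new, show_verdicts) and the two extra sample lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the logcheck package: run the
# old and the new ignore rule from the patch against the reporter's two log
# lines plus two constructed lines, using grep -E the way logcheck's egrep -f
# pass does. The helpers' exit status says whether a line would be suppressed.
set -e

# The two rule versions, copied from the "-" and "+" lines of the patch.
OLD_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+ ; COMMAND=(/(usr|etc|bin|sbin)/|sudoedit ).*$'
NEW_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|console|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+ ; COMMAND=((/(usr|etc|bin|sbin)/|sudoedit ).*|list)$'

# Sample lines: the first two are the reporter's, the last two are constructed
# here to show what the widened rule still reports (a command outside the
# allowed directories, and a command name that merely starts with "list").
LIST_LINE='Aug 18 16:14:24 rio sudo: mic : TTY=pts/1 ; PWD=/home/mic ; USER=root ; COMMAND=list'
SHUTDOWN_LINE='Aug 17 14:24:26 rio sudo: root : TTY=console ; PWD=/ ; USER=root ; COMMAND=/sbin/shutdown -h now SliM F11 initiated system shutdown'
HOME_SCRIPT_LINE='Aug 18 17:02:11 rio sudo: mic : TTY=pts/1 ; PWD=/home/mic ; USER=root ; COMMAND=/home/mic/script.sh'
LISTING_LINE='Aug 18 17:03:05 rio sudo: mic : TTY=pts/1 ; PWD=/home/mic ; USER=root ; COMMAND=listing'

# matches RULE LINE: exit 0 when the rule would suppress the line, 1 otherwise.
matches() {
    printf '%s\n' "$2" | grep -E -q -- "$1"
}

ignored_by_old() { matches "$OLD_RULE" "$1"; }
ignored_by_new() { matches "$NEW_RULE" "$1"; }

# Print a one-line verdict per sample for both rule versions.
show_verdicts() {
    for line in "$LIST_LINE" "$SHUTDOWN_LINE" "$HOME_SCRIPT_LINE" "$LISTING_LINE"; do
        if ignored_by_old "$line"; then old=ignored; else old=REPORTED; fi
        if ignored_by_new "$line"; then new=ignored; else new=REPORTED; fi
        printf 'old=%-8s new=%-8s %s\n' "$old" "$new" "$line"
    done
}

show_verdicts
```

Run it with sh; the two reported lines flip from REPORTED to ignored under the new rule, while the constructed /home/mic/script.sh and "listing" lines stay REPORTED under both, which is the behaviour the `$` anchor and the directory whitelist are there to keep.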
Debian Bug Tracking System
2010-Sep-03 08:51 UTC
[Logcheck-devel] Bug#593482: marked as done (Please update violations.ignore.d/logcheck-sudo to ignore regular messages)
Your message dated Fri, 03 Sep 2010 08:48:27 +0000
with message-id <E1OrRwh-0005gL-4h at franck.debian.org>
and subject line Bug#593482: fixed in logcheck 1.3.13
has caused the Debian Bug report #593482,
regarding Please update violations.ignore.d/logcheck-sudo to ignore regular messages
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner at bugs.debian.org
immediately.)

--
593482: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=593482
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

-------------- next part --------------
An embedded message was scrubbed...
From: Michel Messerschmidt <lists at michel-messerschmidt.de>
Subject: Please update violations.ignore.d/logcheck-sudo to ignore regular messages
Date: Wed, 18 Aug 2010 16:31:51 +0200
Size: 5615
URL: <http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20100903/1f94d511/attachment-0002.eml>

-------------- next part --------------
An embedded message was scrubbed...
From: Hannes von Haugwitz <hannes at vonhaugwitz.com>
Subject: Bug#593482: fixed in logcheck 1.3.13
Date: Fri, 03 Sep 2010 08:48:27 +0000
Size: 5688
URL: <http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20100903/1f94d511/attachment-0003.eml>