Lee Maguire
2004-Jun-16 10:10 UTC
[Logcheck-devel] Bug#254681: logcheck-database: su from cron job
Package: logcheck-database
Version: 1.2.22a
Severity: normal

The updatedb process for find runs as part of cron.daily, and runs as nobody. Since it is a cron job there is no associated terminal ("???"), it is flagged as a security event by logcheck:

    Jun 16 06:25:01 localhost su[30985]: + ??? root:nobody

I have added the following to /etc/logcheck/violations.ignore.d/local-su

    ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ \?\?\? root:nobody$
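An added example, not part of the original report or of logcheck itself: a shell check that the proposed ignore rule suppresses only the cron-driven root-to-nobody su line and nothing adjacent to it. It assumes GNU grep -E (the pattern relies on its \w extension); every sample line except the first is constructed for the test.

```shell
#!/bin/sh
# Pattern copied from the bug report; applied as an extended regex.
RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ \?\?\? root:nobody$'

# rule_ignores LINE: exit status 0 if the rule would suppress LINE.
rule_ignores() {
    printf '%s\n' "$1" | grep -E -q -- "$RULE"
}

# remaining_lines: read log lines on stdin, print those still reported.
remaining_lines() {
    grep -E -v -- "$RULE"
}

# First line is the one quoted in the report. The rest are constructed
# near-misses: different target user, a real terminal, a failed su ("-"),
# a non-root caller, and trailing text after the user pair.
sample_log() {
cat <<'EOF'
Jun 16 06:25:01 localhost su[30985]: + ??? root:nobody
Jun 16 06:25:02 localhost su[30990]: + ??? root:root
Jun 16 09:14:33 localhost su[31200]: + pts/2 root:nobody
Jun 16 09:15:10 localhost su[31244]: - ??? root:nobody
Jun 16 09:16:45 localhost su[31301]: + ??? alice:nobody
Jun 16 06:25:01 localhost su[30985]: + ??? root:nobody extra
EOF
}

# report: the lines that would still reach the administrator.
report() {
    sample_log | remaining_lines
}

# count_remaining: number of sample lines the rule leaves in the report.
count_remaining() {
    report | wc -l | tr -d ' '
}

report
```

Only the first sample line is dropped; the anchors and the literal `\+ \?\?\? root:nobody` keep interactive, failed, and non-root su events in the report.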
maks attems
2004-Jun-16 13:04 UTC
Bug#254681: [Logcheck-devel] Bug#254681: logcheck-database: su from cron job
tag 254681 pending
thanks

On Wed, 16 Jun 2004, Lee Maguire wrote:
> The updatedb process for find runs as part of cron.daily, and runs as
> nobody. Since it is a cron job there is no associated terminal ("???"),
> it is flagged as a security event by logcheck:
>
> Jun 16 06:25:01 localhost su[30985]: + ??? root:nobody
>
> I have added the following to /etc/logcheck/violations.ignore.d/local-su
>
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ \?\?\? root:nobody$

nice, just added to cvs, will be in next release!

a+
maks
Debian Bug Tracking System
2004-Jul-09 03:48 UTC
[Logcheck-devel] Bug#254681: marked as done (logcheck-database: su from cron job)
Your message dated Thu, 08 Jul 2004 23:32:06 -0400
with message-id <E1Bim7K-0004VN-00 at newraff.debian.org>
and subject line Bug#254681: fixed in logcheck 1.2.23
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------

From: Todd Troxell <ttroxell at debian.org>
To: 254681-close at bugs.debian.org
Subject: Bug#254681: fixed in logcheck 1.2.23
Date: Thu, 08 Jul 2004 23:32:06 -0400

Source: logcheck
Source-Version: 1.2.23

We believe that the bug you reported is fixed in the latest version of logcheck, which is due to be installed in the Debian FTP archive:

logcheck-database_1.2.23_all.deb
  to pool/main/l/logcheck/logcheck-database_1.2.23_all.deb
logcheck_1.2.23.dsc
  to pool/main/l/logcheck/logcheck_1.2.23.dsc
logcheck_1.2.23.tar.gz
  to pool/main/l/logcheck/logcheck_1.2.23.tar.gz
logcheck_1.2.23_all.deb
  to pool/main/l/logcheck/logcheck_1.2.23_all.deb
logtail_1.2.23_all.deb
  to pool/main/l/logcheck/logtail_1.2.23_all.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 254681 at bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Todd Troxell <ttroxell at debian.org> (supplier of updated logcheck package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster at debian.org)

Format: 1.7
Date: Thursday, 12 Jul 2004 22:55:19 -0500
Source: logcheck
Binary: logcheck logtail logcheck-database
Architecture: source all
Version: 1.2.23
Distribution: unstable
Urgency: low
Maintainer: Debian logcheck Team <logcheck-devel at lists.alioth.debian.org>
Changed-By: Todd Troxell <ttroxell at debian.org>
Description:
 logcheck - Mails anomalies in the system logfiles to the administrator
 logcheck-database - A database of system log rules for the use of log checkers
 logtail - Print log file lines that have not been read
Closes: 149567 186372 190101 234385 244171 253861 253879 253998 254133 254681 255560 256549
Changes:
 logcheck (1.2.23) unstable; urgency=low
 .
 maks:
 * Remove logcheck pre-dependency on logtail.
 * Added imapproxy, kernel, nfs, scponly rules.
 * Updated dhcpd, innd, postfix, su, sudo rules.
   (Closes: #253879, #244171, #190101, #254681, #253861, #186372, #255560).
 * Fix locale dependent regexes.
 * Implemented testing mode to logcheck - doesn't update offset.
 * Added -l LOG switch for test runs on new log files.
   thanks todd for ideas and first work (Closes: #234385).
 * Add -m switch to specify recipient. (Closes: #149567).
 alfie:
 * debian/logcheck-database.templates: Clarified the rules-directories-note
   template and got updates for all translations. Thanks for fast responses!
 todd:
 * Update innfeed rules (Closes: #254133).
 * Update dhcp3 rules (Closes: #256549).
 * Change postinst script to set permissions on versions previous to
   1.2.23 (Closes: #253998).
 * Add postfix rule for lmtp.
 * Add Rule for cyrus imap/SQUAT annoyance.
 * Spamd update for unknown message id.
 * Add Kernel and bonobo rules for workstations.