Geoff Crompton
2005-Jan-12 23:46 UTC
[Logcheck-devel] Bug#290195: violations.d/sudo and violations.ignore.d/logcheck-sudo missing sudo log entries
Package: logcheck
Version: 1.2.32
Severity: normal

It seems when someone runs a sudo command on my system, logcheck misses it. The second line of /etc/logcheck/violations.d/sudo matches them, but the /etc/logcheck/violations.ignore.d/logcheck-sudo kills them.

Furthermore, when users run commands like '$ sudo rm *' in a directory with lots of files, we get reports with lines like:

Jan 13 09:42:34 localhost sudo: root : (command continued) ./munin/munin-node.log.2.gz ./munin/munin-node.log.1.gz

Can this be changed to one of the following scenarios:
a) sudo command is reported, and the (command continued) lines are also.
b) sudo command is reported, but (command continued) lines are not.
c) neither sudo command is reported, nor the (command continued) lines.

I've included a rule to ignore the command continued:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: +\w+ : \(command continued\).*$

Cheers,

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.9-1-686-smp
Locale: LANG=en_AU, LC_CTYPE=en_AU (charmap=ISO-8859-1)

Versions of packages logcheck depends on:
ii  adduser                 3.59                      Add and remove users and groups
ii  cron                    3.0pl1-86                 management of regular background p
ii  debconf [debconf        1.4.30.11                 Debian configuration management sy
ii  debianutils             2.8.4                     Miscellaneous utilities specific t
ii  lockfile-progs          0.1.10                    Programs for locking and unlocking
ii  logcheck-databas        1.2.32                    A database of system log rules for
ii  logtail                 1.2.32                    Print log file lines that have not
ii  mailx                   1:8.1.2-0.20040524cvs-4   A simple mail user agent
ii  perl                    5.8.4-5                   Larry Wall's Practical Extraction
ii  postfix [mail-tr        2.1.4-5                   A high-performance mail transport
ii  sysklogd [system        1.4.1-16                  System Logging Daemon

-- debconf information:
  logcheck/changes:
* logcheck/install-note:
maximilian attems
2005-Jan-13 09:38 UTC
Bug#290195: [Logcheck-devel] Bug#290195: violations.d/sudo and violations.ignore.d/logcheck-sudo missing sudo log entries
tags 290195 pending
thanks

On Thu, 13 Jan 2005, Geoff Crompton wrote:
> It seems when someone runs a sudo command on my system, logcheck misses
> it.
> The second line of /etc/logcheck/violations.d/sudo matches them, but
> the /etc/logcheck/violations.ignore.d/logcheck-sudo kills them.

before logcheck reported all sudo uses, now out of the box we don't report if he uses cmds out of /bin, /sbin or /usr/{,s}bin. it is left up to the admin to fine-tune that rule, in order to match his needs.

> Furthermore, when users run commands like '$ sudo rm *' in a directory
> with lots of files, we reports with lines like:
> Jan 13 09:42:34 localhost sudo: root : (command continued)
> ./munin/munin-node.log.2.gz ./munin/munin-node.log.1.gz
>
> Can this be changed to one of the following scenarios:
> a) sudo command is reported, and the (command continued) lines are also.
> b) sudo command is reported, but (command continued) lines are not.
> c) neither sudo command is reported, nor the (command continued) lines.

ok thanks hadn't seen that logline yet. the continued lines will be ignored.

> I've included a rule to ignore the command continued:
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: +\w+ : \(command continued\).*$

good, but user may have '_-' in their usernames, spaces..
what about that:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:]-]+ : \(command continued\).*$

added to current logcheck cvs. thanks for your feedback.

-- maks
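As an added example (not part of this thread, and not code from the logcheck package), the script below runs the reporter's proposed ignore rule and the maintainer's committed rule over a handful of log lines with grep -E, the extended-regex matching that logcheck's egrep-based rule files rely on. Only the "(command continued)" line quoted in the report is real; the other log lines, hostnames and usernames are constructed for this example. It shows what each rule suppresses, why the maintainer's character class matters for a username containing "-", and that neither rule touches the first sudo line carrying COMMAND=, which is still decided by violations.d/sudo and logcheck-sudo.

```shell
#!/bin/sh
# Added example, not code from the bug report or from logcheck itself.
# Runs the two proposed violations.ignore.d rules for sudo's
# "(command continued)" lines over constructed log lines with grep -E,
# the extended-regex matching logcheck's egrep-based filtering uses.

# Rule proposed by the reporter (quoted verbatim from the report).
RULE_REPORTER='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: +\w+ : \(command continued\).*$'

# Rule committed by the maintainer (quoted verbatim from the reply).
# [_[:alnum:]-]+ accepts "-" in the username; GNU grep's \w covers
# letters, digits and "_" only.
RULE_MAINT='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:]-]+ : \(command continued\).*$'

# Constructed sample log. Line 2 is the one quoted in the report; the
# hostnames and usernames on the other lines are made up for this example.
sample_log() {
    cat <<'EOF'
Jan 13 09:42:34 localhost sudo:    geoff : TTY=pts/0 ; PWD=/var/log ; USER=root ; COMMAND=/bin/rm -- ./munin/munin-node.log.3.gz
Jan 13 09:42:34 localhost sudo: root : (command continued) ./munin/munin-node.log.2.gz ./munin/munin-node.log.1.gz
Jan 13 09:42:35 localhost sudo: build_user-1 : (command continued) ./a.log ./b.log
Jan  9 10:00:01 web-01.example.net sudo:   deploy : (command continued) ./x.log ./y.log
Jan 13 09:43:00 localhost /USR/SBIN/CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)
EOF
}

# Lines a rule would suppress: logcheck drops exactly the lines matching
# an ignore rule, so this is what disappears from the report.
ignored_by() {
    sample_log | grep -E -e "$1"
}

# Lines that survive the ignore rule and would still be reported.
reported_after() {
    sample_log | grep -E -v -e "$1"
}

# Number of lines a rule suppresses, as a bare integer.
count_ignored() {
    ignored_by "$1" | wc -l | tr -d ' '
}

# Does the sudo line carrying COMMAND= survive the rule? Prints yes/no.
command_line_kept() {
    if reported_after "$1" | grep -q 'COMMAND='; then
        echo yes
    else
        echo no
    fi
}

# Stand-alone demonstration of both rules.
show() {
    echo "== $1: suppresses $(count_ignored "$2") line(s); COMMAND= line kept: $(command_line_kept "$2")"
    ignored_by "$2" | sed 's/^/   ignored: /'
}
show "reporter's rule" "$RULE_REPORTER"
show "maintainer's rule" "$RULE_MAINT"
```

Run as-is, the reporter's rule suppresses the "root" and "deploy" continuation lines but lets "build_user-1" through to the report, while the maintainer's rule suppresses all three; both leave the COMMAND= line and the unrelated cron line alone. Swapping in lines from a real /var/log/auth.log into sample_log is the quickest way to check a locally tuned rule before dropping it into /etc/logcheck/violations.ignore.d.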
Debian Bug Tracking System
2005-Jan-13 09:48 UTC
Processed: Re: [Logcheck-devel] Bug#290195: violations.d/sudo and violations.ignore.d/logcheck-sudo missing sudo log entries
Processing commands for control at bugs.debian.org:

> tags 290195 pending
Bug#290195: violations.d/sudo and violations.ignore.d/logcheck-sudo missing sudo log entries
There were no tags set.
Tags added: pending

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)
Debian Bug Tracking System
2005-Jan-24 03:18 UTC
[Logcheck-devel] Bug#290195: marked as done (violations.d/sudo and violations.ignore.d/logcheck-sudo missing sudo log entries)
Your message dated Sun, 23 Jan 2005 22:02:06 -0500
with message-id <E1CsuUQ-0007Wy-00 at newraff.debian.org>
and subject line Bug#290195: fixed in logcheck 1.2.34
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 12 Jan 2005 23:47:01 +0000
From: Geoff Crompton <geoff.crompton at strategicdata.com.au>
To: Debian Bug Tracking System <submit at bugs.debian.org>
Subject: violations.d/sudo and violations.ignore.d/logcheck-sudo missing sudo log entries
X-Mailer: reportbug 3.2
Date: Thu, 13 Jan 2005 10:46:57 +1100
Message-Id: <20050112234657.BCFE9E392D at shitno.mel.strategicdata.com.au>

---------------------------------------
Received: (at 290195-close) by bugs.debian.org; 24 Jan 2005 03:05:41 +0000
From: Todd Troxell <ttroxell at debian.org>
To: 290195-close at bugs.debian.org
Subject: Bug#290195: fixed in logcheck 1.2.34
Message-Id: <E1CsuUQ-0007Wy-00 at newraff.debian.org>
Sender: Archive Administrator <katie at ftp-master.debian.org>
Date: Sun, 23 Jan 2005 22:02:06 -0500

Source: logcheck
Source-Version: 1.2.34

We believe that the bug you reported is fixed in the latest version of logcheck, which is due to be installed in the Debian FTP archive:

logcheck-database_1.2.34_all.deb
  to pool/main/l/logcheck/logcheck-database_1.2.34_all.deb
logcheck_1.2.34.dsc
  to pool/main/l/logcheck/logcheck_1.2.34.dsc
logcheck_1.2.34.tar.gz
  to pool/main/l/logcheck/logcheck_1.2.34.tar.gz
logcheck_1.2.34_all.deb
  to pool/main/l/logcheck/logcheck_1.2.34_all.deb
logtail_1.2.34_all.deb
  to pool/main/l/logcheck/logtail_1.2.34_all.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 290195 at bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp. Todd Troxell <ttroxell at debian.org> (supplier of updated logcheck package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster at debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sunday, 23 Jan 2005 21:31:00 -0500
Source: logcheck
Binary: logcheck logtail logcheck-database
Architecture: source all
Version: 1.2.34
Distribution: unstable
Urgency: low
Maintainer: Debian logcheck Team <logcheck-devel at lists.alioth.debian.org>
Changed-By: Todd Troxell <ttroxell at debian.org>
Description:
 logcheck   - Mails anomalies in the system logfiles to the administrator
 logcheck-database - A database of system log rules for the use of log checkers
 logtail    - Print log file lines that have not been read
Closes: 289529 289801 289866 290195 290511 291395
Changes:
 logcheck (1.2.34) unstable; urgency=low
 .
   todd:
   * Correct "Gandhi" spelling in docs/README.how.to.interpret.
     Thanks Satya <debbugs at thesatya.com> (closes: #289529)
   * Set logtail to report errors on stderr instead of stdout. (closes: #289801)
   * Adjust logcheck to redirect stdout and also stderr when reporting
     in order to maintain the current behavior of logcheck after the
     change above.
   * Change rule directories to setgid for real this time. (closes: #291395)
   * Update gconf, workstation/kernel rules
   maks:
   * Add pdns, fix scponly, fix gconfd SIGHUP rule.
   * Fix pam_winbind rule at level workstation. (Closes: #289866)
   * Ignore sudo "command continued" logline. (Closes: #290195)
   * Add rule for daily sysklogd -r restart at level server. (Closes: #290511)
   jamie:
   * Update rules for nagios.
Files:
 6612f3aae699b008fbbce64951b28d74 703 admin optional logcheck_1.2.34.dsc
 1042830c8ae783c69751fc99b588f943 90068 admin optional logcheck_1.2.34.tar.gz
 6cd0126e9f140a2dbaf22d28b5ce08d6 42210 admin optional logcheck_1.2.34_all.deb
 5fc7d09450a439eb169010993c84ac9b 57956 admin optional logcheck-database_1.2.34_all.deb
 2426337abec798ed7a28ee5954f8717c 25770 admin optional logtail_1.2.34_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFB9F+E4u3oQ3FHP2YRAvaHAJ95fSajvH++jdpR2UqWiIjk7zXf3QCeJZb1
CdzEyRku0QK3EEeGm27yzUg=ACq6
-----END PGP SIGNATURE-----