Pavlos Parissis
2008-Jul-21 12:16 UTC
[Logcheck-devel] Bug#491694: logcheck-database: 3rd and 4th rules in /etc/logcheck/violations.d/su fail to match log lines
Package: logcheck-database
Version: 1.2.54
Severity: wishlist
*** Please type your report below this line ***
There is an issue with the pattern matching for su
in /etc/logcheck/violations.d/su. Here are the rules from the above file:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \(pam_[[:alnum:]]+\) .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ pts/[0-9]+ [[:alnum:]]+-root$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ \?\?\? root-[[:alnum:]]+$
The issue resides in the 3rd and 4th lines: the - character should be : for matching
the user:root and root:user strings.
Here are the proofs.
Running the 3rd line, which gives no matches:
node1:# egrep '^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ pts/[0-9]+ [[:alnum:]]+-root$' auth.log
node1:#
Running the 3rd line again, but changing the - character to ::
node1:# egrep '^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ pts/[0-9]+ [[:alnum:]]+[-:]root$' auth.log
Jul 21 09:27:36 hraklhs su[4313]: + pts/0 user:root
Jul 21 10:32:48 hraklhs su[5244]: + pts/1 user:root
Running the 4th line, which gives no matches:
node1:# egrep '^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ \?\?\? root-[[:alnum:]]+$' auth.log
node1:#
Running the 4th line again, but changing the - character to ::
node1:# egrep '^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ \?\?\? root[-:][[:alnum:]]+$' auth.log
Jul 20 07:40:01 hraklhs su[11619]: + ??? root:nobody
Jul 21 07:35:01 hraklhs su[23294]: + ??? root:nobody
Jul 21 07:35:01 hraklhs su[23298]: + ??? root:nobody
Jul 21 07:35:01 hraklhs su[23303]: + ??? root:nobody
In order to reproduce the problem, the 1st line
in /etc/logcheck/violations.ignore.d/logcheck-su should be removed or commented
out. BTW, this line uses the : character and not the - character for matching
the user:root and root:user strings.
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.25.10
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages logcheck-database depends on:
ii debconf [debconf-2.0] 1.5.11etch1 Debian configuration management sy
logcheck-database recommends no packages.
-- debconf information:
logcheck-database/conffile-cleanup: false
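Added example, not part of the bug report or of the logcheck package: the shipped 3rd and 4th rules and their corrected forms (- replaced by :) run with grep -E over constructed su log lines modelled on those in the report. The `\w{3}` of the original rules is written `[[:alpha:]]{3}` here so the script also runs on non-GNU grep implementations; the rest of each rule is as shipped.

```shell
#!/bin/sh
# Constructed sample lines modelled on the report: two interactive su to root,
# one cron-style root:nobody, and one failed attempt ("-") that no rule should flag.
LOG_LINES='Jul 21 09:27:36 hraklhs su[4313]: + pts/0 user:root
Jul 21 10:32:48 hraklhs su[5244]: + pts/1 user:root
Jul 20 07:40:01 hraklhs su[11619]: + ??? root:nobody
Jul 21 07:35:01 hraklhs su[23294]: - pts/2 user:root'

# Common syslog prefix of the logcheck rules. \w{3} from the shipped rules is
# replaced by [[:alpha:]]{3} for portability (assumption of this example).
PREFIX='^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: '

# Rules 3 and 4 as shipped (with "-") and as corrected (with ":").
ORIG_RULE3="${PREFIX}\+ pts/[0-9]+ [[:alnum:]]+-root\$"
FIXED_RULE3="${PREFIX}\+ pts/[0-9]+ [[:alnum:]]+:root\$"
ORIG_RULE4="${PREFIX}\+ \?\?\? root-[[:alnum:]]+\$"
FIXED_RULE4="${PREFIX}\+ \?\?\? root:[[:alnum:]]+\$"

# Number of sample lines a rule matches. grep -c exits 1 when nothing
# matches but still prints 0, so keep that 0 instead of failing.
count_matches() {
    printf '%s\n' "$LOG_LINES" | grep -Ec -- "$1" || true
}

# Print a one-line summary for a labelled rule.
show_rule() {
    printf '%-24s %s matching line(s)\n' "$1" "$(count_matches "$2")"
}

show_rule 'rule 3 as shipped (-)' "$ORIG_RULE3"
show_rule 'rule 3 corrected (:)'  "$FIXED_RULE3"
show_rule 'rule 4 as shipped (-)' "$ORIG_RULE4"
show_rule 'rule 4 corrected (:)'  "$FIXED_RULE4"
```

The shipped forms match nothing, so successful su sessions to root would never be reported as violations; the corrected forms match the two user:root lines and the root:nobody line while still ignoring the failed "-" attempt.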
Debian Bug Tracking System
2008-Aug-31 19:36 UTC
[Logcheck-devel] Bug#491694: marked as done (logcheck-database: 3rd and 4th rules in /etc/logcheck/violations.d/su fail to match log lines)
Your message dated Sun, 31 Aug 2008 19:32:06 +0000
with message-id <E1KZsec-00064h-Gu at ries.debian.org>
and subject line Bug#491694: fixed in logcheck 1.3.0
has caused the Debian Bug report #491694,
regarding logcheck-database: 3rd and 4th rules in /etc/logcheck/violations.d/su fail to match log lines
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner at bugs.debian.org
immediately.)

--
491694: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=491694
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

-------------- next part --------------
An embedded message was scrubbed...
From: Pavlos Parissis <p_pavlos at freemail.gr>
Subject: logcheck-database: 3rd and 4th rules in /etc/logcheck/violations.d/su fail to match log lines
Date: Mon, 21 Jul 2008 14:16:33 +0200
Size: 3769
Url: http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20080831/d5bc77fa/attachment.eml
-------------- next part --------------
An embedded message was scrubbed...
From: madduck at debian.org (martin f. krafft)
Subject: Bug#491694: fixed in logcheck 1.3.0
Date: Sun, 31 Aug 2008 19:32:06 +0000
Size: 8101
Url: http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20080831/d5bc77fa/attachment-0001.eml
Debian Bug Tracking System
2009-Feb-11 12:15 UTC
[Logcheck-devel] Bug#491694: marked as done (logcheck-database: 3rd and 4th rules in /etc/logcheck/violations.d/su fail to match log lines)
Your message dated Wed, 11 Feb 2009 12:02:04 +0000
with message-id <E1LXDn2-0002ob-WC at ries.debian.org>
and subject line Bug#491694: fixed in logcheck 1.2.69
has caused the Debian Bug report #491694,
regarding logcheck-database: 3rd and 4th rules in /etc/logcheck/violations.d/su fail to match log lines
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner at bugs.debian.org
immediately.)

--
491694: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=491694
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

-------------- next part --------------
An embedded message was scrubbed...
From: Pavlos Parissis <p_pavlos at freemail.gr>
Subject: logcheck-database: 3rd and 4th rules in /etc/logcheck/violations.d/su fail to match log lines
Date: Mon, 21 Jul 2008 14:16:33 +0200
Size: 3769
Url: http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20090211/989c9c3d/attachment.eml
-------------- next part --------------
An embedded message was scrubbed...
From: Gerfried Fuchs <rhonda at debian.at>
Subject: Bug#491694: fixed in logcheck 1.2.69
Date: Wed, 11 Feb 2009 12:02:04 +0000
Size: 5407
Url: http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20090211/989c9c3d/attachment-0001.eml