Old 07-21-2008, 09:47 AM
Pavlos Parissis
 
logcheck bug in pattern matching for su

Hi,

Before I file a bug report I would like to verify with you guys that I have found a bug.

As the subject suggests, there is an issue with the pattern matching for su in this file:

# cat /etc/logcheck/violations.d/su
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \(pam_[[:alnum:]]+\) .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ pts/[0-9]+ [[:alnum:]]+-root$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ \?\?\? root-[[:alnum:]]+$

The issue resides in the 3rd and 4th lines: the - character should be : to match the user:root and root:user strings.

Here are the proofs.

Running the 3rd line, which gives no matches:
# egrep '^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ pts/[0-9]+ [[:alnum:]]+-root$' /var/log/auth.log

Running the 3rd line again, but changing the - character to ::
# egrep '^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ pts/[0-9]+ [[:alnum:]]+:root$' /var/log/auth.log
Jul 21 09:27:36 hraklhs su[4313]: + pts/0 pparissis:root
Jul 21 10:32:48 hraklhs su[5244]: + pts/1 pparissis:root

Running the 4th line, which gives no matches:
# egrep '^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ \?\?\? root-[[:alnum:]]+$' /var/log/auth.log

Running the 4th line again, but changing the - character to ::
# egrep '^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ \?\?\? root:[[:alnum:]]+$' /var/log/auth.log
Jul 20 07:40:01 hraklhs su[11619]: + ??? root:nobody
Jul 21 07:35:01 hraklhs su[23294]: + ??? root:nobody
Jul 21 07:35:01 hraklhs su[23298]: + ??? root:nobody
Jul 21 07:35:01 hraklhs su[23303]: + ??? root:nobody

There are 2 possible solutions for this issue:
1) fix the 2 lines in /etc/logcheck/violations.d/su
2) comment out the following line in /etc/logcheck/violations.ignore.d/logcheck-su
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: (\+|-) (pts/[0-9]{1,2}|tty[0-9]) [_[:alnum:]-]+:[_[:alnum:]-]+$

The first solution fixes the bug and the second is a hack. If I follow the 2nd solution, I get the messages because they weren't matched against the ignore rules,
and not because they were matched by a logcheck rule.



Cheers,
Pavlos


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 07-21-2008, 11:40 AM
martin f krafft
 
logcheck bug in pattern matching for su

thus spoke Pavlos Parissis <p_pavlos@freemail.gr> [2008.07.21.1147 +0200]:
> the issue resides in 3rd and 4th line, the - character should be
> : for matching user:root and root:user strings.

So maybe su changed the format *again*. You should file a wishlist
bug asking for [-:] to be used instead of plain -, ideally providing
a patch against the git HEAD, along with sample log output.

Instructions and additional information are here:

http://wiki.logcheck.org/index.cgi/RuleSubmission
http://logcheck.org/git.html

--
.'`. martin f. krafft <madduck@debian.org>
: :' : proud Debian developer, author, administrator, and user
`. `'` http://people.debian.org/~madduck - http://debiansystem.info
`- Debian - when you have better things to do than fixing systems

"never eat more than you can lift."
-- miss piggy
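The egrep runs from the first post, re-done as an added example that is not code from this thread or from the logcheck package. It checks rules 3 and 4 of violations.d/su as shipped and with the separator widened to [-:] as suggested above, against a constructed auth.log sample (hostname, PIDs and timestamps are made up, modelled on the lines Pavlos posted; the failed-attempt line with "-" is also constructed), and it emulates logcheck's violations layer to show why the ignore rule in violations.ignore.d/logcheck-su hides the pts/ lines whichever separator the su rules use.

```shell
#!/bin/sh
# Added example, not from the thread or from logcheck. Re-creates the egrep
# checks against a constructed sample and emulates the violations layer.

# Constructed sample of /var/log/auth.log su lines (host, PIDs and times
# are made up; modelled on the lines posted in the thread).
SAMPLE_LOG='Jul 21 09:27:36 hraklhs su[4313]: + pts/0 pparissis:root
Jul 21 10:32:48 hraklhs su[5244]: + pts/1 pparissis:root
Jul 21 10:40:12 hraklhs su[5301]: - pts/1 pparissis:root
Jul 20 07:40:01 hraklhs su[11619]: + ??? root:nobody
Jul 21 07:35:01 hraklhs su[23294]: + ??? root:nobody'

# Common syslog prefix used by every logcheck su rule: timestamp, host, su[pid]:
PREFIX='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: '

# Rules 3 and 4 of /etc/logcheck/violations.d/su as shipped (hyphen separator).
SHIPPED_3="${PREFIX}"'\+ pts/[0-9]+ [[:alnum:]]+-root$'
SHIPPED_4="${PREFIX}"'\+ \?\?\? root-[[:alnum:]]+$'

# The same rules accepting either separator, as suggested for the bug report.
FIXED_3="${PREFIX}"'\+ pts/[0-9]+ [[:alnum:]]+[-:]root$'
FIXED_4="${PREFIX}"'\+ \?\?\? root[-:][[:alnum:]]+$'

# Rule 2 (the catch-all) and the violations.ignore.d/logcheck-su rule.
CATCHALL="${PREFIX}"'.*$'
IGNORE_SU="${PREFIX}"'(\+|-) (pts/[0-9]{1,2}|tty[0-9]) [_[:alnum:]-]+:[_[:alnum:]-]+$'

# Number of sample lines matching one extended regex (same semantics as egrep).
# grep -c exits 1 when nothing matches, so the count is still printed and the
# function itself always succeeds.
count_matches() {
    printf '%s\n' "$SAMPLE_LOG" | grep -Ec -e "$1" || true
}

# Emulates logcheck's violations layer: a line is reported when it matches
# the violations rule in $1 and is NOT matched by the ignore rule in $2.
count_reported() {
    printf '%s\n' "$SAMPLE_LOG" | grep -E -e "$1" | grep -Evc -e "$2" || true
}

# Usage: the same comparison Pavlos ran, plus the effect of the ignore rule.
echo "rule 3 as shipped:        $(count_matches "$SHIPPED_3") matches"
echo "rule 3 with [-:]:         $(count_matches "$FIXED_3") matches"
echo "rule 4 as shipped:        $(count_matches "$SHIPPED_4") matches"
echo "rule 4 with [-:]:         $(count_matches "$FIXED_4") matches"
echo "rule 2 minus logcheck-su ignore: $(count_reported "$CATCHALL" "$IGNORE_SU") reported"
```

The last line is the point behind Pavlos's second "solution": rule 2 already matches every su line, so the successful and failed pts/ lines only disappear from the report because the logcheck-su ignore rule (which uses ":") removes them again; only the "???" lines survive that filter. Fixing rules 3 and 4 to accept ":" is what makes those rules themselves do the job the file intends.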
 
Old 07-21-2008, 12:02 PM
Pavlos Parissis
 
logcheck bug in pattern matching for su

On Mon, 21 Jul 2008 13:40:41 +0200
martin f krafft <madduck@debian.org> wrote:

> thus spoke Pavlos Parissis <p_pavlos@freemail.gr> [2008.07.21.1147 +0200]:
> > the issue resides in 3rd and 4th line, the - character should be
> > : for matching user:root and root:user strings.
>
> So maybe su changed the format *again*. You should file a wishlist
> bug asking for [-:] to be used instead of plain -, ideally providing
> a patch against the git HEAD, along with sample log output.
> Instructions and additional information are here:
>
> http://wiki.logcheck.org/index.cgi/RuleSubmission
> http://logcheck.org/git.html

Thanks Martin for the confirmation on the bug.

I'll file the bug report against the logcheck-database package and not against logcheck,
because /etc/logcheck/violations.d/su is provided by logcheck-database.
# dpkg -S /etc/logcheck/violations.d/su
logcheck-database: /etc/logcheck/violations.d/su

Unfortunately, I can't use git at the moment, so I will include the comments
which I wrote in this thread.

Cheers,
Pavlos


 
Old 07-21-2008, 12:42 PM
Pavlos Parissis
 
logcheck bug in pattern matching for su

On Mon, 21 Jul 2008 14:02:33 +0200
Pavlos Parissis <p_pavlos@freemail.gr> wrote:

[...snip...]
> Thanks Martin for the confirmation on the bug.
>
> I'll file the bug report against logcheck-database packages and not to
> logcheck because /etc/logcheck/violations.d/su is provided by
> logcheck-database.
> # dpkg -S /etc/logcheck/violations.d/su
> logcheck-database: /etc/logcheck/violations.d/su

Debian Bug report #491694 was submitted

