Hi,

Before I file a bug report I would like to verify with you guys that I have 
found a bug.

As the subject suggests, there is an issue with the pattern matching for su in this file:

# cat /etc/logcheck/violations.d/su
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \(pam_[[:alnum:]]+\) .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ pts/[0-9]+ [[:alnum:]]+-root$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ \?\?\? root-[[:alnum:]]+$

The issue resides in the 3rd and 4th lines: the - character should be : to match the user:root and root:user strings.

Here are the proofs:

Running the 3rd line, which gives no matches:
# egrep '^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ pts/[0-9]+ [[:alnum:]]+-root$' /var/log/auth.log

Running the 3rd line again, but changing the - character to ::
# egrep '^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ pts/[0-9]+ [[:alnum:]]+:root$' /var/log/auth.log
Jul 21 09:27:36 hraklhs su[4313]: + pts/0 pparissis:root
Jul 21 10:32:48 hraklhs su[5244]: + pts/1 pparissis:root

Running the 4th line, which gives no matches:
# egrep '^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ \?\?\? root-[[:alnum:]]+$' /var/log/auth.log

Running the 4th line again, but changing the - character to ::
# egrep '^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ \?\?\? root:[[:alnum:]]+$' /var/log/auth.log
Jul 20 07:40:01 hraklhs su[11619]: + ??? root:nobody
Jul 21 07:35:01 hraklhs su[23294]: + ??? root:nobody
Jul 21 07:35:01 hraklhs su[23298]: + ??? root:nobody
Jul 21 07:35:01 hraklhs su[23303]: + ??? root:nobody

There are 2 possible solutions for this issue:
1) fix the 2 lines in /etc/logcheck/violations.d/su
2) comment out the following line in /etc/logcheck/violations.ignore.d/logcheck-su
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: (\+|-) (pts/[0-9]{1,2}|tty[0-9]) [_[:alnum:]-]+:[_[:alnum:]-]+$

The first solution fixes the bug and the second is a hack. If I follow the 2nd 
solution I get the messages because they weren't matched against the ignore 
rules, and not because they were matched by a logcheck rule.

Cheers,
Pavlos
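As an added check that is not part of Pavlos's report or of logcheck itself: the rules quoted above, translated into Python's re syntax (the POSIX [[:alnum:]] classes spelled out, everything else unchanged) and run over the auth.log lines quoted in the report. It also applies the violations.ignore.d rule, so you can see which of the two sample lines each rule set selects before deploying a rule change.

```python
import re

# POSIX ERE -> Python re: only the bracket classes need spelling out.
ALNUM = "0-9A-Za-z"
PREFIX = rf"^\w{{3}} [ :0-9]{{11}} [._{ALNUM}-]+ su\[[0-9]+\]: "

# 3rd and 4th rules as shipped in /etc/logcheck/violations.d/su ...
SHIPPED = [
    PREFIX + rf"\+ pts/[0-9]+ [{ALNUM}]+-root$",
    PREFIX + rf"\+ \?\?\? root-[{ALNUM}]+$",
]
# ... and the same rules with '-' replaced by ':' as the report proposes.
FIXED = [
    PREFIX + rf"\+ pts/[0-9]+ [{ALNUM}]+:root$",
    PREFIX + rf"\+ \?\?\? root:[{ALNUM}]+$",
]
# The rule quoted from /etc/logcheck/violations.ignore.d/logcheck-su.
IGNORE = PREFIX + rf"(\+|-) (pts/[0-9]{{1,2}}|tty[0-9]) [_{ALNUM}-]+:[_{ALNUM}-]+$"

# Sample lines copied from the report's auth.log output (one of each kind).
SAMPLE = [
    "Jul 21 09:27:36 hraklhs su[4313]: + pts/0 pparissis:root",
    "Jul 20 07:40:01 hraklhs su[11619]: + ??? root:nobody",
]


def matched(rules, lines):
    """Lines hit by at least one rule (logcheck feeds rule files to egrep -f)."""
    compiled = [re.compile(r) for r in rules]
    return [line for line in lines if any(c.search(line) for c in compiled)]


def reported(lines, violations, ignores):
    """Mimic logcheck's violation selection: a line is reported when some
    violations.d rule matches it and no violations.ignore.d rule matches it."""
    return [line for line in matched(violations, lines) if not matched(ignores, [line])]


if __name__ == "__main__":
    print("shipped rules select:", matched(SHIPPED, SAMPLE))   # []
    print("fixed rules select:  ", matched(FIXED, SAMPLE))     # both lines
    print("ignore rule drops:   ", matched([IGNORE], SAMPLE))  # the pts/0 line only
    print("reported with fix:   ", reported(SAMPLE, FIXED, [IGNORE]))
```

The last call shows why the report calls solution 2 a hack: even with the rules fixed, the pts/0 line is still swallowed by the ignore rule, while the ??? root:nobody line is not covered by it at all.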