Package: cyrus-common-2.2
Version: 2.2.13-13+b2
Severity: normal

Currently the package ships /etc/logcheck/violations.ignore.d/cyrus2_2.

1) The file will have no effect with the current name. It needs to be
logcheck-cyrus2_2. As
/usr/share/doc/logcheck-database/README.logcheck-database.gz says

----------------------------------------------
Remember that package-specific "ignore" filters will _not_ override
non-package-specific "flagging" patterns! Thus for instance if
"fooserver" outputs syslog messages like this:
"$DATE $HOSTNAME fooserver[$PID]: 3 attempts 0 rejected"
then the standard keyword "reject" listed in the generic
"/etc/logcheck/violations.d/logcheck" file will trigger frequent
"Security Events" reports. Putting a filtering pattern in
"/etc/logcheck/violations.ignore.d/fooserver" won't help here!

The solution is to use a file named in the specially-privileged
./logcheck-<packagename> format:
"/etc/logcheck/violations.ignore.d/logcheck-fooserver". This can
contain patterns provided by that particular package which nonetheless
need to take precedence over the generic rules.
--------------------------------------------------------------------

2) I suggest including the following pattern:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cyrus/(lmtp|lmtpunix)\[[0-9]+\]: duplicate_(check|mark): .*$

(Logically the final .*$ is superfluous, but I think complete line
patterns are preferred).

This is to avoid the following "security events":

Mar 29 16:40:56 corn cyrus/lmtpunix[1034]: duplicate_check: <[EMAIL PROTECTED]> user.ross.comp.admin 0
Mar 29 16:40:56 corn cyrus/lmtpunix[1034]: duplicate_mark: <[EMAIL PROTECTED]> user.ross.comp.admin 1206834055 134539179

Those were flagged by the word "admin" in violations.d/logcheck, but
presumably other keywords might pop up too. As far as I know, these
events are unremarkable.

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing'), (990, 'stable'), (50, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.18-6-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages cyrus-common-2.2 depends on:
ii  adduser           3.106                    add and remove users and groups
ii  debconf [debconf  1.5.20                   Debian configuration management sy
ii  dpkg              1.14.16.6                package maintenance system for Deb
ii  exim4-daemon-hea  4.69-2                   Exim MTA (v4) daemon with extended
ii  gawk              1:3.1.5.dfsg-4.1         GNU awk, a pattern scanning and pr
ii  libasn1-8-heimda  1.0.1-5+b1               Heimdal Kerberos - ASN.1 library
ii  libc6             2.7-6                    GNU C Library: Shared libraries
ii  libcomerr2        1.40.8-2                 common error description library
ii  libdb4.2          4.2.52+dfsg-4            Berkeley v4.2 Database Libraries [
ii  libgssapi2-heimd  1.0.1-5+b1               Heimdal Kerberos - GSSAPI support
ii  libkrb5-22-heimd  1.0.1-5+b1               Heimdal Kerberos - libraries
ii  libroken18-heimd  1.0.1-5+b1               Heimdal Kerberos - roken support l
ii  libsasl2-2        2.1.22.dfsg1-18          Cyrus SASL - authentication abstra
ii  libsnmp15         5.4.1~dfsg-6             SNMP (Simple Network Management Pr
ii  libssl0.9.8       0.9.8g-8                 SSL shared libraries
ii  libwrap0          7.6.dbs-14               Wietse Venema's TCP wrappers libra
ii  libzephyr3        2.1.20070719.SNAPSHOT-1  The original "Instant Message" sys
ii  netbase           4.30                     Basic TCP/IP networking system
ii  perl              5.8.8-12                 Larry Wall's Practical Extraction

Versions of packages cyrus-common-2.2 recommends:
ii  cyrus-admin-2.2   2.2.13-13                Cyrus mail system (administration
ii  cyrus-imapd-2.2   2.2.13-13+b2             Cyrus mail system (IMAP support)

-- debconf information excluded
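
The naming rule quoted from the README and the pattern proposed in point 2, exercised together as an added example; it is not part of the original report and not logcheck's own script. It is a simplified model in which only `logcheck-*` files in `violations.ignore.d` are consulted. The function name `count_events`, the one-word `admin` keyword file and the third log line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: simplified model of the README precedence rule.

# Pattern proposed in the report (grep -E; \w is a GNU grep extension).
PATTERN='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cyrus/(lmtp|lmtpunix)\[[0-9]+\]: duplicate_(check|mark): .*$'

# First two lines are from the report; the sshd line is constructed.
sample_log() {
cat <<'EOF'
Mar 29 16:40:56 corn cyrus/lmtpunix[1034]: duplicate_check: <[EMAIL PROTECTED]> user.ross.comp.admin 0
Mar 29 16:40:56 corn cyrus/lmtpunix[1034]: duplicate_mark: <[EMAIL PROTECTED]> user.ross.comp.admin 1206834055 134539179
Mar 29 16:41:02 corn sshd[2201]: Failed password for admin from 192.0.2.7 port 4022 ssh2
EOF
}

# count_events IGNORE_FILE_NAME
# Prints how many sample lines are still reported as security events when
# the pattern is shipped in violations.ignore.d/IGNORE_FILE_NAME.
count_events() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/violations.d" "$dir/violations.ignore.d"
    # Constructed stand-in for the generic keyword file.
    echo 'admin' > "$dir/violations.d/logcheck"
    printf '%s\n' "$PATTERN" > "$dir/violations.ignore.d/$1"

    # Stage 1: the generic keyword flags lines.
    sample_log | grep -E -f "$dir/violations.d/logcheck" > "$dir/flagged"

    # Stage 2 (model assumption): only logcheck-* ignore files may override.
    : > "$dir/ignore"
    for f in "$dir"/violations.ignore.d/logcheck-*; do
        if [ -f "$f" ]; then cat "$f" >> "$dir/ignore"; fi
    done
    if [ -s "$dir/ignore" ]; then
        grep -E -v -c -f "$dir/ignore" "$dir/flagged"
    else
        grep -c '' "$dir/flagged"
    fi
    rm -rf "$dir"
}

echo "shipped as cyrus2_2:          $(count_events cyrus2_2) events"
echo "shipped as logcheck-cyrus2_2: $(count_events logcheck-cyrus2_2) events"
```

With the renamed file only the sshd line is still reported, so the pattern suppresses the two duplicate_* lines without hiding unrelated "admin" matches.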