[Logcheck-devel] Bug#491694: logcheck-database: 3rd and 4th rules in /etc/logcheck/violations.d/su fail to match log lines

Pavlos Parissis p_pavlos at freemail.gr
Mon Jul 21 12:16:33 UTC 2008


Package: logcheck-database
Version: 1.2.54
Severity: wishlist

*** Please type your report below this line ***

There is an issue with the pattern matching for su
in /etc/logcheck/violations.d/su. Here are the rules from the above file:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \(pam_[[:alnum:]]+\) .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ pts/[0-9]+ [[:alnum:]]+-root$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ \?\?\? root-[[:alnum:]]+$

The issue resides in the 3rd and 4th lines: the - character should be : to match the
user:root and root:user strings.

Here are the proofs:

Running the 3rd line, which gives no matches:
node1:# egrep '^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ pts/[0-9]+ [[:alnum:]]+-root$' auth.log

Running the 3rd line again, but changing the - character to ::
node1:# egrep '^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ pts/[0-9]+ [[:alnum:]]+[-:]root$' auth.log
Jul 21 09:27:36 hraklhs su[4313]: + pts/0 user:root
Jul 21 10:32:48 hraklhs su[5244]: + pts/1 user:root

Running the 4th line, which gives no matches:
node1:# egrep '^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ \?\?\? root-[[:alnum:]]+$' auth.log
node1:#

Running the 4th line again, but changing the - character to ::
node1:# egrep '^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ \?\?\? root[-:] [[:alnum:]]+$' auth.log
Jul 20 07:40:01 hraklhs su[11619]: + ??? root:nobody
Jul 21 07:35:01 hraklhs su[23294]: + ??? root:nobody
Jul 21 07:35:01 hraklhs su[23298]: + ??? root:nobody
Jul 21 07:35:01 hraklhs su[23303]: + ??? root:nobody

In order to reproduce the problem, the 1st line
in /etc/logcheck/violations.ignore.d/logcheck-su should be removed or commented
out. BTW, this line uses the : character and not the - character for matching the
user:root and root:user strings.


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.25.10
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages logcheck-database depends on:
ii  debconf [debconf-2.0]        1.5.11etch1 Debian configuration management sy


logcheck-database recommends no packages.

-- debconf information:
  logcheck-database/conffile-cleanup: false

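An added example, not part of the bug report: a POSIX shell check that feeds the shipped 3rd and 4th su rules and their ':'-separated corrections to grep -E over sample lines constructed from the two su log entries quoted in the report, so the mismatch can be regression-tested before a rule file is edited.

```shell
#!/bin/sh
# Added example (not part of the bug report): check each su rule against
# constructed sample lines with grep -E, the same matcher the report uses.

# Constructed sample: the two kinds of su lines quoted in the report.
sample_log() {
    cat <<'EOF'
Jul 21 09:27:36 hraklhs su[4313]: + pts/0 user:root
Jul 20 07:40:01 hraklhs su[11619]: + ??? root:nobody
EOF
}

# count_matches RULE: number of sample lines the extended regex RULE matches.
# grep exits 1 on zero matches, so force success to keep the count usable under set -e.
count_matches() {
    sample_log | grep -Ec -- "$1" || true
}

# Rules as shipped in /etc/logcheck/violations.d/su (3rd and 4th use '-').
OLD_RULE3='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ pts/[0-9]+ [[:alnum:]]+-root$'
OLD_RULE4='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ \?\?\? root-[[:alnum:]]+$'
# The same rules with ':' as the separator su actually logs.
NEW_RULE3='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ pts/[0-9]+ [[:alnum:]]+:root$'
NEW_RULE4='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ \?\?\? root:[[:alnum:]]+$'

# Print one verdict per rule so the silent non-match is visible when run by hand.
for r in OLD_RULE3 OLD_RULE4 NEW_RULE3 NEW_RULE4; do
    eval "rule=\$$r"
    printf '%s matches %s line(s)\n' "$r" "$(count_matches "$rule")"
done
```

The shipped rules report 0 matches for both sample lines, while the corrected rules match exactly the line each is meant to cover.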