[Logcheck-devel] Bug#440123: ignore.d.server/logcheck: please update for pam 0.99+

Thu Aug 30 16:01:31 UTC 2007

Upon closer inspection, a number of other files also contain old PAM
patterns; could you please update them as well?

# fgrep -nH -e '\(pam_' /etc/logcheck/*/*
/etc/logcheck/ignore.d.paranoid/cron:7:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(pam_[[:alnum:]]+\) session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
/etc/logcheck/ignore.d.paranoid/cron:8:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(pam_[[:alnum:]]+\) session closed for user [[:alnum:]-]+$
/etc/logcheck/ignore.d.paranoid/ssh:1:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: \(pam_[[:alnum:]]+\) session opened for user [^[:space:]]+ by ([[:alnum:]-]+)?\(uid=[0-9]+\)$
/etc/logcheck/ignore.d.paranoid/ssh:2:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: \(pam_[[:alnum:]]+\) session closed for user [^[:space:]]+$
/etc/logcheck/ignore.d.server/dovecot:14:^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot-auth: \(pam_unix\) check pass; user unknown$
/etc/logcheck/ignore.d.server/logcheck:1:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: \(pam_[[:alnum:]]+\) session opened for user [.[:alnum:]-]+ by (root|LOGIN)?\(uid=0\)$
/etc/logcheck/ignore.d.server/logcheck:2:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: \(pam_[[:alnum:]]+\) session closed for user [.[:alnum:]-]+$
/etc/logcheck/ignore.d.server/proftpd:1:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ proftpd: \(pam_unix\) session (opened|closed) for user [._[:alnum:]-]+( by \(uid=[0-9]+\))?$
/etc/logcheck/ignore.d.server/saslauthd:3:^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: \(pam_unix\) check pass; user unknown$
/etc/logcheck/ignore.d.server/ssh:19:^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: \(pam_unix\) check pass; user unknown$
/etc/logcheck/ignore.d.server/ssh:20:^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: \(pam_unix\) auth could not identify password for \[[-_.[:alnum:]]*\]$
/etc/logcheck/ignore.d.workstation/francine:1:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ francine: \(pam_unix\) session (opened|closed) for user [a-z]+( by LOGIN\(uid=0\))?$
/etc/logcheck/ignore.d.workstation/gdm:1:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gdm\[[0-9]+\]: [[:alnum:]]+: \(pam_securetty\) access denied: tty ':0' is not secure !$
/etc/logcheck/ignore.d.workstation/kdm:1:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kdm: :0\[[0-9]+\]: \(pam_[[:alnum:]]+\) session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
/etc/logcheck/ignore.d.workstation/kdm:2:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kdm: :0\[[0-9]+\]: \(pam_[[:alnum:]]+\) session closed for user [[:alnum:]-]+$
/etc/logcheck/ignore.d.workstation/wdm:1:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wdm: \(pam_[[:alnum:]]+\) session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
/etc/logcheck/ignore.d.workstation/wdm:2:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wdm: \(pam_[[:alnum:]]+\) session closed for user [[:alnum:]-]+$
/etc/logcheck/ignore.d.workstation/xdm:1:^\w{3} [ :0-9]{11} [._[:alnum:]-]+[[:space:]]+: \(pam_[[:alnum:]]+\) session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
/etc/logcheck/ignore.d.workstation/xdm:2:^\w{3} [ :0-9]{11} [._[:alnum:]-]+[[:space:]]+: \(pam_[[:alnum:]]+\) session closed for user [[:alnum:]-]+$
/etc/logcheck/violations.d/su:1:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \(pam_[[:alnum:]]+\) .*$
/etc/logcheck/violations.d/sudo:1:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo\[[0-9]+\]: \(pam_[[:alnum:]]+\) .*$
/etc/logcheck/violations.ignore.d/logcheck-dovecot:1:^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot-auth: \(pam_unix\) authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=$
/etc/logcheck/violations.ignore.d/logcheck-passwd:1:^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ passwd\[[[:digit:]]+\]: \(pam_unix\) authentication failure; logname=[-._[:alnum:]]+ uid=[[:digit:]]+ euid=0 tty= ruser= rhost= [[:space:]]*user=[-._[:alnum:]]+$
/etc/logcheck/violations.ignore.d/logcheck-proftpd:1:^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd: \(pam_unix\) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=[-_.:[:alnum:]]+  user=[-_.[:alnum:]]+$
/etc/logcheck/violations.ignore.d/logcheck-saslauthd:3:^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: \(pam_unix\) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= [[:space:]]*user=[-._[:alnum:]]+$
/etc/logcheck/violations.ignore.d/logcheck-ssh:11:^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: \(pam_unix\) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[^[:space:]]+([[:space:]]+user=[^[:space:]]+)?$
/etc/logcheck/violations.ignore.d/logcheck-su:2:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \(pam_[[:alnum:]]+\) session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
/etc/logcheck/violations.ignore.d/logcheck-su:3:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \(pam_[[:alnum:]]+\) session opened for user [[:alnum:]-]+ by [[:alnum:]-]+\(uid=[0-9]+\)$
/etc/logcheck/violations.ignore.d/logcheck-su:4:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \(pam_[[:alnum:]]+\) session closed for user [[:alnum:]-]+$

Thanks!

-- 
Aaron M. Ucko, KB1CJC (amu at alum.mit.edu, ucko at debian.org)
Finger amu at monk.mit.edu (NOT a valid e-mail address) for more info.