[Logcheck-devel] Bug#551340: [logcheck-database] Rule in /etc/logcheck/violations.ignore.d/logcheck-su does not match
Andrzej Zięba
a-zieba at go2.pl
Sat Oct 17 13:42:54 UTC 2009
Package: logcheck-database
Version: 1.2.69
Severity: normal
Tags: patch
Hi,
I think that this rule:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: (\+|-) (pts/[0-9]{1,2}|tty[0-9]) [_[:alnum:]-]+:[_[:alnum:]-]+$
is supposed to filter out lines like:
Oct 17 14:49:24 myhost su[13469]: + /dev/pts/1 user1:root
It is not working because the pattern does not include the "/dev/" part
and should be changed to something like this:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: (\+|-) /dev/(pts/[0-9]{1,2}|tty[0-9]) [_[:alnum:]-]+:[_[:alnum:]-]+$
Regards,
Andrzej
--- System information. ---
Architecture: i386
Kernel: Linux 2.6.30-2-686
Debian Release: squeeze/sid
990 testing security.debian.org
990 testing ftp.icm.edu.pl
--- Package information. ---
Package's Depends field is empty.
Package's Recommends field is empty.
Package's Suggests field is empty.
--
Andrzej Zięba
Pruszcz Gdański
Poland
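The following is an added check, not part of the bug report above, that runs both the current rule and the proposed rule over constructed su log lines with grep -E, the extended-regex matcher logcheck uses when it filters messages through violations.ignore.d. The sample lines are made up for this example (the timestamps, hostname, PIDs and the trailing pam_authenticate line are assumptions, modelled on the line quoted in the report); the counts show that the current rule suppresses nothing while the /dev/-prefixed rule suppresses the su session lines and still lets an unrelated su message through.

```shell
#!/bin/sh
# Added example: exercise the logcheck su ignore rule before and after the
# proposed fix. Sample log lines are constructed for this demonstration.
sample_lines() {
  cat <<'EOF'
Oct 17 14:49:24 myhost su[13469]: + /dev/pts/1 user1:root
Oct 17 14:50:02 myhost su[13470]: - /dev/pts/1 user1:root
Oct 17 14:51:10 myhost su[13471]: + /dev/tty1 user2:root
Oct 17 14:52:33 myhost su[13472]: pam_authenticate: Authentication failure
EOF
}

# Rule as shipped in /etc/logcheck/violations.ignore.d/logcheck-su (no /dev/).
OLD_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: (\+|-) (pts/[0-9]{1,2}|tty[0-9]) [_[:alnum:]-]+:[_[:alnum:]-]+$'

# Rule as proposed in the report (terminal path prefixed with /dev/).
NEW_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: (\+|-) /dev/(pts/[0-9]{1,2}|tty[0-9]) [_[:alnum:]-]+:[_[:alnum:]-]+$'

# Number of sample lines a rule would suppress. grep -c exits 1 when the
# count is zero, so the status is discarded to keep the count usable.
count_ignored() {
  sample_lines | grep -E -c -e "$1" || true
}

# Number of sample lines that survive the ignore pass, i.e. what logcheck
# would still report after applying the rule.
count_remaining() {
  sample_lines | grep -E -v -c -e "$1" || true
}

# Stand-alone run: print the effect of each rule.
echo "old rule: ignored=$(count_ignored "$OLD_RULE") remaining=$(count_remaining "$OLD_RULE")"
echo "new rule: ignored=$(count_ignored "$NEW_RULE") remaining=$(count_remaining "$NEW_RULE")"
```

With the four constructed lines the old rule reports ignored=0 and the new rule ignored=3, leaving only the pam_authenticate line to be mailed out; the `$` anchor in the rule is what keeps anything with trailing text, such as that failure line, from being silently dropped.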