[Logcheck-devel] Bug#551340: [logcheck-database] Rule in /etc/logcheck/violations.ignore.d/logcheck-su does not match

Andrzej Zięba a-zieba at go2.pl
Sat Oct 17 13:42:54 UTC 2009


Package: logcheck-database
Version: 1.2.69
Severity: normal
Tags: patch

Hi,

I think that this rule:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: (\+|-) (pts/[0-9]{1,2}|tty[0-9]) [_[:alnum:]-]+:[_[:alnum:]-]+$

is supposed to filter out lines like:

Oct 17 14:49:24 myhost su[13469]: + /dev/pts/1 user1:root

It is not working because the pattern does not include the "/dev/" part 
and should be changed to something like this:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: (\+|-) /dev/(pts/[0-9]{1,2}|tty[0-9]) [_[:alnum:]-]+:[_[:alnum:]-]+$

Regards,
Andrzej

--- System information. ---
Architecture: i386
Kernel:       Linux 2.6.30-2-686

Debian Release: squeeze/sid
   990 testing         security.debian.org
   990 testing         ftp.icm.edu.pl

--- Package information. ---
Package's Depends field is empty.

Package's Recommends field is empty.

Package's Suggests field is empty.




-- 
Andrzej Zięba
Pruszcz Gdański
Poland
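An added check, not part of the bug report or the logcheck package: it runs both rules from the report through grep -E (logcheck applies its ignore rules with egrep) against a few constructed su log lines, showing that the original rule ignores nothing while the corrected one ignores the pts, tty and "-" variants but still lets an anchored mismatch through.

```shell
#!/bin/sh
# Added example: compare the original and corrected logcheck-su ignore rules.
# Both rules are copied from the bug report; \w is a GNU grep extension,
# which is what Debian's logcheck uses.
OLD_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: (\+|-) (pts/[0-9]{1,2}|tty[0-9]) [_[:alnum:]-]+:[_[:alnum:]-]+$'
NEW_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: (\+|-) /dev/(pts/[0-9]{1,2}|tty[0-9]) [_[:alnum:]-]+:[_[:alnum:]-]+$'

# Constructed sample lines, modelled on the one quoted in the report.
LINE_PTS='Oct 17 14:49:24 myhost su[13469]: + /dev/pts/1 user1:root'
LINE_MINUS='Oct 17 14:50:03 myhost su[13469]: - /dev/pts/1 user1:root'
LINE_TTY='Oct  7 09:01:02 myhost su[42]: + /dev/tty1 user1:root'
LINE_TRAIL='Oct 17 14:49:24 myhost su[13469]: + /dev/pts/1 user1:root extra'

# rule_ignores RULE LINE: exit 0 if logcheck would drop LINE under RULE.
rule_ignores() {
    printf '%s\n' "$2" | grep -E -q -- "$1"
}

# count_ignored RULE: number of the sample lines the rule drops (0..4).
count_ignored() {
    n=0
    for l in "$LINE_PTS" "$LINE_MINUS" "$LINE_TTY" "$LINE_TRAIL"; do
        if rule_ignores "$1" "$l"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Stand-alone run: show what each rule does with each sample line.
for l in "$LINE_PTS" "$LINE_MINUS" "$LINE_TTY" "$LINE_TRAIL"; do
    if rule_ignores "$OLD_RULE" "$l"; then o=ignored; else o=REPORTED; fi
    if rule_ignores "$NEW_RULE" "$l"; then c=ignored; else c=REPORTED; fi
    printf 'old=%-8s new=%-8s %s\n' "$o" "$c" "$l"
done
```

The last sample line keeps trailing text after the user pair, so even the corrected rule reports it; that is the `$` anchor doing its job and is worth keeping in mind before loosening a rule further.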