[Logcheck-devel] Bug#593482: Please update violations.ignore.d/logcheck-sudo to ignore regular messages
Michel Messerschmidt
lists at michel-messerschmidt.de
Wed Aug 18 14:31:51 UTC 2010
Package: logcheck
Version: 1.3.11
Severity: normal
Tags: patch
logcheck does not filter some sudo log messages that I consider false positives.
One message is caused by executing "sudo -l":
Aug 18 16:14:24 rio sudo: mic : TTY=pts/1 ; PWD=/home/mic ; USER=root ; COMMAND=list
The other message is caused by system shutdown through slim:
Aug 17 14:24:26 rio sudo: root : TTY=console ; PWD=/ ; USER=root ; COMMAND=/sbin/shutdown -h now SliM F11 initiated system shutdown
This change works for me:
--- logcheck/violations.ignore.d/logcheck-sudo (revision 286)
+++ logcheck/violations.ignore.d/logcheck-sudo (working copy)
@@ -1,5 +1,5 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sudo: pam_krb5\(sudo:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]-]+@[.A-Z]+$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+ ; COMMAND=(/(usr|etc|bin|sbin)/|sudoedit ).*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|console|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+ ; COMMAND=((/(usr|etc|bin|sbin)/|sudoedit ).*|list)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : \(command continued\).*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\): session opened for user [[:alnum:]-]+ by ([[:alnum:]-]+)?\(uid=[0-9]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\): session closed for user [[:alnum:]-]+$
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-vserver-686 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages logcheck depends on:
ii adduser 3.112 add and remove users and groups
ii cron 3.0pl1-113 process scheduling daemon
ii exim4-daemon-light [mail-tran 4.72-1 lightweight Exim MTA (v4) daemon
ii lockfile-progs 0.1.15 Programs for locking and unlocking
ii logtail 1.3.11 Print log file lines that have not
ii mime-construct 1.11 construct/send MIME messages from
ii rsyslog [system-log-daemon] 4.6.4-1 enhanced multi-threaded syslogd
Versions of packages logcheck recommends:
ii logcheck-database 1.3.11 database of system log rules for t
Versions of packages logcheck suggests:
pn syslog-summary <none> (no description available)
-- Configuration Files:
/etc/logcheck/logcheck.conf [Errno 13] Permission denied: u'/etc/logcheck/logcheck.conf'
/etc/logcheck/logcheck.logfiles [Errno 13] Permission denied: u'/etc/logcheck/logcheck.logfiles'
-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 490 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20100818/f061065a/attachment.pgp>
More information about the Logcheck-devel
mailing list