[Logcheck-devel] Bug#588285: Bug#588285: logcheck: Additional rules to ignore successful kerberos authentication
Russ Allbery
rra at debian.org
Wed Jul 7 01:26:10 UTC 2010
Michel Messerschmidt <lists at michel-messerschmidt.de> writes:
> Many of my logcheck reports are triggered by regular user authentication
> against kerberos enabled services.
> Here are rules to ignore authentication success messages for some common
> daemons.
> violations.ignore.d/logcheck-sudo:
> ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sudo: pam_krb5+\(sudo:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]@-]+$
> ignore.d.server/cups-lpd:
> ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cupsd: pam_krb5\(cups:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]@-]+$
> ignore.d.server/ssh:
> ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_krb5\(sshd:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]@-]+$
> ignore.d.workstation/gdm:
> ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ gdm\[[0-9]+\]: pam_krb5\(gdm:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]@-]+$
I wonder if the right way of handling this would be to instead install a
logcheck rule as part of the libpam-krb5 package that looks something
like:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ [[:alnum:]]+(\[[0-9]+\])?: pam_krb5\([[:alnum:]]+:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]@-]+$
or if that would be too general.
--
Russ Allbery (rra at debian.org) <http://www.eyrie.org/~eagle/>
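
An added example, not part of the original message and not logcheck or libpam-krb5 code: it runs the general rule quoted above through `grep -E` (logcheck applies its rules with egrep) against constructed log lines, to show what a package-wide rule would and would not suppress. It assumes GNU grep for `\w`; the host, user, realm and failure text are made up.

```shell
#!/bin/sh
# General rule proposed in the message above, copied verbatim.
RULE='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ [[:alnum:]]+(\[[0-9]+\])?: pam_krb5\([[:alnum:]]+:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]@-]+$'

# logcheck matches rules with egrep; grep -E reproduces that here.
# Exit status 0 means the line would be dropped from the report.
is_ignored() {
    printf '%s\n' "$1" | grep -Eq -- "$RULE"
}

# Constructed sample lines: host, users and realms are made up.
P='Jul  7 01:26:10 host1'
SSH_OK="$P sshd[1234]: pam_krb5(sshd:auth): user alice authenticated as alice@EXAMPLE"
SUDO_OK="$P sudo: pam_krb5(sudo:auth): user alice authenticated as alice@EXAMPLE"
CUPS_OK="$P cupsd: pam_krb5(cups:auth): user alice authenticated as alice@EXAMPLE"
GDM_OK="$P gdm[4321]: pam_krb5(gdm:auth): user alice authenticated as alice@EXAMPLE"
# A service that none of the four per-daemon rules names.
LOGIN_OK="$P login[77]: pam_krb5(login:auth): user alice authenticated as alice@EXAMPLE"
# Realm containing a dot: '.' is not in the final [[:alnum:]@-] class.
DOT_REALM="$P sshd[1234]: pam_krb5(sshd:auth): user alice authenticated as alice@EXAMPLE.ORG"
# Principal with an instance: '/' is not in that class either.
ADMIN="$P sshd[1234]: pam_krb5(sshd:auth): user alice authenticated as alice/admin@EXAMPLE"
# Constructed failure text, not a verbatim pam_krb5 message.
FAIL="$P sshd[1234]: pam_krb5(sshd:auth): authentication failure for alice"

# Print IGNORED or REPORTED for one log line.
verdict() {
    if is_ignored "$1"; then echo IGNORED; else echo REPORTED; fi
}

for line in "$SSH_OK" "$SUDO_OK" "$CUPS_OK" "$GDM_OK" "$LOGIN_OK" \
            "$DOT_REALM" "$ADMIN" "$FAIL"; do
    printf '%-8s %s\n' "$(verdict "$line")" "$line"
done
```

The general rule suppresses success messages from any PAM service with an alphanumeric name, while lines whose principal contains `.` or `/` still reach the report because the trailing character class excludes both.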