[Logcheck-devel] Bug#780441: logcheck/PAM interaction ignore domain names as user

Miltiadis Chrisomallos miltos.c at gmail.com
Fri Mar 13 22:30:38 UTC 2015


Package: logcheck
Severity: normal

Dear Maintainer,

The default "/etc/logcheck/ignore.d.server/su" has the following:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: Successful su for [[:alnum:]-]+ by [[:alnum:]-]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: pam_[[:alnum:]]+\(su:session\): session closed for user [[:alnum:]-]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: pam_[[:alnum:]]+\(su:session\): session opened for user [[:alnum:]-]+ by ([[:alnum:]-]+)?\(uid=[0-9]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ \?\?\? root:[_[:alnum:]-]+$


But sometimes the user in "session closed for user ..." is the hostname and has a "." inside, like these:

Mar 13 07:16:01 api su[57408]: Successful su for mydomain.com by root
Mar 13 01:52:01 api su[47132]: + ??? root:mydomain.com
Mar 13 01:52:01 api su[47132]: pam_unix(su:session): session opened for user mydomain.com by (uid=0)
Mar 13 01:52:01 api su[47132]: pam_unix(su:session): session closed for user mydomain.com


So I think it must be changed like the following:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: Successful su for [[:alnum:].-]+ by [[:alnum:]-]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: pam_[[:alnum:]]+\(su:session\): session closed for user [[:alnum:].-]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: pam_[[:alnum:]]+\(su:session\): session opened for user [[:alnum:].-]+ by ([[:alnum:]-]+)?\(uid=[0-9]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ \?\?\? root:[_[:alnum:].-]+$



-- System Information:
Debian Release: 7.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/12 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
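An added check, not part of the bug report: it replays the four sample lines through the original and the proposed ignore rules with grep -E -v -f, the same filtering logcheck performs, and counts what would still be reported. A constructed "FAILED su" line is included as a negative control to confirm the widened rules do not also silence a failed su. It assumes GNU grep (the rules rely on \w).

```shell
#!/bin/sh
# Added example (not part of the bug report): replay the report's sample lines
# through the original and the proposed ignore rules with grep -E -v -f, which
# is how logcheck itself discards lines, and count what would still be reported.
# Assumes GNU grep (needed for the \w in the rules).

# Original rules from /etc/logcheck/ignore.d.server/su, one rule per line.
ORIGINAL_RULES='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: Successful su for [[:alnum:]-]+ by [[:alnum:]-]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: pam_[[:alnum:]]+\(su:session\): session closed for user [[:alnum:]-]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: pam_[[:alnum:]]+\(su:session\): session opened for user [[:alnum:]-]+ by ([[:alnum:]-]+)?\(uid=[0-9]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ \?\?\? root:[_[:alnum:]-]+$'

# Proposed rules: the user field also accepts "." so dotted names pass.
PROPOSED_RULES='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: Successful su for [[:alnum:].-]+ by [[:alnum:]-]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: pam_[[:alnum:]]+\(su:session\): session closed for user [[:alnum:].-]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: pam_[[:alnum:]]+\(su:session\): session opened for user [[:alnum:].-]+ by ([[:alnum:]-]+)?\(uid=[0-9]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ \?\?\? root:[_[:alnum:].-]+$'

# Constructed negative control: a failed su that must never be ignored.
NEGATIVE_CONTROL='Mar 13 01:53:10 api su[47140]: FAILED su for root by mydomain.com'

# The four lines quoted in the report plus the negative control.
SAMPLE_LOG="Mar 13 07:16:01 api su[57408]: Successful su for mydomain.com by root
Mar 13 01:52:01 api su[47132]: + ??? root:mydomain.com
Mar 13 01:52:01 api su[47132]: pam_unix(su:session): session opened for user mydomain.com by (uid=0)
Mar 13 01:52:01 api su[47132]: pam_unix(su:session): session closed for user mydomain.com
$NEGATIVE_CONTROL"

# unmatched_lines RULES LOG: print the LOG lines that no rule matches,
# i.e. the lines logcheck would include in its report.
unmatched_lines() {
    rules_file=$(mktemp) || return 1
    printf '%s\n' "$1" > "$rules_file"
    # grep -v exits 1 when every line was ignored; that is not an error here.
    printf '%s\n' "$2" | grep -E -v -f "$rules_file" || true
    rm -f "$rules_file"
}

# count_unmatched RULES LOG: number of lines that would be reported.
count_unmatched() {
    unmatched_lines "$1" "$2" | wc -l | tr -d ' '
}

printf 'original rules leave %s line(s) unmatched\n' "$(count_unmatched "$ORIGINAL_RULES" "$SAMPLE_LOG")"
printf 'proposed rules leave %s line(s) unmatched\n' "$(count_unmatched "$PROPOSED_RULES" "$SAMPLE_LOG")"
```

With the original rules all five lines are reported; with the proposed rules only the FAILED su line remains, which is the behaviour a defender wants.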
