[Logcheck-devel] Bug#780441: logcheck/PAM interaction ignore domain names as user
Miltiadis Chrisomallos
miltos.c at gmail.com
Fri Mar 13 22:30:38 UTC 2015
Package: logcheck
Severity: normal
Dear Maintainer,
the default "/etc/logcheck/ignore.d.server/su"
has the following
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: Successful su for [[:alnum:]-]+ by [[:alnum:]-]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: pam_[[:alnum:]]+\(su:session\): session closed for user [[:alnum:]-]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: pam_[[:alnum:]]+\(su:session\): session opened for user [[:alnum:]-]+ by ([[:alnum:]-]+)?\(uid=[0-9]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ \?\?\? root:[_[:alnum:]-]+$
but sometimes the user in "session closed for user ...." is the hostname and has a "." inside, like these:
Mar 13 07:16:01 api su[57408]: Successful su for mydomain.com by root
Mar 13 01:52:01 api su[47132]: + ??? root:mydomain.com
Mar 13 01:52:01 api su[47132]: pam_unix(su:session): session opened for user mydomain.com by (uid=0)
Mar 13 01:52:01 api su[47132]: pam_unix(su:session): session closed for user mydomain.com
so I think it must be changed like the following:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: Successful su for [[:alnum:].-]+ by [[:alnum:]-]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: pam_[[:alnum:]]+\(su:session\): session closed for user [[:alnum:].-]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: pam_[[:alnum:]]+\(su:session\): session opened for user [[:alnum:].-]+ by ([[:alnum:]-]+)?\(uid=[0-9]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ \?\?\? root:[_[:alnum:].-]+$
-- System Information:
Debian Release: 7.8
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/12 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash