Bug#473526: cyrus-common-2.2: logcheck issues
Ross Boylan
RossBoylan at stanfordalumni.org
Mon Mar 31 06:31:39 UTC 2008
Package: cyrus-common-2.2
Version: 2.2.13-13+b2
Severity: normal
Currently the package ships /etc/logcheck/violations.ignore.d/cyrus2_2.
1) The file will have no effect with the current name. It needs to be
logcheck-cyrus2_2. As /usr/share/doc/logcheck-database/README.logcheck-database.gz says
----------------------------------------------
Remember that package-specific "ignore" filters will _not_ override
non-package-specific "flagging" patterns! Thus for instance if
"fooserver" outputs syslog messages like this:
"$DATE $HOSTNAME fooserver[$PID]: 3 attempts 0 rejected"
then the standard keyword "reject" listed in the generic
"/etc/logcheck/violations.d/logcheck" file will trigger frequent
"Security Events" reports. Putting a filtering pattern in
"/etc/logcheck/violations.ignore.d/fooserver" won't help here!
The solution is to use a file named in the specially-privileged
./logcheck-<packagename> format:
"/etc/logcheck/violations.ignore.d/logcheck-fooserver".
This can contain patterns provided by that particular package
which nonetheless need to take precedence over the generic rules.
--------------------------------------------------------------------
2) I suggest including the following pattern:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cyrus/(lmtp|lmtpunix)\[[0-9]+\]: duplicate_(check|mark): .*$
(Logically the final .*$ is superfluous, but I think complete line patterns are preferred). This is to avoid the following "security events":
Mar 29 16:40:56 corn cyrus/lmtpunix[1034]: duplicate_check: <E1JfkfI-0000Gt-Cy at corn.betterworld.us> user.ross.comp.admin 0
Mar 29 16:40:56 corn cyrus/lmtpunix[1034]: duplicate_mark: <E1JfkfI-0000Gt-Cy at corn.betterworld.us> user.ross.comp.admin 1206834055 134539179
Those were flagged by the word "admin" in violations.d/logcheck, but
presumably other keywords might pop up too. As far as I know, these
events are unremarkable.
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (990, 'testing'), (990, 'stable'), (50, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.18-6-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages cyrus-common-2.2 depends on:
ii adduser 3.106 add and remove users and groups
ii debconf [debconf 1.5.20 Debian configuration management sy
ii dpkg 1.14.16.6 package maintenance system for Deb
ii exim4-daemon-hea 4.69-2 Exim MTA (v4) daemon with extended
ii gawk 1:3.1.5.dfsg-4.1 GNU awk, a pattern scanning and pr
ii libasn1-8-heimda 1.0.1-5+b1 Heimdal Kerberos - ASN.1 library
ii libc6 2.7-6 GNU C Library: Shared libraries
ii libcomerr2 1.40.8-2 common error description library
ii libdb4.2 4.2.52+dfsg-4 Berkeley v4.2 Database Libraries [
ii libgssapi2-heimd 1.0.1-5+b1 Heimdal Kerberos - GSSAPI support
ii libkrb5-22-heimd 1.0.1-5+b1 Heimdal Kerberos - libraries
ii libroken18-heimd 1.0.1-5+b1 Heimdal Kerberos - roken support l
ii libsasl2-2 2.1.22.dfsg1-18 Cyrus SASL - authentication abstra
ii libsnmp15 5.4.1~dfsg-6 SNMP (Simple Network Management Pr
ii libssl0.9.8 0.9.8g-8 SSL shared libraries
ii libwrap0 7.6.dbs-14 Wietse Venema's TCP wrappers libra
ii libzephyr3 2.1.20070719.SNAPSHOT-1 The original "Instant Message" sys
ii netbase 4.30 Basic TCP/IP networking system
ii perl 5.8.8-12 Larry Wall's Practical Extraction
Versions of packages cyrus-common-2.2 recommends:
ii cyrus-admin-2.2 2.2.13-13 Cyrus mail system (administration
ii cyrus-imapd-2.2 2.2.13-13+b2 Cyrus mail system (IMAP support)
-- debconf information excluded
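The precedence problem the report describes can be checked without installing logcheck: logcheck flags lines that match a keyword in violations.d and then subtracts lines matched by the ignore files, all with extended regular expressions. The script below is an added example, not part of the bug report or the Debian package; it emulates that flag-then-ignore pipeline with grep -E over constructed log lines modelled on the ones quoted above (hostnames and message-ids are made up), using the "admin" keyword and the ignore pattern proposed in the report. It assumes GNU or BSD grep, which accept `\w` in -E mode.

```shell
#!/bin/sh
# Added example: emulate logcheck's "flag, then ignore" matching with grep -E.
# Nothing here is logcheck's own code; it reproduces only the matching order.

# Constructed sample log lines (modelled on the report, values made up).
# The third line is a genuine login event that should survive the ignore rule;
# the fourth contains no violation keyword at all.
SAMPLE_LOG='Mar 29 16:40:56 corn cyrus/lmtpunix[1034]: duplicate_check: <msgid-1@example.invalid> user.ross.comp.admin 0
Mar 29 16:40:56 corn cyrus/lmtpunix[1034]: duplicate_mark: <msgid-1@example.invalid> user.ross.comp.admin 1206834055 134539179
Mar 29 16:41:02 corn cyrus/imapd[2048]: login: host.example.invalid [192.0.2.10] admin plaintext
Mar 29 16:41:10 corn sshd[3000]: Accepted publickey for ross from 192.0.2.20 port 22 ssh2'

# Keyword from the generic violations.d/logcheck file named in the report.
VIOLATION_PATTERN='admin'

# Ignore pattern proposed in the report for violations.ignore.d/logcheck-cyrus2_2.
IGNORE_PATTERN='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cyrus/(lmtp|lmtpunix)\[[0-9]+\]: duplicate_(check|mark): .*$'

# What logcheck reports when only the generic keyword file is in effect
# (the situation with the misnamed ignore file): every line containing "admin".
security_events_without_ignore() {
    printf '%s\n' "$SAMPLE_LOG" | grep -E -i "$VIOLATION_PATTERN"
}

# What logcheck reports once the package ignore rule takes precedence:
# keyword matches minus lines covered by the ignore pattern.
security_events() {
    printf '%s\n' "$SAMPLE_LOG" \
      | grep -E -i "$VIOLATION_PATTERN" \
      | grep -E -v "$IGNORE_PATTERN"
}

# Count lines portably (wc may pad with spaces on some systems).
count_lines() {
    wc -l | tr -d ' '
}

# Run stand-alone: show both views so the effect of the ignore rule is visible.
if [ "${1:-}" = "--demo" ]; then
    echo "== without ignore rule ($(security_events_without_ignore | count_lines) events) =="
    security_events_without_ignore
    echo "== with ignore rule ($(security_events | count_lines) events) =="
    security_events
fi
```

Run it with `sh script.sh --demo`: the two duplicate_check/duplicate_mark lines disappear once the ignore pattern is applied, while the imapd login line, which also contains "admin", is still reported, which is the behaviour one wants from a package-specific ignore file.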