
Re: bogus 'active system attack' logcheck (merely postgres "explain"!)



On Wed, Jan 15, 2003 at 10:34:27AM -0600, will trillich wrote:
> Active System Attack Alerts
> =-=-=-=-=-=-=-=-=-=-=-=-=-=
> Jan 15 08:32:17 server postgres[6712]: [2-2] Nested Loop (cost=1.77..13992.25 rows=1 width=101)
> Jan 15 08:32:17 server postgres[6712]: [2-3]   ->  Nested Loop (cost=1.77..13990.98 rows=1 width=97)
> Jan 15 08:32:17 server postgres[6712]: [2-5]               -> Nested Loop  (cost=0.00..13986.19 rows=1 width=68)

> what would be the least insane way to address this and give my
> adrenaline a sense of relaxation?

For some reason (I'm sure it's a good one, but I have no idea what
it might be), /etc/logcheck/logcheck.hacking (apparently obsolete),
/etc/logcheck/logcheck.cracking, and /etc/logcheck/logcheck.violations
on my system include "nested" as one of the patterns they match.

At this point, there does not appear to be an easy workaround for
this short of removing "nested" from these files, as logcheck does not
include a cracking.ignore file or directory.  (You can add "postgres.*:
.* Nested Loop" or similar to /etc/logcheck/violations.ignore.d/local
to stop this from showing up as a security violation, but it will still
appear as a system attack.)

You may also be able to convince postgres to do its nightly maintenance
quietly instead of spewing thousands of messages to the log; I've reported
this as a bug against older versions of postgresql and been told that a
newer version "finally got debug messages under control", but I haven't
verified whether this means the nightly maintenance can be gagged in a
fashion which will survive an upgrade of the postgresql packages.

The ideal solution, IMO, would be for logcheck to add a
cracking.ignore.d and for postgresql to install a file there
(/etc/logcheck/cracking.ignore.d/postgresql) containing the necessary
pattern to tell logcheck to ignore these specific messages.

-- 
The freedoms that we enjoy presently are the most important victories of the
White Hats over the past several millennia, and it is vitally important that
we don't give them up now, only because we are frightened.
  - Eolake Stobblehouse (http://stobblehouse.com/text/battle.html)
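Added illustration (not code from the thread or from logcheck itself): a small Python model of the two report tiers the reply describes, run over constructed log lines modelled on the quoted postgres "explain" output. The pattern lists and file names are stand-ins for /etc/logcheck/logcheck.cracking, logcheck.violations and violations.ignore.d/local; it assumes case-insensitive matching, which is why the lowercase entry "nested" hits "Nested Loop".

```python
import re

# Constructed sample log lines, modelled on the ones quoted in the thread.
SAMPLE_LOG = [
    'Jan 15 08:32:17 server postgres[6712]: [2-2] Nested Loop (cost=1.77..13992.25 rows=1 width=101)',
    'Jan 15 08:32:17 server postgres[6712]: [2-3]   ->  Nested Loop (cost=1.77..13990.98 rows=1 width=97)',
    'Jan 15 08:32:18 server sshd[700]: Failed password for root from 192.0.2.10',   # constructed
    'Jan 15 08:33:00 server cron[701]: (root) CMD (run-parts /etc/cron.hourly)',    # constructed
]

# Stand-ins for the pattern files named in the reply; one regex per line in
# the real files.  "nested" is the entry that causes the false positive.
CRACKING = ['nested', 'attack']                        # logcheck.cracking
VIOLATIONS = ['nested', 'failed password', 'denied']   # logcheck.violations
VIOLATIONS_IGNORE = [r'postgres.*: .* Nested Loop']    # violations.ignore.d/local
CRACKING_IGNORE = []                                   # no such tier exists; that is the reply's point


def matches(line, patterns):
    # Assumption: logcheck greps its pattern files case-insensitively.
    return any(re.search(p, line, re.IGNORECASE) for p in patterns)


def classify(lines, cracking=CRACKING, cracking_ignore=CRACKING_IGNORE,
             violations=VIOLATIONS, violations_ignore=VIOLATIONS_IGNORE):
    """Sort lines into the two report sections: "attack" (cracking patterns,
    no ignore list) and "violation" (violations patterns minus ignores)."""
    report = {'attack': [], 'violation': []}
    for line in lines:
        if matches(line, cracking) and not matches(line, cracking_ignore):
            report['attack'].append(line)
        if matches(line, violations) and not matches(line, violations_ignore):
            report['violation'].append(line)
    return report


if __name__ == '__main__':
    # With only violations.ignore.d in play, the postgres lines still reach
    # the "Active System Attack Alerts" section.
    for section, hits in classify(SAMPLE_LOG).items():
        print(section, len(hits))
    # Hypothetical cracking.ignore.d entry, as the reply proposes: silences them.
    print('attack', len(classify(SAMPLE_LOG,
                                 cracking_ignore=VIOLATIONS_IGNORE)['attack']))
```

Running it shows two "attack" hits and one "violation" (the sshd line) with the ignore file the reply suggests, and zero "attack" hits once the same pattern is honoured at the cracking tier.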


