
logcheck bug in pattern matching for su

Hi,

Before I file a bug report I would like to verify with you guys that I have found a bug.

As the subject suggests, there is an issue with the pattern matching for su in this file:

# cat /etc/logcheck/violations.d/su
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \(pam_[[:alnum:]]+\) .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ pts/[0-9]+ [[:alnum:]]+-root$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ \?\?\? root-[[:alnum:]]+$

The issue resides in the 3rd and 4th lines: the - character should be : to match user:root and root:user strings.

Here are the proofs:

Running the 3rd line, which gives no matches:
# egrep '^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ pts/[0-9]+ [[:alnum:]]+-root$' /var/log/auth.log

Running the 3rd line again, with the - character changed to :
# egrep '^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ pts/[0-9]+ [[:alnum:]]+:root$' /var/log/auth.log
Jul 21 09:27:36 hraklhs su[4313]: + pts/0 pparissis:root
Jul 21 10:32:48 hraklhs su[5244]: + pts/1 pparissis:root

Running the 4th line, which gives no matches:
# egrep '^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ \?\?\? root-[[:alnum:]]+$' /var/log/auth.log

Running the 4th line again, with the - character changed to :
# egrep '^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ \?\?\? root:[[:alnum:]]+$' /var/log/auth.log
Jul 20 07:40:01 hraklhs su[11619]: + ??? root:nobody
Jul 21 07:35:01 hraklhs su[23294]: + ??? root:nobody
Jul 21 07:35:01 hraklhs su[23298]: + ??? root:nobody
Jul 21 07:35:01 hraklhs su[23303]: + ??? root:nobody

There are 2 possible solutions for this issue:
1) fix the 2 lines in /etc/logcheck/violations.d/su
2) comment out the following line in /etc/logcheck/violations.ignore.d/logcheck-su:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: (\+|-) (pts/[0-9]{1,2}|tty[0-9]) [_[:alnum:]-]+:[_[:alnum:]-]+$

The first solution fixes the bug, and the second is a hack. If I follow the 2nd solution, I get the messages because they weren't matched against the ignored rules,
and not because they were matched by a logcheck rule.



Cheers,
Pavlos
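The following script is an added example, not part of the post above and not logcheck's own code. It takes the four patterns quoted in the post (the shipped 3rd and 4th lines of violations.d/su, the same two lines with ":" in place of "-", and the violations.ignore.d/logcheck-su line), runs each of them over a handful of constructed log lines modelled on the auth.log excerpts shown, and then applies a simplified model of how logcheck combines a violations.d match with a violations.ignore.d match (that model, and the sample lines, are assumptions of this example). Python's re module has no POSIX bracket classes, so the small ere_to_python helper rewrites the [:alnum:] class into an explicit ASCII range before compiling; everything else in these rules is valid Python syntax as written.

```python
"""Check the logcheck ERE rules from the post against constructed auth.log lines.

Added example (not from the post, not from logcheck). Rules are copied from the
post; the log lines below are constructed to resemble the excerpts shown there.
"""
import re

# Constructed sample lines modelled on the post's auth.log excerpts (not a real log).
SAMPLE_AUTH_LOG = [
    "Jul 21 09:27:36 hraklhs su[4313]: + pts/0 pparissis:root",
    "Jul 20 07:40:01 hraklhs su[11619]: + ??? root:nobody",
    "Jul 21 09:40:02 hraklhs su[4350]: - pts/0 pparissis:root",
    "Jul 21 09:41:15 hraklhs sshd[4360]: Accepted publickey for pparissis from 192.0.2.10 port 51234 ssh2",
]

# Prefix shared by every rule: "Mon DD HH:MM:SS hostname ".
PREFIX = r"^\w{3} [ :0-9]{11} [._[:alnum:]-]+ "

# 3rd and 4th lines of /etc/logcheck/violations.d/su as quoted ("-" between the users)...
SHIPPED_RULES = [
    PREFIX + r"su\[[0-9]+\]: \+ pts/[0-9]+ [[:alnum:]]+-root$",
    PREFIX + r"su\[[0-9]+\]: \+ \?\?\? root-[[:alnum:]]+$",
]
# ...and the same two lines with ":" as proposed in the post.
CORRECTED_RULES = [
    PREFIX + r"su\[[0-9]+\]: \+ pts/[0-9]+ [[:alnum:]]+:root$",
    PREFIX + r"su\[[0-9]+\]: \+ \?\?\? root:[[:alnum:]]+$",
]
# The line from /etc/logcheck/violations.ignore.d/logcheck-su quoted in the post.
IGNORE_RULE = (PREFIX + r"su\[[0-9]+\]: (\+|-) (pts/[0-9]{1,2}|tty[0-9]) "
               r"[_[:alnum:]-]+:[_[:alnum:]-]+$")

# POSIX bracket classes used by these rules, rewritten as plain ASCII ranges.
POSIX_CLASSES = {"[:alnum:]": "a-zA-Z0-9", "[:alpha:]": "a-zA-Z", "[:digit:]": "0-9"}


def ere_to_python(ere):
    """Compile an egrep-style ERE with Python's re after expanding POSIX classes."""
    for name, ranges in POSIX_CLASSES.items():
        ere = ere.replace(name, ranges)
    # re.ASCII keeps \w at [A-Za-z0-9_], the same set grep uses in the C locale.
    return re.compile(ere, re.ASCII)


def egrep(ere, lines):
    """Return the lines that `egrep 'ere' file` would print."""
    rx = ere_to_python(ere)
    return [line for line in lines if rx.search(line)]


def security_events(lines, violation_rules, ignore_rules):
    """Assumed, simplified model of logcheck's security-events output:
    a line is reported if it matches any violations.d rule and matches
    no violations.ignore.d rule."""
    violations = [ere_to_python(r) for r in violation_rules]
    ignores = [ere_to_python(r) for r in ignore_rules]
    return [line for line in lines
            if any(v.search(line) for v in violations)
            and not any(i.search(line) for i in ignores)]


if __name__ == "__main__":
    for label, rules in (("shipped", SHIPPED_RULES), ("corrected", CORRECTED_RULES)):
        for rule in rules:
            hits = egrep(rule, SAMPLE_AUTH_LOG)
            print(f"{label:9s} rule -> {len(hits)} match(es)")
            for line in hits:
                print("   ", line)
    print("ignore rule matches:", egrep(IGNORE_RULE, SAMPLE_AUTH_LOG))
    print("reported, corrected rules + ignore line kept:",
          security_events(SAMPLE_AUTH_LOG, CORRECTED_RULES, [IGNORE_RULE]))
    print("reported, corrected rules + ignore line commented out:",
          security_events(SAMPLE_AUTH_LOG, CORRECTED_RULES, []))
```

Run as-is it reproduces the egrep results in the post on the constructed lines: the two shipped rules match nothing, the two corrected rules match the "+ pts/0 pparissis:root" and "+ ??? root:nobody" lines respectively. It also shows that the ignore rule matches every pts/tty su line (both "+" and "-"), so under the simplified model only the "??? root:nobody" line survives when that ignore line is kept; commenting it out, as in the post's second solution, lets the pts line through as well.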