Package: logcheck Version: 1.3.11 Severity: normal Tags: patch logcheck does not filter some sudo log messages that I consider false positives.
One message is caused by executing "sudo -l":
Aug 18 16:14:24 rio sudo: mic : TTY=pts/1 ; PWD=/home/mic ; USER=root ;
COMMAND=list
The other message is caused by system shutdown through slim:
Aug 17 14:24:26 rio sudo: root : TTY=console ; PWD=/ ; USER=root ;
COMMAND=/sbin/shutdown -h now SliM F11 initiated system shutdown
This change works for me:
--- logcheck/violations.ignore.d/logcheck-sudo (revision 286)
+++ logcheck/violations.ignore.d/logcheck-sudo (working copy)
@@ -1,5 +1,5 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sudo: pam_krb5\(sudo:auth\): user
[[:alnum:]-]+ authenticated as [[:alnum:]...@[.a-z]+$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ :
TTY=(unknown|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+ ;
COMMAND=(/(usr|etc|bin|sbin)/|sudoedit ).*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ :
TTY=(unknown|console|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ;
USER=[._[:alnum:]-]+ ; COMMAND=((/(usr|etc|bin|sbin)/|sudoedit ).*|list)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ :
\(command continued\).*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\):
session opened for user [[:alnum:]-]+ by ([[:alnum:]-]+)?\(uid=[0-9]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\):
session closed for user [[:alnum:]-]+$
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1,
'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-vserver-686 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages logcheck depends on:
ii adduser 3.112 add and remove users and groups
ii cron 3.0pl1-113 process scheduling daemon
ii exim4-daemon-light [mail-tran 4.72-1 lightweight Exim MTA (v4) daemon
ii lockfile-progs 0.1.15 Programs for locking and unlocking
ii logtail 1.3.11 Print log file lines that have not
ii mime-construct 1.11 construct/send MIME messages from
ii rsyslog [system-log-daemon] 4.6.4-1 enhanced multi-threaded syslogd
Versions of packages logcheck recommends:
ii logcheck-database 1.3.11 database of system log rules for t
Versions of packages logcheck suggests:
pn syslog-summary <none> (no description available)
-- Configuration Files:
/etc/logcheck/logcheck.conf [Errno 13] Permission denied:
u'/etc/logcheck/logcheck.conf'
/etc/logcheck/logcheck.logfiles [Errno 13] Permission denied:
u'/etc/logcheck/logcheck.logfiles'
-- no debconf information
signature.asc
Description: Digital signature
