Package: logwatch Version: 7.3.6.cvs20090906-1squeeze1 Severity: normal Tags: patch
There are two places where I get a fair number of unmatched log entries that are related to kerberos. The one that would affect the greatest number of machines is in the ssh reporting, where there are Authorized to entries whenever a connection is authorized using kerberos. The second is kdc entries in the secure log. Attached are two patches. -- System Information: Debian Release: 6.0 APT prefers stable APT policy: (500, 'stable') Architecture: i386 (i686) Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Versions of packages logwatch depends on: ii perl 5.10.1-17 Larry Wall's Practical Extraction ii sendmail-bin [mail-transport- 8.14.3-9.4 powerful, efficient, and scalable Versions of packages logwatch recommends: ii libdate-manip-perl 6.11-1 module for manipulating dates Versions of packages logwatch suggests: pn fortune-mod <none> (no description available) -- Configuration Files: /etc/cron.daily/00logwatch changed [not included] -- no debconf information
--- sshd.old 2011-03-16 14:14:38.000000000 -0600
+++ sshd.new 2011-03-16 14:14:38.000000000 -0600
@@ -1,6 +1,6 @@
 #!/usr/bin/perl
 ##########################################################################
-# $Id: sshd,v 1.77 2009/02/20 17:49:03 mike Exp $
+# $Id$
 ##########################################################################
 # $Log: sshd,v $
 # Revision 1.77 2009/02/20 17:49:03 mike
@@ -220,6 +220,7 @@
 my %OtherList = ();
 my %ChmodErr = ();
 my %ChownErr = ();
+my %krb_relm = ();
 my $sftpRequests = 0;
 my $NetworkErrors = 0;
@@ -419,6 +420,8 @@
 $ChmodErr{"$File,$Perm,$Why"}++;
 } elsif (my ($File,$From,$To,$Why) = ($ThisLine =~ /error: chown (.*) (.*) (.*) failed: (.*)/)) {
 $ChownErr{"$File,$From,$To,$Why"}++;
+ } elsif (my ($user,$relm) = ($ThisLine =~ /Authorized to ([^ ]+), krb5 principal \1@([^ ]+) \(krb5_kuserok\)/)) {
+ $krb_relm{$relm}{$user}++;
 } else {
 # Report any unmatched entries...
 unless ($ThisLine =~ /fwd X11 connect/) {
@@ -748,6 +751,19 @@
 }
 }
+if ( ($Detail == 7 && keys %krb_relm > 1) || ($Detail > 8 && keys %krb_relm) ){
+ print "\nSucessfull Kerberos Authentication from ",(scalar keys %krb_relm)," relm:\n";
+ foreach my $relm (keys %krb_relm) {
+ if($Detail > 9){
+ print " ",$relm,":\n";
+ foreach my $user(keys %{$krb_relm{$relm}}){
+ print " ",$user,": ". $krb_relm{$relm}{$user} . " Times(s)\n";
+ }
+ }else{
+ print " ",$relm,": ". (scalar keys %{$krb_relm{$relm}}) . " User(s)\n";
+ }
+ }
+}
 if (keys %OtherList) {
 print "\n**Unmatched Entries**\n";
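Review bot: The `\1` backreference in the new `Authorized to` pattern only matches when the krb5 principal's name is identical to the local account, so if the principal can differ from the user it is authorized to (as with a `.k5login` mapping), that line still falls through to the unmatched-entries branch this patch is meant to silence. Capturing the principal on its own keeps the bucket keyed by local user and realm while matching both shapes: `} elsif (my ($user,$relm) = ($ThisLine =~ /Authorized to ([^ ]+), krb5 principal [^@ ]+@([^ ]+) \(krb5_kuserok\)/)) {`. The enclosing if/elsif chain starts and ends outside the hunk.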
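Review bot: The gating condition in the report hunk prints nothing at `$Detail == 8` while both 7 (more than one realm) and 9 (any realm) print a summary, which looks like an off-by-one in `($Detail > 8 && keys %krb_relm)`; `$Detail >= 8`, or whichever threshold the script's other login sections use, would close the gap. The realm loop iterates `keys %krb_relm` unsorted, unlike the `sort {$a cmp $b} keys` used for the other sections, so the order of realms in the report can change between runs; `foreach my $relm (sort keys %krb_relm) {` fixes that. The heading and the per-user line also carry typos: `print "\nSuccessful Kerberos Authentication from ",(scalar keys %krb_relm)," realm(s):\n";` and `" Time(s)\n"` to match the file's other counters.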
--- secure.old 2011-03-16 14:11:08.000000000 -0600
+++ secure.new 2011-03-16 14:11:08.000000000 -0600
@@ -1,6 +1,6 @@
 #!/usr/bin/perl
 #########################################################################
-# $Id: secure,v 1.85 2009/06/02 14:59:58 mike Exp $
+# $Id$
 ##########################################################################
 # $Log: secure,v $
 # Revision 1.85 2009/06/02 14:59:58 mike
@@ -472,6 +472,29 @@
 } elsif ( ($User) = ($ThisLine =~ /useradd.*failed adding user `(.*)', data deleted/) ) {# failed adding user/)) {# (.*), data deleted/)) {
 # useradd: failed adding user `rpcuser', data deleted
 $FailedAddUsers{$User}++;
+ } elsif (my ($type,$from,$response,$client,$service,$e) = ($ThisLine =~ /krb5kdc\[[0-9]*\]: (AS_REQ|TGS_REQ) \([0-9]+ etypes {[ 0-9]+}\) ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+): (ISSUE|UNKNOWN_SERVER): authtime [0-9]+, (?:etypes {rep=[0-9]+ tkt=[0-9]+ ses=[0-9]+},)? ([^ ]+) for ([^ ,]+)(?:, )?(.*)$/)) {
+ if($service=~/^krbtgt\/([^@]+)@\1/){$service='Login'}
+ if($response eq 'UNKNOWN_SERVER' && $e eq 'Server not found in Kerberos database'){
+ $response=$e;$e='';
+ }else{
+ #$e =~ s/^ +//;
+ #$e =~ s/^/#/;
+ #$e =~ s/$/#/;
+ }
+ $KerbList{$response}{$type}{$from}{$service}{$client}{$e}++;
+ } elsif (my ($type,$from,$response,$client,$service,$e) = ($ThisLine =~ /krb5kdc\[[0-9]*\]: (AS_REQ|TGS_REQ) \([0-9]+ etypes {[ 0-9]+}\) ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+): (NEEDED_PREAUTH|PREAUTH_FAILED|CLIENT_NOT_FOUND): ([^ ]+) for ([^ ,]+)(?:, )?(.*)$/)) {
+ if($service=~/^krbtgt\/([^@]+)@\1/){$service='Login'}
+ if($response eq 'CLIENT_NOT_FOUND' && $e eq 'Client not found in Kerberos database'){
+ $response=$e;$e='';
+ }elsif($response eq 'NEEDED_PREAUTH' && $e eq 'Additional pre-authentication required'){
+ next unless($Detail > 9||$type ne 'AS_REQ');
+ $response=$e;$e='';
+ }else{
+ #$e =~ s/^ +//;
+ #$e =~ s/^/#/;
+ #$e =~ s/$/#/;
+ }
+ $KerbList{$response}{$type}{$from}{$service}{$client}{$e}++;
 } else {
 # Unmatched entries...
 $ThisLine =~ s/\[\d+\]:/:/;
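Review bot: Both new `krb5kdc` patterns contain unescaped literal braces (`etypes {[ 0-9]+}` and `{rep=[0-9]+ tkt=[0-9]+ ses=[0-9]+}`); this parses on the Perl 5.10 named in the report, but Perl 5.26 and later emit an "Unescaped left brace in regex" warning for them and newer releases reject some of these positions outright, so they should be written `\{` … `\}` now. The two branches duplicate the regex prefix, the `krbtgt` → `Login` rewrite, the commented-out `$e` cleanup and the `$KerbList` increment; the commented-out lines inside the otherwise empty `else` blocks should be dropped, and the shared tail could move into one helper or one branch with the `authtime …` segment made optional. Re-declaring the same `my ($type,$from,...)` list in a later `elsif` of the same chain also yields a "masks earlier declaration in same scope" warning when the script runs under `use warnings`, because condition-level `my` variables stay visible in the following `elsif` blocks. The enclosing if/elsif chain begins before the hunk and its loop ends after it.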
@@ -815,6 +838,32 @@
 }
+if (keys %KerbList) {
+ print "\n**Kerberos Entries**\n";
+ foreach my $response (sort {$a cmp $b} keys %KerbList) {
+ print " $response:\n";
+ foreach my $type (sort {$a cmp $b} keys %{$KerbList{$response}}) {
+ print " $type:\n";
+ foreach my $from (sort {$a cmp $b} keys %{$KerbList{$response}{$type}}) {
+ print " $from:\n";
+ foreach my $service (sort {$a cmp $b} keys %{$KerbList{$response}{$type}{$from}}) {
+ print " $service:\n";
+ foreach my $client (sort {$a cmp $b} keys %{$KerbList{$response}{$type}{$from}{$service}}) {
+ if(scalar(keys %{$KerbList{$response}{$type}{$from}{$service}{$client}})==1&&defined($KerbList{$response}{$type}{$from}{$service}{$client}{''})){
+ print " $client: $KerbList{$response}{$type}{$from}{$service}{$client}{''} Time(s)\n";
+ }else{
+ print " $client:\n";
+ foreach my $e (sort {$a cmp $b} keys %{$KerbList{$response}{$type}{$from}{$service}{$client}}) {
+ print " $e: $KerbList{$response}{$type}{$from}{$service}{$client}{$e} Time(s)\n";
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
 if (keys %OtherList) {
 print "\n**Unmatched Entries**\n";
 foreach $line (sort {$a cmp $b} keys %OtherList) {
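Review bot: The report loop spells out the six-level `$KerbList{$response}{$type}{$from}{$service}{$client}` path up to eight times per iteration, which makes the `{''}` sentinel check on the `if(scalar(keys ...)==1&&defined(...))` line hard to read and verify; binding each level once (`my $by_client = $KerbList{$response}{$type}{$from}{$service};` then `my $by_reason = $by_client->{$client};`) and testing `keys %$by_reason == 1 && defined $by_reason->{''}` would shorten it without changing the output. The `if(...){` / `}else{` spacing also differs from the surrounding file's `if (keys %OtherList) {` style. The trailing `foreach $line` loop continues past the hunk.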