Package: logwatch
Version: 7.3.6.cvs20090906-1squeeze1
Severity: normal
Tags: patch


There are two places that I get a fair number of unmatched log entries that are 
related to kerberos.

The one that would affect the greatest number of machines is in the ssh 
reporting, where there are "Authorized to" entries whenever a connection is 
authorized using kerberos.

The second is kdc entries in the secure log.

attached are two patches.


-- System Information:
Debian Release: 6.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages logwatch depends on:
ii  perl                          5.10.1-17  Larry Wall's Practical Extraction 
ii  sendmail-bin [mail-transport- 8.14.3-9.4 powerful, efficient, and scalable 

Versions of packages logwatch recommends:
ii  libdate-manip-perl            6.11-1     module for manipulating dates

Versions of packages logwatch suggests:
pn  fortune-mod                   <none>     (no description available)

-- Configuration Files:
/etc/cron.daily/00logwatch changed [not included]

-- no debconf information
--- sshd.old    2011-03-16 14:14:38.000000000 -0600
+++ sshd.new    2011-03-16 14:14:38.000000000 -0600
@@ -1,6 +1,6 @@
 #!/usr/bin/perl
 ##########################################################################
-# $Id: sshd,v 1.77 2009/02/20 17:49:03 mike Exp $
+# $Id$
 ##########################################################################
 # $Log: sshd,v $
 # Revision 1.77  2009/02/20 17:49:03  mike
@@ -220,6 +220,7 @@
 my %OtherList = ();
 my %ChmodErr = ();
 my %ChownErr = ();
+my %krb_relm = ();
 
 my $sftpRequests = 0;
 my $NetworkErrors = 0;
@@ -419,6 +420,8 @@
       $ChmodErr{"$File,$Perm,$Why"}++;
    } elsif (my ($File,$From,$To,$Why) = ($ThisLine =~ /error: chown (.*) (.*) 
(.*) failed: (.*)/)) {
       $ChownErr{"$File,$From,$To,$Why"}++;            
+   } elsif (my ($user,$relm) = ($ThisLine =~ /Authorized to ([^ ]+), krb5 
principal \1@([^ ]+) \(krb5_kuserok\)/)) {
+      $krb_relm{$relm}{$user}++;            
    } else {
       # Report any unmatched entries...
       unless ($ThisLine =~ /fwd X11 connect/) {
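Review bot: The backreference `\1` in the new pattern only matches when the local account name equals the first component of the Kerberos principal, so an `Authorized to` line where krb5_kuserok accepted a different principal (as it can with a `.k5login` mapping, if that is in use) still falls through to the unmatched list this change is meant to empty. Capturing the principal on its own keeps the per-realm, per-user tally and matches both forms: `} elsif (my ($user,$principal,$relm) = ($ThisLine =~ /Authorized to ([^ ,]+), krb5 principal ([^@ ]+)@([^ ]+) \(krb5_kuserok\)/)) {`. The enclosing if/elsif chain starts before this hunk.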
@@ -748,6 +751,19 @@
   }
 }
               
+if ( ($Detail == 7 && keys %krb_relm > 1) || ($Detail > 8 && keys %krb_relm) ){
+  print "\nSucessfull Kerberos Authentication from ",(scalar keys %krb_relm)," 
relm:\n";
+  foreach my $relm (keys %krb_relm) { 
+    if($Detail > 9){
+      print "   ",$relm,":\n";
+      foreach my $user(keys %{$krb_relm{$relm}}){
+        print "     ",$user,": ". $krb_relm{$relm}{$user} . " Times(s)\n";
+      }
+    }else{
+      print "   ",$relm,": ". (scalar keys %{$krb_relm{$relm}}) . " User(s)\n";
+    }
+  }
+}
 
 if (keys %OtherList) {
    print "\n**Unmatched Entries**\n";
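Review bot: The gate on the new report block skips `$Detail == 8` entirely: `$Detail == 7` prints only with more than one realm and `$Detail > 8` prints whenever there is data, so raising the detail level from 7 to 8 makes the section disappear. Unless that is deliberate, a plain threshold such as `if ($Detail >= 7 && keys %krb_relm) {` is what a reader would expect. The block also iterates `keys %krb_relm` and `keys %{$krb_relm{$relm}}` unsorted, so realm and user order changes from run to run while every other section of this script (the `%OtherList` loop below, for one) sorts its keys, and the user-visible strings carry typos ("Sucessfull", "relm", "Times(s)"). Rewritten with the same structure:
```perl
if ($Detail >= 7 && keys %krb_relm) {   # TODO confirm: original gated on ==7 (>1 realm) / >8
   print "\nSuccessful Kerberos Authentication from ", scalar(keys %krb_relm), " realm(s):\n";
   foreach my $relm (sort {$a cmp $b} keys %krb_relm) {
      if ($Detail > 9) {
         print "   $relm:\n";
         foreach my $user (sort {$a cmp $b} keys %{$krb_relm{$relm}}) {
            print "      $user: $krb_relm{$relm}{$user} Time(s)\n";
         }
      } else {
         print "   $relm: ", scalar(keys %{$krb_relm{$relm}}), " User(s)\n";
      }
   }
}
```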
--- secure.old  2011-03-16 14:11:08.000000000 -0600
+++ secure.new  2011-03-16 14:11:08.000000000 -0600
@@ -1,6 +1,6 @@
 #!/usr/bin/perl
 #########################################################################
-# $Id: secure,v 1.85 2009/06/02 14:59:58 mike Exp $
+# $Id$
 ##########################################################################
 # $Log: secure,v $
 # Revision 1.85  2009/06/02 14:59:58  mike
@@ -472,6 +472,29 @@
    } elsif ( ($User) = ($ThisLine =~ /useradd.*failed adding user `(.*)', data 
deleted/) ) {# failed adding user/)) {# (.*), data deleted/)) {
       # useradd: failed adding user `rpcuser', data deleted
       $FailedAddUsers{$User}++;
+   } elsif (my ($type,$from,$response,$client,$service,$e) = ($ThisLine =~ 
/krb5kdc\[[0-9]*\]: (AS_REQ|TGS_REQ) \([0-9]+ etypes {[ 0-9]+}\) 
([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+): (ISSUE|UNKNOWN_SERVER): authtime [0-9]+, 
(?:etypes {rep=[0-9]+ tkt=[0-9]+ ses=[0-9]+},)? ([^ ]+) for ([^ ,]+)(?:, 
)?(.*)$/)) {
+      if($service=~/^krbtgt\/([^@]+)@\1/){$service='Login'}
+      if($response eq 'UNKNOWN_SERVER' && $e eq 'Server not found in Kerberos 
database'){
+       $response=$e;$e='';
+      }else{
+       #$e =~ s/^ +//;
+       #$e =~ s/^/#/;
+       #$e =~ s/$/#/;
+      }
+      $KerbList{$response}{$type}{$from}{$service}{$client}{$e}++;
+   } elsif (my ($type,$from,$response,$client,$service,$e) = ($ThisLine =~ 
/krb5kdc\[[0-9]*\]: (AS_REQ|TGS_REQ) \([0-9]+ etypes {[ 0-9]+}\) 
([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+): 
(NEEDED_PREAUTH|PREAUTH_FAILED|CLIENT_NOT_FOUND): ([^ ]+) for ([^ ,]+)(?:, 
)?(.*)$/)) {
+      if($service=~/^krbtgt\/([^@]+)@\1/){$service='Login'}
+      if($response eq 'CLIENT_NOT_FOUND' && $e eq 'Client not found in 
Kerberos database'){
+       $response=$e;$e='';
+      }elsif($response eq 'NEEDED_PREAUTH' && $e eq 'Additional 
pre-authentication required'){
+       next unless($Detail > 9||$type ne 'AS_REQ');
+       $response=$e;$e='';
+      }else{
+       #$e =~ s/^ +//;
+       #$e =~ s/^/#/;
+       #$e =~ s/$/#/;
+      }
+      $KerbList{$response}{$type}{$from}{$service}{$client}{$e}++;
    } else {
       # Unmatched entries...
       $ThisLine =~ s/\[\d+\]:/:/;
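Review bot: Neither hunk of this file declares `%KerbList`, unlike the sshd patch which adds `my %krb_relm = ();`; if `secure` runs under `use strict` (not visible here) the script will not compile, so `my %KerbList = ();` belongs with the script's other hash declarations (the report loop in the `@@ -815` hunk below relies on the same hash). The two new `elsif` branches differ only in the response codes they accept and in the `next` for NEEDED_PREAUTH, and each leaves a dead `else` holding commented-out substitutions; one branch with the response alternatives merged and the `authtime …` segment optional removes the duplication. Newer perls also warn about, and in some positions reject, an unescaped `{` in a pattern, so `\{[ 0-9]+\}` and `\{rep=…\}` are safer than the bare braces used here. The enclosing while loop and if/elsif chain start before this hunk.
```perl
   } elsif (my ($type,$from,$response,$client,$service,$e) = ($ThisLine =~
            /krb5kdc\[[0-9]*\]: (AS_REQ|TGS_REQ) \([0-9]+ etypes \{[ 0-9]+\}\) ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+): (ISSUE|UNKNOWN_SERVER|NEEDED_PREAUTH|PREAUTH_FAILED|CLIENT_NOT_FOUND): (?:authtime [0-9]+, (?:etypes \{rep=[0-9]+ tkt=[0-9]+ ses=[0-9]+\},)? )?([^ ]+) for ([^ ,]+)(?:, )?(.*)$/)) {
      # A ticket-granting ticket for the client's own realm is an ordinary login.
      $service = 'Login' if $service =~ /^krbtgt\/([^@]+)@\1/;
      # Report the KDC's standard explanation instead of the bare response code.
      my %explanation_of = (
         UNKNOWN_SERVER   => 'Server not found in Kerberos database',
         CLIENT_NOT_FOUND => 'Client not found in Kerberos database',
         NEEDED_PREAUTH   => 'Additional pre-authentication required',
      );
      if (defined $explanation_of{$response} && $e eq $explanation_of{$response}) {
         # An AS_REQ answered with NEEDED_PREAUTH is typically the first leg of a
         # normal login; only list those at the highest detail level.
         next if $response eq 'NEEDED_PREAUTH' && $type eq 'AS_REQ' && $Detail <= 9;
         $response = $e;
         $e = '';
      }
      $KerbList{$response}{$type}{$from}{$service}{$client}{$e}++;
```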
@@ -815,6 +838,32 @@
 }
 
 
+if (keys %KerbList) {
+   print "\n**Kerberos Entries**\n";
+   foreach my $response (sort {$a cmp $b} keys %KerbList) {
+      print "   $response:\n";
+      foreach my $type (sort {$a cmp $b} keys %{$KerbList{$response}}) {
+        print "      $type:\n";
+        foreach my $from (sort {$a cmp $b} keys 
%{$KerbList{$response}{$type}}) {
+           print "         $from:\n";
+           foreach my $service (sort {$a cmp $b} keys 
%{$KerbList{$response}{$type}{$from}}) {
+              print "            $service:\n";
+              foreach my $client (sort {$a cmp $b} keys 
%{$KerbList{$response}{$type}{$from}{$service}}) {
+                 if(scalar(keys 
%{$KerbList{$response}{$type}{$from}{$service}{$client}})==1&&defined($KerbList{$response}{$type}{$from}{$service}{$client}{''})){
+                    print "                  $client: 
$KerbList{$response}{$type}{$from}{$service}{$client}{''} Time(s)\n";
+                 }else{
+                    print "               $client:\n";
+                    foreach my $e (sort {$a cmp $b} keys 
%{$KerbList{$response}{$type}{$from}{$service}{$client}}) {
+                       print "                  $e: 
$KerbList{$response}{$type}{$from}{$service}{$client}{$e} Time(s)\n";
+                    }
+                 }
+              }
+           }
+        }
+      }
+   }
+}
+
 if (keys %OtherList) {
    print "\n**Unmatched Entries**\n";
    foreach $line (sort {$a cmp $b} keys %OtherList) {
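Review bot: The `$client:` label is printed at two different depths depending on which branch runs: the single-message branch uses 18 spaces (the level otherwise used for `$e`), the multi-message branch 15, so clients under the same service line up differently depending on how many distinct messages they have. The single-message line should read `print "               $client: $KerbList{$response}{$type}{$from}{$service}{$client}{''} Time(s)\n";` with the same 15-space indent as the other branch. Six nested `foreach` loops over the same hash path are hard to follow; a comment above the block such as `# Counts are keyed response > request type > client IP > service > client principal > KDC message; an empty message key means the response code already says it all.` would help the next maintainer. The `%KerbList` declaration question is raised on the `@@ -472` hunk above.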
