Source: logcheck-database
Severity: normal
Tags: patch

Dear Maintainer,
The winbind rules shipped with logcheck-database do not properly match the log entries generated by pam_winbind. An example of the pam_winbind log entries is as follows:

Dec 5 21:50:54 servername sshd[16250]: pam_winbind(sshd:auth): getting password (0x00000000)
Dec 5 21:50:55 servername sshd[16250]: pam_winbind(sshd:auth): user 'username' granted access

However, the winbind rules do not account for the daemon name in the log messages and thus fail to match. I am unsure if the PAM log format has changed, or if there might be cases where messages lacking the daemon name are produced.

I have attached a patch which updates the winbind rules to match log messages in the above format (using libpam-krb as a guide, which only supports messages in this format). Additionally, I have attached a second patch which ignores the "getting password" messages, as I cannot think of a likely scenario where they would be of interest to an administrator.

Thanks,
Kevin

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (101, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 3.1.0-kevinoid1 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
>From 6e286c221e6ee278903c481f8c34ea151791fe45 Mon Sep 17 00:00:00 2001 From: Kevin Locke <ke...@kevinlocke.name> Date: Tue, 6 Dec 2011 09:01:47 -0700 Subject: [PATCH 1/2] Adjust winbind rules to match with daemon name Current log formatting for PAM modules includes the daemon name and PID before pam_winbind and the PAM policy section in parentheses after. Update the rule patterns to match this log format (analogously to the libpam-krb rules). Signed-off-by: Kevin Locke <ke...@kevinlocke.name> --- rulefiles/linux/ignore.d.workstation/winbind | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rulefiles/linux/ignore.d.workstation/winbind b/rulefiles/linux/ignore.d.workstation/winbind index d1a091b..a666174 100644 --- a/rulefiles/linux/ignore.d.workstation/winbind +++ b/rulefiles/linux/ignore.d.workstation/winbind @@ -1,2 +1,2 @@ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pam_winbind\[[0-9]+\]: request failed: No such user, PAM error was [0-9]+, NT error was [_[:alpha:]]+$ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pam_winbind\[[0-9]+\]: user '[._[:alnum:]-]+' granted access$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ [[:alnum:]-]+(\[[0-9]+\])?: pam_winbind\([[:alnum:]-]+:auth\): request failed: No such user, PAM error was [0-9]+, NT error was [_[:alpha:]]+$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ [[:alnum:]-]+(\[[0-9]+\])?: pam_winbind\([[:alnum:]-]+:auth\): user '[._[:alnum:]-]+' granted access$ -- 1.7.7.3
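Review bot: the replacement lines drop the old `pam_winbind\[[0-9]+\]:` form entirely, while the report itself says it is unsure whether messages without the daemon name are still produced; if both formats can occur, those messages would now be reported instead of ignored, so consider keeping the two old lines alongside the new ones until the format question is settled. Minor: the daemon-name class `[[:alnum:]-]+` is narrower than the hostname class `[._[:alnum:]-]+` used earlier on the same line, and the PAM type is hard-coded as `:auth`, so a message whose daemon name contains `.` or `_`, or which is logged under a different type, will not match either rule.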
>From 95be0b8e0ed03547d3e260dac421e4da5f9650d4 Mon Sep 17 00:00:00 2001 From: Kevin Locke <ke...@kevinlocke.name> Date: Tue, 6 Dec 2011 09:03:47 -0700 Subject: [PATCH 2/2] Ignore "getting password" messages from winbind This is irrelevant information to administrators and represents standard/expected behavior in common configurations. Signed-off-by: Kevin Locke <ke...@kevinlocke.name> --- rulefiles/linux/ignore.d.workstation/winbind | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/rulefiles/linux/ignore.d.workstation/winbind b/rulefiles/linux/ignore.d.workstation/winbind index a666174..b39c3c6 100644 --- a/rulefiles/linux/ignore.d.workstation/winbind +++ b/rulefiles/linux/ignore.d.workstation/winbind @@ -1,2 +1,3 @@ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ [[:alnum:]-]+(\[[0-9]+\])?: pam_winbind\([[:alnum:]-]+:auth\): request failed: No such user, PAM error was [0-9]+, NT error was [_[:alpha:]]+$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ [[:alnum:]-]+(\[[0-9]+\])?: pam_winbind\([[:alnum:]-]+:auth\): user '[._[:alnum:]-]+' granted access$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ [[:alnum:]-]+(\[[0-9]+\])?: pam_winbind\([[:alnum:]-]+:auth\): getting password \(0x[0-9]+\)$ -- 1.7.7.3
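Review bot: `\(0x[0-9]+\)` in the added line only accepts decimal digits inside the status value, so a hex status such as `0x0000000a` would not be ignored even though the `0x` prefix implies the full hex range; `\(0x[[:xdigit:]]+\)` (or `0x[0-9a-fA-F]+`) covers it.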
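A small harness, added here and not part of Kevin's report or the logcheck-database package, that applies the pre-patch and post-patch winbind rules to constructed sample lines with grep -E (the matcher logcheck uses for ignore.d rules) and counts what would still be reported; the third rule file is an assumed variant of patch 2 with `[[:xdigit:]]` in place of `[0-9]` for the hex status, and the hostname, PID and `0x0000000a` values are placeholders.

```shell
#!/bin/sh
# Added example: run the old and patched winbind ignore rules against
# constructed pam_winbind log lines with grep -E and report what logcheck
# would still show. Rule text is copied from the two patches above.

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# Rules as shipped before patch 1 (expect pam_winbind[PID] directly after the host).
cat > "$TMP/old" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pam_winbind\[[0-9]+\]: request failed: No such user, PAM error was [0-9]+, NT error was [_[:alpha:]]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pam_winbind\[[0-9]+\]: user '[._[:alnum:]-]+' granted access$
EOF

# Rules after patches 1 and 2 (daemon name, optional PID, PAM service in parentheses).
cat > "$TMP/new" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ [[:alnum:]-]+(\[[0-9]+\])?: pam_winbind\([[:alnum:]-]+:auth\): request failed: No such user, PAM error was [0-9]+, NT error was [_[:alpha:]]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ [[:alnum:]-]+(\[[0-9]+\])?: pam_winbind\([[:alnum:]-]+:auth\): user '[._[:alnum:]-]+' granted access$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ [[:alnum:]-]+(\[[0-9]+\])?: pam_winbind\([[:alnum:]-]+:auth\): getting password \(0x[0-9]+\)$
EOF

# Assumed reviewer variant of patch 2: accept the full hex range in the status
# value. This is a suggestion for this example, not part of the patches.
cat > "$TMP/fixed" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ [[:alnum:]-]+(\[[0-9]+\])?: pam_winbind\([[:alnum:]-]+:auth\): request failed: No such user, PAM error was [0-9]+, NT error was [_[:alpha:]]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ [[:alnum:]-]+(\[[0-9]+\])?: pam_winbind\([[:alnum:]-]+:auth\): user '[._[:alnum:]-]+' granted access$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ [[:alnum:]-]+(\[[0-9]+\])?: pam_winbind\([[:alnum:]-]+:auth\): getting password \(0x[[:xdigit:]]+\)$
EOF

# Constructed sample lines in the shape shown in the report. Syslog pads a
# single-digit day with a space ("Dec  5"), which the 11-char date class expects.
cat > "$TMP/log" <<'EOF'
Dec  5 21:50:54 servername sshd[16250]: pam_winbind(sshd:auth): getting password (0x00000000)
Dec  5 21:50:55 servername sshd[16250]: pam_winbind(sshd:auth): user 'username' granted access
Dec  5 21:50:56 servername sshd[16250]: pam_winbind(sshd:auth): getting password (0x0000000a)
EOF

# Lines not matched by any rule in the given file are what logcheck would report.
unmatched() { grep -E -v -f "$1" "$TMP/log"; }
count_unmatched() { unmatched "$1" | wc -l | tr -d ' '; }

for f in old new fixed; do
    printf '%s rules: %s line(s) would still be reported\n' "$f" "$(count_unmatched "$TMP/$f")"
done
```

With the old rules none of the three lines is ignored; the patched rules ignore the first two but still report the placeholder `0x0000000a` line, which the `[[:xdigit:]]` variant also drops.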