https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=295191
Bug ID: 295191
Summary: 800.loginfail false positives
Product: Base System
Version: 14.4-STABLE
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: [email protected]
Reporter: [email protected]
I regularly run a command via sudo which emits the following line through
syslog to /var/log/auth.log:
May 11 07:46:04 <auth.info> XX sudo[5684]: XX : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/usr/local/bin/rdist -P ... -l notify=ferror:stdout=warning,nerror,ferror,change,notice -o remove,numchkowner,numchkgroup local4
800.loginfail catches these because the regex part "...|auth.*error)\b" matches
from the "auth" of "auth.info" up to the "ferror,". This spams the daily security
output, making real login failures easy to miss.
Instead of trying to refine the regex being currently used (which probably is
almost impossible if we want to deal with all cases like this), we might use
something like a (user) customisable additional regex to filter stuff out,
e.g.:
catmsgs | grep -Ev "${security_status_loginfail_ignore_regex}" | egrep -ia "${prefix}.*\b(fail(ures?|ed)?|invalid|bad|illegal|auth.*error)\b"
If people think this is an option, I will try to make up a patch. In this case,
should we do something like
In /etc/defaults/periodic.conf:
security_status_loginfail_ignore_regex=""
In 800.loginfail:
if [ -z "$security_status_loginfail_ignore_regex" ]; then
    catmsgs | egrep -ia "${prefix}.*\b(fail(ures?|ed)?|invalid|bad|illegal|auth.*error)\b"
else
    catmsgs | grep -Ev "${security_status_loginfail_ignore_regex}" | egrep -ia "${prefix}.*\b(fail(ures?|ed)?|invalid|bad|illegal|auth.*error)\b"
fi
OR
In /etc/defaults/periodic.conf:
security_status_loginfail_ignore_regex='$.'
In 800.loginfail:
catmsgs | grep -Ev "${security_status_loginfail_ignore_regex}" | egrep -ia "${prefix}.*\b(fail(ures?|ed)?|invalid|bad|illegal|auth.*error)\b"
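As an added example (not code from this bug report or from FreeBSD's own 800.loginfail), the script below reproduces the false positive on a constructed auth.log excerpt and shows what the proposed ignore-regex filter does, including the case where the ignore regex is too broad and silently drops a genuine failure. The log lines, the `prefix` value (standing in for the date prefix 800.loginfail derives), and the two ignore regexes are all assumptions made for this illustration; `grep -E` is used in place of `egrep`.

```shell
#!/bin/sh
# Added example: an 800.loginfail-style scan with an optional ignore regex.
# Everything below (log lines, prefix, ignore regexes) is constructed for
# illustration and is not taken from a real system.

# Constructed auth.log excerpt. Line 1 is the sudo/rdist line from the report
# (the rdist argument list shortened), line 2 a genuine ssh failure, line 3 a
# successful login, line 4 a genuine sudo authentication failure.
sample_log='May 11 07:46:04 <auth.info> host sudo[5684]: jdoe : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/usr/local/bin/rdist -l notify=ferror:stdout=warning,nerror,ferror,change,notice -o remove local4
May 11 07:47:10 <auth.info> host sshd[5700]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
May 11 07:48:00 <auth.info> host sshd[5701]: Accepted publickey for jdoe from 192.0.2.20 port 51240 ssh2
May 11 07:50:02 <auth.info> host sudo[5720]: pam_unix(sudo:auth): authentication failure; logname=jdoe uid=1001 euid=0 tty=pts/3 ruser=jdoe rhost=  user=jdoe'

# Assumption: 800.loginfail restricts the scan to yesterday's/today's date
# prefix; a fixed value is used here.
prefix='May 11'

# The failure pattern from 800.loginfail as quoted in the report.
loginfail_re="${prefix}.*\\b(fail(ures?|ed)?|invalid|bad|illegal|auth.*error)\\b"

# Too broad: drops every sudo line, including the real failure on line 4.
broad_ignore='sudo\['
# Narrow: anchored on the exact command that produces the noisy line.
narrow_ignore='sudo\[[0-9]+\]: [^ ]+ : TTY=.*COMMAND=/usr/local/bin/rdist '

# loginfail_hits IGNORE_RE: emit the lines 800.loginfail would report.
# An empty IGNORE_RE skips the filter stage entirely (option 1 in the report).
loginfail_hits() {
    if [ -n "$1" ]; then
        printf '%s\n' "$sample_log" | grep -Ev -- "$1"
    else
        printf '%s\n' "$sample_log"
    fi | grep -Eia -- "$loginfail_re"
}

# loginfail_count IGNORE_RE: number of reported lines (0 if none).
loginfail_count() {
    loginfail_hits "$1" | grep -c ''
}

printf 'no ignore regex : %s hit(s)\n' "$(loginfail_count '')"            # 3: includes the rdist false positive
printf 'broad ignore    : %s hit(s)\n' "$(loginfail_count "$broad_ignore")"  # 1: real sudo failure is lost
printf 'narrow ignore   : %s hit(s)\n' "$(loginfail_count "$narrow_ignore")" # 2: only the false positive is dropped
```

Because the ignore filter runs before the failure pattern, anything it matches never reaches the report, so the practitioner's check is to anchor the ignore regex on the specific command that produces the noise (here the COMMAND=... field) rather than on the program name, and to diff the output with and without the ignore regex before enabling it in periodic.conf.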