Package: crowdsec
Version: 1.4.6-4
Severity: serious
Justification: maintainer/upstream's judgement

Hi,

One critical thing that was missed during the bookworm release cycle is that crowdsec's default configuration only checks traditional log files. In particular: /var/log/auth.log to detect failed SSH logins.

That was fine in Debian 11, but with rsyslog's Priority being lowered from important to optional in Debian 12, the traditional log files are no longer produced and we're lacking detection. :/

There are two things to consider here to provide a fix:

 - We could try and enable the journalctl datasource selectively, but since we're shipping the default config file marked conffiles, that is likely to trigger prompting users during upgrades, so that doesn't look too appealing. If we *don't* do that though, crowdsec's current version would fail to initialize the journalctl datasource if journald isn't available, and would error out.
 - So the current plan is to apply two changes: one updating the default config file, and one adjusting crowdsec's behaviour when it comes to unavailable datasources: logging and continuing instead of failing.

Upstream has:

 - https://github.com/crowdsecurity/crowdsec/pull/2316 to update the config file.
 - https://github.com/crowdsecurity/crowdsec/commit/a910b7becad1e06cb460949ab448d3172eb5679f to make sure the engine doesn't fail with an unavailable datasource.

The second one comes with a slight behavioural change: crowdsec now errors out if there's no valid datasources. That seems way better than running with a broken config though.

Cheers,
-- 
Cyril Brulebois -- Debian Consultant @ DEBAMAX -- https://debamax.com/
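
The datasource handling described in the report (log and continue when a datasource is unavailable, fail only when none is valid), as an added Go sketch that is not part of the original message and not crowdsec's own code. `DataSource`, `probe`, `LoadDataSources` and `ErrNoDataSource` are hypothetical names, and treating "journald is available" as "the `journalctl` binary can be found" is a simplifying assumption.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"os"
	"os/exec"
)

// DataSource is a hypothetical, simplified acquisition entry (not crowdsec's type).
type DataSource struct {
	Kind string // "file" or "journalctl"
	Path string // log file path, only used when Kind == "file"
}

var ErrNoDataSource = errors.New("no valid datasource configured")

// probe reports whether a datasource is usable on this host. lookPath is
// injected so the journalctl check can be exercised without journald.
func probe(ds DataSource, lookPath func(string) (string, error)) (err error) {
	switch ds.Kind {
	case "file":
		_, err = os.Stat(ds.Path)
	case "journalctl":
		_, err = lookPath("journalctl") // assumption: binary present == usable
	default:
		err = fmt.Errorf("unknown datasource kind %q", ds.Kind)
	}
	return err
}

// LoadDataSources logs and skips unavailable datasources instead of failing on
// the first one, and returns an error only when no datasource is left.
func LoadDataSources(cfg []DataSource, lookPath func(string) (string, error)) ([]DataSource, error) {
	var ok []DataSource
	for _, ds := range cfg {
		if err := probe(ds, lookPath); err != nil {
			log.Printf("datasource %s %q unavailable, skipping: %v", ds.Kind, ds.Path, err)
			continue
		}
		ok = append(ok, ds)
	}
	if len(ok) == 0 {
		return nil, ErrNoDataSource
	}
	return ok, nil
}

func main() { // constructed config: the legacy file plus the journal
	cfg := []DataSource{{Kind: "file", Path: "/var/log/auth.log"}, {Kind: "journalctl"}}
	fmt.Println(LoadDataSources(cfg, exec.LookPath))
}
```

On a host without rsyslog the file entry is skipped with a log line and the journal entry stays active; with neither available the loader returns an error rather than running with nothing to watch.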