Date:      Fri,  5 Jan 2007 09:17:31 +0100 (CET)
From:      Christian Laursen <cfsl@pil.dk>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   conf/107560: Change matching expression in periodic/security/800.loginfail 
Message-ID:  <20070105081731.9B6E474CC04@badtrans.pil.dk>
Resent-Message-ID: <200701050850.l058oHD8063377@freefall.freebsd.org>


>Number:         107560
>Category:       conf
>Synopsis:       Change matching expression in periodic/security/800.loginfail
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 05 08:50:16 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Christian Laursen
>Release:        FreeBSD 6.2-RC1 amd64
>Organization:
pil.dk 
>Environment:
System: FreeBSD badtrans.pil.dk 6.2-RC1 FreeBSD 6.2-RC1 #5: Mon Dec 4 13:20:23 CET 2006 root@fahrenheit.pil.dk:/usr/obj/usr/dana/src/freebsd6/src/sys/X2100 amd64


	
>Description:
The current regular expression used to match login failures matches everything
if the hostname happens to include one of the words that it looks for.

The attached small patch ensures that matching for those keywords is not done
on the hostname part of the log lines.

	
>How-To-Repeat:
	
>Fix:

	

--- 800.loginfail.diff begins here ---
--- 800.loginfail.orig	Fri Jan  5 08:56:12 2007
+++ 800.loginfail	Fri Jan  5 09:10:26 2007
@@ -59,7 +59,7 @@
     [Yy][Ee][Ss])
 	echo ""
 	echo "${host} login failures:"
-	n=$(catmsgs | egrep -ia "^$yesterday.*(fail|invalid|bad|illegal)" |
+	n=$(catmsgs | egrep -ia "^$yesterday.*: .*(fail|invalid|bad|illegal)" |
 	    tee /dev/stderr | wc -l)
 	[ $n -gt 0 ] && rc=1 || rc=0;;
     *)	rc=0;;
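Review bot: In the changed egrep line, `.*: ` only requires that some ": " appears before the keyword, so the match depends on the message carrying a "tag: " separator rather than on skipping the hostname field itself. Any line for that day with a keyword but no ": " in front of it is now left out of the report without notice. Consider skipping the time and hostname fields explicitly instead (for example `[^ ]+ [^ ]+ ` after the date, if `$yesterday` holds only the month and day), and add a log line under How-To-Repeat that shows the false positive so the change can be checked.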
--- 800.loginfail.diff ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:
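The false positive from the Description, reproduced as an added example (not part of the original report or of the FreeBSD script): constructed syslog lines from a host named badtrans are run through the old and the patched expression. The log lines and the value of `yesterday` ("Mmm dd" form) are assumptions made for the illustration, and `grep -E` stands in for `egrep`.

```shell
#!/bin/sh
# Constructed sample: syslog lines from a host whose name contains "bad".
# The date string stands in for the script's $yesterday (assumed "Mmm dd" form).
yesterday="Jan  4"

sample_log() {
cat <<'EOF'
Jan  4 03:01:00 badtrans sshd[811]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
Jan  4 03:02:10 badtrans sshd[812]: Failed password for root from 192.0.2.77 port 40112 ssh2
Jan  4 03:05:00 badtrans cron[900]: (root) CMD (newsyslog)
Jan  4 03:07:42 badtrans sshd[813]: Invalid user admin from 192.0.2.77
Jan  3 23:59:59 badtrans sshd[700]: Failed password for root from 192.0.2.77 port 40001 ssh2
EOF
}

# Expression before the patch: a keyword may match anywhere after the date,
# including inside the hostname field.
old_matches() {
    sample_log | grep -Eia "^$yesterday.*(fail|invalid|bad|illegal)"
}

# Expression from the patch: a keyword must come after a ": " separator,
# which in these lines first appears at the end of the program tag.
new_matches() {
    sample_log | grep -Eia "^$yesterday.*: .*(fail|invalid|bad|illegal)"
}

# Normalise wc output (BSD wc pads the number with spaces).
count() { wc -l | tr -d ' '; }

old_count() { old_matches | count; }
new_count() { new_matches | count; }

echo "old expression: $(old_count) lines reported"
echo "new expression: $(new_count) lines reported"
new_matches
```

With the old expression every line from that day is reported because "bad" matches inside "badtrans"; with the patched one only the two real failures remain.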


