Date: Mon, 11 May 2026 06:44:56 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 295191] 800.loginfail false positives Message-ID: <bug-295191-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=295191

Bug ID: 295191
Summary: 800.loginfail false positives
Product: Base System
Version: 14.4-STABLE
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: bugs@FreeBSD.org
Reporter: mail@fbsd2.e4m.org

I regularly run a command via sudo which emits the following line through syslog to /var/log/auth.log:

    May 11 07:46:04 <auth.info> XX sudo[5684]: XX : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/usr/local/bin/rdist -P ... -l notify=ferror:stdout=warning,nerror,ferror,change,notice -o remove,numchkowner,numchkgroup local4

800.loginfail catches these as the regex part "...|auth.*error)\b" matches the "auth" of "auth.info" until the "ferror,". This spams the daily security output, making real login failures easy to miss.

Instead of trying to refine the regex currently being used (which is probably almost impossible if we want to deal with all cases like this), we might use something like a (user) customisable additional regex to filter stuff out, e.g.:

    catmsgs | grep -Ev "${security_status_loginfail_ignore_regex}" | egrep -ia "${prefix}.*\b(fail(ures?|ed)?|invalid|bad|illegal|auth.*error)\b"

If people think this is an option, I'll try to make up a patch. In this case, should we do something like:

In /etc/defaults/periodic.conf:

    security_status_loginfail_ignore_regex=""

In 800.loginfail:

    if [ -z "$security_status_loginfail_ignore_regex" ]; then
        catmsgs | egrep -ia "${prefix}.*\b(fail(ures?|ed)?|invalid|bad|illegal|auth.*error)\b"
    else
        catmsgs | grep -Ev "${security_status_loginfail_ignore_regex}" | egrep -ia "${prefix}.*\b(fail(ures?|ed)?|invalid|bad|illegal|auth.*error)\b"
    fi

OR

In /etc/defaults/periodic.conf:

    security_status_loginfail_ignore_regex='$.'

In 800.loginfail:

    catmsgs | grep -Ev "${security_status_loginfail_ignore_regex}" | egrep -ia "${prefix}.*\b(fail(ures?|ed)?|invalid|bad|illegal|auth.*error)\b"

-- 
You are receiving this mail because:
You are the assignee for the bug.
