From owner-freebsd-stable Thu Apr 20 5: 7:46 2000
Delivered-To: freebsd-stable@freebsd.org
Received: from mail.enteract.com (mail.enteract.com [207.229.143.33])
    by hub.freebsd.org (Postfix) with ESMTP id 67E8837BDD6
    for ; Thu, 20 Apr 2000 05:07:43 -0700 (PDT)
    (envelope-from jim@nasby.net)
Received: from nasby.net (sysnasby@2.nasby.dsl.enteract.com [216.80.51.18])
    by mail.enteract.com (8.9.3/8.9.3) with ESMTP id HAA84837
    for ; Thu, 20 Apr 2000 07:07:42 -0500 (CDT)
    (envelope-from jim@nasby.net)
Message-ID: <38FEF308.1C6783CB@nasby.net>
Date: Thu, 20 Apr 2000 07:07:36 -0500
From: "Jim C. Nasby"
Organization: distributed.net
X-Mailer: Mozilla 4.7 [en] (WinNT; U)
X-Accept-Language: en-US,en
MIME-Version: 1.0
To: freebsd-stable@freebsd.org
Subject: /etc/security checking wrong file for login failures?
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On my 4.0-stable system (last cvsup'd Mar 28), this is the end of
/etc/security (I broke the zcat line across two lines for this email):

echo "${host} login failures:"
zcat -f $LOG/messages.0* $LOG/messages | grep -i \
    "^$yesterday.*login failure"

# Show tcp_wrapper warning messages
#
separator
echo "${host} refused connections:"
zcat -f $LOG/messages.0* $LOG/messages | grep -i \
    "^$yesterday.*refused connect"

Shouldn't it be checking $LOG/messages instead of messages.0*? The
default newsyslog.conf on this system rotates /var/log/messages when it
hits 100k; maybe /etc/security is expecting it to be rotated daily. I
think the following would solve this:

echo "${host} login failures:"
if [ -f $LOG/messages ]; then
    grep -i "^$yesterday.*login failure" $LOG/messages
    if [ -f $LOG/messages.0* ]; then
        # rotated log only; $LOG/messages was searched just above
        zcat -f $LOG/messages.0* | grep -i \
            "^$yesterday.*login failure"
    fi
else
    echo "$LOG/messages does not exist!"
fi

# Show tcp_wrapper warning messages
#
separator
echo "${host} refused connections:"
if [ -f $LOG/messages ]; then
    grep -i "^$yesterday.*refused connect" $LOG/messages
    if [ -f $LOG/messages.0* ]; then
        # rotated log only; $LOG/messages was searched just above
        zcat -f $LOG/messages.0* | grep -i \
            "^$yesterday.*refused connect"
    fi
else
    echo "$LOG/messages does not exist!"
fi

Again, I split the zcat line for this email.

I guess I should probably have done a PR on this, but I wasn't sure if
there was a good reason for the way things were set up that was escaping
me.
--
Jim C. Nasby (aka Decibel!)                                /^\
jim@nasby.net                                             /___\
Freelance lighting designer and database developer       /  |  \
Member: Triangle Fraternity, Sports Car Club of America /___|___\

Give your computer some brain candy! www.distributed.net Team #1828
Get paid to surf!! http://www.enteract.com/~nasby/alladvantage.html

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
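
The same daily check written as a reusable function, as an added example that is not part of the original message or of FreeBSD's /etc/security. The names scan_logs and make_sample_logs, the "Apr 19" date prefix and the sample log lines are constructed for illustration. It reads every file once, oldest first, and copes with zero, one or several rotated files, compressed or not.

```sh
#!/bin/sh
# Added example; not taken from /etc/security. All names are illustrative.

# scan_logs LOGDIR DAY PATTERN
#   DAY is a syslog date prefix such as "Apr 19" (assumed format).
#   Prints matching lines, rotated files first, then the live log.
#   Returns 2 when the live log is missing, so a silent report is
#   never mistaken for "no failures".
scan_logs() {
    logdir=$1
    day=$2
    pattern=$3

    if [ ! -f "$logdir/messages" ]; then
        echo "$logdir/messages does not exist!" >&2
        return 2
    fi

    # Rotated logs (messages.0, messages.0.gz, ...). An unmatched glob
    # stays literal, so the -f test skips it instead of failing.
    for f in "$logdir"/messages.0*; do
        [ -f "$f" ] || continue
        # gzip -cdf decompresses .gz input and passes plain text through.
        gzip -cdf "$f" | grep -i "^$day.*$pattern" || true
    done

    # Live log, read exactly once so no event is reported twice.
    grep -i "^$day.*$pattern" "$logdir/messages" || true
    return 0
}

# make_sample_logs DIR: writes constructed sample data, one rotated
# (gzip-compressed) file and one live file.
make_sample_logs() {
    {
        echo "Apr 18 22:10:44 host login: 1 LOGIN FAILURE ON ttyv0"
        echo "Apr 19 03:12:01 host login: 1 LOGIN FAILURE ON ttyv0"
    } | gzip -c > "$1/messages.0.gz"
    {
        echo "Apr 19 23:50:10 host login: 2 LOGIN FAILURES ON ttyv1"
        echo "Apr 19 23:51:00 host sshd[412]: refused connect from 192.0.2.7"
        echo "Apr 20 00:03:19 host login: 1 LOGIN FAILURE ON ttyv1"
    } > "$1/messages"
}
```

Typical use: make_sample_logs /tmp/demo; scan_logs /tmp/demo "Apr 19" "login failure".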