From root@badtrans.pil.dk  Fri Jan  5 08:43:06 2007
Return-Path: <root@badtrans.pil.dk>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 2234416A40F
	for <FreeBSD-gnats-submit@freebsd.org>; Fri,  5 Jan 2007 08:43:06 +0000 (UTC)
	(envelope-from root@badtrans.pil.dk)
Received: from badtrans.pil.dk (badtrans.pil.dk [193.162.142.37])
	by mx1.freebsd.org (Postfix) with ESMTP id E632413C442
	for <FreeBSD-gnats-submit@freebsd.org>; Fri,  5 Jan 2007 08:43:03 +0000 (UTC)
	(envelope-from root@badtrans.pil.dk)
Received: by badtrans.pil.dk (Postfix, from userid 0)
	id 9B6E474CC04; Fri,  5 Jan 2007 09:17:31 +0100 (CET)
Message-Id: <20070105081731.9B6E474CC04@badtrans.pil.dk>
Date: Fri,  5 Jan 2007 09:17:31 +0100 (CET)
From: Christian Laursen <cfsl@pil.dk>
Reply-To: Christian Laursen <cfsl@pil.dk>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: Change matching expression in periodic/security/800.loginfail 
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         107560
>Category:       conf
>Synopsis:       [patch] Change matching expression in periodic/security/800.loginfail
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    remko
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 05 08:50:16 GMT 2007
>Closed-Date:    Wed Mar 07 13:46:37 GMT 2007
>Last-Modified:  Wed Mar 07 13:46:37 GMT 2007
>Originator:     Christian Laursen
>Release:        FreeBSD 6.2-RC1 amd64
>Organization:
pil.dk 
>Environment:
System: FreeBSD badtrans.pil.dk 6.2-RC1 FreeBSD 6.2-RC1 #5: Mon Dec 4 13:20:23 CET 2006 root@fahrenheit.pil.dk:/usr/obj/usr/dana/src/freebsd6/src/sys/X2100 amd64


	
>Description:
The current regular expression used to match login failures matches everything
if the hostname happens to include one of the words that it looks for.

The attached small patch ensures that matching for those keywords is not done
on the hostname part of the log lines.

	
>How-To-Repeat:
	
>Fix:

	

--- 800.loginfail.diff begins here ---
--- 800.loginfail.orig	Fri Jan  5 08:56:12 2007
+++ 800.loginfail	Fri Jan  5 09:10:26 2007
@@ -59,7 +59,7 @@
     [Yy][Ee][Ss])
 	echo ""
 	echo "${host} login failures:"
-	n=$(catmsgs | egrep -ia "^$yesterday.*(fail|invalid|bad|illegal)" |
+	n=$(catmsgs | egrep -ia "^$yesterday.*: .*(fail|invalid|bad|illegal)" |
 	    tee /dev/stderr | wc -l)
 	[ $n -gt 0 ] && rc=1 || rc=0;;
     *)	rc=0;;
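Review bot: the '.*: ' added to the egrep pattern on the + line is not tied to a field position, so a line is now reported only if a keyword follows some ': ' separator. Lines with no ': ' are silently dropped, and a keyword that appears only before the separator (hostname or program tag) is no longer counted. That matches the intent stated in the description, but nothing in the script records it. Please add a one-line comment above the pipeline saying that ': ' marks the end of the host/tag prefix, so that a later edit does not simplify the expression back to '^$yesterday.*(...)'.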
--- 800.loginfail.diff ends here ---
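
The effect described in the report, as an added example that is not part of the original PR or of 800.loginfail itself: both expressions from the patch are run over the same log excerpt. The log lines and the value of `yesterday` are constructed for illustration (only the hostname `badtrans` comes from the report), and `grep -E` stands in for `egrep`.

```shell
#!/bin/sh
# Added illustration: old vs. new 800.loginfail expression on a host whose
# name contains one of the keywords ("bad" in "badtrans").

# Assumed value: month, space-padded day, trailing space, as in syslog lines.
yesterday="Jan  4 "

# Constructed sample of a messages log. Two lines are real login failures,
# two are benign, and one is from the wrong day.
sample_log() {
cat <<'EOF'
Jan  3 23:59:59 badtrans sshd[399]: Failed password for root from 192.0.2.66 port 40001 ssh2
Jan  4 10:00:01 badtrans sshd[411]: Accepted publickey for cfsl from 192.0.2.10 port 50022 ssh2
Jan  4 10:05:17 badtrans sshd[420]: Failed password for root from 192.0.2.66 port 40100 ssh2
Jan  4 11:30:00 badtrans cron[500]: (root) CMD (/usr/libexec/atrun)
Jan  4 12:00:09 badtrans sshd[431]: Invalid user admin from 192.0.2.66
EOF
}

# Expression before the patch: keywords may match anywhere after the date,
# including inside the hostname.
count_old() {
    sample_log | grep -Eiac "^${yesterday}.*(fail|invalid|bad|illegal)"
}

# Expression after the patch: keywords must follow a ": " separator, which
# in these lines first occurs after the "program[pid]" tag.
count_new() {
    sample_log | grep -Eiac "^${yesterday}.*: .*(fail|invalid|bad|illegal)"
}

echo "old expression reports $(count_old) lines"
echo "new expression reports $(count_new) lines"
```

With the old expression every line from the day is reported, so the two real failures are buried among benign entries; the new expression reports only those two.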


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-rc 
Responsible-Changed-By: remko 
Responsible-Changed-When: Fri Jan 5 09:02:58 UTC 2007 
Responsible-Changed-Why:  
Assign to the rc team. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=107560 
Responsible-Changed-From-To: freebsd-rc->freebsd-bugs 
Responsible-Changed-By: dougb 
Responsible-Changed-When: Fri Jan 5 18:10:42 UTC 2007 
Responsible-Changed-Why:  

While this looks like a good change, periodic stuff isn't 
within the scope of rc.d. 



http://www.freebsd.org/cgi/query-pr.cgi?pr=107560 
Responsible-Changed-From-To: freebsd-bugs->remko 
Responsible-Changed-By: remko 
Responsible-Changed-When: Wed Feb 21 11:30:23 UTC 2007 
Responsible-Changed-Why:  
I'll take it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=107560 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: conf/107560: commit references a PR
Date: Fri, 23 Feb 2007 21:43:02 +0000 (UTC)

 remko       2007-02-23 21:42:54 UTC
 
   FreeBSD src repository
 
   Modified files:
     etc/periodic/security 800.loginfail 
   Log:
   Only match on log messages containing fail,invalid,
   bad or illegal. This prevents matching on systems that
   have a name that matches the query.
   
   PR:             conf/107560
   Submitted by:   Christian Laursen <cfsl at pil dot dk>
   MFC after:      3 days
   Approved by:    imp (mentor)
   
   Revision  Changes    Path
   1.8       +1 -1      src/etc/periodic/security/800.loginfail
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: open->patched 
State-Changed-By: remko 
State-Changed-When: Fri Feb 23 21:54:01 UTC 2007 
State-Changed-Why:  
I have committed this to -HEAD, will commit it to the remaining 
branches in a little. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=107560 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: conf/107560: commit references a PR
Date: Tue,  6 Mar 2007 18:29:24 +0000 (UTC)

 remko       2007-03-06 18:29:19 UTC
 
   FreeBSD src repository
 
   Modified files:        (Branch: RELENG_6)
     etc/periodic/security 800.loginfail 
   Log:
   MFC 800.loginfail rev 1.8
   
     Only match on log messages containing fail,invalid,
     bad or illegal. This prevents matching on systems that
     have a name that matches the query.
   
     PR:             conf/107560
     Submitted by:   Christian Laursen <cfsl at pil dot dk>
     MFC after:      3 days
     Approved by:    imp (mentor)
   
   Approved by:    imp (mentor)
   
   Revision  Changes    Path
   1.5.12.3  +1 -1      src/etc/periodic/security/800.loginfail
 
State-Changed-From-To: patched->closed 
State-Changed-By: remko 
State-Changed-When: Wed Mar 7 13:46:35 UTC 2007 
State-Changed-Why:  
The patch has been committed to -HEAD and 6-STABLE, thanks for the 
submission! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=107560 
>Unformatted:
