From nobody@FreeBSD.org  Mon Feb  4 18:11:57 2008
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 6DFDB16A420
	for <freebsd-gnats-submit@FreeBSD.org>; Mon,  4 Feb 2008 18:11:57 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 5B3AD13C46B
	for <freebsd-gnats-submit@FreeBSD.org>; Mon,  4 Feb 2008 18:11:57 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.2/8.14.2) with ESMTP id m14I9w5U011658
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 4 Feb 2008 18:09:58 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.2/8.14.1/Submit) id m14I9wkV011656;
	Mon, 4 Feb 2008 18:09:58 GMT
	(envelope-from nobody)
Message-Id: <200802041809.m14I9wkV011656@www.freebsd.org>
Date: Mon, 4 Feb 2008 18:09:58 GMT
From: Michael Grimm <trashcan@odo.in-berlin.de>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [patch] 800.loginfail misses relevant security information after upgrade from 6.2-RELEASE
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         120263
>Category:       conf
>Synopsis:       [patch] 800.loginfail misses relevant security information after upgrade from 6.2-RELEASE
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 04 18:20:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Michael Grimm
>Release:        FreeBSD 6.3-RELEASE i386
>Organization:
none
>Environment:
FreeBSD troi.scotty.invalid 6.3-RELEASE FreeBSD 6.3-RELEASE #0: Sat Jan 26 02:49:42 CET 2008 root@troi.scotty.invalid:/usr/obj/usr/src/sys/VIA-C7 i386
>Description:
The following entries in /var/log/auth.log should be caught by the daily security report
(xxx.xxx.xxx.xxx and yyy.tld are used to protect the innocent ;-) ):

Jan 26 08:10:30 troi sshd[68360]: Invalid user gary from xxx.xxx.xxx.xxx
Jan 26 16:09:32 troi sshd[76566]: reverse mapping checking getaddrinfo for yyy.tld [xxx.xxx.xxx.xxx] failed - POSSIBLE BREAK-IN ATTEMPT!

800.loginfail of 6.2-RELEASE did recognize both entries in the logfile, whereas 6.3-RELEASE
only recognizes the second entry. 

The relevant regex part of the 6.2 800.loginfail is:
	egrep -ia "^$yesterday.*(fail|invalid|bad|illegal)"
and in 6.3 it has been changed to:
	egrep -ia "^$yesterday.*: .* (fail|invalid|bad|illegal)"

Presumably, someone tried to avoid false positives when system names contained "fail|invalid|bad|illegal"
and modified the regex accordingly.

Now, "^$yesterday.*: " triggers on the first part up to "...sshd[.....]: " correctly. After that, if a buzzword resides somewhere in the following text it will be triggered (second example), but if the remaining text starts with a buzzword (first example: "Invalid") it cannot be triggered, because a single blank is demanded *before* the buzzword in ".* (fail|invalid|bad|illegal)".

The following entry in /var/log/auth.log is triggered neither by the 6.2 nor by the 6.3 800.loginfail. IMHO
this should be added as well:

Jan 26 23:16:52 troi sshd[87777]: User root from xxx.xxx.xxx.xxx not allowed because not listed in AllowUsers
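To make the behaviour described above reproducible, here is an added example (the editor's, not part of the PR and not FreeBSD's 800.loginfail) that runs the three egrep expressions quoted in the report over a constructed auth.log sample and lists which lines each one selects. Assumptions: $yesterday is fixed to "Jan 26" instead of being derived from date(1); sample line 4 is a constructed, benign login from a host whose name contains a keyword; RE_WORD is the editor's own alternative expression and does not appear in the PR.

```shell
#!/bin/sh
# Added example (editor's, not part of the PR or of FreeBSD's 800.loginfail):
# run the egrep expressions quoted in the report over constructed auth.log
# lines and show which lines each one selects.

yesterday="Jan 26"   # 800.loginfail derives this from date(1); fixed here

# Constructed sample log. Lines 1-3 are the reporter's lines (addresses
# anonymised as in the PR); line 4 is a constructed, benign login from a host
# whose name contains a keyword, the false-positive class the 6.3 change
# guarded against.
LOG='Jan 26 08:10:30 troi sshd[68360]: Invalid user gary from xxx.xxx.xxx.xxx
Jan 26 16:09:32 troi sshd[76566]: reverse mapping checking getaddrinfo for yyy.tld [xxx.xxx.xxx.xxx] failed - POSSIBLE BREAK-IN ATTEMPT!
Jan 26 23:16:52 troi sshd[87777]: User root from xxx.xxx.xxx.xxx not allowed because not listed in AllowUsers
Jan 26 09:00:00 failsafe sshd[12345]: Accepted publickey for alice from xxx.xxx.xxx.xxx port 51234 ssh2'

RE_62="^$yesterday.*(fail|invalid|bad|illegal)"                      # 6.2-RELEASE
RE_63="^$yesterday.*: .* (fail|invalid|bad|illegal)"                 # 6.3-RELEASE
RE_PATCH="^$yesterday.*: .*(fail|invalid|bad|illegal|not allowed)"   # PR patch
# Editor's alternative (assumption, not in the PR): keep the keyword at a
# word start but make the text between the syslog tag and the keyword optional.
RE_WORD="^$yesterday.*: (.* )?(fail|invalid|bad|illegal|not allowed)"

# hit_lines REGEX: space-separated numbers of the sample lines REGEX selects,
# matched the way 800.loginfail does it (case-insensitive extended regex).
hit_lines() {
    # word splitting inside $(...) is intended: it joins the numbers with spaces
    echo $(printf '%s\n' "$LOG" | grep -E -i -n -e "$1" | cut -d: -f1)
}

# count_hits REGEX: the count 800.loginfail would report as its "$n".
count_hits() {
    printf '%s\n' "$LOG" | grep -E -i -c -e "$1" || true
}

for v in RE_62 RE_63 RE_PATCH RE_WORD; do
    eval "re=\$$v"
    printf '%-8s hits=%s  lines: %s\n' "$v" "$(count_hits "$re")" "$(hit_lines "$re")"
done
```

Running it shows the three cases the report describes on one screen: the 6.2 expression selects lines 1, 2 and 4 (line 4 being the hostname false positive), the 6.3 expression only line 2, and the patched expression lines 1, 2 and 3. RE_WORD selects the same lines as the patch on this sample while still requiring the keyword to begin a word.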
>How-To-Repeat:

>Fix:
apply patch

Patch attached with submission follows:

--- /usr/src/etc/periodic/security/800.loginfail	2007-03-06 19:29:19.000000000 +0100
+++ 800.loginfail	2008-02-04 19:06:17.000000000 +0100
@@ -59,7 +59,7 @@
     [Yy][Ee][Ss])
 	echo ""
 	echo "${host} login failures:"
-	n=$(catmsgs | egrep -ia "^$yesterday.*: .* (fail|invalid|bad|illegal)" |
+	n=$(catmsgs | egrep -ia "^$yesterday.*: .*(fail|invalid|bad|illegal|not allowed)" |
 	    tee /dev/stderr | wc -l)
 	[ $n -gt 0 ] && rc=1 || rc=0;;
     *)	rc=0;;
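Review bot: changing `.* (fail|` to `.*(fail|` on the `+` line fixes the start-of-message case from the report (`: Invalid user gary ...`), but it does so by allowing the alternation to match in the middle of a word anywhere after the first `: `, which gives up the word-start property the 6.3 expression was tightened to have. A narrower change keeps that property and only makes the text between the tag and the keyword optional: `n=$(catmsgs | egrep -ia "^$yesterday.*: (.* )?(fail|invalid|bad|illegal|not allowed)" |`. That still matches both `: Invalid user gary ...` and `: User root from ... not allowed because ...`, and `(.* )?` is plain POSIX ERE, so it needs nothing beyond what egrep already provides.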


>Release-Note:
>Audit-Trail:
>Unformatted:
