From doconnor@cain.gsoft.com.au  Fri Jan 13 00:40:28 2006
Return-Path: <doconnor@cain.gsoft.com.au>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 7770516A41F
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 13 Jan 2006 00:40:28 +0000 (GMT)
	(envelope-from doconnor@cain.gsoft.com.au)
Received: from cain.gsoft.com.au (cain.gsoft.com.au [203.31.81.10])
	by mx1.FreeBSD.org (Postfix) with ESMTP id B458A43D45
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 13 Jan 2006 00:40:27 +0000 (GMT)
	(envelope-from doconnor@cain.gsoft.com.au)
Received: from cain.gsoft.com.au (localhost [127.0.0.1])
	by cain.gsoft.com.au (8.13.5/8.13.4) with ESMTP id k0D0eQd1095715
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 13 Jan 2006 11:10:26 +1030 (CST)
	(envelope-from doconnor@cain.gsoft.com.au)
Received: (from doconnor@localhost)
	by cain.gsoft.com.au (8.13.5/8.13.4/Submit) id k0D0eQva095714;
	Fri, 13 Jan 2006 11:10:26 +1030 (CST)
	(envelope-from doconnor)
Message-Id: <200601130040.k0D0eQva095714@cain.gsoft.com.au>
Date: Fri, 13 Jan 2006 11:10:26 +1030 (CST)
From: "Daniel O'Connor" <doconnor@gsoft.com.au>
Reply-To: "Daniel O'Connor" <doconnor@gsoft.com.au>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject:
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         91732
>Category:       conf
>Synopsis:       [patch] 800.loginfail: fix log message grep expression
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    brueffer
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 13 00:50:10 GMT 2006
>Closed-Date:    Sun Mar 23 14:12:55 CET 2014
>Last-Modified:  Sun Mar 23 14:12:55 CET 2014
>Originator:     Daniel O'Connor
>Release:        FreeBSD 6.0-RELEASE amd64
>Organization:
>Environment:
System: FreeBSD cain.gsoft.com.au 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Wed Nov 2 19:07:38 UTC 2005 root@rat.samsco.home:/usr/obj/usr/src/sys/GENERIC amd64

>Description:
/etc/periodic/security/800.loginfail uses a simplistic grep expression to
find relevant log messages.  Unfortunately it misses some things that it
shouldn't and shows others that are superfluous.

eg. sasl-auth login failures don't show up, but sshd warnings about non-
matching forward/reverse lookups are.

>How-To-Repeat:

>Fix:
--- /etc/periodic/security/800.loginfail.orig   Thu Nov  3 04:23:36 2005
+++ /etc/periodic/security/800.loginfail        Wed Jan 11 14:05:34 2006
@@ -59,7 +59,10 @@
     [Yy][Ee][Ss])
        echo ""
        echo "${host} login failures:"
-       n=$(catmsgs | grep -ia "^$yesterday.*fail" |
+       n=$(catmsgs | grep -ia "^$yesterday.*" |
+           grep -v 'Accepted' | grep -v 'logfile turned over' |
+           grep -v 'subsystem request for' |
+           grep -v 'reverse mapping checking getaddrinfo for' |
            tee /dev/stderr | wc -l)
        [ $n -gt 0 ] && rc=1 || rc=0;;
     *) rc=0;;


>Release-Note:
>Audit-Trail:

From: "Skye Poier" <spoier@gmail.com>
To: bug-followup@FreeBSD.org, doconnor@gsoft.com.au
Cc:  
Subject: Re: conf/91732: [patch] 800.loginfail: fix log message grep expression
Date: Fri, 11 Aug 2006 17:58:21 -0700

 I noticed the same problem; although I was primarily worried about not
 seeing ssh login failures in the security report.  I discovered it was
 because "fail" no longer appears in the auth.log line on my FreeBSD
 6.1 installation:
 
 Aug 11 08:39:20 hostname sshd[48839]: error: PAM: authentication error
 for someuser from somewhere.pacbell.net
 
 I simply modified the grep in 800.loginfail to read:
 
         n=$(catmsgs | grep -ia "^$yesterday.*\(fail\|authentication error\)" |
             tee /dev/stderr | wc -l)

From: Alan Amesbury <amesbury@umn.edu>
To: bug-followup@FreeBSD.org
Cc: doconnor@gsoft.com.au,
    trashcan@odo.in-berlin.de
Subject: Re: conf/91732: [patch] 800.loginfail: fix log message grep expression
Date: Fri, 19 Mar 2010 14:58:02 -0500

 This is a multi-part message in MIME format.
 --------------070601020601060300050303
 Content-Type: text/plain; charset=ISO-8859-1; format=flowed
 Content-Transfer-Encoding: 7bit
 
 Although it's been a few years since Daniel O'Connor submitted his bug 
 report, it looks like this problem hasn't yet been fixed.  I've also run 
 into problems with the simplistic expression used by 'egrep' in 
 800.loginfail, and have come up with my own correction (patch attached) 
 to correct for it based on a minimal approach to change.  In my case the 
 simplistic nature of the regexp is causing it to match hashes that are 
 also being placed in the logs that 800.loginfail examines.  Thus it 
 matches on things like
 
 Mar 17 00:07:29 [REDACTED] [REDACTED][25063]:        sha256: 
 9e0e0cb645a4cfabadc402fd7e6a38b297b04ac90fa3d4acdc14f027facbb5e7
 
 
 because that hash happens to have the sequence "bad" in it.
 
 PR conf/120263 seems related to this.  What can I do to help get this 
 patched in -CURRENT and MFC'ed back to 8.0-RELEASE?
 
 
 -- 
 Alan Amesbury
 OIT Security and Assurance
 University of Minnesota
 
 --------------070601020601060300050303
 Content-Type: text/plain;
  name="patch_for_800.loginfail"
 Content-Transfer-Encoding: 7bit
 Content-Disposition: inline;
  filename="patch_for_800.loginfail"
 
 --- 800.loginfail.ORIG	2010-03-19 14:42:46.000000000 -0500
 +++ 800.loginfail	2010-03-19 14:43:10.000000000 -0500
 @@ -59,7 +59,7 @@
      [Yy][Ee][Ss])
  	echo ""
  	echo "${host} login failures:"
 -	n=$(catmsgs | egrep -ia "^$yesterday.*: .*(fail|invalid|bad|illegal)" |
 +	n=$(catmsgs | egrep -ia "^$yesterday.*: .*(fail|invalid|bad|illegal) " |
  	    tee /dev/stderr | wc -l)
  	[ $n -gt 0 ] && rc=1 || rc=0;;
      *)	rc=0;;
 
 --------------070601020601060300050303--

From: Christian Marg <marg@rz.tu-clausthal.de>
To: bug-followup@FreeBSD.org, doconnor@gsoft.com.au
Cc:  
Subject: Re: conf/91732: [patch] 800.loginfail: fix log message grep expression
Date: Thu, 26 May 2011 10:30:34 +0200

 This is a cryptographically signed message in MIME format.
 
 --------------ms020507050700000801060303
 Content-Type: multipart/mixed;
  boundary="------------020303040004040106000607"
 
 This is a multi-part message in MIME format.
 --------------020303040004040106000607
 Content-Type: text/plain; charset=ISO-8859-1; format=flowed
 Content-Transfer-Encoding: quoted-printable
 
 Hello,
 
 this problem is still unresolved in 8.2-RELEASE. For example I see many=20
 "ANON ftp: Login successful." log messages from my ProFTPD, just because =
 
 the host name of the client contains the word "kabel-badenwuerttemberg.de=
 ".
 
 I have a minor correction to Alan Amesbury's patch, which assumes that=20
 there always is a space following the word the expression checks for.=20
 I'd rather use "\b" to check for word boundaries. See the patch in my=20
 attachment. It also finds lines with "auth.*error" in them.
 
 bye
 Christian
 --=20
 Christian Marg                 mail  : mailto:marg@rz.tu-clausthal.de
 Rechenzentrum TU Clausthal     web   : http://www.tu-clausthal.de
 D-38678 Clausthal-Zellerfeld   fon   : 05323/72-2626
 Germany                        jabber: ifcma@jabber.tu-clausthal.de
 
 --------------020303040004040106000607
 Content-Type: text/plain;
  name="loginfail.patch.txt"
 Content-Transfer-Encoding: quoted-printable
 Content-Disposition: attachment;
  filename="loginfail.patch.txt"
 
 --- 800.loginfail-orig  2011-03-03 10:28:00.000000000 +0100
 +++ 800.loginfail 2011-05-26 10:13:04.000000000 +0200
 @@ -59,7 +59,7 @@
      [Yy][Ee][Ss])
         echo ""
         echo "${host} login failures:"
 -       n=3D$(catmsgs | egrep -ia "^$yesterday.*: .*(fail|invalid|bad|ill=
 egal)" |
 +       n=3D$(catmsgs | egrep -ia "^$yesterday.*: .*\b(fail(ures?|ed)?|in=
 valid|bad|illegal|auth.*error)\b" |
             tee /dev/stderr | wc -l)
         [ $n -gt 0 ] && rc=3D1 || rc=3D0;;
      *) rc=3D0;;
 
 --------------020303040004040106000607--
 
 --------------ms020507050700000801060303
 Content-Type: application/pkcs7-signature; name="smime.p7s"
 Content-Transfer-Encoding: base64
 Content-Disposition: attachment; filename="smime.p7s"
 Content-Description: S/MIME Cryptographic Signature
 
 MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIUbTCC
 BCEwggMJoAMCAQICAgDHMA0GCSqGSIb3DQEBBQUAMHExCzAJBgNVBAYTAkRFMRwwGgYDVQQK
 ExNEZXV0c2NoZSBUZWxla29tIEFHMR8wHQYDVQQLExZULVRlbGVTZWMgVHJ1c3QgQ2VudGVy
 MSMwIQYDVQQDExpEZXV0c2NoZSBUZWxla29tIFJvb3QgQ0EgMjAeFw0wNjEyMTkxMDI5MDBa
 Fw0xOTA2MzAyMzU5MDBaMFoxCzAJBgNVBAYTAkRFMRMwEQYDVQQKEwpERk4tVmVyZWluMRAw
 DgYDVQQLEwdERk4tUEtJMSQwIgYDVQQDExtERk4tVmVyZWluIFBDQSBHbG9iYWwgLSBHMDEw
 ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDpm8NnhfkNrvWNVMOWUDU9YuluTO2U
 1wBblSJ01CDrNI/W7MAxBAuZgeKmFNJSoCgjhIt0iQReW+DieMF4yxbLKDU5ey2QRdDtoAB6
 fL9KDhsAw4bpXCsxEXsM84IkQ4wcOItqaACa7txPeKvSxhObdq3u3ibo7wGvdA/BCaL2a869
 080UME/15eOkyGKbghoDJzANAmVgTe3RCSMqljVYJ9N2xnG2kB3E7f81hn1vM7PbD8URwoqD
 oZRdQWvY0hD1TP3KUazZve+Sg7va64sWVlZDz+HVEz2mHycwzUlU28kTNJpxdcVs6qcLmPkh
 nSevPqM5OUhqjK3JmfvDEvK9AgMBAAGjgdkwgdYwcAYDVR0fBGkwZzBloGOgYYZfaHR0cDov
 L3BraS50ZWxlc2VjLmRlL2NnaS1iaW4vc2VydmljZS9hZl9Eb3dubG9hZEFSTC5jcmw/LWNy
 bF9mb3JtYXQ9WF81MDkmLWlzc3Vlcj1EVF9ST09UX0NBXzIwHQYDVR0OBBYEFEm3xs/oPR9/
 6kR7Eyn38QpwPt5kMB8GA1UdIwQYMBaAFDHDeRu69VPXF+CJei0XbAqzK50zMA4GA1UdDwEB
 /wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgECMA0GCSqGSIb3DQEBBQUAA4IBAQA74Vp3wEgX
 3KkY7IGvWonwvSiSpspZGBJw7Cjy565/lizn8l0ZMfYTK3S9vYCyufdnyTmieTvhERHua3iR
 M347XyYndVNljjNj7s9zw7CSI0khUHUjoR8Y4pSFPT8z6XcgjaK95qGFKUD2P3MyWA0Ja6ba
 hWzAP7uNZmRWJE6uDT8yNQFb6YyC2XJZT7GGhfF0hVblw/hc843uR7NTBXDn5U2KaYMo4RMJ
 hp5eyOpYHgwf+aTUWgRo/Sg+iwK2WLX2oSw3VwBnqyNojWOl75lrXP1LVvarQIc01BGSbOyH
 xQoLBzNytG8MHVQs2FHHzL8w00Ny8TK/jM5JY6gA9/IcMIIFKDCCBBCgAwIBAgIECgyxljAN
 BgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJERTETMBEGA1UEChMKREZOLVZlcmVpbjEQMA4G
 A1UECxMHREZOLVBLSTEkMCIGA1UEAxMbREZOLVZlcmVpbiBQQ0EgR2xvYmFsIC0gRzAxMB4X
 DTA3MDMwNjA5MjczNloXDTE5MDMwNTAwMDAwMFowgZgxCzAJBgNVBAYTAkRFMSowKAYDVQQK
 EyFUZWNobmlzY2hlIFVuaXZlcnNpdGFldCBDbGF1c3RoYWwxFjAUBgNVBAsTDVJlY2hlbnpl
 bnRydW0xHjAcBgNVBAMTFVRVIENsYXVzdGhhbCBDQSAtIEcwMjElMCMGCSqGSIb3DQEJARYW
 cGtpQHJ6LnR1LWNsYXVzdGhhbC5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
 ALiTQIGm718nnhWt8IiMlFmK9AMhGYmhTWZO41XHR4PTg9fvFBULkpqBJzl/U9LwAtDTmvyk
 FQ1+OdWm7qdDJhSiJnNTKZTHXYYG6aTdRLakwYNmB2IZNnNqeEuqS7qJzPZdiebNzRJsh11x
 UUbOlIfA3N8MOLS+Jj2N+R8R05jeLFoSGBAQqDyI9RwbqoLxf8rKlvcAzpJHDEMkA6AYcaNM
 jp6MTfN7xQB+VS6w/0NroT+plTXts+omff1mKfNvVROpC+lKi3jVW8kVU31zrarX+l39vnoI
 hkb6Nb81vguc4P5x/r3EyddaO/3WX2KHAk7mf6ml8tJHTFi5D1XRtakCAwEAAaOCAbUwggGx
 MA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBRi/JK35+3zHzVVW8lD
 31CzXvQQJTAfBgNVHSMEGDAWgBRJt8bP6D0ff+pEexMp9/EKcD7eZDAhBgNVHREEGjAYgRZw
 a2lAcnoudHUtY2xhdXN0aGFsLmRlMIGIBgNVHR8EgYAwfjA9oDugOYY3aHR0cDovL2NkcDEu
 cGNhLmRmbi5kZS9nbG9iYWwtcm9vdC1jYS9wdWIvY3JsL2NhY3JsLmNybDA9oDugOYY3aHR0
 cDovL2NkcDIucGNhLmRmbi5kZS9nbG9iYWwtcm9vdC1jYS9wdWIvY3JsL2NhY3JsLmNybDCB
 ogYIKwYBBQUHAQEEgZUwgZIwRwYIKwYBBQUHMAKGO2h0dHA6Ly9jZHAxLnBjYS5kZm4uZGUv
 Z2xvYmFsLXJvb3QtY2EvcHViL2NhY2VydC9jYWNlcnQuY3J0MEcGCCsGAQUFBzAChjtodHRw
 Oi8vY2RwMi5wY2EuZGZuLmRlL2dsb2JhbC1yb290LWNhL3B1Yi9jYWNlcnQvY2FjZXJ0LmNy
 dDANBgkqhkiG9w0BAQUFAAOCAQEAL1N0jYuGTKeAv4RmqAC+0P+KjwAJjh2gMA/Z4au84EUf
 ana4G4Im2lM8BhuNAEyxKJeU4WWcMMHqBicK1xl2OpxOsEsRb7i++aIHe/+DMqKMdteZUkjw
 XP+H59V1ZgN7DKAXvIguKEYgVsPpNluPJyKX0jeDw+hGxo0RnepZG1Hn7b5HctJQxAjn8Zf3
 VHVMf3oN3NAQ3EnN8G6FOwcoC5JT+baqAS0K/rvhPTAUWvi8S0WRxzBbHK4I/LvKE5mLO9uI
 Akj8r11haKAdpepamqzq4QNKf/UqJB7w2N6Ruve1MwZh90lxelWquWjvtXOJrcL8QzlhfNTB
 u/8nqloIFTCCBYowggRyoAMCAQICBBEMpRgwDQYJKoZIhvcNAQEFBQAwgZgxCzAJBgNVBAYT
 AkRFMSowKAYDVQQKEyFUZWNobmlzY2hlIFVuaXZlcnNpdGFldCBDbGF1c3RoYWwxFjAUBgNV
 BAsTDVJlY2hlbnplbnRydW0xHjAcBgNVBAMTFVRVIENsYXVzdGhhbCBDQSAtIEcwMjElMCMG
 CSqGSIb3DQEJARYWcGtpQHJ6LnR1LWNsYXVzdGhhbC5kZTAeFw0xMDExMjQxNDU2MDhaFw0x
 MzExMjMxNDU2MDhaMFIxCzAJBgNVBAYTAkRFMSowKAYDVQQKEyFUZWNobmlzY2hlIFVuaXZl
 cnNpdGFldCBDbGF1c3RoYWwxFzAVBgNVBAMTDkNocmlzdGlhbiBNYXJnMIIBIjANBgkqhkiG
 9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuhoPQ/hBKDDMjyXqz6cG6G+k5YHGdHfv9gh3w6ncuh5u
 rEJ6/SpcqpiFZxPYRLKd5bsM3cf0ELrAsT7f5UoFuKtyEX4Pn5Ww4N0uj82tlxmlT0No3CAV
 t1Pc7a1juYgV4O63m/igRevZl2u+9AhYJaxqYTOx1BBim7wjx0lQHBTHz26/UueUudakEVnF
 kNelGzQ3oSiIShii3CrSH22uOQ3r7zQ+KakwbqjNV+l/mD3W+QMBhyQvvARPJHkPeGe5HwDo
 6b7zzVDoCGai7EyeGapmdNN8gDfhgTNKDtlLkskSCqUMHDKvT/13dzOjS2iU29Azzk4jTHS5
 n64dZJCrswIDAQABo4ICHzCCAhswCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwKQYDVR0lBCIw
 IAYIKwYBBQUHAwIGCCsGAQUFBwMEBgorBgEEAYI3FAICMB0GA1UdDgQWBBTbwx34N/hSwNmT
 T75NQUtPFcvKsjAfBgNVHSMEGDAWgBRi/JK35+3zHzVVW8lD31CzXvQQJTBZBgNVHREEUjBQ
 gRdtYXJnQHJ6LnR1LWNsYXVzdGhhbC5kZYEeY2hyaXN0aWFuLm1hcmdAdHUtY2xhdXN0aGFs
 LmRlgRVpZmNtYUB0dS1jbGF1c3RoYWwuZGUwgY8GA1UdHwSBhzCBhDBAoD6gPIY6aHR0cDov
 L2NkcDEucGNhLmRmbi5kZS90dS1jbGF1c3RoYWwtY2EvcHViL2NybC9nX2NhY3JsLmNybDBA
 oD6gPIY6aHR0cDovL2NkcDIucGNhLmRmbi5kZS90dS1jbGF1c3RoYWwtY2EvcHViL2NybC9n
 X2NhY3JsLmNybDCBqAYIKwYBBQUHAQEEgZswgZgwSgYIKwYBBQUHMAKGPmh0dHA6Ly9jZHAx
 LnBjYS5kZm4uZGUvdHUtY2xhdXN0aGFsLWNhL3B1Yi9jYWNlcnQvZ19jYWNlcnQuY3J0MEoG
 CCsGAQUFBzAChj5odHRwOi8vY2RwMi5wY2EuZGZuLmRlL3R1LWNsYXVzdGhhbC1jYS9wdWIv
 Y2FjZXJ0L2dfY2FjZXJ0LmNydDANBgkqhkiG9w0BAQUFAAOCAQEAJkHb85tF8rblRsyfYP3A
 d+iFCsrzdPucM289YAxycNCF31ispgj8dwk7qWE6bPtENRgplNN2yYGAGdGdOz9Tq7kzV0Ws
 8gB+PNLXUuLmWK/FbpBDPfVd3tveB8e4ZBLrzM19zVID8n/x7gYvy9BF6cYega2Vb6eZBUt8
 QdgCQJM9KgSzn1ip63o1F1GAyjfs1+/lM0BF+29+3xJUKDqc/DctTgI8rsR/a9eCUGmZVXFY
 0p2i9QbUzjIIHgG8ICuquJ3Nj6EpGzi+GDm/W538D9HI1Vt3lDKiDLz9gjF/aitr0JmCCRQv
 30PwfIGYfEmZwvJotQRkrfu4rUh16B4L2jCCBYowggRyoAMCAQICBBEMpRgwDQYJKoZIhvcN
 AQEFBQAwgZgxCzAJBgNVBAYTAkRFMSowKAYDVQQKEyFUZWNobmlzY2hlIFVuaXZlcnNpdGFl
 dCBDbGF1c3RoYWwxFjAUBgNVBAsTDVJlY2hlbnplbnRydW0xHjAcBgNVBAMTFVRVIENsYXVz
 dGhhbCBDQSAtIEcwMjElMCMGCSqGSIb3DQEJARYWcGtpQHJ6LnR1LWNsYXVzdGhhbC5kZTAe
 Fw0xMDExMjQxNDU2MDhaFw0xMzExMjMxNDU2MDhaMFIxCzAJBgNVBAYTAkRFMSowKAYDVQQK
 EyFUZWNobmlzY2hlIFVuaXZlcnNpdGFldCBDbGF1c3RoYWwxFzAVBgNVBAMTDkNocmlzdGlh
 biBNYXJnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuhoPQ/hBKDDMjyXqz6cG
 6G+k5YHGdHfv9gh3w6ncuh5urEJ6/SpcqpiFZxPYRLKd5bsM3cf0ELrAsT7f5UoFuKtyEX4P
 n5Ww4N0uj82tlxmlT0No3CAVt1Pc7a1juYgV4O63m/igRevZl2u+9AhYJaxqYTOx1BBim7wj
 x0lQHBTHz26/UueUudakEVnFkNelGzQ3oSiIShii3CrSH22uOQ3r7zQ+KakwbqjNV+l/mD3W
 +QMBhyQvvARPJHkPeGe5HwDo6b7zzVDoCGai7EyeGapmdNN8gDfhgTNKDtlLkskSCqUMHDKv
 T/13dzOjS2iU29Azzk4jTHS5n64dZJCrswIDAQABo4ICHzCCAhswCQYDVR0TBAIwADALBgNV
 HQ8EBAMCBeAwKQYDVR0lBCIwIAYIKwYBBQUHAwIGCCsGAQUFBwMEBgorBgEEAYI3FAICMB0G
 A1UdDgQWBBTbwx34N/hSwNmTT75NQUtPFcvKsjAfBgNVHSMEGDAWgBRi/JK35+3zHzVVW8lD
 31CzXvQQJTBZBgNVHREEUjBQgRdtYXJnQHJ6LnR1LWNsYXVzdGhhbC5kZYEeY2hyaXN0aWFu
 Lm1hcmdAdHUtY2xhdXN0aGFsLmRlgRVpZmNtYUB0dS1jbGF1c3RoYWwuZGUwgY8GA1UdHwSB
 hzCBhDBAoD6gPIY6aHR0cDovL2NkcDEucGNhLmRmbi5kZS90dS1jbGF1c3RoYWwtY2EvcHVi
 L2NybC9nX2NhY3JsLmNybDBAoD6gPIY6aHR0cDovL2NkcDIucGNhLmRmbi5kZS90dS1jbGF1
 c3RoYWwtY2EvcHViL2NybC9nX2NhY3JsLmNybDCBqAYIKwYBBQUHAQEEgZswgZgwSgYIKwYB
 BQUHMAKGPmh0dHA6Ly9jZHAxLnBjYS5kZm4uZGUvdHUtY2xhdXN0aGFsLWNhL3B1Yi9jYWNl
 cnQvZ19jYWNlcnQuY3J0MEoGCCsGAQUFBzAChj5odHRwOi8vY2RwMi5wY2EuZGZuLmRlL3R1
 LWNsYXVzdGhhbC1jYS9wdWIvY2FjZXJ0L2dfY2FjZXJ0LmNydDANBgkqhkiG9w0BAQUFAAOC
 AQEAJkHb85tF8rblRsyfYP3Ad+iFCsrzdPucM289YAxycNCF31ispgj8dwk7qWE6bPtENRgp
 lNN2yYGAGdGdOz9Tq7kzV0Ws8gB+PNLXUuLmWK/FbpBDPfVd3tveB8e4ZBLrzM19zVID8n/x
 7gYvy9BF6cYega2Vb6eZBUt8QdgCQJM9KgSzn1ip63o1F1GAyjfs1+/lM0BF+29+3xJUKDqc
 /DctTgI8rsR/a9eCUGmZVXFY0p2i9QbUzjIIHgG8ICuquJ3Nj6EpGzi+GDm/W538D9HI1Vt3
 lDKiDLz9gjF/aitr0JmCCRQv30PwfIGYfEmZwvJotQRkrfu4rUh16B4L2jGCA/cwggPzAgEB
 MIGhMIGYMQswCQYDVQQGEwJERTEqMCgGA1UEChMhVGVjaG5pc2NoZSBVbml2ZXJzaXRhZXQg
 Q2xhdXN0aGFsMRYwFAYDVQQLEw1SZWNoZW56ZW50cnVtMR4wHAYDVQQDExVUVSBDbGF1c3Ro
 YWwgQ0EgLSBHMDIxJTAjBgkqhkiG9w0BCQEWFnBraUByei50dS1jbGF1c3RoYWwuZGUCBBEM
 pRgwCQYFKw4DAhoFAKCCAiowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0B
 CQUxDxcNMTEwNTI2MDgzMDM0WjAjBgkqhkiG9w0BCQQxFgQUaq01jo2xT2bfWt7ATdseU9js
 48EwXwYJKoZIhvcNAQkPMVIwUDALBglghkgBZQMEAQIwCgYIKoZIhvcNAwcwDgYIKoZIhvcN
 AwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEoMIGyBgkrBgEE
 AYI3EAQxgaQwgaEwgZgxCzAJBgNVBAYTAkRFMSowKAYDVQQKEyFUZWNobmlzY2hlIFVuaXZl
 cnNpdGFldCBDbGF1c3RoYWwxFjAUBgNVBAsTDVJlY2hlbnplbnRydW0xHjAcBgNVBAMTFVRV
 IENsYXVzdGhhbCBDQSAtIEcwMjElMCMGCSqGSIb3DQEJARYWcGtpQHJ6LnR1LWNsYXVzdGhh
 bC5kZQIEEQylGDCBtAYLKoZIhvcNAQkQAgsxgaSggaEwgZgxCzAJBgNVBAYTAkRFMSowKAYD
 VQQKEyFUZWNobmlzY2hlIFVuaXZlcnNpdGFldCBDbGF1c3RoYWwxFjAUBgNVBAsTDVJlY2hl
 bnplbnRydW0xHjAcBgNVBAMTFVRVIENsYXVzdGhhbCBDQSAtIEcwMjElMCMGCSqGSIb3DQEJ
 ARYWcGtpQHJ6LnR1LWNsYXVzdGhhbC5kZQIEEQylGDANBgkqhkiG9w0BAQEFAASCAQCzT2WG
 G1v3c0iB+rCmr/F9q2F4rplfyGjTIn5u1xmEWHs8bNbURj1DXGxIg6wUSAR6/qK9EMfQrhkg
 fh3nAcF6DeXl99nqqqLbe10g56RijmZPD5rddiGLDBe3pTEsp6NN6/57NHPzECeSqqJlkAmj
 7Z9amWeRmlFlZCBWlsEJTbgimw5EyHZvetskc6c+TCa7D0E1w3obYg04T1aG/XGYHv1S+Tdd
 T4jBQUYhKN7O1QFYShZBmvBFAbWPxyz4x0TYViqLPRbYFIxJySMNj/9bjKQGC4XXSZn89DIb
 GFsspnLCjFkYFPOf674tw3mxJnI4X8MrLY2HUu22uI3S6e6QAAAAAAAA
 --------------ms020507050700000801060303--
State-Changed-From-To: open->patched 
State-Changed-By: brueffer 
State-Changed-When: Fri Feb 21 00:44:29 CET 2014 
State-Changed-Why:  
Christian's patch seemed to be a good way forward, so I committed it to HEAD. 
Sorry this took so long, some kind of improvement should have been committed 
long ago. 


Responsible-Changed-From-To: freebsd-bugs->brueffer 
Responsible-Changed-By: brueffer 
Responsible-Changed-When: Fri Feb 21 00:44:29 CET 2014 
Responsible-Changed-Why:  
MFC reminder. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=91732 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: conf/91732: commit references a PR
Date: Thu, 20 Feb 2014 23:43:58 +0000 (UTC)

 Author: brueffer
 Date: Thu Feb 20 23:43:49 2014
 New Revision: 262273
 URL: http://svnweb.freebsd.org/changeset/base/262273
 
 Log:
   Further refine the auth fail regex to catch more auth failures and
   reduce false positives.
   
   The committed patch was provided by Christian Marg.
   
   PR:		91732
   Submitted by:	Daniel O'Connor <doconnor at gsoft.com.au>
   		Skye Poier <spoier at gmail.com>
   		Alan Amesbury <amesbury at umn.edu>
   		Christian Marg <marg at rz.tu-clausthal.de>
   MFC after:	1 month
 
 Modified:
   head/etc/periodic/security/800.loginfail
 
 Modified: head/etc/periodic/security/800.loginfail
 ==============================================================================
 --- head/etc/periodic/security/800.loginfail	Thu Feb 20 23:18:30 2014	(r262272)
 +++ head/etc/periodic/security/800.loginfail	Thu Feb 20 23:43:49 2014	(r262273)
 @@ -64,7 +64,7 @@ if check_yesno_period security_status_lo
  then
  	echo ""
  	echo "${host} login failures:"
 -	n=$(catmsgs | egrep -ia "^$yesterday.*: .*(fail|invalid|bad|illegal)" |
 +	n=$(catmsgs | egrep -ia "^$yesterday.*: .*\b(fail(ures?|ed)?|invalid|bad|illegal|auth.*error)\b" |
  	    tee /dev/stderr | wc -l)
  	[ $n -gt 0 ] && rc=1 || rc=0
  fi
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: conf/91732: commit references a PR
Date: Sun, 23 Mar 2014 12:58:52 +0000 (UTC)

 Author: brueffer
 Date: Sun Mar 23 12:58:48 2014
 New Revision: 263661
 URL: http://svnweb.freebsd.org/changeset/base/263661
 
 Log:
   Further refine the auth fail regex to catch more auth failures and
   reduce false positives.
   
   The committed patch was provided by Christian Marg.
   
   PR:		91732
   Submitted by:	Daniel O'Connor <doconnor at gsoft.com.au>
     		Skye Poier <spoier at gmail.com>
     		Alan Amesbury <amesbury at umn.edu>
     		Christian Marg <marg at rz.tu-clausthal.de>
 
 Modified:
   stable/10/etc/periodic/security/800.loginfail
 Directory Properties:
   stable/10/   (props changed)
 
 Modified: stable/10/etc/periodic/security/800.loginfail
 ==============================================================================
 --- stable/10/etc/periodic/security/800.loginfail	Sun Mar 23 12:49:25 2014	(r263660)
 +++ stable/10/etc/periodic/security/800.loginfail	Sun Mar 23 12:58:48 2014	(r263661)
 @@ -64,7 +64,7 @@ if check_yesno_period security_status_lo
  then
  	echo ""
  	echo "${host} login failures:"
 -	n=$(catmsgs | egrep -ia "^$yesterday.*: .*(fail|invalid|bad|illegal)" |
 +	n=$(catmsgs | egrep -ia "^$yesterday.*: .*\b(fail(ures?|ed)?|invalid|bad|illegal|auth.*error)\b" |
  	    tee /dev/stderr | wc -l)
  	[ $n -gt 0 ] && rc=1 || rc=0
  fi
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: conf/91732: commit references a PR
Date: Sun, 23 Mar 2014 13:03:50 +0000 (UTC)

 Author: brueffer
 Date: Sun Mar 23 13:03:46 2014
 New Revision: 263662
 URL: http://svnweb.freebsd.org/changeset/base/263662
 
 Log:
   MFC: r262273
   
   Further refine the auth fail regex to catch more auth failures and
   reduce false positives.
   
   The committed patch was provided by Christian Marg.
   
   PR:		91732
   Submitted by:	Daniel O'Connor <doconnor at gsoft.com.au>
       		Skye Poier <spoier at gmail.com>
       		Alan Amesbury <amesbury at umn.edu>
       		Christian Marg <marg at rz.tu-clausthal.de>
 
 Modified:
   stable/9/etc/periodic/security/800.loginfail
 Directory Properties:
   stable/9/etc/   (props changed)
 
 Modified: stable/9/etc/periodic/security/800.loginfail
 ==============================================================================
 --- stable/9/etc/periodic/security/800.loginfail	Sun Mar 23 12:58:48 2014	(r263661)
 +++ stable/9/etc/periodic/security/800.loginfail	Sun Mar 23 13:03:46 2014	(r263662)
 @@ -59,7 +59,7 @@ case "$daily_status_security_loginfail_e
      [Yy][Ee][Ss])
  	echo ""
  	echo "${host} login failures:"
 -	n=$(catmsgs | egrep -ia "^$yesterday.*: .*(fail|invalid|bad|illegal)" |
 +	n=$(catmsgs | egrep -ia "^$yesterday.*: .*\b(fail(ures?|ed)?|invalid|bad|illegal|auth.*error)\b" |
  	    tee /dev/stderr | wc -l)
  	[ $n -gt 0 ] && rc=1 || rc=0;;
      *)	rc=0;;
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: conf/91732: commit references a PR
Date: Sun, 23 Mar 2014 13:06:31 +0000 (UTC)

 Author: brueffer
 Date: Sun Mar 23 13:06:27 2014
 New Revision: 263663
 URL: http://svnweb.freebsd.org/changeset/base/263663
 
 Log:
   MFC: r262273
   
   Further refine the auth fail regex to catch more auth failures and
   reduce false positives.
   
   The committed patch was provided by Christian Marg.
   
   PR:		91732
   Submitted by:	Daniel O'Connor <doconnor at gsoft.com.au>
         		Skye Poier <spoier at gmail.com>
         		Alan Amesbury <amesbury at umn.edu>
         		Christian Marg <marg at rz.tu-clausthal.de>
 
 Modified:
   stable/8/etc/periodic/security/800.loginfail
 Directory Properties:
   stable/8/etc/   (props changed)
 
 Modified: stable/8/etc/periodic/security/800.loginfail
 ==============================================================================
 --- stable/8/etc/periodic/security/800.loginfail	Sun Mar 23 13:03:46 2014	(r263662)
 +++ stable/8/etc/periodic/security/800.loginfail	Sun Mar 23 13:06:27 2014	(r263663)
 @@ -59,7 +59,7 @@ case "$daily_status_security_loginfail_e
      [Yy][Ee][Ss])
  	echo ""
  	echo "${host} login failures:"
 -	n=$(catmsgs | egrep -ia "^$yesterday.*: .*(fail|invalid|bad|illegal)" |
 +	n=$(catmsgs | egrep -ia "^$yesterday.*: .*\b(fail(ures?|ed)?|invalid|bad|illegal|auth.*error)\b" |
  	    tee /dev/stderr | wc -l)
  	[ $n -gt 0 ] && rc=1 || rc=0;;
      *)	rc=0;;
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: patched->closed 
State-Changed-By: brueffer 
State-Changed-When: Sun Mar 23 14:12:34 CET 2014 
State-Changed-Why:  
Merge to stable branches done. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=91732 
>Unformatted:
