From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3a) Gecko/20021212

Description of problem:
I have been fiddling about for some time, trying to figure out what it took to make logwatch report stuff like failed root logins, failed logins with unknown usernames and failed user logins. As it turns out, it seems that the service logged in messages, pam_unix, does not have a conf/script on the Red Hat 8.0 version of logwatch. Quickly I turned to my Phoebe box to see how everything looked there and in respect of supporting services, things looked very promising... Phoebe has, to name a few: pam_unix, disk_space, raid. All modules that the Red Hat 8.0 version does not have and that I think are actually critical! Especially pam_unix, as currently, watching the mails sent from logwatch will not alert you if someone is trying to brute-force your root account, for instance.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Log in as root, but type a bad password
2. Log in as an unknown user khklj(?) with any password
3. Make an ssh connection to the machine as root, and type a bad password
4. Run logwatch --range today --print

Actual Results: Nothing regarding all the failed login attempts is reported

Expected Results: All the failed login attempts should be reported

Additional info:
Additionally:
/etc/log.d/conf/logwatch.conf
/etc/log.d/logwatch.conf
So, which one is the correct one to edit? They are both exactly the same. :P
This isn't near the level of urgency it would need for us to release an 8.0 logwatch errata, especially since you can take the Phoebe logwatch and install it on 8.0 very easily. As far as logwatch.conf, /etc/log.d/logwatch.conf is a symlink to /etc/log.d/conf/logwatch.conf.