Bug 83097 - some important services are not being monitored
Status: CLOSED WONTFIX
Product: Red Hat Linux
Classification: Retired
Component: logwatch
Version: 8.0
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Elliot Lee
Keywords: Security
Reported: 2003-01-30 03:00 EST by Thomas M Steenholdt
Modified: 2008-05-01 11:38 EDT
Doc Type: Bug Fix
Last Closed: 2003-02-19 18:01:37 EST

Description Thomas M Steenholdt 2003-01-30 03:00:52 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3a) Gecko/20021212

Description of problem:
I have been fiddling about for some time, trying to figure out what it took to
make logwatch report stuff like failed root logins, failed logins with unknown
usernames and failed user logins.

As it turns out, it seems that the service logged in messages, pam_unix does not
have a conf/script on the RedHat 8.0 version of logwatch.

Quickly I turned to my Phoebe box to see how everything looked there and in
respect of supporting services, things looked very promising... Phoebe has, to
name a few; pam_unix, disk_space, raid. All modules that the Red Hat 8.0 version
does not have and that I think are actually critical!

Especially pam_unix, as currently, watching the mails sent from logwatch will
not alert you if someone is trying to bruteforce your root account for instance.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. login as root, but type a bad password
2. login as an unknown user khklj(?) with any password
3. make an ssh connection to the machine as root, and type a bad password
4. run logwatch --range today --print
    

Actual Results:  Nothing regarding all the failed login attempts is reported

Expected Results:  All the failed login attempts should be reported

Additional info:
Comment 1 Scott R. Godin 2003-02-05 22:47:51 EST
Additionally: 

/etc/log.d/conf/logwatch.conf
/etc/log.d/logwatch.conf

so, which one is the correct one to edit? they are both exactly the same. :P
Comment 2 Elliot Lee 2003-02-19 18:01:37 EST
This isn't near the level of urgency it would need for us to release an 8.0
logwatch errata, especially since you can take the Phoebe logwatch and install it
on 8.0 very easily.

As far as logwatch.conf, /etc/log.d/logwatch.conf is a symlink to
/etc/log.d/conf/logwatch.conf
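
The kind of check the missing pam_unix filter provides, sketched as an added example that is not part of the original report and is not logwatch's own code: it tallies the failed logins produced by the three reproduction steps above. The log lines are constructed and assume the service(pam_unix)[pid]: syslog message format; the function names summarize and report are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the "service(pam_unix)[pid]:" syslog
# format (an assumption); host name, PIDs and addresses are made up.
SAMPLE_LOG = """\
Jan 30 03:01:12 host1 login(pam_unix)[1234]: authentication failure; logname= uid=0 euid=0 tty=tty1 ruser= rhost=  user=root
Jan 30 03:01:30 host1 login(pam_unix)[1234]: check pass; user unknown
Jan 30 03:01:31 host1 login(pam_unix)[1234]: authentication failure; logname= uid=0 euid=0 tty=tty1 ruser= rhost=
Jan 30 03:02:10 host1 sshd(pam_unix)[1300]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10  user=root
Jan 30 03:05:00 host1 sshd(pam_unix)[1310]: session opened for user tms by (uid=0)
"""

# Syslog prefix, then the calling service, then the pam_unix message text.
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ (?P<svc>[\w.-]+)\(pam_unix\)\[\d+\]: (?P<msg>.*)$")
FIELD = re.compile(r"(\w+)=(\S*)")  # key=value pairs; the value may be empty

def summarize(log_text):
    """Count pam_unix failures per (service, user, rhost) and unknown-user checks."""
    failures, unknown = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a pam_unix line
        svc, msg = m.group("svc"), m.group("msg")
        if msg.startswith("authentication failure;"):
            f = dict(FIELD.findall(msg))
            # A missing user= field means the account name was not recognised.
            key = (svc, f.get("user") or "(unknown)", f.get("rhost") or "local")
            failures[key] += 1
        elif msg.startswith("check pass; user unknown"):
            unknown[svc] += 1
    return failures, unknown

def report(log_text):
    """Render the counts as a short text report, flagging attempts on root."""
    failures, unknown = summarize(log_text)
    out = ["Failed logins:"]
    for (svc, user, rhost), n in sorted(failures.items()):
        flag = "  <== root" if user == "root" else ""
        out.append(f"  {svc}: user={user} from={rhost}: {n} time(s){flag}")
    out += [f"  {svc}: unknown user name: {n} time(s)" for svc, n in sorted(unknown.items())]
    return "\n".join(out)

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```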
