Bug 83097 - some important services are not being monitored
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: logwatch
Version: 8.0
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Elliot Lee
Reported: 2003-01-30 08:00 UTC by Thomas M Steenholdt
Modified: 2008-05-01 15:38 UTC (History)

Last Closed: 2003-02-19 23:01:37 UTC

Description Thomas M Steenholdt 2003-01-30 08:00:52 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3a) Gecko/20021212

Description of problem:
I have been fiddling about for some time, trying to figure out what it took to
make logwatch report stuff like failed root logins, failed logins with unknown
usernames and failed user logins.

As it turns out, it seems that the service logged in messages, pam_unix, does not
have a conf/script on the Red Hat 8.0 version of logwatch.

Quickly I turned to my Phoebe box to see how everything looked there and in
respect of supporting services, things looked very promising... Phoebe has, to
name a few: pam_unix, disk_space, raid. All modules that the Red Hat 8.0 version
does not have and that I think are actually critical!

Especially pam_unix, as currently, watching the mails sent from logwatch will
not alert you if someone is trying to bruteforce your root account for instance.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. login as root, but type a bad password
2. login as an unknown user khklj(?) with any password
3. make an ssh connection to the machine as root, and type a bad password
4. run logwatch --range today --print
    

Actual Results:  Nothing regarding all the failed login attempts is reported

Expected Results:  All the failed login attempts should be reported

Additional info:
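
The check the report asks for, as an added example that is not part of the bug report and is not logwatch's own pam_unix script: it counts pam_unix authentication failures per service, user and remote host. The `service(pam_unix)[pid]:` line layout, the sample lines and the function names are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample lines (not taken from the bug report), in the assumed
# "service(pam_unix)[pid]: message" syslog layout.
SAMPLE_LOG = """\
Jan 30 08:51:02 host1 login(pam_unix)[1201]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=root
Jan 30 08:52:10 host1 login(pam_unix)[1201]: check pass; user unknown
Jan 30 08:52:10 host1 login(pam_unix)[1201]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=
Jan 30 08:53:44 host1 sshd(pam_unix)[1310]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10  user=root
Jan 30 08:54:00 host1 sshd(pam_unix)[1322]: session opened for user tms by (uid=0)
Jan 30 08:55:00 host1 crond[1400]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(r"(?P<service>[\w.-]+)\(pam_unix\)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")  # key=value pairs; the value may be empty


def summarize_failures(text):
    """Count pam_unix authentication failures per (service, user, rhost)."""
    failures = Counter()
    unknown = set()  # (service, pid) pairs that just logged "user unknown"
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a pam_unix line
        key = (m["service"], m["pid"])
        msg = m["msg"]
        if msg.startswith("check pass; user unknown"):
            unknown.add(key)
        elif msg.startswith("authentication failure;"):
            fields = dict(KV_RE.findall(msg))
            user = fields.get("user")
            if not user:
                # No user= field: label it from the preceding "user unknown" line.
                user = "(unknown user)" if key in unknown else "(unspecified)"
            unknown.discard(key)
            failures[(m["service"], user, fields.get("rhost") or "local")] += 1
    return failures


def root_failures(failures):
    """Total failed attempts against the root account, across all services."""
    return sum(n for (_, user, _), n in failures.items() if user == "root")


if __name__ == "__main__":
    for (service, user, rhost), n in sorted(summarize_failures(SAMPLE_LOG).items()):
        print(f"{service}: {n} failure(s) for {user} from {rhost}")
```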

Comment 1 Scott R. Godin 2003-02-06 03:47:51 UTC
Additionally: 

/etc/log.d/conf/logwatch.conf
/etc/log.d/logwatch.conf

so, which one is the correct one to edit? they are both exactly the same. :P

Comment 2 Elliot Lee 2003-02-19 23:01:37 UTC
This isn't near the level of urgency it would need for us to release an 8.0
logwatch errata, especially since you can take the Phoebe logwatch and install it
on 8.0 very easily.

As far as logwatch.conf, /etc/log.d/logwatch.conf is a symlink to
/etc/log.d/conf/logwatch.conf

