Bug 846725 - logwatch pam_unix service script drops digit from IP address
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: logwatch
Version: 17
Hardware: All
OS: Linux
Priority: unspecified
Severity: low
Assigned To: Jan Synacek
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-08-08 10:19 EDT by Gilles Detillieux
Modified: 2012-12-20 11:04 EST
Doc Type: Bug Fix
Last Closed: 2012-12-20 11:04:03 EST
Type: Bug

Attachments
Patch to pam_unix service script to match trailing spaces in authentication failure log entries (801 bytes, patch)
2012-08-08 10:19 EDT, Gilles Detillieux

Description Gilles Detillieux 2012-08-08 10:19:22 EDT
Created attachment 603048
Patch to pam_unix service script to match trailing spaces in authentication failure log entries

Description of problem:
logwatch drops last digit from IP address in some pam_unix authentication failure log entries.

Version-Release number of selected component (if applicable):
7.4.0-13.20120619svn110.fc17

How reproducible:
Fairly consistently, given PAM authentication failures with an unknown user name.

Steps to Reproduce:
1. Wait for someone to try unsuccessfully to log in, using an invalid user name.
2. Run "logwatch" or allow it to run from its cron job.
3. Look at authentication failures in pam_unix section and compare to log entries for the day.
  
Actual results:
 --------------------- pam_unix Begin ------------------------ 

 sshd:
    Authentication Failures:
       unknown (58.251.161.44): 232 Time(s)
       unknown (58.251.161.4): 109 Time(s)
    Invalid Users:
       Unknown Account: 341 Time(s)
    Unknown Entries:
       service(sshd) ignoring max retries; 4 > 3: 39 Time(s)
 
 
 ---------------------- pam_unix End ------------------------- 


Expected results:
 --------------------- pam_unix Begin ------------------------ 

 sshd:
    Authentication Failures:
       unknown (58.251.161.44): 341 Time(s)
    Invalid Users:
       Unknown Account: 341 Time(s)
    Unknown Entries:
       service(sshd) ignoring max retries; 4 > 3: 39 Time(s)
 
 
 ---------------------- pam_unix End ------------------------- 



Additional info:
The format for log entries like the following has changed recently:
Aug  7 23:50:46 gilles sshd[4105]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.251.161.44

When the rhost=IP part was not followed by a user=name part (i.e. when the user name was unknown), the log entry used to consistently have a single space after the IP address, and logwatch simple-mindedly expected, and dropped, that single character from the entry.  Recently, these log entries no longer have the trailing space, so the pam_unix script's regular expression should be changed to match and drop zero or more trailing spaces, rather than any single character.  See attached patch.
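
The parsing behaviour described in the report above, reproduced in Python as an added example; it is not logwatch's own Perl code and not the attached patch. The two patterns are assumed stand-ins for "drop any single character" and "drop zero or more trailing spaces", and the log lines are constructed from the entry quoted in the report.

```python
import re
from collections import Counter

PREFIX = ("Aug  7 23:50:46 gilles sshd[4105]: pam_unix(sshd:auth): "
          "authentication failure; logname= uid=0 euid=0 tty=ssh ruser= ")

# Constructed sample: the same host logged with a trailing space (old format),
# without one (new format), and followed by a user= field.
SAMPLE = (
    [PREFIX + "rhost=58.251.161.44 "] * 3
    + [PREFIX + "rhost=58.251.161.44"] * 2
    + [PREFIX + "rhost=58.251.161.44  user=root"]
)

# Assumed stand-in for the old behaviour: always consume one character after
# the host, whatever that character is.
BUGGY = re.compile(
    r"authentication failure;.* rhost=(?P<host>\S+).(?:\s*user=(?P<user>\S+))?$")

# Behaviour the report asks for: consume zero or more trailing spaces.
FIXED = re.compile(
    r"authentication failure;.* rhost=(?P<host>\S+)\s*(?:user=(?P<user>\S+))?\s*$")


def tally(lines, pattern):
    """Count failures per (user, rhost), like the pam_unix summary."""
    counts = Counter()
    for line in lines:
        m = pattern.search(line)
        if m:
            counts[(m.group("user") or "unknown", m.group("host"))] += 1
    return counts


if __name__ == "__main__":
    for name, pattern in (("buggy", BUGGY), ("fixed", FIXED)):
        print(name)
        for (user, host), n in sorted(tally(SAMPLE, pattern).items()):
            print(f"   {user} ({host}): {n} Time(s)")
```

The truncated value is still a well-formed address, so validating the captured host would not catch the error: the summary splits one source's failures across two addresses and attributes part of them to a host that never connected.
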
Comment 1 Jan Synacek 2012-09-27 08:16:24 EDT
Thanks for the patch!

Pushed to rawhide:

http://lists.fedoraproject.org/pipermail/scm-commits/2012-September/869452.html
Comment 2 Fedora Update System 2012-10-01 02:33:31 EDT
logwatch-7.4.0-17.20120619svn110.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/logwatch-7.4.0-17.20120619svn110.fc18
Comment 3 Fedora Update System 2012-10-01 16:13:00 EDT
Package logwatch-7.4.0-17.20120619svn110.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing logwatch-7.4.0-17.20120619svn110.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-15170/logwatch-7.4.0-17.20120619svn110.fc18
then log in and leave karma (feedback).
Comment 4 Fedora Update System 2012-12-20 11:04:05 EST
logwatch-7.4.0-17.20120619svn110.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
