Bug 846725 - logwatch pam_unix service script drops digit from IP address
Summary: logwatch pam_unix service script drops digit from IP address
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: logwatch
Version: 17
Hardware: All
OS: Linux
unspecified
low
Target Milestone: ---
Assignee: Jan Synacek
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-08-08 14:19 UTC by Gilles Detillieux
Modified: 2012-12-20 16:04 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-12-20 16:04:03 UTC
Type: Bug


Attachments (Terms of Use)
Patch to pam_unix service script to match trailing spaces in authentication failure log entries (801 bytes, patch)
2012-08-08 14:19 UTC, Gilles Detillieux
no flags Details | Diff

Description Gilles Detillieux 2012-08-08 14:19:22 UTC
Created attachment 603048 [details]
Patch to pam_unix service script to match trailing spaces in authentication failure log entries

Description of problem:
logwatch drops last digit from IP address in some pam_unix authentication failure log entries.

Version-Release number of selected component (if applicable):
7.4.0-13.20120619svn110.fc17

How reproducible:
Fairly consistently, given PAM authentication failures with an unknown user name.

Steps to Reproduce:
1. Wait for someone to try unsuccessfully to login, using an invalid user name.
2. Run "logwatch" or allow it to run from its cron job.
3. Look at authentication failures in pam_unix section and compare to log entries for the day.
  
Actual results:
 --------------------- pam_unix Begin ------------------------ 

 sshd:
    Authentication Failures:
       unknown (58.251.161.44): 232 Time(s)
       unknown (58.251.161.4): 109 Time(s)
    Invalid Users:
       Unknown Account: 341 Time(s)
    Unknown Entries:
       service(sshd) ignoring max retries; 4 > 3: 39 Time(s)
 
 
 ---------------------- pam_unix End ------------------------- 


Expected results:
 --------------------- pam_unix Begin ------------------------ 

 sshd:
    Authentication Failures:
       unknown (58.251.161.44): 341 Time(s)
    Invalid Users:
       Unknown Account: 341 Time(s)
    Unknown Entries:
       service(sshd) ignoring max retries; 4 > 3: 39 Time(s)
 
 
 ---------------------- pam_unix End ------------------------- 



Additional info:
The format for log entries like the following has changed recently:
Aug  7 23:50:46 gilles sshd[4105]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.251.161.44

When the rhost=IP part was not followed by a user=name part (i.e. when the user name was unknown), the log entry used to consistently have a single space after the IP address, and logwatch simple-mindedly expected, and dropped, that single character from the entry.  Recently, these log entries no longer have the trailing space, so the pam_unix script's regular expression should be changed to match and drop zero or more trailing spaces, rather than any single character.  See attached patch.

Comment 1 Jan Synacek 2012-09-27 12:16:24 UTC
Thanks for the patch!

Pushed to rawhide:

http://lists.fedoraproject.org/pipermail/scm-commits/2012-September/869452.html

Comment 2 Fedora Update System 2012-10-01 06:33:31 UTC
logwatch-7.4.0-17.20120619svn110.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/logwatch-7.4.0-17.20120619svn110.fc18

Comment 3 Fedora Update System 2012-10-01 20:13:00 UTC
Package logwatch-7.4.0-17.20120619svn110.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing logwatch-7.4.0-17.20120619svn110.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-15170/logwatch-7.4.0-17.20120619svn110.fc18
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2012-12-20 16:04:05 UTC
logwatch-7.4.0-17.20120619svn110.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.