/etc/periodic/security/800.loginfail uses a simplistic grep expression to find relevant log messages. Unfortunately it misses some things that it shouldn't and shows others that are superfluous. E.g. sasl-auth login failures don't show up, but sshd warnings about non-matching forward/reverse lookups are.
I noticed the same problem; although I was primarily worried about not seeing ssh login failures in the security report. I discovered it was because "fail" no longer appears in the auth.log line on my FreeBSD 6.1 installation:

Aug 11 08:39:20 hostname sshd[48839]: error: PAM: authentication error for someuser from somewhere.pacbell.net

I simply modified the grep in 800.loginfail to read:

n=$(catmsgs | grep -ia "^$yesterday.*\(fail\|authentication error\)" | tee /dev/stderr | wc -l)
Although it's been a few years since Daniel O'Connor submitted his bug report, it looks like this problem hasn't yet been fixed. I've also run into problems with the simplistic expression used by 'egrep' in 800.loginfail, and have come up with my own correction (patch attached) to correct for it based on a minimal approach to change. In my case the simplistic nature of the regexp is causing it to match hashes that are also being placed in the logs that 800.loginfail examines. Thus it matches on things like

Mar 17 00:07:29 [REDACTED] [REDACTED][25063]: sha256: 9e0e0cb645a4cfabadc402fd7e6a38b297b04ac90fa3d4acdc14f027facbb5e7

because that hash happens to have the sequence "bad" in it. PR conf/120263 seems related to this. What can I do to help get this patched in -CURRENT and MFC'ed back to 8.0-RELEASE?

--
Alan Amesbury
OIT Security and Assurance
University of Minnesota
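The two reports above describe opposite defects in the same egrep: the PAM "authentication error" line that contains no "fail" is missed, while a hex hash containing "bad" is counted. The script below is an added example, not part of the PR or of FreeBSD's 800.loginfail; it runs the original pattern and the pattern committed in r262273 over constructed log lines (host names, PIDs and the non-sshd messages are made up, the hash is the one quoted above) and reports which lines each one counts.

```shell
#!/bin/sh
# Added example, not FreeBSD's 800.loginfail: run the original and the
# committed (r262273) egrep patterns over constructed log lines and show
# which lines each pattern counts. Names and PIDs are made up.
yesterday="Mar 17"

# Constructed sample of "yesterday's" log lines:
#  1 PAM "authentication error" with no "fail" anywhere (the false negative)
#  2 a sha256 hash that happens to contain "bad" (the false positive)
#  3 an ordinary sshd failure that any pattern must catch
#  4 an unrelated line that must never count
#  5 "failing" as a substring, which only the old unanchored "fail" matches
sample_log() {
    cat <<'EOF'
Mar 17 08:39:20 host sshd[48839]: error: PAM: authentication error for someuser from somewhere.example
Mar 17 00:07:29 host checker[25063]: sha256: 9e0e0cb645a4cfabadc402fd7e6a38b297b04ac90fa3d4acdc14f027facbb5e7
Mar 17 09:10:11 host sshd[48900]: Failed password for invalid user test from 192.0.2.10 port 5555 ssh2
Mar 17 10:00:00 host cron[1]: (root) CMD (/usr/libexec/save-entropy)
Mar 17 11:00:00 host named[2]: zone transfer failing for example.net
EOF
}

# The two patterns exactly as they appear on either side of the r262273 diff.
# \b is a GNU extension to POSIX ERE, so this needs a grep that understands it.
old_pattern="^$yesterday.*: .*(fail|invalid|bad|illegal)"
new_pattern="^$yesterday.*: .*\b(fail(ures?|ed)?|invalid|bad|illegal|auth.*error)\b"

# count_matches PATTERN: the script's own pipeline without the tee to stderr.
count_matches() {
    sample_log | grep -Eia -- "$1" | wc -l | tr -d ' '
}

# matching_lines PATTERN: the 1-based numbers of the sample lines that match.
matching_lines() {
    sample_log | grep -Eian -- "$1" | cut -d: -f1 | xargs
}

echo "old pattern counts $(count_matches "$old_pattern"): lines $(matching_lines "$old_pattern")"
echo "new pattern counts $(count_matches "$new_pattern"): lines $(matching_lines "$new_pattern")"
```

Line 5 shows the cost of the word-boundary fix: the tightened pattern drops substrings such as "failing" that the old pattern counted.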
Author: brueffer Date: Thu Feb 20 23:43:49 2014 New Revision: 262273 URL: http://svnweb.freebsd.org/changeset/base/262273 Log: Further refine the auth fail regex to catch more auth failures and reduce false positives. The committed patch was provided by Christian Marg. PR: 91732 Submitted by: Daniel O'Connor <doconnor at gsoft.com.au> Skye Poier <spoier at gmail.com> Alan Amesbury <amesbury at umn.edu> Christian Marg <marg at rz.tu-clausthal.de> MFC after: 1 month Modified: head/etc/periodic/security/800.loginfail Modified: head/etc/periodic/security/800.loginfail ============================================================================== --- head/etc/periodic/security/800.loginfail Thu Feb 20 23:18:30 2014 (r262272) +++ head/etc/periodic/security/800.loginfail Thu Feb 20 23:43:49 2014 (r262273) @@ -64,7 +64,7 @@ if check_yesno_period security_status_lo then echo "" echo "${host} login failures:" - n=$(catmsgs | egrep -ia "^$yesterday.*: .*(fail|invalid|bad|illegal)" | + n=$(catmsgs | egrep -ia "^$yesterday.*: .*\b(fail(ures?|ed)?|invalid|bad|illegal|auth.*error)\b" | tee /dev/stderr | wc -l) [ $n -gt 0 ] && rc=1 || rc=0 fi _______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
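Review bot: the added \b anchors are a GNU regex extension rather than POSIX ERE, so the "n=$(catmsgs | egrep -ia ..." line will silently count nothing on a branch whose base egrep does not honour them; confirm that on each MFC target before merging. The tightened pattern also changes what is counted in both directions and the log message should say so: "\bbad\b" no longer fires inside a hex hash, as Alan's report wanted, but substrings the old unanchored "fail" caught (for example "failing") are now dropped, and "auth.*error" is greedy over the rest of the line, so any message with "auth" followed anywhere later by "error" counts. Nothing in the hunk excludes the sshd reverse-lookup warnings from the first report either; if they matched before on one of the kept words they still will, and a "grep -v" stage after the egrep would be the place to filter them.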
State Changed From-To: open->patched Christian's patch seemed to be a good way forward, so I committed it to HEAD. Sorry this took so long, some kind of improvement should have been committed long ago.
Responsible Changed From-To: freebsd-bugs->brueffer MFC reminder.
Author: brueffer Date: Sun Mar 23 12:58:48 2014 New Revision: 263661 URL: http://svnweb.freebsd.org/changeset/base/263661 Log: Further refine the auth fail regex to catch more auth failures and reduce false positives. The committed patch was provided by Christian Marg. PR: 91732 Submitted by: Daniel O'Connor <doconnor at gsoft.com.au> Skye Poier <spoier at gmail.com> Alan Amesbury <amesbury at umn.edu> Christian Marg <marg at rz.tu-clausthal.de> Modified: stable/10/etc/periodic/security/800.loginfail Directory Properties: stable/10/ (props changed) Modified: stable/10/etc/periodic/security/800.loginfail ============================================================================== --- stable/10/etc/periodic/security/800.loginfail Sun Mar 23 12:49:25 2014 (r263660) +++ stable/10/etc/periodic/security/800.loginfail Sun Mar 23 12:58:48 2014 (r263661) @@ -64,7 +64,7 @@ if check_yesno_period security_status_lo then echo "" echo "${host} login failures:" - n=$(catmsgs | egrep -ia "^$yesterday.*: .*(fail|invalid|bad|illegal)" | + n=$(catmsgs | egrep -ia "^$yesterday.*: .*\b(fail(ures?|ed)?|invalid|bad|illegal|auth.*error)\b" | tee /dev/stderr | wc -l) [ $n -gt 0 ] && rc=1 || rc=0 fi _______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
Author: brueffer Date: Sun Mar 23 13:03:46 2014 New Revision: 263662 URL: http://svnweb.freebsd.org/changeset/base/263662 Log: MFC: r262273 Further refine the auth fail regex to catch more auth failures and reduce false positives. The committed patch was provided by Christian Marg. PR: 91732 Submitted by: Daniel O'Connor <doconnor at gsoft.com.au> Skye Poier <spoier at gmail.com> Alan Amesbury <amesbury at umn.edu> Christian Marg <marg at rz.tu-clausthal.de> Modified: stable/9/etc/periodic/security/800.loginfail Directory Properties: stable/9/etc/ (props changed) Modified: stable/9/etc/periodic/security/800.loginfail ============================================================================== --- stable/9/etc/periodic/security/800.loginfail Sun Mar 23 12:58:48 2014 (r263661) +++ stable/9/etc/periodic/security/800.loginfail Sun Mar 23 13:03:46 2014 (r263662) @@ -59,7 +59,7 @@ case "$daily_status_security_loginfail_e [Yy][Ee][Ss]) echo "" echo "${host} login failures:" - n=$(catmsgs | egrep -ia "^$yesterday.*: .*(fail|invalid|bad|illegal)" | + n=$(catmsgs | egrep -ia "^$yesterday.*: .*\b(fail(ures?|ed)?|invalid|bad|illegal|auth.*error)\b" | tee /dev/stderr | wc -l) [ $n -gt 0 ] && rc=1 || rc=0;; *) rc=0;; _______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
Author: brueffer Date: Sun Mar 23 13:06:27 2014 New Revision: 263663 URL: http://svnweb.freebsd.org/changeset/base/263663 Log: MFC: r262273 Further refine the auth fail regex to catch more auth failures and reduce false positives. The committed patch was provided by Christian Marg. PR: 91732 Submitted by: Daniel O'Connor <doconnor at gsoft.com.au> Skye Poier <spoier at gmail.com> Alan Amesbury <amesbury at umn.edu> Christian Marg <marg at rz.tu-clausthal.de> Modified: stable/8/etc/periodic/security/800.loginfail Directory Properties: stable/8/etc/ (props changed) Modified: stable/8/etc/periodic/security/800.loginfail ============================================================================== --- stable/8/etc/periodic/security/800.loginfail Sun Mar 23 13:03:46 2014 (r263662) +++ stable/8/etc/periodic/security/800.loginfail Sun Mar 23 13:06:27 2014 (r263663) @@ -59,7 +59,7 @@ case "$daily_status_security_loginfail_e [Yy][Ee][Ss]) echo "" echo "${host} login failures:" - n=$(catmsgs | egrep -ia "^$yesterday.*: .*(fail|invalid|bad|illegal)" | + n=$(catmsgs | egrep -ia "^$yesterday.*: .*\b(fail(ures?|ed)?|invalid|bad|illegal|auth.*error)\b" | tee /dev/stderr | wc -l) [ $n -gt 0 ] && rc=1 || rc=0;; *) rc=0;; _______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
State Changed From-To: patched->closed Merge to stable branches done.