Package: logcheck
Version: 1.3.19
Severity: wishlist
Hi,
I've a server in a Windows environment. So,
it uses sssd to authenticate against an AD, and
all usernames are of the form login@domain.
I cannot suppress the domain, as a second
(independent) ldap identity provider is also used
(leading to users of the form login@domain2)
And some window logins (service accounts)
must (site policy) start with "!".
It means that all logcheck rules involving
a user name (cron, ...) do not filter anything
anymore on my server. But, as my case is
pretty special, I do not think it would be
a good think to change all rules (at least
for "!", the "@" can become useful with the
spread of sssd use)
Of course, I can fix that locally, rewriting
(duplicating) all existing logcheck rules with
a patch for user names. But I was thinking to
fix that more widely. Hence this bug report
to discuss this proposal. I'm ready to try to
implement it if we agree on it.
The idea would be to add some kind of
variables to logcheck rules that the admin
can tweek for its particular environment.
So, I was thinking to a file with variable
definitions such as:
HOSTNAME=[._[:alnum:]-]+
TIMESTAMP=\w{3} [ :0-9]{11}
USER=[_[:alnum:]-]+
# if we allow variable recursion:
STARTLOG=^@TIMESTAMP@ @HOSTNAME@
and then, taking cron as a example, replace the line
@STARTLOG@ (/USR/SBIN/)?CRON\[[0-9]+\]: \(@USER@\) CMD \(.*\)$
Then logcheck would transform such a line to
(^(\w{3} [ :0-9]{11}) ([._[:alnum:]-]+)) (/USR/SBIN/)?CRON\[[0-9]+\]:
\(([_[:alnum:]-]+)\) CMD \(.*\)$
I would add () around each variable substitution
to avoid strange effect of replacement. It means
that a variable would only be allowed to
contain a correct regexp, not a part of it.
Ie:
FOO=[a-
BAR=z]
would not be allowed (to build @FOO@@BAR@)
If you think the overall goal in interesting,
I've several questions:
- which syntax for variables (definition and use)
- at which time would logcheck interpret the
variables (ie a compile time to generate
a current set of rules files, or at each
invocation time?)
In any case, having a way to generate
an old-style rule files set would allow
to use new-style rule files with an old
logcheck daemon
- would it be allowed to change a variable
value for a specific rule file (for example
have a directory with config files only used
if their name match the rule file name)?
- a package maintainer should be allowed to
provide a new default value for a variable
to be used only if the variable is not
globally set (for example with a special
comment in the rule file such as:
## LOGCHECK:IFACE=eth[0-9]
)
logcheck would the provide by default
a list of default values for standardized
parts of rules (hostname, username,
network interface name, ...)
So, I'm waiting for feedback before
starting the implementation.
Regards,
Vincent
-- System Information:
Debian Release: buster/sid
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'),
(500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel, mipsel
Kernel: Linux 4.19.0-rc7-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8),
LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages logcheck depends on:
ii adduser 3.118
ii cron [cron-daemon] 3.0pl1-130
ii lockfile-progs 0.1.18
ii logtail 1.3.19
ii mime-construct 1.11+nmu2
ii postfix [mail-transport-agent] 3.3.0-1+b1
ii rsyslog [system-log-daemon] 8.38.0-1+b1
Versions of packages logcheck recommends:
ii logcheck-database 1.3.19
Versions of packages logcheck suggests:
pn syslog-summary <none>
-- Configuration Files:
/etc/logcheck/logcheck.conf [Errno 13] Permission non accordée:
'/etc/logcheck/logcheck.conf'
/etc/logcheck/logcheck.logfiles [Errno 13] Permission non accordée:
'/etc/logcheck/logcheck.logfiles'
-- no debconf information
