Package: logcheck-database
Version: 1.3.23
Severity: normal
Tags: patch

Dear Maintainer,

Running logcheck on testing/bullseye with reportlevel workstation, it reports various messages that would be screened out except that the package name includes a "-". Here's a sample of some of the lines that are reported (as "system events"):

May 10 10:17:30 debtest systemd[1]: Starting Daily apt-listbugs preferences cleanup...
May 10 10:17:30 debtest systemd[1]: Starting exim4-base housekeeping...
May 10 10:17:30 debtest systemd[1]: Starting Daily man-db regeneration.

The first one led me to report Bug #987839 (cc'd in this report) against apt-listbugs, which led to discovering this more general problem.

In particular, the current pattern

^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: (Starting|Stopping) [ +[:alnum:]/]+\.(\.\.)?$

in ignore.d.server/systemd fails to match these items because [ +[:alnum:]/]+ will not match a "-". I believe it should be [- +[:alnum:]/]+ or possibly even [-_ +[:alnum:]/]+ or just .+

Taking the intermediate possibility gives

^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: (Starting|Stopping) [-_ +[:alnum:]/]+\.(\.\.)?$

The first 3 rules in the current file all use the same pattern and probably need the same rewrite:

^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: (Started|Reached|Stopped) target [ +[:alnum:]]+\.$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: (Starting|Stopping) [ +[:alnum:]/]+\.(\.\.)?$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: (Start|Stopp)ed [ +[:alnum:]/]+\.$

A related issue is that the patterns also fail to match various "Finished" messages. It seems to me that if you are going to ignore the starting messages, you should ignore the finishing ones as well. Sample log entries reported:

May 10 10:17:30 debtest systemd[1]: Finished Discard unused blocks on filesystems from /etc/fstab.
May 10 10:17:30 debtest systemd[1]: Finished exim4-base housekeeping.
May 10 10:17:31 debtest systemd[1]: Finished Daily apt-listbugs preferences cleanup.

Currently the only Finished pattern is

^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: Finished (Rotate log files|Daily apt (download|upgrade and clean) activities|Daily man-db regeneration)\.$

So either that should be expanded to include additional specific tests, or it should be made as general as the starting patterns, i.e.,

^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: Finished [-_ +[:alnum:]/]+\.$

Finally, this is also related to Bug #808429 (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=808429), which includes a much more extensive list of changes to the systemd patterns. It uses .+ as the pattern for the message after start/stop messages, and would exclude all of them. However, it has no patterns that match "Finished".

In short, I propose changing these rules

^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: (Started|Reached|Stopped) target [ +[:alnum:]]+\.$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: (Starting|Stopping) [ +[:alnum:]/]+\.(\.\.)?$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: (Start|Stopp)ed [ +[:alnum:]/]+\.$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: Finished (Rotate log files|Daily apt (download|upgrade and clean) activities|Daily man-db regeneration)\.$

to these

^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: (Started|Reached|Stopped) target .+\.$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: (Starting|Stopping) .+\.(\.\.)?$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: (Start|Stopp)ed .+\.$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: Finished .+\.$

or one of the other alternatives listed above if .+ seems too loose.

P.S. The system to automatically gather configuration info is not working--see the bottom.
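To check the rewrite against the quoted lines before editing the ignore file, here is a small test script (added here as an example; it is not part of this report or of the logcheck-database package). It writes the current rules and the intermediate [-_ +[:alnum:]/]+ rewrite to temporary files and filters the sample lines with grep -E -f, the way logcheck applies an ignore.d file; the "target" rule gets the same character class, following the "same rewrite" remark above.

```shell
#!/bin/sh
# Added example (not from the report or logcheck): run the current and the
# proposed systemd ignore rules over the log lines quoted in the report,
# filtering with grep -E -f as logcheck does. Rule files go to a temp dir.

RULEDIR=$(mktemp -d)
trap 'rm -rf "$RULEDIR"' EXIT

# The four rules as currently shipped (quoted from the report).
cat > "$RULEDIR/current" <<'EOF'
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: (Started|Reached|Stopped) target [ +[:alnum:]]+\.$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: (Starting|Stopping) [ +[:alnum:]/]+\.(\.\.)?$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: (Start|Stopp)ed [ +[:alnum:]/]+\.$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: Finished (Rotate log files|Daily apt (download|upgrade and clean) activities|Daily man-db regeneration)\.$
EOF

# The intermediate rewrite: "-" and "_" allowed in the unit description
# (the "target" rule gets the same class, as the report suggests).
cat > "$RULEDIR/proposed" <<'EOF'
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: (Started|Reached|Stopped) target [-_ +[:alnum:]]+\.$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: (Starting|Stopping) [-_ +[:alnum:]/]+\.(\.\.)?$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: (Start|Stopp)ed [-_ +[:alnum:]/]+\.$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: Finished [-_ +[:alnum:]/]+\.$
EOF

# The log lines quoted in the report.
SAMPLE='May 10 10:17:30 debtest systemd[1]: Starting Daily apt-listbugs preferences cleanup...
May 10 10:17:30 debtest systemd[1]: Starting exim4-base housekeeping...
May 10 10:17:30 debtest systemd[1]: Starting Daily man-db regeneration.
May 10 10:17:30 debtest systemd[1]: Finished Discard unused blocks on filesystems from /etc/fstab.
May 10 10:17:30 debtest systemd[1]: Finished exim4-base housekeeping.
May 10 10:17:31 debtest systemd[1]: Finished Daily apt-listbugs preferences cleanup.'

# ignored RULEFILE LINE: exit 0 if some rule matches LINE (logcheck would
# suppress it), 1 if the line would still be reported.
ignored() {
    printf '%s\n' "$2" | grep -E -q -f "$1"
}

# report RULEFILE: print the sample lines that survive the ignore rules,
# i.e. what logcheck would mail out as "system events".
report() {
    printf '%s\n' "$SAMPLE" | grep -E -v -f "$1" || true
}

echo '== reported with current rules =='
report "$RULEDIR/current"
echo '== reported with proposed rules =='
report "$RULEDIR/proposed"
```

With the current rules all six sample lines are printed; with the proposed rules none are, so the Finished lines are suppressed together with the Starting ones.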
-- System Information:
Debian Release: bullseye/sid
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-6-amd64 (SMP w/3 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

-- Configuration Files:
/etc/logcheck/cracking.d/kernel [Errno 13] Permission denied: '/etc/logcheck/cracking.d/kernel'
/etc/logcheck/cracking.d/rlogind [Errno 13] Permission denied: '/etc/logcheck/cracking.d/rlogind'

[should this be happening? I'm cutting it off here.]

-- no debconf information