conf/120263: [patch] 800.loginfail misses relevant security information after upgrade from 6.2-RELEASE

Michael Grimm trashcan at odo.in-berlin.de
Mon Feb 4 10:20:01 PST 2008


>Number:         120263
>Category:       conf
>Synopsis:       [patch] 800.loginfail misses relevant security information after upgrade from 6.2-RELEASE
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 04 18:20:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Michael Grimm
>Release:        FreeBSD 6.3-RELEASE i386
>Organization:
none
>Environment:
FreeBSD troi.scotty.invalid 6.3-RELEASE FreeBSD 6.3-RELEASE #0: Sat Jan 26 02:49:42 CET 2008 root at troi.scotty.invalid:/usr/obj/usr/src/sys/VIA-C7 i386
>Description:
The following entries in /var/log/auth.log should be triggered in the daily security report
(xxx.xxx.xxx.xxx and yyy.tld are used to protect the innocent ;-) ):

Jan 26 08:10:30 troi sshd[68360]: Invalid user gary from xxx.xxx.xxx.xxx
Jan 26 16:09:32 troi sshd[76566]: reverse mapping checking getaddrinfo for yyy.tld [xxx.xxx.xxx.xxx] failed - POSSIBLE BREAK-IN ATTEMPT!

800.loginfail of 6.2-RELEASE did recognize both entries in the logfile, whereas 6.3-RELEASE
only recognizes the second entry.

The relevant 6.2 regex part of 6.2-800.loginfail is:
	egrep -ia "^$yesterday.*(fail|invalid|bad|illegal)"
and in 6.3 it has been changed to:
	egrep -ia "^$yesterday.*: .* (fail|invalid|bad|illegal)"

Presumably, one tried to overcome false positives when system names contained "fail|invalid|bad|illegal"
and tried to modify the regex accordingly.

Now, "^$yesterday.*: " triggers the first part up to "...sshd[.....]: " correctly. After that, if a buzzword resides somewhere in the following text it will be triggered (second example), but if the remaining text starts with one buzzword (first example: Invalid) it cannot be triggered due to a single blank demanded *before* the buzzword in ".* (fail|invalid|bad|illegal)".

The following entry in /var/log/auth.log is neither triggered by 6.2 nor by 6.3-800.loginfail. IMHO
this should be added as well:

Jan 26 23:16:52 troi sshd[87777]: User root from xxx.xxx.xxx.xxx not allowed because not listed in AllowUsers
>How-To-Repeat:

>Fix:
apply patch

Patch attached with submission follows:

--- /usr/src/etc/periodic/security/800.loginfail	2007-03-06 19:29:19.000000000 +0100
+++ 800.loginfail	2008-02-04 19:06:17.000000000 +0100
@@ -59,7 +59,7 @@
     [Yy][Ee][Ss])
 	echo ""
 	echo "${host} login failures:"
-	n=$(catmsgs | egrep -ia "^$yesterday.*: .* (fail|invalid|bad|illegal)" |
+	n=$(catmsgs | egrep -ia "^$yesterday.*: .*(fail|invalid|bad|illegal|not allowed)" |
 	    tee /dev/stderr | wc -l)
 	[ $n -gt 0 ] && rc=1 || rc=0;;
     *)	rc=0;;
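Review bot: dropping the blank in front of the alternation on the `+` line (`.*(fail|invalid|bad|illegal|not allowed)`) does catch the `Invalid user` entry that sits directly after `sshd[...]: `, but it also lets each keyword match inside a longer word anywhere after the `: ` (a user or host name containing `bad`, for instance), which the `.* (` form of the `-` line deliberately excluded. To keep that restriction and still match a keyword that immediately follows the colon, the alternative `"^$yesterday.*: (.* )?(fail|invalid|bad|illegal|not allowed)"` requires the keyword to be preceded either by the `: ` itself or by a blank.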


>Release-Note:
>Audit-Trail:
>Unformatted:
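To make the behaviour described in this PR reproducible offline, the following sh script (an added example, not part of the PR or of the FreeBSD periodic script) runs the 6.2 regex, the 6.3 regex, the regex from the patch above, and a tighter word-boundary alternative over constructed auth.log lines modelled on the ones quoted in the description; the `$yesterday` value is an assumed "Mon dd" prefix, and `grep -Ei` stands in for `egrep -ia`.

```shell
#!/bin/sh
# Constructed auth.log sample lines modelled on those quoted in the PR;
# addresses are placeholders. Line 4 adds a keyword embedded in a user name
# ("sinbad"), line 5 an entry from the wrong day.
LOGLINES='Jan 26 08:10:30 troi sshd[68360]: Invalid user gary from xxx.xxx.xxx.xxx
Jan 26 16:09:32 troi sshd[76566]: reverse mapping checking getaddrinfo for yyy.tld [xxx.xxx.xxx.xxx] failed - POSSIBLE BREAK-IN ATTEMPT!
Jan 26 23:16:52 troi sshd[87777]: User root from xxx.xxx.xxx.xxx not allowed because not listed in AllowUsers
Jan 26 09:00:00 troi sshd[12345]: Accepted publickey for sinbad from xxx.xxx.xxx.xxx port 2222 ssh2
Jan 25 22:00:00 troi sshd[11111]: Invalid user old from xxx.xxx.xxx.xxx'

# Assumption: the script's $yesterday expands to a "Mon dd" prefix like this.
yesterday='Jan 26'

# count_hits PATTERN: number of sample lines the case-insensitive ERE matches.
# grep -Ei stands in for the script's egrep -ia (-a only affects binary input).
count_hits() {
    printf '%s\n' "$LOGLINES" | grep -Eic "$1"
}

re_62="^$yesterday.*(fail|invalid|bad|illegal)"                    # 6.2-RELEASE
re_63="^$yesterday.*: .* (fail|invalid|bad|illegal)"               # 6.3-RELEASE
re_pr="^$yesterday.*: .*(fail|invalid|bad|illegal|not allowed)"    # this PR's patch
# Alternative: keyword must follow ': ' directly or a blank, so "sinbad" stays out.
re_alt="^$yesterday.*: (.* )?(fail|invalid|bad|illegal|not allowed)"

# report LABEL PATTERN: print how many of the 5 sample lines PATTERN reports.
report() {
    printf '%-4s %s of 5 lines\n' "$1" "$(count_hits "$2")"
}

report 6.2 "$re_62"    # 3: Invalid, failed, and the sinbad false positive
report 6.3 "$re_63"    # 1: only "failed"; "Invalid" right after ': ' is missed
report PR  "$re_pr"    # 4: the three PR lines plus the sinbad false positive
report alt "$re_alt"   # 3: exactly the three lines the PR wants reported
```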