From 30bb1a77a3d0214cb941cd65df7c8c520d5f46d8 Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Tue, 17 Sep 2013 10:50:46 +1000
Subject: [PATCH] ENH: added syslog prefix to pam-generic filter. Disable regex match for pre 2006 (< 0.99.2.0) versions on linux-pam
---
 ChangeLog | 2 ++
 config/filter.d/pam-generic.conf | 15 ++++++++++-----
 2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 2001158b..c4d4afcc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -68,6 +68,8 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests and extra failure examples in sample logs * filter.d/apache-auth - added expressions for mod_authz, mod_auth and mod_auth_digest failures. + * filter.d/pam-generic - added syslog prefix. Disabled support for + linux-pam before version 0.99.2.0 (2005) Daniel Black & Georgiy Mernov & ftoppi & Мернов Георгий * filter.d/exim.conf -- regex hardening and extra failure examples in sample logs
diff --git a/config/filter.d/pam-generic.conf b/config/filter.d/pam-generic.conf
index eaeb122f..15aadf3e 100644
--- a/config/filter.d/pam-generic.conf
+++ b/config/filter.d/pam-generic.conf
@@ -3,6 +3,9 @@
 # Author: Yaroslav Halchenko
 #
 #
+[INCLUDES]
+
+before = common.conf
 [Definition]
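Review bot: `before = common.conf` is added in the new [INCLUDES] section without a comment saying what it supplies, yet the failregex further down this file is rewritten to begin with `^%(__prefix_line)s`, and `__prefix_line` is provided by common.conf (built around the `_daemon` value set in the next hunk), so the include is load-bearing rather than cosmetic. A one-line comment above the section would spare the next reader the lookup: `# common.conf supplies __prefix_line (derived from _daemon), which failregex below relies on`. Since `_daemon = \S+` lets the prefix accept any daemon name, which appears intended for a generic PAM filter, that comment is also the right place to state it so a later tightening is not mistaken for a bug fix.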
@@ -11,17 +14,19 @@
 # To catch all failed logins
 _ttys_re=\S*
-#
-# Shortcuts for easier comprehension of the failregex
-__pid_re=(?:\[\d+\])
 __pam_re=\(?pam_unix(?:\(\S+\))?\)?:?
-__pam_combs_re=(?:%(__pid_re)s?:\s+%(__pam_re)s|%(__pam_re)s%(__pid_re)s?:)
+_daemon = \S+
 # Option: failregex
 # Notes.: regex to match the password failures messages in the logfile.
 # Values: TEXT
 #
-failregex = \s\S+ \S+%(__pam_combs_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=(?:\s+user=.*)?\s*$
+failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=(?:\s+user=.*)?\s*$
+
+# for linux-pam before 0.99.2.0 (late 2005)
+# _daemon = \S*\(?pam_unix\)?
+# failregex = ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=(?:\s+user=.*)?\s*$
+
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.