From 3e49522b7ab75833e412ec38d05e5edc9645993b Mon Sep 17 00:00:00 2001 From: sebres Date: Fri, 13 May 2016 20:07:19 +0200 Subject: [PATCH 1/5] fixes unexpected extra regex-space in generic `__prefix_line` (gh-1405, misleadingly committed in d2a953756802bd7cf63f5f5f792371f52f5cba8c); all optional spaces normalized in generic include `common.conf` + test cases are extended (using new example pseudo-filter and test log `zzz-generic-example`); --- ChangeLog | 3 ++ config/filter.d/common.conf | 8 +++--- config/filter.d/zzz-generic-example.conf | 17 +++++++++++ fail2ban/tests/clientreadertestcase.py | 7 +++-- fail2ban/tests/files/logs/zzz-generic-example | 28 +++++++++++++++++++ 5 files changed, 56 insertions(+), 7 deletions(-) create mode 100644 config/filter.d/zzz-generic-example.conf create mode 100644 fail2ban/tests/files/logs/zzz-generic-example diff --git a/ChangeLog b/ChangeLog index 9ac9a752..44ba9d11 100644 --- a/ChangeLog +++ b/ChangeLog @@ -18,6 +18,9 @@ ver. 0.9.5 (2016/XX/XXX) - wanna-be-released * fixed a grave bug within tags substitutions because of incorrect detection of recursion in case of multiple inline substitutions of the same tag (affected actions: `bsd-ipfw`, etc). Now tracks the actual list of the already substituted tags (per tag instead of single list) + * filter.d/common.conf + - unexpected extra regex-space in generic `__prefix_line` (gh-1405) + - all optional spaces normalized in `common.conf`, test covered now - New Features: * New Actions: diff --git a/config/filter.d/common.conf b/config/filter.d/common.conf index 3e35f1d8..115fa96c 100644 --- a/config/filter.d/common.conf +++ b/config/filter.d/common.conf @@ -26,11 +26,11 @@ __daemon_re = [\[\(]?%(_daemon)s(?:\(\S+\))?[\]\)]?:? # extra daemon info # EXAMPLE: [ID 800047 auth.info] -__daemon_extra_re = (?:\[ID \d+ \S+\]) +__daemon_extra_re = \[ID \d+ \S+\] # Combinations of daemon name and PID # EXAMPLES: sshd[31607], pop(pam_unix)[4920] -__daemon_combs_re = (?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:?) +__daemon_combs_re = %(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:? # Some messages have a kernel prefix with a timestamp # EXAMPLES: kernel: [769570.846956] @@ -44,14 +44,14 @@ __md5hex = (?:[\da-f]{2}:){15}[\da-f]{2} # bsdverbose is where syslogd is started with -v or -vv and results in <4.3> or # appearing before the host as per testcases/files/logs/bsd/*. -__bsd_syslog_verbose = (<[^.]+\.[^.]+>) +__bsd_syslog_verbose = <[^.]+\.[^.]+> # Common line prefixes (beginnings) which could be used in filters # # [bsdverbose]? [hostname] [vserver tag] daemon_id spaces # # This can be optional (for instance if we match named native log files) -__prefix_line = \s*%(__bsd_syslog_verbose)s?\s*(?:%(__hostname)s )?(?:%(__kernel_prefix)s )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s%(__daemon_extra_re)s?\s* +__prefix_line = \s*(?:(?:%(__bsd_syslog_verbose)s)\s*)?(?:(?:%(__hostname)s)\s*)?(?:(?:%(__kernel_prefix)s)\s*)?(?:(?:@vserver_\S+)\s*)?(?:(?:%(__daemon_combs_re)s)\s*)?(?:(?:%(__daemon_extra_re)s)\s*)? # PAM authentication mechanism check for failures, e.g.: pam_unix, pam_sss, # pam_ldap diff --git a/config/filter.d/zzz-generic-example.conf b/config/filter.d/zzz-generic-example.conf new file mode 100644 index 00000000..421c117d --- /dev/null +++ b/config/filter.d/zzz-generic-example.conf @@ -0,0 +1,17 @@ +# Fail2Ban generic example resp. test filter +# +# Author: Serg G. Brester (sebres) +# + +[INCLUDES] + +# Read common prefixes. If any customizations available -- read them from +# common.local +before = common.conf + +[Definition] + +_daemon = test-demo + +failregex = ^%(__prefix_line)sF2B: failure from $ +ignoreregex = diff --git a/fail2ban/tests/clientreadertestcase.py b/fail2ban/tests/clientreadertestcase.py index 0a3734e5..b5c31c38 100644 --- a/fail2ban/tests/clientreadertestcase.py +++ b/fail2ban/tests/clientreadertestcase.py @@ -600,9 +600,10 @@ class JailsReaderTest(LogCaptureTestCase): self.assertTrue(jails.read()) # opens fine self.assertTrue(jails.getOptions()) # reads fine # grab all filter names - filters = set(os.path.splitext(os.path.split(a)[1])[0] - for a in glob.glob(os.path.join('config', 'filter.d', '*.conf')) - if not a.endswith('common.conf')) + filters = (os.path.splitext(os.path.split(flt)[1])[0] + for flt in glob.glob(os.path.join('config', 'filter.d', '*.conf')) + if not flt.endswith('common.conf')) + filters = set(filter(lambda flt: not flt.startswith('zzz-'), filters)) # get filters of all jails (filter names without options inside filter[...]) filters_jail = set( JailReader.extractOptions(jail.options['filter'])[0] for jail in jails.jails diff --git a/fail2ban/tests/files/logs/zzz-generic-example b/fail2ban/tests/files/logs/zzz-generic-example new file mode 100644 index 00000000..ecc5a1c6 --- /dev/null +++ b/fail2ban/tests/files/logs/zzz-generic-example @@ -0,0 +1,28 @@ +# -- _daemon with __pid_re, without __hostname -- +# failJSON: { "time": "2005-06-21T16:47:46", "match": true , "host": "192.0.2.1" } +Jun 21 16:47:46 machine test-demo[13709]: F2B: failure from 192.0.2.1 +# -- _daemon with __pid_re -- +# failJSON: { "time": "2005-06-21T16:47:48", "match": true , "host": "192.0.2.1" } +Jun 21 16:47:48 test-demo[13709]: F2B: failure from 192.0.2.1 + +# -- __kernel_prefix -- +# failJSON: { "time": "2005-06-21T16:47:50", "match": true , "host": "192.0.2.2" } +Jun 21 16:47:50 machine kernel: [ 970.699396] F2B: failure from 192.0.2.2 + +# -- _daemon_re with and without __pid_re -- +# failJSON: { "time": "2005-06-21T16:47:52", "match": true , "host": "192.0.2.3" } +Jun 21 16:47:52 machine [test-demo] F2B: failure from 192.0.2.3 +# failJSON: { "time": "2005-06-21T16:47:53", "match": true , "host": "192.0.2.3" } +Jun 21 16:47:53 machine [test-demo][13709] F2B: failure from 192.0.2.3 +# failJSON: { "time": "2005-06-21T16:50:00", "match": true , "host": "192.0.2.3" } +Jun 21 16:50:00 machine test-demo(pam_unix) F2B: failure from 192.0.2.3 +# failJSON: { "time": "2005-06-21T16:50:02", "match": true , "host": "192.0.2.3" } +Jun 21 16:50:02 machine test-demo(pam_unix)[13709] F2B: failure from 192.0.2.3 + + +# -- all common definitions together (bsdverbose hostname kernel_prefix vserver tag daemon_id space) -- +# failJSON: { "time": "2005-06-21T16:55:01", "match": true , "host": "192.0.2.3" } +Jun 21 16:55:01 machine kernel: [ 970.699396] @vserver_demo test-demo(pam_unix)[13709] [ID 255 test] F2B: failure from 192.0.2.3 +# -- the same as above with additional spaces around -- +# failJSON: { "time": "2005-06-21T16:55:02", "match": true , "host": "192.0.2.3" } +Jun 21 16:55:02 machine kernel: [ 970.699396] @vserver_demo test-demo(pam_unix)[13709] [ID 255 test] F2B: failure from 192.0.2.3 From de813acf5104dc00c0086b544c6fe82f428d4ca8 Mon Sep 17 00:00:00 2001 From: sebres Date: Tue, 17 May 2016 11:33:49 +0200 Subject: [PATCH 2/5] extends generic `__prefix_line` with optional brackets for the date ambit (gh-1421), added new parameter `__date_ambit` + test case added; --- ChangeLog | 2 ++ config/filter.d/common.conf | 4 +++- fail2ban/tests/files/logs/zzz-generic-example | 3 +++ 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 44ba9d11..d52e1cff 100644 --- a/ChangeLog +++ b/ChangeLog @@ -21,6 +21,8 @@ ver. 0.9.5 (2016/XX/XXX) - wanna-be-released * filter.d/common.conf - unexpected extra regex-space in generic `__prefix_line` (gh-1405) - all optional spaces normalized in `common.conf`, test covered now + - generic `__prefix_line` extended with optional brackets for the date ambit (gh-1421), + added new parameter `__date_ambit` - New Features: * New Actions: diff --git a/config/filter.d/common.conf b/config/filter.d/common.conf index 115fa96c..23fd1d5a 100644 --- a/config/filter.d/common.conf +++ b/config/filter.d/common.conf @@ -46,12 +46,14 @@ __md5hex = (?:[\da-f]{2}:){15}[\da-f]{2} # appearing before the host as per testcases/files/logs/bsd/*. __bsd_syslog_verbose = <[^.]+\.[^.]+> +__date_ambit = \[\] + # Common line prefixes (beginnings) which could be used in filters # # [bsdverbose]? [hostname] [vserver tag] daemon_id spaces # # This can be optional (for instance if we match named native log files) -__prefix_line = \s*(?:(?:%(__bsd_syslog_verbose)s)\s*)?(?:(?:%(__hostname)s)\s*)?(?:(?:%(__kernel_prefix)s)\s*)?(?:(?:@vserver_\S+)\s*)?(?:(?:%(__daemon_combs_re)s)\s*)?(?:(?:%(__daemon_extra_re)s)\s*)? +__prefix_line = (?:%(__date_ambit)s)?\s*(?:(?:%(__bsd_syslog_verbose)s)\s*)?(?:(?:%(__hostname)s)\s*)?(?:(?:%(__kernel_prefix)s)\s*)?(?:(?:@vserver_\S+)\s*)?(?:(?:%(__daemon_combs_re)s)\s*)?(?:(?:%(__daemon_extra_re)s)\s*)? # PAM authentication mechanism check for failures, e.g.: pam_unix, pam_sss, # pam_ldap diff --git a/fail2ban/tests/files/logs/zzz-generic-example b/fail2ban/tests/files/logs/zzz-generic-example index ecc5a1c6..e3480b63 100644 --- a/fail2ban/tests/files/logs/zzz-generic-example +++ b/fail2ban/tests/files/logs/zzz-generic-example @@ -26,3 +26,6 @@ Jun 21 16:55:01 machine kernel: [ 970.699396] @vserver_demo test-de # -- the same as above with additional spaces around -- # failJSON: { "time": "2005-06-21T16:55:02", "match": true , "host": "192.0.2.3" } Jun 21 16:55:02 machine kernel: [ 970.699396] @vserver_demo test-demo(pam_unix)[13709] [ID 255 test] F2B: failure from 192.0.2.3 +# -- the same as above with brackets as date ambit -- +# failJSON: { "time": "2005-06-21T16:55:03", "match": true , "host": "192.0.2.3" } +[Jun 21 16:55:03] machine kernel: [ 970.699396] @vserver_demo test-demo(pam_unix)[13709] [ID 255 test] F2B: failure from 192.0.2.3 From cb4f9be8b2748e940303cff77d72ab7fdcf06a53 Mon Sep 17 00:00:00 2001 From: sebres Date: Tue, 17 May 2016 11:54:08 +0200 Subject: [PATCH 3/5] the date brackets removed from filters using `__prefix_line`, because `__prefix_line` already contains the date ambit; --- config/filter.d/asterisk.conf | 20 ++++++++++---------- config/filter.d/nsd.conf | 4 ++-- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/config/filter.d/asterisk.conf b/config/filter.d/asterisk.conf index 3975fb29..01063efa 100644 --- a/config/filter.d/asterisk.conf +++ b/config/filter.d/asterisk.conf @@ -16,17 +16,17 @@ __pid_re = (?:\[\d+\]) iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4} # All Asterisk log messages begin like this: -log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)? +log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])? [^:]+:\d*( in \w+:)? -failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' failed for '(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$ - ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(:\d+\) to extension '[^']*' rejected because extension not found in context - ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host failed to authenticate as '[^']*'$ - ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from \)$ - ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host failed MD5 authentication for '[^']*' \([^)]+\)$ - ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@]+@\S*$ - ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s hacking attempt detected ''$ - ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)//\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$ - ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )Ext\. s: "Rejecting unknown SIP connection from "$ +failregex = ^%(__prefix_line)s%(log_prefix)s Registration from '[^']*' failed for '(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$ + ^%(__prefix_line)s%(log_prefix)s Call from '[^']*' \(:\d+\) to extension '[^']*' rejected because extension not found in context + ^%(__prefix_line)s%(log_prefix)s Host failed to authenticate as '[^']*'$ + ^%(__prefix_line)s%(log_prefix)s No registration for peer '[^']*' \(from \)$ + ^%(__prefix_line)s%(log_prefix)s Host failed MD5 authentication for '[^']*' \([^)]+\)$ + ^%(__prefix_line)s%(log_prefix)s Failed to authenticate (user|device) [^@]+@\S*$ + ^%(__prefix_line)s%(log_prefix)s hacking attempt detected ''$ + ^%(__prefix_line)s%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)//\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$ + ^%(__prefix_line)s%(log_prefix)s "Rejecting unknown SIP connection from "$ ignoreregex = diff --git a/config/filter.d/nsd.conf b/config/filter.d/nsd.conf index 70b41ca4..8f32f7be 100644 --- a/config/filter.d/nsd.conf +++ b/config/filter.d/nsd.conf @@ -22,7 +22,7 @@ _daemon = nsd # (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT -failregex = ^\[\]%(__prefix_line)sinfo: ratelimit block .* query TYPE255$ - ^\[\]%(__prefix_line)sinfo: .* refused, no acl matches\.$ +failregex = ^%(__prefix_line)sinfo: ratelimit block .* query TYPE255$ + ^%(__prefix_line)sinfo: .* refused, no acl matches\.$ ignoreregex = From 25af11215b71dec2197b8df9ee1aa9f813965aca Mon Sep 17 00:00:00 2001 From: sebres Date: Tue, 17 May 2016 20:08:46 +0200 Subject: [PATCH 4/5] test case for generic common moved to `./fail2ban/tests/config/filter.d/zzz-generic-example.conf` to prevent shipping it with fail2ban installations --- fail2ban/tests/clientreadertestcase.py | 7 +++--- .../config}/filter.d/zzz-generic-example.conf | 2 +- fail2ban/tests/samplestestcase.py | 25 +++++++++++-------- 3 files changed, 19 insertions(+), 15 deletions(-) rename {config => fail2ban/tests/config}/filter.d/zzz-generic-example.conf (85%) diff --git a/fail2ban/tests/clientreadertestcase.py b/fail2ban/tests/clientreadertestcase.py index b5c31c38..0a3734e5 100644 --- a/fail2ban/tests/clientreadertestcase.py +++ b/fail2ban/tests/clientreadertestcase.py @@ -600,10 +600,9 @@ class JailsReaderTest(LogCaptureTestCase): self.assertTrue(jails.read()) # opens fine self.assertTrue(jails.getOptions()) # reads fine # grab all filter names - filters = (os.path.splitext(os.path.split(flt)[1])[0] - for flt in glob.glob(os.path.join('config', 'filter.d', '*.conf')) - if not flt.endswith('common.conf')) - filters = set(filter(lambda flt: not flt.startswith('zzz-'), filters)) + filters = set(os.path.splitext(os.path.split(a)[1])[0] + for a in glob.glob(os.path.join('config', 'filter.d', '*.conf')) + if not a.endswith('common.conf')) # get filters of all jails (filter names without options inside filter[...]) filters_jail = set( JailReader.extractOptions(jail.options['filter'])[0] for jail in jails.jails diff --git a/config/filter.d/zzz-generic-example.conf b/fail2ban/tests/config/filter.d/zzz-generic-example.conf similarity index 85% rename from config/filter.d/zzz-generic-example.conf rename to fail2ban/tests/config/filter.d/zzz-generic-example.conf index 421c117d..a59ccb1e 100644 --- a/config/filter.d/zzz-generic-example.conf +++ b/fail2ban/tests/config/filter.d/zzz-generic-example.conf @@ -7,7 +7,7 @@ # Read common prefixes. If any customizations available -- read them from # common.local -before = common.conf +before = ../../../../config/filter.d/common.conf [Definition] diff --git a/fail2ban/tests/samplestestcase.py b/fail2ban/tests/samplestestcase.py index 9e6c0ee7..a40a11da 100644 --- a/fail2ban/tests/samplestestcase.py +++ b/fail2ban/tests/samplestestcase.py @@ -35,6 +35,7 @@ from ..server.filter import Filter from ..client.filterreader import FilterReader from .utils import setUpMyTime, tearDownMyTime, CONFIG_DIR +TEST_CONFIG_DIR = os.path.join(os.path.dirname(__file__), "config") TEST_FILES_DIR = os.path.join(os.path.dirname(__file__), "files") @@ -60,11 +61,11 @@ class FilterSamplesRegex(unittest.TestCase): "Expected more FilterSampleRegexs tests") -def testSampleRegexsFactory(name): +def testSampleRegexsFactory(name, basedir): def testFilter(self): # Check filter exists - filterConf = FilterReader(name, "jail", {}, basedir=CONFIG_DIR) + filterConf = FilterReader(name, "jail", {}, basedir=basedir) self.assertEqual(filterConf.getFile(), name) self.assertEqual(filterConf.getJailName(), "jail") filterConf.read() @@ -147,11 +148,15 @@ def testSampleRegexsFactory(name): return testFilter -for filter_ in filter(lambda x: not x.endswith('common.conf') and x.endswith('.conf'), - os.listdir(os.path.join(CONFIG_DIR, "filter.d"))): - filterName = filter_.rpartition(".")[0] - if not filterName.startswith('.'): - setattr( - FilterSamplesRegex, - "testSampleRegexs%s" % filterName.upper(), - testSampleRegexsFactory(filterName)) +for basedir_, filter_ in ( + (CONFIG_DIR, lambda x: not x.endswith('common.conf') and x.endswith('.conf')), + (TEST_CONFIG_DIR, lambda x: x.startswith('zzz-') and x.endswith('.conf')), +): + for filter_ in filter(filter_, + os.listdir(os.path.join(basedir_, "filter.d"))): + filterName = filter_.rpartition(".")[0] + if not filterName.startswith('.'): + setattr( + FilterSamplesRegex, + "testSampleRegexs%s" % filterName.upper(), + testSampleRegexsFactory(filterName, basedir_)) From 52377984cd415c089438bdfbcc2c86e344f8ca59 Mon Sep 17 00:00:00 2001 From: sebres Date: Thu, 19 May 2016 17:01:44 +0200 Subject: [PATCH 5/5] back to mandatory space, ungrouping of sub parameters in `__prefix_line` + small code review; --- config/filter.d/common.conf | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/config/filter.d/common.conf b/config/filter.d/common.conf index 23fd1d5a..586f428a 100644 --- a/config/filter.d/common.conf +++ b/config/filter.d/common.conf @@ -30,7 +30,7 @@ __daemon_extra_re = \[ID \d+ \S+\] # Combinations of daemon name and PID # EXAMPLES: sshd[31607], pop(pam_unix)[4920] -__daemon_combs_re = %(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:? +__daemon_combs_re = (?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:?) # Some messages have a kernel prefix with a timestamp # EXAMPLES: kernel: [769570.846956] @@ -46,14 +46,16 @@ __md5hex = (?:[\da-f]{2}:){15}[\da-f]{2} # appearing before the host as per testcases/files/logs/bsd/*. __bsd_syslog_verbose = <[^.]+\.[^.]+> -__date_ambit = \[\] +__vserver = @vserver_\S+ + +__date_ambit = (?:\[\]) # Common line prefixes (beginnings) which could be used in filters # # [bsdverbose]? [hostname] [vserver tag] daemon_id spaces # # This can be optional (for instance if we match named native log files) -__prefix_line = (?:%(__date_ambit)s)?\s*(?:(?:%(__bsd_syslog_verbose)s)\s*)?(?:(?:%(__hostname)s)\s*)?(?:(?:%(__kernel_prefix)s)\s*)?(?:(?:@vserver_\S+)\s*)?(?:(?:%(__daemon_combs_re)s)\s*)?(?:(?:%(__daemon_extra_re)s)\s*)? +__prefix_line = %(__date_ambit)s?\s*(?:%(__bsd_syslog_verbose)s\s+)?(?:%(__hostname)s\s+)?(?:%(__kernel_prefix)s\s+)?(?:%(__vserver)s\s+)?(?:%(__daemon_combs_re)s\s+)?(?:%(__daemon_extra_re)s\s+)? # PAM authentication mechanism check for failures, e.g.: pam_unix, pam_sss, # pam_ldap