diff --git a/ChangeLog b/ChangeLog
index 4c6f15ef..a54fc0fa 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -69,6 +69,8 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests
 * filter.d/apache-auth - added expressions for mod_authz, mod_auth and mod_auth_digest failures.
 * filter.d/recidive -- support f2b syslog target and anchor regex at start
+ * filter.d/pam-generic - added syslog prefix. Disabled support for
+ linux-pam before version 0.99.2.0 (2005)
 Daniel Black & Georgiy Mernov & ftoppi & Мернов Георгий
 * filter.d/exim.conf -- regex hardening and extra failure examples in sample logs
diff --git a/config/filter.d/pam-generic.conf b/config/filter.d/pam-generic.conf
index eaeb122f..15aadf3e 100644
--- a/config/filter.d/pam-generic.conf
+++ b/config/filter.d/pam-generic.conf
@@ -3,6 +3,9 @@
 # Author: Yaroslav Halchenko
 #
 #
+[INCLUDES]
+
+before = common.conf
 
 [Definition]
 
@@ -11,17 +14,19 @@
 # To catch all failed logins
 _ttys_re=\S*
 
-#
-# Shortcuts for easier comprehension of the failregex
-__pid_re=(?:\[\d+\])
 __pam_re=\(?pam_unix(?:\(\S+\))?\)?:?
-__pam_combs_re=(?:%(__pid_re)s?:\s+%(__pam_re)s|%(__pam_re)s%(__pid_re)s?:)
+_daemon = \S+
 
 # Option: failregex
 # Notes.: regex to match the password failures messages in the logfile.
 # Values: TEXT
 #
-failregex = \s\S+ \S+%(__pam_combs_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=(?:\s+user=.*)?\s*$
+failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=(?:\s+user=.*)?\s*$
+
+# for linux-pam before 0.99.2.0 (late 2005)
+# _daemon = \S*\(?pam_unix\)?
+# failregex = ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=(?:\s+user=.*)?\s*$
+
 
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.
diff --git a/testcases/files/logs/pam-generic b/testcases/files/logs/pam-generic
index dc7efeee..e562ac7f 100644
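Review bot: As rendered here, the new failregex has nothing between `rhost=` and the optional `(?:\s+user=.*)?` group, so no host capture is visible in the pattern; fail2ban needs a `<HOST>` tag at that position to extract the address to act on, and the failJSON expectations in testcases/files/logs/pam-generic do name hosts, so this is most likely the tag being stripped in rendering — but it is worth confirming it survives in the committed file, since without it the filter can never produce a ban. The new `_daemon = \S+` is left with no explanation now that the "Shortcuts for easier comprehension" comment is gone; a one-liner such as `# pam_unix lines come from any service (sshd, proftpd, vsftpd, ...), so the daemon field is deliberately left open` would tell the next reader the permissive value is intentional rather than an oversight. The same `<HOST>` question applies to the commented-out pre-0.99.2.0 failregex, which should be checked before anyone uncomments it.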
--- a/testcases/files/logs/pam-generic
+++ b/testcases/files/logs/pam-generic
@@ -6,9 +6,12 @@ May 12 09:47:54 vaio sshd[16004]: (pam_unix) authentication failure; logname= ui
 May 12 09:48:03 vaio sshd[16021]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=71-13-115-12.static.mdsn.wi.charter.com
 # failJSON: { "time": "2005-05-15T18:02:12", "match": true , "host": "66.232.129.62" }
 May 15 18:02:12 localhost proftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=66.232.129.62 user=mark
-# failJSON: { "time": "2004-11-25T17:12:13", "match": true , "host": "192.168.10.3" }
+
+# linux-pam messages before commit f0f9c4479303b5a9c37667cf07f58426dc081676 (release 0.99.2.0 ) - nolonger supported
+# failJSON: { "time": "2004-11-25T17:12:13", "match": false }
 Nov 25 17:12:13 webmail pop(pam_unix)[4920]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.168.10.3 user=mailuser
-# failJSON: { "time": "2005-07-19T18:11:26", "match": true , "host": "www3.google.com" }
-Jul 19 18:11:26 srv2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=an8767 rhost=www3.google.com
-# failJSON: { "time": "2005-07-19T18:11:26", "match": true , "host": "www3.google.com" }
-Jul 19 18:11:26 srv2 vsftpd: pam_unix: authentication failure; logname= uid=0 euid=0 tty=ftp ruser=an8767 rhost=www3.google.com
+
+# failJSON: { "time": "2005-07-19T18:11:26", "match": true , "host": "www.google.com" }
+Jul 19 18:11:26 srv2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=an8767 rhost=www.google.com
+# failJSON: { "time": "2005-07-19T18:11:26", "match": true , "host": "www.google.com" }
+Jul 19 18:11:26 srv2 vsftpd: pam_unix: authentication failure; logname= uid=0 euid=0 tty=ftp ruser=an8767 rhost=www.google.com
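Review bot: The explanatory comment added above the Nov 25 sample has a typo and a stray space that will be copied verbatim by anyone grepping the fixtures; suggest `# linux-pam messages before commit f0f9c4479303b5a9c37667cf07f58426dc081676 (release 0.99.2.0) - no longer supported`. Turning that sample into a `"match": false` case is the right way to pin the dropped format, since it documents that hosts still running pre-0.99.2.0 PAM will silently stop being covered. The `www3.google.com` to `www.google.com` rename of the vsftpd expectations is unrelated to the prefix change and is not mentioned in the ChangeLog entry; a word on why it was touched would keep the fixture history readable.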