diff -up logwatch-7.3.6/scripts/services/secure.pom logwatch-7.3.6/scripts/services/secure --- logwatch-7.3.6/scripts/services/secure.pom 2008-10-20 13:50:05.000000000 +0200 +++ logwatch-7.3.6/scripts/services/secure 2008-10-21 10:47:07.000000000 +0200 @@ -196,7 +196,9 @@ while (defined($ThisLine = <STDIN>)) { ( $ThisLine =~ /^su\[\d+\]: [+-] .+/) or ( $ThisLine =~ /^su\[\d+\]: FAILED su for \S+ by \S+/) or #debian: done in pam_unix ( $ThisLine =~ /^login\[\d+\]: ROOT LOGIN on '\S+'/) or #debian: done in pam_unix (Similar message on other system is reported) - ( $ThisLine =~ /^login\[\d+\]: FAILED LOGIN \(\d+\) on ['`]\S+' FOR `\S+', (Authentication failure|User not known to the underlying authentication module)/) or #debian: done in pam_unix + ( $ThisLine =~ /^login\[\d+\]: FAILED LOGIN \(\d+\) on ['`]\S+' FOR `\S+', (Authentication failure|User not known to the underlying authentication module)/) or + ( $ThisLine =~ /^login: FAILED LOGIN 2 FROM (.*) FOR .*, (Authentication failure|User not known to the underlying authentication module)/) or + ( $ThisLine =~ /^login: pam_securetty(.*): unexpected response from failed conversation function/) or ( $ThisLine =~ /^pam_limits\[\d+\]/ ) or ( $ThisLine =~ /^kcheckpass(\[\d+\]|):/ ) or # done in pam_unix ( $ThisLine =~ /^cyrus\/lmtpd\[\d+\]: [^ ]+ server step [12]/ ) or @@ -213,8 +215,15 @@ while (defined($ThisLine = <STDIN>)) { ( $ThisLine =~ /pam_succeed_if\(.*:.*\): error retrieving information about user [a-zA-Z]*/ ) or ( $ThisLine =~ /logfile turned over/) or # newsyslog on OpenBSD ( $ThisLine =~ /Connection closed by/) or - ( $ThisLine =~ /sshd.*: Accepted \S+ for \S+ from [\d\.:a-f]+ port \d+/) or # ssh script reads this log ) - ( $ThisLine =~ /userhelper.*: running (.*) with context (.*)/) + ( $ThisLine =~ /sshd.*: Accepted \S+ for \S+ from [\d\.:a-f]+ port \d+/) or # ssh script reads this log ) or + ( $ThisLine =~ /userhelper.*: running (.*) with context (.*)/) or + ( $ThisLine =~ /userhelper.*: pam_thinkfinger(.*): conversation failed/) or + ( $ThisLine =~ /su: PAM [0-9] more authentication failure; .*/) or + ( $ThisLine =~ /polkit-grant-helper\[\d+\]: granted authorization for [^ ]* to uid [0-9]* \[auth=.*\]/) or + ( $ThisLine =~ /polkit-grant-helper\[\d+\]: granted authorization for [^ ]* to session .* \[uid=[0-9]*\]/) or + ( $ThisLine =~ /polkit-grant-helper-pam\[\d+\]: pam_thinkfinger\(polkit:auth\): conversation failed/) or + ( $ThisLine =~ /gdm-session-worker\[\d+\]: gkr-pam: no password is available for user/) or + ( $ThisLine =~ /gdm-session-worker\[\d+\]: pam_namespace\(gdm:session\): Unmount of [^ ]* failed, Device or resource busy/) ) { # Ignore these entries } elsif ($ThisLine =~ /^spop3d/ || $ThisLine =~ /^pop\(\w+\)\[\d+\]:/) { @@ -423,6 +432,9 @@ while (defined($ThisLine = <STDIN>)) { $ChangedUID{"$Name,$UID1,$UID2"}++; } elsif (($Module,$Service) = ($ThisLine =~ /Deprecated (pam_[^ ]*) module called from service "([^ ]*)"/)) { $DeprecateModule{"$Module,$Service"}++; + } elsif ( ($User) = ($ThisLine =~ /useradd.*failed adding user `(.*)', data deleted/) ) {# failed adding user/)) {# (.*), data deleted/)) { + # useradd: failed adding user `rpcuser', data deleted + $FailedAddUsers{$User}++; } else { # Unmatched entries... $ThisLine =~ s/\[\d+\]:/:/; @@ -440,6 +452,14 @@ if ($DeletedUsers) { print "Deleted Users:\n$DeletedUsers\n"; } +if (keys %FailedAddUsers) { + print "Failed adding users:\n"; + foreach $User (keys %FailedAddUsers) { + print " $User: ". $FailedAddUsers{$User}. " Time(s)\n"; + } + print"\n"; +} + if ($NewGroups) { print "New Groups:\n$NewGroups\n"; }