diff -up logwatch-7.3.6/scripts/services/secure.pom logwatch-7.3.6/scripts/services/secure
--- logwatch-7.3.6/scripts/services/secure.pom 2008-10-20 13:50:05.000000000 +0200
+++ logwatch-7.3.6/scripts/services/secure 2008-10-21 10:47:07.000000000 +0200
@@ -196,7 +196,9 @@ while (defined($ThisLine = <STDIN>)) {
( $ThisLine =~ /^su\[\d+\]: [+-] .+/) or
( $ThisLine =~ /^su\[\d+\]: FAILED su for \S+ by \S+/) or #debian: done in pam_unix
( $ThisLine =~ /^login\[\d+\]: ROOT LOGIN on '\S+'/) or #debian: done in pam_unix (Similar message on other system is reported)
- ( $ThisLine =~ /^login\[\d+\]: FAILED LOGIN \(\d+\) on ['`]\S+' FOR `\S+', (Authentication failure|User not known to the underlying authentication module)/) or #debian: done in pam_unix
+ ( $ThisLine =~ /^login\[\d+\]: FAILED LOGIN \(\d+\) on ['`]\S+' FOR `\S+', (Authentication failure|User not known to the underlying authentication module)/) or
+ ( $ThisLine =~ /^login: FAILED LOGIN 2 FROM (.*) FOR .*, (Authentication failure|User not known to the underlying authentication module)/) or
+ ( $ThisLine =~ /^login: pam_securetty(.*): unexpected response from failed conversation function/) or
( $ThisLine =~ /^pam_limits\[\d+\]/ ) or
( $ThisLine =~ /^kcheckpass(\[\d+\]|):/ ) or # done in pam_unix
( $ThisLine =~ /^cyrus\/lmtpd\[\d+\]: [^ ]+ server step [12]/ ) or
@@ -213,8 +215,15 @@ while (defined($ThisLine = <STDIN>)) {
( $ThisLine =~ /pam_succeed_if\(.*:.*\): error retrieving information about user [a-zA-Z]*/ ) or
( $ThisLine =~ /logfile turned over/) or # newsyslog on OpenBSD
( $ThisLine =~ /Connection closed by/) or
- ( $ThisLine =~ /sshd.*: Accepted \S+ for \S+ from [\d\.:a-f]+ port \d+/) or # ssh script reads this log )
- ( $ThisLine =~ /userhelper.*: running (.*) with context (.*)/)
+ ( $ThisLine =~ /sshd.*: Accepted \S+ for \S+ from [\d\.:a-f]+ port \d+/) or # ssh script reads this log ) or
+ ( $ThisLine =~ /userhelper.*: running (.*) with context (.*)/) or
+ ( $ThisLine =~ /userhelper.*: pam_thinkfinger(.*): conversation failed/) or
+ ( $ThisLine =~ /su: PAM [0-9] more authentication failure; .*/) or
+ ( $ThisLine =~ /polkit-grant-helper\[\d+\]: granted authorization for [^ ]* to uid [0-9]* \[auth=.*\]/) or
+ ( $ThisLine =~ /polkit-grant-helper\[\d+\]: granted authorization for [^ ]* to session .* \[uid=[0-9]*\]/) or
+ ( $ThisLine =~ /polkit-grant-helper-pam\[\d+\]: pam_thinkfinger\(polkit:auth\): conversation failed/) or
+ ( $ThisLine =~ /gdm-session-worker\[\d+\]: gkr-pam: no password is available for user/) or
+ ( $ThisLine =~ /gdm-session-worker\[\d+\]: pam_namespace\(gdm:session\): Unmount of [^ ]* failed, Device or resource busy/)
) {
# Ignore these entries
} elsif ($ThisLine =~ /^spop3d/ || $ThisLine =~ /^pop\(\w+\)\[\d+\]:/) {
@@ -423,6 +432,9 @@ while (defined($ThisLine = <STDIN>)) {
$ChangedUID{"$Name,$UID1,$UID2"}++;
} elsif (($Module,$Service) = ($ThisLine =~ /Deprecated (pam_[^ ]*) module called from service "([^ ]*)"/)) {
$DeprecateModule{"$Module,$Service"}++;
+ } elsif ( ($User) = ($ThisLine =~ /useradd.*failed adding user `(.*)', data deleted/) ) {# failed adding user/)) {# (.*), data deleted/)) {
+ # useradd: failed adding user `rpcuser', data deleted
+ $FailedAddUsers{$User}++;
} else {
# Unmatched entries...
$ThisLine =~ s/\[\d+\]:/:/;
@@ -440,6 +452,14 @@ if ($DeletedUsers) {
print "Deleted Users:\n$DeletedUsers\n";
}
+if (keys %FailedAddUsers) {
+ print "Failed adding users:\n";
+ foreach $User (keys %FailedAddUsers) {
+ print " $User: ". $FailedAddUsers{$User}. " Time(s)\n";
+ }
+ print"\n";
+}
+
if ($NewGroups) {
print "New Groups:\n$NewGroups\n";
}