Index: scripts/services/secure =================================================================== --- scripts/services/secure (revision 85) +++ scripts/services/secure (working copy) @@ -244,10 +244,12 @@ ( $ThisLine =~ /PAM pam_set_item: attempt to set conv\(\) to NULL/) or ( $ThisLine =~ /PAM pam_get_item: nowhere to place requested item/) or ( $ThisLine =~ /pam_succeed_if\(.*:.*\): error retrieving information about user [a-zA-Z]*/ ) or + ( $ThisLine =~ /pam_selinux_permit\(.*:.*\):/ ) or ( $ThisLine =~ /logfile turned over/) or # newsyslog on OpenBSD ( $ThisLine =~ /vmware-authd\[[0-9]+\]: PAM \[error: [^ ]+ cannot open shared object file: No such file or directory\]/) or ( $ThisLine =~ /vmware-authd\[[0-9]+\]: PAM adding faulty module: [^ ]+/) or ( $ThisLine =~ /Connection closed by/) or + ( $ThisLine =~ /Conversation error/) or ( $ThisLine =~ /sshd.*: Accepted \S+ for \S+ from [\d\.:a-f]+ port \d+/) or # ssh script reads this log ( $ThisLine =~ /userhelper.*: running (.*) with context (.*)/) or ( $ThisLine =~ /userhelper.*: pam_thinkfinger(.*): conversation failed/) or @@ -255,7 +257,10 @@ ( $ThisLine =~ /polkit-grant-helper\[\d+\]: granted authorization for [^ ]* to uid [0-9]* \[auth=.*\]/) or ( $ThisLine =~ /polkit-grant-helper\[\d+\]: granted authorization for [^ ]* to session .* \[uid=[0-9]*\]/) or ( $ThisLine =~ /polkit-grant-helper-pam\[\d+\]: pam_thinkfinger\(polkit:auth\): conversation failed/) or - ( $ThisLine =~ /gdm-session-worker\[\d+\]: gkr-pam: no password is available for user/) or + ( $ThisLine =~ /polkitd\(authority=.*\): (Unr|R)egistered Authentication Agent/) or + ( $ThisLine =~ /(gdm-session-worker|gdm-password)\[\d+\]: gkr-pam: no password is available for user/) or + ( $ThisLine =~ /gkr-pam: the password for the login keyring was invalid/) or + ( $ThisLine =~ /groupadd\[\d+\]: group added to /) or # Details in other messages ( $ThisLine =~ /gdm-session-worker\[\d+\]: pam_namespace\(gdm:session\): Unmount of [^ ]* failed, Device or resource busy/) ) { # Ignore these entries @@ -380,13 +385,13 @@ $DeletedGroups .= " $ThisLine\n"; } elsif ( $ThisLine =~ s/^(?:useradd|adduser)\[\d+\]: new group: name=(.+), (?:gid|GID)=(\d+).*$/$1 ($2)/ ) { $NewGroups .= " $ThisLine\n"; - } elsif ( (undef,$User,,undef,$Group) = ($ThisLine =~ /(usermod|useradd)\[\d+\]: add `([^ ]+)' to (shadow |)group `([^ ]+)'/ )) { + } elsif ( (undef,$User,,undef,$Group) = ($ThisLine =~ /(usermod|useradd)\[\d+\]: add [`']([^ ]+)' to (shadow|)group [`']([^ ]+)'/ )) { $AddToGroup{$Group}{$User}++; } elsif ( $ThisLine =~ s/^groupadd\[\d+\]: new group: name=(.+), (?:gid|GID)=(\d+).*$/$1 ($2)/ ) { $NewGroups .= " $ThisLine\n"; } elsif ( $ThisLine =~ s/^gpasswd\[\d+\]: set members of // ) { $SetGroupMembers .= " $ThisLine\n"; - } elsif ( $ThisLine =~ /^userdel\[\d+\]: delete `(.*)' from (shadow |)group `(.*)'\s*$/ ) { + } elsif ( $ThisLine =~ /^(?:userdel|usermod)\[\d+\]: delete [`'](.*)' from (shadow |)group [`'](.*)'\s*$/ ) { push @RemoveFromGroup, " user $1 from group $3\n"; # This is an inetd lookup... $1 is the service (i.e. ftp), $2 is the response # I don't think these are important to log at this time @@ -473,7 +478,7 @@ } elsif ( ($Client,$User) = ($ThisLine =~ /vmware-authd\[\d+\]: login from ([0-9\.]+) as ([^ ]+)/) ) { $UserLogin{$User}++; } elsif ( ($User) = ($ThisLine =~ /vmware-authd\[\d+\]: pam_unix_auth\(vmware-authd:auth\): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=([^ ]*)/) ) { - } elsif ( ($User) = ($ThisLine =~ /useradd.*failed adding user `(.*)', data deleted/) ) {# failed adding user/)) {# (.*), data deleted/)) { + } elsif ( ($User) = ($ThisLine =~ /useradd.*failed adding user [`'](.*)', data deleted/) ) {# failed adding user/)) {# (.*), data deleted/)) { # useradd: failed adding user `rpcuser', data deleted $FailedAddUsers{$User}++; } elsif (($User,$Reason) = ($ThisLine =~ /dovecot-auth: pam_userdb\(dovecot:auth\): user `(.*)' denied access \((.*)\)/)) {