1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
|
#!/bin/bash
set -eu
LOGFILE=$(mktemp)
trap 'rm -f ${LOGFILE}' 0 INT QUIT ABRT PIPE TERM
chmod 0640 "${LOGFILE}"
chgrp adm "${LOGFILE}"
echo "Jan 31 06:51:07 debian-sid-amd64 su: pam_unix(su-l:auth) failure; logname=testuser uid=1000 euid=0 tty=pts/7 ruser=testuser rhost= user=root" >> "${LOGFILE}"
echo "Jan 31 06:51:09 debian-sid-amd64 su: FAILED SU (to root) testuser on pts/7" >> "${LOGFILE}"
echo "Jan 31 07:15:01 debian-sid-amd64 CRON[588228]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)" >> "${LOGFILE}"
echo "Jan 31 07:17:01 debian-sid-amd64 CRON[588240]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)" >> "${LOGFILE}"
EXPECTED_OUTPUT="This email is sent by logcheck. If you no longer wish to receive
such mail, you can either uninstall the logcheck package or modify
its configuration file (/etc/logcheck/logcheck.conf).
Security Events for su
=-=-=-=-=-=-=-=-=-=-=-
Jan 31 06:51:07 debian-sid-amd64 su: pam_unix(su-l:auth) failure; logname=testuser uid=1000 euid=0 tty=pts/7 ruser=testuser rhost= user=root
Jan 31 06:51:09 debian-sid-amd64 su: FAILED SU (to root) testuser on pts/7
"
diff <(su -s /bin/bash -c "/usr/sbin/logcheck -o -l ${LOGFILE}" logcheck) <(echo "$EXPECTED_OUTPUT")
|
