# $Id: hot-potato.conf,v 1.42 2002/12/18 18:48:31 jmates Exp $
#
# JAM 2002-01-31 "red alert" configuration for swatch, to bug various
# folks via email when Bad Things are seen in the logfile in question.
#
# Aimed at /var/log/everything, which in theory is a *.* accumulation
# of all logs on the central log server. Better yet would be to run
# syslog-ng, and have it talk with swatch via a pipe?
#
# Layout: each "watchfor /regex/" is followed by indented actions
# (mail=..., throttle ..., echo). "ignore /regex/" lines drop matching
# log lines. The (?i) prefix on a regex makes the match
# case-insensitive. Throttle values are mostly two-field (10:00,
# 15:00); one disabled rule below uses 1:00:00, so the two-field form
# is presumably minutes:seconds -- confirm against the swatch
# throttle syntax for the installed version. Rules that add use=regex
# to the throttle appear to rate-limit per pattern rather than per
# distinct message text; the others are left per message, presumably
# so that e.g. different users/hosts still each get reported -- verify.
#
# For the message subject, use the following syntax:
#   LW: category (info|notice|warn)
#
# Categories are kinda loose, see rules for range. Level should be
# info, notice, or warn, depending on the message.
#
# More generic matches should go at the bottom, to allow specific
# errors to be logged with more suitable email subjects.
# NOTE(review): rule order therefore appears to matter (first match
# is the one that sets the subject); do not reorder without checking
# the more specific rules above a generic one still win.

# UW-IMAP having issues (corrupt mail box, etc)
watchfor /(?i)imap toolkit crash/
  mail=sysadmin,subject="LW: mail (warn)"
  throttle 10:00,use=regex

# SSH misconfigurations users will never spot
# (sshd refuses to use a key/authorized_keys file with unsafe perms)
watchfor /(?i)sshd.*?refused: bad ownership or modes for (file|directory) /
  mail=sysadmin,subject="LW: user (notice)"
  throttle 10:00,use=regex

# testing rule for similar issues, too many false positives and need
# to talk to users about home dir policies before breaking anything
#watchfor /(?i)writable by group/
#  mail=sysadmin,subject="LW: user (notice)"
#  throttle 10:00,use=regex

# password changes; no throttle on this one, so presumably every
# matching line is meant to be reported individually -- confirm
watchfor /(?i)password.+?change/
  mail=sysadmin,subject="LW: user (info)"

# sudo issues (might be more of these, depending on settings)
# the optional (?:\[\d+\])? allows for a syslog pid suffix on the tag
watchfor /(?i)sudo(?:\[\d+\])?:.*?incorrect password attempts/
  mail=sysadmin,subject="LW: security (notice)"
  throttle 10:00

# maybe brute-force attempt, usually just user flailing away at keyboard
watchfor /(?i)excessive login failures/
  mail=sysadmin,subject="LW: security (notice)"
  throttle 10:00

# potential security issues (failed su to another account)
watchfor /(?i)su(?:\[\d+\])?: BAD SU /
  mail=sysadmin,subject="LW: security (warn)"
  throttle 10:00

# usually misconfigurations
# NOTE(review): logins for nonexistent accounts can also be a
# guessing indicator; level is kept at info per the original author,
# revisit if the volume pattern suggests otherwise
watchfor /(?i)illegal user /
  mail=sysadmin,subject="LW: security (info)"
  throttle 15:00

# PAM (Linux only?) null logins -> root a Bad Thing ((null)/0)
# JAM 2002-12-05 testing, may be too loose?
watchfor /(?i)\(\(null\)\//
  mail=sysadmin,subject="LW: security (warn)"
  throttle 10:00

# watch for and get noisy about NFS problems
# too many false positives, grr
#watchfor /(?i)nfs.*?not responding/
#  mail=sysadmin
#  throttle 10:00

# "can.t" so the pattern matches regardless of which apostrophe
# character the kernel message uses
watchfor /(?i)nfs: task \d+ can.t get a request slot/
  mail=sysadmin,subject="LW: disk (notice)"
  throttle 10:00

# unproductive...
watchfor /(?i)file system full/
  mail=sysadmin,subject="LW: disk (warn)"
  throttle 10:00

# good to know about
watchfor /(?i) duplicate IP address /
  mail=sysadmin,subject="LW: network (warn)"
  throttle 10:00

# non-STARTTLS/Kerberos plaintext login attempts to UW-IMAP
# JAM 2002-03-18 hrmm, KMail appears to tweak this a lot...
#watchfor /(?i)(imapd|ipop[23]d).*?: Login disabled user=/
#  echo
#  mail=sysadmin
#  throttle 1:00:00,use=regex

# rare, but worth hearing about
# (RedHat Linux 6.2 inetd server complaining about frequent IMAP connections)
# NOTE(review): unlike the sudo/su rules the pid group here is not
# optional, and mail= carries no subject=, so this alert does not use
# the "LW:" subject convention from the header -- confirm both are
# intended
watchfor /(?i)inetd(?:\[\d+\]): .+? server failing/
  echo
  mail=sysadmin
  throttle 15:00

# eek!
watchfor /(?i)kernel panic/
  mail=sysadmin,subject="LW: system (warn)"
  throttle 10:00

# noteworthy, usually...
watchfor /(?i)kernel: Out of Memory: Killed process/
  mail=sysadmin,subject="LW: system (warn)"
  throttle 15:00

# OpenBSD harddrive errors
watchfor /(?i)uncorrectable data error/
  mail=sysadmin,subject="LW: disk (warn)"
  throttle 10:00,use=regex

# Linux harddrive errors
# TODO: too loose? tight?
watchfor /(?i)kernel: .+?UncorrectableError/
  mail=sysadmin,subject="LW: disk (warn)"
  throttle 15:00

# more Linux hardware issues
watchfor /(?i)kernel: EXT3-fs error.+?IO failure/
  mail=sysadmin,subject="LW: disk (warn)"
  throttle 15:00,use=regex

# floppy I/O noise is dropped before the generic kernel I/O error rule
# below; keep these two ignore lines ahead of that rule
ignore /(?i)kernel: ide-floppy.+?I\/O error/
ignore /(?i)kernel:.+?I\/O error.+?\(floppy\)/
watchfor /(?i)kernel:.+?I\/O error/
  mail=sysadmin,subject="LW: disk (info)"
  throttle 15:00,use=regex

# RAIDZONE disk errors
watchfor /(?i)RAIDZONE Service detected that the drive .+? has reached warning levels/
  mail=sysadmin,subject="LW: disk (notice)"
  throttle 15:00

# more RAIDZONE errors
watchfor /(?i)kernel: (rzft|rzmpd):.+?failed/
  mail=sysadmin,subject="LW: disk (warn)"
  throttle 15:00

# tcpdump/password sniffing/etc. (interface entering promiscuous mode)
# NOTE(review): this is the only watchfor without (?i), so it is
# case-sensitive -- presumably deliberate, confirm
watchfor /promiscuous/
  mail=sysadmin,subject="LW: network (info)"
  throttle 15:00,use=regex

# testing general "permission denied" issues
watchfor /(?i)permission denied/
  mail=sysadmin,subject="LW: misc (info)"
  throttle 15:00

# testing generic rule for Bad Things
watchfor /(?i)fatal error/
  mail=sysadmin,subject="LW: misc (warn)"
  throttle 10:00,use=regex