sid 5300 incorrectly alerts on OS X

[mikedowney01]

I've noticed sid 5300 alerting for successful authentication when the "Open Directory - Membership cache TTL..." log is generated. This is being triggered due to " - " being matched in the rule.

[ddpbsd]

Can you provide a log sample?

[mikedowney01]

Sure.
The following logs are generated:

su[734]: in pam_sm_authenticate(): authentication succeeded
su[734]: in pam_sm_acct_mgmt(): The root_only option means root only.
su[734]: in pam_sm_acct_mgmt(): OpenDirectory - Membership cache TTL set to 1800.
AccountPolicyHelper[256]: (73.22) AuthenticationAllowed completed: record “test”, result: Success (0).

Which in turn generates the following alert:

Rule: 5301 fired (level 5) -> "User missed the password to change UID (user id)."
Portion of the log(s):

Apr 30 11:19:09 test-mac su[734]: in pam_sm_acct_mgmt(): OpenDirectory - Membership cache TTL set to 1800.

[mikedowney01]

Thanks for the correction. I was hesitant to submit a pull request in case "-" was alerting for logs on older systems.

[ddpbsd]

It could be, but I don't have any evidence that it does. I can only work
with the information I have. :-)

On Fri, May 8, 2015 at 12:04 PM, Mike Downey [email protected]
wrote:

Thanks for the correction. I was hesitant to submit a pull request in case
"-" was alerting for logs on older systems.

Reply to this email directly or view it on GitHub
#604 (comment).