Update login failure checking to check auth.log instead of messages,

and teach it to look for more general classes of failures, including
SSH login failures.  This is similar but not identical to a patch
submitted by aeonflux@synapse.subneural.net.

1 files changed, 3 insertions, 3 deletions

diff --git a/etc/periodic/security/800.loginfail b/etc/periodic/security/800.loginfail
index c4446f5..5d61bb7 100755
--- a/etc/periodic/security/800.loginfail
+++ b/etc/periodic/security/800.loginfail
@@ -43,17 +43,17 @@ LOG="${daily_status_security_logdir}"
 yesterday=`date -v-1d "+%b %e "`
 
 catmsgs() {
-	find ${LOG} -name 'messages.*' -mtime -2 |
+	find ${LOG} -name 'auth.log.*' -mtime -2 |
 	    sort -t. -r -n +1 -2 |
 	    xargs zcat -f
-	[ -f ${LOG}/messages ] && cat $LOG/messages
+	[ -f ${LOG}/auth.log ] && cat $LOG/auth.log
 }
 
 case "$daily_status_security_loginfail_enable" in
     [Yy][Ee][Ss])
 	echo ""
 	echo "${host} login failures:"
-	n=$(catmsgs | grep -ia "^$yesterday.*login failure" |
+	n=$(catmsgs | grep -ia "^$yesterday.*[fF]ail" |
 	    tee /dev/stderr | wc -l)
 	[ $n -gt 0 ] && rc=1 || rc=0;;
     *)	rc=0;;