#!/bin/bash

set -eu

LOGFILE=$(mktemp)
trap 'rm -f ${LOGFILE}' 0 INT QUIT ABRT PIPE TERM

chmod 0640 "${LOGFILE}"
chgrp adm "${LOGFILE}"

echo "Jan 31 06:51:07 debian-sid-amd64 su: pam_unix(su-l:auth) failure; logname=testuser uid=1000 euid=0 tty=pts/7 ruser=testuser rhost=  user=root" >> "${LOGFILE}"
echo "Jan 31 06:51:09 debian-sid-amd64 su: FAILED SU (to root) testuser on pts/7" >> "${LOGFILE}"

echo "Jan 31 07:15:01 debian-sid-amd64 CRON[588228]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)" >> "${LOGFILE}"
echo "Jan 31 07:17:01 debian-sid-amd64 CRON[588240]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)" >> "${LOGFILE}"

EXPECTED_OUTPUT="This email is sent by logcheck. If you no longer wish to receive
such mail, you can either uninstall the logcheck package or modify
its configuration file (/etc/logcheck/logcheck.conf).

Security Events for su
=-=-=-=-=-=-=-=-=-=-=-
Jan 31 06:51:07 debian-sid-amd64 su: pam_unix(su-l:auth) failure; logname=testuser uid=1000 euid=0 tty=pts/7 ruser=testuser rhost=  user=root
Jan 31 06:51:09 debian-sid-amd64 su: FAILED SU (to root) testuser on pts/7
"
diff <(su -s /bin/bash -c "/usr/sbin/logcheck -o -l ${LOGFILE}" logcheck) <(echo "$EXPECTED_OUTPUT")
