Attachment #184281 for bug #220609




# $FreeBSD$

PORTNAME=	logcheck
PORTVERSION=	1.3.18
CATEGORIES=	security
MASTER_SITES=	DEBIAN_POOL
DISTNAME=	${PORTNAME}_${PORTVERSION}

COMMENT=	Auditing tool for system logs on Unix boxes

LICENSE=	GPLv2
LICENSE_FILE=	${WRKSRC}/LICENSE

BUILD_DEPENDS=	docbook-to-man>0:textproc/docbook-to-man
RUN_DEPENDS=	mime-construct:mail/mime-construct \
		lockfile:mail/procmail \
		bash:shells/bash

BINMODE=	755
SUB_LIST+=	LOGCHECK_USER=${LOGCHECK_USER} \
		LOGCHECK_GROUP=${LOGCHECK_GROUP} \
		DBDIR=${DBDIR} CRON=${PORT_OPTIONS:MCRON}
SUB_FILES=	pkg-install pkg-deinstall pkg-message
PLIST_SUB+=	LOGCHECK_USER=${LOGCHECK_USER} \
		LOGCHECK_GROUP=${LOGCHECK_GROUP} \
		DBDIR=${DBDIR} RUNDIR=${RUNDIR}
SHEBANG_FILES=	src/logcheck src/logtail src/logtail2 src/detectrotate/*.dtr
CONFIG_DIRS=	cracking.d ignore.d.paranoid ignore.d.server \
		ignore.d.workstation violations.d violations.ignore.d
DOCS=		AUTHORS CHANGES CREDITS TODO docs/README*
PORTDOCS=	${DOCS:T}
MAN1_FILES=	logcheck-test.1
MAN8_FILES=	logcheck.8 logtail.8 logtail2.8
REINPLACE_FILES=	debian/logcheck.cron.d docs/logcheck.sgml \
			docs/logtail2.8 docs/README.logcheck \
			docs/README.logcheck-database docs/README.logtail \
			etc/logcheck.conf src/logcheck src/logtail2

PATCH_LIST=	extra-patch-debian__logcheck.cron.d \
		extra-patch-docs__logcheck.8 \
		extra-patch-etc__logcheck.conf \
		extra-patch-src__logcheck \
		extra-patch-src__logtail2
EXTRA_PATCHES=	${PATCH_LIST:C|^|${WRKDIR}/|g}

.include <bsd.port.pre.mk>

do-build:
.for file in ${REINPLACE_FILES}
	${REINPLACE_CMD} ${_SUB_LIST_TEMP} ${WRKSRC}/${file}
.endfor
	docbook-to-man ${WRKSRC}/docs/logcheck.sgml > ${WRKSRC}/docs/logcheck.8
	${FIND} ${WRKSRC} -type f \( -name \*.orig -o -name \*.bak \) -delete

post-patch:
	@${FIND} ${WRKSRC}/rulefiles -type f -name \*.orig -delete

do-build:
	@${REINPLACE_CMD} -e 's!/var/log/syslog!/var/log/messages!' \
		${WRKSRC}/etc/logcheck.logfiles

do-install:
	@${MKDIR} ${STAGEDIR}${DATADIR}/detectrotate \
		  ${STAGEDIR}${DBDIR} \

		  ${STAGEDIR}${ETCDIR} \
		  ${STAGEDIR}${EXAMPLESDIR} \
		  ${STAGEDIR}${RUNDIR}
	${INSTALL_SCRIPT} ${WRKSRC}/src/logcheck-test ${STAGEDIR}${PREFIX}/bin
	${INSTALL_SCRIPT} ${WRKSRC}/src/logcheck ${STAGEDIR}${PREFIX}/sbin
	${INSTALL_SCRIPT} ${WRKSRC}/src/logtail ${STAGEDIR}${PREFIX}/sbin
	${INSTALL_SCRIPT} ${WRKSRC}/src/logtail2 ${STAGEDIR}${PREFIX}/sbin

	@${ECHO_CMD} '@exec ${CHGRP} -R ${LOGCHECK_GROUP} \
		${ETCDIR:S|^${PREFIX}/|%D/|} \
		${DATADIR:S|^${PREFIX}/|%D/|}' >> ${TMPPLIST}
.for i in ${MAN1_FILES}
	${INSTALL_MAN} ${WRKSRC}/docs/$i ${STAGEDIR}${MAN1PREFIX}/man/man1
.endfor
.for i in ${MAN8_FILES}
	${INSTALL_MAN} ${WRKSRC}/docs/$i ${STAGEDIR}${MAN8PREFIX}/man/man8
.endfor
	cd ${WRKSRC} && ${INSTALL_DATA} ${DOCS} ${STAGEDIR}${DOCSDIR}

Lines 1-2 Link Here

(-)distinfo (-2 / +3 lines)
1	SHA256 (logcheck_1.3.17.tar.xz) = c2d3fc323e8c6555e91d956385dbfd0f67b55872ed0f6a7ad8ad2526a9faf03a	1	TIMESTAMP = 1499679623
2	SIZE (logcheck_1.3.17.tar.xz) = 130956	2	SHA256 (logcheck_1.3.18.tar.xz) = 077b9149ccd2b747b52785afa89da844f3d072c017c9e719925dec6acb9a9af4
		3	SIZE (logcheck_1.3.18.tar.xz) = 131252




--- ./debian/logcheck.cron.d.orig	2006-08-06 19:10:49.000000000 -0400
+++ ./debian/logcheck.cron.d	2008-09-06 19:11:28.000000000 -0400
@@ -1,9 +1,5 @@
-# /etc/cron.d/logcheck: crontab entries for the logcheck package
-
-PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+# crontab entries for the logcheck package
+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
 MAILTO=root
-
-@reboot         logcheck    if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck -R; fi
-2 * * * *       logcheck    if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck; fi
-
-# EOF
+@reboot    if [ -x %%PREFIX%%/sbin/logcheck ]; then nice -n10 %%PREFIX%%/sbin/logcheck -R; fi
+2 * * * *  if [ -x %%PREFIX%%/sbin/logcheck ]; then nice -n10 %%PREFIX%%/sbin/logcheck; fi




--- docs/logcheck.8.orig	2009-12-15 15:03:22.000000000 -0500
+++ docs/logcheck.8	2009-12-15 15:03:41.000000000 -0500
@@ -0,0 +1,115 @@
+.\" This manpage has been automatically generated by docbook2man 
+.\" from a DocBook document.  This tool can be found at:
+.\" <http://shell.ipoline.com/~elmert/comp/docbook2X/> 
+.\" Please send any bug reports, improvements, comments, patches, 
+.\" etc. to Steve Cheng <steve@ggi-project.org>.
+.TH "Logcheck" "8" "15 December 2009" "" ""
+
+.SH NAME
+logcheck \- program to scan system logs for interesting lines
+.SH SYNOPSIS
+
+\fBlogcheck\fR [ \fBOPTIONS\fR ]
+
+.SH "DESCRIPTION"
+.PP
+The \fBlogcheck\fR program helps spot problems and
+security violations in your logfiles automatically and will send the
+results to you periodically in an e-mail. By default logcheck runs as 
+an hourly cronjob just off the hour and after every reboot.
+.PP
+\fBlogcheck\fR supports three level of filtering:
+"paranoid" is for high-security machines running as few services
+as possible. Don't use it if you can't handle its verbose messages.
+"server" is the default and contains rules for many different daemons.
+"workstation" is for sheltered machines and filters most of the messages.
+The ignore rules work in additive manner. "paranoid" rules are also
+included at level "server" and "workstation".
+.PP
+The messages reported are sorted into three layers, system events,
+security events and attack alerts. The verbosity of system events is 
+controlled by which level you choose, paranoid, server or workstation. 
+However, security events and attack alerts are not affected by this.
+.SH "EXAMPLES"
+.PP
+\fBlogcheck\fR can be invoked directly thanks
+to su(8) or sudo(8), which change the user ID. The following example checks the logfiles
+without updating the offset and outputs everything to STDOUT.
+.PP
+sudo -u logcheck \fBlogcheck\fR -o -t
+.SH "OPTIONS"
+.PP
+A summary of options is included below.
+.TP
+\fB-c CFG \fR
+Overrule default configuration file.
+.TP
+\fB-d \fR
+Debug mode.
+.TP
+\fB-h \fR
+Show usage information.
+.TP
+\fB-H \fR
+Use this hostname string in the subject of logcheck mail.
+.TP
+\fB-l LOG \fR
+Run logfile through logcheck.
+.TP
+\fB-L CFG \fR
+Overrule default logfiles list.
+.TP
+\fB-m \fR
+Mail report to recipient.
+.TP
+\fB-o \fR
+STDOUT mode, not sending mail.
+.TP
+\fB-p \fR
+Set the report level to "paranoid".
+.TP
+\fB-r DIR \fR
+Overrule default rules directory.
+.TP
+\fB-R \fR
+Adds "Reboot:" to the email subject line.
+.TP
+\fB-s \fR
+Set the report level to "server".
+.TP
+\fB-S DIR \fR
+Overrule default state directory.
+.TP
+\fB-t \fR
+Testing mode does not update offset.
+.TP
+\fB-T \fR
+Do not remove the TMPDIR.
+.TP
+\fB-u \fR
+Enable syslog-summary.
+.TP
+\fB-v \fR
+Print current version.
+.TP
+\fB-w \fR
+Set the report level to "workstation".
+.SH "FILES"
+.PP
+%%ETCDIR%%/logcheck.conf is the main configuration file.
+.PP
+%%ETCDIR%%/logcheck.logfiles is the list of files to monitor.
+.PP
+%%DOCSDIR%%/README.logcheck-database for hints on how to write, test and maintain rules.
+.SH "EXIT STATUS"
+.PP
+0 upon success; 1 upon failure
+.SH "SEE ALSO"
+.PP
+\fBlogtail\fR(8)
+.SH "AUTHOR"
+.PP
+logcheck is developed by Debian logcheck Team at alioth: 
+http://alioth.debian.org/projects/logcheck/.
+.PP
+This manual page was written by Jon Middleton.




--- etc/logcheck.conf.orig	2010-04-15 01:15:34.000000000 +0900
+++ etc/logcheck.conf	2010-05-12 14:22:13.000000000 +0900
@@ -53,13 +53,7 @@
 # Controls the base directory for rules file location
 # This must be an absolute path
 
-#RULEDIR="/etc/logcheck"
-
-# Controls if syslog-summary is run over each section.
-# Alternatively, set to "1" to enable extra summary.
-# HINT: syslog-summary needs to be installed.
-
-#SYSLOGSUMMARY=0
+#RULEDIR="%%ETCDIR%%"
 
 # Controls Subject: lines on logcheck reports:
 




--- src/logcheck.orig	2010-07-07 15:59:57.000000000 -0400
+++ src/logcheck	2010-07-07 16:19:33.000000000 -0400
@@ -24,17 +24,10 @@
 
 if [ `id -u` = 0 ]; then
     echo "logcheck should not be run as root. Use su to invoke logcheck:"
-    echo "su -s /bin/bash -c \"/usr/sbin/logcheck${@:+ $@}\" logcheck"
+    echo "su -m %%LOGCHECK_USER%% -c \"%%LOCALBASE%%/bin/bash %%PREFIX%%/sbin/logcheck${@:+ $@}\""
     echo "Or use sudo: sudo -u logcheck logcheck${@:+ $@}."
     # you may want to uncomment that hack to let logcheck invoke itself.
-    # su -s /bin/bash -c "$0 $*" logcheck
-    exit 1
-fi
-
-if [ ! -f /usr/bin/lockfile-create -o \
-     ! -f /usr/bin/lockfile-remove -o \
-     ! -f /usr/bin/lockfile-touch ]; then
-    echo "fatal: lockfile-progs is a prerequisite for logcheck, and was not found."
+    # su -s %%LOCALBASE%%/bin/bash -c "$0 $*" logcheck
     exit 1
 fi
 
@@ -69,12 +62,12 @@
 ADDTAG="no"
 
 # Set the default paths
-RULEDIR="/etc/logcheck"
-CONFFILE="/etc/logcheck/logcheck.conf"
-STATEDIR="/var/lib/logcheck"
-LOGFILES_LIST="/etc/logcheck/logcheck.logfiles"
-LOGFILE_FALLBACK="/var/log/syslog"
-LOGTAIL="/usr/sbin/logtail2"
+RULEDIR="%%ETCDIR%%"
+CONFFILE="%%ETCDIR%%/logcheck.conf"
+STATEDIR="/var/db/logcheck"
+LOGFILES_LIST="%%ETCDIR%%/logcheck.logfiles"
+LOGFILE_FALLBACK="/var/log/messages"
+LOGTAIL="%%PREFIX%%/sbin/logtail2"
 CAT="/bin/cat"
 SYSLOG_SUMMARY="/usr/bin/syslog-summary"
 
@@ -89,20 +82,15 @@
 SORTUNIQ=0
 SUPPORT_CRACKING_IGNORE=0
 SYSLOGSUMMARY=0
-LOCKDIR=/run/lock/logcheck
+LOCKDIR=/var/run/logcheck
 LOCKFILE="$LOCKDIR/logcheck"
 
 # Carry out the clean up tasks
 cleanup() {
 
-    if [ -n "$LOCK" ]; then
-        debug "cleanup: Killing lockfile-touch - $LOCK"
-	kill "$LOCK" && unset LOCK
-    fi
-
-    if [ -f "$LOCKFILE.lock" ]; then
-        debug "cleanup: Removing lockfile: $LOCKFILE.lock"
-	lockfile-remove "$LOCKFILE"
+    if [ -f "$LOCKFILE" ]; then
+        debug "cleanup: Removing lockfile: $LOCKFILE"
+	rm -f "$LOCKFILE"
     fi
 
     if [ -d "$TMPDIR" ]; then
@@ -144,14 +132,9 @@
     if [ "$2" = "noclean" ]; then
 	debug "error: Not removing lockfile"
     else
-        if [ -n "$LOCK" ]; then
-	    debug "error: Killing lockfile-touch - $LOCK"
-	    kill "$LOCK" && unset LOCK
-	fi
-
-       if [ -f "$LOCKFILE.lock" ]; then
-           debug "error: Removing lockfile: $LOCKFILE.lock"
-           lockfile-remove "$LOCKFILE"
+       if [ -f "$LOCKFILE" ]; then
+           debug "error: Removing lockfile: $LOCKFILE"
+           rm -f "$LOCKFILE"
        fi
 
     fi
@@ -170,7 +153,7 @@
 ${TMPDIR:+Check temporary directory: $TMPDIR
 }
 Also verify that the logcheck user can read all files referenced in
-/etc/logcheck/logcheck.logfiles!
+%%ETCDIR%%/logcheck.logfiles!
 
 $(export)
 EOF
@@ -215,7 +198,7 @@
 	    mkdir "$cleaned" \
 	        || error "Could not make dir $cleaned for cleaned rulefiles."
 	fi
-	for rulefile in $(run-parts --list "$dir"); do
+	for rulefile in $(ls -1R "$dir"); do
 	    rulefile="$(basename "$rulefile")"
 	    if [ -f "${dir}/${rulefile}" ]; then
 		debug "cleanrules: ${dir}/${rulefile}"
@@ -529,9 +512,9 @@
 
 # Hostname either fully qualified or not.
 if [ "$FQDN" -eq 1 ]; then
-        HOSTNAME="$(hostname --fqdn 2>/dev/null)"
+        HOSTNAME="$(hostname -f 2>/dev/null)"
 else
-        HOSTNAME="$(hostname --short 2>/dev/null)"
+        HOSTNAME="$(hostname -s 2>/dev/null)"
 fi
 
 # Now check for the other options
@@ -610,30 +593,25 @@
 
 trap 'cleanup' 0
 
-debug "Trying to get lockfile: $LOCKFILE.lock"
+debug "Trying to get lockfile: $LOCKFILE"
 if [ ! -d "$LOCKDIR" ]; then
 	mkdir -m 0755 "$LOCKDIR"
 fi
-lockfile-create --retry 1 "$LOCKFILE" > /dev/null 2>&1
+lockfile -r 1 "$LOCKFILE" > /dev/null 2>&1
 
 
 if [ $? -eq 1 ]; then
     trap 0
-    if [ -e "${LOCKFILE}.lock" ]; then
+    if [ -e "${LOCKFILE}" ]; then
         error "Another logcheck process is still running" "noclean"
     else
-        error "Failed to get lockfile: $LOCKFILE.lock" "noclean"
+        error "Failed to get lockfile: $LOCKFILE" "noclean"
     fi
-
-else
-    debug "Running lockfile-touch $LOCKFILE.lock"
-    lockfile-touch "$LOCKFILE" &
-    LOCK="$!"
 fi
 
 # Create the secure temporary directory or exit
-TMPDIR="$(mktemp -d -p "${TMP:-/tmp}" logcheck.XXXXXX)" \
-    || TMPDIR="$(mktemp -d -p /var/tmp logcheck.XXXXXX)" \
+TMPDIR="$(mktemp -d ${TMP:-/tmp}/logcheck.XXXXXX)" \
+    || TMPDIR="$(mktemp -d /var/tmp/logcheck.XXXXXX)" \
     || error "Could not create temporary directory"
 
 # Now clean the rulefiles in the directories

Lines 1-11 Link Here

(-)files/extra-patch-src__logtail2.in (-11 lines)
1	--- src/logtail2.orig 2010-01-18 17:24:26.000000000 -0500
2	+++ src/logtail2 2010-01-18 17:24:40.000000000 -0500
3	@@ -108,7 +108,7 @@
4	# function with dateext magic added.
5
6	#print "determine_rotated_logfile $filename $inode\n";
7	- for my $codefile (glob("/usr/share/logtail/detectrotate/*.dtr")) {
8	+ for my $codefile (glob("%%DATADIR%%/detectrotate/*.dtr")) {
9	my $func = do $codefile;
10	if (!$func) {
11	print STDERR "cannot compile $codefile: $!";




--- debian/logcheck.cron.d.orig	2017-01-25 21:08:04 UTC
+++ debian/logcheck.cron.d
@@ -1,9 +1,5 @@
-# /etc/cron.d/logcheck: crontab entries for the logcheck package
-
-PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+# crontab entries for the logcheck package
+PATH=/sbin:/bin:/usr/sbin:/usr/bin:%%PREFIX%%/sbin:%%PREFIX%%/bin
 MAILTO=root
-
-@reboot         logcheck    if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck -R; fi
-2 * * * *       logcheck    if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck; fi
-
-# EOF
+@reboot    if [ -x %%PREFIX%%/sbin/logcheck ]; then nice -n10 %%PREFIX%%/sbin/logcheck -R; fi
+2 * * * *  if [ -x %%PREFIX%%/sbin/logcheck ]; then nice -n10 %%PREFIX%%/sbin/logcheck; fi




--- docs/README.logcheck.orig	2017-01-25 21:08:04 UTC
+++ docs/README.logcheck
@@ -17,11 +17,11 @@ don't start overlapping.
 ======================================================================
 LOG ENTRIES
 -----------
-These are taken from a specified set of logfiles (usually syslog and
+These are taken from a specified set of logfiles (usually messages and
 auth.log); a special Perl utility named "logtail" is used which
 "bookmarks" its place in the logs, so that events aren't reported
 twice in successive logcheck runs.  The offset records are stored as
-(eg) "/var/lib/logcheck/offset.var.log.syslog"; lines to be
+(eg) "%%DBDIR%%/offset.var.log.messages"; lines to be
 considered by logcheck are copied into tempfiles in the working
 directory "/var/tmp/logcheck".  See the corresponding README for
 logtail for further notes on complications such as log-rotation.




--- docs/README.logcheck-database.orig	2017-01-25 21:08:04 UTC
+++ docs/README.logcheck-database
@@ -15,7 +15,7 @@ normal egrep pattern-matches, applied in
 1. the "SECURITY ALERTS" layer, designed to detect the traces of active
 	intrusion attempts.
 
-   Patterns raising the alarm go in "/etc/logcheck/cracking.d"; any
+   Patterns raising the alarm go in "%%ETCDIR%%/cracking.d"; any
 	event that matches one of these patterns turns the report
 	into an urgent "Security Alerts" report, with the relevant
 	event moved to a special section.  The cracking.d standard
@@ -26,7 +26,7 @@ normal egrep pattern-matches, applied in
 	the default logcheck configuration, but if the local
 	administrator enables this layer of filtering in
 	logcheck.conf, then the rules go in the directory
-	"/etc/logcheck/cracking.ignore.d".  Matches with
+	"%%ETCDIR%%/cracking.ignore.d".  Matches with
 	cracking.ignore rules will then reclassify the alert as a
 	false alarm (compare violations.ignore below).  Note that
 	this means they are totally ignored - log messages handled
@@ -35,12 +35,12 @@ normal egrep pattern-matches, applied in
 2. the "SECURITY EVENTS" layer, designed to detect less critical
 	events still considered worthy of special attention.
 
-   Patterns raising the alarm go in "/etc/logcheck/violations.d";
+   Patterns raising the alarm go in "%%ETCDIR%%/violations.d";
 	matches with these result in a "Security Events" alert,
 	with the relevant event moved to a special section.
 
    Patterns cancelling such alarms go in the standard directory
-	"/etc/logcheck/violations.ignore.d"; apparent "Security
+	"%%ETCDIR%%/violations.ignore.d"; apparent "Security
 	Events" that match with violations.ignore patterns are
 	discarded as false alarms.
 
@@ -51,7 +51,7 @@ normal egrep pattern-matches, applied in
 	from the logfiles are considered for inclusion in the main
 	"System Events" section.
 
-   Patterns in the three "/etc/logcheck/ignore.d.*" directories
+   Patterns in the three "%%ETCDIR%%/ignore.d.*" directories
 	again function to overrule alerts; the log messages that
 	match them are excluded from the report as trivial.  The
 	specific directories consulted depend on the prevailing
@@ -78,13 +78,13 @@ underscore, and hyphen.
 Contains filters relevant to only one Debian package - for example
 if "fooserver" logs suspicious events like this:
 "$DATE $HOSTNAME fooserver[$PID]: $USER is up to no good"
-then a line in "/etc/logcheck/violations.d/fooserver" with an
+then a line in "%%ETCDIR%%/violations.d/fooserver" with an
 appropriate pattern will promote it from a mere "System Event"
 to a full "Security Event" in a subsection of the mailing headed
 "fooserver".  Or then again if that kind of log message is more
 trivial than it looks (maybe "foo" is a networked game of
 spy-and-counterspy) then a line in
-"/etc/logcheck/ignore.d.server/fooserver" will turn it into a
+"%%ETCDIR%%/ignore.d.server/fooserver" will turn it into a
 nonevent for all but the most assiduous of administrators.
 
 Sometimes a package will have not only special alarm calls which
@@ -107,7 +107,7 @@ that need to be processed.
 
 Standard "generic" rules go in each directory's "./logcheck" file;
 thus for instance any log message at all matching "ATTACK"
-(listed in "/etc/logcheck/cracking.d/logcheck") _always_ triggers
+(listed in "%%ETCDIR%%/cracking.d/logcheck") _always_ triggers
 a "Security Alert", unless you deliberately tamper with
 "cracking.ignore.d" rules.
 
@@ -122,12 +122,12 @@ non-package-specific "flagging" patterns
 "fooserver" outputs syslog messages like this:
     "$DATE $HOSTNAME fooserver[$PID]: 3 attempts 0 rejected"
 then the standard keyword "reject" listed in the generic
-"/etc/logcheck/violations.d/logcheck" file will trigger frequent
+"%%ETCDIR%%/violations.d/logcheck" file will trigger frequent
 "Security Events" reports.  Putting a filtering pattern in
-"/etc/logcheck/violations.ignore.d/fooserver" won't help here!
+"%%ETCDIR%%/violations.ignore.d/fooserver" won't help here!
 The solution is to use a file named in the specially-privileged
 ./logcheck-<packagename> format:
-"/etc/logcheck/violations.ignore.d/logcheck-fooserver".
+"%%ETCDIR%%/violations.ignore.d/logcheck-fooserver".
 This can contain patterns provided by that particular package
 which nonetheless need to take precedence over the generic rules.
 
@@ -137,8 +137,8 @@ Sysadmins can use the "local-*" filename
 additions to the "logcheck-*" pattern lists.  If you have "ippl"
 logging network connections verbosely into syslog then you can put
 custom "Security Events" keywords in
-"/etc/logcheck/violations.d/local-ippl" and exceptions in
-"/etc/logcheck/violations.ignore.d/local-ippl".
+"%%ETCDIR%%/violations.d/local-ippl" and exceptions in
+"%%ETCDIR%%/violations.ignore.d/local-ippl".
 
 
 WRITING RULES
@@ -181,7 +181,7 @@ logcheck-test(1)).
 Alternatively you can manually grep your log file, and remove trailing
 space with something like this:
 
-    sed -e 's/[[:space:]]*$//' /var/log/syslog | egrep \
+    sed -e 's/[[:space:]]*$//' /var/log/messages | egrep \
     '^\w{3} [ :0-9]{11} oempc wwwoffled\[[0-9]+\]: WWWOFFLE (On|Off)line\.$'
 
 If the log line is displayed, then your regex works.

Line 0 Link Here

(-)files/patch-docs_README.logtail (+11 lines)
	1	--- docs/README.logtail.orig 2017-01-25 21:08:04 UTC
	2	+++ docs/README.logtail
	3	@@ -28,7 +28,7 @@ Logtail2, a different executeable, also
	4	guessing a file name that might have been the target of log rotation
	5	and printing that file's contents starting with the stored offset. If
	6	you have a non-standard rotation scheme, you can drop your own
	7	-heuristic into /usr/share/logtail/detectrotate/ and have it
	8	+heuristic into %%DATADIR%%/detectrotate/ and have it
	9	automatically picked up by logtail2.
	10	======================================================================
	11	COMMANDLINE ARGUMENTS




--- docs/logcheck-test.1.orig	2017-01-25 21:08:04 UTC
+++ docs/logcheck-test.1
@@ -38,8 +38,8 @@ Show usage information
 .B \-a, \-\-auth.log
 Parse /var/log/auth.log for matching lines
 .TP
-.B \-s, \-\-syslog
-Parse /var/log/syslog for matching lines
+.B \-m, \-\-messages
+Parse /var/log/messages for matching lines
 .TP
 .B \-l, \-\-log\-file FILE
 Parse FILE for matching lines
@@ -69,10 +69,10 @@ With
 .B logcheck-test
 you can easily write and test new rules.
 .PP
-Test a single rule against /var/log/syslog:
+Test a single rule against /var/log/messages:
 .RS
 .fam C
-logcheck-test \-s "RULE"
+logcheck-test \-m "RULE"
 .fam T
 .RE
 




--- docs/logcheck.sgml.orig	2017-01-25 21:08:04 UTC
+++ docs/logcheck.sgml
@@ -244,10 +244,10 @@ manpage.1: manpage.sgml
   <refsect1>
     <title>FILES</title>
 
-    <para>/etc/logcheck/logcheck.conf is the main configuration file.</para>
-    <para>/etc/logcheck/logcheck.logfiles is the list of files to monitor.</para>
-    <para>/etc/logcheck/logcheck.logfiles.d is the directory of lists of files to monitor.</para>
-    <para>/usr/share/doc/logcheck-database/README.logcheck-database.gz for hints on how to write, test and maintain rules.</para>
+    <para>%%ETCDIR%%/logcheck.conf is the main configuration file.</para>
+    <para>%%ETCDIR%%/logcheck.logfiles is the list of files to monitor.</para>
+    <para>%%ETCDIR%%/logcheck.logfiles.d is the directory of lists of files to monitor.</para>
+    <para>%%DOCSDIR%%/README.logcheck-database for hints on how to write, test and maintain rules.</para>
   </refsect1>
   <refsect1>
     <title>EXIT STATUS</title>

Line 0 Link Here

(-)files/patch-docs_logtail2.8 (+11 lines)
	1	--- docs/logtail2.8.orig 2017-01-25 21:08:04 UTC
	2	+++ docs/logtail2.8
	3	@@ -38,7 +38,7 @@ is not empty, the inode of
	4	is checked. If the inode is changed,
	5	.B logtail2
	6	uses the heuristics stored in
	7	-.I /usr/share/logtail/detectrotate/
	8	+.I %%DATADIR%%/detectrotate/
	9	to find a file that might be the rotated
	10	.I logfile
	11	and prints it starting with the stored offset. It then proceeds to




--- etc/logcheck.conf.orig	2017-01-25 21:08:04 UTC
+++ etc/logcheck.conf
@@ -9,7 +9,7 @@
 # Controls the presence of boilerplate at the top of each message:
 # Alternatively, set to "0" to disable the introduction.
 #
-# If the files /etc/logcheck/header.txt and /etc/logcheck/footer.txt
+# If the files %%ETCDIR%%/header.txt and %%ETCDIR%%/footer.txt
 # are present their contents will be read and used as the header and
 # footer of any generated mails.
 
@@ -44,8 +44,8 @@ FQDN=1
 
 #SORTUNIQ=0
 
-# Controls whether /etc/logcheck/cracking.ignore.d is scanned for
-# exceptions to the rules in /etc/logcheck/cracking.d:
+# Controls whether %%ETCDIR%%/cracking.ignore.d is scanned for
+# exceptions to the rules in %%ETCDIR%%/cracking.d:
 # Alternatively, set to "1" to enable cracking.ignore support
 
 #SUPPORT_CRACKING_IGNORE=0
@@ -53,13 +53,7 @@ FQDN=1
 # Controls the base directory for rules file location
 # This must be an absolute path
 
-#RULEDIR="/etc/logcheck"
-
-# Controls if syslog-summary is run over each section.
-# Alternatively, set to "1" to enable extra summary.
-# HINT: syslog-summary needs to be installed.
-
-#SYSLOGSUMMARY=0
+#RULEDIR="%%ETCDIR%%"
 
 # Controls Subject: lines on logcheck reports:
 

Line 0 Link Here

(-)files/patch-etc_logcheck.logfiles (+8 lines)
	1	--- etc/logcheck.logfiles.orig 2017-01-25 21:08:04 UTC
	2	+++ etc/logcheck.logfiles
	3	@@ -1,4 +1,4 @@
	4	# these files will be checked by logcheck
	5	# This has been tuned towards a default syslog install
	6	-/var/log/syslog
	7	/var/log/auth.log
	8	+/var/log/messages

Lines 1-6 Link Here

(-)files/patch-rulefiles__linux__ignore.d.server__ssh (-3 / +3 lines)
1	--- ./rulefiles/linux/ignore.d.server/ssh.orig 2010-09-03 04:24:30.000000000 -0400	1	--- rulefiles/linux/ignore.d.server/ssh.orig 2017-01-25 21:08:04 UTC
2	+++ ./rulefiles/linux/ignore.d.server/ssh 2011-11-23 14:25:31.000000000 -0500	2	+++ rulefiles/linux/ignore.d.server/ssh
3	@@ -21,8 +21,8 @@	3	@@ -27,8 +27,8 @@
4	^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: $pam_unix$ check pass; user unknown$	4	^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: $pam_unix$ check pass; user unknown$
5	^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: $pam_unix$ bad username \[[^]]+\]$	5	^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: $pam_unix$ bad username \[[^]]+\]$
6	^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: Could not get shadow information for NOUSER$	6	^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: Could not get shadow information for NOUSER$




--- src/logcheck.orig	2017-07-11 17:32:13 UTC
+++ src/logcheck
@@ -24,17 +24,10 @@
 
 if [ `id -u` = 0 ]; then
     echo "logcheck should not be run as root. Use su to invoke logcheck:"
-    echo "su -s /bin/bash -c \"/usr/sbin/logcheck${@:+ $@}\" logcheck"
+    echo "su -m %%LOGCHECK_USER%% -c \"%%LOCALBASE%%/bin/bash %%PREFIX%%/sbin/logcheck${@:+ $@}\""
     echo "Or use sudo: sudo -u logcheck logcheck${@:+ $@}."
     # you may want to uncomment that hack to let logcheck invoke itself.
-    # su -s /bin/bash -c "$0 $*" logcheck
-    exit 1
-fi
-
-if [ ! -f /usr/bin/lockfile-create -o \
-     ! -f /usr/bin/lockfile-remove -o \
-     ! -f /usr/bin/lockfile-touch ]; then
-    echo "fatal: lockfile-progs is a prerequisite for logcheck, and was not found."
+    # su -s %%LOCALBASE%%/bin/bash -c "$0 $*" logcheck
     exit 1
 fi
 
@@ -69,13 +62,13 @@ EVENTSSUBJECT="System Events"
 ADDTAG="no"
 
 # Set the default paths
-RULEDIR="/etc/logcheck"
-CONFFILE="/etc/logcheck/logcheck.conf"
-STATEDIR="/var/lib/logcheck"
-LOGFILES_LIST="/etc/logcheck/logcheck.logfiles"
-LOGFILES_LIST_D="/etc/logcheck/logcheck.logfiles.d"
-LOGFILE_FALLBACK="/var/log/syslog"
-LOGTAIL="/usr/sbin/logtail2"
+RULEDIR="%%ETCDIR%%"
+CONFFILE="%%ETCDIR%%/logcheck.conf"
+STATEDIR="%%DBDIR%%"
+LOGFILES_LIST="%%ETCDIR%%/logcheck.logfiles"
+LOGFILES_LIST_D="%%ETCDIR%%/logcheck.logfiles.d"
+LOGFILE_FALLBACK="/var/log/messages"
+LOGTAIL="%%PREFIX%%/sbin/logtail2"
 CAT="/bin/cat"
 SYSLOG_SUMMARY="/usr/bin/syslog-summary"
 
@@ -90,20 +83,15 @@ FQDN=0
 SORTUNIQ=0
 SUPPORT_CRACKING_IGNORE=0
 SYSLOGSUMMARY=0
-LOCKDIR=/run/lock/logcheck
+LOCKDIR=/var/run/logcheck
 LOCKFILE="$LOCKDIR/logcheck"
 
 # Carry out the clean up tasks
 cleanup() {
 
-    if [ -n "$LOCK" ]; then
-        debug "cleanup: Killing lockfile-touch - $LOCK"
-	kill "$LOCK" && unset LOCK
-    fi
-
-    if [ -f "$LOCKFILE.lock" ]; then
-        debug "cleanup: Removing lockfile: $LOCKFILE.lock"
-	lockfile-remove "$LOCKFILE"
+    if [ -f "$LOCKFILE" ]; then
+        debug "cleanup: Removing lockfile: $LOCKFILE"
+	rm -f "$LOCKFILE"
     fi
 
     if [ -d "$TMPDIR" ]; then
@@ -145,14 +133,9 @@ error() {
     if [ "$2" = "noclean" ]; then
 	debug "error: Not removing lockfile"
     else
-        if [ -n "$LOCK" ]; then
-	    debug "error: Killing lockfile-touch - $LOCK"
-	    kill "$LOCK" && unset LOCK
-	fi
-
-       if [ -f "$LOCKFILE.lock" ]; then
-           debug "error: Removing lockfile: $LOCKFILE.lock"
-           lockfile-remove "$LOCKFILE"
+       if [ -f "$LOCKFILE" ]; then
+           debug "error: Removing lockfile: $LOCKFILE"
+           rm -f "$LOCKFILE"
        fi
 
     fi
@@ -171,7 +154,7 @@ $message
 ${TMPDIR:+Check temporary directory: $TMPDIR
 }
 Also verify that the logcheck user can read all files referenced in
-/etc/logcheck/logcheck.logfiles!
+%%ETCDIR%%/logcheck.logfiles!
 
 $(export)
 EOF
@@ -223,7 +206,7 @@ cleanrules() {
 			error "Couldn't read $x"
 		fi
 	done
-	for rulefile in $(run-parts --list "$dir"); do
+	for rulefile in $(ls -1R "$dir"); do
 	    rulefile="$(basename "$rulefile")"
 	    if [ -f "${dir}/${rulefile}" ]; then
 		debug "cleanrules: ${dir}/${rulefile}"
@@ -538,9 +521,9 @@ fi
 
 # Hostname either fully qualified or not.
 if [ "$FQDN" -eq 1 ]; then
-        HOSTNAME="$(hostname --fqdn 2>/dev/null)"
+        HOSTNAME="$(hostname -f 2>/dev/null)"
 else
-        HOSTNAME="$(hostname --short 2>/dev/null)"
+        HOSTNAME="$(hostname -s 2>/dev/null)"
 fi
 
 # Now check for the other options
@@ -623,30 +606,25 @@ fi
 
 trap 'cleanup' 0
 
-debug "Trying to get lockfile: $LOCKFILE.lock"
+debug "Trying to get lockfile: $LOCKFILE"
 if [ ! -d "$LOCKDIR" ]; then
 	mkdir -m 0755 "$LOCKDIR"
 fi
-lockfile-create --retry 1 "$LOCKFILE" > /dev/null 2>&1
+lockfile -r 1 "$LOCKFILE" > /dev/null 2>&1
 
 
 if [ $? -eq 1 ]; then
     trap 0
-    if [ -e "${LOCKFILE}.lock" ]; then
+    if [ -e "${LOCKFILE}" ]; then
         error "Another logcheck process is still running" "noclean"
     else
-        error "Failed to get lockfile: $LOCKFILE.lock" "noclean"
+        error "Failed to get lockfile: $LOCKFILE" "noclean"
     fi
-
-else
-    debug "Running lockfile-touch $LOCKFILE.lock"
-    lockfile-touch "$LOCKFILE" &
-    LOCK="$!"
 fi
 
 # Create the secure temporary directory or exit
-TMPDIR="$(mktemp -d -p "${TMP:-/tmp}" logcheck.XXXXXX)" \
-    || TMPDIR="$(mktemp -d -p /var/tmp logcheck.XXXXXX)" \
+TMPDIR="$(mktemp -d ${TMP:-/tmp}/logcheck.XXXXXX)" \
+    || TMPDIR="$(mktemp -d /var/tmp/logcheck.XXXXXX)" \
     || error "Could not create temporary directory"
 
 # Now clean the rulefiles in the directories




--- src/logcheck-test.orig	2017-01-25 21:08:04 UTC
+++ src/logcheck-test
@@ -38,7 +38,7 @@ usage() {
 usage: logcheck-test
 -h|--help                   : Show usage information
 -a|--auth.log               : Parse /var/log/auth.log
--s|--syslog                 : Parse /var/log/syslog
+-m|--messages               : Parse /var/log/messages
 -l|--log-file LOGFILE       : Parse LOGFILE
 -i|--invert-match           : Show lines that don't match the RULE or RULEFILE
 -q|--quiet                  : Suppress rule summary
@@ -103,9 +103,9 @@ while [ -n "${1:-}" ]; do
                 warn "option -a ignored"
             fi
         ;;
-        -s|--syslog)
+        -m|--messages)
             if [ -z "$FILE" ] ; then
-                FILE="/var/log/syslog"
+                FILE="/var/log/messages"
             else
                 warn "option -s ignored"
             fi

Line 0 Link Here

(-)files/patch-src_logtail2 (+11 lines)
	1	--- src/logtail2.orig 2017-07-11 17:32:13 UTC
	2	+++ src/logtail2
	3	@@ -109,7 +109,7 @@ sub determine_rotated_logfile {
	4	# function with dateext magic added.
	5
	6	#print "determine_rotated_logfile $filename $inode\n";
	7	- for my $codefile (glob("/usr/share/logtail/detectrotate/*.dtr")) {
	8	+ for my $codefile (glob("%%DATADIR%%/detectrotate/*.dtr")) {
	9	my $func = do $codefile;
	10	if (!$func) {
	11	print STDERR "cannot compile $codefile: $!";

Lines 1-4 Link Here

(-)pkg-plist (-5 / +9 lines)
1	@mode 640	1	@mode 640
		2	%%DATADIR%%/detectrotate/10-savelog.dtr
		3	%%DATADIR%%/detectrotate/20-logrotate.dtr
		4	%%DATADIR%%/detectrotate/30-logrotate-dateext.dtr
2	%%ETCDIR%%/cracking.d/kernel	5	%%ETCDIR%%/cracking.d/kernel
3	%%ETCDIR%%/cracking.d/rlogind	6	%%ETCDIR%%/cracking.d/rlogind
4	%%ETCDIR%%/cracking.d/rsh	7	%%ETCDIR%%/cracking.d/rsh
Lines 131-136 Link Here
131	%%ETCDIR%%/ignore.d.server/sudo	134	%%ETCDIR%%/ignore.d.server/sudo
132	%%ETCDIR%%/ignore.d.server/sympa	135	%%ETCDIR%%/ignore.d.server/sympa
133	%%ETCDIR%%/ignore.d.server/syslogd	136	%%ETCDIR%%/ignore.d.server/syslogd
		137	%%ETCDIR%%/ignore.d.server/systemd
		138	%%ETCDIR%%/ignore.d.server/systemd-timesyncd
134	%%ETCDIR%%/ignore.d.server/teapop	139	%%ETCDIR%%/ignore.d.server/teapop
135	%%ETCDIR%%/ignore.d.server/telnetd	140	%%ETCDIR%%/ignore.d.server/telnetd
136	%%ETCDIR%%/ignore.d.server/tftpd	141	%%ETCDIR%%/ignore.d.server/tftpd
Lines 179-184 Link Here
179	%%ETCDIR%%/ignore.d.workstation/wpasupplicant	184	%%ETCDIR%%/ignore.d.workstation/wpasupplicant
180	%%ETCDIR%%/ignore.d.workstation/xdm	185	%%ETCDIR%%/ignore.d.workstation/xdm
181	%%ETCDIR%%/ignore.d.workstation/xlockmore	186	%%ETCDIR%%/ignore.d.workstation/xlockmore
		187	%%ETCDIR%%/logcheck.conf.sample
		188	%%ETCDIR%%/logcheck.logfiles.sample
182	%%ETCDIR%%/violations.d/kernel	189	%%ETCDIR%%/violations.d/kernel
183	%%ETCDIR%%/violations.d/logcheck	190	%%ETCDIR%%/violations.d/logcheck
184	%%ETCDIR%%/violations.d/smartd	191	%%ETCDIR%%/violations.d/smartd
Lines 186-197 Link Here
186	%%ETCDIR%%/violations.d/sudo	193	%%ETCDIR%%/violations.d/sudo
187	%%ETCDIR%%/violations.ignore.d/logcheck-su	194	%%ETCDIR%%/violations.ignore.d/logcheck-su
188	%%ETCDIR%%/violations.ignore.d/logcheck-sudo	195	%%ETCDIR%%/violations.ignore.d/logcheck-sudo
189	%%ETCDIR%%/logcheck.conf.sample
190	%%ETCDIR%%/logcheck.logfiles.sample
191	%%DATADIR%%/detectrotate/10-savelog.dtr
192	%%DATADIR%%/detectrotate/20-logrotate.dtr
193	%%DATADIR%%/detectrotate/30-logrotate-dateext.dtr
194	@mode	196	@mode
		197	bin/logcheck-test
		198	man/man1/logcheck-test.1.gz
195	man/man8/logcheck.8.gz	199	man/man8/logcheck.8.gz
196	man/man8/logtail.8.gz	200	man/man8/logtail.8.gz
197	man/man8/logtail2.8.gz	201	man/man8/logtail2.8.gz

Return to bug 220609

Lines 2-8 Link Here

(-)Makefile (-23 / +22 lines)
2	# $FreeBSD$	2	# $FreeBSD$
3		3
4	PORTNAME= logcheck	4	PORTNAME= logcheck
5	PORTVERSION= 1.3.17	5	PORTVERSION= 1.3.18
6	CATEGORIES= security	6	CATEGORIES= security
7	MASTER_SITES= DEBIAN_POOL	7	MASTER_SITES= DEBIAN_POOL
8	DISTNAME= ${PORTNAME}_${PORTVERSION}	8	DISTNAME= ${PORTNAME}_${PORTVERSION}
Lines 11-17 Link Here
11	COMMENT= Auditing tool for system logs on Unix boxes	11	COMMENT= Auditing tool for system logs on Unix boxes
12		12
13	LICENSE= GPLv2	13	LICENSE= GPLv2
		14	LICENSE_FILE= ${WRKSRC}/LICENSE
14		15
		16	BUILD_DEPENDS= docbook-to-man>0:textproc/docbook-to-man
15	RUN_DEPENDS= mime-construct:mail/mime-construct \	17	RUN_DEPENDS= mime-construct:mail/mime-construct \
16	lockfile:mail/procmail \	18	lockfile:mail/procmail \
17	bash:shells/bash	19	bash:shells/bash
Lines 38-76 Link Here
38	BINMODE= 755	40	BINMODE= 755
39	SUB_LIST+= LOGCHECK_USER=${LOGCHECK_USER} \	41	SUB_LIST+= LOGCHECK_USER=${LOGCHECK_USER} \
40	LOGCHECK_GROUP=${LOGCHECK_GROUP} \	42	LOGCHECK_GROUP=${LOGCHECK_GROUP} \
41	CRON=${PORT_OPTIONS:MCRON}	43	DBDIR=${DBDIR} CRON=${PORT_OPTIONS:MCRON}
42	SUB_FILES= pkg-install pkg-deinstall pkg-message	44	SUB_FILES= pkg-install pkg-deinstall pkg-message
43	PLIST_SUB+= LOGCHECK_USER=${LOGCHECK_USER} \	45	PLIST_SUB+= LOGCHECK_USER=${LOGCHECK_USER} \
44	LOGCHECK_GROUP=${LOGCHECK_GROUP} \	46	LOGCHECK_GROUP=${LOGCHECK_GROUP} \
45	DBDIR=${DBDIR} RUNDIR=${RUNDIR}	47	DBDIR=${DBDIR} RUNDIR=${RUNDIR}
46	SHEBANG_FILES= src/logcheck src/logtail src/logtail2	48	SHEBANG_FILES= src/logcheck src/logtail src/logtail2 src/detectrotate/*.dtr
47	CONFIG_DIRS= cracking.d ignore.d.paranoid ignore.d.server \	49	CONFIG_DIRS= cracking.d ignore.d.paranoid ignore.d.server \
48	ignore.d.workstation violations.d violations.ignore.d	50	ignore.d.workstation violations.d violations.ignore.d
49	DOCS= AUTHORS CHANGES CREDITS LICENSE TODO docs/README*	51	DOCS= AUTHORS CHANGES CREDITS TODO docs/README*
50	PORTDOCS= ${DOCS:T}	52	PORTDOCS= ${DOCS:T}
51	MAN_FILES= logcheck.8 logtail.8 logtail2.8	53	MAN1_FILES= logcheck-test.1
		54	MAN8_FILES= logcheck.8 logtail.8 logtail2.8
		55	REINPLACE_FILES= debian/logcheck.cron.d docs/logcheck.sgml \
		56	docs/logtail2.8 docs/README.logcheck \
		57	docs/README.logcheck-database docs/README.logtail \
		58	etc/logcheck.conf src/logcheck src/logtail2
52		59
53	PATCH_LIST= extra-patch-debian__logcheck.cron.d \
54	extra-patch-docs__logcheck.8 \
55	extra-patch-etc__logcheck.conf \
56	extra-patch-src__logcheck \
57	extra-patch-src__logtail2
58	EXTRA_PATCHES= ${PATCH_LIST:C\|^\|${WRKDIR}/\|g}
59
60	.include <bsd.port.pre.mk>	60	.include <bsd.port.pre.mk>
61		61
62	pre-patch:	62	do-build:
63	.for patch in ${PATCH_LIST}	63	.for file in ${REINPLACE_FILES}
64	@${SED} ${_SUB_LIST_TEMP} ${FILESDIR}/${patch}.in > ${WRKDIR}/${patch}	64	${REINPLACE_CMD} ${_SUB_LIST_TEMP} ${WRKSRC}/${file}
65	.endfor	65	.endfor
		66	docbook-to-man ${WRKSRC}/docs/logcheck.sgml > ${WRKSRC}/docs/logcheck.8
		67	${FIND} ${WRKSRC} -type f \( -name \.orig -o -name \.bak \) -delete
66		68
67	post-patch:
68	@${FIND} ${WRKSRC}/rulefiles -type f -name \*.orig -delete
69
70	do-build:
71	@${REINPLACE_CMD} -e 's!/var/log/syslog!/var/log/messages!' \
72	${WRKSRC}/etc/logcheck.logfiles
73
74	do-install:	69	do-install:
75	@${MKDIR} ${STAGEDIR}${DATADIR}/detectrotate \	70	@${MKDIR} ${STAGEDIR}${DATADIR}/detectrotate \
76	${STAGEDIR}${DBDIR} \	71	${STAGEDIR}${DBDIR} \
Lines 78-83 Link Here
78	${STAGEDIR}${ETCDIR} \	73	${STAGEDIR}${ETCDIR} \
79	${STAGEDIR}${EXAMPLESDIR} \	74	${STAGEDIR}${EXAMPLESDIR} \
80	${STAGEDIR}${RUNDIR}	75	${STAGEDIR}${RUNDIR}
		76	${INSTALL_SCRIPT} ${WRKSRC}/src/logcheck-test ${STAGEDIR}${PREFIX}/bin
81	${INSTALL_SCRIPT} ${WRKSRC}/src/logcheck ${STAGEDIR}${PREFIX}/sbin	77	${INSTALL_SCRIPT} ${WRKSRC}/src/logcheck ${STAGEDIR}${PREFIX}/sbin
82	${INSTALL_SCRIPT} ${WRKSRC}/src/logtail ${STAGEDIR}${PREFIX}/sbin	78	${INSTALL_SCRIPT} ${WRKSRC}/src/logtail ${STAGEDIR}${PREFIX}/sbin
83	${INSTALL_SCRIPT} ${WRKSRC}/src/logtail2 ${STAGEDIR}${PREFIX}/sbin	79	${INSTALL_SCRIPT} ${WRKSRC}/src/logtail2 ${STAGEDIR}${PREFIX}/sbin
Lines 97-103 Link Here
97	@${ECHO_CMD} '@exec ${CHGRP} -R ${LOGCHECK_GROUP} \	93	@${ECHO_CMD} '@exec ${CHGRP} -R ${LOGCHECK_GROUP} \
98	${ETCDIR:S\|^${PREFIX}/\|%D/\|} \	94	${ETCDIR:S\|^${PREFIX}/\|%D/\|} \
99	${DATADIR:S\|^${PREFIX}/\|%D/\|}' >> ${TMPPLIST}	95	${DATADIR:S\|^${PREFIX}/\|%D/\|}' >> ${TMPPLIST}
100	.for i in ${MAN_FILES}	96	.for i in ${MAN1_FILES}
		97	${INSTALL_MAN} ${WRKSRC}/docs/$i ${STAGEDIR}${MAN1PREFIX}/man/man1
		98	.endfor
		99	.for i in ${MAN8_FILES}
101	${INSTALL_MAN} ${WRKSRC}/docs/$i ${STAGEDIR}${MAN8PREFIX}/man/man8	100	${INSTALL_MAN} ${WRKSRC}/docs/$i ${STAGEDIR}${MAN8PREFIX}/man/man8
102	.endfor	101	.endfor
103	cd ${WRKSRC} && ${INSTALL_DATA} ${DOCS} ${STAGEDIR}${DOCSDIR}	102	cd ${WRKSRC} && ${INSTALL_DATA} ${DOCS} ${STAGEDIR}${DOCSDIR}

Lines 1-16 Link Here

(-)files/extra-patch-debian__logcheck.cron.d.in (-16 lines)
1	--- ./debian/logcheck.cron.d.orig 2006-08-06 19:10:49.000000000 -0400
2	+++ ./debian/logcheck.cron.d 2008-09-06 19:11:28.000000000 -0400
3	@@ -1,9 +1,5 @@
4	-# /etc/cron.d/logcheck: crontab entries for the logcheck package
5	-
6	-PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
7	+# crontab entries for the logcheck package
8	+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
9	MAILTO=root
10	-
11	-@reboot logcheck if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck -R; fi
12	-2 * * * * logcheck if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck; fi
13	-
14	-# EOF
15	+@reboot if [ -x %%PREFIX%%/sbin/logcheck ]; then nice -n10 %%PREFIX%%/sbin/logcheck -R; fi
16	+2 * * * * if [ -x %%PREFIX%%/sbin/logcheck ]; then nice -n10 %%PREFIX%%/sbin/logcheck; fi

Lines 1-118 Link Here

(-)files/extra-patch-docs__logcheck.8.in (-118 lines)
1	--- docs/logcheck.8.orig 2009-12-15 15:03:22.000000000 -0500
2	+++ docs/logcheck.8 2009-12-15 15:03:41.000000000 -0500
3	@@ -0,0 +1,115 @@
4	+.\" This manpage has been automatically generated by docbook2man
5	+.\" from a DocBook document. This tool can be found at:
6	+.\" <http://shell.ipoline.com/~elmert/comp/docbook2X/>
7	+.\" Please send any bug reports, improvements, comments, patches,
8	+.\" etc. to Steve Cheng <steve@ggi-project.org>.
9	+.TH "Logcheck" "8" "15 December 2009" "" ""
10	+
11	+.SH NAME
12	+logcheck \- program to scan system logs for interesting lines
13	+.SH SYNOPSIS
14	+
15	+\fBlogcheck\fR [ \fBOPTIONS\fR ]
16	+
17	+.SH "DESCRIPTION"
18	+.PP
19	+The \fBlogcheck\fR program helps spot problems and
20	+security violations in your logfiles automatically and will send the
21	+results to you periodically in an e-mail. By default logcheck runs as
22	+an hourly cronjob just off the hour and after every reboot.
23	+.PP
24	+\fBlogcheck\fR supports three level of filtering:
25	+"paranoid" is for high-security machines running as few services
26	+as possible. Don't use it if you can't handle its verbose messages.
27	+"server" is the default and contains rules for many different daemons.
28	+"workstation" is for sheltered machines and filters most of the messages.
29	+The ignore rules work in additive manner. "paranoid" rules are also
30	+included at level "server" and "workstation".
31	+.PP
32	+The messages reported are sorted into three layers, system events,
33	+security events and attack alerts. The verbosity of system events is
34	+controlled by which level you choose, paranoid, server or workstation.
35	+However, security events and attack alerts are not affected by this.
36	+.SH "EXAMPLES"
37	+.PP
38	+\fBlogcheck\fR can be invoked directly thanks
39	+to su(8) or sudo(8), which change the user ID. The following example checks the logfiles
40	+without updating the offset and outputs everything to STDOUT.
41	+.PP
42	+sudo -u logcheck \fBlogcheck\fR -o -t
43	+.SH "OPTIONS"
44	+.PP
45	+A summary of options is included below.
46	+.TP
47	+\fB-c CFG \fR
48	+Overrule default configuration file.
49	+.TP
50	+\fB-d \fR
51	+Debug mode.
52	+.TP
53	+\fB-h \fR
54	+Show usage information.
55	+.TP
56	+\fB-H \fR
57	+Use this hostname string in the subject of logcheck mail.
58	+.TP
59	+\fB-l LOG \fR
60	+Run logfile through logcheck.
61	+.TP
62	+\fB-L CFG \fR
63	+Overrule default logfiles list.
64	+.TP
65	+\fB-m \fR
66	+Mail report to recipient.
67	+.TP
68	+\fB-o \fR
69	+STDOUT mode, not sending mail.
70	+.TP
71	+\fB-p \fR
72	+Set the report level to "paranoid".
73	+.TP
74	+\fB-r DIR \fR
75	+Overrule default rules directory.
76	+.TP
77	+\fB-R \fR
78	+Adds "Reboot:" to the email subject line.
79	+.TP
80	+\fB-s \fR
81	+Set the report level to "server".
82	+.TP
83	+\fB-S DIR \fR
84	+Overrule default state directory.
85	+.TP
86	+\fB-t \fR
87	+Testing mode does not update offset.
88	+.TP
89	+\fB-T \fR
90	+Do not remove the TMPDIR.
91	+.TP
92	+\fB-u \fR
93	+Enable syslog-summary.
94	+.TP
95	+\fB-v \fR
96	+Print current version.
97	+.TP
98	+\fB-w \fR
99	+Set the report level to "workstation".
100	+.SH "FILES"
101	+.PP
102	+%%ETCDIR%%/logcheck.conf is the main configuration file.
103	+.PP
104	+%%ETCDIR%%/logcheck.logfiles is the list of files to monitor.
105	+.PP
106	+%%DOCSDIR%%/README.logcheck-database for hints on how to write, test and maintain rules.
107	+.SH "EXIT STATUS"
108	+.PP
109	+0 upon success; 1 upon failure
110	+.SH "SEE ALSO"
111	+.PP
112	+\fBlogtail\fR(8)
113	+.SH "AUTHOR"
114	+.PP
115	+logcheck is developed by Debian logcheck Team at alioth:
116	+http://alioth.debian.org/projects/logcheck/.
117	+.PP
118	+This manual page was written by Jon Middleton.

Lines 1-17 Link Here

(-)files/extra-patch-etc__logcheck.conf.in (-17 lines)
1	--- etc/logcheck.conf.orig 2010-04-15 01:15:34.000000000 +0900
2	+++ etc/logcheck.conf 2010-05-12 14:22:13.000000000 +0900
3	@@ -53,13 +53,7 @@
4	# Controls the base directory for rules file location
5	# This must be an absolute path
6
7	-#RULEDIR="/etc/logcheck"
8	-
9	-# Controls if syslog-summary is run over each section.
10	-# Alternatively, set to "1" to enable extra summary.
11	-# HINT: syslog-summary needs to be installed.
12	-
13	-#SYSLOGSUMMARY=0
14	+#RULEDIR="%%ETCDIR%%"
15
16	# Controls Subject: lines on logcheck reports:
17

Lines 1-151 Link Here

(-)files/extra-patch-src__logcheck.in (-151 lines)
1	--- src/logcheck.orig 2010-07-07 15:59:57.000000000 -0400
2	+++ src/logcheck 2010-07-07 16:19:33.000000000 -0400
3	@@ -24,17 +24,10 @@
4
5	if [ `id -u` = 0 ]; then
6	echo "logcheck should not be run as root. Use su to invoke logcheck:"
7	- echo "su -s /bin/bash -c \"/usr/sbin/logcheck${@:+ $@}\" logcheck"
8	+ echo "su -m %%LOGCHECK_USER%% -c \"%%LOCALBASE%%/bin/bash %%PREFIX%%/sbin/logcheck${@:+ $@}\""
9	echo "Or use sudo: sudo -u logcheck logcheck${@:+ $@}."
10	# you may want to uncomment that hack to let logcheck invoke itself.
11	- # su -s /bin/bash -c "$0 $*" logcheck
12	- exit 1
13	-fi
14	-
15	-if [ ! -f /usr/bin/lockfile-create -o \
16	- ! -f /usr/bin/lockfile-remove -o \
17	- ! -f /usr/bin/lockfile-touch ]; then
18	- echo "fatal: lockfile-progs is a prerequisite for logcheck, and was not found."
19	+ # su -s %%LOCALBASE%%/bin/bash -c "$0 $*" logcheck
20	exit 1
21	fi
22
23	@@ -69,12 +62,12 @@
24	ADDTAG="no"
25
26	# Set the default paths
27	-RULEDIR="/etc/logcheck"
28	-CONFFILE="/etc/logcheck/logcheck.conf"
29	-STATEDIR="/var/lib/logcheck"
30	-LOGFILES_LIST="/etc/logcheck/logcheck.logfiles"
31	-LOGFILE_FALLBACK="/var/log/syslog"
32	-LOGTAIL="/usr/sbin/logtail2"
33	+RULEDIR="%%ETCDIR%%"
34	+CONFFILE="%%ETCDIR%%/logcheck.conf"
35	+STATEDIR="/var/db/logcheck"
36	+LOGFILES_LIST="%%ETCDIR%%/logcheck.logfiles"
37	+LOGFILE_FALLBACK="/var/log/messages"
38	+LOGTAIL="%%PREFIX%%/sbin/logtail2"
39	CAT="/bin/cat"
40	SYSLOG_SUMMARY="/usr/bin/syslog-summary"
41
42	@@ -89,20 +82,15 @@
43	SORTUNIQ=0
44	SUPPORT_CRACKING_IGNORE=0
45	SYSLOGSUMMARY=0
46	-LOCKDIR=/run/lock/logcheck
47	+LOCKDIR=/var/run/logcheck
48	LOCKFILE="$LOCKDIR/logcheck"
49
50	# Carry out the clean up tasks
51	cleanup() {
52
53	- if [ -n "$LOCK" ]; then
54	- debug "cleanup: Killing lockfile-touch - $LOCK"
55	- kill "$LOCK" && unset LOCK
56	- fi
57	-
58	- if [ -f "$LOCKFILE.lock" ]; then
59	- debug "cleanup: Removing lockfile: $LOCKFILE.lock"
60	- lockfile-remove "$LOCKFILE"
61	+ if [ -f "$LOCKFILE" ]; then
62	+ debug "cleanup: Removing lockfile: $LOCKFILE"
63	+ rm -f "$LOCKFILE"
64	fi
65
66	if [ -d "$TMPDIR" ]; then
67	@@ -144,14 +132,9 @@
68	if [ "$2" = "noclean" ]; then
69	debug "error: Not removing lockfile"
70	else
71	- if [ -n "$LOCK" ]; then
72	- debug "error: Killing lockfile-touch - $LOCK"
73	- kill "$LOCK" && unset LOCK
74	- fi
75	-
76	- if [ -f "$LOCKFILE.lock" ]; then
77	- debug "error: Removing lockfile: $LOCKFILE.lock"
78	- lockfile-remove "$LOCKFILE"
79	+ if [ -f "$LOCKFILE" ]; then
80	+ debug "error: Removing lockfile: $LOCKFILE"
81	+ rm -f "$LOCKFILE"
82	fi
83
84	fi
85	@@ -170,7 +153,7 @@
86	${TMPDIR:+Check temporary directory: $TMPDIR
87	}
88	Also verify that the logcheck user can read all files referenced in
89	-/etc/logcheck/logcheck.logfiles!
90	+%%ETCDIR%%/logcheck.logfiles!
91
92	$(export)
93	EOF
94	@@ -215,7 +198,7 @@
95	mkdir "$cleaned" \
96	\|\| error "Could not make dir $cleaned for cleaned rulefiles."
97	fi
98	- for rulefile in $(run-parts --list "$dir"); do
99	+ for rulefile in $(ls -1R "$dir"); do
100	rulefile="$(basename "$rulefile")"
101	if [ -f "${dir}/${rulefile}" ]; then
102	debug "cleanrules: ${dir}/${rulefile}"
103	@@ -529,9 +512,9 @@
104
105	# Hostname either fully qualified or not.
106	if [ "$FQDN" -eq 1 ]; then
107	- HOSTNAME="$(hostname --fqdn 2>/dev/null)"
108	+ HOSTNAME="$(hostname -f 2>/dev/null)"
109	else
110	- HOSTNAME="$(hostname --short 2>/dev/null)"
111	+ HOSTNAME="$(hostname -s 2>/dev/null)"
112	fi
113
114	# Now check for the other options
115	@@ -610,30 +593,25 @@
116
117	trap 'cleanup' 0
118
119	-debug "Trying to get lockfile: $LOCKFILE.lock"
120	+debug "Trying to get lockfile: $LOCKFILE"
121	if [ ! -d "$LOCKDIR" ]; then
122	mkdir -m 0755 "$LOCKDIR"
123	fi
124	-lockfile-create --retry 1 "$LOCKFILE" > /dev/null 2>&1
125	+lockfile -r 1 "$LOCKFILE" > /dev/null 2>&1
126
127
128	if [ $? -eq 1 ]; then
129	trap 0
130	- if [ -e "${LOCKFILE}.lock" ]; then
131	+ if [ -e "${LOCKFILE}" ]; then
132	error "Another logcheck process is still running" "noclean"
133	else
134	- error "Failed to get lockfile: $LOCKFILE.lock" "noclean"
135	+ error "Failed to get lockfile: $LOCKFILE" "noclean"
136	fi
137	-
138	-else
139	- debug "Running lockfile-touch $LOCKFILE.lock"
140	- lockfile-touch "$LOCKFILE" &
141	- LOCK="$!"
142	fi
143
144	# Create the secure temporary directory or exit
145	-TMPDIR="$(mktemp -d -p "${TMP:-/tmp}" logcheck.XXXXXX)" \
146	- \|\| TMPDIR="$(mktemp -d -p /var/tmp logcheck.XXXXXX)" \
147	+TMPDIR="$(mktemp -d ${TMP:-/tmp}/logcheck.XXXXXX)" \
148	+ \|\| TMPDIR="$(mktemp -d /var/tmp/logcheck.XXXXXX)" \
149	\|\| error "Could not create temporary directory"
150
151	# Now clean the rulefiles in the directories

Line 0 Link Here

(-)files/patch-debian_logcheck.cron.d (+16 lines)
	1	--- debian/logcheck.cron.d.orig 2017-01-25 21:08:04 UTC
	2	+++ debian/logcheck.cron.d
	3	@@ -1,9 +1,5 @@
	4	-# /etc/cron.d/logcheck: crontab entries for the logcheck package
	5	-
	6	-PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
	7	+# crontab entries for the logcheck package
	8	+PATH=/sbin:/bin:/usr/sbin:/usr/bin:%%PREFIX%%/sbin:%%PREFIX%%/bin
	9	MAILTO=root
	10	-
	11	-@reboot logcheck if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck -R; fi
	12	-2 * * * * logcheck if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck; fi
	13	-
	14	-# EOF
	15	+@reboot if [ -x %%PREFIX%%/sbin/logcheck ]; then nice -n10 %%PREFIX%%/sbin/logcheck -R; fi
	16	+2 * * * * if [ -x %%PREFIX%%/sbin/logcheck ]; then nice -n10 %%PREFIX%%/sbin/logcheck; fi

Line 0 Link Here

(-)files/patch-docs_README.logcheck (+16 lines)
	1	--- docs/README.logcheck.orig 2017-01-25 21:08:04 UTC
	2	+++ docs/README.logcheck
	3	@@ -17,11 +17,11 @@ don't start overlapping.
	4	======================================================================
	5	LOG ENTRIES
	6	-----------
	7	-These are taken from a specified set of logfiles (usually syslog and
	8	+These are taken from a specified set of logfiles (usually messages and
	9	auth.log); a special Perl utility named "logtail" is used which
	10	"bookmarks" its place in the logs, so that events aren't reported
	11	twice in successive logcheck runs. The offset records are stored as
	12	-(eg) "/var/lib/logcheck/offset.var.log.syslog"; lines to be
	13	+(eg) "%%DBDIR%%/offset.var.log.messages"; lines to be
	14	considered by logcheck are copied into tempfiles in the working
	15	directory "/var/tmp/logcheck". See the corresponding README for
	16	logtail for further notes on complications such as log-rotation.

Line 0 Link Here

(-)files/patch-docs_README.logcheck-database (+105 lines)
		1	--- docs/README.logcheck-database.orig 2017-01-25 21:08:04 UTC
		2	+++ docs/README.logcheck-database
		3	@@ -15,7 +15,7 @@ normal egrep pattern-matches, applied in
		4	1. the "SECURITY ALERTS" layer, designed to detect the traces of active
		5	intrusion attempts.
		6
		7	- Patterns raising the alarm go in "/etc/logcheck/cracking.d"; any
		8	+ Patterns raising the alarm go in "%%ETCDIR%%/cracking.d"; any
		9	event that matches one of these patterns turns the report
		10	into an urgent "Security Alerts" report, with the relevant
		11	event moved to a special section. The cracking.d standard
		12	@@ -26,7 +26,7 @@ normal egrep pattern-matches, applied in
		13	the default logcheck configuration, but if the local
		14	administrator enables this layer of filtering in
		15	logcheck.conf, then the rules go in the directory
		16	- "/etc/logcheck/cracking.ignore.d". Matches with
		17	+ "%%ETCDIR%%/cracking.ignore.d". Matches with
		18	cracking.ignore rules will then reclassify the alert as a
		19	false alarm (compare violations.ignore below). Note that
		20	this means they are totally ignored - log messages handled
		21	@@ -35,12 +35,12 @@ normal egrep pattern-matches, applied in
		22	2. the "SECURITY EVENTS" layer, designed to detect less critical
		23	events still considered worthy of special attention.
		24
		25	- Patterns raising the alarm go in "/etc/logcheck/violations.d";
		26	+ Patterns raising the alarm go in "%%ETCDIR%%/violations.d";
		27	matches with these result in a "Security Events" alert,
		28	with the relevant event moved to a special section.
		29
		30	Patterns cancelling such alarms go in the standard directory
		31	- "/etc/logcheck/violations.ignore.d"; apparent "Security
		32	+ "%%ETCDIR%%/violations.ignore.d"; apparent "Security
		33	Events" that match with violations.ignore patterns are
		34	discarded as false alarms.
		35
		36	@@ -51,7 +51,7 @@ normal egrep pattern-matches, applied in
		37	from the logfiles are considered for inclusion in the main
		38	"System Events" section.
		39
		40	- Patterns in the three "/etc/logcheck/ignore.d.*" directories
		41	+ Patterns in the three "%%ETCDIR%%/ignore.d.*" directories
		42	again function to overrule alerts; the log messages that
		43	match them are excluded from the report as trivial. The
		44	specific directories consulted depend on the prevailing
		45	@@ -78,13 +78,13 @@ underscore, and hyphen.
		46	Contains filters relevant to only one Debian package - for example
		47	if "fooserver" logs suspicious events like this:
		48	"$DATE $HOSTNAME fooserver[$PID]: $USER is up to no good"
		49	-then a line in "/etc/logcheck/violations.d/fooserver" with an
		50	+then a line in "%%ETCDIR%%/violations.d/fooserver" with an
		51	appropriate pattern will promote it from a mere "System Event"
		52	to a full "Security Event" in a subsection of the mailing headed
		53	"fooserver". Or then again if that kind of log message is more
		54	trivial than it looks (maybe "foo" is a networked game of
		55	spy-and-counterspy) then a line in
		56	-"/etc/logcheck/ignore.d.server/fooserver" will turn it into a
		57	+"%%ETCDIR%%/ignore.d.server/fooserver" will turn it into a
		58	nonevent for all but the most assiduous of administrators.
		59
		60	Sometimes a package will have not only special alarm calls which
		61	@@ -107,7 +107,7 @@ that need to be processed.
		62
		63	Standard "generic" rules go in each directory's "./logcheck" file;
		64	thus for instance any log message at all matching "ATTACK"
65	-(listed in "/etc/logcheck/cracking.d/logcheck") _always_ triggers
66	+(listed in "%%ETCDIR%%/cracking.d/logcheck") _always_ triggers
67	a "Security Alert", unless you deliberately tamper with
68	"cracking.ignore.d" rules.
69
70	@@ -122,12 +122,12 @@ non-package-specific "flagging" patterns
71	"fooserver" outputs syslog messages like this:
72	"$DATE $HOSTNAME fooserver[$PID]: 3 attempts 0 rejected"
73	then the standard keyword "reject" listed in the generic
74	-"/etc/logcheck/violations.d/logcheck" file will trigger frequent
75	+"%%ETCDIR%%/violations.d/logcheck" file will trigger frequent
76	"Security Events" reports. Putting a filtering pattern in
77	-"/etc/logcheck/violations.ignore.d/fooserver" won't help here!
78	+"%%ETCDIR%%/violations.ignore.d/fooserver" won't help here!
79	The solution is to use a file named in the specially-privileged
80	./logcheck-<packagename> format:
81	-"/etc/logcheck/violations.ignore.d/logcheck-fooserver".
82	+"%%ETCDIR%%/violations.ignore.d/logcheck-fooserver".
83	This can contain patterns provided by that particular package
84	which nonetheless need to take precedence over the generic rules.
85
86	@@ -137,8 +137,8 @@ Sysadmins can use the "local-*" filename
87	additions to the "logcheck-*" pattern lists. If you have "ippl"
88	logging network connections verbosely into syslog then you can put
89	custom "Security Events" keywords in
90	-"/etc/logcheck/violations.d/local-ippl" and exceptions in
91	-"/etc/logcheck/violations.ignore.d/local-ippl".
92	+"%%ETCDIR%%/violations.d/local-ippl" and exceptions in
93	+"%%ETCDIR%%/violations.ignore.d/local-ippl".
94
95
96	WRITING RULES
97	@@ -181,7 +181,7 @@ logcheck-test(1)).
98	Alternatively you can manually grep your log file, and remove trailing
99	space with something like this:
100
101	- sed -e 's/[[:space:]]*$//' /var/log/syslog \| egrep \
102	+ sed -e 's/[[:space:]]*$//' /var/log/messages \| egrep \
103	'^\w{3} [ :0-9]{11} oempc wwwoffled\[[0-9]+\]: WWWOFFLE (On\|Off)line\.$'
104
105	If the log line is displayed, then your regex works.

Line 0 Link Here

(-)files/patch-docs_logcheck-test.1 (+26 lines)
	1	--- docs/logcheck-test.1.orig 2017-01-25 21:08:04 UTC
	2	+++ docs/logcheck-test.1
	3	@@ -38,8 +38,8 @@ Show usage information
	4	.B \-a, \-\-auth.log
	5	Parse /var/log/auth.log for matching lines
	6	.TP
	7	-.B \-s, \-\-syslog
	8	-Parse /var/log/syslog for matching lines
	9	+.B \-m, \-\-messages
	10	+Parse /var/log/messages for matching lines
	11	.TP
	12	.B \-l, \-\-log\-file FILE
	13	Parse FILE for matching lines
	14	@@ -69,10 +69,10 @@ With
	15	.B logcheck-test
	16	you can easily write and test new rules.
	17	.PP
	18	-Test a single rule against /var/log/syslog:
	19	+Test a single rule against /var/log/messages:
	20	.RS
	21	.fam C
	22	-logcheck-test \-s "RULE"
	23	+logcheck-test \-m "RULE"
	24	.fam T
	25	.RE
	26

Line 0 Link Here

(-)files/patch-docs_logcheck.sgml (+17 lines)
	1	--- docs/logcheck.sgml.orig 2017-01-25 21:08:04 UTC
	2	+++ docs/logcheck.sgml
	3	@@ -244,10 +244,10 @@ manpage.1: manpage.sgml
	4	<refsect1>
	5	<title>FILES</title>
	6
	7	- <para>/etc/logcheck/logcheck.conf is the main configuration file.</para>
	8	- <para>/etc/logcheck/logcheck.logfiles is the list of files to monitor.</para>
	9	- <para>/etc/logcheck/logcheck.logfiles.d is the directory of lists of files to monitor.</para>
	10	- <para>/usr/share/doc/logcheck-database/README.logcheck-database.gz for hints on how to write, test and maintain rules.</para>
	11	+ <para>%%ETCDIR%%/logcheck.conf is the main configuration file.</para>
	12	+ <para>%%ETCDIR%%/logcheck.logfiles is the list of files to monitor.</para>
	13	+ <para>%%ETCDIR%%/logcheck.logfiles.d is the directory of lists of files to monitor.</para>
	14	+ <para>%%DOCSDIR%%/README.logcheck-database for hints on how to write, test and maintain rules.</para>
	15	</refsect1>
	16	<refsect1>
	17	<title>EXIT STATUS</title>

Line 0 Link Here

(-)files/patch-etc_logcheck.conf (+37 lines)
	1	--- etc/logcheck.conf.orig 2017-01-25 21:08:04 UTC
	2	+++ etc/logcheck.conf
	3	@@ -9,7 +9,7 @@
	4	# Controls the presence of boilerplate at the top of each message:
	5	# Alternatively, set to "0" to disable the introduction.
	6	#
	7	-# If the files /etc/logcheck/header.txt and /etc/logcheck/footer.txt
	8	+# If the files %%ETCDIR%%/header.txt and %%ETCDIR%%/footer.txt
	9	# are present their contents will be read and used as the header and
	10	# footer of any generated mails.
	11
	12	@@ -44,8 +44,8 @@ FQDN=1
	13
	14	#SORTUNIQ=0
	15
	16	-# Controls whether /etc/logcheck/cracking.ignore.d is scanned for
	17	-# exceptions to the rules in /etc/logcheck/cracking.d:
	18	+# Controls whether %%ETCDIR%%/cracking.ignore.d is scanned for
	19	+# exceptions to the rules in %%ETCDIR%%/cracking.d:
	20	# Alternatively, set to "1" to enable cracking.ignore support
	21
	22	#SUPPORT_CRACKING_IGNORE=0
	23	@@ -53,13 +53,7 @@ FQDN=1
	24	# Controls the base directory for rules file location
	25	# This must be an absolute path
	26
	27	-#RULEDIR="/etc/logcheck"
	28	-
	29	-# Controls if syslog-summary is run over each section.
	30	-# Alternatively, set to "1" to enable extra summary.
	31	-# HINT: syslog-summary needs to be installed.
	32	-
	33	-#SYSLOGSUMMARY=0
	34	+#RULEDIR="%%ETCDIR%%"
	35
	36	# Controls Subject: lines on logcheck reports:
	37

Line 0 Link Here

(-)files/patch-src_logcheck (+153 lines)
		1	--- src/logcheck.orig 2017-07-11 17:32:13 UTC
		2	+++ src/logcheck
		3	@@ -24,17 +24,10 @@
		4
		5	if [ `id -u` = 0 ]; then
		6	echo "logcheck should not be run as root. Use su to invoke logcheck:"
		7	- echo "su -s /bin/bash -c \"/usr/sbin/logcheck${@:+ $@}\" logcheck"
		8	+ echo "su -m %%LOGCHECK_USER%% -c \"%%LOCALBASE%%/bin/bash %%PREFIX%%/sbin/logcheck${@:+ $@}\""
		9	echo "Or use sudo: sudo -u logcheck logcheck${@:+ $@}."
		10	# you may want to uncomment that hack to let logcheck invoke itself.
		11	- # su -s /bin/bash -c "$0 $*" logcheck
		12	- exit 1
		13	-fi
		14	-
		15	-if [ ! -f /usr/bin/lockfile-create -o \
		16	- ! -f /usr/bin/lockfile-remove -o \
		17	- ! -f /usr/bin/lockfile-touch ]; then
		18	- echo "fatal: lockfile-progs is a prerequisite for logcheck, and was not found."
		19	+ # su -s %%LOCALBASE%%/bin/bash -c "$0 $*" logcheck
		20	exit 1
		21	fi
		22
		23	@@ -69,13 +62,13 @@ EVENTSSUBJECT="System Events"
		24	ADDTAG="no"
		25
		26	# Set the default paths
		27	-RULEDIR="/etc/logcheck"
		28	-CONFFILE="/etc/logcheck/logcheck.conf"
		29	-STATEDIR="/var/lib/logcheck"
		30	-LOGFILES_LIST="/etc/logcheck/logcheck.logfiles"
		31	-LOGFILES_LIST_D="/etc/logcheck/logcheck.logfiles.d"
		32	-LOGFILE_FALLBACK="/var/log/syslog"
		33	-LOGTAIL="/usr/sbin/logtail2"
		34	+RULEDIR="%%ETCDIR%%"
		35	+CONFFILE="%%ETCDIR%%/logcheck.conf"
		36	+STATEDIR="%%DBDIR%%"
		37	+LOGFILES_LIST="%%ETCDIR%%/logcheck.logfiles"
		38	+LOGFILES_LIST_D="%%ETCDIR%%/logcheck.logfiles.d"
		39	+LOGFILE_FALLBACK="/var/log/messages"
		40	+LOGTAIL="%%PREFIX%%/sbin/logtail2"
		41	CAT="/bin/cat"
		42	SYSLOG_SUMMARY="/usr/bin/syslog-summary"
		43
		44	@@ -90,20 +83,15 @@ FQDN=0
		45	SORTUNIQ=0
		46	SUPPORT_CRACKING_IGNORE=0
		47	SYSLOGSUMMARY=0
		48	-LOCKDIR=/run/lock/logcheck
		49	+LOCKDIR=/var/run/logcheck
		50	LOCKFILE="$LOCKDIR/logcheck"
		51
		52	# Carry out the clean up tasks
		53	cleanup() {
		54
		55	- if [ -n "$LOCK" ]; then
		56	- debug "cleanup: Killing lockfile-touch - $LOCK"
		57	- kill "$LOCK" && unset LOCK
		58	- fi
		59	-
		60	- if [ -f "$LOCKFILE.lock" ]; then
		61	- debug "cleanup: Removing lockfile: $LOCKFILE.lock"
		62	- lockfile-remove "$LOCKFILE"
		63	+ if [ -f "$LOCKFILE" ]; then
		64	+ debug "cleanup: Removing lockfile: $LOCKFILE"
65	+ rm -f "$LOCKFILE"
66	fi
67
68	if [ -d "$TMPDIR" ]; then
69	@@ -145,14 +133,9 @@ error() {
70	if [ "$2" = "noclean" ]; then
71	debug "error: Not removing lockfile"
72	else
73	- if [ -n "$LOCK" ]; then
74	- debug "error: Killing lockfile-touch - $LOCK"
75	- kill "$LOCK" && unset LOCK
76	- fi
77	-
78	- if [ -f "$LOCKFILE.lock" ]; then
79	- debug "error: Removing lockfile: $LOCKFILE.lock"
80	- lockfile-remove "$LOCKFILE"
81	+ if [ -f "$LOCKFILE" ]; then
82	+ debug "error: Removing lockfile: $LOCKFILE"
83	+ rm -f "$LOCKFILE"
84	fi
85
86	fi
87	@@ -171,7 +154,7 @@ $message
88	${TMPDIR:+Check temporary directory: $TMPDIR
89	}
90	Also verify that the logcheck user can read all files referenced in
91	-/etc/logcheck/logcheck.logfiles!
92	+%%ETCDIR%%/logcheck.logfiles!
93
94	$(export)
95	EOF
96	@@ -223,7 +206,7 @@ cleanrules() {
97	error "Couldn't read $x"
98	fi
99	done
100	- for rulefile in $(run-parts --list "$dir"); do
101	+ for rulefile in $(ls -1R "$dir"); do
102	rulefile="$(basename "$rulefile")"
103	if [ -f "${dir}/${rulefile}" ]; then
104	debug "cleanrules: ${dir}/${rulefile}"
105	@@ -538,9 +521,9 @@ fi
106
107	# Hostname either fully qualified or not.
108	if [ "$FQDN" -eq 1 ]; then
109	- HOSTNAME="$(hostname --fqdn 2>/dev/null)"
110	+ HOSTNAME="$(hostname -f 2>/dev/null)"
111	else
112	- HOSTNAME="$(hostname --short 2>/dev/null)"
113	+ HOSTNAME="$(hostname -s 2>/dev/null)"
114	fi
115
116	# Now check for the other options
117	@@ -623,30 +606,25 @@ fi
118
119	trap 'cleanup' 0
120
121	-debug "Trying to get lockfile: $LOCKFILE.lock"
122	+debug "Trying to get lockfile: $LOCKFILE"
123	if [ ! -d "$LOCKDIR" ]; then
124	mkdir -m 0755 "$LOCKDIR"
125	fi
126	-lockfile-create --retry 1 "$LOCKFILE" > /dev/null 2>&1
127	+lockfile -r 1 "$LOCKFILE" > /dev/null 2>&1
128
129
130	if [ $? -eq 1 ]; then
131	trap 0
132	- if [ -e "${LOCKFILE}.lock" ]; then
133	+ if [ -e "${LOCKFILE}" ]; then
134	error "Another logcheck process is still running" "noclean"
135	else
136	- error "Failed to get lockfile: $LOCKFILE.lock" "noclean"
137	+ error "Failed to get lockfile: $LOCKFILE" "noclean"
138	fi
139	-
140	-else
141	- debug "Running lockfile-touch $LOCKFILE.lock"
142	- lockfile-touch "$LOCKFILE" &
143	- LOCK="$!"
144	fi
145
146	# Create the secure temporary directory or exit
147	-TMPDIR="$(mktemp -d -p "${TMP:-/tmp}" logcheck.XXXXXX)" \
148	- \|\| TMPDIR="$(mktemp -d -p /var/tmp logcheck.XXXXXX)" \
149	+TMPDIR="$(mktemp -d ${TMP:-/tmp}/logcheck.XXXXXX)" \
150	+ \|\| TMPDIR="$(mktemp -d /var/tmp/logcheck.XXXXXX)" \
151	\|\| error "Could not create temporary directory"
152
153	# Now clean the rulefiles in the directories

Line 0 Link Here

(-)files/patch-src_logcheck-test (+23 lines)
	1	--- src/logcheck-test.orig 2017-01-25 21:08:04 UTC
	2	+++ src/logcheck-test
	3	@@ -38,7 +38,7 @@ usage() {
	4	usage: logcheck-test
	5	-h\|--help : Show usage information
	6	-a\|--auth.log : Parse /var/log/auth.log
	7	--s\|--syslog : Parse /var/log/syslog
	8	+-m\|--messages : Parse /var/log/messages
	9	-l\|--log-file LOGFILE : Parse LOGFILE
	10	-i\|--invert-match : Show lines that don't match the RULE or RULEFILE
	11	-q\|--quiet : Suppress rule summary
	12	@@ -103,9 +103,9 @@ while [ -n "${1:-}" ]; do
	13	warn "option -a ignored"
	14	fi
	15	;;
	16	- -s\|--syslog)
	17	+ -m\|--messages)
	18	if [ -z "$FILE" ] ; then
	19	- FILE="/var/log/syslog"
	20	+ FILE="/var/log/messages"
	21	else
	22	warn "option -s ignored"
	23	fi