FreeBSD Bugzilla – Attachment 184281 Details for
Bug 220609
security/logcheck: Update to 1.3.18
[patch]
updated patch file
patch-security_logcheck (text/plain), 36.72 KB, created by
Yasuhiro Kimura
on 2017-07-11 18:50:40 UTC
Description:
updated patch file
Filename:
MIME Type:
Creator:
Yasuhiro Kimura
Created:
2017-07-11 18:50:40 UTC
Size:
36.72 KB
patch
obsolete
>Index: Makefile
>===================================================================
>--- Makefile (revision 445458)
>+++ Makefile (working copy)
>@@ -2,7 +2,7 @@
> # $FreeBSD$
> 
> PORTNAME= logcheck
>-PORTVERSION= 1.3.17
>+PORTVERSION= 1.3.18
> CATEGORIES= security
> MASTER_SITES= DEBIAN_POOL
> DISTNAME= ${PORTNAME}_${PORTVERSION}
>@@ -11,7 +11,9 @@
> COMMENT= Auditing tool for system logs on Unix boxes
> 
> LICENSE= GPLv2
>+LICENSE_FILE= ${WRKSRC}/LICENSE
> 
>+BUILD_DEPENDS= docbook-to-man>0:textproc/docbook-to-man
> RUN_DEPENDS= mime-construct:mail/mime-construct \
> lockfile:mail/procmail \
> bash:shells/bash 
>@@ -38,39 +40,32 @@
> BINMODE= 755
> SUB_LIST+= LOGCHECK_USER=${LOGCHECK_USER} \
> LOGCHECK_GROUP=${LOGCHECK_GROUP} \
>- CRON=${PORT_OPTIONS:MCRON}
>+ DBDIR=${DBDIR} CRON=${PORT_OPTIONS:MCRON}
> SUB_FILES= pkg-install pkg-deinstall pkg-message
> PLIST_SUB+= LOGCHECK_USER=${LOGCHECK_USER} \
> LOGCHECK_GROUP=${LOGCHECK_GROUP} \
> DBDIR=${DBDIR} RUNDIR=${RUNDIR}
>-SHEBANG_FILES= src/logcheck src/logtail src/logtail2
>+SHEBANG_FILES= src/logcheck src/logtail src/logtail2 src/detectrotate/*.dtr
> CONFIG_DIRS= cracking.d ignore.d.paranoid ignore.d.server \
> ignore.d.workstation violations.d violations.ignore.d
>-DOCS= AUTHORS CHANGES CREDITS LICENSE TODO docs/README*
>+DOCS= AUTHORS CHANGES CREDITS TODO docs/README*
> PORTDOCS= ${DOCS:T}
>-MAN_FILES= logcheck.8 logtail.8 logtail2.8
>+MAN1_FILES= logcheck-test.1
>+MAN8_FILES= logcheck.8 logtail.8 logtail2.8
>+REINPLACE_FILES= debian/logcheck.cron.d docs/logcheck.sgml \
>+ docs/logtail2.8 docs/README.logcheck \
>+ docs/README.logcheck-database docs/README.logtail \
>+ etc/logcheck.conf src/logcheck src/logtail2
> 
>-PATCH_LIST= extra-patch-debian__logcheck.cron.d \
>- extra-patch-docs__logcheck.8 \
>- extra-patch-etc__logcheck.conf \
>- extra-patch-src__logcheck \
>- extra-patch-src__logtail2
>-EXTRA_PATCHES= ${PATCH_LIST:C|^|${WRKDIR}/|g}
>-
> .include <bsd.port.pre.mk>
> 
>-pre-patch:
>-.for patch in ${PATCH_LIST}
>- @${SED} ${_SUB_LIST_TEMP} ${FILESDIR}/${patch}.in > ${WRKDIR}/${patch}
>+do-build:
>+.for file in ${REINPLACE_FILES}
>+ ${REINPLACE_CMD} ${_SUB_LIST_TEMP} ${WRKSRC}/${file}
> .endfor
>+ docbook-to-man ${WRKSRC}/docs/logcheck.sgml > ${WRKSRC}/docs/logcheck.8
>+ ${FIND} ${WRKSRC} -type f \( -name \*.orig -o -name \*.bak \) -delete
> 
>-post-patch:
>- @${FIND} ${WRKSRC}/rulefiles -type f -name \*.orig -delete
>-
>-do-build:
>- @${REINPLACE_CMD} -e 's!/var/log/syslog!/var/log/messages!' \
>- ${WRKSRC}/etc/logcheck.logfiles
>-
> do-install:
> @${MKDIR} ${STAGEDIR}${DATADIR}/detectrotate \
> ${STAGEDIR}${DBDIR} \
>@@ -78,6 +73,7 @@
> ${STAGEDIR}${ETCDIR} \
> ${STAGEDIR}${EXAMPLESDIR} \
> ${STAGEDIR}${RUNDIR}
>+ ${INSTALL_SCRIPT} ${WRKSRC}/src/logcheck-test ${STAGEDIR}${PREFIX}/bin
> ${INSTALL_SCRIPT} ${WRKSRC}/src/logcheck ${STAGEDIR}${PREFIX}/sbin
> ${INSTALL_SCRIPT} ${WRKSRC}/src/logtail ${STAGEDIR}${PREFIX}/sbin
> ${INSTALL_SCRIPT} ${WRKSRC}/src/logtail2 ${STAGEDIR}${PREFIX}/sbin
>@@ -97,7 +93,10 @@
> @${ECHO_CMD} '@exec ${CHGRP} -R ${LOGCHECK_GROUP} \
> ${ETCDIR:S|^${PREFIX}/|%D/|} \
> ${DATADIR:S|^${PREFIX}/|%D/|}' >> ${TMPPLIST}
>-.for i in ${MAN_FILES}
>+.for i in ${MAN1_FILES}
>+ ${INSTALL_MAN} ${WRKSRC}/docs/$i ${STAGEDIR}${MAN1PREFIX}/man/man1
>+.endfor
>+.for i in ${MAN8_FILES}
> ${INSTALL_MAN} ${WRKSRC}/docs/$i ${STAGEDIR}${MAN8PREFIX}/man/man8
> .endfor
> cd ${WRKSRC} && ${INSTALL_DATA} ${DOCS} ${STAGEDIR}${DOCSDIR}
>Index: distinfo
>===================================================================
>--- distinfo (revision 445458)
>+++ distinfo (working copy)
>@@ -1,2 +1,3 @@
>-SHA256 (logcheck_1.3.17.tar.xz) = c2d3fc323e8c6555e91d956385dbfd0f67b55872ed0f6a7ad8ad2526a9faf03a
>-SIZE (logcheck_1.3.17.tar.xz) = 130956
>+TIMESTAMP = 1499679623
>+SHA256 (logcheck_1.3.18.tar.xz) = 077b9149ccd2b747b52785afa89da844f3d072c017c9e719925dec6acb9a9af4
>+SIZE (logcheck_1.3.18.tar.xz) = 131252
>Index: files/extra-patch-debian__logcheck.cron.d.in
>===================================================================
>--- files/extra-patch-debian__logcheck.cron.d.in (revision 445458)
>+++ files/extra-patch-debian__logcheck.cron.d.in (nonexistent)
>@@ -1,16 +0,0 @@
>---- ./debian/logcheck.cron.d.orig 2006-08-06 19:10:49.000000000 -0400
>-+++ ./debian/logcheck.cron.d 2008-09-06 19:11:28.000000000 -0400
>-@@ -1,9 +1,5 @@
>--# /etc/cron.d/logcheck: crontab entries for the logcheck package
>--
>--PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
>-+# crontab entries for the logcheck package
>-+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
>- MAILTO=root
>--
>--@reboot logcheck if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck -R; fi
>--2 * * * * logcheck if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck; fi
>--
>--# EOF
>-+@reboot if [ -x %%PREFIX%%/sbin/logcheck ]; then nice -n10 %%PREFIX%%/sbin/logcheck -R; fi
>-+2 * * * * if [ -x %%PREFIX%%/sbin/logcheck ]; then nice -n10 %%PREFIX%%/sbin/logcheck; fi
>Index: files/extra-patch-docs__logcheck.8.in
>===================================================================
>--- files/extra-patch-docs__logcheck.8.in (revision 445458)
>+++ files/extra-patch-docs__logcheck.8.in (nonexistent)
>@@ -1,118 +0,0 @@
>---- docs/logcheck.8.orig 2009-12-15 15:03:22.000000000 -0500
>-+++ docs/logcheck.8 2009-12-15 15:03:41.000000000 -0500
>-@@ -0,0 +1,115 @@
>-+.\" This manpage has been automatically generated by docbook2man
>-+.\" from a DocBook document. This tool can be found at:
>-+.\" <http://shell.ipoline.com/~elmert/comp/docbook2X/>
>-+.\" Please send any bug reports, improvements, comments, patches,
>-+.\" etc. to Steve Cheng <steve@ggi-project.org>.
>-+.TH "Logcheck" "8" "15 December 2009" "" ""
>-+
>-+.SH NAME
>-+logcheck \- program to scan system logs for interesting lines
>-+.SH SYNOPSIS
>-+
>-+\fBlogcheck\fR [ \fBOPTIONS\fR ]
>-+
>-+.SH "DESCRIPTION"
>-+.PP
>-+The \fBlogcheck\fR program helps spot problems and
>-+security violations in your logfiles automatically and will send the
>-+results to you periodically in an e-mail. By default logcheck runs as
>-+an hourly cronjob just off the hour and after every reboot.
>-+.PP
>-+\fBlogcheck\fR supports three level of filtering:
>-+"paranoid" is for high-security machines running as few services
>-+as possible. Don't use it if you can't handle its verbose messages.
>-+"server" is the default and contains rules for many different daemons.
>-+"workstation" is for sheltered machines and filters most of the messages.
>-+The ignore rules work in additive manner. "paranoid" rules are also
>-+included at level "server" and "workstation".
>-+.PP
>-+The messages reported are sorted into three layers, system events,
>-+security events and attack alerts. The verbosity of system events is
>-+controlled by which level you choose, paranoid, server or workstation.
>-+However, security events and attack alerts are not affected by this.
>-+.SH "EXAMPLES"
>-+.PP
>-+\fBlogcheck\fR can be invoked directly thanks
>-+to su(8) or sudo(8), which change the user ID. The following example checks the logfiles
>-+without updating the offset and outputs everything to STDOUT. 
>-+.PP
>-+sudo -u logcheck \fBlogcheck\fR -o -t
>-+.SH "OPTIONS"
>-+.PP
>-+A summary of options is included below.
>-+.TP
>-+\fB-c CFG \fR
>-+Overrule default configuration file.
>-+.TP
>-+\fB-d \fR
>-+Debug mode.
>-+.TP
>-+\fB-h \fR
>-+Show usage information.
>-+.TP
>-+\fB-H \fR
>-+Use this hostname string in the subject of logcheck mail.
>-+.TP
>-+\fB-l LOG \fR
>-+Run logfile through logcheck.
>-+.TP
>-+\fB-L CFG \fR
>-+Overrule default logfiles list.
>-+.TP
>-+\fB-m \fR
>-+Mail report to recipient.
>-+.TP
>-+\fB-o \fR
>-+STDOUT mode, not sending mail.
>-+.TP
>-+\fB-p \fR
>-+Set the report level to "paranoid".
>-+.TP
>-+\fB-r DIR \fR
>-+Overrule default rules directory.
>-+.TP
>-+\fB-R \fR
>-+Adds "Reboot:" to the email subject line.
>-+.TP
>-+\fB-s \fR
>-+Set the report level to "server".
>-+.TP
>-+\fB-S DIR \fR
>-+Overrule default state directory.
>-+.TP
>-+\fB-t \fR
>-+Testing mode does not update offset.
>-+.TP
>-+\fB-T \fR
>-+Do not remove the TMPDIR.
>-+.TP
>-+\fB-u \fR
>-+Enable syslog-summary.
>-+.TP
>-+\fB-v \fR
>-+Print current version.
>-+.TP
>-+\fB-w \fR
>-+Set the report level to "workstation".
>-+.SH "FILES"
>-+.PP
>-+%%ETCDIR%%/logcheck.conf is the main configuration file.
>-+.PP
>-+%%ETCDIR%%/logcheck.logfiles is the list of files to monitor.
>-+.PP
>-+%%DOCSDIR%%/README.logcheck-database for hints on how to write, test and maintain rules.
>-+.SH "EXIT STATUS"
>-+.PP
>-+0 upon success; 1 upon failure
>-+.SH "SEE ALSO"
>-+.PP
>-+\fBlogtail\fR(8)
>-+.SH "AUTHOR"
>-+.PP
>-+logcheck is developed by Debian logcheck Team at alioth:
>-+http://alioth.debian.org/projects/logcheck/.
>-+.PP
>-+This manual page was written by Jon Middleton.
>Index: files/extra-patch-etc__logcheck.conf.in
>===================================================================
>--- files/extra-patch-etc__logcheck.conf.in (revision 445458)
>+++ files/extra-patch-etc__logcheck.conf.in (nonexistent)
>@@ -1,17 +0,0 @@
>---- etc/logcheck.conf.orig 2010-04-15 01:15:34.000000000 +0900
>-+++ etc/logcheck.conf 2010-05-12 14:22:13.000000000 +0900
>-@@ -53,13 +53,7 @@
>- # Controls the base directory for rules file location
>- # This must be an absolute path
>- 
>--#RULEDIR="/etc/logcheck"
>--
>--# Controls if syslog-summary is run over each section.
>--# Alternatively, set to "1" to enable extra summary.
>--# HINT: syslog-summary needs to be installed.
>--
>--#SYSLOGSUMMARY=0
>-+#RULEDIR="%%ETCDIR%%"
>- 
>- # Controls Subject: lines on logcheck reports:
>- 
>Index: files/extra-patch-src__logcheck.in
>===================================================================
>--- files/extra-patch-src__logcheck.in (revision 445458)
>+++ files/extra-patch-src__logcheck.in (nonexistent)
>@@ -1,151 +0,0 @@
>---- src/logcheck.orig 2010-07-07 15:59:57.000000000 -0400
>-+++ src/logcheck 2010-07-07 16:19:33.000000000 -0400
>-@@ -24,17 +24,10 @@
>- 
>- if [ `id -u` = 0 ]; then
>- echo "logcheck should not be run as root. Use su to invoke logcheck:"
>-- echo "su -s /bin/bash -c \"/usr/sbin/logcheck${@:+ $@}\" logcheck"
>-+ echo "su -m %%LOGCHECK_USER%% -c \"%%LOCALBASE%%/bin/bash %%PREFIX%%/sbin/logcheck${@:+ $@}\""
>- echo "Or use sudo: sudo -u logcheck logcheck${@:+ $@}."
>- # you may want to uncomment that hack to let logcheck invoke itself.
>-- # su -s /bin/bash -c "$0 $*" logcheck
>-- exit 1
>--fi
>--
>--if [ ! -f /usr/bin/lockfile-create -o \
>-- ! -f /usr/bin/lockfile-remove -o \
>-- ! -f /usr/bin/lockfile-touch ]; then
>-- echo "fatal: lockfile-progs is a prerequisite for logcheck, and was not found."
>-+ # su -s %%LOCALBASE%%/bin/bash -c "$0 $*" logcheck
>- exit 1
>- fi
>- 
>-@@ -69,12 +62,12 @@
>- ADDTAG="no"
>- 
>- # Set the default paths
>--RULEDIR="/etc/logcheck"
>--CONFFILE="/etc/logcheck/logcheck.conf"
>--STATEDIR="/var/lib/logcheck"
>--LOGFILES_LIST="/etc/logcheck/logcheck.logfiles"
>--LOGFILE_FALLBACK="/var/log/syslog"
>--LOGTAIL="/usr/sbin/logtail2"
>-+RULEDIR="%%ETCDIR%%"
>-+CONFFILE="%%ETCDIR%%/logcheck.conf"
>-+STATEDIR="/var/db/logcheck"
>-+LOGFILES_LIST="%%ETCDIR%%/logcheck.logfiles"
>-+LOGFILE_FALLBACK="/var/log/messages"
>-+LOGTAIL="%%PREFIX%%/sbin/logtail2"
>- CAT="/bin/cat"
>- SYSLOG_SUMMARY="/usr/bin/syslog-summary"
>- 
>-@@ -89,20 +82,15 @@
>- SORTUNIQ=0
>- SUPPORT_CRACKING_IGNORE=0
>- SYSLOGSUMMARY=0
>--LOCKDIR=/run/lock/logcheck
>-+LOCKDIR=/var/run/logcheck
>- LOCKFILE="$LOCKDIR/logcheck"
>- 
>- # Carry out the clean up tasks
>- cleanup() {
>- 
>-- if [ -n "$LOCK" ]; then
>-- debug "cleanup: Killing lockfile-touch - $LOCK"
>-- kill "$LOCK" && unset LOCK
>-- fi
>--
>-- if [ -f "$LOCKFILE.lock" ]; then
>-- debug "cleanup: Removing lockfile: $LOCKFILE.lock"
>-- lockfile-remove "$LOCKFILE"
>-+ if [ -f "$LOCKFILE" ]; then
>-+ debug "cleanup: Removing lockfile: $LOCKFILE"
>-+ rm -f "$LOCKFILE"
>- fi
>- 
>- if [ -d "$TMPDIR" ]; then
>-@@ -144,14 +132,9 @@
>- if [ "$2" = "noclean" ]; then
>- debug "error: Not removing lockfile"
>- else
>-- if [ -n "$LOCK" ]; then
>-- debug "error: Killing lockfile-touch - $LOCK"
>-- kill "$LOCK" && unset LOCK
>-- fi
>--
>-- if [ -f "$LOCKFILE.lock" ]; then
>-- debug "error: Removing lockfile: $LOCKFILE.lock"
>-- lockfile-remove "$LOCKFILE"
>-+ if [ -f "$LOCKFILE" ]; then
>-+ debug "error: Removing lockfile: $LOCKFILE"
>-+ rm -f "$LOCKFILE"
>- fi
>- 
>- fi
>-@@ -170,7 +153,7 @@
>- ${TMPDIR:+Check temporary directory: $TMPDIR
>- }
>- Also verify that the logcheck user can read all files referenced in
>--/etc/logcheck/logcheck.logfiles!
>-+%%ETCDIR%%/logcheck.logfiles!
>- 
>- $(export)
>- EOF
>-@@ -215,7 +198,7 @@
>- mkdir "$cleaned" \
>- || error "Could not make dir $cleaned for cleaned rulefiles."
>- fi
>-- for rulefile in $(run-parts --list "$dir"); do
>-+ for rulefile in $(ls -1R "$dir"); do
>- rulefile="$(basename "$rulefile")"
>- if [ -f "${dir}/${rulefile}" ]; then
>- debug "cleanrules: ${dir}/${rulefile}"
>-@@ -529,9 +512,9 @@
>- 
>- # Hostname either fully qualified or not.
>- if [ "$FQDN" -eq 1 ]; then
>-- HOSTNAME="$(hostname --fqdn 2>/dev/null)"
>-+ HOSTNAME="$(hostname -f 2>/dev/null)"
>- else
>-- HOSTNAME="$(hostname --short 2>/dev/null)"
>-+ HOSTNAME="$(hostname -s 2>/dev/null)"
>- fi
>- 
>- # Now check for the other options
>-@@ -610,30 +593,25 @@
>- 
>- trap 'cleanup' 0
>- 
>--debug "Trying to get lockfile: $LOCKFILE.lock"
>-+debug "Trying to get lockfile: $LOCKFILE"
>- if [ ! -d "$LOCKDIR" ]; then
>- mkdir -m 0755 "$LOCKDIR"
>- fi
>--lockfile-create --retry 1 "$LOCKFILE" > /dev/null 2>&1
>-+lockfile -r 1 "$LOCKFILE" > /dev/null 2>&1
>- 
>- 
>- if [ $? -eq 1 ]; then
>- trap 0
>-- if [ -e "${LOCKFILE}.lock" ]; then
>-+ if [ -e "${LOCKFILE}" ]; then
>- error "Another logcheck process is still running" "noclean"
>- else
>-- error "Failed to get lockfile: $LOCKFILE.lock" "noclean"
>-+ error "Failed to get lockfile: $LOCKFILE" "noclean"
>- fi
>--
>--else
>-- debug "Running lockfile-touch $LOCKFILE.lock"
>-- lockfile-touch "$LOCKFILE" &
>-- LOCK="$!"
>- fi
>- 
>- # Create the secure temporary directory or exit
>--TMPDIR="$(mktemp -d -p "${TMP:-/tmp}" logcheck.XXXXXX)" \
>-- || TMPDIR="$(mktemp -d -p /var/tmp logcheck.XXXXXX)" \
>-+TMPDIR="$(mktemp -d ${TMP:-/tmp}/logcheck.XXXXXX)" \
>-+ || TMPDIR="$(mktemp -d /var/tmp/logcheck.XXXXXX)" \
>- || error "Could not create temporary directory"
>- 
>- # Now clean the rulefiles in the directories
>Index: files/extra-patch-src__logtail2.in
>===================================================================
>--- files/extra-patch-src__logtail2.in (revision 445458)
>+++ files/extra-patch-src__logtail2.in (nonexistent)
>@@ -1,11 +0,0 @@
>---- src/logtail2.orig 2010-01-18 17:24:26.000000000 -0500
>-+++ src/logtail2 2010-01-18 17:24:40.000000000 -0500
>-@@ -108,7 +108,7 @@
>- # function with dateext magic added.
>- 
>- #print "determine_rotated_logfile $filename $inode\n";
>-- for my $codefile (glob("/usr/share/logtail/detectrotate/*.dtr")) {
>-+ for my $codefile (glob("%%DATADIR%%/detectrotate/*.dtr")) {
>- my $func = do $codefile;
>- if (!$func) {
>- print STDERR "cannot compile $codefile: $!";
>Index: files/patch-debian_logcheck.cron.d
>===================================================================
>--- files/patch-debian_logcheck.cron.d (nonexistent)
>+++ files/patch-debian_logcheck.cron.d (working copy)
>@@ -0,0 +1,16 @@
>+--- debian/logcheck.cron.d.orig 2017-01-25 21:08:04 UTC
>++++ debian/logcheck.cron.d
>+@@ -1,9 +1,5 @@
>+-# /etc/cron.d/logcheck: crontab entries for the logcheck package
>+-
>+-PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
>++# crontab entries for the logcheck package
>++PATH=/sbin:/bin:/usr/sbin:/usr/bin:%%PREFIX%%/sbin:%%PREFIX%%/bin
>+ MAILTO=root
>+-
>+-@reboot logcheck if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck -R; fi
>+-2 * * * * logcheck if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck; fi
>+-
>+-# EOF
>++@reboot if [ -x %%PREFIX%%/sbin/logcheck ]; then nice -n10 %%PREFIX%%/sbin/logcheck -R; fi
>++2 * * * * if [ -x %%PREFIX%%/sbin/logcheck ]; then nice -n10 %%PREFIX%%/sbin/logcheck; fi
>Index: files/patch-docs_README.logcheck
>===================================================================
>--- files/patch-docs_README.logcheck (nonexistent)
>+++ files/patch-docs_README.logcheck (working copy)
>@@ -0,0 +1,16 @@
>+--- docs/README.logcheck.orig 2017-01-25 21:08:04 UTC
>++++ docs/README.logcheck
>+@@ -17,11 +17,11 @@ don't start overlapping.
>+ ======================================================================
>+ LOG ENTRIES
>+ -----------
>+-These are taken from a specified set of logfiles (usually syslog and
>++These are taken from a specified set of logfiles (usually messages and
>+ auth.log); a special Perl utility named "logtail" is used which
>+ "bookmarks" its place in the logs, so that events aren't reported
>+ twice in successive logcheck runs. The offset records are stored as
>+-(eg) "/var/lib/logcheck/offset.var.log.syslog"; lines to be
>++(eg) "%%DBDIR%%/offset.var.log.messages"; lines to be
>+ considered by logcheck are copied into tempfiles in the working
>+ directory "/var/tmp/logcheck". See the corresponding README for
>+ logtail for further notes on complications such as log-rotation.
>Index: files/patch-docs_README.logcheck-database
>===================================================================
>--- files/patch-docs_README.logcheck-database (nonexistent)
>+++ files/patch-docs_README.logcheck-database (working copy)
>@@ -0,0 +1,105 @@
>+--- docs/README.logcheck-database.orig 2017-01-25 21:08:04 UTC
>++++ docs/README.logcheck-database
>+@@ -15,7 +15,7 @@ normal egrep pattern-matches, applied in
>+ 1. the "SECURITY ALERTS" layer, designed to detect the traces of active
>+ intrusion attempts.
>+ 
>+- Patterns raising the alarm go in "/etc/logcheck/cracking.d"; any
>++ Patterns raising the alarm go in "%%ETCDIR%%/cracking.d"; any
>+ event that matches one of these patterns turns the report
>+ into an urgent "Security Alerts" report, with the relevant
>+ event moved to a special section. The cracking.d standard
>+@@ -26,7 +26,7 @@ normal egrep pattern-matches, applied in
>+ the default logcheck configuration, but if the local
>+ administrator enables this layer of filtering in
>+ logcheck.conf, then the rules go in the directory
>+- "/etc/logcheck/cracking.ignore.d". Matches with
>++ "%%ETCDIR%%/cracking.ignore.d". Matches with
>+ cracking.ignore rules will then reclassify the alert as a
>+ false alarm (compare violations.ignore below). Note that
>+ this means they are totally ignored - log messages handled
>+@@ -35,12 +35,12 @@ normal egrep pattern-matches, applied in
>+ 2. the "SECURITY EVENTS" layer, designed to detect less critical
>+ events still considered worthy of special attention.
>+ 
>+- Patterns raising the alarm go in "/etc/logcheck/violations.d";
>++ Patterns raising the alarm go in "%%ETCDIR%%/violations.d";
>+ matches with these result in a "Security Events" alert,
>+ with the relevant event moved to a special section.
>+ 
>+ Patterns cancelling such alarms go in the standard directory
>+- "/etc/logcheck/violations.ignore.d"; apparent "Security
>++ "%%ETCDIR%%/violations.ignore.d"; apparent "Security
>+ Events" that match with violations.ignore patterns are
>+ discarded as false alarms.
>+ 
>+@@ -51,7 +51,7 @@ normal egrep pattern-matches, applied in
>+ from the logfiles are considered for inclusion in the main
>+ "System Events" section. 
>+ 
>+- Patterns in the three "/etc/logcheck/ignore.d.*" directories
>++ Patterns in the three "%%ETCDIR%%/ignore.d.*" directories
>+ again function to overrule alerts; the log messages that
>+ match them are excluded from the report as trivial. The
>+ specific directories consulted depend on the prevailing
>+@@ -78,13 +78,13 @@ underscore, and hyphen.
>+ Contains filters relevant to only one Debian package - for example
>+ if "fooserver" logs suspicious events like this:
>+ "$DATE $HOSTNAME fooserver[$PID]: $USER is up to no good"
>+-then a line in "/etc/logcheck/violations.d/fooserver" with an
>++then a line in "%%ETCDIR%%/violations.d/fooserver" with an
>+ appropriate pattern will promote it from a mere "System Event"
>+ to a full "Security Event" in a subsection of the mailing headed
>+ "fooserver". Or then again if that kind of log message is more
>+ trivial than it looks (maybe "foo" is a networked game of
>+ spy-and-counterspy) then a line in
>+-"/etc/logcheck/ignore.d.server/fooserver" will turn it into a
>++"%%ETCDIR%%/ignore.d.server/fooserver" will turn it into a
>+ nonevent for all but the most assiduous of administrators.
>+ 
>+ Sometimes a package will have not only special alarm calls which
>+@@ -107,7 +107,7 @@ that need to be processed.
>+ 
>+ Standard "generic" rules go in each directory's "./logcheck" file;
>+ thus for instance any log message at all matching "ATTACK"
>+-(listed in "/etc/logcheck/cracking.d/logcheck") _always_ triggers
>++(listed in "%%ETCDIR%%/cracking.d/logcheck") _always_ triggers
>+ a "Security Alert", unless you deliberately tamper with
>+ "cracking.ignore.d" rules. 
>+ 
>+@@ -122,12 +122,12 @@ non-package-specific "flagging" patterns
>+ "fooserver" outputs syslog messages like this:
>+ "$DATE $HOSTNAME fooserver[$PID]: 3 attempts 0 rejected"
>+ then the standard keyword "reject" listed in the generic
>+-"/etc/logcheck/violations.d/logcheck" file will trigger frequent
>++"%%ETCDIR%%/violations.d/logcheck" file will trigger frequent
>+ "Security Events" reports. Putting a filtering pattern in
>+-"/etc/logcheck/violations.ignore.d/fooserver" won't help here!
>++"%%ETCDIR%%/violations.ignore.d/fooserver" won't help here!
>+ The solution is to use a file named in the specially-privileged
>+ ./logcheck-<packagename> format:
>+-"/etc/logcheck/violations.ignore.d/logcheck-fooserver".
>++"%%ETCDIR%%/violations.ignore.d/logcheck-fooserver".
>+ This can contain patterns provided by that particular package
>+ which nonetheless need to take precedence over the generic rules.
>+ 
>+@@ -137,8 +137,8 @@ Sysadmins can use the "local-*" filename
>+ additions to the "logcheck-*" pattern lists. If you have "ippl"
>+ logging network connections verbosely into syslog then you can put
>+ custom "Security Events" keywords in
>+-"/etc/logcheck/violations.d/local-ippl" and exceptions in
>+-"/etc/logcheck/violations.ignore.d/local-ippl".
>++"%%ETCDIR%%/violations.d/local-ippl" and exceptions in
>++"%%ETCDIR%%/violations.ignore.d/local-ippl".
>+ 
>+ 
>+ WRITING RULES
>+@@ -181,7 +181,7 @@ logcheck-test(1)).
>+ Alternatively you can manually grep your log file, and remove trailing
>+ space with something like this:
>+ 
>+- sed -e 's/[[:space:]]*$//' /var/log/syslog | egrep \
>++ sed -e 's/[[:space:]]*$//' /var/log/messages | egrep \
>+ '^\w{3} [ :0-9]{11} oempc wwwoffled\[[0-9]+\]: WWWOFFLE (On|Off)line\.$'
>+ 
>+ If the log line is displayed, then your regex works. 
>Index: files/patch-docs_README.logtail
>===================================================================
>--- files/patch-docs_README.logtail (nonexistent)
>+++ files/patch-docs_README.logtail (working copy)
>@@ -0,0 +1,11 @@
>+--- docs/README.logtail.orig 2017-01-25 21:08:04 UTC
>++++ docs/README.logtail
>+@@ -28,7 +28,7 @@ Logtail2, a different executeable, also
>+ guessing a file name that might have been the target of log rotation
>+ and printing that file's contents starting with the stored offset. If
>+ you have a non-standard rotation scheme, you can drop your own
>+-heuristic into /usr/share/logtail/detectrotate/ and have it
>++heuristic into %%DATADIR%%/detectrotate/ and have it
>+ automatically picked up by logtail2.
>+ ======================================================================
>+ COMMANDLINE ARGUMENTS
>Index: files/patch-docs_logcheck-test.1
>===================================================================
>--- files/patch-docs_logcheck-test.1 (nonexistent)
>+++ files/patch-docs_logcheck-test.1 (working copy)
>@@ -0,0 +1,26 @@
>+--- docs/logcheck-test.1.orig 2017-01-25 21:08:04 UTC
>++++ docs/logcheck-test.1
>+@@ -38,8 +38,8 @@ Show usage information
>+ .B \-a, \-\-auth.log
>+ Parse /var/log/auth.log for matching lines
>+ .TP
>+-.B \-s, \-\-syslog
>+-Parse /var/log/syslog for matching lines
>++.B \-m, \-\-messages
>++Parse /var/log/messages for matching lines
>+ .TP
>+ .B \-l, \-\-log\-file FILE
>+ Parse FILE for matching lines
>+@@ -69,10 +69,10 @@ With
>+ .B logcheck-test
>+ you can easily write and test new rules.
>+ .PP
>+-Test a single rule against /var/log/syslog:
>++Test a single rule against /var/log/messages:
>+ .RS
>+ .fam C
>+-logcheck-test \-s "RULE"
>++logcheck-test \-m "RULE"
>+ .fam T
>+ .RE
>+ 
>Index: files/patch-docs_logcheck.sgml
>===================================================================
>--- files/patch-docs_logcheck.sgml (nonexistent)
>+++ files/patch-docs_logcheck.sgml (working copy)
>@@ -0,0 +1,17 @@
>+--- docs/logcheck.sgml.orig 2017-01-25 21:08:04 UTC
>++++ docs/logcheck.sgml
>+@@ -244,10 +244,10 @@ manpage.1: manpage.sgml
>+ <refsect1>
>+ <title>FILES</title>
>+ 
>+- <para>/etc/logcheck/logcheck.conf is the main configuration file.</para>
>+- <para>/etc/logcheck/logcheck.logfiles is the list of files to monitor.</para>
>+- <para>/etc/logcheck/logcheck.logfiles.d is the directory of lists of files to monitor.</para>
>+- <para>/usr/share/doc/logcheck-database/README.logcheck-database.gz for hints on how to write, test and maintain rules.</para>
>++ <para>%%ETCDIR%%/logcheck.conf is the main configuration file.</para>
>++ <para>%%ETCDIR%%/logcheck.logfiles is the list of files to monitor.</para>
>++ <para>%%ETCDIR%%/logcheck.logfiles.d is the directory of lists of files to monitor.</para>
>++ <para>%%DOCSDIR%%/README.logcheck-database for hints on how to write, test and maintain rules.</para>
>+ </refsect1>
>+ <refsect1>
>+ <title>EXIT STATUS</title>
>Index: files/patch-docs_logtail2.8
>===================================================================
>--- files/patch-docs_logtail2.8 (nonexistent)
>+++ files/patch-docs_logtail2.8 (working copy)
>@@ -0,0 +1,11 @@
>+--- docs/logtail2.8.orig 2017-01-25 21:08:04 UTC
>++++ docs/logtail2.8
>+@@ -38,7 +38,7 @@ is not empty, the inode of
>+ is checked. If the inode is changed,
>+ .B logtail2
>+ uses the heuristics stored in
>+-.I /usr/share/logtail/detectrotate/
>++.I %%DATADIR%%/detectrotate/
>+ to find a file that might be the rotated
>+ .I logfile
>+ and prints it starting with the stored offset. It then proceeds to
>Index: files/patch-etc_logcheck.conf
>===================================================================
>--- files/patch-etc_logcheck.conf (nonexistent)
>+++ files/patch-etc_logcheck.conf (working copy)
>@@ -0,0 +1,37 @@
>+--- etc/logcheck.conf.orig 2017-01-25 21:08:04 UTC
>++++ etc/logcheck.conf
>+@@ -9,7 +9,7 @@
>+ # Controls the presence of boilerplate at the top of each message:
>+ # Alternatively, set to "0" to disable the introduction.
>+ #
>+-# If the files /etc/logcheck/header.txt and /etc/logcheck/footer.txt
>++# If the files %%ETCDIR%%/header.txt and %%ETCDIR%%/footer.txt
>+ # are present their contents will be read and used as the header and
>+ # footer of any generated mails.
>+ 
>+@@ -44,8 +44,8 @@ FQDN=1
>+ 
>+ #SORTUNIQ=0
>+ 
>+-# Controls whether /etc/logcheck/cracking.ignore.d is scanned for
>+-# exceptions to the rules in /etc/logcheck/cracking.d:
>++# Controls whether %%ETCDIR%%/cracking.ignore.d is scanned for
>++# exceptions to the rules in %%ETCDIR%%/cracking.d:
>+ # Alternatively, set to "1" to enable cracking.ignore support
>+ 
>+ #SUPPORT_CRACKING_IGNORE=0
>+@@ -53,13 +53,7 @@ FQDN=1
>+ # Controls the base directory for rules file location
>+ # This must be an absolute path
>+ 
>+-#RULEDIR="/etc/logcheck"
>+-
>+-# Controls if syslog-summary is run over each section.
>+-# Alternatively, set to "1" to enable extra summary.
>+-# HINT: syslog-summary needs to be installed.
>+-
>+-#SYSLOGSUMMARY=0
>++#RULEDIR="%%ETCDIR%%"
>+ 
>+ # Controls Subject: lines on logcheck reports:
>+ 
>Index: files/patch-etc_logcheck.logfiles
>===================================================================
>--- files/patch-etc_logcheck.logfiles (nonexistent)
>+++ files/patch-etc_logcheck.logfiles (working copy)
>@@ -0,0 +1,8 @@
>+--- etc/logcheck.logfiles.orig 2017-01-25 21:08:04 UTC
>++++ etc/logcheck.logfiles
>+@@ -1,4 +1,4 @@
>+ # these files will be checked by logcheck
>+ # This has been tuned towards a default syslog install
>+-/var/log/syslog
>+ /var/log/auth.log
>++/var/log/messages
>Index: files/patch-rulefiles__linux__ignore.d.server__ssh
>===================================================================
>--- files/patch-rulefiles__linux__ignore.d.server__ssh (revision 445458)
>+++ files/patch-rulefiles__linux__ignore.d.server__ssh (working copy)
>@@ -1,6 +1,6 @@
>---- ./rulefiles/linux/ignore.d.server/ssh.orig 2010-09-03 04:24:30.000000000 -0400
>-+++ ./rulefiles/linux/ignore.d.server/ssh 2011-11-23 14:25:31.000000000 -0500
>-@@ -21,8 +21,8 @@
>+--- rulefiles/linux/ignore.d.server/ssh.orig 2017-01-25 21:08:04 UTC
>++++ rulefiles/linux/ignore.d.server/ssh
>+@@ -27,8 +27,8 @@
> ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: \(pam_unix\) check pass; user unknown$
> ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: \(pam_unix\) bad username \[[^]]+\]$
> ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: Could not get shadow information for NOUSER$
>Index: files/patch-src_logcheck
>===================================================================
>--- files/patch-src_logcheck (nonexistent)
>+++ files/patch-src_logcheck (working copy)
>@@ -0,0 +1,153 @@ >+--- src/logcheck.orig 2017-07-11 17:32:13 UTC >++++ src/logcheck >+@@ -24,17 +24,10 @@ >+ >+ if [ `id -u` = 0 ]; then >+ echo "logcheck should not be run as root. Use su to invoke logcheck:" >+- echo "su -s /bin/bash -c \"/usr/sbin/logcheck${@:+ $@}\" logcheck" >++ echo "su -m %%LOGCHECK_USER%% -c \"%%LOCALBASE%%/bin/bash %%PREFIX%%/sbin/logcheck${@:+ $@}\"" >+ echo "Or use sudo: sudo -u logcheck logcheck${@:+ $@}." >+ # you may want to uncomment that hack to let logcheck invoke itself. >+- # su -s /bin/bash -c "$0 $*" logcheck >+- exit 1 >+-fi >+- >+-if [ ! -f /usr/bin/lockfile-create -o \ >+- ! -f /usr/bin/lockfile-remove -o \ >+- ! -f /usr/bin/lockfile-touch ]; then >+- echo "fatal: lockfile-progs is a prerequisite for logcheck, and was not found." >++ # su -s %%LOCALBASE%%/bin/bash -c "$0 $*" logcheck >+ exit 1 >+ fi >+ >+@@ -69,13 +62,13 @@ EVENTSSUBJECT="System Events" >+ ADDTAG="no" >+ >+ # Set the default paths >+-RULEDIR="/etc/logcheck" >+-CONFFILE="/etc/logcheck/logcheck.conf" >+-STATEDIR="/var/lib/logcheck" >+-LOGFILES_LIST="/etc/logcheck/logcheck.logfiles" >+-LOGFILES_LIST_D="/etc/logcheck/logcheck.logfiles.d" >+-LOGFILE_FALLBACK="/var/log/syslog" >+-LOGTAIL="/usr/sbin/logtail2" >++RULEDIR="%%ETCDIR%%" >++CONFFILE="%%ETCDIR%%/logcheck.conf" >++STATEDIR="%%DBDIR%%" >++LOGFILES_LIST="%%ETCDIR%%/logcheck.logfiles" >++LOGFILES_LIST_D="%%ETCDIR%%/logcheck.logfiles.d" >++LOGFILE_FALLBACK="/var/log/messages" >++LOGTAIL="%%PREFIX%%/sbin/logtail2" >+ CAT="/bin/cat" >+ SYSLOG_SUMMARY="/usr/bin/syslog-summary" >+ >+@@ -90,20 +83,15 @@ FQDN=0 >+ SORTUNIQ=0 >+ SUPPORT_CRACKING_IGNORE=0 >+ SYSLOGSUMMARY=0 >+-LOCKDIR=/run/lock/logcheck >++LOCKDIR=/var/run/logcheck >+ LOCKFILE="$LOCKDIR/logcheck" >+ >+ # Carry out the clean up tasks >+ cleanup() { >+ >+- if [ -n "$LOCK" ]; then >+- debug "cleanup: Killing lockfile-touch - $LOCK" >+- kill "$LOCK" && unset LOCK >+- fi >+- >+- if [ -f "$LOCKFILE.lock" ]; then >+- debug "cleanup: Removing lockfile: 
$LOCKFILE.lock" >+- lockfile-remove "$LOCKFILE" >++ if [ -f "$LOCKFILE" ]; then >++ debug "cleanup: Removing lockfile: $LOCKFILE" >++ rm -f "$LOCKFILE" >+ fi >+ >+ if [ -d "$TMPDIR" ]; then >+@@ -145,14 +133,9 @@ error() { >+ if [ "$2" = "noclean" ]; then >+ debug "error: Not removing lockfile" >+ else >+- if [ -n "$LOCK" ]; then >+- debug "error: Killing lockfile-touch - $LOCK" >+- kill "$LOCK" && unset LOCK >+- fi >+- >+- if [ -f "$LOCKFILE.lock" ]; then >+- debug "error: Removing lockfile: $LOCKFILE.lock" >+- lockfile-remove "$LOCKFILE" >++ if [ -f "$LOCKFILE" ]; then >++ debug "error: Removing lockfile: $LOCKFILE" >++ rm -f "$LOCKFILE" >+ fi >+ >+ fi >+@@ -171,7 +154,7 @@ $message >+ ${TMPDIR:+Check temporary directory: $TMPDIR >+ } >+ Also verify that the logcheck user can read all files referenced in >+-/etc/logcheck/logcheck.logfiles! >++%%ETCDIR%%/logcheck.logfiles! >+ >+ $(export) >+ EOF >+@@ -223,7 +206,7 @@ cleanrules() { >+ error "Couldn't read $x" >+ fi >+ done >+- for rulefile in $(run-parts --list "$dir"); do >++ for rulefile in $(ls -1R "$dir"); do >+ rulefile="$(basename "$rulefile")" >+ if [ -f "${dir}/${rulefile}" ]; then >+ debug "cleanrules: ${dir}/${rulefile}" >+@@ -538,9 +521,9 @@ fi >+ >+ # Hostname either fully qualified or not. >+ if [ "$FQDN" -eq 1 ]; then >+- HOSTNAME="$(hostname --fqdn 2>/dev/null)" >++ HOSTNAME="$(hostname -f 2>/dev/null)" >+ else >+- HOSTNAME="$(hostname --short 2>/dev/null)" >++ HOSTNAME="$(hostname -s 2>/dev/null)" >+ fi >+ >+ # Now check for the other options >+@@ -623,30 +606,25 @@ fi >+ >+ trap 'cleanup' 0 >+ >+-debug "Trying to get lockfile: $LOCKFILE.lock" >++debug "Trying to get lockfile: $LOCKFILE" >+ if [ ! -d "$LOCKDIR" ]; then >+ mkdir -m 0755 "$LOCKDIR" >+ fi >+-lockfile-create --retry 1 "$LOCKFILE" > /dev/null 2>&1 >++lockfile -r 1 "$LOCKFILE" > /dev/null 2>&1 >+ >+ >+ if [ $? 
-eq 1 ]; then >+ trap 0 >+- if [ -e "${LOCKFILE}.lock" ]; then >++ if [ -e "${LOCKFILE}" ]; then >+ error "Another logcheck process is still running" "noclean" >+ else >+- error "Failed to get lockfile: $LOCKFILE.lock" "noclean" >++ error "Failed to get lockfile: $LOCKFILE" "noclean" >+ fi >+- >+-else >+- debug "Running lockfile-touch $LOCKFILE.lock" >+- lockfile-touch "$LOCKFILE" & >+- LOCK="$!" >+ fi >+ >+ # Create the secure temporary directory or exit >+-TMPDIR="$(mktemp -d -p "${TMP:-/tmp}" logcheck.XXXXXX)" \ >+- || TMPDIR="$(mktemp -d -p /var/tmp logcheck.XXXXXX)" \ >++TMPDIR="$(mktemp -d ${TMP:-/tmp}/logcheck.XXXXXX)" \ >++ || TMPDIR="$(mktemp -d /var/tmp/logcheck.XXXXXX)" \ >+ || error "Could not create temporary directory" >+ >+ # Now clean the rulefiles in the directories >Index: files/patch-src_logcheck-test >=================================================================== >--- files/patch-src_logcheck-test (nonexistent) >+++ files/patch-src_logcheck-test (working copy) >@@ -0,0 +1,23 @@ >+--- src/logcheck-test.orig 2017-01-25 21:08:04 UTC >++++ src/logcheck-test >+@@ -38,7 +38,7 @@ usage() { >+ usage: logcheck-test >+ -h|--help : Show usage information >+ -a|--auth.log : Parse /var/log/auth.log >+--s|--syslog : Parse /var/log/syslog >++-m|--messages : Parse /var/log/messages >+ -l|--log-file LOGFILE : Parse LOGFILE >+ -i|--invert-match : Show lines that don't match the RULE or RULEFILE >+ -q|--quiet : Suppress rule summary >+@@ -103,9 +103,9 @@ while [ -n "${1:-}" ]; do >+ warn "option -a ignored" >+ fi >+ ;; >+- -s|--syslog) >++ -m|--messages) >+ if [ -z "$FILE" ] ; then >+- FILE="/var/log/syslog" >++ FILE="/var/log/messages" >+ else >+ warn "option -s ignored" >+ fi >Index: files/patch-src_logtail2 >=================================================================== >--- files/patch-src_logtail2 (nonexistent) >+++ files/patch-src_logtail2 (working copy) 
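Review bot: The lock-acquisition test `if [ $? -eq 1 ]; then` in the new src/logcheck hunk will not notice a failed lock, because procmail's lockfile(1), which this patch substitutes for lockfile-create, reports a lock it could not take with exit status 73 (EX_CANTCREAT) rather than 1, as far as its manual page describes. With that condition never true, the "Another logcheck process is still running" branch is unreachable and a second instance would proceed past the lock, with both runs' cleanup() calls doing `rm -f "$LOCKFILE"`. Testing for any non-zero status keeps the original intent: `if [ $? -ne 0 ]; then`. Separately, `${TMP:-/tmp}` in the rewritten mktemp line is unquoted; `"${TMP:-/tmp}/logcheck.XXXXXX"` avoids word splitting of the template when TMP contains whitespace.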
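Review bot: The diagnostic in the renamed option branch of the new src/logcheck-test hunk still reads `warn "option -s ignored"` although the case label is now `-m|--messages`, so a user who passes `-m` after `-l` is told that an option they never gave was ignored. The message should follow the rename: `warn "option -m ignored"`. The enclosing while loop begins and ends outside the hunk.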
>@@ -0,0 +1,11 @@
>+--- src/logtail2.orig 2017-07-11 17:32:13 UTC
>++++ src/logtail2
>+@@ -109,7 +109,7 @@ sub determine_rotated_logfile {
>+ # function with dateext magic added.
>+
>+ #print "determine_rotated_logfile $filename $inode\n";
>+- for my $codefile (glob("/usr/share/logtail/detectrotate/*.dtr")) {
>++ for my $codefile (glob("%%DATADIR%%/detectrotate/*.dtr")) {
>+ my $func = do $codefile;
>+ if (!$func) {
>+ print STDERR "cannot compile $codefile: $!";
>Index: pkg-plist
>===================================================================
>--- pkg-plist (revision 445458)
>+++ pkg-plist (working copy)
>@@ -1,4 +1,7 @@
> @mode 640
>+%%DATADIR%%/detectrotate/10-savelog.dtr
>+%%DATADIR%%/detectrotate/20-logrotate.dtr
>+%%DATADIR%%/detectrotate/30-logrotate-dateext.dtr
> %%ETCDIR%%/cracking.d/kernel
> %%ETCDIR%%/cracking.d/rlogind
> %%ETCDIR%%/cracking.d/rsh
>@@ -131,6 +134,8 @@
> %%ETCDIR%%/ignore.d.server/sudo
> %%ETCDIR%%/ignore.d.server/sympa
> %%ETCDIR%%/ignore.d.server/syslogd
>+%%ETCDIR%%/ignore.d.server/systemd
>+%%ETCDIR%%/ignore.d.server/systemd-timesyncd
> %%ETCDIR%%/ignore.d.server/teapop
> %%ETCDIR%%/ignore.d.server/telnetd
> %%ETCDIR%%/ignore.d.server/tftpd
>@@ -179,6 +184,8 @@
> %%ETCDIR%%/ignore.d.workstation/wpasupplicant
> %%ETCDIR%%/ignore.d.workstation/xdm
> %%ETCDIR%%/ignore.d.workstation/xlockmore
>+%%ETCDIR%%/logcheck.conf.sample
>+%%ETCDIR%%/logcheck.logfiles.sample
> %%ETCDIR%%/violations.d/kernel
> %%ETCDIR%%/violations.d/logcheck
> %%ETCDIR%%/violations.d/smartd
>@@ -186,12 +193,9 @@
> %%ETCDIR%%/violations.d/sudo
> %%ETCDIR%%/violations.ignore.d/logcheck-su
> %%ETCDIR%%/violations.ignore.d/logcheck-sudo
>-%%ETCDIR%%/logcheck.conf.sample
>-%%ETCDIR%%/logcheck.logfiles.sample
>-%%DATADIR%%/detectrotate/10-savelog.dtr
>-%%DATADIR%%/detectrotate/20-logrotate.dtr
>-%%DATADIR%%/detectrotate/30-logrotate-dateext.dtr
> @mode
>+bin/logcheck-test
>+man/man1/logcheck-test.1.gz
> man/man8/logcheck.8.gz
> man/man8/logtail.8.gz
> man/man8/logtail2.8.gz
Flags:
yasu
:
maintainer-approval+