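diff -urN logcheck-1.1.1/Makefile logcheck-1.1.1.patched/Makefile
--- logcheck-1.1.1/Makefile Sun Oct 31 16:07:29 1999
+++ logcheck-1.1.1.patched/Makefile Wed Jan 15 11:10:02 2003
@@ -4,6 +4,8 @@
 # Send problems/code hacks to crowland@psionic.com or crowland@vni.net
 # Thanks to rbulling@obscure.org for cleaning this Makefile up..
 #
+# Modified for rpm package building.
+#
 
 # Generic compiler
 CC = cc
@@ -19,15 +21,15 @@
 # the new paths!!
 
 # This is where keyword files go.
-INSTALLDIR = /usr/local/etc
+INSTALLDIR = ${RPM_BUILD_ROOT}/etc/logcheck
 
 # This is where logtail will go
-INSTALLDIR_BIN = /usr/local/bin
+INSTALLDIR_BIN = ${RPM_BUILD_ROOT}/usr/sbin
 
 # Some people want the logcheck.sh in /usr/local/bin. Uncomment this
 # if you want this. /usr/local/etc was kept for compatibility reasons.
-#INSTALLDIR_SH = /usr/local/bin
-INSTALLDIR_SH = /usr/local/etc
+INSTALLDIR_SH = ${RPM_BUILD_ROOT}/usr/sbin
+#INSTALLDIR_SH = /usr/local/etc
 
 # The scratch directory for logcheck files.
 TMPDIR = /usr/local/etc/tmp
@@ -63,19 +65,21 @@
 install:
 @echo "Making $(SYSTYPE)"
 $(CC) $(CFLAGS) -o ./src/logtail ./src/logtail.c
- @echo "Creating temp directory $(TMPDIR)"
- @if [ ! -d $(TMPDIR) ]; then /bin/mkdir $(TMPDIR); fi
- @echo "Setting temp directory permissions"
- chmod 700 $(TMPDIR)
+ # These are no longer necessary because it handled by logcheck
+ # itself.
+ #@echo "Creating temp directory $(TMPDIR)"
+ #@if [ ! -d $(TMPDIR) ]; then /bin/mkdir $(TMPDIR); fi
+ #@echo "Setting temp directory permissions"
+ #chmod 700 $(TMPDIR)
 @echo "Copying files"
 cp ./systems/$(SYSTYPE)/logcheck.hacking $(INSTALLDIR)
 cp ./systems/$(SYSTYPE)/logcheck.violations $(INSTALLDIR)
 cp ./systems/$(SYSTYPE)/logcheck.violations.ignore $(INSTALLDIR)
 cp ./systems/$(SYSTYPE)/logcheck.ignore $(INSTALLDIR)
- cp ./systems/$(SYSTYPE)/logcheck.sh $(INSTALLDIR_SH)
+ cp ./systems/$(SYSTYPE)/logcheck.sh $(INSTALLDIR_SH)/logcheck
 cp ./src/logtail $(INSTALLDIR_BIN)
 @echo "Setting permissions"
- chmod 700 $(INSTALLDIR_SH)/logcheck.sh
+ chmod 700 $(INSTALLDIR_SH)/logcheck
 chmod 700 $(INSTALLDIR_BIN)/logtail
 chmod 600 $(INSTALLDIR)/logcheck.violations.ignore
 chmod 600 $(INSTALLDIR)/logcheck.violations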
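Review bot: In the second hunk `INSTALLDIR`, `INSTALLDIR_BIN` and `INSTALLDIR_SH` are now prefixed with `${RPM_BUILD_ROOT}`, but nothing checks that the variable is set, so a plain `make install` run outside rpmbuild expands it to empty and the `cp`/`chmod 700` lines of the install hunk write straight into the host's `/etc/logcheck` and `/usr/sbin`. A parse-time guard next to the definitions, `ifeq ($(strip $(RPM_BUILD_ROOT)),)` / `$(error RPM_BUILD_ROOT is not set)` / `endif`, makes that failure explicit instead of silent. The install hunk also keeps `cp` followed by a later `chmod`, so each keyword file briefly exists with whatever mode the build umask gives it; `install -m 600 ./systems/$(SYSTYPE)/logcheck.violations $(INSTALLDIR)` (and `install -m 700` for the two scripts) sets the mode in one step and removes the separate chmod lines. The six commented-out `mkdir`/`chmod 700 $(TMPDIR)` recipe lines are dead code and can be deleted outright; the `TMPDIR` assignment in the second hunk looks unused after this change, though the rest of the install recipe and any other use of it lie outside these hunks.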
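diff -urN logcheck-1.1.1/systems/linux/logcheck.ignore logcheck-1.1.1.patched/systems/linux/logcheck.ignore
--- logcheck-1.1.1/systems/linux/logcheck.ignore Sun Oct 31 16:07:29 1999
+++ logcheck-1.1.1.patched/systems/linux/logcheck.ignore Wed Jan 15 11:10:02 2003
@@ -1,3 +1,5 @@
+PAM_pwdb.*session opened
+PAM_pwdb.*session closed
 authsrv.*AUTHENTICATE
 cron.*CMD
 cron.*RELOAD
@@ -8,8 +10,14 @@
 ftpd.*FTP LOGIN FROM
 ftpd.*retrieved
 ftpd.*stored
+ftpd.*FTP session closed
+ftpd.*timed out
+ftpd.*connect from
 http-gw.*: exit host
 http-gw.*: permit host
+identd.*Successful lookup
+identd.*from:
+login.*: LOGIN ON
 mail.local
 named.*Lame delegation
 named.*Response from
@@ -17,11 +25,16 @@
 named.*points to a CNAME
 named.*reloading
 named.*starting
+named.*NSTATS
+named.*XSTATS
 netacl.*: exit host
 netacl.*: permit host
 popper.*Unable
 popper: -ERR POP server at
 popper: -ERR Unknown command: "uidl".
+pop3d.*connect from
+pop3d.* Login
+pop3d.* Logout
 qmail.*new msg
 qmail.*info msg
 qmail.*starting delivery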
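Review bot: The `PAM_pwdb.*session opened` entry in the first hunk and `login.*: LOGIN ON` in the second suppress every successful interactive login from the report, which is exactly the class of event a log watcher is expected to surface (a root login on the console or a login at an unusual hour now disappears along with the routine ones). The patterns are unanchored fragments, and logcheck.sh in this same patch states its grep must support `-i`, `-v` and `-f`, so presumably each entry matches any line containing the fragment in any case; `identd.*from:`, `ftpd.*connect from` and `pop3d.*connect from` likewise hide the lines that carry a connection's source address. I would drop the two login entries so successful logins stay reportable, and tighten the remaining ones to the daemon field of the actual log format rather than a bare name prefix. Since this file is a list of patterns, the rationale for each suppression belongs in the package changelog rather than inline.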
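diff -urN logcheck-1.1.1/systems/linux/logcheck.sh logcheck-1.1.1.patched/systems/linux/logcheck.sh
--- logcheck-1.1.1/systems/linux/logcheck.sh Sun Oct 31 16:07:29 1999
+++ logcheck-1.1.1.patched/systems/linux/logcheck.sh Wed Jan 15 11:12:22 2003
@@ -27,11 +27,13 @@
 # 5/14/97 -- Added Digital OSF/1 logging support. Big thanks
 # to Jay Vassos-Libove <libove@compgen.com> for
 # his changes.
+# 7/12/98 -- Modified to build rpm package under RedHat Linux
+# 5.1 (Manhattan)
 
 
 # CONFIGURATION SECTION
 
-PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/ucb:/usr/local/bin
+PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
 
 # Logcheck is pre-configured to work on most BSD like systems, however it
 # is a rather dumb program and may need some help to work on other
@@ -44,7 +46,9 @@
 # Full path to logtail program.
 # This program is required to run this script and comes with the package.
 
-LOGTAIL=/usr/local/bin/logtail
+#LOGTAIL=/usr/local/bin/logtail
+
+LOGTAIL=/usr/sbin/logtail
 
 # Full path to SECURED (non public writable) /tmp directory.
 # Prevents Race condition and potential symlink problems. I highly
@@ -52,7 +56,12 @@
 # You would also be well advised to make sure all your system/cron scripts
 # use this directory for their "scratch" area.
 
-TMPDIR=/usr/local/etc/tmp
+#TMPDIR=/usr/local/etc/tmp
+
+# This will create an own, non publically writeable/readable directory
+# in /tmp for every run of logcheck.
+
+TMPDIR=/tmp/logcheck$$-$RANDOM
 
 # The 'grep' command. This command MUST support the
 # '-i' '-v' and '-f' flags!! The GNU grep does this by default (that's
@@ -89,7 +98,9 @@
 # look for generic ISS probes (who the hell else looks for
 # "WIZ" besides ISS?), and obvious sendmail attacks/probes.
 
-HACKING_FILE=/usr/local/etc/logcheck.hacking
+#HACKING_FILE=/usr/local/etc/logcheck.hacking
+
+HACKING_FILE=/etc/logcheck/logcheck.hacking
 
 # File of security violation patterns to specifically look for.
 # This file should contain keywords of information administrators should
@@ -98,7 +109,9 @@
 # some items, but these will be caught by the next check. Move suspicious
 # items into this file to have them reported regularly.
 
-VIOLATIONS_FILE=/usr/local/etc/logcheck.violations
+#VIOLATIONS_FILE=/usr/local/etc/logcheck.violations
+
+VIOLATIONS_FILE=/etc/logcheck/logcheck.violations
 
 # File that contains more complete sentences that have keywords from
 # the violations file. These keywords are normal and are not cause for
@@ -115,14 +128,18 @@
 #
 # Again, be careful what you put in here and DO NOT LEAVE IT EMPTY!
 
-VIOLATIONS_IGNORE_FILE=/usr/local/etc/logcheck.violations.ignore
+#VIOLATIONS_IGNORE_FILE=/usr/local/etc/logcheck.violations.ignore
+
+VIOLATIONS_IGNORE_FILE=/etc/logcheck/logcheck.violations.ignore
 
 # This is the name of a file that contains patterns that we should
 # ignore if found in a log file. If you have repeated false alarms
 # or want specific errors ignored, you should put them in here.
 # Once again, be as specific as possible, and go easy on the wildcards
 
-IGNORE_FILE=/usr/local/etc/logcheck.ignore
+#IGNORE_FILE=/usr/local/etc/logcheck.ignore
+
+IGNORE_FILE=/etc/logcheck/logcheck.ignore
 
 # The files are reported in the order of hacking, security
 # violations, and unusual system events. Notice that this
@@ -146,6 +163,8 @@
 
 umask 077
 rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
+rm -rf $TMPDIR
+mkdir $TMPDIR
 if [ -f $TMPDIR/check.$$ -o -f $TMPDIR/checkoutput.$$ -o -f $TMPDIR/checkreport.$$ ]; then
 echo "Log files exist in $TMPDIR directory that cannot be removed. This
 may be an attempt to spoof the log checker." \
@@ -165,8 +184,9 @@
 # Generic and Linux Slackware 3.x
 #$LOGTAIL /var/log/messages > $TMPDIR/check.$$
 
-# Linux Red Hat Version 3.x, 4.x
+# Linux PLD
 $LOGTAIL /var/log/messages > $TMPDIR/check.$$
+$LOGTAIL /var/log/syslog >> $TMPDIR/check.$$
 $LOGTAIL /var/log/secure >> $TMPDIR/check.$$
 $LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
 
@@ -220,6 +240,7 @@
 
 if [ ! -s $TMPDIR/check.$$ ]; then
 rm -f $TMPDIR/check.$$
+ rm -rf $TMPDIR
 exit 0
 fi
 
@@ -255,7 +276,7 @@
 echo >> $TMPDIR/checkreport.$$
 echo "Unusual System Events" >> $TMPDIR/checkreport.$$
 echo "=-=-=-=-=-=-=-=-=-=-=" >> $TMPDIR/checkreport.$$
-cat $TMPDIR/checkoutput.$$ >> $TMPDIR/checkreport.$$
+cat $TMPDIR/checkoutput.$$ | sort -u >> $TMPDIR/checkreport.$$
 FOUND=1
 fi
 fi
@@ -270,3 +291,4 @@
 
 # Clean Up
 rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
+rm -rf $TMPDIR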
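Review bot: The `TMPDIR=/tmp/logcheck$$-$RANDOM` hunk moves the scratch area into world-writable `/tmp`, which the surviving comment a few lines above it (`Full path to SECURED (non public writable) /tmp directory. Prevents Race condition and potential symlink problems.`) explicitly warns against, and the `rm -rf $TMPDIR` / `mkdir $TMPDIR` pair added in the `umask 077` hunk never checks that `mkdir` succeeded, so an entry that already exists under that predictable name (PID plus `$RANDOM`) leaves the script carrying on and writing `check.$$` and the report into a location it does not own. The existing guard only tests the three scratch files, not the directory, so it does not catch this case. Let the shell create a fresh, unpredictable directory and stop when it cannot, e.g. `TMPDIR=$(mktemp -d /tmp/logcheck.XXXXXX) || exit 1` in the configuration section, then drop the `rm -rf`/`mkdir` pair; `mktemp -d` creates the directory mode 0700 itself, and the three `rm -rf $TMPDIR` cleanups keep working unchanged. `$RANDOM` is also a bash extension, so if the script runs under a plain `/bin/sh` the suffix is empty and the name is just the PID; the shebang is outside these hunks, so this is worth confirming.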