- massive attack: source-md5

[packages/logcheck.git] / logcheck-pld.patch

diff -urN logcheck-1.1.1/Makefile logcheck-1.1.1.patched/Makefile
--- logcheck-1.1.1/Makefile	Sun Oct 31 16:07:29 1999
+++ logcheck-1.1.1.patched/Makefile	Wed Jan 15 11:10:02 2003
@@ -4,6 +4,8 @@
 # Send problems/code hacks to crowland@psionic.com or crowland@vni.net
 # Thanks to rbulling@obscure.org for cleaning this Makefile up..
 #
+# Modified for rpm package building.
+#
 
 # Generic compiler
  CC = cc
@@ -19,15 +21,15 @@
 # the new paths!!
 
 # This is where keyword files go.
-INSTALLDIR = /usr/local/etc
+INSTALLDIR = ${RPM_BUILD_ROOT}/etc/logcheck
 
 # This is where logtail will go
-INSTALLDIR_BIN = /usr/local/bin
+INSTALLDIR_BIN = ${RPM_BUILD_ROOT}/usr/sbin
 
 # Some people want the logcheck.sh in /usr/local/bin. Uncomment this
 # if you want this. /usr/local/etc was kept for compatibility reasons.
-#INSTALLDIR_SH = /usr/local/bin
-INSTALLDIR_SH = /usr/local/etc
+INSTALLDIR_SH = ${RPM_BUILD_ROOT}/usr/sbin
+#INSTALLDIR_SH = /usr/local/etc
 
 # The scratch directory for logcheck files.
 TMPDIR = /usr/local/etc/tmp
@@ -63,19 +65,21 @@
 install:	
 		@echo "Making $(SYSTYPE)"
 		$(CC) $(CFLAGS) -o ./src/logtail ./src/logtail.c
-		@echo "Creating temp directory $(TMPDIR)"
-		@if [ ! -d $(TMPDIR) ]; then /bin/mkdir $(TMPDIR); fi
-		@echo "Setting temp directory permissions"
-		chmod 700 $(TMPDIR)
+		# These are no longer necessary because it handled by logcheck
+		# itself.
+		#@echo "Creating temp directory $(TMPDIR)"
+		#@if [ ! -d $(TMPDIR) ]; then /bin/mkdir $(TMPDIR); fi
+		#@echo "Setting temp directory permissions"
+		#chmod 700 $(TMPDIR)
 		@echo "Copying files"
 		cp ./systems/$(SYSTYPE)/logcheck.hacking $(INSTALLDIR)
 		cp ./systems/$(SYSTYPE)/logcheck.violations $(INSTALLDIR)
 		cp ./systems/$(SYSTYPE)/logcheck.violations.ignore $(INSTALLDIR)
 		cp ./systems/$(SYSTYPE)/logcheck.ignore $(INSTALLDIR)
-		cp ./systems/$(SYSTYPE)/logcheck.sh $(INSTALLDIR_SH)
+		cp ./systems/$(SYSTYPE)/logcheck.sh $(INSTALLDIR_SH)/logcheck
 		cp ./src/logtail $(INSTALLDIR_BIN)
 		@echo "Setting permissions"
-		chmod 700 $(INSTALLDIR_SH)/logcheck.sh
+		chmod 700 $(INSTALLDIR_SH)/logcheck
 		chmod 700 $(INSTALLDIR_BIN)/logtail
 		chmod 600 $(INSTALLDIR)/logcheck.violations.ignore
 		chmod 600 $(INSTALLDIR)/logcheck.violations
diff -urN logcheck-1.1.1/systems/linux/logcheck.ignore logcheck-1.1.1.patched/systems/linux/logcheck.ignore
--- logcheck-1.1.1/systems/linux/logcheck.ignore	Sun Oct 31 16:07:29 1999
+++ logcheck-1.1.1.patched/systems/linux/logcheck.ignore	Wed Jan 15 11:10:02 2003
@@ -1,3 +1,5 @@
+PAM_pwdb.*session opened
+PAM_pwdb.*session closed
 authsrv.*AUTHENTICATE
 cron.*CMD
 cron.*RELOAD
@@ -8,8 +10,14 @@
 ftpd.*FTP LOGIN FROM
 ftpd.*retrieved
 ftpd.*stored
+ftpd.*FTP session closed
+ftpd.*timed out
+ftpd.*connect from
 http-gw.*: exit host
 http-gw.*: permit host
+identd.*Successful lookup
+identd.*from:
+login.*: LOGIN ON
 mail.local
 named.*Lame delegation
 named.*Response from
@@ -17,11 +25,16 @@
 named.*points to a CNAME
 named.*reloading
 named.*starting
+named.*NSTATS
+named.*XSTATS
 netacl.*: exit host
 netacl.*: permit host
 popper.*Unable
 popper: -ERR POP server at
 popper: -ERR Unknown command: "uidl".
+pop3d.*connect from
+pop3d.* Login
+pop3d.* Logout
 qmail.*new msg
 qmail.*info msg
 qmail.*starting delivery
diff -urN logcheck-1.1.1/systems/linux/logcheck.sh logcheck-1.1.1.patched/systems/linux/logcheck.sh
--- logcheck-1.1.1/systems/linux/logcheck.sh	Sun Oct 31 16:07:29 1999
+++ logcheck-1.1.1.patched/systems/linux/logcheck.sh	Wed Jan 15 11:12:22 2003
@@ -27,11 +27,13 @@
 #               5/14/97  -- Added Digital OSF/1 logging support. Big thanks
 #                           to Jay Vassos-Libove <libove@compgen.com> for
 #                           his changes.
+#		7/12/98  -- Modified to build rpm package under RedHat Linux
+#		            5.1 (Manhattan)
  
 
 # CONFIGURATION SECTION
 
-PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/ucb:/usr/local/bin
+PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
 
 # Logcheck is pre-configured to work on most BSD like systems, however it
 # is a rather dumb program and may need some help to work on other
@@ -44,7 +46,9 @@
 # Full path to logtail program.
 # This program is required to run this script and comes with the package.
 
-LOGTAIL=/usr/local/bin/logtail
+#LOGTAIL=/usr/local/bin/logtail
+
+LOGTAIL=/usr/sbin/logtail
 
 # Full path to SECURED (non public writable) /tmp directory.
 # Prevents Race condition and potential symlink problems. I highly
@@ -52,7 +56,12 @@
 # You would also be well advised to make sure all your system/cron scripts
 # use this directory for their "scratch" area. 
 
-TMPDIR=/usr/local/etc/tmp
+#TMPDIR=/usr/local/etc/tmp
+
+# This will create an own, non publically writeable/readable directory
+# in /tmp for every run of logcheck.
+
+TMPDIR=/tmp/logcheck$$-$RANDOM
 
 # The 'grep' command. This command MUST support the
 # '-i' '-v' and '-f' flags!! The GNU grep does this by default (that's
@@ -89,7 +98,9 @@
 # look for generic ISS probes (who the hell else looks for 
 # "WIZ" besides ISS?), and obvious sendmail attacks/probes.
 
-HACKING_FILE=/usr/local/etc/logcheck.hacking
+#HACKING_FILE=/usr/local/etc/logcheck.hacking
+
+HACKING_FILE=/etc/logcheck/logcheck.hacking
 
 # File of security violation patterns to specifically look for.
 # This file should contain keywords of information administrators should
@@ -98,7 +109,9 @@
 # some items, but these will be caught by the next check. Move suspicious
 # items into this file to have them reported regularly.
 
-VIOLATIONS_FILE=/usr/local/etc/logcheck.violations
+#VIOLATIONS_FILE=/usr/local/etc/logcheck.violations
+
+VIOLATIONS_FILE=/etc/logcheck/logcheck.violations
 
 # File that contains more complete sentences that have keywords from
 # the violations file. These keywords are normal and are not cause for 
@@ -115,14 +128,18 @@
 #
 # Again, be careful what you put in here and DO NOT LEAVE IT EMPTY!
 
-VIOLATIONS_IGNORE_FILE=/usr/local/etc/logcheck.violations.ignore
+#VIOLATIONS_IGNORE_FILE=/usr/local/etc/logcheck.violations.ignore
+
+VIOLATIONS_IGNORE_FILE=/etc/logcheck/logcheck.violations.ignore
 
 # This is the name of a file that contains patterns that we should
 # ignore if found in a log file. If you have repeated false alarms
 # or want specific errors ignored, you should put them in here.
 # Once again, be as specific as possible, and go easy on the wildcards
 
-IGNORE_FILE=/usr/local/etc/logcheck.ignore
+#IGNORE_FILE=/usr/local/etc/logcheck.ignore
+
+IGNORE_FILE=/etc/logcheck/logcheck.ignore
 
 # The files are reported in the order of hacking, security 
 # violations, and unusual system events. Notice that this
@@ -146,6 +163,8 @@
 
 umask 077
 rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
+rm -rf $TMPDIR
+mkdir $TMPDIR
 if [ -f $TMPDIR/check.$$ -o -f $TMPDIR/checkoutput.$$ -o -f $TMPDIR/checkreport.$$ ]; then
 	echo "Log files exist in $TMPDIR directory that cannot be removed. This 
 may be an attempt to spoof the log checker." \
@@ -165,8 +184,9 @@
 # Generic and Linux Slackware 3.x
 #$LOGTAIL /var/log/messages > $TMPDIR/check.$$
 
-# Linux Red Hat Version 3.x, 4.x
+# Linux PLD 
 $LOGTAIL /var/log/messages > $TMPDIR/check.$$
+$LOGTAIL /var/log/syslog >> $TMPDIR/check.$$
 $LOGTAIL /var/log/secure >> $TMPDIR/check.$$
 $LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
 
@@ -220,6 +240,7 @@
  
 if [ ! -s $TMPDIR/check.$$ ]; then
 	rm -f $TMPDIR/check.$$	
+	rm -rf $TMPDIR
 	exit 0
 fi
 
@@ -255,7 +276,7 @@
 		echo >> $TMPDIR/checkreport.$$
 		echo "Unusual System Events" >> $TMPDIR/checkreport.$$
 		echo "=-=-=-=-=-=-=-=-=-=-=" >> $TMPDIR/checkreport.$$
-		cat $TMPDIR/checkoutput.$$ >> $TMPDIR/checkreport.$$
+		cat $TMPDIR/checkoutput.$$ | sort -u  >> $TMPDIR/checkreport.$$
 		FOUND=1
 	fi
 fi
@@ -270,3 +291,4 @@
 
 # Clean Up
 rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
+rm -rf $TMPDIR