1 --- ./systems/linux/logcheck.sh.sp Thu May 15 06:10:37 1997
2 +++ ./systems/linux/logcheck.sh Mon Jul 13 12:07:09 1998
4 # 5/14/97 -- Added Digital OSF/1 logging support. Big thanks
5 # to Jay Vassos-Libove <libove@compgen.com> for
7 +# 7/12/98 -- Modified to build rpm package under RedHat Linux
11 # CONFIGURATION SECTION
13 -PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/ucb:/usr/local/bin
14 +PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
16 # Logcheck is pre-configured to work on most BSD like systems, however it
17 # is a rather dumb program and may need some help to work on other
19 # Full path to logtail program.
20 # This program is required to run this script and comes with the package.
22 -LOGTAIL=/usr/local/bin/logtail
23 +#LOGTAIL=/usr/local/bin/logtail
25 +LOGTAIL=/usr/sbin/logtail
27 # Full path to SECURED (non public writable) /tmp directory.
28 # Prevents Race condition and potential symlink problems. I highly
30 # You would also be well advised to make sure all your system/cron scripts
31 # use this directory for their "scratch" area.
33 -TMPDIR=/usr/local/etc/tmp
34 +#TMPDIR=/usr/local/etc/tmp
36 +# This will create an own, non publically writeable/readable directory
37 +# in /tmp for every run of logcheck.
39 +TMPDIR=/tmp/logcheck$$-$RANDOM
41 # The 'grep' command. This command MUST support the
42 # '-i' '-v' and '-f' flags!! The GNU grep does this by default (that's
44 # look for generic ISS probes (who the hell else looks for
45 # "WIZ" besides ISS?), and obvious sendmail attacks/probes.
47 -HACKING_FILE=/usr/local/etc/logcheck.hacking
48 +#HACKING_FILE=/usr/local/etc/logcheck.hacking
50 +HACKING_FILE=/etc/logcheck/logcheck.hacking
52 # File of security violation patterns to specifically look for.
53 # This file should contain keywords of information administrators should
55 # some items, but these will be caught by the next check. Move suspicious
56 # items into this file to have them reported regularly.
58 -VIOLATIONS_FILE=/usr/local/etc/logcheck.violations
59 +#VIOLATIONS_FILE=/usr/local/etc/logcheck.violations
61 +VIOLATIONS_FILE=/etc/logcheck/logcheck.violations
63 # File that contains more complete sentences that have keywords from
64 # the violations file. These keywords are normal and are not cause for
67 # Again, be careful what you put in here and DO NOT LEAVE IT EMPTY!
69 -VIOLATIONS_IGNORE_FILE=/usr/local/etc/logcheck.violations.ignore
70 +#VIOLATIONS_IGNORE_FILE=/usr/local/etc/logcheck.violations.ignore
72 +VIOLATIONS_IGNORE_FILE=/etc/logcheck/logcheck.violations.ignore
74 # This is the name of a file that contains patterns that we should
75 # ignore if found in a log file. If you have repeated false alarms
76 # or want specific errors ignored, you should put them in here.
77 # Once again, be as specific as possible, and go easy on the wildcards
79 -IGNORE_FILE=/usr/local/etc/logcheck.ignore
80 +#IGNORE_FILE=/usr/local/etc/logcheck.ignore
82 +IGNORE_FILE=/etc/logcheck/logcheck.ignore
84 # The files are reported in the order of hacking, security
85 # violations, and unusual system events. Notice that this
89 rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
92 if [ -f $TMPDIR/check.$$ -o -f $TMPDIR/checkoutput.$$ -o -f $TMPDIR/checkreport.$$ ]; then
93 echo "Log files exist in $TMPDIR directory that cannot be removed. This
94 may be an attempt to spoof the log checker." \
96 # Generic and Linux Slackware 3.x
97 #$LOGTAIL /var/log/messages > $TMPDIR/check.$$
99 -# Linux Red Hat Version 3.x, 4.x
101 $LOGTAIL /var/log/messages > $TMPDIR/check.$$
102 $LOGTAIL /var/log/secure >> $TMPDIR/check.$$
103 $LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
106 if [ ! -s $TMPDIR/check.$$ ]; then
107 rm -f $TMPDIR/check.$$
115 rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
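Review bot: The new `TMPDIR=/tmp/logcheck$$-$RANDOM` (L24) points into world-writable /tmp but nothing in this hunk creates that directory, so the redirects at L61–L63 either fail outright or, if the path already exists, write into a directory someone else made — precisely the race/symlink problem the surviving comment at L16–L17 says a secured TMPDIR exists to prevent, and neither `$$` nor the 15-bit `$RANDOM` is hard to guess. The creation may happen outside the hunk; if so it is not visible here and should fail rather than proceed when the path exists. I would add, before the first `rm -f` at L54, `mkdir -m 700 "$TMPDIR" || { echo "cannot create $TMPDIR" >&2; exit 1; }` (mkdir refuses an existing path, so a pre-planted directory or symlink is detected) and `trap 'rm -rf "$TMPDIR"' EXIT` so the per-run directory is removed, or use `mktemp -d` where it is available. Note also that `$RANDOM` is a bash/ksh feature and expands to nothing under a plain `/bin/sh`; the script's shebang is not in the hunk, so that should be confirmed.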
117 --- ./systems/linux/logcheck.ignore.sp Thu May 15 06:19:40 1997
118 +++ ./systems/linux/logcheck.ignore Mon Jul 13 12:06:40 1998
120 +PAM_pwdb.*session opened
121 +PAM_pwdb.*session closed
122 authsrv.*AUTHENTICATE
129 +ftpd.*FTP session closed
133 http-gw.*: permit host
134 +identd.*Successful lookup
138 named.*Lame delegation
141 named.*points to a CNAME
147 netacl.*: permit host
149 popper: -ERR POP server at
150 popper: -ERR Unknown command: "uidl".
156 qmail.*starting delivery
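Review bot: The added `PAM_pwdb.*session opened` and `PAM_pwdb.*session closed` patterns (L69–L70) suppress every PAM session open/close on the host — including interactive and su sessions for root — because the wildcard spans the service name and the user, which goes against the package's own guidance at L48 to be as specific as possible and go easy on wildcards. If the intent is only to quiet the periodic cron noise, narrow the pattern to that service and to the expected users, for example (constructed, exact log format to be confirmed against the host's secure log) `PAM_pwdb.*(cron) session opened for user` instead of matching all sessions, so that unexpected logins still reach the unusual-events report.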
157 --- ./Makefile.sp Thu May 22 03:55:53 1997
158 +++ ./Makefile Mon Jul 13 12:07:09 1998
160 # Send problems/code hacks to crowland@psionic.com or crowland@vni.net
161 # Thanks to rbulling@obscure.org for cleaning this Makefile up..
163 +# Modified for rpm package building.
171 # This is where keyword files go.
172 -INSTALLDIR = /usr/local/etc
173 +INSTALLDIR = ${RPM_BUILD_ROOT}/etc/logcheck
175 # This is where logtail will go
176 -INSTALLDIR_BIN = /usr/local/bin
177 +INSTALLDIR_BIN = ${RPM_BUILD_ROOT}/usr/sbin
179 # Some people want the logcheck.sh in /usr/local/bin. Uncomment this
180 # if you want this. /usr/local/etc was kept for compatibility reasons.
181 -#INSTALLDIR_SH = /usr/local/bin
182 -INSTALLDIR_SH = /usr/local/etc
183 +INSTALLDIR_SH = ${RPM_BUILD_ROOT}/usr/sbin
184 +#INSTALLDIR_SH = /usr/local/etc
186 # The scratch directory for logcheck files.
187 TMPDIR = /usr/local/etc/tmp
190 @echo "Making $(SYSTYPE)"
191 $(CC) $(CFLAGS) -o ./src/logtail ./src/logtail.c
192 - @echo "Creating temp directory $(TMPDIR)"
193 - @if [ ! -d $(TMPDIR) ]; then /bin/mkdir $(TMPDIR); fi
194 - @echo "Setting temp directory permissions"
195 - chmod 700 $(TMPDIR)
196 + # These are no longer necessary because it handled by logcheck
198 + #@echo "Creating temp directory $(TMPDIR)"
199 + #@if [ ! -d $(TMPDIR) ]; then /bin/mkdir $(TMPDIR); fi
200 + #@echo "Setting temp directory permissions"
201 + #chmod 700 $(TMPDIR)
202 @echo "Copying files"
203 cp ./systems/$(SYSTYPE)/logcheck.hacking $(INSTALLDIR)
204 cp ./systems/$(SYSTYPE)/logcheck.violations $(INSTALLDIR)
205 cp ./systems/$(SYSTYPE)/logcheck.violations.ignore $(INSTALLDIR)
206 cp ./systems/$(SYSTYPE)/logcheck.ignore $(INSTALLDIR)
207 - cp ./systems/$(SYSTYPE)/logcheck.sh $(INSTALLDIR_SH)
208 + cp ./systems/$(SYSTYPE)/logcheck.sh $(INSTALLDIR_SH)/logcheck
209 cp ./src/logtail $(INSTALLDIR_BIN)
210 @echo "Setting permissions"
211 - chmod 700 $(INSTALLDIR_SH)/logcheck.sh
212 + chmod 700 $(INSTALLDIR_SH)/logcheck
213 chmod 700 $(INSTALLDIR_BIN)/logtail
214 chmod 600 $(INSTALLDIR)/logcheck.violations.ignore
215 chmod 600 $(INSTALLDIR)/logcheck.violations