[packages/logcheck.git] / logcheck-pld.patch

--- ./systems/linux/logcheck.sh.sp	Thu May 15 06:10:37 1997
+++ ./systems/linux/logcheck.sh	Mon Jul 13 12:07:09 1998
@@ -27,11 +27,13 @@
 #               5/14/97  -- Added Digital OSF/1 logging support. Big thanks
 #                           to Jay Vassos-Libove <libove@compgen.com> for
 #                           his changes.
+#		7/12/98  -- Modified to build rpm package under RedHat Linux
+#		            5.1 (Manhattan)
  
 
 # CONFIGURATION SECTION
 
-PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/ucb:/usr/local/bin
+PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
 
 # Logcheck is pre-configured to work on most BSD like systems, however it
 # is a rather dumb program and may need some help to work on other
@@ -44,7 +46,9 @@
 # Full path to logtail program.
 # This program is required to run this script and comes with the package.
 
-LOGTAIL=/usr/local/bin/logtail
+#LOGTAIL=/usr/local/bin/logtail
+
+LOGTAIL=/usr/sbin/logtail
 
 # Full path to SECURED (non public writable) /tmp directory.
 # Prevents Race condition and potential symlink problems. I highly
@@ -52,7 +56,12 @@
 # You would also be well advised to make sure all your system/cron scripts
 # use this directory for their "scratch" area. 
 
-TMPDIR=/usr/local/etc/tmp
+#TMPDIR=/usr/local/etc/tmp
+
+# This will create an own, non publically writeable/readable directory
+# in /tmp for every run of logcheck.
+
+TMPDIR=/tmp/logcheck$$-$RANDOM
 
 # The 'grep' command. This command MUST support the
 # '-i' '-v' and '-f' flags!! The GNU grep does this by default (that's
@@ -89,7 +98,9 @@
 # look for generic ISS probes (who the hell else looks for 
 # "WIZ" besides ISS?), and obvious sendmail attacks/probes.
 
-HACKING_FILE=/usr/local/etc/logcheck.hacking
+#HACKING_FILE=/usr/local/etc/logcheck.hacking
+
+HACKING_FILE=/etc/logcheck/logcheck.hacking
 
 # File of security violation patterns to specifically look for.
 # This file should contain keywords of information administrators should
@@ -98,7 +109,9 @@
 # some items, but these will be caught by the next check. Move suspicious
 # items into this file to have them reported regularly.
 
-VIOLATIONS_FILE=/usr/local/etc/logcheck.violations
+#VIOLATIONS_FILE=/usr/local/etc/logcheck.violations
+
+VIOLATIONS_FILE=/etc/logcheck/logcheck.violations
 
 # File that contains more complete sentences that have keywords from
 # the violations file. These keywords are normal and are not cause for 
@@ -115,14 +128,18 @@
 #
 # Again, be careful what you put in here and DO NOT LEAVE IT EMPTY!
 
-VIOLATIONS_IGNORE_FILE=/usr/local/etc/logcheck.violations.ignore
+#VIOLATIONS_IGNORE_FILE=/usr/local/etc/logcheck.violations.ignore
+
+VIOLATIONS_IGNORE_FILE=/etc/logcheck/logcheck.violations.ignore
 
 # This is the name of a file that contains patterns that we should
 # ignore if found in a log file. If you have repeated false alarms
 # or want specific errors ignored, you should put them in here.
 # Once again, be as specific as possible, and go easy on the wildcards
 
-IGNORE_FILE=/usr/local/etc/logcheck.ignore
+#IGNORE_FILE=/usr/local/etc/logcheck.ignore
+
+IGNORE_FILE=/etc/logcheck/logcheck.ignore
 
 # The files are reported in the order of hacking, security 
 # violations, and unusual system events. Notice that this
@@ -146,6 +163,8 @@
 
 umask 077
 rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
+rm -rf $TMPDIR
+mkdir $TMPDIR
 if [ -f $TMPDIR/check.$$ -o -f $TMPDIR/checkoutput.$$ -o -f $TMPDIR/checkreport.$$ ]; then
 	echo "Log files exist in $TMPDIR directory that cannot be removed. This 
 may be an attempt to spoof the log checker." \
@@ -165,7 +184,7 @@
 # Generic and Linux Slackware 3.x
 #$LOGTAIL /var/log/messages > $TMPDIR/check.$$
 
-# Linux Red Hat Version 3.x, 4.x
+# Linux PLD 
 $LOGTAIL /var/log/messages > $TMPDIR/check.$$
 $LOGTAIL /var/log/secure >> $TMPDIR/check.$$
 $LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
@@ -220,6 +239,7 @@
  
 if [ ! -s $TMPDIR/check.$$ ]; then
 	rm -f $TMPDIR/check.$$	
+	rm -rf $TMPDIR
 	exit 0
 fi
 
@@ -270,3 +290,4 @@
 
 # Clean Up
 rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
+rm -rf $TMPDIR
--- ./systems/linux/logcheck.ignore.sp	Thu May 15 06:19:40 1997
+++ ./systems/linux/logcheck.ignore	Mon Jul 13 12:06:40 1998
@@ -1,3 +1,5 @@
+PAM_pwdb.*session opened
+PAM_pwdb.*session closed
 authsrv.*AUTHENTICATE
 cron.*CMD
 cron.*RELOAD
@@ -8,8 +10,14 @@
 ftpd.*FTP LOGIN FROM
 ftpd.*retrieved
 ftpd.*stored
+ftpd.*FTP session closed
+ftpd.*timed out
+ftpd.*connect from
 http-gw.*: exit host
 http-gw.*: permit host
+identd.*Successful lookup
+identd.*from:
+login.*: LOGIN ON
 mail.local
 named.*Lame delegation
 named.*Response from
@@ -17,11 +25,16 @@
 named.*points to a CNAME
 named.*reloading
 named.*starting
+named.*NSTATS
+named.*XSTATS
 netacl.*: exit host
 netacl.*: permit host
 popper.*Unable
 popper: -ERR POP server at
 popper: -ERR Unknown command: "uidl".
+pop3d.*connect from
+pop3d.* Login
+pop3d.* Logout
 qmail.*new msg
 qmail.*info msg
 qmail.*starting delivery
--- ./Makefile.sp	Thu May 22 03:55:53 1997
+++ ./Makefile	Mon Jul 13 12:07:09 1998
@@ -4,6 +4,8 @@
 # Send problems/code hacks to crowland@psionic.com or crowland@vni.net
 # Thanks to rbulling@obscure.org for cleaning this Makefile up..
 #
+# Modified for rpm package building.
+#
 
 # Generic compiler
  CC = cc
@@ -19,15 +21,15 @@
 # the new paths!!
 
 # This is where keyword files go.
-INSTALLDIR = /usr/local/etc
+INSTALLDIR = ${RPM_BUILD_ROOT}/etc/logcheck
 
 # This is where logtail will go
-INSTALLDIR_BIN = /usr/local/bin
+INSTALLDIR_BIN = ${RPM_BUILD_ROOT}/usr/sbin
 
 # Some people want the logcheck.sh in /usr/local/bin. Uncomment this
 # if you want this. /usr/local/etc was kept for compatibility reasons.
-#INSTALLDIR_SH = /usr/local/bin
-INSTALLDIR_SH = /usr/local/etc
+INSTALLDIR_SH = ${RPM_BUILD_ROOT}/usr/sbin
+#INSTALLDIR_SH = /usr/local/etc
 
 # The scratch directory for logcheck files.
 TMPDIR = /usr/local/etc/tmp
@@ -63,19 +65,21 @@
 install:	
 		@echo "Making $(SYSTYPE)"
 		$(CC) $(CFLAGS) -o ./src/logtail ./src/logtail.c
-		@echo "Creating temp directory $(TMPDIR)"
-		@if [ ! -d $(TMPDIR) ]; then /bin/mkdir $(TMPDIR); fi
-		@echo "Setting temp directory permissions"
-		chmod 700 $(TMPDIR)
+		# These are no longer necessary because it handled by logcheck
+		# itself.
+		#@echo "Creating temp directory $(TMPDIR)"
+		#@if [ ! -d $(TMPDIR) ]; then /bin/mkdir $(TMPDIR); fi
+		#@echo "Setting temp directory permissions"
+		#chmod 700 $(TMPDIR)
 		@echo "Copying files"
 		cp ./systems/$(SYSTYPE)/logcheck.hacking $(INSTALLDIR)
 		cp ./systems/$(SYSTYPE)/logcheck.violations $(INSTALLDIR)
 		cp ./systems/$(SYSTYPE)/logcheck.violations.ignore $(INSTALLDIR)
 		cp ./systems/$(SYSTYPE)/logcheck.ignore $(INSTALLDIR)
-		cp ./systems/$(SYSTYPE)/logcheck.sh $(INSTALLDIR_SH)
+		cp ./systems/$(SYSTYPE)/logcheck.sh $(INSTALLDIR_SH)/logcheck
 		cp ./src/logtail $(INSTALLDIR_BIN)
 		@echo "Setting permissions"
-		chmod 700 $(INSTALLDIR_SH)/logcheck.sh
+		chmod 700 $(INSTALLDIR_SH)/logcheck
 		chmod 700 $(INSTALLDIR_BIN)/logtail
 		chmod 600 $(INSTALLDIR)/logcheck.violations.ignore
 		chmod 600 $(INSTALLDIR)/logcheck.violations
Commit	Line	Data
eee721d8 AF	1	--- ./systems/linux/logcheck.sh.sp Thu May 15 06:10:37 1997
	2	+++ ./systems/linux/logcheck.sh Mon Jul 13 12:07:09 1998
	3	@@ -27,11 +27,13 @@
	4	# 5/14/97 -- Added Digital OSF/1 logging support. Big thanks
	5	# to Jay Vassos-Libove <libove@compgen.com> for
	6	# his changes.
	7	+# 7/12/98 -- Modified to build rpm package under RedHat Linux
	8	+# 5.1 (Manhattan)
	9
	10
	11	# CONFIGURATION SECTION
	12
	13	-PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/ucb:/usr/local/bin
	14	+PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
	15
	16	# Logcheck is pre-configured to work on most BSD like systems, however it
	17	# is a rather dumb program and may need some help to work on other
	18	@@ -44,7 +46,9 @@
	19	# Full path to logtail program.
	20	# This program is required to run this script and comes with the package.
	21
	22	-LOGTAIL=/usr/local/bin/logtail
	23	+#LOGTAIL=/usr/local/bin/logtail
	24	+
	25	+LOGTAIL=/usr/sbin/logtail
	26
	27	# Full path to SECURED (non public writable) /tmp directory.
	28	# Prevents Race condition and potential symlink problems. I highly
	29	@@ -52,7 +56,12 @@
	30	# You would also be well advised to make sure all your system/cron scripts
	31	# use this directory for their "scratch" area.
	32
	33	-TMPDIR=/usr/local/etc/tmp
	34	+#TMPDIR=/usr/local/etc/tmp
	35	+
	36	+# This will create an own, non publically writeable/readable directory
	37	+# in /tmp for every run of logcheck.
	38	+
	39	+TMPDIR=/tmp/logcheck$$-$RANDOM
	40
	41	# The 'grep' command. This command MUST support the
	42	# '-i' '-v' and '-f' flags!! The GNU grep does this by default (that's
	43	@@ -89,7 +98,9 @@
	44	# look for generic ISS probes (who the hell else looks for
	45	# "WIZ" besides ISS?), and obvious sendmail attacks/probes.
	46
	47	-HACKING_FILE=/usr/local/etc/logcheck.hacking
	48	+#HACKING_FILE=/usr/local/etc/logcheck.hacking
	49	+
	50	+HACKING_FILE=/etc/logcheck/logcheck.hacking
	51
	52	# File of security violation patterns to specifically look for.
	53	# This file should contain keywords of information administrators should
	54	@@ -98,7 +109,9 @@
	55	# some items, but these will be caught by the next check. Move suspicious
	56	# items into this file to have them reported regularly.
	57
	58	-VIOLATIONS_FILE=/usr/local/etc/logcheck.violations
	59	+#VIOLATIONS_FILE=/usr/local/etc/logcheck.violations
	60	+
	61	+VIOLATIONS_FILE=/etc/logcheck/logcheck.violations
	62
	63	# File that contains more complete sentences that have keywords from
	64	# the violations file. These keywords are normal and are not cause for
65	@@ -115,14 +128,18 @@
66	#
67	# Again, be careful what you put in here and DO NOT LEAVE IT EMPTY!
68
69	-VIOLATIONS_IGNORE_FILE=/usr/local/etc/logcheck.violations.ignore
70	+#VIOLATIONS_IGNORE_FILE=/usr/local/etc/logcheck.violations.ignore
71	+
72	+VIOLATIONS_IGNORE_FILE=/etc/logcheck/logcheck.violations.ignore
73
74	# This is the name of a file that contains patterns that we should
75	# ignore if found in a log file. If you have repeated false alarms
76	# or want specific errors ignored, you should put them in here.
77	# Once again, be as specific as possible, and go easy on the wildcards
78
79	-IGNORE_FILE=/usr/local/etc/logcheck.ignore
80	+#IGNORE_FILE=/usr/local/etc/logcheck.ignore
81	+
82	+IGNORE_FILE=/etc/logcheck/logcheck.ignore
83
84	# The files are reported in the order of hacking, security
85	# violations, and unusual system events. Notice that this
86	@@ -146,6 +163,8 @@
87
88	umask 077
89	rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
90	+rm -rf $TMPDIR
91	+mkdir $TMPDIR
92	if [ -f $TMPDIR/check.$$ -o -f $TMPDIR/checkoutput.$$ -o -f $TMPDIR/checkreport.$$ ]; then
93	echo "Log files exist in $TMPDIR directory that cannot be removed. This
94	may be an attempt to spoof the log checker." \
95	@@ -165,7 +184,7 @@
96	# Generic and Linux Slackware 3.x
97	#$LOGTAIL /var/log/messages > $TMPDIR/check.$$
98
99	-# Linux Red Hat Version 3.x, 4.x
100	+# Linux PLD
101	$LOGTAIL /var/log/messages > $TMPDIR/check.$$
102	$LOGTAIL /var/log/secure >> $TMPDIR/check.$$
103	$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
104	@@ -220,6 +239,7 @@
105
106	if [ ! -s $TMPDIR/check.$$ ]; then
107	rm -f $TMPDIR/check.$$
108	+ rm -rf $TMPDIR
109	exit 0
110	fi
111
112	@@ -270,3 +290,4 @@
113
114	# Clean Up
115	rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
116	+rm -rf $TMPDIR
117	--- ./systems/linux/logcheck.ignore.sp Thu May 15 06:19:40 1997
118	+++ ./systems/linux/logcheck.ignore Mon Jul 13 12:06:40 1998
119	@@ -1,3 +1,5 @@
120	+PAM_pwdb.*session opened
121	+PAM_pwdb.*session closed
122	authsrv.*AUTHENTICATE
123	cron.*CMD
124	cron.*RELOAD
125	@@ -8,8 +10,14 @@
126	ftpd.*FTP LOGIN FROM
127	ftpd.*retrieved
128	ftpd.*stored
129	+ftpd.*FTP session closed
130	+ftpd.*timed out
131	+ftpd.*connect from
132	http-gw.*: exit host
133	http-gw.*: permit host
134	+identd.*Successful lookup
135	+identd.*from:
136	+login.*: LOGIN ON
137	mail.local
138	named.*Lame delegation
139	named.*Response from
140	@@ -17,11 +25,16 @@
141	named.*points to a CNAME
142	named.*reloading
143	named.*starting
144	+named.*NSTATS
145	+named.*XSTATS
146	netacl.*: exit host
147	netacl.*: permit host
148	popper.*Unable
149	popper: -ERR POP server at
150	popper: -ERR Unknown command: "uidl".
151	+pop3d.*connect from
152	+pop3d.* Login
153	+pop3d.* Logout
154	qmail.*new msg
155	qmail.*info msg
156	qmail.*starting delivery
157	--- ./Makefile.sp Thu May 22 03:55:53 1997
158	+++ ./Makefile Mon Jul 13 12:07:09 1998
159	@@ -4,6 +4,8 @@
160	# Send problems/code hacks to crowland@psionic.com or crowland@vni.net
161	# Thanks to rbulling@obscure.org for cleaning this Makefile up..
162	#
163	+# Modified for rpm package building.
164	+#
165
166	# Generic compiler
167	CC = cc
168	@@ -19,15 +21,15 @@
169	# the new paths!!
170
171	# This is where keyword files go.
172	-INSTALLDIR = /usr/local/etc
173	+INSTALLDIR = ${RPM_BUILD_ROOT}/etc/logcheck
174
175	# This is where logtail will go
176	-INSTALLDIR_BIN = /usr/local/bin
177	+INSTALLDIR_BIN = ${RPM_BUILD_ROOT}/usr/sbin
178
179	# Some people want the logcheck.sh in /usr/local/bin. Uncomment this
180	# if you want this. /usr/local/etc was kept for compatibility reasons.
181	-#INSTALLDIR_SH = /usr/local/bin
182	-INSTALLDIR_SH = /usr/local/etc
183	+INSTALLDIR_SH = ${RPM_BUILD_ROOT}/usr/sbin
184	+#INSTALLDIR_SH = /usr/local/etc
185
186	# The scratch directory for logcheck files.
187	TMPDIR = /usr/local/etc/tmp
188	@@ -63,19 +65,21 @@
189	install:
190	@echo "Making $(SYSTYPE)"
191	$(CC) $(CFLAGS) -o ./src/logtail ./src/logtail.c
192	- @echo "Creating temp directory $(TMPDIR)"
193	- @if [ ! -d $(TMPDIR) ]; then /bin/mkdir $(TMPDIR); fi
194	- @echo "Setting temp directory permissions"
195	- chmod 700 $(TMPDIR)
196	+ # These are no longer necessary because it handled by logcheck
197	+ # itself.
198	+ #@echo "Creating temp directory $(TMPDIR)"
199	+ #@if [ ! -d $(TMPDIR) ]; then /bin/mkdir $(TMPDIR); fi
200	+ #@echo "Setting temp directory permissions"
201	+ #chmod 700 $(TMPDIR)
202	@echo "Copying files"
203	cp ./systems/$(SYSTYPE)/logcheck.hacking $(INSTALLDIR)
204	cp ./systems/$(SYSTYPE)/logcheck.violations $(INSTALLDIR)
205	cp ./systems/$(SYSTYPE)/logcheck.violations.ignore $(INSTALLDIR)
206	cp ./systems/$(SYSTYPE)/logcheck.ignore $(INSTALLDIR)
207	- cp ./systems/$(SYSTYPE)/logcheck.sh $(INSTALLDIR_SH)
208	+ cp ./systems/$(SYSTYPE)/logcheck.sh $(INSTALLDIR_SH)/logcheck
209	cp ./src/logtail $(INSTALLDIR_BIN)
210	@echo "Setting permissions"
211	- chmod 700 $(INSTALLDIR_SH)/logcheck.sh
212	+ chmod 700 $(INSTALLDIR_SH)/logcheck
213	chmod 700 $(INSTALLDIR_BIN)/logtail
214	chmod 600 $(INSTALLDIR)/logcheck.violations.ignore
215	chmod 600 $(INSTALLDIR)/logcheck.violations