]>
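--- ./systems/linux/logcheck.sh.sp Thu May 15 06:10:37 1997
+++ ./systems/linux/logcheck.sh Mon Jul 13 12:07:09 1998
@@ -27,11 +27,13 @@
 # 5/14/97 -- Added Digital OSF/1 logging support. Big thanks
 # to Jay Vassos-Libove <libove@compgen.com> for
 # his changes.
+# 7/12/98 -- Modified to build rpm package under RedHat Linux
+# 5.1 (Manhattan)
 
 
 # CONFIGURATION SECTION
 
-PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/ucb:/usr/local/bin
+PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
 
 # Logcheck is pre-configured to work on most BSD like systems, however it
 # is a rather dumb program and may need some help to work on other
@@ -44,7 +46,9 @@
 # Full path to logtail program.
 # This program is required to run this script and comes with the package.
 
-LOGTAIL=/usr/local/bin/logtail
+#LOGTAIL=/usr/local/bin/logtail
+
+LOGTAIL=/usr/sbin/logtail
 
 # Full path to SECURED (non public writable) /tmp directory.
 # Prevents Race condition and potential symlink problems. I highly
@@ -52,7 +56,12 @@
 # You would also be well advised to make sure all your system/cron scripts
 # use this directory for their "scratch" area.
 
-TMPDIR=/usr/local/etc/tmp
+#TMPDIR=/usr/local/etc/tmp
+
+# This will create an own, non publically writeable/readable directory
+# in /tmp for every run of logcheck.
+
+TMPDIR=/tmp/logcheck$$-$RANDOM
 
 # The 'grep' command. This command MUST support the
 # '-i' '-v' and '-f' flags!! The GNU grep does this by default (that's
@@ -89,7 +98,9 @@
 # look for generic ISS probes (who the hell else looks for
 # "WIZ" besides ISS?), and obvious sendmail attacks/probes.
 
-HACKING_FILE=/usr/local/etc/logcheck.hacking
+#HACKING_FILE=/usr/local/etc/logcheck.hacking
+
+HACKING_FILE=/etc/logcheck/logcheck.hacking
 
 # File of security violation patterns to specifically look for.
 # This file should contain keywords of information administrators should
@@ -98,7 +109,9 @@
 # some items, but these will be caught by the next check. Move suspicious
 # items into this file to have them reported regularly.
 
-VIOLATIONS_FILE=/usr/local/etc/logcheck.violations
+#VIOLATIONS_FILE=/usr/local/etc/logcheck.violations
+
+VIOLATIONS_FILE=/etc/logcheck/logcheck.violations
 
 # File that contains more complete sentences that have keywords from
 # the violations file. These keywords are normal and are not cause for
@@ -115,14 +128,18 @@
 #
 # Again, be careful what you put in here and DO NOT LEAVE IT EMPTY!
 
-VIOLATIONS_IGNORE_FILE=/usr/local/etc/logcheck.violations.ignore
+#VIOLATIONS_IGNORE_FILE=/usr/local/etc/logcheck.violations.ignore
+
+VIOLATIONS_IGNORE_FILE=/etc/logcheck/logcheck.violations.ignore
 
 # This is the name of a file that contains patterns that we should
 # ignore if found in a log file. If you have repeated false alarms
 # or want specific errors ignored, you should put them in here.
 # Once again, be as specific as possible, and go easy on the wildcards
 
-IGNORE_FILE=/usr/local/etc/logcheck.ignore
+#IGNORE_FILE=/usr/local/etc/logcheck.ignore
+
+IGNORE_FILE=/etc/logcheck/logcheck.ignore
 
 # The files are reported in the order of hacking, security
 # violations, and unusual system events. Notice that this
@@ -146,6 +163,8 @@
 
 umask 077
 rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
+rm -rf $TMPDIR
+mkdir $TMPDIR
 if [ -f $TMPDIR/check.$$ -o -f $TMPDIR/checkoutput.$$ -o -f $TMPDIR/checkreport.$$ ]; then
 echo "Log files exist in $TMPDIR directory that cannot be removed. This
 may be an attempt to spoof the log checker." \
@@ -165,7 +184,7 @@
 # Generic and Linux Slackware 3.x
 #$LOGTAIL /var/log/messages > $TMPDIR/check.$$
 
-# Linux Red Hat Version 3.x, 4.x
+# Linux PLD
 $LOGTAIL /var/log/messages > $TMPDIR/check.$$
 $LOGTAIL /var/log/secure >> $TMPDIR/check.$$
 $LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
@@ -220,6 +239,7 @@
 
 if [ ! -s $TMPDIR/check.$$ ]; then
 rm -f $TMPDIR/check.$$
+ rm -rf $TMPDIR
 exit 0
 fi
 
@@ -270,3 +290,4 @@
 
 # Clean Up
 rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
+rm -rf $TMPDIR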
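Review bot: `TMPDIR=/tmp/logcheck$$-$RANDOM` together with the new `rm -rf $TMPDIR` / `mkdir $TMPDIR` (hunks @@ -52,7 +56,12 @@ and @@ -146,6 +163,8 @@) reintroduces the race that the comment two lines above the assignment says the secured directory was chosen to prevent: the name is predictable (the PID plus a 15-bit $RANDOM), /tmp is world-writable, and mkdir's exit status is never checked, so if the path already exists when the script runs the mkdir fails silently and every later `$TMPDIR/check.$$` write goes into a directory the script did not create. The `-f` check that follows only tests the three scratch files, not the directory itself. Prefer `TMPDIR=$(mktemp -d /tmp/logcheck.XXXXXX) || exit 1` in place of the assignment and drop the `rm -rf`/`mkdir` pair; where mktemp is unavailable, at minimum `mkdir $TMPDIR || exit 1` so an existing path aborts the run instead of being reused. The `umask 077` just above does give a freshly created directory mode 700, so the new comment's "non publically writeable/readable" claim holds only when that mkdir actually succeeds.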
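--- ./systems/linux/logcheck.ignore.sp Thu May 15 06:19:40 1997
+++ ./systems/linux/logcheck.ignore Mon Jul 13 12:06:40 1998
@@ -1,3 +1,5 @@
+PAM_pwdb.*session opened
+PAM_pwdb.*session closed
 authsrv.*AUTHENTICATE
 cron.*CMD
 cron.*RELOAD
@@ -8,8 +10,14 @@
 ftpd.*FTP LOGIN FROM
 ftpd.*retrieved
 ftpd.*stored
+ftpd.*FTP session closed
+ftpd.*timed out
+ftpd.*connect from
 http-gw.*: exit host
 http-gw.*: permit host
+identd.*Successful lookup
+identd.*from:
+login.*: LOGIN ON
 mail.local
 named.*Lame delegation
 named.*Response from
@@ -17,11 +25,16 @@
 named.*points to a CNAME
 named.*reloading
 named.*starting
+named.*NSTATS
+named.*XSTATS
 netacl.*: exit host
 netacl.*: permit host
 popper.*Unable
 popper: -ERR POP server at
 popper: -ERR Unknown command: "uidl".
+pop3d.*connect from
+pop3d.* Login
+pop3d.* Logout
 qmail.*new msg
 qmail.*info msg
 qmail.*starting delivery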
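Review bot: `login.*: LOGIN ON` and `pop3d.* Login` (hunks @@ -8,8 +10,14 @@ and @@ -17,11 +25,16 @@) appear to suppress every successful console and POP login regardless of account or origin, which is wider than the script's own guidance on this file ("be as specific as possible, and go easy on the wildcards"). A successful login on a privileged or rarely used account is the kind of event the report is meant to surface, and a line matching IGNORE_FILE is dropped from the report rather than demoted, as the IGNORE_FILE comment in the script describes. If these lines are genuinely noise on the target host, consider anchoring them to the expected tty or service name, or keep the login events visible and ignore only the `session opened`/`session closed` PAM lines added at the top of the file.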
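--- ./Makefile.sp Thu May 22 03:55:53 1997
+++ ./Makefile Mon Jul 13 12:07:09 1998
@@ -4,6 +4,8 @@
 # Send problems/code hacks to crowland@psionic.com or crowland@vni.net
 # Thanks to rbulling@obscure.org for cleaning this Makefile up..
 #
+# Modified for rpm package building.
+#
 
 # Generic compiler
 CC = cc
@@ -19,15 +21,15 @@
 # the new paths!!
 
 # This is where keyword files go.
-INSTALLDIR = /usr/local/etc
+INSTALLDIR = ${RPM_BUILD_ROOT}/etc/logcheck
 
 # This is where logtail will go
-INSTALLDIR_BIN = /usr/local/bin
+INSTALLDIR_BIN = ${RPM_BUILD_ROOT}/usr/sbin
 
 # Some people want the logcheck.sh in /usr/local/bin. Uncomment this
 # if you want this. /usr/local/etc was kept for compatibility reasons.
-#INSTALLDIR_SH = /usr/local/bin
-INSTALLDIR_SH = /usr/local/etc
+INSTALLDIR_SH = ${RPM_BUILD_ROOT}/usr/sbin
+#INSTALLDIR_SH = /usr/local/etc
 
 # The scratch directory for logcheck files.
 TMPDIR = /usr/local/etc/tmp
@@ -63,19 +65,21 @@
 install:
 @echo "Making $(SYSTYPE)"
 $(CC) $(CFLAGS) -o ./src/logtail ./src/logtail.c
- @echo "Creating temp directory $(TMPDIR)"
- @if [ ! -d $(TMPDIR) ]; then /bin/mkdir $(TMPDIR); fi
- @echo "Setting temp directory permissions"
- chmod 700 $(TMPDIR)
+ # These are no longer necessary because it handled by logcheck
+ # itself.
+ #@echo "Creating temp directory $(TMPDIR)"
+ #@if [ ! -d $(TMPDIR) ]; then /bin/mkdir $(TMPDIR); fi
+ #@echo "Setting temp directory permissions"
+ #chmod 700 $(TMPDIR)
 @echo "Copying files"
 cp ./systems/$(SYSTYPE)/logcheck.hacking $(INSTALLDIR)
 cp ./systems/$(SYSTYPE)/logcheck.violations $(INSTALLDIR)
 cp ./systems/$(SYSTYPE)/logcheck.violations.ignore $(INSTALLDIR)
 cp ./systems/$(SYSTYPE)/logcheck.ignore $(INSTALLDIR)
- cp ./systems/$(SYSTYPE)/logcheck.sh $(INSTALLDIR_SH)
+ cp ./systems/$(SYSTYPE)/logcheck.sh $(INSTALLDIR_SH)/logcheck
 cp ./src/logtail $(INSTALLDIR_BIN)
 @echo "Setting permissions"
- chmod 700 $(INSTALLDIR_SH)/logcheck.sh
+ chmod 700 $(INSTALLDIR_SH)/logcheck
 chmod 700 $(INSTALLDIR_BIN)/logtail
 chmod 600 $(INSTALLDIR)/logcheck.violations.ignore
 chmod 600 $(INSTALLDIR)/logcheck.violations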
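Review bot: The install target (hunk @@ -63,19 +65,21 @@) copies into `$(INSTALLDIR)`, now `${RPM_BUILD_ROOT}/etc/logcheck`, and into `$(INSTALLDIR_BIN)`/`$(INSTALLDIR_SH)`, but nothing in the recipe creates those directories; the only mkdir it ever had, for `$(TMPDIR)`, is what this hunk comments out, so under a fresh build root each `cp` fails unless the spec file has created the directories beforehand. Adding `install -d $(INSTALLDIR) $(INSTALLDIR_BIN) $(INSTALLDIR_SH)` before the first copy lets the target stand on its own. Two smaller points: `TMPDIR = /usr/local/etc/tmp` is kept in the variables hunk although no remaining recipe line uses it, and the new recipe comment reads `because it handled by logcheck` and is missing "is". When `RPM_BUILD_ROOT` is unset the paths degrade to the real `/etc/logcheck` and `/usr/sbin`, which is presumably intended for a plain `make install` but deserves a comment above the definitions.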