diff -urN logcheck-1.1.1/Makefile logcheck-1.1.1.patched/Makefile
--- logcheck-1.1.1/Makefile Sun Oct 31 16:07:29 1999
+++ logcheck-1.1.1.patched/Makefile Wed Jan 15 11:10:02 2003
@@ -4,6 +4,8 @@
 # Send problems/code hacks to crowland@psionic.com or crowland@vni.net
 # Thanks to rbulling@obscure.org for cleaning this Makefile up..
 #
+# Modified for rpm package building.
+#
 # Generic compiler
 CC = cc
@@ -19,15 +21,15 @@
 # the new paths!!
 # This is where keyword files go.
-INSTALLDIR = /usr/local/etc
+INSTALLDIR = ${RPM_BUILD_ROOT}/etc/logcheck
 # This is where logtail will go
-INSTALLDIR_BIN = /usr/local/bin
+INSTALLDIR_BIN = ${RPM_BUILD_ROOT}/usr/sbin
 # Some people want the logcheck.sh in /usr/local/bin. Uncomment this
 # if you want this. /usr/local/etc was kept for compatibility reasons.
-#INSTALLDIR_SH = /usr/local/bin
-INSTALLDIR_SH = /usr/local/etc
+INSTALLDIR_SH = ${RPM_BUILD_ROOT}/usr/sbin
+#INSTALLDIR_SH = /usr/local/etc
 # The scratch directory for logcheck files.
 TMPDIR = /usr/local/etc/tmp
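Review bot: `INSTALLDIR`, `INSTALLDIR_BIN` and `INSTALLDIR_SH` now expand `${RPM_BUILD_ROOT}` with no check that it is set, so a plain `make install` run outside rpmbuild copies into the live `/etc/logcheck` and `/usr/sbin` and chmods files there. Since the variables are only consumed by the `install` target (next hunk), the cheapest guard is a first recipe line there, `test -n "$(RPM_BUILD_ROOT)" || { echo "RPM_BUILD_ROOT is not set" >&2; exit 1; }`, rather than a parse-time `$(error …)` that would also break a bare `make`. `TMPDIR = /usr/local/etc/tmp` is kept in context although the install recipe no longer uses it once the mkdir/chmod lines are commented out, so it is now dead configuration worth removing. The new assignments use `${...}` while the rest of the file uses `$(...)`; `$(RPM_BUILD_ROOT)` would match the existing style.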
@@ -63,19 +65,21 @@
 install:
 @echo "Making $(SYSTYPE)"
 $(CC) $(CFLAGS) -o ./src/logtail ./src/logtail.c
- @echo "Creating temp directory $(TMPDIR)"
- @if [ ! -d $(TMPDIR) ]; then /bin/mkdir $(TMPDIR); fi
- @echo "Setting temp directory permissions"
- chmod 700 $(TMPDIR)
+ # These are no longer necessary because it handled by logcheck
+ # itself.
+ #@echo "Creating temp directory $(TMPDIR)"
+ #@if [ ! -d $(TMPDIR) ]; then /bin/mkdir $(TMPDIR); fi
+ #@echo "Setting temp directory permissions"
+ #chmod 700 $(TMPDIR)
 @echo "Copying files"
 cp ./systems/$(SYSTYPE)/logcheck.hacking $(INSTALLDIR)
 cp ./systems/$(SYSTYPE)/logcheck.violations $(INSTALLDIR)
 cp ./systems/$(SYSTYPE)/logcheck.violations.ignore $(INSTALLDIR)
 cp ./systems/$(SYSTYPE)/logcheck.ignore $(INSTALLDIR)
- cp ./systems/$(SYSTYPE)/logcheck.sh $(INSTALLDIR_SH)
+ cp ./systems/$(SYSTYPE)/logcheck.sh $(INSTALLDIR_SH)/logcheck
 cp ./src/logtail $(INSTALLDIR_BIN)
 @echo "Setting permissions"
- chmod 700 $(INSTALLDIR_SH)/logcheck.sh
+ chmod 700 $(INSTALLDIR_SH)/logcheck
 chmod 700 $(INSTALLDIR_BIN)/logtail
 chmod 600 $(INSTALLDIR)/logcheck.violations.ignore
 chmod 600 $(INSTALLDIR)/logcheck.violations
diff -urN logcheck-1.1.1/systems/linux/logcheck.ignore logcheck-1.1.1.patched/systems/linux/logcheck.ignore
--- logcheck-1.1.1/systems/linux/logcheck.ignore Sun Oct 31 16:07:29 1999
+++ logcheck-1.1.1.patched/systems/linux/logcheck.ignore Wed Jan 15 11:10:02 2003
@@ -1,3 +1,5 @@
+PAM_pwdb.*session opened
+PAM_pwdb.*session closed
 authsrv.*AUTHENTICATE
 cron.*CMD
 cron.*RELOAD
@@ -8,8 +10,14 @@
 ftpd.*FTP LOGIN FROM
 ftpd.*retrieved
 ftpd.*stored
+ftpd.*FTP session closed
+ftpd.*timed out
+ftpd.*connect from
 http-gw.*: exit host
 http-gw.*: permit host
+identd.*Successful lookup
+identd.*from:
+login.*: LOGIN ON
 mail.local
 named.*Lame delegation
 named.*Response from
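Review bot: With the `/bin/mkdir $(TMPDIR)` line commented out, nothing in the `install` recipe creates `$(INSTALLDIR)`, `$(INSTALLDIR_BIN)` or `$(INSTALLDIR_SH)` under the build root before the `cp` lines, so `make install` into a fresh `RPM_BUILD_ROOT` fails on the first copy unless the spec file creates those directories beforehand (not visible here). A single `install -d $(INSTALLDIR) $(INSTALLDIR_BIN) $(INSTALLDIR_SH)` ahead of `@echo "Copying files"` makes the recipe self-sufficient. The six commented-out recipe lines are dead code and should be deleted rather than kept; the diff already records what was removed, and the surviving comment has a typo (`because it handled` → `because it is handled`). Note also that in a Makefile a `#` on a tab-indented recipe line is passed to the shell, not treated as a Make comment, so these lines still spawn a shell each.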
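Review bot: `ftpd.*connect from`, `identd.*from:` and `login.*: LOGIN ON` (and `pop3d.*connect from` in the following hunk, plus `PAM_pwdb.*session opened` in the first hunk) are unanchored patterns that match a connection or login from any source, so an interactive login or FTP connection from a host you have never seen before is dropped from the report along with the routine ones. The script's own guidance on ignore patterns, visible in the logcheck.sh hunks of this patch, is to be as specific as possible and go easy on the wildcards. Consider including the host or network fragment you actually expect in each pattern (for example extend `login.*: LOGIN ON` with the terminal or source you consider normal) so unexpected sources still surface in the report.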
@@ -17,11 +25,16 @@
 named.*points to a CNAME
 named.*reloading
 named.*starting
+named.*NSTATS
+named.*XSTATS
 netacl.*: exit host
 netacl.*: permit host
 popper.*Unable
 popper: -ERR POP server at
 popper: -ERR Unknown command: "uidl".
+pop3d.*connect from
+pop3d.* Login
+pop3d.* Logout
 qmail.*new msg
 qmail.*info msg
 qmail.*starting delivery
diff -urN logcheck-1.1.1/systems/linux/logcheck.sh logcheck-1.1.1.patched/systems/linux/logcheck.sh
--- logcheck-1.1.1/systems/linux/logcheck.sh Sun Oct 31 16:07:29 1999
+++ logcheck-1.1.1.patched/systems/linux/logcheck.sh Wed Jan 15 11:12:22 2003
@@ -27,11 +27,13 @@
 # 5/14/97 -- Added Digital OSF/1 logging support. Big thanks
 # to Jay Vassos-Libove for
 # his changes.
+# 7/12/98 -- Modified to build rpm package under RedHat Linux
+# 5.1 (Manhattan)
 # CONFIGURATION SECTION
-PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/ucb:/usr/local/bin
+PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
 # Logcheck is pre-configured to work on most BSD like systems, however it
 # is a rather dumb program and may need some help to work on other
@@ -44,7 +46,9 @@
 # Full path to logtail program.
 # This program is required to run this script and comes with the package.
-LOGTAIL=/usr/local/bin/logtail
+#LOGTAIL=/usr/local/bin/logtail
+
+LOGTAIL=/usr/sbin/logtail
 # Full path to SECURED (non public writable) /tmp directory.
 # Prevents Race condition and potential symlink problems. I highly
@@ -52,7 +56,12 @@
 # You would also be well advised to make sure all your system/cron scripts
 # use this directory for their "scratch" area.
-TMPDIR=/usr/local/etc/tmp
+#TMPDIR=/usr/local/etc/tmp
+
+# This will create an own, non publically writeable/readable directory
+# in /tmp for every run of logcheck.
+
+TMPDIR=/tmp/logcheck$$-$RANDOM
 # The 'grep' command. This command MUST support the
 # '-i' '-v' and '-f' flags!! The GNU grep does this by default (that's
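Review bot: `TMPDIR=/tmp/logcheck$$-$RANDOM` moves the scratch area out of the directory the surrounding comment describes as SECURED (non public writable, kept to prevent races and symlink problems) into world-writable `/tmp`, under a name built from the PID and a 15-bit `$RANDOM` that another local user can pre-create before the `rm -rf`/`mkdir` pair added at `@@ -146,6 +163,8 @@`, reintroducing exactly the race the original layout avoided for a script that runs as root. Prefer an atomically created unpredictable directory, `TMPDIR=$(mktemp -d /tmp/logcheck.XXXXXX) || exit 1`, where mktemp is available on the target, and otherwise at least make a failed `mkdir` fatal (see the note on that hunk). `$RANDOM` is not POSIX sh; the interpreter line is outside the hunk, so confirm the script runs under bash or ksh, where it is defined. The preceding comment about a SECURED `/tmp` directory is now contradicted by the value and should be updated or the added explanation merged into it.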
@@ -89,7 +98,9 @@
 # look for generic ISS probes (who the hell else looks for
 # "WIZ" besides ISS?), and obvious sendmail attacks/probes.
-HACKING_FILE=/usr/local/etc/logcheck.hacking
+#HACKING_FILE=/usr/local/etc/logcheck.hacking
+
+HACKING_FILE=/etc/logcheck/logcheck.hacking
 # File of security violation patterns to specifically look for.
 # This file should contain keywords of information administrators should
@@ -98,7 +109,9 @@
 # some items, but these will be caught by the next check. Move suspicious
 # items into this file to have them reported regularly.
-VIOLATIONS_FILE=/usr/local/etc/logcheck.violations
+#VIOLATIONS_FILE=/usr/local/etc/logcheck.violations
+
+VIOLATIONS_FILE=/etc/logcheck/logcheck.violations
 # File that contains more complete sentences that have keywords from
 # the violations file. These keywords are normal and are not cause for
@@ -115,14 +128,18 @@
 #
 # Again, be careful what you put in here and DO NOT LEAVE IT EMPTY!
-VIOLATIONS_IGNORE_FILE=/usr/local/etc/logcheck.violations.ignore
+#VIOLATIONS_IGNORE_FILE=/usr/local/etc/logcheck.violations.ignore
+
+VIOLATIONS_IGNORE_FILE=/etc/logcheck/logcheck.violations.ignore
 # This is the name of a file that contains patterns that we should
 # ignore if found in a log file. If you have repeated false alarms
 # or want specific errors ignored, you should put them in here.
 # Once again, be as specific as possible, and go easy on the wildcards
-IGNORE_FILE=/usr/local/etc/logcheck.ignore
+#IGNORE_FILE=/usr/local/etc/logcheck.ignore
+
+IGNORE_FILE=/etc/logcheck/logcheck.ignore
 # The files are reported in the order of hacking, security
 # violations, and unusual system events. Notice that this
@@ -146,6 +163,8 @@
 umask 077
 rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
+rm -rf $TMPDIR
+mkdir $TMPDIR
 if [ -f $TMPDIR/check.$$ -o -f $TMPDIR/checkoutput.$$ -o -f $TMPDIR/checkreport.$$ ]; then
 echo "Log files exist in $TMPDIR directory that cannot be removed. This may be an attempt to spoof the log checker." \
@@ -165,8 +184,9 @@
 # Generic and Linux Slackware 3.x
 #$LOGTAIL /var/log/messages > $TMPDIR/check.$$
-# Linux Red Hat Version 3.x, 4.x
+# Linux PLD
 $LOGTAIL /var/log/messages > $TMPDIR/check.$$
+$LOGTAIL /var/log/syslog >> $TMPDIR/check.$$
 $LOGTAIL /var/log/secure >> $TMPDIR/check.$$
 $LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
@@ -220,6 +240,7 @@
 if [ ! -s $TMPDIR/check.$$ ]; then
 rm -f $TMPDIR/check.$$
+ rm -rf $TMPDIR
 exit 0
 fi
@@ -255,7 +276,7 @@
 echo >> $TMPDIR/checkreport.$$
 echo "Unusual System Events" >> $TMPDIR/checkreport.$$
 echo "=-=-=-=-=-=-=-=-=-=-=" >> $TMPDIR/checkreport.$$
- cat $TMPDIR/checkoutput.$$ >> $TMPDIR/checkreport.$$
+ cat $TMPDIR/checkoutput.$$ | sort -u >> $TMPDIR/checkreport.$$
 FOUND=1
 fi
 fi
@@ -270,3 +291,4 @@
 # Clean Up
 rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
+rm -rf $TMPDIR
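Review bot: `mkdir $TMPDIR` ignores its exit status, so if something already sits at that path when mkdir runs (the name is derived from `$$` and `$RANDOM` in the earlier TMPDIR hunk, so it can be pre-created by another local user) the script continues and every later `> $TMPDIR/check.$$` redirection lands in a directory it did not create, while the spoof check that follows only looks for the three scratch files. Make creation fatal: `mkdir $TMPDIR || { echo "cannot create $TMPDIR" >&2; exit 1; }`; with the `umask 077` above, the directory is then created mode 700. The `rm -rf $TMPDIR` placed before the mkdir is itself worth a second look, since as root it removes whatever is at that path. Cleanup is added at the early `exit 0` (`@@ -220,6 +240,7 @@`) and at the end (`@@ -270,3 +291,4 @@`), but the "Log files exist" branch shown at the bottom of this hunk continues outside it; if that branch exits, the directory appears to be left behind.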
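Review bot: `cat $TMPDIR/checkoutput.$$ | sort -u` reorders the Unusual System Events section, so the report loses the log's chronological order and identical lines collapse to one, hiding how often an event recurred; for an incident reviewer the order and repetition are often the signal. If deduplication is the goal while keeping order, `awk '!seen[$0]++' $TMPDIR/checkoutput.$$ >> $TMPDIR/checkreport.$$` does that in one process, and if sorting is really wanted `sort -u $TMPDIR/checkoutput.$$ >> $TMPDIR/checkreport.$$` avoids the needless `cat` pipeline.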