raw from Tornado
authorArtur Frysiak <artur@frysiak.net>
Thu, 1 Jul 1999 22:42:41 +0000 (22:42 +0000)
committercvs2git <feedback@pld-linux.org>
Sun, 24 Jun 2012 12:13:13 +0000 (12:13 +0000)
Changed files:
    logcheck-pld.patch -> 1.1
    logcheck.spec -> 1.1

logcheck-pld.patch [new file with mode: 0644]
logcheck.spec [new file with mode: 0644]

diff --git a/logcheck-pld.patch b/logcheck-pld.patch
new file mode 100644 (file)
index 0000000..5e3aa0c
--- /dev/null
@@ -0,0 +1,215 @@
+--- ./systems/linux/logcheck.sh.sp     Thu May 15 06:10:37 1997
++++ ./systems/linux/logcheck.sh        Mon Jul 13 12:07:09 1998
+@@ -27,11 +27,13 @@
+ #               5/14/97  -- Added Digital OSF/1 logging support. Big thanks
+ #                           to Jay Vassos-Libove <libove@compgen.com> for
+ #                           his changes.
++#             7/12/98  -- Modified to build rpm package under RedHat Linux
++#                         5.1 (Manhattan)
+  
+ # CONFIGURATION SECTION
+-PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/ucb:/usr/local/bin
++PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
+ # Logcheck is pre-configured to work on most BSD like systems, however it
+ # is a rather dumb program and may need some help to work on other
+@@ -44,7 +46,9 @@
+ # Full path to logtail program.
+ # This program is required to run this script and comes with the package.
+-LOGTAIL=/usr/local/bin/logtail
++#LOGTAIL=/usr/local/bin/logtail
++
++LOGTAIL=/usr/sbin/logtail
+ # Full path to SECURED (non public writable) /tmp directory.
+ # Prevents Race condition and potential symlink problems. I highly
+@@ -52,7 +56,12 @@
+ # You would also be well advised to make sure all your system/cron scripts
+ # use this directory for their "scratch" area. 
+-TMPDIR=/usr/local/etc/tmp
++#TMPDIR=/usr/local/etc/tmp
++
++# This will create an own, non publically writeable/readable directory
++# in /tmp for every run of logcheck.
++
++TMPDIR=/tmp/logcheck$$-$RANDOM
+ # The 'grep' command. This command MUST support the
+ # '-i' '-v' and '-f' flags!! The GNU grep does this by default (that's
+@@ -89,7 +98,9 @@
+ # look for generic ISS probes (who the hell else looks for 
+ # "WIZ" besides ISS?), and obvious sendmail attacks/probes.
+-HACKING_FILE=/usr/local/etc/logcheck.hacking
++#HACKING_FILE=/usr/local/etc/logcheck.hacking
++
++HACKING_FILE=/etc/logcheck/logcheck.hacking
+ # File of security violation patterns to specifically look for.
+ # This file should contain keywords of information administrators should
+@@ -98,7 +109,9 @@
+ # some items, but these will be caught by the next check. Move suspicious
+ # items into this file to have them reported regularly.
+-VIOLATIONS_FILE=/usr/local/etc/logcheck.violations
++#VIOLATIONS_FILE=/usr/local/etc/logcheck.violations
++
++VIOLATIONS_FILE=/etc/logcheck/logcheck.violations
+ # File that contains more complete sentences that have keywords from
+ # the violations file. These keywords are normal and are not cause for 
+@@ -115,14 +128,18 @@
+ #
+ # Again, be careful what you put in here and DO NOT LEAVE IT EMPTY!
+-VIOLATIONS_IGNORE_FILE=/usr/local/etc/logcheck.violations.ignore
++#VIOLATIONS_IGNORE_FILE=/usr/local/etc/logcheck.violations.ignore
++
++VIOLATIONS_IGNORE_FILE=/etc/logcheck/logcheck.violations.ignore
+ # This is the name of a file that contains patterns that we should
+ # ignore if found in a log file. If you have repeated false alarms
+ # or want specific errors ignored, you should put them in here.
+ # Once again, be as specific as possible, and go easy on the wildcards
+-IGNORE_FILE=/usr/local/etc/logcheck.ignore
++#IGNORE_FILE=/usr/local/etc/logcheck.ignore
++
++IGNORE_FILE=/etc/logcheck/logcheck.ignore
+ # The files are reported in the order of hacking, security 
+ # violations, and unusual system events. Notice that this
+@@ -146,6 +163,8 @@
+ umask 077
+ rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
++rm -rf $TMPDIR
++mkdir $TMPDIR
+ if [ -f $TMPDIR/check.$$ -o -f $TMPDIR/checkoutput.$$ -o -f $TMPDIR/checkreport.$$ ]; then
+       echo "Log files exist in $TMPDIR directory that cannot be removed. This 
+ may be an attempt to spoof the log checker." \
+@@ -165,7 +184,7 @@
+ # Generic and Linux Slackware 3.x
+ #$LOGTAIL /var/log/messages > $TMPDIR/check.$$
+-# Linux Red Hat Version 3.x, 4.x
++# Linux PLD 
+ $LOGTAIL /var/log/messages > $TMPDIR/check.$$
+ $LOGTAIL /var/log/secure >> $TMPDIR/check.$$
+ $LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
+@@ -220,6 +239,7 @@
+  
+ if [ ! -s $TMPDIR/check.$$ ]; then
+       rm -f $TMPDIR/check.$$  
++      rm -rf $TMPDIR
+       exit 0
+ fi
+@@ -270,3 +290,4 @@
+ # Clean Up
+ rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
++rm -rf $TMPDIR
+--- ./systems/linux/logcheck.ignore.sp Thu May 15 06:19:40 1997
++++ ./systems/linux/logcheck.ignore    Mon Jul 13 12:06:40 1998
+@@ -1,3 +1,5 @@
++PAM_pwdb.*session opened
++PAM_pwdb.*session closed
+ authsrv.*AUTHENTICATE
+ cron.*CMD
+ cron.*RELOAD
+@@ -8,8 +10,14 @@
+ ftpd.*FTP LOGIN FROM
+ ftpd.*retrieved
+ ftpd.*stored
++ftpd.*FTP session closed
++ftpd.*timed out
++ftpd.*connect from
+ http-gw.*: exit host
+ http-gw.*: permit host
++identd.*Successful lookup
++identd.*from:
++login.*: LOGIN ON
+ mail.local
+ named.*Lame delegation
+ named.*Response from
+@@ -17,11 +25,16 @@
+ named.*points to a CNAME
+ named.*reloading
+ named.*starting
++named.*NSTATS
++named.*XSTATS
+ netacl.*: exit host
+ netacl.*: permit host
+ popper.*Unable
+ popper: -ERR POP server at
+ popper: -ERR Unknown command: "uidl".
++pop3d.*connect from
++pop3d.* Login
++pop3d.* Logout
+ qmail.*new msg
+ qmail.*info msg
+ qmail.*starting delivery
+--- ./Makefile.sp      Thu May 22 03:55:53 1997
++++ ./Makefile Mon Jul 13 12:07:09 1998
+@@ -4,6 +4,8 @@
+ # Send problems/code hacks to crowland@psionic.com or crowland@vni.net
+ # Thanks to rbulling@obscure.org for cleaning this Makefile up..
+ #
++# Modified for rpm package building.
++#
+ # Generic compiler
+  CC = cc
+@@ -19,15 +21,15 @@
+ # the new paths!!
+ # This is where keyword files go.
+-INSTALLDIR = /usr/local/etc
++INSTALLDIR = ${RPM_BUILD_ROOT}/etc/logcheck
+ # This is where logtail will go
+-INSTALLDIR_BIN = /usr/local/bin
++INSTALLDIR_BIN = ${RPM_BUILD_ROOT}/usr/sbin
+ # Some people want the logcheck.sh in /usr/local/bin. Uncomment this
+ # if you want this. /usr/local/etc was kept for compatibility reasons.
+-#INSTALLDIR_SH = /usr/local/bin
+-INSTALLDIR_SH = /usr/local/etc
++INSTALLDIR_SH = ${RPM_BUILD_ROOT}/usr/sbin
++#INSTALLDIR_SH = /usr/local/etc
+ # The scratch directory for logcheck files.
+ TMPDIR = /usr/local/etc/tmp
+@@ -63,19 +65,21 @@
+ install:      
+               @echo "Making $(SYSTYPE)"
+               $(CC) $(CFLAGS) -o ./src/logtail ./src/logtail.c
+-              @echo "Creating temp directory $(TMPDIR)"
+-              @if [ ! -d $(TMPDIR) ]; then /bin/mkdir $(TMPDIR); fi
+-              @echo "Setting temp directory permissions"
+-              chmod 700 $(TMPDIR)
++              # These are no longer necessary because it handled by logcheck
++              # itself.
++              #@echo "Creating temp directory $(TMPDIR)"
++              #@if [ ! -d $(TMPDIR) ]; then /bin/mkdir $(TMPDIR); fi
++              #@echo "Setting temp directory permissions"
++              #chmod 700 $(TMPDIR)
+               @echo "Copying files"
+               cp ./systems/$(SYSTYPE)/logcheck.hacking $(INSTALLDIR)
+               cp ./systems/$(SYSTYPE)/logcheck.violations $(INSTALLDIR)
+               cp ./systems/$(SYSTYPE)/logcheck.violations.ignore $(INSTALLDIR)
+               cp ./systems/$(SYSTYPE)/logcheck.ignore $(INSTALLDIR)
+-              cp ./systems/$(SYSTYPE)/logcheck.sh $(INSTALLDIR_SH)
++              cp ./systems/$(SYSTYPE)/logcheck.sh $(INSTALLDIR_SH)/logcheck
+               cp ./src/logtail $(INSTALLDIR_BIN)
+               @echo "Setting permissions"
+-              chmod 700 $(INSTALLDIR_SH)/logcheck.sh
++              chmod 700 $(INSTALLDIR_SH)/logcheck
+               chmod 700 $(INSTALLDIR_BIN)/logtail
+               chmod 600 $(INSTALLDIR)/logcheck.violations.ignore
+               chmod 600 $(INSTALLDIR)/logcheck.violations
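Review bot: In the logcheck.sh part of this patch, `TMPDIR=/tmp/logcheck$$-$RANDOM` followed by `rm -rf $TMPDIR` and an unchecked `mkdir $TMPDIR` gives up the property the surrounding comment still promises (a non-public-writable scratch area that "Prevents Race condition and potential symlink problems"): the name is derived from the PID, and if `mkdir` fails because something already occupies that path the script continues and writes `check.$$`, `checkoutput.$$` and `checkreport.$$` into a location it did not create, while the existing `if [ -f $TMPDIR/check.$$ ... ]` guard only catches pre-existing files of those exact names. At minimum the creation must be fatal, `mkdir $TMPDIR || { echo "Cannot create $TMPDIR" >&2; exit 1; }` (umask 077 above already makes a successfully created directory mode 700), and where the target system ships `mktemp`, `TMPDIR=$(mktemp -d /tmp/logcheck.XXXXXX) || exit 1` removes the guessable name entirely. The three `rm -rf $TMPDIR` lines (after mkdir, in the empty-input early exit, and in "Clean Up") are unquoted and assume the variable is non-empty; `rm -rf -- "${TMPDIR:?}"` makes that assumption explicit. The hunk header announces 215 lines but fewer are shown on this page, so some context may be missing from this view.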
diff --git a/logcheck.spec b/logcheck.spec
new file mode 100644 (file)
index 0000000..74ba770
--- /dev/null
@@ -0,0 +1,80 @@
+Summary:     Logcheck system log analyzer
+Name:        logcheck
+Version:     1.1
+Release:     1d
+Copyright:   Free. See LICENSE file.
+Group:       Utilities/System
+Source:      http://www.psionic.com/abacus/%{name}-%{version}.tar.gz
+Patch:       %{name}-pld.patch
+Vendor:      Craig Rowland <crowland@psionic.com>
+URL:         http://www.psionic.com/abacus
+BuildRoot:   /tmp/%{name}-%{version}-%{release}-root
+Summary(pl): Logcheck - analizator logów systemu
+
+%description
+Logcheck is software package that is designed to automatically run and check
+system log files for security violations and unusual activity. Logcheck
+utilizes a program called logtail that remembers the last position it read
+from in a log file and uses this position on subsequent runs to process new
+information. All source code is available for review and the implementation
+was kept simple to avoid problems. This package is a clone of the
+frequentcheck.sh script from the Trusted Information Systems Gauntlet(tm)
+firewall package. TIS has granted permission for me to clone this package.
+
+%description -l pl
+Pakiet zawiera logcheck - aplikacjê przeznaczon± do automatycznego analizowania
+logów systemowych i przesy³aniu ich po wstêpnjej obróbce poczt± elektroniczn± 
+do administratora systemu. Aplikacja ta jest klonem skryptu frequentcheck.sh z
+Trusted Information Systems Gauntlet(tm). 
+
+%prep
+%setup -q
+%patch -p1
+
+%install
+rm -rf $RPM_BUILD_ROOT
+
+install -d $RPM_BUILD_ROOT/etc/logcheck
+install -d $RPM_BUILD_ROOT/usr/sbin
+
+make CC="gcc" CFLAGS="$RPM_OPT_FLAGS" linux
+
+install -d $RPM_BUILD_ROOT/etc/cron.hourly
+
+cat <<EOF > $RPM_BUILD_ROOT/etc/cron.hourly/logcheck
+#!/bin/bash
+/usr/sbin/logcheck
+EOF
+
+strip $RPM_BUILD_ROOT/usr/sbin/logtail
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%files
+%defattr(644,root,root,755)
+%doc CHANGES CREDITS README* systems/linux/README*
+
+%attr(700,root,root) %dir /etc/logcheck
+%attr(600,root,root) %config(noreplace) %verify(not size mtime md5) /etc/logcheck/*
+%attr(700,root,root) %config(missingok) /etc/cron.hourly/logcheck
+%attr(700,root,root) /usr/sbin/logcheck
+%attr(700,root,root) /usr/sbin/logtail
+
+%changelog
+
+* Sat Sep 12 1998 Wojtek ¦lusarczyk <wojtek@shadow.eu.org>
+[1.1-1d]
+- build against glibc-2.1,
+- translation modified for pl,
+- added %defattr support,
+- minor spec's modifications.
+
+* Sun Jul 13 1998 Peter Soos <sp@osb.hu>
+
+- Some modification in handling of tmp files
+- Corrected the permission of document directory
+
+* Wed Jul 1 1998 Peter Soos <sp@osb.hu>
+
+- Initial package
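Review bot: `%verify(not size mtime md5) /etc/logcheck/*` disables content verification for exactly the files that decide what logcheck reports and suppresses (logcheck.hacking, logcheck.violations, logcheck.violations.ignore, logcheck.ignore), so `rpm -V logcheck` can no longer tell an administrator that an ignore list was altered on the host; `%config(noreplace)` already preserves local edits across upgrades, so the `%verify` exception can be dropped or narrowed to `%verify(not mtime)`. Separately, `BuildRoot: /tmp/%{name}-%{version}-%{release}-root` is a fixed, guessable path in a world-writable directory that both `%install` and `%clean` then `rm -rf`; placing it under the rpm macro `%{_tmppath}` (if this rpm version provides it) keeps the build root in the configured temp location rather than a hard-coded `/tmp`, and `rm -rf "${RPM_BUILD_ROOT:?}"` makes an unset variable abort instead of expanding to nothing.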