authorMatthew Seaman <matthew@FreeBSD.org>2017-07-30 15:47:59 +0000
committerMatthew Seaman <matthew@FreeBSD.org>2017-07-30 15:47:59 +0000
commit64f6103079472d2b33d56a74f31382d71e424d44 (patch)
treecc256c6cad761521c3e70088d78feef82acf4cbc /security/logcheck
parenta26a4be0f252b588c55a626010bef300856fa7d1 (diff)
* Update to 1.3.18.
* The process for fixing paths in the script and configuration files is simplified. * The logcheck man page is now generated from its DocBook SGML source file using textproc/docbook-to-man. * Sort pkg-plist. * Add the forgotten files/patch-etc_logcheck.logfiles. * Update files/patch-etc_logcheck.conf. * Move backup-file cleanup from post-patch to do-build so that 'make makepatch' works as expected. PR: 220609 Submitted by: yasu@utahime.org (maintainer)
Notes
Notes: svn path=/head/; revision=446938
Diffstat (limited to 'security/logcheck')
-rw-r--r--security/logcheck/Makefile45
-rw-r--r--security/logcheck/distinfo5
-rw-r--r--security/logcheck/files/extra-patch-docs__logcheck.8.in118
-rw-r--r--security/logcheck/files/extra-patch-etc__logcheck.conf.in17
-rw-r--r--security/logcheck/files/patch-debian_logcheck.cron.d (renamed from security/logcheck/files/extra-patch-debian__logcheck.cron.d.in)6
-rw-r--r--security/logcheck/files/patch-docs_README.logcheck16
-rw-r--r--security/logcheck/files/patch-docs_README.logcheck-database105
-rw-r--r--security/logcheck/files/patch-docs_README.logtail11
-rw-r--r--security/logcheck/files/patch-docs_logcheck-test.126
-rw-r--r--security/logcheck/files/patch-docs_logcheck.sgml17
-rw-r--r--security/logcheck/files/patch-docs_logtail2.811
-rw-r--r--security/logcheck/files/patch-etc_logcheck.conf37
-rw-r--r--security/logcheck/files/patch-etc_logcheck.logfiles8
-rw-r--r--security/logcheck/files/patch-rulefiles__linux__ignore.d.server__ssh6
-rw-r--r--security/logcheck/files/patch-src_logcheck (renamed from security/logcheck/files/extra-patch-src__logcheck.in)28
-rw-r--r--security/logcheck/files/patch-src_logcheck-test23
-rw-r--r--security/logcheck/files/patch-src_logtail2 (renamed from security/logcheck/files/extra-patch-src__logtail2.in)8
-rw-r--r--security/logcheck/pkg-plist14
18 files changed, 313 insertions, 188 deletions
diff --git a/security/logcheck/Makefile b/security/logcheck/Makefile
index 7c0314fdee8d..3d8ebe95b742 100644
--- a/security/logcheck/Makefile
+++ b/security/logcheck/Makefile
@@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME= logcheck
-PORTVERSION= 1.3.17
+PORTVERSION= 1.3.18
CATEGORIES= security
MASTER_SITES= DEBIAN_POOL
DISTNAME= ${PORTNAME}_${PORTVERSION}
@@ -11,7 +11,9 @@ MAINTAINER= yasu@utahime.org
COMMENT= Auditing tool for system logs on Unix boxes
LICENSE= GPLv2
+LICENSE_FILE= ${WRKSRC}/LICENSE
+BUILD_DEPENDS= docbook-to-man>0:textproc/docbook-to-man
RUN_DEPENDS= mime-construct:mail/mime-construct \
lockfile:mail/procmail \
bash:shells/bash
@@ -38,38 +40,31 @@ WRKSRC= ${WRKDIR}/${DISTNAME:S!_!-!}
BINMODE= 755
SUB_LIST+= LOGCHECK_USER=${LOGCHECK_USER} \
LOGCHECK_GROUP=${LOGCHECK_GROUP} \
- CRON=${PORT_OPTIONS:MCRON}
+ DBDIR=${DBDIR} CRON=${PORT_OPTIONS:MCRON}
SUB_FILES= pkg-install pkg-deinstall pkg-message
PLIST_SUB+= LOGCHECK_USER=${LOGCHECK_USER} \
LOGCHECK_GROUP=${LOGCHECK_GROUP} \
DBDIR=${DBDIR} RUNDIR=${RUNDIR}
-SHEBANG_FILES= src/logcheck src/logtail src/logtail2
+SHEBANG_FILES= src/logcheck src/logtail src/logtail2 src/detectrotate/*.dtr
CONFIG_DIRS= cracking.d ignore.d.paranoid ignore.d.server \
ignore.d.workstation violations.d violations.ignore.d
-DOCS= AUTHORS CHANGES CREDITS LICENSE TODO docs/README*
+DOCS= AUTHORS CHANGES CREDITS TODO docs/README*
PORTDOCS= ${DOCS:T}
-MAN_FILES= logcheck.8 logtail.8 logtail2.8
-
-PATCH_LIST= extra-patch-debian__logcheck.cron.d \
- extra-patch-docs__logcheck.8 \
- extra-patch-etc__logcheck.conf \
- extra-patch-src__logcheck \
- extra-patch-src__logtail2
-EXTRA_PATCHES= ${PATCH_LIST:C|^|${WRKDIR}/|g}
+MAN1_FILES= logcheck-test.1
+MAN8_FILES= logcheck.8 logtail.8 logtail2.8
+REINPLACE_FILES= debian/logcheck.cron.d docs/logcheck.sgml \
+ docs/logtail2.8 docs/README.logcheck \
+ docs/README.logcheck-database docs/README.logtail \
+ etc/logcheck.conf src/logcheck src/logtail2
.include <bsd.port.pre.mk>
-pre-patch:
-.for patch in ${PATCH_LIST}
- @${SED} ${_SUB_LIST_TEMP} ${FILESDIR}/${patch}.in > ${WRKDIR}/${patch}
-.endfor
-
-post-patch:
- @${FIND} ${WRKSRC}/rulefiles -type f -name \*.orig -delete
-
do-build:
- @${REINPLACE_CMD} -e 's!/var/log/syslog!/var/log/messages!' \
- ${WRKSRC}/etc/logcheck.logfiles
+.for file in ${REINPLACE_FILES}
+ ${REINPLACE_CMD} ${_SUB_LIST_TEMP} ${WRKSRC}/${file}
+.endfor
+ docbook-to-man ${WRKSRC}/docs/logcheck.sgml > ${WRKSRC}/docs/logcheck.8
+ ${FIND} ${WRKSRC} -type f \( -name \*.orig -o -name \*.bak \) -delete
do-install:
@${MKDIR} ${STAGEDIR}${DATADIR}/detectrotate \
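Review bot: The do-build loop `${REINPLACE_CMD} ${_SUB_LIST_TEMP} ${WRKSRC}/${file}` relies on `_SUB_LIST_TEMP`, whose leading underscore marks it as internal to the ports framework rather than a documented knob; the removed pre-patch target used it as well, but since it survives the rewrite a why-comment would help, e.g. `# _SUB_LIST_TEMP: the framework's sed expressions derived from SUB_LIST (internal name, recheck on framework updates)`. The unconditional `${FIND} ${WRKSRC} -type f \( -name \*.orig -o -name \*.bak \) -delete` also deserves a one-line comment naming what leaves those files behind, presumably patch(1) and REINPLACE_CMD backups, so nobody later narrows it back to rulefiles without knowing why it was widened. Stylistically, every other recipe line in this Makefile is prefixed with `@`, while the three new do-build lines are not. The `do-install:` target on the hunk's last line continues outside the hunk.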
@@ -78,6 +73,7 @@ do-install:
${STAGEDIR}${ETCDIR} \
${STAGEDIR}${EXAMPLESDIR} \
${STAGEDIR}${RUNDIR}
+ ${INSTALL_SCRIPT} ${WRKSRC}/src/logcheck-test ${STAGEDIR}${PREFIX}/bin
${INSTALL_SCRIPT} ${WRKSRC}/src/logcheck ${STAGEDIR}${PREFIX}/sbin
${INSTALL_SCRIPT} ${WRKSRC}/src/logtail ${STAGEDIR}${PREFIX}/sbin
${INSTALL_SCRIPT} ${WRKSRC}/src/logtail2 ${STAGEDIR}${PREFIX}/sbin
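Review bot: `src/logcheck-test` is installed with `${INSTALL_SCRIPT}` but, unlike `src/logcheck`, `src/logtail` and `src/logtail2`, it is not listed in `SHEBANG_FILES` in the earlier hunk. If it carries the same bash interpreter line as its siblings (bash is already a RUN_DEPENDS), it will be installed pointing at an interpreter path that does not exist on FreeBSD; please verify and, if so, extend the list: `SHEBANG_FILES= src/logcheck src/logcheck-test src/logtail src/logtail2 src/detectrotate/*.dtr`. The enclosing do-install target starts before and continues after this hunk.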
@@ -97,7 +93,10 @@ do-install:
@${ECHO_CMD} '@exec ${CHGRP} -R ${LOGCHECK_GROUP} \
${ETCDIR:S|^${PREFIX}/|%D/|} \
${DATADIR:S|^${PREFIX}/|%D/|}' >> ${TMPPLIST}
-.for i in ${MAN_FILES}
+.for i in ${MAN1_FILES}
+ ${INSTALL_MAN} ${WRKSRC}/docs/$i ${STAGEDIR}${MAN1PREFIX}/man/man1
+.endfor
+.for i in ${MAN8_FILES}
${INSTALL_MAN} ${WRKSRC}/docs/$i ${STAGEDIR}${MAN8PREFIX}/man/man8
.endfor
cd ${WRKSRC} && ${INSTALL_DATA} ${DOCS} ${STAGEDIR}${DOCSDIR}
diff --git a/security/logcheck/distinfo b/security/logcheck/distinfo
index 7daf3ac6ee56..0bb56d2182bc 100644
--- a/security/logcheck/distinfo
+++ b/security/logcheck/distinfo
@@ -1,2 +1,3 @@
-SHA256 (logcheck_1.3.17.tar.xz) = c2d3fc323e8c6555e91d956385dbfd0f67b55872ed0f6a7ad8ad2526a9faf03a
-SIZE (logcheck_1.3.17.tar.xz) = 130956
+TIMESTAMP = 1499679623
+SHA256 (logcheck_1.3.18.tar.xz) = 077b9149ccd2b747b52785afa89da844f3d072c017c9e719925dec6acb9a9af4
+SIZE (logcheck_1.3.18.tar.xz) = 131252
diff --git a/security/logcheck/files/extra-patch-docs__logcheck.8.in b/security/logcheck/files/extra-patch-docs__logcheck.8.in
deleted file mode 100644
index e190ae0b4e7c..000000000000
--- a/security/logcheck/files/extra-patch-docs__logcheck.8.in
+++ /dev/null
@@ -1,118 +0,0 @@
---- docs/logcheck.8.orig 2009-12-15 15:03:22.000000000 -0500
-+++ docs/logcheck.8 2009-12-15 15:03:41.000000000 -0500
-@@ -0,0 +1,115 @@
-+.\" This manpage has been automatically generated by docbook2man
-+.\" from a DocBook document. This tool can be found at:
-+.\" <http://shell.ipoline.com/~elmert/comp/docbook2X/>
-+.\" Please send any bug reports, improvements, comments, patches,
-+.\" etc. to Steve Cheng <steve@ggi-project.org>.
-+.TH "Logcheck" "8" "15 December 2009" "" ""
-+
-+.SH NAME
-+logcheck \- program to scan system logs for interesting lines
-+.SH SYNOPSIS
-+
-+\fBlogcheck\fR [ \fBOPTIONS\fR ]
-+
-+.SH "DESCRIPTION"
-+.PP
-+The \fBlogcheck\fR program helps spot problems and
-+security violations in your logfiles automatically and will send the
-+results to you periodically in an e-mail. By default logcheck runs as
-+an hourly cronjob just off the hour and after every reboot.
-+.PP
-+\fBlogcheck\fR supports three level of filtering:
-+"paranoid" is for high-security machines running as few services
-+as possible. Don't use it if you can't handle its verbose messages.
-+"server" is the default and contains rules for many different daemons.
-+"workstation" is for sheltered machines and filters most of the messages.
-+The ignore rules work in additive manner. "paranoid" rules are also
-+included at level "server" and "workstation".
-+.PP
-+The messages reported are sorted into three layers, system events,
-+security events and attack alerts. The verbosity of system events is
-+controlled by which level you choose, paranoid, server or workstation.
-+However, security events and attack alerts are not affected by this.
-+.SH "EXAMPLES"
-+.PP
-+\fBlogcheck\fR can be invoked directly thanks
-+to su(8) or sudo(8), which change the user ID. The following example checks the logfiles
-+without updating the offset and outputs everything to STDOUT.
-+.PP
-+sudo -u logcheck \fBlogcheck\fR -o -t
-+.SH "OPTIONS"
-+.PP
-+A summary of options is included below.
-+.TP
-+\fB-c CFG \fR
-+Overrule default configuration file.
-+.TP
-+\fB-d \fR
-+Debug mode.
-+.TP
-+\fB-h \fR
-+Show usage information.
-+.TP
-+\fB-H \fR
-+Use this hostname string in the subject of logcheck mail.
-+.TP
-+\fB-l LOG \fR
-+Run logfile through logcheck.
-+.TP
-+\fB-L CFG \fR
-+Overrule default logfiles list.
-+.TP
-+\fB-m \fR
-+Mail report to recipient.
-+.TP
-+\fB-o \fR
-+STDOUT mode, not sending mail.
-+.TP
-+\fB-p \fR
-+Set the report level to "paranoid".
-+.TP
-+\fB-r DIR \fR
-+Overrule default rules directory.
-+.TP
-+\fB-R \fR
-+Adds "Reboot:" to the email subject line.
-+.TP
-+\fB-s \fR
-+Set the report level to "server".
-+.TP
-+\fB-S DIR \fR
-+Overrule default state directory.
-+.TP
-+\fB-t \fR
-+Testing mode does not update offset.
-+.TP
-+\fB-T \fR
-+Do not remove the TMPDIR.
-+.TP
-+\fB-u \fR
-+Enable syslog-summary.
-+.TP
-+\fB-v \fR
-+Print current version.
-+.TP
-+\fB-w \fR
-+Set the report level to "workstation".
-+.SH "FILES"
-+.PP
-+%%ETCDIR%%/logcheck.conf is the main configuration file.
-+.PP
-+%%ETCDIR%%/logcheck.logfiles is the list of files to monitor.
-+.PP
-+%%DOCSDIR%%/README.logcheck-database for hints on how to write, test and maintain rules.
-+.SH "EXIT STATUS"
-+.PP
-+0 upon success; 1 upon failure
-+.SH "SEE ALSO"
-+.PP
-+\fBlogtail\fR(8)
-+.SH "AUTHOR"
-+.PP
-+logcheck is developed by Debian logcheck Team at alioth:
-+http://alioth.debian.org/projects/logcheck/.
-+.PP
-+This manual page was written by Jon Middleton.
diff --git a/security/logcheck/files/extra-patch-etc__logcheck.conf.in b/security/logcheck/files/extra-patch-etc__logcheck.conf.in
deleted file mode 100644
index c058a2d81f36..000000000000
--- a/security/logcheck/files/extra-patch-etc__logcheck.conf.in
+++ /dev/null
@@ -1,17 +0,0 @@
---- etc/logcheck.conf.orig 2010-04-15 01:15:34.000000000 +0900
-+++ etc/logcheck.conf 2010-05-12 14:22:13.000000000 +0900
-@@ -53,13 +53,7 @@
- # Controls the base directory for rules file location
- # This must be an absolute path
-
--#RULEDIR="/etc/logcheck"
--
--# Controls if syslog-summary is run over each section.
--# Alternatively, set to "1" to enable extra summary.
--# HINT: syslog-summary needs to be installed.
--
--#SYSLOGSUMMARY=0
-+#RULEDIR="%%ETCDIR%%"
-
- # Controls Subject: lines on logcheck reports:
-
diff --git a/security/logcheck/files/extra-patch-debian__logcheck.cron.d.in b/security/logcheck/files/patch-debian_logcheck.cron.d
index cbe5eaa7129b..e72f3f982fee 100644
--- a/security/logcheck/files/extra-patch-debian__logcheck.cron.d.in
+++ b/security/logcheck/files/patch-debian_logcheck.cron.d
@@ -1,11 +1,11 @@
---- ./debian/logcheck.cron.d.orig 2006-08-06 19:10:49.000000000 -0400
-+++ ./debian/logcheck.cron.d 2008-09-06 19:11:28.000000000 -0400
+--- debian/logcheck.cron.d.orig 2017-01-25 21:08:04 UTC
++++ debian/logcheck.cron.d
@@ -1,9 +1,5 @@
-# /etc/cron.d/logcheck: crontab entries for the logcheck package
-
-PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+# crontab entries for the logcheck package
-+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
++PATH=/sbin:/bin:/usr/sbin:/usr/bin:%%PREFIX%%/sbin:%%PREFIX%%/bin
MAILTO=root
-
-@reboot logcheck if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck -R; fi
diff --git a/security/logcheck/files/patch-docs_README.logcheck b/security/logcheck/files/patch-docs_README.logcheck
new file mode 100644
index 000000000000..0ad63ce7b395
--- /dev/null
+++ b/security/logcheck/files/patch-docs_README.logcheck
@@ -0,0 +1,16 @@
+--- docs/README.logcheck.orig 2017-01-25 21:08:04 UTC
++++ docs/README.logcheck
+@@ -17,11 +17,11 @@ don't start overlapping.
+ ======================================================================
+ LOG ENTRIES
+ -----------
+-These are taken from a specified set of logfiles (usually syslog and
++These are taken from a specified set of logfiles (usually messages and
+ auth.log); a special Perl utility named "logtail" is used which
+ "bookmarks" its place in the logs, so that events aren't reported
+ twice in successive logcheck runs. The offset records are stored as
+-(eg) "/var/lib/logcheck/offset.var.log.syslog"; lines to be
++(eg) "%%DBDIR%%/offset.var.log.messages"; lines to be
+ considered by logcheck are copied into tempfiles in the working
+ directory "/var/tmp/logcheck". See the corresponding README for
+ logtail for further notes on complications such as log-rotation.
diff --git a/security/logcheck/files/patch-docs_README.logcheck-database b/security/logcheck/files/patch-docs_README.logcheck-database
new file mode 100644
index 000000000000..736ed9f5cb86
--- /dev/null
+++ b/security/logcheck/files/patch-docs_README.logcheck-database
@@ -0,0 +1,105 @@
+--- docs/README.logcheck-database.orig 2017-01-25 21:08:04 UTC
++++ docs/README.logcheck-database
+@@ -15,7 +15,7 @@ normal egrep pattern-matches, applied in
+ 1. the "SECURITY ALERTS" layer, designed to detect the traces of active
+ intrusion attempts.
+
+- Patterns raising the alarm go in "/etc/logcheck/cracking.d"; any
++ Patterns raising the alarm go in "%%ETCDIR%%/cracking.d"; any
+ event that matches one of these patterns turns the report
+ into an urgent "Security Alerts" report, with the relevant
+ event moved to a special section. The cracking.d standard
+@@ -26,7 +26,7 @@ normal egrep pattern-matches, applied in
+ the default logcheck configuration, but if the local
+ administrator enables this layer of filtering in
+ logcheck.conf, then the rules go in the directory
+- "/etc/logcheck/cracking.ignore.d". Matches with
++ "%%ETCDIR%%/cracking.ignore.d". Matches with
+ cracking.ignore rules will then reclassify the alert as a
+ false alarm (compare violations.ignore below). Note that
+ this means they are totally ignored - log messages handled
+@@ -35,12 +35,12 @@ normal egrep pattern-matches, applied in
+ 2. the "SECURITY EVENTS" layer, designed to detect less critical
+ events still considered worthy of special attention.
+
+- Patterns raising the alarm go in "/etc/logcheck/violations.d";
++ Patterns raising the alarm go in "%%ETCDIR%%/violations.d";
+ matches with these result in a "Security Events" alert,
+ with the relevant event moved to a special section.
+
+ Patterns cancelling such alarms go in the standard directory
+- "/etc/logcheck/violations.ignore.d"; apparent "Security
++ "%%ETCDIR%%/violations.ignore.d"; apparent "Security
+ Events" that match with violations.ignore patterns are
+ discarded as false alarms.
+
+@@ -51,7 +51,7 @@ normal egrep pattern-matches, applied in
+ from the logfiles are considered for inclusion in the main
+ "System Events" section.
+
+- Patterns in the three "/etc/logcheck/ignore.d.*" directories
++ Patterns in the three "%%ETCDIR%%/ignore.d.*" directories
+ again function to overrule alerts; the log messages that
+ match them are excluded from the report as trivial. The
+ specific directories consulted depend on the prevailing
+@@ -78,13 +78,13 @@ underscore, and hyphen.
+ Contains filters relevant to only one Debian package - for example
+ if "fooserver" logs suspicious events like this:
+ "$DATE $HOSTNAME fooserver[$PID]: $USER is up to no good"
+-then a line in "/etc/logcheck/violations.d/fooserver" with an
++then a line in "%%ETCDIR%%/violations.d/fooserver" with an
+ appropriate pattern will promote it from a mere "System Event"
+ to a full "Security Event" in a subsection of the mailing headed
+ "fooserver". Or then again if that kind of log message is more
+ trivial than it looks (maybe "foo" is a networked game of
+ spy-and-counterspy) then a line in
+-"/etc/logcheck/ignore.d.server/fooserver" will turn it into a
++"%%ETCDIR%%/ignore.d.server/fooserver" will turn it into a
+ nonevent for all but the most assiduous of administrators.
+
+ Sometimes a package will have not only special alarm calls which
+@@ -107,7 +107,7 @@ that need to be processed.
+
+ Standard "generic" rules go in each directory's "./logcheck" file;
+ thus for instance any log message at all matching "ATTACK"
+-(listed in "/etc/logcheck/cracking.d/logcheck") _always_ triggers
++(listed in "%%ETCDIR%%/cracking.d/logcheck") _always_ triggers
+ a "Security Alert", unless you deliberately tamper with
+ "cracking.ignore.d" rules.
+
+@@ -122,12 +122,12 @@ non-package-specific "flagging" patterns
+ "fooserver" outputs syslog messages like this:
+ "$DATE $HOSTNAME fooserver[$PID]: 3 attempts 0 rejected"
+ then the standard keyword "reject" listed in the generic
+-"/etc/logcheck/violations.d/logcheck" file will trigger frequent
++"%%ETCDIR%%/violations.d/logcheck" file will trigger frequent
+ "Security Events" reports. Putting a filtering pattern in
+-"/etc/logcheck/violations.ignore.d/fooserver" won't help here!
++"%%ETCDIR%%/violations.ignore.d/fooserver" won't help here!
+ The solution is to use a file named in the specially-privileged
+ ./logcheck-<packagename> format:
+-"/etc/logcheck/violations.ignore.d/logcheck-fooserver".
++"%%ETCDIR%%/violations.ignore.d/logcheck-fooserver".
+ This can contain patterns provided by that particular package
+ which nonetheless need to take precedence over the generic rules.
+
+@@ -137,8 +137,8 @@ Sysadmins can use the "local-*" filename
+ additions to the "logcheck-*" pattern lists. If you have "ippl"
+ logging network connections verbosely into syslog then you can put
+ custom "Security Events" keywords in
+-"/etc/logcheck/violations.d/local-ippl" and exceptions in
+-"/etc/logcheck/violations.ignore.d/local-ippl".
++"%%ETCDIR%%/violations.d/local-ippl" and exceptions in
++"%%ETCDIR%%/violations.ignore.d/local-ippl".
+
+
+ WRITING RULES
+@@ -181,7 +181,7 @@ logcheck-test(1)).
+ Alternatively you can manually grep your log file, and remove trailing
+ space with something like this:
+
+- sed -e 's/[[:space:]]*$//' /var/log/syslog | egrep \
++ sed -e 's/[[:space:]]*$//' /var/log/messages | egrep \
+ '^\w{3} [ :0-9]{11} oempc wwwoffled\[[0-9]+\]: WWWOFFLE (On|Off)line\.$'
+
+ If the log line is displayed, then your regex works.
diff --git a/security/logcheck/files/patch-docs_README.logtail b/security/logcheck/files/patch-docs_README.logtail
new file mode 100644
index 000000000000..17d42a2bb195
--- /dev/null
+++ b/security/logcheck/files/patch-docs_README.logtail
@@ -0,0 +1,11 @@
+--- docs/README.logtail.orig 2017-01-25 21:08:04 UTC
++++ docs/README.logtail
+@@ -28,7 +28,7 @@ Logtail2, a different executeable, also
+ guessing a file name that might have been the target of log rotation
+ and printing that file's contents starting with the stored offset. If
+ you have a non-standard rotation scheme, you can drop your own
+-heuristic into /usr/share/logtail/detectrotate/ and have it
++heuristic into %%DATADIR%%/detectrotate/ and have it
+ automatically picked up by logtail2.
+ ======================================================================
+ COMMANDLINE ARGUMENTS
diff --git a/security/logcheck/files/patch-docs_logcheck-test.1 b/security/logcheck/files/patch-docs_logcheck-test.1
new file mode 100644
index 000000000000..0479807cc670
--- /dev/null
+++ b/security/logcheck/files/patch-docs_logcheck-test.1
@@ -0,0 +1,26 @@
+--- docs/logcheck-test.1.orig 2017-01-25 21:08:04 UTC
++++ docs/logcheck-test.1
+@@ -38,8 +38,8 @@ Show usage information
+ .B \-a, \-\-auth.log
+ Parse /var/log/auth.log for matching lines
+ .TP
+-.B \-s, \-\-syslog
+-Parse /var/log/syslog for matching lines
++.B \-m, \-\-messages
++Parse /var/log/messages for matching lines
+ .TP
+ .B \-l, \-\-log\-file FILE
+ Parse FILE for matching lines
+@@ -69,10 +69,10 @@ With
+ .B logcheck-test
+ you can easily write and test new rules.
+ .PP
+-Test a single rule against /var/log/syslog:
++Test a single rule against /var/log/messages:
+ .RS
+ .fam C
+-logcheck-test \-s "RULE"
++logcheck-test \-m "RULE"
+ .fam T
+ .RE
+
diff --git a/security/logcheck/files/patch-docs_logcheck.sgml b/security/logcheck/files/patch-docs_logcheck.sgml
new file mode 100644
index 000000000000..798972606dec
--- /dev/null
+++ b/security/logcheck/files/patch-docs_logcheck.sgml
@@ -0,0 +1,17 @@
+--- docs/logcheck.sgml.orig 2017-01-25 21:08:04 UTC
++++ docs/logcheck.sgml
+@@ -244,10 +244,10 @@ manpage.1: manpage.sgml
+ <refsect1>
+ <title>FILES</title>
+
+- <para>/etc/logcheck/logcheck.conf is the main configuration file.</para>
+- <para>/etc/logcheck/logcheck.logfiles is the list of files to monitor.</para>
+- <para>/etc/logcheck/logcheck.logfiles.d is the directory of lists of files to monitor.</para>
+- <para>/usr/share/doc/logcheck-database/README.logcheck-database.gz for hints on how to write, test and maintain rules.</para>
++ <para>%%ETCDIR%%/logcheck.conf is the main configuration file.</para>
++ <para>%%ETCDIR%%/logcheck.logfiles is the list of files to monitor.</para>
++ <para>%%ETCDIR%%/logcheck.logfiles.d is the directory of lists of files to monitor.</para>
++ <para>%%DOCSDIR%%/README.logcheck-database for hints on how to write, test and maintain rules.</para>
+ </refsect1>
+ <refsect1>
+ <title>EXIT STATUS</title>
diff --git a/security/logcheck/files/patch-docs_logtail2.8 b/security/logcheck/files/patch-docs_logtail2.8
new file mode 100644
index 000000000000..21598020691d
--- /dev/null
+++ b/security/logcheck/files/patch-docs_logtail2.8
@@ -0,0 +1,11 @@
+--- docs/logtail2.8.orig 2017-01-25 21:08:04 UTC
++++ docs/logtail2.8
+@@ -38,7 +38,7 @@ is not empty, the inode of
+ is checked. If the inode is changed,
+ .B logtail2
+ uses the heuristics stored in
+-.I /usr/share/logtail/detectrotate/
++.I %%DATADIR%%/detectrotate/
+ to find a file that might be the rotated
+ .I logfile
+ and prints it starting with the stored offset. It then proceeds to
diff --git a/security/logcheck/files/patch-etc_logcheck.conf b/security/logcheck/files/patch-etc_logcheck.conf
new file mode 100644
index 000000000000..4af58e20395b
--- /dev/null
+++ b/security/logcheck/files/patch-etc_logcheck.conf
@@ -0,0 +1,37 @@
+--- etc/logcheck.conf.orig 2017-01-25 21:08:04 UTC
++++ etc/logcheck.conf
+@@ -9,7 +9,7 @@
+ # Controls the presence of boilerplate at the top of each message:
+ # Alternatively, set to "0" to disable the introduction.
+ #
+-# If the files /etc/logcheck/header.txt and /etc/logcheck/footer.txt
++# If the files %%ETCDIR%%/header.txt and %%ETCDIR%%/footer.txt
+ # are present their contents will be read and used as the header and
+ # footer of any generated mails.
+
+@@ -44,8 +44,8 @@ FQDN=1
+
+ #SORTUNIQ=0
+
+-# Controls whether /etc/logcheck/cracking.ignore.d is scanned for
+-# exceptions to the rules in /etc/logcheck/cracking.d:
++# Controls whether %%ETCDIR%%/cracking.ignore.d is scanned for
++# exceptions to the rules in %%ETCDIR%%/cracking.d:
+ # Alternatively, set to "1" to enable cracking.ignore support
+
+ #SUPPORT_CRACKING_IGNORE=0
+@@ -53,13 +53,7 @@ FQDN=1
+ # Controls the base directory for rules file location
+ # This must be an absolute path
+
+-#RULEDIR="/etc/logcheck"
+-
+-# Controls if syslog-summary is run over each section.
+-# Alternatively, set to "1" to enable extra summary.
+-# HINT: syslog-summary needs to be installed.
+-
+-#SYSLOGSUMMARY=0
++#RULEDIR="%%ETCDIR%%"
+
+ # Controls Subject: lines on logcheck reports:
+
diff --git a/security/logcheck/files/patch-etc_logcheck.logfiles b/security/logcheck/files/patch-etc_logcheck.logfiles
new file mode 100644
index 000000000000..5b53b848f9ca
--- /dev/null
+++ b/security/logcheck/files/patch-etc_logcheck.logfiles
@@ -0,0 +1,8 @@
+--- etc/logcheck.logfiles.orig 2017-01-25 21:08:04 UTC
++++ etc/logcheck.logfiles
+@@ -1,4 +1,4 @@
+ # these files will be checked by logcheck
+ # This has been tuned towards a default syslog install
+-/var/log/syslog
+ /var/log/auth.log
++/var/log/messages
diff --git a/security/logcheck/files/patch-rulefiles__linux__ignore.d.server__ssh b/security/logcheck/files/patch-rulefiles__linux__ignore.d.server__ssh
index c482cb8536ac..a2f03376fa88 100644
--- a/security/logcheck/files/patch-rulefiles__linux__ignore.d.server__ssh
+++ b/security/logcheck/files/patch-rulefiles__linux__ignore.d.server__ssh
@@ -1,6 +1,6 @@
---- ./rulefiles/linux/ignore.d.server/ssh.orig 2010-09-03 04:24:30.000000000 -0400
-+++ ./rulefiles/linux/ignore.d.server/ssh 2011-11-23 14:25:31.000000000 -0500
-@@ -21,8 +21,8 @@
+--- rulefiles/linux/ignore.d.server/ssh.orig 2017-01-25 21:08:04 UTC
++++ rulefiles/linux/ignore.d.server/ssh
+@@ -27,8 +27,8 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: \(pam_unix\) check pass; user unknown$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: \(pam_unix\) bad username \[[^]]+\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: Could not get shadow information for NOUSER$
diff --git a/security/logcheck/files/extra-patch-src__logcheck.in b/security/logcheck/files/patch-src_logcheck
index d4dc8582a938..701eaeba10c6 100644
--- a/security/logcheck/files/extra-patch-src__logcheck.in
+++ b/security/logcheck/files/patch-src_logcheck
@@ -1,5 +1,5 @@
---- src/logcheck.orig 2010-07-07 15:59:57.000000000 -0400
-+++ src/logcheck 2010-07-07 16:19:33.000000000 -0400
+--- src/logcheck.orig 2017-07-11 17:32:13 UTC
++++ src/logcheck
@@ -24,17 +24,10 @@
if [ `id -u` = 0 ]; then
@@ -20,7 +20,7 @@
exit 1
fi
-@@ -69,12 +62,12 @@
+@@ -69,13 +62,13 @@ EVENTSSUBJECT="System Events"
ADDTAG="no"
# Set the default paths
@@ -28,18 +28,20 @@
-CONFFILE="/etc/logcheck/logcheck.conf"
-STATEDIR="/var/lib/logcheck"
-LOGFILES_LIST="/etc/logcheck/logcheck.logfiles"
+-LOGFILES_LIST_D="/etc/logcheck/logcheck.logfiles.d"
-LOGFILE_FALLBACK="/var/log/syslog"
-LOGTAIL="/usr/sbin/logtail2"
+RULEDIR="%%ETCDIR%%"
+CONFFILE="%%ETCDIR%%/logcheck.conf"
-+STATEDIR="/var/db/logcheck"
++STATEDIR="%%DBDIR%%"
+LOGFILES_LIST="%%ETCDIR%%/logcheck.logfiles"
++LOGFILES_LIST_D="%%ETCDIR%%/logcheck.logfiles.d"
+LOGFILE_FALLBACK="/var/log/messages"
+LOGTAIL="%%PREFIX%%/sbin/logtail2"
CAT="/bin/cat"
SYSLOG_SUMMARY="/usr/bin/syslog-summary"
-@@ -89,20 +82,15 @@
+@@ -90,20 +83,15 @@ FQDN=0
SORTUNIQ=0
SUPPORT_CRACKING_IGNORE=0
SYSLOGSUMMARY=0
@@ -64,7 +66,7 @@
fi
if [ -d "$TMPDIR" ]; then
-@@ -144,14 +132,9 @@
+@@ -145,14 +133,9 @@ error() {
if [ "$2" = "noclean" ]; then
debug "error: Not removing lockfile"
else
@@ -82,7 +84,7 @@
fi
fi
-@@ -170,7 +153,7 @@
+@@ -171,7 +154,7 @@ $message
${TMPDIR:+Check temporary directory: $TMPDIR
}
Also verify that the logcheck user can read all files referenced in
@@ -91,16 +93,16 @@
$(export)
EOF
-@@ -215,7 +198,7 @@
- mkdir "$cleaned" \
- || error "Could not make dir $cleaned for cleaned rulefiles."
- fi
+@@ -223,7 +206,7 @@ cleanrules() {
+ error "Couldn't read $x"
+ fi
+ done
- for rulefile in $(run-parts --list "$dir"); do
+ for rulefile in $(ls -1R "$dir"); do
rulefile="$(basename "$rulefile")"
if [ -f "${dir}/${rulefile}" ]; then
debug "cleanrules: ${dir}/${rulefile}"
-@@ -529,9 +512,9 @@
+@@ -538,9 +521,9 @@ fi
# Hostname either fully qualified or not.
if [ "$FQDN" -eq 1 ]; then
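Review bot: The new side of this patch keeps `for rulefile in $(ls -1R "$dir"); do` as the replacement for `run-parts --list`, and that drops the filename filtering run-parts performs: run-parts lists only names made of letters, digits, underscore and hyphen, which is what kept editor backups, `*.orig` copies and similar leftovers in the rule directories from being loaded as patterns, whereas `ls -1R` returns every entry (and recurses, relying on the `[ -f "${dir}/${rulefile}" ]` test on the following line to skip directory headers). Since these files decide which log lines are ignored, a stray extra file in the installed `%%ETCDIR%%` tree silently widens the ignore set; the do-build cleanup of `*.orig`/`*.bak` only covers the build tree. Restoring the filter, e.g. `for rulefile in $(ls -1R "$dir" | grep -E '^[A-Za-z0-9_-]+$'); do`, would keep the upstream behaviour. This line is carried over from the previous extra-patch rather than introduced here, and the cleanrules function starts before and continues after the hunk.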
@@ -112,7 +114,7 @@
fi
# Now check for the other options
-@@ -610,30 +593,25 @@
+@@ -623,30 +606,25 @@ fi
trap 'cleanup' 0
diff --git a/security/logcheck/files/patch-src_logcheck-test b/security/logcheck/files/patch-src_logcheck-test
new file mode 100644
index 000000000000..b4975603443f
--- /dev/null
+++ b/security/logcheck/files/patch-src_logcheck-test
@@ -0,0 +1,23 @@
+--- src/logcheck-test.orig 2017-01-25 21:08:04 UTC
++++ src/logcheck-test
+@@ -38,7 +38,7 @@ usage() {
+ usage: logcheck-test
+ -h|--help : Show usage information
+ -a|--auth.log : Parse /var/log/auth.log
+--s|--syslog : Parse /var/log/syslog
++-m|--messages : Parse /var/log/messages
+ -l|--log-file LOGFILE : Parse LOGFILE
+ -i|--invert-match : Show lines that don't match the RULE or RULEFILE
+ -q|--quiet : Suppress rule summary
+@@ -103,9 +103,9 @@ while [ -n "${1:-}" ]; do
+ warn "option -a ignored"
+ fi
+ ;;
+- -s|--syslog)
++ -m|--messages)
+ if [ -z "$FILE" ] ; then
+- FILE="/var/log/syslog"
++ FILE="/var/log/messages"
+ else
+ warn "option -s ignored"
+ fi
diff --git a/security/logcheck/files/extra-patch-src__logtail2.in b/security/logcheck/files/patch-src_logtail2
index 8c145bd7f7f0..bb18b85904a0 100644
--- a/security/logcheck/files/extra-patch-src__logtail2.in
+++ b/security/logcheck/files/patch-src_logtail2
@@ -1,8 +1,8 @@
---- src/logtail2.orig 2010-01-18 17:24:26.000000000 -0500
-+++ src/logtail2 2010-01-18 17:24:40.000000000 -0500
-@@ -108,7 +108,7 @@
+--- src/logtail2.orig 2017-07-11 17:32:13 UTC
++++ src/logtail2
+@@ -109,7 +109,7 @@ sub determine_rotated_logfile {
# function with dateext magic added.
-
+
#print "determine_rotated_logfile $filename $inode\n";
- for my $codefile (glob("/usr/share/logtail/detectrotate/*.dtr")) {
+ for my $codefile (glob("%%DATADIR%%/detectrotate/*.dtr")) {
diff --git a/security/logcheck/pkg-plist b/security/logcheck/pkg-plist
index 5b536bf0f127..b1b6a7c28958 100644
--- a/security/logcheck/pkg-plist
+++ b/security/logcheck/pkg-plist
@@ -1,4 +1,7 @@
@mode 640
+%%DATADIR%%/detectrotate/10-savelog.dtr
+%%DATADIR%%/detectrotate/20-logrotate.dtr
+%%DATADIR%%/detectrotate/30-logrotate-dateext.dtr
%%ETCDIR%%/cracking.d/kernel
%%ETCDIR%%/cracking.d/rlogind
%%ETCDIR%%/cracking.d/rsh
@@ -131,6 +134,8 @@
%%ETCDIR%%/ignore.d.server/sudo
%%ETCDIR%%/ignore.d.server/sympa
%%ETCDIR%%/ignore.d.server/syslogd
+%%ETCDIR%%/ignore.d.server/systemd
+%%ETCDIR%%/ignore.d.server/systemd-timesyncd
%%ETCDIR%%/ignore.d.server/teapop
%%ETCDIR%%/ignore.d.server/telnetd
%%ETCDIR%%/ignore.d.server/tftpd
@@ -179,6 +184,8 @@
%%ETCDIR%%/ignore.d.workstation/wpasupplicant
%%ETCDIR%%/ignore.d.workstation/xdm
%%ETCDIR%%/ignore.d.workstation/xlockmore
+%%ETCDIR%%/logcheck.conf.sample
+%%ETCDIR%%/logcheck.logfiles.sample
%%ETCDIR%%/violations.d/kernel
%%ETCDIR%%/violations.d/logcheck
%%ETCDIR%%/violations.d/smartd
@@ -186,12 +193,9 @@
%%ETCDIR%%/violations.d/sudo
%%ETCDIR%%/violations.ignore.d/logcheck-su
%%ETCDIR%%/violations.ignore.d/logcheck-sudo
-%%ETCDIR%%/logcheck.conf.sample
-%%ETCDIR%%/logcheck.logfiles.sample
-%%DATADIR%%/detectrotate/10-savelog.dtr
-%%DATADIR%%/detectrotate/20-logrotate.dtr
-%%DATADIR%%/detectrotate/30-logrotate-dateext.dtr
@mode
+bin/logcheck-test
+man/man1/logcheck-test.1.gz
man/man8/logcheck.8.gz
man/man8/logtail.8.gz
man/man8/logtail2.8.gz