From f2ce25a0f4e4b3aeea3901de12366995b800b925 Mon Sep 17 00:00:00 2001
From: nra
Date: Tue, 17 Jul 2001 15:00:48 +0000
Subject: Add logcheck-1.1.1.

PR #13271 by Martti Kuparinen. Auditing tool for system logs on Unix boxes. Logcheck helps spot problems and security violations in your logfiles automatically and will send the results to you in e-mail. Logcheck is part of the Abacus Project of security tools. It is a program created to help in the processing of UNIX system logfiles generated by the various Abacus Project tools, system daemons, Wietse Venema's TCP Wrapper and Log Daemon packages, and the Firewall Toolkit(c) by Trusted Information Systems Inc.(TIS). Logcheck also works very well at reporting on other common operating system security violations and strange events.
---
security/logcheck/Makefile | 25 +++++++++++
security/logcheck/distinfo | 6 +++
security/logcheck/patches/patch-aa | 90 ++++++++++++++++++++++++++++++++++++++
security/logcheck/patches/patch-ab | 78 +++++++++++++++++++++++++++++++++
security/logcheck/pkg/DEINSTALL | 8 ++++
security/logcheck/pkg/DESCR | 14 ++++++
security/logcheck/pkg/MESSAGE.in | 14 ++++++
security/logcheck/pkg/PLIST | 7 +++
8 files changed, 242 insertions(+)
create mode 100644 security/logcheck/Makefile
create mode 100644 security/logcheck/distinfo
create mode 100644 security/logcheck/patches/patch-aa
create mode 100644 security/logcheck/patches/patch-ab
create mode 100755 security/logcheck/pkg/DEINSTALL
create mode 100644 security/logcheck/pkg/DESCR
create mode 100644 security/logcheck/pkg/MESSAGE.in
create mode 100644 security/logcheck/pkg/PLIST
diff --git a/security/logcheck/Makefile b/security/logcheck/Makefile
new file mode 100644
index 00000000000..6e19f400496
--- /dev/null
+++ b/security/logcheck/Makefile
@@ -0,0 +1,25 @@
+# $NetBSD: Makefile,v 1.1.1.1 2001/07/17 15:00:48 nra Exp $
+
+DISTNAME= logcheck-1.1.1
+CATEGORIES= security
+MASTER_SITES= http://www.psionic.com/tools/
+
+MAINTAINER= packages@netbsd.org
+HOMEPAGE= http://www.psionic.com/
+COMMENT= Auditing tool for system logs on Unix boxes
+
+PKGMESSAGE= ${WRKDIR}/MESSAGE
+
+post-patch:
+ @${MV} ${WRKSRC}/Makefile ${WRKSRC}/Makefile.old
+ @${SED} -e "s+/usr/local+${PREFIX}+g" \
+ < ${WRKSRC}/Makefile.old > ${WRKSRC}/Makefile
+
+post-build:
+ @${SED} -e "s+%%PREFIX%%+${PREFIX}+g" \
+ ${PKGDIR}/MESSAGE.in > ${PKGMESSAGE}
+
+post-install:
+ @${CAT} ${PKGMESSAGE}
+
+.include "../../mk/bsd.pkg.mk"
diff --git a/security/logcheck/distinfo b/security/logcheck/distinfo
new file mode 100644
index 00000000000..d5998d9621e
--- /dev/null
+++ b/security/logcheck/distinfo
@@ -0,0 +1,6 @@
+$NetBSD: distinfo,v 1.1.1.1 2001/07/17 15:00:48 nra Exp $
+
+SHA1 (logcheck-1.1.1.tar.gz) = 18f89f0dacfe9ff31076c006d58e1bcfedaa7f22
+Size (logcheck-1.1.1.tar.gz) = 30267 bytes
+SHA1 (patch-aa) = a0d57a4554d670add82c8df7df7ec84515497b3d
+SHA1 (patch-ab) = 8dd4c3a6c7bba07792c5fc6ac5caaf5e7cde7242
diff --git a/security/logcheck/patches/patch-aa b/security/logcheck/patches/patch-aa
new file mode 100644
index 00000000000..7be2ec21ef4
--- /dev/null
+++ b/security/logcheck/patches/patch-aa
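Review bot: The post-patch rule rewrites every `/usr/local` in the upstream Makefile with sed, but nothing applies the same substitution to `systems/freebsd/logcheck.sh`, whose install paths patch-ab instead hard-codes as `/usr/pkg`; a build with any other PREFIX installs a Makefile and a script that disagree about where logtail and the pattern files live. The MESSAGE.in handling in post-build already shows the cleaner pattern, so patch-ab could carry a `%%PREFIX%%` placeholder and post-patch could run `${SED} -e "s+%%PREFIX%%+${PREFIX}+g"` over logcheck.sh in the same way. Since PREFIX is user-supplied, `s,/usr/local,${PREFIX},g` is also safer than a `+` delimiter, which a prefix path may legitimately contain. The fact that patch-aa and this sed both edit the same Makefile deserves a one-line comment such as `# patch-aa cannot know PREFIX; substitute /usr/local after patching`.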
@@ -0,0 +1,90 @@
+$NetBSD: patch-aa,v 1.1.1.1 2001/07/17 15:00:48 nra Exp $
+
+--- Makefile.orig Sun Oct 31 16:07:29 1999
++++ Makefile Thu Jun 21 09:19:45 2001
+@@ -5,13 +5,15 @@
+ # Thanks to rbulling@obscure.org for cleaning this Makefile up..
+ #
+ 
++SYSTYPE=freebsd
++
+ # Generic compiler
+- CC = cc
++ CC ?= cc
+ # GNU..
+ # CC = gcc
+ 
+ # Normal systems flags
+-CFLAGS = -O
++CFLAGS ?= -O
+ # Braindead HPUX compiler flags
+ #CFLAGS = -O -Aa
+ 
+@@ -30,24 +32,12 @@
+ INSTALLDIR_SH = /usr/local/etc
+ 
+ # The scratch directory for logcheck files.
+-TMPDIR = /usr/local/etc/tmp
++TMPDIR = /var/adm/tmp
+ 
+ # Debug mode for logtail
+ # CFLAGS = -g -DDEBUG
+ 
+-all:
+- @echo "Usage: make "
+- @echo " is one of: "
+- @echo " linux, bsdos, freebsd, sun, generic, hpux, digital"
+- @echo ""
+- @echo "NOTE: This will make and install the package in these"
+- @echo " directories:"
+- @echo " logcheck configuration files : $(INSTALLDIR)"
+- @echo " logcheck.sh shell script : $(INSTALLDIR_SH)"
+- @echo " logtail program : $(INSTALLDIR_BIN)"
+- @echo ""
+- @echo "Edit the makefile if you wish to change these paths."
+- @echo "Any existing files will be overwritten."
++all: build
+ 
+ clean:
+ /bin/rm ./src/logtail ./src/logtail.o
+@@ -60,27 +50,29 @@
+ /bin/rm $(INSTALLDIR)/logcheck.violations.ignore
+ /bin/rm $(INSTALLDIR_BIN)/logtail
+ 
+-install:
++build:
+ @echo "Making $(SYSTYPE)"
+ $(CC) $(CFLAGS) -o ./src/logtail ./src/logtail.c
++
++install:
+ @echo "Creating temp directory $(TMPDIR)"
+- @if [ ! -d $(TMPDIR) ]; then /bin/mkdir $(TMPDIR); fi
++ @if [ ! -d $(TMPDIR) ]; then /bin/mkdir -p $(TMPDIR); fi
+ @echo "Setting temp directory permissions"
+ chmod 700 $(TMPDIR)
+ @echo "Copying files"
+- cp ./systems/$(SYSTYPE)/logcheck.hacking $(INSTALLDIR)
+- cp ./systems/$(SYSTYPE)/logcheck.violations $(INSTALLDIR)
+- cp ./systems/$(SYSTYPE)/logcheck.violations.ignore $(INSTALLDIR)
+- cp ./systems/$(SYSTYPE)/logcheck.ignore $(INSTALLDIR)
+- cp ./systems/$(SYSTYPE)/logcheck.sh $(INSTALLDIR_SH)
++ cp ./systems/$(SYSTYPE)/logcheck.hacking $(INSTALLDIR)/logcheck.hacking.sample
++ cp ./systems/$(SYSTYPE)/logcheck.violations $(INSTALLDIR)/logcheck.violations.sample
++ cp ./systems/$(SYSTYPE)/logcheck.violations.ignore $(INSTALLDIR)/logcheck.violations.ignore.sample
++ cp ./systems/$(SYSTYPE)/logcheck.ignore $(INSTALLDIR)/logcheck.ignore.sample
++ cp ./systems/$(SYSTYPE)/logcheck.sh $(INSTALLDIR_SH)/logcheck.sh
+ cp ./src/logtail $(INSTALLDIR_BIN)
+ @echo "Setting permissions"
+ chmod 700 $(INSTALLDIR_SH)/logcheck.sh
+ chmod 700 $(INSTALLDIR_BIN)/logtail
+- chmod 600 $(INSTALLDIR)/logcheck.violations.ignore
+- chmod 600 $(INSTALLDIR)/logcheck.violations
+- chmod 600 $(INSTALLDIR)/logcheck.hacking
+- chmod 600 $(INSTALLDIR)/logcheck.ignore
++ chmod 600 $(INSTALLDIR)/logcheck.violations.ignore.sample
++ chmod 600 $(INSTALLDIR)/logcheck.violations.sample
++ chmod 600 $(INSTALLDIR)/logcheck.hacking.sample
++ chmod 600 $(INSTALLDIR)/logcheck.ignore.sample
+ @echo "Done. Don't forget to set your crontab."
+ 
+ generic:
diff --git a/security/logcheck/patches/patch-ab b/security/logcheck/patches/patch-ab
new file mode 100644
index 00000000000..54cc08844bf
--- /dev/null
+++ b/security/logcheck/patches/patch-ab
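Review bot: In the new install target, `/bin/mkdir -p $(TMPDIR)` followed by `chmod 700 $(TMPDIR)` tightens only the leaf `/var/adm/tmp`; the parent `/var/adm` is left with whatever mode the build's umask produces. More importantly the directory is created by the build recipe rather than by the package, so it lies outside ${PREFIX}, cannot be listed in PLIST, and as far as this diff shows nothing recreates it when the package is installed from a binary package, while pkg/DEINSTALL does remove it. Creating the scratch directory from an install-time script in pkg/ next to DEINSTALL, with the same explicit `chmod 700`, would keep the non-public-writable guarantee that logcheck.sh's comments rely on in every install path. The `clean` target lines shown as context also use `/bin/rm` without `-f`, so `make clean` fails on a tree that was never built; `/bin/rm -f` is the usual form.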
@@ -0,0 +1,78 @@
+$NetBSD: patch-ab,v 1.1.1.1 2001/07/17 15:00:48 nra Exp $
+
+--- systems/freebsd/logcheck.sh.orig Sun Oct 31 16:07:29 1999
++++ systems/freebsd/logcheck.sh Thu Jun 21 08:42:39 2001
+@@ -31,7 +31,7 @@
+ 
+ # CONFIGURATION SECTION
+ 
+-PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/ucb:/usr/local/bin
++PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/pkg/sbin:/usr/pkg/bin
+ 
+ # Logcheck is pre-configured to work on most BSD like systems, however it
+ # is a rather dumb program and may need some help to work on other
+@@ -44,7 +44,7 @@
+ # Full path to logtail program.
+ # This program is required to run this script and comes with the package.
+ 
+-LOGTAIL=/usr/local/bin/logtail
++LOGTAIL=/usr/pkg/bin/logtail
+ 
+ # Full path to SECURED (non public writable) /tmp directory.
+ # Prevents Race condition and potential symlink problems. I highly
+@@ -52,7 +52,7 @@
+ # You would also be well advised to make sure all your system/cron scripts
+ # use this directory for their "scratch" area.
+ 
+-TMPDIR=/usr/local/etc/tmp
++TMPDIR=/var/adm/tmp
+ 
+ # The 'grep' command. This command MUST support the
+ # '-i' '-v' and '-f' flags!! The GNU grep does this by default (that's
+@@ -89,7 +89,7 @@
+ # look for generic ISS probes (who the hell else looks for
+ # "WIZ" besides ISS?), and obvious sendmail attacks/probes.
+ 
+-HACKING_FILE=/usr/local/etc/logcheck.hacking
++HACKING_FILE=/usr/pkg/etc/logcheck.hacking
+ 
+ # File of security violation patterns to specifically look for.
+ # This file should contain keywords of information administrators should
+@@ -98,7 +98,7 @@
+ # some items, but these will be caught by the next check. Move suspicious
+ # items into this file to have them reported regularly.
+ 
+-VIOLATIONS_FILE=/usr/local/etc/logcheck.violations
++VIOLATIONS_FILE=/usr/pkg/etc/logcheck.violations
+ 
+ # File that contains more complete sentences that have keywords from
+ # the violations file. These keywords are normal and are not cause for
+@@ -115,14 +115,14 @@
+ #
+ # Again, be careful what you put in here and DO NOT LEAVE IT EMPTY!
+ 
+-VIOLATIONS_IGNORE_FILE=/usr/local/etc/logcheck.violations.ignore
++VIOLATIONS_IGNORE_FILE=/usr/pkg/etc/logcheck.violations.ignore
+ 
+ # This is the name of a file that contains patterns that we should
+ # ignore if found in a log file. If you have repeated false alarms
+ # or want specific errors ignored, you should put them in here.
+ # Once again, be as specific as possible, and go easy on the wildcards
+ 
+-IGNORE_FILE=/usr/local/etc/logcheck.ignore
++IGNORE_FILE=/usr/pkg/etc/logcheck.ignore
+ 
+ # The files are reported in the order of hacking, security
+ # violations, and unusual system events. Notice that this
+@@ -170,9 +170,10 @@
+ #$LOGTAIL /var/log/secure >> $TMPDIR/check.$$
+ #$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
+ 
+-# FreeBSD 2.x
++# NetBSD
+ $LOGTAIL /var/log/messages > $TMPDIR/check.$$
+ $LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
++$LOGTAIL /var/log/authlog >> $TMPDIR/check.$$
+ 
+ # BSDI 2.x
+ #$LOGTAIL /var/log/messages > $TMPDIR/check.$$
diff --git a/security/logcheck/pkg/DEINSTALL b/security/logcheck/pkg/DEINSTALL
new file mode 100755
index 00000000000..f8dfee1d9eb
--- /dev/null
+++ b/security/logcheck/pkg/DEINSTALL
@@ -0,0 +1,8 @@
+#!/bin/sh
+#
+# $NetBSD: DEINSTALL,v 1.1.1.1 2001/07/17 15:00:48 nra Exp $
+#
+
+[ -d /var/adm/tmp ] && rmdir /var/adm/tmp
+[ -d /var/adm ] && rmdir /var/adm
+exit 0
diff --git a/security/logcheck/pkg/DESCR b/security/logcheck/pkg/DESCR
new file mode 100644
index 00000000000..91ccbe4c5b7
--- /dev/null
+++ b/security/logcheck/pkg/DESCR
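Review bot: `TMPDIR=/var/adm/tmp` is now hard-coded in three places that must agree — this script, the Makefile in patch-aa and pkg/DEINSTALL — with nothing tying them together; a comment on that line, `# must match TMPDIR in the Makefile (patch-aa) and pkg/DEINSTALL`, would at least make the coupling visible. The script's own comments say the directory must be secured and non-public-writable because `$TMPDIR/check.$$` is a predictable name, and that property now rests entirely on the install recipe's `chmod 700`; if logcheck.sh does not already refuse to run when the directory is missing or has the wrong mode (its main body is outside these hunks), that check is worth adding before the first `$LOGTAIL` redirect. The new `# NetBSD` block also adds `/var/log/authlog`, which presumably only exists if syslogd is configured to write it; a note to that effect next to the line would explain a first-run error on hosts where it is absent.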
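Review bot: `[ -d /var/adm ] && rmdir /var/adm` removes a directory the package did not necessarily create: if `/var/adm` already existed empty before installation, deinstalling logcheck takes it away. Because `rmdir` refuses non-empty directories and the script always ends in `exit 0`, a scratch directory that still holds check files is silently left in place; that is the safe behaviour, since nothing is ever force-deleted, but a comment such as `# rmdir only: never remove the scratch dir while it still holds files` would make it clear the silence is deliberate. The script also ignores its arguments, so if the package tools invoke it once per deinstall stage it simply runs twice — harmless here, but worth a one-line comment so a later edit does not add something non-idempotent.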
@@ -0,0 +1,14 @@
+Logcheck helps spot problems and security violations in your logfiles
+automatically and will send the results to you in e-mail.
+
+Logcheck is part of the Abacus Project of security tools. It is a program
+created to help in the processing of UNIX system logfiles generated by the
+various Abacus Project tools, system daemons, Wietse Venema's TCP Wrapper
+and Log Daemon packages, and the Firewall Toolkit(c) by Trusted Information
+Systems Inc.(TIS). Logcheck also works very well at reporting on other
+common operating system security violations and strange events.
+
+WWW: http://www.psionic.com/
+
+- Dan Langille
+dan@freebsddiary.org
diff --git a/security/logcheck/pkg/MESSAGE.in b/security/logcheck/pkg/MESSAGE.in
new file mode 100644
index 00000000000..5dae1b02af9
--- /dev/null
+++ b/security/logcheck/pkg/MESSAGE.in
@@ -0,0 +1,14 @@
+----------------------------------------------------------------------------
+
+ Remember to copy the sample files to the real file names.
+ Here is an example what you need to do:
+
+ cd %%PREFIX%%/etc/
+ cp logcheck.ignore.sample logcheck.ignore
+ cp logcheck.violations.ignore.sample logcheck.violations.ignore
+ cp logcheck.violations.sample logcheck.violations
+ cp logcheck.hacking.sample logcheck.hacking
+
+ Note that logcheck is started with %%PREFIX%%/etc/logcheck.sh
+
+----------------------------------------------------------------------------
diff --git a/security/logcheck/pkg/PLIST b/security/logcheck/pkg/PLIST
new file mode 100644
index 00000000000..be909d84380
--- /dev/null
+++ b/security/logcheck/pkg/PLIST
@@ -0,0 +1,7 @@
+@comment $NetBSD: PLIST,v 1.1.1.1 2001/07/17 15:00:48 nra Exp $
+bin/logtail
+etc/logcheck.hacking.sample
+etc/logcheck.ignore.sample
+etc/logcheck.sh
+etc/logcheck.violations.ignore.sample
+etc/logcheck.violations.sample
-- 
cgit v1.2.3