From 0a50d441e44840fcdaa18d36fd69d0de3bdae6c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Karel=20Kl=C3=AD=C4=8D?=
Date: Wed, 16 Dec 2009 15:41:22 +0000
Subject: [PATCH] added patches from F10 parsing several unmatched entries

---
 logwatch-7.3.6-audit4.patch | 22 ++++++++++++++
 logwatch-7.3.6-dhcpd.patch | 14 +++++++++
 logwatch-7.3.6-dovecot2.patch | 36 +++++++++++++++++++++++
 logwatch-7.3.6-named6.patch | 15 ++++++++++
 logwatch-7.3.6-openvpn4.patch | 24 +++++++++++++++
 logwatch-7.3.6-pam_unix4.patch | 54 ++++++++++++++++++++++++++++++++++
 logwatch-7.3.6-secure3.patch | 36 +++++++++++++++++++++++
 logwatch.spec | 18 ++++++++++++
 8 files changed, 219 insertions(+)
 create mode 100644 logwatch-7.3.6-audit4.patch
 create mode 100644 logwatch-7.3.6-dhcpd.patch
 create mode 100644 logwatch-7.3.6-dovecot2.patch
 create mode 100644 logwatch-7.3.6-named6.patch
 create mode 100644 logwatch-7.3.6-openvpn4.patch
 create mode 100644 logwatch-7.3.6-pam_unix4.patch
 create mode 100644 logwatch-7.3.6-secure3.patch

diff --git a/logwatch-7.3.6-audit4.patch b/logwatch-7.3.6-audit4.patch
new file mode 100644
index 0000000..60baf67
--- /dev/null
+++ b/logwatch-7.3.6-audit4.patch
@@ -0,0 +1,22 @@
+diff -up logwatch-7.3.6/scripts/services/audit.pom logwatch-7.3.6/scripts/services/audit
+--- logwatch-7.3.6/scripts/services/audit.pom 2009-10-12 12:42:39.000000000 +0200
++++ logwatch-7.3.6/scripts/services/audit 2009-10-12 12:47:19.000000000 +0200
+@@ -70,7 +70,7 @@ while ($ThisLine = ) {
+ chomp($ThisLine);
+ if (( $ThisLine =~ /initializing netlink socket \(disabled\)/) or
+ ( $ThisLine =~ /audit_pid=[0-9]* old=[0-9]*(?: by auid=[0-9]*)?/) or
+- ( $ThisLine =~ /(arch=[0-9]+ )?syscall=[0-9]+ (success=(no|yes) )?exit=[0-9-]+( a[0-3]=[0-9a-f]+)* items=[0-9]+ pid=[0-9]+ (loginuid=[0-9-]+ )?(auid=[0-9]+ )?uid=[0-9]+ gid=[0-9]+ euid=[0-9]+ suid=[0-9]+ fsuid=[0-9]+ egid=[0-9]+ sgid=[0-9]+ fsgid=[0-9]+/) or
++ ( $ThisLine =~ /(arch=[0-9]+ )?syscall=[0-9]+ (success=(no|yes) )?exit=[0-9-]+( a[0-3]=[0-9a-f]+)* items=[0-9]+ (ppid=[0-9]+ )?pid=[0-9]+ (loginuid=[0-9-]+ )?(auid=[0-9]+ )?uid=[0-9]+ gid=[0-9]+ euid=[0-9]+ suid=[0-9]+ fsuid=[0-9]+ egid=[0-9]+ sgid=[0-9]+ fsgid=[0-9]+/) or
+ ( $ThisLine =~ /Audit daemon rotating log files/) or
+ ( $ThisLine =~ /audit_backlog_limit=[0-9]* old=[0-9]*(?: by auid=[0-9]*)?/) or
+ ( $ThisLine =~ /SELinux: unrecognized netlink message type=[0-9]+ for sclass=[0-9]+/) or
+@@ -83,7 +83,8 @@ while ($ThisLine = ) {
+ ( $ThisLine =~ /audit\([0-9.]+:[0-9]+\): (selinux=[0-9]+|auid=[0-9]+|prom=[0-9]+|old_prom=[0-9]+|dev=[^ ]+| )+$/) or
+ ( $ThisLine =~ /auditd[ ]+S [0-9A-F]+ [0-9]+ [0-9]+[ ]+[0-9]([ ]*[0-9]+[ ]*|[ ]*)[0-9]+ [0-9]+ \(NOTLB\)/) or
+ ( $ThisLine =~ /Started dispatcher: \/sbin\/audispd pid: [0-9]+/) or
+- ( $ThisLine =~ /audit\([0-9.]*:[0-9]*\): bool=.* val=.* old_val=.* auid=[0-9]*/)
++ ( $ThisLine =~ /audit\([0-9.]*:[0-9]*\): bool=.* val=.* old_val=.* auid=[0-9]*/) or
++ ( $ThisLine =~ /item=[0-9] name="\S*" inode=[0-9]+ dev=\S* mode=[0-9]* ouid=[0-9]* ogid=[0-9]* rdev=[0-9:]* obj=\S*/)
+ ) {
+ # Ignore these entries
+ } elsif ( $ThisLine =~ /audit\([0-9]{10}.[0-9]{3}:[0-9]\): initialized$/) {
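Review bot: The new ignore pattern in the second inner hunk, `item=[0-9] name="\S*" inode=...`, matches only a single-digit item index, so PATH records from syscalls with ten or more path items (item=10 and up) still fall through to the unmatched list; `item=[0-9]+` would cover them. Likewise `name="\S*"` stops at the first space, so a path containing whitespace is not silenced either, which is acceptable if deliberate but worth a short comment such as `# PATH records (one per item): noise for this summary`. The enclosing while loop starts and ends outside this hunk.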
diff --git a/logwatch-7.3.6-dhcpd.patch b/logwatch-7.3.6-dhcpd.patch
new file mode 100644
index 0000000..8489ea2
--- /dev/null
+++ b/logwatch-7.3.6-dhcpd.patch
@@ -0,0 +1,14 @@
+diff -up logwatch-7.3.6/scripts/services/dhcpd.p logwatch-7.3.6/scripts/services/dhcpd
+--- logwatch-7.3.6/scripts/services/dhcpd.p 2006-10-20 23:12:27.000000000 +0200
++++ logwatch-7.3.6/scripts/services/dhcpd 2009-11-03 14:15:43.000000000 +0100
+@@ -127,6 +127,10 @@ while (my $line = ) {
+ if ($Detail >= 3) {
+ $data{'Warnings'}{$line}++;
+ }
++ } elsif ($line =~ s/uid lease ([\d.]*) for client ([^ ]*) is duplicate on ([^ ]*)/uid lease $1 for client $2 is duplicate/) {
++ if ($Detail >= 3) {
++ $data{'Duplicate lease'}{$line}++;
++ }
+ } else {
+ $data{'Unknown Entries'}{$line}++;
+ }
diff --git a/logwatch-7.3.6-dovecot2.patch b/logwatch-7.3.6-dovecot2.patch
new file mode 100644
index 0000000..c34115a
--- /dev/null
+++ b/logwatch-7.3.6-dovecot2.patch
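Review bot: The new `Duplicate lease` branch drops these lines entirely when `$Detail` is below 3, whereas before this change they surfaced under `Unknown Entries`; a duplicate `uid lease` message may indicate two clients presenting the same client identifier, so silently discarding it at lower detail is a visible behaviour change that deserves a comment, e.g. `# duplicate client-id leases: listed only at Detail >= 3`. The substitution also deliberately strips the `on <network>` suffix so that all occurrences for a client fold into one key, which is fine but worth stating in the same comment. The enclosing while loop starts and ends outside this hunk.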
@@ -0,0 +1,36 @@
+diff -up logwatch-7.3.6/scripts/services/dovecot.pom logwatch-7.3.6/scripts/services/dovecot
+--- logwatch-7.3.6/scripts/services/dovecot.pom 2009-10-12 12:48:21.000000000 +0200
++++ logwatch-7.3.6/scripts/services/dovecot 2009-10-12 13:19:04.000000000 +0200
+@@ -103,6 +103,8 @@ while (defined($ThisLine = )) {
+ $Disconnected{"no reason"}++;
+ } elsif (($Reason) = ($ThisLine =~ /Disconnected: (.*) \[/) ) {
+ $Disconnected{$Reason}++;
++ } elsif (($Reason) = ($ThisLine =~ /Disconnected \((.*)\):/) ) {
++ $Disconnected{$Reason}++;
+ } elsif (($Reason, $Host) = ($ThisLine =~ /TLS initialization failed/) ) {
+ $TLSInitFail++;
+ } elsif (($Host) = ($ThisLine =~ /Aborted login \[(.*)\]/)) {
+@@ -135,6 +137,9 @@ while (defined($ThisLine = )) {
+ } elsif (($Error) = ($ThisLine =~ /child \d* \(login\) returned error (.*)/)) {
+ # dovecot: child 23747 (login) returned error 89
+ $ChildErr{$Error}++;
++ } elsif (($Name) = ($ThisLine =~ /dovecot: IMAP\((.*)\): .*(.*) failed: Disk quota exceeded/)) {
++ # dovecot: IMAP(podracka): mkdir(/home/LF/KLINIKY/podracka/mail/.imap/saved-messages) failed: Disk quota exceeded
++ $DiskQuotaExceed{$Name}++;
+ } else {
+ # Report any unmatched entries...
+ chomp($ThisLine);
+@@ -261,6 +266,13 @@ if ($TLSInitFail > 0) {
+ print "\n\nTLS Initialization failed $TLSInitFail Time(s)";
+ }
+ 
++if (keys %DiskQuotaExceed) {
++ print "\n\nDisk quota exceeded:";
++ foreach my $Name (sort keys %DiskQuotaExceed) {
++ print "\n disk quota for user '". $Name . "' exceeded: ". $DiskQuotaExceed{$Name} ." Time(s)";
++ }
++}
++
+ if (keys %OtherList) {
+ print "\n\n**Unmatched Entries**\n";
+ foreach $line (sort {$a cmp $b} keys %OtherList) {
diff --git a/logwatch-7.3.6-named6.patch b/logwatch-7.3.6-named6.patch
new file mode 100644
index 0000000..fce8a79
--- /dev/null
+++ b/logwatch-7.3.6-named6.patch
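Review bot: In the `Disk quota exceeded` branch the regex `/dovecot: IMAP\((.*)\): .*(.*) failed: Disk quota exceeded/` has a second capture that can never hold anything (the greedy `.*` before it consumes the text) and a greedy first capture that will backtrack past a `): ` inside the failing path, so `$Name` can come out as user-plus-path instead of the user; `/dovecot: IMAP\(([^)]*)\): .* failed: Disk quota exceeded/` captures just the user. The value taken from the log is then printed verbatim in the report, which matches how the rest of this script handles `$Reason` and `$Host`, so no change is needed there. The enclosing while loop and the report section both continue outside this hunk.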
@@ -0,0 +1,15 @@
+diff -up logwatch-7.3.6/scripts/services/named.named6 logwatch-7.3.6/scripts/services/named
+--- logwatch-7.3.6/scripts/services/named.named6 2009-12-16 15:04:47.000000000 +0100
++++ logwatch-7.3.6/scripts/services/named 2009-12-16 15:08:25.836379108 +0100
+@@ -190,7 +190,10 @@ while (defined($ThisLine = )) {
+ ($ThisLine =~ /using default UDP\/IPv[46] port range: \[[0-9]*, [0-9]*\]/) or
+ ($ThisLine =~ /adjusted limit on open files from [0-9]* to [0-9]*/) or
+ ($ThisLine =~ /using up to [0-9]* sockets/) or
+- ($ThisLine =~ /built with/)
++ ($ThisLine =~ /built with/) or
++ ($ThisLine =~ /'.*': TTL differs in rdataset, adjusting [0-9]* -> [0-9]*/) or
++ ($ThisLine =~ /max open files \([0-9]*\) is smaller than max sockets \([0-9]*\)/) or
++ ($ThisLine =~ /clients-per-query decreased to .*/)
+ # too many timeouts resolving 'ns-ext.nrt1.isc.org/AAAA' (in '.'?): disabling EDNS: 3 Time(s)
+ ) {
+ # Don't care about these...
diff --git a/logwatch-7.3.6-openvpn4.patch b/logwatch-7.3.6-openvpn4.patch
new file mode 100644
index 0000000..0a821c9
--- /dev/null
+++ b/logwatch-7.3.6-openvpn4.patch
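Review bot: The new `clients-per-query decreased to .*` pattern carries a trailing `.*` that adds nothing, since the match is unanchored and the neighbouring patterns in this list omit it; `/clients-per-query decreased to [0-9]+/` is both tighter and consistent with the `[0-9]*` style used two lines above. Adding `max open files (N) is smaller than max sockets (M)` to the don't-care list also hides a resource-limit misconfiguration warning from the operator; if that is intended, a comment such as `# startup limit warning; ignored on purpose` would record the decision. The enclosing while loop starts and ends outside this hunk.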
@@ -0,0 +1,24 @@
+diff -up logwatch-7.3.6/scripts/services/openvpn.pom logwatch-7.3.6/scripts/services/openvpn
+--- logwatch-7.3.6/scripts/services/openvpn.pom 2009-10-12 14:51:50.000000000 +0200
++++ logwatch-7.3.6/scripts/services/openvpn 2009-10-12 14:51:25.000000000 +0200
+@@ -71,7 +71,7 @@ while (defined($ThisLine = )) {
+ ($ThisLine =~ /^TLS: soft reset/) or
+ ($ThisLine =~ /^TLS: tls_process: killed expiring key$/) or
+ ($ThisLine =~ /^TLS: move_session: dest=.* src=.* reinit_src=[0-9]*/) or
+- ($ThisLine =~ /^TLS: tls_multi_process: untrusted session promoted to trusted/) or
++ ($ThisLine =~ /^TLS: tls_multi_process: untrusted session promoted to (semi-)?trusted/) or
+ ($ThisLine =~ /^TLS: new session incoming connection from .*/) or
+ ($ThisLine =~ /^TUN\/TAP device \w+ opened/) or
+ ($ThisLine =~ /^UDPv4 link /) or
+@@ -81,6 +81,11 @@ while (defined($ThisLine = )) {
+ ($ThisLine =~ /TUN\/TAP TX queue length set to [0-9]*/) or
+ ($ThisLine =~ /Socket Buffers: R=\[[0-9]+->[0-9]+\] S=\[[0-9]+->[0-9]+\]/) or
+ ($ThisLine =~ /OpenVPN .* built on [A-Z][a-z]{2} [ 12]?[0-9] [0-9]{4}/) or
++ ($ThisLine =~ /CRL CHECK OK: \/.*\//) or
++ ($ThisLine =~ /TLS: tls_multi_process: killed expiring key/) or
++ ($ThisLine =~ /read UDPv4 \[.*\]: No route to host \(code=[0-9]*\)/) or
++ ($ThisLine =~ /TLS Error: TLS object -> incoming plaintext read error/) or
++ ($ThisLine =~ /TLS ERROR: received control packet with stale session-id=.*/) or
+ ($ThisLine =~ /Authenticate\/Decrypt packet error: bad packet ID \(may be a replay\): \[ #.* \] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings/)
+ ) {
+ # Don't care about these...
diff --git a/logwatch-7.3.6-pam_unix4.patch b/logwatch-7.3.6-pam_unix4.patch
new file mode 100644
index 0000000..3e77d44
--- /dev/null
+++ b/logwatch-7.3.6-pam_unix4.patch
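Review bot: Adding `TLS Error: TLS object -> incoming plaintext read error` and `TLS ERROR: received control packet with stale session-id=.*` to the don't-care list in the second inner hunk discards TLS failures, which for a VPN daemon are exactly the lines a security summary should count rather than suppress: a burst of them can accompany rejected or tampered handshakes as readily as ordinary network flakiness. If the script already keeps a counter for TLS problems, routing these there (for example `$TLSErrors{$1}++` from a capture of the message text) would preserve the signal; otherwise at least a comment saying why they are treated as noise would help the next maintainer. The `.*` on the stale-session-id pattern is redundant since the match is unanchored. The enclosing while loop starts and ends outside this hunk.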
@@ -0,0 +1,54 @@
+diff -up logwatch-7.3.6/scripts/services/pam_unix.pom logwatch-7.3.6/scripts/services/pam_unix
+--- logwatch-7.3.6/scripts/services/pam_unix.pom 2009-10-12 14:55:08.000000000 +0200
++++ logwatch-7.3.6/scripts/services/pam_unix 2009-10-12 15:06:46.000000000 +0200
+@@ -204,6 +204,8 @@ while ($line = ) {
+ } elsif ($service eq 'dovecot') {
+ if ($line =~ s/^authentication failure; .*user=(.+)$/$1/) {
+ $data{$service}{'Authentication Failures'}{$line}++;
++ } elsif ($line =~ /check pass; user unknown/) {
++ $data{$service}{'Invalid Users'}{'Unknown Account'}++;
+ } else {
+ $data{$service}{'Unknown Entries'}{$line}++;
+ }
+@@ -225,11 +227,13 @@ while ($line = ) {
+ } else {
+ $data{$service}{'Unknown Entries'}{$line}++;
+ }
+- } elsif ($service eq 'pure-ftpd') {
++ } elsif (($service eq 'pure-ftpd') || ($service eq 'vsftpd')){
+ if ($line =~ s/^session opened for user (.+)/$1/) {
+ $data{$service}{'Sessions Opened'}{$line}++;
+ } elsif ($line =~ s/^check pass; (.+)/$1/) {
+ $data{$service}{'Password Failures'}{$line}++;
++ } elsif ($line =~ s/^authentication failure; .*user=(.+)$/$1/) {
++ $data{$service}{'Authentication Failures'}{$line}++;
+ } else {
+ $data{$service}{'Unknown Entries'}{$line}++;
+ }
+@@ -255,7 +259,7 @@ while ($line = ) {
+ $data{$service}{'Unknown Entries'}{$line}++;
+ }
+ } elsif (($service eq 'samba') or ($service eq 'smbd')) {
+- if ($line =~ s/^session opened for user ([a-zA-Z\d]+) by (.+)/$1/) {
++ if ($line =~ s/^session opened for user (\S+) by (.+)/$1/) {
+ ($Detail >= 5) && $data{$service}{'Sessions Opened'}{$line}++;
+ } elsif ($line =~ s/^session closed for user (.+)/$1/) {
+ ($Detail >= 8) && $data{$service}{'Sessions Closed'}{$line}++;
+@@ -297,7 +301,16 @@ while ($line = ) {
+ } else {
+ $data{$service}{'Unknown Entries'}{$line}++;
+ }
+-
++ } elsif ($service eq 'smtp') {
++ if ($line =~ s/^authentication failure; logname=(\S*) uid=(\d+).*user=(\S*)$/$1($2) -> $3/) {
++ $data{$service}{'Authentication Failures'}{$line}++;
++ } elsif ($line =~ /authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=/) {
++ # ignore this line
++ } elsif ($line =~ /check pass; user unknown/) {
++ $data{$service}{'Invalid Users'}{'Unknown Account'}++;
++ } else {
++ $data{$service}{'Unknown Entries'}{$line}++;
++ }
+ } else {
+ $data{$service}{'Unknown Entries'}{$line}++;
+ }
diff --git a/logwatch-7.3.6-secure3.patch b/logwatch-7.3.6-secure3.patch
new file mode 100644
index 0000000..8f363a3
--- /dev/null
+++ b/logwatch-7.3.6-secure3.patch
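Review bot: In the new `smtp` branch the ignore pattern `/authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=/` is not anchored at the end, so any smtp authentication failure that carries a remote host but no trailing `user=` field (`... ruser= rhost=203.0.113.5`) is matched and silently dropped instead of being reported; anchoring it as `/authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=$/` limits the exemption to the fully empty line the branch is evidently meant to swallow. The `# ignore this line` comment would also be more useful if it said why that all-empty failure is expected noise. The pure-ftpd/vsftpd and samba changes in the earlier inner hunks look fine. The enclosing while loop starts and ends outside this hunk.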
@@ -0,0 +1,36 @@
+diff -up logwatch-7.3.6/scripts/services/secure.pom logwatch-7.3.6/scripts/services/secure
+--- logwatch-7.3.6/scripts/services/secure.pom 2009-10-12 11:33:15.000000000 +0200
++++ logwatch-7.3.6/scripts/services/secure 2009-10-12 12:38:29.000000000 +0200
+@@ -435,6 +435,9 @@ while (defined($ThisLine = )) {
+ } elsif ( ($User) = ($ThisLine =~ /useradd.*failed adding user `(.*)', data deleted/) ) {# failed adding user/)) {# (.*), data deleted/)) {
+ # useradd: failed adding user `rpcuser', data deleted
+ $FailedAddUsers{$User}++;
++ } elsif (($User,$Reason) = ($ThisLine =~ /dovecot-auth: pam_userdb\(dovecot:auth\): user `(.*)' denied access \((.*)\)/)) {
++ # dovecot-auth: pam_userdb(dovecot:auth): user `bobok' denied access (incorrect password)
++ $DeniedAccess{"$User,$Reason"}++;
+ } else {
+ # Unmatched entries...
+ $ThisLine =~ s/\[\d+\]:/:/;
+@@ -535,6 +538,7 @@ if (keys %UnknownUser) {
+ if ($pwd_file_unknown > 0) {
+ print "\nUsers unknown in password database (pwd_file): $pwd_file_unknown\n";
+ }
++
+ if ($pwd_file_too_short > 0) {
+ print "\nPassword too short or NULL (pwd_file): $pwd_file_too_short Time(s)\n";
+ }
+@@ -594,6 +598,14 @@ if (keys %{$FailedSaver}) {
+ }
+ }
+ 
++if (keys %DeniedAccess) {
++ print "\ndovecot-auth: Denied access\n";
++ foreach (keys %DeniedAccess) {
++ ($User,$Reason) = split ",";
++ print " for user " . $User . " (reason: " . $Reason . ") :" . $DeniedAccess{"$User,$Reason"} . " Time(s)\n";
++ }
++}
++
+ if (keys %NoIP) {
+ print "\nCouldn't get client IPs for connections to:\n";
+ foreach $ThisOne (sort {$a cmp $b} keys %NoIP) {
diff --git a/logwatch.spec b/logwatch.spec
index 79db2c9..e422eac 100644
--- a/logwatch.spec
+++ b/logwatch.spec
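Review bot: `$DeniedAccess{"$User,$Reason"}++` in the first inner hunk joins two log-derived strings with a comma and the report loop in the third hunk splits them on that comma again, so a user name containing a comma (the name in a failed-login line is whatever the remote client sent) shifts the reason column and mislabels the entry. A nested hash avoids the round trip and also lets the report sort its keys like the neighbouring sections do, whereas the added loop iterates `keys %DeniedAccess` unsorted. Both enclosing blocks, the while loop and the report section, start and end outside this hunk.

```perl
# … unchanged: pam_userdb match in the while loop …
$DeniedAccess{$User}{$Reason}++;
# … unchanged: remaining report sections …
if (keys %DeniedAccess) {
    print "\ndovecot-auth: Denied access\n";
    foreach my $User (sort keys %DeniedAccess) {
        foreach my $Reason (sort keys %{ $DeniedAccess{$User} }) {
            print " for user " . $User . " (reason: " . $Reason . ") :" . $DeniedAccess{$User}{$Reason} . " Time(s)\n";
        }
    }
}
```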
@@ -58,6 +58,13 @@ Patch57: logwatch-7.3.6-named5.patch
 Patch58: logwatch-7.3.6-iptables.patch
 # Not sent to upstream.
 Patch59: logwatch-7.3.6-lost-connection.patch
+Patch60: logwatch-7.3.6-secure3.patch
+Patch61: logwatch-7.3.6-audit4.patch
+Patch62: logwatch-7.3.6-dovecot2.patch
+Patch63: logwatch-7.3.6-openvpn4.patch
+Patch64: logwatch-7.3.6-pam_unix4.patch
+Patch65: logwatch-7.3.6-dhcpd.patch
+Patch66: logwatch-7.3.6-named6.patch
 Requires: textutils sh-utils grep mailx
 Requires: perl(Date::Manip)
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -121,6 +128,13 @@ of the package on many systems.
 %patch57 -p1
 %patch58 -p1
 %patch59 -p1
+%patch60 -p1
+%patch61 -p1
+%patch62 -p1
+%patch63 -p1
+%patch64 -p1
+%patch65 -p1
+%patch66 -p1
 rm -f scripts/services/*.orig
 
 %build
@@ -247,6 +261,10 @@ rm -rf %{buildroot}
 * Wed Dec 2 2009 Karel Klic 7.3.6-49
 - Add 802.1q subinterface support to iptables report; iptables.patch (#507743)
 - Fixed error in the RE that matches "lost connection" lines in postfix script; lost-connection.patch (#525903)
+- Added patches parsing several unmatched entries (from F-10);
+ audit4.patch modified to make ppid optional;
+ openvpn4.patch modified to make "semi-" optional;
+ pam_unix4.patch modified (user name matched by \S+)
 
 * Tue Aug 11 2009 Ivana Varekova 7.3.6-48
 - parse a few unmatched entries in named script (#513853)