- Resolves: #440534 Some unmatched OpenVPN log lines

- add parsing of new logw to audit and cron service
2008-04-04 11:32:09 +00:00 · 2008-04-04 11:32:09 +00:00 · 0b230704cb
commit 0b230704cb
parent 76f3cdb747
4 changed files with 79 additions and 3 deletions
--- a/logwatch-7.3.6-audit2.patch
+++ b/logwatch-7.3.6-audit2.patch
@ -0,0 +1,30 @@
+diff -up logwatch-7.3.6/scripts/services/audit.pom logwatch-7.3.6/scripts/services/audit
+--- logwatch-7.3.6/scripts/services/audit.pom	2008-03-05 11:18:41.000000000 +0100
+++ logwatch-7.3.6/scripts/services/audit	2008-04-04 11:05:07.000000000 +0200
+@@ -115,6 +115,8 @@ while ($ThisLine = <STDIN>) {
+ 	    $grants{$2.' '.$3.' ('.$1.$4 . ')'}++;
+ 	} elsif ($ThisLine =~ /security_compute_sid:\s*invalid context\s*(\S+)\s*for\s*scontext=(\S+)\s*tcontext=(\S+)\s*tclass=(\S+)/ ) {
+ 	    $InvalidContext{$4." running as ".$2." acting on ".$3." \nshould transit to invalid ".$1}++;
+        } elsif ($ThisLine =~ /security_sid_mls_copy:\s*invalid context\s*(\S+)/) {
+                    $InvalidContext{"context: ".$1}++;
+ 	} else { 
+             $othercount++;
+             $ThisLine =~ s/^\s*//;
+@@ -129,6 +131,8 @@ while ($ThisLine = <STDIN>) {
+ 	    $grants{$1.' '.$2.' ('.$3 . ')'}++;
+ 	} elsif ($ThisLine =~ /security_compute_sid:\s*invalid context\s*(\S+)\s*for\s*scontext=(\S+)\s*tcontext=\S+\s*tclass=(\S+)/ ) {
+ 	    $InvalidContext{$3." running as ".$2." should transit to invalid ".$1}++;
+        } elsif ($ThisLine =~ /security_sid_mls_copy:\s*invalid context\s*(\S+)/) {
+            $InvalidContext{"context: ".$1}++;                    
+ 	} else {
+             $othercount++;
+             $ThisLine =~ s/^\s*//;
+@@ -143,6 +147,8 @@ while ($ThisLine = <STDIN>) {
+ 	    $grants{$1.' '.$2.' ('.$3 . ')'}++;
+ 	} elsif ($ThisLine =~ /security_compute_sid:\s*invalid context\s*(\S+)\s*for\s*scontext=(\S+)\s*tcontext=\S+\s*tclass=(\S+)/ ) {
+    	    $InvalidContext{$3." running as ".$2." should transit to invalid ".$1}++;  
+   	} elsif ($ThisLine =~ /security_sid_mls_copy:\s*invalid context\s*(\S+)/) { 
+   	    $InvalidContext{"context: ".$1}++;
+ 	} else {
+             $othercount++;
+             $ThisLine =~ s/^\s*//;
--- a/logwatch-7.3.6-cron2.patch
+++ b/logwatch-7.3.6-cron2.patch
@ -5,7 +5,7 @@
       )  ) {
       $INCRONDErr{$Error}++;
 +   } elsif ( ($ThisLine =~ /crond/) &&
-+	(($Error) = ($ThisLine =~ /(failed to open PAM security session: Permission denied)/)) 
+	(($Error) = ($ThisLine =~ /(failed to open PAM security session: (Permission denied|Module is unknown))/)) 
 +	) {
 +      $CRONDErr{$Error}++;
    } else {
--- a/logwatch-7.3.6-openvpn2.patch
+++ b/logwatch-7.3.6-openvpn2.patch
@ -0,0 +1,37 @@
+diff -up logwatch-7.3.6/scripts/services/openvpn.pom logwatch-7.3.6/scripts/services/openvpn
+--- logwatch-7.3.6/scripts/services/openvpn.pom	2008-04-04 12:35:34.000000000 +0200
+++ logwatch-7.3.6/scripts/services/openvpn	2008-04-04 13:22:18.000000000 +0200
+@@ -51,7 +51,7 @@ while (defined($ThisLine = <STDIN>)) {
+       ($ThisLine =~ /^MULTI: multi_create_instance called/) or
+       ($ThisLine =~ /^MULTI: primary virtual IP for/) or
+       ($ThisLine =~ /^MULTI: TCP INIT maxclients=\d+ maxevents=\d+/) or
+-      ($ThisLine =~ /^MULTI: bad source address from client .*, packet dropped/) or
+      ($ThisLine =~ /MULTI: bad source address from client .*, packet dropped/) or
+       ($ThisLine =~ /^Need IPv6 code in mroute_extract_addr_from_packet/) or
+       ($ThisLine =~ /^NOTE: UID\/GID downgrade will be delayed because of --client, --pull, or --up-delay/) or
+       ($ThisLine =~ /^OPTIONS IMPORT/) or
+@@ -108,6 +108,9 @@ while (defined($ThisLine = <STDIN>)) {
+       $ConnErrors{$error}{"$proto"}++;
+    } elsif (($name) = ($ThisLine =~ /MULTI: new connection by client '(.*)' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect./)) {
+       $ConnectCauseDrop{$name}++;
+   } elsif ((($Err) = ($ThisLine =~ /(read UDPv4 \[ECONNREFUSED\]: Connection refused \(code=111\))/)) or
+	    (($Err) = ($ThisLine =~ /(read UDPv4 \[EHOSTUNREACH\]: No route to host \(code=113\))/))) {
+      $Error{$Err}++;
+   } else {
+       # Report any unmatched entries...
+       # remove PID from named messages
+@@ -199,6 +202,14 @@ if (keys %ConnectCauseDrop) {
+    }
+ }
+ 
+if (keys %Error) {
+   print "\n UDPv4 errors:\n";
+   foreach $Err (sort keys %Error) {
+     print "   " . $Err . ": " .$Error{$Err}. " Time(s)\n";
+   }
+}
+
+
+ if (keys %OtherList) {
+    print "\n**Unmatched Entries**\n";
+    foreach $line (sort {$a cmp $b} keys %OtherList) {
--- a/logwatch.spec
+++ b/logwatch.spec
@ -1,7 +1,7 @@
 Summary: A log file analysis program
 Name: logwatch
 Version: 7.3.6
-Release: 20%{?dist}
+Release: 21%{?dist}
 License: MIT
 Group: Applications/System
 URL: http://www.logwatch.org/
@ -37,6 +37,8 @@ Patch31: logwatch-7.3.6-openvpn.patch
 Patch32: logwatch-7.3.6-postfix.patch
 Patch33: logwatch-7.3.6-cron4.patch
 Patch34: logwatch-7.3.6-dovecot_back.patch
+Patch35: logwatch-7.3.6-audit2.patch
+Patch36: logwatch-7.3.6-openvpn2.patch

 Requires: textutils sh-utils grep mailx
 Requires: perl(Date::Manip)
@ -82,6 +84,8 @@ of the package on many systems.
 %patch32 -p1
 %patch33 -p1
 %patch34 -p1
+%patch35 -p1
+%patch36 -p1
 rm -f scripts/services/*.orig

 %build
@ -195,8 +199,13 @@ rm -rf %{buildroot}
 %doc License project/CHANGES 

 %changelog
+* Fri Apr  4 2008 Ivana Varekova <varekova@redhat.com> 7.3.6-21
+- Resolves: #440534 
+  Some unmatched OpenVPN log lines
+- add parsing of new logw to audit and cron service
+
 * Wed Mar  5 2008 Ivana Varekova <varekova@redhat.com> 7.3.6-20
- resolves 436058
+- Resolves: #436058
  dovecot script for logwatch needs fix for IPv6

 * Thu Feb 14 2008 Ivana Varekova <varekova@redhat.com> 7.3.6-19