From 0b230704cb1dfb77ce2967465120699a40dfdcc2 Mon Sep 17 00:00:00 2001
From: Ivana Varekova
Date: Fri, 4 Apr 2008 11:32:09 +0000
Subject: [PATCH] - Resolves: #440534 Some unmatched OpenVPN log lines - add parsing of new logw to audit and cron service
---
logwatch-7.3.6-audit2.patch | 30 ++++++++++++++++++++++++++++
logwatch-7.3.6-cron2.patch | 2 +-
logwatch-7.3.6-openvpn2.patch | 37 +++++++++++++++++++++++++++++++++++
logwatch.spec | 13 ++++++++++--
4 files changed, 79 insertions(+), 3 deletions(-)
create mode 100644 logwatch-7.3.6-audit2.patch
create mode 100644 logwatch-7.3.6-openvpn2.patch
diff --git a/logwatch-7.3.6-audit2.patch b/logwatch-7.3.6-audit2.patch
new file mode 100644
index 0000000..1271bcd
--- /dev/null
+++ b/logwatch-7.3.6-audit2.patch
@@ -0,0 +1,30 @@
+diff -up logwatch-7.3.6/scripts/services/audit.pom logwatch-7.3.6/scripts/services/audit
+--- logwatch-7.3.6/scripts/services/audit.pom 2008-03-05 11:18:41.000000000 +0100
++++ logwatch-7.3.6/scripts/services/audit 2008-04-04 11:05:07.000000000 +0200
+@@ -115,6 +115,8 @@ while ($ThisLine = ) {
+ $grants{$2.' '.$3.' ('.$1.$4 . ')'}++;
+ } elsif ($ThisLine =~ /security_compute_sid:\s*invalid context\s*(\S+)\s*for\s*scontext=(\S+)\s*tcontext=(\S+)\s*tclass=(\S+)/ ) {
+ $InvalidContext{$4." running as ".$2." acting on ".$3." \nshould transit to invalid ".$1}++;
++ } elsif ($ThisLine =~ /security_sid_mls_copy:\s*invalid context\s*(\S+)/) {
++ $InvalidContext{"context: ".$1}++;
+ } else {
+ $othercount++;
+ $ThisLine =~ s/^\s*//;
+@@ -129,6 +131,8 @@ while ($ThisLine = ) {
+ $grants{$1.' '.$2.' ('.$3 . ')'}++;
+ } elsif ($ThisLine =~ /security_compute_sid:\s*invalid context\s*(\S+)\s*for\s*scontext=(\S+)\s*tcontext=\S+\s*tclass=(\S+)/ ) {
+ $InvalidContext{$3." running as ".$2." should transit to invalid ".$1}++;
++ } elsif ($ThisLine =~ /security_sid_mls_copy:\s*invalid context\s*(\S+)/) {
++ $InvalidContext{"context: ".$1}++;
+ } else {
+ $othercount++;
+ $ThisLine =~ s/^\s*//;
+@@ -143,6 +147,8 @@ while ($ThisLine = ) {
+ $grants{$1.' '.$2.' ('.$3 . ')'}++;
+ } elsif ($ThisLine =~ /security_compute_sid:\s*invalid context\s*(\S+)\s*for\s*scontext=(\S+)\s*tcontext=\S+\s*tclass=(\S+)/ ) {
+ $InvalidContext{$3." running as ".$2." should transit to invalid ".$1}++;
++ } elsif ($ThisLine =~ /security_sid_mls_copy:\s*invalid context\s*(\S+)/) {
++ $InvalidContext{"context: ".$1}++;
+ } else {
+ $othercount++;
+ $ThisLine =~ s/^\s*//;
diff --git a/logwatch-7.3.6-cron2.patch b/logwatch-7.3.6-cron2.patch
index a6ee08b..d8eb813 100644
--- a/logwatch-7.3.6-cron2.patch
+++ b/logwatch-7.3.6-cron2.patch
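Review bot: The new `security_sid_mls_copy` branch is pasted unchanged into three separate elsif chains (the inner hunks at 115, 129 and 143), so any later correction to the pattern has to be made in three places. Defining it once above the loop, `my $mls_copy_re = qr/security_sid_mls_copy:\s*invalid context\s*(\S+)/;`, and testing `$ThisLine =~ $mls_copy_re` in each chain would keep them in step. The key stored in `%InvalidContext` is the bare `"context: ".$1`, which is shaped differently from the neighbouring `... running as ... should transit to invalid ...` keys; a comment such as `# security_sid_mls_copy: only the rejected context is captured, hence the shorter key` would explain that to the next reader. Each chain begins and ends outside its hunk.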
@@ -5,7 +5,7 @@
 ) ) {
 $INCRONDErr{$Error}++;
 + } elsif ( ($ThisLine =~ /crond/) &&
-+ (($Error) = ($ThisLine =~ /(failed to open PAM security session: Permission denied)/))
++ (($Error) = ($ThisLine =~ /(failed to open PAM security session: (Permission denied|Module is unknown))/))
 + ) {
 + $CRONDErr{$Error}++;
 } else {
diff --git a/logwatch-7.3.6-openvpn2.patch b/logwatch-7.3.6-openvpn2.patch
new file mode 100644
index 0000000..53a6e2a
--- /dev/null
+++ b/logwatch-7.3.6-openvpn2.patch
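Review bot: The alternation added to the PAM pattern is a second capturing group nested inside the capture that feeds `($Error)`. The list assignment still takes the outer match, so the result is correct, but the inner capture is never used; `(?:Permission denied|Module is unknown)` states the intent and avoids shifting capture numbers if the pattern grows. The enclosing elsif chain lies outside the hunk.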
@@ -0,0 +1,37 @@
+diff -up logwatch-7.3.6/scripts/services/openvpn.pom logwatch-7.3.6/scripts/services/openvpn
+--- logwatch-7.3.6/scripts/services/openvpn.pom 2008-04-04 12:35:34.000000000 +0200
++++ logwatch-7.3.6/scripts/services/openvpn 2008-04-04 13:22:18.000000000 +0200
+@@ -51,7 +51,7 @@ while (defined($ThisLine = )) {
+ ($ThisLine =~ /^MULTI: multi_create_instance called/) or
+ ($ThisLine =~ /^MULTI: primary virtual IP for/) or
+ ($ThisLine =~ /^MULTI: TCP INIT maxclients=\d+ maxevents=\d+/) or
+- ($ThisLine =~ /^MULTI: bad source address from client .*, packet dropped/) or
++ ($ThisLine =~ /MULTI: bad source address from client .*, packet dropped/) or
+ ($ThisLine =~ /^Need IPv6 code in mroute_extract_addr_from_packet/) or
+ ($ThisLine =~ /^NOTE: UID\/GID downgrade will be delayed because of --client, --pull, or --up-delay/) or
+ ($ThisLine =~ /^OPTIONS IMPORT/) or
+@@ -108,6 +108,9 @@ while (defined($ThisLine = )) {
+ $ConnErrors{$error}{"$proto"}++;
+ } elsif (($name) = ($ThisLine =~ /MULTI: new connection by client '(.*)' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect./)) {
+ $ConnectCauseDrop{$name}++;
++ } elsif ((($Err) = ($ThisLine =~ /(read UDPv4 \[ECONNREFUSED\]: Connection refused \(code=111\))/)) or
++ (($Err) = ($ThisLine =~ /(read UDPv4 \[EHOSTUNREACH\]: No route to host \(code=113\))/))) {
++ $Error{$Err}++;
+ } else {
+ # Report any unmatched entries...
+ # remove PID from named messages
+@@ -199,6 +202,14 @@ if (keys %ConnectCauseDrop) {
+ }
+ }
+
++if (keys %Error) {
++ print "\n UDPv4 errors:\n";
++ foreach $Err (sort keys %Error) {
++ print " " . $Err . ": " .$Error{$Err}. " Time(s)\n";
++ }
++}
++
++
+ if (keys %OtherList) {
+ print "\n**Unmatched Entries**\n";
+ foreach $line (sort {$a cmp $b} keys %OtherList) {
diff --git a/logwatch.spec b/logwatch.spec
index ed8255c..4ae99dd 100644
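Review bot: Dropping the `^` from `/MULTI: bad source address from client .*, packet dropped/` in the first openvpn hunk lets this entry, in what appears to be the script's ignore list, match the phrase anywhere in a line. Any log line that merely contains that text, for example inside a client-supplied name that OpenVPN echoes into the log, would then be discarded before the later elsif branches can count or report it. If the aim is to tolerate a per-client prefix in front of `MULTI:`, keep the anchor and allow the prefix explicitly, e.g. `($ThisLine =~ /^(?:\S+ )?MULTI: bad source address from client .*, packet dropped/) or`; the exact prefix shape should be checked against the lines reported in #440534. The condition and the if/elsif chain begin and end outside the hunks.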
--- a/logwatch.spec
+++ b/logwatch.spec
@@ -1,7 +1,7 @@
 Summary: A log file analysis program
 Name: logwatch
 Version: 7.3.6
-Release: 20%{?dist}
+Release: 21%{?dist}
 License: MIT
 Group: Applications/System
 URL: http://www.logwatch.org/
@@ -37,6 +37,8 @@ Patch31: logwatch-7.3.6-openvpn.patch
 Patch32: logwatch-7.3.6-postfix.patch
 Patch33: logwatch-7.3.6-cron4.patch
 Patch34: logwatch-7.3.6-dovecot_back.patch
+Patch35: logwatch-7.3.6-audit2.patch
+Patch36: logwatch-7.3.6-openvpn2.patch
 Requires: textutils sh-utils grep mailx
 Requires: perl(Date::Manip)
@@ -82,6 +84,8 @@ of the package on many systems.
 %patch32 -p1
 %patch33 -p1
 %patch34 -p1
+%patch35 -p1
+%patch36 -p1
 rm -f scripts/services/*.orig
 %build
@@ -195,8 +199,13 @@ rm -rf %{buildroot}
 %doc License project/CHANGES
 %changelog
+* Fri Apr 4 2008 Ivana Varekova 7.3.6-21
+- Resolves: #440534
+ Some unmatched OpenVPN log lines
+- add parsing of new logw to audit and cron service
+
 * Wed Mar 5 2008 Ivana Varekova 7.3.6-20
-- resolves 436058
+- Resolves: #436058
 dovecot script for logwatch needs fix for IPv6
 * Thu Feb 14 2008 Ivana Varekova 7.3.6-19