rpms/logwatch
7
0
Fork 0
Code Issues Pull Requests Releases Activity

handle DNSSEC messages in named; patch by Frank Crawford; rhbz#666394

Browse Source
This commit is contained in:
Karel Klic 2011-03-28 14:18:22 +02:00
parent 43c5f900a1
commit 1b449a15e4
3 changed files with 145 additions and 101 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

137
logwatch-named-dnssec.patch Normal file
View File

@ -0,0 +1,137 @@
diff -up logwatch-svn46/scripts/services/named.dnssec logwatch-svn46/scripts/services/named
--- logwatch-svn46/scripts/services/named.dnssec 2011-03-28 13:54:24.212725223 +0200
+++ logwatch-svn46/scripts/services/named 2011-03-28 14:08:21.044509429 +0200
@@ -228,6 +228,7 @@ while (defined($ThisLine = <STDIN>)) {
($ThisLine =~ /too many timeouts resolving '.*' .*: disabling EDNS/) or
($ThisLine =~ /too many timeouts resolving '.*' .*: reducing the advertised EDNS UDP packet size to .* octets/) or
($ThisLine =~ /reloading zones succeeded/) or
+ ($ThisLine =~ /generating session key/) or
($ThisLine =~ /success resolving '.*' \(in '.*'?\) after disabling EDNS/) or
($ThisLine =~ /success resolving '.*' \(in '.*'?\) after reducing the advertised EDNS UDP packet size to 512 octets/) or
($ThisLine =~ /the working directory is not writable/) or
@@ -249,6 +250,11 @@ while (defined($ThisLine = <STDIN>)) {
($ThisLine =~ /refresh in progress, refresh check queued/) or
($ThisLine =~ /refresh: NODATA response from master/) or
($ThisLine =~ /update with no effect/) or
+ ($ThisLine =~ /reading built-in trusted keys from file/) or
+ ($ThisLine =~ /using built-in trusted-keys/) or
+ ($ThisLine =~ /set up managed keys zone/) or
+ # the following seems okay since it says "success"
+ ($ThisLine =~ /managed-keys-zone .*: No DNSKEY RRSIGs found for '.*': success/) or
# ignore this line because the following line describes the error
($ThisLine =~ /unexpected error/)
) {
@@ -269,7 +275,8 @@ while (defined($ThisLine = <STDIN>)) {
$ShutdownNamed++;
} elsif ( $ThisLine =~ /named shutdown failed/ ) {
$ShutdownNamedFail++;
- } elsif ( ($Host, $Zone) = ( $ThisLine =~ /client ([^\#]+)#[^\:]+: zone transfer '(.+)' denied/ ) ) {
+ } elsif ( (($Host, $Zone) = ( $ThisLine =~ /client ([^\#]+)#[^\:]+: (?:view \w+: )?zone transfer '(.+)' denied/ )) or
+ (($Host, $Zone) = ( $ThisLine =~ /client ([^\#]+)#[^\:]+: (?:view \w+: )?bad zone transfer request: '(.+)':/ )) ) {
$DeniedZoneTransfers{$Host}{$Zone}++;
} elsif ( ($Zone) = ( $ThisLine =~ /zone (.+) zone transfer deferred due to quota/ ) ) {
$DeferredZoneTransfers{$Zone}++;
@@ -291,14 +298,13 @@ while (defined($ThisLine = <STDIN>)) {
$ZoneLoaded{$Zone}++;
} elsif ( (undef,$Addr,undef,$Server) = ( $ThisLine =~ /ame server (on|resolving) '(.+)' \(in .+\):\s+(\[.+\]\.\d+)?\s*'?(.+)'?:?/ ) ) {
$LameServer{"$Addr ($Server)"}++;
- } elsif ( ($Zone) = ( $ThisLine =~ /Zone \"(.+)\" was removed/ ) ) {
+ } elsif ( (($Zone) = ( $ThisLine =~ /Zone \"(.+)\" was removed/ )) or
+ (($Zone) = ( $ThisLine =~ /zone (.+): \(.*\) removed/ )) ) {
$ZoneRemoved{$Zone}++;
} elsif ( ($Zone) = ( $ThisLine =~ /received notify for zone '(.*)'/ ) ) {
$ZoneReceivedNotify{$Zone}++;
} elsif ( ($Zone) = ( $ThisLine =~ /zone (.*): notify from .* up to date/ ) ) {
$ZoneReceivedNotify{$Zone}++;
- } elsif ( ($Zone) = ( $ThisLine =~ /zone (.*): notify from .* up to date/ ) ) {
- $ZoneReceivedNotify{$Zone}++;
} elsif ( ($Zone) = ( $ThisLine =~ /zone (.+)\/IN: refused notify from non-master/ ) ) {
$ZoneRefusedNotify{$Zone}++;
# } elsif ( ($Rhost,$Ldom,$Reason) = ( $ThisLine =~ /client ([\d\.a-fA-F:]+) bad zone transfer request: '(.+)': (.+)$/ ) ) {
@@ -321,13 +327,13 @@ while (defined($ThisLine = <STDIN>)) {
} elsif ( ($Client) = ( $ThisLine =~ /warning: client (.*) no more TCP clients/ ) ) {
$FullClient = LookupIP ($Client);
$DeniedTCPClient{$FullClient}++;
- } elsif ( ($Client) = ( $ThisLine =~ /client (.*)#\d+: query \(cache\) denied/ ) ) {
+ } elsif ( ($Client) = ( $ThisLine =~ /client (.*)#\d+: (?:view \w+: )?query \(cache\) denied/ ) ) {
$FullClient = LookupIP ($Client);
$DeniedQuery{$FullClient}++;
} elsif ( ($Client) = ( $ThisLine =~ /client (.*)#\d+: query '.*\/IN' denied/ ) ) {
$FullClient = LookupIP ($Client);
$DeniedQueryNoCache{$FullClient}++;
- } elsif ( ($Rhost, $ViewName, $Ldom) = ($ThisLine =~ /client ([\.0-9a-fA-F:]+)#\d+:(?: view ([^ ]+):)? update '(.*)' denied/)) {
+ } elsif ( ($Rhost, $ViewName, $Ldom) = ($ThisLine =~ /client ([\.0-9a-fA-F:]+)#\d+: (?:view \w+: )?update '(.*)' denied/)) {
$ViewName = ($ViewName ? "/$ViewName" : "");
$UpdateDenied{"$Rhost ($Ldom$ViewName)"}++;
} elsif ( ($Rhost, $Ldom) = ($ThisLine =~ /client ([\d\.]+)#\d+: update forwarding '(.*)' denied/)) {
@@ -384,6 +390,18 @@ while (defined($ThisLine = <STDIN>)) {
$NoSOA{$Client}++;
} elsif (($Hint) = ($ThisLine =~ /checkhints: (.*)/) ) {
$Hints{$Hint}++;
+ } elsif (($Zone,$RR) = ($ThisLine =~ /^\s*validating \@0x[[:xdigit:]]+: (.*) (\w+): got insecure response; parent indicates it should be secure/)) {
+ $DNSSECInsec{'__Total__'}++;
+ $DNSSECInsec{$Zone}{$RR}++;
+ } elsif (($Zone,$RR) = ($ThisLine =~ /^\s*validating \@0x[[:xdigit:]]+: (.*) (\w+): no valid signature found/)) {
+ $DNSSECInvalid{'__Total__'}++;
+ $DNSSECInvalid{$Zone}{$RR}++;
+ } elsif (($Zone,$RR) = ($ThisLine =~ /^\s*validating \@0x[[:xdigit:]]+: (.*) (\w+): bad cache hit/)) {
+ $DNSSECBadCache{'__Total__'}++;
+ $DNSSECBadCache{$Zone}{$RR}++;
+ } elsif (($Error,$Host) = ($ThisLine =~ /error \((.*)\) resolving '([^']+)':/)) {
+ $DNSSECError{$Error}{'__Total__'}++;
+ $DNSSECError{$Error}{$Host}++;
} else {
# Report any unmatched entries...
# remove PID from named messages
@@ -713,6 +731,51 @@ if (keys %Hints) {
}
}
+if (($Detail >= 5) and (keys %DNSSECInsec)) {
+ print "\n DNSSEC Insecure Responses: " . $DNSSECInsec{'__Total__'} . " Time(s)\n";
+ foreach $Zone (sort keys %DNSSECInsec) {
+ if (($Detail >= 10) and ($Zone =~ /.+/) and ($Zone ne '__Total__')) {
+ foreach $RR (sort keys %{$DNSSECInsec{$Zone}}) {
+ print " " . "$Zone/$RR: " . $DNSSECInsec{$Zone}{$RR} . " Time(s)\n";
+ }
+ }
+ }
+}
+
+if (($Detail >= 5) and (keys %DNSSECInvalid)) {
+ print "\n DNSSEC No Valid Signature: " . $DNSSECInvalid{'__Total__'} . " Time(s)\n";
+ foreach $Zone (sort keys %DNSSECInvalid) {
+ if (($Detail >= 10) and ($Zone =~ /.+/) and ($Zone ne '__Total__')) {
+ foreach $RR (sort keys %{$DNSSECInvalid{$Zone}}) {
+ print " " . "$Zone/$RR: " . $DNSSECInvalid{$Zone}{$RR} . " Time(s)\n";
+ }
+ }
+ }
+}
+
+if (($Detail >= 5) and (keys %DNSSECBadCache)) {
+ print "\n DNSSEC Bad Cache hit: " . $DNSSECBadCache{'__Total__'} . " Time(s)\n";
+ foreach $Zone (sort keys %DNSSECBadCache) {
+ if (($Detail >= 10) and ($Zone =~ /.+/) and ($Zone ne '__Total__')) {
+ foreach $RR (sort keys %{$DNSSECBadCache{$Zone}}) {
+ print " " . "$Zone/$RR: " . $DNSSECBadCache{$Zone}{$RR} . " Time(s)\n";
+ }
+ }
+ }
+}
+
+if (($Detail >= 5) and (keys %DNSSECError)) {
+ print "\n DNS Errors:\n";
+ foreach $Error (sort keys %DNSSECError) {
+ print " $Error: " . $DNSSECError{$Error}{'__Total__'} . " Time(s)\n";
+ if ($Detail >= 10) {
+ foreach $Host (sort keys %{$DNSSECError{$Error}}) {
+ print " " . "$Host: " . $DNSSECError{$Error}{$Host} . " Time(s)\n" unless ($Host eq '__Total__');
+ }
+ }
+ }
+}
+
if (keys %OtherList) {
print "\n**Unmatched Entries**\n";
foreach $line (sort {$a cmp $b} keys %OtherList) {

95
logwatch-postfix.patch
View File

@ -1,95 +0,0 @@
diff -up logwatch-7.3.6/scripts/services/postfix.pom logwatch-7.3.6/scripts/services/postfix
--- logwatch-7.3.6/scripts/services/postfix.pom 2007-05-14 19:27:27.000000000 +0200
+++ logwatch-7.3.6/scripts/services/postfix 2008-10-29 13:37:05.000000000 +0100
@@ -693,7 +693,7 @@ while ( <> ) {
my ($helo, $relay, $from, $origto, $to, $domain, $status,
$type, $reason, $reason2, $filter, $site, $cmd, $qid, $p2,
- $rej_action, $host, $hostip);
+ $rej_action, $host, $hostip, $size);
# ^fatal: ...
if ( ($reason) = ($p1 =~ /^fatal: (.*)$/ )) {
@@ -769,8 +769,9 @@ while ( <> ) {
#TD disconnect from mail.example.com[2001:dead:beef::1]
$Totals{'Disconnection'}++;
}
- elsif (($host,$hostip,$reason) = ($p1 =~ /^connect to ([^[]*)\[($re_IP)\]: (.*)$/o)) {
+ elsif (($host,$hostip,$reason) = ($p1 =~ /^connect to ([^[]*)\[($re_IP)\]:?[0-9]*: (.*)$/o)) {
# all "connect to" messages indicate a problem with the connection
+ #TD connect to mail.bues.ru[82.146.62.193]:25: Connection refused
#TD connect to example.org[10.0.0.1]: Connection refused (port 25)
#TD connect to mail.sample.com[10.0.0.1]: No route to host (port 25)
#TD connect to sample.net[192.168.0.1]: read timeout (port 25)
@@ -1521,6 +1522,11 @@ while ( <> ) {
$Totals{'RejectMilter'}++;
#$Counts{'RejectMilter'}{$cmd}{formathost($hostip,$host)}{$reason}{$p3}++;
$Counts{'RejectMilter'}{$cmd}{formathost($hostip,$host)}{$reason}++;
+
+ } elsif ( ($host,$hostip,$reason) = ($p1 =~ /host ([^ ]*)\[([^ ]*)\] refused to talk to me: [0-9]* .*: Connection refused. (.*)/)) {
+ # TD host mx10.hanmail.net[211.43.197.142] refused to talk to me: 554 5.7.1 CCRX 80.95.96.6: Connection refused. Your IP address is blocked(anti-spam)
+ $Totals{'ConnectToFailure'}++;
+ $Counts{'ConnectToFailure'}{$reason}{formathost($hostip,$host)}++;
} else {
# keep this as the last condition in this else clause
@@ -1530,8 +1536,9 @@ while ( <> ) {
# end of $re_QID section
# see also ConnectionLost in $re_QID section
- elsif ( ($reason,$host,$hostip) = ($p1 =~ /lost connection (after [^ ]*) from ([^[]*)\[($re_IP|unknown)\]$/o )) {
+ elsif ( ($reason,$host,$hostip) = ($p1 =~ /lost connection (after [^ ]*) (\(\d+ bytes\) )?from ([^[]*)\[($re_IP|unknown)\]$/o )) {
unless ($hostip =~ /unknown/) {
+ #TD lost connection after DATA (0 bytes) from mail.example.com[192.168.0.1]
#TD lost connection after CONNECT from mail.example.com[192.168.0.1]
$Totals{'ConnectionLost'}++;
$Counts{'ConnectionLost'}{"\u$reason"}{formathost($hostip,$host)}++;
@@ -1570,7 +1577,8 @@ while ( <> ) {
}
# see also TimeoutInbound in $re_QID section
- elsif ( ($reason,$host,$hostip) = ($p1 =~ /^timeout (after [^ ]*) from ([^[]*)\[($re_IP)\]$/o)) {
+ elsif ( ($reason,$host,$hostip) = ($p1 =~ /^timeout (after [^ ]*) (\(\d+ bytes\) )?from ([^[]*)\[($re_IP)\]$/o)) {
+ #TD timeout after DATA (0 bytes) from unknown[85.102.182.31]
#TD timeout after RSET from example.com[192.168.0.1]
$Totals{'TimeoutInbound'}++;
$Counts{'TimeoutInbound'}{"\u$reason"}{formathost($hostip,$host)}++;
@@ -1593,7 +1601,8 @@ while ( <> ) {
### smtpd_tls_loglevel >= 1
# Server TLS messages
- elsif ( ($status,$host,$hostip,$type) = ($p1 =~ /^(?:(Trusted|Untrusted) )?TLS connection established from ([^[]+)\[($re_IP)\]: (.*)$/o )) {
+ elsif ( ($status,$host,$hostip,$type) = ($p1 =~ /^(?:(Trusted|Untrusted|Anonymous) )?TLS connection established from ([^[]+)\[($re_IP)\]: (.*)$/o )) {
+ #DT Anonymous TLS connection established from fractal.kaosol.net[216.150.215.72]: TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)
#TD TLS connection established from example.com[192.168.0.1]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
# Postfix 2.5+: status: Untrusted or Trusted
#TD Untrusted TLS connection established from example.com[192.168.0.1]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
@@ -1625,12 +1634,18 @@ while ( <> ) {
$Totals{'TlsUnverified'}++;
$Counts{'TlsUnverified'}{$cert}++;
+ } elsif ( ($cert) = ($p1 =~ /: Untrusted: (subject_CN=.*)/)) {
+ #TD Untrusted: subject_CN=EXAMPLE-MAIL, issuer=EXAMPLE-MAIL,
+ $Totals{'TlsUnverified'}++;
+ $Counts{'TlsUnverified'}{$cert}++;
+
} elsif ( ($p1 =~ m/(lookup )?table ([^ ]+ )?has changed -- (restarting|exiting)$/)) {
#TD table hash:/etc/postfix/helo_checks has changed -- restarting
$Totals{'TableChanged'}++;
- } elsif ( ($cmd,$host,$hostip) = ($p1 =~ /too many errors after ([^ ]*) from ([^[]*)\[($re_IP)\]$/o)) {
+ } elsif ( ($cmd,$size,$host,$hostip) = ($p1 =~ /too many errors after ([^ ]*) (\(\d+ bytes\) )?from ([^[]*)\[($re_IP)\]$/o)) {
#TD too many errors after AUTH from sample.net[10.0.0.1]
+ #TD too many errors after DATA (0 bytes) from aasq46.neoplus.adsl.tpnet.pl[83.5.228.46]
$Totals{'TooManyErrors'}++;
$Counts{'TooManyErrors'}{"After $cmd"}{formathost($hostip,$host)}++;
@@ -2163,7 +2178,7 @@ sub cleanhostreply($ $ $ $) {
#print "HOSTREPLY: \"$hostreply\"\n";
if (($host,$r1) = ($hostreply =~ /host (\S+) said: $re_DSN[\- ]"?(.*)"?$/o)) {
# Strip recipient address from host's reply - we already have it in $recip.
- $r1 =~ s/[<(]?$recip[>)]?\W*//ig;
+ $r1 =~ s/[<(]?\Q$recip\E[>)]?\W*//ig;
# Strip and capture "in reply to XYZ command" from host's reply
if ($r1 =~ s/\s*[(]?(in reply to .* command)[)]?//) {

14
logwatch.spec
View File

@ -1,7 +1,7 @@
Summary: A log file analysis program
Name: logwatch
Version: 7.3.6
Release: 67.20110228svn46%{?dist}
Release: 68.20110228svn46%{?dist}
License: MIT
Group: Applications/System
URL: http://www.logwatch.org/
@ -15,12 +15,10 @@ Source0: logwatch-svn46.tar.xz
Patch0: logwatch-vsftpd.patch
# Not applied by upstream.
Patch1: logwatch-oldfiles.patch
# Cannot be applied, as the postfix service has been reverted to some
# older version by upstream due to licensing issues. Some parts are
# solved by upstream.
#Patch2: logwatch-postfix.patch
# Fixes not yet in upstream for /var/log/secure (rhbz#673760)
Patch3: logwatch-secure.patch
Patch2: logwatch-secure.patch
# Fixes not yet in upstream for DNSSEC messages in named service (rhbz#666394)
Patch3: logwatch-named-dnssec.patch
Requires: textutils sh-utils grep mailx
Requires: perl(Date::Manip)
BuildArchitectures: noarch
@ -35,6 +33,7 @@ of the package on many systems.
%setup -q -n logwatch-svn46
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
rm -f scripts/services/*.orig
@ -130,6 +129,9 @@ echo "# Configuration overrides for specific logfiles/services may be placed her
%doc LICENSE
%changelog
* Mon Mar 28 2011 Karel Klíč <kklic@redhat.com> - 7.3.6-68.20110228svn46
- Added -named-dnessec patch to handle DNSSEC messages in named (rhbz#666394)
* Sun Mar 6 2011 Frank Crawford <frank@crawford.emu.id.au> - 7.3.6-67.20110228svn46
- Handle additional messages in /var/log/secure (rhbz#673760)