Import from AlmaLinux stable repository

.logwatch.metadata

@@ -1 +0,0 @@
-8a4c3889c478e27a62488a9f1619d938016faf4d SOURCES/logwatch-7.4.3.tar.gz

SOURCES/auditd-startup-messages.patch

@@ -0,0 +1,19 @@
+--- a/scripts/services/audit	2022/01/22 17:22:03
++++ b/scripts/services/audit	2022/01/22 17:35:34
+@@ -134,10 +134,13 @@
+         ( $ThisLine =~ /type=[0-9]+ audit\([0-9.]*:[0-9]*\): table=/) or
+         ( $ThisLine =~ /audit_printk_skb: [0-9]* callbacks suppressed/) or
+ 	( $ThisLine =~ /item=[0-9] name="\S*" inode=[0-9]+ dev=\S* mode=[0-9]* ouid=[0-9]* ogid=[0-9]* rdev=[0-9:]* obj=\S*/) or
+-	( $ThisLine =~ /^auditctl(?:\[[0-9]+\])?: No rules$/ )
++	( $ThisLine =~ /^auditctl(?:\[[0-9]+\])?: No rules$/ ) or
++	( $ThisLine =~ /No plugins found, not dispatching events/ )
+     ) {
+ 	# Ignore these entries
+-    } elsif ( $ThisLine =~ /audit\([0-9]{10}.[0-9]{3}:[0-9]\): initialized$/) {
++    } elsif (( $ThisLine =~ /audit\([0-9]{10}.[0-9]{3}:[0-9]\): initialized$/ ) or
++	     ( $ThisLine =~ /audit\([0-9]{10}.[0-9]{3}:[0-9]\): state=initialized / )
++    ) {
+       $NumberOfInits++;
+     } elsif ( $ThisLine =~ /Init complete, audit pid set to: [0-9]+/) {
+       $NumberOfDStartsPid++;
+

SOURCES/deduplicate-sudo.patch

@@ -0,0 +1,11 @@
+--- a/conf/services/secure.conf	2016-03-30 23:32:33.000000000 +0200
++++ b/conf/services/secure.conf	2023-06-27 19:42:42.296713366 +0200
+@@ -24,7 +24,7 @@
+ # Use this to ignore certain services in the secure log.
+ # You can ignore as many services as you would like.
+ # (we ignore sshd because its entries are processed by the sshd script)
+-$ignore_services = sshd Pluto stunnel proftpd saslauthd imapd postfix/smtpd
++$ignore_services = sshd Pluto stunnel proftpd saslauthd imapd postfix/smtpd sudo
+ 
+ # For these services, summarize only (i.e. don't least each IP, just
+ # list the number of connections total)

SOURCES/ignore-server-ready.patch

@@ -0,0 +1,13 @@
+--- a/scripts/services/fail2ban
++++ b/scripts/services/fail2ban
+@@ -91,7 +91,8 @@
+          ($ThisLine =~ /INFO\s+(Stopping all jails|Exiting Fail2ban)/) or
+          ($ThisLine =~ /INFO\s+Initiated '.*' backend/) or
+          ($ThisLine =~ /INFO\s+(Added logfile = .*|Set maxRetry = \d+|Set findtime = \d+|Set banTime = \d+)/) or
+-         ($ThisLine =~ /Unable to find a corresponding IP address for .*: \[Errno -2\] Name or service not known/)
++         ($ThisLine =~ /Unable to find a corresponding IP address for .*: \[Errno -2\] Name or service not known/) or
++         ($ThisLine =~ /: Server ready$/)
+        )
+     {
+         if ( $Debug >= 6 ) {
+

SOURCES/logwatch-failed-login.patch

@@ -0,0 +1,20 @@
+--- a/scripts/services/sshd	2022/01/20 15:28:35	1.1
++++ b/scripts/services/sshd	2022/01/20 15:32:01
+@@ -1,3 +1,5 @@
++#!/usr/bin/env perl
++
+ ##########################################################################
+ # $Id$
+ ##########################################################################
+@@ -376,6 +378,11 @@
+          print STDERR "DEBUG: Found -Failed login- line\n";
+       }
+       $BadLogins{$Host}{"$User/$Method"}++;
++   } elsif ( my ($User,$Host) = ( $ThisLine =~ m/^Disconnected from authenticating user (\S+) (\S+) / ) ) {
++      if ( $Debug >= 5 ) {
++         print STDERR "DEBUG: Found -Disconnected Failed login- line\n";
++      }
++      $BadLogins{$Host}{$User}++;
+    } elsif ($ThisLine =~ s/^(log: )?Could not reverse map address ([^ ]*).*$/$2/) {
+       $NoRevMap{$ThisLine}++;
+    } elsif ( my ($Address) = ($ThisLine =~ /^reverse mapping checking getaddrinfo for (\S+( \[\S+\])?) failed - POSSIBLE BREAK-IN ATTEMPT!/)) {

SOURCES/logwatch-pam-unix.patch

@@ -0,0 +1,20 @@
+===================================================================
+RCS file: /usr/share/logwatch/scripts/services/RCS/pam_unix,v
+retrieving revision 1.1
+diff -u -r1.1 /usr/share/logwatch/scripts/services/pam_unix
+--- a/scripts/services/pam_unix	2022/01/20 14:21:24	1.1
++++ b/scripts/services/pam_unix	2022/01/20 14:22:35
+@@ -340,6 +340,12 @@
+       } else  {
+          $data{$service}{'Unknown Entries'}{$line}++;
+       }
++   } elsif ($service eq 'systemd-user') {
++      if ($line =~ /session (?:opened|closed) for user /) {
++         # ignore this line
++      } else {
++         $data{$service}{'Unknown Entries'}{$line}++;
++      }
+    } else {
+       $data{$service}{'Unknown Entries'}{$line}++;
+    }
+

SOURCES/polkit-startup-messages.patch

@@ -0,0 +1,13 @@
+--- a/scripts/services/secure
++++ b/scripts/services/secure
+@@ -273,6 +273,9 @@
+       ( $ThisLine =~ /polkit-grant-helper-pam\[\d+\]: pam_thinkfinger\(polkit:auth\): conversation failed/) or
+       ( $ThisLine =~ /polkitd\(authority=.*\): (Unr|R)egistered Authentication Agent/) or
+       ( $ThisLine =~ /polkitd\(authority=.*\): Operator of unix-session:/) or
++      ( $ThisLine =~ /polkitd.*Acquired the name .* on the system bus/) or
++      ( $ThisLine =~ /polkitd.*Finished loading, compiling/) or
++      ( $ThisLine =~ /polkitd.*Loading rules from directory /) or
+       ( $ThisLine =~ /(gdm-session-worker|gdm-password|gnome-screensaver-dialog)\[\d+\]: gkr-pam: no password is available for user/) or
+       ( $ThisLine =~ /gkr-pam: the password for the login keyring was invalid/) or
+       ( $ThisLine =~ /groupadd\[\d+\]: group added to /) or    # Details in other messages
+

SOURCES/ras-correctable-errors.patch

@@ -0,0 +1,11 @@
+--- a/scripts/services/kernel
++++ b/scripts/services/kernel
+@@ -135,6 +135,7 @@
+       $SkipError = 1 if $ThisLine =~ /ERST: Error Record Serialization Table \(ERST\) support is initialized/;
+       $SkipError = 1 if $ThisLine =~ /GHES: Generic hardware error source: \d+ notified via .* is not supported/;
+       $SkipError = 1 if $ThisLine =~ /PCIe errors handled by (?:BIOS|OS)/;
++      $SkipError = 1 if $ThisLine =~ /RAS: Correctable Errors collector initialized\.$/;
+       # These happen when kerberos tickets expire, which can be normal
+       $SkipError = 1 if $ThisLine =~ /Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server/ && $Ignore_rpcsec_expired;
+       # filter out mount options
+

SOURCES/sendmail-6-digit-pid.patch

@@ -0,0 +1,12 @@
+--- a/scripts/services/sendmail
++++ b/scripts/services/sendmail
+@@ -388,7 +388,7 @@
+ }
+ 
+ # QueueID formats: in 8.11 it was \w{7}\d{5}, in 8.12+ it is \w{8}\d{6}
+-my $QueueIDFormat = "(?:\\w{7,9}\\d{5}|NOQUEUE)";
++my $QueueIDFormat = "(?:\\w{7,9}\\d{5,6}|NOQUEUE)";
+ 
+ # ENOENT refers to "no such file or directory"
+ my $ENOENT = Errno::ENOENT();
+

SOURCES/sshd-sort-by-count.patch

@@ -0,0 +1,23 @@
+--- a/scripts/services/sshd
++++ b/scripts/services/sshd
+@@ -566,7 +566,8 @@
+ 
+ if (keys %BadLogins) {
+    print "\nFailed logins from:\n";
+-   foreach my $ip (sort SortIP keys %BadLogins) {
++   my $totalSort = TotalCountOrder(%BadLogins, \&SortIP);
++   foreach my $ip (sort $totalSort keys %BadLogins) {
+       my $name = LookupIP($ip);
+       my $totcount = 0;
+       foreach my $user (keys %{$BadLogins{$ip}}) {
+@@ -587,7 +588,8 @@
+ 
+ if (keys %IllegalUsers) {
+    print "\nIllegal users from:\n";
+-   foreach my $ip (sort SortIP keys %IllegalUsers) {
++   my $totalSort = TotalCountOrder(%IllegalUsers, \&SortIP);
++   foreach my $ip (sort $totalSort keys %IllegalUsers) {
+       my $name = LookupIP($ip);
+       my $totcount = 0;
+       foreach my $user (keys %{$IllegalUsers{$ip}}) {
+

SOURCES/systemd-noise-filter.patch

@@ -0,0 +1,31 @@
+--- a/scripts/services/systemd	2022/01/20 16:00:56	1.1
++++ b/scripts/services/systemd	2022/01/20 16:14:16
+@@ -42,7 +42,7 @@
+        $ThisLine =~ / failed\.$/ or
+        $ThisLine =~ /: (control|main) process exited, code=(exited|killed),? status=/ or
+        # Informational
+-       $ThisLine =~ /^Closed .* socket\.$/ or
++       $ThisLine =~ /^Closed .* [Ss]ocket\.$/ or
+        $ThisLine =~ /^Closed udev / or
+        $ThisLine =~ /^Detected (architecture|virtualization) / or
+        $ThisLine =~ /^Found device / or
+@@ -76,11 +76,17 @@
+        $ThisLine =~ /^Configuration file \/usr\/lib\/systemd\/system\/wpa_supplicant\.service is marked executable/ or
+        # https://bugzilla.redhat.com/show_bug.cgi?id=1306452 
+        $ThisLine =~ /^tmp\.mount: Directory \/tmp to mount over is not empty, mounting anyway\.$/ or
+-       $ThisLine =~ /^Received SIGRTMIN\+2[01] from PID \d+ \(plymouthd\)\.$/ or
++       $ThisLine =~ /^Received SIGRTMIN\+2[01] from PID \d+ \((?:plymouthd|n\/a)\)\.$/ or
+        # https://bugzilla.redhat.com/show_bug.cgi?id=1072368
+        $ThisLine =~ /^Received SIGRTMIN\+24 from PID \d+ \(kill\)\.$/ or
+        $ThisLine =~ /^Removed slice / or
+-       $ThisLine =~ /^pam_unix\(systemd-user:session\): session (?:opened|closed) for user/
++       $ThisLine =~ /^pam_unix\(systemd-user:session\): session (?:opened|closed) for user/ or
++       # Ex: user-runtime-dir@1001.service: Succeeded.
++       $ThisLine =~ /: Succeeded\.$/ or
++       # Ex: Reloading Fail2Ban Service.
++       $ThisLine =~ /^Reloading .*\.$/ or
++       # Ex: Set up automount Arbitrary Executable File Formats File System Automount Point.
++       $ThisLine =~ /^Set up .*\.$/
+    ) {
+       # Ignore these
+    } elsif (my ($service) = ($ThisLine =~ /^Unit (.*) entered failed state\.$/)) {

SPECS/logwatch.spec

@@ -1,7 +1,7 @@
 Summary: A log file analysis program
 Name: logwatch
 Version: 7.4.3
-Release: 11%{?dist}
+Release: 21%{?dist}
 License: MIT
 Group: Applications/System
 URL: http://www.logwatch.org/
@@ -24,6 +24,16 @@ Patch7: logwatch-sshd-2.patch
 # https://sourceforge.net/p/logwatch/git/ci/b325c68f83ef6c3e3ec9f35c8fdeff5b43fd8559/
 # cherry-pick hunk at @@ -224,7 +224,7 @@
 Patch8: logwatch-dovecot.patch
+Patch9: logwatch-pam-unix.patch
+Patch10: logwatch-failed-login.patch
+Patch11: systemd-noise-filter.patch
+Patch12: auditd-startup-messages.patch
+Patch13: ignore-server-ready.patch
+Patch14: ras-correctable-errors.patch
+Patch15: deduplicate-sudo.patch
+Patch16: polkit-startup-messages.patch
+Patch17: sshd-sort-by-count.patch
+Patch18: sendmail-6-digit-pid.patch
 
 BuildRequires: perl-generators
 Requires: grep mailx
@@ -50,6 +60,16 @@ of the package on many systems.
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1
+%patch18 -p1
 rm -f scripts/services/*.orig
 
 %build
@@ -149,6 +169,46 @@ echo "# Configuration overrides for specific logfiles/services may be placed her
 %{_mandir}/man*/*
 
 %changelog
+* Wed Jun 28 2023 Pavel Šimovec <psimovec@redhat.com> - 7.4.3-21
+- fix sendmail logwatch script to allow 6-digit PIDs
+- Resolves: rhbz#2046459
+
+* Wed Jun 28 2023 Pavel Šimovec <psimovec@redhat.com> - 7.4.3-20
+- sshd sort failed logins and illegal users by count, not IP address
+- Resolves: rhbz#2044101
+
+* Wed Jun 28 2023 Pavel Šimovec <psimovec@redhat.com> - 7.4.3-19
+- ignore harmless polkit startup messages
+- Resolves: rhbz#2043952
+
+* Tue Jun 27 2023 Pavel Šimovec <psimovec@redhat.com> - 7.4.3-18
+- ignore sudo service as it is already reported in secure service
+- Resolves: rhbz#2043951
+
+* Tue Jun 27 2023 Pavel Šimovec <psimovec@redhat.com> - 7.4.3-17
+- do not treat "RAS: Correctable Errors collector initialized" message as an error
+- Resolves: rhbz#2043946
+
+* Tue Jun 27 2023 Pavel Šimovec <psimovec@redhat.com> - 7.4.3-16
+- ignore normal "Server ready" startup message from fail2ban
+- Resolves: rhbz#2043944
+
+* Tue Jun 27 2023 Pavel Šimovec <psimovec@redhat.com> - 7.4.3-15
+- ignore a couple of normal auditd startup messages
+- Resolves: rhbz#2043942
+
+* Tue Jun 27 2023 Pavel Šimovec <psimovec@redhat.com> - 7.4.3-14
+- patch to logwatch systemd script to add some filtering
+- Resolves: rhbz#2043109
+
+* Thu Apr 20 2023 Pavel Šimovec <psimovec@redhat.com> - 7.4.3-13
+- fix unrecognized "Disconnected from authenticating user" failed logins
+- Resolves: rhbz#2043088
+
+* Thu Apr 20 2023 Pavel Šimovec <psimovec@redhat.com> - 7.4.3-12
+- add logwatch-pam-unix.patch
+- Resolves: rhbz#2043044
+
 * Fri May 07 2021 Vincent Mihalkovic <vmihalko@redhat.com> - 7.4.3-11
 - add gating.yaml file