Date: Sun, 30 Jul 2017 15:47:59 +0000 (UTC) From: Matthew Seaman <matthew@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r446938 - in head/security/logcheck: . files Message-ID: <201707301547.v6UFlxiN016514@repo.freebsd.org>
Author: matthew Date: Sun Jul 30 15:47:59 2017 New Revision: 446938 URL: https://svnweb.freebsd.org/changeset/ports/446938 Log: * Update to 1.3.18. * The process for fixing paths in scripts and configuration files is simplified. * The logcheck man page is now generated from its DocBook SGML source using textproc/docbook-to-man. * Sort pkg-plist. * Add forgotten files/patch-etc_logcheck.logfiles. * Update files/patch-etc_logcheck.conf. * Move backup-file cleanup from post-patch to do-build so 'make makepatch' works as expected. PR: 220609 Submitted by: yasu@utahime.org (maintainer) Added: head/security/logcheck/files/patch-debian_logcheck.cron.d (contents, props changed) head/security/logcheck/files/patch-docs_README.logcheck (contents, props changed) head/security/logcheck/files/patch-docs_README.logcheck-database (contents, props changed) head/security/logcheck/files/patch-docs_README.logtail (contents, props changed) head/security/logcheck/files/patch-docs_logcheck-test.1 (contents, props changed) head/security/logcheck/files/patch-docs_logcheck.sgml (contents, props changed) head/security/logcheck/files/patch-docs_logtail2.8 (contents, props changed) head/security/logcheck/files/patch-etc_logcheck.conf (contents, props changed) head/security/logcheck/files/patch-etc_logcheck.logfiles (contents, props changed) head/security/logcheck/files/patch-src_logcheck (contents, props changed) head/security/logcheck/files/patch-src_logcheck-test (contents, props changed) head/security/logcheck/files/patch-src_logtail2 (contents, props changed) Deleted: head/security/logcheck/files/extra-patch-debian__logcheck.cron.d.in head/security/logcheck/files/extra-patch-docs__logcheck.8.in head/security/logcheck/files/extra-patch-etc__logcheck.conf.in head/security/logcheck/files/extra-patch-src__logcheck.in head/security/logcheck/files/extra-patch-src__logtail2.in Modified: head/security/logcheck/Makefile head/security/logcheck/distinfo 
head/security/logcheck/files/patch-rulefiles__linux__ignore.d.server__ssh head/security/logcheck/pkg-plist Modified: head/security/logcheck/Makefile ============================================================================== --- head/security/logcheck/Makefile Sun Jul 30 15:31:55 2017 (r446937) +++ head/security/logcheck/Makefile Sun Jul 30 15:47:59 2017 (r446938) @@ -2,7 +2,7 @@ # $FreeBSD$ PORTNAME= logcheck -PORTVERSION= 1.3.17 +PORTVERSION= 1.3.18 CATEGORIES= security MASTER_SITES= DEBIAN_POOL DISTNAME= ${PORTNAME}_${PORTVERSION} @@ -11,7 +11,9 @@ MAINTAINER= yasu@utahime.org COMMENT= Auditing tool for system logs on Unix boxes LICENSE= GPLv2 +LICENSE_FILE= ${WRKSRC}/LICENSE +BUILD_DEPENDS= docbook-to-man>0:textproc/docbook-to-man RUN_DEPENDS= mime-construct:mail/mime-construct \ lockfile:mail/procmail \ bash:shells/bash 
@@ -38,39 +40,32 @@ WRKSRC= ${WRKDIR}/${DISTNAME:S!_!-!}
 BINMODE= 755
 SUB_LIST+= LOGCHECK_USER=${LOGCHECK_USER} \
 LOGCHECK_GROUP=${LOGCHECK_GROUP} \
- CRON=${PORT_OPTIONS:MCRON}
+ DBDIR=${DBDIR} CRON=${PORT_OPTIONS:MCRON}
 SUB_FILES= pkg-install pkg-deinstall pkg-message
 PLIST_SUB+= LOGCHECK_USER=${LOGCHECK_USER} \
 LOGCHECK_GROUP=${LOGCHECK_GROUP} \
 DBDIR=${DBDIR} RUNDIR=${RUNDIR}
-SHEBANG_FILES= src/logcheck src/logtail src/logtail2
+SHEBANG_FILES= src/logcheck src/logtail src/logtail2 src/detectrotate/*.dtr
 CONFIG_DIRS= cracking.d ignore.d.paranoid ignore.d.server \
 ignore.d.workstation violations.d violations.ignore.d
-DOCS= AUTHORS CHANGES CREDITS LICENSE TODO docs/README*
+DOCS= AUTHORS CHANGES CREDITS TODO docs/README*
 PORTDOCS= ${DOCS:T}
-MAN_FILES= logcheck.8 logtail.8 logtail2.8
+MAN1_FILES= logcheck-test.1
+MAN8_FILES= logcheck.8 logtail.8 logtail2.8
+REINPLACE_FILES= debian/logcheck.cron.d docs/logcheck.sgml \
+ docs/logtail2.8 docs/README.logcheck \
+ docs/README.logcheck-database docs/README.logtail \
+ etc/logcheck.conf src/logcheck src/logtail2
-PATCH_LIST= extra-patch-debian__logcheck.cron.d \
- extra-patch-docs__logcheck.8 \
- extra-patch-etc__logcheck.conf \
- extra-patch-src__logcheck \
- extra-patch-src__logtail2
-EXTRA_PATCHES= ${PATCH_LIST:C|^|${WRKDIR}/|g}
-
 .include <bsd.port.pre.mk>
-pre-patch:
-.for patch in ${PATCH_LIST}
- @${SED} ${_SUB_LIST_TEMP} ${FILESDIR}/${patch}.in > ${WRKDIR}/${patch}
+do-build:
+.for file in ${REINPLACE_FILES}
+ ${REINPLACE_CMD} ${_SUB_LIST_TEMP} ${WRKSRC}/${file}
 .endfor
+ docbook-to-man ${WRKSRC}/docs/logcheck.sgml > ${WRKSRC}/docs/logcheck.8
+ ${FIND} ${WRKSRC} -type f \( -name \*.orig -o -name \*.bak \) -delete
-post-patch:
- @${FIND} ${WRKSRC}/rulefiles -type f -name \*.orig -delete
-
-do-build:
- @${REINPLACE_CMD} -e 's!/var/log/syslog!/var/log/messages!' \
- ${WRKSRC}/etc/logcheck.logfiles
-
 do-install:
 @${MKDIR} ${STAGEDIR}${DATADIR}/detectrotate \
 ${STAGEDIR}${DBDIR} \
@@ -78,6 +73,7 @@ do-install: ${STAGEDIR}${ETCDIR} \ ${STAGEDIR}${EXAMPLESDIR} \ ${STAGEDIR}${RUNDIR} + ${INSTALL_SCRIPT} ${WRKSRC}/src/logcheck-test ${STAGEDIR}${PREFIX}/bin ${INSTALL_SCRIPT} ${WRKSRC}/src/logcheck ${STAGEDIR}${PREFIX}/sbin ${INSTALL_SCRIPT} ${WRKSRC}/src/logtail ${STAGEDIR}${PREFIX}/sbin ${INSTALL_SCRIPT} ${WRKSRC}/src/logtail2 ${STAGEDIR}${PREFIX}/sbin @@ -97,7 +93,10 @@ do-install: @${ECHO_CMD} '@exec ${CHGRP} -R ${LOGCHECK_GROUP} \ ${ETCDIR:S|^${PREFIX}/|%D/|} \ ${DATADIR:S|^${PREFIX}/|%D/|}' >> ${TMPPLIST} -.for i in ${MAN_FILES} +.for i in ${MAN1_FILES} + ${INSTALL_MAN} ${WRKSRC}/docs/$i ${STAGEDIR}${MAN1PREFIX}/man/man1 +.endfor +.for i in ${MAN8_FILES} ${INSTALL_MAN} ${WRKSRC}/docs/$i ${STAGEDIR}${MAN8PREFIX}/man/man8 .endfor cd ${WRKSRC} && ${INSTALL_DATA} ${DOCS} ${STAGEDIR}${DOCSDIR} Modified: head/security/logcheck/distinfo ============================================================================== --- head/security/logcheck/distinfo Sun Jul 30 15:31:55 2017 (r446937) +++ head/security/logcheck/distinfo Sun Jul 30 15:47:59 2017 (r446938) @@ -1,2 +1,3 @@ -SHA256 (logcheck_1.3.17.tar.xz) = c2d3fc323e8c6555e91d956385dbfd0f67b55872ed0f6a7ad8ad2526a9faf03a -SIZE (logcheck_1.3.17.tar.xz) = 130956 +TIMESTAMP = 1499679623 +SHA256 (logcheck_1.3.18.tar.xz) = 077b9149ccd2b747b52785afa89da844f3d072c017c9e719925dec6acb9a9af4 +SIZE (logcheck_1.3.18.tar.xz) = 131252 Added: head/security/logcheck/files/patch-debian_logcheck.cron.d ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/logcheck/files/patch-debian_logcheck.cron.d Sun Jul 30 15:47:59 2017 (r446938) 
@@ -0,0 +1,16 @@
+--- debian/logcheck.cron.d.orig 2017-01-25 21:08:04 UTC
++++ debian/logcheck.cron.d
+@@ -1,9 +1,5 @@
+-# /etc/cron.d/logcheck: crontab entries for the logcheck package
+-
+-PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
++# crontab entries for the logcheck package
++PATH=/sbin:/bin:/usr/sbin:/usr/bin:%%PREFIX%%/sbin:%%PREFIX%%/bin
+ MAILTO=root
+-
+-@reboot logcheck if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck -R; fi
+-2 * * * * logcheck if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck; fi
+-
+-# EOF
++@reboot if [ -x %%PREFIX%%/sbin/logcheck ]; then nice -n10 %%PREFIX%%/sbin/logcheck -R; fi
++2 * * * * if [ -x %%PREFIX%%/sbin/logcheck ]; then nice -n10 %%PREFIX%%/sbin/logcheck; fi
Added: head/security/logcheck/files/patch-docs_README.logcheck
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/logcheck/files/patch-docs_README.logcheck Sun Jul 30 15:47:59 2017 (r446938)
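Review bot: The rewritten `@reboot` and `2 * * * *` entries drop the `logcheck` user column that the Debian /etc/cron.d lines carried, so logcheck now runs as whichever user's crontab this snippet is installed into; src/logcheck in the same commit exits when `id -u` is 0, so putting it into root's crontab would make every scheduled run abort. Presumably pkg-install loads it into %%LOGCHECK_USER%%'s crontab when the CRON option is set, but that is not visible in this diff. I would say so in the file itself: `# Install these entries in the crontab of %%LOGCHECK_USER%% (crontab -u %%LOGCHECK_USER%%); logcheck refuses to run as root.` Appending %%PREFIX%% to the end of PATH is fine because both entries use absolute paths, but it is the opposite order from the Debian original, which is worth noting for anyone who later adds a non-absolute command.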
@@ -0,0 +1,16 @@ +--- docs/README.logcheck.orig 2017-01-25 21:08:04 UTC ++++ docs/README.logcheck +@@ -17,11 +17,11 @@ don't start overlapping. + ====================================================================== + LOG ENTRIES + ----------- +-These are taken from a specified set of logfiles (usually syslog and ++These are taken from a specified set of logfiles (usually messages and + auth.log); a special Perl utility named "logtail" is used which + "bookmarks" its place in the logs, so that events aren't reported + twice in successive logcheck runs. The offset records are stored as +-(eg) "/var/lib/logcheck/offset.var.log.syslog"; lines to be ++(eg) "%%DBDIR%%/offset.var.log.messages"; lines to be + considered by logcheck are copied into tempfiles in the working + directory "/var/tmp/logcheck". See the corresponding README for + logtail for further notes on complications such as log-rotation. Added: head/security/logcheck/files/patch-docs_README.logcheck-database ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/logcheck/files/patch-docs_README.logcheck-database Sun Jul 30 15:47:59 2017 (r446938) 
@@ -0,0 +1,105 @@ +--- docs/README.logcheck-database.orig 2017-01-25 21:08:04 UTC ++++ docs/README.logcheck-database +@@ -15,7 +15,7 @@ normal egrep pattern-matches, applied in + 1. the "SECURITY ALERTS" layer, designed to detect the traces of active + intrusion attempts. + +- Patterns raising the alarm go in "/etc/logcheck/cracking.d"; any ++ Patterns raising the alarm go in "%%ETCDIR%%/cracking.d"; any + event that matches one of these patterns turns the report + into an urgent "Security Alerts" report, with the relevant + event moved to a special section. The cracking.d standard +@@ -26,7 +26,7 @@ normal egrep pattern-matches, applied in + the default logcheck configuration, but if the local + administrator enables this layer of filtering in + logcheck.conf, then the rules go in the directory +- "/etc/logcheck/cracking.ignore.d". Matches with ++ "%%ETCDIR%%/cracking.ignore.d". Matches with + cracking.ignore rules will then reclassify the alert as a + false alarm (compare violations.ignore below). Note that + this means they are totally ignored - log messages handled +@@ -35,12 +35,12 @@ normal egrep pattern-matches, applied in + 2. the "SECURITY EVENTS" layer, designed to detect less critical + events still considered worthy of special attention. + +- Patterns raising the alarm go in "/etc/logcheck/violations.d"; ++ Patterns raising the alarm go in "%%ETCDIR%%/violations.d"; + matches with these result in a "Security Events" alert, + with the relevant event moved to a special section. + + Patterns cancelling such alarms go in the standard directory +- "/etc/logcheck/violations.ignore.d"; apparent "Security ++ "%%ETCDIR%%/violations.ignore.d"; apparent "Security + Events" that match with violations.ignore patterns are + discarded as false alarms. + +@@ -51,7 +51,7 @@ normal egrep pattern-matches, applied in + from the logfiles are considered for inclusion in the main + "System Events" section. 
+ +- Patterns in the three "/etc/logcheck/ignore.d.*" directories ++ Patterns in the three "%%ETCDIR%%/ignore.d.*" directories + again function to overrule alerts; the log messages that + match them are excluded from the report as trivial. The + specific directories consulted depend on the prevailing +@@ -78,13 +78,13 @@ underscore, and hyphen. + Contains filters relevant to only one Debian package - for example + if "fooserver" logs suspicious events like this: + "$DATE $HOSTNAME fooserver[$PID]: $USER is up to no good" +-then a line in "/etc/logcheck/violations.d/fooserver" with an ++then a line in "%%ETCDIR%%/violations.d/fooserver" with an + appropriate pattern will promote it from a mere "System Event" + to a full "Security Event" in a subsection of the mailing headed + "fooserver". Or then again if that kind of log message is more + trivial than it looks (maybe "foo" is a networked game of + spy-and-counterspy) then a line in +-"/etc/logcheck/ignore.d.server/fooserver" will turn it into a ++"%%ETCDIR%%/ignore.d.server/fooserver" will turn it into a + nonevent for all but the most assiduous of administrators. + + Sometimes a package will have not only special alarm calls which +@@ -107,7 +107,7 @@ that need to be processed. + + Standard "generic" rules go in each directory's "./logcheck" file; + thus for instance any log message at all matching "ATTACK" +-(listed in "/etc/logcheck/cracking.d/logcheck") _always_ triggers ++(listed in "%%ETCDIR%%/cracking.d/logcheck") _always_ triggers + a "Security Alert", unless you deliberately tamper with + "cracking.ignore.d" rules. + +@@ -122,12 +122,12 @@ non-package-specific "flagging" patterns + "fooserver" outputs syslog messages like this: + "$DATE $HOSTNAME fooserver[$PID]: 3 attempts 0 rejected" + then the standard keyword "reject" listed in the generic +-"/etc/logcheck/violations.d/logcheck" file will trigger frequent ++"%%ETCDIR%%/violations.d/logcheck" file will trigger frequent + "Security Events" reports. 
Putting a filtering pattern in +-"/etc/logcheck/violations.ignore.d/fooserver" won't help here! ++"%%ETCDIR%%/violations.ignore.d/fooserver" won't help here! + The solution is to use a file named in the specially-privileged + ./logcheck-<packagename> format: +-"/etc/logcheck/violations.ignore.d/logcheck-fooserver". ++"%%ETCDIR%%/violations.ignore.d/logcheck-fooserver". + This can contain patterns provided by that particular package + which nonetheless need to take precedence over the generic rules. + +@@ -137,8 +137,8 @@ Sysadmins can use the "local-*" filename + additions to the "logcheck-*" pattern lists. If you have "ippl" + logging network connections verbosely into syslog then you can put + custom "Security Events" keywords in +-"/etc/logcheck/violations.d/local-ippl" and exceptions in +-"/etc/logcheck/violations.ignore.d/local-ippl". ++"%%ETCDIR%%/violations.d/local-ippl" and exceptions in ++"%%ETCDIR%%/violations.ignore.d/local-ippl". + + + WRITING RULES +@@ -181,7 +181,7 @@ logcheck-test(1)). + Alternatively you can manually grep your log file, and remove trailing + space with something like this: + +- sed -e 's/[[:space:]]*$//' /var/log/syslog | egrep \ ++ sed -e 's/[[:space:]]*$//' /var/log/messages | egrep \ + '^\w{3} [ :0-9]{11} oempc wwwoffled\[[0-9]+\]: WWWOFFLE (On|Off)line\.$' + + If the log line is displayed, then your regex works. Added: head/security/logcheck/files/patch-docs_README.logtail ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/logcheck/files/patch-docs_README.logtail Sun Jul 30 15:47:59 2017 (r446938) 
@@ -0,0 +1,11 @@ +--- docs/README.logtail.orig 2017-01-25 21:08:04 UTC ++++ docs/README.logtail +@@ -28,7 +28,7 @@ Logtail2, a different executeable, also + guessing a file name that might have been the target of log rotation + and printing that file's contents starting with the stored offset. If + you have a non-standard rotation scheme, you can drop your own +-heuristic into /usr/share/logtail/detectrotate/ and have it ++heuristic into %%DATADIR%%/detectrotate/ and have it + automatically picked up by logtail2. + ====================================================================== + COMMANDLINE ARGUMENTS Added: head/security/logcheck/files/patch-docs_logcheck-test.1 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/logcheck/files/patch-docs_logcheck-test.1 Sun Jul 30 15:47:59 2017 (r446938) @@ -0,0 +1,26 @@ +--- docs/logcheck-test.1.orig 2017-01-25 21:08:04 UTC ++++ docs/logcheck-test.1 +@@ -38,8 +38,8 @@ Show usage information + .B \-a, \-\-auth.log + Parse /var/log/auth.log for matching lines + .TP +-.B \-s, \-\-syslog +-Parse /var/log/syslog for matching lines ++.B \-m, \-\-messages ++Parse /var/log/messages for matching lines + .TP + .B \-l, \-\-log\-file FILE + Parse FILE for matching lines +@@ -69,10 +69,10 @@ With + .B logcheck-test + you can easily write and test new rules. + .PP +-Test a single rule against /var/log/syslog: ++Test a single rule against /var/log/messages: + .RS + .fam C +-logcheck-test \-s "RULE" ++logcheck-test \-m "RULE" + .fam T + .RE + Added: head/security/logcheck/files/patch-docs_logcheck.sgml ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/logcheck/files/patch-docs_logcheck.sgml Sun Jul 30 15:47:59 2017 (r446938) 
@@ -0,0 +1,17 @@ +--- docs/logcheck.sgml.orig 2017-01-25 21:08:04 UTC ++++ docs/logcheck.sgml +@@ -244,10 +244,10 @@ manpage.1: manpage.sgml + <refsect1> + <title>FILES</title> + +- <para>/etc/logcheck/logcheck.conf is the main configuration file.</para> +- <para>/etc/logcheck/logcheck.logfiles is the list of files to monitor.</para> +- <para>/etc/logcheck/logcheck.logfiles.d is the directory of lists of files to monitor.</para> +- <para>/usr/share/doc/logcheck-database/README.logcheck-database.gz for hints on how to write, test and maintain rules.</para> ++ <para>%%ETCDIR%%/logcheck.conf is the main configuration file.</para> ++ <para>%%ETCDIR%%/logcheck.logfiles is the list of files to monitor.</para> ++ <para>%%ETCDIR%%/logcheck.logfiles.d is the directory of lists of files to monitor.</para> ++ <para>%%DOCSDIR%%/README.logcheck-database for hints on how to write, test and maintain rules.</para> + </refsect1> + <refsect1> + <title>EXIT STATUS</title> Added: head/security/logcheck/files/patch-docs_logtail2.8 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/logcheck/files/patch-docs_logtail2.8 Sun Jul 30 15:47:59 2017 (r446938) @@ -0,0 +1,11 @@ +--- docs/logtail2.8.orig 2017-01-25 21:08:04 UTC ++++ docs/logtail2.8 +@@ -38,7 +38,7 @@ is not empty, the inode of + is checked. If the inode is changed, + .B logtail2 + uses the heuristics stored in +-.I /usr/share/logtail/detectrotate/ ++.I %%DATADIR%%/detectrotate/ + to find a file that might be the rotated + .I logfile + and prints it starting with the stored offset. It then proceeds to Added: head/security/logcheck/files/patch-etc_logcheck.conf ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/logcheck/files/patch-etc_logcheck.conf Sun Jul 30 15:47:59 2017 (r446938) 
@@ -0,0 +1,37 @@
+--- etc/logcheck.conf.orig 2017-01-25 21:08:04 UTC
++++ etc/logcheck.conf
+@@ -9,7 +9,7 @@
+ # Controls the presence of boilerplate at the top of each message:
+ # Alternatively, set to "0" to disable the introduction.
+ #
+-# If the files /etc/logcheck/header.txt and /etc/logcheck/footer.txt
++# If the files %%ETCDIR%%/header.txt and %%ETCDIR%%/footer.txt
+ # are present their contents will be read and used as the header and
+ # footer of any generated mails.
+ 
+@@ -44,8 +44,8 @@ FQDN=1
+ 
+ #SORTUNIQ=0
+ 
+-# Controls whether /etc/logcheck/cracking.ignore.d is scanned for
+-# exceptions to the rules in /etc/logcheck/cracking.d:
++# Controls whether %%ETCDIR%%/cracking.ignore.d is scanned for
++# exceptions to the rules in %%ETCDIR%%/cracking.d:
+ # Alternatively, set to "1" to enable cracking.ignore support
+ 
+ #SUPPORT_CRACKING_IGNORE=0
+@@ -53,13 +53,7 @@ FQDN=1
+ # Controls the base directory for rules file location
+ # This must be an absolute path
+ 
+-#RULEDIR="/etc/logcheck"
+-
+-# Controls if syslog-summary is run over each section.
+-# Alternatively, set to "1" to enable extra summary.
+-# HINT: syslog-summary needs to be installed.
+-
+-#SYSLOGSUMMARY=0
++#RULEDIR="%%ETCDIR%%"
+ 
+ # Controls Subject: lines on logcheck reports:
+ 
Added: head/security/logcheck/files/patch-etc_logcheck.logfiles
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/logcheck/files/patch-etc_logcheck.logfiles Sun Jul 30 15:47:59 2017 (r446938)
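Review bot: The `@@ -53,13 +53,7 @@` hunk deletes the commented-out SYSLOGSUMMARY block from the sample configuration, but src/logcheck in this same commit still defaults `SYSLOGSUMMARY=0` and `SYSLOG_SUMMARY="/usr/bin/syslog-summary"`, so the knob stays live in the script while becoming undocumented in the config, and its Linux path is the one default the script patch does not rewrite. If the feature is deliberately unsupported in the port, keep a comment saying so rather than silently dropping it, e.g. `# SYSLOGSUMMARY is not supported by the FreeBSD port; leave it unset (0).`; otherwise restore the original block and point SYSLOG_SUMMARY at a %%PREFIX%% path in patch-src_logcheck. Whichever way, the sample config and the script should agree on which options exist.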
@@ -0,0 +1,8 @@
+--- etc/logcheck.logfiles.orig 2017-01-25 21:08:04 UTC
++++ etc/logcheck.logfiles
+@@ -1,4 +1,4 @@
+ # these files will be checked by logcheck
+ # This has been tuned towards a default syslog install
+-/var/log/syslog
+ /var/log/auth.log
++/var/log/messages
Modified: head/security/logcheck/files/patch-rulefiles__linux__ignore.d.server__ssh
==============================================================================
--- head/security/logcheck/files/patch-rulefiles__linux__ignore.d.server__ssh Sun Jul 30 15:31:55 2017 (r446937)
+++ head/security/logcheck/files/patch-rulefiles__linux__ignore.d.server__ssh Sun Jul 30 15:47:59 2017 (r446938)
@@ -1,6 +1,6 @@
---- ./rulefiles/linux/ignore.d.server/ssh.orig 2010-09-03 04:24:30.000000000 -0400
-+++ ./rulefiles/linux/ignore.d.server/ssh 2011-11-23 14:25:31.000000000 -0500
-@@ -21,8 +21,8 @@
+--- rulefiles/linux/ignore.d.server/ssh.orig 2017-01-25 21:08:04 UTC
++++ rulefiles/linux/ignore.d.server/ssh
+@@ -27,8 +27,8 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: \(pam_unix\) check pass; user unknown$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: \(pam_unix\) bad username \[[^]]+\]$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: Could not get shadow information for NOUSER$
Added: head/security/logcheck/files/patch-src_logcheck
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/logcheck/files/patch-src_logcheck Sun Jul 30 15:47:59 2017 (r446938)
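Review bot: Replacing /var/log/syslog with /var/log/messages keeps /var/log/auth.log in the default list, yet logcheck runs as an unprivileged user (src/logcheck in this commit refuses to run as root and its error text tells the admin to verify the logcheck user can read every listed file); on a stock FreeBSD system I believe newsyslog(8) creates auth.log root-owned with mode 600, so the shipped defaults would fail on the very file that carries the sshd/su/sudo events logcheck exists to watch. Since this file is not in REINPLACE_FILES, a plain comment would do: `# auth.log is created mode 600 by newsyslog(8); make it readable by the logcheck group (see /etc/newsyslog.conf) or remove it here.` If pkg-message already explains this it is not visible in the diff.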
@@ -0,0 +1,153 @@
+--- src/logcheck.orig 2017-07-11 17:32:13 UTC
++++ src/logcheck
+@@ -24,17 +24,10 @@
+ 
+ if [ `id -u` = 0 ]; then
+ echo "logcheck should not be run as root. Use su to invoke logcheck:"
+- echo "su -s /bin/bash -c \"/usr/sbin/logcheck${@:+ $@}\" logcheck"
++ echo "su -m %%LOGCHECK_USER%% -c \"%%LOCALBASE%%/bin/bash %%PREFIX%%/sbin/logcheck${@:+ $@}\""
+ echo "Or use sudo: sudo -u logcheck logcheck${@:+ $@}."
+ # you may want to uncomment that hack to let logcheck invoke itself.
+- # su -s /bin/bash -c "$0 $*" logcheck
+- exit 1
+-fi
+-
+-if [ ! -f /usr/bin/lockfile-create -o \
+- ! -f /usr/bin/lockfile-remove -o \
+- ! -f /usr/bin/lockfile-touch ]; then
+- echo "fatal: lockfile-progs is a prerequisite for logcheck, and was not found."
++ # su -s %%LOCALBASE%%/bin/bash -c "$0 $*" logcheck
+ exit 1
+ fi
+ 
+@@ -69,13 +62,13 @@ EVENTSSUBJECT="System Events"
+ ADDTAG="no"
+ 
+ # Set the default paths
+-RULEDIR="/etc/logcheck"
+-CONFFILE="/etc/logcheck/logcheck.conf"
+-STATEDIR="/var/lib/logcheck"
+-LOGFILES_LIST="/etc/logcheck/logcheck.logfiles"
+-LOGFILES_LIST_D="/etc/logcheck/logcheck.logfiles.d"
+-LOGFILE_FALLBACK="/var/log/syslog"
+-LOGTAIL="/usr/sbin/logtail2"
++RULEDIR="%%ETCDIR%%"
++CONFFILE="%%ETCDIR%%/logcheck.conf"
++STATEDIR="%%DBDIR%%"
++LOGFILES_LIST="%%ETCDIR%%/logcheck.logfiles"
++LOGFILES_LIST_D="%%ETCDIR%%/logcheck.logfiles.d"
++LOGFILE_FALLBACK="/var/log/messages"
++LOGTAIL="%%PREFIX%%/sbin/logtail2"
+ CAT="/bin/cat"
+ SYSLOG_SUMMARY="/usr/bin/syslog-summary"
+ 
+@@ -90,20 +83,15 @@ FQDN=0
+ SORTUNIQ=0
+ SUPPORT_CRACKING_IGNORE=0
+ SYSLOGSUMMARY=0
+-LOCKDIR=/run/lock/logcheck
++LOCKDIR=/var/run/logcheck
+ LOCKFILE="$LOCKDIR/logcheck"
+ 
+ # Carry out the clean up tasks
+ cleanup() {
+ 
+- if [ -n "$LOCK" ]; then
+- debug "cleanup: Killing lockfile-touch - $LOCK"
+- kill "$LOCK" && unset LOCK
+- fi
+-
+- if [ -f "$LOCKFILE.lock" ]; then
+- debug "cleanup: Removing lockfile: $LOCKFILE.lock"
+- lockfile-remove "$LOCKFILE"
++ if [ -f "$LOCKFILE" ]; then
++ debug "cleanup: Removing lockfile: $LOCKFILE"
++ rm -f "$LOCKFILE"
+ fi
+ 
+ if [ -d "$TMPDIR" ]; then
+@@ -145,14 +133,9 @@ error() {
+ if [ "$2" = "noclean" ]; then
+ debug "error: Not removing lockfile"
+ else
+- if [ -n "$LOCK" ]; then
+- debug "error: Killing lockfile-touch - $LOCK"
+- kill "$LOCK" && unset LOCK
+- fi
+-
+- if [ -f "$LOCKFILE.lock" ]; then
+- debug "error: Removing lockfile: $LOCKFILE.lock"
+- lockfile-remove "$LOCKFILE"
++ if [ -f "$LOCKFILE" ]; then
++ debug "error: Removing lockfile: $LOCKFILE"
++ rm -f "$LOCKFILE"
+ fi
+ 
+ fi
+@@ -171,7 +154,7 @@ $message
+ ${TMPDIR:+Check temporary directory: $TMPDIR
+ }
+ Also verify that the logcheck user can read all files referenced in
+-/etc/logcheck/logcheck.logfiles!
++%%ETCDIR%%/logcheck.logfiles!
+ 
+ $(export)
+ EOF
+@@ -223,7 +206,7 @@ cleanrules() {
+ error "Couldn't read $x"
+ fi
+ done
+- for rulefile in $(run-parts --list "$dir"); do
++ for rulefile in $(ls -1R "$dir"); do
+ rulefile="$(basename "$rulefile")"
+ if [ -f "${dir}/${rulefile}" ]; then
+ debug "cleanrules: ${dir}/${rulefile}"
+@@ -538,9 +521,9 @@ fi
+ 
+ # Hostname either fully qualified or not.
+ if [ "$FQDN" -eq 1 ]; then
+- HOSTNAME="$(hostname --fqdn 2>/dev/null)"
++ HOSTNAME="$(hostname -f 2>/dev/null)"
+ else
+- HOSTNAME="$(hostname --short 2>/dev/null)"
++ HOSTNAME="$(hostname -s 2>/dev/null)"
+ fi
+ 
+ # Now check for the other options
+@@ -623,30 +606,25 @@ fi
+ 
+ trap 'cleanup' 0
+ 
+-debug "Trying to get lockfile: $LOCKFILE.lock"
++debug "Trying to get lockfile: $LOCKFILE"
+ if [ ! -d "$LOCKDIR" ]; then
+ mkdir -m 0755 "$LOCKDIR"
+ fi
+-lockfile-create --retry 1 "$LOCKFILE" > /dev/null 2>&1
++lockfile -r 1 "$LOCKFILE" > /dev/null 2>&1
+ 
+ 
+ if [ $? -eq 1 ]; then
+ trap 0
+- if [ -e "${LOCKFILE}.lock" ]; then
++ if [ -e "${LOCKFILE}" ]; then
+ error "Another logcheck process is still running" "noclean"
+ else
+- error "Failed to get lockfile: $LOCKFILE.lock" "noclean"
++ error "Failed to get lockfile: $LOCKFILE" "noclean"
+ fi
+-
+-else
+- debug "Running lockfile-touch $LOCKFILE.lock"
+- lockfile-touch "$LOCKFILE" &
+- LOCK="$!"
+ fi
+ 
+ # Create the secure temporary directory or exit
+-TMPDIR="$(mktemp -d -p "${TMP:-/tmp}" logcheck.XXXXXX)" \
+- || TMPDIR="$(mktemp -d -p /var/tmp logcheck.XXXXXX)" \
++TMPDIR="$(mktemp -d ${TMP:-/tmp}/logcheck.XXXXXX)" \
++ || TMPDIR="$(mktemp -d /var/tmp/logcheck.XXXXXX)" \
+ || error "Could not create temporary directory"
+ 
+ # Now clean the rulefiles in the directories
Added: head/security/logcheck/files/patch-src_logcheck-test
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/logcheck/files/patch-src_logcheck-test Sun Jul 30 15:47:59 2017 (r446938)
@@ -0,0 +1,23 @@
+--- src/logcheck-test.orig 2017-01-25 21:08:04 UTC
++++ src/logcheck-test
+@@ -38,7 +38,7 @@ usage() {
+ usage: logcheck-test
+ -h|--help : Show usage information
+ -a|--auth.log : Parse /var/log/auth.log
+--s|--syslog : Parse /var/log/syslog
++-m|--messages : Parse /var/log/messages
+ -l|--log-file LOGFILE : Parse LOGFILE
+ -i|--invert-match : Show lines that don't match the RULE or RULEFILE
+ -q|--quiet : Suppress rule summary
+@@ -103,9 +103,9 @@ while [ -n "${1:-}" ]; do
+ warn "option -a ignored"
+ fi
+ ;;
+- -s|--syslog)
++ -m|--messages)
+ if [ -z "$FILE" ] ; then
+- FILE="/var/log/syslog"
++ FILE="/var/log/messages"
+ else
+ warn "option -s ignored"
+ fi
Added: head/security/logcheck/files/patch-src_logtail2
==============================================================================
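Review bot: The status test after the new `lockfile -r 1 "$LOCKFILE"` is still `if [ $? -eq 1 ]`, which was lockfile-create's failure code; procmail's lockfile(1) is not documented to return 1 on a held lock (its man page lists 73, EX_CANTCREAT), so a second concurrent logcheck passes the check, runs unlocked, and its `cleanup` then `rm -f`s the lock that belongs to the first run. Change it to `if [ $? -ne 0 ]; then` so any failure to take the lock is treated as such. With lockfile-touch gone there is also no stale-lock recovery left: a run killed mid-way leaves `$LOCKFILE` behind until someone removes it by hand, and `lockfile -l <seconds>` is the procmail-side knob if expiry is wanted. Separately, `$(ls -1R "$dir")` in cleanrules replaces `run-parts --list`, which only returned names matching `^[A-Za-z0-9_-]+$`; the new form also loads editor backups or `*.orig` leftovers in a rule directory as rules, quietly widening what gets ignored, and `-R` adds nothing since only `${dir}/$(basename ...)` is ever opened — `$(ls -1 "$dir" | grep -E '^[A-Za-z0-9_-]+$')` keeps the original filter. The `cleanrules` function and the option-parsing block both extend outside this hunk.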
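Review bot: The option is renamed from `-s|--syslog` to `-m|--messages`, but the duplicate-option message in the `else` branch two lines below still reads `warn "option -s ignored"`; it should be `warn "option -m ignored"` so the warning names the flag the user actually passed. The enclosing `while [ -n "${1:-}" ]` loop starts and ends outside the hunk.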
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/logcheck/files/patch-src_logtail2 Sun Jul 30 15:47:59 2017 (r446938) @@ -0,0 +1,11 @@ +--- src/logtail2.orig 2017-07-11 17:32:13 UTC ++++ src/logtail2 +@@ -109,7 +109,7 @@ sub determine_rotated_logfile { + # function with dateext magic added. + + #print "determine_rotated_logfile $filename $inode\n"; +- for my $codefile (glob("/usr/share/logtail/detectrotate/*.dtr")) { ++ for my $codefile (glob("%%DATADIR%%/detectrotate/*.dtr")) { + my $func = do $codefile; + if (!$func) { + print STDERR "cannot compile $codefile: $!"; Modified: head/security/logcheck/pkg-plist ============================================================================== --- head/security/logcheck/pkg-plist Sun Jul 30 15:31:55 2017 (r446937) +++ head/security/logcheck/pkg-plist Sun Jul 30 15:47:59 2017 (r446938) @@ -1,4 +1,7 @@ @mode 640 +%%DATADIR%%/detectrotate/10-savelog.dtr +%%DATADIR%%/detectrotate/20-logrotate.dtr +%%DATADIR%%/detectrotate/30-logrotate-dateext.dtr %%ETCDIR%%/cracking.d/kernel %%ETCDIR%%/cracking.d/rlogind %%ETCDIR%%/cracking.d/rsh @@ -131,6 +134,8 @@ %%ETCDIR%%/ignore.d.server/sudo %%ETCDIR%%/ignore.d.server/sympa %%ETCDIR%%/ignore.d.server/syslogd +%%ETCDIR%%/ignore.d.server/systemd +%%ETCDIR%%/ignore.d.server/systemd-timesyncd %%ETCDIR%%/ignore.d.server/teapop %%ETCDIR%%/ignore.d.server/telnetd %%ETCDIR%%/ignore.d.server/tftpd @@ -179,6 +184,8 @@ %%ETCDIR%%/ignore.d.workstation/wpasupplicant %%ETCDIR%%/ignore.d.workstation/xdm %%ETCDIR%%/ignore.d.workstation/xlockmore +%%ETCDIR%%/logcheck.conf.sample +%%ETCDIR%%/logcheck.logfiles.sample %%ETCDIR%%/violations.d/kernel %%ETCDIR%%/violations.d/logcheck %%ETCDIR%%/violations.d/smartd 
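Review bot: The glob is retargeted at %%DATADIR%%/detectrotate, and the loop right below it `do`-evaluates every *.dtr it finds, so that directory is an extra code path for the unprivileged logcheck user: anyone who can write there executes Perl inside logtail2. The pkg-plist in this commit installs the .dtr files under `@mode 640` and the Makefile chgrp's DATADIR to %%LOGCHECK_GROUP%%, which leaves them root-owned and group-readable only, but that property is easy to lose once someone follows README.logtail's advice to drop in a custom heuristic; a comment above the glob would keep it visible: `# NOTE: every *.dtr here is executed via do(); keep the directory writable by root only.` The surrounding sub determine_rotated_logfile continues outside the hunk.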
@@ -186,12 +193,9 @@ %%ETCDIR%%/violations.d/sudo %%ETCDIR%%/violations.ignore.d/logcheck-su %%ETCDIR%%/violations.ignore.d/logcheck-sudo -%%ETCDIR%%/logcheck.conf.sample -%%ETCDIR%%/logcheck.logfiles.sample -%%DATADIR%%/detectrotate/10-savelog.dtr -%%DATADIR%%/detectrotate/20-logrotate.dtr -%%DATADIR%%/detectrotate/30-logrotate-dateext.dtr @mode +bin/logcheck-test +man/man1/logcheck-test.1.gz man/man8/logcheck.8.gz man/man8/logtail.8.gz man/man8/logtail2.8.gz