Here are patches that address the bug report:

- Add GNU --long options. This is implemented with pure sh.
- The "-v" option is often understood (cf. "ssh")
  as "--verbose", so this was changed to -V|--version instead.

There were also a few EOL whitespaces. The last patch removes
those. Alternatively you might want to run this at top level:

    perl -i.bak -pe 's/[ \t]+$//;' $(find debian src docs -type f)
    find . -name "*.bak" | xargs rm

Jari

>From 0cec1369eeeecdd267a3756ca8304d404da0c8f4 Mon Sep 17 00:00:00 2001
From: Jari Aalto <[EMAIL PROTECTED]>
Date: Thu, 18 Sep 2008 18:03:38 +0300
Subject: [PATCH] Change code (remove getopt) to support --long options. Add long options.

Signed-off-by: Jari Aalto <[EMAIL PROTECTED]>
---
 src/logcheck |  151 ++++++++++++++++++++++++++++++++--------------------------
 1 files changed, 84 insertions(+), 67 deletions(-)

diff --git a/src/logcheck b/src/logcheck
index ee94707..452e1fa 100755
--- a/src/logcheck
+++ b/src/logcheck
@@ -46,9 +46,6 @@ SYSTEM=0
 SECURITY=0
 ATTACK=0
 
-# Set the getopts string
-GETOPTS="c:dhH:l:L:m:opr:RsS:tTuvw"
-
 # Get the details for the email message
 DATE="$(date +'%Y-%m-%d %H:%M')"
 VERSION="1.2.61"
@@ -440,64 +437,75 @@ logoutput() {
 # Show all the cli options to our users.
 usage() {
     debug "usage: Printing usage and exiting"
-    cat<<EOF
-usage: logcheck [-c CFG] [-d] [-h] [-H HOST] [-l LOG] [-L CFG] [-m MAIL] [-o] 
+    cat << "EOF"
+usage: logcheck [-c CFG] [-d] [-h] [-H HOST] [-l LOG] [-L CFG] [-m MAIL] [-o]
                 [-r DIR] [-s|-p|-w] [-R] [-S DIR] [-t] [-T] [-u]
- -c CFG       = override default configuration file
- -d           = debug mode
- -h           = print this usage information and exit
- -H HOST      = use this hostname in the subject of any generated mail
- -l LOG       = check the specified logfile
- -L CFG       = override default logfiles list
- -m MAIL      = send the report to the specified recipient
- -o           = send the report to stdout, no mail will be sent
- -p           = use the "paranoid" runlevel
- -r DIR       = override default rules directory
- -R           = adds "Reboot:" to email subject
- -s           = use the "server" runlevel
- -S DIR       = override default state directory
- -t           = testing mode, don't update the logfile offsets
- -T           = do not remove the TMPDIR 
- -u           = enable syslog-summary
- -v           = print version
- -w           = use the "workstation" runlevel
+ -c|--config CFG	       = override default configuration file
+ -d|--debug		       = debug mode
+ -h|--help		       = print this usage information and exit
+ -H|--host HOST		       = use this hostname in the subject of any generated mail
+ -l|--log LOG		       = check the specified logfile
+ -L|--log-config CFG           = override default logfiles list
+ -m|--mail MAIL		       = send the report to the specified recipient
+ -o|--stdout		       = send the report to stdout, no mail will be sent
+ -p|--reportlevel-paranoid     = use the 'paranoid' runlevel
+ -r|--rules-dir DIR	       = override default rules directory
+ -R|--email-subject-reboot     = adds 'Reboot:' to email subject
+ -s|--server		       = use the 'server' runlevel
+ -S|--state-dir DIR	       = override default state directory
+ -t|--test		       = testing mode, don't update the logfile offsets
+ -T|--keep-tmpdir              = do not remove the TMPDIR '$TMPDIR'
+ -u|--syslog-summary	       = enable syslog-summary
+ -V|--version		       = print version
+ -w|--reportlevel-workstation  = use the 'workstation' runlevel
 EOF
 }
 
 # Check the commandline options for a change to the config file option
-while getopts $GETOPTS opt; do
-    case "$opt" in
-	c)
+while :
+do
+    case "$1" in
+        -c|--config)
 	    debug "Setting CONFFILE to $OPTARG"
-	    CONFFILE="$OPTARG"
-            if [ ! -r $CONFFILE ]; then
-                 error "Config file $CONFFILE unreadable or does not exists"
+	    CONFFILE="$2"
+
+            if [ ! "$CONFFILE" ] || [ ! -r $CONFFILE ]; then
+                 error "Config file '$CONFFILE' unreadable or does not exists"
             fi
+
+	    shift 2
 	    ;;
-	d)
+        -d|--debug)
+	    shift
 	    LOGCHECKDEBUG=1
 	    debug "Turning debug mode on"
 	    ;;
-	h)
+	-h|--help)
+	    shift
 	    usage
 	    exit 0
 	    ;;
-	T)
+	-T|--keep-tmpdir)
+	    shift
 	    debug "Setting NOCLEANUP to 1"
 	    NOCLEANUP=1
 	    ;;
-	v)
+	-V|--version)
+	    shift
 	    echo "logcheck $VERSION"
 	    exit 0
 	    ;;
-	\?)
+	-[?])
+	    shift
 	    usage
 	    exit 1
 	    ;;
+	*)  # no more options. Stop while loop
+	    break;
     esac
 done
 
-# Now reset $OPTIND to 1 
+# Now reset $OPTIND to 1
 OPTIND=1
 
 debug "Sourcing - $CONFFILE"
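Review bot: The first pass now stops at the first argument it does not list (`*) break`), whereas `getopts` walked the whole command line, so with `logcheck -o -c CFG` CONFFILE is not set before the config is sourced, and `-c` later falls into the `-*) error "Unknown option: $1"` arm of the second loop. Either keep scanning past unlisted options in this pass, or also accept `-c`, `-d` and `-T` in the second loop. In the `-c` arm the unchanged `debug "Setting CONFFILE to $OPTARG"` should read `$2`, and the readability test should quote its operand, `[ ! -r "$CONFFILE" ]`, so a path containing whitespace is not word-split. With the here-document delimiter now quoted (`<< "EOF"`), the `'$TMPDIR'` added to the `-T` help line prints literally rather than as the directory name.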
@@ -521,7 +529,7 @@ else
     fi
 fi
 
-# Use sort -u or -k 1,3 -s 
+# Use sort -u or -k 1,3 -s
 if [ $SORTUNIQ -eq 1 ];then
     SORT="sort -u"
 else
@@ -534,70 +542,79 @@ if [ $FQDN -eq 1 ]; then
 else
         HOSTNAME="$(hostname --short)" > /dev/null 2>&1
 fi
-		
+
 # Now check for the other options
-while getopts $GETOPTS opt; do
-    case "$opt" in
-    	H)
-	   debug "Setting HOSTNAME to $OPTARG"
-	   HOSTNAME="$OPTARG"
-	   ;;
-	l)
-	    debug "Setting LOGFILE to $OPTARG"
-	    LOGFILE="$OPTARG"
+while :
+do
+    case "$1" in
+        -H|--host)
+	    debug "Setting HOSTNAME to $2"
+	    HOSTNAME="$2"
+	    shift 2
+	    ;;
+	-l|--log)
+	    debug "Setting LOGFILE to $2"
+	    LOGFILE="$2"
+	    shift 2
 	    ;;
-	L)
-	    debug "Setting LOGFILES_LIST to $OPTARG"
+	-L|--log-config)
+	    debug "Setting LOGFILES_LIST to $2"
 	    LOGFILES_LIST="$OPTARG"
+	    shift 2
 	    ;;
-	m)
-	    debug "Setting SENDMAILTO to $OPTARG"
-	    SENDMAILTO="$OPTARG"
+	-m|--mail)
+	    debug "Setting SENDMAILTO to $2"
+	    SENDMAILTO="$2"
+	    shift 2
 	    ;;
-	o)
+	-o|--stdout)
 	    debug "Setting MAILOUT to 1"
 	    MAILOUT="1"
 	    ;;
-	p)
+	-p|--reportlevel-paranoid)
 	    debug "Setting REPORTLEVEL to paranoid"
 	    REPORTLEVEL="paranoid"
 	    ;;
-	r)
-	    debug "Setting RULEDIR to $OPTARG"
-	    RULEDIR="$OPTARG"
+	-r|--rules-dir)
+	    debug "Setting RULEDIR to $2"
+	    RULEDIR="$2"
+	    shift 2
 	    ;;
-	R)
+	-R|--email-subject-reboot)
 	    debug "Setting REBOOT to 1"
 	    REBOOT=1
 	    ;;
-	s)
+	-s|--server)
 	    debug "Setting REPORTLEVEL to server"
 	    REPORTLEVEL="server"
 	    ;;
-	S)
-	    debug "Setting STATEDIR to $OPTARG"
-	    STATEDIR="$OPTARG"
+	-S|--state-dir)
+	    debug "Setting STATEDIR to $2"
+	    STATEDIR="$2"
+	    shift 2
 	    ;;
-	u)
+	-u|--syslog-summary)
 	    debug "Setting SYSLOGSUMMARY to 1"
 	    SYSLOGSUMMARY="1"
 	    ;;
-	t)
+	-t|--test)
 	    debug "Setting LOGTAIL_OPTS to -t"
 	    LOGTAIL_OPTS=' -t'
 	    ;;
-	w)
+	-w|--reportlevel-workstation)
 	    debug "Setting REPORTLEVEL to workstation"
 	    REPORTLEVEL="workstation"
 	    ;;
-	\?)
+	-[?])
 	    usage
 	    exit 1
 	    ;;
+        -*)
+	    error "Unknown option: $1"
+            shift
+	    ;;
     esac
 done
-debug "Finished getopts $GETOPTS"
-shift `expr $OPTIND - 1`
 
 if [ $REPORTLEVEL = "workstation" ]; then
     REPORTLEVELS="workstation server paranoid"
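Review bot: The second `while :` loop has no way to end: the flag arms (`-o`, `-p`, `-R`, `-s`, `-u`, `-t`, `-w`) never `shift`, and there is no `*)` arm, so `case` matches nothing once the options are consumed and even a run with no arguments spins forever instead of producing a report. The unchanged line `LOGFILES_LIST="$OPTARG"` in the `-L` arm still reads `$OPTARG`, which nothing in these hunks sets after the getopts removal, so `-L CFG` would assign an empty list. The value-taking arms also use `$2` and `shift 2` without checking that a value was supplied. The sketch below bounds the loop on `$#`, shifts in every flag arm and fixes `-L`; the script continues outside the hunk.

```shell
while [ $# -gt 0 ]
do
    case "$1" in
	# … unchanged: -H and -l arms …
	-L|--log-config)
	    debug "Setting LOGFILES_LIST to $2"
	    LOGFILES_LIST="$2"
	    shift 2
	    ;;
	# … unchanged: -m, -r and -S arms …
	-o|--stdout)
	    debug "Setting MAILOUT to 1"
	    MAILOUT="1"
	    shift
	    ;;
	# … same added "shift" in the -p, -R, -s, -u, -t and -w arms …
	# … unchanged: -[?] and -* arms …
	*)
	    break
	    ;;
    esac
done
```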
-- 
1.5.6.5

>From d4df2647b16cf99dfc31cbc4b8724671e4297d51 Mon Sep 17 00:00:00 2001
From: Jari Aalto <[EMAIL PROTECTED]>
Date: Thu, 18 Sep 2008 18:10:21 +0300
Subject: [PATCH] docs/logcheck.sgml: Document new --long options.

Signed-off-by: Jari Aalto <[EMAIL PROTECTED]>
---
 docs/logcheck.sgml |   38 +++++++++++++++++++-------------------
 1 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/docs/logcheck.sgml b/docs/logcheck.sgml
index a87c2da..52fdda3 100644
--- a/docs/logcheck.sgml
+++ b/docs/logcheck.sgml
@@ -106,126 +106,126 @@ manpage.1: manpage.sgml
 
     <variablelist>
       <varlistentry>
-        <term><option>-c CFG</option>
+        <term><option>-c|--config CFG</option>
         </term>
         <listitem>
           <para>Overrule default configuration file.</para>
         </listitem>
       </varlistentry>
       <varlistentry>
-        <term><option>-d</option>
+        <term><option>-d|--debug</option>
         </term>
         <listitem>
           <para>Debug mode.</para>
         </listitem>
       </varlistentry>
       <varlistentry>
-        <term><option>-h</option>
+        <term><option>-h|--help</option>
         </term>
         <listitem>
           <para>Show usage information.</para>
         </listitem>
       </varlistentry>
       <varlistentry>
-        <term><option>-H</option>
+        <term><option>-H|--host HOST</option>
         </term>
         <listitem>
-          <para>Use this hostname string in the subject of logcheck mail.</para>
+          <para>Use HOST hostname string in the subject of logcheck mail.</para>
         </listitem>
       </varlistentry>
       <varlistentry>
-        <term><option>-l LOG</option>
+        <term><option>-l|--log LOG</option>
         </term>
         <listitem>
           <para>Run logfile through logcheck.</para>
         </listitem>
       </varlistentry>
       <varlistentry>
-        <term><option>-L CFG</option>
+        <term><option>-L|--log-config CFG</option>
         </term>
         <listitem>
           <para>Overrule default logfiles list.</para>
         </listitem>
       </varlistentry>
       <varlistentry>
-        <term><option>-m</option>
+        <term><option>-m|--mail</option>
         </term>
         <listitem>
           <para>Mail report to recipient.</para>
         </listitem>
       </varlistentry>
       <varlistentry>
-        <term><option>-o</option>
+        <term><option>-o|--stdout</option>
         </term>
         <listitem>
           <para>STDOUT mode, not sending mail.</para>
         </listitem>
       </varlistentry>
       <varlistentry>
-        <term><option>-p</option>
+        <term><option>-p|--reportlevel-paranoid</option>
         </term>
         <listitem>
           <para>Set the report level to "paranoid".</para>
         </listitem>
       </varlistentry>
       <varlistentry>
-        <term><option>-r DIR</option>
+        <term><option>-r|--rules-dir DIR</option>
         </term>
         <listitem>
           <para>Overrule default rules directory.</para>
         </listitem>
       </varlistentry>
       <varlistentry>
-        <term><option>-R</option>
+        <term><option>-R|--email-subject-reboot</option>
         </term>
         <listitem>
           <para>Adds "Reboot:" to the email subject line.</para>
         </listitem>
       </varlistentry>
       <varlistentry>
-        <term><option>-s</option>
+        <term><option>-s|--server</option>
         </term>
         <listitem>
           <para>Set the report level to "server".</para>
         </listitem>
       </varlistentry>
       <varlistentry>
-        <term><option>-S DIR</option>
+        <term><option>-S|--state-dir DIR</option>
         </term>
         <listitem>
           <para>Overrule default state directory.</para>
         </listitem>
       </varlistentry>
       <varlistentry>
-        <term><option>-t</option>
+        <term><option>-t|--test</option>
         </term>
         <listitem>
           <para>Testing mode does not update offset.</para>
         </listitem>
       </varlistentry>
       <varlistentry>
-        <term><option>-T</option>
+        <term><option>-T|--keep-tmpdir</option>
         </term>
         <listitem>
           <para>Do not remove the TMPDIR.</para>
         </listitem>
       </varlistentry>
       <varlistentry>
-        <term><option>-u</option>
+        <term><option>-u|--syslog-summary</option>
         </term>
         <listitem>
           <para>Enable syslog-summary.</para>
         </listitem>
       </varlistentry>
       <varlistentry>
-        <term><option>-v</option>
+        <term><option>-V|--version</option>
         </term>
         <listitem>
           <para>Print current version.</para>
         </listitem>
       </varlistentry>
       <varlistentry>
-        <term><option>-w</option>
+        <term><option>-w|--reportlevel-workstation</option>
         </term>
         <listitem>
           <para>Set the report level to "workstation".</para>
-- 
1.5.6.5

>From 82823550175f418b554691aaf10ba8a4e1d89456 Mon Sep 17 00:00:00 2001
From: Jari Aalto <[EMAIL PROTECTED]>
Date: Thu, 18 Sep 2008 18:23:33 +0300
Subject: [PATCH] Remove EOL whitespaces

Signed-off-by: Jari Aalto <[EMAIL PROTECTED]>
---
 docs/README-psionic           |  112 ++++++++++++++++++++--------------------
 docs/README.Maintainer        |    8 ++--
 docs/README.how.to.interpret  |   58 +++++++++++-----------
 docs/README.keywords          |   18 +++---
 docs/README.logcheck          |   10 ++--
 docs/README.logcheck-database |    4 +-
 docs/README.logtail           |    8 ++--
 docs/logcheck.sgml            |   10 ++--
 docs/logtail.8                |    6 +-
 docs/logtail2.8               |    6 +-
 docs/tools/log-summary-ssh    |   10 ++--
 src/dh_installlogcheck        |    2 +-
 src/logcheck                  |   48 +++++++++---------
 src/logtail2                  |    6 +-
 14 files changed, 153 insertions(+), 153 deletions(-)

diff --git a/docs/README-psionic b/docs/README-psionic
index 65e4fc5..827e90d 100644
--- a/docs/README-psionic
+++ b/docs/README-psionic
@@ -6,103 +6,103 @@ Warranty: Money back guarantee. Not responsible for any consequences from use!!
 
 Abstract
 
-Logcheck is software package that is designed to automatically run and check 
-system log files for security violations and unusual activity. Logcheck 
-utilizes a program called logtail that remembers the last position it read 
-from in a log file and uses this position on subsequent runs to process new 
-information. All source code is available for review and the implementation 
-was kept simple to avoid problems. This package is a clone of the 
-frequentcheck.sh script from the Trusted Information Systems Gauntlet(tm) 
+Logcheck is software package that is designed to automatically run and check
+system log files for security violations and unusual activity. Logcheck
+utilizes a program called logtail that remembers the last position it read
+from in a log file and uses this position on subsequent runs to process new
+information. All source code is available for review and the implementation
+was kept simple to avoid problems. This package is a clone of the
+frequentcheck.sh script from the Trusted Information Systems Gauntlet(tm)
 firewall package. TIS has granted permission for me to clone this package.
 
 
 Purpose
 
-It bothers me to read stories of system administrators who have had a 
-break-in realize it too late and report "Well I checked the logs from two 
-weeks ago and found such and such had happened..." or "We've never had 
+It bothers me to read stories of system administrators who have had a
+break-in realize it too late and report "Well I checked the logs from two
+weeks ago and found such and such had happened..." or "We've never had
 problems on that system before so we never bothered to check the logs.."
 
-Auditing and logging system events is important! What is more important is 
-that system administrators be aware of these events so they can prevent 
-problems that will inevitably occur if you have a system connected to the 
+Auditing and logging system events is important! What is more important is
+that system administrators be aware of these events so they can prevent
+problems that will inevitably occur if you have a system connected to the
 Internet.
 
-What is great about Unix is that virtually all modern implementations support 
-the syslog(8) facility to report, and quite extensively if configured 
-and supported correctly, virtually all happenings good or bad on the host 
-system. This allows the creation of an audit trail that can be used very 
-effectively to subvert potential attacks and alert system administrators 
+What is great about Unix is that virtually all modern implementations support
+the syslog(8) facility to report, and quite extensively if configured
+and supported correctly, virtually all happenings good or bad on the host
+system. This allows the creation of an audit trail that can be used very
+effectively to subvert potential attacks and alert system administrators
 that action should be taken.
 
-Unfortunately for most Unices (and Windows NT <ahem>) it doesn't matter how 
+Unfortunately for most Unices (and Windows NT <ahem>) it doesn't matter how
 much you log activity if nobody ever checks the logs which is often the case.
-This is where logcheck will help. Logcheck automates the auditing process 
-and weeds out "normal" log information to give you a condensed look at 
+This is where logcheck will help. Logcheck automates the auditing process
+and weeds out "normal" log information to give you a condensed look at
 problems and potential troublemakers mailed to wherever you please.
 
 So you ask: There are other programs out there that do the same thing,
 why do I need this one?
 
-Well I say try the other ones and see which one fits your needs. There are 
-many out there that are very good (i.e. swatch), and they all come at a 
-great price (free). 
+Well I say try the other ones and see which one fits your needs. There are
+many out there that are very good (i.e. swatch), and they all come at a
+great price (free).
 
-This package has some features though that may be easier for you to use 
-because it doesn't require a constantly running program and can mail all 
-findings from many systems back to a single location. Additionally, it 
-reports any unusual system messages that you may not have seen before, a 
-distinct advantage as it is often impossible to know every possible syslog 
-message that may come into the logs from the daemons. 
+This package has some features though that may be easier for you to use
+because it doesn't require a constantly running program and can mail all
+findings from many systems back to a single location. Additionally, it
+reports any unusual system messages that you may not have seen before, a
+distinct advantage as it is often impossible to know every possible syslog
+message that may come into the logs from the daemons.
 
 Design
 
-Logcheck is based upon a log checking program called frequentcheck.sh featured 
-in the Gauntlet(tm) firewall package by Trusted Information Systems Inc. 
+Logcheck is based upon a log checking program called frequentcheck.sh featured
+in the Gauntlet(tm) firewall package by Trusted Information Systems Inc.
 (http://www.tis.com). The logcheck shell script and logtail.c program have been
-completely re-written from scratch and is implemented in a slightly 
+completely re-written from scratch and is implemented in a slightly
 different manner to accommodate for two methods of log file auditing:
 
 1) By reporting everything you tell it to specifically look for via keywords.
 
 2) By reporting everything you didn't tell it to ignore via keywords.
 
-This ensures that important messages are specifically brought to your 
-attention (via the keywords you look for) and that important messages that 
-you may have overlooked are also reported (by only ignoring items you tell 
-it to). The original frequentcheck.sh script was implemented in a somewhat 
+This ensures that important messages are specifically brought to your
+attention (via the keywords you look for) and that important messages that
+you may have overlooked are also reported (by only ignoring items you tell
+it to). The original frequentcheck.sh script was implemented in a somewhat
 similar manner.
 
-The script is a simple shell programming model and the logtail.c program 
-uses basic ANSI C compatible functions with comments and easy to follow 
-source. Unusual tricks and "golly-gee" features have been left out to 
+The script is a simple shell programming model and the logtail.c program
+uses basic ANSI C compatible functions with comments and easy to follow
+source. Unusual tricks and "golly-gee" features have been left out to
 prevent problems.
 
-The logcheck script should be run at least hourly on your hosts from the 
-cron daemon. This script will check files for unusual activity through the 
-use of simple grep(1) commands and will mail all findings (if any) to the 
-administrator. If nothing is found you'll receive no mail. 
+The logcheck script should be run at least hourly on your hosts from the
+cron daemon. This script will check files for unusual activity through the
+use of simple grep(1) commands and will mail all findings (if any) to the
+administrator. If nothing is found you'll receive no mail.
 
 System Information
 
-This program comes with default keyword filter files tuned for the firewall 
-toolkit by TIS and systems running Wietse Venema's TCP Wrapper package 
-(Which ALL systems should be running IMHO). This program is also very 
-BSDish so you may have to tune it a little if you are running something 
-other than a BSD variant (as if there are any other types of unix ;) ). 
+This program comes with default keyword filter files tuned for the firewall
+toolkit by TIS and systems running Wietse Venema's TCP Wrapper package
+(Which ALL systems should be running IMHO). This program is also very
+BSDish so you may have to tune it a little if you are running something
+other than a BSD variant (as if there are any other types of unix ;) ).
 I've tested the program extensively on BSDI 2.x, Linux, HPUX 10.x and
-FreeBSD 2.x without any hassles or major explosions of any type (although 
+FreeBSD 2.x without any hassles or major explosions of any type (although
 on HPUX you may need to get a real compiler and not that braindead piece
 of garbage that ships with it).
 
-I am _always_ looking for comments and suggestions. Additionally if you 
-have a keyword file you find is nicely tuned for your version 
-of Unix (IRIX, AIX, HP, Solaris,  etc. ) please send it to me for 
-inclusion in any subsequent updates. Basic keyword files that work well 
+I am _always_ looking for comments and suggestions. Additionally if you
+have a keyword file you find is nicely tuned for your version
+of Unix (IRIX, AIX, HP, Solaris,  etc. ) please send it to me for
+inclusion in any subsequent updates. Basic keyword files that work well
 for BSDI 2.x, FreeBSD, HPUX, Solaris, SunOS and Linux are included.
 
-PLEASE read the INSTALL file for proper installation procedures and other 
-tips. If you have any questions, comments, flames, then please e-mail me at 
+PLEASE read the INSTALL file for proper installation procedures and other
+tips. If you have any questions, comments, flames, then please e-mail me at
 [EMAIL PROTECTED]
 
 Thanks,
diff --git a/docs/README.Maintainer b/docs/README.Maintainer
index 96d4cd4..6e7dc7c 100644
--- a/docs/README.Maintainer
+++ b/docs/README.Maintainer
@@ -20,13 +20,13 @@ files that a package can include are
  - /etc/logcheck/ignore.d.workstation/<packagename>
 
 As the higher level ignore.d directories include the lower levels
-(i.e. server = server + paranoid) you should try to split your 
+(i.e. server = server + paranoid) you should try to split your
 rulefile between the different ignore.d directories.
 
 If during the normal operation of your package it produces ignorable
 syslog messages that are included by
 /etc/logcheck/violations.d/<packagename> have to also include the
-following rulefile 
+following rulefile
 
  - /etc/logcheck/violations.ignore.d/<packagename>
 
@@ -37,7 +37,7 @@ but install separate files into each level; note that it is no longer
 necessary anyway for rules to be repeated in each ignore.d.*
 directory.  We are now using run-parts (see run-parts(8) for more
 details) directly for listing the rulefiles, and this will ignore
-symlinks. If your filename contains .'s you should replace them with _'s 
+symlinks. If your filename contains .'s you should replace them with _'s
 so that the file will be included.
 
 The following directory is for local admin use only and packages
@@ -50,7 +50,7 @@ any files to be parsed.
 
 If you are planning on adding rules for your package, please check to
 see if we have included them first.  If we already have rules and you
-would like to maintain your own, please let us know before you upload 
+would like to maintain your own, please let us know before you upload
 so we can avoid filename confilcts.
 
 -- Debian Logcheck Team <[EMAIL PROTECTED]>
diff --git a/docs/README.how.to.interpret b/docs/README.how.to.interpret
index 1c1a10c..40228e9 100644
--- a/docs/README.how.to.interpret
+++ b/docs/README.how.to.interpret
@@ -1,45 +1,45 @@
 Interpreting Logcheck Results
 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 
-Only experience will tell you what is a problem and what is a mistake. 
-Generally though you can assume that accidents don't repeat themselves 
-and do not manifest themselves in unusual ways through normal use of 
+Only experience will tell you what is a problem and what is a mistake.
+Generally though you can assume that accidents don't repeat themselves
+and do not manifest themselves in unusual ways through normal use of
 system resources. If you have a hacker probing your system you can take
 a couple of stances:
 
 1) Gandhi
 2) Atila the Hun
 
-The Gandhi administrator just lets by-gones be by-gones and allows 
-the person causing a problem to simply go away, this is a pretty 
-good idea to follow and prevents provoking the hacker into doing 
+The Gandhi administrator just lets by-gones be by-gones and allows
+the person causing a problem to simply go away, this is a pretty
+good idea to follow and prevents provoking the hacker into doing
 something nasty like a denial of service attack.
 
-The Atila the Hun administrator takes all actions seriously and 
-defensively, they may try to find the hacker, or may set up 
-automated tools to find out who the person is as the attack is in 
-progress all while paging the administrator to notify them of 
-trouble. This I think is excessive, for one, any system 
-connected to the Internet should at least have good enough 
-security to fend off an attack for a few hours. Personally, I'd 
-rather be doing something else at 3AM than answering a page 
+The Atila the Hun administrator takes all actions seriously and
+defensively, they may try to find the hacker, or may set up
+automated tools to find out who the person is as the attack is in
+progress all while paging the administrator to notify them of
+trouble. This I think is excessive, for one, any system
+connected to the Internet should at least have good enough
+security to fend off an attack for a few hours. Personally, I'd
+rather be doing something else at 3AM than answering a page
 by my firewall for an attack that is going to fail anyway.
 
-Typically you want to fall somewhere in between the two types. You 
-should be passive for the more mundane probers and ankle-biters. 
-Simply put, they aren't worth the time and energy to find. The more 
-aggressive attackers should probably be dealt with through either 
-denied hosts lists, or router filters. In the more aggressive 
-stages I will also notify the system administrator of the site and 
-the host-master for the domain of the problem and include a cut of the 
-log file showing the infraction. 
-
-Most importantly, DON'T OVER-REACT!! It is not necessary to flame 
-a sysadmin of a site that has a hacker coming from it. A nice and 
-polite note will usually be OK and will solve the problem! I prefer 
-to let the site admins know that an account is being used for the 
-activity because chances are good that the same account was hacked 
-from them. 
+Typically you want to fall somewhere in between the two types. You
+should be passive for the more mundane probers and ankle-biters.
+Simply put, they aren't worth the time and energy to find. The more
+aggressive attackers should probably be dealt with through either
+denied hosts lists, or router filters. In the more aggressive
+stages I will also notify the system administrator of the site and
+the host-master for the domain of the problem and include a cut of the
+log file showing the infraction.
+
+Most importantly, DON'T OVER-REACT!! It is not necessary to flame
+a sysadmin of a site that has a hacker coming from it. A nice and
+polite note will usually be OK and will solve the problem! I prefer
+to let the site admins know that an account is being used for the
+activity because chances are good that the same account was hacked
+from them.
 
 -- Craig
 
diff --git a/docs/README.keywords b/docs/README.keywords
index b1a379a..e0fddd4 100644
--- a/docs/README.keywords
+++ b/docs/README.keywords
@@ -7,7 +7,7 @@ number of sources:
 
 1) Review of daemon, wrapper, and Firewall Toolkit (FWTK) source code.
 2) Submissions by testers and users.
-3) Guessing. 
+3) Guessing.
 
 The first one of course is obvious, I review source code to find key
 components that indicate security problems and I record what they show via
@@ -15,7 +15,7 @@ syslog (I also put in a tag of "securityalert:" to make these more clear,
 this is a FWTK convention that I think is really nice to have).
 
 The second one is a great help for systems I don't have access to. Many of
-the system specific files were contributed to by end users and testers. 
+the system specific files were contributed to by end users and testers.
 
 The third of course is pretty un-scientific, but is based on a few rules:
 
@@ -25,7 +25,7 @@ The third of course is pretty un-scientific, but is based on a few rules:
 2) The security event is typically generated when an automated probe is
 made of the host system. I use a variety of freely available tools and
 scripts to generate these (strobe, netcat, etc), as well as some custom
-tools I've developed for personal use. Don't let the media image 
+tools I've developed for personal use. Don't let the media image
 fool you, most hackers you'll run across are not very crafty and make a
 lot of noise rattling your system's door knob...then again they can be
 as noisy as they want really because there is a %99.99 chance the
@@ -35,7 +35,7 @@ sysadmins won't know anyway.
 variety of sites by myself (legitimately :) ), or on actual cases where
 I've cleaned out intruders from systems. Since I do system penetration
 audits for a living, you'll just have to take my word that what I'm
-looking for is legitimate. 
+looking for is legitimate.
 
 Of course this is all speculation. I recommend that any system on the
 Internet have all code reviewed for any system daemons listening on an
@@ -43,7 +43,7 @@ Internet available socket. The logging of errors should have a common word
 associated with the failure (ala FWTK's "securityalert:" messages) so that
 it can be grep'ed for quickly and reliably. If you are an author of a
 network daemon, please consider dropping in a similar notation for
-security-relevant events. 
+security-relevant events.
 
 
 A final note...(really and then I'll shutup)..
@@ -60,13 +60,13 @@ there are too many to find reliably. Therefore, the key to system
 security is to not let intruders onto your host to begin with (as if
 you needed me to tell you that).
 
-In the case of an actual system intrusion, perhaps logcheck will 
+In the case of an actual system intrusion, perhaps logcheck will
 have given you enough of a warning to contain the problem quickly.
 Since I always assume that any Internet connected host will
-eventually be compromised, this is (to me) almost as good as not 
-letting the hacker on in the first place. 
+eventually be compromised, this is (to me) almost as good as not
+letting the hacker on in the first place.
 
 Have fun,
 
 -- Craig
- 
+
diff --git a/docs/README.logcheck b/docs/README.logcheck
index 494883e..75cff69 100644
--- a/docs/README.logcheck
+++ b/docs/README.logcheck
@@ -3,7 +3,7 @@ SYNOPSIS
 --------
 Logcheck compares recent log entries with a series of sets of egrep
 pattern-matching rules that flag them as urgent or filter them out
-as routine, and mails the results to the administrator. 
+as routine, and mails the results to the administrator.
 ======================================================================
 SCHEDULING
 ----------
@@ -13,7 +13,7 @@ reduce the frequency, but it's often better to tune the filtering
 rules instead (see below on REPORTLEVELS).  On the other hand if you
 need to be sure of spotting security incidents while they're
 happening then the shorter the interval the better, as long as runs
-don't start overlapping. 
+don't start overlapping.
 ======================================================================
 LOG ENTRIES
 -----------
@@ -31,7 +31,7 @@ RULES DIRECTORIES
 Installing "logcheck" should also have pulled in the package
 "logcheck-database", which provides pattern-matching "rules" files;
 see the corresponding README for that package for details of how
-they are organised. 
+they are organised.
 ======================================================================
 REPORTLEVEL
 -----------
@@ -41,7 +41,7 @@ medium and low "security ratings", not to be confused with the three
 filtering layers used by the logcheck-database directories.
 Reportlevels only affect the handling of the leftover log-messages
 of the final "System Events" layer, functioning rather like
-verbosity settings: 
+verbosity settings:
 
 "paranoid" is "high verbosity" - meaning that only the minimal set
 	of filters in ignore.d.paranoid should be applied.  This is
@@ -66,4 +66,4 @@ well have stayed in "/var/log/*".  However, as long as you're
 prepared to tune logcheck's output with local filters, a verbose
 REPORTLEVEL can be a valuable debugging aid even on an unnetworked
 home PC; see the logcheck-database README section on WRITING RULES.
-######################################################################
\ No newline at end of file
+######################################################################
diff --git a/docs/README.logcheck-database b/docs/README.logcheck-database
index d221ea8..e99fdfb 100644
--- a/docs/README.logcheck-database
+++ b/docs/README.logcheck-database
@@ -71,7 +71,7 @@ following kinds:
 
 ./<packagename>
 
-The rule filename must only contain characters compatible with 
+The rule filename must only contain characters compatible with
 run-parts(8).  As of this writing, this includes alphanumeric characters,
 underscore, and hyphen.
 
@@ -92,7 +92,7 @@ _do_ need to be "Security Events" triggers but also exceptional
 variants which _don't_ - maybe it logs either
     "$DATE $HOSTNAME fooserver[$PID]: $USER barred"
 or
-    "$DATE $HOSTNAME fooserver[$PID]: none barred". 
+    "$DATE $HOSTNAME fooserver[$PID]: none barred".
 In this situation the alarm can be overruled by a
 violations.ignore rulefile named "fooserver" which filters
 "none barred".  This will _not_ affect other "Security Events"
diff --git a/docs/README.logtail b/docs/README.logtail
index 1262b81..ef5b70c 100644
--- a/docs/README.logtail
+++ b/docs/README.logtail
@@ -4,7 +4,7 @@ SYNOPSIS
 Logtail is so named because it can be used to read the last few
 messages in a constantly-growing file; but rather than showing a
 fixed proportion of the log, it bookmarks its place and only prints
-out the material added since your last visit. 
+out the material added since your last visit.
 
 This utility was originally provided as part of the package
 "logcheck", but can now be installed independently.
@@ -20,7 +20,7 @@ is read from the beginning.
 Inode information is taken into account so that logtail can detect
 the case where a file has been replaced by another of the same name
 (but probably with different content, so it's all printed) - a
-common effect of logfile rotation.  On the other hand a file 
+common effect of logfile rotation.  On the other hand a file
 shrinking _without_ moving is a possible symptom of intruders
 covering their tracks, and triggers prominent warnings in the output.
 
@@ -36,11 +36,11 @@ COMMANDLINE ARGUMENTS
 See logtail(8) and logtail2(8).
 
 The first, compulsory argument is the name of the input logfile;
-unlike tail, logtail cannot use stdin! 
+unlike tail, logtail cannot use stdin!
 
 The second, optional argument specifies the filename to which offset
 records should be written.  By default it simply adds .offset to the
 name of the input file, which leaves it up to the user to handle
 security issues such as directory write-access; for any serious
 purpose a dedicated offsets directory should be specified.
-######################################################################
\ No newline at end of file
+######################################################################
diff --git a/docs/logcheck.sgml b/docs/logcheck.sgml
index 52fdda3..9cfe243 100644
--- a/docs/logcheck.sgml
+++ b/docs/logcheck.sgml
@@ -8,7 +8,7 @@
 manpage.1: manpage.sgml
 	docbook-to-man $< > $@
 
-    
+
 	The docbook-to-man binary is found in the docbook-to-man package.
 	Please remember that if you create the nroff version in one of the
 	debian/rules file targets (such as build), you will need to include
@@ -71,7 +71,7 @@ manpage.1: manpage.sgml
 
     <para>The <command>&dhpackage;</command> program helps spot problems and
     security violations in your logfiles automatically and will send the
-    results to you periodically in an e-mail. By default logcheck runs as 
+    results to you periodically in an e-mail. By default logcheck runs as
     an hourly cronjob just off the hour and after every reboot.</para>
 
     <para><command>&dhpackage;</command> supports three level of filtering:
@@ -83,8 +83,8 @@ manpage.1: manpage.sgml
     included at level "server" and "workstation".</para>
 
     <para>The messages reported are sorted into three layers, system events,
-    security events and attack alerts. The verbosity of system events is 
-    controlled by which level you choose, paranoid, server or workstation. 
+    security events and attack alerts. The verbosity of system events is
+    controlled by which level you choose, paranoid, server or workstation.
     However, security events and attack alerts are not affected by this.</para>
 
   </refsect1>
@@ -254,7 +254,7 @@ manpage.1: manpage.sgml
   <refsect1>
     <title>AUTHOR</title>
 
-    <para>&dhpackage; is developed by Debian &dhpackage; Team at alioth: 
+    <para>&dhpackage; is developed by Debian &dhpackage; Team at alioth:
     http://alioth.debian.org/projects/logcheck/.</para>
 
     <para>This manual page was written by &dhusername;.</para>
diff --git a/docs/logtail.8 b/docs/logtail.8
index dd1e2b9..666fe69 100644
--- a/docs/logtail.8
+++ b/docs/logtail.8
@@ -15,7 +15,7 @@ which has not been read by previous runs of
 It prints the appropriate number of bytes from the end of
 .IR logfile ,
 assuming that all changes that are made to it are to add new
-characters to it. 
+characters to it.
 .P
 .I logfile
 must be a plain file.  A symlink is not allowed.
@@ -46,11 +46,11 @@ it writes a warning message to the standard output.
 .SH OPTIONS
 .TP
 .B \-f
-.I logfile 
+.I logfile
 to be read after offset
 .TP
 .B \-o
-.I offsetfile 
+.I offsetfile
 stores offset of previous run
 .TP
 .B \-t
diff --git a/docs/logtail2.8 b/docs/logtail2.8
index bbad265..a9b1267 100644
--- a/docs/logtail2.8
+++ b/docs/logtail2.8
@@ -15,7 +15,7 @@ which has not been read by previous runs of
 It prints the appropriate number of bytes from the end of
 .IR logfile ,
 assuming that all changes that are made to it are to add new
-characters to it. 
+characters to it.
 .P
 .I logfile
 must be a plain file.  A symlink is not allowed.
@@ -54,11 +54,11 @@ it writes a warning message to the standard output.
 .SH OPTIONS
 .TP
 .B \-f
-.I logfile 
+.I logfile
 to be read after offset
 .TP
 .B \-o
-.I offsetfile 
+.I offsetfile
 stores offset of previous run
 .TP
 .B \-t
diff --git a/docs/tools/log-summary-ssh b/docs/tools/log-summary-ssh
index 3274cc8..2056e01 100644
--- a/docs/tools/log-summary-ssh
+++ b/docs/tools/log-summary-ssh
@@ -2,24 +2,24 @@
 
 # log-summary-ssh
 # Selects two lines that are very common with ssh scans.
-# This script removes those from output and prints out aggregate 
+# This script removes those from output and prints out aggregate
 # statistics for those (both by host and by attempted user names).
 #
 # Reads from stdin or from command line arguments and prints to stdout.
 #
-# If you want to use this with logcheck, copy this to 
-# /usr/local/sbin/log-summary-ssh and add following lines to 
+# If you want to use this with logcheck, copy this to
+# /usr/local/sbin/log-summary-ssh and add following lines to
 # /etc/logcheck/logcheck.conf (or your config file):
 #
 # SYSLOGSUMMARY=1
 # SYSLOG_SUMMARY=/usr/local/sbin/log-summary-ssh
 #
-# If you want to use both syslog-summary and this script, you need to 
+# If you want to use both syslog-summary and this script, you need to
 # write a some kind of wrapper around those.
 # #!/bin/sh
 # syslog-summary $* | log-summary-sh
 #
-# Markus Peuhkuri <[EMAIL PROTECTED]> 2005  
+# Markus Peuhkuri <[EMAIL PROTECTED]> 2005
 # Use of this file is unrestricted.
 
 use strict;
diff --git a/src/dh_installlogcheck b/src/dh_installlogcheck
index 634f33a..e1b0fae 100755
--- a/src/dh_installlogcheck
+++ b/src/dh_installlogcheck
@@ -53,7 +53,7 @@ foreach my $package (@{$dh{DOPACKAGES}}) {
 L<debhelper(7)>
 
 This program is a part of debhelper.
-    
+
 =head1 AUTHOR
 
 Jon Middleton <[EMAIL PROTECTED]>
diff --git a/src/logcheck b/src/logcheck
index 452e1fa..98d6a54 100755
--- a/src/logcheck
+++ b/src/logcheck
@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright (C) 2004-2007 Debian Logcheck Team 
+# Copyright (C) 2004-2007 Debian Logcheck Team
 #                         <[EMAIL PROTECTED]>
 # Copyright (C) 2002,2003 Jonathan Middleton <[EMAIL PROTECTED]>
 # Copyright (C) 1999-2002 Rene Mayrhofer <[EMAIL PROTECTED]>
@@ -101,9 +101,9 @@ cleanup() {
 
     if [ -d $TMPDIR ]; then
         # Remove the tmp directory
-        if [ $NOCLEANUP -eq 0 ];then 
+        if [ $NOCLEANUP -eq 0 ];then
     	    cd /var/lib/logcheck
-    	    debug "cleanup: Removing - $TMPDIR" 
+    	    debug "cleanup: Removing - $TMPDIR"
     	    rm -r $TMPDIR
         else
     	    debug "cleanup: Not removing - $TMPDIR"
@@ -114,7 +114,7 @@ cleanup() {
 # Log debug output to standard error
 debug() {
 	if [ $LOGCHECKDEBUG -eq 1 ]; then
-		echo "D: [$(date +%s)] $1" >&2 
+		echo "D: [$(date +%s)] $1" >&2
 	fi
 }
 
@@ -147,7 +147,7 @@ error() {
            debug "error: Removing lockfile: $LOCKFILE.lock"
            lockfile-remove $LOCKFILE
        fi
-	
+
     fi
 
     debug "Error: $message"
@@ -170,7 +170,7 @@ $(export)
 EOF
 	} | mail -s "Logcheck: $HOSTNAME $DATE exiting due to errors" \
 	    "$SENDMAILTO"
-    
+
     elif [ $MAILOUT -eq 1 ]; then
           {
 	      echo "Error: $message."
@@ -203,7 +203,7 @@ cleanrules() {
     dir=$1
     cleaned=$2
 
-    if [ -d $dir ]; then 
+    if [ -d $dir ]; then
         if [ ! -d $cleaned ]; then
 	    mkdir $cleaned \
 	        || error "Could not make dir $cleaned for cleaned rulefiles."
@@ -327,19 +327,19 @@ greplogoutput() {
 	# apply different ignore rules
 	if [ -s $TMPDIR/checked ]; then
 	    debug "greplogoutput: Entries in checked"
-	    
+
 	    if [ -n "$ignore" -a -f "$ignore/$(basename $grepfile)" ]; then
 		cleanchecked "$ignore/$(basename $grepfile)"
 	    fi
 
-	    # quick and dirty fix for ignoring logcheck-foo files 
+	    # quick and dirty fix for ignoring logcheck-foo files
 	    # in the case logcheck itself has no raised entry
 	    if [ -n "$ignore" -a -f "$ignore/logcheck-$(basename $grepfile)" ]; then
 		cleanchecked "$ignore/logcheck-$(basename $grepfile)"
 	    fi
-	    
+
 	    # If it's the logcheck file, we do something special
-	    if [ "$(basename $grepfile)" = "logcheck" ]; then 
+	    if [ "$(basename $grepfile)" = "logcheck" ]; then
 
 		# Now ignore all entries from the ignore dir
 		# old logcheck versions only ignored logcheck-<package> files
@@ -350,9 +350,9 @@ greplogoutput() {
 			cleanchecked "$ignore/$file"
 		    done
 		else
-		    debug "No Logcheck override files" 
+		    debug "No Logcheck override files"
 		fi
- 
+
 		debug "Cleaning logcheck"
 		# Remove any entries already reported
 		for file in $(ls $raise/ | grep -v '^logcheck') ; do
@@ -361,7 +361,7 @@ greplogoutput() {
 		done
 	    fi
 
-	    if [ -n "$ignorehigher" ]; then 
+	    if [ -n "$ignorehigher" ]; then
 		if [ -d $ignorehigher -a -s $TMPDIR/checked ]; then
 		    cleanchecked "$ignorehigher"
 		fi
@@ -395,7 +395,7 @@ greplogoutput() {
 cleanchecked() {
     clean=$1
 
-    if [ -f $clean ]; then 
+    if [ -f $clean ]; then
 	debug "cleanchecked - file: $clean"
         egrep --text -v -f $clean $TMPDIR/checked | cat >> $TMPDIR/checked.1  \
 	    || error "Could not output to $TMPDIR/checked.1."
@@ -629,16 +629,16 @@ fi
 trap 'cleanup' 0
 
 debug "Trying to get lockfile: $LOCKFILE.lock"
-if [ ! -d $LOCKDIR ]; then 
+if [ ! -d $LOCKDIR ]; then
 	mkdir -m 0755 $LOCKDIR
 fi
 lockfile-create --retry 1 $LOCKFILE > /dev/null 2>&1
 
 
-if [ $? -eq 1 ]; then 
+if [ $? -eq 1 ]; then
     trap 0
     error "Failed to get lockfile: $LOCKFILE.lock" "noclean"
-else 
+else
     debug "Running lockfile-touch $LOCKFILE.lock"
     lockfile-touch $LOCKFILE &
     LOCK="$!"
@@ -655,7 +655,7 @@ cleanrules "$RULEDIR/violations.d" $TMPDIR/violations
 cleanrules "$RULEDIR/violations.ignore.d" $TMPDIR/violations-ignore
 
 # Now clean the ignore rulefiles for the report levels
-for level in $REPORTLEVELS; do 
+for level in $REPORTLEVELS; do
     cleanrules "$RULEDIR/ignore.d.$level" $TMPDIR/ignore
 done
 
@@ -673,7 +673,7 @@ mkdir $TMPDIR/logoutput \
 if [ ! $LOGFILE ] && [ -r $LOGFILES_LIST ]; then
     for file in $(egrep --text -v "(^#|^[[:space:]]*$)" $LOGFILES_LIST); do
 	logoutput "$file"
-    done 
+    done
 elif [ $LOGFILE ]; then
     if [ -f $LOGFILE ] && [ -r $LOGFILE ]; then
         logoutput "$LOGFILE"
@@ -692,7 +692,7 @@ debug "Sorting logs"
 $SORT $TMPDIR/logoutput/* | sed -e 's/[[:space:]]\+$//' | cat  \
     > $TMPDIR/logoutput-sorted \
         || error "Could not output to $TMPDIR/logoutput-sorted."
- 
+
 
 # See if the tmp file exists and actually has data to check,
 # if it doesn't we should erase it and exit as our job is done.
@@ -711,7 +711,7 @@ else
 fi
 
 if [ -f $TMPDIR/errors ]; then
-    { 
+    {
 	cat<<EOF
 
 $(cat $TMPDIR/errors)
@@ -739,7 +739,7 @@ fi
 # Check for security events
 if [ -d $TMPDIR/violations ]; then
     debug "Checking for security events"
-    rm -f $TMPDIR/checked 
+    rm -f $TMPDIR/checked
 
     if [ $ATTACK -eq 1 ]; then
 	greplogoutput $TMPDIR/violations "$SECURITYSUBJECT" \
@@ -761,7 +761,7 @@ if [ -d $TMPDIR/ignore ]; then
 	debug "Removing alerts from system events"
 	cleanchecked $TMPDIR/cracking
     fi
-    if [ -s $TMPDIR/checked ]; then 	
+    if [ -s $TMPDIR/checked ]; then
 	debug "Removing violations from system events"
 	cleanchecked $TMPDIR/violations
     fi
diff --git a/src/logtail2 b/src/logtail2
index ae04a11..08e054b 100755
--- a/src/logtail2
+++ b/src/logtail2
@@ -106,7 +106,7 @@ sub determine_rotated_logfile {
     # this subroutine tries to guess to where a given log file was
     # rotated. Its magic is mainly taken from logcheck's logoutput()
     # function with dateext magic added.
-    
+
     #print "determine_rotated_logfile $filename $inode\n";
     for my $codefile (glob("/usr/share/logtail/detectrotate/*.dtr")) {
         my $func = do $codefile;
@@ -154,7 +154,7 @@ if ($offsetfile) {
 	    }
         }
     }
-    
+
     # determine log file inode and size
     unless (($ino,$size) = (stat($logfile))[1,7]) {
         print STDERR "Cannot get $logfile file size: $!\n";
@@ -174,7 +174,7 @@ if ($offsetfile) {
 
     if ($inode != $ino) {
 	# this is the interesting case: inode has changed.
-	# So the file might have been rotated. We need to print the 
+	# So the file might have been rotated. We need to print the
 	# entire file.
         # Additionally, we might want to see whether we can find the
 	# previous instance of the file and to process it from here.
-- 
1.5.6.5
