svn commit: r446938 - in head/security/logcheck: . files
Matthew Seaman
matthew at FreeBSD.org
Sun Jul 30 15:48:02 UTC 2017
Author: matthew
Date: Sun Jul 30 15:47:59 2017
New Revision: 446938
URL: https://svnweb.freebsd.org/changeset/ports/446938
Log:
* Update to 1.3.18.
* The process of fixing paths in the scripts and configuration files is simplified.
* Now man page of logcheck is generated from DocBook SGML source file by using textproc/docbook-to-man.
* Sort pkg-plist.
* Add forgotten files/patch-etc_logcheck.logfiles.
* Update files/patch-etc_logcheck.conf
* Move backup file cleaning up from post-patch to do-build so 'make makepatch' works as expected.
PR: 220609
Submitted by: yasu at utahime.org (maintainer)
Added:
head/security/logcheck/files/patch-debian_logcheck.cron.d (contents, props changed)
head/security/logcheck/files/patch-docs_README.logcheck (contents, props changed)
head/security/logcheck/files/patch-docs_README.logcheck-database (contents, props changed)
head/security/logcheck/files/patch-docs_README.logtail (contents, props changed)
head/security/logcheck/files/patch-docs_logcheck-test.1 (contents, props changed)
head/security/logcheck/files/patch-docs_logcheck.sgml (contents, props changed)
head/security/logcheck/files/patch-docs_logtail2.8 (contents, props changed)
head/security/logcheck/files/patch-etc_logcheck.conf (contents, props changed)
head/security/logcheck/files/patch-etc_logcheck.logfiles (contents, props changed)
head/security/logcheck/files/patch-src_logcheck (contents, props changed)
head/security/logcheck/files/patch-src_logcheck-test (contents, props changed)
head/security/logcheck/files/patch-src_logtail2 (contents, props changed)
Deleted:
head/security/logcheck/files/extra-patch-debian__logcheck.cron.d.in
head/security/logcheck/files/extra-patch-docs__logcheck.8.in
head/security/logcheck/files/extra-patch-etc__logcheck.conf.in
head/security/logcheck/files/extra-patch-src__logcheck.in
head/security/logcheck/files/extra-patch-src__logtail2.in
Modified:
head/security/logcheck/Makefile
head/security/logcheck/distinfo
head/security/logcheck/files/patch-rulefiles__linux__ignore.d.server__ssh
head/security/logcheck/pkg-plist
Modified: head/security/logcheck/Makefile
==============================================================================
--- head/security/logcheck/Makefile Sun Jul 30 15:31:55 2017 (r446937)
+++ head/security/logcheck/Makefile Sun Jul 30 15:47:59 2017 (r446938)
@@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME= logcheck
-PORTVERSION= 1.3.17
+PORTVERSION= 1.3.18
CATEGORIES= security
MASTER_SITES= DEBIAN_POOL
DISTNAME= ${PORTNAME}_${PORTVERSION}
@@ -11,7 +11,9 @@ MAINTAINER= yasu at utahime.org
COMMENT= Auditing tool for system logs on Unix boxes
LICENSE= GPLv2
+LICENSE_FILE= ${WRKSRC}/LICENSE
+BUILD_DEPENDS= docbook-to-man>0:textproc/docbook-to-man
RUN_DEPENDS= mime-construct:mail/mime-construct \
lockfile:mail/procmail \
bash:shells/bash
@@ -38,39 +40,32 @@ WRKSRC= ${WRKDIR}/${DISTNAME:S!_!-!}
BINMODE= 755
SUB_LIST+= LOGCHECK_USER=${LOGCHECK_USER} \
LOGCHECK_GROUP=${LOGCHECK_GROUP} \
- CRON=${PORT_OPTIONS:MCRON}
+ DBDIR=${DBDIR} CRON=${PORT_OPTIONS:MCRON}
SUB_FILES= pkg-install pkg-deinstall pkg-message
PLIST_SUB+= LOGCHECK_USER=${LOGCHECK_USER} \
LOGCHECK_GROUP=${LOGCHECK_GROUP} \
DBDIR=${DBDIR} RUNDIR=${RUNDIR}
-SHEBANG_FILES= src/logcheck src/logtail src/logtail2
+SHEBANG_FILES= src/logcheck src/logtail src/logtail2 src/detectrotate/*.dtr
CONFIG_DIRS= cracking.d ignore.d.paranoid ignore.d.server \
ignore.d.workstation violations.d violations.ignore.d
-DOCS= AUTHORS CHANGES CREDITS LICENSE TODO docs/README*
+DOCS= AUTHORS CHANGES CREDITS TODO docs/README*
PORTDOCS= ${DOCS:T}
-MAN_FILES= logcheck.8 logtail.8 logtail2.8
+MAN1_FILES= logcheck-test.1
+MAN8_FILES= logcheck.8 logtail.8 logtail2.8
+REINPLACE_FILES= debian/logcheck.cron.d docs/logcheck.sgml \
+ docs/logtail2.8 docs/README.logcheck \
+ docs/README.logcheck-database docs/README.logtail \
+ etc/logcheck.conf src/logcheck src/logtail2
-PATCH_LIST= extra-patch-debian__logcheck.cron.d \
- extra-patch-docs__logcheck.8 \
- extra-patch-etc__logcheck.conf \
- extra-patch-src__logcheck \
- extra-patch-src__logtail2
-EXTRA_PATCHES= ${PATCH_LIST:C|^|${WRKDIR}/|g}
-
.include <bsd.port.pre.mk>
-pre-patch:
-.for patch in ${PATCH_LIST}
- @${SED} ${_SUB_LIST_TEMP} ${FILESDIR}/${patch}.in > ${WRKDIR}/${patch}
+do-build:
+.for file in ${REINPLACE_FILES}
+ ${REINPLACE_CMD} ${_SUB_LIST_TEMP} ${WRKSRC}/${file}
.endfor
+ docbook-to-man ${WRKSRC}/docs/logcheck.sgml > ${WRKSRC}/docs/logcheck.8
+ ${FIND} ${WRKSRC} -type f \( -name \*.orig -o -name \*.bak \) -delete
-post-patch:
- @${FIND} ${WRKSRC}/rulefiles -type f -name \*.orig -delete
-
-do-build:
- @${REINPLACE_CMD} -e 's!/var/log/syslog!/var/log/messages!' \
- ${WRKSRC}/etc/logcheck.logfiles
-
do-install:
@${MKDIR} ${STAGEDIR}${DATADIR}/detectrotate \
${STAGEDIR}${DBDIR} \
@@ -78,6 +73,7 @@ do-install:
${STAGEDIR}${ETCDIR} \
${STAGEDIR}${EXAMPLESDIR} \
${STAGEDIR}${RUNDIR}
+ ${INSTALL_SCRIPT} ${WRKSRC}/src/logcheck-test ${STAGEDIR}${PREFIX}/bin
${INSTALL_SCRIPT} ${WRKSRC}/src/logcheck ${STAGEDIR}${PREFIX}/sbin
${INSTALL_SCRIPT} ${WRKSRC}/src/logtail ${STAGEDIR}${PREFIX}/sbin
${INSTALL_SCRIPT} ${WRKSRC}/src/logtail2 ${STAGEDIR}${PREFIX}/sbin
@@ -97,7 +93,10 @@ do-install:
@${ECHO_CMD} '@exec ${CHGRP} -R ${LOGCHECK_GROUP} \
${ETCDIR:S|^${PREFIX}/|%D/|} \
${DATADIR:S|^${PREFIX}/|%D/|}' >> ${TMPPLIST}
-.for i in ${MAN_FILES}
+.for i in ${MAN1_FILES}
+ ${INSTALL_MAN} ${WRKSRC}/docs/$i ${STAGEDIR}${MAN1PREFIX}/man/man1
+.endfor
+.for i in ${MAN8_FILES}
${INSTALL_MAN} ${WRKSRC}/docs/$i ${STAGEDIR}${MAN8PREFIX}/man/man8
.endfor
cd ${WRKSRC} && ${INSTALL_DATA} ${DOCS} ${STAGEDIR}${DOCSDIR}
Modified: head/security/logcheck/distinfo
==============================================================================
--- head/security/logcheck/distinfo Sun Jul 30 15:31:55 2017 (r446937)
+++ head/security/logcheck/distinfo Sun Jul 30 15:47:59 2017 (r446938)
@@ -1,2 +1,3 @@
-SHA256 (logcheck_1.3.17.tar.xz) = c2d3fc323e8c6555e91d956385dbfd0f67b55872ed0f6a7ad8ad2526a9faf03a
-SIZE (logcheck_1.3.17.tar.xz) = 130956
+TIMESTAMP = 1499679623
+SHA256 (logcheck_1.3.18.tar.xz) = 077b9149ccd2b747b52785afa89da844f3d072c017c9e719925dec6acb9a9af4
+SIZE (logcheck_1.3.18.tar.xz) = 131252
Added: head/security/logcheck/files/patch-debian_logcheck.cron.d
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/logcheck/files/patch-debian_logcheck.cron.d Sun Jul 30 15:47:59 2017 (r446938)
@@ -0,0 +1,16 @@
+--- debian/logcheck.cron.d.orig 2017-01-25 21:08:04 UTC
++++ debian/logcheck.cron.d
+@@ -1,9 +1,5 @@
+-# /etc/cron.d/logcheck: crontab entries for the logcheck package
+-
+-PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
++# crontab entries for the logcheck package
++PATH=/sbin:/bin:/usr/sbin:/usr/bin:%%PREFIX%%/sbin:%%PREFIX%%/bin
+ MAILTO=root
+-
+- at reboot logcheck if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck -R; fi
+-2 * * * * logcheck if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck; fi
+-
+-# EOF
++ at reboot if [ -x %%PREFIX%%/sbin/logcheck ]; then nice -n10 %%PREFIX%%/sbin/logcheck -R; fi
++2 * * * * if [ -x %%PREFIX%%/sbin/logcheck ]; then nice -n10 %%PREFIX%%/sbin/logcheck; fi
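Review bot: The rewritten entries drop the `logcheck` user column, so the file is no longer in Debian's /etc/cron.d system-crontab format but in per-user crontab format, and which account runs it is now decided entirely by where it gets installed; since the patched src/logcheck exits when `id -u` is 0, it has to be loaded with `crontab -u %%LOGCHECK_USER%%` rather than appended to /etc/crontab, where the missing column would be misparsed. The header comment could state that, e.g. `# Per-user crontab: load as the logcheck user with crontab -u %%LOGCHECK_USER%% <this file>`. Where the port installs this file is outside this hunk, so the pkg-message may already cover it.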
Added: head/security/logcheck/files/patch-docs_README.logcheck
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/logcheck/files/patch-docs_README.logcheck Sun Jul 30 15:47:59 2017 (r446938)
@@ -0,0 +1,16 @@
+--- docs/README.logcheck.orig 2017-01-25 21:08:04 UTC
++++ docs/README.logcheck
+@@ -17,11 +17,11 @@ don't start overlapping.
+ ======================================================================
+ LOG ENTRIES
+ -----------
+-These are taken from a specified set of logfiles (usually syslog and
++These are taken from a specified set of logfiles (usually messages and
+ auth.log); a special Perl utility named "logtail" is used which
+ "bookmarks" its place in the logs, so that events aren't reported
+ twice in successive logcheck runs. The offset records are stored as
+-(eg) "/var/lib/logcheck/offset.var.log.syslog"; lines to be
++(eg) "%%DBDIR%%/offset.var.log.messages"; lines to be
+ considered by logcheck are copied into tempfiles in the working
+ directory "/var/tmp/logcheck". See the corresponding README for
+ logtail for further notes on complications such as log-rotation.
Added: head/security/logcheck/files/patch-docs_README.logcheck-database
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/logcheck/files/patch-docs_README.logcheck-database Sun Jul 30 15:47:59 2017 (r446938)
@@ -0,0 +1,105 @@
+--- docs/README.logcheck-database.orig 2017-01-25 21:08:04 UTC
++++ docs/README.logcheck-database
+@@ -15,7 +15,7 @@ normal egrep pattern-matches, applied in
+ 1. the "SECURITY ALERTS" layer, designed to detect the traces of active
+ intrusion attempts.
+
+- Patterns raising the alarm go in "/etc/logcheck/cracking.d"; any
++ Patterns raising the alarm go in "%%ETCDIR%%/cracking.d"; any
+ event that matches one of these patterns turns the report
+ into an urgent "Security Alerts" report, with the relevant
+ event moved to a special section. The cracking.d standard
+@@ -26,7 +26,7 @@ normal egrep pattern-matches, applied in
+ the default logcheck configuration, but if the local
+ administrator enables this layer of filtering in
+ logcheck.conf, then the rules go in the directory
+- "/etc/logcheck/cracking.ignore.d". Matches with
++ "%%ETCDIR%%/cracking.ignore.d". Matches with
+ cracking.ignore rules will then reclassify the alert as a
+ false alarm (compare violations.ignore below). Note that
+ this means they are totally ignored - log messages handled
+@@ -35,12 +35,12 @@ normal egrep pattern-matches, applied in
+ 2. the "SECURITY EVENTS" layer, designed to detect less critical
+ events still considered worthy of special attention.
+
+- Patterns raising the alarm go in "/etc/logcheck/violations.d";
++ Patterns raising the alarm go in "%%ETCDIR%%/violations.d";
+ matches with these result in a "Security Events" alert,
+ with the relevant event moved to a special section.
+
+ Patterns cancelling such alarms go in the standard directory
+- "/etc/logcheck/violations.ignore.d"; apparent "Security
++ "%%ETCDIR%%/violations.ignore.d"; apparent "Security
+ Events" that match with violations.ignore patterns are
+ discarded as false alarms.
+
+@@ -51,7 +51,7 @@ normal egrep pattern-matches, applied in
+ from the logfiles are considered for inclusion in the main
+ "System Events" section.
+
+- Patterns in the three "/etc/logcheck/ignore.d.*" directories
++ Patterns in the three "%%ETCDIR%%/ignore.d.*" directories
+ again function to overrule alerts; the log messages that
+ match them are excluded from the report as trivial. The
+ specific directories consulted depend on the prevailing
+@@ -78,13 +78,13 @@ underscore, and hyphen.
+ Contains filters relevant to only one Debian package - for example
+ if "fooserver" logs suspicious events like this:
+ "$DATE $HOSTNAME fooserver[$PID]: $USER is up to no good"
+-then a line in "/etc/logcheck/violations.d/fooserver" with an
++then a line in "%%ETCDIR%%/violations.d/fooserver" with an
+ appropriate pattern will promote it from a mere "System Event"
+ to a full "Security Event" in a subsection of the mailing headed
+ "fooserver". Or then again if that kind of log message is more
+ trivial than it looks (maybe "foo" is a networked game of
+ spy-and-counterspy) then a line in
+-"/etc/logcheck/ignore.d.server/fooserver" will turn it into a
++"%%ETCDIR%%/ignore.d.server/fooserver" will turn it into a
+ nonevent for all but the most assiduous of administrators.
+
+ Sometimes a package will have not only special alarm calls which
+@@ -107,7 +107,7 @@ that need to be processed.
+
+ Standard "generic" rules go in each directory's "./logcheck" file;
+ thus for instance any log message at all matching "ATTACK"
+-(listed in "/etc/logcheck/cracking.d/logcheck") _always_ triggers
++(listed in "%%ETCDIR%%/cracking.d/logcheck") _always_ triggers
+ a "Security Alert", unless you deliberately tamper with
+ "cracking.ignore.d" rules.
+
+@@ -122,12 +122,12 @@ non-package-specific "flagging" patterns
+ "fooserver" outputs syslog messages like this:
+ "$DATE $HOSTNAME fooserver[$PID]: 3 attempts 0 rejected"
+ then the standard keyword "reject" listed in the generic
+-"/etc/logcheck/violations.d/logcheck" file will trigger frequent
++"%%ETCDIR%%/violations.d/logcheck" file will trigger frequent
+ "Security Events" reports. Putting a filtering pattern in
+-"/etc/logcheck/violations.ignore.d/fooserver" won't help here!
++"%%ETCDIR%%/violations.ignore.d/fooserver" won't help here!
+ The solution is to use a file named in the specially-privileged
+ ./logcheck-<packagename> format:
+-"/etc/logcheck/violations.ignore.d/logcheck-fooserver".
++"%%ETCDIR%%/violations.ignore.d/logcheck-fooserver".
+ This can contain patterns provided by that particular package
+ which nonetheless need to take precedence over the generic rules.
+
+@@ -137,8 +137,8 @@ Sysadmins can use the "local-*" filename
+ additions to the "logcheck-*" pattern lists. If you have "ippl"
+ logging network connections verbosely into syslog then you can put
+ custom "Security Events" keywords in
+-"/etc/logcheck/violations.d/local-ippl" and exceptions in
+-"/etc/logcheck/violations.ignore.d/local-ippl".
++"%%ETCDIR%%/violations.d/local-ippl" and exceptions in
++"%%ETCDIR%%/violations.ignore.d/local-ippl".
+
+
+ WRITING RULES
+@@ -181,7 +181,7 @@ logcheck-test(1)).
+ Alternatively you can manually grep your log file, and remove trailing
+ space with something like this:
+
+- sed -e 's/[[:space:]]*$//' /var/log/syslog | egrep \
++ sed -e 's/[[:space:]]*$//' /var/log/messages | egrep \
+ '^\w{3} [ :0-9]{11} oempc wwwoffled\[[0-9]+\]: WWWOFFLE (On|Off)line\.$'
+
+ If the log line is displayed, then your regex works.
Added: head/security/logcheck/files/patch-docs_README.logtail
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/logcheck/files/patch-docs_README.logtail Sun Jul 30 15:47:59 2017 (r446938)
@@ -0,0 +1,11 @@
+--- docs/README.logtail.orig 2017-01-25 21:08:04 UTC
++++ docs/README.logtail
+@@ -28,7 +28,7 @@ Logtail2, a different executeable, also
+ guessing a file name that might have been the target of log rotation
+ and printing that file's contents starting with the stored offset. If
+ you have a non-standard rotation scheme, you can drop your own
+-heuristic into /usr/share/logtail/detectrotate/ and have it
++heuristic into %%DATADIR%%/detectrotate/ and have it
+ automatically picked up by logtail2.
+ ======================================================================
+ COMMANDLINE ARGUMENTS
Added: head/security/logcheck/files/patch-docs_logcheck-test.1
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/logcheck/files/patch-docs_logcheck-test.1 Sun Jul 30 15:47:59 2017 (r446938)
@@ -0,0 +1,26 @@
+--- docs/logcheck-test.1.orig 2017-01-25 21:08:04 UTC
++++ docs/logcheck-test.1
+@@ -38,8 +38,8 @@ Show usage information
+ .B \-a, \-\-auth.log
+ Parse /var/log/auth.log for matching lines
+ .TP
+-.B \-s, \-\-syslog
+-Parse /var/log/syslog for matching lines
++.B \-m, \-\-messages
++Parse /var/log/messages for matching lines
+ .TP
+ .B \-l, \-\-log\-file FILE
+ Parse FILE for matching lines
+@@ -69,10 +69,10 @@ With
+ .B logcheck-test
+ you can easily write and test new rules.
+ .PP
+-Test a single rule against /var/log/syslog:
++Test a single rule against /var/log/messages:
+ .RS
+ .fam C
+-logcheck-test \-s "RULE"
++logcheck-test \-m "RULE"
+ .fam T
+ .RE
+
Added: head/security/logcheck/files/patch-docs_logcheck.sgml
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/logcheck/files/patch-docs_logcheck.sgml Sun Jul 30 15:47:59 2017 (r446938)
@@ -0,0 +1,17 @@
+--- docs/logcheck.sgml.orig 2017-01-25 21:08:04 UTC
++++ docs/logcheck.sgml
+@@ -244,10 +244,10 @@ manpage.1: manpage.sgml
+ <refsect1>
+ <title>FILES</title>
+
+- <para>/etc/logcheck/logcheck.conf is the main configuration file.</para>
+- <para>/etc/logcheck/logcheck.logfiles is the list of files to monitor.</para>
+- <para>/etc/logcheck/logcheck.logfiles.d is the directory of lists of files to monitor.</para>
+- <para>/usr/share/doc/logcheck-database/README.logcheck-database.gz for hints on how to write, test and maintain rules.</para>
++ <para>%%ETCDIR%%/logcheck.conf is the main configuration file.</para>
++ <para>%%ETCDIR%%/logcheck.logfiles is the list of files to monitor.</para>
++ <para>%%ETCDIR%%/logcheck.logfiles.d is the directory of lists of files to monitor.</para>
++ <para>%%DOCSDIR%%/README.logcheck-database for hints on how to write, test and maintain rules.</para>
+ </refsect1>
+ <refsect1>
+ <title>EXIT STATUS</title>
Added: head/security/logcheck/files/patch-docs_logtail2.8
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/logcheck/files/patch-docs_logtail2.8 Sun Jul 30 15:47:59 2017 (r446938)
@@ -0,0 +1,11 @@
+--- docs/logtail2.8.orig 2017-01-25 21:08:04 UTC
++++ docs/logtail2.8
+@@ -38,7 +38,7 @@ is not empty, the inode of
+ is checked. If the inode is changed,
+ .B logtail2
+ uses the heuristics stored in
+-.I /usr/share/logtail/detectrotate/
++.I %%DATADIR%%/detectrotate/
+ to find a file that might be the rotated
+ .I logfile
+ and prints it starting with the stored offset. It then proceeds to
Added: head/security/logcheck/files/patch-etc_logcheck.conf
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/logcheck/files/patch-etc_logcheck.conf Sun Jul 30 15:47:59 2017 (r446938)
@@ -0,0 +1,37 @@
+--- etc/logcheck.conf.orig 2017-01-25 21:08:04 UTC
++++ etc/logcheck.conf
+@@ -9,7 +9,7 @@
+ # Controls the presence of boilerplate at the top of each message:
+ # Alternatively, set to "0" to disable the introduction.
+ #
+-# If the files /etc/logcheck/header.txt and /etc/logcheck/footer.txt
++# If the files %%ETCDIR%%/header.txt and %%ETCDIR%%/footer.txt
+ # are present their contents will be read and used as the header and
+ # footer of any generated mails.
+
+@@ -44,8 +44,8 @@ FQDN=1
+
+ #SORTUNIQ=0
+
+-# Controls whether /etc/logcheck/cracking.ignore.d is scanned for
+-# exceptions to the rules in /etc/logcheck/cracking.d:
++# Controls whether %%ETCDIR%%/cracking.ignore.d is scanned for
++# exceptions to the rules in %%ETCDIR%%/cracking.d:
+ # Alternatively, set to "1" to enable cracking.ignore support
+
+ #SUPPORT_CRACKING_IGNORE=0
+@@ -53,13 +53,7 @@ FQDN=1
+ # Controls the base directory for rules file location
+ # This must be an absolute path
+
+-#RULEDIR="/etc/logcheck"
+-
+-# Controls if syslog-summary is run over each section.
+-# Alternatively, set to "1" to enable extra summary.
+-# HINT: syslog-summary needs to be installed.
+-
+-#SYSLOGSUMMARY=0
++#RULEDIR="%%ETCDIR%%"
+
+ # Controls Subject: lines on logcheck reports:
+
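Review bot: The `SYSLOGSUMMARY` option is still honoured by the patched src/logcheck in this same commit (`SYSLOGSUMMARY=0` and a hard-coded `SYSLOG_SUMMARY="/usr/bin/syslog-summary"`), so dropping its commented block from the sample logcheck.conf leaves a live knob undocumented and, if a user enables it, pointing at a Linux path that will not exist under %%PREFIX%%. Either keep the four comment lines with a note that the port does not provide syslog-summary, or make the src/logcheck patch set `SYSLOG_SUMMARY="%%PREFIX%%/bin/syslog-summary"` alongside the other path fixes.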
Added: head/security/logcheck/files/patch-etc_logcheck.logfiles
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/logcheck/files/patch-etc_logcheck.logfiles Sun Jul 30 15:47:59 2017 (r446938)
@@ -0,0 +1,8 @@
+--- etc/logcheck.logfiles.orig 2017-01-25 21:08:04 UTC
++++ etc/logcheck.logfiles
+@@ -1,4 +1,4 @@
+ # these files will be checked by logcheck
+ # This has been tuned towards a default syslog install
+-/var/log/syslog
+ /var/log/auth.log
++/var/log/messages
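Review bot: `/var/log/auth.log` is kept as a monitored file, but on a stock FreeBSD install newsyslog.conf creates it mode 600 owned by root (unlike /var/log/messages, which is 644), so the unprivileged logcheck user this package runs as cannot read it and every run would take the "verify that the logcheck user can read all files" error path in src/logcheck. A comment above the entry should say what to do, e.g. `# FreeBSD creates auth.log 0600 root: adjust its mode/group here and in newsyslog.conf so the logcheck user can read it`; note this file is not in REINPLACE_FILES, so %%...%% placeholders would not be expanded in it. `/var/log/security` may also be worth listing, since FreeBSD's default syslog.conf routes `security.*` there rather than to messages. Whether pkg-install or pkg-message already handles the permission is outside this diff.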
Modified: head/security/logcheck/files/patch-rulefiles__linux__ignore.d.server__ssh
==============================================================================
--- head/security/logcheck/files/patch-rulefiles__linux__ignore.d.server__ssh Sun Jul 30 15:31:55 2017 (r446937)
+++ head/security/logcheck/files/patch-rulefiles__linux__ignore.d.server__ssh Sun Jul 30 15:47:59 2017 (r446938)
@@ -1,6 +1,6 @@
---- ./rulefiles/linux/ignore.d.server/ssh.orig 2010-09-03 04:24:30.000000000 -0400
-+++ ./rulefiles/linux/ignore.d.server/ssh 2011-11-23 14:25:31.000000000 -0500
-@@ -21,8 +21,8 @@
+--- rulefiles/linux/ignore.d.server/ssh.orig 2017-01-25 21:08:04 UTC
++++ rulefiles/linux/ignore.d.server/ssh
+@@ -27,8 +27,8 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: \(pam_unix\) check pass; user unknown$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: \(pam_unix\) bad username \[[^]]+\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: Could not get shadow information for NOUSER$
Added: head/security/logcheck/files/patch-src_logcheck
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/logcheck/files/patch-src_logcheck Sun Jul 30 15:47:59 2017 (r446938)
@@ -0,0 +1,153 @@
+--- src/logcheck.orig 2017-07-11 17:32:13 UTC
++++ src/logcheck
+@@ -24,17 +24,10 @@
+
+ if [ `id -u` = 0 ]; then
+ echo "logcheck should not be run as root. Use su to invoke logcheck:"
+- echo "su -s /bin/bash -c \"/usr/sbin/logcheck${@:+ $@}\" logcheck"
++ echo "su -m %%LOGCHECK_USER%% -c \"%%LOCALBASE%%/bin/bash %%PREFIX%%/sbin/logcheck${@:+ $@}\""
+ echo "Or use sudo: sudo -u logcheck logcheck${@:+ $@}."
+ # you may want to uncomment that hack to let logcheck invoke itself.
+- # su -s /bin/bash -c "$0 $*" logcheck
+- exit 1
+-fi
+-
+-if [ ! -f /usr/bin/lockfile-create -o \
+- ! -f /usr/bin/lockfile-remove -o \
+- ! -f /usr/bin/lockfile-touch ]; then
+- echo "fatal: lockfile-progs is a prerequisite for logcheck, and was not found."
++ # su -s %%LOCALBASE%%/bin/bash -c "$0 $*" logcheck
+ exit 1
+ fi
+
+@@ -69,13 +62,13 @@ EVENTSSUBJECT="System Events"
+ ADDTAG="no"
+
+ # Set the default paths
+-RULEDIR="/etc/logcheck"
+-CONFFILE="/etc/logcheck/logcheck.conf"
+-STATEDIR="/var/lib/logcheck"
+-LOGFILES_LIST="/etc/logcheck/logcheck.logfiles"
+-LOGFILES_LIST_D="/etc/logcheck/logcheck.logfiles.d"
+-LOGFILE_FALLBACK="/var/log/syslog"
+-LOGTAIL="/usr/sbin/logtail2"
++RULEDIR="%%ETCDIR%%"
++CONFFILE="%%ETCDIR%%/logcheck.conf"
++STATEDIR="%%DBDIR%%"
++LOGFILES_LIST="%%ETCDIR%%/logcheck.logfiles"
++LOGFILES_LIST_D="%%ETCDIR%%/logcheck.logfiles.d"
++LOGFILE_FALLBACK="/var/log/messages"
++LOGTAIL="%%PREFIX%%/sbin/logtail2"
+ CAT="/bin/cat"
+ SYSLOG_SUMMARY="/usr/bin/syslog-summary"
+
+@@ -90,20 +83,15 @@ FQDN=0
+ SORTUNIQ=0
+ SUPPORT_CRACKING_IGNORE=0
+ SYSLOGSUMMARY=0
+-LOCKDIR=/run/lock/logcheck
++LOCKDIR=/var/run/logcheck
+ LOCKFILE="$LOCKDIR/logcheck"
+
+ # Carry out the clean up tasks
+ cleanup() {
+
+- if [ -n "$LOCK" ]; then
+- debug "cleanup: Killing lockfile-touch - $LOCK"
+- kill "$LOCK" && unset LOCK
+- fi
+-
+- if [ -f "$LOCKFILE.lock" ]; then
+- debug "cleanup: Removing lockfile: $LOCKFILE.lock"
+- lockfile-remove "$LOCKFILE"
++ if [ -f "$LOCKFILE" ]; then
++ debug "cleanup: Removing lockfile: $LOCKFILE"
++ rm -f "$LOCKFILE"
+ fi
+
+ if [ -d "$TMPDIR" ]; then
+@@ -145,14 +133,9 @@ error() {
+ if [ "$2" = "noclean" ]; then
+ debug "error: Not removing lockfile"
+ else
+- if [ -n "$LOCK" ]; then
+- debug "error: Killing lockfile-touch - $LOCK"
+- kill "$LOCK" && unset LOCK
+- fi
+-
+- if [ -f "$LOCKFILE.lock" ]; then
+- debug "error: Removing lockfile: $LOCKFILE.lock"
+- lockfile-remove "$LOCKFILE"
++ if [ -f "$LOCKFILE" ]; then
++ debug "error: Removing lockfile: $LOCKFILE"
++ rm -f "$LOCKFILE"
+ fi
+
+ fi
+@@ -171,7 +154,7 @@ $message
+ ${TMPDIR:+Check temporary directory: $TMPDIR
+ }
+ Also verify that the logcheck user can read all files referenced in
+-/etc/logcheck/logcheck.logfiles!
++%%ETCDIR%%/logcheck.logfiles!
+
+ $(export)
+ EOF
+@@ -223,7 +206,7 @@ cleanrules() {
+ error "Couldn't read $x"
+ fi
+ done
+- for rulefile in $(run-parts --list "$dir"); do
++ for rulefile in $(ls -1R "$dir"); do
+ rulefile="$(basename "$rulefile")"
+ if [ -f "${dir}/${rulefile}" ]; then
+ debug "cleanrules: ${dir}/${rulefile}"
+@@ -538,9 +521,9 @@ fi
+
+ # Hostname either fully qualified or not.
+ if [ "$FQDN" -eq 1 ]; then
+- HOSTNAME="$(hostname --fqdn 2>/dev/null)"
++ HOSTNAME="$(hostname -f 2>/dev/null)"
+ else
+- HOSTNAME="$(hostname --short 2>/dev/null)"
++ HOSTNAME="$(hostname -s 2>/dev/null)"
+ fi
+
+ # Now check for the other options
+@@ -623,30 +606,25 @@ fi
+
+ trap 'cleanup' 0
+
+-debug "Trying to get lockfile: $LOCKFILE.lock"
++debug "Trying to get lockfile: $LOCKFILE"
+ if [ ! -d "$LOCKDIR" ]; then
+ mkdir -m 0755 "$LOCKDIR"
+ fi
+-lockfile-create --retry 1 "$LOCKFILE" > /dev/null 2>&1
++lockfile -r 1 "$LOCKFILE" > /dev/null 2>&1
+
+
+ if [ $? -eq 1 ]; then
+ trap 0
+- if [ -e "${LOCKFILE}.lock" ]; then
++ if [ -e "${LOCKFILE}" ]; then
+ error "Another logcheck process is still running" "noclean"
+ else
+- error "Failed to get lockfile: $LOCKFILE.lock" "noclean"
++ error "Failed to get lockfile: $LOCKFILE" "noclean"
+ fi
+-
+-else
+- debug "Running lockfile-touch $LOCKFILE.lock"
+- lockfile-touch "$LOCKFILE" &
+- LOCK="$!"
+ fi
+
+ # Create the secure temporary directory or exit
+-TMPDIR="$(mktemp -d -p "${TMP:-/tmp}" logcheck.XXXXXX)" \
+- || TMPDIR="$(mktemp -d -p /var/tmp logcheck.XXXXXX)" \
++TMPDIR="$(mktemp -d ${TMP:-/tmp}/logcheck.XXXXXX)" \
++ || TMPDIR="$(mktemp -d /var/tmp/logcheck.XXXXXX)" \
+ || error "Could not create temporary directory"
+
+ # Now clean the rulefiles in the directories
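Review bot: The failure test after the new `lockfile -r 1 "$LOCKFILE"` call still reads `if [ $? -eq 1 ]`, which was the lockfile-progs convention; procmail's lockfile(1) reports a lock it could not take with exit status 73 (EX_CANTCREAT), not 1, so a concurrent logcheck run falls through this check and proceeds without the lock, silently because of the `> /dev/null 2>&1`. Change the test to `if [ $? -ne 0 ]; then`, and consider `lockfile -r 1 -l 3600 "$LOCKFILE"`, because the `lockfile-touch` keep-alive was removed and a lock left behind by a killed run now never expires. Separately, replacing `run-parts --list "$dir"` with `ls -1R "$dir"` loses run-parts' filename filter (letters, digits, underscore and hyphen only, which the patched README.logcheck-database still documents), so editor backups such as `ssh~` or `ssh.orig` dropped into a rules directory would now be loaded as rule files and could silently suppress alerts; filter the names, e.g. `for rulefile in $(ls -1 "$dir" | grep -E '^[A-Za-z0-9_-]+$'); do`. The enclosing functions (cleanup, error, cleanrules) and the main body continue outside this patch.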
Added: head/security/logcheck/files/patch-src_logcheck-test
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/logcheck/files/patch-src_logcheck-test Sun Jul 30 15:47:59 2017 (r446938)
@@ -0,0 +1,23 @@
+--- src/logcheck-test.orig 2017-01-25 21:08:04 UTC
++++ src/logcheck-test
+@@ -38,7 +38,7 @@ usage() {
+ usage: logcheck-test
+ -h|--help : Show usage information
+ -a|--auth.log : Parse /var/log/auth.log
+--s|--syslog : Parse /var/log/syslog
++-m|--messages : Parse /var/log/messages
+ -l|--log-file LOGFILE : Parse LOGFILE
+ -i|--invert-match : Show lines that don't match the RULE or RULEFILE
+ -q|--quiet : Suppress rule summary
+@@ -103,9 +103,9 @@ while [ -n "${1:-}" ]; do
+ warn "option -a ignored"
+ fi
+ ;;
+- -s|--syslog)
++ -m|--messages)
+ if [ -z "$FILE" ] ; then
+- FILE="/var/log/syslog"
++ FILE="/var/log/messages"
+ else
+ warn "option -s ignored"
+ fi
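Review bot: The warning inside the renamed branch still reads `warn "option -s ignored"` at the hunk's last context line while the option is now `-m|--messages`, so a user passing both `-l` and `-m` is told about a flag they did not use. Change it to `warn "option -m ignored"` to match the usage text updated above. The rest of the option parser is outside the hunk.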
Added: head/security/logcheck/files/patch-src_logtail2
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/logcheck/files/patch-src_logtail2 Sun Jul 30 15:47:59 2017 (r446938)
@@ -0,0 +1,11 @@
+--- src/logtail2.orig 2017-07-11 17:32:13 UTC
++++ src/logtail2
+@@ -109,7 +109,7 @@ sub determine_rotated_logfile {
+ # function with dateext magic added.
+
+ #print "determine_rotated_logfile $filename $inode\n";
+- for my $codefile (glob("/usr/share/logtail/detectrotate/*.dtr")) {
++ for my $codefile (glob("%%DATADIR%%/detectrotate/*.dtr")) {
+ my $func = do $codefile;
+ if (!$func) {
+ print STDERR "cannot compile $codefile: $!";
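Review bot: The `.dtr` files matched by the new `%%DATADIR%%/detectrotate/*.dtr` glob are executed as Perl via `do $codefile` on the next line, so anything able to write into that directory runs code as whatever user invokes logtail2 (normally the logcheck user from cron). The pkg-plist in this commit installs them mode 640 and the Makefile chgrp's DATADIR to the logcheck group, which stays read-only for that group as long as the directory itself remains root-owned and not group- or world-writable; a comment such as `# NOTE: these files are executed via do(); keep detectrotate/ writable by root only` above the loop would make that requirement explicit, especially since README.logtail invites admins to drop their own heuristics there. The enclosing determine_rotated_logfile sub continues outside the hunk.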
Modified: head/security/logcheck/pkg-plist
==============================================================================
--- head/security/logcheck/pkg-plist Sun Jul 30 15:31:55 2017 (r446937)
+++ head/security/logcheck/pkg-plist Sun Jul 30 15:47:59 2017 (r446938)
@@ -1,4 +1,7 @@
@mode 640
+%%DATADIR%%/detectrotate/10-savelog.dtr
+%%DATADIR%%/detectrotate/20-logrotate.dtr
+%%DATADIR%%/detectrotate/30-logrotate-dateext.dtr
%%ETCDIR%%/cracking.d/kernel
%%ETCDIR%%/cracking.d/rlogind
%%ETCDIR%%/cracking.d/rsh
@@ -131,6 +134,8 @@
%%ETCDIR%%/ignore.d.server/sudo
%%ETCDIR%%/ignore.d.server/sympa
%%ETCDIR%%/ignore.d.server/syslogd
+%%ETCDIR%%/ignore.d.server/systemd
+%%ETCDIR%%/ignore.d.server/systemd-timesyncd
%%ETCDIR%%/ignore.d.server/teapop
%%ETCDIR%%/ignore.d.server/telnetd
%%ETCDIR%%/ignore.d.server/tftpd
@@ -179,6 +184,8 @@
%%ETCDIR%%/ignore.d.workstation/wpasupplicant
%%ETCDIR%%/ignore.d.workstation/xdm
%%ETCDIR%%/ignore.d.workstation/xlockmore
+%%ETCDIR%%/logcheck.conf.sample
+%%ETCDIR%%/logcheck.logfiles.sample
%%ETCDIR%%/violations.d/kernel
%%ETCDIR%%/violations.d/logcheck
%%ETCDIR%%/violations.d/smartd
@@ -186,12 +193,9 @@
%%ETCDIR%%/violations.d/sudo
%%ETCDIR%%/violations.ignore.d/logcheck-su
%%ETCDIR%%/violations.ignore.d/logcheck-sudo
-%%ETCDIR%%/logcheck.conf.sample
-%%ETCDIR%%/logcheck.logfiles.sample
-%%DATADIR%%/detectrotate/10-savelog.dtr
-%%DATADIR%%/detectrotate/20-logrotate.dtr
-%%DATADIR%%/detectrotate/30-logrotate-dateext.dtr
@mode
+bin/logcheck-test
+man/man1/logcheck-test.1.gz
man/man8/logcheck.8.gz
man/man8/logtail.8.gz
man/man8/logtail2.8.gz