Index: head/security/logcheck/Makefile
===================================================================
--- head/security/logcheck/Makefile (revision 446937)
+++ head/security/logcheck/Makefile (revision 446938)
@@ -1,105 +1,104 @@
 # Created by: Dan Langille
 # $FreeBSD$
 PORTNAME= logcheck
-PORTVERSION= 1.3.17
+PORTVERSION= 1.3.18
 CATEGORIES= security
 MASTER_SITES= DEBIAN_POOL
 DISTNAME= ${PORTNAME}_${PORTVERSION}
 MAINTAINER= yasu@utahime.org
 COMMENT= Auditing tool for system logs on Unix boxes
 LICENSE= GPLv2
+LICENSE_FILE= ${WRKSRC}/LICENSE
+BUILD_DEPENDS= docbook-to-man>0:textproc/docbook-to-man
 RUN_DEPENDS= mime-construct:mail/mime-construct \
 lockfile:mail/procmail \
 bash:shells/bash
 LOGCHECK_USER= logcheck
 LOGCHECK_GROUP= ${LOGCHECK_USER}
 USERS= ${LOGCHECK_USER}
 GROUPS= ${LOGCHECK_GROUP}
 BASEDIR?= # None. portlint compliance
 DBDIR= ${BASEDIR}/var/db/${PORTNAME}
 RUNDIR= ${BASEDIR}/var/run/${PORTNAME}
 OPTIONS_DEFINE= CRON
 CRON_DESC= Install cron script automatically
 .if !defined(BATCH)
 OPTIONS_DEFAULT=CRON
 .endif
 # Enable Perl dependency for logtail script
 USES= perl5 shebangfix tar:xz
 WRKSRC= ${WRKDIR}/${DISTNAME:S!_!-!}
 BINMODE= 755
 SUB_LIST+= LOGCHECK_USER=${LOGCHECK_USER} \
 LOGCHECK_GROUP=${LOGCHECK_GROUP} \
- CRON=${PORT_OPTIONS:MCRON}
+ DBDIR=${DBDIR} CRON=${PORT_OPTIONS:MCRON}
 SUB_FILES= pkg-install pkg-deinstall pkg-message
 PLIST_SUB+= LOGCHECK_USER=${LOGCHECK_USER} \
 LOGCHECK_GROUP=${LOGCHECK_GROUP} \
 DBDIR=${DBDIR} RUNDIR=${RUNDIR}
-SHEBANG_FILES= src/logcheck src/logtail src/logtail2
+SHEBANG_FILES= src/logcheck src/logtail src/logtail2 src/detectrotate/*.dtr
 CONFIG_DIRS= cracking.d ignore.d.paranoid ignore.d.server \
 ignore.d.workstation violations.d violations.ignore.d
-DOCS= AUTHORS CHANGES CREDITS LICENSE TODO docs/README*
+DOCS= AUTHORS CHANGES CREDITS TODO docs/README*
 PORTDOCS= ${DOCS:T}
-MAN_FILES= logcheck.8 logtail.8 logtail2.8
+MAN1_FILES= logcheck-test.1
+MAN8_FILES= logcheck.8 logtail.8 logtail2.8
+REINPLACE_FILES= debian/logcheck.cron.d docs/logcheck.sgml \
+ docs/logtail2.8 docs/README.logcheck \
+ docs/README.logcheck-database docs/README.logtail \
+ etc/logcheck.conf src/logcheck src/logtail2
-PATCH_LIST= extra-patch-debian__logcheck.cron.d \
- extra-patch-docs__logcheck.8 \
- extra-patch-etc__logcheck.conf \
- extra-patch-src__logcheck \
- extra-patch-src__logtail2
-EXTRA_PATCHES= ${PATCH_LIST:C|^|${WRKDIR}/|g}
-
 .include
-pre-patch:
-.for patch in ${PATCH_LIST}
- @${SED} ${_SUB_LIST_TEMP} ${FILESDIR}/${patch}.in > ${WRKDIR}/${patch}
+do-build:
+.for file in ${REINPLACE_FILES}
+ ${REINPLACE_CMD} ${_SUB_LIST_TEMP} ${WRKSRC}/${file}
 .endfor
+ docbook-to-man ${WRKSRC}/docs/logcheck.sgml > ${WRKSRC}/docs/logcheck.8
+ ${FIND} ${WRKSRC} -type f \( -name \*.orig -o -name \*.bak \) -delete
-post-patch:
- @${FIND} ${WRKSRC}/rulefiles -type f -name \*.orig -delete
-
-do-build:
- @${REINPLACE_CMD} -e 's!/var/log/syslog!/var/log/messages!' \
- ${WRKSRC}/etc/logcheck.logfiles
-
 do-install:
 @${MKDIR} ${STAGEDIR}${DATADIR}/detectrotate \
 ${STAGEDIR}${DBDIR} \
 ${STAGEDIR}${DOCSDIR} \
 ${STAGEDIR}${ETCDIR} \
 ${STAGEDIR}${EXAMPLESDIR} \
 ${STAGEDIR}${RUNDIR}
+ ${INSTALL_SCRIPT} ${WRKSRC}/src/logcheck-test ${STAGEDIR}${PREFIX}/bin
 ${INSTALL_SCRIPT} ${WRKSRC}/src/logcheck ${STAGEDIR}${PREFIX}/sbin
 ${INSTALL_SCRIPT} ${WRKSRC}/src/logtail ${STAGEDIR}${PREFIX}/sbin
 ${INSTALL_SCRIPT} ${WRKSRC}/src/logtail2 ${STAGEDIR}${PREFIX}/sbin
 ${INSTALL_DATA} ${WRKSRC}/etc/logcheck.conf \
 ${STAGEDIR}${ETCDIR}/logcheck.conf.sample
 ${INSTALL_DATA} ${WRKSRC}/etc/logcheck.logfiles \
 ${STAGEDIR}${ETCDIR}/logcheck.logfiles.sample
 .for i in ${CONFIG_DIRS}
 @${MKDIR} ${STAGEDIR}${ETCDIR}/${i}
 ${INSTALL_DATA} ${WRKSRC}/rulefiles/linux/${i}/* \
 ${STAGEDIR}${ETCDIR}/${i}
 .endfor
 ${INSTALL_DATA} ${WRKSRC}/src/detectrotate/*.dtr \
 ${STAGEDIR}${DATADIR}/detectrotate
 ${INSTALL_DATA} ${WRKSRC}/debian/logcheck.cron.d \
 ${STAGEDIR}${EXAMPLESDIR}/crontab.in
 @${ECHO_CMD} '@exec ${CHGRP} -R ${LOGCHECK_GROUP} \
 ${ETCDIR:S|^${PREFIX}/|%D/|} \
 ${DATADIR:S|^${PREFIX}/|%D/|}' >> ${TMPPLIST}
-.for i in ${MAN_FILES}
+.for i in ${MAN1_FILES}
+ ${INSTALL_MAN} ${WRKSRC}/docs/$i ${STAGEDIR}${MAN1PREFIX}/man/man1
+.endfor
+.for i in ${MAN8_FILES}
 ${INSTALL_MAN} ${WRKSRC}/docs/$i ${STAGEDIR}${MAN8PREFIX}/man/man8
 .endfor
 cd ${WRKSRC} && ${INSTALL_DATA} ${DOCS} ${STAGEDIR}${DOCSDIR}
 .include
Index: head/security/logcheck/distinfo
===================================================================
--- head/security/logcheck/distinfo (revision 446937)
+++ head/security/logcheck/distinfo (revision 446938)
@@ -1,2 +1,3 @@
-SHA256 (logcheck_1.3.17.tar.xz) = c2d3fc323e8c6555e91d956385dbfd0f67b55872ed0f6a7ad8ad2526a9faf03a
-SIZE (logcheck_1.3.17.tar.xz) = 130956
+TIMESTAMP = 1499679623
+SHA256 (logcheck_1.3.18.tar.xz) = 077b9149ccd2b747b52785afa89da844f3d072c017c9e719925dec6acb9a9af4
+SIZE (logcheck_1.3.18.tar.xz) = 131252
Index: head/security/logcheck/files/extra-patch-etc__logcheck.conf.in
===================================================================
--- head/security/logcheck/files/extra-patch-etc__logcheck.conf.in (revision 446937)
+++ head/security/logcheck/files/extra-patch-etc__logcheck.conf.in (nonexistent)
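Review bot: The line closing do-build, `${FIND} ${WRKSRC} -type f \( -name \*.orig -o -name \*.bak \) -delete`, sweeps the whole work tree, whereas the removed post-patch only touched `rulefiles`; besides the `.bak` copies `${REINPLACE_CMD}` leaves beside the eight REINPLACE_FILES it would also remove any `.orig`/`.bak` file the upstream tarball happens to ship, which I cannot verify from here. Deleting exactly what the loop created is tighter: add `@${RM} ${WRKSRC}/${file}.bak` as a second line inside the same `.for file in ${REINPLACE_FILES}` loop and keep a narrower `.orig` sweep only if the patch stage still needs one. A related gap: the patched docs/logcheck.sgml documents `%%ETCDIR%%/logcheck.logfiles.d` as the directory of list files, but neither CONFIG_DIRS nor the ${MKDIR} list in do-install creates it, so either the man page or the install list is incomplete.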
@@ -1,17 +0,0 @@ ---- etc/logcheck.conf.orig 2010-04-15 01:15:34.000000000 +0900 -+++ etc/logcheck.conf 2010-05-12 14:22:13.000000000 +0900 -@@ -53,13 +53,7 @@ - # Controls the base directory for rules file location - # This must be an absolute path - --#RULEDIR="/etc/logcheck" -- --# Controls if syslog-summary is run over each section. --# Alternatively, set to "1" to enable extra summary. --# HINT: syslog-summary needs to be installed. -- --#SYSLOGSUMMARY=0 -+#RULEDIR="%%ETCDIR%%" - - # Controls Subject: lines on logcheck reports: - Property changes on: head/security/logcheck/files/extra-patch-etc__logcheck.conf.in ___________________________________________________________________ Deleted: fbsd:nokeywords ## -1 +0,0 ## -yes \ No newline at end of property Deleted: svn:eol-style ## -1 +0,0 ## -native \ No newline at end of property Deleted: svn:mime-type ## -1 +0,0 ## -text/plain \ No newline at end of property Index: head/security/logcheck/files/extra-patch-docs__logcheck.8.in =================================================================== --- head/security/logcheck/files/extra-patch-docs__logcheck.8.in (revision 446937) +++ head/security/logcheck/files/extra-patch-docs__logcheck.8.in (nonexistent) 
@@ -1,118 +0,0 @@ ---- docs/logcheck.8.orig 2009-12-15 15:03:22.000000000 -0500 -+++ docs/logcheck.8 2009-12-15 15:03:41.000000000 -0500 -@@ -0,0 +1,115 @@ -+.\" This manpage has been automatically generated by docbook2man -+.\" from a DocBook document. This tool can be found at: -+.\" -+.\" Please send any bug reports, improvements, comments, patches, -+.\" etc. to Steve Cheng . -+.TH "Logcheck" "8" "15 December 2009" "" "" -+ -+.SH NAME -+logcheck \- program to scan system logs for interesting lines -+.SH SYNOPSIS -+ -+\fBlogcheck\fR [ \fBOPTIONS\fR ] -+ -+.SH "DESCRIPTION" -+.PP -+The \fBlogcheck\fR program helps spot problems and -+security violations in your logfiles automatically and will send the -+results to you periodically in an e-mail. By default logcheck runs as -+an hourly cronjob just off the hour and after every reboot. -+.PP -+\fBlogcheck\fR supports three level of filtering: -+"paranoid" is for high-security machines running as few services -+as possible. Don't use it if you can't handle its verbose messages. -+"server" is the default and contains rules for many different daemons. -+"workstation" is for sheltered machines and filters most of the messages. -+The ignore rules work in additive manner. "paranoid" rules are also -+included at level "server" and "workstation". -+.PP -+The messages reported are sorted into three layers, system events, -+security events and attack alerts. The verbosity of system events is -+controlled by which level you choose, paranoid, server or workstation. -+However, security events and attack alerts are not affected by this. -+.SH "EXAMPLES" -+.PP -+\fBlogcheck\fR can be invoked directly thanks -+to su(8) or sudo(8), which change the user ID. The following example checks the logfiles -+without updating the offset and outputs everything to STDOUT. -+.PP -+sudo -u logcheck \fBlogcheck\fR -o -t -+.SH "OPTIONS" -+.PP -+A summary of options is included below. -+.TP -+\fB-c CFG \fR -+Overrule default configuration file. 
-+.TP -+\fB-d \fR -+Debug mode. -+.TP -+\fB-h \fR -+Show usage information. -+.TP -+\fB-H \fR -+Use this hostname string in the subject of logcheck mail. -+.TP -+\fB-l LOG \fR -+Run logfile through logcheck. -+.TP -+\fB-L CFG \fR -+Overrule default logfiles list. -+.TP -+\fB-m \fR -+Mail report to recipient. -+.TP -+\fB-o \fR -+STDOUT mode, not sending mail. -+.TP -+\fB-p \fR -+Set the report level to "paranoid". -+.TP -+\fB-r DIR \fR -+Overrule default rules directory. -+.TP -+\fB-R \fR -+Adds "Reboot:" to the email subject line. -+.TP -+\fB-s \fR -+Set the report level to "server". -+.TP -+\fB-S DIR \fR -+Overrule default state directory. -+.TP -+\fB-t \fR -+Testing mode does not update offset. -+.TP -+\fB-T \fR -+Do not remove the TMPDIR. -+.TP -+\fB-u \fR -+Enable syslog-summary. -+.TP -+\fB-v \fR -+Print current version. -+.TP -+\fB-w \fR -+Set the report level to "workstation". -+.SH "FILES" -+.PP -+%%ETCDIR%%/logcheck.conf is the main configuration file. -+.PP -+%%ETCDIR%%/logcheck.logfiles is the list of files to monitor. -+.PP -+%%DOCSDIR%%/README.logcheck-database for hints on how to write, test and maintain rules. -+.SH "EXIT STATUS" -+.PP -+0 upon success; 1 upon failure -+.SH "SEE ALSO" -+.PP -+\fBlogtail\fR(8) -+.SH "AUTHOR" -+.PP -+logcheck is developed by Debian logcheck Team at alioth: -+http://alioth.debian.org/projects/logcheck/. -+.PP -+This manual page was written by Jon Middleton. 
Property changes on: head/security/logcheck/files/extra-patch-docs__logcheck.8.in ___________________________________________________________________ Deleted: fbsd:nokeywords ## -1 +0,0 ## -yes \ No newline at end of property Deleted: svn:eol-style ## -1 +0,0 ## -native \ No newline at end of property Deleted: svn:mime-type ## -1 +0,0 ## -text/plain \ No newline at end of property Index: head/security/logcheck/files/extra-patch-src__logtail2.in =================================================================== --- head/security/logcheck/files/extra-patch-src__logtail2.in (revision 446937) +++ head/security/logcheck/files/extra-patch-src__logtail2.in (nonexistent) @@ -1,11 +0,0 @@ ---- src/logtail2.orig 2010-01-18 17:24:26.000000000 -0500 -+++ src/logtail2 2010-01-18 17:24:40.000000000 -0500 -@@ -108,7 +108,7 @@ - # function with dateext magic added. - - #print "determine_rotated_logfile $filename $inode\n"; -- for my $codefile (glob("/usr/share/logtail/detectrotate/*.dtr")) { -+ for my $codefile (glob("%%DATADIR%%/detectrotate/*.dtr")) { - my $func = do $codefile; - if (!$func) { - print STDERR "cannot compile $codefile: $!"; Property changes on: head/security/logcheck/files/extra-patch-src__logtail2.in ___________________________________________________________________ Deleted: fbsd:nokeywords ## -1 +0,0 ## -yes \ No newline at end of property Deleted: svn:eol-style ## -1 +0,0 ## -native \ No newline at end of property Deleted: svn:mime-type ## -1 +0,0 ## -text/plain \ No newline at end of property Index: head/security/logcheck/files/extra-patch-debian__logcheck.cron.d.in =================================================================== --- head/security/logcheck/files/extra-patch-debian__logcheck.cron.d.in (revision 446937) +++ head/security/logcheck/files/extra-patch-debian__logcheck.cron.d.in (nonexistent) 
@@ -1,16 +0,0 @@ ---- ./debian/logcheck.cron.d.orig 2006-08-06 19:10:49.000000000 -0400 -+++ ./debian/logcheck.cron.d 2008-09-06 19:11:28.000000000 -0400 -@@ -1,9 +1,5 @@ --# /etc/cron.d/logcheck: crontab entries for the logcheck package -- --PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin -+# crontab entries for the logcheck package -+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin - MAILTO=root -- --@reboot logcheck if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck -R; fi --2 * * * * logcheck if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck; fi -- --# EOF -+@reboot if [ -x %%PREFIX%%/sbin/logcheck ]; then nice -n10 %%PREFIX%%/sbin/logcheck -R; fi -+2 * * * * if [ -x %%PREFIX%%/sbin/logcheck ]; then nice -n10 %%PREFIX%%/sbin/logcheck; fi Property changes on: head/security/logcheck/files/extra-patch-debian__logcheck.cron.d.in ___________________________________________________________________ Deleted: fbsd:nokeywords ## -1 +0,0 ## -yes \ No newline at end of property Deleted: svn:eol-style ## -1 +0,0 ## -native \ No newline at end of property Deleted: svn:mime-type ## -1 +0,0 ## -text/plain \ No newline at end of property Index: head/security/logcheck/files/extra-patch-src__logcheck.in =================================================================== --- head/security/logcheck/files/extra-patch-src__logcheck.in (revision 446937) +++ head/security/logcheck/files/extra-patch-src__logcheck.in (nonexistent) 
@@ -1,151 +0,0 @@ ---- src/logcheck.orig 2010-07-07 15:59:57.000000000 -0400 -+++ src/logcheck 2010-07-07 16:19:33.000000000 -0400 -@@ -24,17 +24,10 @@ - - if [ `id -u` = 0 ]; then - echo "logcheck should not be run as root. Use su to invoke logcheck:" -- echo "su -s /bin/bash -c \"/usr/sbin/logcheck${@:+ $@}\" logcheck" -+ echo "su -m %%LOGCHECK_USER%% -c \"%%LOCALBASE%%/bin/bash %%PREFIX%%/sbin/logcheck${@:+ $@}\"" - echo "Or use sudo: sudo -u logcheck logcheck${@:+ $@}." - # you may want to uncomment that hack to let logcheck invoke itself. -- # su -s /bin/bash -c "$0 $*" logcheck -- exit 1 --fi -- --if [ ! -f /usr/bin/lockfile-create -o \ -- ! -f /usr/bin/lockfile-remove -o \ -- ! -f /usr/bin/lockfile-touch ]; then -- echo "fatal: lockfile-progs is a prerequisite for logcheck, and was not found." -+ # su -s %%LOCALBASE%%/bin/bash -c "$0 $*" logcheck - exit 1 - fi - -@@ -69,12 +62,12 @@ - ADDTAG="no" - - # Set the default paths --RULEDIR="/etc/logcheck" --CONFFILE="/etc/logcheck/logcheck.conf" --STATEDIR="/var/lib/logcheck" --LOGFILES_LIST="/etc/logcheck/logcheck.logfiles" --LOGFILE_FALLBACK="/var/log/syslog" --LOGTAIL="/usr/sbin/logtail2" -+RULEDIR="%%ETCDIR%%" -+CONFFILE="%%ETCDIR%%/logcheck.conf" -+STATEDIR="/var/db/logcheck" -+LOGFILES_LIST="%%ETCDIR%%/logcheck.logfiles" -+LOGFILE_FALLBACK="/var/log/messages" -+LOGTAIL="%%PREFIX%%/sbin/logtail2" - CAT="/bin/cat" - SYSLOG_SUMMARY="/usr/bin/syslog-summary" - -@@ -89,20 +82,15 @@ - SORTUNIQ=0 - SUPPORT_CRACKING_IGNORE=0 - SYSLOGSUMMARY=0 --LOCKDIR=/run/lock/logcheck -+LOCKDIR=/var/run/logcheck - LOCKFILE="$LOCKDIR/logcheck" - - # Carry out the clean up tasks - cleanup() { - -- if [ -n "$LOCK" ]; then -- debug "cleanup: Killing lockfile-touch - $LOCK" -- kill "$LOCK" && unset LOCK -- fi -- -- if [ -f "$LOCKFILE.lock" ]; then -- debug "cleanup: Removing lockfile: $LOCKFILE.lock" -- lockfile-remove "$LOCKFILE" -+ if [ -f "$LOCKFILE" ]; then -+ debug "cleanup: Removing lockfile: $LOCKFILE" -+ rm -f "$LOCKFILE" - fi 
- - if [ -d "$TMPDIR" ]; then -@@ -144,14 +132,9 @@ - if [ "$2" = "noclean" ]; then - debug "error: Not removing lockfile" - else -- if [ -n "$LOCK" ]; then -- debug "error: Killing lockfile-touch - $LOCK" -- kill "$LOCK" && unset LOCK -- fi -- -- if [ -f "$LOCKFILE.lock" ]; then -- debug "error: Removing lockfile: $LOCKFILE.lock" -- lockfile-remove "$LOCKFILE" -+ if [ -f "$LOCKFILE" ]; then -+ debug "error: Removing lockfile: $LOCKFILE" -+ rm -f "$LOCKFILE" - fi - - fi -@@ -170,7 +153,7 @@ - ${TMPDIR:+Check temporary directory: $TMPDIR - } - Also verify that the logcheck user can read all files referenced in --/etc/logcheck/logcheck.logfiles! -+%%ETCDIR%%/logcheck.logfiles! - - $(export) - EOF -@@ -215,7 +198,7 @@ - mkdir "$cleaned" \ - || error "Could not make dir $cleaned for cleaned rulefiles." - fi -- for rulefile in $(run-parts --list "$dir"); do -+ for rulefile in $(ls -1R "$dir"); do - rulefile="$(basename "$rulefile")" - if [ -f "${dir}/${rulefile}" ]; then - debug "cleanrules: ${dir}/${rulefile}" -@@ -529,9 +512,9 @@ - - # Hostname either fully qualified or not. - if [ "$FQDN" -eq 1 ]; then -- HOSTNAME="$(hostname --fqdn 2>/dev/null)" -+ HOSTNAME="$(hostname -f 2>/dev/null)" - else -- HOSTNAME="$(hostname --short 2>/dev/null)" -+ HOSTNAME="$(hostname -s 2>/dev/null)" - fi - - # Now check for the other options -@@ -610,30 +593,25 @@ - - trap 'cleanup' 0 - --debug "Trying to get lockfile: $LOCKFILE.lock" -+debug "Trying to get lockfile: $LOCKFILE" - if [ ! -d "$LOCKDIR" ]; then - mkdir -m 0755 "$LOCKDIR" - fi --lockfile-create --retry 1 "$LOCKFILE" > /dev/null 2>&1 -+lockfile -r 1 "$LOCKFILE" > /dev/null 2>&1 - - - if [ $? 
-eq 1 ]; then - trap 0 -- if [ -e "${LOCKFILE}.lock" ]; then -+ if [ -e "${LOCKFILE}" ]; then - error "Another logcheck process is still running" "noclean" - else -- error "Failed to get lockfile: $LOCKFILE.lock" "noclean" -+ error "Failed to get lockfile: $LOCKFILE" "noclean" - fi -- --else -- debug "Running lockfile-touch $LOCKFILE.lock" -- lockfile-touch "$LOCKFILE" & -- LOCK="$!" - fi - - # Create the secure temporary directory or exit --TMPDIR="$(mktemp -d -p "${TMP:-/tmp}" logcheck.XXXXXX)" \ -- || TMPDIR="$(mktemp -d -p /var/tmp logcheck.XXXXXX)" \ -+TMPDIR="$(mktemp -d ${TMP:-/tmp}/logcheck.XXXXXX)" \ -+ || TMPDIR="$(mktemp -d /var/tmp/logcheck.XXXXXX)" \ - || error "Could not create temporary directory" - - # Now clean the rulefiles in the directories Property changes on: head/security/logcheck/files/extra-patch-src__logcheck.in ___________________________________________________________________ Deleted: fbsd:nokeywords ## -1 +0,0 ## -yes \ No newline at end of property Deleted: svn:eol-style ## -1 +0,0 ## -native \ No newline at end of property Deleted: svn:mime-type ## -1 +0,0 ## -text/plain \ No newline at end of property Index: head/security/logcheck/files/patch-debian_logcheck.cron.d =================================================================== --- head/security/logcheck/files/patch-debian_logcheck.cron.d (nonexistent) +++ head/security/logcheck/files/patch-debian_logcheck.cron.d (revision 446938) 
@@ -0,0 +1,16 @@
+--- debian/logcheck.cron.d.orig 2017-01-25 21:08:04 UTC
++++ debian/logcheck.cron.d
+@@ -1,9 +1,5 @@
+-# /etc/cron.d/logcheck: crontab entries for the logcheck package
+-
+-PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
++# crontab entries for the logcheck package
++PATH=/sbin:/bin:/usr/sbin:/usr/bin:%%PREFIX%%/sbin:%%PREFIX%%/bin
+ MAILTO=root
+-
+-@reboot logcheck if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck -R; fi
+-2 * * * * logcheck if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck; fi
+-
+-# EOF
++@reboot if [ -x %%PREFIX%%/sbin/logcheck ]; then nice -n10 %%PREFIX%%/sbin/logcheck -R; fi
++2 * * * * if [ -x %%PREFIX%%/sbin/logcheck ]; then nice -n10 %%PREFIX%%/sbin/logcheck; fi
Property changes on: head/security/logcheck/files/patch-debian_logcheck.cron.d ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property
Index: head/security/logcheck/files/patch-docs_README.logcheck
===================================================================
--- head/security/logcheck/files/patch-docs_README.logcheck (nonexistent)
+++ head/security/logcheck/files/patch-docs_README.logcheck (revision 446938)
@@ -0,0 +1,16 @@
+--- docs/README.logcheck.orig 2017-01-25 21:08:04 UTC
++++ docs/README.logcheck
+@@ -17,11 +17,11 @@ don't start overlapping.
+ ======================================================================
+ LOG ENTRIES
+ -----------
+-These are taken from a specified set of logfiles (usually syslog and
++These are taken from a specified set of logfiles (usually messages and
+ auth.log); a special Perl utility named "logtail" is used which
+ "bookmarks" its place in the logs, so that events aren't reported
+ twice in successive logcheck runs. The offset records are stored as
+-(eg) "/var/lib/logcheck/offset.var.log.syslog"; lines to be
++(eg) "%%DBDIR%%/offset.var.log.messages"; lines to be
+ considered by logcheck are copied into tempfiles in the working
+ directory "/var/tmp/logcheck". See the corresponding README for
+ logtail for further notes on complications such as log-rotation.
Property changes on: head/security/logcheck/files/patch-docs_README.logcheck ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property
Index: head/security/logcheck/files/patch-docs_README.logcheck-database
===================================================================
--- head/security/logcheck/files/patch-docs_README.logcheck-database (nonexistent)
+++ head/security/logcheck/files/patch-docs_README.logcheck-database (revision 446938)
@@ -0,0 +1,105 @@ +--- docs/README.logcheck-database.orig 2017-01-25 21:08:04 UTC ++++ docs/README.logcheck-database +@@ -15,7 +15,7 @@ normal egrep pattern-matches, applied in + 1. the "SECURITY ALERTS" layer, designed to detect the traces of active + intrusion attempts. + +- Patterns raising the alarm go in "/etc/logcheck/cracking.d"; any ++ Patterns raising the alarm go in "%%ETCDIR%%/cracking.d"; any + event that matches one of these patterns turns the report + into an urgent "Security Alerts" report, with the relevant + event moved to a special section. The cracking.d standard +@@ -26,7 +26,7 @@ normal egrep pattern-matches, applied in + the default logcheck configuration, but if the local + administrator enables this layer of filtering in + logcheck.conf, then the rules go in the directory +- "/etc/logcheck/cracking.ignore.d". Matches with ++ "%%ETCDIR%%/cracking.ignore.d". Matches with + cracking.ignore rules will then reclassify the alert as a + false alarm (compare violations.ignore below). Note that + this means they are totally ignored - log messages handled +@@ -35,12 +35,12 @@ normal egrep pattern-matches, applied in + 2. the "SECURITY EVENTS" layer, designed to detect less critical + events still considered worthy of special attention. + +- Patterns raising the alarm go in "/etc/logcheck/violations.d"; ++ Patterns raising the alarm go in "%%ETCDIR%%/violations.d"; + matches with these result in a "Security Events" alert, + with the relevant event moved to a special section. + + Patterns cancelling such alarms go in the standard directory +- "/etc/logcheck/violations.ignore.d"; apparent "Security ++ "%%ETCDIR%%/violations.ignore.d"; apparent "Security + Events" that match with violations.ignore patterns are + discarded as false alarms. + +@@ -51,7 +51,7 @@ normal egrep pattern-matches, applied in + from the logfiles are considered for inclusion in the main + "System Events" section. 
+ +- Patterns in the three "/etc/logcheck/ignore.d.*" directories ++ Patterns in the three "%%ETCDIR%%/ignore.d.*" directories + again function to overrule alerts; the log messages that + match them are excluded from the report as trivial. The + specific directories consulted depend on the prevailing +@@ -78,13 +78,13 @@ underscore, and hyphen. + Contains filters relevant to only one Debian package - for example + if "fooserver" logs suspicious events like this: + "$DATE $HOSTNAME fooserver[$PID]: $USER is up to no good" +-then a line in "/etc/logcheck/violations.d/fooserver" with an ++then a line in "%%ETCDIR%%/violations.d/fooserver" with an + appropriate pattern will promote it from a mere "System Event" + to a full "Security Event" in a subsection of the mailing headed + "fooserver". Or then again if that kind of log message is more + trivial than it looks (maybe "foo" is a networked game of + spy-and-counterspy) then a line in +-"/etc/logcheck/ignore.d.server/fooserver" will turn it into a ++"%%ETCDIR%%/ignore.d.server/fooserver" will turn it into a + nonevent for all but the most assiduous of administrators. + + Sometimes a package will have not only special alarm calls which +@@ -107,7 +107,7 @@ that need to be processed. + + Standard "generic" rules go in each directory's "./logcheck" file; + thus for instance any log message at all matching "ATTACK" +-(listed in "/etc/logcheck/cracking.d/logcheck") _always_ triggers ++(listed in "%%ETCDIR%%/cracking.d/logcheck") _always_ triggers + a "Security Alert", unless you deliberately tamper with + "cracking.ignore.d" rules. + +@@ -122,12 +122,12 @@ non-package-specific "flagging" patterns + "fooserver" outputs syslog messages like this: + "$DATE $HOSTNAME fooserver[$PID]: 3 attempts 0 rejected" + then the standard keyword "reject" listed in the generic +-"/etc/logcheck/violations.d/logcheck" file will trigger frequent ++"%%ETCDIR%%/violations.d/logcheck" file will trigger frequent + "Security Events" reports. 
Putting a filtering pattern in +-"/etc/logcheck/violations.ignore.d/fooserver" won't help here! ++"%%ETCDIR%%/violations.ignore.d/fooserver" won't help here! + The solution is to use a file named in the specially-privileged + ./logcheck- format: +-"/etc/logcheck/violations.ignore.d/logcheck-fooserver". ++"%%ETCDIR%%/violations.ignore.d/logcheck-fooserver". + This can contain patterns provided by that particular package + which nonetheless need to take precedence over the generic rules. + +@@ -137,8 +137,8 @@ Sysadmins can use the "local-*" filename + additions to the "logcheck-*" pattern lists. If you have "ippl" + logging network connections verbosely into syslog then you can put + custom "Security Events" keywords in +-"/etc/logcheck/violations.d/local-ippl" and exceptions in +-"/etc/logcheck/violations.ignore.d/local-ippl". ++"%%ETCDIR%%/violations.d/local-ippl" and exceptions in ++"%%ETCDIR%%/violations.ignore.d/local-ippl". + + + WRITING RULES +@@ -181,7 +181,7 @@ logcheck-test(1)). + Alternatively you can manually grep your log file, and remove trailing + space with something like this: + +- sed -e 's/[[:space:]]*$//' /var/log/syslog | egrep \ ++ sed -e 's/[[:space:]]*$//' /var/log/messages | egrep \ + '^\w{3} [ :0-9]{11} oempc wwwoffled\[[0-9]+\]: WWWOFFLE (On|Off)line\.$' + + If the log line is displayed, then your regex works. 
Property changes on: head/security/logcheck/files/patch-docs_README.logcheck-database ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property
Index: head/security/logcheck/files/patch-docs_README.logtail
===================================================================
--- head/security/logcheck/files/patch-docs_README.logtail (nonexistent)
+++ head/security/logcheck/files/patch-docs_README.logtail (revision 446938)
@@ -0,0 +1,11 @@
+--- docs/README.logtail.orig 2017-01-25 21:08:04 UTC
++++ docs/README.logtail
+@@ -28,7 +28,7 @@ Logtail2, a different executeable, also
+ guessing a file name that might have been the target of log rotation
+ and printing that file's contents starting with the stored offset. If
+ you have a non-standard rotation scheme, you can drop your own
+-heuristic into /usr/share/logtail/detectrotate/ and have it
++heuristic into %%DATADIR%%/detectrotate/ and have it
+ automatically picked up by logtail2.
+ ======================================================================
+ COMMANDLINE ARGUMENTS
Property changes on: head/security/logcheck/files/patch-docs_README.logtail ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property
Index: head/security/logcheck/files/patch-docs_logcheck-test.1
===================================================================
--- head/security/logcheck/files/patch-docs_logcheck-test.1 (nonexistent)
+++ head/security/logcheck/files/patch-docs_logcheck-test.1 (revision 446938)
@@ -0,0 +1,26 @@
+--- docs/logcheck-test.1.orig 2017-01-25 21:08:04 UTC
++++ docs/logcheck-test.1
+@@ -38,8 +38,8 @@ Show usage information
+ .B \-a, \-\-auth.log
+ Parse /var/log/auth.log for matching lines
+ .TP
+-.B \-s, \-\-syslog
+-Parse /var/log/syslog for matching lines
++.B \-m, \-\-messages
++Parse /var/log/messages for matching lines
+ .TP
+ .B \-l, \-\-log\-file FILE
+ Parse FILE for matching lines
+@@ -69,10 +69,10 @@ With
+ .B logcheck-test
+ you can easily write and test new rules.
+ .PP
+-Test a single rule against /var/log/syslog:
++Test a single rule against /var/log/messages:
+ .RS
+ .fam C
+-logcheck-test \-s "RULE"
++logcheck-test \-m "RULE"
+ .fam T
+ .RE
+ 
Property changes on: head/security/logcheck/files/patch-docs_logcheck-test.1 ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property
Index: head/security/logcheck/files/patch-docs_logcheck.sgml
===================================================================
--- head/security/logcheck/files/patch-docs_logcheck.sgml (nonexistent)
+++ head/security/logcheck/files/patch-docs_logcheck.sgml (revision 446938)
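Review bot: The man page now advertises a `-m, --messages` option and the example `logcheck-test \-m "RULE"`, yet nothing in this commit changes src/logcheck-test itself: the Makefile installs `${WRKSRC}/src/logcheck-test` untouched, it is not listed in REINPLACE_FILES, and no files/patch-src_logcheck-test appears in the diff. Unless such a patch already exists in the port, the installed script still only knows the `-s`/`--syslog` form this hunk removes from the documentation, and the documented invocation fails on a fresh install. Either add a matching patch to the script's option parsing, or keep the option name and change only the path it reads so the man page and the tool agree.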
@@ -0,0 +1,17 @@
+--- docs/logcheck.sgml.orig 2017-01-25 21:08:04 UTC
++++ docs/logcheck.sgml
+@@ -244,10 +244,10 @@ manpage.1: manpage.sgml
+ 
+ FILES
+ 
+- /etc/logcheck/logcheck.conf is the main configuration file.
+- /etc/logcheck/logcheck.logfiles is the list of files to monitor.
+- /etc/logcheck/logcheck.logfiles.d is the directory of lists of files to monitor.
+- /usr/share/doc/logcheck-database/README.logcheck-database.gz for hints on how to write, test and maintain rules.
++ %%ETCDIR%%/logcheck.conf is the main configuration file.
++ %%ETCDIR%%/logcheck.logfiles is the list of files to monitor.
++ %%ETCDIR%%/logcheck.logfiles.d is the directory of lists of files to monitor.
++ %%DOCSDIR%%/README.logcheck-database for hints on how to write, test and maintain rules.
+ 
+ 
+ EXIT STATUS
Property changes on: head/security/logcheck/files/patch-docs_logcheck.sgml ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property
Index: head/security/logcheck/files/patch-docs_logtail2.8
===================================================================
--- head/security/logcheck/files/patch-docs_logtail2.8 (nonexistent)
+++ head/security/logcheck/files/patch-docs_logtail2.8 (revision 446938)
@@ -0,0 +1,11 @@
+--- docs/logtail2.8.orig 2017-01-25 21:08:04 UTC
++++ docs/logtail2.8
+@@ -38,7 +38,7 @@ is not empty, the inode of
+ is checked. If the inode is changed,
+ .B logtail2
+ uses the heuristics stored in
+-.I /usr/share/logtail/detectrotate/
++.I %%DATADIR%%/detectrotate/
+ to find a file that might be the rotated
+ .I logfile
+ and prints it starting with the stored offset. It then proceeds to
Property changes on: head/security/logcheck/files/patch-docs_logtail2.8 ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property
Index: head/security/logcheck/files/patch-etc_logcheck.conf
===================================================================
--- head/security/logcheck/files/patch-etc_logcheck.conf (nonexistent)
+++ head/security/logcheck/files/patch-etc_logcheck.conf (revision 446938)
@@ -0,0 +1,37 @@
+--- etc/logcheck.conf.orig 2017-01-25 21:08:04 UTC
++++ etc/logcheck.conf
+@@ -9,7 +9,7 @@
+ # Controls the presence of boilerplate at the top of each message:
+ # Alternatively, set to "0" to disable the introduction.
+ #
+-# If the files /etc/logcheck/header.txt and /etc/logcheck/footer.txt
++# If the files %%ETCDIR%%/header.txt and %%ETCDIR%%/footer.txt
+ # are present their contents will be read and used as the header and
+ # footer of any generated mails.
+ 
+@@ -44,8 +44,8 @@ FQDN=1
+ 
+ #SORTUNIQ=0
+ 
+-# Controls whether /etc/logcheck/cracking.ignore.d is scanned for
+-# exceptions to the rules in /etc/logcheck/cracking.d:
++# Controls whether %%ETCDIR%%/cracking.ignore.d is scanned for
++# exceptions to the rules in %%ETCDIR%%/cracking.d:
+ # Alternatively, set to "1" to enable cracking.ignore support
+ 
+ #SUPPORT_CRACKING_IGNORE=0
+@@ -53,13 +53,7 @@ FQDN=1
+ # Controls the base directory for rules file location
+ # This must be an absolute path
+ 
+-#RULEDIR="/etc/logcheck"
+-
+-# Controls if syslog-summary is run over each section.
+-# Alternatively, set to "1" to enable extra summary.
+-# HINT: syslog-summary needs to be installed.
+-
+-#SYSLOGSUMMARY=0
++#RULEDIR="%%ETCDIR%%"
+ 
+ # Controls Subject: lines on logcheck reports:
+ 
Property changes on: head/security/logcheck/files/patch-etc_logcheck.conf
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: head/security/logcheck/files/patch-etc_logcheck.logfiles
===================================================================
--- head/security/logcheck/files/patch-etc_logcheck.logfiles (nonexistent)
+++ head/security/logcheck/files/patch-etc_logcheck.logfiles (revision 446938)
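Review bot: The nested `@@ -53,13 +53,7 @@` hunk drops the comment block documenting `SYSLOGSUMMARY` together with the `#RULEDIR` line, while the patched script added by this same commit (patch-src_logcheck) still carries the defaults `SYSLOGSUMMARY=0` and `SYSLOG_SUMMARY="/usr/bin/syslog-summary"`, so the knob appears to remain honoured but is no longer documented to the administrator. If the intent is that syslog-summary is unsupported in this port, say so in place of the removed block, e.g. `+# SYSLOGSUMMARY is not supported by this port (syslog-summary is not packaged)`; otherwise keep the original four comment lines and `#SYSLOGSUMMARY=0` and only retarget the path. Whether the script actually invokes `$SYSLOG_SUMMARY` when the flag is set is not visible in this diff, so confirm before choosing.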
@@ -0,0 +1,8 @@
+--- etc/logcheck.logfiles.orig 2017-01-25 21:08:04 UTC
++++ etc/logcheck.logfiles
+@@ -1,4 +1,4 @@
+ # these files will be checked by logcheck
+ # This has been tuned towards a default syslog install
+-/var/log/syslog
+ /var/log/auth.log
++/var/log/messages
Property changes on: head/security/logcheck/files/patch-etc_logcheck.logfiles
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: head/security/logcheck/files/patch-rulefiles__linux__ignore.d.server__ssh
===================================================================
--- head/security/logcheck/files/patch-rulefiles__linux__ignore.d.server__ssh (revision 446937)
+++ head/security/logcheck/files/patch-rulefiles__linux__ignore.d.server__ssh (revision 446938)
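Review bot: The default list now names `/var/log/auth.log` and `/var/log/messages`, but the patched script in this commit refuses to run as root and tells the admin to `su -m logcheck`, so the unprivileged logcheck user must be able to read both files, and nothing in the file says so. On a stock FreeBSD install auth.log is, as far as I recall, created without world-read permission by newsyslog, in which case every scheduled run would end in the script's "verify that the logcheck user can read all files" error; a note in the file would save that surprise, e.g. `# NOTE: the logcheck user must be able to read every file listed here (see newsyslog.conf modes)`. Whether the port's pkg-install or pkg-message already handles the permissions is not visible in this diff.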
@@ -1,13 +1,13 @@
---- ./rulefiles/linux/ignore.d.server/ssh.orig 2010-09-03 04:24:30.000000000 -0400
-+++ ./rulefiles/linux/ignore.d.server/ssh 2011-11-23 14:25:31.000000000 -0500
-@@ -21,8 +21,8 @@
+--- rulefiles/linux/ignore.d.server/ssh.orig 2017-01-25 21:08:04 UTC
++++ rulefiles/linux/ignore.d.server/ssh
+@@ -27,8 +27,8 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: \(pam_unix\) check pass; user unknown$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: \(pam_unix\) bad username \[[^]]+\]$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: Could not get shadow information for NOUSER$
 -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: PAM: Authentication failure for( illegal user)? [^[:space:]]+ from ([:.[:xdigit:]]+|UNKNOWN|[-_.[:alnum:]]+)$
 -^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: PAM: User not known to the underlying authentication module for i(llegal|nvalid) user [^[:space:]]+ from ([:.[:xdigit:]]+|UNKNOWN|[-_.[:alnum:]]+)$
 +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: PAM: authentication error for( illegal user)? [^[:space:]]+ from ([:.[:xdigit:]]+|UNKNOWN|[-_.[:alnum:]]+)$
 +^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: PAM: unknown user for i(llegal|nvalid) user [^[:space:]]+ from ([:.[:xdigit:]]+|UNKNOWN|[-_.[:alnum:]]+)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: ssh_msg_send: write$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Timeout before authentication for [:[:alnum:].]+$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Write failed: (Connection (timed out|reset by peer)|Broken pipe)$
Index: head/security/logcheck/files/patch-src_logcheck
===================================================================
--- head/security/logcheck/files/patch-src_logcheck (nonexistent)
+++ head/security/logcheck/files/patch-src_logcheck (revision 446938)
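Review bot: The two replacement patterns in the nested `@@ -27,8 +27,8 @@` hunk match sshd's `PAM: authentication error` and `PAM: unknown user` lines — failed logins — and file them under ignore.d.server, and nothing in the rulefile records why silencing those from the System Events section is acceptable. The change itself only retargets the wording the Debian-side lines already matched, so it is not a new policy, but a rationale at the top of the rulefile would help anyone auditing the port's filters, e.g. `# failed-login lines below are ignored here only because violations.d reports them first`. Whether the default violations.d rules in fact catch these messages is not visible in this diff, so verify that before writing the comment; the rest of the rulefile lies outside the hunk.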
@@ -0,0 +1,153 @@ +--- src/logcheck.orig 2017-07-11 17:32:13 UTC ++++ src/logcheck +@@ -24,17 +24,10 @@ + + if [ `id -u` = 0 ]; then + echo "logcheck should not be run as root. Use su to invoke logcheck:" +- echo "su -s /bin/bash -c \"/usr/sbin/logcheck${@:+ $@}\" logcheck" ++ echo "su -m %%LOGCHECK_USER%% -c \"%%LOCALBASE%%/bin/bash %%PREFIX%%/sbin/logcheck${@:+ $@}\"" + echo "Or use sudo: sudo -u logcheck logcheck${@:+ $@}." + # you may want to uncomment that hack to let logcheck invoke itself. +- # su -s /bin/bash -c "$0 $*" logcheck +- exit 1 +-fi +- +-if [ ! -f /usr/bin/lockfile-create -o \ +- ! -f /usr/bin/lockfile-remove -o \ +- ! -f /usr/bin/lockfile-touch ]; then +- echo "fatal: lockfile-progs is a prerequisite for logcheck, and was not found." ++ # su -s %%LOCALBASE%%/bin/bash -c "$0 $*" logcheck + exit 1 + fi + +@@ -69,13 +62,13 @@ EVENTSSUBJECT="System Events" + ADDTAG="no" + + # Set the default paths +-RULEDIR="/etc/logcheck" +-CONFFILE="/etc/logcheck/logcheck.conf" +-STATEDIR="/var/lib/logcheck" +-LOGFILES_LIST="/etc/logcheck/logcheck.logfiles" +-LOGFILES_LIST_D="/etc/logcheck/logcheck.logfiles.d" +-LOGFILE_FALLBACK="/var/log/syslog" +-LOGTAIL="/usr/sbin/logtail2" ++RULEDIR="%%ETCDIR%%" ++CONFFILE="%%ETCDIR%%/logcheck.conf" ++STATEDIR="%%DBDIR%%" ++LOGFILES_LIST="%%ETCDIR%%/logcheck.logfiles" ++LOGFILES_LIST_D="%%ETCDIR%%/logcheck.logfiles.d" ++LOGFILE_FALLBACK="/var/log/messages" ++LOGTAIL="%%PREFIX%%/sbin/logtail2" + CAT="/bin/cat" + SYSLOG_SUMMARY="/usr/bin/syslog-summary" + +@@ -90,20 +83,15 @@ FQDN=0 + SORTUNIQ=0 + SUPPORT_CRACKING_IGNORE=0 + SYSLOGSUMMARY=0 +-LOCKDIR=/run/lock/logcheck ++LOCKDIR=/var/run/logcheck + LOCKFILE="$LOCKDIR/logcheck" + + # Carry out the clean up tasks + cleanup() { + +- if [ -n "$LOCK" ]; then +- debug "cleanup: Killing lockfile-touch - $LOCK" +- kill "$LOCK" && unset LOCK +- fi +- +- if [ -f "$LOCKFILE.lock" ]; then +- debug "cleanup: Removing lockfile: $LOCKFILE.lock" +- lockfile-remove "$LOCKFILE" ++ if [ -f 
"$LOCKFILE" ]; then ++ debug "cleanup: Removing lockfile: $LOCKFILE" ++ rm -f "$LOCKFILE" + fi + + if [ -d "$TMPDIR" ]; then +@@ -145,14 +133,9 @@ error() { + if [ "$2" = "noclean" ]; then + debug "error: Not removing lockfile" + else +- if [ -n "$LOCK" ]; then +- debug "error: Killing lockfile-touch - $LOCK" +- kill "$LOCK" && unset LOCK +- fi +- +- if [ -f "$LOCKFILE.lock" ]; then +- debug "error: Removing lockfile: $LOCKFILE.lock" +- lockfile-remove "$LOCKFILE" ++ if [ -f "$LOCKFILE" ]; then ++ debug "error: Removing lockfile: $LOCKFILE" ++ rm -f "$LOCKFILE" + fi + + fi +@@ -171,7 +154,7 @@ $message + ${TMPDIR:+Check temporary directory: $TMPDIR + } + Also verify that the logcheck user can read all files referenced in +-/etc/logcheck/logcheck.logfiles! ++%%ETCDIR%%/logcheck.logfiles! + + $(export) + EOF +@@ -223,7 +206,7 @@ cleanrules() { + error "Couldn't read $x" + fi + done +- for rulefile in $(run-parts --list "$dir"); do ++ for rulefile in $(ls -1R "$dir"); do + rulefile="$(basename "$rulefile")" + if [ -f "${dir}/${rulefile}" ]; then + debug "cleanrules: ${dir}/${rulefile}" +@@ -538,9 +521,9 @@ fi + + # Hostname either fully qualified or not. + if [ "$FQDN" -eq 1 ]; then +- HOSTNAME="$(hostname --fqdn 2>/dev/null)" ++ HOSTNAME="$(hostname -f 2>/dev/null)" + else +- HOSTNAME="$(hostname --short 2>/dev/null)" ++ HOSTNAME="$(hostname -s 2>/dev/null)" + fi + + # Now check for the other options +@@ -623,30 +606,25 @@ fi + + trap 'cleanup' 0 + +-debug "Trying to get lockfile: $LOCKFILE.lock" ++debug "Trying to get lockfile: $LOCKFILE" + if [ ! -d "$LOCKDIR" ]; then + mkdir -m 0755 "$LOCKDIR" + fi +-lockfile-create --retry 1 "$LOCKFILE" > /dev/null 2>&1 ++lockfile -r 1 "$LOCKFILE" > /dev/null 2>&1 + + + if [ $? 
-eq 1 ]; then + trap 0 +- if [ -e "${LOCKFILE}.lock" ]; then ++ if [ -e "${LOCKFILE}" ]; then + error "Another logcheck process is still running" "noclean" + else +- error "Failed to get lockfile: $LOCKFILE.lock" "noclean" ++ error "Failed to get lockfile: $LOCKFILE" "noclean" + fi +- +-else +- debug "Running lockfile-touch $LOCKFILE.lock" +- lockfile-touch "$LOCKFILE" & +- LOCK="$!" + fi + + # Create the secure temporary directory or exit +-TMPDIR="$(mktemp -d -p "${TMP:-/tmp}" logcheck.XXXXXX)" \ +- || TMPDIR="$(mktemp -d -p /var/tmp logcheck.XXXXXX)" \ ++TMPDIR="$(mktemp -d ${TMP:-/tmp}/logcheck.XXXXXX)" \ ++ || TMPDIR="$(mktemp -d /var/tmp/logcheck.XXXXXX)" \ + || error "Could not create temporary directory" + + # Now clean the rulefiles in the directories Property changes on: head/security/logcheck/files/patch-src_logcheck ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: head/security/logcheck/files/patch-src_logcheck-test =================================================================== --- head/security/logcheck/files/patch-src_logcheck-test (nonexistent) +++ head/security/logcheck/files/patch-src_logcheck-test (revision 446938) 
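Review bot: The lock check `if [ $? -eq 1 ]; then` that follows the new `lockfile -r 1 "$LOCKFILE"` call looks wrong for procmail's lockfile(1), which as far as I recall reports a lock it could not obtain with exit status 73 (EX_CANTCREAT) rather than the 1 that lockfile-create returned, so a second concurrent logcheck would fall through, run unlocked and race the first on the state files and `$TMPDIR`. Testing any non-zero status, `if [ $? -ne 0 ]; then`, keeps the "Another logcheck process is still running" path reachable whatever the exact code. Separately, `for rulefile in $(ls -1R "$dir")` also lists editor backups and `*.orig` leftovers that `run-parts --list` skipped, so stray files in the rule directories silently become active rules; a `case "$rulefile" in *~|*.orig|*.bak) continue ;; esac` guard before the `-f` test would restore the old behaviour. The script continues past the end of this hunk.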
@@ -0,0 +1,23 @@
+--- src/logcheck-test.orig 2017-01-25 21:08:04 UTC
++++ src/logcheck-test
+@@ -38,7 +38,7 @@ usage() {
+ usage: logcheck-test
+ -h|--help : Show usage information
+ -a|--auth.log : Parse /var/log/auth.log
+--s|--syslog : Parse /var/log/syslog
++-m|--messages : Parse /var/log/messages
+ -l|--log-file LOGFILE : Parse LOGFILE
+ -i|--invert-match : Show lines that don't match the RULE or RULEFILE
+ -q|--quiet : Suppress rule summary
+@@ -103,9 +103,9 @@ while [ -n "${1:-}" ]; do
+ warn "option -a ignored"
+ fi
+ ;;
+- -s|--syslog)
++ -m|--messages)
+ if [ -z "$FILE" ] ; then
+- FILE="/var/log/syslog"
++ FILE="/var/log/messages"
+ else
+ warn "option -s ignored"
+ fi
Property changes on: head/security/logcheck/files/patch-src_logcheck-test
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: head/security/logcheck/files/patch-src_logtail2
===================================================================
--- head/security/logcheck/files/patch-src_logtail2 (nonexistent)
+++ head/security/logcheck/files/patch-src_logtail2 (revision 446938)
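Review bot: The option is renamed from `-s|--syslog` to `-m|--messages` in the nested `@@ -103,9 +103,9 @@` hunk, but the diagnostic in that branch's `else` arm is left as the context line `warn "option -s ignored"`, so a user who passes `-m` after `-l` is told about an option they never used. Make it a removed/added pair in this patch file so the message reads `warn "option -m ignored"`. The `while` loop that holds this branch continues past the hunk.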
@@ -0,0 +1,11 @@
+--- src/logtail2.orig 2017-07-11 17:32:13 UTC
++++ src/logtail2
+@@ -109,7 +109,7 @@ sub determine_rotated_logfile {
+ # function with dateext magic added.
+ 
+ #print "determine_rotated_logfile $filename $inode\n";
+- for my $codefile (glob("/usr/share/logtail/detectrotate/*.dtr")) {
++ for my $codefile (glob("%%DATADIR%%/detectrotate/*.dtr")) {
+ my $func = do $codefile;
+ if (!$func) {
+ print STDERR "cannot compile $codefile: $!";
Property changes on: head/security/logcheck/files/patch-src_logtail2
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: head/security/logcheck/pkg-plist
===================================================================
--- head/security/logcheck/pkg-plist (revision 446937)
+++ head/security/logcheck/pkg-plist (revision 446938)
@@ -1,203 +1,207 @@ @mode 640 +%%DATADIR%%/detectrotate/10-savelog.dtr +%%DATADIR%%/detectrotate/20-logrotate.dtr +%%DATADIR%%/detectrotate/30-logrotate-dateext.dtr %%ETCDIR%%/cracking.d/kernel %%ETCDIR%%/cracking.d/rlogind %%ETCDIR%%/cracking.d/rsh %%ETCDIR%%/cracking.d/smartd %%ETCDIR%%/cracking.d/tftpd %%ETCDIR%%/cracking.d/uucico %%ETCDIR%%/ignore.d.paranoid/bind %%ETCDIR%%/ignore.d.paranoid/cron %%ETCDIR%%/ignore.d.paranoid/incron %%ETCDIR%%/ignore.d.paranoid/logcheck %%ETCDIR%%/ignore.d.paranoid/postfix %%ETCDIR%%/ignore.d.paranoid/ppp %%ETCDIR%%/ignore.d.paranoid/pureftp %%ETCDIR%%/ignore.d.paranoid/qpopper %%ETCDIR%%/ignore.d.paranoid/squid %%ETCDIR%%/ignore.d.paranoid/ssh %%ETCDIR%%/ignore.d.paranoid/stunnel %%ETCDIR%%/ignore.d.paranoid/sysklogd %%ETCDIR%%/ignore.d.paranoid/telnetd %%ETCDIR%%/ignore.d.paranoid/tripwire %%ETCDIR%%/ignore.d.paranoid/usb %%ETCDIR%%/ignore.d.server/acpid %%ETCDIR%%/ignore.d.server/amandad %%ETCDIR%%/ignore.d.server/amavisd-new %%ETCDIR%%/ignore.d.server/anacron %%ETCDIR%%/ignore.d.server/anon-proxy %%ETCDIR%%/ignore.d.server/apache %%ETCDIR%%/ignore.d.server/apcupsd %%ETCDIR%%/ignore.d.server/arpwatch %%ETCDIR%%/ignore.d.server/asterisk %%ETCDIR%%/ignore.d.server/automount %%ETCDIR%%/ignore.d.server/bind %%ETCDIR%%/ignore.d.server/bluez-utils %%ETCDIR%%/ignore.d.server/courier %%ETCDIR%%/ignore.d.server/cpqarrayd %%ETCDIR%%/ignore.d.server/cpufreqd %%ETCDIR%%/ignore.d.server/cron %%ETCDIR%%/ignore.d.server/cron-apt %%ETCDIR%%/ignore.d.server/cups-lpd %%ETCDIR%%/ignore.d.server/cvs-pserver %%ETCDIR%%/ignore.d.server/cvsd %%ETCDIR%%/ignore.d.server/cyrus %%ETCDIR%%/ignore.d.server/dcc %%ETCDIR%%/ignore.d.server/ddclient %%ETCDIR%%/ignore.d.server/dhclient %%ETCDIR%%/ignore.d.server/dhcp %%ETCDIR%%/ignore.d.server/dictd %%ETCDIR%%/ignore.d.server/dkfilter %%ETCDIR%%/ignore.d.server/dnsmasq %%ETCDIR%%/ignore.d.server/dovecot %%ETCDIR%%/ignore.d.server/dropbear %%ETCDIR%%/ignore.d.server/dspam %%ETCDIR%%/ignore.d.server/epmd 
%%ETCDIR%%/ignore.d.server/exim4 %%ETCDIR%%/ignore.d.server/fcron %%ETCDIR%%/ignore.d.server/ftpd %%ETCDIR%%/ignore.d.server/git-daemon %%ETCDIR%%/ignore.d.server/gnu-imap4d %%ETCDIR%%/ignore.d.server/gps %%ETCDIR%%/ignore.d.server/grinch %%ETCDIR%%/ignore.d.server/horde3 %%ETCDIR%%/ignore.d.server/hplip %%ETCDIR%%/ignore.d.server/hylafax %%ETCDIR%%/ignore.d.server/ikiwiki %%ETCDIR%%/ignore.d.server/imap %%ETCDIR%%/ignore.d.server/imapproxy %%ETCDIR%%/ignore.d.server/imp %%ETCDIR%%/ignore.d.server/imp4 %%ETCDIR%%/ignore.d.server/innd %%ETCDIR%%/ignore.d.server/ipppd %%ETCDIR%%/ignore.d.server/isdnlog %%ETCDIR%%/ignore.d.server/isdnutils %%ETCDIR%%/ignore.d.server/jabberd %%ETCDIR%%/ignore.d.server/kernel %%ETCDIR%%/ignore.d.server/klogind %%ETCDIR%%/ignore.d.server/krb5-kdc %%ETCDIR%%/ignore.d.server/libpam-krb5 %%ETCDIR%%/ignore.d.server/libpam-mount %%ETCDIR%%/ignore.d.server/logcheck %%ETCDIR%%/ignore.d.server/login %%ETCDIR%%/ignore.d.server/maradns %%ETCDIR%%/ignore.d.server/mldonkey-server %%ETCDIR%%/ignore.d.server/mon %%ETCDIR%%/ignore.d.server/mountd %%ETCDIR%%/ignore.d.server/nagios %%ETCDIR%%/ignore.d.server/netconsole %%ETCDIR%%/ignore.d.server/nfs %%ETCDIR%%/ignore.d.server/nntpcache %%ETCDIR%%/ignore.d.server/nscd %%ETCDIR%%/ignore.d.server/nslcd %%ETCDIR%%/ignore.d.server/openvpn %%ETCDIR%%/ignore.d.server/otrs %%ETCDIR%%/ignore.d.server/passwd %%ETCDIR%%/ignore.d.server/pdns %%ETCDIR%%/ignore.d.server/perdition %%ETCDIR%%/ignore.d.server/policyd %%ETCDIR%%/ignore.d.server/popa3d %%ETCDIR%%/ignore.d.server/postfix %%ETCDIR%%/ignore.d.server/postfix-policyd %%ETCDIR%%/ignore.d.server/ppp %%ETCDIR%%/ignore.d.server/pptpd %%ETCDIR%%/ignore.d.server/procmail %%ETCDIR%%/ignore.d.server/proftpd %%ETCDIR%%/ignore.d.server/pure-ftpd %%ETCDIR%%/ignore.d.server/pureftp %%ETCDIR%%/ignore.d.server/qpopper %%ETCDIR%%/ignore.d.server/rbldnsd %%ETCDIR%%/ignore.d.server/rpc_statd %%ETCDIR%%/ignore.d.server/rsnapshot %%ETCDIR%%/ignore.d.server/rsync 
%%ETCDIR%%/ignore.d.server/sa-exim %%ETCDIR%%/ignore.d.server/samba %%ETCDIR%%/ignore.d.server/saned %%ETCDIR%%/ignore.d.server/sasl2-bin %%ETCDIR%%/ignore.d.server/saslauthd %%ETCDIR%%/ignore.d.server/schroot %%ETCDIR%%/ignore.d.server/scponly %%ETCDIR%%/ignore.d.server/slapd %%ETCDIR%%/ignore.d.server/smartd %%ETCDIR%%/ignore.d.server/smbd_audit %%ETCDIR%%/ignore.d.server/smokeping %%ETCDIR%%/ignore.d.server/snmpd %%ETCDIR%%/ignore.d.server/snort %%ETCDIR%%/ignore.d.server/spamc %%ETCDIR%%/ignore.d.server/spamd %%ETCDIR%%/ignore.d.server/squid %%ETCDIR%%/ignore.d.server/ssh %%ETCDIR%%/ignore.d.server/stunnel %%ETCDIR%%/ignore.d.server/su %%ETCDIR%%/ignore.d.server/sudo %%ETCDIR%%/ignore.d.server/sympa %%ETCDIR%%/ignore.d.server/syslogd +%%ETCDIR%%/ignore.d.server/systemd +%%ETCDIR%%/ignore.d.server/systemd-timesyncd %%ETCDIR%%/ignore.d.server/teapop %%ETCDIR%%/ignore.d.server/telnetd %%ETCDIR%%/ignore.d.server/tftpd %%ETCDIR%%/ignore.d.server/thy %%ETCDIR%%/ignore.d.server/ucd-snmp %%ETCDIR%%/ignore.d.server/upsd %%ETCDIR%%/ignore.d.server/uptimed %%ETCDIR%%/ignore.d.server/userv %%ETCDIR%%/ignore.d.server/vsftpd %%ETCDIR%%/ignore.d.server/watchdog %%ETCDIR%%/ignore.d.server/wu-ftpd %%ETCDIR%%/ignore.d.server/xinetd %%ETCDIR%%/ignore.d.workstation/automount %%ETCDIR%%/ignore.d.workstation/bind %%ETCDIR%%/ignore.d.workstation/bluetooth-alsa %%ETCDIR%%/ignore.d.workstation/bluez-utils %%ETCDIR%%/ignore.d.workstation/bonobo %%ETCDIR%%/ignore.d.workstation/dhcpcd %%ETCDIR%%/ignore.d.workstation/francine %%ETCDIR%%/ignore.d.workstation/gconf %%ETCDIR%%/ignore.d.workstation/gdm %%ETCDIR%%/ignore.d.workstation/hald %%ETCDIR%%/ignore.d.workstation/hcid %%ETCDIR%%/ignore.d.workstation/ifplugd %%ETCDIR%%/ignore.d.workstation/ippl %%ETCDIR%%/ignore.d.workstation/kdm %%ETCDIR%%/ignore.d.workstation/kernel %%ETCDIR%%/ignore.d.workstation/laptop-mode-tools %%ETCDIR%%/ignore.d.workstation/libmtp-runtime %%ETCDIR%%/ignore.d.workstation/libpam-gnome-keyring 
%%ETCDIR%%/ignore.d.workstation/logcheck %%ETCDIR%%/ignore.d.workstation/login %%ETCDIR%%/ignore.d.workstation/net-acct %%ETCDIR%%/ignore.d.workstation/nntpcache %%ETCDIR%%/ignore.d.workstation/polypaudio %%ETCDIR%%/ignore.d.workstation/postfix %%ETCDIR%%/ignore.d.workstation/ppp %%ETCDIR%%/ignore.d.workstation/proftpd %%ETCDIR%%/ignore.d.workstation/pump %%ETCDIR%%/ignore.d.workstation/sendfile %%ETCDIR%%/ignore.d.workstation/slim %%ETCDIR%%/ignore.d.workstation/squid %%ETCDIR%%/ignore.d.workstation/udev %%ETCDIR%%/ignore.d.workstation/wdm %%ETCDIR%%/ignore.d.workstation/winbind %%ETCDIR%%/ignore.d.workstation/wpasupplicant %%ETCDIR%%/ignore.d.workstation/xdm %%ETCDIR%%/ignore.d.workstation/xlockmore +%%ETCDIR%%/logcheck.conf.sample +%%ETCDIR%%/logcheck.logfiles.sample %%ETCDIR%%/violations.d/kernel %%ETCDIR%%/violations.d/logcheck %%ETCDIR%%/violations.d/smartd %%ETCDIR%%/violations.d/su %%ETCDIR%%/violations.d/sudo %%ETCDIR%%/violations.ignore.d/logcheck-su %%ETCDIR%%/violations.ignore.d/logcheck-sudo -%%ETCDIR%%/logcheck.conf.sample -%%ETCDIR%%/logcheck.logfiles.sample -%%DATADIR%%/detectrotate/10-savelog.dtr -%%DATADIR%%/detectrotate/20-logrotate.dtr -%%DATADIR%%/detectrotate/30-logrotate-dateext.dtr @mode +bin/logcheck-test +man/man1/logcheck-test.1.gz man/man8/logcheck.8.gz man/man8/logtail.8.gz man/man8/logtail2.8.gz sbin/logcheck sbin/logtail sbin/logtail2 %%PORTEXAMPLES%%%%EXAMPLESDIR%%/crontab.in @dir(%%LOGCHECK_USER%%,%%LOGCHECK_GROUP%%,) %%DBDIR%% @dir(%%LOGCHECK_USER%%,%%LOGCHECK_GROUP%%,) %%RUNDIR%%