- Fixed logcheck script silent failure in previous commit
- Added handling for crontab installation problems - Incorporated security fixes from PR opened after previous commit - Added UPDATING entry since configuration options have changed fairly significantly PR: ports/122842 Submitted by: Cezary Morga <cm@therek.net> PR: ports/127255 Submitted by: Yasuhiro KIMURA <yasu at utahime dot org> Reviewed by: glarkin Approved by: beech (mentor, implicit) Approved by: portmgr (marcus) Security: Incorrect addition of logcheck user to wheel group
This commit is contained in:
parent
2f6da9c8fa
commit
6e60a56931
Notes:
svn2git
2021-03-31 03:12:20 +00:00
svn path=/head/; revision=220326
2
UIDs
2
UIDs
@ -144,4 +144,4 @@ iserv:*:911:911::0:0:Iserv Daemon:/nonexistent:/usr/sbin/nologin
|
||||
_sj3:*:912:912::0:0:SJ3 Daemon:/nonexistent:/usr/sbin/nologin
|
||||
_relayd:*:913:913::0:0:Relay Daemon:/var/empty:/usr/sbin/nologin
|
||||
bitlbee:*:914:914::0:0:Bitlbee pseudo-user:/nonexistent:/sbin/nologin
|
||||
logcheck:*:915:915::0:0:Logcheck system account:/var/lib/logcheck:/sbin/nologin
|
||||
logcheck:*:915:915::0:0:Logcheck system account:/var/lib/logcheck:/usr/local/bin/bash
|
||||
|
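Review bot: The home directory in the new logcheck entry, `/var/lib/logcheck`, disagrees with the `homedir="/var/db/logcheck"` that pkg-install.in sets in this same commit and with the `/var/db/logcheck` the Makefile's do-install now creates, so an account registered from UIDs would point at a directory the port no longer provides; the line should read `logcheck:*:915:915::0:0:Logcheck system account:/var/db/logcheck:/usr/local/bin/bash`. Which of the two logcheck lines is the new one is inferred from its shell matching pkg-install.in's `shell="/usr/local/bin/bash"`. The shell itself deserves a second look: every neighbouring system account uses a nologin shell, and the su hint in the patched script already names the bash binary explicitly, so the reason this account needs an interactive login shell should be recorded in the port (a comment next to LOGCHECK_USER in the Makefile would do).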
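--- a/UPDATING
+++ b/UPDATING
@@ -6,6 +6,54 @@ You should get into the habit of checking this file for changes each
 time you update your ports collection, before attempting any port
 upgrades.
 
+20080909:
+AFFECTS: users of security/logcheck
+AUTHOR: glarkin@FreeBSD.org
+
+logcheck now stores its configuration files in
+/usr/local/etc/logcheck instead of /usr/local/etc. If you are
+upgrading the port from version 1.1.1 to version 1.2.54, copy
+the following files to a temporary directory, in case they are
+removed during the upgrade:
+
+/usr/local/etc/logcheck.hacking
+/usr/local/etc/logcheck.ignore
+/usr/local/etc/logcheck.violations
+/usr/local/etc/logcheck.violations.ignore
+
+e.g.:
+cd /usr/local/etc
+mkdir /tmp/logcheck.saveconf
+cp logcheck.hacking logcheck.ignore logcheck.violations* \
+/tmp/logcheck.saveconf
+
+After the upgrade, integrate your local changes to the files listed
+above into the new configuration files found in the following
+directories:
+
+/usr/local/etc/logcheck/cracking.d
+/usr/local/etc/logcheck/ignore.d.paranoid
+/usr/local/etc/logcheck/ignore.d.server
+/usr/local/etc/logcheck/ignore.d.workstation
+/usr/local/etc/logcheck/violations.d
+/usr/local/etc/logcheck/violations.ignore.d
+
+Please consult the following files for more information about
+logcheck rules and reporting levels:
+
+/usr/local/share/doc/logcheck/README.logcheck
+/usr/local/share/doc/logcheck/README.logcheck-database
+
+Also note that the upgraded port installs a crontab file for user
+"logcheck" that executes the logcheck script every hour and emails
+the results to root. If the installation process cannot install
+the crontab file, it can be installed manually from:
+
+/usr/local/share/examples/logcheck/crontab.in
+
+e.g.:
+crontab -u logcheck /usr/local/share/examples/logcheck/crontab.in
+
 20080907:
 AFFECTS: users of www/mediawiki
 AUTHOR: miwi@FreeBSD.org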
@ -7,10 +7,9 @@
|
||||
|
||||
PORTNAME= logcheck
|
||||
PORTVERSION= 1.2.54
|
||||
PORTREVISION= 1
|
||||
PORTREVISION= 2
|
||||
CATEGORIES= security
|
||||
MASTER_SITES= ftp://ftp.debian.org/debian/pool/main/l/logcheck/ \
|
||||
http://ftp.de.debian.org/debian/pool/main/l/logcheck/
|
||||
MASTER_SITES= ${MASTER_SITE_DEBIAN_POOL}
|
||||
DISTNAME= ${PORTNAME}_${PORTVERSION}
|
||||
|
||||
MAINTAINER= glarkin@FreeBSD.org
|
||||
@ -18,12 +17,23 @@ COMMENT= Auditing tool for system logs on Unix boxes
|
||||
|
||||
BUILD_DEPENDS= docbook-to-man:${PORTSDIR}/textproc/docbook-to-man
|
||||
RUN_DEPENDS= lockfile:${PORTSDIR}/mail/procmail \
|
||||
bash:${PORTSDIR}/shells/bash \
|
||||
perl:${PORTSDIR}/lang/perl5
|
||||
bash:${PORTSDIR}/shells/bash
|
||||
|
||||
LOGCHECK_USER= logcheck
|
||||
LOGCHECK_UID= 915
|
||||
LOGCHECK_GROUP= ${LOGCHECK_USER}
|
||||
LOGCHECK_GID= ${LOGCHECK_UID}
|
||||
|
||||
# Enable Perl dependency for logtail script
|
||||
USE_PERL5= 5.8.0+
|
||||
|
||||
WRKSRC= ${WRKDIR}/${PORTNAME}-${PORTVERSION}
|
||||
BINMODE= 755
|
||||
SHAREMODE= 640
|
||||
SUB_LIST+= LOGCHECK_USER=${LOGCHECK_USER} \
|
||||
LOGCHECK_UID=${LOGCHECK_UID} \
|
||||
LOGCHECK_GROUP=${LOGCHECK_GROUP} \
|
||||
LOGCHECK_GID=${LOGCHECK_GID}
|
||||
SUB_FILES= pkg-install pkg-deinstall pkg-message
|
||||
CONFIG_DIRS= cracking.d ignore.d.paranoid ignore.d.server \
|
||||
ignore.d.workstation violations.d violations.ignore.d
|
||||
@ -31,39 +41,39 @@ DOCS= AUTHORS CHANGES CREDITS LICENSE TODO docs/README*
|
||||
PORTDOCS= ${DOCS:T}
|
||||
MAN8= logcheck.8 logtail.8
|
||||
|
||||
LOGCHECK_USER= logcheck
|
||||
LOGCHECK_GROUP= ${LOGCHECK_USER}
|
||||
|
||||
do-build:
|
||||
${REINPLACE_CMD} -e 's!/var/log/syslog!/var/log/messages!' \
|
||||
${WRKSRC}/etc/logcheck.logfiles
|
||||
${REINPLACE_CMD} -e 's!/etc/logcheck!/usr/local/etc/logcheck!' \
|
||||
-e 's!/usr/share/doc/logcheck-database/README.logcheck-database.gz!${DOCSDIR}/README.logcheck-database!' \
|
||||
${WRKSRC}/docs/logcheck.sgml
|
||||
${WRKSRC}/etc/logcheck.logfiles
|
||||
${REINPLACE_CMD} -e 's!/etc/logcheck!${ETCDIR}!' \
|
||||
-e 's!/usr/share/doc/logcheck-database/README.logcheck-database.gz!${DOCSDIR}/README.logcheck-database!' \
|
||||
${WRKSRC}/docs/logcheck.sgml
|
||||
docbook-to-man ${WRKSRC}/docs/logcheck.sgml > ${WRKSRC}/docs/logcheck.8
|
||||
|
||||
do-install:
|
||||
${INSTALL_SCRIPT} ${WRKSRC}/src/logcheck ${PREFIX}/sbin
|
||||
${INSTALL_SCRIPT} ${WRKSRC}/src/logtail ${PREFIX}/sbin
|
||||
@PREFIX=${PREFIX} ${SH} ${PKGINSTALL} ${PKGNAME} PRE-INSTALL
|
||||
@${INSTALL} -d /var/lib/logcheck
|
||||
@${INSTALL} -d /var/db/logcheck
|
||||
@${INSTALL} -d /var/run/logcheck
|
||||
${CHOWN} ${LOGCHECK_USER}:${LOGCHECK_GROUP} /var/lib/logcheck
|
||||
${CHOWN} ${LOGCHECK_USER}:${LOGCHECK_GROUP} /var/db/logcheck
|
||||
@${ECHO_CMD} '@exec ${CHOWN} -R ${LOGCHECK_USER}:${LOGCHECK_GROUP} \
|
||||
/var/lib/logcheck' >> ${TMPPLIST}
|
||||
/var/db/logcheck' >> ${TMPPLIST}
|
||||
${CHOWN} ${LOGCHECK_USER}:${LOGCHECK_GROUP} /var/run/logcheck
|
||||
@${ECHO_CMD} '@exec ${CHOWN} -R ${LOGCHECK_USER}:${LOGCHECK_GROUP} \
|
||||
/var/run/logcheck' >> ${TMPPLIST}
|
||||
@${INSTALL} -d ${ETCDIR}
|
||||
@${INSTALL_DATA} ${WRKSRC}/etc/logcheck.conf ${ETCDIR}/logcheck.conf.sample
|
||||
@${INSTALL_DATA} ${WRKSRC}/etc/logcheck.logfiles ${ETCDIR}/logcheck.logfiles.sample
|
||||
@${INSTALL_DATA} ${WRKSRC}/etc/logcheck.conf \
|
||||
${ETCDIR}/logcheck.conf.sample
|
||||
@${INSTALL_DATA} ${WRKSRC}/etc/logcheck.logfiles \
|
||||
${ETCDIR}/logcheck.logfiles.sample
|
||||
.for i in ${CONFIG_DIRS}
|
||||
@${INSTALL} -d ${ETCDIR}/${i}
|
||||
@${INSTALL_DATA} ${WRKSRC}/rulefiles/linux/${i}/* ${ETCDIR}/${i}
|
||||
.endfor
|
||||
.if !defined(NOPORTEXAMPLES)
|
||||
@${INSTALL} -d ${EXAMPLESDIR}
|
||||
@${INSTALL_DATA} ${WRKSRC}/debian/logcheck.cron.d ${EXAMPLESDIR}/crontab.in
|
||||
@${INSTALL_DATA} ${WRKSRC}/debian/logcheck.cron.d \
|
||||
${EXAMPLESDIR}/crontab.in
|
||||
.endif
|
||||
${CHOWN} -R root:${LOGCHECK_GROUP} ${ETCDIR}
|
||||
@${ECHO_CMD} '@exec ${CHOWN} -R root:${LOGCHECK_GROUP} \
|
||||
|
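Review bot: `LOGCHECK_UID= 915` and `LOGCHECK_GID= ${LOGCHECK_UID}` duplicate the numbers registered in UIDs with nothing tying the two together; a comment such as `# Must match the logcheck entries in ports UIDs and GIDs (GID assumed equal to UID)` would at least make the coupling visible, and since GIDs is not part of this commit the GID equality is unverified here. With the new fixed `-u "${uid}"` in pkg-install.in, a drift between these values is no longer papered over by pw choosing a free id, so the mismatch would surface as a failed user creation at install time. The do-install hunk ends mid-recipe (its last line ends in `\`), so the tail of that rule is not reviewable here, and the section's file header is missing from the rendered page, so the path is assumed to be the port's Makefile.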
@ -1,5 +1,5 @@
|
||||
--- ./src/logcheck.orig 2007-01-16 01:13:27.000000000 -0500
|
||||
+++ ./src/logcheck 2008-09-06 19:11:28.000000000 -0400
|
||||
+++ ./src/logcheck 2008-09-09 18:10:02.000000000 -0400
|
||||
@@ -1,4 +1,4 @@
|
||||
-#!/bin/bash
|
||||
+#!/usr/local/bin/bash
|
||||
@ -11,7 +11,7 @@
|
||||
if [ $UID == 0 ]; then
|
||||
echo "logcheck should not be run as root. Use su to invoke logcheck:"
|
||||
- echo "su -s /bin/bash -c \"/usr/sbin/logcheck${@:+ $@}\" logcheck"
|
||||
+ echo "su logcheck -c \"/usr/local/bin/bash /usr/local/sbin/logcheck${@:+ $@}\""
|
||||
+ echo "su -m logcheck -c \"/usr/local/bin/bash /usr/local/sbin/logcheck${@:+ $@}\""
|
||||
echo "Or use sudo: sudo -u logcheck logcheck${@:+ $@}."
|
||||
# you may want to uncomment that hack to let logcheck invoke itself.
|
||||
- # su -s /bin/bash -c "$0 $*" logcheck
|
||||
@ -32,19 +32,20 @@
|
||||
# Set the default paths
|
||||
-RULEDIR="/etc/logcheck"
|
||||
-CONFFILE="/etc/logcheck/logcheck.conf"
|
||||
+RULEDIR="/usr/local/etc/logcheck"
|
||||
+CONFFILE="/usr/local/etc/logcheck/logcheck.conf"
|
||||
STATEDIR="/var/lib/logcheck"
|
||||
-STATEDIR="/var/lib/logcheck"
|
||||
-LOGFILES_LIST="/etc/logcheck/logcheck.logfiles"
|
||||
-LOGFILE_FALLBACK="/var/log/syslog"
|
||||
-LOGTAIL="/usr/sbin/logtail"
|
||||
+RULEDIR="/usr/local/etc/logcheck"
|
||||
+CONFFILE="/usr/local/etc/logcheck/logcheck.conf"
|
||||
+STATEDIR="/var/db/logcheck"
|
||||
+LOGFILES_LIST="/usr/local/etc/logcheck/logcheck.logfiles"
|
||||
+LOGFILE_FALLBACK="/var/log/messages"
|
||||
+LOGTAIL="/usr/local/sbin/logtail"
|
||||
CAT="/bin/cat"
|
||||
SYSLOG_SUMMARY="/usr/bin/syslog-summary"
|
||||
|
||||
@@ -87,20 +80,15 @@
|
||||
@@ -87,26 +80,21 @@
|
||||
SORTUNIQ=0
|
||||
SUPPORT_CRACKING_IGNORE=0
|
||||
SYSLOGSUMMARY=0
|
||||
@ -69,6 +70,13 @@
|
||||
fi
|
||||
|
||||
if [ -d $TMPDIR ]; then
|
||||
# Remove the tmp directory
|
||||
if [ $NOCLEANUP -eq 0 ];then
|
||||
- cd /var/lib/logcheck
|
||||
+ cd /var/db/logcheck
|
||||
debug "cleanup: Removing - $TMPDIR"
|
||||
rm -r $TMPDIR
|
||||
else
|
||||
@@ -142,14 +130,9 @@
|
||||
if [ "$2" = "noclean" ]; then
|
||||
debug "error: Not removing lockfile"
|
||||
|
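Review bot: The hint now tells the operator to run `su -m logcheck -c ...`; on FreeBSD `-m` keeps the caller's environment (HOME, PATH, TMPDIR) and the caller's shell, so the script runs with root's variables rather than the logcheck login environment, and the cleanup hunk's `[ -d $TMPDIR ]` / `rm -r $TMPDIR` would then act on whatever root had exported, unless the script assigns TMPDIR itself (that assignment is not within the shown hunks). The reason for `-m` is not stated anywhere in the patch; a line in the patched script such as `# -m keeps the caller's environment; bash is named explicitly so the account's login shell does not matter` would record it. The patched functions start and end outside these hunks.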
@ -1,7 +1,7 @@
|
||||
#!/bin/sh
|
||||
|
||||
user="logcheck"
|
||||
group="logcheck"
|
||||
user="%%LOGCHECK_USER%%"
|
||||
group="%%LOGCHECK_GROUP%%"
|
||||
configfiles="logcheck.conf logcheck.logfiles"
|
||||
|
||||
case $2 in
|
||||
|
@ -1,10 +1,12 @@
|
||||
#!/bin/sh
|
||||
|
||||
user="logcheck"
|
||||
group="logcheck"
|
||||
user="%%LOGCHECK_USER%%"
|
||||
uid="%%LOGCHECK_UID%%"
|
||||
group="%%LOGCHECK_GROUP%%"
|
||||
gid="%%LOGCHECK_GID%%"
|
||||
descr="Logcheck system account"
|
||||
homedir="/var/lib/logcheck"
|
||||
shell="/usr/bin/false"
|
||||
homedir="/var/db/logcheck"
|
||||
shell="/usr/local/bin/bash"
|
||||
configfiles="logcheck.conf logcheck.logfiles"
|
||||
|
||||
case $2 in
|
||||
@ -12,13 +14,13 @@ PRE-INSTALL)
|
||||
if pw group show ${group} > /dev/null 2>&1; then
|
||||
echo "---> You already have a group \"${group}\", so I will use it."
|
||||
else
|
||||
pw group add "${group}"
|
||||
pw group add "${group}" -g "${gid}"
|
||||
echo "---> Created group \"${group}\"."
|
||||
fi
|
||||
if pw user show ${user} > /dev/null 2>&1; then
|
||||
echo "---> You already have a user \"${user}\", so I will use it."
|
||||
else
|
||||
pw user add -n logcheck -c "${descr}" -d "${homedir}" -s "${shell}" -g logcheck -G wheel
|
||||
pw user add -n ${user} -c "${descr}" -d "${homedir}" -s "${shell}" -g ${group} -u "${uid}"
|
||||
echo "---> Created user \"${user}\"."
|
||||
fi
|
||||
;;
|
||||
@ -34,8 +36,15 @@ POST-INSTALL)
|
||||
echo "---> Installed crontab(5) file for user \"${user}\""
|
||||
fi
|
||||
else
|
||||
/usr/bin/crontab -u "${user}" "%%EXAMPLESDIR%%/crontab.in" || exit 1
|
||||
echo "---> Created crontab(5) file for user \"${user}\""
|
||||
if grep -q "are not allowed to use this program" /tmp/logchecktab$$ ; then
|
||||
echo "---> The logcheck user is not allowed to run crontab."
|
||||
echo "---> Please check the contents of /var/cron/allow and /var/cron/deny"
|
||||
echo "---> and grant access, if necessary."
|
||||
exit 1
|
||||
else
|
||||
/usr/bin/crontab -u "${user}" "%%EXAMPLESDIR%%/crontab.in" || exit 1
|
||||
echo "---> Created crontab(5) file for user \"${user}\""
|
||||
fi
|
||||
fi
|
||||
rm -f /tmp/logchecktab$$
|
||||
fi
|
||||
|
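Review bot: The new crontab-failure handling reads and removes `/tmp/logchecktab$$`, a predictable name in a world-writable directory, from a script that runs as root during installation; how that file is created is above the hunk, but the name should come from mktemp, e.g. `tmpf=$(mktemp -t logchecktab) || exit 1`, with the grep and the `rm -f` using `"${tmpf}"`. The `exit 1` on the not-allowed path also returns before the `rm -f`, leaving the file behind. In the PRE-INSTALL hunk, `pw group add` and `pw user add` are not checked while the crontab call is (`|| exit 1`), and the "Created user" message prints even when they fail; with the new fixed `-u "${uid}"` a collision makes that failure likelier, so `pw user add -n "${user}" -c "${descr}" -d "${homedir}" -s "${shell}" -g "${group}" -u "${uid}" || exit 1` (and likewise for the group) would be consistent with the rest of the script.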
@ -3,8 +3,8 @@ Please make sure that all files listed in
|
||||
|
||||
%%PREFIX%%/etc/logcheck/logcheck.logfiles
|
||||
|
||||
are readable to 'wheel' group (see also /etc/newsyslog.conf), or remove
|
||||
them from the aforementioned logcheck configuration file.
|
||||
are readable to the '%%LOGCHECK_GROUP%%' group (see also /etc/newsyslog.conf),
|
||||
or remove them from the aforementioned logcheck configuration file.
|
||||
|
||||
For information on how to write local rulesets see
|
||||
|
||||
|
@ -182,7 +182,7 @@ sbin/logtail
|
||||
@dirrm %%ETCDIR%%/ignore.d.paranoid
|
||||
@dirrm %%ETCDIR%%/cracking.d
|
||||
@dirrm %%ETCDIR%%
|
||||
@exec mkdir -p /var/lib/logcheck
|
||||
@unexec rm -rf /var/lib/logcheck 2> /dev/null || true
|
||||
@exec mkdir -p /var/db/logcheck
|
||||
@dirrmtry /var/db/logcheck
|
||||
@exec mkdir -p /var/run/logcheck
|
||||
@unexec rm -rf /var/run/logcheck 2> /dev/null || true
|
||||
@dirrmtry /var/run/logcheck
|
||||
|
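Review bot: Replacing the `@unexec rm -rf ...` lines with `@dirrmtry /var/db/logcheck` and `@dirrmtry /var/run/logcheck` means those directories now survive deinstall whenever they hold logtail state or a lock file, a behaviour change the commit message does not mention; if intended, a `@comment /var/db/logcheck is removed on deinstall only when empty; state files are kept` next to the entry would document the choice. Note also that the `@exec mkdir -p` entries create the directories root-owned and rely on the chown @exec lines the Makefile appends to the plist, so the two have to stay in step.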