Import of logcheck-1.1.1:

-- Logcheck is a scheduled auditing tool that scans system log files for security violations and unusual activity. Reports of suspicious log entries are mailed to a specified user (usually root). WWW: http://www.psionic.com/abacus/logcheck MAINTAINER= Srebrenko Sehic <haver@insecure.dk>
2001-12-03 19:17:33 +00:00 · 2001-12-03 19:17:33 +00:00 · d1edbcc265
commit d1edbcc265
parent d23bbcb381
7 changed files with 265 additions and 0 deletions
--- a/security/logcheck/Makefile
+++ b/security/logcheck/Makefile
@ -0,0 +1,46 @@
+# $OpenBSD: Makefile,v 1.1.1.1 2001/12/03 19:17:33 jsyn Exp $
+
+COMMENT=	"logfile auditing tool"
+
+DISTNAME=	logcheck-1.1.1
+CATEGORIES=	security
+NEED_VERSION=	1.500
+
+HOMEPAGE=	http://www.psionic.com/abacus/logcheck
+
+MAINTAINER=	Srebrenko Sehic <haver@insecure.dk>
+
+PERMIT_PACKAGE_CDROM=  	Yes
+PERMIT_PACKAGE_FTP=    	Yes
+PERMIT_DISTFILES_CDROM=	Yes
+PERMIT_DISTFILES_FTP= 	Yes
+
+MASTER_SITES=	http://www.psionic.com/tools/ \
+		http://packetstormsecurity.org/UNIX/IDS/
+
+NO_REGRESS=	Yes
+
+DOC_DIR=	${PREFIX}/share/doc/logcheck
+DOC_FILES=	CREDITS INSTALL README README.how.to.interpret README.keywords
+CFG_DIR=	${PREFIX}/share/examples/logcheck
+CFG_FILES=	logcheck.sh logcheck.hacking logcheck.ignore \
+		 logcheck.violations logcheck.violations.ignore
+
+do-build:
+	${CC} ${CFLAGS} -o ${WRKSRC}/src/logtail ${WRKSRC}/src/logtail.c
+
+do-install:
+	${INSTALL_PROGRAM} ${WRKSRC}/src/logtail ${PREFIX}/bin
+	${INSTALL_DATA_DIR} ${DOC_DIR}
+.for i in ${DOC_FILES}
+	${INSTALL_DATA} ${WRKSRC}/$i ${DOC_DIR}
+.endfor
+	${INSTALL_DATA_DIR} ${CFG_DIR}
+.for i in ${CFG_FILES}
+	${INSTALL_DATA} ${WRKSRC}/systems/generic/$i ${CFG_DIR}
+.endfor
+	@perl -pi -e 's,%%LOCALBASE%%,${LOCALBASE},;' \
+	 -e 's,%%LOGCHECK_TMP%%,/var/tmp/logcheck,;' \
+	 -e 's,%%SYSCONFDIR%%,${SYSCONFDIR},;' ${CFG_DIR}/logcheck.sh
+
+.include <bsd.port.mk> 
--- a/security/logcheck/distinfo
+++ b/security/logcheck/distinfo
@ -0,0 +1,3 @@
+MD5 (logcheck-1.1.1.tar.gz) = e97c2f096e219e20310c1b80e9e1bc29
+RMD160 (logcheck-1.1.1.tar.gz) = 1865f598b4bf32af466d4aec5e0803249a61c442
+SHA1 (logcheck-1.1.1.tar.gz) = 18f89f0dacfe9ff31076c006d58e1bcfedaa7f22
--- a/security/logcheck/patches/patch-logcheck_sh
+++ b/security/logcheck/patches/patch-logcheck_sh
@ -0,0 +1,78 @@
+$OpenBSD: patch-logcheck_sh,v 1.1.1.1 2001/12/03 19:17:33 jsyn Exp $
+--- systems/generic/logcheck.sh.orig	Sun Dec  2 14:40:46 2001
+++ systems/generic/logcheck.sh	Sun Dec  2 15:21:27 2001
+@@ -31,7 +31,7 @@
+ 
+ # CONFIGURATION SECTION
+ 
+-PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/ucb:/usr/local/bin
+PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin
+ 
+ # Logcheck is pre-configured to work on most BSD like systems, however it
+ # is a rather dumb program and may need some help to work on other
+@@ -44,7 +44,7 @@ SYSADMIN=root
+ # Full path to logtail program.
+ # This program is required to run this script and comes with the package.
+ 
+-LOGTAIL=/usr/local/bin/logtail
+LOGTAIL=%%LOCALBASE%%/bin/logtail
+ 
+ # Full path to SECURED (non public writable) /tmp directory.
+ # Prevents Race condition and potential symlink problems. I highly
+@@ -52,7 +52,7 @@ LOGTAIL=/usr/local/bin/logtail
+ # You would also be well advised to make sure all your system/cron scripts
+ # use this directory for their "scratch" area. 
+ 
+-TMPDIR=/usr/local/etc/tmp
+TMPDIR=%%LOGCHECK_TMP%%
+ 
+ # The 'grep' command. This command MUST support the
+ # '-i' '-v' and '-f' flags!! The GNU grep does this by default (that's
+@@ -89,7 +89,7 @@ MAIL=mail
+ # look for generic ISS probes (who the hell else looks for 
+ # "WIZ" besides ISS?), and obvious sendmail attacks/probes.
+ 
+-HACKING_FILE=/usr/local/etc/logcheck.hacking
+HACKING_FILE=%%SYSCONFDIR%%/logcheck/logcheck.hacking
+ 
+ # File of security violation patterns to specifically look for.
+ # This file should contain keywords of information administrators should
+@@ -98,7 +98,7 @@ HACKING_FILE=/usr/local/etc/logcheck.hac
+ # some items, but these will be caught by the next check. Move suspicious
+ # items into this file to have them reported regularly.
+ 
+-VIOLATIONS_FILE=/usr/local/etc/logcheck.violations
+VIOLATIONS_FILE=%%SYSCONFDIR%%/logcheck/logcheck.violations
+ 
+ # File that contains more complete sentences that have keywords from
+ # the violations file. These keywords are normal and are not cause for 
+@@ -115,14 +115,14 @@ VIOLATIONS_FILE=/usr/local/etc/logcheck.
+ #
+ # Again, be careful what you put in here and DO NOT LEAVE IT EMPTY!
+ 
+-VIOLATIONS_IGNORE_FILE=/usr/local/etc/logcheck.violations.ignore
+VIOLATIONS_IGNORE_FILE=%%SYSCONFDIR%%/logcheck/logcheck.violations.ignore
+ 
+ # This is the name of a file that contains patterns that we should
+ # ignore if found in a log file. If you have repeated false alarms
+ # or want specific errors ignored, you should put them in here.
+ # Once again, be as specific as possible, and go easy on the wildcards
+ 
+-IGNORE_FILE=/usr/local/etc/logcheck.ignore
+IGNORE_FILE=%%SYSCONFDIR%%/logcheck/logcheck.ignore
+ 
+ # The files are reported in the order of hacking, security 
+ # violations, and unusual system events. Notice that this
+@@ -163,7 +163,12 @@ fi
+ # ALWAYS BE chmod 600 OWNER root!!
+ 
+ # Generic and Linux Slackware 3.x
+#$LOGTAIL /var/log/messages > $TMPDIR/check.$$
+
+# OpenBSD 2.x, 3.x
+ $LOGTAIL /var/log/messages > $TMPDIR/check.$$
+$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
+$LOGTAIL /var/log/authlog >> $TMPDIR/check.$$
+ 
+ # Linux Red Hat Version 3.x, 4.x
+ #$LOGTAIL /var/log/messages > $TMPDIR/check.$$
--- a/security/logcheck/pkg/DEINSTALL
+++ b/security/logcheck/pkg/DEINSTALL
@ -0,0 +1,27 @@
+#!/bin/sh
+# $OpenBSD: DEINSTALL,v 1.1.1.1 2001/12/03 19:17:33 jsyn Exp $
+#
+# logcheck de-installation
+
+set -e
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+PREFIX=${PKG_PREFIX:-/usr/local}
+CONFIG_DIR=${SYSCONFDIR}/logcheck
+TMP_DIR=/var/tmp/logcheck
+
+if [ -d $CONFIG_DIR ]; then
+    echo
+    echo "+---------------"
+    echo "| To completely deinstall the $1 package you need to perform"
+    echo "| these steps as root:"
+    echo "|"
+    echo "|           rm -rf ${CONFIG_DIR}"
+    echo "|           rm -rf ${TMP_DIR}"
+    echo "|"
+    echo "| Do not do this if you plan on re-installing $1"
+    echo "| at some future time."
+    echo "+---------------"
+    echo
+fi
+
+exit 0
--- a/security/logcheck/pkg/DESCR
+++ b/security/logcheck/pkg/DESCR
@ -0,0 +1,5 @@
+Logcheck is a scheduled auditing tool that scans system log files
+for security violations and unusual activity.  Reports of suspicious
+log entries are mailed to a specified user (usually root).
+
+WWW: ${HOMEPAGE}
--- a/security/logcheck/pkg/INSTALL
+++ b/security/logcheck/pkg/INSTALL
@ -0,0 +1,92 @@
+#!/bin/sh
+# $OpenBSD: INSTALL,v 1.1.1.1 2001/12/03 19:17:33 jsyn Exp $
+#
+# Pre/post-installation setup of logcheck
+
+# exit on errors, use a sane path and install prefix
+
+set -e
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+CONFIG_DIR=${SYSCONFDIR}/logcheck
+EXAMPLE_DIR=${PREFIX}/share/examples/logcheck
+DOC_DIR=${PREFIX}/share/doc/logcheck
+TMP_DIR=/var/tmp/logcheck
+
+do_notice()
+{
+    echo
+    echo "+---------------"
+    echo "| The existing $1 configuration files in ${CONFIG_DIR},"
+    echo "| have NOT been changed. You may want to compare them to the"
+    echo "| current sample files in ${EXAMPLE_DIR},"
+    echo "| and update your configuration as needed."
+    echo "|"
+    echo "| Also, verify that your crontab is configured as indicated"
+    echo "| in ${DOC_DIR}/INSTALL."
+    echo "+---------------"
+    echo
+}
+
+do_install()
+{
+    mkdir -m 600 ${SYSCONFDIR}/logcheck
+    if [ ! -d ${TMP_DIR} ]; then
+       mkdir -m 600 ${TMP_DIR}
+    fi
+    install -o root -g wheel -m 700 ${EXAMPLE_DIR}/logcheck.sh ${CONFIG_DIR}
+    install -o root -g wheel -m 600 ${EXAMPLE_DIR}/logcheck.hacking \
+       ${CONFIG_DIR}
+    install -o root -g wheel -m 600 ${EXAMPLE_DIR}/logcheck.ignore ${CONFIG_DIR}
+    install -o root -g wheel -m 600 ${EXAMPLE_DIR}/logcheck.violations \
+       ${CONFIG_DIR}
+    install -o root -g wheel -m 600 ${EXAMPLE_DIR}/logcheck.violations.ignore \
+       ${CONFIG_DIR}
+
+    echo
+    echo "+---------------"
+    echo "| The $1 configuration files have been installed at"
+    echo "| ${CONFIG_DIR}. Please view these files and change the" 
+    echo "| configuration to meet your needs."
+    echo "|"
+    echo "| Currently $1 will check the following files:"
+    echo "|"
+    echo "| /var/log/messages"
+    echo "| /var/log/maillog"
+    echo "| /var/log/authlog"
+    echo "|"
+    echo "| Edit ${CONFIG_DIR}/logcheck.sh if you want to add more files."
+    echo "|"
+    echo "| Be sure to configure your crontab as indicated by"
+    echo "| ${DOC_DIR}/INSTALL so that $1"
+    echo "| is run regularly."
+    echo "+---------------"
+    echo
+}
+
+# verify proper execution
+#
+if [ $# -ne 2 ]; then
+    echo "usage: $0 distname { PRE-INSTALL | POST-INSTALL }" >&2
+    exit 1
+fi
+
+# Verify/process the command
+#
+case $2 in
+    PRE-INSTALL)
+	: nothing to pre-install for this port
+	;;
+    POST-INSTALL)
+	if [ ! -d $CONFIG_DIR ]; then
+	    do_install $1
+	else
+	    do_notice $1
+	fi
+	;;
+    *)
+	echo "usage: $0 distname { PRE-INSTALL | POST-INSTALL }" >&2
+	exit 1
+	;;
+esac
+
+exit 0
--- a/security/logcheck/pkg/PLIST
+++ b/security/logcheck/pkg/PLIST
@ -0,0 +1,14 @@
+@comment $OpenBSD: PLIST,v 1.1.1.1 2001/12/03 19:17:33 jsyn Exp $
+bin/logtail
+share/doc/logcheck/CREDITS
+share/doc/logcheck/INSTALL
+share/doc/logcheck/README
+share/doc/logcheck/README.how.to.interpret
+share/doc/logcheck/README.keywords
+share/examples/logcheck/logcheck.hacking
+share/examples/logcheck/logcheck.ignore
+share/examples/logcheck/logcheck.sh
+share/examples/logcheck/logcheck.violations
+share/examples/logcheck/logcheck.violations.ignore
+@dirrm share/examples/logcheck
+@dirrm share/doc/logcheck