rpms/logwatch/F-12 logwatch-7.3.6-audit4.patch, NONE, 1.1 logwatch-7.3.6-dhcpd.patch, NONE, 1.1 logwatch-7.3.6-dovecot2.patch, NONE, 1.1 logwatch-7.3.6-named6.patch, NONE, 1.1 logwatch-7.3.6-openvpn4.patch, NONE, 1.1 logwatch-7.3.6-pam_unix4.patch, NONE, 1.1 logwatch-7.3.6-secure3.patch, NONE, 1.1 logwatch.spec, 1.120, 1.121
Karel Klíč
kklic at fedoraproject.org
Wed Dec 16 15:50:06 UTC 2009
Author: kklic
Update of /cvs/extras/rpms/logwatch/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv7214
Modified Files:
logwatch.spec
Added Files:
logwatch-7.3.6-audit4.patch logwatch-7.3.6-dhcpd.patch
logwatch-7.3.6-dovecot2.patch logwatch-7.3.6-named6.patch
logwatch-7.3.6-openvpn4.patch logwatch-7.3.6-pam_unix4.patch
logwatch-7.3.6-secure3.patch
Log Message:
added patches from F10 parsing several unmatched entries
logwatch-7.3.6-audit4.patch:
audit | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- NEW FILE logwatch-7.3.6-audit4.patch ---
diff -up logwatch-7.3.6/scripts/services/audit.pom logwatch-7.3.6/scripts/services/audit
--- logwatch-7.3.6/scripts/services/audit.pom 2009-10-12 12:42:39.000000000 +0200
+++ logwatch-7.3.6/scripts/services/audit 2009-10-12 12:47:19.000000000 +0200
@@ -70,7 +70,7 @@ while ($ThisLine = <STDIN>) {
chomp($ThisLine);
if (( $ThisLine =~ /initializing netlink socket \(disabled\)/) or
( $ThisLine =~ /audit_pid=[0-9]* old=[0-9]*(?: by auid=[0-9]*)?/) or
- ( $ThisLine =~ /(arch=[0-9]+ )?syscall=[0-9]+ (success=(no|yes) )?exit=[0-9-]+( a[0-3]=[0-9a-f]+)* items=[0-9]+ pid=[0-9]+ (loginuid=[0-9-]+ )?(auid=[0-9]+ )?uid=[0-9]+ gid=[0-9]+ euid=[0-9]+ suid=[0-9]+ fsuid=[0-9]+ egid=[0-9]+ sgid=[0-9]+ fsgid=[0-9]+/) or
+ ( $ThisLine =~ /(arch=[0-9]+ )?syscall=[0-9]+ (success=(no|yes) )?exit=[0-9-]+( a[0-3]=[0-9a-f]+)* items=[0-9]+ (ppid=[0-9]+ )?pid=[0-9]+ (loginuid=[0-9-]+ )?(auid=[0-9]+ )?uid=[0-9]+ gid=[0-9]+ euid=[0-9]+ suid=[0-9]+ fsuid=[0-9]+ egid=[0-9]+ sgid=[0-9]+ fsgid=[0-9]+/) or
( $ThisLine =~ /Audit daemon rotating log files/) or
( $ThisLine =~ /audit_backlog_limit=[0-9]* old=[0-9]*(?: by auid=[0-9]*)?/) or
( $ThisLine =~ /SELinux: unrecognized netlink message type=[0-9]+ for sclass=[0-9]+/) or
@@ -83,7 +83,8 @@ while ($ThisLine = <STDIN>) {
( $ThisLine =~ /audit\([0-9.]+:[0-9]+\): (selinux=[0-9]+|auid=[0-9]+|prom=[0-9]+|old_prom=[0-9]+|dev=[^ ]+| )+$/) or
( $ThisLine =~ /auditd[ ]+S [0-9A-F]+ [0-9]+ [0-9]+[ ]+[0-9]([ ]*[0-9]+[ ]*|[ ]*)[0-9]+ [0-9]+ \(NOTLB\)/) or
( $ThisLine =~ /Started dispatcher: \/sbin\/audispd pid: [0-9]+/) or
- ( $ThisLine =~ /audit\([0-9.]*:[0-9]*\): bool=.* val=.* old_val=.* auid=[0-9]*/)
+ ( $ThisLine =~ /audit\([0-9.]*:[0-9]*\): bool=.* val=.* old_val=.* auid=[0-9]*/) or
+ ( $ThisLine =~ /item=[0-9] name="\S*" inode=[0-9]+ dev=\S* mode=[0-9]* ouid=[0-9]* ogid=[0-9]* rdev=[0-9:]* obj=\S*/)
) {
# Ignore these entries
} elsif ( $ThisLine =~ /audit\([0-9]{10}.[0-9]{3}:[0-9]\): initialized$/) {
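Review bot: The added `item=[0-9] name="\S*" inode=...` alternative only matches a single-digit item index and a double-quoted name, so path records in any other shape fall through to the unmatched report instead of the ignore list. If this audit version can also emit the name unquoted (hex-encoded, for example) or use item numbers of 10 and above, loosening those two fields to `item=[0-9]+ name=\S+` would cover them; this is inferred from the pattern alone, so confirm it against real records. A sample log line in a comment next to the new alternative would make its intent checkable. The condition list starts above this hunk.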
logwatch-7.3.6-dhcpd.patch:
dhcpd | 4 ++++
1 file changed, 4 insertions(+)
--- NEW FILE logwatch-7.3.6-dhcpd.patch ---
diff -up logwatch-7.3.6/scripts/services/dhcpd.p logwatch-7.3.6/scripts/services/dhcpd
--- logwatch-7.3.6/scripts/services/dhcpd.p 2006-10-20 23:12:27.000000000 +0200
+++ logwatch-7.3.6/scripts/services/dhcpd 2009-11-03 14:15:43.000000000 +0100
@@ -127,6 +127,10 @@ while (my $line = <STDIN>) {
if ($Detail >= 3) {
$data{'Warnings'}{$line}++;
}
+ } elsif ($line =~ s/uid lease ([\d.]*) for client ([^ ]*) is duplicate on ([^ ]*)/uid lease $1 for client $2 is duplicate/) {
+ if ($Detail >= 3) {
+ $data{'Duplicate lease'}{$line}++;
+ }
} else {
$data{'Unknown Entries'}{$line}++;
}
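Review bot: The new `uid lease ... is duplicate on ...` branch has no comment explaining why the substitution drops the trailing `on <network>` field, and no sample line like the ones other service scripts carry. I would add a comment above the `elsif` such as `# strip the network so identical client/lease pairs aggregate into one counter`, plus one representative log line. Note also that `[\d.]*` and `[^ ]*` accept empty fields, so a truncated line is still counted as a duplicate lease; `[\d.]+` and `[^ ]+` would be stricter. The enclosing `while` loop starts and ends outside the hunk.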
logwatch-7.3.6-dovecot2.patch:
dovecot | 12 ++++++++++++
1 file changed, 12 insertions(+)
--- NEW FILE logwatch-7.3.6-dovecot2.patch ---
diff -up logwatch-7.3.6/scripts/services/dovecot.pom logwatch-7.3.6/scripts/services/dovecot
--- logwatch-7.3.6/scripts/services/dovecot.pom 2009-10-12 12:48:21.000000000 +0200
+++ logwatch-7.3.6/scripts/services/dovecot 2009-10-12 13:19:04.000000000 +0200
@@ -103,6 +103,8 @@ while (defined($ThisLine = <STDIN>)) {
$Disconnected{"no reason"}++;
} elsif (($Reason) = ($ThisLine =~ /Disconnected: (.*) \[/) ) {
$Disconnected{$Reason}++;
+ } elsif (($Reason) = ($ThisLine =~ /Disconnected \((.*)\):/) ) {
+ $Disconnected{$Reason}++;
} elsif (($Reason, $Host) = ($ThisLine =~ /TLS initialization failed/) ) {
$TLSInitFail++;
} elsif (($Host) = ($ThisLine =~ /Aborted login \[(.*)\]/)) {
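Review bot: The new `Disconnected \((.*)\):` branch captures greedily, so if anything later on the line contains `):` the reason key swallows everything up to that last occurrence. Those later fields likely include client-supplied values such as the login name (inferred, since the log format is not shown here), which would let a remote client split `%Disconnected` into many one-off keys and bloat the report. Bounding the capture to the parenthesised text avoids that: `/Disconnected \(([^)]*)\):/`. The `if`/`elsif` chain begins outside the hunk.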
@@ -135,6 +137,9 @@ while (defined($ThisLine = <STDIN>)) {
} elsif (($Error) = ($ThisLine =~ /child \d* \(login\) returned error (.*)/)) {
# dovecot: child 23747 (login) returned error 89
$ChildErr{$Error}++;
+ } elsif (($Name) = ($ThisLine =~ /dovecot: IMAP\((.*)\): .*(.*) failed: Disk quota exceeded/)) {
+ # dovecot: IMAP(podracka): mkdir(/home/LF/KLINIKY/podracka/mail/.imap/saved-messages) failed: Disk quota exceeded
+ $DiskQuotaExceed{$Name}++;
} else {
# Report any unmatched entries...
chomp($ThisLine);
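Review bot: In the new disk-quota branch the second `(.*)` in `.*(.*) failed:` is an unescaped capture group, not the literal parentheses of `mkdir(...)` shown in the sample comment; it always captures the empty string and the pattern matches any text before ` failed:`. The first capture `IMAP\((.*)\)` is also greedy, so a path containing `): ` would be pulled into the user name. I would write it as `/dovecot: IMAP\(([^)]*)\): \w+\(.*\) failed: Disk quota exceeded/`. This assumes `%DiskQuotaExceed` is declared or initialised elsewhere in the script, which the hunk does not show.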
@@ -261,6 +266,13 @@ if ($TLSInitFail > 0) {
print "\n\nTLS Initialization failed $TLSInitFail Time(s)";
}
+if (keys %DiskQuotaExceed) {
+ print "\n\nDisk quota exceeded:";
+ foreach my $Name (sort keys %DiskQuotaExceed) {
+ print "\n disk quota for user '". $Name . "' exceeded: ". $DiskQuotaExceed{$Name} ." Time(s)";
+ }
+}
+
if (keys %OtherList) {
print "\n\n**Unmatched Entries**\n";
foreach $line (sort {$a cmp $b} keys %OtherList) {
logwatch-7.3.6-named6.patch:
named | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- NEW FILE logwatch-7.3.6-named6.patch ---
diff -up logwatch-7.3.6/scripts/services/named.named6 logwatch-7.3.6/scripts/services/named
--- logwatch-7.3.6/scripts/services/named.named6 2009-12-16 15:04:47.000000000 +0100
+++ logwatch-7.3.6/scripts/services/named 2009-12-16 15:08:25.836379108 +0100
@@ -190,7 +190,10 @@ while (defined($ThisLine = <STDIN>)) {
($ThisLine =~ /using default UDP\/IPv[46] port range: \[[0-9]*, [0-9]*\]/) or
($ThisLine =~ /adjusted limit on open files from [0-9]* to [0-9]*/) or
($ThisLine =~ /using up to [0-9]* sockets/) or
- ($ThisLine =~ /built with/)
+ ($ThisLine =~ /built with/) or
+ ($ThisLine =~ /'.*': TTL differs in rdataset, adjusting [0-9]* -> [0-9]*/) or
+ ($ThisLine =~ /max open files \([0-9]*\) is smaller than max sockets \([0-9]*\)/) or
+ ($ThisLine =~ /clients-per-query decreased to .*/)
# too many timeouts resolving 'ns-ext.nrt1.isc.org/AAAA' (in '.'?): disabling EDNS: 3 Time(s)
) {
# Don't care about these...
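Review bot: The added `max open files \([0-9]*\) is smaller than max sockets \([0-9]*\)` alternative puts a resource-limit warning into the unconditional ignore list, so it is dropped at every detail level. That message points at a misconfiguration an operator may want to see at least once, so counting it and printing it at a higher `$Detail` would be safer than discarding it. Separately, the trailing `.*` in `clients-per-query decreased to .*` is redundant on an unanchored match, and `'.*': TTL differs` could be tightened to `'[^']*'`. The condition list starts above the hunk.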
logwatch-7.3.6-openvpn4.patch:
openvpn | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- NEW FILE logwatch-7.3.6-openvpn4.patch ---
diff -up logwatch-7.3.6/scripts/services/openvpn.pom logwatch-7.3.6/scripts/services/openvpn
--- logwatch-7.3.6/scripts/services/openvpn.pom 2009-10-12 14:51:50.000000000 +0200
+++ logwatch-7.3.6/scripts/services/openvpn 2009-10-12 14:51:25.000000000 +0200
@@ -71,7 +71,7 @@ while (defined($ThisLine = <STDIN>)) {
($ThisLine =~ /^TLS: soft reset/) or
($ThisLine =~ /^TLS: tls_process: killed expiring key$/) or
($ThisLine =~ /^TLS: move_session: dest=.* src=.* reinit_src=[0-9]*/) or
- ($ThisLine =~ /^TLS: tls_multi_process: untrusted session promoted to trusted/) or
+ ($ThisLine =~ /^TLS: tls_multi_process: untrusted session promoted to (semi-)?trusted/) or
($ThisLine =~ /^TLS: new session incoming connection from .*/) or
($ThisLine =~ /^TUN\/TAP device \w+ opened/) or
($ThisLine =~ /^UDPv4 link /) or
@@ -81,6 +81,11 @@ while (defined($ThisLine = <STDIN>)) {
($ThisLine =~ /TUN\/TAP TX queue length set to [0-9]*/) or
($ThisLine =~ /Socket Buffers: R=\[[0-9]+->[0-9]+\] S=\[[0-9]+->[0-9]+\]/) or
($ThisLine =~ /OpenVPN .* built on [A-Z][a-z]{2} [ 12]?[0-9] [0-9]{4}/) or
+ ($ThisLine =~ /CRL CHECK OK: \/.*\//) or
+ ($ThisLine =~ /TLS: tls_multi_process: killed expiring key/) or
+ ($ThisLine =~ /read UDPv4 \[.*\]: No route to host \(code=[0-9]*\)/) or
+ ($ThisLine =~ /TLS Error: TLS object -> incoming plaintext read error/) or
+ ($ThisLine =~ /TLS ERROR: received control packet with stale session-id=.*/) or
($ThisLine =~ /Authenticate\/Decrypt packet error: bad packet ID \(may be a replay\): \[ #.* \] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings/)
) {
# Don't care about these...
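Review bot: Three of the new alternatives, `TLS Error: TLS object -> incoming plaintext read error`, `TLS ERROR: received control packet with stale session-id=.*` and `read UDPv4 \[.*\]: No route to host`, are added to the unconditional ignore list. That removes TLS failures from the report entirely, so a burst of them (failed handshakes, stale or replayed control packets) becomes invisible. I would count them per message and print a one-line total, leaving only `CRL CHECK OK` and `killed expiring key` in the ignore list. The new patterns are also unanchored, unlike the `^TLS:` entries earlier in the same condition. The condition opens outside the hunk.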
logwatch-7.3.6-pam_unix4.patch:
pam_unix | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
--- NEW FILE logwatch-7.3.6-pam_unix4.patch ---
diff -up logwatch-7.3.6/scripts/services/pam_unix.pom logwatch-7.3.6/scripts/services/pam_unix
--- logwatch-7.3.6/scripts/services/pam_unix.pom 2009-10-12 14:55:08.000000000 +0200
+++ logwatch-7.3.6/scripts/services/pam_unix 2009-10-12 15:06:46.000000000 +0200
@@ -204,6 +204,8 @@ while ($line = <STDIN>) {
} elsif ($service eq 'dovecot') {
if ($line =~ s/^authentication failure; .*user=(.+)$/$1/) {
$data{$service}{'Authentication Failures'}{$line}++;
+ } elsif ($line =~ /check pass; user unknown/) {
+ $data{$service}{'Invalid Users'}{'Unknown Account'}++;
} else {
$data{$service}{'Unknown Entries'}{$line}++;
}
@@ -225,11 +227,13 @@ while ($line = <STDIN>) {
} else {
$data{$service}{'Unknown Entries'}{$line}++;
}
- } elsif ($service eq 'pure-ftpd') {
+ } elsif (($service eq 'pure-ftpd') || ($service eq 'vsftpd')){
if ($line =~ s/^session opened for user (.+)/$1/) {
$data{$service}{'Sessions Opened'}{$line}++;
} elsif ($line =~ s/^check pass; (.+)/$1/) {
$data{$service}{'Password Failures'}{$line}++;
+ } elsif ($line =~ s/^authentication failure; .*user=(.+)$/$1/) {
+ $data{$service}{'Authentication Failures'}{$line}++;
} else {
$data{$service}{'Unknown Entries'}{$line}++;
}
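Review bot: The added `s/^authentication failure; .*user=(.+)$/$1/` can match the `ruser=` field, because `user=` is not required to start a word. When a line has no trailing `user=` field (inferred from the usual pam_unix layout, not shown here), the capture becomes the remote-supplied `ruser` value plus everything after it, and that is reported as the failing account. Requiring a word boundary fixes it: `s/^authentication failure; .*\buser=(.+)$/$1/`. The same applies to the `logname=(\S*) uid=(\d+).*user=(\S*)$` pattern in the new `smtp` branch further down this patch.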
@@ -255,7 +259,7 @@ while ($line = <STDIN>) {
$data{$service}{'Unknown Entries'}{$line}++;
}
} elsif (($service eq 'samba') or ($service eq 'smbd')) {
- if ($line =~ s/^session opened for user ([a-zA-Z\d]+) by (.+)/$1/) {
+ if ($line =~ s/^session opened for user (\S+) by (.+)/$1/) {
($Detail >= 5) && $data{$service}{'Sessions Opened'}{$line}++;
} elsif ($line =~ s/^session closed for user (.+)/$1/) {
($Detail >= 8) && $data{$service}{'Sessions Closed'}{$line}++;
@@ -297,7 +301,16 @@ while ($line = <STDIN>) {
} else {
$data{$service}{'Unknown Entries'}{$line}++;
}
-
+ } elsif ($service eq 'smtp') {
+ if ($line =~ s/^authentication failure; logname=(\S*) uid=(\d+).*user=(\S*)$/$1($2) -> $3/) {
+ $data{$service}{'Authentication Failures'}{$line}++;
+ } elsif ($line =~ /authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=/) {
+ # ignore this line
+ } elsif ($line =~ /check pass; user unknown/) {
+ $data{$service}{'Invalid Users'}{'Unknown Account'}++;
+ } else {
+ $data{$service}{'Unknown Entries'}{$line}++;
+ }
} else {
$data{$service}{'Unknown Entries'}{$line}++;
}
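Review bot: The "ignore this line" branch for `smtp` is not anchored at the end, so `/authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=/` also matches lines where `rhost=` carries an address. Any such failure that did not match the first substitution (for instance because it has no `user=` field) is then silently discarded instead of being counted or listed as unknown. If the intent is to drop only the all-empty form, end-anchor it: `/authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=\s*$/`. The surrounding `if`/`elsif` chain on `$service` starts outside the hunk.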
logwatch-7.3.6-secure3.patch:
secure | 12 ++++++++++++
1 file changed, 12 insertions(+)
--- NEW FILE logwatch-7.3.6-secure3.patch ---
diff -up logwatch-7.3.6/scripts/services/secure.pom logwatch-7.3.6/scripts/services/secure
--- logwatch-7.3.6/scripts/services/secure.pom 2009-10-12 11:33:15.000000000 +0200
+++ logwatch-7.3.6/scripts/services/secure 2009-10-12 12:38:29.000000000 +0200
@@ -435,6 +435,9 @@ while (defined($ThisLine = <STDIN>)) {
} elsif ( ($User) = ($ThisLine =~ /useradd.*failed adding user `(.*)', data deleted/) ) {# failed adding user/)) {# (.*), data deleted/)) {
# useradd: failed adding user `rpcuser', data deleted
$FailedAddUsers{$User}++;
+ } elsif (($User,$Reason) = ($ThisLine =~ /dovecot-auth: pam_userdb\(dovecot:auth\): user `(.*)' denied access \((.*)\)/)) {
+ # dovecot-auth: pam_userdb(dovecot:auth): user `bobok' denied access (incorrect password)
+ $DeniedAccess{"$User,$Reason"}++;
} else {
# Unmatched entries...
$ThisLine =~ s/\[\d+\]:/:/;
@@ -535,6 +538,7 @@ if (keys %UnknownUser) {
if ($pwd_file_unknown > 0) {
print "\nUsers unknown in password database (pwd_file): $pwd_file_unknown\n";
}
+
if ($pwd_file_too_short > 0) {
print "\nPassword too short or NULL (pwd_file): $pwd_file_too_short Time(s)\n";
}
@@ -594,6 +598,14 @@ if (keys %{$FailedSaver}) {
}
}
+if (keys %DeniedAccess) {
+ print "\ndovecot-auth: Denied access\n";
+ foreach (keys %DeniedAccess) {
+ ($User,$Reason) = split ",";
+ print " for user " . $User . " (reason: " . $Reason . ") :" . $DeniedAccess{"$User,$Reason"} . " Time(s)\n";
+ }
+}
+
if (keys %NoIP) {
print "\nCouldn't get client IPs for connections to:\n";
foreach $ThisOne (sort {$a cmp $b} keys %NoIP) {
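Review bot: The `%DeniedAccess` report rebuilds its lookup key from `split ","`, but the key was stored as `"$User,$Reason"` in the earlier hunk of this patch, and both parts come from the log line. A login name or reason containing a comma splits into more than two fields, the rebuilt key no longer exists, and the line prints with an empty count under the wrong user. Storing the counter as `$DeniedAccess{$User}{$Reason}++;` in the parsing hunk and iterating both levels removes the separator problem and allows sorted output like the neighbouring sections. The `(.*)` captures in the parsing regex are greedy and could also be bounded with `[^']*` and `[^)]*`.

```perl
if (keys %DeniedAccess) {
   print "\ndovecot-auth: Denied access\n";
   foreach my $DeniedUser (sort keys %DeniedAccess) {
      foreach my $DeniedReason (sort keys %{$DeniedAccess{$DeniedUser}}) {
         print " for user " . $DeniedUser . " (reason: " . $DeniedReason . ") :" . $DeniedAccess{$DeniedUser}{$DeniedReason} . " Time(s)\n";
      }
   }
}
```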
Index: logwatch.spec
===================================================================
RCS file: /cvs/extras/rpms/logwatch/F-12/logwatch.spec,v
retrieving revision 1.120
retrieving revision 1.121
diff -u -p -r1.120 -r1.121
--- logwatch.spec 16 Dec 2009 11:22:56 -0000 1.120
+++ logwatch.spec 16 Dec 2009 15:50:06 -0000 1.121
@@ -54,9 +54,17 @@ Patch54: logwatch-7.3.6-exim2.patch
Patch55: logwatch-7.3.6-removeservice.patch
Patch56: logwatch-7.3.6-cron_conf.patch
Patch57: logwatch-7.3.6-named5.patch
+# Sent to upstream.
Patch58: logwatch-7.3.6-iptables.patch
# Not sent to upstream.
Patch59: logwatch-7.3.6-lost-connection.patch
+Patch60: logwatch-7.3.6-secure3.patch
+Patch61: logwatch-7.3.6-audit4.patch
+Patch62: logwatch-7.3.6-dovecot2.patch
+Patch63: logwatch-7.3.6-openvpn4.patch
+Patch64: logwatch-7.3.6-pam_unix4.patch
+Patch65: logwatch-7.3.6-dhcpd.patch
+Patch66: logwatch-7.3.6-named6.patch
Requires: textutils sh-utils grep mailx
Requires: perl(Date::Manip)
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -120,6 +128,13 @@ of the package on many systems.
%patch57 -p1
%patch58 -p1
%patch59 -p1
+%patch60 -p1
+%patch61 -p1
+%patch62 -p1
+%patch63 -p1
+%patch64 -p1
+%patch65 -p1
+%patch66 -p1
rm -f scripts/services/*.orig
%build
@@ -244,8 +259,12 @@ rm -rf %{buildroot}
%changelog
* Wed Dec 2 2009 Karel Klic <kklic at redhat.com> 7.3.6-49
-- Add 802.1q subinterface support to iptables report (#507743)
+- Add 802.1q subinterface support to iptables report; iptables.patch (#507743)
- Fixed error in the RE that matches "lost connection" lines in postfix script; lost-connection.patch (#525903)
+- Added patches parsing several unmatched entries (from F-10);
+ audit4.patch modified to make ppid optional;
+ openvpn4.patch modified to make "semi-" optional;
+ pam_unix4.patch modified (user name matched by \S+)
* Tue Aug 11 2009 Ivana Varekova <varekova at redhat.com> 7.3.6-48
- parse a few unmatched entries in named script (#513853)