rpms/logwatch/devel logwatch-6.1.2-audit.patch, NONE, 1.1 logwatch.spec, 1.22, 1.23
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Fri Sep 30 08:41:58 UTC 2005
Author: varekova
Update of /cvs/dist/rpms/logwatch/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv12331
Modified Files:
logwatch.spec
Added Files:
logwatch-6.1.2-audit.patch
Log Message:
add audit script patch to recognize number of unmatched entries
logwatch-6.1.2-audit.patch:
audit | 145 +++++++++++++++++++++++++++++++++++++++++++++++++++---------------
1 files changed, 114 insertions(+), 31 deletions(-)
--- NEW FILE logwatch-6.1.2-audit.patch ---
--- logwatch-6.1.2/scripts/services/audit.p02 2005-06-07 20:43:32.000000000 +0200
+++ logwatch-6.1.2/scripts/services/audit 2005-09-30 10:10:47.031136856 +0200
@@ -27,54 +27,91 @@
my $othercount = 0;
my $Debug = ($ENV{'LOGWATCH_DEBUG'} || 0);
my $Detail = ($ENV{'LOGWATCH_DETAIL_LEVEL'} || 0);
+my $NumberOfInits = 0;
+my $NumberOfDStarts = 0;
+my $NumberOfDStartsPid = 0;
+my $NumberOfDStops = 0;
+my $NumberOfDdStarts = 0;
+my $NumberOfDdStops = 0;
+my $NumberOfLostMessages = 0;
+my %InvalidContext = ();
+my %BugLog = ();
+my $UELimit = 10;
+my $ThisLine;
# No sense in running if selinux doesn't even exist on this system
exit(0) unless -d '/selinux';
print STDERR "\n\nDEBUG: Inside audit filter\n\n" if ( $Debug >= 5 );
-if ( $Detail > 9 ) {
- while (<STDIN>) {
- chomp;
- if ( /avc:\s*denied\s*{\s*([^}]+).*scontext=(\S+)\s*tcontext=(\S+)\s*tclass=(\S+)/ ) {
+while ($ThisLine = <STDIN>) {
+ chomp($ThisLine);
+ if (( $ThisLine =~ /initializing netlink socket \(disabled\)/) or
+ ( $ThisLine =~ /audit_pid=[0-9]* old=[0-9]*(?: by auid=[0-9]*)?/) or
+ ( $ThisLine =~ /syscall=[0-9]+ exit=[0-9]+( a[0-3]=[0-9a-f]*)* items=[0-9]* pid=[0-9]* loginuid=[0-9-]* uid=[0-9]* gid=[0-9]* euid=[0-9]* suid=[0-9]* fsuid=[0-9]* egid=[0-9]* sgid=[0-9]* fsgid=[0-9]*/) or
+ ( $ThisLine =~ /Audit daemon rotating log files/) or
+ ( $ThisLine =~ /audit_backlog_limit=[0-9]* old=[0-9]*(?: by auid=[0-9]*)?/)
+ ) {
+ # Ignore these entries
+ } elsif ( $ThisLine =~ /audit\([0-9]{10}.[0-9]{3}:[0-9]\): initialized$/) {
+ $NumberOfInits++;
+ } elsif ( $ThisLine =~ /Init complete, audit pid set to: [0-9]+/) {
+ $NumberOfDStartsPid++;
+ } elsif ( $ThisLine =~ /Init complete, auditd [0-9,.]+ listening for events/) {
+ $NumberOfDStarts++;
+ } elsif ( $ThisLine =~ /The audit daemon is exiting./) {
+ $NumberOfDStops++;
+ } elsif ( $ThisLine =~ /audit_lost=[0-9]+ audit_backlog=[0-9]+ audit_rate_limit=[0-9]+ audit_backlog_limit=[0-9]+$/) {
+ $NumberOfLostMessages++;
+ } elsif ( $ThisLine =~ /auditd startup succeeded/) {
+ $NumberOfDdStarts++;
+ } elsif ( $ThisLine =~ /auditd shutdown succeeded/) {
+ $NumberOfDdStops++;
+ } elsif (( $ThisLine =~ /netlink socket too busy/) or
+ ( $ThisLine =~ /Error sending signal_info request \(Invalid argument\)/) or
+ ( $ThisLine =~ /major=[0-9]+ name_count=[0-9]+: freeing multiple contexts \([1-2]\)/)) {
+ $ThisLine =~ s/audit\(:[0-9]+\): //;
+ $BugLog{$ThisLine}++;
+ } elsif ( $Detail > 9 ) {
+ if ( $ThisLine =~ /avc:\s*denied\s*{\s*([^}]+).*scontext=(\S+)\s*tcontext=(\S+)\s*tclass=(\S+)/ ) {
$denials{$2.' '.$3.' ('.$1.$4 . ')'}++;
- } elsif ( /avc:\s*granted\s*{\s*([^}]+).*scontext=(\S+)\s*tcontext=(\S+)\s*tclass=(\S+)/ ) {
+ } elsif ( $ThisLine =~ /avc:\s*granted\s*{\s*([^}]+).*scontext=(\S+)\s*tcontext=(\S+)\s*tclass=(\S+)/ ) {
$grants{$2.' '.$3.' ('.$1.$4 . ')'}++;
- } else {
+ } elsif ($ThisLine =~ /security_compute_sid:\s*invalid context\s*(\S+)\s*for\s*scontext=(\S+)\s*tcontext=(\S+)\s*tclass=(\S+)/ ) {
+ $InvalidContext{$4." running as ".$2." acting on ".$3." \nshould transit to invalid ".$1}++;
+ } else {
$othercount++;
- s/^\s*//;
- if ($othercount < 11) {
- push @OtherList, $_;
+ $ThisLine =~ s/^\s*//;
+ if ($othercount < $UELimit+1) {
+ push @OtherList, $ThisLine;
}
}
- }
-} elsif ( $Detail > 4 ) {
- while (<STDIN>) {
- chomp;
- if ( /avc:\s*denied\s*{\s*[^}]+.*scontext=(\S+)\s*tcontext=(\S+)\s*tclass=(\S+)/ ) {
+ } elsif ( $Detail > 4 ) {
+ if ( $ThisLine =~ /avc:\s*denied\s*{\s*[^}]+.*scontext=(\S+)\s*tcontext=(\S+)\s*tclass=(\S+)/ ) {
$denials{$1.' '.$2.' ('.$3 . ')'}++;
- } elsif ( /avc:\s*granted\s*{\s*[^}]+}.*scontext=(\S+)\s*tcontext=(\S+)\s*tclass=(\S+)/ ) {
+ } elsif ( $ThisLine =~ /avc:\s*granted\s*{\s*[^}]+}.*scontext=(\S+)\s*tcontext=(\S+)\s*tclass=(\S+)/ ) {
$grants{$1.' '.$2.' ('.$3 . ')'}++;
+ } elsif ($ThisLine =~ /security_compute_sid:\s*invalid context\s*(\S+)\s*for\s*scontext=(\S+)\s*tcontext=\S+\s*tclass=(\S+)/ ) {
+ $InvalidContext{$3." running as ".$2." should transit to invalid ".$1}++;
} else {
$othercount++;
- s/^\s*//;
- if ($othercount < 11) {
- push @OtherList, $_;
+ $ThisLine =~ s/^\s*//;
+ if ($othercount < $UELimit+1) {
+ push @OtherList, $ThisLine;
}
}
- }
-} else {
- while (<STDIN>) {
- chomp;
- if ( /avc:\s*denied\s*{\s*[^}]+.*scontext=([^:]+):[^:]+:\S+\s*tcontext=([^:]+):[^:]+:\S+\s*tclass=(\S+)/ ) {
+ } else {
+ if ( $ThisLine =~ /avc:\s*denied\s*{\s*[^}]+.*scontext=([^:]+):[^:]+:\S+\s*tcontext=([^:]+):[^:]+:\S+\s*tclass=(\S+)/ ) {
$denials{$1.' '.$2.' ('.$3 . ')'}++;
- } elsif ( /avc:\s*granted\s*{\s*[^}]+.*scontext=([^:]+):[^:]+:\S+\s*tcontext=([^:]+):[^:]+:\S+\s*tclass=(\S+)/ ) {
+ } elsif ( $ThisLine =~ /avc:\s*granted\s*{\s*[^}]+.*scontext=([^:]+):[^:]+:\S+\s*tcontext=([^:]+):[^:]+:\S+\s*tclass=(\S+)/ ) {
$grants{$1.' '.$2.' ('.$3 . ')'}++;
+ } elsif ($ThisLine =~ /security_compute_sid:\s*invalid context\s*(\S+)\s*for\s*scontext=(\S+)\s*tcontext=\S+\s*tclass=(\S+)/ ) {
+ $InvalidContext{$3." running as ".$2." should transit to invalid ".$1}++;
} else {
$othercount++;
- s/^\s*//;
- if ($othercount < 11) {
- push @OtherList, $_;
+ $ThisLine =~ s/^\s*//;
+ if ($othercount < $UELimit+1) {
+ push @OtherList, $ThisLine;
}
}
}
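Review bot: The initialization pattern on the `initialized$` line matches only a single-digit serial number, `audit\([0-9]{10}.[0-9]{3}:[0-9]\)`, and leaves the timestamp separator `.` unescaped, so an `initialized` record whose serial is 10 or more falls through to the Unmatched Entries list instead of incrementing $NumberOfInits; `audit\([0-9]{10}\.[0-9]{3}:[0-9]+\): initialized$` fixes both. The syscall pattern in the ignore group requires `exit=[0-9]+`, which rejects a negative exit value, so if failed syscalls are logged with a negative exit (audit reports errno results that way — confirm against the log format in use) those records are not ignored but reported as unmatched; whichever behaviour is intended, the bare `# Ignore these entries` comment should say why syscall records are dropped at every detail level, since this silently hides hits from audit watch rules in the report. The unmatched-entry handling (`$othercount++`, the leading-whitespace strip and the guarded `push @OtherList`) is duplicated verbatim in the three detail branches; a small helper would keep the $UELimit logic in one place. The while loop opened in this hunk is closed after it, and %denials, %grants and @OtherList are declared before it.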
@@ -83,23 +120,69 @@
if ( keys %denials ) {
print "\n\n*** Denials ***\n";
foreach my $key (sort keys %denials) {
- print " $key: ". $denials{$key} . " times\n";
+ print " $key: ". $denials{$key} . " times\n";
}
}
if ( keys %grants ) {
print "\n\n*** Grants ***\n";
foreach my $key (sort keys %grants) {
- print " $key: ". $grants{$key} . " times\n";
+ print " $key: ". $grants{$key} . " times\n";
+ }
+}
+
+if ( keys %InvalidContext) {
+ print "\n\n*** Invalid Context ***\n";
+ foreach my $key (sort keys %InvalidContext) {
+ print " $key: ". $InvalidContext{$key} . " times\n";
+ }
+}
+
+
+
+if ($NumberOfDStarts+$NumberOfDStartsPid) {
+ print "\n Number of audit daemon starts: ",$NumberOfDStarts+$NumberOfDStartsPid," \n";
+}
+
+if (($Detail >9) and ($NumberOfDStartsPid)) {
+ print " starts with pid change: $NumberOfDStartsPid \n"
+}
+
+if ($NumberOfDStops) {
+ print "\n Number of audit daemon stops: $NumberOfDStops \n";
+}
+
+if ($NumberOfLostMessages) {
+ print "\n Number of lost messages: $NumberOfLostMessages\n";
+}
+
+if ($Detail>9) {
+ if ($NumberOfInits) {
+ print "\n Number of audit initializations: $NumberOfInits \n";
+ }
+ if ($NumberOfDdStarts) {
+ print "\n Number of auditd daemon starts: $NumberOfDdStarts \n";
+ }
+ if ($NumberOfDdStops) {
+ print "\n Number of auditd daemon stops: $NumberOfDdStops \n";
}
}
+
+if ( %BugLog) {
+ print "\n*** Logs which could mean a bug ***\n";
+ foreach my $Entry (keys %BugLog) {
+ print " $Entry\n";
+ }
+}
if ( $#OtherList >= 0 ) {
print "\n**Unmatched Entries** ";
- if ($othercount > 10) {
- print "(Only first 10 out of $othercount are printed)";
+ if ($othercount > $UELimit) {
+ print "(Only first $UELimit out of $othercount are printed)";
}
print "\n ";
print join("\n ", @OtherList);
+ print "\n";
}
+
exit(0);
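Review bot: The `*** Logs which could mean a bug ***` section iterates `keys %BugLog` unsorted and prints only the key, so the per-line count accumulated in %BugLog is never reported and the order varies between runs, unlike the Denials, Grants and Invalid Context sections, which sort their keys and append `N times`; use `foreach my $Entry (sort keys %BugLog) {` and `print " $Entry: $BugLog{$Entry} times\n";`. The label `Number of lost messages: $NumberOfLostMessages` is misleading: the counter is incremented once per `audit_lost=...` status line in the earlier hunk, so it counts how many such records were logged, not how many events the kernel dropped; either reword it to something like `Number of audit_lost status records` or capture the `audit_lost=` value when matching and report the highest one seen. The `starts with pid change` print statement has no terminating semicolon, which is legal as the last statement in its block but inconsistent with the rest of the file.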
Index: logwatch.spec
===================================================================
RCS file: /cvs/dist/rpms/logwatch/devel/logwatch.spec,v
retrieving revision 1.22
retrieving revision 1.23
diff -u -r1.22 -r1.23
--- logwatch.spec 26 Sep 2005 10:26:29 -0000 1.22
+++ logwatch.spec 30 Sep 2005 08:41:56 -0000 1.23
@@ -1,7 +1,7 @@
Summary: A log file analysis program.
Name: logwatch
Version: 6.1.2
-Release: 5
+Release: 6
License: MIT
Group: Applications/System
URL: http://www.logwatch.org/
@@ -14,6 +14,8 @@
Patch7: logwatch-6.1.2-up2date.patch
Patch8: logwatch-6.1.2-named.patch
Patch9: logwatch-6.1.2-sshd.patch
+Patch10: logwatch-6.1.2-audit.patch
+
Requires: textutils sh-utils grep mailx
BuildRoot: %{_tmppath}/logwatch-build
BuildArchitectures: noarch
@@ -36,6 +38,7 @@
%patch7 -p1
%patch8 -p1
%patch9 -p1
+%patch10 -p1
%install
rm -rf %{buildroot}
@@ -113,6 +116,9 @@
%doc License project/CHANGES project/TODO
%changelog
+* Fri Sep 30 2005 Ivana Varekova <varekova at redhat.com> 6.1.2-6
+- add audit script patch to recognize number of unmatched entries
+
* Mon Sep 26 2005 Ivana Varekova <varekova at redhat.com> 6.1.2-5
- change secure script patch
- add sshd script patch (sshd part should not display 0.0.0.0