rpms/logwatch/devel logwatch-6.1.2-audit.patch, NONE, 1.1 logwatch.spec, 1.22, 1.23

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Fri Sep 30 08:41:58 UTC 2005


Author: varekova

Update of /cvs/dist/rpms/logwatch/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv12331

Modified Files:
	logwatch.spec 
Added Files:
	logwatch-6.1.2-audit.patch 
Log Message:
add audit script patch to recognize number of unmatched entries


logwatch-6.1.2-audit.patch:
 audit |  145 +++++++++++++++++++++++++++++++++++++++++++++++++++---------------
 1 files changed, 114 insertions(+), 31 deletions(-)

--- NEW FILE logwatch-6.1.2-audit.patch ---
--- logwatch-6.1.2/scripts/services/audit.p02	2005-06-07 20:43:32.000000000 +0200
+++ logwatch-6.1.2/scripts/services/audit	2005-09-30 10:10:47.031136856 +0200
@@ -27,54 +27,91 @@
 my $othercount = 0;
 my $Debug = ($ENV{'LOGWATCH_DEBUG'} || 0);
 my $Detail = ($ENV{'LOGWATCH_DETAIL_LEVEL'} || 0);
+my $NumberOfInits = 0;
+my $NumberOfDStarts = 0;
+my $NumberOfDStartsPid = 0;
+my $NumberOfDStops = 0;
+my $NumberOfDdStarts = 0;
+my $NumberOfDdStops = 0;
+my $NumberOfLostMessages = 0;
+my %InvalidContext = ();
+my %BugLog = ();
+my $UELimit = 10;
+my $ThisLine; 
 
 # No sense in running if selinux doesn't even exist on this system
 exit(0) unless -d '/selinux';
 
 print STDERR "\n\nDEBUG: Inside audit filter\n\n" if ( $Debug >= 5 );
 
-if ( $Detail > 9 ) {
-    while (<STDIN>) {
-	chomp;
-	if ( /avc:\s*denied\s*{\s*([^}]+).*scontext=(\S+)\s*tcontext=(\S+)\s*tclass=(\S+)/ ) {
+while ($ThisLine = <STDIN>) {
+    chomp($ThisLine);
+    if (( $ThisLine =~ /initializing netlink socket \(disabled\)/) or 
+	( $ThisLine =~ /audit_pid=[0-9]* old=[0-9]*(?: by auid=[0-9]*)?/) or
+	( $ThisLine =~ /syscall=[0-9]+ exit=[0-9]+( a[0-3]=[0-9a-f]*)* items=[0-9]* pid=[0-9]* loginuid=[0-9-]* uid=[0-9]* gid=[0-9]* euid=[0-9]* suid=[0-9]* fsuid=[0-9]* egid=[0-9]* sgid=[0-9]* fsgid=[0-9]*/) or
+	( $ThisLine =~ /Audit daemon rotating log files/) or
+	( $ThisLine =~ /audit_backlog_limit=[0-9]* old=[0-9]*(?: by auid=[0-9]*)?/)
+    ) { 
+	# Ignore these entries
+    } elsif ( $ThisLine =~ /audit\([0-9]{10}.[0-9]{3}:[0-9]\): initialized$/) {
+      $NumberOfInits++;
+    } elsif ( $ThisLine =~ /Init complete, audit pid set to: [0-9]+/) {
+      $NumberOfDStartsPid++;
+    } elsif ( $ThisLine =~ /Init complete, auditd [0-9,.]+ listening for events/) {
+      $NumberOfDStarts++; 
+    } elsif ( $ThisLine =~ /The audit daemon is exiting./) {
+      $NumberOfDStops++;
+    } elsif ( $ThisLine =~ /audit_lost=[0-9]+ audit_backlog=[0-9]+ audit_rate_limit=[0-9]+ audit_backlog_limit=[0-9]+$/) {
+      $NumberOfLostMessages++;
+    } elsif ( $ThisLine =~ /auditd startup succeeded/) {
+      $NumberOfDdStarts++;
+    } elsif ( $ThisLine =~ /auditd shutdown succeeded/) {
+      $NumberOfDdStops++;
+    } elsif (( $ThisLine =~ /netlink socket too busy/) or 
+             ( $ThisLine =~ /Error sending signal_info request \(Invalid argument\)/) or 
+	     ( $ThisLine =~ /major=[0-9]+ name_count=[0-9]+: freeing multiple contexts \([1-2]\)/)) {
+      $ThisLine =~ s/audit\(:[0-9]+\): //;
+      $BugLog{$ThisLine}++;
+    } elsif ( $Detail > 9 ) {
+	if ( $ThisLine =~ /avc:\s*denied\s*{\s*([^}]+).*scontext=(\S+)\s*tcontext=(\S+)\s*tclass=(\S+)/ ) {
 	    $denials{$2.' '.$3.' ('.$1.$4 . ')'}++;
-	} elsif ( /avc:\s*granted\s*{\s*([^}]+).*scontext=(\S+)\s*tcontext=(\S+)\s*tclass=(\S+)/ ) {
+	} elsif ( $ThisLine =~ /avc:\s*granted\s*{\s*([^}]+).*scontext=(\S+)\s*tcontext=(\S+)\s*tclass=(\S+)/ ) {
 	    $grants{$2.' '.$3.' ('.$1.$4 . ')'}++;
-	} else {
+	} elsif ($ThisLine =~ /security_compute_sid:\s*invalid context\s*(\S+)\s*for\s*scontext=(\S+)\s*tcontext=(\S+)\s*tclass=(\S+)/ ) {
+	    $InvalidContext{$4." running as ".$2." acting on ".$3." \nshould transit to invalid ".$1}++;
+	} else { 
             $othercount++;
-            s/^\s*//;
-            if ($othercount < 11) {
-	       push @OtherList, $_;
+            $ThisLine =~ s/^\s*//;
+            if ($othercount < $UELimit+1) {
+	       push @OtherList, $ThisLine;
             }
 	}
-    }
-} elsif ( $Detail > 4 ) {
-    while (<STDIN>) {
-	chomp;
-	if ( /avc:\s*denied\s*{\s*[^}]+.*scontext=(\S+)\s*tcontext=(\S+)\s*tclass=(\S+)/ ) {
+    } elsif ( $Detail > 4 ) {
+	if ( $ThisLine =~ /avc:\s*denied\s*{\s*[^}]+.*scontext=(\S+)\s*tcontext=(\S+)\s*tclass=(\S+)/ ) {
 	    $denials{$1.' '.$2.' ('.$3 . ')'}++;
-	} elsif ( /avc:\s*granted\s*{\s*[^}]+}.*scontext=(\S+)\s*tcontext=(\S+)\s*tclass=(\S+)/ ) {
+	} elsif ( $ThisLine =~ /avc:\s*granted\s*{\s*[^}]+}.*scontext=(\S+)\s*tcontext=(\S+)\s*tclass=(\S+)/ ) {
 	    $grants{$1.' '.$2.' ('.$3 . ')'}++;
+	} elsif ($ThisLine =~ /security_compute_sid:\s*invalid context\s*(\S+)\s*for\s*scontext=(\S+)\s*tcontext=\S+\s*tclass=(\S+)/ ) {
+	    $InvalidContext{$3." running as ".$2." should transit to invalid ".$1}++;
 	} else {
             $othercount++;
-            s/^\s*//;
-            if ($othercount < 11) {
-	       push @OtherList, $_;
+            $ThisLine =~ s/^\s*//;
+            if ($othercount < $UELimit+1) {
+	       push @OtherList, $ThisLine;
             }
 	}
-    }
-} else {
-    while (<STDIN>) {
-	chomp;
-	if ( /avc:\s*denied\s*{\s*[^}]+.*scontext=([^:]+):[^:]+:\S+\s*tcontext=([^:]+):[^:]+:\S+\s*tclass=(\S+)/ ) {
+    } else {
+	if ( $ThisLine =~ /avc:\s*denied\s*{\s*[^}]+.*scontext=([^:]+):[^:]+:\S+\s*tcontext=([^:]+):[^:]+:\S+\s*tclass=(\S+)/ ) {
 	    $denials{$1.' '.$2.' ('.$3 . ')'}++;
-	} elsif ( /avc:\s*granted\s*{\s*[^}]+.*scontext=([^:]+):[^:]+:\S+\s*tcontext=([^:]+):[^:]+:\S+\s*tclass=(\S+)/ ) {
+	} elsif ( $ThisLine =~ /avc:\s*granted\s*{\s*[^}]+.*scontext=([^:]+):[^:]+:\S+\s*tcontext=([^:]+):[^:]+:\S+\s*tclass=(\S+)/ ) {
 	    $grants{$1.' '.$2.' ('.$3 . ')'}++;
+	} elsif ($ThisLine =~ /security_compute_sid:\s*invalid context\s*(\S+)\s*for\s*scontext=(\S+)\s*tcontext=\S+\s*tclass=(\S+)/ ) {
+   	    $InvalidContext{$3." running as ".$2." should transit to invalid ".$1}++;  
 	} else {
             $othercount++;
-            s/^\s*//;
-            if ($othercount < 11) {
-	       push @OtherList, $_;
+            $ThisLine =~ s/^\s*//;
+            if ($othercount < $UELimit+1) {
+	       push @OtherList, $ThisLine;
             }
 	}
     }
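Review bot: The `initialized` pattern in the new `elsif` at L61 is both looser and narrower than intended: the unescaped `.` between the seconds and milliseconds matches any character, and `:[0-9]\)` accepts only a single-digit serial, so an `initialized` record with serial 10 or higher falls through to the unmatched list instead of `$NumberOfInits`; use `/audit\([0-9]{10}\.[0-9]{3}:[0-9]+\): initialized$/` (the same unescaped `.` appears in `/The audit daemon is exiting./` at L67). The normalisation `s/audit\(:[0-9]+\): //` at L78 strips only the timestamp-less `audit(:N):` prefix, so if these warnings arrive with the `audit(SECS.MSEC:SERIAL):` form that the `initialized` rule expects, every occurrence stays a distinct `%BugLog` key and the per-key counter never aggregates — worth confirming against real auditd output. From a monitoring standpoint the ignore block at L54-L58 silently discards `audit_pid=... old=... by auid=` and `audit_backlog_limit=... old=... by auid=` records, which are audit-configuration changes attributable to a login uid; reporting them at `$Detail > 9` rather than dropping them would keep that visibility. The `while` opened at L52 closes outside the hunk.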
@@ -83,23 +120,69 @@
 if ( keys %denials ) {
     print "\n\n*** Denials ***\n";
     foreach my $key (sort keys %denials) {
-    	print " $key: ". $denials{$key} . " times\n";
+    	print "   $key: ". $denials{$key} . " times\n";
     }
 }
 
 if ( keys %grants ) {
     print "\n\n*** Grants ***\n";
     foreach my $key (sort keys %grants) {
-    	print " $key: ". $grants{$key} . " times\n";
+    	print "   $key: ". $grants{$key} . " times\n";
+    }
+}
+
+if ( keys %InvalidContext) {
+    print "\n\n*** Invalid Context ***\n";
+    foreach my $key (sort keys %InvalidContext) {
+        print "   $key: ". $InvalidContext{$key} . " times\n";
+    }
+}
+		    
+
+
+if ($NumberOfDStarts+$NumberOfDStartsPid) {
+    print "\n Number of audit daemon starts: ",$NumberOfDStarts+$NumberOfDStartsPid," \n";
+}
+
+if (($Detail >9) and ($NumberOfDStartsPid)) {
+    print "        starts with pid change: $NumberOfDStartsPid \n"
+}
+
+if ($NumberOfDStops)  {
+    print "\n Number of audit daemon stops: $NumberOfDStops \n";
+}
+
+if ($NumberOfLostMessages) {
+    print "\n Number of lost messages: $NumberOfLostMessages\n";
+}
+
+if ($Detail>9) {
+    if ($NumberOfInits) {
+        print "\n Number of audit initializations: $NumberOfInits \n";
+    }
+    if ($NumberOfDdStarts) {
+      print "\n Number of auditd daemon starts: $NumberOfDdStarts \n";
+    }
+    if ($NumberOfDdStops) {
+      print "\n Number of auditd daemon stops: $NumberOfDdStops \n";
     }
 }
+    
+if ( %BugLog) {
+  print "\n*** Logs which could mean a bug ***\n";
+  foreach my $Entry (keys %BugLog) {
+    print "   $Entry\n";
+  }
+}
 
 if ( $#OtherList >= 0 ) {
     print "\n**Unmatched Entries** ";
-    if ($othercount > 10) {
-       print "(Only first 10 out of $othercount are printed)";
+    if ($othercount > $UELimit) {
+       print "(Only first $UELimit out of $othercount are printed)";
     }
     print "\n ";
     print join("\n ", @OtherList);
+    print "\n";
 }
+
 exit(0);
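Review bot: The `%BugLog` report at L200-L205 discards the per-line counter that the first hunk accumulates with `$BugLog{$ThisLine}++` and iterates `keys %BugLog` unsorted, so a repeated kernel warning prints once with no frequency and in hash order; make it match the other sections with `foreach my $Entry (sort keys %BugLog) { print "   $Entry: $BugLog{$Entry} times\n"; }`. The "Number of lost messages" line at L185 prints `$NumberOfLostMessages`, which is incremented once per matching log line (L69-L70) and never reads the `audit_lost=` value, so the figure is the number of overflow warnings seen, not the number of records the kernel dropped; either relabel it (`Number of audit overflow warnings`) or capture `audit_lost=([0-9]+)` and report the last value seen, since that counter presumably only grows — confirm against the kernel's audit_lost semantics before relying on it. Dropped audit records are a blind spot for anyone reading this summary, so this is the one figure in the new section a reader is most likely to act on.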


Index: logwatch.spec
===================================================================
RCS file: /cvs/dist/rpms/logwatch/devel/logwatch.spec,v
retrieving revision 1.22
retrieving revision 1.23
diff -u -r1.22 -r1.23
--- logwatch.spec	26 Sep 2005 10:26:29 -0000	1.22
+++ logwatch.spec	30 Sep 2005 08:41:56 -0000	1.23
@@ -1,7 +1,7 @@
 Summary: A log file analysis program.
 Name: logwatch
 Version: 6.1.2
-Release: 5
+Release: 6
 License: MIT
 Group: Applications/System
 URL: http://www.logwatch.org/
@@ -14,6 +14,8 @@
 Patch7: logwatch-6.1.2-up2date.patch
 Patch8: logwatch-6.1.2-named.patch
 Patch9: logwatch-6.1.2-sshd.patch
+Patch10: logwatch-6.1.2-audit.patch
+
 Requires: textutils sh-utils grep mailx
 BuildRoot: %{_tmppath}/logwatch-build
 BuildArchitectures: noarch
@@ -36,6 +38,7 @@
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1
 
 %install
 rm -rf %{buildroot}
@@ -113,6 +116,9 @@
 %doc License project/CHANGES project/TODO
 
 %changelog
+* Fri Sep 30 2005 Ivana Varekova <varekova at redhat.com> 6.1.2-6
+- add audit script patch to recognize number of unmatched entries
+
 * Mon Sep 26 2005 Ivana Varekova <varekova at redhat.com> 6.1.2-5
 - change secure script patch
 - add sshd script patch (sshd part should not display 0.0.0.0 



