From 5b613c2361a79468adff79697323fa6bec96d1d0 Mon Sep 17 00:00:00 2001
From: Michel Blockelet
Date: Thu, 31 Jul 2008 21:25:22 +0200
Subject: [PATCH] Ajout logcheck
Il faudra ajuster logcheck.ignore et logcheck.logfiles en fonction des serveurs/services, et des rresultatsinitiaux. Je fais la mise a jour sur egon, komaz et rouge pour l'instant, demain on verra ce que ca donne ... (On peut aussi regarder logcheck -o mais ca fera des logchecks incomplets dans les mails ...)
darcs-hash:20080731192522-ddb99-e93bdf6bee498033207ba1aa16df26a592ee046b.gz
---
 Bundler/logcheck.xml | 9 +
 Cfg/etc/cron.d/logcheck/info.xml | 3 +
 Cfg/etc/cron.d/logcheck/logcheck | 9 +
 Cfg/etc/logcheck/logcheck.conf/info.xml | 3 +
 Cfg/etc/logcheck/logcheck.conf/logcheck.conf | 61 +++++++
 Cfg/etc/logcheck/logcheck.ignore/info.xml | 3 +
 .../logcheck/logcheck.ignore/logcheck.ignore | 157 ++++++++++++++++++
 Metadata/groups.xml | 1 +
 Python/etc/logcheck/logcheck.logfiles | 26 +++
 9 files changed, 272 insertions(+)
 create mode 100644 Bundler/logcheck.xml
 create mode 100644 Cfg/etc/cron.d/logcheck/info.xml
 create mode 100644 Cfg/etc/cron.d/logcheck/logcheck
 create mode 100644 Cfg/etc/logcheck/logcheck.conf/info.xml
 create mode 100644 Cfg/etc/logcheck/logcheck.conf/logcheck.conf
 create mode 100644 Cfg/etc/logcheck/logcheck.ignore/info.xml
 create mode 100644 Cfg/etc/logcheck/logcheck.ignore/logcheck.ignore
 create mode 100644 Python/etc/logcheck/logcheck.logfiles
diff --git a/Bundler/logcheck.xml b/Bundler/logcheck.xml
new file mode 100644
index 0000000..791d64b
--- /dev/null
+++ b/Bundler/logcheck.xml
@@ -0,0 +1,9 @@
+
+
+
+
+
+
+
+
+
diff --git a/Cfg/etc/cron.d/logcheck/info.xml b/Cfg/etc/cron.d/logcheck/info.xml
new file mode 100644
index 0000000..31e22d8
--- /dev/null
+++ b/Cfg/etc/cron.d/logcheck/info.xml
@@ -0,0 +1,3 @@
+
+
+
diff --git a/Cfg/etc/cron.d/logcheck/logcheck b/Cfg/etc/cron.d/logcheck/logcheck
new file mode 100644
index 0000000..e796bf6
--- /dev/null
+++ b/Cfg/etc/cron.d/logcheck/logcheck
@@ -0,0 +1,9 @@
+# /etc/cron.d/logcheck: crontab entries for the logcheck package
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+MAILTO=root
+
+@reboot logcheck if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck -R; fi
+2 6 * * * logcheck if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck; fi
+
+# EOF
diff --git a/Cfg/etc/logcheck/logcheck.conf/info.xml b/Cfg/etc/logcheck/logcheck.conf/info.xml
new file mode 100644
index 0000000..37272a1
--- /dev/null
+++ b/Cfg/etc/logcheck/logcheck.conf/info.xml
@@ -0,0 +1,3 @@
+
+
+
diff --git a/Cfg/etc/logcheck/logcheck.conf/logcheck.conf b/Cfg/etc/logcheck/logcheck.conf/logcheck.conf
new file mode 100644
index 0000000..b3d4fd3
--- /dev/null
+++ b/Cfg/etc/logcheck/logcheck.conf/logcheck.conf
@@ -0,0 +1,61 @@
+# The following variable settings are the initial default values,
+# which can be uncommented and modified to alter logcheck's behaviour
+
+# Controls the format of date-/time-stamps in subject lines:
+# Alternatively, set the format to suit your locale
+
+#DATE="$(date +'%Y-%m-%d %H:%M')"
+
+#
+# Controls the presence of boilerplate at the top of each message:
+# Alternatively, set to "0" to disable the introduction.
+#
+# If the files /etc/logcheck/header.txt and /etc/logcheck/footer.txt
+# are present their contents will be read and used as the header and
+# footer of any generated mails.
+INTRO=0
+
+# Controls the level of filtering:
+# Can be Set to "workstation", "server" or "paranoid" for different
+# levels of filtering. Defaults to server if not set.
+REPORTLEVEL="server"
+
+# Controls the address mail goes to:
+# *NOTE* the script does not set a default value for this variable!
+# Should be set to an offsite "emailaddress@some.domain.tld"
+SENDMAILTO="root"
+
+# Should the hostname in the subject of generated mails be fully qualified?
+FQDN=1
+
+# Controls whether "sort -u" is used on log entries (which will
+# eliminate duplicates but destroy the original ordering); the
+# default is to use "sort -k 1,3 -s":
+# Alternatively, set to "1" to enable unique sorting
+
+#SORTUNIQ=0
+
+# Controls whether /etc/logcheck/cracking.ignore.d is scanned for
+# exceptions to the rules in /etc/logcheck/cracking.d:
+# Alternatively, set to "1" to enable cracking.ignore support
+
+#SUPPORT_CRACKING_IGNORE=0
+
+# Controls the base directory for rules file location
+# This must be an absolute path
+
+#RULEDIR="/etc/logcheck"
+
+# Controls if syslog-summary is run over each section.
+# Alternatively, set to "1" to enable extra summary.
+SYSLOGSUMMARY=1
+
+# Controls Subject: lines on logcheck reports:
+
+#ATTACKSUBJECT="Security Alerts"
+#SECURITYSUBJECT="Security Events"
+#EVENTSSUBJECT="System Events"
+
+# Controls [logcheck] prefix on Subject: lines
+
+# ADDTAG="no"
diff --git a/Cfg/etc/logcheck/logcheck.ignore/info.xml b/Cfg/etc/logcheck/logcheck.ignore/info.xml
new file mode 100644
index 0000000..2ebd863
--- /dev/null
+++ b/Cfg/etc/logcheck/logcheck.ignore/info.xml
@@ -0,0 +1,3 @@
+
+
+
diff --git a/Cfg/etc/logcheck/logcheck.ignore/logcheck.ignore b/Cfg/etc/logcheck/logcheck.ignore/logcheck.ignore
new file mode 100644
index 0000000..5767aa3
--- /dev/null
+++ b/Cfg/etc/logcheck/logcheck.ignore/logcheck.ignore
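Review bot: `SENDMAILTO="root"` keeps every report on the host that produced it, although the comment two lines above asks for an offsite address; a host whose MTA is broken, or whose local root mailbox an intruder can read or purge, is exactly the case where the report matters most. Unless root mail on egon, komaz and rouge is already forwarded off-host through /etc/aliases, point this at a monitored external mailbox, e.g. `SENDMAILTO="<monitored-mailbox@example>"` (placeholder), and since the commit message already plans per-host tuning of the ignore list, the recipient can be templated the same way. `FQDN=1` is the right choice here, because the same file is pushed to several hosts and the subject lines must stay distinguishable. Minor: `# ADDTAG="no"` at the end has a space after `#`, unlike every other commented-out default; normalising it to `#ADDTAG="no"` makes it read as a deliberate default like the rest.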
@@ -0,0 +1,157 @@
+apcupsd\[.*\]: apcupsd shutdown succeeded
+authsrv.*AUTHENTICATE
+automount.*: attempting to mount entry
+automount.*: do_mount
+automount.*: expanded entry:
+automount.*: lookup(file):
+automount.*: mount(generic): calling mkdir
+automount.*: mount(generic): calling mount
+automount.*: parse(sun):
+cracklib: updating dictionary .* .* words\.
+cron.*CMD
+CRON.*CMD
+cron.*RELOAD
+cron.*STARTUP
+exiting on signal 15
+fetchnews.*: connected to
+fetchnews.*: .*: no new articles
+fetchnews.*: Read server info from
+fetchnews.*: verbosity level
+ftpd.*ANONYMOUS FTP LOGIN
+ftpd.*FTP LOGIN FROM
+ftpd.*retrieved
+ftpd.*stored
+ftp-gw.*: exit host
+ftp-gw.*: exit host
+ftp-gw.*: permit host
+ftp-gw.*: permit host
+http-gw.*: exit host
+http-gw.*: permit host
+icmplogd: ping from ([[:graph:]]* )?[[][[:graph:]]*[]]
+identd.*: started
+in.ftpd\[.*\]: connect from .*
+init: Switching to runlevel:
+in.qpopper.*: connect from
+kernel:
+kernel: VFS: Disk change detected on device
+last message repeated .* times
+mail.local
+-- MARK --
+--- MARK --
+named\[.*\]: .*
+named\[.*\]: answer queries
+named\[.*\]: approved AXFR from .* for
+named\[.*\]: Cleaned cache of
+named\[.*\]: deleting interface
+named\[.*\]: Lame delegation
+named\[.*\]: Lame server on '.*' \(in '.*'?\): \[.*\]\..* '.*'
+named\[.*\]: listening on \[.*\]\.53 \(.*\)
+named\[.*\]: NSTATS .* .* A=.*( PTR=.*)?( AAAA=.*)?
+named\[.*\]: NSTATS .* .* A=.*( SOA=.*)?( MX=.*)? AAAA=.*( AXFR=.*)?
+named\[.*\]: points to a CNAME
+named\[.*\]: reloading
+named\[.*\]: Response from
+named\[.*\]: Sent NOTIFY for
+named\[.*\]: starting
+named\[.*\]: suppressing duplicate notify
+named\[.*\]: USAGE .* .* CPU=.*/.* CHILDCPU=.*/.*
+named-xfer\[.*\]: send AXFR query 0 to 138\.231\.136\.6
+named\[.*\]: XSTATS .* .* RR=.* RNXD=.* RFwdR=.* RDupR=.* RFail=.* RFErr=.* RErr=.* RAXFR=.* RLame=.* ROpts=.* SSysQ=.* SAns=.* SFwdQ=.* SDupQ=.* SErr=.* RQ=.* RIQ=.* RFwdQ=.* RDupQ=.* RTCP=.* SFwdR=.* SFail=.* SFErr=.* SNaAns=.* SNXD=.*
+named\[.*\]: XX+/127\.0\.0\.1/.*/A/IN
+named\[.*\]: XX+/192\.168\.*/.*/A/IN
+named\[.*\]: zone transfer \(AXFR\) of .* to
+netacl.*: exit host
+netacl.*: permit host
+net-snmp\[.*\]: Connection from 138\.231\.136\.6
+PAM_.*: .* session closed for user .*
+PAM_.*: .* session opened for user .*
+PAM_unix\[.*\]: \(cron\) session closed for user .*
+PAM_unix\[.*\]: \(cron\) session opened for user .*
+popper: -ERR POP server at
+popper: -ERR Unknown command: "uidl".
+popper.*Unable
+portsentry\[.*\]: adminalert
+postfix.*alias database.*rebuilt
+postfix.*aliases.*longest
+postfix/cleanup\[.*\]: .*: .*message-id=
+postfix.*from=
+postfix/local\[.*\]: .*: to=.*, relay=
+postfix.*lost input channel
+postfix/master
+postfix.*message-id=
+postfix/pickup\[.*\]: .*: uid=.* from=
+postfix.*putoutmsg
+postfix/qmgr\[.*\]: .*: from=
+postfix.*return to sender
+postfix/smtp
+postfix/smtpd\[.*\]: .*: client=
+postfix/smtpd\[.*\]: connect from
+postfix/smtpd\[.*\]: disconnect from
+postfix/smtp\[.*\]: .*: to=.*, relay=
+postfix.*status=
+postfix.*timeout waiting
+postfix.*User Unknown
+pppd\[.*\]: rcvd \[LCP EchoRep id=.* magic=.*\]
+pppd\[.*\]: rcvd \[LCP EchoReq id=.* magic=.*\]
+pppd\[.*\]: sent \[LCP EchoRep id=.* magic=.*\]
+pppd\[.*\]: sent \[LCP EchoReq id=.* magic=.*\]
+proftpd.*FTP session closed.
+qmail.*delivery
+qmail.*end msg
+qmail.*info msg
+qmail.*new msg
+qmail.*starting delivery
+rlogin-gw.*: exit host
+rlogin-gw.*: permit host
+root 1
+sendmail.*alias database.*rebuilt
+sendmail.*aliases.*longest
+sendmail.*from=
+sendmail.*lost input channel
+sendmail.*message-id=
+sendmail.*putoutmsg
+sendmail.*return to sender
+sendmail.*return to sender
+sendmail.*stat=
+sendmail.*timeout waiting
+sendmail.*User Unknown
+sendmail.*User Unknown
+smapd.*daemon running
+smapd.*daemon running
+smapd.*delivered
+smapd.*delivered
+smap.*host=
+smap.*host=
+smbd.*: connect from
+squid.*NETDB state saved;
+squid\[.*\]: sslReadServer: FD .*: read failure: .* Connection reset by peer
+squid\[.*\]: sslReadServer: FD .*: read failure: .* Connexion ré-initialisée par le correspondant
+squid\[.*\]: this be aioCancel
+squid\[.*\]: urlParse: Illegal character in hostname .*
+squid\[.*\]: urlParse: URL too large .*
+sshd\[.*\]: Accepted publickey for .* from .* port .* ssh2
+sshd.*: fatal: Connection closed by remote host.
+sshd.*log: Closing connecting to
+sshd.*: log: .* from localhost
+sshd.*log: Generating new .* key.
+sshd.*log: key generation complete.
+sshd.*log: Password authentication for .* accepted.
+sshd.*log: RSA authentication for .* accepted.
+sshd.*: log: RSA key generation complete.
+su\[.*\]: \+ .* root-
+syslogd.*: restart.
+syslogd.*: restart (remote reception).
+syslogd.*: restart \(remote reception\)\.
+syslog-ng\[.*\]: new configuration initialized
+syslog-ng\[.*\]: SIGHUP received, restarting syslog-ng
+syslog-ng\[.*\]: STATS: dropped 0
+tcplogd: (port [[:digit:]]+|(www|ftp|auth|socks|imap2|smtp)) connection attempt from
+telnetd.*ttloop: peer died
+texpire.*: .* articles deleted
+tn-gw.*: exit host
+tn-gw.*: permit host
+/USR/SBIN/CRON\[.*\]: (mail) CMD ( if \[ -x /usr/sbin/exim \]; then /usr/sbin/exim -q >/dev/null 2>&1; fi)
+/USR/SBIN/CRON\[.*\]: \(mail\) CMD \( if \[ -x /usr/sbin/exim \]; then /usr/sbin/exim -q >/dev/null 2>&1; fi\)
+x-gw.*: exit host
+x-gw.*: permit host
+xntpd.*Previous time adjustment didn't complete
diff --git a/Metadata/groups.xml b/Metadata/groups.xml
index 59641c1..0c29718 100644
--- a/Metadata/groups.xml
+++ b/Metadata/groups.xml
@@ -211,6 +211,7 @@
+
diff --git a/Python/etc/logcheck/logcheck.logfiles b/Python/etc/logcheck/logcheck.logfiles
new file mode 100644
index 0000000..db065fe
--- /dev/null
+++ b/Python/etc/logcheck/logcheck.logfiles
@@ -0,0 +1,26 @@
+# -*- coding: utf-8; mode: python -*-
+
+info["owner"] = "root"
+info["group"] = "logcheck"
+info["perms"] = 0644
+
+header("Fichiers surveilles par logcheck")
+
+@/var/log/auth.log
+@/var/log/messages
+@/var/log/kern.log
+@/var/log/syslog
+@/var/log/user.log
+
+if has("firewall"):
+ @/var/log/firewall/iptables.err
+
+if has("mailman"):
+ @/var/log/mailman/error
+
+if has("news"):
+ @/var/log/news/news.crit
+
+if has("postfix"):
+ @/var/log/mail.log
+ @/var/log/mail.err
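Review bot: The bare `kernel:` entry (the line just before `kernel: VFS: Disk change detected on device`) is an unanchored substring match that silences every kernel message — OOM kills, segfaults, hardware faults and any netfilter logging — so /var/log/kern.log and the firewall log that logcheck.logfiles adds in this same commit are effectively unmonitored; drop it and keep only the specific `kernel: VFS:` line. The same catch-all problem applies to `named\[.*\]: .*`, which makes the more specific named rules below it dead and hides zone-transfer and query-error events, and to `root 1`, which matches any line containing that substring. Since these patterns are applied with egrep, the unescaped `syslogd.*: restart (remote reception).` and `/USR/SBIN/CRON\[.*\]: (mail) CMD (...)` lines never match a real log line and are dead duplicates of the escaped entries next to them; they can go along with the other verbatim repeats (ftp-gw, sendmail, smapd, smap). One thing to confirm on egon, komaz and rouge: the logcheck.conf in this commit is the 1.2-series format (RULEDIR, SUPPORT_CRACKING_IGNORE, REPORTLEVEL), and to my knowledge that series reads ignore rules from `RULEDIR/ignore.d.<level>/` rather than a single logcheck.ignore file, in which case none of these patterns would be consulted at all.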
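Review bot: Under the `has("postfix")` branch both `/var/log/mail.log` and `/var/log/mail.err` are watched, and with Debian's stock syslog rules mail.err is a subset of mail.log, so every mail error would show up twice in each report; keep `@/var/log/mail.log` alone unless these hosts split the mail facility differently. The `@/var/log/firewall/iptables.err` entry under `has("firewall")` deserves a comment naming the syslog rule that populates it, since the generated file gives no hint whether it carries netfilter's kernel output or something else, e.g. `# populated by the firewall syslog rule — keep in sync with the kernel ignore patterns`. `info["perms"] = 0644` is fine here: the file only lists paths, and the logcheck user that runs the cron job needs to read it.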