Ajout logcheck

Il faudra ajuster logcheck.ignore et logcheck.logfiles en fonction des
serveurs/services, et des rresultatsinitiaux.
Je fais la mise a jour sur egon, komaz et rouge pour l'instant, demain
on verra ce que ca donne ... (On peut aussi regarder logcheck -o mais
ca fera des logchecks incomplets dans les mails ...)

darcs-hash:20080731192522-ddb99-e93bdf6bee498033207ba1aa16df26a592ee046b.gz

Bundler/logcheck.xml

@@ -0,0 +1,9 @@
+<Bundle name="logcheck">
+  <ConfigFile name="/etc/cron.d/logcheck"/>
+  <ConfigFile name="/etc/logcheck/logcheck.conf"/>
+  <ConfigFile name="/etc/logcheck/logcheck.ignore"/>
+  <ConfigFile name="/etc/logcheck/logcheck.logfiles"/>
+  <Package name="logcheck"/>
+  <Package name="logcheck-database"/>
+  <Package name="syslog-summary"/>
+</Bundle>

Cfg/etc/cron.d/logcheck/info.xml

@@ -0,0 +1,3 @@
+<FileInfo>
+    <Info owner='root' group='root' perms='0644' encoding='base64'/>
+</FileInfo>

Cfg/etc/cron.d/logcheck/logcheck

@@ -0,0 +1,9 @@
+# /etc/cron.d/logcheck: crontab entries for the logcheck package
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+MAILTO=root
+
+@reboot         logcheck    if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck -R; fi
+2 6 * * *       logcheck    if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck; fi
+
+# EOF

Cfg/etc/logcheck/logcheck.conf/info.xml

@@ -0,0 +1,3 @@
+<FileInfo>
+    <Info owner='root' group='logcheck' perms='0644'/>
+</FileInfo>

Cfg/etc/logcheck/logcheck.conf/logcheck.conf

@@ -0,0 +1,61 @@
+# The following variable settings are the initial default values,
+# which can be uncommented and modified to alter logcheck's behaviour
+
+# Controls the format of date-/time-stamps in subject lines:
+# Alternatively, set the format to suit your locale
+
+#DATE="$(date +'%Y-%m-%d %H:%M')"
+
+#
+# Controls the presence of boilerplate at the top of each message:
+# Alternatively, set to "0" to disable the introduction.
+#
+# If the files /etc/logcheck/header.txt and /etc/logcheck/footer.txt
+# are present their contents will be read and used as the header and
+# footer of any generated mails.
+INTRO=0
+
+# Controls the level of filtering: 
+# Can be Set to "workstation", "server" or "paranoid" for different
+# levels of filtering. Defaults to server if not set.
+REPORTLEVEL="server"
+
+# Controls the address mail goes to:
+# *NOTE* the script does not set a default value for this variable!
+# Should be set to an offsite "emailaddress@some.domain.tld"
+SENDMAILTO="root"
+
+# Should the hostname in the subject of generated mails be fully qualified?
+FQDN=1
+
+# Controls whether "sort -u" is used on log entries (which will
+# eliminate duplicates but destroy the original ordering); the
+# default is to use "sort -k 1,3 -s":
+# Alternatively, set to "1" to enable unique sorting
+
+#SORTUNIQ=0
+
+# Controls whether /etc/logcheck/cracking.ignore.d is scanned for
+# exceptions to the rules in /etc/logcheck/cracking.d:
+# Alternatively, set to "1" to enable cracking.ignore support
+
+#SUPPORT_CRACKING_IGNORE=0
+
+# Controls the base directory for rules file location
+# This must be an absolute path
+
+#RULEDIR="/etc/logcheck"
+
+# Controls if syslog-summary is run over each section.
+# Alternatively, set to "1" to enable extra summary.
+SYSLOGSUMMARY=1
+
+# Controls Subject: lines on logcheck reports:
+
+#ATTACKSUBJECT="Security Alerts"
+#SECURITYSUBJECT="Security Events"
+#EVENTSSUBJECT="System Events"
+
+# Controls [logcheck] prefix on Subject: lines
+
+# ADDTAG="no"

Cfg/etc/logcheck/logcheck.ignore/info.xml

@@ -0,0 +1,3 @@
+<FileInfo>
+    <Info owner='root' group='logcheck' perms='0644' encoding='base64'/>
+</FileInfo>

Cfg/etc/logcheck/logcheck.ignore/logcheck.ignore

@@ -0,0 +1,157 @@
+apcupsd\[.*\]: apcupsd shutdown succeeded
+authsrv.*AUTHENTICATE
+automount.*: attempting to mount entry
+automount.*: do_mount
+automount.*: expanded entry:
+automount.*: lookup(file): 
+automount.*: mount(generic): calling mkdir
+automount.*: mount(generic): calling mount
+automount.*: parse(sun):
+cracklib: updating dictionary .* .* words\.
+cron.*CMD
+CRON.*CMD
+cron.*RELOAD
+cron.*STARTUP
+exiting on signal 15
+fetchnews.*: connected to
+fetchnews.*: .*: no new articles
+fetchnews.*: Read server info from
+fetchnews.*: verbosity level
+ftpd.*ANONYMOUS FTP LOGIN
+ftpd.*FTP LOGIN FROM
+ftpd.*retrieved
+ftpd.*stored
+ftp-gw.*: exit host
+ftp-gw.*: exit host
+ftp-gw.*: permit host
+ftp-gw.*: permit host
+http-gw.*: exit host
+http-gw.*: permit host
+icmplogd: ping from ([[:graph:]]* )?[[][[:graph:]]*[]]
+identd.*: started
+in.ftpd\[.*\]: connect from .*
+init: Switching to runlevel:
+in.qpopper.*: connect from
+kernel:
+kernel: VFS: Disk change detected on device
+last message repeated .* times
+mail.local
+-- MARK --
+--- MARK --
+named\[.*\]: .*
+named\[.*\]: answer queries
+named\[.*\]: approved AXFR from .* for
+named\[.*\]: Cleaned cache of
+named\[.*\]: deleting interface
+named\[.*\]: Lame delegation
+named\[.*\]: Lame server on '.*' \(in '.*'?\): \[.*\]\..* '.*'
+named\[.*\]: listening on \[.*\]\.53 \(.*\)
+named\[.*\]: NSTATS .* .* A=.*( PTR=.*)?( AAAA=.*)?
+named\[.*\]: NSTATS .* .* A=.*( SOA=.*)?( MX=.*)? AAAA=.*( AXFR=.*)?
+named\[.*\]: points to a CNAME
+named\[.*\]: reloading
+named\[.*\]: Response from
+named\[.*\]: Sent NOTIFY for
+named\[.*\]: starting
+named\[.*\]: suppressing duplicate notify
+named\[.*\]: USAGE .* .* CPU=.*/.* CHILDCPU=.*/.*
+named-xfer\[.*\]: send AXFR query 0 to 138\.231\.136\.6
+named\[.*\]: XSTATS .* .* RR=.* RNXD=.* RFwdR=.* RDupR=.* RFail=.* RFErr=.* RErr=.* RAXFR=.* RLame=.* ROpts=.* SSysQ=.* SAns=.* SFwdQ=.* SDupQ=.* SErr=.* RQ=.* RIQ=.* RFwdQ=.* RDupQ=.* RTCP=.* SFwdR=.* SFail=.* SFErr=.* SNaAns=.* SNXD=.*
+named\[.*\]: XX+/127\.0\.0\.1/.*/A/IN
+named\[.*\]: XX+/192\.168\.*/.*/A/IN
+named\[.*\]: zone transfer \(AXFR\) of .* to
+netacl.*: exit host
+netacl.*: permit host
+net-snmp\[.*\]: Connection from 138\.231\.136\.6
+PAM_.*: .* session closed for user .*
+PAM_.*: .* session opened for user .*
+PAM_unix\[.*\]: \(cron\) session closed for user .*
+PAM_unix\[.*\]: \(cron\) session opened for user .*
+popper: -ERR POP server at
+popper: -ERR Unknown command: "uidl".
+popper.*Unable
+portsentry\[.*\]: adminalert
+postfix.*alias database.*rebuilt
+postfix.*aliases.*longest
+postfix/cleanup\[.*\]: .*: .*message-id=
+postfix.*from=
+postfix/local\[.*\]: .*: to=.*, relay=
+postfix.*lost input channel
+postfix/master
+postfix.*message-id=
+postfix/pickup\[.*\]: .*: uid=.* from=
+postfix.*putoutmsg
+postfix/qmgr\[.*\]: .*: from=
+postfix.*return to sender
+postfix/smtp
+postfix/smtpd\[.*\]: .*: client=
+postfix/smtpd\[.*\]: connect from
+postfix/smtpd\[.*\]: disconnect from
+postfix/smtp\[.*\]: .*: to=.*, relay=
+postfix.*status=
+postfix.*timeout waiting
+postfix.*User Unknown
+pppd\[.*\]: rcvd \[LCP EchoRep id=.* magic=.*\]
+pppd\[.*\]: rcvd \[LCP EchoReq id=.* magic=.*\]
+pppd\[.*\]: sent \[LCP EchoRep id=.* magic=.*\]
+pppd\[.*\]: sent \[LCP EchoReq id=.* magic=.*\]
+proftpd.*FTP session closed.
+qmail.*delivery
+qmail.*end msg
+qmail.*info msg
+qmail.*new msg
+qmail.*starting delivery
+rlogin-gw.*: exit host
+rlogin-gw.*: permit host
+root 1
+sendmail.*alias database.*rebuilt
+sendmail.*aliases.*longest
+sendmail.*from=
+sendmail.*lost input channel
+sendmail.*message-id=
+sendmail.*putoutmsg
+sendmail.*return to sender
+sendmail.*return to sender
+sendmail.*stat=
+sendmail.*timeout waiting
+sendmail.*User Unknown
+sendmail.*User Unknown
+smapd.*daemon running
+smapd.*daemon running
+smapd.*delivered
+smapd.*delivered
+smap.*host=
+smap.*host=
+smbd.*: connect from
+squid.*NETDB state saved;
+squid\[.*\]: sslReadServer: FD .*: read failure: .* Connection reset by peer
+squid\[.*\]: sslReadServer: FD .*: read failure: .* Connexion ré-initialisée par le correspondant
+squid\[.*\]: this be aioCancel
+squid\[.*\]: urlParse: Illegal character in hostname .*
+squid\[.*\]: urlParse: URL too large .*
+sshd\[.*\]: Accepted publickey for .* from .* port .* ssh2
+sshd.*: fatal: Connection closed by remote host.
+sshd.*log: Closing connecting to 
+sshd.*: log: .* from localhost
+sshd.*log: Generating new .* key.
+sshd.*log: key generation complete.
+sshd.*log: Password authentication for .* accepted.
+sshd.*log: RSA authentication for .* accepted.
+sshd.*: log: RSA key generation complete.
+su\[.*\]: \+ .* root-
+syslogd.*: restart.
+syslogd.*: restart (remote reception).
+syslogd.*: restart \(remote reception\)\.
+syslog-ng\[.*\]: new configuration initialized
+syslog-ng\[.*\]: SIGHUP received, restarting syslog-ng
+syslog-ng\[.*\]: STATS: dropped 0
+tcplogd: (port [[:digit:]]+|(www|ftp|auth|socks|imap2|smtp)) connection attempt from
+telnetd.*ttloop:  peer died
+texpire.*: .* articles deleted
+tn-gw.*: exit host
+tn-gw.*: permit host
+/USR/SBIN/CRON\[.*\]: (mail) CMD (  if \[ -x /usr/sbin/exim \]; then /usr/sbin/exim -q >/dev/null 2>&1; fi) 
+/USR/SBIN/CRON\[.*\]: \(mail\) CMD \(  if \[ -x /usr/sbin/exim \]; then /usr/sbin/exim -q >/dev/null 2>&1; fi\)
+x-gw.*: exit host
+x-gw.*: permit host
+xntpd.*Previous time adjustment didn't complete

Metadata/groups.xml

@@ -211,6 +211,7 @@
 
     <Bundle name="apt"/>
     <Bundle name="apt-keys"/>
+    <Bundle name="logcheck"/>
     <Bundle name="nss"/>
     <Bundle name="monit"/>
   </Group>

Python/etc/logcheck/logcheck.logfiles

@@ -0,0 +1,26 @@
+# -*- coding: utf-8; mode: python -*-
+
+info["owner"] = "root"
+info["group"] = "logcheck"
+info["perms"] = 0644
+
+header("Fichiers surveilles par logcheck")
+
+@/var/log/auth.log
+@/var/log/messages
+@/var/log/kern.log
+@/var/log/syslog
+@/var/log/user.log
+
+if has("firewall"):
+	@/var/log/firewall/iptables.err
+
+if has("mailman"):
+	@/var/log/mailman/error
+
+if has("news"):
+	@/var/log/news/news.crit
+
+if has("postfix"):
+	@/var/log/mail.log
+	@/var/log/mail.err