Package: logcheck
Version: 1.3.24
Severity: important
Tags: patch
X-Debbugs-Cc: richard.lewis.deb...@googlemail.com

Dear Maintainer,

logcheck currently has a broken testsuite, and no autopkgtests. The first attached patch fixes both of these.

The second patch adds salsa-ci.yml so these run on salsa.debian.org - piuparts will fail: I will submit a patch to fix that as a separate bug report.

The 3rd patch allows logcheck to work if there are no /etc/logcheck/ignore.d.* directories - this is a separate bug, but if I recall correctly, the test will fail until this is fixed.

(I can submit this as an MR on salsa once the rsyslog bug is fixed - I have omitted some other local patches, but I've been using these locally for nearly a year.)

-- System Information:
Debian Release: 11.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-15-amd64 (SMP w/1 CPU thread)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages logcheck depends on:
ii  adduser                                    3.118
ii  exim4-daemon-light [mail-transport-agent]  4.94.2-7
ii  lockfile-progs                             0.1.18
ii  logtail                                    1.3.24+local6
ii  mime-construct                             1.11+nmu3

Versions of packages logcheck recommends:
ii  logcheck-database  1.3.25+local1

Versions of packages logcheck suggests:
ii  cron [cron-daemon]           3.0pl1-137
ii  rsyslog [system-log-daemon]  8.2102.0-2+deb11u1
ii  systemd                      247.3-7+deb11u1

-- Configuration Files:
/etc/logcheck/header.txt [Errno 13] Permission denied: '/etc/logcheck/header.txt'
/etc/logcheck/logcheck.conf [Errno 13] Permission denied: '/etc/logcheck/logcheck.conf'
/etc/logcheck/logcheck.logfiles [Errno 13] Permission denied: '/etc/logcheck/logcheck.logfiles'
/etc/logcheck/logcheck.logfiles.d/journal.logfiles [Errno 13] Permission denied: '/etc/logcheck/logcheck.logfiles.d/journal.logfiles'
/etc/logcheck/logcheck.logfiles.d/syslog.logfiles [Errno 13] Permission denied: '/etc/logcheck/logcheck.logfiles.d/syslog.logfiles'

-- no debconf information
diff --git a/debian/tests/01-logcheck b/debian/tests/01-logcheck index fae06f4d..b305cb48 100644 --- a/debian/tests/01-logcheck +++ b/debian/tests/01-logcheck 
@@ -1,20 +1,205 @@ -#!/bin/bash +#!/bin/bash -ue -set -eu +LOGFILE="$(mktemp)" +STATE="$(mktemp -d)" +#shellcheck disable=SC2064 # we want to expand variables now +trap "rm -rf '$LOGFILE' '$STATE'" 0 INT QUIT ABRT PIPE TERM -LOGFILE=$(mktemp) -trap 'rm -f ${LOGFILE}' 0 INT QUIT ABRT PIPE TERM +chown root:adm "$LOGFILE" +chmod 0640 "$LOGFILE" +chown logcheck:logcheck "$STATE" +chmod 0750 "$STATE" -chmod 0640 "${LOGFILE}" -chgrp adm "${LOGFILE}" -echo "Jan 31 06:51:07 debian-sid-amd64 su: pam_unix(su-l:auth) failure; logname=testuser uid=1000 euid=0 tty=pts/7 ruser=testuser rhost= user=root" >> "${LOGFILE}" -echo "Jan 31 06:51:09 debian-sid-amd64 su: FAILED SU (to root) testuser on pts/7" >> "${LOGFILE}" +STATUS="PASS" -echo "Jan 31 07:15:01 debian-sid-amd64 CRON[588228]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)" >> "${LOGFILE}" -echo "Jan 31 07:17:01 debian-sid-amd64 CRON[588240]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)" >> "${LOGFILE}" +# usage: run_test "name of test - description" \ +# ./expected_output.file <expected exit status> \ +# command_to_test arg1 arg2... +# The global variable "$STATUS" is set to "FAIL" if this test fails +run_test(){ + local name="$1" + local expected_file="$2" + local expected_exit="$3" + shift 3 + local my_status="" + local diff="" code="0" -EXPECTED_OUTPUT="This email is sent by logcheck. If you no longer wish to receive + "$@" > ./actual_file 2>&1 || code="$?" 
+ + diff="$(diff -u -- "$expected_file" ./actual_file 2>&1 || :)" + + if [ "$code" != "$expected_exit" ]; then + my_status="ERROR (expected exit: $expected_exit, actual: $code)" + elif [ -z "$diff" ]; then + my_status="PASS" + else + my_status="FAIL" + fi + + echo "** $my_status: $name" + if [ "$my_status" != "PASS" ]; then + STATUS=FAIL + cat <<EOF + +== [ EXPECTED: $name ] ====== +$(< "$expected_file") +============================= + +== [ ACTUAL: $name ] ======== +$(< ./actual_file) +============================= + +== [ DIFF: $name ] ========== +$diff +============================= + +EOF + fi +} + +# for debugging only +Xrun_test(){ + echo "** DISABLED: $1" +} + +cat > "${LOGFILE}" <<EOF +Jan 31 06:51:07 debian-sid-amd64 su: pam_unix(su-l:auth) failure; logname=testuser uid=1000 euid=0 tty=pts/7 ruser=testuser rhost= user=root +Jan 31 06:51:09 debian-sid-amd64 su: FAILED SU (to root) testuser on pts/7 +Jan 31 07:15:01 debian-sid-amd64 CRON[588228]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) +Jan 31 07:17:01 debian-sid-amd64 CRON[588240]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly) +EOF + +cat > as-root<<EOF +logcheck should not be run as root. Use su to invoke logcheck: +su -s /bin/bash -c "/usr/sbin/logcheck" logcheck +Or use sudo: sudo -u logcheck logcheck. +EOF +run_test "needs-root" ./as-root 1 logcheck + +cat > as-root-with-args<<EOF +logcheck should not be run as root. Use su to invoke logcheck: +su -s /bin/bash -c "/usr/sbin/logcheck arg1 arg2" logcheck +Or use sudo: sudo -u logcheck logcheck arg1 arg2. +EOF +run_test "needs-root-with-args" ./as-root-with-args 1 logcheck arg1 arg2 + +cat > expected <<EOF +Error: /no-such-file does not exist or cannot be read. +EOF +run_test "-L /nonexist" expected 1 \ + su -s /bin/bash -c \ + "/usr/sbin/logcheck -o -L /no-such-file -D /dev/null" \ + logcheck + +cat > expected <<EOF +Error: E: File could not be read: /no-such-file. 
+EOF + +echo "/no-such-file" > list +run_test "-L list where list contains unreadable file" expected 1 \ + su -s /bin/bash -c \ + "/usr/sbin/logcheck -o -L ./list -D /dev/null" \ + logcheck + + + +## Testing of output +run_test "logcheck (1a: with header disabled)" \ + ./test/results/intro/disabled 0 \ + su -s /bin/bash -c \ + "/usr/sbin/logcheck -o -S '$STATE' -L test/logs/intro/files -D /dev/null -c test/conf/intro-disabled -r test/rulefiles" \ + logcheck + +run_test "logcheck (repeating 1a: no more results)" \ + ./test/results/empty 0 \ + su -s /bin/bash -c \ + "/usr/sbin/logcheck -o -S '$STATE' -L test/logs/intro/files -D /dev/null -c test/conf/intro-disabled -r test/rulefiles" \ + logcheck +rm -f "$STATE"/offset* + + +run_test "logcheck (1b: with header enabled)" \ + ./test/results/intro/enabled 0 \ + su -s /bin/bash -c \ + "/usr/sbin/logcheck -o -S '$STATE' -L test/logs/intro/files -D /dev/null -c test/conf/intro-enabled -r test/rulefiles" \ + logcheck + +run_test "logcheck (repeating 1b: no more results)" \ + ./test/results/empty 0 \ + su -s /bin/bash -c \ + "/usr/sbin/logcheck -o -S '$STATE' -L test/logs/intro/files -D /dev/null -c test/conf/intro-enabled -r test/rulefiles" \ + logcheck +rm -f "$STATE"/offset* + + +run_test "logcheck (1c: INTRO=yes is the same as INTRO=1 - both enable the intro)" \ + ./test/results/intro/enabled 0 \ + su -s /bin/bash -c \ + "/usr/sbin/logcheck -o -S '$STATE' -L test/logs/intro/files -D /dev/null -c test/conf/intro-yes -r test/rulefiles" \ + logcheck +rm -f "$STATE"/offset* + +run_test "logcheck (1d: INTRO=no is treated the same as disabling the intro)" \ + ./test/results/intro/disabled 0 \ + su -s /bin/bash -c \ + "/usr/sbin/logcheck -o -S '$STATE' -L test/logs/intro/files -D /dev/null -c test/conf/intro-no -r test/rulefiles" \ + logcheck +rm -f "$STATE"/offset* + + +run_test "logcheck (2a: with cracking-ignore enabled - just one line is flagged)" \ + ./test/results/cracking-ignore/enabled 0 \ + su -s /bin/bash -c \ + 
"/usr/sbin/logcheck -o -S '$STATE' -L test/logs/cracking-ignore/files -D /dev/null -c test/conf/cracking-ignore-enabled -r test/rulefiles" \ + logcheck +rm -f "$STATE"/offset* + +run_test "logcheck (2b: with cracking-ignore disabled - both lines are flagged)" \ + ./test/results/cracking-ignore/disabled 0 \ + su -s /bin/bash -c \ + "/usr/sbin/logcheck -o -S '$STATE' -L test/logs/cracking-ignore/files -D /dev/null -c test/conf/intro-enabled -r test/rulefiles" \ + logcheck +rm -f "$STATE"/offset* + +run_test "logcheck (3: violations.ignore.d - only one of the 2 lines is flagged)" \ + ./test/results/violations.ignore.d/test 0 \ + su -s /bin/bash -c \ + "/usr/sbin/logcheck -o -S '$STATE' -L test/logs/violations.ignore.d/files -D /dev/null -r test/rulefiles" \ + logcheck +rm -f "$STATE"/offset* + +run_test "logcheck (4a: reportlevel - paranoid)" \ + ./test/results/reportlevel/paranoid 0 \ + su -s /bin/bash -c \ + "/usr/sbin/logcheck -o -S '$STATE' -c test/conf/paranoid -L test/logs/reportlevel/files -D /dev/null -r test/rulefiles" \ + logcheck +rm -f "$STATE"/offset* + +run_test "logcheck (4b: reportlevel - server)" \ + ./test/results/reportlevel/server 0 \ + su -s /bin/bash -c \ + "/usr/sbin/logcheck -o -S '$STATE' -c test/conf/server -L test/logs/reportlevel/files -D /dev/null -r test/rulefiles" \ + logcheck +rm -f "$STATE"/offset* + +run_test "logcheck (4c: reportlevel - workstation)" \ + ./test/results/reportlevel/workstation 0 \ + su -s /bin/bash -c \ + "/usr/sbin/logcheck -o -S '$STATE' -c test/conf/workstation -L test/logs/reportlevel/files -D /dev/null -r test/rulefiles" \ + logcheck +rm -f "$STATE"/offset* + +run_test "logcheck (5: all - paranoid)" \ + ./test/results/all/paranoid 0 \ + su -s /bin/bash -c \ + "/usr/sbin/logcheck -o -S '$STATE' -c test/conf/paranoid -L test/logs/all/files -D /dev/null -r test/rulefiles" \ + logcheck +rm -f "$STATE"/offset* + + + +printf "This email is sent by logcheck. 
If you no longer wish to receive such mail, you can either uninstall the logcheck package or modify its configuration file (/etc/logcheck/logcheck.conf). @@ -22,5 +207,18 @@ Security Events for su =-=-=-=-=-=-=-=-=-=-=- Jan 31 06:51:07 debian-sid-amd64 su: pam_unix(su-l:auth) failure; logname=testuser uid=1000 euid=0 tty=pts/7 ruser=testuser rhost= user=root Jan 31 06:51:09 debian-sid-amd64 su: FAILED SU (to root) testuser on pts/7 -" -diff <(su -s /bin/bash -c "/usr/sbin/logcheck -o -l ${LOGFILE}" logcheck) <(echo "$EXPECTED_OUTPUT") +\n" > expected + +rm -f "$STATE"/offset* +run_test "logcheck (actual rules and config)" expected 0 \ + su -s /bin/bash -c "/usr/sbin/logcheck -o -l '$LOGFILE' -S '$STATE'" logcheck + + + +if [ "$STATUS" = "PASS" ]; then + echo "* $0: PASS" + exit 0 +else + echo "* $0: $STATUS" + exit 1 +fi diff --git a/debian/tests/control b/debian/tests/control index 6b582acb..bdd37a69 100644 --- a/debian/tests/control +++ b/debian/tests/control @@ -1,2 +1,3 @@ Tests: 01-logcheck +Depends: @, bash, logcheck-database Restrictions: needs-root diff --git a/test/conf/cracking-ignore-enabled b/test/conf/cracking-ignore-enabled index c63077aa..05fdbefb 100644 --- a/test/conf/cracking-ignore-enabled +++ b/test/conf/cracking-ignore-enabled 
@@ -1,43 +1 @@ -# The following variable settings are the initial default values, -# which can be uncommented and modified to alter logcheck's behaviour - -# Controls the format of date-/time-stamps in subject lines: -# Alternatively, set the format to suit your locale - -#DATE="$(date +'%Y-%m-%d %H:%M')" - -# Controls the presence of boilerplate at the top of each message: -# Set to "no" to eliminate the boilerplate - -#INTRO=1 - -# Controls the level of filtering: -# Can be Set to "workstation", "server" or "paranoid" for different -# levels of filtering. Defaults to paranoid if not set. - -REPORTLEVEL="server" - -# Controls the address mail goes to: -# *NOTE* the script does not set a default value for this variable! -# May be set to "emailaddr...@some.domain.tld" - -SENDMAILTO="root" - -# Controls whether "sort -u" is used on log entries (which will -# eliminate duplicates but destroy the original ordering); the -# default is to use "sort -k 1,3 -s": -# Alternatively, set to "1" to enable unique sorting - -#SORTUNIQ=0 - -# Controls whether /etc/logcheck/cracking.ignore.d is scanned for -# exceptions to the rules in /etc/logcheck/cracking.d: -# Alternatively, set to "1" to enable cracking.ignore support - SUPPORT_CRACKING_IGNORE=1 - -# Controls Subject: lines on logcheck reports: - -#ATTACKSUBJECT="Attack Alerts" -#SECURITYSUBJECT="Security Events" -#EVENTSSUBJECT="System Events" diff --git a/test/conf/intro-disabled b/test/conf/intro-disabled index 21da399b..53c80d7e 100644 --- a/test/conf/intro-disabled +++ b/test/conf/intro-disabled 
@@ -1,29 +1 @@ -# Uncommet the following to change the date and time format for the -# subject of e-Mails to the format for your locale -#DATE=$(/bin/date +'%X %x') - -# Uncomment to remove the introduction INTRO=0 - -# Level of filtering for the emails -REPORTLEVEL="server" - -# Uncomment the below line to enable debugging into to stderr -# Setting it to 2 will not cleanup TMPDIR when logcheck has run -#LOGCHECKDEBUG=1 - -# Uncommenting the below will change the subject lines on the emails -#ATTACKSUBJECT="Attack Alerts" -#SECURITYSUBJECT="Security Events" -#EVENTSSUBJECT="System Events" - -# Uncomment the below to use sort -u, this will destory the -# orginal log order -#SORTUNIQ=1 - -# To enable the cracking.ignore support uncomment the below line -# And put your rulefiles in /etc/logcheck/cracking.ignore.d -#SUPPORT_CRACKING_IGNORE=1 - -# Where we send mailto -SENDMAILTO="root" diff --git a/test/conf/intro-enabled b/test/conf/intro-enabled new file mode 100644 index 00000000..b1af8fd2 --- /dev/null +++ b/test/conf/intro-enabled @@ -0,0 +1 @@ +INTRO=1 diff --git a/test/conf/intro-no b/test/conf/intro-no index 4974bf25..5cccbfee 100644 --- a/test/conf/intro-no +++ b/test/conf/intro-no 
@@ -1,29 +1 @@ -# Uncommet the following to change the date and time format for the -# subject of e-Mails to the format for your locale -#DATE=$(/bin/date +'%X %x') - -# Uncomment to remove the introduction INTRO="no" - -# Level of filtering for the emails -REPORTLEVEL="server" - -# Uncomment the below line to enable debugging into to stderr -# Setting it to 2 will not cleanup TMPDIR when logcheck has run -#LOGCHECKDEBUG=1 - -# Uncommenting the below will change the subject lines on the emails -#ATTACKSUBJECT="Attack Alerts" -#SECURITYSUBJECT="Security Events" -#EVENTSSUBJECT="System Events" - -# Uncomment the below to use sort -u, this will destory the -# orginal log order -#SORTUNIQ=1 - -# To enable the cracking.ignore support uncomment the below line -# And put your rulefiles in /etc/logcheck/cracking.ignore.d -#SUPPORT_CRACKING_IGNORE=1 - -# Where we send mailto -SENDMAILTO="root" diff --git a/test/conf/intro-yes b/test/conf/intro-yes index 5871f237..66182461 100644 --- a/test/conf/intro-yes +++ b/test/conf/intro-yes @@ -1,29 +1 @@ -# Uncommet the following to change the date and time format for the -# subject of e-Mails to the format for your locale -#DATE=$(/bin/date +'%X %x') - -# Uncomment to remove the introduction INTRO="yes" - -# Level of filtering for the emails -REPORTLEVEL="server" - -# Uncomment the below line to enable debugging into to stderr -# Setting it to 2 will not cleanup TMPDIR when logcheck has run -#LOGCHECKDEBUG=1 - -# Uncommenting the below will change the subject lines on the emails -#ATTACKSUBJECT="Attack Alerts" -#SECURITYSUBJECT="Security Events" -#EVENTSSUBJECT="System Events" - -# Uncomment the below to use sort -u, this will destory the -# orginal log order -#SORTUNIQ=1 - -# To enable the cracking.ignore support uncomment the below line -# And put your rulefiles in /etc/logcheck/cracking.ignore.d -#SUPPORT_CRACKING_IGNORE=1 - -# Where we send mailto -SENDMAILTO="root" 
diff --git a/test/conf/paranoid b/test/conf/paranoid new file mode 100644 index 00000000..d9208131 --- /dev/null +++ b/test/conf/paranoid @@ -0,0 +1 @@ +REPORTLEVEL="paranoid" diff --git a/test/conf/server b/test/conf/server new file mode 100644 index 00000000..6b6bd845 --- /dev/null +++ b/test/conf/server @@ -0,0 +1 @@ +REPORTLEVEL="server" diff --git a/test/conf/workstation b/test/conf/workstation new file mode 100644 index 00000000..3b115018 --- /dev/null +++ b/test/conf/workstation @@ -0,0 +1 @@ +REPORTLEVEL="workstation" diff --git a/test/logs/all/files b/test/logs/all/files new file mode 100644 index 00000000..f951c3b7 --- /dev/null +++ b/test/logs/all/files @@ -0,0 +1 @@ +test/logs/all/log diff --git a/test/logs/all/log b/test/logs/all/log new file mode 100644 index 00000000..da1ef633 --- /dev/null +++ b/test/logs/all/log @@ -0,0 +1,9 @@ +cracking +unmatched +local-test +local-test-ignore +paranoid +cracking ignore +workstation +server +unmatched diff --git a/test/logs/cracking-ignore/files b/test/logs/cracking-ignore/files index 844a5ef4..fcba859d 100644 --- a/test/logs/cracking-ignore/files +++ b/test/logs/cracking-ignore/files @@ -1 +1 @@ -logs/cracking-ignore/log +test/logs/cracking-ignore/log diff --git a/test/logs/intro/files b/test/logs/intro/files index faf7fb93..7c35653b 100644 --- a/test/logs/intro/files +++ b/test/logs/intro/files @@ -1 +1 @@ -logs/intro/log +test/logs/intro/log diff --git a/test/logs/reportlevel/files b/test/logs/reportlevel/files new file mode 100644 index 00000000..c5635bc9 --- /dev/null +++ b/test/logs/reportlevel/files @@ -0,0 +1 @@ +test/logs/reportlevel/log diff --git a/test/logs/reportlevel/log b/test/logs/reportlevel/log new file mode 100644 index 00000000..a3bc3417 --- /dev/null +++ b/test/logs/reportlevel/log @@ -0,0 +1,4 @@ +workstation +paranoid +server +unmatched diff --git a/test/logs/violations.ignore.d-local/files b/test/logs/violations.ignore.d-local/files deleted file mode 100644 index caa2933c..00000000 
--- a/test/logs/violations.ignore.d-local/files +++ /dev/null @@ -1 +0,0 @@ -logs/violations.ignore.d-local/log diff --git a/test/logs/violations.ignore.d/files b/test/logs/violations.ignore.d/files new file mode 100644 index 00000000..905c1e63 --- /dev/null +++ b/test/logs/violations.ignore.d/files @@ -0,0 +1 @@ +test/logs/violations.ignore.d/log diff --git a/test/logs/violations.ignore.d-local/log b/test/logs/violations.ignore.d/log similarity index 100% rename from test/logs/violations.ignore.d-local/log rename to test/logs/violations.ignore.d/log diff --git a/test/results/all/paranoid b/test/results/all/paranoid new file mode 100644 index 00000000..555c92ea --- /dev/null +++ b/test/results/all/paranoid @@ -0,0 +1,17 @@ +<This is the header from rulefiles/header.txt> +Security Alerts +=-=-=-=-=-=-=-= +cracking +cracking ignore + +Security Events for name +=-=-=-=-=-=-=-=-=-=-=-=- +local-test + +System Events +=-=-=-=-=-=-= +server +unmatched +unmatched +workstation + diff --git a/test/results/cracking-ignore/disabled b/test/results/cracking-ignore/disabled index 497c26f9..a2fd5c66 100644 --- a/test/results/cracking-ignore/disabled +++ b/test/results/cracking-ignore/disabled @@ -1,7 +1,4 @@ -This email is sent by logcheck. If you wish to no-longer receive it, -you can either uninstall the logcheck package or modify its -configuration file (../etc/logcheck.conf). - +<This is the header from rulefiles/header.txt> Security Alerts =-=-=-=-=-=-=-= cracking diff --git a/test/results/cracking-ignore/enabled b/test/results/cracking-ignore/enabled index ea0d213e..1d681530 100644 --- a/test/results/cracking-ignore/enabled +++ b/test/results/cracking-ignore/enabled @@ -1,7 +1,4 @@ -This email is sent by logcheck. If you wish to no-longer receive it, -you can either uninstall the logcheck package or modify its -configuration file (./conf/cracking-ignore-enabled). - +<This is the header from rulefiles/header.txt> Security Alerts =-=-=-=-=-=-=-= cracking 
diff --git a/test/results/empty b/test/results/empty new file mode 100644 index 00000000..e69de29b diff --git a/test/results/intro/enabled b/test/results/intro/enabled index 9c8fc585..7949b03a 100644 --- a/test/results/intro/enabled +++ b/test/results/intro/enabled @@ -1,9 +1,5 @@ -This email is sent by logcheck. If you wish to no-longer receive it, -you can either uninstall the logcheck package or modify its -configuration file (../etc/logcheck.conf). - +<This is the header from rulefiles/header.txt> System Events =-=-=-=-=-=-= Dec 27 15:44:33 chac kernel: Uniform CD-ROM driver Revision: 3.12 - This report was produced by logcheck version 1.2.14 diff --git a/test/results/intro/yes b/test/results/intro/yes deleted file mode 100644 index 954805e1..00000000 --- a/test/results/intro/yes +++ /dev/null @@ -1,9 +0,0 @@ -This email is sent by logcheck. If you wish to no-longer receive it, -you can either uninstall the logcheck package or modify its -configuration file (./conf/intro-yes). - -System Events -=-=-=-=-=-=-= -Dec 27 15:44:33 chac kernel: Uniform CD-ROM driver Revision: 3.12 - - This report was produced by logcheck version 1.2.14 diff --git a/test/results/reportlevel/paranoid b/test/results/reportlevel/paranoid new file mode 100644 index 00000000..547ac41c --- /dev/null +++ b/test/results/reportlevel/paranoid @@ -0,0 +1,7 @@ +<This is the header from rulefiles/header.txt> +System Events +=-=-=-=-=-=-= +server +unmatched +workstation + diff --git a/test/results/reportlevel/server b/test/results/reportlevel/server new file mode 100644 index 00000000..7a61ff51 --- /dev/null +++ b/test/results/reportlevel/server @@ -0,0 +1,6 @@ +<This is the header from rulefiles/header.txt> +System Events +=-=-=-=-=-=-= +unmatched +workstation + diff --git a/test/results/reportlevel/workstation b/test/results/reportlevel/workstation new file mode 100644 index 00000000..45bff331 --- /dev/null +++ b/test/results/reportlevel/workstation 
@@ -0,0 +1,5 @@ +<This is the header from rulefiles/header.txt> +System Events +=-=-=-=-=-=-= +unmatched + diff --git a/test/results/violations.ignore.d-local/test b/test/results/violations.ignore.d-local/test deleted file mode 100644 index 517e051d..00000000 --- a/test/results/violations.ignore.d-local/test +++ /dev/null @@ -1,9 +0,0 @@ -This email is sent by logcheck. If you wish to no-longer receive it, -you can either uninstall the logcheck package or modify its -configuration file (../etc/logcheck.conf). - -Security Events -=-=-=-=-=-=-=-=-=-= -local-test - - This report was produced by logcheck version 1.2.14 diff --git a/test/results/violations.ignore.d/test b/test/results/violations.ignore.d/test new file mode 100644 index 00000000..7e866517 --- /dev/null +++ b/test/results/violations.ignore.d/test @@ -0,0 +1,5 @@ +<This is the header from rulefiles/header.txt> +Security Events for name +=-=-=-=-=-=-=-=-=-=-=-=- +local-test + diff --git a/test/rulefiles/header.txt b/test/rulefiles/header.txt new file mode 100644 index 00000000..3e12e7ca --- /dev/null +++ b/test/rulefiles/header.txt @@ -0,0 +1 @@ +<This is the header from rulefiles/header.txt> diff --git a/test/rulefiles/ignore.d.paranoid/paranoid b/test/rulefiles/ignore.d.paranoid/paranoid new file mode 100644 index 00000000..a9a06354 --- /dev/null +++ b/test/rulefiles/ignore.d.paranoid/paranoid @@ -0,0 +1,8 @@ +^am$ +^i$ +^just$ +paranoid? + +# comments and blank lines are ignored, +# so the next should not hide 'server' +#?server diff --git a/test/rulefiles/ignore.d.server/server b/test/rulefiles/ignore.d.server/server new file mode 100644 index 00000000..6cefaef8 --- /dev/null +++ b/test/rulefiles/ignore.d.server/server @@ -0,0 +1 @@ +server$ diff --git a/test/rulefiles/ignore.d.workstation/workstation b/test/rulefiles/ignore.d.workstation/workstation new file mode 100644 index 00000000..979fbd07 --- /dev/null +++ b/test/rulefiles/ignore.d.workstation/workstation @@ -0,0 +1 @@ +^w.rkst[a-z]*t+ion(a|b)?$ 
diff --git a/test/rulefiles/violations.d/logcheck b/test/rulefiles/violations.d/name similarity index 100% rename from test/rulefiles/violations.d/logcheck rename to test/rulefiles/violations.d/name diff --git a/test/rulefiles/violations.ignore.d/irrelevant b/test/rulefiles/violations.ignore.d/irrelevant new file mode 100644 index 00000000..8d98f9de --- /dev/null +++ b/test/rulefiles/violations.ignore.d/irrelevant @@ -0,0 +1 @@ +.* diff --git a/test/rulefiles/violations.ignore.d/local-test b/test/rulefiles/violations.ignore.d/name similarity index 100% rename from test/rulefiles/violations.ignore.d/local-test rename to test/rulefiles/violations.ignore.d/name diff --git a/test/state/offsetlogs.cracking-ignore.log b/test/state/offsetlogs.cracking-ignore.log deleted file mode 100644 index cd005699..00000000 --- a/test/state/offsetlogs.cracking-ignore.log +++ /dev/null @@ -1,2 +0,0 @@ -867401 -24 diff --git a/test/state/offsetlogs.intro.log b/test/state/offsetlogs.intro.log deleted file mode 100644 index 2bf30f1c..00000000 --- a/test/state/offsetlogs.intro.log +++ /dev/null @@ -1,2 +0,0 @@ -867404 -66 diff --git a/test/state/offsetlogs.violations.ignore.d-local.log b/test/state/offsetlogs.violations.ignore.d-local.log deleted file mode 100644 index ecfd9659..00000000 --- a/test/state/offsetlogs.violations.ignore.d-local.log +++ /dev/null @@ -1,2 +0,0 @@ -867407 -28 diff --git a/test/test.py b/test/test.py deleted file mode 100755 index 743eee1f..00000000 --- a/test/test.py +++ /dev/null 
@@ -1,255 +0,0 @@ -#!/usr/bin/python - -# Copyright (C) 2002,2003 Jonathan Middleton <j...@ixtab.org.uk> - -# This file is part of Logcheck - -# Logcheck is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. - -# Logcheck is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. - -# You should have received a copy of the GNU General Public License -# along with Logcheck; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - -import os -import sys - -class Logcheck: - - def __init__(self, conf, logfiles, rulefiles): - self.conf = conf - self.logfiles = logfiles - self.rules = rulefiles - - self.command = "../src/logcheck -o -S ./state/ -c %s -l %s -r %s" % \ - ( self.conf, - self.logfiles, - self.rules) - - def Run(self): - - run = os.popen(self.command) - - self.output = run.read() - - run.close() - - def Check(self, expected): - if self.output == expected: - return 1 - else: - return 0 - - def Result(self): - return self.output - -class Results: - - def __init__(self, dir): - - read = open(os.path.join(dir, "intro/disabled")) - self.test1a = read.read() - read.close() - - read = open(os.path.join(dir, "intro/enabled")) - self.test1b = read.read() - read.close() - - read = open(os.path.join(dir, "cracking-ignore/enabled")) - self.test2a = read.read() - read.close() - - read = open(os.path.join(dir, "cracking-ignore/disabled")) - self.test2b = read.read() - read.close() - - read = open(os.path.join(dir, "violations.ignore.d-local/test")) - self.test3 = read.read() - read.close() - - read = open(os.path.join(dir, "intro/disabled")) - self.test4a = read.read() - 
read.close() - - read = open(os.path.join(dir, "intro/yes")) - self.test4b = read.read() - read.close() - - - def Test1a(self): - return self.test1a - - def Test1b(self): - return self.test1b - - def Test2a(self): - return self.test2a - - def Test2b(self): - return self.test2b - - def Test3(self): - return self.test3 - - def Test4a(self): - return self.test4a - - def Test4b(self): - return self.test4b - -expected = Results("./results") - -fail = 0 - -path = os.environ.get("PATH") -os.putenv("PATH", "../src:%s" % path) - -# Test Intro (disabled) -print "Testing disabled intro...", - -test1a = Logcheck("./conf/intro-disabled", - "./logs/intro/files", - "rulefiles") - -if os.path.isfile("state/offsetlogs.intro.log"): - os.remove("state/offsetlogs.intro.log") - -test1a.Run() - -if test1a.Check(expected.Test1a() ): - print "success" -else: - print "failed" - print test1a.Result(), - fail = 1 - -# Test 1b - Intro (enabled) -print "Testing enabled intro...", - -test1b = Logcheck("../etc/logcheck.conf", - "./logs/intro/files", - "rulefiles") - -if os.path.isfile("state/offsetlogs.intro.log"): - os.remove("state/offsetlogs.intro.log") - -test1b.Run() - -if test1b.Check(expected.Test1b()): - print "success" -else: - print "failed" - print test1b.Result(), - fail = 1 - -# Test 2a and 2b still need to be finished. 
- -# Test 2a - cracking ignore support: enabled -print "Testing enabled cracking ignore...", - -test2a = Logcheck("./conf/cracking-ignore-enabled", - "./logs/cracking-ignore/files", - "rulefiles") - -if os.path.isfile("state/offsetlogs.cracking-ignore.log"): - os.remove("state/offsetlogs.cracking-ignore.log") - -test2a.Run() - -if test2a.Check(expected.Test2a()): - print "success" -else: - print "failed" - print test2a.Result(), - fail = 1 - -# Test 2b - cracking ignore support: disabled -print "Testing disabled cracking ignore...", - -test2b = Logcheck("../etc/logcheck.conf", - "./logs/cracking-ignore/files", - "rulefiles") - -if os.path.isfile("state/offsetlogs.cracking-ignore.log"): - os.remove("state/offsetlogs.cracking-ignore.log") - -test2b.Run() - -if test2b.Check(expected.Test2b()): - print "success" -else: - print "failed" - print test2b.Result(), - fail = 1 - - -# Test 3 - violations.ignore.d/local-* -print "Testing violations.ignore.d/local-*...", - -test3 = Logcheck("../etc/logcheck.conf", - "./logs/violations.ignore.d-local/files", - "rulefiles") - -if os.path.isfile("state/offsetlogs.violations.ignore.d-local.log"): - os.remove("state/offsetlogs.violations.ignore.d-local.log") - -test3.Run() - -if test3.Check(expected.Test3()): - print "success" -else: - print "failed" - print test3.Result(), - fail = 1 - -# Test 4a - Intro "yes" (disabled) -print "Testing old style disabled intro...", - -test4a = Logcheck("./conf/intro-no", - "./logs/intro/files", - "rulefiles") - -if os.path.isfile("state/offsetlogs.intro.log"): - os.remove("state/offsetlogs.intro.log") - -test4a.Run() - -if test4a.Check(expected.Test4a() ): - print "success" -else: - print "failed" - print test4a.Result(), - fail = 1 - -# Test 4b - Intro "no" (enabled) -print "Testing old style enabled intro...", - -test4b = Logcheck("./conf/intro-yes", - "./logs/intro/files", - "rulefiles") - -if os.path.isfile("state/offsetlogs.intro.log"): - os.remove("state/offsetlogs.intro.log") - 
-test4b.Run() - -if test4b.Check(expected.Test4b()): - print "success" -else: - print "failed" - print test4b.Result(), - fail = 1 - -# Set the exit status - -if fail: - sys.exit(1) -else: - sys.exit(0)
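Review bot: in the first debian/tests/01-logcheck hunk (@@ -1,20 +1,205 @@), run_test and the test bodies write their scratch files (./actual_file, as-root, as-root-with-args, expected, list) into the current directory, which under autopkgtest is the unpacked source tree, and the trap only removes $LOGFILE and $STATE, so these files are left behind after every run. Suggest a third mktemp -d directory added to the trap, e.g. `WORK="$(mktemp -d)"` and `"$@" > "$WORK/actual_file" 2>&1 || code="$?"`, with the heredocs redirected into it as well. Related: every logcheck invocation uses paths relative to the source root (-r test/rulefiles, and the test/logs/*/files lists now contain test/logs/.../log) and runs via su as the logcheck user, so the script silently depends on the cwd being the tree root and on that tree being readable by the logcheck user; a comment stating both assumptions, or a `cd` to the script's own ../.. at the top, would make failures easier to diagnose. Minor: test 2b ("cracking-ignore disabled") reuses test/conf/intro-enabled as its configuration, and Xrun_test is leftover debugging scaffolding; a dedicated test/conf/cracking-ignore-disabled and dropping Xrun_test would read more clearly.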
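Review bot: in the second debian/tests/01-logcheck hunk (@@ -22,5 +207,18 @@), the expected report for the "actual rules and config" test is produced with `printf "This email is sent by logcheck. ... \n" > expected`, so the whole expected text is the printf format string. It contains no % today, but the su log lines and the header are exactly the kind of text that may gain one, at which point printf would alter the expectation silently; the `cat > expected <<EOF` form used by every other test in this file avoids that and is consistent. This test also pins the wording of the installed /etc/logcheck/header.txt and the behaviour of the logcheck-database rules (the two CRON lines must be ignored, the two su lines reported), which is why `Depends: @, bash, logcheck-database` in debian/tests/control is needed; a comment saying so would save the next person a guess when the database changes.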
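Review bot: in the test/conf/cracking-ignore-enabled hunk, trimming the file to `SUPPORT_CRACKING_IGNORE=1` also drops `REPORTLEVEL="server"`, so tests 2a and 2b now run at logcheck's built-in default level (the removed comment says "Defaults to paranoid if not set"); the same applies to test/conf/intro-no and intro-yes, which lose REPORTLEVEL, and to the new test/conf/intro-enabled, which sets only INTRO=1. That works, since the new test/rulefiles/ignore.d.* trees and expected results were written against it, but these tests now depend on a default set elsewhere in the script; setting REPORTLEVEL explicitly in each of these files, the way test/conf/paranoid, server and workstation do, keeps each test self-describing.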
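Review bot: deleting test/test.py rather than porting it is reasonable: it is Python 2 (print statements), it runs ../src/logcheck, which does not match the current layout (the script lives at usr/sbin/logcheck, as the third patch shows), and its expected files (test/results/intro/yes and the violations.ignore.d-local set) are removed in the same patch. The removal should be reflected in the changelog and in any README or debian/rules text that still describes running test/test.py, so that debian/tests/01-logcheck is the one documented way to run the suite.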
diff --git a/debian/salsa-ci.yml b/debian/salsa-ci.yml new file mode 100644 index 00000000..8424db44 --- /dev/null +++ b/debian/salsa-ci.yml @@ -0,0 +1,3 @@ +--- +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
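Review bot: the debian/salsa-ci.yml hunk includes the full recipes/debian.yml pipeline while the cover letter says the piuparts job is known to fail until a separate fix lands, which means every pipeline run is red from the first push. Until that follow-up is in, disable just that job with the pipeline's opt-out variable (`SALSA_CI_DISABLE_PIUPARTS: 1` under a `variables:` key) together with a comment naming the follow-up bug, so that regressions in build, lintian and the new autopkgtest remain visible.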
diff --git a/usr/sbin/logcheck b/usr/sbin/logcheck index cb623671..c8230a33 100755 --- a/usr/sbin/logcheck +++ b/usr/sbin/logcheck @@ -795,22 +795,21 @@ if [ -d "$TMPDIR/violations" ]; then fi # Do reverse grep on patterns we want to ignore +cp "$TMPDIR/logoutput-sorted" "$TMPDIR/checked" \ + || error "Could not copy $TMPDIR/logoutput-sorted to $TMPDIR/checked" if [ -d "$TMPDIR/ignore" ]; then debug "Checking for system events" - cp "$TMPDIR/logoutput-sorted" "$TMPDIR/checked" \ - || error "Could not copy $TMPDIR/logoutput-sorted to $TMPDIR/checked" cleanchecked "$TMPDIR/ignore" - - if [ -s "$TMPDIR/checked" ]; then - debug "Removing alerts from system events" - cleanchecked "$TMPDIR/cracking" - fi - if [ -s "$TMPDIR/checked" ]; then - debug "Removing violations from system events" - cleanchecked "$TMPDIR/violations" - fi - report "$EVENTSSUBJECT" && SYSTEM="1" fi +if [ -s "$TMPDIR/checked" ]; then + debug "Removing alerts from system events" + cleanchecked "$TMPDIR/cracking" +fi +if [ -s "$TMPDIR/checked" ]; then + debug "Removing violations from system events" + cleanchecked "$TMPDIR/violations" +fi +report "$EVENTSSUBJECT" && SYSTEM="1" # Add warnings to report if [ -f "$TMPDIR/warnings" ]; then
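Review bot: moving the `cp "$TMPDIR/logoutput-sorted" "$TMPDIR/checked"` and the cracking/violations passes plus `report "$EVENTSSUBJECT"` out of the `if [ -d "$TMPDIR/ignore" ]` block fixes the case the cover letter describes: with no ignore.d.* directory there is no $TMPDIR/ignore, so previously $TMPDIR/checked was never created and the system-events report was never produced. Two follow-ups: the `debug "Checking for system events"` line now fires only when the ignore directory exists although the check now always runs, so it belongs above the `if`; and since `cleanchecked "$TMPDIR/cracking"` and `cleanchecked "$TMPDIR/violations"` are now reached on every run with a non-empty checked file (before, only when the ignore directory existed), it is worth confirming cleanchecked tolerates either directory being absent, and adding a run in debian/tests/01-logcheck with -r pointing at a rules tree that has no ignore.d.* directory, which the new test/rulefiles tree does not cover, to lock this fix in.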