Bug#344553: [Logcheck-devel] Bug#344553: logcheck: Fails silently to read config file

2006-01-02 Thread Markus Peuhkuri
Maximilian Attems wrote:


> no the debian packaging takes care of that,
> no need to issue an error in that case.
> if you change the permissions of the CONFFILE you are on your own.
  

In NO CASE should program functionality depend on some package
management system.  The program should be able to work as well without
or with random package management system.

Considering that debian userid management is something that is very
fragile, I would prefer that the script also checks possible problems
with configuration.  Even more important this is when it is about
logcheck, whose sole purpose is to detect unintended events in systems.

-- 
Markus Peuhkuri | http://www.iki.fi/puhuri/


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#344553: [Logcheck-devel] Bug#344553: logcheck: Fails silently to read config file

2006-01-02 Thread Markus Peuhkuri
Maximilian Attems wrote:

> second you give _no_ argument why CONFFILE is so important.
> logcheck works fine without it.

If config file is defined on command line argument, it should be read in
and an error given if it is not readable.  If the config file exists, it
should be read.

> third the nacked change introduces potential break-ups on current
> working setups. we won't change semantics for $random_reasons.

The case that gets broken is that if the /etc/logcheck/logcheck.conf is
not readable by logcheck user.  I do not know, if there is any setup
like that, but let's say it is a quite interesting setup.  I would value
clear error messages or at least warnings over that.

> we check about real reasons like not readable log files.
> thus are worth to alert the admin.

I think that existing config file that is unreadable is something
abnormal,  but YMMV.

> fourth why is the debian userid management fragile?
> works very nicely for me on lots of boxes.

Maybe I just cannot do it, but as I had recently to do system reinstall
because of disk crash.  I recovered config files from backups but those
ended up with wrong ownerships and I had to fix them by hand.  The
system UIDs were different on different installations: the other was
installed, packages add, upgraded, and packages add while the later had
about all packages installed at once.

> fifth why did you change the ownerships of CONFFILE?
> there might be many cool reasons to think about,
> none was named.

The problem was that I wanted to experiment with new config file.  It
was owned by my $LUSER UID, and then I ran sudo -u logcheck logcheck -c
config -t .  Unfortunately, the config file was mode 600, and logcheck
did not provide any error, just used default settings and I was totally
lost with that wondering why my changes were not visible.

One may change ownership of configuration file unintentionally (pick your
$EDITOR right)

> first calm down your words.  :)
> getting enerved is not a good way to push something.

It was not intended as such, more like emphasis what I value in building
robust systems (would *no* *case* been better?).  It is good that
package management makes sure that everything is ok, but each input must
be validated and checked for.








Bug#344553: [Logcheck-devel] Bug#344553: logcheck: Fails silently to read config file

2006-01-01 Thread Markus Peuhkuri
Todd Troxell wrote:
> I see your point.  The config is not really essential.
>
> What do you think about this:
>
> if [ -f "$CONFFILE" -a -r "$CONFFILE" ]; then

The problem is still that if CONFFILE is somehow mistyped, it still
fails silently even if the fragment fixes the error I had with
permissions.  For my view the correct operation would be following:

1) if CONFFILE (from command line) is set, use it.  If it does not
exist or is unreadable, issue an error

2) if CONFFILE is not set, but the default CONFFILE exists AND is
readable use it

3) if default CONFFILE exists, but is unreadable, provide an error

4) if default CONFFILE does not exist, use defaults


To have 1), command line argument processing should be modified as below

case $opt in
    c)
        debug "Setting CONFFILE to $OPTARG"
        CONFFILE=$OPTARG
        if [ ! -r "$CONFFILE" ]; then
            error "Config file $CONFFILE unreadable or does not exists"
        fi
        ;;

For 2) and 4), the existing condition is ok, but needs additional
condition for 3).

if [ -r "$CONFFILE" ]; then
  . "$CONFFILE"
elif [ -f "$CONFFILE" ]; then  # this provides 3)
  error "Config file $CONFFILE unreadable"
fi



(sorry, if line wrap is problem).

-- 
Markus Peuhkuri | http://www.iki.fi/puhuri/
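
The four cases listed in the message above, combined into one function. This is an added example, not part of the original message or of logcheck; the function name select_conffile, its two arguments, the OPT_C variable in the usage comment and the return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: choose the config file to source, following cases 1)-4).
# select_conffile EXPLICIT DEFAULT
#   EXPLICIT: path given with -c on the command line (empty if not given)
#   DEFAULT:  packaged default path
# Prints the path to source on stdout, or nothing for built-in defaults.
# Returns 0 on success, 1 on error (message on stderr).
select_conffile() {
    explicit=$1
    default=$2

    if [ -n "$explicit" ]; then
        # Case 1: named on the command line, so it must be usable.
        if [ -f "$explicit" ] && [ -r "$explicit" ]; then
            printf '%s\n' "$explicit"
            return 0
        fi
        echo "error: config file $explicit unreadable or does not exist" >&2
        return 1
    fi

    if [ -f "$default" ] && [ -r "$default" ]; then
        # Case 2: default exists and is readable.
        printf '%s\n' "$default"
        return 0
    elif [ -e "$default" ]; then
        # Case 3: default exists but cannot be read: abnormal, report it.
        echo "error: config file $default exists but is not a readable file" >&2
        return 1
    fi

    # Case 4: no default file at all; the caller keeps built-in defaults.
    return 0
}

# Usage inside a script (OPT_C is a hypothetical variable holding -c's value):
#   conf=$(select_conffile "$OPT_C" /etc/logcheck/logcheck.conf) || exit 1
#   [ -n "$conf" ] && . "$conf"
```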





Bug#344553: [Logcheck-devel] Bug#344553: logcheck: Fails silently to read config file

2005-12-31 Thread Markus Peuhkuri
Maximilian Attems wrote:
> if [ -r $CONFFILE ]; then
>
> i'm less than sure that this is the right way to go,
> we shouldn't need the $CONFFILE?
>
> what was the error message you were seeing?

The problem is that logcheck fails silently, if there is some problem
with config file; either typo or some problem with permissions.

Maybe a good alternative would be checking if $CONFFILE is set, like
below:

if [ -r "$CONFFILE" ]; then
  . "$CONFFILE"
elif [ ! -z "$CONFFILE" ]; then
  error "Config file $CONFFILE not exists or readable"
fi

Now, if CONFFILE is not set, then no error is printed, but if CONFFILE
is set but the file is not readable (or exists) then an error is printed.

The reason I suggested this was that I spent a good time wondering why
my changes did not change reporting while testing for #307585.  The
problem was that my temporary config file was mode 600 with my userid
and when run with sudo -u logcheck logcheck -t -c newconfig, the
logcheck uid was unable to read it but did not report any error.

-- 
Markus Peuhkuri | http://www.iki.fi/puhuri/







Bug#344553: logcheck: Fails silently to read config file

2005-12-23 Thread Markus Peuhkuri
Package: logcheck
Version: 1.2.42
Severity: minor
Tags: patch

Logcheck does not report any error if the config file is not readable
or does not exist.  This may easily happen, as logcheck is run as
logcheck user and while one is testing a new configuration on live
system with running configuration intact.

Following fragment may help:

 # Now source the config file - before things that should not be changed
 if [ -r $CONFFILE ]; then
-   . $CONFFILE
+   . $CONFFILE
+else
+error Config file $CONFFILE not exists or readable
 fi
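
Review bot: the added else branch runs whenever `[ -r $CONFFILE ]` is false, so it cannot tell a default config file that is simply absent from one that exists but is unreadable, and a setup that runs without a config file would now get an error. Consider reporting only when the file exists (`-f`) but is not readable, or when the path was given explicitly. Quoting `$CONFFILE` in the test would also stop an empty value from reducing the test to `[ -r ]`, which evaluates as true.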


-- System Information:
Debian Release: 3.1
  APT prefers stable
  APT policy: (900, 'stable'), (400, 'testing'), (300, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-rc4
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages logcheck depends on:
ii  adduser           3.80                      Add and remove users and groups
ii  cron              3.0pl1-92                 management of regular background p
ii  debconf [debconf  1.4.62                    Debian configuration management sy
ii  debianutils       2.15.1                    Miscellaneous utilities specific t
ii  grep              2.5.1.ds2-4               GNU grep, egrep and fgrep
ii  lockfile-progs    0.1.10                    Programs for locking and unlocking
ii  logcheck-databas  1.2.42                    database of system log rules for t
ii  logtail           1.2.42                    Print log file lines that have not
ii  mailx             1:8.1.2-0.20050715cvs-1   A simple mail user agent
ii  sendmail-bin [ma  8.13.4-3                  powerful, efficient, and scalable
ii  sysklogd [system  1.4.1-17                  System Logging Daemon

logcheck recommends no packages.

-- debconf information excluded






Bug#307585: ssh summaries for logcheck: a helper script

2005-12-23 Thread Markus Peuhkuri
As original submitter wrote, the ssh scan noise is a problem as important
log entries may get hidden into hundreds of scan lines and workarounds
(rate limits, port changes etc.) result just problems for legitimate use.

I wrote a small perl script that one can run instead of syslog-summary
by defining two lines in logcheck.conf:

SYSLOGSUMMARY=1
SYSLOG_SUMMARY=/usr/sbin/log-summary-ssh

This will print out (instead of 1000+ lines of ssh entries) lines like
ones below:

(normal logcheck output...)
Dec 21 21:55:30 host getty[4302]: tty1: input overrun

Invalid SSH login attempts: 1056
 425 192.0.2.1
 391 192.0.2.2
 121 192.0.2.3
  59 192.0.2.42
  44 192.0.2.9
  12 192.0.2.65
   3 192.0.2.39
   1 192.0.2.144
User names tried:
 0002593w (1), 127 (1), 16 (1), 1a4 (1), 1dd (1), 22b (1), 2a (1),
 4ct (1), 511 (1), 561 (1), 587 (1), 72 (2), 75 (1), 9ia (1),
 Aaron (2), Aba (2), Abel (2), Account (1), Barrera (1), Castro (1),
 (cut...)

Inverse mapping failures: 44
   44 192.0.2.9 != www.example.com


-- 
Markus Peuhkuri | http://www.iki.fi/puhuri/
#!/usr/bin/perl -wT

# log-summary-ssh
# Selects two lines that are very common with ssh scans.
# This script removes those from output and prints out aggregate
# statistics for those (both by host and by attempted user names).
#
# Reads from stdin or from command line arguments and prints to stdout.
#
# If you want to use this with logcheck, copy this to
# /usr/local/sbin/log-summary-ssh and add following lines to
# /etc/logcheck/logcheck.conf (or your config file):
#
# SYSLOGSUMMARY=1
# SYSLOG_SUMMARY=/usr/local/sbin/log-summary-ssh
#
# If you want to use both syslog-summary and this script, you need to
# write some kind of wrapper around those.
# #!/bin/sh
# syslog-summary $* | log-summary-ssh
#
# Markus Peuhkuri [EMAIL PROTECTED] 2005
# Use of this file is unrestricted.

use strict;
use Text::Wrap qw/wrap/;

my %h;          # hosts for failed attempts
my %u;          # user names for failed attempts
my $sshc = 0;   # number of "Illegal user" lines seen (also used as flag)
my %inv;        # failed ip => host mappings
my $invf = 0;   # number of inverse mapping failures (also used as flag)

while (<>) {
  if (m/^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Illegal user (.*) from (.*)$/) {
    my $ip = $2;
    chomp $ip;
    $h{$ip}++;
    $u{$1}++;
    $sshc++;
  } elsif (m/^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Address (.*) maps to (.*), but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!/) {
    $inv{$1}{$2}++;
    $invf++;
  } else {
    print $_;   # just print
  }
}

if ($sshc > 0) {
  printf "\nInvalid SSH login attempts: %d\n", $sshc;
  # hosts sorted by number of attempts, highest first
  for (sort {$h{$b} <=> $h{$a}} keys %h) {
    printf "% 4d %s\n", $h{$_}, $_;
  }
  my @users;
  for (sort keys %u) {
    push @users, sprintf("%s (%d)", $_, $u{$_});
  }
  print "\nUser names tried:\n", wrap(" ", " ", join(", ", @users)), "\n";
}

if ($invf > 0) {
  printf "\nInverse mapping failures: %d\n", $invf;
  for my $ip (sort keys %inv) {
    for (sort keys %{$inv{$ip}}) {
      printf "% 5d %s != %s\n", $inv{$ip}{$_}, $ip, $_;
    }
  }
}


Bug#169960: at: Uncondition /bin/sh warning (patch included)

2005-09-29 Thread Markus Peuhkuri
Package: at
Version: 3.1.9
Tags: patch

I first planned to submit a bug for too verbose at command, but then I
found this old one.  I added a new flag '-s' for 'silent' that inhibits
POSIX2-required warning of using /bin/sh and printing of time.

Other alternative would be defining some environment variable like
'SHUT_UP_AT_I_KNOW_YOU_USE_BIN_SH_THANKS' :-) and check for that.

if (getenv("SHUT_UP_AT_I_KNOW_YOU_USE_BIN_SH_THANKS"))
  silent = 1;

instead of that fragment in getopt-switch.

-- 
Markus Peuhkuri | http://iki.fi/puhuri/
--- at.c~   2005-08-02 12:15:24.0 +0300
+++ at.c2005-09-29 21:20:29.362365032 +0300
@@ -131,7 +131,7 @@
 static void sigc(int signo);
 static void alarmc(int signo);
 static char *cwdname(void);
-static void writefile(time_t runtimer, char queue);
+static void writefile(time_t runtimer, char queue, int silent);
 static void list_jobs(void);
 
 /* Signal catching functions */
@@ -220,7 +220,7 @@
 }
 
 static void
-writefile(time_t runtimer, char queue)
+writefile(time_t runtimer, char queue, int silent)
 {
 /* This does most of the work if at or batch are invoked for writing a job.
  */
@@ -494,7 +494,8 @@
 runtime = localtime(runtimer);
 
 strftime(timestr, TIMESIZE, TIMEFORMAT_POSIX, runtime);
-fprintf(stderr, job %ld at %s\n, jobno, timestr);
+if (!silent)
+  fprintf(stderr, job %ld at %s\n, jobno, timestr);
 
 /* Signal atd, if present. Usual precautions taken... */
 fd = open(PIDFILE, O_RDONLY);
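
Review bot: guarding the `job %ld at %s` line with `silent` also hides the job number, and this is the only place in the hunk where `jobno` reaches the caller; a script that wants to inspect or remove the job later needs it. Consider leaving this line unconditional and letting `-s` suppress only the /bin/sh warning, or document that `-s` drops the job id.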
@@ -727,8 +728,9 @@
 char *pgm;
 
 int program = AT;  /* our default program */
-char *options = q:f:MmvldhVc;/* default options for at */
+char *options = q:f:MmvldhVcs;   /* default options for at */
 int disp_version = 0;
+int silent = 0;
 time_t timer;
 struct passwd *pwe;
 struct group *ge;
@@ -828,6 +830,10 @@
disp_version = 1;
break;
 
+   case 's':
+   silent = 1;
+   break;
+
case 'c':
program = CAT;
options = ;
@@ -910,9 +916,10 @@
   It also alows a warning diagnostic to be printed.  Because of the
   possible variance, we always output the diagnostic. */
 
-   fprintf(stderr, warning: commands will be executed using /bin/sh\n);
+   if (!silent)
+ fprintf(stderr, warning: commands will be executed using /bin/sh\n);
 
-   writefile(timer, queue);
+   writefile(timer, queue, silent);
break;
 
 case BATCH:
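
Review bot: the comment directly above the changed `fprintf` still ends with "we always output the diagnostic", which stops being true once the warning is wrapped in `if (!silent)`. Update the comment to say the warning is printed unless `-s` is given.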
@@ -930,7 +937,7 @@
struct tm *tm = localtime(timer);
fprintf(stderr, %s\n, asctime(tm));
}
-   writefile(timer, queue);
+   writefile(timer, queue, silent);
break;
 
 default:
--- at.1.in~2005-08-02 11:53:11.0 +0300
+++ at.1.in 2005-09-29 21:23:12.847511512 +0300
@@ -9,7 +9,7 @@
 .IR queue ]
 .RB [ -f
 .IR file ]
-.RB [ -mldbv ]
+.RB [ -mldbvs ]
 .B TIME
 .br
 .B at -c
@@ -27,6 +27,7 @@
 .RI [ job... ]
 .br
 .B batch
+.RB [ -s ]
 .SH DESCRIPTION
 .B at
 and
@@ -227,6 +228,10 @@
 .B
 \-c
 cats the jobs listed on the command line to standard output.
+.TP
+.B
+\-s
+does not print diagnostic output.
 .SH FILES
 .I @ATJBD@
 .br
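
Review bot: "does not print diagnostic output" in the new `\-s` entry is broader than what the at.c change suppresses, which is the /bin/sh warning and the `job ... at ...` line. Name those two messages in the description so users do not expect error messages to be silenced as well.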


Bug#298291: logcheck-database: Printer out-of-paper reported

2005-03-06 Thread Markus Peuhkuri
Package: logcheck-database
Version: 1.2.34
Severity: minor


I have parallel port attached printer and kernel reports whenever
printer is out of paper:

Mar  6 12:38:50 host kernel: lp0 out of paper

However, this is not a situation that should be reported by default
(IMHO) by logcheck sending report email.  Thus I propose adding
following line to ignore.d.workstation/logcheck (possibly to .server
too):

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: lp\d out of paper

I get a lot of those because I have old HP Laserjet5L with paper feed
problems...

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.9
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages logcheck-database depends on:
ii  debconf [debconf-2.0] 1.4.30.11  Debian configuration management sy

-- debconf information:
  logcheck-database/conffile-cleanup: false
  logcheck-database/rules-directories-note:
  logcheck-database/standard-rename-note:

