Installed library files (mostly kernel modules) not belonging to any package in tiger audit report

2012-11-02 Thread Maarten Derickx
Dear All,

Today I got the following in my tiger security audit:

# Checking installed files against packages...
--WARN-- [lin001w] File `/lib/init/rw/.ramfs' does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.32-5-amd64/modules.softdep' does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.32-5-amd64/modules.symbols' does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.32-5-amd64/modules.dep' does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.32-5-amd64/modules.dep.bin' does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.32-5-amd64/modules.devname' does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.32-5-amd64/modules.alias.bin' does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.32-5-amd64/modules.alias' does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.32-5-amd64/modules.symbols.bin' does not belong to any package.

I suspect all the missing kernel modules are caused by me recently
installing open-vm-modules-2.6.32-5-amd64.
But I installed that using apt, so tiger should recognize that they belong
to a package. Looking in dpkg.log, it should be one of the following
packages:

2012-11-01 12:51:21 status installed gcc-4.3-base 4.3.5-4
2012-11-01 12:51:21 status installed cpp-4.3 4.3.5-4
2012-11-01 12:51:21 status installed gcc-4.3 4.3.5-4
2012-11-01 12:51:21 status installed linux-headers-2.6.32-5-common 2.6.32-46
2012-11-01 12:51:21 status installed linux-kbuild-2.6.32 2.6.32-1
2012-11-01 12:51:21 status installed linux-headers-2.6.32-5-amd64 2.6.32-46
2012-11-01 12:51:52 status installed open-vm-modules-2.6.32-5-amd64 1:8.4.2-261024-1+2.6.32-46

Is this a bug in one of the packages not claiming ownership of one of the
files it installs?
If so, how do I report this?

Thanks Maarten
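A triage helper for reports like the one above, added here as an example and not part of tiger or of any Debian package. It re-joins warning lines that were wrapped in the mail, re-checks ownership with `dpkg -S` when dpkg is present (a stub lookup can be passed instead), and separates the `modules.*` index files that depmod(8) regenerates on every module install from other unowned paths. The depmod index files are written by the kernel and module packages' maintainer scripts rather than unpacked from a .deb, so dpkg never records them and this tiger check flags them after every such install; anything else it flags is worth a manual look, since a file nobody owns is also what a dropped binary or module looks like. The sample report is constructed from the lines quoted in the post.

```python
"""Triage tiger "[lin001w] ... does not belong to any package" warnings.

Added example, not code from tiger or Debian. It re-joins wrapped
warning lines, optionally re-checks ownership with `dpkg -S`, and
separates the module index files that depmod(8) regenerates (never
unpacked from a .deb, so always unowned) from unowned paths that still
deserve a manual look.
"""
import re
import shutil
import subprocess

# Index files written by depmod when a module package is installed; they
# are produced by maintainer scripts, so dpkg has no record of them.
DEPMOD_OUTPUTS = frozenset({
    "modules.dep", "modules.dep.bin",
    "modules.alias", "modules.alias.bin",
    "modules.symbols", "modules.symbols.bin",
    "modules.softdep", "modules.devname", "modules.builtin.bin",
})

WARN_RE = re.compile(
    r"--WARN-- \[lin001w\] File `(?P<path>[^']+)' does not belong to any package\."
)
MODDIR_RE = re.compile(r"^/lib/modules/[^/]+/(?P<base>[^/]+)$")


def unwrap_report(report):
    """Re-join lines wrapped in transit: a line that does not start a new
    tiger record ('--' or '#') is a continuation of the previous one."""
    records = []
    for line in report.splitlines():
        if not line.strip():
            continue
        if line.startswith(("--", "#")) or not records:
            records.append(line.strip())
        else:
            records[-1] = records[-1] + " " + line.strip()
    return records


def flagged_paths(report):
    """Paths named in lin001w warnings, in report order."""
    paths = []
    for record in unwrap_report(report):
        m = WARN_RE.match(record)
        if m:
            paths.append(m.group("path"))
    return paths


def dpkg_owner(path):
    """Package(s) owning `path` per `dpkg -S`, or None if unowned or dpkg
    is not available on this host."""
    if shutil.which("dpkg") is None:
        return None
    result = subprocess.run(["dpkg", "-S", path], capture_output=True, text=True)
    if result.returncode != 0:
        return None
    # Output is "pkg[, pkg2]: /path"; keep only the package list.
    return result.stdout.split(":", 1)[0].strip()


def classify(path, owner_lookup=dpkg_owner):
    """Verdict for one flagged path."""
    owner = owner_lookup(path)
    if owner:
        return "owned by " + owner
    m = MODDIR_RE.match(path)
    if m and m.group("base") in DEPMOD_OUTPUTS:
        return "depmod-generated"
    return "unowned: investigate"


def triage(report, owner_lookup=dpkg_owner):
    """Map every flagged path to its verdict."""
    return {p: classify(p, owner_lookup) for p in flagged_paths(report)}


# Constructed from the report quoted in the post, wrapped as the mail was.
SAMPLE_REPORT = """\
# Checking installed files against packages...
--WARN-- [lin001w] File `/lib/init/rw/.ramfs' does not belong to any
package.
--WARN-- [lin001w] File `/lib/modules/2.6.32-5-amd64/modules.softdep' does
not belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.32-5-amd64/modules.dep.bin' does
not belong to any package.
"""

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_REPORT).items():
        print(f"{verdict:24} {path}")
```

Run it on a saved tiger report with `triage(open("report.txt").read())`; on a host without dpkg, or in a test, pass `owner_lookup=lambda p: None` to skip the ownership query. The `.ramfs` path is deliberately left as "investigate" rather than explained away: the example only whitelists what depmod is known to write.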


Bug in logwatch? (not all archives are checked and --logdir is partially ignored).

2012-04-29 Thread Maarten Derickx
Dear All,

I'm using debian 6.0.4 and recently I ran into trouble using logwatch. I
have installed logwatch using apt-get and the only change I made to the
config related to logwatch is:

--- /dev/null
+++ b/logwatch/conf/logwatch.conf
@@ -0,0 +1 @@
+Range = since -7 days
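Review bot: this hunk only sets Range, and per the --archives text quoted further down a range other than `all` makes logwatch read "the appropriate archived logs", where which files count as archives is defined by the logfile group's Archive glob in logfiles/secure.conf, so this line alone does not bring /var/log/auth.log.1 into the search; the Archive pattern for the sshd group has to match that file name.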

and I set up a cronjob to get weekly mails. Now I noticed that not all my
login attempts using sshd were shown in these mails, so I tried to start
debugging it.

The strange thing is that when I do:

logwatch --service sshd --archives

I get only 3 logins 2 from mderickx and 1 from sageslave. (see Output 1
below)

While a simple grep of the log directory shows that in the last week there
were also 2+8=10 logins (see Output 2 below). The 8 additional logins are in
the auth.log.1 file. According to the documentation of the --archives
argument the auth.log.1 file should also get checked. I quote the documentation:

--archives
Each log-file-group has basic logfiles (i.e. /var/log/messages) as well as
archives (i.e. /var/log/messages.? or /var/log/messages.?.gz).  When used
 with --range all, this option will make Logwatch search through the
archives in addition to the regular logfiles.  For other values of --range,
Logwatch will search the appropriate archived logs.


The strange thing is that if I now do:

root@md:/var/log# gzip auth.log.1

and then

logwatch --service sshd --archives

then I do get the expected amount of 10 logins for the user mderickx in the
logwatch output. So it seems that, in contrast to what the documentation
suggests, the uncompressed archive /var/log/auth.log.1 is not checked!


While debugging the above (I'd rather not mess with my logfiles when not
necessary) I copied auth.log and auth.log.1 to /tmp and modified the
files to see how logwatch would react. And the strange thing is that when I
did

logwatch --logdir /tmp

I also got a lot of logwatch output related to for example apache while
there are no apache logs in /tmp. It seems like it also goes to /var/log
for files it cannot find in /tmp, which again doesn't match the
documentation.

--logdir directory
  Look in directory for log subdirectories or log files instead
of the default directory.

It clearly says instead and not in addition to or something like first look
in directory and if it is not found look in the default directory.



I hope I didn't scare you with the long mail, but I think it will be more
useful than a short cryptic question in which it is harder to see what the
exact problem is.

Thanks Maarten


Output 1:

root@md:/var/log# logwatch --service sshd --archives

 ################### Logwatch 7.3.6 (05/19/07) ####################
        Processing Initiated: Sun Apr 29 13:46:24 2012
        Date Range Processed: since -7 days
                              ( 2012-Apr-22 / 2012-Apr-29 )
                              Period is day.
        Detail Level of Output: 0
        Type of Output/Format: stdout / text
        Logfiles for Host: md
 ##################################################################

 --------------------- SSHD Begin ------------------------

 Users logging in through sshd:
    mderickx:
       82.139.86.4 (ip82-139-86-4.lijbrandt.net): 2 times
    sageslave:
       127.0.0.1 (localhost): 1 time

 ---------------------- SSHD End -------------------------


 ###################### Logwatch End #########################




Output 2


root@md:/var/log# grep -r sshd ./ | grep mderickx | grep Accepted
./auth.log.1:Apr 26 13:01:02 mdsage sshd[4001]: Accepted publickey for mderickx from 82.139.86.4 port 38018 ssh2
./auth.log.1:Apr 26 13:03:09 mdsage sshd[4074]: Accepted publickey for mderickx from 82.139.86.4 port 45710 ssh2
./auth.log.1:Apr 26 13:03:33 mdsage sshd[4089]: Accepted publickey for mderickx from 82.139.86.4 port 33735 ssh2
./auth.log.1:Apr 26 16:34:02 mdsage sshd[6821]: Accepted publickey for mderickx from 82.139.86.4 port 41634 ssh2
./auth.log.1:Apr 26 18:41:18 mdsage sshd[9467]: Accepted publickey for mderickx from 82.139.86.4 port 35548 ssh2
./auth.log.1:Apr 28 14:41:20 mdsage sshd[1414]: Accepted publickey for mderickx from 82.139.86.4 port 33067 ssh2
./auth.log.1:Apr 29 01:19:22 mdsage sshd[16827]: Accepted publickey for mderickx from 82.139.86.4 port 45557 ssh2
./auth.log.1:Apr 29 01:37:01 mdsage sshd[17073]: Accepted publickey for mderickx from 82.139.86.4 port 45161 ssh2
./auth.log:Apr 29 12:27:53 mdsage sshd[23051]: Accepted publickey for mderickx from 82.139.86.4 port 43719 ssh2
./auth.log:Apr 29 12:54:08 mdsage sshd[26049]: Accepted publickey for mderickx from 82.139.86.4 port 43200 ssh2


Re: Bug in logwatch? (not all archives are checked and --logdir is partially ignored).

2012-04-29 Thread Maarten Derickx
 Look at one of the config files that manages sshd (secure.conf), I think
 there can be a rule pattern definition error there.

 Greetings,

 --
 Camaleón

Thanks. There were no config files in /etc/ (only a directory
structure). But indeed there was a mistake in the file in
/usr/share/logwatch/default.conf/logfiles/secure.conf

There was a rule which said:

Archive = authlog.*

But this line should read:

Archive = auth.log.*

A closer inspection of the logfiles I cared about revealed that there
were also related errors. I made a patch with all the changes and
posted it at http://pastebin.com/6vALKDYN . What is the procedure for
getting these fixes into debian?

Thanks,
Maarten


Re: Bug in logwatch? (not all archives are checked and --logdir is partially ignored).

2012-04-29 Thread Maarten Derickx
2012/4/29 Maarten Derickx m.derickx.stud...@gmail.com


 A closer inspection of the logfiles I cared about revealed that there where 
 also related errors. I made a patch with all the changes and posted it at 
 http://pastebin.com/6vALKDYN . What is the procedure for getting these fixes 
 in debian?


 Thanks,
 Maarten


I filed the bugs and they have numbers: #670877 and #670880 respectively.