From 056b8a48fb9033d9d8b3b59c2a1ae486f1e982b2 Mon Sep 17 00:00:00 2001
From: MSVSphere Packaging Team
Date: Mon, 11 Dec 2023 16:37:20 +0300
Subject: [PATCH] import logwatch-7.4.3-21.el8
---
SOURCES/auditd-startup-messages.patch | 19 ++++++++
SOURCES/deduplicate-sudo.patch | 11 +++++
SOURCES/ignore-server-ready.patch | 13 ++++++
SOURCES/logwatch-failed-login.patch | 20 +++++++++
SOURCES/logwatch-pam-unix.patch | 20 +++++++++
SOURCES/polkit-startup-messages.patch | 13 ++++++
SOURCES/ras-correctable-errors.patch | 11 +++++
SOURCES/sendmail-6-digit-pid.patch | 12 ++++++
SOURCES/sshd-sort-by-count.patch | 23 ++++++++++
SOURCES/systemd-noise-filter.patch | 31 ++++++++++++++
SPECS/logwatch.spec | 62 ++++++++++++++++++++++++++-
11 files changed, 234 insertions(+), 1 deletion(-)
create mode 100644 SOURCES/auditd-startup-messages.patch
create mode 100644 SOURCES/deduplicate-sudo.patch
create mode 100644 SOURCES/ignore-server-ready.patch
create mode 100644 SOURCES/logwatch-failed-login.patch
create mode 100644 SOURCES/logwatch-pam-unix.patch
create mode 100644 SOURCES/polkit-startup-messages.patch
create mode 100644 SOURCES/ras-correctable-errors.patch
create mode 100644 SOURCES/sendmail-6-digit-pid.patch
create mode 100644 SOURCES/sshd-sort-by-count.patch
create mode 100644 SOURCES/systemd-noise-filter.patch
diff --git a/SOURCES/auditd-startup-messages.patch b/SOURCES/auditd-startup-messages.patch
new file mode 100644
index 0000000..5e809db
--- /dev/null
+++ b/SOURCES/auditd-startup-messages.patch
@@ -0,0 +1,19 @@
+--- a/scripts/services/audit 2022/01/22 17:22:03
++++ b/scripts/services/audit 2022/01/22 17:35:34
+@@ -134,10 +134,13 @@
+ ( $ThisLine =~ /type=[0-9]+ audit\([0-9.]*:[0-9]*\): table=/) or
+ ( $ThisLine =~ /audit_printk_skb: [0-9]* callbacks suppressed/) or
+ ( $ThisLine =~ /item=[0-9] name="\S*" inode=[0-9]+ dev=\S* mode=[0-9]* ouid=[0-9]* ogid=[0-9]* rdev=[0-9:]* obj=\S*/) or
+- ( $ThisLine =~ /^auditctl(?:\[[0-9]+\])?: No rules$/ )
++ ( $ThisLine =~ /^auditctl(?:\[[0-9]+\])?: No rules$/ ) or
++ ( $ThisLine =~ /No plugins found, not dispatching events/ )
+ ) {
+ # Ignore these entries
+- } elsif ( $ThisLine =~ /audit\([0-9]{10}.[0-9]{3}:[0-9]\): initialized$/) {
++ } elsif (( $ThisLine =~ /audit\([0-9]{10}.[0-9]{3}:[0-9]\): initialized$/ ) or
++ ( $ThisLine =~ /audit\([0-9]{10}.[0-9]{3}:[0-9]\): state=initialized / )
++ ) {
+ $NumberOfInits++;
+ } elsif ( $ThisLine =~ /Init complete, audit pid set to: [0-9]+/) {
+ $NumberOfDStartsPid++;
+
diff --git a/SOURCES/deduplicate-sudo.patch b/SOURCES/deduplicate-sudo.patch
new file mode 100644
index 0000000..ed92d4b
--- /dev/null
+++ b/SOURCES/deduplicate-sudo.patch
@@ -0,0 +1,11 @@
+--- a/conf/services/secure.conf 2016-03-30 23:32:33.000000000 +0200
++++ b/conf/services/secure.conf 2023-06-27 19:42:42.296713366 +0200
+@@ -24,7 +24,7 @@
+ # Use this to ignore certain services in the secure log.
+ # You can ignore as many services as you would like.
+ # (we ignore sshd because its entries are processed by the sshd script)
+-$ignore_services = sshd Pluto stunnel proftpd saslauthd imapd postfix/smtpd
++$ignore_services = sshd Pluto stunnel proftpd saslauthd imapd postfix/smtpd sudo
+ 
+ # For these services, summarize only (i.e. don't least each IP, just
+ # list the number of connections total)
diff --git a/SOURCES/ignore-server-ready.patch b/SOURCES/ignore-server-ready.patch
new file mode 100644
index 0000000..02085a8
--- /dev/null
+++ b/SOURCES/ignore-server-ready.patch
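Review bot: The new alternative `/No plugins found, not dispatching events/` files that message under "Ignore these entries", yet it means auditd's dispatcher has no audisp plugins loaded, so nothing beyond the local audit.log is receiving events; on a host that relies on a plugin for forwarding or alerting, that is a configuration regression a daily digest should surface, not hide. Consider handling it like the `initialized` case instead, e.g. `} elsif ( $ThisLine =~ /No plugins found, not dispatching events/ ) { $NumberOfNoPlugins++;` and printing the count once in the summary (the summary code is outside this hunk), or at minimum add a comment above the new line stating why it is considered harmless on this platform. The surrounding `if`/`elsif` chain starts and ends outside the inner hunk.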
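Review bot: The comment two lines above the changed `$ignore_services` line still explains only why `sshd` is ignored; with `sudo` now on the list the secure service stops reporting sudo entries and nothing tells the reader that another script is expected to cover them (the changelog's "already reported" wording implies the dedicated sudo service, which is inferred, not shown here). Extend the comment, e.g. `# (we ignore sshd and sudo because their entries are processed by the sshd and sudo scripts)`, so that anyone who later disables the sudo service understands that privilege-escalation records then disappear from the report entirely.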
@@ -0,0 +1,13 @@
+--- a/scripts/services/fail2ban
++++ b/scripts/services/fail2ban
+@@ -91,7 +91,8 @@
+ ($ThisLine =~ /INFO\s+(Stopping all jails|Exiting Fail2ban)/) or
+ ($ThisLine =~ /INFO\s+Initiated '.*' backend/) or
+ ($ThisLine =~ /INFO\s+(Added logfile = .*|Set maxRetry = \d+|Set findtime = \d+|Set banTime = \d+)/) or
+- ($ThisLine =~ /Unable to find a corresponding IP address for .*: \[Errno -2\] Name or service not known/)
++ ($ThisLine =~ /Unable to find a corresponding IP address for .*: \[Errno -2\] Name or service not known/) or
++ ($ThisLine =~ /: Server ready$/)
+ )
+ {
+ if ( $Debug >= 6 ) {
+
diff --git a/SOURCES/logwatch-failed-login.patch b/SOURCES/logwatch-failed-login.patch
new file mode 100644
index 0000000..a7cd5be
--- /dev/null
+++ b/SOURCES/logwatch-failed-login.patch
@@ -0,0 +1,20 @@
+--- a/scripts/services/sshd 2022/01/20 15:28:35 1.1
++++ b/scripts/services/sshd 2022/01/20 15:32:01
+@@ -1,3 +1,5 @@
++#!/usr/bin/env perl
++
+ ##########################################################################
+ # $Id$
+ ##########################################################################
+@@ -376,6 +378,11 @@
+ print STDERR "DEBUG: Found -Failed login- line\n";
+ }
+ $BadLogins{$Host}{"$User/$Method"}++;
++ } elsif ( my ($User,$Host) = ( $ThisLine =~ m/^Disconnected from authenticating user (\S+) (\S+) / ) ) {
++ if ( $Debug >= 5 ) {
++ print STDERR "DEBUG: Found -Disconnected Failed login- line\n";
++ }
++ $BadLogins{$Host}{$User}++;
+ } elsif ($ThisLine =~ s/^(log: )?Could not reverse map address ([^ ]*).*$/$2/) {
+ $NoRevMap{$ThisLine}++;
+ } elsif ( my ($Address) = ($ThisLine =~ /^reverse mapping checking getaddrinfo for (\S+( \[\S+\])?) failed - POSSIBLE BREAK-IN ATTEMPT!/)) {
diff --git a/SOURCES/logwatch-pam-unix.patch b/SOURCES/logwatch-pam-unix.patch
new file mode 100644
index 0000000..0ec20f1
--- /dev/null
+++ b/SOURCES/logwatch-pam-unix.patch
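Review bot: The new `Disconnected from authenticating user` branch stores its count as `$BadLogins{$Host}{$User}` while the `Failed login` branch directly above stores `$BadLogins{$Host}{"$User/$Method"}`, so the same user from the same host is rendered as two unrelated rows in the "Failed logins from" section. OpenSSH normally emits the `Disconnected from authenticating user ...` line after the `Failed password ...` lines of the same session (sshd behaviour, not visible in the hunk), so counting both also inflates the per-host totals that administrators compare against alert thresholds. Either keep the key shape of the sibling branch, e.g. `$BadLogins{$Host}{"$User/disconnect"}++;`, or accumulate these lines in a separate hash that the summary prints on its own line so readers can tell a disconnect from a rejected credential. The `elsif` chain continues outside the second inner hunk.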
@@ -0,0 +1,20 @@
+===================================================================
+RCS file: /usr/share/logwatch/scripts/services/RCS/pam_unix,v
+retrieving revision 1.1
+diff -u -r1.1 /usr/share/logwatch/scripts/services/pam_unix
+--- a/scripts/services/pam_unix 2022/01/20 14:21:24 1.1
++++ b/scripts/services/pam_unix 2022/01/20 14:22:35
+@@ -340,6 +340,12 @@
+ } else {
+ $data{$service}{'Unknown Entries'}{$line}++;
+ }
++ } elsif ($service eq 'systemd-user') {
++ if ($line =~ /session (?:opened|closed) for user /) {
++ # ignore this line
++ } else {
++ $data{$service}{'Unknown Entries'}{$line}++;
++ }
+ } else {
+ $data{$service}{'Unknown Entries'}{$line}++;
+ }
+
diff --git a/SOURCES/polkit-startup-messages.patch b/SOURCES/polkit-startup-messages.patch
new file mode 100644
index 0000000..7196be1
--- /dev/null
+++ b/SOURCES/polkit-startup-messages.patch
@@ -0,0 +1,13 @@
+--- a/scripts/services/secure
++++ b/scripts/services/secure
+@@ -273,6 +273,9 @@
+ ( $ThisLine =~ /polkit-grant-helper-pam\[\d+\]: pam_thinkfinger\(polkit:auth\): conversation failed/) or
+ ( $ThisLine =~ /polkitd\(authority=.*\): (Unr|R)egistered Authentication Agent/) or
+ ( $ThisLine =~ /polkitd\(authority=.*\): Operator of unix-session:/) or
++ ( $ThisLine =~ /polkitd.*Acquired the name .* on the system bus/) or
++ ( $ThisLine =~ /polkitd.*Finished loading, compiling/) or
++ ( $ThisLine =~ /polkitd.*Loading rules from directory /) or
+ ( $ThisLine =~ /(gdm-session-worker|gdm-password|gnome-screensaver-dialog)\[\d+\]: gkr-pam: no password is available for user/) or
+ ( $ThisLine =~ /gkr-pam: the password for the login keyring was invalid/) or
+ ( $ThisLine =~ /groupadd\[\d+\]: group added to /) or # Details in other messages
+
diff --git a/SOURCES/ras-correctable-errors.patch b/SOURCES/ras-correctable-errors.patch
new file mode 100644
index 0000000..b583fa6
--- /dev/null
+++ b/SOURCES/ras-correctable-errors.patch
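Review bot: The patch file carries RCS bookkeeping (`===...`, `RCS file: /usr/share/logwatch/scripts/services/RCS/pam_unix,v`, `retrieving revision 1.1`, `diff -u -r1.1 /usr/share/logwatch/...`) ahead of the `---`/`+++` headers, which none of the other nine patches in this commit do; patch(1) skips those lines, but they record an absolute path from the author's machine and make the SOURCES directory inconsistent. Trimming the four lines leaves the patch anchored only on `a/scripts/services/pam_unix`, matching its siblings. The added `systemd-user` branch itself mirrors the neighbouring branches and raises no concern.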
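Review bot: The three added patterns open with `polkitd.*`, which is looser than the neighbouring entries that pin the prefix as `polkitd\(authority=.*\)` or `name\[\d+\]:`, so any secure-log line that merely mentions polkitd somewhere before `Loading rules from directory ` (including another service quoting it) is silently dropped. Anchoring each one to the daemon's own prefix, for example `/^polkitd(?:\(authority=.*\))?\[\d+\]: Loading rules from directory /`, keeps the intended filtering without widening the ignore list; the exact prefix logged on this platform should be confirmed from a sample line before tightening. The enclosing `if` starts and ends outside the inner hunk.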
@@ -0,0 +1,11 @@
+--- a/scripts/services/kernel
++++ b/scripts/services/kernel
+@@ -135,6 +135,7 @@
+ $SkipError = 1 if $ThisLine =~ /ERST: Error Record Serialization Table \(ERST\) support is initialized/;
+ $SkipError = 1 if $ThisLine =~ /GHES: Generic hardware error source: \d+ notified via .* is not supported/;
+ $SkipError = 1 if $ThisLine =~ /PCIe errors handled by (?:BIOS|OS)/;
++ $SkipError = 1 if $ThisLine =~ /RAS: Correctable Errors collector initialized\.$/;
+ # These happen when kerberos tickets expire, which can be normal
+ $SkipError = 1 if $ThisLine =~ /Error: state manager encountered RPCSEC_GSS session expired against NFSv4 server/ && $Ignore_rpcsec_expired;
+ # filter out mount options
+
diff --git a/SOURCES/sendmail-6-digit-pid.patch b/SOURCES/sendmail-6-digit-pid.patch
new file mode 100644
index 0000000..74590c8
--- /dev/null
+++ b/SOURCES/sendmail-6-digit-pid.patch
@@ -0,0 +1,12 @@
+--- a/scripts/services/sendmail
++++ b/scripts/services/sendmail
+@@ -388,7 +388,7 @@
+ }
+ 
+ # QueueID formats: in 8.11 it was \w{7}\d{5}, in 8.12+ it is \w{8}\d{6}
+-my $QueueIDFormat = "(?:\\w{7,9}\\d{5}|NOQUEUE)";
++my $QueueIDFormat = "(?:\\w{7,9}\\d{5,6}|NOQUEUE)";
+ 
+ # ENOENT refers to "no such file or directory"
+ my $ENOENT = Errno::ENOENT();
+
diff --git a/SOURCES/sshd-sort-by-count.patch b/SOURCES/sshd-sort-by-count.patch
new file mode 100644
index 0000000..3da8e95
--- /dev/null
+++ b/SOURCES/sshd-sort-by-count.patch
@@ -0,0 +1,23 @@
+--- a/scripts/services/sshd
++++ b/scripts/services/sshd
+@@ -566,7 +566,8 @@
+ 
+ if (keys %BadLogins) {
+ print "\nFailed logins from:\n";
+- foreach my $ip (sort SortIP keys %BadLogins) {
++ my $totalSort = TotalCountOrder(%BadLogins, \&SortIP);
++ foreach my $ip (sort $totalSort keys %BadLogins) {
+ my $name = LookupIP($ip);
+ my $totcount = 0;
+ foreach my $user (keys %{$BadLogins{$ip}}) {
+@@ -587,7 +588,8 @@
+ 
+ if (keys %IllegalUsers) {
+ print "\nIllegal users from:\n";
+- foreach my $ip (sort SortIP keys %IllegalUsers) {
++ my $totalSort = TotalCountOrder(%IllegalUsers, \&SortIP);
++ foreach my $ip (sort $totalSort keys %IllegalUsers) {
+ my $name = LookupIP($ip);
+ my $totcount = 0;
+ foreach my $user (keys %{$IllegalUsers{$ip}}) {
+
diff --git a/SOURCES/systemd-noise-filter.patch b/SOURCES/systemd-noise-filter.patch
new file mode 100644
index 0000000..a8f2806
--- /dev/null
+++ b/SOURCES/systemd-noise-filter.patch
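Review bot: Both inner hunks call `TotalCountOrder(...)`, which this patch neither defines nor adds to the script's import list; newer upstream logwatch supplies it from its Logwatch module, but if the 7.4.3 module shipped by this package lacks it, or the `use Logwatch qw(...)` line at the top of `sshd` does not name it, the script dies with an undefined-subroutine error precisely when there are failed logins or illegal users to report, and those sections vanish from the digest with only a stderr message. Please confirm the helper exists in this package's Logwatch module and, where it is imported by name, extend the import list in the same patch (that line is outside both hunks). The second hunk (`%IllegalUsers`) has the same dependency, and both enclosing blocks continue past the hunk ends.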
@@ -0,0 +1,31 @@
+--- a/scripts/services/systemd 2022/01/20 16:00:56 1.1
++++ b/scripts/services/systemd 2022/01/20 16:14:16
+@@ -42,7 +42,7 @@
+ $ThisLine =~ / failed\.$/ or
+ $ThisLine =~ /: (control|main) process exited, code=(exited|killed),? status=/ or
+ # Informational
+- $ThisLine =~ /^Closed .* socket\.$/ or
++ $ThisLine =~ /^Closed .* [Ss]ocket\.$/ or
+ $ThisLine =~ /^Closed udev / or
+ $ThisLine =~ /^Detected (architecture|virtualization) / or
+ $ThisLine =~ /^Found device / or
+@@ -76,11 +76,17 @@
+ $ThisLine =~ /^Configuration file \/usr\/lib\/systemd\/system\/wpa_supplicant\.service is marked executable/ or
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1306452
+ $ThisLine =~ /^tmp\.mount: Directory \/tmp to mount over is not empty, mounting anyway\.$/ or
+- $ThisLine =~ /^Received SIGRTMIN\+2[01] from PID \d+ \(plymouthd\)\.$/ or
++ $ThisLine =~ /^Received SIGRTMIN\+2[01] from PID \d+ \((?:plymouthd|n\/a)\)\.$/ or
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1072368
+ $ThisLine =~ /^Received SIGRTMIN\+24 from PID \d+ \(kill\)\.$/ or
+ $ThisLine =~ /^Removed slice / or
+- $ThisLine =~ /^pam_unix\(systemd-user:session\): session (?:opened|closed) for user/
++ $ThisLine =~ /^pam_unix\(systemd-user:session\): session (?:opened|closed) for user/ or
++ # Ex: user-runtime-dir@1001.service: Succeeded.
++ $ThisLine =~ /: Succeeded\.$/ or
++ # Ex: Reloading Fail2Ban Service.
++ $ThisLine =~ /^Reloading .*\.$/ or
++ # Ex: Set up automount Arbitrary Executable File Formats File System Automount Point.
++ $ThisLine =~ /^Set up .*\.$/
+ ) {
+ # Ignore these
+ } elsif (my ($service) = ($ThisLine =~ /^Unit (.*) entered failed state\.$/)) {
diff --git a/SPECS/logwatch.spec b/SPECS/logwatch.spec
index db2c422..f8eb932 100644
--- a/SPECS/logwatch.spec
+++ b/SPECS/logwatch.spec
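Review bot: `/^Reloading .*\.$/` and `/^Set up .*\.$/` in the second inner hunk are far wider than the examples in the comments above them: the greedy `.*` makes them suppress every systemd line that begins with those words, not only the service reload and the automount message, and `/: Succeeded\.$/` is unanchored at the start so it hides the completion line of any unit. If only the cited cases are meant, encoding them in the regex, e.g. `/^Set up automount .*\.$/` and `/^Reloading .* Service\.$/`, documents the intent and keeps unrelated reload or setup messages visible; whether broader suppression is desired is a packaging decision, but the comment should then say so. The `(?:plymouthd|n\/a)` widening also ignores SIGRTMIN+20/21 from a sender systemd could not name, which is presumably acceptable noise but worth a comment. The enclosing `if` starts outside this hunk.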
@@ -1,7 +1,7 @@ Summary: A log file analysis program Name: logwatch Version: 7.4.3 -Release: 11%{?dist} +Release: 21%{?dist} License: MIT Group: Applications/System URL: http://www.logwatch.org/ @@ -24,6 +24,16 @@ Patch7: logwatch-sshd-2.patch # https://sourceforge.net/p/logwatch/git/ci/b325c68f83ef6c3e3ec9f35c8fdeff5b43fd8559/ # cherry-pick hunk at @@ -224,7 +224,7 @@ Patch8: logwatch-dovecot.patch +Patch9: logwatch-pam-unix.patch +Patch10: logwatch-failed-login.patch +Patch11: systemd-noise-filter.patch +Patch12: auditd-startup-messages.patch +Patch13: ignore-server-ready.patch +Patch14: ras-correctable-errors.patch +Patch15: deduplicate-sudo.patch +Patch16: polkit-startup-messages.patch +Patch17: sshd-sort-by-count.patch +Patch18: sendmail-6-digit-pid.patch BuildRequires: perl-generators Requires: grep mailx @@ -50,6 +60,16 @@ of the package on many systems. %patch6 -p1 %patch7 -p1 %patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 +%patch14 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 +%patch18 -p1 rm -f scripts/services/*.orig %build 
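Review bot: Patch7 and Patch8 carry a comment naming the upstream commit they cherry-pick, but the ten new `Patch9:` through `Patch18:` lines in the second hunk are added bare, so the spec no longer records which of them are upstream backports (sshd-sort-by-count looks like one, inferred rather than shown) and which are downstream-only, which is what the next rebase needs to know. A one-line comment above each entry in the existing style, e.g. `# https://sourceforge.net/p/logwatch/git/ci/<commit>/` or `# downstream only, rhbz#<bug>`, keeps the list self-describing. The `%patchN -p1` block in the third hunk simply mirrors the list and is fine.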
@@ -149,6 +169,46 @@ echo "# Configuration overrides for specific logfiles/services may be placed her %{_mandir}/man*/* %changelog +* Wed Jun 28 2023 Pavel Šimovec - 7.4.3-21 +- fix sendmail logwatch script to allow 6-digit PIDs +- Resolves: rhbz#2046459 + +* Wed Jun 28 2023 Pavel Šimovec - 7.4.3-20 +- sshd sort failed logins and illegal users by count, not IP address +- Resolves: rhbz#2044101 + +* Wed Jun 28 2023 Pavel Šimovec - 7.4.3-19 +- ignore harmless polkit startup messages +- Resolves: rhbz#2043952 + +* Tue Jun 27 2023 Pavel Šimovec - 7.4.3-18 +- ignore sudo service as it is already reported in secure service +- Resolves: rhbz#2043951 + +* Tue Jun 27 2023 Pavel Šimovec - 7.4.3-17 +- do not treat "RAS: Correctable Errors collector initialized" message as an error +- Resolves: rhbz#2043946 + +* Tue Jun 27 2023 Pavel Šimovec - 7.4.3-16 +- ignore normal "Server ready" startup message from fail2ban +- Resolves: rhbz#2043944 + +* Tue Jun 27 2023 Pavel Šimovec - 7.4.3-15 +- ignore a couple of normal auditd startup messages +- Resolves: rhbz#2043942 + +* Tue Jun 27 2023 Pavel Šimovec - 7.4.3-14 +- patch to logwatch systemd script to add some filtering +- Resolves: rhbz#2043109 + +* Thu Apr 20 2023 Pavel Šimovec - 7.4.3-13 +- fix unrecognized "Disconnected from authenticating user" failed logins +- Resolves: rhbz#2043088 + +* Thu Apr 20 2023 Pavel Šimovec - 7.4.3-12 +- add logwatch-pam-unix.patch +- Resolves: rhbz#2043044 + * Fri May 07 2021 Vincent Mihalkovic - 7.4.3-11 - add gating.yaml file