authorErich Eckner <git@eckner.net>2020-04-07 09:55:04 +0200
committerErich Eckner <git@eckner.net>2020-04-07 09:55:04 +0200
commitfb1f67eb24c1404b0788ef4cb374e784b75efa67 (patch)
tree6d0f15e847f340441b829eebc62d5ae33813cfeb
parent62dcef14edf09feb4cd0ed0250a3855901b9f9ac (diff)
downloadlogwatch-overrides-fb1f67eb24c1404b0788ef4cb374e784b75efa67.tar.xz
secure: merged upstream
-rw-r--r--secure282
1 files changed, 106 insertions, 176 deletions
diff --git a/secure b/secure
index dbe1935..db43a60 100644
--- a/secure
+++ b/secure
@@ -1,156 +1,11 @@
-#!/usr/bin/perl
-#########################################################################
-# $Id$
-##########################################################################
-# $Log: secure,v $
-# Revision 1.86 2009/11/14 16:26:41 kirk
-# *** empty log message ***
-#
-# Revision 1.85 2009/06/02 14:59:58 mike
-# Fedora patch from Ivan Varekova -mgt
-#
-# Revision 1.84 2008/03/24 23:31:26 kirk
-# added copyright/license notice to each script
-#
-# Revision 1.83 2007/11/28 18:51:00 mike
-# Irix su format added [I know but I could not help myself] -mgt
-#
-# Revision 1.82 2007/11/25 20:11:04 bjorn
-# Additional filtering, by Ivana Varekova.
-#
-# Revision 1.81 2007/07/08 18:40:45 mrc
-# Fixed spelling typo [Thanks: Justin Pryzby/Willi Mann]
-#
-# Revision 1.80 2007/06/18 04:07:44 bjorn
-# Added some support for VmWare messages, by Hugo van der Kooij.
-#
-# Revision 1.79 2007/04/28 23:56:32 bjorn
-# Filtering closing connection statement, by Ivana Varekova.
-#
-# Revision 1.78 2007/04/15 19:19:24 bjorn
-# Added filtering for pam_rhosts_auth for rsh, by James Tanis.
-#
-# Revision 1.77 2007/01/29 18:29:14 bjorn
-# Handling of "BAD SU", and removing process number, by Markus Lude.
-#
-# Revision 1.76 2006/12/15 05:45:15 bjorn
-# Additional filtering for debian-specific lines that are already reported
-# in pam service. Note that debian uses different wording or case than other
-# distributions, so it should only be ignored for debian. Changes submitted
-# by Willi Mann.
-#
-# Revision 1.75 2006/12/15 04:40:24 bjorn
-# Fixed older patch, and added new string reported by Orion Poplawski.
-#
-# Revision 1.74 2006/09/15 15:40:58 bjorn
-# Additional filtering by Ivana Varekova.
-#
-# Revision 1.73 2006/07/28 23:38:53 bjorn
-# Corrected order "su" statement.
-#
-# Revision 1.72 2006/07/28 17:41:15 bjorn
-# Accounts for log turnover and tty numbering in BSD, and count all 'su',
-# by Markus Lude.
-#
-# Revision 1.71 2006/07/11 15:41:58 bjorn
-# Modified filtering for pam_timestamp, by Ivana Varekova.
-#
-# Revision 1.70 2006/05/18 20:08:00 bjorn
-# Additional processing for Mac OS X, by Laurent Dufour.
-#
-# Revision 1.69 2006/03/20 20:42:57 bjorn
-# Additional filtering, by Ivana Varekova.
-#
-# Revision 1.68 2006/03/13 20:10:31 bjorn
-# Additional detection/reporting for user/group add/remove, by Willi Mann.
-#
-# Revision 1.67 2006/01/31 20:33:30 bjorn
-# Correction to previous patch.
-#
-# Revision 1.66 2006/01/31 20:18:01 bjorn
-# Additional filtering, some Debian-specific, by Willi Mann.
-#
-# Revision 1.65 2006/01/20 22:31:04 bjorn
-# Handle new pam_unix format, by Ivana Varekova.
-#
-# Revision 1.64 2005/12/06 02:37:34 bjorn
-# Report cvs password mismatches, by Ivana Varekova.
-#
-# Revision 1.63 2005/12/01 04:26:20 bjorn
-# Fixed uid, gid references in NewUser and NewGroups, and removed newlines.
-#
-# Revision 1.62 2005/12/01 00:34:43 bjorn
-# Changed arrays to strings to keep formatting consistent when printing output.
-#
-# Revision 1.61 2005/10/26 05:50:21 bjorn
-# Allow case insensitivity for uid, gid, by Ivana Varekova
-#
-# Revision 1.60 2005/09/29 15:02:00 bjorn
-# Added password change, userhelper apps, filtering pam_timestamp, all by
-# Ivana Varekova.
-#
-# Revision 1.59 2005/09/28 18:25:55 mike
-# Patch from David Baldwin for service_limit and connections per sec -mgt
-#
-# Revision 1.58 2005/09/28 17:25:48 mike
-# pam_abl patch from Gilles Detillieux -mgt
-#
-# Revision 1.57 2005/09/26 17:23:36 mike
-# Patch from David Baldwin, catch non PID loglines -mgt
-#
-# Revision 1.56 2005/09/13 18:42:58 mike
-# Patch from David Baldwin, more su cases and inetd rsh. -mgt
-#
-# Revision 1.55 2005/08/27 00:40:41 mike
-# Solaris 9 patch for su from Markus Lude -mgt
-#
-# Revision 1.54 2005/08/23 23:15:40 mike
-# Added su for openbsd from Shaun O'Meara also the Solaris su patch from mgt -mgt
-#
-# Revision 1.53 2005/05/10 23:50:01 bjorn
-# Changed instance of variable $Name to $Namev to avoid conflict with cvs
-#
-# Revision 1.52 2005/04/22 13:55:55 bjorn
-# Re-ordered some statements, by Paweł Gołaszewski
-#
-# Revision 1.51 2005/04/21 17:51:00 bjorn
-# Handle <no address> instead of IP address
-#
-# Revision 1.50 2005/04/17 23:33:57 bjorn
-# Added password failure checking and pam filtering from Paweł Gołaszewski and
-# Paul Wolstenholme
-#
-# Revision 1.49 2005/02/24 17:08:05 kirk
-# Applying consolidated patches from Mike Tremaine
-#
-# Revision 1.15 2005/02/21 19:09:52 mgt
-# Bump to 5.2.8 removed some cvs logs -mgt
-#
-# Revision 1.14 2005/02/16 00:43:28 mgt
-# Added #vi tag to everything, updated ignore.conf with comments, added emerge and netopia to the tree from Laurent -mgt
-#
-# Revision 1.13 2005/02/13 21:26:13 mgt
-# patches from Michael Weiser -mgt
-#
-# Revision 1.12 2005/02/13 20:28:42 mgt
-# More init corrections -mgt
-#
-# Revision 1.11 2005/02/13 02:27:02 mgt
-# fixed uninitalized value -mgt
-#
-# Revision 1.10 2004/10/15 19:24:07 mgt
-# added per service flooring -mgt
-#
-# Revision 1.9 2004/10/06 21:40:44 mgt
-# Patches from Kenneth -mgt
-#
-# Revision 1.8 2004/07/29 19:33:29 mgt
-# Chmod and removed perl call -mgt
-#
-# Revision 1.7 2004/07/10 01:54:35 mgt
-# sync with kirk -mgt
-#
-##########################################################################
+
+########################################################
+# Please file all bug reports, patches, and feature
+# requests under:
+# https://sourceforge.net/p/logwatch/_list/tickets
+# Help requests and discusion can be filed under:
+# https://sourceforge.net/p/logwatch/discussion/
+########################################################
#######################################################
## Copyright (c) 2008 Kirk Bauer
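Review bot: The new side drops the `#!/usr/bin/perl` line together with the CVS log, so the file no longer names an interpreter; with the mode left at 100644 this is presumably fine because logwatch runs its filter scripts through perl itself, but it should be confirmed that nothing in this overrides tree invokes `secure` directly. A one-line statement in the new header would settle it for the next reader: `# Executed by logwatch via perl; not intended to be run as a standalone script.`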
@@ -182,6 +37,7 @@ $PwdChange = 0;
$RequestKeyFailures = 0;
%OtherList = ();
%RootkitHunter = ();
+%sshguardAttackers = ();
use Logwatch ':ip';
while (defined($ThisLine = <STDIN>)) {
@@ -191,7 +47,7 @@ while (defined($ThisLine = <STDIN>)) {
$ThisLine =~ s/\[ID [0-9]+ [a-z]+\.[a-z]+\] //;
my $temp = $ThisLine;
$temp =~ s/^([^[:]+).*/$1/;
- if ($Ignore =~ /\b\Q$temp\E\b/i) { next; }
+ if ($Ignore =~ /(\s|^)\Q$temp\E(\s|$)/i) { next; }
#current sarge
if ($ThisLine =~ /^[^ :]*:( [0-9:\[\]\.]+|) \(pam_(unix|securetty)\)/i ) {next; }
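Review bot: The rewritten `$Ignore` test captures `(\s|^)` and `(\s|$)` although nothing reads `$1`/`$2`; non-capturing groups state the intent and stop an earlier capture from being clobbered: `if ($Ignore =~ /(?:^|\s)\Q$temp\E(?:\s|$)/i) { next; }`. The comparison also deserves a comment, because `$temp` is the line truncated at the first `[` or `:` and `\Q` is what keeps a configured service name from being interpreted as a pattern: `# $Ignore is a whitespace-separated list of service names; match the whole token, not a \b-delimited prefix`. The enclosing `while` loop starts above the hunk.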
@@ -199,14 +55,13 @@ while (defined($ThisLine = <STDIN>)) {
#Woody - specific, thanks to Michael Stovenour
if ($ThisLine =~ /^PAM_unix[\[\]0-9]*:/i ) { next; }
- if (( $ThisLine =~ /pam_succeed_if(\([a-zA-Z]*:[a-zA-Z]*\))?: requirement \"uid (<|>)=? 1000?\" (was|not) met by user /) or
+ if (( $ThisLine =~ /pam_succeed_if(\([a-zA-Z]*:[a-zA-Z]*\))?: requirement \"uid (<|>)=? (5|10)00?\" (was|not) met by user /) or
( $ThisLine =~ /pam_rhosts_auth\[\d+\]: allowed to [^ ]+ as \w+/) or
( $ThisLine =~ /pam_rhosts_auth\([^\)]+\): allowed to [^ ]+ as \w+/) or
( $ThisLine =~ /^(.*)\(pam_unix\)/) or
( $ThisLine =~ /pam_unix\(.*:.*\)/) or
( $ThisLine =~ /pam_sss\(.*:.*\)/) or
( $ThisLine =~ m/^[^ ]+\[\d+\]: connect from localhost$/ ) or
- ( $ThisLine =~ /^\/usr\/bin\/sudo:/) or
( $ThisLine =~ /^halt:/) or
( $ThisLine =~ /^com.apple.SecurityServer: Succeeded authorizing right system.(preferences|login.console|login.tty|login.done|privilege.admin) by process/) or
( $ThisLine =~ /^pam_xauth\[\d+\]: call_xauth: child returned \d/) or
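Review bot: The widened `pam_succeed_if` pattern `(5|10)00?` accepts four thresholds (50, 100, 500, 1000); the trailing `?` is inherited from the old `1000?`, but combined with the alternation it now also matches `uid >= 50`, which is probably unintended. If only the two common first-regular-uid values are meant, spell them out: `requirement \"uid (<|>)=? (?:500|1000)\" (was|not) met by user`, and keep `100` in the alternation explicitly if that value is still seen. A short comment would explain the pair, e.g. `# 500 or 1000: first non-system uid differs between distributions`. The enclosing `if ((` starts above the hunk.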
@@ -214,7 +69,7 @@ while (defined($ThisLine = <STDIN>)) {
( $ThisLine =~ /^passwd\[\d+\]:/) or
( $ThisLine =~ /^passwd: gkr-pam: .*/) or
( $ThisLine =~ /^reboot:/) or
- ( $ThisLine =~ /^sudo:/) or
+ ( $ThisLine =~ /^(?:\/usr\/bin\/)?sudo(?:\[\d+\])?:/) or
( $ThisLine =~ /^su: pam_unix2: session (started|finished) for user [^ ]+, service [^ ]+/) or
( $ThisLine =~ /^xinetd\[\d+\]: USERID: ([^ ]+) (.+)$/ ) or
( $ThisLine =~ /warning: can.t get client address: Connection refused/) or
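Review bot: The consolidated `^(?:\/usr\/bin\/)?sudo(?:\[\d+\])?:` entry discards every sudo line this filter sees, including denied or failed invocations, without saying where they are reported instead; presumably the separate logwatch sudo service covers them, but the ignore list should say so, otherwise a reader checking this report assumes sudo failures are covered here. `( $ThisLine =~ /^(?:\/usr\/bin\/)?sudo(?:\[\d+\])?:/) or # sudo lines are reported by the sudo service`. The enclosing `if ((` starts above the hunk.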
@@ -229,6 +84,9 @@ while (defined($ThisLine = <STDIN>)) {
( $ThisLine =~ /^sshd\(\w+\)\[\d+\]: session /) or
( $ThisLine =~ /sshd\[\d+\]: Server listening on/) or
( $ThisLine =~ /sshd\[\d+\]: Received signal \d+; terminating/) or
+ ( $ThisLine =~ /sshd\[\d+\]: Disconnected from user/) or
+ ( $ThisLine =~ /sshd\[\d+\]: Received disconnect from/) or
+ ( $ThisLine =~ /sshd\[\d+\]: message repeated/) or
( $ThisLine =~ /^ipop3d\[\d+\]:/) or
( $ThisLine =~ /^su\[\d+\]: [+-] .+/) or
( $ThisLine =~ /^su\[\d+\]: FAILED su for \S+ by \S+/) or #debian: done in pam_unix
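Review bot: The new `sshd\[\d+\]: message repeated` entry ignores the whole syslog repeat-suppression wrapper regardless of what message is wrapped, so any sshd line that would otherwise be reported or land in Unmatched Entries is silently dropped once it repeats; the sshguard entry further down this list shows the wrapped form `message repeated \d+ times: \[ ...`. Restrict it to the two messages this hunk already ignores: `( $ThisLine =~ /sshd\[\d+\]: message repeated \d+ times: \[ (?:Disconnected from user|Received disconnect from)/) or`. The enclosing `if ((` starts above the hunk.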
@@ -262,21 +120,43 @@ while (defined($ThisLine = <STDIN>)) {
( $ThisLine =~ /userhelper.*: running (.*) with context (.*)/) or
( $ThisLine =~ /userhelper.*: pam_thinkfinger(.*): conversation failed/) or
( $ThisLine =~ /su: PAM [0-9] more authentication failure; .*/) or
+ ( $ThisLine =~ /su: No passwd entry for user '(.*)'/) or
( $ThisLine =~ /polkit-grant-helper\[\d+\]: granted authorization for [^ ]* to uid [0-9]* \[auth=.*\]/) or
( $ThisLine =~ /polkit-grant-helper\[\d+\]: granted authorization for [^ ]* to session .* \[uid=[0-9]*\]/) or
( $ThisLine =~ /polkit-grant-helper-pam\[\d+\]: pam_thinkfinger\(polkit:auth\): conversation failed/) or
- ( $ThisLine =~ /polkitd\(authority=.*\): (Unr|R)egistered Authentication Agent/) or
- ( $ThisLine =~ /polkitd\(authority=.*\): Operator of unix-session:/) or
+ ( $ThisLine =~ /polkitd(\(authority=.*\)|\[\d+\])?: (Unr|R)egistered Authentication Agent/) or
+ ( $ThisLine =~ /polkitd(\(authority=.*\)|\[\d+\])?: Operator of unix-session:/) or
+ ( $ThisLine =~ /polkitd(\(authority=.*\)|\[\d+\])?: Acquired the name [^ ]* on the system bus$/) or
+ ( $ThisLine =~ /polkitd(\(authority=.*\)|\[\d+\])?: Lost the name [^ ]* - exiting$/) or
+ ( $ThisLine =~ /polkitd(\(authority=.*\)|\[\d+\])?: Loading rules from directory /) or
+ ( $ThisLine =~ /polkitd(\(authority=.*\)|\[\d+\])?: Reloading rules/) or
+ ( $ThisLine =~ /polkitd(\(authority=.*\)|\[\d+\])?: Finished loading, compiling and executing \d+ rules$/) or
+ ( $ThisLine =~ /polkitd(\(authority=.*\)|\[\d+\])?: Collecting garbage unconditionally/) or
( $ThisLine =~ /(gdm-session-worker|gdm-password|gnome-screensaver-dialog)\[\d+\]: gkr-pam: no password is available for user/) or
( $ThisLine =~ /gkr-pam: the password for the login keyring was invalid/) or
+ ( $ThisLine =~ /gkr-pam: unlocked login keyring/) or
( $ThisLine =~ /groupadd\[\d+\]: group added to /) or # Details in other messages
( $ThisLine =~ /groupmod\[\d+\]: group changed in \/etc\/gshadow /) or # Details in other messages
( $ThisLine =~ /gdm-session-worker\[\d+\]: pam_namespace\(gdm:session\): Unmount of [^ ]* failed, Device or resource busy/) or
( $ThisLine =~ /pkexec: pam_systemd(.*): /) or
- ( $ThisLine =~ /pkexec: \S+: Executing command /) or
+ ( $ThisLine =~ /pkexec(?:\[\d+\])?: \S+: Executing command /) or
( $ThisLine =~ /su: pam_systemd(.*): Failed to parse message: /) or
- ( $ThisLine =~ /su\[\d+\]: pam_systemd\(.*\): Cannot create session: Already running in a session$/) or
- ( $ThisLine =~ /systemd-logind\[\d+\]: (New|Removed) session/)
+ ( $ThisLine =~ /pam_systemd\(su:session\): Cannot create session: Already (running in|occupied by) a session/) or
+ ( $ThisLine =~ /pam_systemd\(su.*:session\): Failed to release session:/) or
+ ( $ThisLine =~ /systemd-logind\[\d+\]: (New|Removed) session/) or
+ ( $ThisLine =~ /systemd-logind\[\d+\]: New seat seat\d+\./) or
+ ( $ThisLine =~ /systemd-logind\[\d+\]: Watching system buttons on /) or
+ ( $ThisLine =~ /systemd-logind\[\d+\]: Failed to start session scope (\S+): Transaction is destructive\./) or
+ ( $ThisLine =~ /systemd-logind\[\d+\]: Session \d+ logged out/) or
+ ( $ThisLine =~ /DIGEST-MD5 common mech free/) or
+ ( $ThisLine =~ /sshguard\[\d+\]: Reloading rotated file /) or
+ ( $ThisLine =~ /sshguard\[\d+\]: Session \d+ logged out/) or
+ ( $ThisLine =~ /sshguard\[\d+\]: Exiting on signal/) or
+ ( $ThisLine =~ /sshguard\[\d+\]: Monitoring attacks from /) or
+ ( $ThisLine =~ /sshguard\[\d+\]: (?:message repeated \d+ times: \[ )?\S+: not blocking /) or
+ ( $ThisLine =~ /sshguard\[\d+\]: Received EOF from stdin/) or
+ ( $ThisLine =~ /sshguard\[\d+\]: .*has already been blocked/) or
+ 0 # This line prevents blame shifting as lines are added above
) {
# Ignore these entries
} elsif ($ThisLine =~ /^spop3d/ || $ThisLine =~ /^pop\(\w+\)\[\d+\]:/) {
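Review bot: The `polkitd(\(authority=.*\)|\[\d+\])?:` prefix is now spelled out eight times in this block, each time with a capturing group that nothing reads; a precompiled pattern above the `while` loop, `my $polkitd_prefix = qr/polkitd(?:\(authority=.*\)|\[\d+\])?:/;`, used as `( $ThisLine =~ /$polkitd_prefix (?:Unr|R)egistered Authentication Agent/) or`, makes the eight lines read as one rule and keeps later additions consistent. The new `DIGEST-MD5 common mech free` entry is the only one here with neither a program prefix nor a leading anchor, so it matches that text anywhere in any service's line; a comment naming the program that emits it, or a prefix, would narrow it. The enclosing `if ((` starts above the hunk.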
@@ -388,7 +268,7 @@ while (defined($ThisLine = <STDIN>)) {
$RootLoginXVC++
} elsif ( $ThisLine =~ /^com.apple.SecurityServer: authinternal authenticated user root .*/) {
$RootLoginTTY++
- } elsif ( (undef,$User) = ($ThisLine =~ /^login: LOGIN ON (tty|pts\/)[0-9]+ BY ([^ ]+)/ )) {
+ } elsif ( (undef,undef,$User) = ($ThisLine =~ /^login(\[\d+\])*: LOGIN ON (tty|pts\/)[0-9]+ BY ([^ ]+)/ )) {
$UserLogin{$User}++;
} elsif ( ($User,undef) = ($ThisLine =~ /^com.apple.SecurityServer: authinternal authenticated user ([^ ]+) .*/ )) {
$UserLogin{$User}++;
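Review bot: `^login(\[\d+\])*:` on the new `elsif` line uses `*`, which also accepts `login[1][2]:`, and as a capturing group it forces the `(undef,undef,$User)` padding. `(?:\[\d+\])?` matches exactly the optional pid the other branches accept and lets the assignment return to two slots: `} elsif ( (undef,$User) = ($ThisLine =~ /^login(?:\[\d+\])?: LOGIN ON (tty|pts\/)[0-9]+ BY ([^ ]+)/ )) {`. The enclosing `elsif` chain starts above the hunk.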
@@ -396,7 +276,7 @@ while (defined($ThisLine = <STDIN>)) {
$DeletedUsers .= " $ThisLine\n";
} elsif ( $ThisLine =~ s/^(?:useradd|adduser)(?:\[\d+\])?: new user: name=(.+), (?:uid|UID)=(\d+).*$/$1 ($2)/ ) {
$NewUsers .= " $ThisLine\n";
- } elsif ( $ThisLine =~ s/^userdel(?:\[\d+\])?: remove(?:d)? group [`'](\S+)'( owned by \S+)?/$1/ ) {
+ } elsif ( $ThisLine =~ s/^userdel(?:\[\d+\])?: remove(?:d)? (?:shadow )?group [`'](\S+)'( owned by \S+)?/$1/ ) {
$DeletedGroups .= " $ThisLine\n";
} elsif ( $ThisLine =~ s/^groupdel(?:\[\d+\])?: remove group `(.+)'/$1/ ) {
$DeletedGroups .= " $ThisLine\n";
@@ -404,6 +284,8 @@ while (defined($ThisLine = <STDIN>)) {
$NewGroups .= " $ThisLine\n";
} elsif ( (undef,$User,,undef,$Group) = ($ThisLine =~ /(usermod|useradd)(?:\[\d+\])?: add [`']([^ ]+)' to (shadow ?|)group [`']([^ ]+)'/ )) {
$AddToGroup{$Group}{$User}++;
+ } elsif ( ($User,undef,$Group) = ($ThisLine =~ /gpasswd: user (.+) added by (.+) to group (.+)/)) {
+ $AddToGroup{$Group}{$User}++;
} elsif ( $ThisLine =~ s/^groupadd(?:\[\d+\])?: new group: name=(.+), (?:gid|GID)=(\d+).*$/$1 ($2)/ ) {
$NewGroups .= " $ThisLine\n";
} elsif ( $ThisLine =~ s/^gpasswd(?:\[\d+\])?: set members of // ) {
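Review bot: The new gpasswd branch `user (.+) added by (.+) to group (.+)` is unanchored and captures all three fields with greedy `.+`, unlike the `[^ ]+` captures of the `usermod|useradd` branch just above it, and it does not allow the `[pid]` suffix that the `^gpasswd(?:\[\d+\])?: set members of` branch below accepts, so a pid-bearing line falls through to Unmatched Entries. Bring it in line with its siblings: `} elsif ( ($User,undef,$Group) = ($ThisLine =~ /^gpasswd(?:\[\d+\])?: user (\S+) added by (\S+) to group (\S+)/)) {`. The enclosing `elsif` chain starts above the hunk.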
@@ -441,12 +323,16 @@ while (defined($ThisLine = <STDIN>)) {
$GroupChanged{"$ThisLine"}++;
} elsif ( $ThisLine =~ s/^groupmod\[\d+\]: group changed in \/etc\/group \(group (.+)\/\d+, new name: (.+)\).*/$1 -> $2/) {
$GroupChanged{"$ThisLine"}++;
- } elsif ( ($Pid,$User,$Home,$NewHome) = ($ThisLine =~ /^usermod(\[\d+\])?: change user [`'](.*)' home from [`'](.*)' to [`'](.*)'/)) {
- $HomeChange{$User}{"$Home -> $NewHome"}++;
- } elsif ( ($User,$From,$To) = ($ThisLine =~ /^usermod(\[\d+\])?:change user `(.*)' UID from `(.*)' to `(.*)'/)) {
+ } elsif ( ($Pid,$User,$From,$To) = ($ThisLine =~ /^usermod(\[\d+\])?: ?change user [`'](.*)' home from [`'](.*)' to [`'](.*)'/)) {
+ $HomeChange{$User}{"$From -> $To"}++;
+ } elsif ( ($Pid,$User,$From,$To) = ($ThisLine =~ /^usermod(\[\d+\])?: ?change user [`'](.*)' shell from [`'](.*)' to [`'](.*)'/)) {
+ $ShellChange{$User}{"$From -> $To"}++;
+ } elsif ( ($Pid,$User,$From,$To) = ($ThisLine =~ /^usermod(\[\d+\])?: ?change user [`'](.*)' UID from [`'](.*)' to [`'](.*)'/)) {
$UidChange{"$User: $From -> $To"}++;
- } elsif ( ($User,$From,$To) = ($ThisLine =~ /^usermod(\[\d+\])?: change user `(.*)' GID from `(.*)' to `(.*)'/)) {
+ } elsif ( ($Pid,$User,$From,$To) = ($ThisLine =~ /^usermod(\[\d+\])?: ?change user [`'](.*)' GID from [`'](.*)' to [`'](.*)'/)) {
$GidChange{"$User: $From -> $To"}++;
+ } elsif ( ($Pid,$User,$From,$To) = ($ThisLine =~ /^usermod(\[\d+\])?: ?change user [`'](.*)' expiration from [`'](.*)' to [`'](.*)'/)) {
+ $AccountExpiry{"$User: $From -> $To"}++;
# checkpassword-pam
} elsif ( ($PID) = ($ThisLine =~ /^checkpassword-pam\[(\d+)\]: Reading username and password/)) {
} elsif ( ($PID,$Username) = ($ThisLine =~ /^checkpassword-pam\[(\d+)\]: Username '([^']+)'/)) {
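Review bot: The new `usermod ... shell from` branch that feeds `%ShellChange` (third `elsif` in this hunk) sits earlier in the chain than the existing `usermod\[[0-9]*\]: change user `...' shell from` branch that feeds `%ChangedShell` (in the hunk at `@@ -473,19 +359,23 @@`), and its pattern is a superset of that one, so the older branch is now reachable only through the new `chsh` line; the same event is reported under "Changed shell" or "Changed users default login shell" depending on which tool logged it, and the two report blocks (`@@ -614,6 +509,16 @@` and `@@ -871,7 +788,11 @@`) duplicate each other. Keep one: either drop the new `%ShellChange` branch and its report, or point it at the existing hash with `$ChangedShell{"$User,$From,$To"}++;` so the existing report covers usermod and chsh alike. `$Pid` is captured on every new line but never read; `(?:\[\d+\])?` with `($User,$From,$To)` would say so. The enclosing `elsif` chain starts above the hunk.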
@@ -473,19 +359,23 @@ while (defined($ThisLine = <STDIN>)) {
} elsif ($ThisLine =~ /^pam_pwdfile\[\d+\]: password too short or NULL/) {
$pwd_file_too_short++;
} elsif ( ($User,$Su) = ($ThisLine =~ /^su: ([^ ]+) to ([^ ]+) on \/dev\/ttyp([0-9a-z]+)/) ) {
- #$Su_User{$User}{$Su}++; #disabled for debian: reported in pam_unix
+ $Su_User{$User}{$Su}++;
} elsif ( ($Su,$User) = ($ThisLine =~ /^su: \(to ([^ ]+)\) ([^ ]+) on (?:none|\/dev\/(pts\/|ttyp)([0-9]+))/) ) {
- #$Su_User{$User}{$Su}++; # -|-
+ $Su_User{$User}{$Su}++;
} elsif ( ($Su,$User) = ($ThisLine =~ /^su\[\d+\]: Successful su for (\S+) by (\S+)/) ) {
- #$Su_User{$User}{$Su}++; # -|-
+ $Su_User{$User}{$Su}++;
} elsif ($ThisLine =~ /^userhelper\[\d+\]: running '([^']+)' with ([^']+) privileges on behalf of '([^']+)'/) {
$Executed_app{"$1,$2,$3"}++;
- } elsif ( ($User) = $ThisLine =~ /change user `([^']+)' password/) {
+ } elsif ($ThisLine =~ /^polkitd\[\d+\]: Operator of unix-process:\d+:\d+ successfully authenticated as unix-user:([^ ]+) to gain ONE-SHOT authorization for action org\.freedesktop\..* for system-bus-name::[\d.]+ \[([^\]]*)\] \(owned by unix-user:(\w+)\)/) {
+ $Executed_app{"$2,$1,$3"}++;
+ } elsif ( ($User) = $ThisLine =~ /change user [`']([^']+)' password/) {
$PwdChange{"$User"}++;
} elsif ( ($User) = ($ThisLine =~ /^cvs: password mismatch for ([^']+): ([^']+) vs. ([^']+)/) ){
$cvs_passwd_mismatch{$User}++;
} elsif ( ($User,$From,$To) = ($ThisLine =~ /usermod\[[0-9]*\]: change user `([^ ]*)' shell from `([^ ]*)' to `([^ ]*)'/) ) {
$ChangedShell{"$User,$From,$To"}++;
+ } elsif ( ($User,$To) = ($ThisLine =~ /chsh\[[0-9]*\]: change user [`']([^ ]*)' shell to [`']([^ ]*)'/) ) {
+ $ChangedShell{"$User,,$To"}++;
} elsif ( ($Name1,$Name2) = ($ThisLine =~ /usermod\[[0-9]*\]: change user name `([^ ]*)' to `([^ ]*)'/)) {
$ChangedUserName{"$Name1,$Name2"}++;
} elsif (($Name,$GID) = ($ThisLine =~ /change GID for `([^ ]*)' to ([0-9]*)/)) {
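Review bot: The new polkitd ONE-SHOT branch stores the bracketed command line (`$2`) as the first field of the comma-joined `%Executed_app` key, and that key is later taken apart with `split ","` in the report hunk `@@ -846,8 +758,13 @@`; a command line containing a comma will misassign `$asuser`/`$user` there and the rebuilt-key lookup then misses. Since `%Executed_app` is only ever iterated, a nested hash keyed on the three fields (`$Executed_app{$2}{$1}{$3}++`, with the report walking the three levels) avoids delimiter parsing altogether; otherwise choose a separator that cannot occur in a command line. This is also the only branch whose first field can contain spaces, which is what the new `index($longapp, " ")` truncation in the report compensates for; a comment next to this branch saying so saves the next reader the round trip. The enclosing `elsif` chain starts above the hunk.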
@@ -530,7 +420,7 @@ while (defined($ThisLine = <STDIN>)) {
$e='';
}
$KerbList{$response}{$type}{$from}{$service}{$client}{$e}++;
- } elsif ($ThisLine =~ /Rootkit Hunter:/ ) {
+ } elsif ($ThisLine =~ /(Rootkit Hunter|rkhunter)(\[\d+\])?:/ ) {
if ($ThisLine =~ /Please inspect this machine/) {
$RootkitHunter{'inspect'}++;
} elsif ($ThisLine =~ /check started/) {
@@ -538,6 +428,11 @@ while (defined($ThisLine = <STDIN>)) {
} elsif (my ($mins, $secs) = ($ThisLine =~ /Scanning took ([0-9]*) minutes? and ([0-9]*) seconds?/)) {
$RootkitHunter{'time'}+= $mins*60 + $secs;
}
+ } elsif ($ThisLine =~ /systemd-logind(?:\[\d+\])?: New session \d+ of user (\w+)\./){
+ $UserLogin{$1}++;
+ } elsif ($ThisLine =~ /sshguard\[\d+\]: Blocking (.*) for (.*)/) {
+ my ($attacker, $details) = ($1, $2);
+ $sshguardAttackers{$attacker} = $details;
} else {
# Unmatched entries...
$ThisLine =~ s/\[\d+\]:/:/;
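Review bot: `New session \d+ of user (\w+)\.` counts logins only for user names made of word characters; an account name containing `-` or `.` fails the match and the line drops through to Unmatched Entries instead of `%UserLogin`, unlike the sibling branches that capture users with `[^ ]+`/`\S+`. `(\S+)\.` keeps the terminating dot out of the name and accepts what the rest of the script accepts: `} elsif ($ThisLine =~ /systemd-logind(?:\[\d+\])?: New session \d+ of user (\S+)\./){`. The new sshguard branch keeps only the last `$details` per address, so repeated blocks of the same attacker overwrite each other and no count reaches the report; `$sshguardAttackers{$attacker}{$details}++` with a matching inner loop in the "SSHGuard blocked" block would preserve it. The enclosing `elsif` chain starts above the hunk.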
@@ -614,6 +509,16 @@ if (keys %HomeChange) {
}
}
+if (keys %ShellChange) {
+ print "\nChanged shell:\n";
+ foreach $User (sort {$a cmp $b} keys %ShellChange) {
+ # No sorting here - show it by time...
+ foreach $Shell (keys %{$ShellChange{$User}}) {
+ print " $User: $Shell\n";
+ }
+ }
+}
+
if (keys %UidChange) {
print "\nChanged users UID:\n";
foreach $Entry (sort {$a cmp $b} keys %UidChange) {
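Review bot: The comment `# No sorting here - show it by time...` above the inner loop is not true of `keys %{$ShellChange{$User}}`: Perl hash iteration order is unspecified, so the entries print in arbitrary order, and the count that the loop branch accumulates per `"$From -> $To"` is never shown. Sort the keys and print the count: `foreach $Shell (sort {$a cmp $b} keys %{$ShellChange{$User}}) {` and `print " $User: $Shell: $ShellChange{$User}{$Shell} Time(s)\n";`, and drop the comment, which presumably came along from the `%HomeChange` block above the hunk.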
@@ -757,7 +662,7 @@ if (keys %UserLogin) {
if (keys %Su_User) {
print "\nUsers performing Su Changes:\n";
- foreach $User ( keys %Su_User) {
+ foreach $User (sort {$a cmp $b} keys %Su_User) {
print " $User:\n";
foreach $Su ( keys %{$Su_User{$User}}) {
my $val = $Su_User{$User}{$Su};
@@ -770,6 +675,13 @@ if ($ConsoleLock > 0) {
print "\nConsole file lock already in place: $ConsoleLock Time(s).\n";
}
+if (keys %AccountExpiry) {
+ print "\nChanged account expiry for users:\n";
+ foreach $User (sort {$a cmp $b} keys %AccountExpiry) {
+ print " $User : $AccountExpiry{$User} Time(s)\n";
+ }
+}
+
if (keys %PasswordExpiry) {
print "\nChanged password expiry for users:\n";
foreach $User (sort {$a cmp $b} keys %PasswordExpiry) {
@@ -846,8 +758,13 @@ if (keys %Executed_app) {
print "\nUserhelper executed applications:\n";
foreach (keys %Executed_app) {
($longapp,$asuser,$user) = split ",";
+ $longapp_orig = $longapp;
+ $i = index($longapp, " ");
+ if ($i > 0) {
+ $longapp = substr($longapp, 0, $i);
+ }
$app = substr($longapp,rindex($longapp,"/")+1);
- print " $user -> $app as $asuser: ".$Executed_app{"$longapp,$asuser,$user"}." Time(s)\n";
+ print " $user -> $app as $asuser: ".$Executed_app{"$longapp_orig,$asuser,$user"}." Time(s)\n";
}
}
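Review bot: The new `$longapp_orig` copy exists only to rebuild the hash key that the loop already holds in `$_`; `my $count = $Executed_app{$_};` taken before the `split` removes the round trip and the extra variable, and the print ends with `... as $asuser: $count Time(s)\n`. The truncation guarded by `if ($i > 0)` cuts the displayed name at the first space, which is right for a path but unexplained here: `# keep only the program path when the stored field is a full command line`. The enclosing `if (keys %Executed_app)` starts above the hunk.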
@@ -871,7 +788,11 @@ if (keys %ChangedShell) {
print "\nChanged users default login shell: \n";
foreach (keys %ChangedShell) {
($User,$From,$To) = split ",";
- print " User " . $User . " change shell from " . $From . " to " . $To . ": " . $ChangedShell{"$User,$From,$To"} . " Time(s)\n";
+ if ($From ne '') {
+ print " User " . $User . " change shell from " . $From . " to " . $To . ": " . $ChangedShell{"$User,$From,$To"} . " Time(s)\n";
+ } else {
+ print " User " . $User . " change shell to " . $To . ": " . $ChangedShell{"$User,$From,$To"} . " Time(s)\n";
+ }
}
}
@@ -934,12 +855,21 @@ if (keys %KerbList) {
if (keys %RootkitHunter) {
use integer;
my ($mins, $secs) = ($RootkitHunter{'time'} / 60, $RootkitHunter{'time'} % 60);
+ $RootkitHunter{'inspect'} = 0 unless $RootkitHunter{'inspect'};
print "\nRootkitHunter:\n";
print " Runs: $RootkitHunter{'runs'}\n";
print " Suggested Inspection: $RootkitHunter{'inspect'} Time(s)\n";
print " Total Runtime: $mins minute(s) $secs second(s)\n";
}
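Review bot: `$RootkitHunter{'inspect'}` is defaulted to 0 on the new line but `$RootkitHunter{'runs'}` printed two lines later is not, so a log window that contains a `Scanning took` line without the line that presumably increments `runs` (a rotation mid-run) prints `Runs: ` empty. Apply the same default: `$RootkitHunter{'runs'} = 0 unless $RootkitHunter{'runs'};`. The enclosing `if (keys %RootkitHunter)` starts above the hunk.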
+if (keys %sshguardAttackers) {
+ print "\nSSHGuard blocked:\n";
+ foreach $attacker (sort {$a cmp $b} keys %sshguardAttackers) {
+ my $details = $sshguardAttackers{$attacker};
+ print " $attacker: $details\n";
+ }
+}
+
if (keys %OtherList) {
print "\n**Unmatched Entries**\n";
foreach $line (sort {$a cmp $b} keys %OtherList) {