diff options
author | root <root@ErichALIX> | 2019-01-30 09:22:24 +0100 |
---|---|---|
committer | root <root@ErichALIX> | 2019-01-30 09:22:24 +0100 |
commit | 92420ca2002ddafb6298a9201c1c99e0ef0ab752 (patch) | |
tree | d7a87685217dfa706be678ba36a05b52d73bedd5 /secure | |
download | logwatch-overrides-92420ca2002ddafb6298a9201c1c99e0ef0ab752.tar.xz |
stuff from debian
Diffstat (limited to 'secure')
-rwxr-xr-x | secure | 964 |
1 files changed, 964 insertions, 0 deletions
@@ -0,0 +1,964 @@ +#!/usr/bin/perl +######################################################################### +# $Id$ +########################################################################## +# $Log: secure,v $ +# Revision 1.86 2009/11/14 16:26:41 kirk +# *** empty log message *** +# +# Revision 1.85 2009/06/02 14:59:58 mike +# Fedora patch from Ivan Varekova -mgt +# +# Revision 1.84 2008/03/24 23:31:26 kirk +# added copyright/license notice to each script +# +# Revision 1.83 2007/11/28 18:51:00 mike +# Irix su format added [I know but I could not help myself] -mgt +# +# Revision 1.82 2007/11/25 20:11:04 bjorn +# Additional filtering, by Ivana Varekova. +# +# Revision 1.81 2007/07/08 18:40:45 mrc +# Fixed spelling typo [Thanks: Justin Pryzby/Willi Mann] +# +# Revision 1.80 2007/06/18 04:07:44 bjorn +# Added some support for VmWare messages, by Hugo van der Kooij. +# +# Revision 1.79 2007/04/28 23:56:32 bjorn +# Filtering closing connection statement, by Ivana Varekova. +# +# Revision 1.78 2007/04/15 19:19:24 bjorn +# Added filtering for pam_rhosts_auth for rsh, by James Tanis. +# +# Revision 1.77 2007/01/29 18:29:14 bjorn +# Handling of "BAD SU", and removing process number, by Markus Lude. +# +# Revision 1.76 2006/12/15 05:45:15 bjorn +# Additional filtering for debian-specific lines that are already reported +# in pam service. Note that debian uses different wording or case than other +# distributions, so it should only be ignored for debian. Changes submitted +# by Willi Mann. +# +# Revision 1.75 2006/12/15 04:40:24 bjorn +# Fixed older patch, and added new string reported by Orion Poplawski. +# +# Revision 1.74 2006/09/15 15:40:58 bjorn +# Additional filtering by Ivana Varekova. +# +# Revision 1.73 2006/07/28 23:38:53 bjorn +# Corrected order "su" statement. +# +# Revision 1.72 2006/07/28 17:41:15 bjorn +# Accounts for log turnover and tty numbering in BSD, and count all 'su', +# by Markus Lude. +# +# Revision 1.71 2006/07/11 15:41:58 bjorn +# Modified filtering for pam_timestamp, by Ivana Varekova. +# +# Revision 1.70 2006/05/18 20:08:00 bjorn +# Additional processing for Mac OS X, by Laurent Dufour. +# +# Revision 1.69 2006/03/20 20:42:57 bjorn +# Additional filtering, by Ivana Varekova. +# +# Revision 1.68 2006/03/13 20:10:31 bjorn +# Additional detection/reporting for user/group add/remove, by Willi Mann. +# +# Revision 1.67 2006/01/31 20:33:30 bjorn +# Correction to previous patch. +# +# Revision 1.66 2006/01/31 20:18:01 bjorn +# Additional filtering, some Debian-specific, by Willi Mann. +# +# Revision 1.65 2006/01/20 22:31:04 bjorn +# Handle new pam_unix format, by Ivana Varekova. +# +# Revision 1.64 2005/12/06 02:37:34 bjorn +# Report cvs password mismatches, by Ivana Varekova. +# +# Revision 1.63 2005/12/01 04:26:20 bjorn +# Fixed uid, gid references in NewUser and NewGroups, and removed newlines. +# +# Revision 1.62 2005/12/01 00:34:43 bjorn +# Changed arrays to strings to keep formatting consistent when printing output. +# +# Revision 1.61 2005/10/26 05:50:21 bjorn +# Allow case insensitivity for uid, gid, by Ivana Varekova +# +# Revision 1.60 2005/09/29 15:02:00 bjorn +# Added password change, userhelper apps, filtering pam_timestamp, all by +# Ivana Varekova. +# +# Revision 1.59 2005/09/28 18:25:55 mike +# Patch from David Baldwin for service_limit and connections per sec -mgt +# +# Revision 1.58 2005/09/28 17:25:48 mike +# pam_abl patch from Gilles Detillieux -mgt +# +# Revision 1.57 2005/09/26 17:23:36 mike +# Patch from David Baldwin, catch non PID loglines -mgt +# +# Revision 1.56 2005/09/13 18:42:58 mike +# Patch from David Baldwin, more su cases and inetd rsh. -mgt +# +# Revision 1.55 2005/08/27 00:40:41 mike +# Solaris 9 patch for su from Markus Lude -mgt +# +# Revision 1.54 2005/08/23 23:15:40 mike +# Added su for openbsd from Shaun O'Meara also the Solaris su patch from mgt -mgt +# +# Revision 1.53 2005/05/10 23:50:01 bjorn +# Changed instance of variable $Name to $Namev to avoid conflict with cvs +# +# Revision 1.52 2005/04/22 13:55:55 bjorn +# Re-ordered some statements, by Paweł Gołaszewski +# +# Revision 1.51 2005/04/21 17:51:00 bjorn +# Handle <no address> instead of IP address +# +# Revision 1.50 2005/04/17 23:33:57 bjorn +# Added password failure checking and pam filtering from Paweł Gołaszewski and +# Paul Wolstenholme +# +# Revision 1.49 2005/02/24 17:08:05 kirk +# Applying consolidated patches from Mike Tremaine +# +# Revision 1.15 2005/02/21 19:09:52 mgt +# Bump to 5.2.8 removed some cvs logs -mgt +# +# Revision 1.14 2005/02/16 00:43:28 mgt +# Added #vi tag to everything, updated ignore.conf with comments, added emerge and netopia to the tree from Laurent -mgt +# +# Revision 1.13 2005/02/13 21:26:13 mgt +# patches from Michael Weiser -mgt +# +# Revision 1.12 2005/02/13 20:28:42 mgt +# More init corrections -mgt +# +# Revision 1.11 2005/02/13 02:27:02 mgt +# fixed uninitalized value -mgt +# +# Revision 1.10 2004/10/15 19:24:07 mgt +# added per service flooring -mgt +# +# Revision 1.9 2004/10/06 21:40:44 mgt +# Patches from Kenneth -mgt +# +# Revision 1.8 2004/07/29 19:33:29 mgt +# Chmod and removed perl call -mgt +# +# Revision 1.7 2004/07/10 01:54:35 mgt +# sync with kirk -mgt +# +########################################################################## + +####################################################### +## Copyright (c) 2008 Kirk Bauer +## Covered under the included MIT/X-Consortium License: +## http://www.opensource.org/licenses/mit-license.php +## All modifications and contributions by other persons to +## this script are assumed to have been donated to the +## Logwatch project and thus assume the above copyright +## and licensing terms. If you want to make contributions +## under your own copyright or a different license this +## must be explicitly stated in the contribution an the +## Logwatch project reserves the right to not accept such +## contributions. If you have made significant +## contributions to this script and want to claim +## copyright please contact logwatch-devel@lists.sourceforge.net. +######################################################### + +$Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; +#$DoLookup = $ENV{'secure_ip_lookup'}; +$Ignore = $ENV{'ignore_services'} || 0; +$Summarize = $ENV{'summarize_connections'} || 0; +$ConsoleLock = 0; +$spop3d_opened=0; +$spop3d_errors=0; +$pwd_file_unknown = 0; +$pwd_file_too_short = 0; +$Executed_app = 0; +$PwdChange = 0; +$RequestKeyFailures = 0; +%OtherList = (); +%RootkitHunter = (); +use Logwatch ':ip'; + +while (defined($ThisLine = <STDIN>)) { + chomp($ThisLine); + $ThisLine =~ s/^... .. ..:..:.. [^ ]+ //; + #Solaris ID filter -mgt + $ThisLine =~ s/\[ID [0-9]+ [a-z]+\.[a-z]+\] //; + my $temp = $ThisLine; + $temp =~ s/^([^[:]+).*/$1/; + if ($Ignore =~ /\b\Q$temp\E\b/i) { next; } + + #current sarge + if ($ThisLine =~ /^[^ :]*:( [0-9:\[\]\.]+|) \(pam_(unix|securetty)\)/i ) {next; } + + #Woody - specific, thanks to Michael Stovenour + if ($ThisLine =~ /^PAM_unix[\[\]0-9]*:/i ) { next; } + + if (( $ThisLine =~ /pam_succeed_if(\([a-zA-Z]*:[a-zA-Z]*\))?: requirement \"uid (<|>)=? 1000?\" (was|not) met by user /) or + ( $ThisLine =~ /pam_rhosts_auth\[\d+\]: allowed to [^ ]+ as \w+/) or + ( $ThisLine =~ /pam_rhosts_auth\([^\)]+\): allowed to [^ ]+ as \w+/) or + ( $ThisLine =~ /^(.*)\(pam_unix\)/) or + ( $ThisLine =~ /pam_unix\(.*:.*\)/) or + ( $ThisLine =~ /pam_sss\(.*:.*\)/) or + ( $ThisLine =~ m/^[^ ]+\[\d+\]: connect from localhost$/ ) or + ( $ThisLine =~ /^\/usr\/bin\/sudo:/) or + ( $ThisLine =~ /^halt:/) or + ( $ThisLine =~ /^com.apple.SecurityServer: Succeeded authorizing right system.(preferences|login.console|login.tty|login.done|privilege.admin) by process/) or + ( $ThisLine =~ /^pam_xauth\[\d+\]: call_xauth: child returned \d/) or + ( $ThisLine =~ /^su\[\d+\]: pam_authenticate: Authentication failure/) or + ( $ThisLine =~ /^passwd\[\d+\]:/) or + ( $ThisLine =~ /^passwd: gkr-pam: .*/) or + ( $ThisLine =~ /^reboot:/) or + ( $ThisLine =~ /^sudo:/) or + ( $ThisLine =~ /^su: pam_unix2: session (started|finished) for user [^ ]+, service [^ ]+/) or + ( $ThisLine =~ /^xinetd\[\d+\]: USERID: ([^ ]+) (.+)$/ ) or + ( $ThisLine =~ /warning: can.t get client address: Connection refused/) or + ( $ThisLine =~ /Showing Login Window/) or + ( $ThisLine =~ /User Authenticated: continue login process/) or + ( $ThisLine =~ /com.apple.SecurityServer: Entering service/) or + ( $ThisLine =~ /^(xinetd|xinetd-ipv6)\[\d+\]: EXIT: /) or + ( $ThisLine =~ /^crond\(\w+\)\[\d+\]: session /) or + ( $ThisLine =~ /pam_systemd\(.+:session\): Moving/) or + ( $ThisLine =~ /^sshd\(\w+\)\[\d+\]: authentication failure/) or + ( $ThisLine =~ /^sshd\(\w+\)\[\d+\]: check pass; user unknown/) or + ( $ThisLine =~ /^sshd\(\w+\)\[\d+\]: session /) or + ( $ThisLine =~ /sshd\[\d+\]: Server listening on/) or + ( $ThisLine =~ /sshd\[\d+\]: Received signal \d+; terminating/) or + ( $ThisLine =~ /^ipop3d\[\d+\]:/) or + ( $ThisLine =~ /^su\[\d+\]: [+-] .+/) or + ( $ThisLine =~ /^su\[\d+\]: FAILED su for \S+ by \S+/) or #debian: done in pam_unix + ( $ThisLine =~ /^login\[\d+\]: ROOT LOGIN on '\S+'/) or #debian: done in pam_unix (Similar message on other system is reported) + ( $ThisLine =~ /^login(?:\[\d+\])?: FAILED LOGIN \(\d+\) on ['`]\S+' FOR `\S+', (Authentication failure|User not known to the underlying authentication module)/) or #debian: done in pam_unix + ( $ThisLine =~ /^login: FAILED LOGIN 2 FROM (.*) FOR .*, (Authentication failure|User not known to the underlying authentication module)/) or + ( $ThisLine =~ /^login: pam_securetty(.*): unexpected response from failed conversation function/) or + ( $ThisLine =~ /^login: pam_securetty(.*): access denied: tty '.*' is not secure/) or + ( $ThisLine =~ /^login: pam_securetty(.*): cannot determine username/) or + ( $ThisLine =~ /^pam_limits\[\d+\]/ ) or + ( $ThisLine =~ /^kcheckpass(\[\d+\]|):/ ) or # done in pam_unix + ( $ThisLine =~ /^cyrus\/lmtpd\[\d+\]: [^ ]+ server step [12]/ ) or + ( $ThisLine =~ /^cyrus\/imapd\[\d+\]: [^ ]+ server step [12]/ ) or + ( $ThisLine =~ /pam_timestamp: updated timestamp file/) or + ( $ThisLine =~ /pam_timestamp\(?[^ ]*\)?: timestamp file `([^ ]+)' is only \d+ seconds old, allowing access to ([^ ]+) for user ([^ ]+)/) or + ( $ThisLine =~ /pam_timestamp\(?[^ ]*\)?: timestamp file `([^ ]+)' (has unacceptable age \(\d+ seconds\)|is older than oldest login), disallowing access to ([^ ]+) for user ([^ ]+)/) or + ( $ThisLine =~ /userhelper\[\d+\]: running '([^ ]+)' with [^ ]+ context/) or + ( $ThisLine =~ /pam_timestamp\(.*:session\): updated timestamp file `\/var\/run\/sudo.*'/) or + ( $ThisLine =~ /[^ ]*: pam_keyinit(.*:.*): Unable to change GID to [0-9]* temporarily/) or + ( $ThisLine =~ /password check failed for user \(\S*\)/) or + ( $ThisLine =~ /PAM pam_set_item: attempt to set conv\(\) to NULL/) or + ( $ThisLine =~ /PAM pam_get_item: nowhere to place requested item/) or + ( $ThisLine =~ /pam_succeed_if\(.*:.*\): error retrieving information about user [a-zA-Z]*/ ) or + ( $ThisLine =~ /pam_selinux_permit\(.*:.*\):/ ) or + ( $ThisLine =~ /logfile turned over/) or # newsyslog on OpenBSD + ( $ThisLine =~ /vmware-authd\[[0-9]+\]: PAM \[error: [^ ]+ cannot open shared object file: No such file or directory\]/) or + ( $ThisLine =~ /vmware-authd\[[0-9]+\]: PAM adding faulty module: [^ ]+/) or + ( $ThisLine =~ /Connection closed by/) or + ( $ThisLine =~ /Conversation error/) or + ( $ThisLine =~ /sshd.*: Accepted \S+ for \S+ from [\d\.:a-f]+ port \d+/) or # ssh script reads this log + ( $ThisLine =~ /userhelper.*: running (.*) with context (.*)/) or + ( $ThisLine =~ /userhelper.*: pam_thinkfinger(.*): conversation failed/) or + ( $ThisLine =~ /su: PAM [0-9] more authentication failure; .*/) or + ( $ThisLine =~ /polkit-grant-helper\[\d+\]: granted authorization for [^ ]* to uid [0-9]* \[auth=.*\]/) or + ( $ThisLine =~ /polkit-grant-helper\[\d+\]: granted authorization for [^ ]* to session .* \[uid=[0-9]*\]/) or + ( $ThisLine =~ /polkit-grant-helper-pam\[\d+\]: pam_thinkfinger\(polkit:auth\): conversation failed/) or + ( $ThisLine =~ /polkitd\(authority=.*\): (Unr|R)egistered Authentication Agent/) or + ( $ThisLine =~ /polkitd\(authority=.*\): Operator of unix-session:/) or + ( $ThisLine =~ /(gdm-session-worker|gdm-password|gnome-screensaver-dialog)\[\d+\]: gkr-pam: no password is available for user/) or + ( $ThisLine =~ /gkr-pam: the password for the login keyring was invalid/) or + ( $ThisLine =~ /groupadd\[\d+\]: group added to /) or # Details in other messages + ( $ThisLine =~ /groupmod\[\d+\]: group changed in \/etc\/gshadow /) or # Details in other messages + ( $ThisLine =~ /gdm-session-worker\[\d+\]: pam_namespace\(gdm:session\): Unmount of [^ ]* failed, Device or resource busy/) or + ( $ThisLine =~ /pkexec: pam_systemd(.*): /) or + ( $ThisLine =~ /pkexec: \S+: Executing command /) or + ( $ThisLine =~ /su: pam_systemd(.*): Failed to parse message: /) or + ( $ThisLine =~ /su: pam_systemd\(.*\): Cannot create session: Already running in a session$/) or + ( $ThisLine =~ /systemd-logind\[\d+\]: (New|Removed) session/) + ) { + # Ignore these entries + } elsif ($ThisLine =~ /^spop3d/ || $ThisLine =~ /^pop\(\w+\)\[\d+\]:/) { + @line=split(": ",$ThisLine); + if ($line[1]=~/^session opened for user/) { + $spop3d_opened++; + @bzz=split(" ",$line[1]); + $PopUser= $bzz[4]; + $PopLogin{$PopUser}++; + } if ($line[1]=~/^authentication failure;/) { + # authentication failure; logname= uid=0 euid=0 tty= + # ruser= rhost= user=xavier + $spop3d_errors++; + @bzz=split(" user=",$line[1]); + $PopErr=$bzz[1]; + $PopErrors{$PopErr}++; + } + } elsif ( ($Host,$User) = ($ThisLine =~ /^login: FAILED LOGIN \d+ FROM ([^ ]+) FOR ([^,]+),/ ) ) { + $FailedLogins->{$User}->{$Host}++; + } elsif ( ($Service,$IP) = ($ThisLine =~ /^([^ ]+)\[\d+\]: connect(ion)? from "?(\d+\.\d+\.\d+\.\d+).*/) ) { + $Name = LookupIP($IP); + if ($Summarize =~ /\Q$Service\E/) { + $Connections->{$Service}++; + } else { + $Connections->{$Service}->{$Name}++; + } + } elsif ( ($Service,$Name) = ($ThisLine =~ /^(in\.rshd)\[\d+\]: (.*)/) ) { + if ($Summarize =~ /\Q$Service\E/) { + $Connections->{$Service}++; + } else { + $Connections->{$Service}->{$Name}++; + } + } elsif ( ($Service,$Su_msg) = ($ThisLine =~ /^(su)(?:\[\d+\])?:\s+('su \w+' succeeded for \w+) on/) ) { + #Solaris su messages -mgt + $Connections->{$Service}->{$Su_msg}++; + } elsif ( ($Service,$Su_msg) = ($ThisLine =~ /^(su)(?:\[\d+\])?:\s+succeeded: (\w+ changing from \w+ to \w+)/) ) { + #Irix su messages -mgt + $Connections->{$Service}->{$Su_msg}++; + } elsif ( ($Service,$IP) = ($ThisLine =~ /^([^ ]+)\[\d+\]: refused connect from (\d+\.\d+\.\d+\.\d+)$/) ) { + $Name = LookupIP($IP); + $Refused->{$Service}->{$Name}++; + } elsif ( ($Service,$Name) = ($ThisLine =~ /^([^ ]+)\[\d+\]: refused connect from (.*)$/) ) { + $Refused->{$Service}->{$Name}++; + } elsif ( ($Service,$Name) = ($ThisLine =~ /^([^ ]+)\[\d+\]: connect from ([^\n]+)$/) ) { + if ($Summarize =~ /\Q$Service\E/) { + $Connections->{$Service}++; + } else { + $Connections->{$Service}->{$Name}++; + } + } elsif ( (undef, $Service, $IP) = ($ThisLine =~ /^(xinetd|xinetd-ipv6)\[\d+\]: START: ([^ ]+) pid=\d+ from=([^\n]+)$/) ) { + if ($Ignore =~ /\b\Q$Service\E\b/i) { next; } + if ($Summarize =~ /\Q$Service\E/) { + $Connections->{$Service}++; + } else { + # the following is intended for the <no address> string, but captures + # all non-IP addresses + if ($IP =~ /^[A-Fa-f\d\.:]+$/ ) { + $Name = LookupIP($IP); + } else { + $Name = $IP; + } + $Connections->{$Service}->{$Name}++; + } + #Solaris inetd this works if you start "inetd -s -t" then send daemon.notice to authlog -mgt + } elsif ( ($Service, $IP) = ($ThisLine =~ /^inetd\[\d+\]: (\w+)\[\d+\] from ([^ \n]+) \d+$/) ) { + if ($Ignore =~ /\b\Q$Service\E\b/i) { next; } + if ($Summarize =~ /\Q$Service\E/) { + $Connections->{$Service}++; + } else { + $Name = LookupIP($IP); + $Connections->{$Service}->{$Name}++; + } + } elsif ( ($Service,undef,$Name) = ($ThisLine =~ /^([^ ]+)\[\d+\]: warning: ([^ ]+), line \d+: can't verify hostname: getaddrinfo\(([^ ]+), AF_INET\) failed$/) ) { + $NameVerifyFail{$Service}{$Name}++; + } elsif ( ($Service,undef,$Name,$IP) = ($ThisLine =~ /^([^ ]+)\[\d+\]: warning: ([^ ]+), line \d+: host name\/name mismatch: ([^ ]+) != ([^ ]+)$/) ) { + $NameVerifyFail{$Service}{"$Name != $IP"}++; + } elsif ( ($Display, $User) = ($ThisLine =~ /^xscreensaver\[\d+\]: FAILED LOGIN \d ON DISPLAY \"([^ ]+)\", FOR \"([^ ]+)\"$/) ) { + $FailedSaver->{$User}->{$Display}++; + } elsif ( $ThisLine =~ s/^([^ ]+)\[\d+\]: warning: can\'t get client address: No route to host$/$1/ ) { + $NoIP->{$ThisLine}++; + } elsif ( $ThisLine =~ s/^([^ ]+)\[\d+\]: warning: can\'t get client address: Network is unreachable$/$1/ ) { + $NoIP->{$ThisLine}++; + } elsif ( $ThisLine =~ s/^([^ ]+)\[\d+\]: warning: can\'t get client address: Connection reset by peer$/$1/ ) { + $NoIP->{$ThisLine}++; + } elsif ( $ThisLine =~ s/^([^ ]+)\[\d+\]: warning: can\'t get client address: Connection timed out$/$1/ ) { + $NoIP->{$ThisLine}++; + } elsif ( $ThisLine =~ s/^([^ ]+)\[\d+\]: connect from unknown$/$1/ ) { + $NoIP->{$ThisLine}++; + } elsif ( ($Service,$Err) = ($ThisLine =~ /^([^ ]+)\[\d+\]: error: (.+)$/) ) { + $Error{$Service}{$Err}++; + } elsif ( ($Service,$Err) = ($ThisLine =~ /^([^ ]+): (FAILED LOGIN SESSION FROM [^ ]+ FOR ([^ ]+)?, .*)$/ ) ) { + $Error{$Service}{$Err}++; + } elsif ( ($Service,$Err) = ($ThisLine =~ /^([^ ]+): (password mismatch for [^ ]+ in [^ ]+):.*$/ ) ) { + $Error{$Service}{$Err}++; + } elsif ( ($Service,$Err) = ($ThisLine =~ /^([^ ]+)\[\d+\]: (changed POP3 password for .*)$/ ) ) { + $Error{$Service}{$Err}++; + } elsif ( ($Service,$Err) = ($ThisLine =~ /^(su)(?:\[\d+\])?: ('su \w+' failed for \w+)/ ) ) { + #Solaris 10 su failed -mgt + $Error{$Service}{$Err}++; + } elsif ( ($Service,$Err) = ($ThisLine =~ /^(su): (FAILED SU \(to \w+\) \w+ on [^ ]+)/ ) ) { + #SuSe su failed + $Error{$Service}{$Err}++; + } elsif ( ($Service,$Err) = ($ThisLine =~ /^(su): (BAD SU \w+ to \w+ on [^ ]+)/ ) ) { + #OpenBSD su failed + $Error{$Service}{$Err}++; + } elsif ( $ThisLine =~ /^login(\[\d+\])*: ROOT LOGIN\s+(ON|on)\s+`?tty[0-9]+/) { + $RootLoginTTY++ + } elsif ( $ThisLine =~ /^login(\[\d+\])*: ROOT LOGIN\s+(ON|on)\s+`?xvc[0-9]+/) { + $RootLoginXVC++ + } elsif ( $ThisLine =~ /^com.apple.SecurityServer: authinternal authenticated user root .*/) { + $RootLoginTTY++ + } elsif ( (undef,$User) = ($ThisLine =~ /^login: LOGIN ON (tty|pts\/)[0-9]+ BY ([^ ]+)/ )) { + $UserLogin{$User}++; + } elsif ( ($User,undef) = ($ThisLine =~ /^com.apple.SecurityServer: authinternal authenticated user ([^ ]+) .*/ )) { + $UserLogin{$User}++; + } elsif ( $ThisLine =~ s/^userdel(?:\[\d+\])?: delete user [`'](.+)'/$1/ ) { + $DeletedUsers .= " $ThisLine\n"; + } elsif ( $ThisLine =~ s/^(?:useradd|adduser)(?:\[\d+\])?: new user: name=(.+), (?:uid|UID)=(\d+).*$/$1 ($2)/ ) { + $NewUsers .= " $ThisLine\n"; + } elsif ( $ThisLine =~ s/^userdel(?:\[\d+\])?: remove(?:d)? group [`'](\S+)'( owned by \S+)?/$1/ ) { + $DeletedGroups .= " $ThisLine\n"; + } elsif ( $ThisLine =~ s/^groupdel(?:\[\d+\])?: remove group `(.+)'/$1/ ) { + $DeletedGroups .= " $ThisLine\n"; + } elsif ( $ThisLine =~ s/^(?:useradd|adduser)(?:\[\d+\])?: new group: name=(.+), (?:gid|GID)=(\d+).*$/$1 ($2)/ ) { + $NewGroups .= " $ThisLine\n"; + } elsif ( (undef,$User,,undef,$Group) = ($ThisLine =~ /(usermod|useradd)(?:\[\d+\])?: add [`']([^ ]+)' to (shadow ?|)group [`']([^ ]+)'/ )) { + $AddToGroup{$Group}{$User}++; + } elsif ( $ThisLine =~ s/^groupadd(?:\[\d+\])?: new group: name=(.+), (?:gid|GID)=(\d+).*$/$1 ($2)/ ) { + $NewGroups .= " $ThisLine\n"; + } elsif ( $ThisLine =~ s/^gpasswd(?:\[\d+\])?: set members of // ) { + $SetGroupMembers .= " $ThisLine\n"; + } elsif ( $ThisLine =~ /^(?:userdel|usermod)(?:\[\d+\])?: delete [`'](.*)' from (shadow |)group [`'](.*)'\s*$/ ) { + push @RemoveFromGroup, " user $1 from group $3\n"; + # This is an inetd lookup... $1 is the service (i.e. ftp), $2 is the response + # I don't think these are important to log at this time + } elsif ( $ThisLine =~ /^sudo: ([^\s]+) : (command not allowed)?.+ ; COMMAND=(.*)$/ ) { + # sudo unauthorized commands + push @SudoList, "$1: $3\n" unless ($2 eq ""); + } elsif ( $ThisLine =~ /^\/usr\/bin\/sudo: ([^\s]+) : (command not allowed)?.+ ; COMMAND=(.*)$/ ) { + # sudo unauthorized commands + push @SudoList, "$1: $3\n" unless ($2 eq ""); + } elsif ( ($service, $from) = ($ThisLine =~ /^xinetd\[\d+\]: FAIL: (.+) (?:address|libwrap|service_limit|connections per second) from=([\d.]+)/)) { + if ($Ignore =~ /\b\Q$service\E\b/i) { next; } + $Refused->{$service}->{$from}++; + } elsif ( ($from, $service, $user) = ($ThisLine =~ /^pam_abl\[\d+\]: Blocking access from (.+) to service (.+), user (.+)/)) { + if ($Detail >= 5) { + $Refused->{$service}->{$from."/".$user}++; + } else { + $Refused->{$service}->{$from}++; + } + } elsif ( ($User) = ($ThisLine =~ /^chage\[\d+\]: changed password expiry for ([^ ]+)/)) { + $PasswordExpiry{$User}++; + } elsif ( ($User) = ($ThisLine =~ /^chfn\[\d+\]: changed user `([^ ]+)' information/)) { + $UserInfChange{$User}++; + } elsif ( (undef) = ($ThisLine =~ /^pam_console\[\d+\]: console file lock already in place ([^ ]+)/ )) { + $ConsoleLock++; + } elsif ( ($Message) = ($ThisLine =~ /^pam_xauth\[\d+\]: call_xauth: (.+)/)) { + $XauthMessage{$Message}++; + } elsif ( ($Group,$NewName) = ($ThisLine =~ /^groupmod\[\d+\]: change group `(.*)' to `(.*)'/)) { + $GroupRenamed{"$Group -> $NewName"}++; + } elsif ( $ThisLine =~ s/^groupmod\[\d+\]: group changed in \/etc\/group \(group (.+)\/(\d+)\).*/$1 ($2)/) { + $GroupChanged{"$ThisLine"}++; + } elsif ( $ThisLine =~ s/^groupmod\[\d+\]: group changed in \/etc\/group \(group (.+)\/\d+, new name: (.+)\).*/$1 -> $2/) { + $GroupChanged{"$ThisLine"}++; + } elsif ( ($Pid,$User,$Home,$NewHome) = ($ThisLine =~ /^usermod(\[\d+\])?: change user [`'](.*)' home from [`'](.*)' to [`'](.*)'/)) { + $HomeChange{$User}{"$Home -> $NewHome"}++; + } elsif ( ($User,$From,$To) = ($ThisLine =~ /^usermod(\[\d+\])?:change user `(.*)' UID from `(.*)' to `(.*)'/)) { + $UidChange{"$User: $From -> $To"}++; + } elsif ( ($User,$From,$To) = ($ThisLine =~ /^usermod(\[\d+\])?: change user `(.*)' GID from `(.*)' to `(.*)'/)) { + $GidChange{"$User: $From -> $To"}++; + # checkpassword-pam + } elsif ( ($PID) = ($ThisLine =~ /^checkpassword-pam\[(\d+)\]: Reading username and password/)) { + } elsif ( ($PID,$Username) = ($ThisLine =~ /^checkpassword-pam\[(\d+)\]: Username '([^']+)'/)) { + $ChkPasswdPam{$PID}{'Username'} = $Username; + } elsif ( ($PID) = ($ThisLine =~ /^checkpassword-pam\[(\d+)\]: Password read successfully/)) { + } elsif ( ($PID,$Service) = ($ThisLine =~ /^checkpassword-pam\[(\d+)\]: Initializing PAM library using service name '([^']+)'/)) { + $ChkPasswdPam{$PID}{'Service'} = $Service; + } elsif ( ($PID) = ($ThisLine =~ /^checkpassword-pam\[(\d+)\]: Pam library initialization succeeded/)) { + } elsif ( ($PID) = ($ThisLine =~ /^checkpassword-pam\[(\d+)\]: conversation\(\): msg\[0\], style PAM_PROMPT_ECHO_OFF, msg = "Password: "/)) { + } elsif ( ($PID) = ($ThisLine =~ /^checkpassword-pam\[(\d+)\]: Authentication passed/)) { + $ChkPasswdPam{$PID}{'Success'} = 'true'; + } elsif ( ($PID) = ($ThisLine =~ /^checkpassword-pam\[(\d+)\]: Account management succeeded/)) { + } elsif ( ($PID) = ($ThisLine =~ /^checkpassword-pam\[(\d+)\]: Setting PAM credentials succeeded/)) { + } elsif ( ($PID) = ($ThisLine =~ /^checkpassword-pam\[(\d+)\]: Terminating PAM library/)) { + } elsif ( ($PID) = ($ThisLine =~ /^checkpassword-pam\[(\d+)\]: Exiting with status 0/)) { + } elsif ( ($User) = ($ThisLine =~ /^pam_tally\[\d+\]: pam_tally: pam_get_uid; no such user ([^ ]+)/)) { + $UnknownUser{$User}++; + } elsif ( ($User) = ($ThisLine =~ /^pam_tally\[\d+\]: Tally overflowed for user ([^ ]+)$/)) { + $TallyOverflow{$User}++; + } elsif ( ($User) = ($ThisLine =~ /^pam_pwdfile\[\d+\]: user not found in password database/) ) { + $pwd_file_unknown++; + } elsif ( ($User) = ($ThisLine =~ /^pam_pwdfile\[\d+\]: wrong password for user ([^ ]+)/)) { + $UnknownUser{$User}++; + } elsif ($ThisLine =~ /^pam_pwdfile\[\d+\]: password too short or NULL/) { + $pwd_file_too_short++; + } elsif ( ($User,$Su) = ($ThisLine =~ /^su: ([^ ]+) to ([^ ]+) on \/dev\/ttyp([0-9a-z]+)/) ) { + #$Su_User{$User}{$Su}++; #disabled for debian: reported in pam_unix + } elsif ( ($Su,$User) = ($ThisLine =~ /^su: \(to ([^ ]+)\) ([^ ]+) on (?:none|\/dev\/(pts\/|ttyp)([0-9]+))/) ) { + #$Su_User{$User}{$Su}++; # -|- + } elsif ( ($Su,$User) = ($ThisLine =~ /^su\[\d+\]: Successful su for (\S+) by (\S+)/) ) { + #$Su_User{$User}{$Su}++; # -|- + } elsif ($ThisLine =~ /^userhelper\[\d+\]: running '([^']+)' with ([^']+) privileges on behalf of '([^']+)'/) { + $Executed_app{"$1,$2,$3"}++; + } elsif ( ($User) = $ThisLine =~ /change user `([^']+)' password/) { + $PwdChange{"$User"}++; + } elsif ( ($User) = ($ThisLine =~ /^cvs: password mismatch for ([^']+): ([^']+) vs. ([^']+)/) ){ + $cvs_passwd_mismatch{$User}++; + } elsif ( ($User,$From,$To) = ($ThisLine =~ /usermod\[[0-9]*\]: change user `([^ ]*)' shell from `([^ ]*)' to `([^ ]*)'/) ) { + $ChangedShell{"$User,$From,$To"}++; + } elsif ( ($Name1,$Name2) = ($ThisLine =~ /usermod\[[0-9]*\]: change user name `([^ ]*)' to `([^ ]*)'/)) { + $ChangedUserName{"$Name1,$Name2"}++; + } elsif (($Name,$GID) = ($ThisLine =~ /change GID for `([^ ]*)' to ([0-9]*)/)) { + $ChangedGID{"$Name,$GID"}++; + } elsif (($Name,$UID1,$UID2) = ($ThisLine =~ /change user `([^ ]*)' UID from `([0-9]*)' to `([^ ]*)'/)) { + $ChangedUID{"$Name,$UID1,$UID2"}++; + } elsif (($Module,$Service) = ($ThisLine =~ /Deprecated (pam_[^ ]*) module called from service "([^ ]*)"/)) { + $DeprecateModule{"$Module,$Service"}++; + } elsif ( ($Library) = ($ThisLine =~ /vmware-authd\[\d+\]: PAM unable to dlopen\(([^ ]+)\)/) ) { + $MissingLib{"$Library"}++ + } elsif ( ($Client,$User) = ($ThisLine =~ /vmware-authd\[\d+\]: login from ([0-9\.]+) as ([^ ]+)/) ) { + $UserLogin{$User}++; + } elsif ( ($User) = ($ThisLine =~ /vmware-authd\[\d+\]: pam_unix_auth\(vmware-authd:auth\): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=([^ ]*)/) ) { + } elsif ( ($User) = ($ThisLine =~ /useradd.*failed adding user [`'](.*)',/) ) { + # useradd: failed adding user `rpcuser', data deleted + # useradd: failed adding user `mysql', exit code: 9 + $FailedAddUsers{$User}++; + } elsif (($User,$Reason) = ($ThisLine =~ /dovecot-auth: pam_userdb\(dovecot:auth\): user `(.*)' denied access \((.*)\)/)) { + # dovecot-auth: pam_userdb(dovecot:auth): user `bobok' denied access (incorrect password) + $DeniedAccess{"$User,$Reason"}++; + } elsif ($ThisLine =~ /^request-key: Cannot find command to construct key/) { + $RequestKeyFailures++; + } elsif (my ($type,$from,$response,$client,$service,$e) = ($ThisLine =~ /krb5kdc\[[0-9]*\]: (AS_REQ|TGS_REQ) \([0-9]+ etypes \{[ 0-9]+}\) ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+): (ISSUE|UNKNOWN_SERVER): authtime [0-9]+, (?:etypes \{rep=[0-9]+ tkt=[0-9]+ ses=[0-9]+},)? ([^ ]+) for ([^ ,]+)(?:, )?(.*)$/)) { + if($service=~/^krbtgt\/([^@]+)@\1/) { + $service='Login'; + } + if($response eq 'UNKNOWN_SERVER' && $e eq 'Server not found in Kerberos database') { + $response=$e; + $e=''; + } + $KerbList{$response}{$type}{$from}{$service}{$client}{$e}++; + } elsif (my ($type,$from,$response,$client,$service,$e) = ($ThisLine =~ /krb5kdc\[[0-9]*\]: (AS_REQ|TGS_REQ) \([0-9]+ etypes \{[ 0-9]+}\) ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+): (NEEDED_PREAUTH|PREAUTH_FAILED|CLIENT_NOT_FOUND): ([^ ]+) for ([^ ,]+)(?:, )?(.*)$/)) { + if($service=~/^krbtgt\/([^@]+)@\1/) { + $service='Login'; + } + if($response eq 'CLIENT_NOT_FOUND' && $e eq 'Client not found in Kerberos database') { + $response=$e; + $e=''; + } elsif($response eq 'NEEDED_PREAUTH' && $e eq 'Additional pre-authentication required') { + next unless($Detail > 9||$type ne 'AS_REQ'); + $response=$e; + $e=''; + } + $KerbList{$response}{$type}{$from}{$service}{$client}{$e}++; + } elsif ($ThisLine =~ /Rootkit Hunter:/ ) { + if ($ThisLine =~ /Please inspect this machine/) { + $RootkitHunter{'inspect'}++; + } elsif ($ThisLine =~ /check started/) { + $RootkitHunter{'runs'}++; + } elsif (my ($mins, $secs) = ($ThisLine =~ /Scanning took ([0-9]*) minutes? and ([0-9]*) seconds?/)) { + $RootkitHunter{'time'}+= $mins*60 + $secs; + } + } else { + # Unmatched entries... + $ThisLine =~ s/\[\d+\]:/:/; + $OtherList{$ThisLine}++; + } +} + +####################################### + +if ($NewUsers) { + print "New Users:\n$NewUsers\n"; +} + +if ($DeletedUsers) { + print "Deleted Users:\n$DeletedUsers\n"; +} + +if (keys %FailedAddUsers) { + print "Failed adding users:\n"; + foreach $User (keys %FailedAddUsers) { + print " $User: ". $FailedAddUsers{$User}. " Time(s)\n"; + } + print"\n"; +} + +if ($NewGroups) { + print "New Groups:\n$NewGroups\n"; +} + +if ($DeletedGroups) { + print "Deleted Groups:\n$DeletedGroups\n"; +} + +if (keys %GroupRenamed) { + print "Renamed groups:\n"; + foreach $Group (sort {$a cmp $b} keys %GroupRenamed) { + print " $Group\n"; + } +} + +if (keys %GroupChanged) { + print "Changed groups:\n"; + foreach $Group (sort {$a cmp $b} keys %GroupChanged) { + print " $Group\n"; + } +} + +if (keys %AddToGroup) { + print "\nAdded User to group:\n"; + foreach $Group (sort {$a cmp $b} keys %AddToGroup) { + print " $Group:\n"; + foreach $User (sort {$a cmp $b} keys %{$AddToGroup{$Group}}) { + print " $User\n"; + } + } +} + +if ($SetGroupMembers) { + print "Set Members of Group:\n$SetGroupMembers\n"; +} + +if (@RemoveFromGroup) { + print "\nRemoved From Group:\n".join('',@RemoveFromGroup)."\n"; +} + +if (keys %HomeChange) { + print "\nChanged users home directory:\n"; + foreach $User (sort {$a cmp $b} keys %HomeChange) { + print " $User:\n"; + # No sorting here - show it by time... + foreach $Home (keys %{$HomeChange{$User}}) { + print " $Home\n"; + } + } +} + +if (keys %UidChange) { + print "\nChanged users UID:\n"; + foreach $Entry (sort {$a cmp $b} keys %UidChange) { + print " $Entry\n"; + } +} + +if (keys %GidChange) { + print "\nChanged users GID:\n"; + foreach $Entry (sort {$a cmp $b} keys %GidChange) { + print " $Entry\n"; + } +} + +if (keys %PwdChange) { + print "\nChanged users password:\n"; + foreach $Entry (keys %PwdChange) { + print " $Entry changed password: $PwdChange{$Entry} Time(s)\n"; + } +} + +if (keys %UnknownUser) { + print "\nUnknown users:\n"; + foreach $User (sort {$a cmp $b} keys %UnknownUser) { + print " $User : $UnknownUser{$User} Time(s)\n"; + } +} + +if ($pwd_file_unknown > 0) { + print "\nUsers unknown in password database (pwd_file): $pwd_file_unknown\n"; +} + +if ($pwd_file_too_short > 0) { + print "\nPassword too short or NULL (pwd_file): $pwd_file_too_short Time(s)\n"; +} + +if (keys %{$Connections}) { + print "\nConnections:\n"; + foreach $ThisOne (keys %{$Connections}) { + if ($Summarize =~ /\Q$ThisOne\E/) { + print " Service " . $ThisOne . ": " . $Connections->{$ThisOne} . " Connection(s)\n"; + } else { + my $service_check = 0; + if ($ENV{"secure_$ThisOne"}) { + $service_check = $ENV{"secure_$ThisOne"}; + print " Service " . $ThisOne . " [Connection(s) more than $service_check per day]:\n"; + } else { + print " Service " . $ThisOne . " [Connection(s) per day]:\n"; + } + my $Total_Con = 0; + foreach $OtherOne (sort SortIP keys %{$Connections->{$ThisOne}}) { + $Total_Con = $Total_Con + $Connections->{$ThisOne}->{$OtherOne}; + if ( $Connections->{$ThisOne}->{$OtherOne} >= $service_check) { + print " " . $OtherOne . ": " . $Connections->{$ThisOne}->{$OtherOne} . " Time(s)\n"; + } + } + print " Total Connections: $Total_Con\n"; + } + } +} + +if (keys %{$Refused}) { + print "\nRefused Connections:\n"; + foreach $ThisOne (sort {$a cmp $b} keys %{$Refused}) { + print " Service " . $ThisOne . ":\n"; + foreach $OtherOne (sort SortIP keys %{$Refused->{$ThisOne}}) { + print " " . $OtherOne . ": " . $Refused->{$ThisOne}->{$OtherOne} . " Time(s)\n"; + } + } +} + +if (keys %{$FailedLogins}) { + print "\nFailed logins:\n"; + foreach $ThisOne (sort {$a cmp $b} keys %{$FailedLogins}) { + print " User " . $ThisOne . ":\n"; + foreach $OtherOne (sort {$a cmp $b} keys %{$FailedLogins->{$ThisOne}}) { + print " " . $OtherOne . ": " . $FailedLogins->{$ThisOne}->{$OtherOne} . " Time(s)\n"; + } + } +} + +if (keys %{$FailedSaver}) { + print "\nFailed screensaver disable:\n"; + foreach $User (sort {$a cmp $b} keys %{$FailedSaver}) { + print " User $User on displays:\n"; + foreach $Display (sort {$a cmp $b} keys %{$FailedSaver->{$User}}) { + print " $Display : " . $FailedSaver->{$User}->{$Display} . " Time(s)\n"; + } + } +} + +if (keys %DeniedAccess) { + print "\ndovecot-auth: Denied access\n"; + foreach (keys %DeniedAccess) { + ($User,$Reason) = split ","; + print " for user " . $User . " (reason: " . $Reason . ") :" . $DeniedAccess{"$User,$Reason"} . " Time(s)\n"; + } +} + +if (keys %NoIP) { + print "\nCouldn't get client IPs for connections to:\n"; + foreach $ThisOne (sort {$a cmp $b} keys %NoIP) { + print " $ThisOne: $NoIP{$ThisOne} Time(s)\n"; + } +} + +if (keys %NameVerifyFail) { + print "\nHostname verification failed:\n"; + foreach $Service (sort {$a cmp $b} keys %NameVerifyFail) { + print " Service $Service:\n"; + foreach my $Namev (sort {$a cmp $b} keys %{$NameVerifyFail{$Service}}) { + print " $Namev: $NameVerifyFail{$Service}{$Namev} Time(s)\n"; + } + } +} + +if (keys %Error) { + print "\nErrors:\n"; + foreach $Service (sort {$a cmp $b} keys %Error) { + print " Service $Service:\n"; + foreach $Err (sort {$a cmp $b} keys %{$Error{$Service}}) { + print " $Err: $Error{$Service}{$Err} Time(s)\n"; + } + } +} + +if ($RootLoginTTY) { + print "\nRoot logins on ttys: $RootLoginTTY Time(s).\n"; +} + +if ($RootLoginXVC) { + print "\nRoot logins on xvcs: $RootLoginXVC Time(s).\n"; +} + +if (keys %UserLogin) { + print "\nUser Logins:\n"; + foreach $User (sort {$a cmp $b} keys %UserLogin) { + print " $User : $UserLogin{$User} Time(s)\n"; + } +} + +if (keys %Su_User) { + print "\nUsers performing Su Changes:\n"; + foreach $User ( keys %Su_User) { + print " $User:\n"; + foreach $Su ( keys %{$Su_User{$User}}) { + my $val = $Su_User{$User}{$Su}; + print " $Su $val time(s)\n"; + } + } +} + +if ($ConsoleLock > 0) { + print "\nConsole file lock already in place: $ConsoleLock Time(s).\n"; +} + +if (keys %PasswordExpiry) { + print "\nChanged password expiry for users:\n"; + foreach $User (sort {$a cmp $b} keys %PasswordExpiry) { + print " $User : $PasswordExpiry{$User} Time(s)\n"; + } +} + +if (keys %UserInfChange) { + print "\nChanged user information:\n"; + foreach $User (sort {$a cmp $b} keys %UserInfChange) { + print " $User : $UserInfChange{$User} Time(s)\n"; + } +} + +if (keys %XauthMessage) { + print "\nReported by call_xauth:\n"; + foreach $Message (sort {$a cmp $b} keys %XauthMessage) { + print " $Message : $XauthMessage{$Message} Time(s)\n"; + } +} + +if (keys %PopLogin) { + print "\nspop3d user connections:\n"; + foreach $PopUser (sort {$a cmp $b} keys %PopLogin) { + print " $PopUser\:\t$PopLogin{$PopUser} Time(s)\n"; + } +} + +if (keys %PopErrors) { + print "\nspop3d connection failures:\n"; + foreach $PopErr (sort {$a cmp $b} keys %PopErrors) { + print " $PopErr\:\t$PopErrors{$PopErr} Time(s)\n"; + } +} + +if ($spop3d_opened > 0) { + print "\nspop3d connections(sum):\t".$spop3d_opened."\n"; +} + +if ($spop3d_errors > 0) { + print "spop3d connection errors:\t".$spop3d_errors."\n"; +} + +if ($#SudoList >= 0) { + print "\nUnauthorized sudo commands attempted (" . ($#SudoList + 1) . "):\n"; + print @SudoList; +} + +if (keys %ChkPasswdPam) { + print "\ncheckpassword-pam (SUID root PAM client):\n"; + foreach $PID (sort {$a cmp $b} keys %ChkPasswdPam) { + $ServiceUsernamePair = $ChkPasswdPam{$PID}{'Username'}.' => '.$ChkPasswdPam{$PID}{'Service'}; + if ($ChkPasswdPam{$PID}{'Success'} eq 'true') { + $Successes{$ServiceUsernamePair}++; + } else { + $Failures{$ServiceUsernamePair}++; + } + } + foreach $ServiceUsernamePair (sort {$a cmp $b} keys %Successes) { + $S = $Successes{$ServiceUsernamePair} ? $Successes{$ServiceUsernamePair} : 0; + $F = $Failures{$ServiceUsernamePair} ? $Failures{$ServiceUsernamePair} : 0; + print " $ServiceUsernamePair : $S success(es), $F failure(s)\n"; + } +} + +if (keys %TallyOverflow) { + print "\nTally overflowed for user:\n"; + foreach $User (sort {$a cmp $b} keys %TallyOverflow) { + print " $User : $TallyOverflow{$User} Time(s)\n"; + } +} + +if (keys %Executed_app) { + print "\nUserhelper executed applications:\n"; + foreach (keys %Executed_app) { + ($longapp,$asuser,$user) = split ","; + $app = substr($longapp,rindex($longapp,"/")+1); + print " $user -> $app as $asuser: ".$Executed_app{"$longapp,$asuser,$user"}." Time(s)\n"; + } +} + +if (keys %ChangedUserName) { + print "\nChanged users names:\n"; + foreach (keys %ChangedUserName) { + ($Name1,$Name2) = split ","; + print " User " . $Name1 . " change name to " . $Name2 . $ChangedUserName . "\n"; + } +} + +if (keys %ChangedUID) { + print "\nChanged UID:\n"; + foreach (keys %ChangedUID) { + ($Name,$UID1,$UID2) = split ","; + print " User " . $Name . " changed UID from " . $UID1 . " to " . $UID2 . "\n"; + } +} + +if (keys %ChangedShell) { + print "\nChanged users default login shell: \n"; + foreach (keys %ChangedShell) { + ($User,$From,$To) = split ","; + print " User " . $User . " change shell from " . $From . " to " . $To . ": " . $ChangedShell{"$User,$From,$To"} . " Time(s)\n"; + } + +} + +if (keys %ChangedGID) { + print "\nChanged GID:\n"; + foreach (keys %ChangedGID) { + ($Name,$GID) = split ","; + print " Group " . $Name . " change GID to " . $GID . "\n"; + } +} + +if (keys %cvs_passwd_mismatch) { + print "\ncvs:"; + print "\n Authentication Failures:\n"; + foreach $User (keys %cvs_passwd_mismatch) { + print " $User : $cvs_passwd_mismatch{$User} Time(s)\n"; + } +} + +if (keys %DeprecateModule){ + print "\nDeprecated pam module:\n"; + foreach (keys %DeprecateModule) { + ($Module,$Service) = split ","; + print " deprecated module $Module called from service $Service: " . $DeprecateModule{"$Module,$Service"} . " Time(s)\n"; + } +} + + +if ($RequestKeyFailures) { + print "\nRequest Key Failures (nfs-utils/kernel mismatch): $RequestKeyFailures Time(s)\n"; +} + +if (keys %KerbList) { + print "\nKerberos Entries:\n"; + foreach my $response (sort {$a cmp $b} keys %KerbList) { + print " $response:\n"; + foreach my $type (sort {$a cmp $b} keys %{$KerbList{$response}}) { + print " $type:\n"; + foreach my $from (sort {$a cmp $b} keys %{$KerbList{$response}{$type}}) { + print " $from:\n"; + foreach my $service (sort {$a cmp $b} keys %{$KerbList{$response}{$type}{$from}}) { + print " $service:\n"; + foreach my $client (sort {$a cmp $b} keys %{$KerbList{$response}{$type}{$from}{$service}}) { + if(scalar(keys %{$KerbList{$response}{$type}{$from}{$service}{$client}})==1&&defined($KerbList{$response}{$type}{$from}{$service}{$client}{''})){ + print " $client: $KerbList{$response}{$type}{$from}{$service}{$client}{''} Time(s)\n"; + }else{ + print " $client:\n"; + foreach my $e (sort {$a cmp $b} keys %{$KerbList{$response}{$type}{$from}{$service}{$client}}) { + print " $e: $KerbList{$response}{$type}{$from}{$service}{$client}{$e} Time(s)\n"; + } + } + } + } + } + } + } +} + +if (keys %RootkitHunter) { + use integer; + my ($mins, $secs) = ($RootkitHunter{'time'} / 60, $RootkitHunter{'time'} % 60); + print "\nRootkitHunter:\n"; + print " Runs: $RootkitHunter{'runs'}\n"; + print " Suggested Inspection: $RootkitHunter{'inspect'} Time(s)\n"; + print " Total Runtime: $mins minute(s) $secs second(s)\n"; +} + +if (keys %OtherList) { + print "\n**Unmatched Entries**\n"; + foreach $line (sort {$a cmp $b} keys %OtherList) { + print " $line: $OtherList{$line} Time(s)\n"; + } +} + +if (keys %MissingLib) { + print "\n Missing libraries:\n"; + foreach $Lib (keys %MissingLib) { + print " $Lib : $MissingLib{$Lib} Time(s)\n"; + } +} + +exit(0); + +# vi: shiftwidth=3 tabstop=3 syntax=perl et +# Local Variables: +# mode: perl +# perl-indent-level: 3 +# indent-tabs-mode: nil +# End: |