##########################################################################
# $Id: secure,v 1.69 2006/03/20 20:42:57 bjorn Exp $
##########################################################################
# $Log: secure,v $
# Revision 1.69 2006/03/20 20:42:57 bjorn
# Additional filtering, by Ivana Varekova.
#
# Revision 1.68 2006/03/13 20:10:31 bjorn
# Additional detection/reporting for user/group add/remove, by Willi Mann.
#
# Revision 1.67 2006/01/31 20:33:30 bjorn
# Correction to previous patch.
#
# Revision 1.66 2006/01/31 20:18:01 bjorn
# Additional filtering, some Debian-specific, by Willi Mann.
#
# Revision 1.65 2006/01/20 22:31:04 bjorn
# Handle new pam_unix format, by Ivana Varekova.
#
# Revision 1.64 2005/12/06 02:37:34 bjorn
# Report cvs password mismatches, by Ivana Varekova.
#
# Revision 1.63 2005/12/01 04:26:20 bjorn
# Fixed uid, gid references in NewUser and NewGroups, and removed newlines.
#
# Revision 1.62 2005/12/01 00:34:43 bjorn
# Changed arrays to strings to keep formatting consistent when printing output.
#
# Revision 1.61 2005/10/26 05:50:21 bjorn
# Allow case insensitivity for uid, gid, by Ivana Varekova
#
# Revision 1.60 2005/09/29 15:02:00 bjorn
# Added password change, userhelper apps, filtering pam_timestamp, all by
# Ivana Varekova.
#
# Revision 1.59 2005/09/28 18:25:55 mike
# Patch from David Baldwin for service_limit and connections per sec -mgt
#
# Revision 1.58 2005/09/28 17:25:48 mike
# pam_abl patch from Gilles Detillieux -mgt
#
# Revision 1.57 2005/09/26 17:23:36 mike
# Patch from David Baldwin, catch non PID loglines -mgt
#
# Revision 1.56 2005/09/13 18:42:58 mike
# Patch from David Baldwin, more su cases and inetd rsh. -mgt
#
# Revision 1.55 2005/08/27 00:40:41 mike
# Solaris 9 patch for su from Markus Lude -mgt
#
# Revision 1.54 2005/08/23 23:15:40 mike
# Added su for openbsd from Shaun O'Meara also the Solaris su patch from mgt -mgt
#
# Revision 1.53 2005/05/10 23:50:01 bjorn
# Changed instance of variable $Name to $Namev to avoid conflict with cvs
#
# Revision 1.52 2005/04/22 13:55:55 bjorn
# Re-ordered some statements, by Paweł Gołaszewski
#
# Revision 1.51 2005/04/21 17:51:00 bjorn
# Handle <no address> instead of IP address
#
# Revision 1.50 2005/04/17 23:33:57 bjorn
# Added password failure checking and pam filtering from Paweł Gołaszewski and
# Paul Wolstenholme
#
# Revision 1.49 2005/02/24 17:08:05 kirk
# Applying consolidated patches from Mike Tremaine
#
# Revision 1.15 2005/02/21 19:09:52 mgt
# Bump to 5.2.8 removed some cvs logs -mgt
#
# Revision 1.14 2005/02/16 00:43:28 mgt
# Added #vi tag to everything, updated ignore.conf with comments, added emerge and netopia to the tree from Laurent -mgt
#
# Revision 1.13 2005/02/13 21:26:13 mgt
# patches from Michael Weiser -mgt
#
# Revision 1.12 2005/02/13 20:28:42 mgt
# More init corrections -mgt
#
# Revision 1.11 2005/02/13 02:27:02 mgt
# fixed uninitialized value -mgt
#
# Revision 1.10 2004/10/15 19:24:07 mgt
# added per service flooring -mgt
#
# Revision 1.9 2004/10/06 21:40:44 mgt
# Patches from Kenneth -mgt
#
# Revision 1.8 2004/07/29 19:33:29 mgt
# Chmod and removed perl call -mgt
#
# Revision 1.7 2004/07/10 01:54:35 mgt
# sync with kirk -mgt
#
##########################################################################
########################################################
# This was written and is maintained by:
# Kirk Bauer <kirk@kaybee.org>
#
# Please send all comments, suggestions, bug reports,
# etc, to kirk@kaybee.org.
########################################################
# Logwatch hands its configuration over through the environment:
#   LOGWATCH_DETAIL_LEVEL   report verbosity (pam_abl blocks show the user at >= 5)
#   ignore_services         services whose log lines are dropped outright
#   summarize_connections   services reported as one connection total
# Each falls back to 0 when unset or empty.
($Detail, $Ignore, $Summarize) = map { $ENV{$_} || 0 }
    qw(LOGWATCH_DETAIL_LEVEL ignore_services summarize_connections);
#$DoLookup = $ENV{'secure_ip_lookup'};

# Plain counters.  Note that the scalars $Executed_app and $PwdChange are
# distinct variables from the hashes %Executed_app / %PwdChange filled in by
# the parser below; nothing in this file reads the two scalars.
($ConsoleLock, $spop3d_opened, $spop3d_errors, $pwd_file_unknown,
 $pwd_file_too_short, $Executed_app, $PwdChange) = (0) x 7;

# LookupIP and SortIP come from the Logwatch module's ':ip' tag; the parser
# and the report use them to label and order peer addresses.
use Logwatch ':ip';
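# ---------------------------------------------------------------------------
# Parse.  Every line on STDIN is untrusted text from the secure log, and the
# fragments captured here (user names, hosts, commands) are echoed back into
# the report verbatim.  Patterns therefore stay anchored where the message
# format allows it, and configuration values are matched with \Q...\E rather
# than interpolated as regex.
# ---------------------------------------------------------------------------

# True when $service is listed in ignore_services (whole word, case-insensitive).
sub _is_ignored {
    my ($service) = @_;
    return $Ignore =~ /\b\Q$service\E\b/i;
}

# True when $line matches any of @patterns; stops at the first hit.
sub _matches_any {
    my ($line, @patterns) = @_;
    foreach my $re (@patterns) {
        return 1 if $line =~ $re;
    }
    return 0;
}

# Captures of the first pattern in @patterns that matches $line, or the
# empty list when none does.  Every pattern passed here must capture the
# same groups, since the caller unpacks them positionally.
sub _first_match {
    my ($line, @patterns) = @_;
    foreach my $re (@patterns) {
        my @captures = ($line =~ $re);
        return @captures if @captures;
    }
    return;
}

# Count one connection to $service from $peer.  Services named in
# summarize_connections get a single per-service total instead of a
# per-peer breakdown; the report handles both shapes.
sub _count_connection {
    my ($service, $peer) = @_;
    if ($Summarize =~ /\Q$service\E/) {
        $Connections->{$service}++;
    } else {
        $Connections->{$service}->{$peer}++;
    }
    return;
}

# Lines that carry nothing for this report, or that another logwatch service
# (pam, sshd, sudo, ...) reports on.  Checked before any classifying pattern.
my @IGNORE_PATTERNS = (
    qr/^[^ :]*:( [0-9:\[\]\.]+|) \(pam_(unix|securetty)\)/i,      # current sarge
    qr/^PAM_unix[\[\]0-9]*:/i,                                    # Woody-specific
    qr/pam_succeed_if: requirement "uid < 100" (was|not) met by user /,
    qr/pam_rhosts_auth\[\d+\]: allowed to [^ ]+ as \w+/,
    qr/^(.*)\(pam_unix\)/,
    qr/pam_unix\(.*:.*\)/,
    qr/^[^ ]+\[\d+\]: connect from localhost$/,
    qr{^/usr/bin/sudo:},
    qr/^halt:/,
    qr/^pam_xauth\[\d+\]: call_xauth: child returned \d/,
    qr/^su\[\d+\]: pam_authenticate: Authentication failure/,
    qr/^passwd\[\d+\]:/,
    qr/^reboot:/,
    qr/^sudo:/,
    qr/^su: pam_unix2: session (started|finished) for user [^ ]+, service [^ ]+/,
    qr/^xinetd\[\d+\]: USERID: ([^ ]+) (.+)$/,
    qr/warning: can.t get client address: Connection refused/,
    qr/^(xinetd|xinetd-ipv6)\[\d+\]: EXIT: /,
    qr/^crond\(\w+\)\[\d+\]: session /,
    qr/^sshd\(\w+\)\[\d+\]: authentication failure/,
    qr/^sshd\(\w+\)\[\d+\]: check pass; user unknown/,
    qr/^sshd\(\w+\)\[\d+\]: session /,
    qr/^ipop3d\[\d+\]:/,
    qr/^su\[\d+\]: [+-] .+/,
    qr/^su\[\d+\]: Successful su for \S+ by \S+/,
    qr/^pam_limits\[\d+\]/,
    qr/^kcheckpass(\[\d+\]|):/,                                   # done in pam_unix
    qr{^cyrus/lmtpd\[\d+\]: [^ ]+ server step [12]},
    qr{^cyrus/imapd\[\d+\]: [^ ]+ server step [12]},
    qr/pam_timestamp: updated timestamp file/,
    # covers both the "is only N seconds old, allowing access" and the
    # "has unacceptable age, disallowing access" forms of this message
    qr/pam_timestamp\(?[^ ]*\)?: timestamp file `([^ ]+)'/,
    qr/userhelper\[\d+\]: running '([^ ]+)' with [^ ]+ context/,
    qr{pam_timestamp\(.*:session\): updated timestamp file `/var/run/sudo.*'},
);

# Error-style messages, all reported under "Errors" keyed by service and text.
# Each pattern captures exactly (service, message).
my @ERROR_PATTERNS = (
    qr/^([^ ]+)\[\d+\]: error: (.+)$/,
    qr/^([^ ]+): (FAILED LOGIN SESSION FROM [^ ]+ FOR , .*)$/,
    qr/^([^ ]+): (password mismatch for [^ ]+ in [^ ]+):.*$/,
    qr/^([^ ]+)\[\d+\]: (changed POP3 password for .*)$/,
    qr/^(su)(?:\[\d+\])?: ('su \w+' failed for \w+)/,             # Solaris 10 su failed
    qr/^(su): (FAILED SU \(to \w+\) \w+ on [^ ]+)/,                # SuSE su failed
);

# checkpassword-pam progress messages that carry no state of their own.
my $CHKPW_NOISE_RE = do {
    my $alternatives = join '|', map { quotemeta } (
        'Reading username and password',
        'Password read successfully',
        'Pam library initialization succeeded',
        'conversation(): msg[0], style PAM_PROMPT_ECHO_OFF, msg = "Password: "',
        'Account management succeeded',
        'Setting PAM credentials succeeded',
        'Terminating PAM library',
        'Exiting with status 0',
    );
    qr/^checkpassword-pam\[\d+\]: (?:$alternatives)/;
};

while (defined($ThisLine = <STDIN>)) {
    chomp($ThisLine);
    # Drop the syslog prefix ("Mon DD HH:MM:SS host ") and, on Solaris, the
    # "[ID nnn facility.level] " tag so the patterns only see the message.
    $ThisLine =~ s/^... .. ..:..:.. [^ ]+ //;
    $ThisLine =~ s/\[ID [0-9]+ [a-z]+\.[a-z]+\] //;

    # The program name runs up to the first '[' or ':'; lines from services
    # named in ignore_services are dropped before anything else is tried.
    my $program = $ThisLine;
    $program =~ s/^([^\[:]+).*/$1/;
    next if _is_ignored($program);

    if (_matches_any($ThisLine, @IGNORE_PATTERNS)) {
        # nothing to report for these
    } elsif ($ThisLine =~ /^spop3d/ || $ThisLine =~ /^pop\(\w+\)\[\d+\]:/) {
        my @fields = split(": ", $ThisLine);
        if ($fields[1] =~ /^session opened for user/) {
            $spop3d_opened++;
            # "session opened for user NAME by ..." -> NAME is the fifth word
            my $pop_user = (split ' ', $fields[1])[4];
            $PopLogin{$pop_user}++;
        } elsif ($fields[1] =~ /^authentication failure;/) {
            # authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=NAME
            $spop3d_errors++;
            my $pop_err = (split / user=/, $fields[1])[1];
            $PopErrors{$pop_err}++;
        }
    } elsif ( ($Host,$User) = ($ThisLine =~ /^login: FAILED LOGIN \d+ FROM ([^ ]+) FOR ([^,]+),/ ) ) {
        $FailedLogins->{$User}->{$Host}++;
    } elsif ( ($Service,$IP) = ($ThisLine =~ /^([^ ]+)\[\d+\]: connect(?:ion)? from "?(\d+\.\d+\.\d+\.\d+).*/) ) {
        # "(?:ion)?" is non-capturing so that $IP really is the address and not
        # the optional "ion" suffix of "connection".
        _count_connection($Service, LookupIP($IP));
    } elsif ( ($Service,$Name) = ($ThisLine =~ /^(in\.rshd)\[\d+\]: (.*)/) ) {
        _count_connection($Service, $Name);
    } elsif ( ($Service,$Su_msg) = ($ThisLine =~ /^(su)(?:\[\d+\])?:\s+('su \w+' succeeded for \w+) on/) ) {
        # Solaris su messages are listed under "Connections" keyed by the text
        $Connections->{$Service}->{$Su_msg}++;
    } elsif ( ($Service,$IP) = ($ThisLine =~ /^([^ ]+)\[\d+\]: refused connect from (\d+\.\d+\.\d+\.\d+)$/) ) {
        $Refused->{$Service}->{ LookupIP($IP) }++;
    } elsif ( ($Service,$Name) = ($ThisLine =~ /^([^ ]+)\[\d+\]: refused connect from (.*)$/) ) {
        $Refused->{$Service}->{$Name}++;
    } elsif ( ($Service,$Name) = ($ThisLine =~ /^([^ ]+)\[\d+\]: connect from ([^\n]+)$/) ) {
        # any non-IPv4 peer (hostname, "unknown", ...) is kept as written
        _count_connection($Service, $Name);
    } elsif ( (undef, $Service, $IP) = ($ThisLine =~ /^(xinetd|xinetd-ipv6)\[\d+\]: START: ([^ ]+) pid=\d+ from=([^\n]+)$/) ) {
        next if _is_ignored($Service);
        if ($Summarize =~ /\Q$Service\E/) {
            $Connections->{$Service}++;
        } else {
            # from= is usually an address but can be "<no address>"; only
            # strings made of hex digits, dots and colons are resolved.
            my $peer = ($IP =~ /^[A-Fa-f\d\.:]+$/) ? LookupIP($IP) : $IP;
            $Connections->{$Service}->{$peer}++;
        }
    } elsif ( ($Service, $IP) = ($ThisLine =~ /^inetd\[\d+\]: (\w+)\[\d+\] from ([^ \n]+) \d+$/) ) {
        # Solaris inetd: works when started as "inetd -s -t" with daemon.notice
        # sent to authlog
        next if _is_ignored($Service);
        if ($Summarize =~ /\Q$Service\E/) {
            $Connections->{$Service}++;
        } else {
            $Connections->{$Service}->{ LookupIP($IP) }++;
        }
    } elsif ( ($Service,undef,$Name) = ($ThisLine =~ /^([^ ]+)\[\d+\]: warning: ([^ ]+), line \d+: can't verify hostname: getaddrinfo\(([^ ]+), AF_INET\) failed$/) ) {
        $NameVerifyFail{$Service}{$Name}++;
    } elsif ( ($Service,undef,$Name,$IP) = ($ThisLine =~ /^([^ ]+)\[\d+\]: warning: ([^ ]+), line \d+: host name\/name mismatch: ([^ ]+) != ([^ ]+)$/) ) {
        $NameVerifyFail{$Service}{"$Name != $IP"}++;
    } elsif ( ($Display, $User) = ($ThisLine =~ /^xscreensaver\[\d+\]: FAILED LOGIN \d ON DISPLAY "([^ ]+)", FOR "([^ ]+)"$/) ) {
        $FailedSaver{$User}{$Display}++;
    } elsif ( ($Service) = ($ThisLine =~ /^([^ ]+)\[\d+\]: (?:warning: can't get client address: (?:No route to host|Network is unreachable|Connection reset by peer|Connection timed out)|connect from unknown)$/) ) {
        # Peer address unknown: counted per service only.  ("connect from
        # unknown" is normally taken by the generic "connect from" branch above.)
        $NoIP->{$Service}++;
    } elsif ( ($Service,$Err) = _first_match($ThisLine, @ERROR_PATTERNS) ) {
        $Error{$Service}{$Err}++;
    } elsif ( $ThisLine =~ /^login(\[\d+\])*: ROOT LOGIN\s+(ON|on)\s+`?tty[0-9]+/) {
        $RootLoginTTY++;
    } elsif ( $ThisLine =~ /^login(\[\d+\])*: ROOT LOGIN\s+(ON|on)\s+`?xvc[0-9]+/) {
        $RootLoginXVC++;
    } elsif ( (undef,$User) = ($ThisLine =~ /^login: LOGIN ON (tty|pts\/)[0-9]+ BY ([^ ]+)/ )) {
        $UserLogin{$User}++;
    # Account and group maintenance: the s/// forms reduce $ThisLine to the
    # name (and id) that the report lists.
    } elsif ( $ThisLine =~ s/^userdel\[\d+\]: delete user `(.+)'/$1/ ) {
        $DeletedUsers .= " $ThisLine\n";
    } elsif ( $ThisLine =~ s/^(?:useradd|adduser)\[\d+\]: new user: name=(.+), (?:uid|UID)=(\d+).*$/$1 ($2)/ ) {
        $NewUsers .= " $ThisLine\n";
    } elsif ( $ThisLine =~ s/^userdel\[\d+\]: remove(?:d)? group `(\S+)'( owned by \S+)?/$1/ ) {
        $DeletedGroups .= " $ThisLine\n";
    } elsif ( $ThisLine =~ s/^groupdel\[\d+\]: remove group `(.+)'/$1/ ) {
        $DeletedGroups .= " $ThisLine\n";
    } elsif ( $ThisLine =~ s/^(?:useradd|adduser)\[\d+\]: new group: name=(.+), (?:gid|GID)=(\d+).*$/$1 ($2)/ ) {
        $NewGroups .= " $ThisLine\n";
    } elsif ( (undef,$User,undef,$Group) = ($ThisLine =~ /(usermod|useradd)\[\d+\]: add `([^ ]+)' to (shadow |)group `([^ ]+)'/ )) {
        $AddToGroup{$Group}{$User}++;
    } elsif ( $ThisLine =~ s/^groupadd\[\d+\]: new group: name=(.+), (?:gid|GID)=(\d+).*$/$1 ($2)/ ) {
        $NewGroups .= " $ThisLine\n";
    } elsif ( $ThisLine =~ s/^gpasswd\[\d+\]: set members of // ) {
        $SetGroupMembers .= " $ThisLine\n";
    } elsif ( $ThisLine =~ /^userdel\[\d+\]: delete `(.*)' from (shadow |)group `(.*)'\s*$/ ) {
        push @RemoveFromGroup, " user $1 from group $3\n";
    } elsif ( ($User, $Denied, $Command) = ($ThisLine =~ m{^(?:/usr/bin/)?sudo: ([^\s]+) : (command not allowed)?.+ ; COMMAND=(.*)$}) ) {
        # Only "command not allowed" entries are listed; other sudo lines of
        # this shape leave $Denied undefined.  NOTE: "^sudo:" and
        # "^/usr/bin/sudo:" are in @IGNORE_PATTERNS, so this branch is not
        # reached while those entries stay there.
        push @SudoList, "$User: $Command\n" if defined $Denied;
    } elsif ( ($Service, $Host) = ($ThisLine =~ /^xinetd\[\d+\]: FAIL: (.+) (?:address|libwrap|service_limit|connections per second) from=([\d.]+)/)) {
        next if _is_ignored($Service);
        $Refused->{$Service}->{$Host}++;
    } elsif ( ($Host, $Service, $User) = ($ThisLine =~ /^pam_abl\[\d+\]: Blocking access from (.+) to service (.+), user (.+)/)) {
        # At detail level 5 and up keep the blocked user; otherwise aggregate
        # per host so the report stays short.
        if ($Detail >= 5) {
            $Refused->{$Service}->{ $Host . "/" . $User }++;
        } else {
            $Refused->{$Service}->{$Host}++;
        }
    } elsif ( ($User) = ($ThisLine =~ /^chage\[\d+\]: changed password expiry for ([^ ]+)/)) {
        $PasswordExpiry{$User}++;
    } elsif ( ($User) = ($ThisLine =~ /^chfn\[\d+\]: changed user `([^ ]+)' information/)) {
        $UserInfChange{$User}++;
    } elsif ( $ThisLine =~ /^pam_console\[\d+\]: console file lock already in place ([^ ]+)/ ) {
        $ConsoleLock++;
    } elsif ( ($Message) = ($ThisLine =~ /^pam_xauth\[\d+\]: call_xauth: (.+)/)) {
        $XauthMessage{$Message}++;
    } elsif ( ($Group,$NewName) = ($ThisLine =~ /^groupmod\[\d+\]: change group `(.*)' to `(.*)'/)) {
        $GroupRenamed{"$Group -> $NewName"}++;
    } elsif ( ($User,$Home,$NewHome) = ($ThisLine =~ /^usermod\[\d+\]: change user `(.*)' home from `(.*)' to `(.*)'/)) {
        $HomeChange{$User}{"$Home -> $NewHome"}++;
    } elsif ( ($User,$From,$To) = ($ThisLine =~ /^usermod\[\d+\]: change user `(.*)' UID from `(.*)' to `(.*)'/)) {
        # ": change" with a space, consistent with the GID/home/shell patterns
        # (the previous ":change" form could not match a usermod line).
        $UidChange{"$User: $From -> $To"}++;
    } elsif ( ($User,$From,$To) = ($ThisLine =~ /^usermod\[\d+\]: change user `(.*)' GID from `(.*)' to `(.*)'/)) {
        $GidChange{"$User: $From -> $To"}++;
    # checkpassword-pam logs one authentication as several lines; they are
    # stitched together per PID and summarised by the report.
    } elsif ( ($PID,$Username) = ($ThisLine =~ /^checkpassword-pam\[(\d+)\]: Username '([^']+)'/)) {
        $ChkPasswdPam{$PID}{'Username'} = $Username;
    } elsif ( ($PID,$Service) = ($ThisLine =~ /^checkpassword-pam\[(\d+)\]: Initializing PAM library using service name '([^']+)'/)) {
        $ChkPasswdPam{$PID}{'Service'} = $Service;
    } elsif ( ($PID) = ($ThisLine =~ /^checkpassword-pam\[(\d+)\]: Authentication passed/)) {
        $ChkPasswdPam{$PID}{'Success'} = 'true';
    } elsif ( $ThisLine =~ $CHKPW_NOISE_RE ) {
        # progress messages; a PID without "Authentication passed" is reported
        # as a failure
    } elsif ( ($User) = ($ThisLine =~ /^pam_tally\[\d+\]: pam_tally: pam_get_uid; no such user ([^ ]+)/)) {
        $UnknownUser{$User}++;
    } elsif ( ($User) = ($ThisLine =~ /^pam_tally\[\d+\]: Tally overflowed for user ([^ ]+)$/)) {
        $TallyOverflow{$User}++;
    } elsif ( $ThisLine =~ /^pam_pwdfile\[\d+\]: user not found in password database/ ) {
        $pwd_file_unknown++;
    } elsif ( ($User) = ($ThisLine =~ /^pam_pwdfile\[\d+\]: wrong password for user ([^ ]+)/)) {
        # a failed password, not an unknown account; it is nevertheless listed
        # under the "Unknown users" heading together with pam_tally's entries
        $UnknownUser{$User}++;
    } elsif ($ThisLine =~ /^pam_pwdfile\[\d+\]: password too short or NULL/) {
        $pwd_file_too_short++;
    } elsif ( ($User,$Su) = ($ThisLine =~ /^su: ([^ ]+) to ([^ ]+) on \/dev\/ttyp[0-9]+/) ) {
        # BSD-style "su: USER to TARGET on /dev/ttypN"
        $Su_User{$User}{$Su}++;
    } elsif ( ($Su,$User) = ($ThisLine =~ /^su: \(to ([^ ]+)\) ([^ ]+) on (?:none|\/dev\/(?:pts\/|ttyp)[0-9]+)/) ) {
        # "su: (to TARGET) USER on /dev/pts/N"
        $Su_User{$User}{$Su}++;
    } elsif ( ($App, $Privs, $OnBehalf) = ($ThisLine =~ /^userhelper\[\d+\]: running '([^']+)' with ([^']+) privileges on behalf of '([^']+)'/) ) {
        # key layout "app,privileges,user" is what the report splits on
        $Executed_app{"$App,$Privs,$OnBehalf"}++;
    } elsif ( ($User) = ($ThisLine =~ /change user `([^']+)' password/) ) {
        $PwdChange{$User}++;
    } elsif ( ($User) = ($ThisLine =~ /^cvs: password mismatch for ([^']+): ([^']+) vs. ([^']+)/) ) {
        $cvs_passwd_mismatch{$User}++;
    } elsif ( ($User,$From,$To) = ($ThisLine =~ /usermod\[[0-9]*\]: change user `([^ ]*)' shell from `([^ ]*)' to `([^ ]*)'/) ) {
        $ChangedShell{"$User,$From,$To"}++;
    } else {
        # Anything unclassified is shown verbatim under "Unmatched Entries"
        push @OtherList, "$ThisLine\n";
    }
}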
#######################################
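# ---------------------------------------------------------------------------
# Report.  A section prints only when it has something to say, so an empty
# report means nothing matched.  Keys are sorted throughout so that two runs
# over the same log give identical output (Perl hash order is not stable).
# Section order is the historical one and is part of the report's shape.
# ---------------------------------------------------------------------------

# Print $title, then " KEY<sep>COUNT Time(s)" for each key of %$counts in
# sorted order.  $sep defaults to " : ".  Prints nothing for an empty hash.
sub _print_counts {
    my ($title, $counts, $sep) = @_;
    $sep = ' : ' unless defined $sep;
    return unless keys %{$counts};
    print $title;
    foreach my $key (sort { $a cmp $b } keys %{$counts}) {
        print " $key$sep$counts->{$key} Time(s)\n";
    }
    return;
}

# Print $title, then one " KEY" line per key of %$set (no counts).
sub _print_keys {
    my ($title, $set) = @_;
    return unless keys %{$set};
    print $title;
    print " $_\n" foreach sort { $a cmp $b } keys %{$set};
    return;
}

# Two-level report: " <label> OUTER:" followed by " INNER: COUNT Time(s)"
# lines.  With $by_ip true the inner keys (peer addresses) are ordered with
# SortIP instead of plain string comparison.
sub _print_nested {
    my ($title, $label, $data, $by_ip) = @_;
    return unless keys %{$data};
    print $title;
    foreach my $outer (sort { $a cmp $b } keys %{$data}) {
        print " $label $outer:\n";
        my @inner = $by_ip
            ? (sort SortIP keys %{ $data->{$outer} })
            : (sort { $a cmp $b } keys %{ $data->{$outer} });
        foreach my $inner (@inner) {
            print " $inner: $data->{$outer}->{$inner} Time(s)\n";
        }
    }
    return;
}

# Preformatted text blocks collected by the parser.
foreach my $section (['New Users', $NewUsers], ['Deleted Users', $DeletedUsers],
                     ['New Groups', $NewGroups], ['Deleted Groups', $DeletedGroups]) {
    my ($title, $text) = @{$section};
    print "$title:\n$text\n" if $text;
}
_print_keys("Renamed groups:\n", \%GroupRenamed);
if (keys %AddToGroup) {
    print "\nAdded User to group:\n";
    foreach my $group (sort { $a cmp $b } keys %AddToGroup) {
        print " $group:\n";
        foreach my $user (sort { $a cmp $b } keys %{ $AddToGroup{$group} }) {
            print " $user\n";
        }
    }
}
if ($SetGroupMembers) {
    print "Set Members of Group:\n$SetGroupMembers\n";
}
if (@RemoveFromGroup) {
    print "\nRemoved From Group:\n" . join('', @RemoveFromGroup) . "\n";
}
if (keys %HomeChange) {
    print "\nChanged users home directory:\n";
    foreach my $user (sort { $a cmp $b } keys %HomeChange) {
        print " $user:\n";
        # keys are "old -> new"; sorted, since hash order does not reflect time
        foreach my $change (sort { $a cmp $b } keys %{ $HomeChange{$user} }) {
            print " $change\n";
        }
    }
}
_print_keys("\nChanged users UID:\n", \%UidChange);
_print_keys("\nChanged users GID:\n", \%GidChange);
_print_counts("\nChanged users password:\n", \%PwdChange, ' changed password: ');
_print_counts("\nUnknown users:\n", \%UnknownUser);
if ($pwd_file_unknown > 0) {
    print "\nUsers unknown in password database (pwd_file): $pwd_file_unknown\n";
}
if ($pwd_file_too_short > 0) {
    print "\nPassword too short or NULL (pwd_file): $pwd_file_too_short Time(s)\n";
}

# Connections: $Connections->{service} is a plain count for services named
# in summarize_connections, and a per-peer hash otherwise.
if (keys %{$Connections}) {
    print "\nConnections:\n";
    foreach my $service (sort { $a cmp $b } keys %{$Connections}) {
        if ($Summarize =~ /\Q$service\E/) {
            print " Service $service: $Connections->{$service} Connection(s)\n";
            next;
        }
        # secure_<service>=N in the environment hides peers seen fewer than N
        # times (the comparison is >=); hidden peers still count in the total.
        my $threshold = 0;
        if ($ENV{"secure_$service"}) {
            $threshold = $ENV{"secure_$service"};
            print " Service $service [Connection(s) more than $threshold per day]:\n";
        } else {
            print " Service $service [Connection(s) per day]:\n";
        }
        my $total = 0;
        foreach my $peer (sort SortIP keys %{ $Connections->{$service} }) {
            my $count = $Connections->{$service}->{$peer};
            $total += $count;
            print " $peer: $count Time(s)\n" if $count >= $threshold;
        }
        print " Total Connections: $total\n";
    }
}
_print_nested("\nRefused Connections:\n", 'Service', $Refused, 1);
_print_nested("\nFailed logins:\n", 'User', $FailedLogins, 0);

# %FailedSaver is a plain hash (the parser writes $FailedSaver{user}{display});
# checking the scalar $FailedSaver here used to hide this section entirely.
if (keys %FailedSaver) {
    print "\nFailed screensaver disable:\n";
    foreach my $user (sort { $a cmp $b } keys %FailedSaver) {
        print " User $user on displays:\n";
        foreach my $display (sort { $a cmp $b } keys %{ $FailedSaver{$user} }) {
            print " $display : $FailedSaver{$user}{$display} Time(s)\n";
        }
    }
}
# $NoIP is a hash reference, matching the parser's $NoIP->{service}++.
_print_counts("\nCouldn't get client IPs for connections to:\n", $NoIP, ': ');
_print_nested("\nHostname verification failed:\n", 'Service', \%NameVerifyFail, 0);
_print_nested("\nErrors:\n", 'Service', \%Error, 0);
if ($RootLoginTTY) {
    print "\nRoot logins on tty's: $RootLoginTTY Time(s).\n";
}
if ($RootLoginXVC) {
    print "\nRoot logins on xvcs: $RootLoginXVC Time(s).\n";
}
_print_counts("\nUser Login's:\n", \%UserLogin);
if (keys %Su_User) {
    print "\nUsers performing Su Changes:\n";
    foreach my $user (sort { $a cmp $b } keys %Su_User) {
        print " $user:\n";
        foreach my $target (sort { $a cmp $b } keys %{ $Su_User{$user} }) {
            print " $target $Su_User{$user}{$target} time(s)\n";
        }
    }
}
if ($ConsoleLock > 0) {
    print "\nConsole file lock already in place: $ConsoleLock Time(s).\n";
}
_print_counts("\nChanged password expiry for users:\n", \%PasswordExpiry);
_print_counts("\nChanged user information:\n", \%UserInfChange);
_print_counts("\nReported by call_xauth:\n", \%XauthMessage);
_print_counts("\nspop3d user connections:\n", \%PopLogin, ":\t");
_print_counts("\nspop3d connection failures:\n", \%PopErrors, ":\t");
if ($spop3d_opened > 0) {
    print "\nspop3d connections(sum):\t$spop3d_opened\n";
}
if ($spop3d_errors > 0) {
    print "spop3d connection errors:\t$spop3d_errors\n";
}
if (@SudoList) {
    print "\nUnauthorized sudo commands attempted (" . scalar(@SudoList) . "):\n";
    print @SudoList;
}

# checkpassword-pam: one entry per PID, folded into successes/failures per
# "user => service" pair.  Pairs that only ever failed are listed too.
if (keys %ChkPasswdPam) {
    print "\ncheckpassword-pam (SUID root PAM client):\n";
    my (%successes, %failures);
    foreach my $pid (keys %ChkPasswdPam) {
        my $pair = $ChkPasswdPam{$pid}{'Username'} . ' => ' . $ChkPasswdPam{$pid}{'Service'};
        if (defined $ChkPasswdPam{$pid}{'Success'} && $ChkPasswdPam{$pid}{'Success'} eq 'true') {
            $successes{$pair}++;
        } else {
            $failures{$pair}++;
        }
    }
    my %pairs = map { $_ => 1 } (keys %successes, keys %failures);
    foreach my $pair (sort { $a cmp $b } keys %pairs) {
        my $ok = $successes{$pair} || 0;
        my $bad = $failures{$pair} || 0;
        print " $pair : $ok success(es), $bad failure(s)\n";
    }
}
_print_counts("\nTally overflowed for user:\n", \%TallyOverflow);
if (keys %Executed_app) {
    print "\nUserhelper executed applications:\n";
    # keys are "app,privileges,user" as recorded by the parser
    foreach my $key (sort { $a cmp $b } keys %Executed_app) {
        my ($longapp, $asuser, $user) = split /,/, $key;
        my $app = substr($longapp, rindex($longapp, '/') + 1);
        print " $user -> $app as $asuser: $Executed_app{$key} Time(s)\n";
    }
}
if (keys %ChangedShell) {
    print "\nChanged users default login shell: \n";
    # keys are "user,old shell,new shell"
    foreach my $key (sort { $a cmp $b } keys %ChangedShell) {
        my ($user, $from, $to) = split /,/, $key;
        print " User $user change shell from $from to $to: $ChangedShell{$key} Time(s)\n";
    }
}
_print_counts("\n cvs:\n Authentication Failures:\n", \%cvs_passwd_mismatch);
if (@OtherList) {
    print "\n**Unmatched Entries**\n";
    print @OtherList;
}
exit(0);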
# vi: shiftwidth=3 tabstop=3 syntax=perl et