#!/bin/sh
#
#	logcheck.sh: Log file checker
#	Written by Craig Rowland <crowland@psionic.com>
#       Heavily modified by Rene Mayrhofer <rmayr@debian.org>
#
#	This file needs the program logtail to run
#
#	This script checks logs for unusual activity and blatant
#	attempts at hacking. All items are mailed to administrators
# 	for review. This script and the logtail.c program are based upon
#       the frequentcheck.sh script idea from the Gauntlet(tm) Firewall
#	(c)Trusted Information Systems Inc. The original authors are
#	Marcus J. Ranum and Fred Avolio.
#
#	Default search files are tuned towards the TIS Firewall toolkit
# 	the TCP Wrapper program. Custom daemons and reporting facilites
#	can be accounted for as well...read the rest of the script for
#	details.
#
#	Version Information
#
#	1.0 	9/29/96  -- Initial Release
#	1.01	11/01/96 -- Added working /tmp directory for symlink protection
#			    (Thanks Richard Bullington (rbulling@obscure.org)
#	1.1	1/03/97	 -- Made this script more portable for Sun's.
#		1/03/97	 -- Made this script work on HPUX
#               5/14/97  -- Added Digital OSF/1 logging support. Big thanks
#                           to Jay Vassos-Libove <libove@compgen.com> for
#                           his changes.


# CONFIGURATION SECTION

PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/ucb:/usr/local/bin

# Logcheck is pre-configured to work on most BSD like systems, however it
# is a rather dumb program and may need some help to work on other
# systems. Please check the following command paths to ensure they are
# correct.

# Person to send log activity to.

# Full path to logtail program.
# This program is required to run this script and comes with the package.

#-- changed to meet Debian's location of the package
LOGTAIL=/usr/sbin/logtail

# Full path to SECURED (non public writable) /tmp directory.
# Prevents Race condition and potential symlink problems. I highly
# recommend you do NOT make this a publically writable/readable directory.
# You would also be well advised to make sure all your system/cron scripts
# use this directory for their "scratch" area.

TMPDIR=$(mktemp -d -p /var/tmp logcheck.XXXXXXXX) || {
    echo "Could not create tempary directory, either the drive is full
or there's a active attack" \
    | $MAIL -s "Logcheck: $HOSTNAME $DATE Something went very wrong" $SYSADMIN
    exit 1    
}

# Added for FHS-compliance. Offset files are now kept here.
# Cleaned files are too, because although they are regenerated every time,
# files in here where the original no longer exists seem to persist
# forever (which may or may not be intentional...), which means I consider
# them a "state" thing rather than a temporary thing.

STATEDIR=/var/lib/logcheck

# The 'grep' command. This command MUST support the
# '-i' '-v' and '-f' flags!! The GNU grep does this by default (that's
# good GNUs for you Linux/FreeBSD/BSDI people :) ). The Sun grep I'm told
# does not support these switches, but the 'egrep' command does (Thanks
# Jason <jason@mastaler.com> ). Since grep and egrep are usually the GNU
# variety on most systems (well most Linux, FreeBSD, BSDI, etc) and just
# hard links to each other we'll just specify egrep here. Change this if
# you get errors.

# Linux, FreeBSD, BSDI, Sun, HPUX, etc.
GREP=egrep

# The 'mail' command. Most systems this should be OK to leave as is.
# If your default mail command does not support the '-s' (subject) command
# line switch you will need to change this command one one that does.
# The only system I've seen this to be a problem on are HPUX boxes.
# Naturally, the HPUX is so superior to the rest of UNIX OS's that they
# feel they need to do everything differently to remind the rest that
# they are the best ;).

# Linux, FreeBSD, BSDI, Sun, etc.
MAIL=mail
# HPUX 10.x and others(?)
#MAIL=mailx
# Digital OSF/1, Irix
#MAIL=Mail

CONFDIR=/etc/logcheck
CONFDIR_CLEANED=$TMPDIR/cleaned

# File of known active hacking attack messages to look for.
# Only put messages in here if you are sure they won't cause
# false alarms. This is a rather generic way of checking for
# malicious activity and can be inaccurate unless you know
# what past hacking activity looks like. The default is to
# look for generic ISS probes (who the hell else looks for
# "WIZ" besides ISS?), and obvious sendmail attacks/probes.

CRACKING_FILE=$CONFDIR/logcheck.cracking
CRACKING_DIR=$CONFDIR/cracking.d
CRACKING_FILE_CLEANED=${CONFDIR_CLEANED}/logcheck.cracking
CRACKING_DIR_CLEANED=${CONFDIR_CLEANED}/cracking.d

# File of security violation patterns to specifically look for.
# This file should contain keywords of information administrators should
# probably be aware of. May or may not cause false alarms sometimes.
# Generally, anything that is "negative" is put in this file. It may miss
# some items, but these will be caught by the next check. Move suspicious
# items into this file to have them reported regularly.

VIOLATIONS_FILE=$CONFDIR/logcheck.violations
VIOLATIONS_DIR=$CONFDIR/violations.d
VIOLATIONS_FILE_CLEANED=${CONFDIR_CLEANED}/logcheck.violations
VIOLATIONS_DIR_CLEANED=${CONFDIR_CLEANED}/violations.d

# File that contains more complete sentences that have keywords from
# the violations file. These keywords are normal and are not cause for
# concern but could cause a false alarm. An example of this is the word
# "refused" which is often reported by sendmail if a message cannot be
# delivered or can be a more serious security violation of a system
# attaching to illegal ports. Obviously you would put the sendmail
# warning as part of this file. Use your judgement before putting words
# in here or you can miss really important events. The default is to leave
# this file with only a couple entries. DO NOT LEAVE THE FILE EMPTY. Some
# grep's will assume that an EMPTY file means a wildcard and will ignore
# everything! The basic configuration allows for the more frequent sendmail
# error.
#
# Again, be careful what you put in here and DO NOT LEAVE IT EMPTY!

VIOLATIONS_IGNORE_FILE=$CONFDIR/logcheck.violations.ignore
VIOLATIONS_IGNORE_DIR=$CONFDIR/violations.ignore.d
VIOLATIONS_IGNORE_FILE_CLEANED=${CONFDIR_CLEANED}/logcheck.violations.ignore
VIOLATIONS_IGNORE_DIR_CLEANED=${CONFDIR_CLEANED}/violations.ignore.d

# This is the name of a file that contains patterns that we should
# ignore if found in a log file. If you have repeated false alarms
# or want specific errors ignored, you should put them in here.
# Once again, be as specific as possible, and go easy on the wildcards

IGNORE_FILE=$CONFDIR/logcheck.ignore
IGNORE_DIR=$CONFDIR/ignore.d
IGNORE_FILE_CLEANED=${CONFDIR_CLEANED}/logcheck.ignore
IGNORE_DIR_CLEANED=${CONFDIR_CLEANED}/ignore.d

# The files are reported in the order of hacking, security
# violations, and unusual system events. Notice that this
# script uses the principle of "That which is not explicitely
# ignored is reported" in that the script will report all items
# that you do not tell it to ignore specificially. Be careful
# how you use wildcards in the logcheck.ignore file or you
# may miss important entries.

# Make sure we really did clean up from the last run.
# Also this ensures that people aren't trying to trick us into
# overwriting files that we aren't supposed to. This is still a race
# condition, but if you are in a temp directory that does not have
# generic luser access it is not a problem. Do not allow this program
# to write to a generic /tmp directory where others can watch and/or
# create files!!

# Shouldn't need to touch these...
HOSTNAME=`hostname`
DATE=`date +%m/%d/%y:%H.%M`

# This file should contain the list of logfiles to check
LOGLIST=/etc/logcheck/logcheck.logfiles

. /etc/logcheck/logcheck.conf
SYSADMIN=$SENDMAILTO

umask 077
rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
if [ -f $TMPDIR/check.$$ -o -f $TMPDIR/checkoutput.$$ -o -f $TMPDIR/checkreport.$$ ]; then
	echo "Log files exist in $TMPDIR directory that cannot be removed. This
may be an attempt to spoof the log checker." \
	| $MAIL -s "$HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" $SYSADMIN
	exit 1
fi

# LOG FILE CONFIGURATION SECTION
# You might have to customize these entries depending on how
# you have syslogd configured. Be sure you check all relevant logs.
# The logtail utility is required to read and mark log files.
# See INSTALL for more information. Again, using one log file
# is preferred and is easier to manage. Be sure you know what the
# > and >> operators do before you change them. LOG FILES SHOULD
# ALWAYS BE chmod 600 OWNER root!!

# Generic and Linux Slackware 3.x
#$LOGTAIL /var/log/messages > $TMPDIR/check.$$

# Linux Red Hat Version 3.x, 4.x
#$LOGTAIL /var/log/messages > $TMPDIR/check.$$
#$LOGTAIL /var/log/syslog >> $TMPDIR/check.$$
#$LOGTAIL /var/log/auth.log >> $TMPDIR/check.$$
#$LOGTAIL /var/log/mail.log >> $TMPDIR/check.$$
#$LOGTAIL /var/log/daemon.log >> $TMPDIR/check.$$

# Debian systems with logcheck.logfiles file
# Handle log rotation correctly, idea taken from Wiktor Niesiobedzki.
cat $LOGLIST | egrep -v "^#" | while read file; do
	offsetfile="$STATEDIR/offset`echo $file|tr / .`"
	if [ -s "$offsetfile" ]; then
		if [ `cat $file | wc -c` -lt `cat $offsetfile | tail -n 1` ] && \
		   [ -e $file.0 ]; then
			$LOGTAIL $file.0 $offsetfile
			rm -f $offsetfile
		fi
	fi
	$LOGTAIL $file $offsetfile
done > $TMPDIR/check.$$

# FreeBSD 2.x
#$LOGTAIL /var/log/messages > $TMPDIR/check.$$
#$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$

# BSDI 2.x
#$LOGTAIL /var/log/messages > $TMPDIR/check.$$
#$LOGTAIL /var/log/secure >> $TMPDIR/check.$$
#$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
#$LOGTAIL /var/log/ftp.log >> $TMPDIR/check.$$
# Un-comment out the line below if you are using BSDI 2.1
#$LOGTAIL /var/log/daemon.log >> $TMPDIR/check.$$

# SunOS, Sun Solaris 2.5
#$LOGTAIL /var/log/syslog > $TMPDIR/check.$$
#$LOGTAIL /var/adm/messages >> $TMPDIR/check.$$

# HPUX 10.x and others(?)
#$LOGTAIL /var/adm/syslog/syslog.log > $TMPDIR/check.$$

# Digital OSF/1
# OSF/1 - uses rotating log directory with date & time in name
#        LOGDIRS=`find /var/adm/syslog.dated/* -type d -prune -print`
#        LOGDIR=`ls -dtr1 $LOGDIRS | tail -1`
#        if [ ! -d "$LOGDIR" ]
#        then
#          echo "Can't identify current log directory." >> $TMPDIR/checkrepo$
#        else
#                $LOGTAIL  $LOGDIR/auth.log >> $TMPDIR/check.$$
#                $LOGTAIL  $LOGDIR/daemon.log >> $TMPDIR/check.$$
#                $LOGTAIL  $LOGDIR/kern.log >> $TMPDIR/check.$$
#                $LOGTAIL  $LOGDIR/lpr.log >> $TMPDIR/check.$$
#                $LOGTAIL  $LOGDIR/mail.log >> $TMPDIR/check.$$
#                $LOGTAIL  $LOGDIR/syslog.log >> $TMPDIR/check.$$
#                $LOGTAIL  $LOGDIR/user.log >> $TMPDIR/check.$$
#        fi
#


# END CONFIGURATION SECTION. YOU SHOULDN'T HAVE TO EDIT ANYTHING
# BELOW THIS LINE.

# Set the flag variables
FOUND=0
ATTACK=0

# See if the tmp file exists and actually has data to check,
# if it doesn't we should erase it and exit as our job is done.

if [ ! -s $TMPDIR/check.$$ ]; then
	rm -rf ${TMPDIR}
	exit 0
fi

# Perform Searches
# first sort the logs to remove duplicate lines (from different logfiles with
# the same lines) and reduce CPU and memory usage afterwards.
sort -k 1,3 -s $TMPDIR/check.$$ | uniq > $TMPDIR/check-sorted.$$
mv $TMPDIR/check-sorted.$$ $TMPDIR/check.$$

# Add an identification line at the beginning of the sent mail
# (text by Rainer Dorsch)
echo "This mail is sent by logcheck. If you do not want to receive it any more," \
	>> $TMPDIR/checkreport.$$
echo "please modify the configuration files in /etc/logcheck or deinstall logcheck." \
	>> $TMPDIR/checkreport.$$

# Before using the rules files, remove any empty lines that might be in them
# and use the "cleaned" files for grepping afterwards.
RULEFILES="$CRACKING_FILE $VIOLATIONS_FILE $VIOLATIONS_IGNORE_FILE $IGNORE_FILE"
# if any of the rule dirs contains files, then use them too
for ruledir in $CRACKING_DIR $VIOLATIONS_DIR $VIOLATIONS_IGNORE_DIR $IGNORE_DIR
do
	if [ `ls $ruledir/ | wc -l` -ne 0 ]; then
		for rulefile in $ruledir/*; do
			RULEFILES="$RULEFILES $rulefile"
		done
	fi
done
for rulefile in $RULEFILES; do
	rulefile_cleaned="$CONFDIR_CLEANED/`expr \"$rulefile\" : \"$CONFDIR/\(.*\)\"`"
	rm -f $rulefile_cleaned
	if [ -f $rulefile_cleaned ]; then
		echo "Cleaned rules files exist in $CONFDIR_CLEANED directory that
cannot be removed. This may be an attempt to spoof the log checker." \
		| $MAIL -s "$HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" $SYSADMIN
		exit 1
	fi
	if [ ! -d `dirname $rulefile_cleaned` ]; then
		if ! mkdir -p `dirname "$rulefile_cleaned"`; then
			echo "Directory `dirname $rulefile_cleaned` does not
exist and cannot be created. This may be attempt to spoof the log checker." \
			| $MAIL -s "$HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" $SYSADMIN
			exit 1
		fi
	fi
	egrep -v '^\s*$' $rulefile > $rulefile_cleaned
done

# Check for blatant cracking attempts
if [ -f "$CRACKING_FILE_CLEANED" ]; then
	if $GREP -i -f $CRACKING_FILE_CLEANED $TMPDIR/check.$$ > $TMPDIR/checkoutput.$$; then
		echo >> $TMPDIR/checkreport.$$
		echo "Active System Attack Alerts" >> $TMPDIR/checkreport.$$
		echo "=-=-=-=-=-=-=-=-=-=-=-=-=-=" >> $TMPDIR/checkreport.$$
		cat $TMPDIR/checkoutput.$$ >> $TMPDIR/checkreport.$$
		FOUND=1
		ATTACK=1
	fi
fi
if [ -d $CRACKING_DIR_CLEANED ] && [ `ls $CRACKING_DIR_CLEANED/ | wc -l` -ne 0 ]; then
	for file in $CRACKING_DIR_CLEANED/*; do
		if $GREP -i -f $file $TMPDIR/check.$$ > $TMPDIR/checkoutput.$$; then
			echo >> $TMPDIR/checkreport.$$
			echo "Active System Attack Alerts for package `basename $file`" \
				>> $TMPDIR/checkreport.$$
			echo "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=" \
				>> $TMPDIR/checkreport.$$
			cat $TMPDIR/checkoutput.$$ >> $TMPDIR/checkreport.$$
			FOUND=1
			ATTACK=1
		fi
	done
fi
# Check for security violations
if [ -f "$VIOLATIONS_FILE_CLEANED" ]; then
	$GREP -i -f $VIOLATIONS_FILE_CLEANED $TMPDIR/check.$$ \
	   | $GREP -v -f $VIOLATIONS_IGNORE_FILE_CLEANED > $TMPDIR/checkoutput.$$
	if [ -s $TMPDIR/checkoutput.$$ ]; then
		# also use local ignore files
		if [ -d $VIOLATIONS_IGNORE_DIR_CLEANED ] && \
		   [ `ls $VIOLATIONS_IGNORE_DIR_CLEANED/ | wc -l` -ne 0 ]; then
			for file in $VIOLATIONS_IGNORE_DIR_CLEANED/*; do
				$GREP -v -f $file $TMPDIR/checkoutput.$$ > \
				   $TMPDIR/checkoutput.tmp.$$
				mv $TMPDIR/checkoutput.tmp.$$ $TMPDIR/checkoutput.$$
			done
		fi
		if [ -s $TMPDIR/checkoutput.$$ ]; then
			echo >> $TMPDIR/checkreport.$$
			echo "Possible Security Violations" >> $TMPDIR/checkreport.$$
			echo "=-=-=-=-=-=-=-=-=-=" >> $TMPDIR/checkreport.$$
			cat $TMPDIR/checkoutput.$$ >> $TMPDIR/checkreport.$$
			FOUND=1
		fi
	fi
fi
if [ -d $VIOLATIONS_DIR_CLEANED ] && [ `ls $VIOLATIONS_DIR_CLEANED/ | wc -l` -ne 0 ]; then
	for file in $VIOLATIONS_DIR_CLEANED/*; do
		pack_violations_ignore="$VIOLATIONS_IGNORE_DIR_CLEANED/`basename $file`"
		if [ -f $pack_violations_ignore ]; then
			$GREP -i -f $file $TMPDIR/check.$$ \
			   | $GREP -v -f $pack_violations_ignore \
			   > $TMPDIR/checkoutput.$$
		else
			$GREP -i -f $file $TMPDIR/check.$$ > $TMPDIR/checkoutput.$$
		fi
		if [ -s $TMPDIR/checkoutput.$$ ]; then
			echo >> $TMPDIR/checkreport.$$
			echo "Possible Security Violations for package `basename $file`" \
			>> $TMPDIR/checkreport.$$
			echo "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=" \
				>> $TMPDIR/checkreport.$$
			cat $TMPDIR/checkoutput.$$ >> $TMPDIR/checkreport.$$
			FOUND=1
		fi
	done
fi

# Do reverse grep on patterns we want to ignore
if [ -f "$IGNORE_FILE_CLEANED" ]; then
	$GREP -v -f $IGNORE_FILE_CLEANED $TMPDIR/check.$$ > $TMPDIR/checkoutput.$$
	if [ -s $TMPDIR/checkoutput.$$ ]; then
		# also use local ignore files
		if [ -d $IGNORE_DIR_CLEANED ] && [ `ls $IGNORE_DIR_CLEANED/ | wc -l` -ne 0 ]; then
			for file in $IGNORE_DIR_CLEANED/*; do
				$GREP -v -f $file $TMPDIR/checkoutput.$$ > \
				   $TMPDIR/checkoutput.tmp.$$
				mv $TMPDIR/checkoutput.tmp.$$ $TMPDIR/checkoutput.$$
			done
		fi
		if [ -s $TMPDIR/checkoutput.$$ ]; then
			echo >> $TMPDIR/checkreport.$$
			echo "Unusual System Events" >> $TMPDIR/checkreport.$$
			echo "=-=-=-=-=-=-=-=-=-=-=" >> $TMPDIR/checkreport.$$
			cat $TMPDIR/checkoutput.$$ >> $TMPDIR/checkreport.$$
			FOUND=1
		fi
	fi
fi

# If there are results, mail them to sysadmin

if [ "$ATTACK" -eq 1 ]; then
	cat $TMPDIR/checkreport.$$ | $MAIL -s "$HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" $SYSADMIN
elif [ "$FOUND" -eq 1 ]; then
	cat $TMPDIR/checkreport.$$ | $MAIL -s "$HOSTNAME $DATE system check" $SYSADMIN
fi

# Clean Up
rm -r ${TMPDIR}
