search for: offsetfile

Displaying 7 results from an estimated 7 matches for "offsetfile".

2005 Oct 29
1
Bug#336265: logrotate detection, possible attack not checked by logcheck
Package: logcheck Version: 1.2.41 Problem: Logcheck tries to detect whether a log file has been rotated by way of the file size. Possible attack: - current log file (sizeA) - run logcheck (logcheck/logtail puts the inode in offsetfile), offset=sizeA - [attacker runs attack 1] - run logrotate - [attacker runs attack 2] - run logcheck: it may not detect the rotation and may not check the log for the duration of attack 1. attack 1: The real attack; this attack's log will not be checked by logcheck if attack 2 runs successfully. attack 2 G...
2007 Jan 15
1
Bug#406973: logtail misses lines in rotated file
Package: logtail Version: 1.2.52 Severity: normal Tags: patch Hi, When a logfile is rotated, logtail misses the lines logged between the last logtail run and the logfile rotation. The attached patch allows setting an alternate logfile that logtail tries to use as the old logfile if the inode has changed. It can be used as: logtail -f /var/log/syslog -a /var/log/syslog.1 (Please note that this
2004 Nov 10
1
logtail ignoring information in rotated logs
...4-11-11 02:10:55.000000000 +1030 @@ -21,7 +21,7 @@ use strict; use warnings; -my ($size); +my ($size, $rotsize); use Getopt::Std; my %opts = (); @@ -52,7 +52,7 @@ exit 66; } -my ($inode, $ino, $offset) = (0, 0, 0); +my ($inode, $ino, $offset, $rotatedino) = (0, 0, 0, 0); unless (not $offsetfile) { if (open(OFFSET, $offsetfile)) { @@ -82,6 +82,22 @@ print "*************** This could indicate tampering.\n"; } } + + # Check for the existence of a rotated log + + if ((undef,$rotatedino,undef,undef,undef,undef,undef,$rotsize) = stat "$logfil...
2005 Jan 11
2
Bug#289801: Logtail should output error messages to stderr, not stdout
...er other users of logtail next time you change something. That notwithstanding, since logtail prints its error messages to standard output, the error message about the incorrect argument format is lost. One would expect the normal usage of logtail would have been something like: logtail logfile offsetfile | some_program With the new version of logtail, this produces an error message to standard output, which is then sent to 'some_program'. I would claim that the correct behaviour is to send the message to standard error, so logtail is not silently broken by installing logtail from sarge....
2004 Jul 12
0
[patch] logtail recheck permissions of offset files
...+101,11 @@ } print OFFSET "$ino\n$size\n"; close OFFSET; + + # make shure if invoked as root that file remains readable for cronjob + my ($login,$pass,$uid,$gid) = getpwnam($user) + or print "$user not in passwd file" and exit 73; + chown $uid, $gid, $offsetfile; + } exit 0;
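Review bot: The `getpwnam($user) or print "$user not in passwd file" and exit 73;` line reports the failure on standard output with no trailing newline, so when logtail feeds a pipeline the message ends up in the consumer's input instead of in front of the operator; send it to STDERR with a newline before exiting. The `chown $uid, $gid, $offsetfile;` that follows ignores its return value, and although the comment says the call is meant for the invoked-as-root case, nothing in the visible lines tests for root, so a failed chown under any other user passes silently and the offset file can stay unreadable for the cron job; check the result and warn on failure. The comment also has a typo ("shure").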
2004 Sep 12
2
Bug#271286: minor fix for ignore.d.server/oidentd
Package: logcheck Version: 1.2.27 Severity: wishlist hello, in ignore.d.server/oidentd you have: ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ oidentd\[[0-9]+\]: Connection from \ [._[:alnum:]-]+ \([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\):[0-9]{1,5}$ anyway, some oidentd logs don't have a hostname: oidentd[34562]: Connection from 241.145.24.135:2353 therefore you have to add: ^\w{3} [
2004 Jul 21
4
Bug#260743: logcheck-database: dhcp rule updates for failover support
Package: logcheck-database Version: 1.2.23 Severity: minor Hi, a couple of minor corrections to the dhcp rule sets: First of all, the hostname matching parts need to include the "._-" signs (maybe . is not needed but it might be). Then when using failover, log lines of type DHCPDISCOVER and DHCPREQUEST may be entailed by the string ": load balance to peer <somestring>".