#!/bin/sh
#	logcheck.sh: Log file checker
#	Written by Craig Rowland <crowland@psionic.com>
#       Heavily modified by Rene Mayrhofer <rmayr@debian.org>
#       Heavily modified by Jon Middleton <jjm@debian.org>
#
#	This file needs the program logtail to run
#
#	This script checks logs for unusual activity and blatant
#	attempts at hacking. All items are mailed to administrators
# 	for review. This script and the logtail.c program are based upon
#       the frequentcheck.sh script idea from the Gauntlet(tm) Firewall
#	(c)Trusted Information Systems Inc. The original authors are
#	Marcus J. Ranum and Fred Avolio.
#
#	Default search files are tuned towards the TIS Firewall toolkit
# 	the TCP Wrapper program. Custom daemons and reporting facilites
#	can be accounted for as well...read the rest of the script for
#	details.
#
#	Version Information
#
#	1.0 	9/29/96  -- Initial Release
#	1.01	11/01/96 -- Added working /tmp directory for symlink protection
#			    (Thanks Richard Bullington (rbulling@obscure.org)
#	1.1	1/03/97	 -- Made this script more portable for Sun's.
#		1/03/97	 -- Made this script work on HPUX
#               5/14/97  -- Added Digital OSF/1 logging support. Big thanks
#                           to Jay Vassos-Libove <libove@compgen.com> for
#                           his changes.

# Exit on a error
#set -e

# Set the flag variables
FOUND=0
ATTACK=0

# Set the umask
#umask 077

# Make sure that we do not use utf-8 locale
#unset LC_CTYPE

# CONFIGURATION SECTION

# Logcheck is pre-configured to work on most BSD like systems, however it
# is a rather dumb program and may need some help to work on other
# systems. Please check the following command paths to ensure they are
# correct.

# Person to send log activity to.

# Full path to logtail program.
# This program is required to run this script and comes with the package.

# Location of needed programs
LOGTAIL="/usr/sbin/logtail"
GREP="/bin/egrep --directories=skip --text"
MAIL="/usr/bin/mail"
MV="/bin/mv"
SORT="/usr/bin/sort"
CAT="/bin/cat"
RM="/bin/rm"

# Shouldn't need to touch these...
HOSTNAME=`hostname`
DATE=`date +%m/%d/%y:%H.%M`
INTRO="yes"

# This file should contain the list of logfiles to check
LOGLIST=/etc/logcheck/logcheck.logfiles

. /etc/logcheck/logcheck.conf
SYSADMIN=$SENDMAILTO

# Full path to SECURED (non public writable) /tmp directory.
# Prevents Race condition and potential symlink problems. I highly
# recommend you do NOT make this a publically writable/readable directory.
# You would also be well advised to make sure all your system/cron scripts
# use this directory for their "scratch" area.

TMPDIR=$(/bin/mktemp -d -p /var/tmp logcheck.XXXXXXXX) || {
    echo "Could not create tempary directory, either the drive is full
or there's a active attack" \
    | $MAIL -s "Logcheck: $HOSTNAME $DATE Something went very wrong" $SYSADMIN
    exit 1    
}

# Added for FHS-compliance. Offset files are now kept here.
# Cleaned files are too, because although they are regenerated every time,
# files in here where the original no longer exists seem to persist
# forever (which may or may not be intentional...), which means I consider
# them a "state" thing rather than a temporary thing.

STATEDIR=/var/lib/logcheck

# The 'grep' command. This command MUST support the
# '-i' '-v' and '-f' flags!! The GNU grep does this by default (that's
# good GNUs for you Linux/FreeBSD/BSDI people :) ). The Sun grep I'm told
# does not support these switches, but the 'egrep' command does (Thanks
# Jason <jason@mastaler.com> ). Since grep and egrep are usually the GNU
# variety on most systems (well most Linux, FreeBSD, BSDI, etc) and just
# hard links to each other we'll just specify egrep here. Change this if
# you get errors.

# Linux, FreeBSD, BSDI, Sun, HPUX, etc.


# The 'mail' command. Most systems this should be OK to leave as is.
# If your default mail command does not support the '-s' (subject) command
# line switch you will need to change this command one one that does.
# The only system I've seen this to be a problem on are HPUX boxes.
# Naturally, the HPUX is so superior to the rest of UNIX OS's that they
# feel they need to do everything differently to remind the rest that
# they are the best ;).

# Linux, FreeBSD, BSDI, Sun, etc.


CONFDIR=/etc/logcheck
CONFDIR_CLEANED=$TMPDIR/cleaned

# File of known active hacking attack messages to look for.
# Only put messages in here if you are sure they won't cause
# false alarms. This is a rather generic way of checking for
# malicious activity and can be inaccurate unless you know
# what past hacking activity looks like. The default is to
# look for generic ISS probes (who the hell else looks for
# "WIZ" besides ISS?), and obvious sendmail attacks/probes.

CRACKING_FILE=$CONFDIR/logcheck.cracking
CRACKING_DIR=$CONFDIR/cracking.d
CRACKING_FILE_CLEANED=${CONFDIR_CLEANED}/logcheck.cracking
CRACKING_DIR_CLEANED=${CONFDIR_CLEANED}/cracking.d

# File of security violation patterns to specifically look for.
# This file should contain keywords of information administrators should
# probably be aware of. May or may not cause false alarms sometimes.
# Generally, anything that is "negative" is put in this file. It may miss
# some items, but these will be caught by the next check. Move suspicious
# items into this file to have them reported regularly.

VIOLATIONS_FILE=$CONFDIR/logcheck.violations
VIOLATIONS_DIR=$CONFDIR/violations.d
VIOLATIONS_FILE_CLEANED=${CONFDIR_CLEANED}/logcheck.violations
VIOLATIONS_DIR_CLEANED=${CONFDIR_CLEANED}/violations.d

# File that contains more complete sentences that have keywords from
# the violations file. These keywords are normal and are not cause for
# concern but could cause a false alarm. An example of this is the word
# "refused" which is often reported by sendmail if a message cannot be
# delivered or can be a more serious security violation of a system
# attaching to illegal ports. Obviously you would put the sendmail
# warning as part of this file. Use your judgement before putting words
# in here or you can miss really important events. The default is to leave
# this file with only a couple entries. DO NOT LEAVE THE FILE EMPTY. Some
# grep's will assume that an EMPTY file means a wildcard and will ignore
# everything! The basic configuration allows for the more frequent sendmail
# error.
#
# Again, be careful what you put in here and DO NOT LEAVE IT EMPTY!

VIOLATIONS_IGNORE_FILE=$CONFDIR/logcheck.violations.ignore
VIOLATIONS_IGNORE_DIR=$CONFDIR/violations.ignore.d
VIOLATIONS_IGNORE_FILE_CLEANED=${CONFDIR_CLEANED}/logcheck.violations.ignore
VIOLATIONS_IGNORE_DIR_CLEANED=${CONFDIR_CLEANED}/violations.ignore.d

# This is the name of a file that contains patterns that we should
# ignore if found in a log file. If you have repeated false alarms
# or want specific errors ignored, you should put them in here.
# Once again, be as specific as possible, and go easy on the wildcards

IGNORE_FILE=$CONFDIR/logcheck.ignore
IGNORE_DIR=$CONFDIR/ignore.d
IGNORE_FILE_CLEANED=${CONFDIR_CLEANED}/logcheck.ignore
IGNORE_DIR_CLEANED=${CONFDIR_CLEANED}/ignore.d

# The files are reported in the order of hacking, security
# violations, and unusual system events. Notice that this
# script uses the principle of "That which is not explicitely
# ignored is reported" in that the script will report all items
# that you do not tell it to ignore specificially. Be careful
# how you use wildcards in the logcheck.ignore file or you
# may miss important entries.

# Make sure we really did clean up from the last run.
# Also this ensures that people aren't trying to trick us into
# overwriting files that we aren't supposed to. This is still a race
# condition, but if you are in a temp directory that does not have
# generic luser access it is not a problem. Do not allow this program
# to write to a generic /tmp directory where others can watch and/or
# create files!!

# Functions
cleanup() {
    $RM -r ${TMPDIR}
}

umask 077
$RM -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
if [ -f $TMPDIR/check.$$ -o -f $TMPDIR/checkoutput.$$ -o -f $TMPDIR/checkreport.$$ ]; then
	echo "Log files exist in $TMPDIR directory that cannot be removed. This
may be an attempt to spoof the log checker." \
	| $MAIL -s "$HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" $SYSADMIN
	exit 1
fi

# LOG FILE CONFIGURATION SECTION
# You might have to customize these entries depending on how
# you have syslogd configured. Be sure you check all relevant logs.
# The logtail utility is required to read and mark log files.
# See INSTALL for more information. Again, using one log file
# is preferred and is easier to manage. Be sure you know what the
# > and >> operators do before you change them. LOG FILES SHOULD
# ALWAYS BE chmod 600 OWNER root!!

# Debian systems with logcheck.logfiles file
# Handle log rotation correctly, idea taken from Wiktor Niesiobedzki.
for file in $($GREP -v "^#" $LOGLIST); do
    offsetfile="$STATEDIR/offset$(echo $file|tr / .)"
    if [ -s "$offsetfile" ]; then
	if [ $(wc -c $file | awk '{print $1}') -lt $(tail -n 1  $offsetfile) ] && \
	    [ -e $file.0 ]; then
	    $LOGTAIL $file.0 $offsetfile
	    $RM -f $offsetfile
	fi
    fi
    $LOGTAIL $file $offsetfile
done > $TMPDIR/check.$$

# END CONFIGURATION SECTION. YOU SHOULDN'T HAVE TO EDIT ANYTHING
# BELOW THIS LINE.

# See if the tmp file exists and actually has data to check,
# if it doesn't we should erase it and exit as our job is done.

if [ ! -s $TMPDIR/check.$$ ]; then
	cleanup
	exit 1
fi

# Perform Searches
# first sort the logs to remove duplicate lines (from different logfiles with
# the same lines) and reduce CPU and memory usage afterwards.
$SORT -k 1,3 -s $TMPDIR/check.$$ | uniq > $TMPDIR/check-sorted.$$
$MV $TMPDIR/check-sorted.$$ $TMPDIR/check.$$

# Add an identification line at the beginning of the sent mail
# (text by Rainer Dorsch)
if [ "$INTRO" = "yes" ]; then
    echo "This mail is sent by logcheck. If you do not want to receive it any more," \
	>> $TMPDIR/checkreport.$$
    echo "please modify the configuration files in /etc/logcheck or deinstall logcheck." \
	>> $TMPDIR/checkreport.$$
fi

# Before using the rules files, remove any empty lines that might be in them
# and use the "cleaned" files for grepping afterwards.
RULEFILES="$CRACKING_FILE $VIOLATIONS_FILE $VIOLATIONS_IGNORE_FILE $IGNORE_FILE"
# if any of the rule dirs contains files, then use them too
for ruledir in $CRACKING_DIR $VIOLATIONS_DIR $VIOLATIONS_IGNORE_DIR $IGNORE_DIR; do
  if [ `ls $ruledir/ | wc -l` -ne 0 ]; then
      for rulefile in $( ls $ruledir/* | $GREP -v "[#~]"); do
	  case "$(basename $rulefile)" in
	      *.dpkg*) ;;
	      *) RULEFILES="$RULEFILES $rulefile"
	  esac
      done
  fi
done

for rulefile in $RULEFILES; do
	rulefile_cleaned="$CONFDIR_CLEANED/`expr \"$rulefile\" : \"$CONFDIR/\(.*\)\"`"
	$RM -f $rulefile_cleaned
	if [ -f $rulefile_cleaned ]; then
		echo "Cleaned rules files exist in $CONFDIR_CLEANED directory that
cannot be removed. This may be an attempt to spoof the log checker." \
		| $MAIL -s "$HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" $SYSADMIN
		exit 1
	fi
	if [ ! -d `dirname $rulefile_cleaned` ]; then
		if ! mkdir -p `dirname "$rulefile_cleaned"`; then
			echo "Directory `dirname $rulefile_cleaned` does not
exist and cannot be created. This may be attempt to spoof the log checker." \
			| $MAIL -s "$HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" $SYSADMIN
			exit 1
		fi
	fi
	$GREP -v '^\s*$' $rulefile > $rulefile_cleaned
        # Remove empty lines and comments
	#$GREP -v '^\s*$' $rulefile | $GREP -v "^#" > $rulefile_cleaned
done

# Check for blatant cracking attempts
if [ -f "$CRACKING_FILE_CLEANED" ]; then
	if $GREP -i -f $CRACKING_FILE_CLEANED $TMPDIR/check.$$ > $TMPDIR/checkoutput.$$; then
		echo >> $TMPDIR/checkreport.$$
		echo "Active System Attack Alerts" >> $TMPDIR/checkreport.$$
		echo "=-=-=-=-=-=-=-=-=-=-=-=-=-=" >> $TMPDIR/checkreport.$$
		$CAT $TMPDIR/checkoutput.$$ >> $TMPDIR/checkreport.$$
		FOUND=1
		ATTACK=1
	fi
fi
if [ -d $CRACKING_DIR_CLEANED ] && [ `ls $CRACKING_DIR_CLEANED/ | wc -l` -ne 0 ]; then
	for file in $CRACKING_DIR_CLEANED/*; do
		if $GREP -i -f $file $TMPDIR/check.$$ > $TMPDIR/checkoutput.$$; then
			echo >> $TMPDIR/checkreport.$$
			echo "Active System Attack Alerts for package `basename $file`" \
				>> $TMPDIR/checkreport.$$
			echo "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=" \
				>> $TMPDIR/checkreport.$$
			$CAT $TMPDIR/checkoutput.$$ >> $TMPDIR/checkreport.$$
			FOUND=1
			ATTACK=1
		fi
	done
fi
# Check for security violations
if [ -f "$VIOLATIONS_FILE_CLEANED" ]; then
	$GREP -i -f $VIOLATIONS_FILE_CLEANED $TMPDIR/check.$$ \
	   | $GREP -v -f $VIOLATIONS_IGNORE_FILE_CLEANED > $TMPDIR/checkoutput.$$
	if [ -s $TMPDIR/checkoutput.$$ ]; then
		# also use local ignore files
		if [ -d $VIOLATIONS_IGNORE_DIR_CLEANED ] && \
		   [ `ls $VIOLATIONS_IGNORE_DIR_CLEANED/ | wc -l` -ne 0 ]; then
			for file in $VIOLATIONS_IGNORE_DIR_CLEANED/*; do
				$GREP -v -f $file $TMPDIR/checkoutput.$$ > \
				   $TMPDIR/checkoutput.tmp.$$
				$MV $TMPDIR/checkoutput.tmp.$$ $TMPDIR/checkoutput.$$
			done
		fi
		if [ -s $TMPDIR/checkoutput.$$ ]; then
			echo >> $TMPDIR/checkreport.$$
			echo "Possible Security Violations" >> $TMPDIR/checkreport.$$
			echo "=-=-=-=-=-=-=-=-=-=" >> $TMPDIR/checkreport.$$
			$CAT $TMPDIR/checkoutput.$$ >> $TMPDIR/checkreport.$$
			FOUND=1
		fi
	fi
fi
if [ -d $VIOLATIONS_DIR_CLEANED ] && [ `ls $VIOLATIONS_DIR_CLEANED/ | wc -l` -ne 0 ]; then
	for file in $VIOLATIONS_DIR_CLEANED/*; do
		pack_violations_ignore="$VIOLATIONS_IGNORE_DIR_CLEANED/`basename $file`"
		if [ -f $pack_violations_ignore ]; then
			$GREP -i -f $file $TMPDIR/check.$$ \
			   | $GREP -v -f $pack_violations_ignore \
			   > $TMPDIR/checkoutput.$$
		else
			$GREP -i -f $file $TMPDIR/check.$$ > $TMPDIR/checkoutput.$$
		fi
		if [ -s $TMPDIR/checkoutput.$$ ]; then
			echo >> $TMPDIR/checkreport.$$
			echo "Possible Security Violations for package `basename $file`" \
			>> $TMPDIR/checkreport.$$
			echo "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=" \
				>> $TMPDIR/checkreport.$$
			$CAT $TMPDIR/checkoutput.$$ >> $TMPDIR/checkreport.$$
			FOUND=1
		fi
	done
fi

# Do reverse grep on patterns we want to ignore
if [ -f "$IGNORE_FILE_CLEANED" ]; then
	$GREP -v -f $IGNORE_FILE_CLEANED $TMPDIR/check.$$ > $TMPDIR/checkoutput.$$
	if [ -s $TMPDIR/checkoutput.$$ ]; then
		# also use local ignore files
		if [ -d $IGNORE_DIR_CLEANED ] && [ `ls $IGNORE_DIR_CLEANED/ | wc -l` -ne 0 ]; then
			for file in $IGNORE_DIR_CLEANED/*; do
				$GREP -v -f $file $TMPDIR/checkoutput.$$ > \
				   $TMPDIR/checkoutput.tmp.$$
				$MV $TMPDIR/checkoutput.tmp.$$ $TMPDIR/checkoutput.$$
			done
		fi
		if [ -s $TMPDIR/checkoutput.$$ ]; then
			echo >> $TMPDIR/checkreport.$$
			echo "Unusual System Events" >> $TMPDIR/checkreport.$$
			echo "=-=-=-=-=-=-=-=-=-=-=" >> $TMPDIR/checkreport.$$
			$CAT $TMPDIR/checkoutput.$$ >> $TMPDIR/checkreport.$$
			FOUND=1
		fi
	fi
fi

# If there are results, mail them to sysadmin

if [ "$ATTACK" -eq 1 ]; then
	$CAT $TMPDIR/checkreport.$$ | $MAIL -s "$HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" $SYSADMIN
elif [ "$FOUND" -eq 1 ]; then
	$CAT $TMPDIR/checkreport.$$ | $MAIL -s "$HOSTNAME $DATE system check" $SYSADMIN
fi

# Clean Up
cleanup

