#!/bin/sh
#
#	logcheck.sh: Log file checker
#	Written by Craig Rowland <crowland@psionic.com>
#	Modifications for firewall usage by ArkanoiD
#
#	This file needs the program logtail.c to run
#
#	This script checks logs for unusual activity and blatant
#	attempts at hacking. All items are mailed to administrators
# 	for review. This script and the logtail.c program are based upon 
#       the frequentcheck.sh script idea from the Gauntlet(tm) Firewall
#	(c)Trusted Information Systems Inc. The original authors are 
#	Marcus J. Ranum and Fred Avolio.
#
#	Default search files are tuned towards the TIS Firewall toolkit and
# 	the TCP Wrapper program. Custom daemons and reporting facilities
#	can be accounted for as well...read the rest of the script for
#	details.
#
#	Version Information
#
#	1.0 	9/29/96  -- Initial Release
#	1.01	11/01/96 -- Added working /tmp directory for symlink protection
#			    (Thanks Richard Bullington (rbulling@obscure.org))
#	1.1	1/03/97	 -- Made this script more portable for Sun systems.
#		1/03/97	 -- Made this script work on HPUX
#               5/14/97  -- Added Digital OSF/1 logging support. Big thanks
#                           to Jay Vassos-Libove <libove@compgen.com> for
#                           his changes.
 

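# CONFIGURATION SECTION
#
# openfwtk.conf is *sourced* as shell code, so anyone who can write it runs
# commands with this script's privileges (normally root, from cron).  Keep
# it root-owned and not group/world-writable.
if [ ! -r /usr/local/etc/openfwtk.conf ]; then
    echo "Error: /usr/local/etc/openfwtk.conf file is not exist or access to it is denied" 1>&2
    exit 1
fi
. /usr/local/etc/openfwtk.conf
if [ "$OFWTKPATH" = "" ]; then
    echo "Error: OFWTKPATH is empty" 1>&2
    exit 1
fi

# Reset PATH *after* sourcing the config so a PATH set there, or inherited
# from cron, cannot steer the grep/head/tail/cut/awk/hostname/mktemp calls
# below to some other binary.
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin

# Ignore files: one grep(1) pattern per line; a log line matching any pattern
# is dropped from the corresponding section.  Every file is optional.
PATFILE=$OFWTKPATH/etc/openfwtk/frequentcheck.ignore       # "items of interest" pass
ALERTFILE=$OFWTKPATH/etc/openfwtk/securityalerts.ignore    # securityalert lines
WARNFILE=$OFWTKPATH/etc/openfwtk/securitywarnings.ignore   # securitywarning lines
ERRFILE=$OFWTKPATH/etc/openfwtk/syserr.ignore              # syserr lines

# Set to 1 as soon as any section of the report produces output.
FOUND=0

# Scratch space.  Fixed /tmp/check.$$ style names are predictable -- the PID
# is visible to every local user -- so an attacker could pre-create or
# symlink them and have this (usually root-run) job overwrite an arbitrary
# file, or hand it a log of the attacker's choosing.  mktemp -d gives a
# private, unguessably named directory.  The EXIT trap removes it on every
# exit path; the signal trap turns HUP/INT/TERM into an exit so that the
# EXIT trap still fires.  mktemp(1) and awk(1) must be on the PATH above.
WORKDIR=`mktemp -d /tmp/logcheck.XXXXXX` || {
    echo "Error: cannot create temporary work directory" 1>&2
    exit 1
}
trap 'rm -rf "${WORKDIR:?}"' 0
trap 'exit 1' 1 2 15
CHECK=$WORKDIR/check            # log lines read from stdin
OUTPUT=$WORKDIR/checkoutput     # hits for the section currently being built
REPORT=$WORKDIR/checkreport     # accumulated report, printed at the end
PATTERNS=$WORKDIR/patterns      # sanitised copy of the current ignore file

# ignore_filter IGNOREFILE
#   Copy stdin to stdout, dropping every line that matches a pattern from
#   IGNOREFILE.  Blank lines are removed from the pattern list first: an
#   empty pattern matches *every* line, so one stray blank line in an ignore
#   file would otherwise silently suppress a whole section of alerts.
#   Exit status is grep's: 0 when at least one line survived.
ignore_filter() {
    grep -v '^$' "$1" > "$PATTERNS"
    grep -v -f "$PATTERNS"
}

# select_lines KEYWORD IGNOREFILE
#   Write the captured log lines containing KEYWORD to stdout, minus those
#   matched by IGNOREFILE when that file exists (pass "" for "no ignore
#   file").  Exit status 0 iff at least one line was written.
select_lines() {
    if [ -n "$2" ] && [ -f "$2" ]; then
        grep "$1" "$CHECK" | ignore_filter "$2"
    else
        grep "$1" "$CHECK"
    fi
}

# append_section TITLE
#   Append a blank line, TITLE, an "=-=-..." underline of the same length as
#   TITLE, and the contents of $OUTPUT to the report; flag that something
#   was found.
append_section() {
    _ul=`echo "$1" | awk '{ n = length($0); s = ""; while (length(s) < n) s = s "=-"; print substr(s, 1, n) }'`
    {
        echo
        echo "$1"
        echo "$_ul"
        cat "$OUTPUT"
    } >> "$REPORT"
    FOUND=1
}

# report_section TITLE KEYWORD IGNOREFILE
#   Build one section of the report from the log lines matching KEYWORD.
#   Nothing is appended when no line survives the ignore list.
report_section() {
    if select_lines "$2" "$3" > "$OUTPUT"; then
        append_section "$1"
    fi
}

# Read the log excerpt handed to us on stdin.  Nothing to check means
# nothing to report: exit quietly (the trap cleans up the work directory).
cat > "$CHECK"
if [ ! -s "$CHECK" ]; then
    exit 0
fi

# The first 12 columns of a syslog line hold its "Mon DD HH:MM" timestamp.
fromdate=`head -1 "$CHECK" | cut -c1-12`
todate=`tail -1 "$CHECK" | cut -c1-12`
hostname=`hostname -s`

echo "$hostname frequent check output for period since $fromdate to $todate"

# Perform Searches.  Configuration errors have no ignore file.
report_section "Security Alerts summary"   securityalert   "$ALERTFILE"
report_section "Security Warnings summary" securitywarning "$WARNFILE"
report_section "Configuration errors"      cfgerr          ""
report_section "System Errors"             syserr          "$ERRFILE"

# Final pass: every line not on the general ignore list -- this will repeat
# lines already shown in the sections above.  Skipped entirely when no
# ignore file exists, rather than dumping the whole log.
if [ -f "$PATFILE" ]; then
    if ignore_filter "$PATFILE" < "$CHECK" > "$OUTPUT"; then
        append_section "Possible Items of Interest"
    fi
fi

# Print the report on stdout (cron normally mails it to the administrator).
# Exit 1 when something was reported so a wrapper can tell "report
# produced" from "nothing found"; the trap removes the work directory.
if [ "$FOUND" -eq 1 ]; then
    cat "$REPORT"
    exit 1
fi
echo
echo "Frequent check script found nothing of interest to report."
echo
exit 0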
