[Logwatch-Devel] My logwatch Todo list

Mike Tremaine mgt at stellarcore.net
Sat Aug 7 15:26:44 MST 2004


As long as I'm thinking about this I thought I'd write it down. Here are
the issues/features that I think need to be dealt with.


1) logwatch.conf needs to be expanded. There are lots of service
configuration variables that need to be found and moved into
logwatch.conf and commented. That way normal users can get the most out
of specific configurations.

Example: In the sendmail service there is an $UnknownUsersThreshold =
0; which is a nice feature (even though it was broken). I just fixed it
and moved it into logwatch.conf.


2) Code review of all the services. This is ugly but after seeing the
secure and automount bugs it really needs to be done. Basically all the
filters should be checked to see that they are getting all their values
set. 

Example: From automount we saw lines like this

   elsif ($ThisLine =~ /^mount\(nfs\): entry .* lookup failure$/) {
      $Failed{$Mount}{'nfsl'}++;
   }

Where $Mount was not set in the regex but instead was "assumed" to be
set above in another one. This style of course is easy to break once the
log format changes.  
 

3) Mail Module. Now that we have 3 different possible mail calls (mail,
mailx, sendmail) it makes sense to try and move all that to an external
library. Either in Logwatch.pm or something like Logwatch_Mail.pm. Once
it is ripped out of the main script it can really become more modular.

4) Cat and system calls. I started down this road but it is not really
done yet. I'd like to do some benchmarking and come up with the best
possible way of opening logfiles and applying the filters in a secure
way. I would not be surprised to find that the original way of calling
cat with backticks really is the fastest but all it is going to take is
one weak permission on something like /usr/games/fortune to bring down
another root exploit. Better safe than sorry I think.


That's everything that has been lurking on my mind, and as I get free
time I fully intend to do all these. But if anyone wants to beat me to
it ;)....

-- 
Mike Tremaine
mgt at stellarcore.net
http://www.stellarcore.net
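
The stale-variable pattern from item 2, as an added example that is not part of the original post or Logwatch's own code: the first sub reuses a $Mount left behind by an earlier line, the second captures the value in the same regex that matches. The "attempting to mount entry" pattern, the sub names, the sample lines, and the choice of the captured entry as the hash key are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample lines, shaped to fit the regexes below.
my @lines = (
    'attempting to mount entry /home/alice',
    'mount(nfs): entry bob lookup failure',
    'mount(nfs): entry carol lookup failure',
);

# Fragile form: $Mount is set by one branch and consumed by another,
# so a failure is charged to whatever an earlier line left behind.
sub count_fragile {
    my @in = @_;
    my (%Failed, $Mount);
    for my $ThisLine (@in) {
        if ($ThisLine =~ /^attempting to mount entry (\S+)$/) {   # hypothetical pattern
            $Mount = $1;
        }
        elsif ($ThisLine =~ /^mount\(nfs\): entry .* lookup failure$/) {
            my $key = defined $Mount ? $Mount : '(unset)';
            $Failed{$key}{'nfsl'}++;
        }
    }
    return \%Failed;
}

# Self-contained form: the branch captures its own value, and the
# variable only exists when this line's match succeeded.
sub count_robust {
    my @in = @_;
    my %Failed;
    for my $ThisLine (@in) {
        if (my ($Mount) = $ThisLine =~ /^mount\(nfs\): entry (.*) lookup failure$/) {
            $Failed{$Mount}{'nfsl'}++;
        }
    }
    return \%Failed;
}

# Print both tallies side by side for comparison.
for my $case ([fragile => count_fragile(@lines)], [robust => count_robust(@lines)]) {
    my ($name, $f) = @$case;
    print "$name: ", join(', ', map { "$_=$f->{$_}{nfsl}" } sort keys %$f), "\n";
}
```

Running a filter against lines in a different order, or with the "setter" line missing, is a quick review check for this class of bug: the fragile tally changes while the self-contained one does not.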


