diff --git a/abck b/abck
index 6ede15f..449a9da 100755
--- a/abck
+++ b/abck
@@ -7,17 +7,23 @@
 #
 # Build a report of all unauthorized access attempts
 #
-# Usage: abck [String To Match In Log Record]
+# Usage: abck [-d date offset] -s [String To Match In Log Record]
 ##########
+VERSION = "$Id: abck,v 1.9 2001/07/18 22:18:56 tundra Exp $"
+
+
+
 ####################
 # Imports
 ####################
 import commands
+import getopt
 import re
 import sys
+import time
 ####################
 # Booleans
@@ -34,12 +40,20 @@
 ANS = ";; ANSWER SECTION:"
 AUTH = ";; AUTHORITY SECTION:"
+DLEN = 24*60*60
 DIG = "dig -t ptr -x "
 LOG = "/var/log/messages"
+MOS = ["", "Jan", "Feb", "Mar", "Apr", "May", "Jun",
+       "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
 OUT = "./ABUSERS"
+PROMPT = "\nLog Record:\n%s\n\nWho Gets Message for: <%s>? %s[%s] "
 WHO = "whois "
-VERSION = "$Id: abck,v 1.8 2001/07/18 09:01:40 tundra Exp $"
+USAGE = "abck " + VERSION.split()[2] + " " + \
+        "Copyright (c) 2001, TundraWare Inc. All Rights Reserved.\n" + \
+        " usage:\n" + \
+        " abck [-d # days to look back] [-s string to match]\n"
+
 ####################
 # Data Structures
@@ -170,11 +184,9 @@
         default = HostDepth(hostname, depth)
         # Ask the user about it
-        st = raw_input("\nLog Record: %s\n Who Gets Message for: <%s>? %s [%s] " %
-                       (logrecord,
-                        hostname[-40:],
-                        " " * (40 - len(hostname)),
-                        default))
+        st = raw_input(PROMPT % (logrecord, hostname[-40:],
+                                 " " * (40 - len(hostname)),
+                                 default))
         # Parse the response
         if st == "s":   # Skip this record
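Review bot: The new header comment `# Usage: abck [-d date offset] -s [String To Match In Log Record]` disagrees with the USAGE string and the option loop added in this same commit, which treat -s as optional and -d as a count of days rather than a date. Suggest `# Usage: abck [-d # days to look back] [-s string to match in log record]` so the file header says what getopt actually accepts.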
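Review bot: `USAGE = "abck " + VERSION.split()[2] + " " + \` runs at import time and raises IndexError whenever the RCS `$Id$` keyword has not been expanded (an unexpanded `$Id$` splits into a single element), so a checkout or copy without keyword expansion dies before any option is parsed or any usage text can be printed. Compute the version defensively first: `try: _ver = VERSION.split()[2]`, `except IndexError: _ver = "unknown"`, then build the string with `USAGE = "abck " + _ver + " " + \`. The remaining constants in this hunk look fine; note only that PROMPT drops the space the old format had between `%s` and `[%s]`, which may be intentional.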
@@ -226,15 +238,70 @@
 #------------------------- Program Entry And Mail Loop -----------------------#
+
+
+# Program entry and command line processing
+
+try:
+    opts, args = getopt.getopt(sys.argv[1:], '-d:s:')
+except getopt.GetoptError:
+    print USAGE
+    sys.exit(2)
+
+OLDEST = 0
+MATCHSTRING = ""
+
+for opt, val in opts:
+    if opt == "-d":
+        OLDEST = time.time() - (int(val) * DLEN)
+    if opt == "-s":
+        MATCHSTRING = val
+
+
+# Loop through the log, processing matching records
+
 logfile = open(LOG)
 abuserfile = open(OUT, "w")
 # Read in the whole log logfileile
 for logrecord in logfile.read().splitlines():
-    # Go check the record in no command line constraint given
-    # or a constraint is given and exits in the record
-    if (len(sys.argv) == 1) or logrecord.count(sys.argv[1]):
+    # Check to see whether this record should even be
+    # processed.
+
+    DOIT = TRUE
+    # Did user limit how far back to look?
+    if OLDEST:
+        # Parse the record's time into into a list
+        logfields = logrecord.split()
+        logtime = logfields[2].split(":")
+        EventTime = [None, logfields[0], logfields[1],
+                     logtime[0], logtime[1], logtime[2]]
+
+        # Figure out what year - not in the log explicitly
+        # We do this by comparing the Month in the log entry
+        # against today's month. We get away with this so long
+        # as the log never is allowed to get so big that it has
+        # entries over a year old in it. (Which should be the case
+        # for any reasonably administered system.
+
+        lt = time.localtime()
+        logyear = int(lt[0])
+        if MOS.index(EventTime[1]) > int(lt[1]): # Log shows a later month
+            logyear -= 1 # 'Must be last year
+        EventTime[0] = str(logyear)
+
+        # Don't process if older than the oldest allowed
+        if time.mktime(time.strptime("%s %s %s %s %s %s" % tuple(EventTime),
+                                     "%Y %b %d %H %M %S")) < OLDEST:
+            DOIT = FALSE
+
+    # Did user specify a selection matching string?
+    if not logrecord.count(MATCHSTRING):
+        DOIT = FALSE
+
+    # If we passed all those tests, it's time to process this record.
+    if DOIT:
         sendto = ProcessLogRecord(logrecord)
         if sendto:
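Review bot: The date filter under `if OLDEST:` assumes every line of LOG starts with `Mon DD HH:MM:SS`; a blank line, a wrapped continuation line, or any record whose first field is not in MOS raises IndexError at `logfields[2]` or ValueError at `MOS.index(EventTime[1])`, and the whole report aborts with a traceback — and the log's contents are written by the remote parties being reported on, not by the administrator. Wrap the timestamp parsing in a `try/except (IndexError, ValueError)` that treats an undatable record as filtered out, and check MATCHSTRING before the date so unmatched records never reach the parser at all. Two smaller points in the same hunk: the getopt string `'-d:s:'` appears to be a typo for `'d:s:'` (the leading `-` is not an option letter), and `int(val)` for -d sits outside the GetoptError handler, so `-d abc` also ends in a traceback instead of USAGE; TRUE/FALSE are assumed to come from the Booleans section outside this diff. The `for logrecord` loop body continues past the end of the hunk.
```python
for opt, val in opts:
    if opt == "-d":
        try:
            OLDEST = time.time() - (int(val) * DLEN)
        except ValueError:          # -d needs an integer number of days
            print USAGE
            sys.exit(2)
    if opt == "-s":
        MATCHSTRING = val

# ... unchanged: open LOG and OUT ...

for logrecord in logfile.read().splitlines():
    DOIT = TRUE

    # Cheapest test first: the selection string, if the user gave one
    if not logrecord.count(MATCHSTRING):
        DOIT = FALSE

    # Did user limit how far back to look?
    if DOIT and OLDEST:
        try:
            logfields = logrecord.split()
            logtime = logfields[2].split(":")
            EventTime = [None, logfields[0], logfields[1],
                         logtime[0], logtime[1], logtime[2]]
            # ... unchanged: infer the year from MOS and time.localtime() ...
            if time.mktime(time.strptime("%s %s %s %s %s %s" % tuple(EventTime),
                                         "%Y %b %d %H %M %S")) < OLDEST:
                DOIT = FALSE
        except (IndexError, ValueError):
            # No parseable syslog timestamp: cannot date it, so leave it out
            DOIT = FALSE

    # If we passed all those tests, it's time to process this record.
    if DOIT:
```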