systraq NEWS - user visible changes (and some other changes also.)
Refer to ChangeLog for detailed per-file info.

systraq version 20201231 - The Geefhuishof Release
- man/st_snapshot.pod: get rid of VERSION-related "FIXME".
- bootstrap: use automake 1.16, not 1.15.  This requires Debian >= buster
  (current stable) for building from a git clone.
- install GPL-2 as COPYING, no longer rely on automake's --install
  --symlink.
- man/Makefile.am: deal with utf8 in input .pod documents.

systraq version 20160803 - The Pidjiguiti Release
- etc/systraq_is_unconfigured: update initial configuration instructions.
  (If "make -C /etc/systraq" is skipped, the cronjob
  "filetraq /etc/systraq/filetraq.conf /var/lib/systraq/filetraq" will have
  more work to do each hour it runs: it recursively creates directories
  /var/lib/systraq/filetraq/filetraq/filetraq ... )
- THANKS: updated.

systraq version 20160316 - The Sơn Mỹ Release
- doc/manual.dbx: lots of updates, to reflect changes of the last 12 years.
- man/st_snapshot.hourly.dbx, systraq.dbx: modernize XML from 4.2 to 4.5.

systraq version 20160303 - The තංගල්ල Release
- lib/Makefile.am: no longer install '/etcsystraq/systraq.d/': substitute
  '$(sysconfdir)$(PACKAGE)' with '$(sysconfdir)/$(PACKAGE)'.
- LICENSE, configure.ac: update copyright years.

systraq version 20151218 - The חֲנֻכָּה Release
- etc/Makefile.am: no longer install '/@SYSCONF_PATH@/filetraq.default'
  (sic!): substitute 'etcdir = @SYSCONF_PATH@' with
  'etcdir = $(sysconfdir)/$(PACKAGE)'.

systraq version 20151214 - The Čhaŋšúška Wakpá Release
- This release is dedicated to Tȟatȟáŋka Íyotake (± 1831 - Dec 15, 1890)
- configure.ac: s/AC_MSG_ERROR/AC_MSG_NOTICE/: no longer fail hard on
  missing typesetting tools.  People building from a .tar.xz distribution
  do not need them.

systraq version 20151105 - The Blaak Release
- Typeset manpages and the typeset systraq Manual are now shipped with the
  systraq sources.  The tools pod2man, $(XP) (e.g. xsltproc), $(JADE) (e.g.
  jade), $(JADETEX) (e.g. jadetex), $(PDFJADETEX) (e.g. pdfjadetex) and
  $(DVIPS) (e.g. dvips) are no longer needed to build/install systraq from
  the .tar.gz distribution.
  + {man,doc}/Makefile.am, doc/manual.dbx: Updated list of build
    requirements in the systraq manual.
  + Makefile.am, configure.ac, doc/Makefile.am, man.ent.i, man.ent.in,
    man/Makefile.am, setversion: man.ent no longer generated by configure
    from (now removed file) man.ent.in, but at bootstrap time by setversion
    from new file man.ent.i.
  + systraq/setversion: date format optimized for Kinyarwanda
- configure.ac: renamed foo.in to foo: no more expansion of @*_PATH@
  during ./configure.
  + etc/{systraq,filetraq.conf,snapshot_pub.list}{,.in},
    script/st_snapshot.hourly{,.in}: Replaced @SYSCONF_PATH@ with hardcoded
    /etc/systraq, @LOCALSTATE_PATH@ with hardcoded /var/lib/systraq,
    @DOC_PATH@ with hardcoded /usr/share/doc/systraq.
  + script/systraq.in: Replaced @BIN_PATH@ with hardcoded /usr/bin,
    @HOME_PATH@ with hardcoded /var/lib/systraq.
  + script/Makefile.am, etc/Makefile.am: adjusted accordingly.
- bootstrap: use automake 1.15, not 1.14.  This requires Debian >= stretch
  (current testing) for building from a git clone.  (We might relax in a
  later release to automake 1.11, which is shipped with lots of Debian
  releases.)
- Makefile.am: dist-xz: no longer ship systraq-VERSION.tar.bz2, do ship
  systraq-VERSION.tar.xz.
- etc/systraq: systraq cronjob no longer installed in /etc/cron.d/, but in
  doc/systraq/examples.  Shipping one cronjob file for all supported
  platforms turned out to be impossible.
- doc/Makefile.am: no longer ship or install ChangeLog.2004: it's a
  generated file, git2cl yields the same information.
- .cvsignore, {doc,etc,lib,man,script}/.cvsignore: renamed to .gitignore,
  */.gitignore: leftover from migration to git 20150913 (and from migrating
  from CVS, in 20050213...)

systraq version 20150913 - The de Sy à My release
- This software is no longer maintained using Subversion, but using git.
  Still at alioth.debian.org, now in collab-maint.
  + Makefile.am, bootstrap: s/svn2cl/git2cl/
  + contrib/Makefile.am contrib/run-parts doc/Makefile.am etc/Makefile.am
    etc/filetraq.conf.in etc/filetraq.default etc/snapshot_pub.homelist
    etc/snapshot_pub.list.in etc/snapshot_root.homelist
    etc/snapshot_root.list etc/systraq.in etc/systraq_is_not_upgraded
    etc/systraq_is_unconfigured lib/Makefile.am lib/ae-release lib/ah-uname
    lib/ak-uptime lib/bb-free lib/cc-df lib/ck-mdstat lib/dd-last
    lib/ee-lastlog lib/ff-netstat lib/gg-ps lib/ii-shellrc lib/nn-debsums
    lib/rr-localdigest lib/ww-signature man/Makefile.am man/st_snapshot.pod
    script/Makefile.am script/st_snapshot script/st_snapshot.hourly.in,
    LICENSE, Makefile.am, NEWS, README, THANKS, TODO, bootstrap,
    configure.ac, man.ent.in, setversion: remove $Id$ and $URL$ SVN tags
  + doc/html.dsl doc/manual.dbx doc/print.dsl man/st_snapshot.hourly.dbx
    man/systraq.dbx: replace $Id$ with &date; and &version;
- Buildsystem upgrade
  + bootstrap: use autotools 1.14, not 1.9
  + configure.ac, man.ent.in: get rid of AC_DEFINE_DIR, no longer use
    @BIN_PATH@ @SBIN_PATH@ @LIBEXEC_PATH@ @DOC_PATH@ @HOME_PATH@ @CRON_PATH@
    @LOCALSTATE_PATH@ in build system.
- bootstrap: no longer try to symlink ac_define_dir.m4
- lib/Makefile.am: replace $(SYSCONF_PATH) with $(sysconfdir)$(PACKAGE),
  replace $(LIBEXEC_PATH) with $(pkglibexecdir)
- etc/snapshot_pub.list.in: replace @SBIN_PATH@ with hardcoded /usr/sbin
  + setversion: date in rw_RW (Rwanda) locale.  Make sure no non-ascii
    characters show up in .dbx source.
- lib/ff-netstat: change "netstat -a -A inet -A inet6" to
  "netstat --wide --all --numeric --tcp --udp".  We want --numeric since
  DNS lookups take time, and DNS's response is less trustworthy than raw
  IPs.  We no longer list unix domain sockets.  We no longer have to
  specify "-A inet -A inet6", with recent netstat.  Thanks Wessel Dankers
  for idea.
- lib/bb-free: change "free" to "free --human": systraq's output is to be
  read by humans.
- doc/manual.dbx: fix some typos.

systraq version 20081217
- etc/systraq_is_not_upgraded: Fixed reference to upgrade instructions.
- script/st_snapshot: bugfix: use getent(1) as shipped with the GNU C
  library, not /etc/passwd to query the password database.  We now support
  stuff like NIS and LDAP user databases.
- NEWS: improved upgrade instructions: using rr-localdigest and
  /var/lib/systraq/systraq.md5sums is optional.

systraq version 20081214
- Moved upgrade instructions from 20081119 entry to this news entry.
- Add rationale for migrating from md5sum to sha256sum to 20081119 news
  entry.
- Honor {,/usr/local}/etc/systraq/systraq_is_not_upgraded.
- man/systraq.dbx: add notes to systraq(8) manpage on debsums (and our
  wrapper nn-debsums) using md5sum only (not sha256sum).
- etc/systraq.in: bugfix: do not send mail to user "systraq", but to user
  "_systraq".
- etc/Makefile.am: install systraq_is_unconfigured in
  doc/systraq/examples/.
- lib/rr-localdigest: No longer run md5sum, but sha256sum (or the value of
  ST_SUM) to check local message digests.  This is an INCOMPATIBLE change
  in the behaviour of systraq(8).
- script/systraq.in, etc/filetraq.conf.in, etc/snapshot_pub.list.in, ...:
  systraq.md5sums (typically installed in /var/lib/systraq/) has been
  renamed to systraq.sums.  This is a backwards INCOMPATIBLE change, see
  the upgrade instructions below.

UPGRADE INSTRUCTIONS
--------------------

These are instructions for upgrading from version 20070301 or earlier to
version 20081214.

1. If you don't have time to carry out these instructions between the
   actual upgrade and 00:00, temporarily disable the systraq cronjob; e.g.
   by running

     # mv /etc/cron.d/systraq /etc/cron.d/systraq~ .

   If you don't do this, your first daily [Systraq] report will contain
   something like:

     ST_LDIGESTS set to non-readable file /var/lib/systraq/systraq.sums: ignoring

   After the new systraq version is installed, the st_snapshot.hourly
   cronjobs should no longer be running st_snapshot: the newly installed
   file {,/usr/local}/etc/systraq/systraq_is_not_upgraded disables that.
   Notifications about changed monitored files are delayed.  (In case
   {,/usr/local}/etc/systraq/systraq_is_not_upgraded is not installed, run

     # touch $sysconfdir/systraq/systraq_is_not_upgraded

   where $sysconfdir should probably be either /usr/local/etc or /etc).

2. If the file /var/lib/systraq/systraq.md5sums exists on your system,
   you'll have to adapt to the new rr-localdigest behaviour.  There are at
   least 2 ways to do this:

   2.1 If you really want to stay with the not truly secure md5sum message
       digests, set ST_SUM to md5sum in the daily systraq job in your
       systraq crontab file.  After this change, this line in
       /etc/cron.d/systraq could e.g. read:

         0 0 * * * _systraq command -v systraq >/dev/null && \
           ST_SUM=md5sum systraq | mailx -s "[Systraq] `hostname` `date +\%Y\%m\%d`" \
           _systraq

       You can now continue using the old systraq sums file: Execute

         # mv /var/lib/systraq/systraq.md5sums /var/lib/systraq/systraq.sums .

   Or:

   2.2 Manually check integrity of the files: As user _systraq (or
       debian-systraq), run

         $ ST_LDIGESTS=/var/lib/systraq/systraq.md5sums ST_SUM=md5sum \
             /etc/systraq/systraq.d/rr-localdigest

       If integrity is fine, create /var/lib/systraq/systraq.sums, see
       "2.6. Inspecting current state of your system, making the first
       snapshot" in The systraq Manual for instructions.  You can remove
       /var/lib/systraq/systraq.md5sums once the new file is created.

3. If you've disabled the systraq cronjob in step 1., enable it again now
   by executing

     # mv /etc/cron.d/systraq~ /etc/cron.d/systraq

4. For adapting to the new st_snapshot behaviour, you now have at least 3
   options:

   4.1 If you have sha256sum installed: don't do anything.  Assume nothing
       evil has happened in the hour around the upgrade.  systraq will
       convert the md5 checksums of monitored files to sha256 checksums.
       The first time the st_snapshot.hourly cronjob runs after the
       upgrade, systraq will complain about your old md5sum checksum files,
       and report them as invalid.  Specifically, the sections on "md5sums
       of critical files" in the monitored files
       /var/lib/systraq/snapshot_pub.stat and
       /var/lib/systraq/snapshot_root.stat will be changed.  sha256sums of
       these files will get calculated; these will be kept for tracking the
       files.  If you are sure no unauthorized tampering with these
       monitored files has happened in this hour, you can ignore this
       one-time st_snapshot.hourly warning message.

   Or:

   4.2 If you really want to stay with the not truly secure md5sum message
       digests, set ST_SUM to md5sum in the st_snapshot.hourly jobs in your
       systraq crontab file.  After this change, these lines in
       /etc/cron.d/systraq could e.g. read:

         0 * * * * _systraq command -v st_snapshot.hourly >/dev/null && \
           ST_SUM=md5sum st_snapshot.hourly

       (on one line) and

         0 * * * * root command -v st_snapshot.hourly >/dev/null && \
           ST_SUM=md5sum ST_MODE=root st_snapshot.hourly

       (on one line).

   Or:

   4.3 If you feel like switching to the recommended sha256sum tool, follow
       the fresh install procedure in The systraq Manual from "2.6.
       Inspecting current state of your system, making the first snapshot"
       onwards.

   Once you've done this:

5. Re-enable the systraq cronjobs, e.g. by executing

     # rm /etc/systraq/systraq_is_not_upgraded

   (or rm /usr/local/etc/systraq/systraq_is_not_upgraded)

systraq version 20081119
- This release is UNSTABLE EXPERIMENTAL BLEEDING EDGE stuff.  Don't use,
  unless you're interested in getting hit by bugs.
- lib/Makefile.am: Actually _ship_ script ah-uname.
  It has been in our repository since 2005-07-10, but didn't actually make
  it with the 20070118 release.  Now systraq should show which kernel is
  running.
- lib/ck-mdstat, lib/ae-release, lib/Makefile.am: systraq now reports on
  status of MD devices (Linux Software RAID), if applicable; and shows the
  Linux release (using the LSB interface).
- bootstrap: use the autoreconf wrapper for auto{make,conf}.
- man/st_snapshot.pod, script/st_snapshot, man/st_snapshot.hourly.dbx,
  script/st_snapshot.hourly.in: st_snapshot.hourly and st_snapshot now
  honor the ST_SUM environment variable.  Backwards incompatible change:
  st_snapshot no longer defaults to using md5sum.  st_snapshot.hourly makes
  st_snapshot use sha256sum if available.  Warning: systraq will COMPLAIN
  about your old md5sum checksum files, and report them as INVALID.

RATIONALE FOR DROPPING md5sum AS DEFAULT
----------------------------------------

The md5sum message digest is not truly secure.  Rüdiger Weis and Stefan
Lucks have described this in a paper presented at the SANE 2006
conference, see
http://www.sane.nl/sane2006/program/abstract.php?eventid=24.  An article
describing this issue is available online at
http://www.cryptolabs.org/hash/LucksWeisSicherheitHash0305.html.

Ulrich Drepper e.a. write in the GNU Coreutils documentation, release
6.10, 2008-01:

  "[md5sum] should not be considered truly secure against malicious
  tampering: although finding a file with a given MD5 fingerprint, or
  modifying a file so as to retain its MD5 are considered infeasible at
  the moment, it is known how to produce different files with identical
  MD5 (a "collision"), something which can be a security issue in certain
  contexts."

sha256sum is shipped with GNU Coreutils since release 6.0 (2006-08-15).

sha1sum isn't truly secure either.  Fine (as of April 2006) are: the SHA-2
standard (sha224sum, sha512sum), gpg --print-md RIPEMD160, and
gpg --print-md SHA256.
Message digest tools are shipped with GNU coreutils, with GnuPG, with
OpenSSL, with libdigest-sha-perl and with sleuthkit.

See also the thread on "dpkg-sig support wanted?", November 2005, at
http://lists.debian.org/debian-devel/2005/11/thrd3.html#01325.  Read e.g.
these contributions:

  http://lists.debian.org/debian-devel/2005/11/msg01578.html
  http://lists.debian.org/debian-devel/2005/11/msg01633.html
  http://lists.debian.org/debian-devel/2005/11/msg01694.html
  http://lists.debian.org/debian-devel/2005/11/msg01653.html .

In 2007, NIST announced the SHA-3 Cryptographic Hash Algorithm Competition,
in order to develop one or more hash functions through a public
competition (in response to a SHA-1 vulnerability announced in Feb. 2005).
The proclamation of a winner and publication of the new standard are
scheduled to take place in 2012.  See http://www.nist.gov/hash-competition
and http://ehash.iaik.tugraz.at/wiki/The_SHA-3_Zoo.

Changing the hash function used by systraq is now much easier.  If
sha256sum turns out to be a suboptimal choice, and a better alternative is
available, switching is easy.

systraq version 20070301
- script/st_snapshot: Deal with unusual characters in filenames, like
  spaces.  Thanks Daniel Sheridan.  Fixes
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=409777.
- doc/manual.dbx, man/systraq.dbx: Added systraq(8), based upon the one by
  Laurent Fousse as shipped with the Debian package.  Moved stuff from The
  Systraq Manual to the manpage.  Add notes on adding/disabling specific
  scripts.
- man/Makefile.am: running "make html" now generates manpages in HTML.

systraq version 20070118
- Ship alternative run-parts implementation in contrib/ directory.
- Show which kernel is running: new script ah-uname added.
- ff-netstat: redirect netstat stderr to stdout: make sure stuff like
  "warning, got bogus tcp line." does not cause an extra email message to
  get sent, when called from cron.
- In systraq cronjobs, test whether commands are available before
  executing them: this is nice for package installations, which might
  choose to keep the cron file after removing the executables.  Thanks
  Antti-Juhani Kaijanaho.
- Various documentation updates.

systraq version 20050213
- Systraq now is maintained using Subversion on http://alioth.debian.org/ .
  SVN commits get sent to the systraq-commit@lists.alioth.debian.org list,
  see http://lists.alioth.debian.org/mailman/listinfo/systraq-commit .
  Notes for hackers in manual adjusted.
- New script st_snapshot.hourly, which uses new config files
  systraq_is_unconfigured and i_want_a_broken_systraq.  This makes systraq
  behave more friendly for people doing a fresh install from a binary
  package: hourly cron messages are now actually helpful.  See
  st_snapshot.hourly(1).

(on 2005-02-11, Laurent Fousse published systraq_0.0.20050209.orig.tar.gz)

systraq version 20041118
- Beware!  When upgrading, do
  * mv /usr/local/var/state/systraq /usr/local/var/lib/
  * edit filetraq.tail.conf:
    s|/usr/local/var/state/systraq|/usr/local/var/lib/systraq|
    and regenerate filetraq.conf
  * edit /usr/local/etc/systraq/snapshot_pub.list:
    s|/usr/local/bin|/usr/local/sbin|
  .  Some default file locations have changed.
- We no longer install default config files: they are likely not suited
  for everybody.  The shipped example config files are now installed in
  /usr/local/share/doc/systraq/examples/ .  Installation instructions
  adjusted.

systraq version 20041015-cvs.9
- Fixed bug which caused symlinks in systraq.d to point to /* .  This
  caused the systraq script to fail miserably.
- Cosmetics in systraq manual.

systraq version 20041015-cvs.8
- Another CVS snapshot.
- Since version 20041015-cvs.7 we depend upon run-parts during run time.
- No longer installs systraq and st_snapshot in bindir, but in sbindir
  (/usr/local/sbin per default.)
- Bugfix: find run-parts and expand the accompanying macro.

systraq version 20041015-cvs.7
- Another CVS snapshot.
- systraq now is split in little snippets in systraq.d/*, processed by
  run-parts(1).  One now can easily disable the snippets: run e.g.
  mv gg-ps gg-ps.old to disable the ps output in the daily email.
  Alternatively, one can remove the symlink in systraq.d/ .  New
  documentation about this is upcoming.
- Ship new file LICENSE, listing copyright ownership.

systraq version 20041015-cvs.6
- Another CVS snapshot.
- Due to a minor change in st_snapshot in 20041015-cvs.2, the generated
  files snapshot_pub.stat and snapshot_root.stat will look slightly
  different.  When upgrading, systraq will complain about this.  Of course,
  _this_ warning can be ignored.
- We now use pdfjadetex for generating manual.pdf.  Build dependencies for
  manual.* updated in the systraq manual.

systraq version 20041015-cvs.5
- Another CVS snapshot.
- Now fails if needed documentation build tools are lacking.  We
  optionally use lynx (if w3m is missing) and jade (if openjade is
  missing).

systraq version 20041015-cvs.4
- Another CVS snapshot.
- No user visible changes, merely housekeeping

systraq version 20041015-cvs.3
- Another CVS snapshot.
- The systraq command no longer uses hardcoded pathnames: pathnames moved
  to environment variable, cronjob invocation adjusted.  See the systraq
  manual for details.

systraq version 20041015-cvs.2
- Another CVS snapshot.
- st_snapshot no longer has hardcoded pathnames.  st_snapshot user
  interface changed: all paths are passed as arguments.  The cronjob is
  updated accordingly.

systraq version 20041015-cvs.1
- Another CVS snapshot.
- The systraq manual now honors ./configure-time set pathnames.
  Therefore, it now is typeset during buildtime, and we require
  documentation build-tools: Jade and friends.  See the manual for details.

systraq version 20041015
- Consider this a pre-release.  Some items from TODO will be handled "real
  soon now".
- This file, NEWS, is now non-empty.
- The example configuration files etc/filetraq.conf, etc/snapshot_pub.list
  as well as the cron file etc/systraq now no longer have hardcoded
  /usr/local in their contents, but respect the --prefix as passed to
  ./configure.  This is especially nice for package builders.
- For building from CVS, one now needs:
    - cvs2cl
    - automake 1.9
    - autoconf-archive
  since these changes have been made:
    - bootstrap, configure.{ac,in}, Makefile.am, setversion: overhaul of
      buildsystem: use automake 1.9 features.  We automagically build a
      .tar.bz2 too, make distcheck is now more strict, we have a hook to
      inspect sysconfdir, bindir, etc.
    - AUTHORS, ChangeLog, NEWS: ChangeLog now gets built from CVS commit
      messages, old ChangeLog contents moved to NEWS.  AUTHORS in syntax,
      parseable by cvs2cl.

systraq version 20040804
- doc/manual.dbx, script/Makefile.am: We no longer ship filetraq, but
  require it: now that the Debian version has fixed a bug, it's fine for
  our use.
- etc/snapshot_root.homelist: change .procmail to .procmailrc: the last
  file is what we want to monitor, not .procmail/log, of course.  Thanks
  Lionel Elie Mamane for bugreport.
- script/st_snapshot: On systems where / is a homedir for lots of users,
  systraq was behaving badly.  We now explicitly exclude / from the list of
  monitored homedirs (and thus no longer monitor ~/etc/ for such users,
  which was pretty silly).  Thanks Lionel for bugreport.

systraq version 20040526
- script/filetraq, etc/filetraq.default: filetraq taken from improved
  Debian package, which now uses extra configuration file.
  filetraq.default contains sane defaults.  See systraq manual for
  installation instructions.
- script/filetraq.patch: updated patch from upstream filetraq v0.2 to
  filetraq from Debian package 0.2-9.  Furthermore, hacked the patch to do
  something sane when diff exits with code 2.  We believe this should
  _finally_ fix the problem with changes in binary files not being recorded
  in the backupdir.
- etc/snapshot_root.homelist: .procmail and .mailfilter added: some
  systems use procmail or maildrop as MDA; on such systems, these files are
  the equivalent of .forward.  GnuPG private key stuff added.
- doc/manual.dbx: updated notes on FAM and diffmon (thanks Lionel)
- etc/systraq: use mailx instead of mail: portability (some /bin/mail's
  don't grok -s option).  New subject in mail: easier sorting.  Added note
  on problems with some cron versions.

systraq version 20030209
- script/filetraq: We still got it wrong with the -a -u hassle in diff
  call.  systraq release 20030117 is borken.  Refixed.
- doc/manual.dbx: some more notes on configuration and setup.
- scripts/systraq: add /etc/zsh-beta/ stuff: that's where a Debian
  packaged zsh installs stuff.  Check for existence of system-wide shell
  startup scripts before grepping in them.

systraq version 20030117
- TODO: more notes on FAM
- etc/systraq: daily mail gets sent to systraq, not root: easier
  configurable via mail aliases.

systraq version 20021128
- script/filetraq: if $FT_DIFF is unset, we no longer run diff with the
  --text option set.  Previous release introduced this bug, and didn't fix
  the one it claimed to fix.
- doc/manual.dbx: updated date, added note about fam.
- TODO: updated

systraq version 20021014
- script/filetraq: added --text option to diff invocation, in order to get
  sane results when diffing binary files.  Updated --help output.  (This
  fixes a bug which caused the backing up of binary files to fail.)
- etc/systraq: added -a (--text) to FT_DIFF variable
- doc/Makefile.am: now docs get rebuilt after `make maintainerclean'.
- doc/manual.dbx: mentions diffmon, another tool.  Some finetuning of
  notes on how to manually generate md5sums on Debian packages.  Note on
  maintenance when upgrading software in /usr/local/.
- TODO: note on .procmailrc.

systraq version 20020228
- script/systraq: md5sum stderr redirection.  Now no longer stops in case
  md5sums or debsums fails.

systraq version 20020223
- script/systraq: debsums stderr redirected, apparently output filehandle
  changed in recent debsums version.
- doc/manual.dbx: documented how to manually generate md5sums from Debian
  packages.

systraq version 20020113
- snapshot_pub.list: the scripts themselves are monitored too now (tnx
  Fruit).
- systraq: added (.)zlogout to list of shell files (tnx Fruit).
- etc/systraq: crontab now in syntax which is grokked by cron <
  3.0pl1-68, so that it executes ok on Debian potato systems: no longer
  uses @{reboot,hourly,etc.} style time indicators.

systraq version 20011209
- Set up configure.in and Makefile.am's.  It's a proper tarball now.

systraq version 20011208
- First public release.  Wrote filetraq patch.
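
Added example for step 2.2 of the 20081214 upgrade instructions above (it is
not part of systraq or its manual): verify the monitored files against the old
MD5 list and only then write a SHA-256 list for the same paths. The function
names and the script name migrate-sums.sh are hypothetical, and it assumes both
lists use the line format that md5sum and sha256sum write and check with -c.

```shell
#!/bin/sh
# Added example (not systraq code) for step 2.2 of the upgrade notes:
# check the monitored files against the old MD5 list and, only when every
# file still matches, write a SHA-256 list covering the same paths.
# Assumption: both lists use the "<hex digest>  <path>" lines that md5sum
# and sha256sum write and that their -c option reads.  Paths that coreutils
# escapes (backslash, newline) are not handled.

# list_paths SUMS_FILE: print the path column of a sums file.
list_paths() {
    # Strip the digest plus the two-character separator ("  " or " *").
    sed -e 's/^[0-9a-fA-F]\{1,\} [ *]//' "$1"
}

# migrate_sums OLD_MD5_LIST NEW_SHA256_LIST
# Returns 0 when the new list was written, 1 when a monitored file fails
# verification, 2 on usage or I/O problems.
migrate_sums() {
    old=$1
    new=$2
    if [ ! -r "$old" ]; then
        echo "cannot read $old" >&2
        return 2
    fi
    if [ -e "$new" ]; then
        echo "refusing to overwrite $new" >&2
        return 2
    fi

    # 1. Integrity check against the old digests; stop on any mismatch.
    if ! md5sum -c "$old" >&2; then
        echo "MD5 check failed, $new not written" >&2
        return 1
    fi

    # 2. Hash the same paths with sha256sum into a temporary file.
    tmp=$(mktemp "$new.XXXXXX") || return 2
    if ! list_paths "$old" | while IFS= read -r path; do
            sha256sum -- "$path" || exit 1
        done > "$tmp"
    then
        rm -f "$tmp"
        return 2
    fi

    # 3. Re-run both checks: a file modified while step 2 was hashing fails
    #    one of them, so its new digest is never accepted as the baseline.
    if ! md5sum -c "$old" >/dev/null 2>&1 ||
       ! sha256sum -c "$tmp" >/dev/null 2>&1; then
        echo "files changed during migration, $new not written" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$new"
}

# Usage (hypothetical script name): sh migrate-sums.sh OLD_LIST NEW_LIST
if [ "$#" -eq 2 ]; then
    migrate_sums "$1" "$2"
    exit
fi
```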