Auditing tool for system logs on Unix boxes.
Logcheck helps spot problems and security violations in your logfiles
automatically and will send the results to you in e-mail.
Logcheck is part of the Abacus Project of security tools. It is a program
created to help in the processing of UNIX system logfiles generated by the
various Abacus Project tools, system daemons, Wietse Venema's TCP Wrapper
and Log Daemon packages, and the Firewall Toolkit(c) by Trusted Information
Systems Inc.(TIS). Logcheck also works very well at reporting on other
common operating system security violations and strange events.
Sun Jun 17 23:27:52 2001 GOTOU YUUZOU <gotoyuzo@notwork.org>
* make it the release 0.3.0
Sun Jun 17 16:23:19 2001 GOTOU YUUZOU <gotoyuzo@notwork.org>
* sample/verify_cb.rb: for SSLSocket#verify_callback=
* sample/x509.rb: new sample for X509.
* sample/login.rb: new sample for Net::Telnet.
Sun Jun 17 16:07:12 2001 GOTOU YUUZOU <gotoyuzo@notwork.org>
* lib/net/protocols.rb: split NetPrivate from https.rb.
Sun Jun 17 15:03:02 2001 GOTOU YUUZOU <gotoyuzo@notwork.org>
* lib/net/https.rb: use forwardable.rb.
* lib/net/https: follow SSLSocket.
* lib/net/telnets: ditto.
Sun Jun 17 13:00:37 2001 GOTOU YUUZOU <gotoyuzo@notwork.org>
* ssl.c: use instance variable (rb_ivar_set/rb_ivar_get) instead
of the fields in C structure.
* ssl.c: new methods SSLSocket#timeout, SSLSocket#ciphers=,
SSLSocket#verify_depth=.
* ssl.c: new class X509_STORE_CTX. and fix arguments for the Proc#call
at verify callback.
* ssl.c: new methods X509#sigAlgor, X509#key_type, X509#extension,
X509#verify, #X509#to_s
* ssl.c: change the sequence of arguments of SSLSocket.new.
Sun Jun 17 12:59:50 2001 GOTOU YUUZOU <gotoyuzo@notwork.org>
* ChangeLog: new file.
for systems where the dependent libraries aren't part of the base system.
Don't include tcl/buildlink.mk as the libraries aren't required for the
build -- only the tclsh binary is required at run-time. Also honor CFLAGS
passed in from environment during the build.
ruby-sha1 - A Ruby interface to the SHA-1 Secure Hash Algorithm
This is a Ruby extension which implements the SHA-1 Secure Hash
Algorithm by NIST (the US' National Institute of Standards and
Technology), described in FIPS PUB 180-1.
so remove it from package Makefiles. Also move the inclusion of the
buildlink.mk files to the end of the Makefile to just before bsd.pkg.mk
to ensure that any Makefile settings occur before the buildlink.mk files.
Zebedee Secure Tunnel
=====================
Zebedee is a simple program to establish an encrypted, compressed
"tunnel" for TCP/IP or UDP traffic between two systems. This
allows data from, for example, telnet, ftp and X sessions to be
protected from snooping. You can also use compression, either
with or without data encryption, to gain performance over
low-bandwidth networks.
The main goals for Zebedee are to:
* Provide client and server functionality under both UNIX
and Windows 95/98/NT.
* Be easy to install, use and maintain with little or no
configuration required.
* Have a small footprint, low wire protocol overhead and
give significant traffic reduction by the use of
compression.
* Use only algorithms that are either unpatented or for
which the patent has expired.
* Be entirely free for commercial or non-commercial use and
distributed under the term of the GNU General Public
Licence (see LICENCE.txt for details).
For further information on how to use Zebedee see the file
zebedee.html in the distribution (or the manual page for
zebedee(1) under UNIX -- it is basically the same text). Example
configuration files are also provided.
FOO_REQD=1.0 being converted to foo>=1.0, one can now directly specify
the dependency pattern as FOO_DEPENDS=foo>=1.0. This allows things like
JPEG_DEPENDS=jpeg-6b, or fancier expressions like for postgresql-lib.
Change existing FOO_REQD definitions in Makefiles to FOO_DEPENDS.
when X11 forwarding = yes.
20010617
- (djm) Pull in small fix from -CURRENT for session.c:
typo, use pid not s->pid, mstone@cs.loyola.edu
20010615
- (stevesk) don't set SA_RESTART and set SIGCHLD to SIG_DFL
around grantpt().
20010614
- (bal) Applied X11 Cookie Patch. X11 Cookie behavior has changed to
no longer use /tmp/ssh-XXXXX/
20010528
- (tim) [conifgure.in] add setvbuf test needed for sftp-int.c
Patch by Corinna Vinschen <vinschen@redhat.com>
20010512
- (bal) Patch to partial sync up contrib/solaris/ packaging software.
Patch by pete <ninjaz@webexpress.com>
20010509
- (bal) UseLogin patch for Solaris/UNICOS. Patch by Wayne Davison
<wayne@blorf.net>
- (bal) ./configure support to disable SIA on OSF1. Patch by
Chris Adams <cmadams@hiwaay.net>
- (bal) Updates from the Sony NEWS-OS platform by NAKAJI Hiroyuki
<nakaji@tutrp.tut.ac.jp>
20010508
- (bal) Fixed configure test for USE_SIA.
20010506
- (djm) Update config.guess and config.sub with latest versions (from
ftp://ftp.gnu.org/gnu/config/) to allow configure on ia64-hpux.
Suggested by Jason Mader <jason@ncac.gwu.edu>
20010504
- (bal) Updated Cygwin README by Corinna Vinschen <vinschen@redhat.com>
- (bal) Avoid socket file security issues in ssh-agent for Cygwin.
Patch by Egor Duda <deo@logos-m.ru>
20010430
- (djm) Add .cvsignore files, suggested by Wayne Davison <wayne@blorf.net>
- (tim) [contrib/caldera/openssh.spec] add Requires line for Caldera 3.1
- various bugfixes
- fixed fd leak in KB and session saving
- possibly fixed connections problems between the client and
the server
- updated config.guess and config.sub
- many new plugins
key changes since 20010403:
- be more picky about isakmpd.policy permission
- debug: dump decoded IKE packets in pcap(3) format
- cert improvements
- RFC2367 compliance
- bug fixes: correct SA refcnt, memory alloc and doc fixes
linked from a particular package, and add a pre-configure target to
the buildlink.mk file to more painlessly use buildlink.mk files. A
${BUILDLINK_TARGETS} variable still exists in case a package _must_
define NO_CONFIGURE.
* Use NetBSD's getpass() function instead of the homegrown one, as the
homegrown one doesn't seem to hide the password when it is being entered.
* Add a rc.d style script to start cfsd, and also install the documentation
for the filesystem.
* Rename c* commands to cfs_* to avoid conflicts with coda programs with
a similar name.
homegrown one doesn't seem to hide the password when it is being entered.
* Add a rc.d style script to start cfsd, and also install the documentation
for the filesystem.
* Rename c* commands to cfs_* to avoid conflicts with coda programs with
a similar name.
CFS pushes encryption services into the UN*X file system. It supports
secure storage at the system level through a standard UN*X file system
interface to encrypted files. Users associate a cryptographic key with the
directories they wish to protect. Files in these directories (as well as
their pathname components) are transparently encrypted and decrypted with
the specified key without further user intervention; cleartext is never
stored on a disk or sent to a remote file server. CFS employs a novel
combination of DES stream and codebook cipher modes to provide high
security with good performance on a modern workstation. CFS can use any
available file system for its underlying storage without modification,
including remote file servers such as NFS. System management functions,
such as file backup, work in a normal manner and without knowledge of the
key.
packages collection.
CFS is an encrypting file system for Unix-like OSs. It uses NFS as
its interface, and so is reasonably portable. The FS code dates back
to 1989, and the crypto to 1992, so it is showing signs of age. This
code should be regarded as completely unsupported; a complete rewrite
will follow eventually.
Please don't download this code if you're in a place that's forbidden
(under US or local law) to export cryptographic software from the US
to, or if you're on the State Department's "Denied Persons List." If
you aren't sure, ask a good lawyer.
Changes:
Fixed a format string bug which is exploitable if --batch is not used.
Checked all translations for format strings bugs.
Removed the Russian translation due to too many bugs.
Fixed keyserver access and expire time calculation.
0.11 2001/05/20
* Defining line_not_blank().
Stefan H. Holek <stefan@epy.co.at>
* Enhancing Public_Key_Encrypted_Session_Key_Packet().
Stefan H. Holek <stefan@epy.co.at>
Brian M. Carlson <karlsson@hal-pc.org>
0.10 2001/05/08
* Fixing key_server_preferences().
* Fixing signature_multi_precision_integer().
0.09 2001/05/05
* Implementing additional_decryption_key() like revocation_key().
Stefan H. Holek <stefan@epy.co.at>
Important Changes:
==================
WARNING: SSH protocol v2 is now the default protocol version
use the 'Protocol' option from ssh(1) and sshd(8) if
you want to change this.
SSH protocol v2 implementation adds support for:
HostbasedAuthentication, similar to RhostsRSA in SSH protocol
v1
Rekeying (negotiate new encryption keys for the current SSH
session, try ~R in interactive SSH sessions)
updated DH group exchange:
draft-ietf-secsh-dh-group-exchange-01.txt
client option HostKeyAlgorithms
server options ClientAliveInterval and ClientAliveCountMax
tty mode passing
general:
gid swapping in sshd (fixes access to /home/group/user based
directory structures)
Dan Kaminsky <dankamin@cisco.com> contributed an experimental
SOCKS4 proxy to the ssh client (yes, client not the server).
Use 'ssh -D 1080 server' if you want to try this out.
server option PrintLastLog
improvements for scp > 2GB
improved ListenAddress option.
You can now use ListenAddress host:port
improved interoperability (bug detection for older implementations)
improved documentation
Some pkg related changes by me.
Changes since 1.0.4:
* WARNING: The semantics of --verify have changed to address a
problem with detached signature detection. --verify now ignores
signed material given on stdin unless this is requested by using
a "-" as the name for the file with the signed material. Please
check all your detached signature handling applications and make
sure that they don't pipe the signed material to stdin without
using a filename together with "-" on the the command line.
* WARNING: Corrected hash calculation for input data larger than
512M - it was just wrong, so you might notice bad signature in
some very big files. It may be wise to keep an old copy of
GnuPG around.
* Secret keys are no longer imported unless you use the new option
--allow-secret-key-import. This is a kludge and future versions will
handle it in another way.
* New command "showpref" in the --edit-key menu to show an easier
to understand preference listing.
* There is now the notation of a primary user ID. For example, it
is printed with a signature verification as the first user ID;
revoked user IDs are not printed there anymore. In general the
primary user ID is the one with the latest self-signature.
* New --charset=utf-8 to bypass all internal conversions.
* Large File Support (LFS) is now working.
* New options: --ignore-crc-error, --no-sig-create-check,
--no-sig-cache, --fixed_list_mode, --no-expensive-trust-checks,
--enable-special-filenames and --use-agent. See man page.
* New command --pipemode, which can be used to run gpg as a
co-process. Currently only the verification of detached
signatures are working. See doc/DETAILS.
* Rewritten key selection code so that GnuPG can better cope with
multiple subkeys, expire dates and so. The drawback is that it
is slower.
* A whole lot of bug fixes.
* The verification status of self-signatures are now cached. To
increase the speed of key list operations for existing keys you
can do the following in your GnuPG homedir (~/.gnupg):
$ cp pubring.gpg pubring.gpg.save && $ gpg --export-all >x && \
rm pubring.gpg && gpg --import x
Only v4 keys (i.e not the old RSA keys) benefit from this caching.
* New translations: Estonian, Turkish.
replace security/py-crypto (which isn't python-2.0-ready, and failed the
last dozen bulk builds for that reason).
Some help provided by Ty Sarna -- thanks!