--- ../arpwatch.orig/report.c Sat Sep 30 19:41:10 2000
+++ ./report.c Fri Sep 12 18:57:04 2003
@@ -45,6 +45,8 @@
#include <ctype.h>
#include <errno.h>
+#include <fcntl.h>
+#include <paths.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
@@ -70,6 +72,8 @@
#define PLURAL(n) ((n) == 1 || (n) == -1 ? "" : "s")
+extern char *Watcher;
+
static int cdepth; /* number of outstanding children */
static char *fmtdate(time_t);
@@ -232,15 +236,16 @@
}
void
-report(register char *title, register u_int32_t a, register u_char *e1,
- register u_char *e2, register time_t *t1p, register time_t *t2p)
+report(evt_type event, register u_int32_t a, register u_char *e1,
+ register u_char *e2, register time_t *t1p, register time_t *t2p,
+ register char *interface, register char *old_interface)
{
register char *cp, *hn;
register int fd, pid;
register FILE *f;
char tempfile[64], cpu[64], os[64];
char *fmt = "%20s: %s\n";
- char *watcher = WATCHER;
+ char *watcher = Watcher ? Watcher : WATCHER;
char *watchee = WATCHEE;
char *sendmail = PATH_SENDMAIL;
char *unknown = "<unknown>";
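Review bot: `watcher` can now hold the runtime value `Watcher` instead of the compile-time `WATCHER`, and nothing in this hunk constrains that value before it is used. Later in report() it is written into the `To: %s` header line and passed as an argv element to sendmail, so an embedded newline or a leading `-` would change the message headers or be read as an option. Where `Watcher` is assigned is not visible in this patch; that code should reject control characters and a leading dash, and a comment here such as `/* Watcher is validated at option parsing; must be a plain address */` would record the assumption. The body of report() continues outside the hunk.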
@@ -251,9 +256,15 @@
if (initializing)
return;
+ /* these types are sent to syslog instead of reported on.
+ * only continue if there are other events as well
+ */
+ if (event == NULL || (event & ~(IP_ETHER_REUSE | FLIPFLOP_DECNET) == 0))
+ return;
+
if (debug) {
if (debug > 1) {
- dosyslog(LOG_NOTICE, title, a, e1, e2);
+ dosyslog(LOG_NOTICE, "event", a, e1, e2);
return;
}
f = stdout;
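Review bot: The added filter only fires when `event` is zero, because `==` binds tighter than `&`: `event & ~(IP_ETHER_REUSE | FLIPFLOP_DECNET) == 0` parses as `event & (~(...) == 0)`, which is `event & 0` unless the mask is all ones. Events that are only `IP_ETHER_REUSE` or `FLIPFLOP_DECNET` therefore fall through to the mail path, contrary to the comment above the test. The guard should read `if (event == 0 || (event & ~(IP_ETHER_REUSE | FLIPFLOP_DECNET)) == 0)`. Comparing `event` with `NULL` is also a type mismatch if `evt_type` is an integer bitmask, as the `&` tests elsewhere in the patch suggest. The body of report() starts and ends outside the hunk.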
@@ -270,7 +281,7 @@
}
/* Syslog this event too */
- dosyslog(LOG_NOTICE, title, a, e1, e2);
+ dosyslog(LOG_NOTICE, "event", a, e1, e2);
/* Update child depth */
++cdepth;
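Review bot: Passing the literal `"event"` to dosyslog() here, and in the `debug > 1` branch of the previous hunk, gives every syslog record the same label, so the log no longer says whether the entry was a new station, a changed ethernet address or a flip flop. Syslog is typically the record that gets forwarded and alerted on, so the event type should be kept there. Derive a label from the `event` bits, using the same strings the mail body prints, and pass that in place of `"event"`. How dosyslog() uses its second argument is not visible in this patch.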
@@ -304,12 +315,31 @@
(void)fprintf(f, "To: %s\n", watcher);
hn = gethname(a);
if (!isdigit(*hn))
- (void)fprintf(f, "Subject: %s (%s)\n", title, hn);
+ (void)fprintf(f, "Subject: Arpwatch Event (%s)\n", hn);
else {
- (void)fprintf(f, "Subject: %s\n", title);
+ (void)fprintf(f, "Subject: Arpwatch Event\n");
hn = unknown;
}
(void)putc('\n', f);
+
+ if (event & ETHER_NEW)
+ (void)fprintf(f, fmt, "event", "new ethernet device");
+ if (event & ETHER_IFCHG)
+ (void)fprintf(f, fmt, "event", "ethernet device changed interfaces");
+ if (event & ACTIVITY_NEW)
+ (void)fprintf(f, fmt, "event", "new activity");
+ if (event & IP_NEW)
+ (void)fprintf(f, fmt, "event", "new active IP address");
+ if (event & IP_ETHERCHG)
+ (void)fprintf(f, fmt, "event", "IP changed ethernet address");
+ if (event & FLIPFLOP)
+ (void)fprintf(f, fmt, "event", "flip flop");
+
+ (void)fprintf(f, fmt, "interface", interface);
+
+ if (old_interface != NULL)
+ (void)fprintf(f, fmt, "old interface", old_interface);
+
(void)fprintf(f, fmt, "hostname", hn);
(void)fprintf(f, fmt, "ip address", intoa(a));
(void)fprintf(f, fmt, "ethernet address", e2str(e1));
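Review bot: `interface` is passed to `%s` without the NULL check that `old_interface` gets two lines later, and a NULL argument for `%s` is undefined behaviour in fprintf. The callers are not part of this patch, so either document that `interface` must be non-NULL or guard the call: `(void)fprintf(f, fmt, "interface", interface != NULL ? interface : unknown);`. Separately, the Subject line is now the constant `Arpwatch Event`, so recipients can no longer sort or filter mail by event type from the header alone. Appending a short type label built from the `event` bits would restore that.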
@@ -344,6 +374,25 @@
exit(1);
}
/* XXX Need to freopen()? */
+
+ /*
+ * Open /dev/null as stdout and stderr so that sendmail 8.12.1 (and
+ * above ?) won't complain about missing file descriptors.
+ */
+ if ((fd = open(_PATH_DEVNULL, O_RDWR)) == -1) {
+ syslog(LOG_ERR, "Cannot open %s: %m", _PATH_DEVNULL);
+ exit(1);
+ }
+ if (dup2(fd, STDOUT_FILENO) == -1) {
+ syslog(LOG_ERR, "Cannot dup2 %s to stdout: %m", _PATH_DEVNULL);
+ exit(1);
+ }
+ if (dup2(fd, STDERR_FILENO) == -1) {
+ syslog(LOG_ERR, "Cannot dup2 %s to stderr: %m", _PATH_DEVNULL);
+ exit(1);
+ }
+ close(fd);
+
/* Always Deliver interactively (pause when child depth gets large) */
execl(sendmail, "sendmail", "-odi", watcher, NULL);
syslog(LOG_ERR, "execl: %s: %m", sendmail);
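Review bot: The unconditional `close(fd);` undoes the redirection when `open()` itself returns descriptor 1 or 2. The comment says this block exists because those descriptors may be missing, and in that case `open()` returns the lowest free one, both `dup2()` calls succeed, and `close(fd)` then closes stdout or stderr again before the exec. Only close the descriptor when it is a spare one: `if (fd > STDERR_FILENO) (void)close(fd);`. The enclosing child branch of report() starts outside the hunk.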