xNightR00T File Manager

#########################################################################
# $Id$
##########################################################################
# $Log: secure,v $
# Revision 1.86  2009/11/14 16:26:41  kirk
# *** empty log message ***
#
# Revision 1.85  2009/06/02 14:59:58  mike
# Fedora patch from Ivan Varekova -mgt
#
# Revision 1.84  2008/03/24 23:31:26  kirk
# added copyright/license notice to each script
#
# Revision 1.83  2007/11/28 18:51:00  mike
# Irix su format added [I know but I could not help myself] -mgt
#
# Revision 1.82  2007/11/25 20:11:04  bjorn
# Additional filtering, by Ivana Varekova.
#
# Revision 1.81  2007/07/08 18:40:45  mrc
# Fixed spelling typo [Thanks: Justin Pryzby/Willi Mann]
#
# Revision 1.80  2007/06/18 04:07:44  bjorn
# Added some support for VmWare messages, by Hugo van der Kooij.
#
# Revision 1.79  2007/04/28 23:56:32  bjorn
# Filtering closing connection statement, by Ivana Varekova.
#
# Revision 1.78  2007/04/15 19:19:24  bjorn
# Added filtering for pam_rhosts_auth for rsh, by James Tanis.
#
# Revision 1.77  2007/01/29 18:29:14  bjorn
# Handling of "BAD SU", and removing process number, by Markus Lude.
#
# Revision 1.76  2006/12/15 05:45:15  bjorn
# Additional filtering for debian-specific lines that are already reported
# in pam service.  Note that debian uses different wording or case than other
# distributions, so it should only be ignored for debian.  Changes submitted
# by Willi Mann.
#
# Revision 1.75  2006/12/15 04:40:24  bjorn
# Fixed older patch, and added new string reported by Orion Poplawski.
#
# Revision 1.74  2006/09/15 15:40:58  bjorn
# Additional filtering by Ivana Varekova.
#
# Revision 1.73  2006/07/28 23:38:53  bjorn
# Corrected order "su" statement.
#
# Revision 1.72  2006/07/28 17:41:15  bjorn
# Accounts for log turnover and tty numbering in BSD, and count all 'su',
# by Markus Lude.
#
# Revision 1.71  2006/07/11 15:41:58  bjorn
# Modified filtering for pam_timestamp, by Ivana Varekova.
#
# Revision 1.70  2006/05/18 20:08:00  bjorn
# Additional processing for Mac OS X, by Laurent Dufour.
#
# Revision 1.69  2006/03/20 20:42:57  bjorn
# Additional filtering, by Ivana Varekova.
#
# Revision 1.68  2006/03/13 20:10:31  bjorn
# Additional detection/reporting for user/group add/remove, by Willi Mann.
#
# Revision 1.67  2006/01/31 20:33:30  bjorn
# Correction to previous patch.
#
# Revision 1.66  2006/01/31 20:18:01  bjorn
# Additional filtering, some Debian-specific, by Willi Mann.
#
# Revision 1.65  2006/01/20 22:31:04  bjorn
# Handle new pam_unix format, by Ivana Varekova.
#
# Revision 1.64  2005/12/06 02:37:34  bjorn
# Report cvs password mismatches, by Ivana Varekova.
#
# Revision 1.63  2005/12/01 04:26:20  bjorn
# Fixed uid, gid references in NewUser and NewGroups, and removed newlines.
#
# Revision 1.62  2005/12/01 00:34:43  bjorn
# Changed arrays to strings to keep formatting consistent when printing output.
#
# Revision 1.61  2005/10/26 05:50:21  bjorn
# Allow case insensitivity for uid, gid, by Ivana Varekova
#
# Revision 1.60  2005/09/29 15:02:00  bjorn
# Added password change, userhelper apps, filtering pam_timestamp, all by
# Ivana Varekova.
#
# Revision 1.59  2005/09/28 18:25:55  mike
# Patch from David Baldwin for service_limit and connections per sec -mgt
#
# Revision 1.58  2005/09/28 17:25:48  mike
# pam_abl patch from Gilles Detillieux -mgt
#
# Revision 1.57  2005/09/26 17:23:36  mike
# Patch from David Baldwin, catch non PID loglines -mgt
#
# Revision 1.56  2005/09/13 18:42:58  mike
# Patch from David Baldwin, more su cases and inetd rsh. -mgt
#
# Revision 1.55  2005/08/27 00:40:41  mike
# Solaris 9 patch for su from Markus Lude -mgt
#
# Revision 1.54  2005/08/23 23:15:40  mike
# Added su for openbsd from Shaun O'Meara also the Solaris su patch from mgt -mgt
#
# Revision 1.53  2005/05/10 23:50:01  bjorn
# Changed instance of variable $Name to $Namev to avoid conflict with cvs
#
# Revision 1.52  2005/04/22 13:55:55  bjorn
# Re-ordered some statements, by Paweł Gołaszewski
#
# Revision 1.51  2005/04/21 17:51:00  bjorn
# Handle <no address> instead of IP address
#
# Revision 1.50  2005/04/17 23:33:57  bjorn
# Added password failure checking and pam filtering from Paweł Gołaszewski and
# Paul Wolstenholme
#
# Revision 1.49  2005/02/24 17:08:05  kirk
# Applying consolidated patches from Mike Tremaine
#
# Revision 1.15  2005/02/21 19:09:52  mgt
# Bump to 5.2.8 removed some cvs logs -mgt
#
# Revision 1.14  2005/02/16 00:43:28  mgt
# Added #vi tag to everything, updated ignore.conf with comments, added emerge and netopia to the tree from Laurent -mgt
#
# Revision 1.13  2005/02/13 21:26:13  mgt
# patches from Michael Weiser -mgt
#
# Revision 1.12  2005/02/13 20:28:42  mgt
# More init corrections -mgt
#
# Revision 1.11  2005/02/13 02:27:02  mgt
# fixed uninitalized value -mgt
#
# Revision 1.10  2004/10/15 19:24:07  mgt
#  added per service flooring -mgt
#
# Revision 1.9  2004/10/06 21:40:44  mgt
# Patches from Kenneth -mgt
#
# Revision 1.8  2004/07/29 19:33:29  mgt
# Chmod and removed perl call -mgt
#
# Revision 1.7  2004/07/10 01:54:35  mgt
# sync with kirk -mgt
#
##########################################################################

#######################################################
## Copyright (c) 2008 Kirk Bauer
## Covered under the included MIT/X-Consortium License:
##    http://www.opensource.org/licenses/mit-license.php
## All modifications and contributions by other persons to
## this script are assumed to have been donated to the
## Logwatch project and thus assume the above copyright
## and licensing terms.  If you want to make contributions
## under your own copyright or a different license this
## must be explicitly stated in the contribution an the
## Logwatch project reserves the right to not accept such
## contributions.  If you have made significant
## contributions to this script and want to claim
## copyright please contact logwatch-devel@lists.sourceforge.net.
#########################################################

$Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;
#$DoLookup = $ENV{'secure_ip_lookup'};
$Ignore = $ENV{'ignore_services'} || 0;
$Summarize = $ENV{'summarize_connections'} || 0;
$ConsoleLock = 0;
$spop3d_opened=0;
$spop3d_errors=0;
$pwd_file_unknown = 0;
$pwd_file_too_short = 0;
$Executed_app = 0;
$PwdChange = 0;
$RequestKeyFailures = 0;
%OtherList = ();
%RootkitHunter = ();
use Logwatch ':ip';

while (defined($ThisLine = <STDIN>)) {
   chomp($ThisLine);
   $ThisLine =~ s/^... .. ..:..:.. [^ ]+ //;
   #Solaris ID filter -mgt
   $ThisLine =~ s/\[ID [0-9]+ [a-z]+\.[a-z]+\] //;
   my $temp = $ThisLine;
   $temp =~ s/^([^[:]+).*/$1/;
   if ($Ignore =~ /\b\Q$temp\E\b/i) { next; }

   #current sarge
   if ($ThisLine =~ /^[^ :]*:( [0-9:\[\]\.]+|) \(pam_(unix|securetty)\)/i ) {next; }

   #Woody - specific, thanks to Michael Stovenour
   if ($ThisLine =~ /^PAM_unix[\[\]0-9]*:/i ) { next; }

   if (( $ThisLine =~ /pam_succeed_if(\([a-zA-Z]*:[a-zA-Z]*\))?: requirement \"uid (<|>)=? 1000?\" (was|not) met by user /) or
      ( $ThisLine =~ /pam_rhosts_auth\[\d+\]: allowed to [^ ]+ as \w+/) or
      ( $ThisLine =~ /pam_rhosts_auth\([^\)]+\): allowed to [^ ]+ as \w+/) or
      ( $ThisLine =~ /^(.*)\(pam_unix\)/) or
      ( $ThisLine =~ /pam_unix\(.*:.*\)/) or
      ( $ThisLine =~ /pam_sss\(.*:.*\)/) or
      ( $ThisLine =~ m/^[^ ]+\[\d+\]: connect from localhost$/ ) or
      ( $ThisLine =~ /^\/usr\/bin\/sudo:/) or
      ( $ThisLine =~ /^halt:/) or
      ( $ThisLine =~ /^com.apple.SecurityServer: Succeeded authorizing right system.(preferences|login.console|login.tty|login.done|privilege.admin) by process/) or
      ( $ThisLine =~ /^pam_xauth\[\d+\]: call_xauth: child returned \d/) or
      ( $ThisLine =~ /^su\[\d+\]: pam_authenticate: Authentication failure/) or
      ( $ThisLine =~ /^passwd\[\d+\]:/) or
      ( $ThisLine =~ /^passwd: gkr-pam: .*/) or
      ( $ThisLine =~ /^reboot:/) or
      ( $ThisLine =~ /^sudo:/) or
      ( $ThisLine =~ /^su: pam_unix2: session (started|finished) for user [^ ]+, service [^ ]+/) or
      ( $ThisLine =~ /^xinetd\[\d+\]: USERID: ([^ ]+) (.+)$/ ) or
      ( $ThisLine =~ /warning: can.t get client address: Connection refused/) or
      ( $ThisLine =~ /Showing Login Window/) or
      ( $ThisLine =~ /User Authenticated: continue login process/) or
      ( $ThisLine =~ /com.apple.SecurityServer: Entering service/) or
      ( $ThisLine =~ /^(xinetd|xinetd-ipv6)\[\d+\]: EXIT: /) or
      ( $ThisLine =~ /^crond\(\w+\)\[\d+\]: session /) or
      ( $ThisLine =~ /pam_systemd\(.+:session\): Moving/) or
      ( $ThisLine =~ /^sshd\(\w+\)\[\d+\]: authentication failure/) or
      ( $ThisLine =~ /^sshd\(\w+\)\[\d+\]: check pass; user unknown/) or
      ( $ThisLine =~ /^sshd\(\w+\)\[\d+\]: session /) or
      ( $ThisLine =~ /sshd\[\d+\]: Server listening on/) or
      ( $ThisLine =~ /sshd\[\d+\]: Received signal \d+; terminating/) or
      ( $ThisLine =~ /^ipop3d\[\d+\]:/) or
      ( $ThisLine =~ /^su\[\d+\]: [+-] .+/) or
      ( $ThisLine =~ /^su\[\d+\]: FAILED su for \S+ by \S+/) or #debian: done in pam_unix
      ( $ThisLine =~ /^login\[\d+\]: ROOT LOGIN  on '\S+'/) or #debian: done in pam_unix (Similar message on other system is reported)
      ( $ThisLine =~ /^login(?:\[\d+\])?: FAILED LOGIN \(\d+\) on ['`]\S+' FOR `\S+', (Authentication failure|User not known to the underlying authentication module)/) or #debian: done in pam_unix
      ( $ThisLine =~ /^login: FAILED LOGIN 2 FROM (.*) FOR .*, (Authentication failure|User not known to the underlying authentication module)/) or
      ( $ThisLine =~ /^login: pam_securetty(.*): unexpected response from failed conversation function/) or
      ( $ThisLine =~ /^login: pam_securetty(.*): access denied: tty '.*' is not secure/) or
      ( $ThisLine =~ /^login: pam_securetty(.*): cannot determine username/) or
      ( $ThisLine =~ /^pam_limits\[\d+\]/ ) or
      ( $ThisLine =~ /^kcheckpass(\[\d+\]|):/ ) or   # done in pam_unix
      ( $ThisLine =~ /^cyrus\/lmtpd\[\d+\]: [^ ]+ server step [12]/ ) or
      ( $ThisLine =~ /^cyrus\/imapd\[\d+\]: [^ ]+ server step [12]/ ) or
      ( $ThisLine =~ /pam_timestamp: updated timestamp file/) or
      ( $ThisLine =~ /pam_timestamp\(?[^ ]*\)?: timestamp file `([^ ]+)' is only \d+ seconds old, allowing access to ([^ ]+) for user ([^ ]+)/) or
      ( $ThisLine =~ /pam_timestamp\(?[^ ]*\)?: timestamp file `([^ ]+)' (has unacceptable age \(\d+ seconds\)|is older than oldest login), disallowing access to ([^ ]+) for user ([^ ]+)/) or
      ( $ThisLine =~ /userhelper\[\d+\]: running '([^ ]+)' with [^ ]+ context/) or
      ( $ThisLine =~ /pam_timestamp\(.*:session\): updated timestamp file `\/var\/run\/sudo.*'/) or
      ( $ThisLine =~ /[^ ]*: pam_keyinit(.*:.*): Unable to change GID to [0-9]* temporarily/) or
      ( $ThisLine =~ /password check failed for user \(\S*\)/) or
      ( $ThisLine =~ /PAM pam_set_item: attempt to set conv\(\) to NULL/) or
      ( $ThisLine =~ /PAM pam_get_item: nowhere to place requested item/) or
      ( $ThisLine =~ /pam_succeed_if\(.*:.*\): error retrieving information about user [a-zA-Z]*/ ) or
      ( $ThisLine =~ /pam_selinux_permit\(.*:.*\):/ ) or
      ( $ThisLine =~ /logfile turned over/) or # newsyslog on OpenBSD
      ( $ThisLine =~ /vmware-authd\[[0-9]+\]: PAM \[error: [^ ]+ cannot open shared object file: No such file or directory\]/) or
      ( $ThisLine =~ /vmware-authd\[[0-9]+\]: PAM adding faulty module: [^ ]+/) or
      ( $ThisLine =~ /Connection closed by/) or
      ( $ThisLine =~ /Conversation error/) or
      ( $ThisLine =~ /sshd.*: Accepted \S+ for \S+ from [\d\.:a-f]+ port \d+/) or # ssh script reads this log
      ( $ThisLine =~ /userhelper.*: running (.*) with context (.*)/) or
      ( $ThisLine =~ /userhelper.*: pam_thinkfinger(.*): conversation failed/) or
      ( $ThisLine =~ /su: PAM [0-9] more authentication failure; .*/) or
      ( $ThisLine =~ /polkit-grant-helper\[\d+\]: granted authorization for [^ ]* to uid [0-9]* \[auth=.*\]/) or
      ( $ThisLine =~ /polkit-grant-helper\[\d+\]: granted authorization for [^ ]* to session .* \[uid=[0-9]*\]/) or
      ( $ThisLine =~ /polkit-grant-helper-pam\[\d+\]: pam_thinkfinger\(polkit:auth\): conversation failed/) or
      ( $ThisLine =~ /polkitd\(authority=.*\): (Unr|R)egistered Authentication Agent/) or
      ( $ThisLine =~ /polkitd\(authority=.*\): Operator of unix-session:/) or
      ( $ThisLine =~ /(gdm-session-worker|gdm-password|gnome-screensaver-dialog)\[\d+\]: gkr-pam: no password is available for user/) or
      ( $ThisLine =~ /gkr-pam: the password for the login keyring was invalid/) or
      ( $ThisLine =~ /groupadd\[\d+\]: group added to /) or    # Details in other messages
      ( $ThisLine =~ /groupmod\[\d+\]: group changed in \/etc\/gshadow /) or    # Details in other messages
      ( $ThisLine =~ /gdm-session-worker\[\d+\]: pam_namespace\(gdm:session\): Unmount of [^ ]* failed, Device or resource busy/) or
      ( $ThisLine =~ /pkexec: pam_systemd(.*): /) or
      ( $ThisLine =~ /pkexec: \S+: Executing command /) or
      ( $ThisLine =~ /su: pam_systemd(.*): Failed to parse message: /) or
      ( $ThisLine =~ /systemd-logind\[\d+\]: (New|Removed) session/)
   ) {
      # Ignore these entries
   } elsif ($ThisLine =~ /^spop3d/ || $ThisLine =~ /^pop\(\w+\)\[\d+\]:/) {
      @line=split(": ",$ThisLine);
      if ($line[1]=~/^session opened for user/) {
         $spop3d_opened++;
         @bzz=split(" ",$line[1]);
         $PopUser= $bzz[4];
         $PopLogin{$PopUser}++;
      } if ($line[1]=~/^authentication failure;/) {
         # authentication failure; logname= uid=0 euid=0 tty=
         # ruser= rhost=  user=xavier
         $spop3d_errors++;
         @bzz=split(" user=",$line[1]);
         $PopErr=$bzz[1];
         $PopErrors{$PopErr}++;
      }
   } elsif ( ($Host,$User) = ($ThisLine =~ /^login: FAILED LOGIN \d+ FROM ([^ ]+) FOR ([^,]+),/ ) ) {
      $FailedLogins->{$User}->{$Host}++;
   } elsif ( ($Service,$IP) = ($ThisLine =~ /^([^ ]+)\[\d+\]: connect(ion)? from "?(\d+\.\d+\.\d+\.\d+).*/) ) {
      $Name = LookupIP($IP);
      if ($Summarize =~ /\Q$Service\E/) {
         $Connections->{$Service}++;
      } else {
         $Connections->{$Service}->{$Name}++;
      }
   } elsif ( ($Service,$Name) = ($ThisLine =~ /^(in\.rshd)\[\d+\]: (.*)/) ) {
      if ($Summarize =~ /\Q$Service\E/) {
         $Connections->{$Service}++;
      } else {
         $Connections->{$Service}->{$Name}++;
      }
   } elsif ( ($Service,$Su_msg) = ($ThisLine =~ /^(su)(?:\[\d+\])?:\s+('su \w+' succeeded for \w+) on/) ) {
      #Solaris su messages -mgt
      $Connections->{$Service}->{$Su_msg}++;
   } elsif ( ($Service,$Su_msg) = ($ThisLine =~ /^(su)(?:\[\d+\])?:\s+succeeded: (\w+ changing from \w+ to \w+)/) ) {
      #Irix su messages -mgt
      $Connections->{$Service}->{$Su_msg}++;
   } elsif ( ($Service,$IP) = ($ThisLine =~ /^([^ ]+)\[\d+\]: refused connect from (\d+\.\d+\.\d+\.\d+)$/) ) {
      $Name = LookupIP($IP);
      $Refused->{$Service}->{$Name}++;
   } elsif ( ($Service,$Name) = ($ThisLine =~ /^([^ ]+)\[\d+\]: refused connect from (.*)$/) ) {
      $Refused->{$Service}->{$Name}++;
   } elsif ( ($Service,$Name) = ($ThisLine =~ /^([^ ]+)\[\d+\]: connect from ([^\n]+)$/) ) {
      if ($Summarize =~ /\Q$Service\E/) {
         $Connections->{$Service}++;
      } else {
         $Connections->{$Service}->{$Name}++;
      }
   } elsif ( (undef, $Service, $IP) = ($ThisLine =~ /^(xinetd|xinetd-ipv6)\[\d+\]: START: ([^ ]+) pid=\d+ from=([^\n]+)$/) ) {
      if ($Ignore =~ /\b\Q$Service\E\b/i) { next; }
      if ($Summarize =~ /\Q$Service\E/) {
         $Connections->{$Service}++;
      } else {
         # the following is intended for the <no address> string, but captures
         # all non-IP addresses
         if ($IP =~ /^[A-Fa-f\d\.:]+$/ ) {
            $Name = LookupIP($IP);
         } else {
            $Name = $IP;
         }
         $Connections->{$Service}->{$Name}++;
      }
   #Solaris inetd this works if you start "inetd -s -t" then send daemon.notice to authlog -mgt
   } elsif ( ($Service, $IP) = ($ThisLine =~ /^inetd\[\d+\]: (\w+)\[\d+\] from ([^ \n]+) \d+$/) ) {
      if ($Ignore =~ /\b\Q$Service\E\b/i) { next; }
      if ($Summarize =~ /\Q$Service\E/) {
         $Connections->{$Service}++;
      } else {
         $Name = LookupIP($IP);
         $Connections->{$Service}->{$Name}++;
      }
   } elsif ( ($Service,undef,$Name) = ($ThisLine =~ /^([^ ]+)\[\d+\]: warning: ([^ ]+), line \d+: can't verify hostname: getaddrinfo\(([^ ]+), AF_INET\) failed$/) ) {
      $NameVerifyFail{$Service}{$Name}++;
   } elsif ( ($Service,undef,$Name,$IP) = ($ThisLine =~ /^([^ ]+)\[\d+\]: warning: ([^ ]+), line \d+: host name\/name mismatch: ([^ ]+) != ([^ ]+)$/) ) {
      $NameVerifyFail{$Service}{"$Name != $IP"}++;
   } elsif ( ($Display, $User) = ($ThisLine =~ /^xscreensaver\[\d+\]: FAILED LOGIN \d ON DISPLAY \"([^ ]+)\", FOR \"([^ ]+)\"$/) ) {
      $FailedSaver->{$User}->{$Display}++;
   } elsif ( $ThisLine =~ s/^([^ ]+)\[\d+\]: warning: can\'t get client address: No route to host$/$1/ ) {
      $NoIP->{$ThisLine}++;
   } elsif ( $ThisLine =~ s/^([^ ]+)\[\d+\]: warning: can\'t get client address: Network is unreachable$/$1/ ) {
      $NoIP->{$ThisLine}++;
   } elsif ( $ThisLine =~ s/^([^ ]+)\[\d+\]: warning: can\'t get client address: Connection reset by peer$/$1/ ) {
      $NoIP->{$ThisLine}++;
   } elsif ( $ThisLine =~ s/^([^ ]+)\[\d+\]: warning: can\'t get client address: Connection timed out$/$1/ ) {
      $NoIP->{$ThisLine}++;
   } elsif ( $ThisLine =~ s/^([^ ]+)\[\d+\]: connect from unknown$/$1/ ) {
      $NoIP->{$ThisLine}++;
   } elsif ( ($Service,$Err) = ($ThisLine =~ /^([^ ]+)\[\d+\]: error: (.+)$/) ) {
      $Error{$Service}{$Err}++;
   } elsif ( ($Service,$Err) = ($ThisLine =~ /^([^ ]+): (FAILED LOGIN SESSION FROM [^ ]+ FOR ([^ ]+)?, .*)$/ ) ) {
      $Error{$Service}{$Err}++;
   } elsif ( ($Service,$Err) = ($ThisLine =~ /^([^ ]+): (password mismatch for [^ ]+ in [^ ]+):.*$/ ) ) {
      $Error{$Service}{$Err}++;
   } elsif ( ($Service,$Err) = ($ThisLine =~ /^([^ ]+)\[\d+\]: (changed POP3 password for .*)$/ ) ) {
      $Error{$Service}{$Err}++;
   } elsif ( ($Service,$Err) = ($ThisLine =~ /^(su)(?:\[\d+\])?: ('su \w+' failed for \w+)/ ) ) {
   #Solaris 10 su failed -mgt
      $Error{$Service}{$Err}++;
   } elsif ( ($Service,$Err) = ($ThisLine =~ /^(su): (FAILED SU \(to \w+\) \w+ on [^ ]+)/ ) ) {
   #SuSe su failed
      $Error{$Service}{$Err}++;
   } elsif ( ($Service,$Err) = ($ThisLine =~ /^(su): (BAD SU \w+ to \w+ on [^ ]+)/ ) ) {
   #OpenBSD su failed
      $Error{$Service}{$Err}++;
   } elsif ( $ThisLine =~ /^login(\[\d+\])*: ROOT LOGIN\s+(ON|on)\s+`?tty[0-9]+/) {
      $RootLoginTTY++
   } elsif ( $ThisLine =~ /^login(\[\d+\])*: ROOT LOGIN\s+(ON|on)\s+`?xvc[0-9]+/) {
      $RootLoginXVC++
   } elsif ( $ThisLine =~ /^com.apple.SecurityServer: authinternal authenticated user root .*/) {
      $RootLoginTTY++
   } elsif ( (undef,$User) = ($ThisLine =~ /^login: LOGIN ON (tty|pts\/)[0-9]+ BY ([^ ]+)/ )) {
      $UserLogin{$User}++;
   } elsif ( ($User,undef) = ($ThisLine =~ /^com.apple.SecurityServer: authinternal authenticated user ([^ ]+) .*/ )) {
      $UserLogin{$User}++;
   } elsif ( $ThisLine =~ s/^userdel(?:\[\d+\])?: delete user [`'](.+)'/$1/ ) {
      $DeletedUsers .= "   $ThisLine\n";
   } elsif ( $ThisLine =~ s/^(?:useradd|adduser)(?:\[\d+\])?: new user: name=(.+), (?:uid|UID)=(\d+).*$/$1 ($2)/ ) {
      $NewUsers .= "   $ThisLine\n";
   } elsif ( $ThisLine =~ s/^userdel(?:\[\d+\])?: remove(?:d)? group [`'](\S+)'( owned by \S+)?/$1/ ) {
      $DeletedGroups .= "   $ThisLine\n";
   } elsif ( $ThisLine =~ s/^groupdel(?:\[\d+\])?: remove group `(.+)'/$1/ ) {
      $DeletedGroups .= "   $ThisLine\n";
   } elsif ( $ThisLine =~ s/^(?:useradd|adduser)(?:\[\d+\])?: new group: name=(.+), (?:gid|GID)=(\d+).*$/$1 ($2)/ ) {
      $NewGroups .= "   $ThisLine\n";
   } elsif ( (undef,$User,,undef,$Group) = ($ThisLine =~ /(usermod|useradd)(?:\[\d+\])?: add [`']([^ ]+)' to (shadow ?|)group [`']([^ ]+)'/ )) {
      $AddToGroup{$Group}{$User}++;
   } elsif ( $ThisLine =~ s/^groupadd(?:\[\d+\])?: new group: name=(.+), (?:gid|GID)=(\d+).*$/$1 ($2)/ ) {
      $NewGroups .= "   $ThisLine\n";
   } elsif ( $ThisLine =~ s/^gpasswd(?:\[\d+\])?: set members of // ) {
      $SetGroupMembers .= "   $ThisLine\n";
   } elsif ( $ThisLine =~ /^(?:userdel|usermod)(?:\[\d+\])?: delete [`'](.*)' from (shadow |)group [`'](.*)'\s*$/ ) {
      push @RemoveFromGroup, "    user $1 from group $3\n";
      # This is an inetd lookup... $1 is the service (i.e. ftp), $2 is the response
      # I don't think these are important to log at this time
   } elsif ( $ThisLine =~ /^sudo: ([^\s]+) : (command not allowed)?.+ ; COMMAND=(.*)$/ ) {
      # sudo unauthorized commands
      push @SudoList, "$1: $3\n" unless ($2 eq "");
   } elsif ( $ThisLine =~ /^\/usr\/bin\/sudo: ([^\s]+) : (command not allowed)?.+ ; COMMAND=(.*)$/ ) {
      # sudo unauthorized commands
      push @SudoList, "$1: $3\n" unless ($2 eq "");
   } elsif ( ($service, $from) = ($ThisLine =~ /^xinetd\[\d+\]: FAIL: (.+) (?:address|libwrap|service_limit|connections per second) from=([\d.]+)/)) {
      if ($Ignore =~ /\b\Q$service\E\b/i) { next; }
      $Refused->{$service}->{$from}++;
   } elsif ( ($from, $service, $user) = ($ThisLine =~ /^pam_abl\[\d+\]: Blocking access from (.+) to service (.+), user (.+)/)) {
      if ($Detail >= 5) {
         $Refused->{$service}->{$from."/".$user}++;
      } else {
         $Refused->{$service}->{$from}++;
      }
   } elsif ( ($User) = ($ThisLine =~ /^chage\[\d+\]: changed password expiry for ([^ ]+)/)) {
      $PasswordExpiry{$User}++;
   } elsif ( ($User) = ($ThisLine =~ /^chfn\[\d+\]: changed user `([^ ]+)' information/)) {
      $UserInfChange{$User}++;
   } elsif ( (undef) = ($ThisLine =~ /^pam_console\[\d+\]: console file lock already in place ([^ ]+)/ )) {
      $ConsoleLock++;
   } elsif ( ($Message) = ($ThisLine =~ /^pam_xauth\[\d+\]: call_xauth: (.+)/)) {
      $XauthMessage{$Message}++;
   } elsif ( ($Group,$NewName) = ($ThisLine =~ /^groupmod\[\d+\]: change group `(.*)' to `(.*)'/)) {
      $GroupRenamed{"$Group -> $NewName"}++;
   } elsif ( $ThisLine =~ s/^groupmod\[\d+\]: group changed in \/etc\/group \(group (.+)\/(\d+)\).*/$1 ($2)/) {
      $GroupChanged{"$ThisLine"}++;
   } elsif ( $ThisLine =~ s/^groupmod\[\d+\]: group changed in \/etc\/group \(group (.+)\/\d+, new name: (.+)\).*/$1 -> $2/) {
      $GroupChanged{"$ThisLine"}++;
   } elsif ( ($Pid,$User,$Home,$NewHome) = ($ThisLine =~ /^usermod(\[\d+\])?: change user [`'](.*)' home from [`'](.*)' to [`'](.*)'/)) {
      $HomeChange{$User}{"$Home -> $NewHome"}++;
   } elsif ( ($User,$From,$To) = ($ThisLine =~ /^usermod(\[\d+\])?:change user `(.*)' UID from `(.*)' to `(.*)'/)) {
      $UidChange{"$User: $From -> $To"}++;
   } elsif ( ($User,$From,$To) = ($ThisLine =~ /^usermod(\[\d+\])?: change user `(.*)' GID from `(.*)' to `(.*)'/)) {
      $GidChange{"$User: $From -> $To"}++;
   # checkpassword-pam
   } elsif ( ($PID) = ($ThisLine =~ /^checkpassword-pam\[(\d+)\]: Reading username and password/)) {
   } elsif ( ($PID,$Username) = ($ThisLine =~ /^checkpassword-pam\[(\d+)\]: Username '([^']+)'/)) {
      $ChkPasswdPam{$PID}{'Username'} = $Username;
   } elsif ( ($PID) = ($ThisLine =~ /^checkpassword-pam\[(\d+)\]: Password read successfully/)) {
   } elsif ( ($PID,$Service) = ($ThisLine =~ /^checkpassword-pam\[(\d+)\]: Initializing PAM library using service name '([^']+)'/)) {
      $ChkPasswdPam{$PID}{'Service'} = $Service;
   } elsif ( ($PID) = ($ThisLine =~ /^checkpassword-pam\[(\d+)\]: Pam library initialization succeeded/)) {
   } elsif ( ($PID) = ($ThisLine =~ /^checkpassword-pam\[(\d+)\]: conversation\(\): msg\[0\], style PAM_PROMPT_ECHO_OFF, msg = "Password: "/)) {
   } elsif ( ($PID) = ($ThisLine =~ /^checkpassword-pam\[(\d+)\]: Authentication passed/)) {
      $ChkPasswdPam{$PID}{'Success'} = 'true';
   } elsif ( ($PID) = ($ThisLine =~ /^checkpassword-pam\[(\d+)\]: Account management succeeded/)) {
   } elsif ( ($PID) = ($ThisLine =~ /^checkpassword-pam\[(\d+)\]: Setting PAM credentials succeeded/)) {
   } elsif ( ($PID) = ($ThisLine =~ /^checkpassword-pam\[(\d+)\]: Terminating PAM library/)) {
   } elsif ( ($PID) = ($ThisLine =~ /^checkpassword-pam\[(\d+)\]: Exiting with status 0/)) {
   } elsif ( ($User) = ($ThisLine =~ /^pam_tally\[\d+\]: pam_tally: pam_get_uid; no such user ([^ ]+)/)) {
      $UnknownUser{$User}++;
   } elsif ( ($User) = ($ThisLine =~ /^pam_tally\[\d+\]: Tally overflowed for user ([^ ]+)$/)) {
      $TallyOverflow{$User}++;
   } elsif ( ($User) = ($ThisLine =~ /^pam_pwdfile\[\d+\]: user not found in password database/) ) {
      $pwd_file_unknown++;
   } elsif ( ($User) = ($ThisLine =~ /^pam_pwdfile\[\d+\]: wrong password for user ([^ ]+)/)) {
      $UnknownUser{$User}++;
   } elsif ($ThisLine =~ /^pam_pwdfile\[\d+\]: password too short or NULL/) {
      $pwd_file_too_short++;
   } elsif ( ($User,$Su) = ($ThisLine =~ /^su: ([^ ]+) to ([^ ]+) on \/dev\/ttyp([0-9a-z]+)/) ) {
      $Su_User{$User}{$Su}++;
   } elsif ( ($Su,$User) = ($ThisLine =~ /^su: \(to ([^ ]+)\) ([^ ]+) on (?:none|\/dev\/(pts\/|ttyp)([0-9]+))/) ) {
      $Su_User{$User}{$Su}++;
   } elsif ( ($Su,$User) = ($ThisLine =~ /^su\[\d+\]: Successful su for (\S+) by (\S+)/) ) {
      $Su_User{$User}{$Su}++;
   } elsif ($ThisLine =~ /^userhelper\[\d+\]: running '([^']+)' with ([^']+) privileges on behalf of '([^']+)'/) {
      $Executed_app{"$1,$2,$3"}++;
   } elsif ( ($User) = $ThisLine =~ /change user `([^']+)' password/) {
      $PwdChange{"$User"}++;
   } elsif ( ($User) = ($ThisLine =~ /^cvs: password mismatch for ([^']+): ([^']+) vs. ([^']+)/) ){
      $cvs_passwd_mismatch{$User}++;
   } elsif ( ($User,$From,$To) = ($ThisLine =~ /usermod\[[0-9]*\]: change user `([^ ]*)' shell from `([^ ]*)' to `([^ ]*)'/) ) {
      $ChangedShell{"$User,$From,$To"}++;
   } elsif ( ($Name1,$Name2) = ($ThisLine =~ /usermod\[[0-9]*\]: change user name `([^ ]*)' to `([^ ]*)'/)) {
      $ChangedUserName{"$Name1,$Name2"}++;
   } elsif (($Name,$GID) = ($ThisLine =~ /change GID for `([^ ]*)' to ([0-9]*)/)) {
      $ChangedGID{"$Name,$GID"}++;
   } elsif (($Name,$UID1,$UID2) = ($ThisLine =~ /change user `([^ ]*)' UID from `([0-9]*)' to `([^ ]*)'/)) {
      $ChangedUID{"$Name,$UID1,$UID2"}++;
   } elsif (($Module,$Service) = ($ThisLine =~ /Deprecated (pam_[^ ]*) module called from service "([^ ]*)"/)) {
      $DeprecateModule{"$Module,$Service"}++;
   } elsif ( ($Library) = ($ThisLine =~ /vmware-authd\[\d+\]: PAM unable to dlopen\(([^ ]+)\)/) ) {
      $MissingLib{"$Library"}++
   } elsif ( ($Client,$User) = ($ThisLine =~ /vmware-authd\[\d+\]: login from ([0-9\.]+) as ([^ ]+)/) ) {
      $UserLogin{$User}++;
   } elsif ( ($User) = ($ThisLine =~ /vmware-authd\[\d+\]: pam_unix_auth\(vmware-authd:auth\): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=([^ ]*)/) ) {
   } elsif ( ($User) = ($ThisLine =~ /useradd.*failed adding user [`'](.*)',/) ) {
      # useradd: failed adding user `rpcuser', data deleted
      # useradd: failed adding user `mysql', exit code: 9
      $FailedAddUsers{$User}++;
   } elsif (($User,$Reason) = ($ThisLine =~ /dovecot-auth: pam_userdb\(dovecot:auth\): user `(.*)' denied access \((.*)\)/)) {
      # dovecot-auth: pam_userdb(dovecot:auth): user `bobok' denied access (incorrect password)
      $DeniedAccess{"$User,$Reason"}++;
   } elsif ($ThisLine =~ /^request-key: Cannot find command to construct key/) {
      $RequestKeyFailures++;
   } elsif (my ($type,$from,$response,$client,$service,$e) = ($ThisLine =~ /krb5kdc\[[0-9]*\]: (AS_REQ|TGS_REQ) \([0-9]+ etypes \{[ 0-9]+}\) ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+): (ISSUE|UNKNOWN_SERVER): authtime [0-9]+, (?:etypes \{rep=[0-9]+ tkt=[0-9]+ ses=[0-9]+},)? ([^ ]+) for ([^ ,]+)(?:, )?(.*)$/)) {
     if($service=~/^krbtgt\/([^@]+)@\1/) {
        $service='Login';
     }
     if($response eq 'UNKNOWN_SERVER' && $e eq 'Server not found in Kerberos database') {
        $response=$e;
        $e='';
     }
     $KerbList{$response}{$type}{$from}{$service}{$client}{$e}++;
  } elsif (my ($type,$from,$response,$client,$service,$e) = ($ThisLine =~ /krb5kdc\[[0-9]*\]: (AS_REQ|TGS_REQ) \([0-9]+ etypes \{[ 0-9]+}\) ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+): (NEEDED_PREAUTH|PREAUTH_FAILED|CLIENT_NOT_FOUND): ([^ ]+) for ([^ ,]+)(?:, )?(.*)$/)) {
     if($service=~/^krbtgt\/([^@]+)@\1/) {
        $service='Login';
     }
     if($response eq 'CLIENT_NOT_FOUND' && $e eq 'Client not found in Kerberos database') {
        $response=$e;
        $e='';
     } elsif($response eq 'NEEDED_PREAUTH' && $e eq 'Additional pre-authentication required') {
        next unless($Detail > 9||$type ne 'AS_REQ');
        $response=$e;
        $e='';
     }
     $KerbList{$response}{$type}{$from}{$service}{$client}{$e}++;
   } elsif ($ThisLine =~ /Rootkit Hunter:/ ) {
      if ($ThisLine =~ /Please inspect this machine/) {
         $RootkitHunter{'inspect'}++;
      } elsif ($ThisLine =~ /check started/) {
         $RootkitHunter{'runs'}++;
      } elsif (my ($mins, $secs) = ($ThisLine =~ /Scanning took ([0-9]*) minutes? and ([0-9]*) seconds?/)) {
         $RootkitHunter{'time'}+= $mins*60 + $secs;
      }
   } else {
      # Unmatched entries...
      $ThisLine =~ s/\[\d+\]:/:/;
      $OtherList{$ThisLine}++;
   }
}

#######################################

if ($NewUsers) {
   print "New Users:\n$NewUsers\n";
}

if ($DeletedUsers) {
   print "Deleted Users:\n$DeletedUsers\n";
}

if (keys %FailedAddUsers) {
   print "Failed adding users:\n";
   foreach $User (keys %FailedAddUsers) {
      print "   $User: ". $FailedAddUsers{$User}. " Time(s)\n";
   }
   print"\n";
}

if ($NewGroups) {
   print "New Groups:\n$NewGroups\n";
}

if ($DeletedGroups) {
   print "Deleted Groups:\n$DeletedGroups\n";
}

if (keys %GroupRenamed) {
   print "Renamed groups:\n";
   foreach $Group (sort {$a cmp $b} keys %GroupRenamed) {
      print "   $Group\n";
   }
}

if (keys %GroupChanged) {
   print "Changed groups:\n";
   foreach $Group (sort {$a cmp $b} keys %GroupChanged) {
      print "   $Group\n";
   }
}

if (keys %AddToGroup) {
   print "\nAdded User to group:\n";
   foreach $Group (sort {$a cmp $b} keys %AddToGroup) {
      print "   $Group:\n";
      foreach $User (sort {$a cmp $b} keys %{$AddToGroup{$Group}}) {
         print "      $User\n";
      }
   }
}

if ($SetGroupMembers) {
   print "Set Members of Group:\n$SetGroupMembers\n";
}

if (@RemoveFromGroup) {
   print "\nRemoved From Group:\n".join('',@RemoveFromGroup)."\n";
}

if (keys %HomeChange) {
   print "\nChanged users home directory:\n";
   foreach $User (sort {$a cmp $b} keys %HomeChange) {
      print "   $User:\n";
      # No sorting here - show it by time...
      foreach $Home (keys %{$HomeChange{$User}}) {
         print "      $Home\n";
      }
   }
}

if (keys %UidChange) {
   print "\nChanged users UID:\n";
   foreach $Entry (sort {$a cmp $b} keys %UidChange) {
      print "   $Entry\n";
   }
}

if (keys %GidChange) {
   print "\nChanged users GID:\n";
   foreach $Entry (sort {$a cmp $b} keys %GidChange) {
      print "   $Entry\n";
   }
}

if (keys %PwdChange) {
   print "\nChanged users password:\n";
   foreach $Entry (keys %PwdChange) {
      print "   $Entry changed password: $PwdChange{$Entry} Time(s)\n";
   }
}

if (keys %UnknownUser) {
   print "\nUnknown users:\n";
   foreach $User (sort {$a cmp $b} keys %UnknownUser) {
      print "   $User : $UnknownUser{$User} Time(s)\n";
   }
}

if ($pwd_file_unknown > 0) {
   print "\nUsers unknown in password database (pwd_file): $pwd_file_unknown\n";
}

if ($pwd_file_too_short > 0) {
   print "\nPassword too short or NULL (pwd_file): $pwd_file_too_short Time(s)\n";
}

if (keys %{$Connections}) {
   print "\nConnections:\n";
   foreach $ThisOne (keys %{$Connections}) {
      if ($Summarize =~ /\Q$ThisOne\E/) {
         print "   Service " . $ThisOne . ": " . $Connections->{$ThisOne} . " Connection(s)\n";
      } else {
         my $service_check = 0;
         if ($ENV{"secure_$ThisOne"}) {
         $service_check = $ENV{"secure_$ThisOne"};
         print "   Service " . $ThisOne . " [Connection(s) more than $service_check per day]:\n";
         } else {
         print "   Service " . $ThisOne . " [Connection(s) per day]:\n";
         }
         my $Total_Con = 0;
         foreach $OtherOne (sort SortIP keys %{$Connections->{$ThisOne}}) {
            $Total_Con = $Total_Con + $Connections->{$ThisOne}->{$OtherOne};
            if ( $Connections->{$ThisOne}->{$OtherOne} >= $service_check) {
            print "      " . $OtherOne . ": " . $Connections->{$ThisOne}->{$OtherOne} . " Time(s)\n";
            }
         }
            print "      Total Connections: $Total_Con\n";
      }
   }
}

if (keys %{$Refused}) {
   print "\nRefused Connections:\n";
   foreach $ThisOne (sort {$a cmp $b} keys %{$Refused}) {
      print "   Service " . $ThisOne . ":\n";
      foreach $OtherOne (sort SortIP keys %{$Refused->{$ThisOne}}) {
         print "      " . $OtherOne . ": " . $Refused->{$ThisOne}->{$OtherOne} . " Time(s)\n";
      }
   }
}

if (keys %{$FailedLogins}) {
   print "\nFailed logins:\n";
   foreach $ThisOne (sort {$a cmp $b} keys %{$FailedLogins}) {
      print "   User " . $ThisOne . ":\n";
      foreach $OtherOne (sort {$a cmp $b} keys %{$FailedLogins->{$ThisOne}}) {
         print "      " . $OtherOne . ": " . $FailedLogins->{$ThisOne}->{$OtherOne} . " Time(s)\n";
      }
   }
}

if (keys %{$FailedSaver}) {
   print "\nFailed screensaver disable:\n";
   foreach $User (sort {$a cmp $b} keys %{$FailedSaver}) {
      print "   User $User on displays:\n";
      foreach $Display (sort {$a cmp $b} keys %{$FailedSaver->{$User}}) {
         print "      $Display : " . $FailedSaver->{$User}->{$Display} . " Time(s)\n";
      }
   }
}

if (keys %DeniedAccess) {
   print "\ndovecot-auth: Denied access\n";
   foreach (keys %DeniedAccess) {
      ($User,$Reason) = split ",";
      print "   for user " . $User . " (reason: " . $Reason . ") :" . $DeniedAccess{"$User,$Reason"} . " Time(s)\n";
   }
}

if (keys %NoIP) {
   print "\nCouldn't get client IPs for connections to:\n";
   foreach $ThisOne (sort {$a cmp $b} keys %NoIP) {
      print "   $ThisOne: $NoIP{$ThisOne} Time(s)\n";
   }
}

if (keys %NameVerifyFail) {
   print "\nHostname verification failed:\n";
   foreach $Service (sort {$a cmp $b} keys %NameVerifyFail) {
      print "   Service $Service:\n";
      foreach my $Namev (sort {$a cmp $b} keys %{$NameVerifyFail{$Service}}) {
         print "      $Namev:  $NameVerifyFail{$Service}{$Namev} Time(s)\n";
      }
   }
}

if (keys %Error) {
   print "\nErrors:\n";
   foreach $Service (sort {$a cmp $b} keys %Error) {
      print "   Service $Service:\n";
      foreach $Err (sort {$a cmp $b} keys %{$Error{$Service}}) {
         print "      $Err: $Error{$Service}{$Err} Time(s)\n";
      }
   }
}

if ($RootLoginTTY) {
   print "\nRoot logins on ttys: $RootLoginTTY Time(s).\n";
}

if ($RootLoginXVC) {
   print "\nRoot logins on xvcs: $RootLoginXVC Time(s).\n";
}

if (keys %UserLogin) {
   print "\nUser Logins:\n";
   foreach $User (sort {$a cmp $b} keys %UserLogin) {
      print "   $User : $UserLogin{$User} Time(s)\n";
   }
}

if (keys %Su_User) {
   print "\nUsers performing Su Changes:\n";
      foreach $User ( keys %Su_User) {
         print "    $User:\n";
            foreach $Su ( keys %{$Su_User{$User}}) {
               my $val = $Su_User{$User}{$Su};
               print "         $Su $val time(s)\n";
            }
     }
}

if ($ConsoleLock > 0) {
   print "\nConsole file lock already in place: $ConsoleLock Time(s).\n";
}

if (keys %PasswordExpiry) {
   print "\nChanged password expiry for users:\n";
   foreach $User (sort {$a cmp $b} keys %PasswordExpiry) {
      print "   $User : $PasswordExpiry{$User} Time(s)\n";
   }
}

if (keys %UserInfChange) {
   print "\nChanged user information:\n";
   foreach $User (sort {$a cmp $b} keys %UserInfChange) {
      print "   $User : $UserInfChange{$User} Time(s)\n";
   }
}

if (keys %XauthMessage) {
   print "\nReported by call_xauth:\n";
   foreach $Message (sort {$a cmp $b} keys %XauthMessage) {
      print "   $Message : $XauthMessage{$Message} Time(s)\n";
   }
}

if (keys %PopLogin) {
   print "\nspop3d user connections:\n";
   foreach $PopUser (sort {$a cmp $b} keys %PopLogin) {
      print "   $PopUser\:\t$PopLogin{$PopUser} Time(s)\n";
   }
}

if (keys %PopErrors) {
   print "\nspop3d  connection failures:\n";
   foreach $PopErr (sort {$a cmp $b} keys %PopErrors) {
      print "   $PopErr\:\t$PopErrors{$PopErr} Time(s)\n";
   }
}

if ($spop3d_opened > 0) {
   print "\nspop3d connections(sum):\t".$spop3d_opened."\n";
}

if ($spop3d_errors > 0) {
   print "spop3d connection errors:\t".$spop3d_errors."\n";
}

if ($#SudoList >= 0) {
   print "\nUnauthorized sudo commands attempted (" . ($#SudoList + 1) . "):\n";
   print @SudoList;
}

if (keys %ChkPasswdPam) {
   print "\ncheckpassword-pam (SUID root PAM client):\n";
   foreach $PID (sort {$a cmp $b} keys %ChkPasswdPam) {
      $ServiceUsernamePair = $ChkPasswdPam{$PID}{'Username'}.' => '.$ChkPasswdPam{$PID}{'Service'};
      if ($ChkPasswdPam{$PID}{'Success'} eq 'true') {
         $Successes{$ServiceUsernamePair}++;
      } else {
         $Failures{$ServiceUsernamePair}++;
      }
   }
   foreach $ServiceUsernamePair (sort {$a cmp $b} keys %Successes) {
      $S = $Successes{$ServiceUsernamePair} ? $Successes{$ServiceUsernamePair} : 0;
      $F = $Failures{$ServiceUsernamePair} ? $Failures{$ServiceUsernamePair} : 0;
      print "   $ServiceUsernamePair : $S success(es), $F failure(s)\n";
   }
}

if (keys %TallyOverflow) {
   print "\nTally overflowed for user:\n";
   foreach $User (sort {$a cmp $b} keys %TallyOverflow) {
      print "   $User : $TallyOverflow{$User} Time(s)\n";
   }
}

if (keys %Executed_app) {
   print "\nUserhelper executed applications:\n";
   foreach (keys %Executed_app) {
     ($longapp,$asuser,$user) = split ",";
     $app = substr($longapp,rindex($longapp,"/")+1);
     print "   $user -> $app as $asuser:  ".$Executed_app{"$longapp,$asuser,$user"}." Time(s)\n";
   }
}

if (keys %ChangedUserName) {
   print "\nChanged users names:\n";
   foreach (keys %ChangedUserName) {
     ($Name1,$Name2) = split ",";
     print "   User " . $Name1 . " change name to " . $Name2 . $ChangedUserName . "\n";
   }
}

if (keys %ChangedUID) {
   print "\nChanged UID:\n";
   foreach (keys %ChangedUID) {
     ($Name,$UID1,$UID2) = split ",";
     print "   User " . $Name . " changed UID from " . $UID1 . " to " . $UID2 . "\n";
   }
}

if (keys %ChangedShell) {
   print "\nChanged users default login shell: \n";
   foreach (keys %ChangedShell) {
     ($User,$From,$To) = split ",";
     print "   User " . $User . " change shell from " . $From . " to " . $To . ": " . $ChangedShell{"$User,$From,$To"} . " Time(s)\n";
   }

}

if (keys %ChangedGID) {
   print "\nChanged GID:\n";
   foreach (keys %ChangedGID) {
      ($Name,$GID) = split ",";
       print "   Group " . $Name . " change GID to " . $GID . "\n";
   }
}

if (keys %cvs_passwd_mismatch) {
   print "\ncvs:";
   print "\n   Authentication Failures:\n";
   foreach $User (keys %cvs_passwd_mismatch) {
      print "      $User : $cvs_passwd_mismatch{$User} Time(s)\n";
   }
}

if (keys %DeprecateModule){
   print "\nDeprecated pam module:\n";
   foreach (keys %DeprecateModule) {
      ($Module,$Service) = split ",";
      print "   deprecated module $Module called from service $Service: " . $DeprecateModule{"$Module,$Service"} . " Time(s)\n";
   }
}


if ($RequestKeyFailures) {
   print "\nRequest Key Failures (nfs-utils/kernel mismatch): $RequestKeyFailures Time(s)\n";
}

if (keys %KerbList) {
   print "\nKerberos Entries:\n";
   foreach my $response (sort {$a cmp $b} keys %KerbList) {
      print "   $response:\n";
      foreach my $type (sort {$a cmp $b} keys %{$KerbList{$response}}) {
        print "      $type:\n";
        foreach my $from (sort {$a cmp $b} keys %{$KerbList{$response}{$type}}) {
           print "         $from:\n";
           foreach my $service (sort {$a cmp $b} keys %{$KerbList{$response}{$type}{$from}}) {
              print "            $service:\n";
              foreach my $client (sort {$a cmp $b} keys %{$KerbList{$response}{$type}{$from}{$service}}) {
                 if(scalar(keys %{$KerbList{$response}{$type}{$from}{$service}{$client}})==1&&defined($KerbList{$response}{$type}{$from}{$service}{$client}{''})){
                    print "                  $client: $KerbList{$response}{$type}{$from}{$service}{$client}{''} Time(s)\n";
                 }else{
                    print "               $client:\n";
                    foreach my $e (sort {$a cmp $b} keys %{$KerbList{$response}{$type}{$from}{$service}{$client}}) {
                       print "                  $e: $KerbList{$response}{$type}{$from}{$service}{$client}{$e} Time(s)\n";
                    }
                 }
              }
           }
        }
      }
   }
}

if (keys %RootkitHunter) {
   use integer;
   my ($mins, $secs) = ($RootkitHunter{'time'} / 60, $RootkitHunter{'time'} % 60);
   print "\nRootkitHunter:\n";
   print "   Runs: $RootkitHunter{'runs'}\n";
   print "   Suggested Inspection: $RootkitHunter{'inspect'} Time(s)\n";
   print "   Total Runtime: $mins minute(s) $secs second(s)\n";
}

if (keys %OtherList) {
   print "\n**Unmatched Entries**\n";
   foreach $line (sort {$a cmp $b} keys %OtherList) {
      print "   $line: $OtherList{$line} Time(s)\n";
   }
}

if (keys %MissingLib) {
   print "\n Missing libraries:\n";
   foreach $Lib (keys %MissingLib) {
      print "   $Lib : $MissingLib{$Lib} Time(s)\n";
   }
}

exit(0);

# vi: shiftwidth=3 tabstop=3 syntax=perl et
# Local Variables:
# mode: perl
# perl-indent-level: 3
# indent-tabs-mode: nil
# End: