authorEugeni Dodonov <eugeni@mandriva.org>2009-06-23 20:52:47 +0000
committerEugeni Dodonov <eugeni@mandriva.org>2009-06-23 20:52:47 +0000
commit1f56baceee8d86b84c07227b6a6bfe9a95b6b123 (patch)
treed44a3c9a87f3d812687f08a32e7d98dbe4c2e9a5
parentc34ef5f3c13e691056c6a59b6b945d87c678b710 (diff)
Add support for FIX_UNOWNED to allow changing the owner and group of
unowned files (#51791).
-rw-r--r--conf/level.secure1
-rw-r--r--conf/level.standard1
-rwxr-xr-xcron-sh/security_check.sh4
-rw-r--r--src/msec/config.py3
-rwxr-xr-xsrc/msec/libmsec.py4
5 files changed, 12 insertions, 1 deletions
diff --git a/conf/level.secure b/conf/level.secure
index 89c7726..6b6dc25 100644
--- a/conf/level.secure
+++ b/conf/level.secure
@@ -26,6 +26,7 @@ ENABLE_PAM_WHEEL_FOR_SU=yes
CHECK_SHADOW=yes
ALLOW_ROOT_LOGIN=no
CHECK_UNOWNED=yes
+FIX_UNOWNED=yes
ENABLE_CONSOLE_LOG=no
ALLOW_USER_LIST=no
ENABLE_DNS_SPOOFING_PROTECTION=yes
diff --git a/conf/level.standard b/conf/level.standard
index bf4b0f5..6d0d952 100644
--- a/conf/level.standard
+++ b/conf/level.standard
@@ -26,6 +26,7 @@ ENABLE_PAM_WHEEL_FOR_SU=no
CHECK_SHADOW=yes
ALLOW_ROOT_LOGIN=yes
CHECK_UNOWNED=no
+FIX_UNOWNED=yes
ENABLE_CONSOLE_LOG=yes
ALLOW_USER_LIST=yes
ENABLE_DNS_SPOOFING_PROTECTION=yes
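Review bot: `FIX_UNOWNED=yes` is added directly under `CHECK_UNOWNED=no`, and the security_check.sh part of this commit runs the chown/chgrp only inside the `CHECK_UNOWNED == yes` branch, so as far as this commit shows the new setting never takes effect in the standard level. If that is intended, a comment next to it such as `# FIX_UNOWNED only applies when CHECK_UNOWNED=yes` keeps the next reader from expecting unowned files to be re-owned on standard systems; otherwise set it to `no` here so the level reads consistently.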
diff --git a/cron-sh/security_check.sh b/cron-sh/security_check.sh
index bbff82a..fe1418b 100755
--- a/cron-sh/security_check.sh
+++ b/cron-sh/security_check.sh
@@ -40,7 +40,9 @@ if [[ ${CHECK_UNOWNED} == yes ]]; then
printf "\t( theses files now have user \"nobody\" as their owner. )\n" >> ${SECURITY}
cat ${UNOWNED_USER_TODAY} | awk '{print "\t\t- " $0}' >> ${SECURITY}
cat ${UNOWNED_USER_TODAY} | while read line; do
+ if [[ ${FIX_UNOWNED} == yes ]]; then
chown nobody "${line}"; # Use quote if filename contain space.
+ fi
done
fi
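Review bot: The report line `theses files now have user "nobody" as their owner` at the top of the hunk is still written unconditionally, so with `FIX_UNOWNED=no` the security mail claims the files were re-owned when the chown was skipped. Print that line only under the same `[[ ${FIX_UNOWNED} == yes ]]` test and otherwise emit something like `printf "\t( set FIX_UNOWNED=yes to change their owner to \"nobody\". )\n" >> ${SECURITY}`; the typo "theses" could be fixed at the same time. The new test is also evaluated once per file inside the loop; wrapping the whole `cat ... | while read line; do chown ...; done` in the `if` evaluates it once, and `chown -h nobody "${line}"` would keep a symlink in the list from re-owning its target. The enclosing `if [[ ${CHECK_UNOWNED} == yes ]]` block starts before this hunk.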
@@ -49,7 +51,9 @@ if [[ ${CHECK_UNOWNED} == yes ]]; then
printf "\t( theses files now have group \"nogroup\" as their group owner. )\n" >> ${SECURITY}
cat ${UNOWNED_GROUP_TODAY} | awk '{print "\t\t- " $0}' >> ${SECURITY}
cat ${UNOWNED_GROUP_TODAY} | while read line; do
+ if [[ ${FIX_UNOWNED} == yes ]]; then
chgrp nogroup "${line}"; # Use quote if filename contain space.
+ fi
done
fi
fi
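Review bot: `chgrp nogroup "${line}"` (like the chown in the previous hunk) dereferences symbolic links, so if the unowned list ever contains a link, or a listed path is replaced by one between the scan and this loop in a world-writable directory, the group of the link target is changed rather than the link; `chgrp -h nogroup "${line}"` operates on the link itself. The `while read line` loop also strips backslashes and leading/trailing whitespace from filenames, so `while IFS= read -r line; do` is the safer form now that the action is gated. Where `UNOWNED_GROUP_TODAY` is built is outside this hunk, so whether links can appear in it cannot be confirmed from here.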
diff --git a/src/msec/config.py b/src/msec/config.py
index 37880e7..212b327 100644
--- a/src/msec/config.py
+++ b/src/msec/config.py
@@ -61,6 +61,7 @@ SETTINGS = {'BASE_LEVEL': ("libmsec.base_level",
'CHECK_SGID' : ("libmsec.check_sgid", ['yes', 'no']),
'CHECK_WRITABLE' : ("libmsec.check_writable", ['yes', 'no']),
'CHECK_UNOWNED' : ("libmsec.check_unowned", ['yes', 'no']),
+ 'FIX_UNOWNED' : ("libmsec.fix_unowned", ['yes', 'no']),
'CHECK_PROMISC' : ("libmsec.check_promisc", ['yes', 'no']),
'CHECK_OPEN_PORT' : ("libmsec.check_open_port", ['yes', 'no']),
'CHECK_PASSWD' : ("libmsec.check_passwd", ['yes', 'no']),
@@ -125,7 +126,7 @@ SETTINGS_NETWORK = ["ACCEPT_BOGUS_ERROR_RESPONSES", "ACCEPT_BROADCASTED_ICMP_ECH
]
# periodic checks
SETTINGS_PERIODIC = ["CHECK_PERMS", "CHECK_USER_FILES", "CHECK_SUID_ROOT", "CHECK_SUID_MD5", "CHECK_SGID",
- "CHECK_WRITABLE", "CHECK_UNOWNED", "CHECK_PROMISC", "CHECK_OPEN_PORT", "CHECK_PASSWD",
+ "CHECK_WRITABLE", "CHECK_UNOWNED", "FIX_UNOWNED", "CHECK_PROMISC", "CHECK_OPEN_PORT", "CHECK_PASSWD",
"CHECK_SHADOW", "CHECK_CHKROOTKIT", "CHECK_RPM", "CHECK_SHOSTS", "TTY_WARN", "SYSLOG_WARN",
"MAIL_EMPTY_CONTENT",
]
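Review bot: `FIX_UNOWNED` is registered as an independent yes/no setting, but nothing here records that it only has an effect when `CHECK_UNOWNED` is `yes` (the shell script in this commit runs the chown/chgrp only inside that branch), so a level can enable it and never fix anything. A short comment on the new entry, `# only applied by security_check.sh when CHECK_UNOWNED is 'yes'`, would document the dependency; if the settings layer supports cross-setting validation that would be the place to enforce it, though that cannot be seen from this hunk.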
diff --git a/src/msec/libmsec.py b/src/msec/libmsec.py
index 162cf01..5d5d232 100755
--- a/src/msec/libmsec.py
+++ b/src/msec/libmsec.py
@@ -1420,6 +1420,10 @@ class MSEC:
""" Enable checking for unowned files."""
pass
+ def fix_unowned(self, param):
+ """ Fix owner and group of unowned files to use nobody/nogroup."""
+ pass
+
def check_open_port(self, param):
""" Enable checking for open network ports."""
pass
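Review bot: The docstring on the new `fix_unowned` stub is the only description the setting gets in this file, and it does not say that the change is applied to files on disk by the periodic cron check nor that it is ignored unless `CHECK_UNOWNED` is enabled (per the shell script in this commit). Suggest `""" Fix owner and group of unowned files to use nobody/nogroup. Applied by the periodic check; has no effect unless CHECK_UNOWNED is enabled."""`. The body is `pass` like the neighbouring methods, which looks like the pattern for settings handled outside this class, but that is inferred from the siblings rather than shown here.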