author | Yoann Vandoorselaere <yoann@mandriva.com> | 1999-12-06 18:11:39 +0000 |
---|---|---|
committer | Yoann Vandoorselaere <yoann@mandriva.com> | 1999-12-06 18:11:39 +0000 |
commit | 74055382de3e44e81bf084d08883e7a9e5b90b04 (patch) | |
tree | 506dc12e505459cc3e1b79c0bf965e77b14f81db | |
parent | 81fd9c016d08d9f26cb784dff1049a967b209a01 (diff) | |
*** empty log message ***
-rwxr-xr-x | cron-sh/file_check.sh | 416 | ||||
-rwxr-xr-x | cron-sh/security_check.sh | 279 | ||||
-rw-r--r-- | doc/msec.spec | 14 | ||||
-rwxr-xr-x | init-sh/custom.sh | 2 | ||||
-rwxr-xr-x | init-sh/level1.sh | 6 | ||||
-rwxr-xr-x | init-sh/level2.sh | 4 | ||||
-rwxr-xr-x | init-sh/level3.sh | 4 | ||||
-rwxr-xr-x | init-sh/level4.sh | 4 | ||||
-rwxr-xr-x | init-sh/level5.sh | 4 | ||||
-rw-r--r-- | init-sh/lib.sh | 1 |
10 files changed, 443 insertions, 291 deletions
diff --git a/cron-sh/file_check.sh b/cron-sh/file_check.sh
index f91dce3..60a87e5 100755
--- a/cron-sh/file_check.sh
+++ b/cron-sh/file_check.sh
@@ -15,8 +15,6 @@ if [ SECURITY_CHECK == "no" ]; then
 exit 0
 fi
 
-OUT=./blah
-
 # Modified filters coming from debian security scripts.
 CS_NFSAFS='(nfs|afs|xfs|coda)'
 CS_TYPES=' type (devpts|auto|proc|msdos|fat|vfat|iso9660|ncpfs|smbfs|'$CS_NFSAFS')'
@@ -26,47 +24,45 @@ FILTERS="$CS_TYPES|$CS_DEVS|$CS_DIRS" DIR=`mount | grep -vE "$FILTERS" | cut -d ' ' -f3` ### -SUID_ROOT_TODAY=/var/log/security/suid_root.today -SUID_ROOT_YESTERDAY=/var/log/security/suid_root.yesterday -SUID_ROOT_DIFF=/var/log/security/suid_root.diff -SUID_GROUP_TODAY=/var/log/security/suid_group.today -SUID_GROUP_YESTERDAY=/var/log/security/suid_group.yesterday -SUID_GROUP_DIFF=/var/log/security/suid_group.diff -WRITABLE_TODAY=/var/log/security/writable.today -WRITABLE_YESTERDAY=/var/log/security/writable.yesterday -WRITABLE_DIFF=/var/log/security/writable.diff -UNOWNED_TODAY=/var/log/security/unowned.today -UNOWNED_YESTERDAY=/var/log/security/unowned.yesterday -UNOWNED_DIFF=/var/log/security/unowned.diff -PASSWD_TODAY=/var/log/security/passwd.today -PASSWD_YESTERDAY=/var/log/security/passwd.yesterday -PASSWD_DIFF=/var/log/security/passwd.diff -SHADOW_TODAY=/var/log/security/shadow.today -SHADOW_YESTERDAY=/var/log/security/shadow.yesterday -SHADOW_DIFF=/var/log/security/shadow.diff -HOST_TODAY=/var/log/security/hosts.today -HOST_YESTERDAY=/var/log/security/hosts.yesterday -HOST_DIFF=/var/log/security/hosts.diff -SUID_MD5_TODAY=/var/log/security/suid_md5.today -SUID_MD5_YESTERDAY=/var/log/security/suid_md5.yesterday -SUID_MD5_DIFF=/var/log/security/suid_md5.diff -OPEN_PORT_TODAY=/var/log/security/open_port.today -OPEN_PORT_YESTERDAY=/var/log/security/open_port.yesterday -OPEN_PORT_DIFF=/var/log/security/open_port.diff +SUID_ROOT_TODAY="/var/log/security/suid_root.today" +SUID_ROOT_YESTERDAY="/var/log/security/suid_root.yesterday" +SUID_ROOT_DIFF="/var/log/security/suid_root.diff" +SUID_GROUP_TODAY="/var/log/security/suid_group.today" +SUID_GROUP_YESTERDAY="/var/log/security/suid_group.yesterday" +SUID_GROUP_DIFF="/var/log/security/suid_group.diff" +SUID_MD5_TODAY="/var/log/security/suid_md5.today" +SUID_MD5_YESTERDAY="/var/log/security/suid_md5.yesterday" +SUID_MD5_DIFF="/var/log/security/suid_md5.diff" 
+OPEN_PORT_TODAY="/var/log/security/open_port.today" +OPEN_PORT_YESTERDAY="/var/log/security/open_port.yesterday" +OPEN_PORT_DIFF="/var/log/security/open_port.diff" +WRITEABLE_TODAY="/var/log/security/writeable.today" +WRITEABLE_YESTERDAY="/var/log/security/writeable.yesterday" +WRITEABLE_DIFF="/var/log/security/writeable.diff" +UNOWNED_TODAY="/var/log/security/unowned.today" +UNOWNED_YESTERDAY="/var/log/security/unowned.yesterday" +UNOWNED_DIFF="/var/log/security/unowned.diff" + +SECURITY_LOG="/var/log/security.log" +TMP="/tmp/secure.tmp" if [ ! -d /var/log/security ]; then mkdir /var/log/security fi -chattr -a /var/log/security/ -chattr -a /var/log/security/* +chattr -a /var/log/security/ >& /dev/null +chattr -a /var/log/security/* >& /dev/null + +rm -f ${TMP} ${SECURITY_TMP} >& /dev/null ### Functions ### Syslog() { - if [ $SYS_LOG=="yes" ]; then - /sbin/initlog --string="$1" - fi + if [ $SYS_LOG=="yes" ]; then + cat ${1} | while read line; do + /sbin/initlog --string="${line}" + done + fi } Ttylog() { 
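Review bot: `TMP="/tmp/secure.tmp"` is a fixed, world-known path that this root cron job first `rm -f`s and then appends to with `>> ${TMP}`, so between runs any local user can pre-create that name (or a symlink at it) and have root's report written through it; the new security_check.sh introduces the same pattern with `/tmp/secure.log` and `/tmp/secure.tmp`. Since the script already creates and manages `/var/log/security`, keep the scratch file there (`TMP="/var/log/security/secure.tmp"`) or create it with `mktemp` and remove it from an EXIT trap. Separately, `rm -f ${TMP} ${SECURITY_TMP}` names `SECURITY_TMP`, which is never assigned; if `SECURITY_LOG` was meant, deleting the persistent log on every run looks unintended, so the second operand should probably just be dropped. The rewritten `Syslog` now treats its argument as a file (`cat ${1} | while read line`) rather than a message string, which deserves a header comment such as `# Syslog FILE: send each line of FILE to initlog` since callers of the old form would silently log the literal text as a filename error.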
@@ -80,84 +76,110 @@ Ttylog() { ################## -### New Suid root file detection ### -if [ $CHECK_SUID_ROOT=="yes" ]; then - if [ -f $SUID_ROOT_TODAY ]; then - mv $SUID_ROOT_TODAY $SUID_ROOT_YESTERDAY +### New Suid root files detection +if [ ${CHECK_SUID_ROOT}=="yes" ]; then + + if [ -f ${SUID_ROOT_TODAY} ]; then + mv ${SUID_ROOT_TODAY} ${SUID_ROOT_YESTERDAY} fi - find $DIR -xdev -type f -perm +04000 -user root \ - -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" | sort > $SUID_ROOT_TODAY + find ${DIR} -xdev -type f -perm +04000 -user root \ + -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" | sort > ${SUID_ROOT_TODAY} - if [ -f $SUID_ROOT_YESTERDAY ]; then - if ! diff $SUID_ROOT_YESTERDAY $SUID_ROOT_TODAY > $SUID_ROOT_DIFF; then - Syslog "Change in Suid Root file found, please consult $SUID_ROOT_DIFF" - Ttylog "\\033[1;31mChange in Suid Root file found !\\033[0;39m" - Ttylog "\\033[1;31mPlease consult $SUID_ROOT_DIFF\\033[0;39m" + if [ -f ${SUID_ROOT_YESTERDAY} ]; then + if ! diff -u ${SUID_ROOT_YESTERDAY} ${SUID_ROOT_TODAY} > ${SUID_ROOT_DIFF}; then + printf "\nSecurity Warning: Change in Suid Root files found :\n" >> ${TMP} + grep '^+' ${SUID_ROOT_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do + printf "\t\t- Added suid root files : ${file}.\n" >> ${TMP} + done + grep '^-' ${SUID_ROOT_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do + printf "\t\t- Removed suid root files : ${file}.\n" >> ${TMP} + done fi fi fi -############################# - -### New Suid group file detection ### -if [ $CHECK_SUID_GROUP ]; then - if [ -f $SUID_GROUP_TODAY ]; then - mv $SUID_GROUP_TODAY $SUID_GROUP_YESTERDAY +### New Suid group files detection +if [ ${CHECK_SUID_GROUP} ]; then + if [ -f ${SUID_GROUP_TODAY} ]; then + mv ${SUID_GROUP_TODAY} ${SUID_GROUP_YESTERDAY} fi - find $DIR -xdev -type f -perm +02000 \ - -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" | sort > $SUID_GROUP_TODAY + find ${DIR} -xdev -type 
f -perm +02000 \ + -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" | sort > ${SUID_GROUP_TODAY} - if [ -f $SUID_GROUP_YESTERDAY ]; then - if ! diff $SUID_GROUP_YESTERDAY $SUID_GROUP_TODAY > $SUID_GROUP_DIFF; then - Syslog "Change in Suid Group file found, please consult $SUID_GROUP_DIFF" - Ttylog "\\033[1;31mChange in Suid Group file found !\\033[0;39m" - Ttylog "\\033[1;31mPlease consult $SUID_GROUP_DIFF\\033[0;39m" + if [ -f ${SUID_GROUP_YESTERDAY} ]; then + if ! diff -u ${SUID_GROUP_YESTERDAY} ${SUID_GROUP_TODAY} > ${SUID_GROUP_DIFF}; then + printf "\nSecurity Warning: Changes in Suid Group files found :\n" >> ${TMP} + grep '^+' ${SUID_GROUP_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do + printf "\t\t- Added suid group files : ${file}.\n" >> ${TMP} + done + grep '^-' ${SUID_GROUP_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do + printf "\t\t- Removed suid group files : ${file}.\n" >> ${TMP} + done fi fi fi -############################# -### Writable file detection ### +### Writable files detection +if [ ${CHECK_WRITEABLE}=="yes" ]; then -if [ $CHECK_WRITABLE=="yes" ]; then - if [ -f $WRITABLE_TODAY ]; then - mv $WRITABLE_TODAY $WRITABLE_YESTERDAY + if [ -f ${WRITEABLE_TODAY} ]; then + mv -f ${WRITEABLE_TODAY} ${WRITEABLE_YESTERDAY} fi - find $DIR -xdev -type f -perm -2 \ - -ls -print | sort > $WRITABLE_TODAY + find ${DIR} -xdev -type f -perm -2 -ls -print | sort > ${WRITEABLE_TODAY} - if [ -f $WRITABLE_YESTERDAY ]; then - if ! diff $WRITABLE_YESTERDAY $WRITABLE_TODAY > $WRITABLE_DIFF; then - Syslog "Change in World Writable File found, please consult $WRITABLE_DIFF" - Ttylog "\\033[1;31mChange in World Writable File found !\\033[0;39m" - Ttylog "\\033[1;31mPlease consult $WRITABLE_DIFF\\033[0;39m" + if [ -f ${WRITEABLE_YESTERDAY} ]; then + if ! 
diff -u ${WRITEABLE_YESTERDAY} ${WRITEABLE_TODAY} > ${WRITEABLE_DIFF}; then + printf "\nSecurity Warning: Change in World Writeable Files found :\n" >> ${TMP} + grep '^+' ${WRITEABLE_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do + printf "\t\t- Added writables files : ${file}.\n" >> ${TMP} + done + grep '^-' ${WRITEABLE_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do + printf "\t\t- Removed writables files : ${file}.\n" >> ${TMP} + done fi fi fi -################################# -### Search Un Owned file ### -if [ $CHECK_UNOWNED=="yes" ]; then - if [ -f $UNOWNED_TODAY ]; then - mv $UNOWNED_TODAY $UNOWNED_YESTERDAY +### Search Non Owned files +if [ ${CHECK_UNOWNED}=="yes" ]; then + + if [ -f ${UNOWNED_TODAY} ]; then + mv -f ${UNOWNED_TODAY} ${UNOWNED_YESTERDAY} fi - find $DIR -xdev -nouser -o -nogroup -print \ - -ls | sort > $UNOWNED_TODAY + find ${DIR} -xdev -nouser -print -ls | sort > ${UNOWNED_TODAY} + + if [ -f ${UNOWNED_YESTERDAY} ]; then + if ! diff -u ${UNOWNED_YESTERDAY} ${UNOWNED_TODAY} > ${UNOWNED_DIFF}; then + printf "\nSecurity Warning: the following files aren't owned by an user :\n" >> ${TMP} + grep '^+' ${UNOWNED_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do + printf "\t\t- Added un-owned files : ${file}.\n" >> ${TMP} + done + grep '^-' ${UNOWNED_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do + printf "\t\t- Removed un-owned files : ${file}.\n" >> ${TMP} + done + fi + fi + + find ${DIR} -xdev -nogroup -print -ls | sort >> ${UNOWNED_TODAY} - if [ -f $UNOWNED_YESTERDAY ]; then - if ! diff $UNOWNED_YESTERDAY $UNOWNED_TODAY; then - Syslog "Change in Un-Owned file user/group, please consult $UNOWNED_DIFF" - Ttylog "\\033[1;31mChange in Un-Owned file user/group found !\\033[0;39m" - Ttylog "\\033[1;31mPlease consult $UNOWNED_DIFF\\033[0;39m" + if [ -f ${UNOWNED_YESTERDAY} ]; then + if ! 
diff -u ${UNOWNED_YESTERDAY} ${UNOWNED_TODAY} > ${UNOWNED_DIFF}; then + printf "\nSecurity Warning: the following files aren't owned by a group :\n" >> ${TMP} + grep '^+' ${UNOWNED_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do + printf "\t\t- Added un-owned files : ${file}.\n" >> ${TMP} + done + grep '^-' ${UNOWNED_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do + printf "\t\t- Removed un-owned files : ${file}.\n" >> ${TMP} + done fi fi fi -########## Md5 check for SUID root file ######### +### Md5 check for SUID root file if [ ${CHECK_SUID_MD5}=="yes" ]; then if [ -f ${SUID_MD5_TODAY} ]; then mv ${SUID_MD5_TODAY} ${SUID_MD5_YESTERDAY} 
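Review bot: `if [ ${CHECK_SUID_ROOT}=="yes" ]; then` (and the CHECK_WRITEABLE and CHECK_UNOWNED tests in this hunk) is a one-word test — `[ word ]` is true whenever the word is non-empty — so every check runs regardless of the configured value; the same construct appears throughout the new security_check.sh (`CHECK_WRITEABLE`, `CHECK_UNOWNED`, `CHECK_PERMISSIONS`, `CHECK_SECURITY`, ...). Write it as `if [ "${CHECK_SUID_ROOT}" = "yes" ]; then`. The writable and unowned lists come from `find ... -ls -print`, whose `-ls` line carries the path in field 11 (and `-print` adds a bare path line), so `awk '{print $12}'` yields an empty name there and the report reads `- Added writables files : .`; `$12` is only correct for the `-printf` format used by the suid checks. In the `-nouser` block the header filters are swapped (`grep '^+' ... | grep -vw "^--- "`), so the `+++` header line leaks into the added list, and because the `-nogroup` results are appended to `${UNOWNED_TODAY}` only after the first diff, each run's first comparison sees yesterday's nogroup entries as removed. The Md5 block at the end of this hunk continues past it.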
@@ -170,87 +192,20 @@ if [ ${CHECK_SUID_MD5}=="yes" ]; then done if [ -f ${SUID_MD5_YESTERDAY} ]; then - if ! diff ${SUID_MD5_YESTERDAY} ${SUID_MD5_TODAY} 1> ${SUID_MD5_DIFF}; then - Syslog "Warning, the md5 checksum for one of your SUID files has changed..." - Syslog "Maybe an intruder modified one of these suid binary in order to put in a backdoor..." - Syslog "Please consult ${SUID_MD5_DIFF}." - Ttylog "Warning, the md5 checksum for one of your SUID files has changed..." - Ttylog "Maybe an intruder modified one of these suid binary in order to put in a backdoor..." - Ttylog "Please consult ${SUID_MD5_DIFF}." - fi - fi -fi -################################################## - -#### Passwd check #### -if [ ${CHECK_PASSWD}=="yes" ]; then - if [ -f ${PASSWD_TODAY} ]; then - mv ${PASSWD_TODAY} ${PASSWD_YESTERDAY}; - fi - - awk -F: '{ - if ( $2 == "" ) - printf("/etc/passwd:%d: User \"%s\" has no password !\n", FNR, $1); - else if ($2 !~ /^[x*!]+$/) - printf("/etc/passwd:%d: User \"%s\" has a real password (it is not shadowed).\n", FNR, $1); - }' < /etc/passwd > ${PASSWD_TODAY} - - if [ -f ${PASSWD_YESTERDAY} ]; then - if ! diff ${PASSWD_YESTERDAY} ${PASSWD_TODAY} 1> ${PASSWD_DIFF}; then - Syslog `cat ${PASSWD_DIFF}` - Ttylog `cat ${PASSWD_DIFF}` - fi - fi -fi -###################### - -#### Shadow Check #### -if [ ${CHECK_SHADOW}=="yes" ]; then - if [ -f ${SHADOW_TODAY} ]; then - mv -f ${SHADOW_TODAY} ${SHADOW_YESTERDAY}; - fi - - awk -F: '{ - if ( $2 == "" ) - printf("/etc/shadow:%d: User \"%s\" has no password !\n", FNR, $1); - }' < /etc/shadow > ${SHADOW_TODAY} - - if [ -f ${SHADOW_YESTERDAY} ]; then - if ! 
diff ${SHADOW_YESTERDAY} ${SHADOW_TODAY} 1> ${SHADOW_DIFF}; then - Syslog `cat ${SHADOW_DIFF}` - Ttylog `cat ${SHADOW_DIFF}` - fi - fi -fi - -#### .[sr]hosts check #### -if [ ${CHECK_RHOST}=="yes" ]; then - if [ -f ${HOST_TODAY} ]; then - mv -f ${HOST_TODAY} ${HOST_YESTERDAY}; - fi - - awk -F: '{print $1" "$6}' /etc/passwd | - while read username homedir; do - for file in .rhosts .shosts; do - if [ -s ${homedir}/${file} ] ; then - rhost=`ls -lcdg ${homedir}/${file}` - printf "${username}: ${rhost}\n" - if grep "+" ${homedir}/${file} > /dev/null ; then - printf "\tThere is a (+) character in ${file} : this is a *big* security problem \!\n" - fi - fi + if ! diff -u ${SUID_MD5_YESTERDAY} ${SUID_MD5_TODAY} > ${SUID_MD5_DIFF}; then + printf "\nSecurity Warning: the md5 checksum for one of your SUID files has changed,\n" >> ${TMP} + printf "\tmaybe an intruder modified one of these suid binary in order to put in a backdoor...\n" >> ${TMP} + grep '^+' ${SUID_MD5_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $2}' | while read file; do + printf "\t\t- Changed ( added ) files : ${file}.\n" >> ${TMP} + done + grep '^-' ${SUID_MD5_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $2}' | while read file; do + printf "\t\t- Changed ( removed ) files : ${file}.\n" >> ${TMP} done - done > ${HOST_TODAY} - - if [ -f ${HOST_YESTERDAY} ]; then - if ! diff ${HOST_YESTERDAY} ${HOST_TODAY} 1> ${HOST_DIFF}; then - Syslog `cat ${HOST_DIFF}` - Ttylog `cat ${HOST_DIFF}` fi fi fi -### Network check ### +### Changed open port if [ ${CHECK_OPEN_PORT}=="yes" ]; then if [ -f ${OPEN_PORT_TODAY} ]; then mv -f ${OPEN_PORT_TODAY} ${OPEN_PORT_YESTERDAY} 
@@ -259,139 +214,28 @@ if [ ${CHECK_OPEN_PORT}=="yes" ]; then netstat -pvlA inet > ${OPEN_PORT_TODAY}; if [ -f ${OPEN_PORT_YESTERDAY} ]; then - if ! diff ${OPEN_PORT_YESTERDAY} ${OPEN_PORT_TODAY} 1> ${OPEN_PORT_DIFF}; then - Syslog "There is a new port listening on your machine..." - Syslog "Please consult ${OPEN_PORT_DIFF} for security purpose..." - Ttylog "There is a new port listening on your machine..." - Ttylog "Please consult ${OPEN_PORT_DIFF} for security purpose..." + if ! diff -u ${OPEN_PORT_YESTERDAY} ${OPEN_PORT_TODAY} 1> ${OPEN_PORT_DIFF}; then + printf "\nSecurity Warning: There is a new port listening on your machine :\n" >> ${TMP} + grep '^+' ${OPEN_PORT_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do + printf "\t\t- Opened ports : ${file}.\n" >> ${TMP} + done + grep '^-' ${OPEN_PORT_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do + printf "\t\t- Closed ports : ${file}.\n" >> ${TMP} + done fi fi fi -### /etc/exports check ### - -# File systems should not be globally exported. -if [ -s /etc/exports ] ; then - awk '{ - if (($1 ~ /^#/) || ($1 ~ /^$/)) next; - readonly = 0; - for (i = 2; i <= NF; ++i) { - if ($i ~ /^-ro$/) - readonly = 1; - else if ($i !~ /^-/) - next; - } - if (readonly) { - print "Warning : Nfs File system " $1 " globally exported, read-only."; - } else print "Warning : Nfs File system " $1 " globally exported, read-write."; - }' < /etc/exports > $OUT - if [ -s "$OUT" ] ; then - printf "\nChecking for globally exported file systems.\n" - cat "$OUT" - fi +######## Report ###### +if [ -s ${TMP} ]; then + Syslog ${TMP} + Ttylog ${TMP} + cat ${TMP} >> ${SECURITY_LOG} + rm -f ${TMP} fi -# nfs mounts with missing nosuid -/bin/mount | /bin/grep -v nosuid | /bin/grep ' nfs ' > $OUT -if [ -s "$OUT" ] ; then - printf "\nThe following NFS mounts haven't got the nosuid option set:\n" - cat "$OUT" -fi - -# Files that should not be owned by someone else or readable. 
-list=".netrc .rhosts .shosts .Xauthority .pgp/secring.pgp .ssh/identity .ssh/random_seed" -awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \ -while read uid homedir; do - for f in $list ; do - file=${homedir}/${f} - if [ -f $file ] ; then - printf "$uid $f `ls -ldcg $file`\n" - fi - done -done | -awk '$1 != $5 && $5 != "root" \ - { print "user " $1 " " $2 " : file is owned by " $5 } - $3 ~ /^-...r/ \ - { print "user " $1 " " $2 " : file is group readable" } - $3 ~ /^-......r/ \ - { print "user " $1 " " $2 " : file is other readable" } - $3 ~ /^-....w/ \ - { print "user " $1 " " $2 " : file is group writeable" } - $3 ~ /^-.......w/ \ - { print "user " $1 " " $2 " : file is other writeable" }' > $OUT - - -# Files that should not be owned by someone else or writeable. -list=".bashrc .bash_profile .bash_login .bash_logout .cshrc .emacs .exrc \ -.forward .klogin .login .logout .profile .tcshrc .fvwmrc .inputrc .kshrc \ -.nexrc .screenrc .ssh .ssh/config .ssh/authorized_keys .ssh/environment \ -.ssh/known_hosts .ssh/rc .twmrc .xsession .xinitrc .Xdefaults" -awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \ -while read uid homedir; do - for f in $list ; do - file=${homedir}/${f} - if [ -f $file ] ; then - printf "$uid $f `ls -ldcg $file`\n" - fi - done -done | -awk '$1 != $5 && $5 != "root" \ - { print "user " $1 " " $2 " : file is owned by " $5 } - $3 ~ /^-....w/ \ - { print "user " $1 " " $2 " : file is group writeable" } - $3 ~ /^-.......w/ \ - { print "user " $1 " " $2 " : file is other writeable" }' >> $OUT -if [ -s "$OUT" ] ; then - printf "\nChecking dot files.\n" - cat "$OUT" -fi - -# Check home directories. Directories should not be owned by someone else -# or writeable. 
-awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \ -while read uid homedir; do - if [ -d ${homedir}/ ] ; then - file=`ls -ldg ${homedir}` - printf "$uid $file\n" - fi -done | -awk '$1 != $4 && $4 != "root" \ - { print "user " $1 " : home directory is owned by " $4 } - $2 ~ /^-....w/ \ - { print "user " $1 " : home directory is group writeable" } - $2 ~ /^-.......w/ \ - { print "user " $1 " : home directory is other writeable" }' > $OUT -if [ -s "$OUT" ] ; then - printf "\nChecking home directories.\n" - cat "$OUT" -fi - -# Files that should not have + signs. -list="/etc/hosts.equiv /etc/shosts.equiv /etc/hosts.lpd" -for f in $list ; do - if [ -s $f ] ; then - awk '{ - if ($0 ~ /^\+@.*$/) - next; - if ($0 ~ /^\+.*$/) - printf("\nPlus sign in the file %s\n", FILENAME); - }' $f - fi -done - - -# executables should not be in the /etc/aliases file. -if [ -s /etc/aliases ]; then - grep -v '^#' /etc/aliases | grep '|' > $OUT - if [ -s "$OUT" ] ; then - printf "\nThe following programs are executed in your mail via /etc/aliases (bad!):\n" - cat "$OUT" - fi -fi - - - - +# We launch our other report engine :) +/etc/security/msec/security_check.sh diff --git a/cron-sh/security_check.sh b/cron-sh/security_check.sh new file mode 100755 index 0000000..5dffc48 --- /dev/null +++ b/cron-sh/security_check.sh 
@@ -0,0 +1,279 @@ +#!/bin/bash + +# +# Basic security checking for suid files. +# Written by Vandoorselaere Yoann, <yoann@mandrakesoft.com> +# + +if [ -f /etc/security/msec/security.conf ]; then + . /etc/security/msec/security.conf +else + exit 1 +fi + +if [ SECURITY_CHECK == "no" ]; then + exit 0 +fi + +SECURITY_LOG="/tmp/secure.log" +SECURITY="/var/log/security.log" +TMP="/tmp/secure.tmp" + +if [ ! -d /var/log/security ]; then + mkdir /var/log/security +fi + +chattr -a /var/log/security/ >& /dev/null +chattr -a /var/log/security/* >& /dev/null +rm -f ${SECURITY_LOG} ${TMP} >& /dev/null + +### Functions ### + +Syslog() { + if [ $SYS_LOG=="yes" ]; then + cat ${1} | while read line; do + /sbin/initlog --string="${line}" + done + fi +} + +Ttylog() { + if [ $TTY_LOG=="yes" ]; then + for i in `w | grep -v "load\|TTY" | awk '{print $2}'` ; do + echo -e "$1" > /dev/$i + done + fi +} + +### Writeable file detection +if [ ${CHECK_WRITEABLE}=="yes" ]; then + find ${DIR} -xdev -type f -perm -2 -ls -print | awk '{print $11}' | sort > ${TMP} + + if [ -s ${TMP} ]; then + printf "\nSecurity Warning: World Writeable Files found :\n" >> ${SECURITY_LOG} + cat ${TMP} >> ${SECURITY_LOG} + fi +fi + +### Search Un Owned file +if [ ${CHECK_UNOWNED}=="yes" ]; then + find ${DIR} -xdev -nouser -print -ls | awk '{print $11}' | sort > ${TMP} + if [ -s ${TMP} ]; then + printf "\nSecurity Warning : the following file aren't owned by any user :\n" >> ${SECURITY_LOG} + printf "\ttheses files now have user \"nobody\" as their owner." >> ${SECURE_LOG} + cat ${TMP} >> ${SECURITY_LOG} + cat ${TMP} | while read line; do chown nobody ${line}; done + fi + + find $DIR -xdev -nogroup -print -ls | awk '{print $11}' | sort > ${TMP} + if [ -s ${TMP} ]; then + printf "\nSecurity Warning : the following file aren't owned by any group :\n" >> ${SECURITY_LOG} + printf "\ttheses files now have group \"nogroup\" as their group owner." 
>> ${SECURITY_LOG} + cat ${TMP} >> ${SECURITY_LOG} + cat ${TMP} | while read line; do chgrp nogroup ${line}; done + fi +fi + +if [ ${CHECK_PERMISSIONS}=="yes" ]; then +# Files that should not be owned by someone else or readable. +list=".netrc .rhosts .shosts .Xauthority .pgp/secring.pgp .ssh/identity .ssh/random_seed" +awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \ +while read uid homedir; do + for f in ${list} ; do + file="${homedir}/${f}" + if [ -f ${file} ] ; then + printf "${uid} ${f} `ls -ldcg ${file}`\n" + fi + done +done | awk '$1 != $5 && $5 != "root" \ + { print "\t\tuser=" $1 ", file=" $2 " : file is owned by " $5 } + $3 ~ /^-...r/ \ + { print "\t\tuser=" $1 ", file=" $2 " : file is group readable" } + $3 ~ /^-......r/ \ + { print "\t\tuser=" $1 ", file=" $2 " : file is other readable" } + $3 ~ /^-....w/ \ + { print "\t\tuser=" $1 ", file=" $2 " : file is group writeable" } + $3 ~ /^-.......w/ \ + { print "\t\tuser=" $1 ", file=" $2 " : file is other writeable" }' > ${TMP} + +if [ -s ${TMP} ]; then + printf "\nSecurity Warning: these files shouldn't be owned by someone else or readable :\n" >> ${SECURITY_LOG} + cat ${TMP} >> ${SECURITY_LOG} +fi + + +### Files that should not be owned by someone else or writeable. 
+list=".bashrc .bash_profile .bash_login .bash_logout .cshrc .emacs .exrc \ +.forward .klogin .login .logout .profile .tcshrc .fvwmrc .inputrc .kshrc \ +.nexrc .screenrc .ssh .ssh/config .ssh/authorized_keys .ssh/environment \ +.ssh/known_hosts .ssh/rc .twmrc .xsession .xinitrc .Xdefaults" +awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \ +while read uid homedir; do + for f in ${list} ; do + file="${homedir}/${f}" + if [ -f $file ] ; then + printf "$uid ${f} `ls -ldcg ${file}`\n" + fi + done +done | awk '$1 != $5 && $5 != "root" \ + { print "\t\t- user=" $1 ", file=" $2 " : file is owned by " $5 } + $3 ~ /^-....w/ \ + { print "\t\t- user=" $1 ", file=" $2 " : file is group writeable" } + $3 ~ /^-.......w/ \ + { print "\t\t- user=" $1 ", file=" $2 " : file is other writeable" }' > ${TMP} + +if [ -s ${TMP} ]; then + printf "\nSecurity Warning: theses files should not be owned by someone else or writeable :\n" >> ${SECURITY_LOG} + cat ${TMP} >> ${SECURITY_LOG} +fi + +### Check home directories. Directories should not be owned by someone else or writeable. 
+awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \ +while read uid homedir; do + if [ -d ${homedir}/ ] ; then + file=`ls -ldg ${homedir}` + printf "$uid $file\n" + fi +done | awk '$1 != $4 && $4 != "root" \ + { print "user=" $1 " : home directory is owned by " $4 } + $2 ~ /^-....w/ \ + { print "user=" $1 " : home directory is group writeable" } + $2 ~ /^-.......w/ \ + { print "user=" $1 " : home directory is other writeable" }' > ${TMP} + +if [ -s $TMP ] ; then + printf "\nSecurity Warning: these home directory should not be owned by someone else or writeable :\n" >> ${SECURITY_LOG} + cat ${TMP} >> ${SECURITY_LOG} +fi +fi + +if [ ${CHECK_SECURITY}=="yes" ]; then +### Passwd file check +if [ ${CHECK_PASSWD}=="yes" ]; then + awk -F: '{ + if ( $2 == "" ) + printf("\t\t- /etc/passwd:%d: User \"%s\" has no password !\n", FNR, $1); + else if ($2 !~ /^[x*!]+$/) + printf("\t\t- /etc/passwd:%d: User \"%s\" has a real password (it is not shadowed).\n", FNR, $1); + }' < /etc/passwd > ${TMP} + + if [ -s ${TMP} ]; then + printf "\nSecurity Warning: /etc/passwd check :\n" >> ${SECURITY_LOG} + cat ${TMP} >> ${SECURITY_LOG} + fi +fi + +### Shadow password file Check +if [ ${CHECK_SHADOW}=="yes" ]; then + awk -F: '{ + if ( $2 == "" ) + printf("\t\t- /etc/shadow:%d: User \"%s\" has no password !\n", FNR, $1); + }' < /etc/shadow > ${TMP} + + if [ -s ${TMP} ]; then + printf "\nSecurity Warning: /etc/shadow check :\n" >> ${SECURITY_LOG} + cat ${TMP} >> ${SECURITY_LOG} + fi +fi + +### File systems should not be globally exported. 
+if [ -s /etc/exports ] ; then + awk '{ + if (($1 ~ /^#/) || ($1 ~ /^$/)) next; + readonly = 0; + for (i = 2; i <= NF; ++i) { + if ($i ~ /^-ro$/) + readonly = 1; + else if ($i !~ /^-/) + next; + } + if (readonly) { + print "\t\t- Nfs File system " $1 " globally exported, read-only."; + } else print "\t\t- Nfs File system " $1 " globally exported, read-write."; + }' < /etc/exports > ${TMP} + + if [ -s ${TMP} ] ; then + printf "\nSecurity Warning: Some NFS filesystem are exported to globally :\n" >> ${SECURITY_LOG} + cat ${TMP} >> ${SECURITY_LOG} + fi +fi + +### nfs mounts with missing nosuid +/bin/mount | /bin/grep -v nosuid | /bin/grep ' nfs ' > ${TMP} +if [ -s ${TMP} ] ; then + printf "\nSecurity Warning: The following NFS mounts haven't got the nosuid option set :\n" >> ${SECURITY_LOG} + cat ${TMP} >> ${SECURITY_LOG} +fi + +### Files that should not have + signs. +list="/etc/hosts.equiv /etc/shosts.equiv /etc/hosts.lpd" +for file in $list ; do + if [ -s ${file} ] ; then + awk '{ + if ($0 ~ /^\+@.*$/) + next; + if ($0 ~ /^\+.*$/) + printf("\t\t- %s: %s\n", FILENAME, $0); + }' ${file} + fi +done > ${TMP} + +awk -F: '{print $1" "$6}' /etc/passwd | + while read username homedir; do + for file in .rhosts .shosts; do + if [ -s ${homedir}/${file} ] ; then + awk '{ + if ($0 ~ /^\+@.*$/) + next; + if ($0 ~ /^\+.*$/) + printf("\t\t- %s: %s\n", FILENAME, $0); + }' ${homedir}/${file} + fi + done >> ${TMP} + done + +if [ -s ${TMP} ]; then + printf "\nSecurity Warning: '+' character found in hosts trusting files,\n" >> ${SECURITY_LOG} + printf "\tthis probably mean that you trust certains users/domain\n" >> ${SECURITY_LOG} + printf "\tto connect on this host without proper authentication :\n" >> ${SECURITY_LOG} + cat ${TMP} >> ${SECURITY_LOG} +fi + +### executables should not be in the aliases file. 
+list="/etc/aliases /etc/postfix/aliases" +for file in ${list}; do + if [ -s ${file} ]; then + grep -v '^#' /etc/aliases | grep '|' | while read line; do + printf "\t\t- ${line}\n" + done > ${TMP} + fi + + if [ -s ${TMP} ]; then + printf "\nSecurity Warning: The following programs are executed in your mail\n" >> ${SECURITY_LOG} + printf "\tvia ${file} files, this could lead to security problems :\n" >> ${SECURITY_LOG} + cat ${TMP} >> ${SECURITY_LOG} + fi +done + +### Dump a list of open port. +if [ ${CHECK_OPEN_PORT}=="yes" ]; then + netstat -pvlA inet > ${TMP}; + + if [ -s ${TMP} ]; then + printf "\nThese are the ports listening on your machine :\n" >> ${SECURITY_LOG} + cat ${TMP} >> ${SECURITY_LOG} + fi +fi +fi # end of CHECK_SECURITY + +### Report +if [ -s ${SECURITY_LOG} ]; then + Syslog ${SECURITY_LOG} + Ttylog ${SECURITY_LOG} + cat ${SECURITY_LOG} >> ${SECURITY} +fi + + + + + diff --git a/doc/msec.spec b/doc/msec.spec index a3366bb..e40107d 100644 --- a/doc/msec.spec +++ b/doc/msec.spec @@ -1,8 +1,8 @@ Summary: Security Level & Program for the Linux Mandrake distribution Name: msec -Version: 0.4 -Release: 6mdk -Source: ftp://mandrakesoft.com/pub/yoann/msec-0.4.tar.gz +Version: 0.5 +Release: 1mdk +Source: msec-0.5.tar.gz Copyright: GPL Group: System Environment/Base BuildRoot: /var/tmp/msec @@ -48,6 +48,14 @@ rm -rf $RPM_BUILD_ROOT /usr/bin/promisc_check %changelog +* Mon Dec 6 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com> +- Released 0.5 +- Divided security check into 2 files : + security_check.sh & file_check.sh, + the first do normal security check, the other watch at anormal change + on the system... +- Bug fix again & again + * Wed Dec 1 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com> - DrakX compatibility. diff --git a/init-sh/custom.sh b/init-sh/custom.sh index eac0cc8..feb5fdc 100755 --- a/init-sh/custom.sh +++ b/init-sh/custom.sh 
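Review bot: `find ${DIR} -xdev ...` in the writable and unowned checks uses `DIR`, which this script never computes — file_check.sh builds it from `mount` but launches this script as a separate process without exporting it — so unless security.conf defines it the search starts from cron's working directory; the `DIR=` derivation should be repeated here or moved into the sourced config. `if [ SECURITY_CHECK == "no" ]` compares the literal word rather than `$SECURITY_CHECK` and can never disable the run, and `printf ... >> ${SECURE_LOG}` in the `-nouser` block misspells `SECURITY_LOG`, which with the variable unset makes bash abort that line with an ambiguous redirect. The same block then executes `chown nobody ${line}` (and `chgrp nogroup` below) on every reported path: an unquoted, whitespace-split ownership change made silently by a reporting script, which also rewrites files that may be deliberately unowned pending reassignment — limit it to reporting, or quote the path and gate it behind an explicit config flag with a comment stating the policy. In the aliases loop, `grep -v '^#' /etc/aliases` should be `grep -v '^#' ${file}`; as written /etc/postfix/aliases is never read, and since `${TMP}` is only rewritten when the file exists, a missing postfix file re-reports the /etc/aliases findings under the postfix label.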
@@ -65,7 +65,7 @@ fi
 echo "Do you want your system to daily check Writable file change ?"
 WaitAnswer; clear
 if [ ${answer} == "yes" ]; then
- AddRules "CHECK_WRITABLE=yes" /etc/security/msec/security.conf
+ AddRules "CHECK_WRITEABLE=yes" /etc/security/msec/security.conf
 AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab
 fi
 ###
diff --git a/init-sh/level1.sh b/init-sh/level1.sh
index dba9f55..b652fc6 100755
--- a/init-sh/level1.sh
+++ b/init-sh/level1.sh
@@ -22,6 +22,10 @@ AddRules "tty6" /etc/securetty
 
 # Security check
 echo "Updating file check variable : "
+echo -e "\t- Check security : yes."
+ AddRules "CHECK_SECURITY=yes" /etc/security/msec/security.conf quiet
+echo -e "\t- Check important permissions : no."
+ AddRules "CHECK_PERMS=no" /etc/security/msec/security.conf quiet
 echo -e "\t- Check suid root file : no."
 AddRules "CHECK_SUID_ROOT=no" /etc/security/msec/security.conf quiet
 echo -e "\t- Check suid root file integrity (backdoor check) : no."
@@ -29,7 +33,7 @@ echo -e "\t- Check suid root file integrity (backdoor check) : no."
 echo -e "\t- Check suid group file : no."
 AddRules "CHECK_SUID_GROUP=no" /etc/security/msec/security.conf quiet
 echo -e "\t- Check world writable file : no."
- AddRules "CHECK_WRITABLE=no" /etc/security/msec/security.conf quiet
+ AddRules "CHECK_WRITEABLE=no" /etc/security/msec/security.conf quiet
 echo -e "\t- Check unowned file : no."
 AddRules "CHECK_UNOWNED=no" /etc/security/msec/security.conf quiet
 echo -e "\t- Check promiscuous mode : no."
diff --git a/init-sh/level2.sh b/init-sh/level2.sh
index 37bfa93..b5e9706 100755
--- a/init-sh/level2.sh
+++ b/init-sh/level2.sh
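Review bot: `AddRules "CHECK_PERMS=no" ...` writes a key that nothing reads — the new security_check.sh tests `${CHECK_PERMISSIONS}` — so the permission-check toggle written by this level script is ineffective; the same mismatch is in level2.sh, level3.sh, level4.sh and level5.sh. Use one name on both sides, e.g. `AddRules "CHECK_PERMISSIONS=no" /etc/security/msec/security.conf quiet`. With the current `[ ${VAR}=="yes" ]` test form in the checker the value is not consulted at all, which is why the mismatch goes unnoticed; fixing the test there will expose it.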
@@ -22,6 +22,10 @@ AddRules "tty6" /etc/securetty
 
 # Security check
 echo "Updating file check variable : "
+echo -e "\t- Check security : yes."
+ AddRules "CHECK_SECURITY=yes" /etc/security/msec/security.conf quiet
+echo -e "\t- Check important permissions : no."
+ AddRules "CHECK_PERMS=no" /etc/security/msec/security.conf quiet
 echo -e "\t- Check suid root file : yes."
 AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf quiet
 echo -e "\t- Check suid root file integrity (backdoor check) : yes."
diff --git a/init-sh/level3.sh b/init-sh/level3.sh
index 5a84b40..39213a4 100755
--- a/init-sh/level3.sh
+++ b/init-sh/level3.sh
@@ -26,6 +26,10 @@ AddRules "tty6" /etc/securetty quiet
 
 # Security check
 echo "Updating file check variable : "
+echo -e "\t- Check security : yes."
+ AddRules "CHECK_SECURITY=yes" /etc/security/msec/security.conf quiet
+echo -e "\t- Check important permissions : yes."
+ AddRules "CHECK_PERMS=yes" /etc/security/msec/security.conf quiet
 echo -e "\t- Check suid root file : yes."
 AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf quiet
 echo -e "\t- Check suid root file integrity (backdoor check) : yes."
diff --git a/init-sh/level4.sh b/init-sh/level4.sh
index c85b8bb..fac55b6 100755
--- a/init-sh/level4.sh
+++ b/init-sh/level4.sh
@@ -36,6 +36,10 @@ AddRules "tty6" /etc/securetty
 
 # Security check
 echo "Updating file check variable : "
+echo -e "\t- Check security : yes."
+ AddRules "CHECK_SECURITY=yes" /etc/security/msec/security.conf quiet
+echo -e "\t- Check important permissions : yes."
+ AddRules "CHECK_PERMS=yes" /etc/security/msec/security.conf quiet
 echo -e "\t- Check suid root file : yes."
 AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf quiet
 echo -e "\t- Check suid root file integrity (backdoor check) : yes."
diff --git a/init-sh/level5.sh b/init-sh/level5.sh
index 3a81faa..5804654 100755
--- a/init-sh/level5.sh
+++ b/init-sh/level5.sh
@@ -27,6 +27,10 @@ echo -e "done.\n\n"
 
 # Security check
 echo "Updating file check variable : "
+echo -e "\t- Check security : yes."
+ AddRules "CHECK_SECURITY=yes" /etc/security/msec/security.conf quiet
+echo -e "\t- Check important permissions : yes."
+ AddRules "CHECK_PERMS=yes" /etc/security/msec/security.conf quiet
 echo -e "\t- Check suid root file : yes."
 AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf quiet
 echo -e "\t- Check suid root file integrity (backdoor check) : yes."
diff --git a/init-sh/lib.sh b/init-sh/lib.sh
index 47bbcec..971a228 100644
--- a/init-sh/lib.sh
+++ b/init-sh/lib.sh
@@ -174,6 +174,7 @@ echo "Setting spoofing protection : "
 AddRules "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter" /etc/rc.d/rc.firewall
 
 # default group which must exist on the system
+groupadd nogroup >& /dev/null
 groupadd audio >& /dev/null
 groupadd xgrp >& /dev/null
 usermod -G xgrp xfs |