authorYoann Vandoorselaere <yoann@mandriva.com>1999-12-06 18:11:39 +0000
committerYoann Vandoorselaere <yoann@mandriva.com>1999-12-06 18:11:39 +0000
commit74055382de3e44e81bf084d08883e7a9e5b90b04 (patch)
tree506dc12e505459cc3e1b79c0bf965e77b14f81db
parent81fd9c016d08d9f26cb784dff1049a967b209a01 (diff)
*** empty log message ***
-rwxr-xr-xcron-sh/file_check.sh416
-rwxr-xr-xcron-sh/security_check.sh279
-rw-r--r--doc/msec.spec14
-rwxr-xr-xinit-sh/custom.sh2
-rwxr-xr-xinit-sh/level1.sh6
-rwxr-xr-xinit-sh/level2.sh4
-rwxr-xr-xinit-sh/level3.sh4
-rwxr-xr-xinit-sh/level4.sh4
-rwxr-xr-xinit-sh/level5.sh4
-rw-r--r--init-sh/lib.sh1
10 files changed, 443 insertions, 291 deletions
diff --git a/cron-sh/file_check.sh b/cron-sh/file_check.sh
index f91dce3..60a87e5 100755
--- a/cron-sh/file_check.sh
+++ b/cron-sh/file_check.sh
@@ -15,8 +15,6 @@ if [ SECURITY_CHECK == "no" ]; then
exit 0
fi
-OUT=./blah
-
# Modified filters coming from debian security scripts.
CS_NFSAFS='(nfs|afs|xfs|coda)'
CS_TYPES=' type (devpts|auto|proc|msdos|fat|vfat|iso9660|ncpfs|smbfs|'$CS_NFSAFS')'
@@ -26,47 +24,45 @@ FILTERS="$CS_TYPES|$CS_DEVS|$CS_DIRS"
DIR=`mount | grep -vE "$FILTERS" | cut -d ' ' -f3`
###
-SUID_ROOT_TODAY=/var/log/security/suid_root.today
-SUID_ROOT_YESTERDAY=/var/log/security/suid_root.yesterday
-SUID_ROOT_DIFF=/var/log/security/suid_root.diff
-SUID_GROUP_TODAY=/var/log/security/suid_group.today
-SUID_GROUP_YESTERDAY=/var/log/security/suid_group.yesterday
-SUID_GROUP_DIFF=/var/log/security/suid_group.diff
-WRITABLE_TODAY=/var/log/security/writable.today
-WRITABLE_YESTERDAY=/var/log/security/writable.yesterday
-WRITABLE_DIFF=/var/log/security/writable.diff
-UNOWNED_TODAY=/var/log/security/unowned.today
-UNOWNED_YESTERDAY=/var/log/security/unowned.yesterday
-UNOWNED_DIFF=/var/log/security/unowned.diff
-PASSWD_TODAY=/var/log/security/passwd.today
-PASSWD_YESTERDAY=/var/log/security/passwd.yesterday
-PASSWD_DIFF=/var/log/security/passwd.diff
-SHADOW_TODAY=/var/log/security/shadow.today
-SHADOW_YESTERDAY=/var/log/security/shadow.yesterday
-SHADOW_DIFF=/var/log/security/shadow.diff
-HOST_TODAY=/var/log/security/hosts.today
-HOST_YESTERDAY=/var/log/security/hosts.yesterday
-HOST_DIFF=/var/log/security/hosts.diff
-SUID_MD5_TODAY=/var/log/security/suid_md5.today
-SUID_MD5_YESTERDAY=/var/log/security/suid_md5.yesterday
-SUID_MD5_DIFF=/var/log/security/suid_md5.diff
-OPEN_PORT_TODAY=/var/log/security/open_port.today
-OPEN_PORT_YESTERDAY=/var/log/security/open_port.yesterday
-OPEN_PORT_DIFF=/var/log/security/open_port.diff
+SUID_ROOT_TODAY="/var/log/security/suid_root.today"
+SUID_ROOT_YESTERDAY="/var/log/security/suid_root.yesterday"
+SUID_ROOT_DIFF="/var/log/security/suid_root.diff"
+SUID_GROUP_TODAY="/var/log/security/suid_group.today"
+SUID_GROUP_YESTERDAY="/var/log/security/suid_group.yesterday"
+SUID_GROUP_DIFF="/var/log/security/suid_group.diff"
+SUID_MD5_TODAY="/var/log/security/suid_md5.today"
+SUID_MD5_YESTERDAY="/var/log/security/suid_md5.yesterday"
+SUID_MD5_DIFF="/var/log/security/suid_md5.diff"
+OPEN_PORT_TODAY="/var/log/security/open_port.today"
+OPEN_PORT_YESTERDAY="/var/log/security/open_port.yesterday"
+OPEN_PORT_DIFF="/var/log/security/open_port.diff"
+WRITEABLE_TODAY="/var/log/security/writeable.today"
+WRITEABLE_YESTERDAY="/var/log/security/writeable.yesterday"
+WRITEABLE_DIFF="/var/log/security/writeable.diff"
+UNOWNED_TODAY="/var/log/security/unowned.today"
+UNOWNED_YESTERDAY="/var/log/security/unowned.yesterday"
+UNOWNED_DIFF="/var/log/security/unowned.diff"
+
+SECURITY_LOG="/var/log/security.log"
+TMP="/tmp/secure.tmp"
if [ ! -d /var/log/security ]; then
mkdir /var/log/security
fi
-chattr -a /var/log/security/
-chattr -a /var/log/security/*
+chattr -a /var/log/security/ >& /dev/null
+chattr -a /var/log/security/* >& /dev/null
+
+rm -f ${TMP} ${SECURITY_TMP} >& /dev/null
### Functions ###
Syslog() {
- if [ $SYS_LOG=="yes" ]; then
- /sbin/initlog --string="$1"
- fi
+ if [ $SYS_LOG=="yes" ]; then
+ cat ${1} | while read line; do
+ /sbin/initlog --string="${line}"
+ done
+ fi
}
Ttylog() {
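Review bot: `TMP="/tmp/secure.tmp"` is a fixed, world-predictable path that this root cron script then appends to with `>>`; a local user who pre-creates `/tmp/secure.tmp` as a symlink can redirect those writes, and the `rm -f ${TMP}` that follows only narrows the window rather than closing it. Create the scratch file privately instead, e.g. `TMP=$(mktemp /var/log/security/secure.XXXXXX) || exit 1`, since the script already creates and owns that directory. The same `rm -f` line also names `${SECURITY_TMP}`, which is not defined anywhere in the visible file — it looks like a leftover, and it must not become `SECURITY_LOG`, which is the persistent log. Separately, `if [ $SYS_LOG=="yes" ]` is a one-word test that is true for any non-empty expansion, so Syslog always fires regardless of the configuration; it should read `if [ "${SYS_LOG}" == "yes" ]; then`. The Ttylog definition opened on the last line continues outside this hunk.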
@@ -80,84 +76,110 @@ Ttylog() {
##################
-### New Suid root file detection ###
-if [ $CHECK_SUID_ROOT=="yes" ]; then
- if [ -f $SUID_ROOT_TODAY ]; then
- mv $SUID_ROOT_TODAY $SUID_ROOT_YESTERDAY
+### New Suid root files detection
+if [ ${CHECK_SUID_ROOT}=="yes" ]; then
+
+ if [ -f ${SUID_ROOT_TODAY} ]; then
+ mv ${SUID_ROOT_TODAY} ${SUID_ROOT_YESTERDAY}
fi
- find $DIR -xdev -type f -perm +04000 -user root \
- -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" | sort > $SUID_ROOT_TODAY
+ find ${DIR} -xdev -type f -perm +04000 -user root \
+ -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" | sort > ${SUID_ROOT_TODAY}
- if [ -f $SUID_ROOT_YESTERDAY ]; then
- if ! diff $SUID_ROOT_YESTERDAY $SUID_ROOT_TODAY > $SUID_ROOT_DIFF; then
- Syslog "Change in Suid Root file found, please consult $SUID_ROOT_DIFF"
- Ttylog "\\033[1;31mChange in Suid Root file found !\\033[0;39m"
- Ttylog "\\033[1;31mPlease consult $SUID_ROOT_DIFF\\033[0;39m"
+ if [ -f ${SUID_ROOT_YESTERDAY} ]; then
+ if ! diff -u ${SUID_ROOT_YESTERDAY} ${SUID_ROOT_TODAY} > ${SUID_ROOT_DIFF}; then
+ printf "\nSecurity Warning: Change in Suid Root files found :\n" >> ${TMP}
+ grep '^+' ${SUID_ROOT_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do
+ printf "\t\t- Added suid root files : ${file}.\n" >> ${TMP}
+ done
+ grep '^-' ${SUID_ROOT_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do
+ printf "\t\t- Removed suid root files : ${file}.\n" >> ${TMP}
+ done
fi
fi
fi
-#############################
-
-### New Suid group file detection ###
-if [ $CHECK_SUID_GROUP ]; then
- if [ -f $SUID_GROUP_TODAY ]; then
- mv $SUID_GROUP_TODAY $SUID_GROUP_YESTERDAY
+### New Suid group files detection
+if [ ${CHECK_SUID_GROUP} ]; then
+ if [ -f ${SUID_GROUP_TODAY} ]; then
+ mv ${SUID_GROUP_TODAY} ${SUID_GROUP_YESTERDAY}
fi
- find $DIR -xdev -type f -perm +02000 \
- -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" | sort > $SUID_GROUP_TODAY
+ find ${DIR} -xdev -type f -perm +02000 \
+ -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" | sort > ${SUID_GROUP_TODAY}
- if [ -f $SUID_GROUP_YESTERDAY ]; then
- if ! diff $SUID_GROUP_YESTERDAY $SUID_GROUP_TODAY > $SUID_GROUP_DIFF; then
- Syslog "Change in Suid Group file found, please consult $SUID_GROUP_DIFF"
- Ttylog "\\033[1;31mChange in Suid Group file found !\\033[0;39m"
- Ttylog "\\033[1;31mPlease consult $SUID_GROUP_DIFF\\033[0;39m"
+ if [ -f ${SUID_GROUP_YESTERDAY} ]; then
+ if ! diff -u ${SUID_GROUP_YESTERDAY} ${SUID_GROUP_TODAY} > ${SUID_GROUP_DIFF}; then
+ printf "\nSecurity Warning: Changes in Suid Group files found :\n" >> ${TMP}
+ grep '^+' ${SUID_GROUP_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do
+ printf "\t\t- Added suid group files : ${file}.\n" >> ${TMP}
+ done
+ grep '^-' ${SUID_GROUP_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do
+ printf "\t\t- Removed suid group files : ${file}.\n" >> ${TMP}
+ done
fi
fi
fi
-#############################
-### Writable file detection ###
+### Writable files detection
+if [ ${CHECK_WRITEABLE}=="yes" ]; then
-if [ $CHECK_WRITABLE=="yes" ]; then
- if [ -f $WRITABLE_TODAY ]; then
- mv $WRITABLE_TODAY $WRITABLE_YESTERDAY
+ if [ -f ${WRITEABLE_TODAY} ]; then
+ mv -f ${WRITEABLE_TODAY} ${WRITEABLE_YESTERDAY}
fi
- find $DIR -xdev -type f -perm -2 \
- -ls -print | sort > $WRITABLE_TODAY
+ find ${DIR} -xdev -type f -perm -2 -ls -print | sort > ${WRITEABLE_TODAY}
- if [ -f $WRITABLE_YESTERDAY ]; then
- if ! diff $WRITABLE_YESTERDAY $WRITABLE_TODAY > $WRITABLE_DIFF; then
- Syslog "Change in World Writable File found, please consult $WRITABLE_DIFF"
- Ttylog "\\033[1;31mChange in World Writable File found !\\033[0;39m"
- Ttylog "\\033[1;31mPlease consult $WRITABLE_DIFF\\033[0;39m"
+ if [ -f ${WRITEABLE_YESTERDAY} ]; then
+ if ! diff -u ${WRITEABLE_YESTERDAY} ${WRITEABLE_TODAY} > ${WRITEABLE_DIFF}; then
+ printf "\nSecurity Warning: Change in World Writeable Files found :\n" >> ${TMP}
+ grep '^+' ${WRITEABLE_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do
+ printf "\t\t- Added writables files : ${file}.\n" >> ${TMP}
+ done
+ grep '^-' ${WRITEABLE_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do
+ printf "\t\t- Removed writables files : ${file}.\n" >> ${TMP}
+ done
fi
fi
fi
-#################################
-### Search Un Owned file ###
-if [ $CHECK_UNOWNED=="yes" ]; then
- if [ -f $UNOWNED_TODAY ]; then
- mv $UNOWNED_TODAY $UNOWNED_YESTERDAY
+### Search Non Owned files
+if [ ${CHECK_UNOWNED}=="yes" ]; then
+
+ if [ -f ${UNOWNED_TODAY} ]; then
+ mv -f ${UNOWNED_TODAY} ${UNOWNED_YESTERDAY}
fi
- find $DIR -xdev -nouser -o -nogroup -print \
- -ls | sort > $UNOWNED_TODAY
+ find ${DIR} -xdev -nouser -print -ls | sort > ${UNOWNED_TODAY}
+
+ if [ -f ${UNOWNED_YESTERDAY} ]; then
+ if ! diff -u ${UNOWNED_YESTERDAY} ${UNOWNED_TODAY} > ${UNOWNED_DIFF}; then
+ printf "\nSecurity Warning: the following files aren't owned by an user :\n" >> ${TMP}
+ grep '^+' ${UNOWNED_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do
+ printf "\t\t- Added un-owned files : ${file}.\n" >> ${TMP}
+ done
+ grep '^-' ${UNOWNED_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do
+ printf "\t\t- Removed un-owned files : ${file}.\n" >> ${TMP}
+ done
+ fi
+ fi
+
+ find ${DIR} -xdev -nogroup -print -ls | sort >> ${UNOWNED_TODAY}
- if [ -f $UNOWNED_YESTERDAY ]; then
- if ! diff $UNOWNED_YESTERDAY $UNOWNED_TODAY; then
- Syslog "Change in Un-Owned file user/group, please consult $UNOWNED_DIFF"
- Ttylog "\\033[1;31mChange in Un-Owned file user/group found !\\033[0;39m"
- Ttylog "\\033[1;31mPlease consult $UNOWNED_DIFF\\033[0;39m"
+ if [ -f ${UNOWNED_YESTERDAY} ]; then
+ if ! diff -u ${UNOWNED_YESTERDAY} ${UNOWNED_TODAY} > ${UNOWNED_DIFF}; then
+ printf "\nSecurity Warning: the following files aren't owned by a group :\n" >> ${TMP}
+ grep '^+' ${UNOWNED_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do
+ printf "\t\t- Added un-owned files : ${file}.\n" >> ${TMP}
+ done
+ grep '^-' ${UNOWNED_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do
+ printf "\t\t- Removed un-owned files : ${file}.\n" >> ${TMP}
+ done
fi
fi
fi
-########## Md5 check for SUID root file #########
+### Md5 check for SUID root file
if [ ${CHECK_SUID_MD5}=="yes" ]; then
if [ -f ${SUID_MD5_TODAY} ]; then
mv ${SUID_MD5_TODAY} ${SUID_MD5_YESTERDAY}
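Review bot: The new report loops for the writable and unowned checks extract the path with `awk '{print $12}'`, but those lists come from `find -ls`, whose output has 11 columns with the path last, so every "Added/Removed ... files" line will print an empty name; `$12` is only right for the suid lists built with the custom `-printf` format (whose `%t` expands to five words), and `security_check.sh` in this same commit already uses `$11` for `-ls` output. Combining `-ls -print` also emits each path a second time as a bare line, which then shows up as its own diff entry; `-ls` alone is enough. The unowned block is further off: the first `diff` compares yesterday's combined nouser+nogroup list against today's nouser-only list, so any nogroup entry from yesterday is reported as "removed", the second `diff` after the `>>` append re-reports the nouser changes, and the two exclusion filters on the first pair of grep lines are swapped (`-vw "^--- "` on the `^+` lines and `-vw "^+++ "` on the `^-` lines), which lets the `+++`/`---` header lines leak into the report. Running one find for both conditions and diffing once, as below, removes all three problems. Also, every report line embeds the file name in the printf format string (`printf "\t\t- Added suid root files : ${file}.\n"`), so a name containing `%` is interpreted as a directive; pass it as an argument, `printf "\t\t- Added suid root files : %s.\n" "${file}"` — the same pattern recurs in the md5 and open-port hunks below.
```shell
### Search Non Owned files
if [ ${CHECK_UNOWNED}=="yes" ]; then
  # … unchanged: rotate ${UNOWNED_TODAY} to ${UNOWNED_YESTERDAY} …
  # One pass for both conditions so yesterday's and today's lists are
  # comparable; with -ls alone the path is the 11th column.
  find ${DIR} -xdev \( -nouser -o -nogroup \) -ls | sort > ${UNOWNED_TODAY}
  if [ -f ${UNOWNED_YESTERDAY} ]; then
    if ! diff -u ${UNOWNED_YESTERDAY} ${UNOWNED_TODAY} > ${UNOWNED_DIFF}; then
      printf "\nSecurity Warning: the following files aren't owned by a user or a group :\n" >> ${TMP}
      grep '^+' ${UNOWNED_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $11}' | while read file; do
        printf "\t\t- Added un-owned files : %s.\n" "${file}" >> ${TMP}
      done
      grep '^-' ${UNOWNED_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $11}' | while read file; do
        printf "\t\t- Removed un-owned files : %s.\n" "${file}" >> ${TMP}
      done
    fi
  fi
fi
```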
@@ -170,87 +192,20 @@ if [ ${CHECK_SUID_MD5}=="yes" ]; then
done
if [ -f ${SUID_MD5_YESTERDAY} ]; then
- if ! diff ${SUID_MD5_YESTERDAY} ${SUID_MD5_TODAY} 1> ${SUID_MD5_DIFF}; then
- Syslog "Warning, the md5 checksum for one of your SUID files has changed..."
- Syslog "Maybe an intruder modified one of these suid binary in order to put in a backdoor..."
- Syslog "Please consult ${SUID_MD5_DIFF}."
- Ttylog "Warning, the md5 checksum for one of your SUID files has changed..."
- Ttylog "Maybe an intruder modified one of these suid binary in order to put in a backdoor..."
- Ttylog "Please consult ${SUID_MD5_DIFF}."
- fi
- fi
-fi
-##################################################
-
-#### Passwd check ####
-if [ ${CHECK_PASSWD}=="yes" ]; then
- if [ -f ${PASSWD_TODAY} ]; then
- mv ${PASSWD_TODAY} ${PASSWD_YESTERDAY};
- fi
-
- awk -F: '{
- if ( $2 == "" )
- printf("/etc/passwd:%d: User \"%s\" has no password !\n", FNR, $1);
- else if ($2 !~ /^[x*!]+$/)
- printf("/etc/passwd:%d: User \"%s\" has a real password (it is not shadowed).\n", FNR, $1);
- }' < /etc/passwd > ${PASSWD_TODAY}
-
- if [ -f ${PASSWD_YESTERDAY} ]; then
- if ! diff ${PASSWD_YESTERDAY} ${PASSWD_TODAY} 1> ${PASSWD_DIFF}; then
- Syslog `cat ${PASSWD_DIFF}`
- Ttylog `cat ${PASSWD_DIFF}`
- fi
- fi
-fi
-######################
-
-#### Shadow Check ####
-if [ ${CHECK_SHADOW}=="yes" ]; then
- if [ -f ${SHADOW_TODAY} ]; then
- mv -f ${SHADOW_TODAY} ${SHADOW_YESTERDAY};
- fi
-
- awk -F: '{
- if ( $2 == "" )
- printf("/etc/shadow:%d: User \"%s\" has no password !\n", FNR, $1);
- }' < /etc/shadow > ${SHADOW_TODAY}
-
- if [ -f ${SHADOW_YESTERDAY} ]; then
- if ! diff ${SHADOW_YESTERDAY} ${SHADOW_TODAY} 1> ${SHADOW_DIFF}; then
- Syslog `cat ${SHADOW_DIFF}`
- Ttylog `cat ${SHADOW_DIFF}`
- fi
- fi
-fi
-
-#### .[sr]hosts check ####
-if [ ${CHECK_RHOST}=="yes" ]; then
- if [ -f ${HOST_TODAY} ]; then
- mv -f ${HOST_TODAY} ${HOST_YESTERDAY};
- fi
-
- awk -F: '{print $1" "$6}' /etc/passwd |
- while read username homedir; do
- for file in .rhosts .shosts; do
- if [ -s ${homedir}/${file} ] ; then
- rhost=`ls -lcdg ${homedir}/${file}`
- printf "${username}: ${rhost}\n"
- if grep "+" ${homedir}/${file} > /dev/null ; then
- printf "\tThere is a (+) character in ${file} : this is a *big* security problem \!\n"
- fi
- fi
+ if ! diff -u ${SUID_MD5_YESTERDAY} ${SUID_MD5_TODAY} > ${SUID_MD5_DIFF}; then
+ printf "\nSecurity Warning: the md5 checksum for one of your SUID files has changed,\n" >> ${TMP}
+ printf "\tmaybe an intruder modified one of these suid binary in order to put in a backdoor...\n" >> ${TMP}
+ grep '^+' ${SUID_MD5_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $2}' | while read file; do
+ printf "\t\t- Changed ( added ) files : ${file}.\n" >> ${TMP}
+ done
+ grep '^-' ${SUID_MD5_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $2}' | while read file; do
+ printf "\t\t- Changed ( removed ) files : ${file}.\n" >> ${TMP}
done
- done > ${HOST_TODAY}
-
- if [ -f ${HOST_YESTERDAY} ]; then
- if ! diff ${HOST_YESTERDAY} ${HOST_TODAY} 1> ${HOST_DIFF}; then
- Syslog `cat ${HOST_DIFF}`
- Ttylog `cat ${HOST_DIFF}`
fi
fi
fi
-### Network check ###
+### Changed open port
if [ ${CHECK_OPEN_PORT}=="yes" ]; then
if [ -f ${OPEN_PORT_TODAY} ]; then
mv -f ${OPEN_PORT_TODAY} ${OPEN_PORT_YESTERDAY}
@@ -259,139 +214,28 @@ if [ ${CHECK_OPEN_PORT}=="yes" ]; then
netstat -pvlA inet > ${OPEN_PORT_TODAY};
if [ -f ${OPEN_PORT_YESTERDAY} ]; then
- if ! diff ${OPEN_PORT_YESTERDAY} ${OPEN_PORT_TODAY} 1> ${OPEN_PORT_DIFF}; then
- Syslog "There is a new port listening on your machine..."
- Syslog "Please consult ${OPEN_PORT_DIFF} for security purpose..."
- Ttylog "There is a new port listening on your machine..."
- Ttylog "Please consult ${OPEN_PORT_DIFF} for security purpose..."
+ if ! diff -u ${OPEN_PORT_YESTERDAY} ${OPEN_PORT_TODAY} 1> ${OPEN_PORT_DIFF}; then
+ printf "\nSecurity Warning: There is a new port listening on your machine :\n" >> ${TMP}
+ grep '^+' ${OPEN_PORT_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do
+ printf "\t\t- Opened ports : ${file}.\n" >> ${TMP}
+ done
+ grep '^-' ${OPEN_PORT_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do
+ printf "\t\t- Closed ports : ${file}.\n" >> ${TMP}
+ done
fi
fi
fi
-### /etc/exports check ###
-
-# File systems should not be globally exported.
-if [ -s /etc/exports ] ; then
- awk '{
- if (($1 ~ /^#/) || ($1 ~ /^$/)) next;
- readonly = 0;
- for (i = 2; i <= NF; ++i) {
- if ($i ~ /^-ro$/)
- readonly = 1;
- else if ($i !~ /^-/)
- next;
- }
- if (readonly) {
- print "Warning : Nfs File system " $1 " globally exported, read-only.";
- } else print "Warning : Nfs File system " $1 " globally exported, read-write.";
- }' < /etc/exports > $OUT
- if [ -s "$OUT" ] ; then
- printf "\nChecking for globally exported file systems.\n"
- cat "$OUT"
- fi
+######## Report ######
+if [ -s ${TMP} ]; then
+ Syslog ${TMP}
+ Ttylog ${TMP}
+ cat ${TMP} >> ${SECURITY_LOG}
+ rm -f ${TMP}
fi
-# nfs mounts with missing nosuid
-/bin/mount | /bin/grep -v nosuid | /bin/grep ' nfs ' > $OUT
-if [ -s "$OUT" ] ; then
- printf "\nThe following NFS mounts haven't got the nosuid option set:\n"
- cat "$OUT"
-fi
-
-# Files that should not be owned by someone else or readable.
-list=".netrc .rhosts .shosts .Xauthority .pgp/secring.pgp .ssh/identity .ssh/random_seed"
-awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \
-while read uid homedir; do
- for f in $list ; do
- file=${homedir}/${f}
- if [ -f $file ] ; then
- printf "$uid $f `ls -ldcg $file`\n"
- fi
- done
-done |
-awk '$1 != $5 && $5 != "root" \
- { print "user " $1 " " $2 " : file is owned by " $5 }
- $3 ~ /^-...r/ \
- { print "user " $1 " " $2 " : file is group readable" }
- $3 ~ /^-......r/ \
- { print "user " $1 " " $2 " : file is other readable" }
- $3 ~ /^-....w/ \
- { print "user " $1 " " $2 " : file is group writeable" }
- $3 ~ /^-.......w/ \
- { print "user " $1 " " $2 " : file is other writeable" }' > $OUT
-
-
-# Files that should not be owned by someone else or writeable.
-list=".bashrc .bash_profile .bash_login .bash_logout .cshrc .emacs .exrc \
-.forward .klogin .login .logout .profile .tcshrc .fvwmrc .inputrc .kshrc \
-.nexrc .screenrc .ssh .ssh/config .ssh/authorized_keys .ssh/environment \
-.ssh/known_hosts .ssh/rc .twmrc .xsession .xinitrc .Xdefaults"
-awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \
-while read uid homedir; do
- for f in $list ; do
- file=${homedir}/${f}
- if [ -f $file ] ; then
- printf "$uid $f `ls -ldcg $file`\n"
- fi
- done
-done |
-awk '$1 != $5 && $5 != "root" \
- { print "user " $1 " " $2 " : file is owned by " $5 }
- $3 ~ /^-....w/ \
- { print "user " $1 " " $2 " : file is group writeable" }
- $3 ~ /^-.......w/ \
- { print "user " $1 " " $2 " : file is other writeable" }' >> $OUT
-if [ -s "$OUT" ] ; then
- printf "\nChecking dot files.\n"
- cat "$OUT"
-fi
-
-# Check home directories. Directories should not be owned by someone else
-# or writeable.
-awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \
-while read uid homedir; do
- if [ -d ${homedir}/ ] ; then
- file=`ls -ldg ${homedir}`
- printf "$uid $file\n"
- fi
-done |
-awk '$1 != $4 && $4 != "root" \
- { print "user " $1 " : home directory is owned by " $4 }
- $2 ~ /^-....w/ \
- { print "user " $1 " : home directory is group writeable" }
- $2 ~ /^-.......w/ \
- { print "user " $1 " : home directory is other writeable" }' > $OUT
-if [ -s "$OUT" ] ; then
- printf "\nChecking home directories.\n"
- cat "$OUT"
-fi
-
-# Files that should not have + signs.
-list="/etc/hosts.equiv /etc/shosts.equiv /etc/hosts.lpd"
-for f in $list ; do
- if [ -s $f ] ; then
- awk '{
- if ($0 ~ /^\+@.*$/)
- next;
- if ($0 ~ /^\+.*$/)
- printf("\nPlus sign in the file %s\n", FILENAME);
- }' $f
- fi
-done
-
-
-# executables should not be in the /etc/aliases file.
-if [ -s /etc/aliases ]; then
- grep -v '^#' /etc/aliases | grep '|' > $OUT
- if [ -s "$OUT" ] ; then
- printf "\nThe following programs are executed in your mail via /etc/aliases (bad!):\n"
- cat "$OUT"
- fi
-fi
-
-
-
-
+# We launch our other report engine :)
+/etc/security/msec/security_check.sh
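Review bot: The open-port report applies the same `awk '{print $12}'` to a `diff -u` of `netstat -pvlA inet` output, but a netstat listening line has only about seven whitespace-separated columns (Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State, PID/Program name), so each "Opened ports : ." line will carry an empty value; the local address is the fourth column, `awk '{print $4}'`, though the exact column should be confirmed against the netstat build in use. Because the saved snapshot includes the `PID/Program name` column, a daemon that is merely restarted overnight changes its line and is reported as a new listener; diffing a snapshot taken without `-p` (or with that column stripped) would confine the alert to actual changes in listening sockets. The Report block hands `${TMP}` — a path — to `Ttylog`; whether that function prints the file's contents or just the path depends on its body, which is outside this hunk, and the `Ttylog` defined in `security_check.sh` in this commit does `echo -e "$1"`, so it is worth verifying here too.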
diff --git a/cron-sh/security_check.sh b/cron-sh/security_check.sh
new file mode 100755
index 0000000..5dffc48
--- /dev/null
+++ b/cron-sh/security_check.sh
@@ -0,0 +1,279 @@
+#!/bin/bash
+
+#
+# Basic security checking for suid files.
+# Written by Vandoorselaere Yoann, <yoann@mandrakesoft.com>
+#
+
+if [ -f /etc/security/msec/security.conf ]; then
+ . /etc/security/msec/security.conf
+else
+ exit 1
+fi
+
+if [ SECURITY_CHECK == "no" ]; then
+ exit 0
+fi
+
+SECURITY_LOG="/tmp/secure.log"
+SECURITY="/var/log/security.log"
+TMP="/tmp/secure.tmp"
+
+if [ ! -d /var/log/security ]; then
+ mkdir /var/log/security
+fi
+
+chattr -a /var/log/security/ >& /dev/null
+chattr -a /var/log/security/* >& /dev/null
+rm -f ${SECURITY_LOG} ${TMP} >& /dev/null
+
+### Functions ###
+
+Syslog() {
+ if [ $SYS_LOG=="yes" ]; then
+ cat ${1} | while read line; do
+ /sbin/initlog --string="${line}"
+ done
+ fi
+}
+
+Ttylog() {
+ if [ $TTY_LOG=="yes" ]; then
+ for i in `w | grep -v "load\|TTY" | awk '{print $2}'` ; do
+ echo -e "$1" > /dev/$i
+ done
+ fi
+}
+
+### Writeable file detection
+if [ ${CHECK_WRITEABLE}=="yes" ]; then
+ find ${DIR} -xdev -type f -perm -2 -ls -print | awk '{print $11}' | sort > ${TMP}
+
+ if [ -s ${TMP} ]; then
+ printf "\nSecurity Warning: World Writeable Files found :\n" >> ${SECURITY_LOG}
+ cat ${TMP} >> ${SECURITY_LOG}
+ fi
+fi
+
+### Search Un Owned file
+if [ ${CHECK_UNOWNED}=="yes" ]; then
+ find ${DIR} -xdev -nouser -print -ls | awk '{print $11}' | sort > ${TMP}
+ if [ -s ${TMP} ]; then
+ printf "\nSecurity Warning : the following file aren't owned by any user :\n" >> ${SECURITY_LOG}
+ printf "\ttheses files now have user \"nobody\" as their owner." >> ${SECURE_LOG}
+ cat ${TMP} >> ${SECURITY_LOG}
+ cat ${TMP} | while read line; do chown nobody ${line}; done
+ fi
+
+ find $DIR -xdev -nogroup -print -ls | awk '{print $11}' | sort > ${TMP}
+ if [ -s ${TMP} ]; then
+ printf "\nSecurity Warning : the following file aren't owned by any group :\n" >> ${SECURITY_LOG}
+ printf "\ttheses files now have group \"nogroup\" as their group owner." >> ${SECURITY_LOG}
+ cat ${TMP} >> ${SECURITY_LOG}
+ cat ${TMP} | while read line; do chgrp nogroup ${line}; done
+ fi
+fi
+
+if [ ${CHECK_PERMISSIONS}=="yes" ]; then
+# Files that should not be owned by someone else or readable.
+list=".netrc .rhosts .shosts .Xauthority .pgp/secring.pgp .ssh/identity .ssh/random_seed"
+awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \
+while read uid homedir; do
+ for f in ${list} ; do
+ file="${homedir}/${f}"
+ if [ -f ${file} ] ; then
+ printf "${uid} ${f} `ls -ldcg ${file}`\n"
+ fi
+ done
+done | awk '$1 != $5 && $5 != "root" \
+ { print "\t\tuser=" $1 ", file=" $2 " : file is owned by " $5 }
+ $3 ~ /^-...r/ \
+ { print "\t\tuser=" $1 ", file=" $2 " : file is group readable" }
+ $3 ~ /^-......r/ \
+ { print "\t\tuser=" $1 ", file=" $2 " : file is other readable" }
+ $3 ~ /^-....w/ \
+ { print "\t\tuser=" $1 ", file=" $2 " : file is group writeable" }
+ $3 ~ /^-.......w/ \
+ { print "\t\tuser=" $1 ", file=" $2 " : file is other writeable" }' > ${TMP}
+
+if [ -s ${TMP} ]; then
+ printf "\nSecurity Warning: these files shouldn't be owned by someone else or readable :\n" >> ${SECURITY_LOG}
+ cat ${TMP} >> ${SECURITY_LOG}
+fi
+
+
+### Files that should not be owned by someone else or writeable.
+list=".bashrc .bash_profile .bash_login .bash_logout .cshrc .emacs .exrc \
+.forward .klogin .login .logout .profile .tcshrc .fvwmrc .inputrc .kshrc \
+.nexrc .screenrc .ssh .ssh/config .ssh/authorized_keys .ssh/environment \
+.ssh/known_hosts .ssh/rc .twmrc .xsession .xinitrc .Xdefaults"
+awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \
+while read uid homedir; do
+ for f in ${list} ; do
+ file="${homedir}/${f}"
+ if [ -f $file ] ; then
+ printf "$uid ${f} `ls -ldcg ${file}`\n"
+ fi
+ done
+done | awk '$1 != $5 && $5 != "root" \
+ { print "\t\t- user=" $1 ", file=" $2 " : file is owned by " $5 }
+ $3 ~ /^-....w/ \
+ { print "\t\t- user=" $1 ", file=" $2 " : file is group writeable" }
+ $3 ~ /^-.......w/ \
+ { print "\t\t- user=" $1 ", file=" $2 " : file is other writeable" }' > ${TMP}
+
+if [ -s ${TMP} ]; then
+ printf "\nSecurity Warning: theses files should not be owned by someone else or writeable :\n" >> ${SECURITY_LOG}
+ cat ${TMP} >> ${SECURITY_LOG}
+fi
+
+### Check home directories. Directories should not be owned by someone else or writeable.
+awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \
+while read uid homedir; do
+ if [ -d ${homedir}/ ] ; then
+ file=`ls -ldg ${homedir}`
+ printf "$uid $file\n"
+ fi
+done | awk '$1 != $4 && $4 != "root" \
+ { print "user=" $1 " : home directory is owned by " $4 }
+ $2 ~ /^-....w/ \
+ { print "user=" $1 " : home directory is group writeable" }
+ $2 ~ /^-.......w/ \
+ { print "user=" $1 " : home directory is other writeable" }' > ${TMP}
+
+if [ -s $TMP ] ; then
+ printf "\nSecurity Warning: these home directory should not be owned by someone else or writeable :\n" >> ${SECURITY_LOG}
+ cat ${TMP} >> ${SECURITY_LOG}
+fi
+fi
+
+if [ ${CHECK_SECURITY}=="yes" ]; then
+### Passwd file check
+if [ ${CHECK_PASSWD}=="yes" ]; then
+ awk -F: '{
+ if ( $2 == "" )
+ printf("\t\t- /etc/passwd:%d: User \"%s\" has no password !\n", FNR, $1);
+ else if ($2 !~ /^[x*!]+$/)
+ printf("\t\t- /etc/passwd:%d: User \"%s\" has a real password (it is not shadowed).\n", FNR, $1);
+ }' < /etc/passwd > ${TMP}
+
+ if [ -s ${TMP} ]; then
+ printf "\nSecurity Warning: /etc/passwd check :\n" >> ${SECURITY_LOG}
+ cat ${TMP} >> ${SECURITY_LOG}
+ fi
+fi
+
+### Shadow password file Check
+if [ ${CHECK_SHADOW}=="yes" ]; then
+ awk -F: '{
+ if ( $2 == "" )
+ printf("\t\t- /etc/shadow:%d: User \"%s\" has no password !\n", FNR, $1);
+ }' < /etc/shadow > ${TMP}
+
+ if [ -s ${TMP} ]; then
+ printf "\nSecurity Warning: /etc/shadow check :\n" >> ${SECURITY_LOG}
+ cat ${TMP} >> ${SECURITY_LOG}
+ fi
+fi
+
+### File systems should not be globally exported.
+if [ -s /etc/exports ] ; then
+ awk '{
+ if (($1 ~ /^#/) || ($1 ~ /^$/)) next;
+ readonly = 0;
+ for (i = 2; i <= NF; ++i) {
+ if ($i ~ /^-ro$/)
+ readonly = 1;
+ else if ($i !~ /^-/)
+ next;
+ }
+ if (readonly) {
+ print "\t\t- Nfs File system " $1 " globally exported, read-only.";
+ } else print "\t\t- Nfs File system " $1 " globally exported, read-write.";
+ }' < /etc/exports > ${TMP}
+
+ if [ -s ${TMP} ] ; then
+ printf "\nSecurity Warning: Some NFS filesystem are exported to globally :\n" >> ${SECURITY_LOG}
+ cat ${TMP} >> ${SECURITY_LOG}
+ fi
+fi
+
+### nfs mounts with missing nosuid
+/bin/mount | /bin/grep -v nosuid | /bin/grep ' nfs ' > ${TMP}
+if [ -s ${TMP} ] ; then
+ printf "\nSecurity Warning: The following NFS mounts haven't got the nosuid option set :\n" >> ${SECURITY_LOG}
+ cat ${TMP} >> ${SECURITY_LOG}
+fi
+
+### Files that should not have + signs.
+list="/etc/hosts.equiv /etc/shosts.equiv /etc/hosts.lpd"
+for file in $list ; do
+ if [ -s ${file} ] ; then
+ awk '{
+ if ($0 ~ /^\+@.*$/)
+ next;
+ if ($0 ~ /^\+.*$/)
+ printf("\t\t- %s: %s\n", FILENAME, $0);
+ }' ${file}
+ fi
+done > ${TMP}
+
+awk -F: '{print $1" "$6}' /etc/passwd |
+ while read username homedir; do
+ for file in .rhosts .shosts; do
+ if [ -s ${homedir}/${file} ] ; then
+ awk '{
+ if ($0 ~ /^\+@.*$/)
+ next;
+ if ($0 ~ /^\+.*$/)
+ printf("\t\t- %s: %s\n", FILENAME, $0);
+ }' ${homedir}/${file}
+ fi
+ done >> ${TMP}
+ done
+
+if [ -s ${TMP} ]; then
+ printf "\nSecurity Warning: '+' character found in hosts trusting files,\n" >> ${SECURITY_LOG}
+ printf "\tthis probably mean that you trust certains users/domain\n" >> ${SECURITY_LOG}
+ printf "\tto connect on this host without proper authentication :\n" >> ${SECURITY_LOG}
+ cat ${TMP} >> ${SECURITY_LOG}
+fi
+
+### executables should not be in the aliases file.
+list="/etc/aliases /etc/postfix/aliases"
+for file in ${list}; do
+ if [ -s ${file} ]; then
+ grep -v '^#' /etc/aliases | grep '|' | while read line; do
+ printf "\t\t- ${line}\n"
+ done > ${TMP}
+ fi
+
+ if [ -s ${TMP} ]; then
+ printf "\nSecurity Warning: The following programs are executed in your mail\n" >> ${SECURITY_LOG}
+ printf "\tvia ${file} files, this could lead to security problems :\n" >> ${SECURITY_LOG}
+ cat ${TMP} >> ${SECURITY_LOG}
+ fi
+done
+
+### Dump a list of open port.
+if [ ${CHECK_OPEN_PORT}=="yes" ]; then
+ netstat -pvlA inet > ${TMP};
+
+ if [ -s ${TMP} ]; then
+ printf "\nThese are the ports listening on your machine :\n" >> ${SECURITY_LOG}
+ cat ${TMP} >> ${SECURITY_LOG}
+ fi
+fi
+fi # end of CHECK_SECURITY
+
+### Report
+if [ -s ${SECURITY_LOG} ]; then
+ Syslog ${SECURITY_LOG}
+ Ttylog ${SECURITY_LOG}
+ cat ${SECURITY_LOG} >> ${SECURITY}
+fi
+
+
+
+
+
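Review bot: `if [ SECURITY_CHECK == "no" ]` compares the literal word SECURITY_CHECK, not `$SECURITY_CHECK`, so the kill switch from security.conf never fires, and every later guard of the form `[ ${CHECK_WRITEABLE}=="yes" ]` is a single-word test that is true for any non-empty expansion (even `==yes` when the variable is unset), so no check can be disabled through the configuration; each should read `if [ "${CHECK_WRITEABLE}" == "yes" ]; then`. `SECURITY_LOG="/tmp/secure.log"` and `TMP="/tmp/secure.tmp"` are fixed paths that this root-run script truncates and appends to, which lets any local user pre-place a symlink there and redirect the writes; use `mktemp` or a path under `/var/log/security`, which the script already creates. `Ttylog` is called with a file path but its body does `echo -e "$1" > /dev/$i`, so logged-in terminals receive the string `/tmp/secure.log` rather than the report, whereas `Syslog` reads the file line by line. The `chown nobody ${line}` and `chgrp nogroup ${line}` loops act on unquoted paths taken from find output, so a name containing whitespace is split and one starting with `-` is parsed as an option; at minimum write `chown -- nobody "${line}"` and `chgrp -- nogroup "${line}"`. Smaller slips in the same hunk: `>> ${SECURE_LOG}` in the nouser block names an undefined variable (bash reports an ambiguous redirect), the aliases loop greps the hard-coded `/etc/aliases` instead of `${file}` for both list entries, and `${DIR}` is never assigned in this file, so unless security.conf sets it the `find` calls search the cron job's working directory.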
diff --git a/doc/msec.spec b/doc/msec.spec
index a3366bb..e40107d 100644
--- a/doc/msec.spec
+++ b/doc/msec.spec
@@ -1,8 +1,8 @@
Summary: Security Level & Program for the Linux Mandrake distribution
Name: msec
-Version: 0.4
-Release: 6mdk
-Source: ftp://mandrakesoft.com/pub/yoann/msec-0.4.tar.gz
+Version: 0.5
+Release: 1mdk
+Source: msec-0.5.tar.gz
Copyright: GPL
Group: System Environment/Base
BuildRoot: /var/tmp/msec
@@ -48,6 +48,14 @@ rm -rf $RPM_BUILD_ROOT
/usr/bin/promisc_check
%changelog
+* Mon Dec 6 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
+- Released 0.5
+- Divided security check into 2 files :
+ security_check.sh & file_check.sh,
+ the first do normal security check, the other watch at anormal change
+ on the system...
+- Bug fix again & again
+
* Wed Dec 1 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- DrakX compatibility.
diff --git a/init-sh/custom.sh b/init-sh/custom.sh
index eac0cc8..feb5fdc 100755
--- a/init-sh/custom.sh
+++ b/init-sh/custom.sh
@@ -65,7 +65,7 @@ fi
echo "Do you want your system to daily check Writable file change ?"
WaitAnswer; clear
if [ ${answer} == "yes" ]; then
- AddRules "CHECK_WRITABLE=yes" /etc/security/msec/security.conf
+ AddRules "CHECK_WRITEABLE=yes" /etc/security/msec/security.conf
AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab
fi
###
diff --git a/init-sh/level1.sh b/init-sh/level1.sh
index dba9f55..b652fc6 100755
--- a/init-sh/level1.sh
+++ b/init-sh/level1.sh
@@ -22,6 +22,10 @@ AddRules "tty6" /etc/securetty
# Security check
echo "Updating file check variable : "
+echo -e "\t- Check security : yes."
+ AddRules "CHECK_SECURITY=yes" /etc/security/msec/security.conf quiet
+echo -e "\t- Check important permissions : no."
+ AddRules "CHECK_PERMS=no" /etc/security/msec/security.conf quiet
echo -e "\t- Check suid root file : no."
AddRules "CHECK_SUID_ROOT=no" /etc/security/msec/security.conf quiet
echo -e "\t- Check suid root file integrity (backdoor check) : no."
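Review bot: The new `AddRules "CHECK_PERMS=no"` line writes a key that nothing reads: `security_check.sh`, added in this same commit, guards the permission checks with `${CHECK_PERMISSIONS}`, so the level setting has no effect either way; pick one spelling and use it in both places, e.g. `AddRules "CHECK_PERMISSIONS=no" /etc/security/msec/security.conf quiet`. The same mismatch is present in the level2.sh, level3.sh, level4.sh and level5.sh hunks. Since the test in security_check.sh is written as `[ ${CHECK_PERMISSIONS}=="yes" ]`, the value is currently not consulted at all, so aligning the name only takes effect once that test is corrected as well.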
@@ -29,7 +33,7 @@ echo -e "\t- Check suid root file integrity (backdoor check) : no."
echo -e "\t- Check suid group file : no."
AddRules "CHECK_SUID_GROUP=no" /etc/security/msec/security.conf quiet
echo -e "\t- Check world writable file : no."
- AddRules "CHECK_WRITABLE=no" /etc/security/msec/security.conf quiet
+ AddRules "CHECK_WRITEABLE=no" /etc/security/msec/security.conf quiet
echo -e "\t- Check unowned file : no."
AddRules "CHECK_UNOWNED=no" /etc/security/msec/security.conf quiet
echo -e "\t- Check promiscuous mode : no."
diff --git a/init-sh/level2.sh b/init-sh/level2.sh
index 37bfa93..b5e9706 100755
--- a/init-sh/level2.sh
+++ b/init-sh/level2.sh
@@ -22,6 +22,10 @@ AddRules "tty6" /etc/securetty
# Security check
echo "Updating file check variable : "
+echo -e "\t- Check security : yes."
+ AddRules "CHECK_SECURITY=yes" /etc/security/msec/security.conf quiet
+echo -e "\t- Check important permissions : no."
+ AddRules "CHECK_PERMS=no" /etc/security/msec/security.conf quiet
echo -e "\t- Check suid root file : yes."
AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf quiet
echo -e "\t- Check suid root file integrity (backdoor check) : yes."
diff --git a/init-sh/level3.sh b/init-sh/level3.sh
index 5a84b40..39213a4 100755
--- a/init-sh/level3.sh
+++ b/init-sh/level3.sh
@@ -26,6 +26,10 @@ AddRules "tty6" /etc/securetty quiet
# Security check
echo "Updating file check variable : "
+echo -e "\t- Check security : yes."
+ AddRules "CHECK_SECURITY=yes" /etc/security/msec/security.conf quiet
+echo -e "\t- Check important permissions : yes."
+ AddRules "CHECK_PERMS=yes" /etc/security/msec/security.conf quiet
echo -e "\t- Check suid root file : yes."
AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf quiet
echo -e "\t- Check suid root file integrity (backdoor check) : yes."
diff --git a/init-sh/level4.sh b/init-sh/level4.sh
index c85b8bb..fac55b6 100755
--- a/init-sh/level4.sh
+++ b/init-sh/level4.sh
@@ -36,6 +36,10 @@ AddRules "tty6" /etc/securetty
# Security check
echo "Updating file check variable : "
+echo -e "\t- Check security : yes."
+ AddRules "CHECK_SECURITY=yes" /etc/security/msec/security.conf quiet
+echo -e "\t- Check important permissions : yes."
+ AddRules "CHECK_PERMS=yes" /etc/security/msec/security.conf quiet
echo -e "\t- Check suid root file : yes."
AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf quiet
echo -e "\t- Check suid root file integrity (backdoor check) : yes."
diff --git a/init-sh/level5.sh b/init-sh/level5.sh
index 3a81faa..5804654 100755
--- a/init-sh/level5.sh
+++ b/init-sh/level5.sh
@@ -27,6 +27,10 @@ echo -e "done.\n\n"
# Security check
echo "Updating file check variable : "
+echo -e "\t- Check security : yes."
+ AddRules "CHECK_SECURITY=yes" /etc/security/msec/security.conf quiet
+echo -e "\t- Check important permissions : yes."
+ AddRules "CHECK_PERMS=yes" /etc/security/msec/security.conf quiet
echo -e "\t- Check suid root file : yes."
AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf quiet
echo -e "\t- Check suid root file integrity (backdoor check) : yes."
diff --git a/init-sh/lib.sh b/init-sh/lib.sh
index 47bbcec..971a228 100644
--- a/init-sh/lib.sh
+++ b/init-sh/lib.sh
@@ -174,6 +174,7 @@ echo "Setting spoofing protection : "
AddRules "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter" /etc/rc.d/rc.firewall
# default group which must exist on the system
+groupadd nogroup >& /dev/null
groupadd audio >& /dev/null
groupadd xgrp >& /dev/null
usermod -G xgrp xfs