authorYoann Vandoorselaere <yoann@mandriva.com>2000-03-08 14:01:47 +0000
committerYoann Vandoorselaere <yoann@mandriva.com>2000-03-08 14:01:47 +0000
commitf6b197970ba833ea3e629a29805681fde8d4b811 (patch)
tree55b4fa4ab2962a86b77f5338342d92ab21ebe70d
parentbac62ec2c6fc141a00acd131278befa0ba5f1c5a (diff)
*** empty log message ***
-rw-r--r--ChangeLog7
-rw-r--r--Makefile9
-rwxr-xr-xcron-sh/security.sh17
-rwxr-xr-xinit-sh/custom.sh12
-rwxr-xr-xinit-sh/level4.sh13
-rwxr-xr-xinit-sh/level5.sh9
-rwxr-xr-xinit-sh/msec6
-rw-r--r--msec.spec8
-rw-r--r--src/msec_find/Makefile13
-rw-r--r--src/msec_find/find.c233
10 files changed, 317 insertions, 10 deletions
diff --git a/ChangeLog b/ChangeLog
index 47ec38e..eaafff4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,11 @@
+2000-03-08 Yoann Vandoorselaere <yoann@mandrakesoft.com>
+ * Added msec_find utility, written by Thierry Vignaud
+ which will avoid us to find / 5 times :)
+ * Heavilly modified msec_find.
+
2000-03-07 Yoann Vandoorselaere <yoann@mandrakesoft.com>
+ * Added support for libsafe stack overflow protection in level 4 / 5 /
+ custom
* trap the sigint signal
* use /etc/security/msec for config file only.
* Renamed init.sh to msec, and install it in /usr/sbin.
diff --git a/Makefile b/Makefile
index 634c2d6..5edb8ac 100644
--- a/Makefile
+++ b/Makefile
@@ -1,7 +1,7 @@
VERSION = 0.9
NAME = msec
-all: promisc_check
+all: promisc_check msec_find
clean:
find . -name *.o -exec rm -f {} \;
@@ -9,7 +9,10 @@ clean:
rm -f src/promisc_check/promisc_check
promisc_check:
- (cd src/promisc_check; make)
+ (cd src/promisc_check && make)
+
+msec_find:
+ (cd src/msec_find && make)
dis: clean
rm -rf msec-$(VERSION) ../msec-$(VERSION).tar*
@@ -40,7 +43,7 @@ install:
(touch $(RPM_BUILD_ROOT)/var/log/security.log)
(mkdir -p $(RPM_BUILD_ROOT)/var/log/security)
(cd src/promisc_check && make install)
- (cd cron-sh && make install)
+ (cd src/msec_find && make install)
@echo
@echo
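Review bot: The last changed line replaces `(cd cron-sh && make install)` with `(cd src/msec_find && make install)` instead of adding the new line after it, so unless the cron-sh install was moved somewhere not visible here, `make install` no longer installs the cron script that is the only caller of msec_find. Keep both lines: `(cd cron-sh && make install)` followed by `(cd src/msec_find && make install)`. The install target continues outside the hunk.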
diff --git a/cron-sh/security.sh b/cron-sh/security.sh
index ee94863..ebe71de 100755
--- a/cron-sh/security.sh
+++ b/cron-sh/security.sh
@@ -74,11 +74,18 @@ fi
netstat -pvlA inet 2> /dev/null > ${OPEN_PORT_TODAY};
# Hard disk related file check; the less priority the better...
-nice --adjustment=+19 find ${DIR} -xdev -type f -perm +04000 -user root -printf "${PRINT}" 2> /dev/null | sort > ${SUID_ROOT_TODAY}
-nice --adjustment=+19 find ${DIR} -xdev -type f -perm +02000 -printf "${PRINT}" 2> /dev/null | sort > ${SUID_GROUP_TODAY}
-nice --adjustment=+19 find ${DIR} -xdev -type f -perm -2 -printf "${PRINT}" 2> /dev/null | sort > ${WRITEABLE_TODAY}
-nice --adjustment=+19 find ${DIR} -xdev -nouser -printf "${PRINT}" 2> /dev/null | sort > ${UNOWNED_USER_TODAY}
-nice --adjustment=+19 find ${DIR} -xdev -nogroup -printf "${PRINT}" 2> /dev/null | sort > ${UNOWNED_GROUP_TODAY}
+nice --adjustment=+19 /usr/bin/msec_find ${DIR}
+sort < ${SUID_ROOT_TODAY} > ${SUID_ROOT_TODAY}.tmp
+sort < ${SUID_GROUP_TODAY} > ${SUID_GROUP_TODAY}.tmp
+sort < ${WRITEABLE_TODAY} > ${WRITEABLE_TODAY}.tmp
+sort < ${UNOWNED_USER_TODAY} > ${UNOWNED_USER_TODAY}.tmp
+sort < ${UNOWNED_GROUP_TODAY} > ${UNOWNED_GROUP_TODAY}.tmp
+
+mv -f ${SUID_ROOT_TODAY}.tmp ${SUID_ROOT_TODAY}
+mv -f ${SUID_GROUP_TODAY}.tmp ${SUID_GROUP_TODAY}
+mv -f ${WRITEABLE_TODAY}.tmp ${WRITEABLE_TODAY}
+mv -f ${UNOWNED_USER_TODAY}.tmp ${UNOWNED_USER_TODAY}
+mv -f ${UNOWNED_GROUP_TODAY}.tmp ${UNOWNED_GROUP_TODAY}
while read line; do
md5sum ${line}
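Review bot: `/usr/bin/msec_find ${DIR}` takes its five output paths from the environment (find.c calls `getenv("SUID_ROOT_TODAY")` and the other four `*_TODAY` names), so each variable must be exported before this line or the tool passes a NULL path to fopen; nothing in the hunk shows an `export`, so confirm it happens where the variables are assigned earlier in the script. The removed `find` pipelines sent stderr to /dev/null and wrote only to the log files, whereas msec_find prints every regular file it visits to stdout, which under cron ends up in the job's mail or log output; redirect it, e.g. `nice --adjustment=+19 /usr/bin/msec_find ${DIR} > /dev/null`, or drop the printf in find.c. The five sort-to-.tmp-then-mv pairs can each be written as `sort -o ${SUID_ROOT_TODAY} ${SUID_ROOT_TODAY}` (sort reads the whole input before writing when -o names an input file), which removes the temporary files and the `mv -f` lines.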
diff --git a/init-sh/custom.sh b/init-sh/custom.sh
index b8b8402..9d46bd1 100755
--- a/init-sh/custom.sh
+++ b/init-sh/custom.sh
@@ -62,6 +62,18 @@ if [[ ${answer} == yes ]]; then
AddRules "tty6" /etc/securetty
fi
###
+echo "Do you want to enable the libsafe stack overflow protection ?"
+echo "This stack overflow protection work by catching dangerous function call"
+echo "like strcpy, strcat, getwd, gets, [vf]scanf, realpath, [v]sprintf"
+echo "and verify the address & the size of the destination buffer in the stack"
+echo "this is done by searching in the stack frame the one which contain the"
+echo "destination address, and by substracting the frame address to the destination buffer one"
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ AddRules "export LD_PRELOAD=/usr/lib/libsafe.so.1.2" /etc/profile
+fi
+
+###
echo "Do you want your system to daily check important security problem ?"
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
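Review bot: The `export LD_PRELOAD=/usr/lib/libsafe.so.1.2` rule is added to /etc/profile whenever the user answers yes, without the `[[ -f /usr/lib/libsafe.so.1.2 ]]` guard that the corresponding hunks in level4.sh and level5.sh use, so on a system without libsafe installed every login shell would then carry a preload path that does not exist. Guard it the same way: `if [[ ${answer} == yes && -f /usr/lib/libsafe.so.1.2 ]]; then`. The prompt text also has grammar slips a user will see ("protection work by" → "works by", "the one which contain" → "contains", "substracting" → "subtracting").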
diff --git a/init-sh/level4.sh b/init-sh/level4.sh
index 75a0e85..f10fb54 100755
--- a/init-sh/level4.sh
+++ b/init-sh/level4.sh
@@ -105,9 +105,15 @@ echo -e "done.\n";
# /etc/profile
echo "Setting umask to 022 (u=rw,g=rx) for root, 077 (u=rw) for user :"
AddRules "if [[ \${UID} == 0 ]]; then umask 022; else umask 077; fi" /etc/profile
+
echo "Adding \"normal\" PATH variable :"
AddRules "PATH=\$PATH:/usr/X11R6/bin:/usr/games" /etc/profile quiet
-AddRules "export PATH SECURE_LEVEL" /etc/profile
+AddRules "export PATH SECURE_LEVEL" /etc/profile
+
+if [[ -f /usr/lib/libsafe.so.1.2 ]]; then
+ echo "Enabling stack overflow protection :"
+ AddRules "export LD_PRELOAD=/usr/lib/libsafe.so.1.2" /etc/profile
+fi
# Do not boot on a shell
echo -n "Setting up inittab to deny any user to issue ctrl-alt-del : "
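Review bot: Exporting LD_PRELOAD from /etc/profile (here and in the matching hunk of level5.sh) only reaches processes started from a login shell — daemons, cron jobs and anything started at boot never see it — and ld.so ignores LD_PRELOAD entries containing a slash for set-user-ID programs, so the protection is narrower than "Enabling stack overflow protection" suggests. A comment above the `if` stating that scope would help the next maintainer, e.g. `# libsafe via /etc/profile covers interactive sessions only, not daemons or set-uid programs`. The removed and re-added `AddRules "export PATH SECURE_LEVEL" /etc/profile` pair appears to differ only in trailing whitespace.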
@@ -122,3 +128,8 @@ echo "done."
# Group were modified in lib.sh...
grpconv
+
+
+
+
+
diff --git a/init-sh/level5.sh b/init-sh/level5.sh
index 59dc413..0e458b7 100755
--- a/init-sh/level5.sh
+++ b/init-sh/level5.sh
@@ -103,10 +103,16 @@ echo -e "done.\n";
# /etc/profile
echo "Setting umask to 077 (u=rw) :"
AddRules "umask 077" /etc/profile
+
echo "Adding \"normal\" PATH variable :"
AddRules "PATH=\$PATH:/usr/X11R6/bin" /etc/profile quiet
AddRules "export PATH SECURE_LEVEL" /etc/profile
+if [[ -f /usr/lib/libsafe.so.1.2 ]]; then
+ echo "Enabling stack overflow protection :"
+ AddRules "export LD_PRELOAD=/usr/lib/libsafe.so.1.2" /etc/profile
+fi
+
# Do not boot on a shell
echo -n "Setting up inittab to deny any user to issue ctrl-alt-del : "
tmpfile=`mktemp /tmp/secure.XXXXXX`
@@ -144,3 +150,6 @@ grpconv
+
+
+
diff --git a/init-sh/msec b/init-sh/msec
index 2fc7c53..1ba1bb2 100755
--- a/init-sh/msec
+++ b/init-sh/msec
@@ -16,11 +16,17 @@ fi
if [[ ${1} == custom ]]; then
/usr/share/msec/custom.sh
+ echo
+ echo "You might logout of your session for some change to be activated."
+ echo
exit 0;
fi
if [[ -f /usr/share/msec/level$1.sh ]]; then
/usr/share/msec/level$1.sh
+ echo
+ echo "You might logout of your session for some change to be activated."
+ echo
if [[ -f /usr/share/msec/perm.$1 ]]; then
/usr/share/msec/file_perm.sh /usr/share/msec/perm.$1
else
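Review bot: The new message "You might logout of your session for some change to be activated." reads as an option rather than a requirement and is duplicated in both branches; consider `echo "You may need to log out and back in for some changes to take effect."` in both places. The second branch continues outside the hunk, so whether the message could be emitted once after the `if` chain cannot be judged from here.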
diff --git a/msec.spec b/msec.spec
index 9af10b8..4723c22 100644
--- a/msec.spec
+++ b/msec.spec
@@ -39,6 +39,7 @@ rm -rf $RPM_BUILD_ROOT
%doc AUTHORS COPYING Makefile README
%doc doc/*txt ChangeLog doc/*ps
/usr/bin/promisc_check
+/usr/bin/msec_find
/usr/sbin/msec
/usr/share/msec
/var/log/security.log
@@ -48,7 +49,12 @@ rm -rf $RPM_BUILD_ROOT
%config /etc/security/msec
%changelog
-* Tue Mar 07 Yoann Vandoorselaere <yoann@mandrakesoft.com>
+* Tue Mar 08 Yoann Vandoorselaere <yoann@mandrakesoft.com>
+- Heavylly Modified msec_find.
+- Added msec_find utility, written by Thierry Vignaud which will avoid us to
+ find / 5 times :)
+- Added support for libsafe stack overflow protection in level 4 / 5 /
+ custom
- trap the sigint signal.
- use %config for config file ( thanks to Frederic Lepied ).
- use /etc/security/msec for config file only.
diff --git a/src/msec_find/Makefile b/src/msec_find/Makefile
new file mode 100644
index 0000000..20fb4d9
--- /dev/null
+++ b/src/msec_find/Makefile
@@ -0,0 +1,13 @@
+CC=gcc
+NAME=msec_find
+
+CFLAGS = -ggdb -Wall -Wmissing-prototypes -Wmissing-declarations \
+-Wpointer-arith -m486 -O2 -finline-functions -fkeep-inline-functions
+
+OBJ=find.o
+
+msec_find: $(OBJ)
+ $(CC) $(OBJ) -o $(NAME)
+
+install:
+ cp $(NAME) /usr/bin
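Review bot: The `install` target copies straight to `/usr/bin`, ignoring the `$(RPM_BUILD_ROOT)` that the top-level Makefile's install rule uses for every other path, so an rpm build running `(cd src/msec_find && make install)` writes into the build host's real /usr/bin rather than the buildroot; use `install -m 755 $(NAME) $(RPM_BUILD_ROOT)/usr/bin/$(NAME)` after a `mkdir -p $(RPM_BUILD_ROOT)/usr/bin`. The `-m486` flag in CFLAGS hard-codes the target CPU and is gcc-specific, so the build fails on non-x86 hosts. There is no `clean` target, and the top-level `clean` only removes `*.o`, leaving the `msec_find` binary behind.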
diff --git a/src/msec_find/find.c b/src/msec_find/find.c
new file mode 100644
index 0000000..65e8c73
--- /dev/null
+++ b/src/msec_find/find.c
@@ -0,0 +1,233 @@
+/*
+ * Written by Thierry Vignaud,
+ * heavilly modified for msec purpose by Vandoorselaere Yoann.
+ *
+ * This code is copyrighted by Mandrakesoft [(c) 2000] and is released under
+ * the GPL licence
+ */
+
+
+/*
+ * TODO
+ * +++ hash tables or btree to stock already searched uid/gid for speed
+ * Pb: since linux-2.3.4x, uid & gid are 32 bits wide ... => BTREE?
+ * static char **uid_hash, **gid_hash;
+ *
+ * +++ check for open & I/O error on log files ...
+ * +++ Yoann scripts should avoid /dev if devfs is mounted (either by testing
+ * if /dev is mounted by devfs or if [ -f /dev/.devfsd ] => see with
+ * Yoann
+ * --- disable 'cannot stat ...' warning (???) => better log them SECURITY_LOG
+ * --- disable write test on links => OK
+ */
+
+/*
+ * (Vandoorselaere Yoann)
+ * Done :
+ * - Don't handle FTW_DNR case, since it will print warning for /proc file.
+ * - Don't walk trought /dev & /proc.
+ * - We don't need to handle all of the ftw flag, just the FTW_F & FTW_D one :)
+ * - Use FTW_PHYS to not follow symbolic link.
+ * - Do not use getenv to get the root directory.
+ * - Use argv instead of a DIR variable to get directory to scan.
+ * - Free directory after use when allocated for appending a '/'.
+ * - We do not need __USE_XOPEN_EXTENDED definition.
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+
+#define __USE_XOPEN_EXTENDED
+#include <ftw.h>
+
+#include <sys/stat.h>
+
+/* For NSS managment */
+#include <pwd.h>
+#include <grp.h>
+#include <sys/types.h>
+
+#include <string.h>
+
+
+#ifdef __GNUC__
+#define inline
+#else
+#warning upgrade your so-called system to a real OS such as GNU/Linux
+#endif
+
+/*
+ * Log files
+ */
+static FILE *suid_fd;
+static FILE *sgid_fd;
+static FILE *unowned_user_fd;
+static FILE *unowned_group_fd;
+static FILE *writeable_fd;
+
+static int traverse(const char *file, const struct stat *sb, int flag, struct FTW *s)
+{
+ struct passwd *u_nss_data;
+ struct group *g_nss_data;
+
+ if (strncmp(file, "//", 2) == 0 )
+ /*
+ * handle bogus glibc ftw
+ * else we won't print only one '/' in front of file names
+ */
+ file++;
+
+ if (strncmp("/proc", file, 5) == 0)
+ return 0;
+ if (strncmp("/dev", file, 4) == 0)
+ return 0;
+
+ switch (flag) {
+ /*
+ * Here is a difference with security-check.sh:
+ * we don't check for regular files only for Set-UID et Set-GID but
+ * to directories too. Idem for world writable directories ...
+ */
+
+ case FTW_F:
+ /*
+ * Regular file
+ */
+ printf("%s\n", file);
+
+ /*
+ * Is writeable check.
+ */
+ if (sb->st_mode & 0002)
+ fprintf(writeable_fd, "%s\n", file);
+
+ /*
+ * Is suid root check.
+ */
+ if ((sb->st_mode & S_ISUID) && (sb->st_uid == 0))
+ fprintf(suid_fd, "%s\n", file);
+
+ /*
+ * Is suid group check.
+ */
+ if (sb->st_mode & S_ISGID)
+ fprintf(sgid_fd, "%s\n", file);
+
+ case FTW_D:
+ /*
+ * Unowned user check.
+ */
+ u_nss_data = getpwuid(sb->st_uid);
+ if (u_nss_data == NULL)
+ fprintf(unowned_user_fd, "%s\n", file);
+
+ /*
+ * Unowned group check.
+ */
+ g_nss_data = getgrgid(sb->st_uid);
+ if (g_nss_data == NULL)
+ fprintf(unowned_group_fd, "%s\n", file);
+ break;
+ }
+ return 0;
+}
+
+/* This function opens all log files */
+__inline__ static void init()
+{
+ static const char *mode = "w+";
+
+ suid_fd = fopen(getenv("SUID_ROOT_TODAY"), mode);
+ if ( ! suid_fd ) {
+ perror("fopen (suid_root_today)");
+ exit(1);
+ }
+
+ sgid_fd = fopen(getenv("SUID_GROUP_TODAY"), mode);
+ if ( ! sgid_fd ) {
+ perror("fopen (suid_group_today)");
+ exit(1);
+ }
+
+ writeable_fd = fopen(getenv("WRITEABLE_TODAY"), mode);
+ if ( ! writeable_fd ) {
+ perror("fopen (writeable_today)");
+ exit(1);
+ }
+
+ unowned_user_fd = fopen(getenv("UNOWNED_USER_TODAY"), mode);
+ if ( ! unowned_user_fd ) {
+ perror("fopen (unowned_user_today)");
+ exit(1);
+ }
+
+ unowned_group_fd = fopen(getenv("UNOWNED_GROUP_TODAY"), mode);
+ if ( ! unowned_group_fd ) {
+ perror("fopen (unowned_group_today)");
+ exit(1);
+ }
+}
+
+int main(int argc, char **argv)
+{
+ char *directory;
+ int res = 0, i;
+ int ctrl = 0;
+
+ if ( argc < 2 ) {
+ fprintf(stderr, "Please give directory as argument.\n");
+ fprintf(stderr, "%s /usr/sbin /sbin\n\n", argv[0]);
+ exit(1);
+ }
+
+ /* open all log files */
+ init();
+
+ for ( i = 0; i < argc; i++ ) {
+
+ if (strcmp(argv[0], "/") != 0) {
+ /*
+ * We need to add a final '/' to the base directory name else the
+ * FTW_MOUNT option of nftw won't work. i.e. : /mnt/cdrom is on the /
+ * fs (it is the directory on which a CD is mounted) whereas
+ * /mnt/cdrom/ is the mounted directory.
+ * Hopefully, find has the same "bug"
+ */
+
+ ctrl = 1;
+ directory = ( char * ) malloc((strlen(argv[i]) + 1));
+ if ( ! directory ) {
+ perror("malloc");
+ exit(1);
+ }
+
+ strcpy(directory, argv[i]);
+ strcat(directory, "/");
+ } else directory = argv[i];
+
+ res = nftw(directory, traverse, (int) 500, FTW_PHYS | FTW_MOUNT | FTW_CHDIR);
+ if ( ctrl ) {
+ free(directory);
+ ctrl = 0;
+ }
+ }
+
+ /*
+ * close all log files
+ */
+
+ fclose(suid_fd);
+ fclose(sgid_fd);
+ fclose(writeable_fd);
+ fclose(unowned_user_fd);
+ fclose(unowned_group_fd);
+
+ exit(res);
+}
+
+
+
+
+
+
+
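Review bot: The unowned-group check `g_nss_data = getgrgid(sb->st_uid);` looks up the file's uid in the group database, so a file whose gid has no group entry is reported only by accident and a file whose gid equals some valid uid is silently accepted; it should be `getgrgid(sb->st_gid)`. In main the scan loop starts at `i = 0`, so argv[0] (the program name) is handed to nftw, and `strcmp(argv[0], "/")` never examines the argument being processed; the buffer is also one byte short — `malloc(strlen(argv[i]) + 1)` followed by `strcpy` and `strcat(directory, "/")` stores strlen + 2 bytes, overflowing the heap block by the terminating NUL on every non-"/" argument. In init() each `getenv()` can return NULL when the caller does not export the `*_TODAY` variables, and passing NULL to fopen is undefined behaviour, so check the value and exit with a message naming the variable before opening. The `return 0` for the `/proc` and `/dev` prefixes skips only the matched entries' output — nftw still descends into them (and the prefixes also match names such as `/devel`), and the fall-through from `case FTW_F` into `case FTW_D` is intentional per the surrounding comment but unmarked.
```c
	g_nss_data = getgrgid(sb->st_gid);
	/* … unchanged: rest of traverse … */

	for (i = 1; i < argc; i++) {
		if (strcmp(argv[i], "/") != 0) {
			/* … unchanged: comment on FTW_MOUNT and the trailing '/' … */
			ctrl = 1;
			directory = malloc(strlen(argv[i]) + 2); /* name + '/' + NUL */
			if (!directory) {
				perror("malloc");
				exit(1);
			}
			strcpy(directory, argv[i]);
			strcat(directory, "/");
		} else directory = argv[i];
		/* … unchanged: nftw call and free … */
```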