diff options
author | Eugeni Dodonov <eugeni@mandriva.org> | 2009-06-23 20:52:47 +0000 |
---|---|---|
committer | Eugeni Dodonov <eugeni@mandriva.org> | 2009-06-23 20:52:47 +0000 |
commit | 1f56baceee8d86b84c07227b6a6bfe9a95b6b123 (patch) | |
tree | d44a3c9a87f3d812687f08a32e7d98dbe4c2e9a5 | |
parent | c34ef5f3c13e691056c6a59b6b945d87c678b710 (diff) | |
download | msec-1f56baceee8d86b84c07227b6a6bfe9a95b6b123.tar msec-1f56baceee8d86b84c07227b6a6bfe9a95b6b123.tar.gz msec-1f56baceee8d86b84c07227b6a6bfe9a95b6b123.tar.bz2 msec-1f56baceee8d86b84c07227b6a6bfe9a95b6b123.tar.xz msec-1f56baceee8d86b84c07227b6a6bfe9a95b6b123.zip |
Add support for FIX_UNOWNED to allow changing unowned files owner and
group (#51791).
-rw-r--r-- | conf/level.secure | 1 | ||||
-rw-r--r-- | conf/level.standard | 1 | ||||
-rwxr-xr-x | cron-sh/security_check.sh | 4 | ||||
-rw-r--r-- | src/msec/config.py | 3 | ||||
-rwxr-xr-x | src/msec/libmsec.py | 4 |
5 files changed, 12 insertions, 1 deletions
diff --git a/conf/level.secure b/conf/level.secure index 89c7726..6b6dc25 100644 --- a/conf/level.secure +++ b/conf/level.secure @@ -26,6 +26,7 @@ ENABLE_PAM_WHEEL_FOR_SU=yes CHECK_SHADOW=yes ALLOW_ROOT_LOGIN=no CHECK_UNOWNED=yes +FIX_UNOWNED=yes ENABLE_CONSOLE_LOG=no ALLOW_USER_LIST=no ENABLE_DNS_SPOOFING_PROTECTION=yes diff --git a/conf/level.standard b/conf/level.standard index bf4b0f5..6d0d952 100644 --- a/conf/level.standard +++ b/conf/level.standard @@ -26,6 +26,7 @@ ENABLE_PAM_WHEEL_FOR_SU=no CHECK_SHADOW=yes ALLOW_ROOT_LOGIN=yes CHECK_UNOWNED=no +FIX_UNOWNED=yes ENABLE_CONSOLE_LOG=yes ALLOW_USER_LIST=yes ENABLE_DNS_SPOOFING_PROTECTION=yes diff --git a/cron-sh/security_check.sh b/cron-sh/security_check.sh index bbff82a..fe1418b 100755 --- a/cron-sh/security_check.sh +++ b/cron-sh/security_check.sh @@ -40,7 +40,9 @@ if [[ ${CHECK_UNOWNED} == yes ]]; then printf "\t( theses files now have user \"nobody\" as their owner. )\n" >> ${SECURITY} cat ${UNOWNED_USER_TODAY} | awk '{print "\t\t- " $0}' >> ${SECURITY} cat ${UNOWNED_USER_TODAY} | while read line; do + if [[ ${FIX_UNOWNED} == yes ]]; then chown nobody "${line}"; # Use quote if filename contain space. + fi done fi @@ -49,7 +51,9 @@ if [[ ${CHECK_UNOWNED} == yes ]]; then printf "\t( theses files now have group \"nogroup\" as their group owner. )\n" >> ${SECURITY} cat ${UNOWNED_GROUP_TODAY} | awk '{print "\t\t- " $0}' >> ${SECURITY} cat ${UNOWNED_GROUP_TODAY} | while read line; do + if [[ ${FIX_UNOWNED} == yes ]]; then chgrp nogroup "${line}"; # Use quote if filename contain space. + fi done fi fi diff --git a/src/msec/config.py b/src/msec/config.py index 37880e7..212b327 100644 --- a/src/msec/config.py +++ b/src/msec/config.py @@ -61,6 +61,7 @@ SETTINGS = {'BASE_LEVEL': ("libmsec.base_level", 'CHECK_SGID' : ("libmsec.check_sgid", ['yes', 'no']), 'CHECK_WRITABLE' : ("libmsec.check_writable", ['yes', 'no']), 'CHECK_UNOWNED' : ("libmsec.check_unowned", ['yes', 'no']), + 'FIX_UNOWNED' : ("libmsec.fix_unowned", ['yes', 'no']), 'CHECK_PROMISC' : ("libmsec.check_promisc", ['yes', 'no']), 'CHECK_OPEN_PORT' : ("libmsec.check_open_port", ['yes', 'no']), 'CHECK_PASSWD' : ("libmsec.check_passwd", ['yes', 'no']), @@ -125,7 +126,7 @@ SETTINGS_NETWORK = ["ACCEPT_BOGUS_ERROR_RESPONSES", "ACCEPT_BROADCASTED_ICMP_ECH ] # periodic checks SETTINGS_PERIODIC = ["CHECK_PERMS", "CHECK_USER_FILES", "CHECK_SUID_ROOT", "CHECK_SUID_MD5", "CHECK_SGID", - "CHECK_WRITABLE", "CHECK_UNOWNED", "CHECK_PROMISC", "CHECK_OPEN_PORT", "CHECK_PASSWD", + "CHECK_WRITABLE", "CHECK_UNOWNED", "FIX_UNOWNED", "CHECK_PROMISC", "CHECK_OPEN_PORT", "CHECK_PASSWD", "CHECK_SHADOW", "CHECK_CHKROOTKIT", "CHECK_RPM", "CHECK_SHOSTS", "TTY_WARN", "SYSLOG_WARN", "MAIL_EMPTY_CONTENT", ] diff --git a/src/msec/libmsec.py b/src/msec/libmsec.py index 162cf01..5d5d232 100755 --- a/src/msec/libmsec.py +++ b/src/msec/libmsec.py @@ -1420,6 +1420,10 @@ class MSEC: """ Enable checking for unowned files.""" pass + def fix_unowned(self, param): + """ Fix owner and group of unowned files to use nobody/nogroup.""" + pass + def check_open_port(self, param): """ Enable checking for open network ports.""" pass |