authorYoann Vandoorselaere <yoann@mandriva.com>1999-12-19 20:05:06 +0000
committerYoann Vandoorselaere <yoann@mandriva.com>1999-12-19 20:05:06 +0000
commitf452f1717554c19e09ae8ef68aeb00e107b08015 (patch)
tree2a645692f9ec964c7b2b8744cc5aeea2835f0135 /cron-sh/diff_check.sh
parentee1bc9f98ca6fb3c2a9fef6b559ecd87eb64cf53 (diff)
*** empty log message ***
Diffstat (limited to 'cron-sh/diff_check.sh')
-rwxr-xr-xcron-sh/diff_check.sh187
1 files changed, 68 insertions, 119 deletions
diff --git a/cron-sh/diff_check.sh b/cron-sh/diff_check.sh
index 603edf6..006a26d 100755
--- a/cron-sh/diff_check.sh
+++ b/cron-sh/diff_check.sh
@@ -14,34 +14,9 @@ if [[ ${CHECK_SECURITY} == no ]]; then
exit 0
fi
-SUID_ROOT_TODAY="/var/log/security/suid_root.today"
-SUID_ROOT_YESTERDAY="/var/log/security/suid_root.yesterday"
-SUID_ROOT_DIFF="/var/log/security/suid_root.diff"
-SUID_GROUP_TODAY="/var/log/security/suid_group.today"
-SUID_GROUP_YESTERDAY="/var/log/security/suid_group.yesterday"
-SUID_GROUP_DIFF="/var/log/security/suid_group.diff"
-SUID_MD5_TODAY="/var/log/security/suid_md5.today"
-SUID_MD5_YESTERDAY="/var/log/security/suid_md5.yesterday"
-SUID_MD5_DIFF="/var/log/security/suid_md5.diff"
-OPEN_PORT_TODAY="/var/log/security/open_port.today"
-OPEN_PORT_YESTERDAY="/var/log/security/open_port.yesterday"
-OPEN_PORT_DIFF="/var/log/security/open_port.diff"
-WRITEABLE_TODAY="/var/log/security/writeable.today"
-WRITEABLE_YESTERDAY="/var/log/security/writeable.yesterday"
-WRITEABLE_DIFF="/var/log/security/writeable.diff"
-UNOWNED_TODAY="/var/log/security/unowned.today"
-UNOWNED_YESTERDAY="/var/log/security/unowned.yesterday"
-UNOWNED_DIFF="/var/log/security/unowned.diff"
-
SECURITY_LOG="/var/log/security.log"
TMP=`mktemp /tmp/secure.XXXXXX`
-if [[ ! -d /var/log/security ]]; then
- mkdir /var/log/security
-fi
-
-rm -f ${TMP} ${SECURITY_TMP} >& /dev/null
-
### Functions ###
Syslog() {
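Review bot: The retained `TMP=\`mktemp /tmp/secure.XXXXXX\`` still has no failure check, so if mktemp fails `${TMP}` is empty and every later `>> ${TMP}` becomes a bare redirection error and the report is lost; `TMP=$(mktemp /tmp/secure.XXXXXX) || exit 1` closes that. The hunk also removes every `/var/log/security/*` path definition and the `mkdir` of that directory, so those names are presumably now supplied by whatever file defines `${CHECK_SECURITY}`, which is outside this view. Since `[[ -f '' ]]` is simply false, an unset path variable silently turns the corresponding check into a no-op rather than an error, so a guard such as `: "${SUID_ROOT_TODAY:?}"`, or at least a comment naming the file that is expected to define them, would make the dependency explicit. Dropping the `rm -f ${TMP}` that previously followed mktemp is sound, since deleting the file mktemp just created reopened the /tmp race it exists to prevent.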
@@ -66,154 +41,119 @@ Ttylog() {
### New Suid root files detection
if [[ ${CHECK_SUID_ROOT} == yes ]]; then
- if [[ -f ${SUID_ROOT_TODAY} ]]; then
- mv ${SUID_ROOT_TODAY} ${SUID_ROOT_YESTERDAY}
- fi
-
- find ${DIR} -xdev -type f -perm +04000 -user root \
- -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" | sort > ${SUID_ROOT_TODAY}
-
if [[ -f ${SUID_ROOT_YESTERDAY} ]]; then
if ! diff -u ${SUID_ROOT_YESTERDAY} ${SUID_ROOT_TODAY} > ${SUID_ROOT_DIFF}; then
printf "\nSecurity Warning: Change in Suid Root files found :\n" >> ${TMP}
- grep '^+' ${SUID_ROOT_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do
- printf "\t\t- Added suid root files : ${file}.\n" >> ${TMP}
- done
- grep '^-' ${SUID_ROOT_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do
- printf "\t\t- Removed suid root files : ${file}.\n" >> ${TMP}
- done
+ grep '^+' ${SUID_ROOT_DIFF} | grep -vw "^+++ " | sed 's|^.||' | while read file; do
+ printf "\t\t- Added suid root files : ${file}\n"
+ done >> ${TMP}
+ grep '^-' ${SUID_ROOT_DIFF} | grep -vw "^--- " | sed 's|^.||' | while read file; do
+ printf "\t\t- Removed suid root files : ${file}\n"
+ done >> ${TMP}
fi
fi
+
fi
### New Suid group files detection
if [[ ${CHECK_SUID_GROUP} == yes ]]; then
- if [[ -f ${SUID_GROUP_TODAY} ]]; then
- mv ${SUID_GROUP_TODAY} ${SUID_GROUP_YESTERDAY}
- fi
-
- find ${DIR} -xdev -type f -perm +02000 \
- -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" | sort > ${SUID_GROUP_TODAY}
-
if [[ -f ${SUID_GROUP_YESTERDAY} ]]; then
if ! diff -u ${SUID_GROUP_YESTERDAY} ${SUID_GROUP_TODAY} > ${SUID_GROUP_DIFF}; then
- printf "\nSecurity Warning: Changes in Suid Group files found :\n" >> ${TMP}
- grep '^+' ${SUID_GROUP_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do
- printf "\t\t- Added suid group files : ${file}.\n" >> ${TMP}
- done
- grep '^-' ${SUID_GROUP_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do
- printf "\t\t- Removed suid group files : ${file}.\n" >> ${TMP}
- done
+ printf "\nSecurity Warning: Changes in Suid Group files found :\n" >> ${TMP}
+ grep '^+' ${SUID_GROUP_DIFF} | grep -vw "^+++ " | sed 's|^.||' | while read file; do
+ printf "\t\t- Added suid group files : ${file}\n"
+ done >> ${TMP}
+ grep '^-' ${SUID_GROUP_DIFF} | grep -vw "^--- " | sed 's|^.||' | while read file; do
+ printf "\t\t- Removed suid group files : ${file}\n"
+ done >> ${TMP}
fi
fi
+
fi
### Writable files detection
if [[ ${CHECK_WRITEABLE} == yes ]]; then
- if [[ -f ${WRITEABLE_TODAY} ]]; then
- mv -f ${WRITEABLE_TODAY} ${WRITEABLE_YESTERDAY}
- fi
-
- find ${DIR} -xdev -type f -perm -2 -ls -print | sort > ${WRITEABLE_TODAY}
-
if [[ -f ${WRITEABLE_YESTERDAY} ]]; then
if ! diff -u ${WRITEABLE_YESTERDAY} ${WRITEABLE_TODAY} > ${WRITEABLE_DIFF}; then
printf "\nSecurity Warning: Change in World Writeable Files found :\n" >> ${TMP}
- grep '^+' ${WRITEABLE_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do
- printf "\t\t- Added writables files : ${file}.\n" >> ${TMP}
- done
- grep '^-' ${WRITEABLE_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do
- printf "\t\t- Removed writables files : ${file}.\n" >> ${TMP}
- done
+ grep '^+' ${WRITEABLE_DIFF} | grep -vw "^+++ " | sed 's|^.||' | while read file; do
+ printf "\t\t- Added writables files : ${file}\n"
+ done >> ${TMP
+ grep '^-' ${WRITEABLE_DIFF} | grep -vw "^--- " | sed 's|^.||' | while read file; do
+ printf "\t\t- Removed writables files : ${file}\n"
+ done >> ${TMP}
fi
fi
+
fi
### Search Non Owned files
if [[ ${CHECK_UNOWNED} == yes ]]; then
- if [[ -f ${UNOWNED_TODAY} ]]; then
- mv -f ${UNOWNED_TODAY} ${UNOWNED_YESTERDAY}
- fi
-
- find ${DIR} -xdev -nouser -print -ls | sort > ${UNOWNED_TODAY}
-
- if [[ -f ${UNOWNED_YESTERDAY} ]]; then
- if ! diff -u ${UNOWNED_YESTERDAY} ${UNOWNED_TODAY} > ${UNOWNED_DIFF}; then
+ if [[ -f ${UNOWNED_USER_YESTERDAY} ]]; then
+ if ! diff -u ${UNOWNED_USER_YESTERDAY} ${UNOWNED_USER_TODAY} > ${UNOWNED_USER_DIFF}; then
printf "\nSecurity Warning: the following files aren't owned by an user :\n" >> ${TMP}
- grep '^+' ${UNOWNED_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do
- printf "\t\t- Added un-owned files : ${file}.\n" >> ${TMP}
- done
- grep '^-' ${UNOWNED_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do
- printf "\t\t- Removed un-owned files : ${file}.\n" >> ${TMP}
- done
+ grep '^+' ${UNOWNED_USER_DIFF} | grep -vw "^--- " | sed 's|^.||' | while read file; do
+ printf "\t\t- Added un-owned files : ${file}\n"
+ done > ${TMP}
+ grep '^-' ${UNOWNED_USER_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do
+ printf "\t\t- Removed un-owned files : ${file}\n"
+ done >> ${TMP}
fi
fi
-
- find ${DIR} -xdev -nogroup -print -ls | sort >> ${UNOWNED_TODAY}
- if [[ -f ${UNOWNED_YESTERDAY} ]]; then
- if ! diff -u ${UNOWNED_YESTERDAY} ${UNOWNED_TODAY} > ${UNOWNED_DIFF}; then
+ if [[ -f ${UNOWNED_GROUP_YESTERDAY} ]]; then
+ if ! diff -u ${UNOWNED_GROUP_YESTERDAY} ${UNOWNED_GROUP_TODAY} > ${UNOWNED_GROUP_DIFF}; then
printf "\nSecurity Warning: the following files aren't owned by a group :\n" >> ${TMP}
- grep '^+' ${UNOWNED_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do
- printf "\t\t- Added un-owned files : ${file}.\n" >> ${TMP}
- done
- grep '^-' ${UNOWNED_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do
- printf "\t\t- Removed un-owned files : ${file}.\n" >> ${TMP}
- done
+ grep '^+' ${UNOWNED_GROUP_DIFF} | grep -vw "^+++ " | sed 's|^.||' | while read file; do
+ printf "\t\t- Added un-owned files : ${file}\n"
+ done >> ${TMP}
+ grep '^-' ${UNOWNED_GROUP_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do
+ printf "\t\t- Removed un-owned files : ${file}\n"
+ done >> ${TMP}
fi
fi
+
fi
-### Md5 check for SUID root file
+### Md5 check for SUID root fileg
if [[ ${CHECK_SUID_MD5} == yes ]]; then
-
- if [[ -f ${SUID_MD5_TODAY} ]]; then
- mv ${SUID_MD5_TODAY} ${SUID_MD5_YESTERDAY}
- fi
-
- touch ${SUID_MD5_TODAY}
- awk '{print $12}' ${SUID_ROOT_TODAY} |
- while read line; do
- md5sum ${line} >> ${SUID_MD5_TODAY}
- done
+ ctrl_md5=0;
if [[ -f ${SUID_MD5_YESTERDAY} ]]; then
if ! diff -u ${SUID_MD5_YESTERDAY} ${SUID_MD5_TODAY} > ${SUID_MD5_DIFF}; then
- printf "\nSecurity Warning: the md5 checksum for one of your SUID files has changed,\n" >> ${TMP}
- printf "\tmaybe an intruder modified one of these suid binary in order to put in a backdoor...\n" >> ${TMP}
grep '^+' ${SUID_MD5_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $2}' | while read file; do
- printf "\t\t- Changed ( added ) files : ${file}.\n" >> ${TMP}
- done
- grep '^-' ${SUID_MD5_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $2}' | while read file; do
- printf "\t\t- Changed ( removed ) files : ${file}.\n" >> ${TMP}
- done
+ if cat ${SUID_MD5_YESTERDAY} | awk '{print $2}' | grep -qw ${file}; then
+ if [[ ${ctrl_md5} == 0 ]]; then
+ printf "\nSecurity Warning: the md5 checksum for one of your SUID files has changed,\n" >> ${TMP}
+ printf "\tmaybe an intruder modified one of these suid binary in order to put in a backdoor...\n" >> ${TMP}
+ ctrl_md5=1;
+ fi
+ printf "\t\t- Checksum changed files : ${file}\n"
+ fi
+ done >> ${TMP}
fi
fi
+
fi
### Changed open port
if [[ ${CHECK_OPEN_PORT} == yes ]]; then
-
- if [[ -f ${OPEN_PORT_TODAY} ]]; then
- mv -f ${OPEN_PORT_TODAY} ${OPEN_PORT_YESTERDAY}
- fi
-
- netstat -pvlA inet > ${OPEN_PORT_TODAY};
if [[ -f ${OPEN_PORT_YESTERDAY} ]]; then
if ! diff -u ${OPEN_PORT_YESTERDAY} ${OPEN_PORT_TODAY} 1> ${OPEN_PORT_DIFF}; then
- printf "\nSecurity Warning: There is a new port listening on your machine :\n" >> ${TMP}
- grep '^+' ${OPEN_PORT_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do
- printf "\t\t- Opened ports : ${file}.\n" >> ${TMP}
- done
- grep '^-' ${OPEN_PORT_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do
- printf "\t\t- Closed ports : ${file}.\n" >> ${TMP}
- done
+ printf "\nSecurity Warning: There is modifications for port listening on your machine :\n" >> ${TMP}
+ grep '^+' ${OPEN_PORT_DIFF} | grep -vw "^+++ " | sed 's|^.||' | while read file; do
+ printf "\t\t- Opened ports : ${file}\n"
+ done >> ${TMP}
+ grep '^-' ${OPEN_PORT_DIFF} | grep -vw "^--- " | sed 's|^.||' | while read file; do
+ printf "\t\t- Closed ports : ${file}\n"
+ done >> ${TMP}
fi
fi
+
fi
######## Report ######
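Review bot: The un-owned-files block ends its "Added un-owned files" loop with `done > ${TMP}`, a single `>`, which truncates the report accumulated so far — any SUID-root, SUID-group or world-writable findings from the same run are silently discarded whenever an unowned-file change is detected; it should be `done >> ${TMP}` like every other loop in this hunk. Two blocks higher, the writable-files "Added" loop ends with `done >> ${TMP` as rendered here, which is missing its closing brace; if that is not a display artifact bash rejects it as a syntax error and the whole check aborts before any report is produced. The path names these loops read come from the filesystem and are chosen by whoever created the file, yet every `printf "\t\t- ... : ${file}\n"` interpolates them into the format string, so a name containing `%` or `\` can corrupt or truncate the report; `printf '\t\t- Added suid root files : %s\n' "${file}"` with `read -r` avoids that. The md5 loop's `grep -qw ${file}` treats the unquoted path as a regex and `-w` still matches `/usr/bin/foo` inside `/usr/bin/foo.bak`, so `grep -qxF -- "${file}"` is the exact-line test intended; note also that the "Removed un-owned files" loops keep `awk '{print $12}'` while their "Added" counterparts dropped it, which looks unintentional.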
@@ -228,3 +168,12 @@ fi
if [[ -f ${TMP} ]]; then
rm -f ${TMP}
fi
+
+
+
+
+
+
+
+
+