path: root/cron-sh/scripts/05_access.sh
authorEugeni Dodonov <eugeni@mandriva.org>2009-09-09 00:04:28 +0000
committerEugeni Dodonov <eugeni@mandriva.org>2009-09-09 00:04:28 +0000
commit04264a85de43e5cc0ef5f4c7113e0979bc397a53 (patch)
tree8943530e6ec71c6d7db4ba3fc403e4e3ab2d716b /cron-sh/scripts/05_access.sh
parent7d9bf9988b2ea0960741aa09e794c2c365c5f09b (diff)
added support for msec exceptions
Diffstat (limited to 'cron-sh/scripts/05_access.sh')
-rwxr-xr-xcron-sh/scripts/05_access.sh9
1 files changed, 9 insertions, 0 deletions
diff --git a/cron-sh/scripts/05_access.sh b/cron-sh/scripts/05_access.sh
index 2b35d8c..e3ecb72 100755
--- a/cron-sh/scripts/05_access.sh
+++ b/cron-sh/scripts/05_access.sh
@@ -21,6 +21,7 @@ fi
# check for changes in users
if [[ ${CHECK_USERS} == yes ]]; then
getent passwd | cut -f 1 -d : | sort > ${USERS_LIST_TODAY}
+ Filter ${USERS_LIST_TODAY} CHECK_USERS
Diffcheck ${USERS_LIST_TODAY} ${USERS_LIST_YESTERDAY} ${USERS_LIST_DIFF} "local users"
Count ${INFOS} ${USERS_LIST_TODAY} "Total local users"
fi
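Review bot: The new `Filter ${USERS_LIST_TODAY} CHECK_USERS` line runs before both Diffcheck and Count, so whatever entries the exception list removes are also dropped from the `Total local users` figure, not just from the day-to-day diff; that is a reasonable choice but it is not obvious from the call and deserves a comment. Filter is defined outside this hunk, so I am inferring from its arguments that it prunes the list file in place according to the CHECK_USERS exceptions. I would add above the call: `# drop accounts listed as msec exceptions for CHECK_USERS; this also excludes them from the user count below`. The path argument is passed unquoted, consistent with the rest of the file, which is fine as long as `${USERS_LIST_TODAY}` is a fixed internal path.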
@@ -37,6 +38,7 @@ fi
# check for changes in groups
if [[ ${CHECK_GROUPS} == yes ]]; then
getent passwd | cut -f 1 -d : | sort > ${GROUPS_LIST_TODAY}
+ Filter ${GROUPS_LIST_TODAY} CHECK_GROUPS
Diffcheck ${GROUPS_LIST_TODAY} ${GROUPS_LIST_YESTERDAY} ${GROUPS_LIST_DIFF} "local groups"
Count ${INFOS} ${GROUPS_LIST_TODAY} "Total local group"
fi
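Review bot: The groups list on the line before the new Filter call is built with `getent passwd | cut -f 1 -d : | sort > ${GROUPS_LIST_TODAY}`, so the "local groups" Diffcheck and the `Total local group` count actually track user names, and the CHECK_GROUPS exceptions this commit adds will be matched against users rather than groups. The check is silently wrong today, because a new or removed group will never be reported here. Change the data source to the group database: `getent group | cut -f 1 -d : | sort > ${GROUPS_LIST_TODAY}`. The Filter call itself is then correct as written, since it operates on whatever the list file holds.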
@@ -51,6 +53,7 @@ if [[ ${CHECK_PASSWD} == yes ]]; then
else if ( $3 == 0 && $1 != "root" )
printf("\t\t- /etc/passwd:%d: User \"%s\" has id 0 !\n", FNR, $1);
}' > ${MSEC_TMP}
+ Filter ${MSEC_TMP} CHECK_PASSWD
if [[ -s ${MSEC_TMP} ]]; then
printf "\nSecurity Warning: /etc/passwd check :\n" >> ${SECURITY}
@@ -65,6 +68,7 @@ if [[ ${CHECK_SHADOW} == yes ]]; then
if ( $2 == "" )
printf("\t\t- /etc/shadow:%d: User \"%s\" has no password !\n", FNR, $1);
}' < /etc/shadow > ${MSEC_TMP}
+ Filter ${MSEC_TMP} CHECK_SHADOW
if [[ -s ${MSEC_TMP} ]]; then
printf "\nSecurity Warning: /etc/shadow check :\n" >> ${SECURITY}
@@ -73,6 +77,7 @@ if [[ ${CHECK_SHADOW} == yes ]]; then
fi
fi
+# TODO: add CHECK_EXPORTS parameter in msec
### File systems should not be globally exported.
if [[ -s /etc/exports ]] ; then
awk '{
@@ -88,6 +93,7 @@ if [[ -s /etc/exports ]] ; then
print "\t\t- Nfs File system " $1 " globally exported, read-only.";
} else print "\t\t- Nfs File system " $1 " globally exported, read-write.";
}' < /etc/exports > ${MSEC_TMP}
+ Filter ${MSEC_TMP} CHECK_EXPORTS
if [[ -s ${MSEC_TMP} ]] ; then
printf "\nSecurity Warning: Some NFS filesystem are exported globally :\n" >> ${SECURITY}
@@ -96,8 +102,10 @@ if [[ -s /etc/exports ]] ; then
fi
fi
+# TODO: add CHECK_MOUNTS parameter in msec
### nfs mounts with missing nosuid
/bin/mount | /bin/grep -v nosuid | /bin/grep ' nfs ' > ${MSEC_TMP}
+Filter ${MSEC_TMP} CHECK_MOUNTS
if [[ -s ${MSEC_TMP} ]] ; then
printf "\nSecurity Warning: The following NFS mounts haven't got the nosuid option set :\n" >> ${SECURITY}
cat ${MSEC_TMP} | awk '{ print "\t\t- "$0 }' >> ${SECURITY}
@@ -144,6 +152,7 @@ if [[ ${CHECK_SHOSTS} == yes ]]; then
fi
fi
+# TODO: add CHECK_ALIASES
### executables should not be in the aliases file.
list="/etc/aliases /etc/postfix/aliases"
for file in ${list}; do