-rw-r--r-- | ChangeLog | 7 | ||||
-rw-r--r-- | Makefile | 9 | ||||
-rwxr-xr-x | cron-sh/security.sh | 17 | ||||
-rwxr-xr-x | init-sh/custom.sh | 12 | ||||
-rwxr-xr-x | init-sh/level4.sh | 13 | ||||
-rwxr-xr-x | init-sh/level5.sh | 9 | ||||
-rwxr-xr-x | init-sh/msec | 6 | ||||
-rw-r--r-- | msec.spec | 8 | ||||
-rw-r--r-- | src/msec_find/Makefile | 13 | ||||
-rw-r--r-- | src/msec_find/find.c | 233 |
10 files changed, 317 insertions, 10 deletions
@@ -1,4 +1,11 @@ +2000-03-08 Yoann Vandoorselaere <yoann@mandrakesoft.com> + * Added msec_find utility, written by Thierry Vignaud + which will avoid us to find / 5 times :) + * Heavilly modified msec_find. + 2000-03-07 Yoann Vandoorselaere <yoann@mandrakesoft.com> + * Added support for libsafe stack overflow protection in level 4 / 5 / + custom * trap the sigint signal * use /etc/security/msec for config file only. * Renamed init.sh to msec, and install it in /usr/sbin. @@ -1,7 +1,7 @@ VERSION = 0.9 NAME = msec -all: promisc_check +all: promisc_check msec_find clean: find . -name *.o -exec rm -f {} \; @@ -9,7 +9,10 @@ clean: rm -f src/promisc_check/promisc_check promisc_check: - (cd src/promisc_check; make) + (cd src/promisc_check && make) + +msec_find: + (cd src/msec_find && make) dis: clean rm -rf msec-$(VERSION) ../msec-$(VERSION).tar* @@ -40,7 +43,7 @@ install: (touch $(RPM_BUILD_ROOT)/var/log/security.log) (mkdir -p $(RPM_BUILD_ROOT)/var/log/security) (cd src/promisc_check && make install) - (cd cron-sh && make install) + (cd src/msec_find && make install) @echo @echo diff --git a/cron-sh/security.sh b/cron-sh/security.sh index ee94863..ebe71de 100755 --- a/cron-sh/security.sh +++ b/cron-sh/security.sh 
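Review bot: The install hunk of the top-level Makefile replaces `(cd cron-sh && make install)` with `(cd src/msec_find && make install)` instead of adding the new line beside it, so the cron-sh directory is no longer installed by this target even though cron-sh/security.sh is modified in the same commit. Unless that install step moved elsewhere (nothing in the diff shows it), the hunk should keep both lines, `(cd cron-sh && make install)` followed by `(cd src/msec_find && make install)`. The `install:` target starts and ends outside the hunk, so any other change to it is not visible here.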
@@ -74,11 +74,18 @@ fi netstat -pvlA inet 2> /dev/null > ${OPEN_PORT_TODAY}; # Hard disk related file check; the less priority the better... -nice --adjustment=+19 find ${DIR} -xdev -type f -perm +04000 -user root -printf "${PRINT}" 2> /dev/null | sort > ${SUID_ROOT_TODAY} -nice --adjustment=+19 find ${DIR} -xdev -type f -perm +02000 -printf "${PRINT}" 2> /dev/null | sort > ${SUID_GROUP_TODAY} -nice --adjustment=+19 find ${DIR} -xdev -type f -perm -2 -printf "${PRINT}" 2> /dev/null | sort > ${WRITEABLE_TODAY} -nice --adjustment=+19 find ${DIR} -xdev -nouser -printf "${PRINT}" 2> /dev/null | sort > ${UNOWNED_USER_TODAY} -nice --adjustment=+19 find ${DIR} -xdev -nogroup -printf "${PRINT}" 2> /dev/null | sort > ${UNOWNED_GROUP_TODAY} +nice --adjustment=+19 /usr/bin/msec_find ${DIR} +sort < ${SUID_ROOT_TODAY} > ${SUID_ROOT_TODAY}.tmp +sort < ${SUID_GROUP_TODAY} > ${SUID_GROUP_TODAY}.tmp +sort < ${WRITEABLE_TODAY} > ${WRITEABLE_TODAY}.tmp +sort < ${UNOWNED_USER_TODAY} > ${UNOWNED_USER_TODAY}.tmp +sort < ${UNOWNED_GROUP_TODAY} > ${UNOWNED_GROUP_TODAY}.tmp + +mv -f ${SUID_ROOT_TODAY}.tmp ${SUID_ROOT_TODAY} +mv -f ${SUID_GROUP_TODAY}.tmp ${SUID_GROUP_TODAY} +mv -f ${WRITEABLE_TODAY}.tmp ${WRITEABLE_TODAY} +mv -f ${UNOWNED_USER_TODAY}.tmp ${UNOWNED_USER_TODAY} +mv -f ${UNOWNED_GROUP_TODAY}.tmp ${UNOWNED_GROUP_TODAY} while read line; do md5sum ${line} diff --git a/init-sh/custom.sh b/init-sh/custom.sh index b8b8402..9d46bd1 100755 --- a/init-sh/custom.sh +++ b/init-sh/custom.sh 
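Review bot: `nice --adjustment=+19 /usr/bin/msec_find ${DIR}` only works if SUID_ROOT_TODAY, SUID_GROUP_TODAY, WRITEABLE_TODAY, UNOWNED_USER_TODAY and UNOWNED_GROUP_TODAY are in the child's environment, because find.c opens its log files with `fopen(getenv("..."), mode)` and does not check for a NULL name; the hunk does not show these variables being exported (their definitions lie outside the hunk), and as plain shell variables they would not reach msec_find. Adding `export SUID_ROOT_TODAY SUID_GROUP_TODAY WRITEABLE_TODAY UNOWNED_USER_TODAY UNOWNED_GROUP_TODAY` before the call makes the dependency explicit. msec_find also prints every regular file it visits to stdout, and this line leaves stdout unredirected, so in a cron context that listing would be mailed or logged on every run; either drop that output in the tool or redirect it here. The five identical sort/mv pairs could be a single `for f in ...; do sort < $f > $f.tmp && mv -f $f.tmp $f; done`, which also avoids replacing a log with an empty file when sort fails.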
@@ -62,6 +62,18 @@ if [[ ${answer} == yes ]]; then AddRules "tty6" /etc/securetty fi ### +echo "Do you want to enable the libsafe stack overflow protection ?" +echo "This stack overflow protection work by catching dangerous function call" +echo "like strcpy, strcat, getwd, gets, [vf]scanf, realpath, [v]sprintf" +echo "and verify the address & the size of the destination buffer in the stack" +echo "this is done by searching in the stack frame the one which contain the" +echo "destination address, and by substracting the frame address to the destination buffer one" +WaitAnswer; clear +if [[ ${answer} == yes ]]; then + AddRules "export LD_PRELOAD=/usr/lib/libsafe.so.1.2" /etc/profile +fi + +### echo "Do you want your system to daily check important security problem ?" WaitAnswer; clear if [[ ${answer} == yes ]]; then diff --git a/init-sh/level4.sh b/init-sh/level4.sh index 75a0e85..f10fb54 100755 --- a/init-sh/level4.sh +++ b/init-sh/level4.sh @@ -105,9 +105,15 @@ echo -e "done.\n"; # /etc/profile echo "Setting umask to 022 (u=rw,g=rx) for root, 077 (u=rw) for user :" AddRules "if [[ \${UID} == 0 ]]; then umask 022; else umask 077; fi" /etc/profile + echo "Adding \"normal\" PATH variable :" AddRules "PATH=\$PATH:/usr/X11R6/bin:/usr/games" /etc/profile quiet -AddRules "export PATH SECURE_LEVEL" /etc/profile +AddRules "export PATH SECURE_LEVEL" /etc/profile + +if [[ -f /usr/lib/libsafe.so.1.2 ]]; then + echo "Enabling stack overflow protection :" + AddRules "export LD_PRELOAD=/usr/lib/libsafe.so.1.2" /etc/profile +fi # Do not boot on a shell echo -n "Setting up inittab to deny any user to issue ctrl-alt-del : " @@ -122,3 +128,8 @@ echo "done." # Group were modified in lib.sh... grpconv + + + + + diff --git a/init-sh/level5.sh b/init-sh/level5.sh index 59dc413..0e458b7 100755 --- a/init-sh/level5.sh +++ b/init-sh/level5.sh 
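Review bot: custom.sh adds `export LD_PRELOAD=/usr/lib/libsafe.so.1.2` to /etc/profile on a yes answer without checking that the library is present, whereas the level4.sh hunk in this same commit (and the level5.sh one) guard the identical rule with `if [[ -f /usr/lib/libsafe.so.1.2 ]]; then`. On a system without libsafe every login shell would then export LD_PRELOAD pointing at a missing object, and the dynamic loader will complain for each program started. Wrapping the AddRules call in the same `-f` test, or printing a warning and skipping the rule when the file is absent, keeps the three scripts consistent. The prompt text also needs `works`, `contains` and `subtracting` in place of `work`, `contain` and `substracting`.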
@@ -103,10 +103,16 @@ echo -e "done.\n"; # /etc/profile echo "Setting umask to 077 (u=rw) :" AddRules "umask 077" /etc/profile + echo "Adding \"normal\" PATH variable :" AddRules "PATH=\$PATH:/usr/X11R6/bin" /etc/profile quiet AddRules "export PATH SECURE_LEVEL" /etc/profile +if [[ -f /usr/lib/libsafe.so.1.2 ]]; then + echo "Enabling stack overflow protection :" + AddRules "export LD_PRELOAD=/usr/lib/libsafe.so.1.2" /etc/profile +fi + # Do not boot on a shell echo -n "Setting up inittab to deny any user to issue ctrl-alt-del : " tmpfile=`mktemp /tmp/secure.XXXXXX` @@ -144,3 +150,6 @@ grpconv + + + diff --git a/init-sh/msec b/init-sh/msec index 2fc7c53..1ba1bb2 100755 --- a/init-sh/msec +++ b/init-sh/msec @@ -16,11 +16,17 @@ fi if [[ ${1} == custom ]]; then /usr/share/msec/custom.sh + echo + echo "You might logout of your session for some change to be activated." + echo exit 0; fi if [[ -f /usr/share/msec/level$1.sh ]]; then /usr/share/msec/level$1.sh + echo + echo "You might logout of your session for some change to be activated." + echo if [[ -f /usr/share/msec/perm.$1 ]]; then /usr/share/msec/file_perm.sh /usr/share/msec/perm.$1 else @@ -39,6 +39,7 @@ rm -rf $RPM_BUILD_ROOT %doc AUTHORS COPYING Makefile README %doc doc/*txt ChangeLog doc/*ps /usr/bin/promisc_check +/usr/bin/msec_find /usr/sbin/msec /usr/share/msec /var/log/security.log @@ -48,7 +49,12 @@ rm -rf $RPM_BUILD_ROOT %config /etc/security/msec %changelog -* Tue Mar 07 Yoann Vandoorselaere <yoann@mandrakesoft.com> +* Tue Mar 08 Yoann Vandoorselaere <yoann@mandrakesoft.com> +- Heavylly Modified msec_find. +- Added msec_find utility, written by Thierry Vignaud which will avoid us to + find / 5 times :) +- Added support for libsafe stack overflow protection in level 4 / 5 / + custom - trap the sigint signal. - use %config for config file ( thanks to Frederic Lepied ). - use /etc/security/msec for config file only. 
diff --git a/src/msec_find/Makefile b/src/msec_find/Makefile
new file mode 100644
index 0000000..20fb4d9
--- /dev/null
+++ b/src/msec_find/Makefile
@@ -0,0 +1,13 @@
+CC=gcc
+NAME=msec_find
+
+CFLAGS = -ggdb -Wall -Wmissing-prototypes -Wmissing-declarations \
+-Wpointer-arith -m486 -O2 -finline-functions -fkeep-inline-functions
+
+OBJ=find.o
+
+msec_find: $(OBJ)
+ $(CC) $(OBJ) -o $(NAME)
+
+install:
+ cp $(NAME) /usr/bin
diff --git a/src/msec_find/find.c b/src/msec_find/find.c
new file mode 100644
index 0000000..65e8c73
--- /dev/null
+++ b/src/msec_find/find.c
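Review bot: The new `install:` rule copies straight into the live system, `cp $(NAME) /usr/bin`, ignoring the `$(RPM_BUILD_ROOT)` prefix that the top-level Makefile's install target applies to its other paths; invoked from `(cd src/msec_find && make install)` during a package build this writes to the build host's real /usr/bin (or fails for an unprivileged builder) instead of the staging tree. `cp $(NAME) $(RPM_BUILD_ROOT)/usr/bin` matches the rest of the install, assuming RPM_BUILD_ROOT reaches the sub-make through the environment as it appears to for the top-level target. `-m486` in CFLAGS also pins the build to one CPU target and would be better left to the packager's flags.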
@@ -0,0 +1,233 @@ +/* + * Written by Thierry Vignaud, + * heavilly modified for msec purpose by Vandoorselaere Yoann. + * + * This code is copyrighted by Mandrakesoft [(c) 2000] and is released under + * the GPL licence + */ + + +/* + * TODO + * +++ hash tables or btree to stock already searched uid/gid for speed + * Pb: since linux-2.3.4x, uid & gid are 32 bits wide ... => BTREE? + * static char **uid_hash, **gid_hash; + * + * +++ check for open & I/O error on log files ... + * +++ Yoann scripts should avoid /dev if devfs is mounted (either by testing + * if /dev is mounted by devfs or if [ -f /dev/.devfsd ] => see with + * Yoann + * --- disable 'cannot stat ...' warning (???) => better log them SECURITY_LOG + * --- disable write test on links => OK + */ + +/* + * (Vandoorselaere Yoann) + * Done : + * - Don't handle FTW_DNR case, since it will print warning for /proc file. + * - Don't walk trought /dev & /proc. + * - We don't need to handle all of the ftw flag, just the FTW_F & FTW_D one :) + * - Use FTW_PHYS to not follow symbolic link. + * - Do not use getenv to get the root directory. + * - Use argv instead of a DIR variable to get directory to scan. + * - Free directory after use when allocated for appending a '/'. + * - We do not need __USE_XOPEN_EXTENDED definition. 
+ */ + +#include <stdlib.h> +#include <stdio.h> + +#define __USE_XOPEN_EXTENDED +#include <ftw.h> + +#include <sys/stat.h> + +/* For NSS managment */ +#include <pwd.h> +#include <grp.h> +#include <sys/types.h> + +#include <string.h> + + +#ifdef __GNUC__ +#define inline +#else +#warning upgrade your so-called system to a real OS such as GNU/Linux +#endif + +/* + * Log files + */ +static FILE *suid_fd; +static FILE *sgid_fd; +static FILE *unowned_user_fd; +static FILE *unowned_group_fd; +static FILE *writeable_fd; + +static int traverse(const char *file, const struct stat *sb, int flag, struct FTW *s) +{ + struct passwd *u_nss_data; + struct group *g_nss_data; + + if (strncmp(file, "//", 2) == 0 ) + /* + * handle bogus glibc ftw + * else we won't print only one '/' in front of file names + */ + file++; + + if (strncmp("/proc", file, 5) == 0) + return 0; + if (strncmp("/dev", file, 4) == 0) + return 0; + + switch (flag) { + /* + * Here is a difference with security-check.sh: + * we don't check for regular files only for Set-UID et Set-GID but + * to directories too. Idem for world writable directories ... + */ + + case FTW_F: + /* + * Regular file + */ + printf("%s\n", file); + + /* + * Is writeable check. + */ + if (sb->st_mode & 0002) + fprintf(writeable_fd, "%s\n", file); + + /* + * Is suid root check. + */ + if ((sb->st_mode & S_ISUID) && (sb->st_uid == 0)) + fprintf(suid_fd, "%s\n", file); + + /* + * Is suid group check. + */ + if (sb->st_mode & S_ISGID) + fprintf(sgid_fd, "%s\n", file); + + case FTW_D: + /* + * Unowned user check. + */ + u_nss_data = getpwuid(sb->st_uid); + if (u_nss_data == NULL) + fprintf(unowned_user_fd, "%s\n", file); + + /* + * Unowned group check. 
+ */ + g_nss_data = getgrgid(sb->st_uid); + if (g_nss_data == NULL) + fprintf(unowned_group_fd, "%s\n", file); + break; + } + return 0; +} + +/* This function opens all log files */ +__inline__ static void init() +{ + static const char *mode = "w+"; + + suid_fd = fopen(getenv("SUID_ROOT_TODAY"), mode); + if ( ! suid_fd ) { + perror("fopen (suid_root_today)"); + exit(1); + } + + sgid_fd = fopen(getenv("SUID_GROUP_TODAY"), mode); + if ( ! sgid_fd ) { + perror("fopen (suid_group_today)"); + exit(1); + } + + writeable_fd = fopen(getenv("WRITEABLE_TODAY"), mode); + if ( ! writeable_fd ) { + perror("fopen (writeable_today)"); + exit(1); + } + + unowned_user_fd = fopen(getenv("UNOWNED_USER_TODAY"), mode); + if ( ! unowned_user_fd ) { + perror("fopen (unowned_user_today)"); + exit(1); + } + + unowned_group_fd = fopen(getenv("UNOWNED_GROUP_TODAY"), mode); + if ( ! unowned_group_fd ) { + perror("fopen (unowned_group_today)"); + exit(1); + } +} + +int main(int argc, char **argv) +{ + char *directory; + int res = 0, i; + int ctrl = 0; + + if ( argc < 2 ) { + fprintf(stderr, "Please give directory as argument.\n"); + fprintf(stderr, "%s /usr/sbin /sbin\n\n", argv[0]); + exit(1); + } + + /* open all log files */ + init(); + + for ( i = 0; i < argc; i++ ) { + + if (strcmp(argv[0], "/") != 0) { + /* + * We need to add a final '/' to the base directory name else the + * FTW_MOUNT option of nftw won't work. i.e. : /mnt/cdrom is on the / + * fs (it is the directory on which a CD is mounted) whereas + * /mnt/cdrom/ is the mounted directory. + * Hopefully, find has the same "bug" + */ + + ctrl = 1; + directory = ( char * ) malloc((strlen(argv[i]) + 1)); + if ( ! 
directory ) { + perror("malloc"); + exit(1); + } + + strcpy(directory, argv[i]); + strcat(directory, "/"); + } else directory = argv[i]; + + res = nftw(directory, traverse, (int) 500, FTW_PHYS | FTW_MOUNT | FTW_CHDIR); + if ( ctrl ) { + free(directory); + ctrl = 0; + } + } + + /* + * close all log files + */ + + fclose(suid_fd); + fclose(sgid_fd); + fclose(writeable_fd); + fclose(unowned_user_fd); + fclose(unowned_group_fd); + + exit(res); +} + + + + + + + |
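Review bot: The unowned-group check in traverse() looks up the file's owner instead of its group: `g_nss_data = getgrgid(sb->st_uid);` must read `sb->st_gid`, otherwise UNOWNED_GROUP_TODAY lists files whose uid merely has no matching group entry and misses files whose gid is really unknown. main() has two further defects in the argument loop: it starts at `i = 0`, so argv[0] (the program path) is walked and the `strcmp(argv[0], "/")` test never examines the argument actually being processed, and `malloc(strlen(argv[i]) + 1)` leaves no room for the appended '/', so `strcat` writes one byte past the allocation. init() also passes `getenv()` results straight to `fopen()`; when one of the five variables is absent from the environment that is a NULL filename, so each should be fetched, checked and reported by name before opening. The `printf("%s\n", file)` on every regular file reads as leftover debug output and would be worth removing or guarding, since the caller in security.sh does not redirect stdout; the rewritten lines follow.
```c
/* … unchanged: header comments, includes, log-file globals … */
	g_nss_data = getgrgid(sb->st_gid);	/* group lookup must use the gid, not the uid */
/* … unchanged: rest of traverse(), init() … */
	for ( i = 1; i < argc; i++ ) {	/* argv[0] is the program name, not a directory */

		if (strcmp(argv[i], "/") != 0) {
			/* +2: one byte for the appended '/', one for the NUL */
			directory = malloc(strlen(argv[i]) + 2);
			if ( ! directory ) {
/* … unchanged: error handling, strcpy/strcat, nftw call, cleanup … */
```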