-rw-r--r--Makefile26
-rw-r--r--conf/perm.0 (renamed from init-sh/perm.0)0
-rw-r--r--conf/perm.1 (renamed from init-sh/perm.1)0
-rw-r--r--conf/perm.2 (renamed from init-sh/perm.2)0
-rw-r--r--conf/perm.3 (renamed from init-sh/perm.3)0
-rw-r--r--conf/perm.4 (renamed from init-sh/perm.4)0
-rw-r--r--conf/perm.5 (renamed from init-sh/perm.5)0
-rw-r--r--conf/server.4 (renamed from init-sh/server.4)0
-rw-r--r--conf/server.5 (renamed from init-sh/server.5)0
-rwxr-xr-xcron-sh/promisc_check.sh9
-rwxr-xr-xcron-sh/security.sh6
-rwxr-xr-xinit-sh/custom.sh36
-rwxr-xr-xinit-sh/level0.sh3
-rwxr-xr-xinit-sh/level1.sh8
-rwxr-xr-xinit-sh/level2.sh11
-rwxr-xr-xinit-sh/level3.sh9
-rwxr-xr-xinit-sh/level4.sh12
-rwxr-xr-xinit-sh/level5.sh13
-rw-r--r--init-sh/lib.sh2
-rwxr-xr-xinit-sh/msec (renamed from init-sh/init.sh)10
20 files changed, 83 insertions, 62 deletions
diff --git a/Makefile b/Makefile
index 24f8467..3085b4f 100644
--- a/Makefile
+++ b/Makefile
@@ -51,21 +51,19 @@ rpm: dis ../$(NAME)-$(VERSION).tar.bz2 $(RPM)
rm -f ../$(NAME)-$(VERSION).tar.bz2
install:
- (rm -rf /etc/security/msec)
- (mkdir -p /etc/security/msec/init-sh)
- (cp init-sh/level* /etc/security/msec/init-sh)
- (cp init-sh/init.sh /etc/security/msec/init.sh);
- (cp init-sh/lib.sh /etc/security/msec/init-sh);
- (cp init-sh/grpuser.sh /etc/security/msec/init-sh);
- (cp init-sh/file_perm.sh /etc/security/msec/init-sh);
- (cp init-sh/*.[0-5] /etc/security/msec/init-sh/)
- (cp init-sh/custom.sh /etc/security/msec/init-sh);
- (cp init-sh/server.* /etc/security/msec/init-sh)
+ (rm -rf $(RPM_BUILD_ROOT)/etc/security/msec)
+ (mkdir -p $(RPM_BUILD_ROOT)/etc/security/msec)
+ (mkdir -p $(RPM_BUILD_ROOT)/usr/share/msec)
+ (cp init-sh/*.sh $(RPM_BUILD_ROOT)/usr/share/msec)
+ (cp cron-sh/*.sh $(RPM_BUILD_ROOT)/usr/share/msec)
+ (cp init-sh/msec $(RPM_BUILD_ROOT)/usr/sbin)
+ (cp conf/perm.* conf/server.* $(RPM_BUILD_ROOT)/etc/security/msec)
+
(touch $(RPM_BUILD_ROOT)/etc/security/msec/security.conf)
- touch $(RPM_BUILD_ROOT)/var/log/security.log
- mkdir -p $(RPM_BUILD_ROOT)/var/log/security
- (cd src/promisc_check; make install)
- (cd cron-sh; make install)
+ (touch $(RPM_BUILD_ROOT)/var/log/security.log)
+ (mkdir -p $(RPM_BUILD_ROOT)/var/log/security)
+ (cd src/promisc_check && make install)
+ (cd cron-sh && make install)
@echo
@echo
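Review bot: `cp init-sh/msec $(RPM_BUILD_ROOT)/usr/sbin` at L49 has no preceding `mkdir -p` for that directory, unlike the two directories created at L45–L46, and the `touch` at L57 runs before any `mkdir -p` of `$(RPM_BUILD_ROOT)/var/log` (L58 only creates a subdirectory of it), so a fresh build root fails at both lines; add `(mkdir -p $(RPM_BUILD_ROOT)/usr/sbin $(RPM_BUILD_ROOT)/var/log)` ahead of L49. The sub-makes at L59–L60 should be invoked as `$(MAKE)` rather than literal `make` so that `-n` and job-server flags propagate. With `RPM_BUILD_ROOT` unset, the `rm -rf` at L44 and the `touch` of the log still act on the live system, which matches the previous behaviour but is now implicit; a guard such as `$(if $(strip $(RPM_BUILD_ROOT)),,$(warning RPM_BUILD_ROOT is empty, installing into /))` would make that visible. `security.log` is created with the umask-default mode although it will hold the output of the security checks; if the packaging does not set its mode elsewhere (not visible here), creating it with `install -m 0600 /dev/null $(RPM_BUILD_ROOT)/var/log/security.log` would be safer. The `install` rule continues past the end of the hunk.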
diff --git a/init-sh/perm.0 b/conf/perm.0
index 9ade3c2..9ade3c2 100644
--- a/init-sh/perm.0
+++ b/conf/perm.0
diff --git a/init-sh/perm.1 b/conf/perm.1
index 8fc7d12..8fc7d12 100644
--- a/init-sh/perm.1
+++ b/conf/perm.1
diff --git a/init-sh/perm.2 b/conf/perm.2
index c6a3d41..c6a3d41 100644
--- a/init-sh/perm.2
+++ b/conf/perm.2
diff --git a/init-sh/perm.3 b/conf/perm.3
index 2c8520d..2c8520d 100644
--- a/init-sh/perm.3
+++ b/conf/perm.3
diff --git a/init-sh/perm.4 b/conf/perm.4
index ef31596..ef31596 100644
--- a/init-sh/perm.4
+++ b/conf/perm.4
diff --git a/init-sh/perm.5 b/conf/perm.5
index a4d5755..a4d5755 100644
--- a/init-sh/perm.5
+++ b/conf/perm.5
diff --git a/init-sh/server.4 b/conf/server.4
index 044f0bf..044f0bf 100644
--- a/init-sh/server.4
+++ b/conf/server.4
diff --git a/init-sh/server.5 b/conf/server.5
index 044f0bf..044f0bf 100644
--- a/init-sh/server.5
+++ b/conf/server.5
diff --git a/cron-sh/promisc_check.sh b/cron-sh/promisc_check.sh
index cabf0a8..ec0526d 100755
--- a/cron-sh/promisc_check.sh
+++ b/cron-sh/promisc_check.sh
@@ -6,7 +6,7 @@
if [[ -f /etc/security/msec/security.conf ]]; then
. /etc/security/msec/security.conf
else
- echo "/etc/security/msec/security.conf don't exist."
+ echo "/etc/security/msec/security.conf doesn't exist."
exit 1
fi
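Review bot: The diagnostic at L104 is written to stdout although it precedes `exit 1`; it belongs on stderr, `echo "/etc/security/msec/security.conf doesn't exist." >&2`, and the same applies to the new `Can't find /usr/share/msec/lib.sh, exiting.` lines this commit adds in custom.sh and level1.sh–level5.sh. Because L101 executes security.conf as shell code, checking that the file is root-owned and not group/world-writable before sourcing it (for example `[[ -O /etc/security/msec/security.conf ]]` plus a `stat`-based mode check) limits what a misconfigured or tampered file can do when run from root's crontab; whether the packaging already enforces its mode is not visible here.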
@@ -29,11 +29,8 @@ Ttylog() {
fi
}
+# Check if a network interface is in promiscuous mode...
PROMISC="/usr/bin/promisc_check -q"
-#
-# Check if a network interface is in promisc check...
-# Written by Vandoorselaere Yoann, <yoann@mandrakesoft.com>
-#
LogPromisc() {
date=`date`
@@ -57,7 +54,7 @@ if [[ ${CHECK_PROMISC} == no ]]; then
fi
for INTERFACE in `${PROMISC}`; do
- LogPromisc $INTERFACE
+ LogPromisc ${INTERFACE}
done
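Review bot: `${INTERFACE}` at L122 is still unquoted, so the brace form changes nothing; the more relevant gap is that when `${PROMISC}` (`/usr/bin/promisc_check -q`, L111) is missing or fails, the backtick substitution yields an empty list and the loop silently does nothing, which is indistinguishable from "no interface in promiscuous mode". Capture the output first and fail loudly, `interfaces=$(${PROMISC}) || { echo "promisc_check failed" >&2; exit 1; }` then `for INTERFACE in ${interfaces}; do`, assuming promisc_check returns non-zero on failure — confirm against its source.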
diff --git a/cron-sh/security.sh b/cron-sh/security.sh
index 43ad9d6..ee94863 100755
--- a/cron-sh/security.sh
+++ b/cron-sh/security.sh
@@ -72,6 +72,8 @@ fi
netstat -pvlA inet 2> /dev/null > ${OPEN_PORT_TODAY};
+
+# Hard disk related file check; the less priority the better...
nice --adjustment=+19 find ${DIR} -xdev -type f -perm +04000 -user root -printf "${PRINT}" 2> /dev/null | sort > ${SUID_ROOT_TODAY}
nice --adjustment=+19 find ${DIR} -xdev -type f -perm +02000 -printf "${PRINT}" 2> /dev/null | sort > ${SUID_GROUP_TODAY}
nice --adjustment=+19 find ${DIR} -xdev -type f -perm -2 -printf "${PRINT}" 2> /dev/null | sort > ${WRITEABLE_TODAY}
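Review bot: The comment added at L131 documents the three `find` pipelines at L132–L134, but their exit status is discarded: stderr goes to `/dev/null` and the pipeline's status is `sort`'s, so a `find` that fails (for example `${DIR}` unset or unreadable) leaves an empty `${SUID_ROOT_TODAY}` that the rest of the script presumably compares against the previous run as if it were a valid result. Since the script already relies on bash (`[[ ]]`), a check after each pipeline such as `[[ ${PIPESTATUS[0]} -eq 0 ]] || { echo "find ${DIR} failed" >&2; exit 1; }` would keep a broken scan from being recorded as a clean baseline.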
@@ -115,8 +117,8 @@ Maillog() {
##################
-. /etc/security/msec/cron-sh/diff_check.sh
-. /etc/security/msec/cron-sh/security_check.sh
+. /usr/share/msec/diff_check.sh
+. /usr/share/msec/security_check.sh
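Review bot: The two `.` lines at L139–L140 source files from the new location unconditionally, whereas every other script touched by this commit now tests `-f` and exits with a message when `/usr/share/msec/lib.sh` is missing; in bash a failed `.` prints an error and the script continues without whatever those files were meant to define. Use the same guard here: `for f in /usr/share/msec/diff_check.sh /usr/share/msec/security_check.sh; do [[ -f ${f} ]] || { echo "Can't find ${f}, exiting." >&2; exit 1; }; . ${f}; done`. `Maillog()` from the hunk header ends before these lines, so no enclosing function is cut.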
diff --git a/init-sh/custom.sh b/init-sh/custom.sh
index af4bba5..b8b8402 100755
--- a/init-sh/custom.sh
+++ b/init-sh/custom.sh
@@ -5,8 +5,12 @@
# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
#
-if [[ -f /etc/security/msec/init-sh/lib.sh ]]; then
- . /etc/security/msec/init-sh/lib.sh
+
+if [[ -f /usr/share/msec/lib.sh ]]; then
+ . /usr/share/msec/lib.sh
+else
+ echo "Can't find /usr/share/msec/lib.sh, exiting."
+ exit 1
fi
clear
@@ -62,7 +66,7 @@ echo "Do you want your system to daily check important security problem ?"
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
AddRules "CHECK_SECURITY=yes" /etc/security/msec/security.conf
- AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/security.sh" /etc/crontab
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /usr/share/msec/security.sh" /etc/crontab
fi
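Review bot: The crontab line added at L163 is byte-identical to the ones added at L171, L179, L187, L195, L203, L211 and L219, so a user answering yes to several questions has the same `security.sh` entry submitted up to eight times; whether that results in one entry or eight depends on `AddRules` de-duplicating (it is defined in lib.sh, which is outside this diff) — confirm. If it does not, add the cron line once after the block of questions, guarded by any `CHECK_*=yes` having been set, and keep only the `security.conf` lines in the per-question branches.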
###
@@ -70,7 +74,7 @@ echo "Do you want your system to daily check new open port listening ?"
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
AddRules "CHECK_OPEN_PORT=yes" /etc/security/msec/security.conf
- AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/security.sh" /etc/crontab
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /usr/share/msec/security.sh" /etc/crontab
fi
###
@@ -78,7 +82,7 @@ echo "Do you want your system to check for grave permission problem on sensibles
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
AddRules "CHECK_PERMS=yes" /etc/security/msec/security.conf
- AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/security.sh" /etc/crontab
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /usr/share/msec/security.sh" /etc/crontab
fi
###
@@ -86,7 +90,7 @@ echo "Do you want your system to daily check SUID Root file change ?"
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf
- AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/security.sh" /etc/crontab
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /usr/share/msec/security.sh" /etc/crontab
fi
###
@@ -94,7 +98,7 @@ echo "Do you want your system to daily check suid files md5 checksum changes ?"
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
AddRules "CHECK_SUID_MD5=yes" /etc/security/msec/security.conf
- AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/security.sh" /etc/crontab
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /usr/share/msec/security.sh" /etc/crontab
fi
###
@@ -102,7 +106,7 @@ echo "Do you want your system to daily check SUID Group file change ?"
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf
- AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/security.sh" /etc/crontab
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /usr/share/msec/security.sh" /etc/crontab
fi
###
@@ -110,7 +114,7 @@ echo "Do you want your system to daily check Writeable file change ?"
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
AddRules "CHECK_WRITEABLE=yes" /etc/security/msec/security.conf
- AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/security.sh" /etc/crontab
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /usr/share/msec/security.sh" /etc/crontab
fi
###
@@ -118,7 +122,7 @@ echo "Do you want your system to daily check Unowned file change ?"
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
AddRules "CHECK_UNOWNED=yes" /etc/security/msec/security.conf
- AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/security.sh" /etc/crontab
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /usr/share/msec/security.sh" /etc/crontab
fi
###
@@ -127,7 +131,7 @@ echo "is in promiscuous state (which mean someone is probably running a sniffer
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
AddRules "CHECK_PROMISC=yes" /etc/security/msec/security.conf
- AddRules "*/1 * * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/promisc_check.sh" /etc/crontab
+ AddRules "*/1 * * * * root nice --adjustment=+19 /usr/share/msec/promisc_check.sh" /etc/crontab
fi
###
@@ -169,7 +173,7 @@ WaitAnswer; clear
if [[ ${answer} == yes ]]; then
echo -n "Disabling all service, except : {"
chkconfig --list | awk '{print $1}' | while read service; do
- if grep -qx ${service} /etc/security/msec/init-sh/server.4; then
+ if grep -qx ${service} /etc/security/msec/server.4; then
echo -n " ${service}"
fi
done
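Review bot: `grep -qx ${service} /etc/security/msec/server.4` at L235 treats the service name as a regular expression and leaves `${service}` unquoted; `grep -qxF "${service}" /etc/security/msec/server.4` matches the whitelist literally, which matters because this decides which services stay enabled. The same line is changed in level4.sh (L376) and level5.sh (L411). The loop also feeds every first word of `chkconfig --list` through this test, which presumably includes section headers such as the xinetd banner — confirm and filter if so.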
@@ -242,3 +246,11 @@ AddRules "export PATH SECURE_LEVEL" /etc/profile
+
+
+
+
+
+
+
+
diff --git a/init-sh/level0.sh b/init-sh/level0.sh
index ea5181c..b979b61 100755
--- a/init-sh/level0.sh
+++ b/init-sh/level0.sh
@@ -5,6 +5,7 @@
# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
#
+
if [[ -f /etc/security/msec/init-sh/lib.sh ]]; then
. /etc/security/msec/init-sh/lib.sh
else
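Review bot: L256–L257 still test and source `/etc/security/msec/init-sh/lib.sh`, a path this commit's Makefile no longer installs (L45 creates only `/etc/security/msec`, L47 copies `init-sh/*.sh` to `/usr/share/msec`), so level 0 takes the `else` branch — whose body is outside the hunk — on any fresh install while level1–5 and custom.sh were updated. Apply the same change here: `if [[ -f /usr/share/msec/lib.sh ]]; then` / `. /usr/share/msec/lib.sh`, with an `echo "Can't find /usr/share/msec/lib.sh, exiting." >&2` before the `exit` as in the sibling scripts.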
@@ -74,7 +75,7 @@ AddBegRules "/usr/X11R6/bin/xhost +" /etc/X11/xinit/xinitrc
# Group
echo "Adding system users to specific groups :"
-/etc/security/msec/init-sh/grpuser.sh --refresh
+/usr/share/msec/grpuser.sh --refresh
echo -e "done.\n"
# Boot on a shell / authorize ctrl-alt-del
diff --git a/init-sh/level1.sh b/init-sh/level1.sh
index 32d00f1..0c17880 100755
--- a/init-sh/level1.sh
+++ b/init-sh/level1.sh
@@ -5,9 +5,11 @@
# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
#
-if [[ -f /etc/security/msec/init-sh/lib.sh ]]; then
- . /etc/security/msec/init-sh/lib.sh
+
+if [[ -f /usr/share/msec/lib.sh ]]; then
+ . /usr/share/msec/lib.sh
else
+ echo "Can't find /usr/share/msec/lib.sh, exiting."
exit 1
fi
@@ -75,7 +77,7 @@ AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xinit/xinitrc
# Group
echo "Adding system users to specific groups :"
-/etc/security/msec/init-sh/grpuser.sh --refresh
+/usr/share/msec/grpuser.sh --refresh
grpconv
echo -e "done.\n"
diff --git a/init-sh/level2.sh b/init-sh/level2.sh
index e012f72..9348529 100755
--- a/init-sh/level2.sh
+++ b/init-sh/level2.sh
@@ -5,9 +5,12 @@
# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
#
-if [[ -f /etc/security/msec/init-sh/lib.sh ]]; then
- . /etc/security/msec/init-sh/lib.sh
+
+
+if [[ -f /usr/share/msec/lib.sh ]]; then
+ . /usr/share/msec/lib.sh
else
+ echo "Can't find /usr/share/msec/lib.sh, exiting."
exit 1
fi
@@ -74,7 +77,7 @@ AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xinit/xinitrc
# group
echo "Adding system users to specifics groups :"
-/etc/security/msec/init-sh/grpuser.sh --refresh
+/usr/share/msec/grpuser.sh --refresh
grpconv
echo -e "done.\n"
@@ -87,3 +90,5 @@ cat ${tmpfile} | \
sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab
rm -f ${tmpfile}
echo "done."
+
+
diff --git a/init-sh/level3.sh b/init-sh/level3.sh
index 1e78f93..bf53c66 100755
--- a/init-sh/level3.sh
+++ b/init-sh/level3.sh
@@ -5,13 +5,14 @@
# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
#
-if [[ -f /etc/security/msec/init-sh/lib.sh ]]; then
- . /etc/security/msec/init-sh/lib.sh
+
+if [[ -f /usr/share/msec/lib.sh ]]; then
+ . /usr/share/msec/lib.sh
else
+ echo "Can't find /usr/share/msec/lib.sh, exiting."
exit 1
fi
-# All events logged on tty12
echo "Loging all messages on tty12 : "
AddRules "*.* /dev/tty12" /etc/syslog.conf
@@ -59,7 +60,7 @@ echo -e "\t- Security warning in syslog : yes."
# Crontab
echo "Adding permission check in crontab (scheduled every midnight) :"
-AddRules "0 0 * * * root /etc/security/msec/cron-sh/security.sh" /etc/crontab
+AddRules "0 0 * * * root /usr/share/msec/security.sh" /etc/crontab
# lilo update
echo -n "Running lilo to record new config : "
diff --git a/init-sh/level4.sh b/init-sh/level4.sh
index 18d9aac..75a0e85 100755
--- a/init-sh/level4.sh
+++ b/init-sh/level4.sh
@@ -6,10 +6,10 @@
# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
#
-
-if [[ -f /etc/security/msec/init-sh/lib.sh ]]; then
- . /etc/security/msec/init-sh/lib.sh
+if [[ -f /usr/share/msec/lib.sh ]]; then
+ . /usr/share/msec/lib.sh
else
+ echo "Can't find /usr/share/msec/lib.sh, exiting."
exit 1
fi
@@ -68,10 +68,10 @@ echo -e "\t- Security warning in syslog : yes."
# Check every 1 minutes for promisc problem
echo "Adding promisc check in crontab (scheduled every minutes) :"
-AddRules "*/1 * * * * root /etc/security/msec/cron-sh/promisc_check.sh" /etc/crontab
+AddRules "*/1 * * * * root /usr/share/msec/promisc_check.sh" /etc/crontab
echo "Adding \"diff\" & \"global\" security check in crontab (scheduled every midnight) :"
-AddRules "0 0 * * * root /etc/security/msec/cron-sh/security.sh" /etc/crontab
+AddRules "0 0 * * * root /usr/share/msec/security.sh" /etc/crontab
# Do you want a password ?
LiloUpdate;
@@ -88,7 +88,7 @@ IFS="
"
echo -n "Disabling all service, except : {"
for service in `chkconfig --list | awk '{print $1}'`; do
- if grep -qx ${service} /etc/security/msec/init-sh/server.4; then
+ if grep -qx ${service} /etc/security/msec/server.4; then
echo -n " ${service}"
fi
done
diff --git a/init-sh/level5.sh b/init-sh/level5.sh
index 9e8af53..59dc413 100755
--- a/init-sh/level5.sh
+++ b/init-sh/level5.sh
@@ -5,8 +5,11 @@
# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
#
-if [[ -f /etc/security/msec/init-sh/lib.sh ]]; then
- . /etc/security/msec/init-sh/lib.sh
+if [[ -f /usr/share/msec/lib.sh ]]; then
+ . /usr/share/msec/lib.sh
+else
+ echo "Can't find /usr/share/msec/lib.sh, exiting."
+ exit 1
fi
echo -e "Changing attribute of /var/log/* to append only...\n"
@@ -60,10 +63,10 @@ echo -e "\t- Security warning in syslog : yes."
################ Crontab things ###################
# Check every 1 minutes for promisc problem
echo "Adding promisc check in crontab (scheduled every minutes) :"
-AddRules "*/1 * * * * root /etc/security/msec/cron-sh/promisc_check.sh" /etc/crontab
+AddRules "*/1 * * * * root /usr/share/msec/promisc_check.sh" /etc/crontab
echo "Adding \"diff\" & \"global\" security check in crontab (scheduled every midnight) :"
-AddRules "0 0 * * * root /etc/security/msec/cron-sh/security.sh" /etc/crontab
+AddRules "0 0 * * * root /usr/share/msec/security.sh" /etc/crontab
###################################################
@@ -83,7 +86,7 @@ IFS="
export SECURE_LEVEL=5
echo -n "Disabling all service, except : {"
for service in `chkconfig --list | awk '{print $1}'`; do
- if grep -qx ${service} /etc/security/msec/init-sh/server.5; then
+ if grep -qx ${service} /etc/security/msec/server.5; then
echo -n " ${service}"
fi
done
diff --git a/init-sh/lib.sh b/init-sh/lib.sh
index 920996f..7f55c7c 100644
--- a/init-sh/lib.sh
+++ b/init-sh/lib.sh
@@ -197,7 +197,7 @@ groupadd audio >& /dev/null
groupadd xgrp >& /dev/null
usermod -G xgrp xfs
-/etc/security/msec/init-sh/grpuser.sh --clean
+/usr/share/msec/grpuser.sh --clean
echo
diff --git a/init-sh/init.sh b/init-sh/msec
index a748541..ee69564 100755
--- a/init-sh/init.sh
+++ b/init-sh/msec
@@ -8,14 +8,14 @@ fi
if [[ ${1} == custom ]]; then
- /etc/security/msec/init-sh/custom.sh
+ /usr/share/msec/custom.sh
exit 0;
fi
-if [[ -f /etc/security/msec/init-sh/level$1.sh ]]; then
- /etc/security/msec/init-sh/level$1.sh
- if [[ -f /etc/security/msec/init-sh/perm.$1 ]]; then
- /etc/security/msec/init-sh/file_perm.sh /etc/security/msec/init-sh/perm.$1
+if [[ -f /usr/share/msec/level$1.sh ]]; then
+ /usr/share/msec/level$1.sh
+ if [[ -f /usr/share/msec/perm.$1 ]]; then
+ /usr/share/msec/file_perm.sh /usr/share/msec/perm.$1
else
echo "Couldn't find the default permissions for level $1."
fi
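Review bot: L441–L442 look for `perm.$1` under `/usr/share/msec`, but the Makefile in this commit installs `conf/perm.*` into `$(RPM_BUILD_ROOT)/etc/security/msec` (L50), and custom.sh/level4/level5 already read `server.*` from `/etc/security/msec`; the test at L441 therefore fails for every level and the `file_perm.sh` step — presumably the part that applies the level's permission table — is skipped with only the message at L444. Change both lines to `/etc/security/msec/perm.$1`. Separately, `$1` is interpolated into a path with no validation; a `case "${1}" in [0-5]) ;; *) echo "usage: msec <0-5|custom>" >&2; exit 1;; esac` after the `custom` branch at L430–L434 would make an unexpected argument fail explicitly instead of falling into the generic message. The script continues past the end of the hunk.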