-rw-r--r--ChangeLog4
-rwxr-xr-xcron-sh/diff_check.sh187
-rwxr-xr-xcron-sh/find.sh73
-rwxr-xr-xcron-sh/security_check.sh35
-rw-r--r--init-sh/security.conf30
5 files changed, 181 insertions, 148 deletions
diff --git a/ChangeLog b/ChangeLog
index 81907fa..b6515a3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+1999-12-19 Yoann Vandoorselaere <yoann@mandrakesoft.com>
+ * Big cleanup.
+ * All work properly now.
+
1999-12-19 Pixel <pixel@mandrakesoft.com>
* msec.spec: modify to take into account the Makefile modifying
the .spec
diff --git a/cron-sh/diff_check.sh b/cron-sh/diff_check.sh
index 603edf6..006a26d 100755
--- a/cron-sh/diff_check.sh
+++ b/cron-sh/diff_check.sh
@@ -14,34 +14,9 @@ if [[ ${CHECK_SECURITY} == no ]]; then
exit 0
fi
-SUID_ROOT_TODAY="/var/log/security/suid_root.today"
-SUID_ROOT_YESTERDAY="/var/log/security/suid_root.yesterday"
-SUID_ROOT_DIFF="/var/log/security/suid_root.diff"
-SUID_GROUP_TODAY="/var/log/security/suid_group.today"
-SUID_GROUP_YESTERDAY="/var/log/security/suid_group.yesterday"
-SUID_GROUP_DIFF="/var/log/security/suid_group.diff"
-SUID_MD5_TODAY="/var/log/security/suid_md5.today"
-SUID_MD5_YESTERDAY="/var/log/security/suid_md5.yesterday"
-SUID_MD5_DIFF="/var/log/security/suid_md5.diff"
-OPEN_PORT_TODAY="/var/log/security/open_port.today"
-OPEN_PORT_YESTERDAY="/var/log/security/open_port.yesterday"
-OPEN_PORT_DIFF="/var/log/security/open_port.diff"
-WRITEABLE_TODAY="/var/log/security/writeable.today"
-WRITEABLE_YESTERDAY="/var/log/security/writeable.yesterday"
-WRITEABLE_DIFF="/var/log/security/writeable.diff"
-UNOWNED_TODAY="/var/log/security/unowned.today"
-UNOWNED_YESTERDAY="/var/log/security/unowned.yesterday"
-UNOWNED_DIFF="/var/log/security/unowned.diff"
-
SECURITY_LOG="/var/log/security.log"
TMP=`mktemp /tmp/secure.XXXXXX`
-if [[ ! -d /var/log/security ]]; then
- mkdir /var/log/security
-fi
-
-rm -f ${TMP} ${SECURITY_TMP} >& /dev/null
-
### Functions ###
Syslog() {
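Review bot: `TMP=\`mktemp /tmp/secure.XXXXXX\`` is kept without any failure check, so if mktemp fails TMP is empty and every later `>> ${TMP}` in the report blocks is an ambiguous redirect that silently drops the report; `TMP=$(mktemp /tmp/secure.XXXXXX) || exit 1` stops the run instead. The removed `rm -f ${TMP}` is a good change, since deleting the freshly created temp file reopened the predictable-name window, but nothing now removes the file on an early exit; `trap 'rm -f -- "${TMP}"' EXIT` covers every exit path. The path variables this script now relies on come from security.conf, which is sourced outside this hunk.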
@@ -66,154 +41,119 @@ Ttylog() {
### New Suid root files detection
if [[ ${CHECK_SUID_ROOT} == yes ]]; then
- if [[ -f ${SUID_ROOT_TODAY} ]]; then
- mv ${SUID_ROOT_TODAY} ${SUID_ROOT_YESTERDAY}
- fi
-
- find ${DIR} -xdev -type f -perm +04000 -user root \
- -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" | sort > ${SUID_ROOT_TODAY}
-
if [[ -f ${SUID_ROOT_YESTERDAY} ]]; then
if ! diff -u ${SUID_ROOT_YESTERDAY} ${SUID_ROOT_TODAY} > ${SUID_ROOT_DIFF}; then
printf "\nSecurity Warning: Change in Suid Root files found :\n" >> ${TMP}
- grep '^+' ${SUID_ROOT_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do
- printf "\t\t- Added suid root files : ${file}.\n" >> ${TMP}
- done
- grep '^-' ${SUID_ROOT_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do
- printf "\t\t- Removed suid root files : ${file}.\n" >> ${TMP}
- done
+ grep '^+' ${SUID_ROOT_DIFF} | grep -vw "^+++ " | sed 's|^.||' | while read file; do
+ printf "\t\t- Added suid root files : ${file}\n"
+ done >> ${TMP}
+ grep '^-' ${SUID_ROOT_DIFF} | grep -vw "^--- " | sed 's|^.||' | while read file; do
+ printf "\t\t- Removed suid root files : ${file}\n"
+ done >> ${TMP}
fi
fi
+
fi
### New Suid group files detection
if [[ ${CHECK_SUID_GROUP} == yes ]]; then
- if [[ -f ${SUID_GROUP_TODAY} ]]; then
- mv ${SUID_GROUP_TODAY} ${SUID_GROUP_YESTERDAY}
- fi
-
- find ${DIR} -xdev -type f -perm +02000 \
- -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" | sort > ${SUID_GROUP_TODAY}
-
if [[ -f ${SUID_GROUP_YESTERDAY} ]]; then
if ! diff -u ${SUID_GROUP_YESTERDAY} ${SUID_GROUP_TODAY} > ${SUID_GROUP_DIFF}; then
- printf "\nSecurity Warning: Changes in Suid Group files found :\n" >> ${TMP}
- grep '^+' ${SUID_GROUP_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do
- printf "\t\t- Added suid group files : ${file}.\n" >> ${TMP}
- done
- grep '^-' ${SUID_GROUP_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do
- printf "\t\t- Removed suid group files : ${file}.\n" >> ${TMP}
- done
+ printf "\nSecurity Warning: Changes in Suid Group files found :\n" >> ${TMP}
+ grep '^+' ${SUID_GROUP_DIFF} | grep -vw "^+++ " | sed 's|^.||' | while read file; do
+ printf "\t\t- Added suid group files : ${file}\n"
+ done >> ${TMP}
+ grep '^-' ${SUID_GROUP_DIFF} | grep -vw "^--- " | sed 's|^.||' | while read file; do
+ printf "\t\t- Removed suid group files : ${file}\n"
+ done >> ${TMP}
fi
fi
+
fi
### Writable files detection
if [[ ${CHECK_WRITEABLE} == yes ]]; then
- if [[ -f ${WRITEABLE_TODAY} ]]; then
- mv -f ${WRITEABLE_TODAY} ${WRITEABLE_YESTERDAY}
- fi
-
- find ${DIR} -xdev -type f -perm -2 -ls -print | sort > ${WRITEABLE_TODAY}
-
if [[ -f ${WRITEABLE_YESTERDAY} ]]; then
if ! diff -u ${WRITEABLE_YESTERDAY} ${WRITEABLE_TODAY} > ${WRITEABLE_DIFF}; then
printf "\nSecurity Warning: Change in World Writeable Files found :\n" >> ${TMP}
- grep '^+' ${WRITEABLE_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do
- printf "\t\t- Added writables files : ${file}.\n" >> ${TMP}
- done
- grep '^-' ${WRITEABLE_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do
- printf "\t\t- Removed writables files : ${file}.\n" >> ${TMP}
- done
+ grep '^+' ${WRITEABLE_DIFF} | grep -vw "^+++ " | sed 's|^.||' | while read file; do
+ printf "\t\t- Added writables files : ${file}\n"
+ done >> ${TMP
+ grep '^-' ${WRITEABLE_DIFF} | grep -vw "^--- " | sed 's|^.||' | while read file; do
+ printf "\t\t- Removed writables files : ${file}\n"
+ done >> ${TMP}
fi
fi
+
fi
### Search Non Owned files
if [[ ${CHECK_UNOWNED} == yes ]]; then
- if [[ -f ${UNOWNED_TODAY} ]]; then
- mv -f ${UNOWNED_TODAY} ${UNOWNED_YESTERDAY}
- fi
-
- find ${DIR} -xdev -nouser -print -ls | sort > ${UNOWNED_TODAY}
-
- if [[ -f ${UNOWNED_YESTERDAY} ]]; then
- if ! diff -u ${UNOWNED_YESTERDAY} ${UNOWNED_TODAY} > ${UNOWNED_DIFF}; then
+ if [[ -f ${UNOWNED_USER_YESTERDAY} ]]; then
+ if ! diff -u ${UNOWNED_USER_YESTERDAY} ${UNOWNED_USER_TODAY} > ${UNOWNED_USER_DIFF}; then
printf "\nSecurity Warning: the following files aren't owned by an user :\n" >> ${TMP}
- grep '^+' ${UNOWNED_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do
- printf "\t\t- Added un-owned files : ${file}.\n" >> ${TMP}
- done
- grep '^-' ${UNOWNED_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do
- printf "\t\t- Removed un-owned files : ${file}.\n" >> ${TMP}
- done
+ grep '^+' ${UNOWNED_USER_DIFF} | grep -vw "^--- " | sed 's|^.||' | while read file; do
+ printf "\t\t- Added un-owned files : ${file}\n"
+ done > ${TMP}
+ grep '^-' ${UNOWNED_USER_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do
+ printf "\t\t- Removed un-owned files : ${file}\n"
+ done >> ${TMP}
fi
fi
-
- find ${DIR} -xdev -nogroup -print -ls | sort >> ${UNOWNED_TODAY}
- if [[ -f ${UNOWNED_YESTERDAY} ]]; then
- if ! diff -u ${UNOWNED_YESTERDAY} ${UNOWNED_TODAY} > ${UNOWNED_DIFF}; then
+ if [[ -f ${UNOWNED_GROUP_YESTERDAY} ]]; then
+ if ! diff -u ${UNOWNED_GROUP_YESTERDAY} ${UNOWNED_GROUP_TODAY} > ${UNOWNED_GROUP_DIFF}; then
printf "\nSecurity Warning: the following files aren't owned by a group :\n" >> ${TMP}
- grep '^+' ${UNOWNED_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do
- printf "\t\t- Added un-owned files : ${file}.\n" >> ${TMP}
- done
- grep '^-' ${UNOWNED_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do
- printf "\t\t- Removed un-owned files : ${file}.\n" >> ${TMP}
- done
+ grep '^+' ${UNOWNED_GROUP_DIFF} | grep -vw "^+++ " | sed 's|^.||' | while read file; do
+ printf "\t\t- Added un-owned files : ${file}\n"
+ done >> ${TMP}
+ grep '^-' ${UNOWNED_GROUP_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do
+ printf "\t\t- Removed un-owned files : ${file}\n"
+ done >> ${TMP}
fi
fi
+
fi
-### Md5 check for SUID root file
+### Md5 check for SUID root fileg
if [[ ${CHECK_SUID_MD5} == yes ]]; then
-
- if [[ -f ${SUID_MD5_TODAY} ]]; then
- mv ${SUID_MD5_TODAY} ${SUID_MD5_YESTERDAY}
- fi
-
- touch ${SUID_MD5_TODAY}
- awk '{print $12}' ${SUID_ROOT_TODAY} |
- while read line; do
- md5sum ${line} >> ${SUID_MD5_TODAY}
- done
+ ctrl_md5=0;
if [[ -f ${SUID_MD5_YESTERDAY} ]]; then
if ! diff -u ${SUID_MD5_YESTERDAY} ${SUID_MD5_TODAY} > ${SUID_MD5_DIFF}; then
- printf "\nSecurity Warning: the md5 checksum for one of your SUID files has changed,\n" >> ${TMP}
- printf "\tmaybe an intruder modified one of these suid binary in order to put in a backdoor...\n" >> ${TMP}
grep '^+' ${SUID_MD5_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $2}' | while read file; do
- printf "\t\t- Changed ( added ) files : ${file}.\n" >> ${TMP}
- done
- grep '^-' ${SUID_MD5_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $2}' | while read file; do
- printf "\t\t- Changed ( removed ) files : ${file}.\n" >> ${TMP}
- done
+ if cat ${SUID_MD5_YESTERDAY} | awk '{print $2}' | grep -qw ${file}; then
+ if [[ ${ctrl_md5} == 0 ]]; then
+ printf "\nSecurity Warning: the md5 checksum for one of your SUID files has changed,\n" >> ${TMP}
+ printf "\tmaybe an intruder modified one of these suid binary in order to put in a backdoor...\n" >> ${TMP}
+ ctrl_md5=1;
+ fi
+ printf "\t\t- Checksum changed files : ${file}\n"
+ fi
+ done >> ${TMP}
fi
fi
+
fi
### Changed open port
if [[ ${CHECK_OPEN_PORT} == yes ]]; then
-
- if [[ -f ${OPEN_PORT_TODAY} ]]; then
- mv -f ${OPEN_PORT_TODAY} ${OPEN_PORT_YESTERDAY}
- fi
-
- netstat -pvlA inet > ${OPEN_PORT_TODAY};
if [[ -f ${OPEN_PORT_YESTERDAY} ]]; then
if ! diff -u ${OPEN_PORT_YESTERDAY} ${OPEN_PORT_TODAY} 1> ${OPEN_PORT_DIFF}; then
- printf "\nSecurity Warning: There is a new port listening on your machine :\n" >> ${TMP}
- grep '^+' ${OPEN_PORT_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do
- printf "\t\t- Opened ports : ${file}.\n" >> ${TMP}
- done
- grep '^-' ${OPEN_PORT_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do
- printf "\t\t- Closed ports : ${file}.\n" >> ${TMP}
- done
+ printf "\nSecurity Warning: There is modifications for port listening on your machine :\n" >> ${TMP}
+ grep '^+' ${OPEN_PORT_DIFF} | grep -vw "^+++ " | sed 's|^.||' | while read file; do
+ printf "\t\t- Opened ports : ${file}\n"
+ done >> ${TMP}
+ grep '^-' ${OPEN_PORT_DIFF} | grep -vw "^--- " | sed 's|^.||' | while read file; do
+ printf "\t\t- Closed ports : ${file}\n"
+ done >> ${TMP}
fi
fi
+
fi
######## Report ######
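Review bot: `done >> ${TMP` in the writable-files block is missing its closing brace, which is either a bad substitution or swallows the following lines, so the whole writable-files check breaks; it should read `done >> ${TMP}`. The user-unowned block then writes its added-file list with `done > ${TMP}`, truncating everything the earlier checks appended to the report, so that too should be `>>`. The two removed-file pipelines in the unowned blocks still carry `| awk '{print $12}'` although the lists produced by find.sh now hold one bare `%h/%f` path per line, so those lines report an empty name; drop the awk stage as the added-file pipelines already do. In the md5 block `grep -qw ${file}` treats the unquoted path as a regular expression, so a path containing `.` or other metacharacters can match a different entry in yesterday's list; `grep -qxF -- "${file}"` compares the literal path exactly.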
@@ -228,3 +168,12 @@ fi
if [[ -f ${TMP} ]]; then
rm -f ${TMP}
fi
+
+
+
+
+
+
+
+
+
diff --git a/cron-sh/find.sh b/cron-sh/find.sh
new file mode 100755
index 0000000..a12d46c
--- /dev/null
+++ b/cron-sh/find.sh
@@ -0,0 +1,73 @@
+#!/bin/sh
+
+if [[ ! -f /etc/security/msec/security.conf ]]; then
+ echo "Can't access /etc/security/msec/security.conf."
+ exit 1
+fi
+
+. /etc/security/msec/security.conf
+
+# Modified filters coming from debian security scripts.
+
+CS_NFSAFS='(nfs|afs|xfs|coda)'
+CS_TYPES=' type (devpts|auto|proc|msdos|fat|vfat|iso9660|ncpfs|smbfs|'$CS_NFSAFS')'
+CS_DEVS='^/dev/fd'
+CS_DIRS='on /mnt'
+FILTERS="$CS_TYPES|$CS_DEVS|$CS_DIRS"
+DIR=`mount | grep -vE "$FILTERS" | cut -d ' ' -f3`
+PRINT="%h/%f\n"
+#PRINT="%8i %5m %3n %-10u %-10g %9s %t %h/%f\n"
+
+if [[ ! -d /var/log/security ]]; then
+ mkdir /var/log/security
+fi
+
+if [[ -s ${SUID_ROOT_TODAY} ]]; then
+ mv ${SUID_ROOT_TODAY} ${SUID_ROOT_YESTERDAY};
+fi
+
+if [[ -s ${SUID_GROUP_TODAY} ]]; then
+ mv ${SUID_GROUP_TODAY} ${SUID_GROUP_YESTERDAY};
+fi
+
+if [[ -s ${WRITEABLE_TODAY} ]]; then
+ mv ${WRITEABLE_TODAY} ${WRITEABLE_YESTERDAY};
+fi
+
+if [[ -s ${UNOWNED_USER_TODAY} ]]; then
+ mv ${UNOWNED_USER_TODAY} ${UNOWNED_USER_YESTERDAY};
+fi
+
+if [[ -s ${UNOWNED_GROUP_TODAY} ]]; then
+ mv ${UNOWNED_GROUP_TODAY} ${UNOWNED_GROUP_YESTERDAY};
+fi
+
+if [[ -s ${OPEN_PORT_TODAY} ]]; then
+ mv -f ${OPEN_PORT_TODAY} ${OPEN_PORT_YESTERDAY}
+fi
+
+if [[ -s ${SUID_MD5_TODAY} ]]; then
+ mv ${SUID_MD5_TODAY} ${SUID_MD5_YESTERDAY};
+fi
+
+netstat -pvlA inet > ${OPEN_PORT_TODAY};
+find ${DIR} -xdev -type f -perm +04000 -user root -printf "${PRINT}" | sort > ${SUID_ROOT_TODAY}
+find ${DIR} -xdev -type f -perm +02000 -printf "${PRINT}" | sort > ${SUID_GROUP_TODAY}
+find ${DIR} -xdev -type f -perm -2 -printf "${PRINT}" | sort > ${WRITEABLE_TODAY}
+find ${DIR} -xdev -nouser -printf "${PRINT}" | sort > ${UNOWNED_USER_TODAY}
+find ${DIR} -xdev -nogroup -printf "${PRINT}" | sort > ${UNOWNED_GROUP_TODAY}
+
+cat ${SUID_ROOT_TODAY} | while read line; do
+ md5sum ${line}
+done > ${SUID_MD5_TODAY}
+
+
+
+
+
+
+
+
+
+
+
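Review bot: `md5sum ${line}` at the end of the file leaves the path unquoted, so a SUID file whose path contains whitespace is split into several arguments and is hashed wrongly or not at all, leaving a gap in the baseline; use `while IFS= read -r line; do md5sum -- "${line}"; done < ${SUID_ROOT_TODAY} > ${SUID_MD5_TODAY}`. The script declares `#!/bin/sh` but uses `[[ ]]`, which only works where sh happens to be bash; `#!/bin/bash` matches what the code needs. `mkdir /var/log/security` inherits the umask, so the lists of SUID, world-writable and unowned files are typically world-readable; `mkdir -m 0700 /var/log/security` keeps the baselines private to root. The `-s` guards rotate only a non-empty list, so on a day when a check finds nothing the `.yesterday` file keeps an older baseline; `-f` rotates unconditionally.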
diff --git a/cron-sh/security_check.sh b/cron-sh/security_check.sh
index d7d6ff3..aafa294 100755
--- a/cron-sh/security_check.sh
+++ b/cron-sh/security_check.sh
@@ -43,34 +43,29 @@ Ttylog() {
### Writeable file detection
if [[ ${CHECK_WRITEABLE} == yes ]]; then
- find ${DIR} -xdev -type f -perm -2 -print | sort > ${TMP}
-
- if [[ -s ${TMP} ]]; then
- printf "\nSecurity Warning: World Writeable Files found :\n" >> ${SECURITY}
- cat ${TMP} | awk '{print "\t\t- " $0}' >> ${SECURITY}
+ if [[ -s ${WRITEABLE_TODAY} ]]; then
+ printf "\nSecurity Warning: World Writeable files found :\n" >> ${SECURITY}
+ cat ${WRITEABLE_TODAY} | awk '{print "\t\t- " $0}' >> ${SECURITY}
fi
fi
### Search Un Owned file
if [[ ${CHECK_UNOWNED} == yes ]]; then
- find ${DIR} -xdev -nouser -print | sort > ${TMP}
-
- if [[ -s ${TMP} ]]; then
- printf "\nSecurity Warning : the following file aren't owned by any user :\n" >> ${SECURITY}
- printf "\ttheses files now have user \"nobody\" as their owner." >> ${SECURITY_LOG}
- cat ${TMP} | awk '{print "\t\t- " $0}' >> ${SECURITY}
- cat ${TMP} | while read line; do
- chown nobody ${line};
+ if [[ -s ${UNOWNED_USER_TODAY} ]]; then
+ printf "\nSecurity Warning : User Unowned files found :\n" >> ${SECURITY}
+ printf "\t( theses files now have user \"nobody\" as their owner. )\n" >> ${SECURITY_LOG}
+ cat ${UNOWNED_USER_TODAY} | awk '{print "\t\t- " $0}' >> ${SECURITY}
+ cat ${UNOWNED_USER_TODAY} | while read line; do
+ chown nobody "${line}"; # Use quote if filename contain space.
done
fi
- find $DIR -xdev -nogroup -print | sort > ${TMP}
- if [[ -s ${TMP} ]]; then
- printf "\nSecurity Warning : the following file aren't owned by any group :\n" >> ${SECURITY}
- printf "\ttheses files now have group \"nogroup\" as their group owner." >> ${SECURITY}
- cat ${TMP} | awk '{print "\t\t- " $0}' >> ${SECURITY}
- cat ${TMP} | while read line; do
- chgrp nogroup ${line};
+ if [[ -s ${UNOWNED_GROUP_TODAY} ]]; then
+ printf "\nSecurity Warning : Group Unowned files found :\n" >> ${SECURITY}
+ printf "\t( theses files now have group \"nogroup\" as their group owner. )\n" >> ${SECURITY}
+ cat ${UNOWNED_GROUP_TODAY} | awk '{print "\t\t- " $0}' >> ${SECURITY}
+ cat ${UNOWNED_GROUP_TODAY} | while read line; do
+ chgrp nogroup "${line}"; # Use quote if filename contain space.
done
fi
fi
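Review bot: `chown nobody "${line}"` and `chgrp nogroup "${line}"` follow symbolic links, and the `find -nouser`/`-nogroup` calls in find.sh are not restricted to regular files, so an unowned symlink causes its target to be re-owned rather than the link that was listed; `chown -h nobody -- "${line}"` and `chgrp -h nogroup -- "${line}"` act on the listed entry itself. The explanatory line in the user-unowned block is appended to `${SECURITY_LOG}` while its heading and file list go to `${SECURITY}`, unlike the group block just below; presumably it should be `>> ${SECURITY}` as well. Both loops use `while read line`, which strips backslashes from paths before chown sees them; `while IFS= read -r line` preserves the path as listed.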
diff --git a/init-sh/security.conf b/init-sh/security.conf
index 64ea0ea..afb9428 100644
--- a/init-sh/security.conf
+++ b/init-sh/security.conf
@@ -1,9 +1,21 @@
-# Modified filters coming from debian security scripts.
-CS_NFSAFS='(nfs|afs|xfs|coda)'
-CS_TYPES=' type (devpts|auto|proc|msdos|fat|vfat|iso9660|ncpfs|smbfs|'$CS_NFSAFS')'
-CS_DEVS='^/dev/fd'
-CS_DIRS='on /mnt'
-FILTERS="$CS_TYPES|$CS_DEVS|$CS_DIRS"
-DIR=`mount | grep -vE "$FILTERS" | cut -d ' ' -f3`
-###
-
+SUID_ROOT_TODAY="/var/log/security/suid_root.today"
+SUID_ROOT_YESTERDAY="/var/log/security/suid_root.yesterday"
+SUID_ROOT_DIFF="/var/log/security/suid_root.diff"
+SUID_GROUP_TODAY="/var/log/security/suid_group.today"
+SUID_GROUP_YESTERDAY="/var/log/security/suid_group.yesterday"
+SUID_GROUP_DIFF="/var/log/security/suid_group.diff"
+SUID_MD5_TODAY="/var/log/security/suid_md5.today"
+SUID_MD5_YESTERDAY="/var/log/security/suid_md5.yesterday"
+SUID_MD5_DIFF="/var/log/security/suid_md5.diff"
+OPEN_PORT_TODAY="/var/log/security/open_port.today"
+OPEN_PORT_YESTERDAY="/var/log/security/open_port.yesterday"
+OPEN_PORT_DIFF="/var/log/security/open_port.diff"
+WRITEABLE_TODAY="/var/log/security/writeable.today"
+WRITEABLE_YESTERDAY="/var/log/security/writeable.yesterday"
+WRITEABLE_DIFF="/var/log/security/writeable.diff"
+UNOWNED_USER_TODAY="/var/log/security/unowned_user.today"
+UNOWNED_USER_YESTERDAY="/var/log/security/unowned_user.yesterday"
+UNOWNED_USER_DIFF="/var/log/security/unowned_user.diff"
+UNOWNED_GROUP_TODAY="/var/log/security/unowned_group.today"
+UNOWNED_GROUP_YESTERDAY="/var/log/security/unowned_group.yesterday"
+UNOWNED_GROUP_DIFF="/var/log/security/unowned_group.diff"
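Review bot: DIR and the FILTERS that derive it are removed from this file and recomputed only in find.sh, so any `find ${DIR}` left in security_check.sh outside the hunk shown above would now run with an empty DIR, i.e. on cron's current directory, without any error; it would be worth grepping the remaining callers before relying on this. A short header comment, e.g. `# Paths of the daily baselines written by cron-sh/find.sh and compared by cron-sh/diff_check.sh`, would tell a reader that this file is sourced by the scripts and why the .today/.yesterday/.diff triples exist.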