-rw-r--r-- | conf/level.secure | 2 | ||||
-rw-r--r-- | conf/level.standard | 2 | ||||
-rwxr-xr-x | cron-sh/scripts/05_access.sh | 50 | ||||
-rw-r--r-- | src/msec/config.py | 3 | ||||
-rwxr-xr-x | src/msec/libmsec.py | 8 |
5 files changed, 65 insertions, 0 deletions
diff --git a/conf/level.secure b/conf/level.secure
index b89b554..eb4d14d 100644
--- a/conf/level.secure
+++ b/conf/level.secure
@@ -27,6 +27,8 @@ CHECK_SHADOW=yes
 ALLOW_ROOT_LOGIN=no
 CHECK_UNOWNED=yes
 FIX_UNOWNED=yes
+CHECK_USERS=yes
+CHECK_GROUPS=yes
 ENABLE_CONSOLE_LOG=no
 ALLOW_USER_LIST=no
 ENABLE_DNS_SPOOFING_PROTECTION=yes
diff --git a/conf/level.standard b/conf/level.standard
index 4a07ed3..3a20417 100644
--- a/conf/level.standard
+++ b/conf/level.standard
@@ -27,6 +27,8 @@ CHECK_SHADOW=yes
 ALLOW_ROOT_LOGIN=yes
 CHECK_UNOWNED=no
 FIX_UNOWNED=yes
+CHECK_USERS=yes
+CHECK_GROUPS=yes
 ENABLE_CONSOLE_LOG=yes
 ALLOW_USER_LIST=yes
 ENABLE_DNS_SPOOFING_PROTECTION=yes
diff --git a/cron-sh/scripts/05_access.sh b/cron-sh/scripts/05_access.sh
index 1168cd7..e63a3c8 100755
--- a/cron-sh/scripts/05_access.sh
+++ b/cron-sh/scripts/05_access.sh
@@ -9,6 +9,56 @@ if [ -z "$MSEC_TMP" -o -z "$INFOS" -o -z "$SECURITY" -o -z "$DIFF" -o -z "$SECUR
 return 1
 fi
+# check for changes in users
+USERS_LIST_TODAY="/var/log/security/users_list.today"
+USERS_LIST_YESTERDAY="/var/log/security/users_list.yesterday"
+USERS_LIST_DIFF="/var/log/security/users_list.diff"
+
+if [[ -f ${USERS_LIST_TODAY} ]]; then
+ mv ${USERS_LIST_TODAY} ${USERS_LIST_YESTERDAY};
+fi
+
+# check for changes in users
+if [[ ${CHECK_USERS} == yes ]]; then
+ getent passwd | cut -f 1 -d : | sort > ${USERS_LIST_TODAY}
+ if [[ -f ${USERS_LIST_YESTERDAY} ]]; then
+ if ! diff -u ${USERS_LIST_YESTERDAY} ${USERS_LIST_TODAY} > ${USERS_LIST_DIFF}; then
+ printf "\nSecurity Warning: Changes in list of users found :\n" >> ${DIFF}
+ grep '^+' ${USERS_LIST_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
+ printf "\t\t- Newly added users : ${file}\n"
+ done >> ${DIFF}
+ grep '^-' ${USERS_LIST_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
+ printf "\t\t- No longer present users : ${file}\n"
+ done >> ${DIFF}
+ fi
+ fi
+fi
+
+# check for changes in groups
+GROUPS_LIST_TODAY="/var/log/security/groups_list.today"
+GROUPS_LIST_YESTERDAY="/var/log/security/groups_list.yesterday"
+GROUPS_LIST_DIFF="/var/log/security/groups_list.diff"
+
+if [[ -f ${GROUPS_LIST_TODAY} ]]; then
+ mv ${GROUPS_LIST_TODAY} ${GROUPS_LIST_YESTERDAY};
+fi
+
+# check for changes in groups
+if [[ ${CHECK_GROUPS} == yes ]]; then
+ getent passwd | cut -f 1 -d : | sort > ${GROUPS_LIST_TODAY}
+ if [[ -f ${GROUPS_LIST_YESTERDAY} ]]; then
+ if ! diff -u ${GROUPS_LIST_YESTERDAY} ${GROUPS_LIST_TODAY} > ${GROUPS_LIST_DIFF}; then
+ printf "\nSecurity Warning: Changes in list of groups found :\n" >> ${DIFF}
+ grep '^+' ${GROUPS_LIST_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
+ printf "\t\t- Newly added groups : ${file}\n"
+ done >> ${DIFF}
+ grep '^-' ${GROUPS_LIST_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
+ printf "\t\t- No longer present groups : ${file}\n"
+ done >> ${DIFF}
+ fi
+ fi
+fi
+
 ### Passwd file check
 if [[ ${CHECK_PASSWD} == yes ]]; then
 getent passwd | awk -F: '{
diff --git a/src/msec/config.py b/src/msec/config.py
index 5646fb7..29bcedb 100644
--- a/src/msec/config.py
+++ b/src/msec/config.py
@@ -69,6 +69,8 @@ SETTINGS = {'BASE_LEVEL': ("libmsec.base_level",
 'CHECK_CHKROOTKIT' : ("libmsec.check_chkrootkit", ['yes', 'no']),
 'CHECK_RPM' : ("libmsec.check_rpm", ['yes', 'no']),
 'CHECK_SHOSTS' : ("libmsec.check_shosts", ['yes', 'no']),
+ 'CHECK_USERS' : ("libmsec.check_users", ['yes', 'no']),
+ 'CHECK_GROUPS' : ("libmsec.check_groups", ['yes', 'no']),
 # notifications
 'TTY_WARN' : ("libmsec.tty_warn", ['yes', 'no']),
 'MAIL_WARN' : ("libmsec.mail_warn", ['yes', 'no']),
@@ -128,6 +130,7 @@ SETTINGS_NETWORK = ["ACCEPT_BOGUS_ERROR_RESPONSES", "ACCEPT_BROADCASTED_ICMP_ECH
 SETTINGS_PERIODIC = ["CHECK_PERMS", "CHECK_USER_FILES", "CHECK_SUID_ROOT", "CHECK_SUID_MD5", "CHECK_SGID", "CHECK_WRITABLE", "CHECK_UNOWNED", "FIX_UNOWNED", "CHECK_PROMISC", "CHECK_OPEN_PORT", "CHECK_FIREWALL", "CHECK_PASSWD", "CHECK_SHADOW", "CHECK_CHKROOTKIT", "CHECK_RPM", "CHECK_SHOSTS",
+ "CHECK_USERS", "CHECK_GROUPS",
 "TTY_WARN", "SYSLOG_WARN", "MAIL_EMPTY_CONTENT", ]
diff --git a/src/msec/libmsec.py b/src/msec/libmsec.py
index 4f520ae..c22a8a6 100755
--- a/src/msec/libmsec.py
+++ b/src/msec/libmsec.py
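Review bot: The groups check reads the wrong database: under `if [[ ${CHECK_GROUPS} == yes ]]` the line `getent passwd | cut -f 1 -d : | sort > ${GROUPS_LIST_TODAY}` is a verbatim copy of the users block, so groups_list.today contains user names and an added or removed group is never reported; it should be `getent group | cut -f 1 -d : | sort > ${GROUPS_LIST_TODAY}`. The two report loops would also be safer as `while read -r file; do`, since a backslash in a user or group name is otherwise interpreted by read before reaching printf. The hunk is top-level script code; the `### Passwd file check` that follows continues outside the hunk.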
@@ -1484,6 +1484,14 @@ class MSEC:
 """ Enable checking for dangerous options in users' .rhosts/.shosts files."""
 pass
+ def check_users(self, param):
+ """ Enable checking for changes in system users."""
+ pass
+
+ def check_groups(self, param):
+ """ Enable checking for changes in system groups."""
+ pass
+
 def enable_sudo(self, param):
 """Allow users to authenticate with their passwords for sudo. If this parameter is set to 'wheel', users must belong to the 'wheel' group to be able to use sudo"""
 pass
|
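Review bot: The docstrings of the new `check_users` and `check_groups` methods do not say where the check actually happens: both bodies are `pass` and `param` is unused, like the neighbouring `check_shosts`, so the setting only takes effect through the periodic cron-sh/scripts/05_access.sh script this commit also adds. A reader of libmsec.py alone cannot tell that, so I would extend them to `""" Enable checking for changes in system users (performed by the periodic 05_access.sh check)."""` and the same wording for groups. The MSEC class starts before this hunk and continues after it.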