aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--conf/level.secure2
-rw-r--r--conf/level.standard2
-rwxr-xr-xcron-sh/scripts/05_access.sh50
-rw-r--r--src/msec/config.py3
-rwxr-xr-xsrc/msec/libmsec.py8
5 files changed, 65 insertions, 0 deletions
diff --git a/conf/level.secure b/conf/level.secure
index b89b554..eb4d14d 100644
--- a/conf/level.secure
+++ b/conf/level.secure
@@ -27,6 +27,8 @@ CHECK_SHADOW=yes
ALLOW_ROOT_LOGIN=no
CHECK_UNOWNED=yes
FIX_UNOWNED=yes
+CHECK_USERS=yes
+CHECK_GROUPS=yes
ENABLE_CONSOLE_LOG=no
ALLOW_USER_LIST=no
ENABLE_DNS_SPOOFING_PROTECTION=yes
diff --git a/conf/level.standard b/conf/level.standard
index 4a07ed3..3a20417 100644
--- a/conf/level.standard
+++ b/conf/level.standard
@@ -27,6 +27,8 @@ CHECK_SHADOW=yes
ALLOW_ROOT_LOGIN=yes
CHECK_UNOWNED=no
FIX_UNOWNED=yes
+CHECK_USERS=yes
+CHECK_GROUPS=yes
ENABLE_CONSOLE_LOG=yes
ALLOW_USER_LIST=yes
ENABLE_DNS_SPOOFING_PROTECTION=yes
diff --git a/cron-sh/scripts/05_access.sh b/cron-sh/scripts/05_access.sh
index 1168cd7..e63a3c8 100755
--- a/cron-sh/scripts/05_access.sh
+++ b/cron-sh/scripts/05_access.sh
@@ -9,6 +9,56 @@ if [ -z "$MSEC_TMP" -o -z "$INFOS" -o -z "$SECURITY" -o -z "$DIFF" -o -z "$SECUR
return 1
fi
+# check for changes in users
+USERS_LIST_TODAY="/var/log/security/users_list.today"
+USERS_LIST_YESTERDAY="/var/log/security/users_list.yesterday"
+USERS_LIST_DIFF="/var/log/security/users_list.diff"
+
+if [[ -f ${USERS_LIST_TODAY} ]]; then
+ mv ${USERS_LIST_TODAY} ${USERS_LIST_YESTERDAY};
+fi
+
+# check for changes in users
+if [[ ${CHECK_USERS} == yes ]]; then
+ getent passwd | cut -f 1 -d : | sort > ${USERS_LIST_TODAY}
+ if [[ -f ${USERS_LIST_YESTERDAY} ]]; then
+ if ! diff -u ${USERS_LIST_YESTERDAY} ${USERS_LIST_TODAY} > ${USERS_LIST_DIFF}; then
+ printf "\nSecurity Warning: Changes in list of users found :\n" >> ${DIFF}
+ grep '^+' ${USERS_LIST_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
+ printf "\t\t- Newly added users : ${file}\n"
+ done >> ${DIFF}
+ grep '^-' ${USERS_LIST_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
+ printf "\t\t- No longer present users : ${file}\n"
+ done >> ${DIFF}
+ fi
+ fi
+fi
+
+# check for changes in groups
+GROUPS_LIST_TODAY="/var/log/security/groups_list.today"
+GROUPS_LIST_YESTERDAY="/var/log/security/groups_list.yesterday"
+GROUPS_LIST_DIFF="/var/log/security/groups_list.diff"
+
+if [[ -f ${GROUPS_LIST_TODAY} ]]; then
+ mv ${GROUPS_LIST_TODAY} ${GROUPS_LIST_YESTERDAY};
+fi
+
+# check for changes in groups
+if [[ ${CHECK_GROUPS} == yes ]]; then
+ getent passwd | cut -f 1 -d : | sort > ${GROUPS_LIST_TODAY}
+ if [[ -f ${GROUPS_LIST_YESTERDAY} ]]; then
+ if ! diff -u ${GROUPS_LIST_YESTERDAY} ${GROUPS_LIST_TODAY} > ${GROUPS_LIST_DIFF}; then
+ printf "\nSecurity Warning: Changes in list of groups found :\n" >> ${DIFF}
+ grep '^+' ${GROUPS_LIST_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
+ printf "\t\t- Newly added groups : ${file}\n"
+ done >> ${DIFF}
+ grep '^-' ${GROUPS_LIST_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
+ printf "\t\t- No longer present groups : ${file}\n"
+ done >> ${DIFF}
+ fi
+ fi
+fi
+
### Passwd file check
if [[ ${CHECK_PASSWD} == yes ]]; then
getent passwd | awk -F: '{
diff --git a/src/msec/config.py b/src/msec/config.py
index 5646fb7..29bcedb 100644
--- a/src/msec/config.py
+++ b/src/msec/config.py
@@ -69,6 +69,8 @@ SETTINGS = {'BASE_LEVEL': ("libmsec.base_level",
'CHECK_CHKROOTKIT' : ("libmsec.check_chkrootkit", ['yes', 'no']),
'CHECK_RPM' : ("libmsec.check_rpm", ['yes', 'no']),
'CHECK_SHOSTS' : ("libmsec.check_shosts", ['yes', 'no']),
+ 'CHECK_USERS' : ("libmsec.check_users", ['yes', 'no']),
+ 'CHECK_GROUPS' : ("libmsec.check_groups", ['yes', 'no']),
# notifications
'TTY_WARN' : ("libmsec.tty_warn", ['yes', 'no']),
'MAIL_WARN' : ("libmsec.mail_warn", ['yes', 'no']),
@@ -128,6 +130,7 @@ SETTINGS_NETWORK = ["ACCEPT_BOGUS_ERROR_RESPONSES", "ACCEPT_BROADCASTED_ICMP_ECH
SETTINGS_PERIODIC = ["CHECK_PERMS", "CHECK_USER_FILES", "CHECK_SUID_ROOT", "CHECK_SUID_MD5", "CHECK_SGID",
"CHECK_WRITABLE", "CHECK_UNOWNED", "FIX_UNOWNED", "CHECK_PROMISC", "CHECK_OPEN_PORT", "CHECK_FIREWALL",
"CHECK_PASSWD", "CHECK_SHADOW", "CHECK_CHKROOTKIT", "CHECK_RPM", "CHECK_SHOSTS",
+ "CHECK_USERS", "CHECK_GROUPS",
"TTY_WARN", "SYSLOG_WARN", "MAIL_EMPTY_CONTENT",
]
diff --git a/src/msec/libmsec.py b/src/msec/libmsec.py
index 4f520ae..c22a8a6 100755
--- a/src/msec/libmsec.py
+++ b/src/msec/libmsec.py
@@ -1484,6 +1484,14 @@ class MSEC:
""" Enable checking for dangerous options in users' .rhosts/.shosts files."""
pass
+ def check_users(self, param):
+ """ Enable checking for changes in system users."""
+ pass
+
+ def check_groups(self, param):
+ """ Enable checking for changes in system groups."""
+ pass
+
def enable_sudo(self, param):
"""Allow users to authenticate with their passwords for sudo. If this parameter is set to 'wheel', users must belong to the 'wheel' group to be able to use sudo"""
pass