Diffstat (limited to 'cron-sh')
-rwxr-xr-xcron-sh/diff_check.sh56
-rwxr-xr-xcron-sh/security.sh36
-rwxr-xr-xcron-sh/security_check.sh24
3 files changed, 85 insertions, 31 deletions
diff --git a/cron-sh/diff_check.sh b/cron-sh/diff_check.sh
index 1b6f9e4..f93c754 100755
--- a/cron-sh/diff_check.sh
+++ b/cron-sh/diff_check.sh
@@ -55,7 +55,8 @@ fi
if [[ ${CHECK_WRITEABLE} == yes ]]; then
if [[ -f ${WRITEABLE_YESTERDAY} ]]; then
- if ! diff -u ${WRITEABLE_YESTERDAY} ${WRITEABLE_TODAY} > ${WRITEABLE_DIFF}; then
+ diff -u ${WRITEABLE_YESTERDAY} ${WRITEABLE_TODAY} > ${WRITEABLE_DIFF}
+ if [ -s ${WRITEABLE_DIFF} ]; then
printf "\nSecurity Warning: Change in World Writeable Files found :\n" >> ${TMP}
grep '^+' ${WRITEABLE_DIFF} | grep -vw "^+++ " | sed 's|^.||' | while read file; do
printf "\t\t- Added writables files : ${file}\n"
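Review bot: The new `[ -s ${WRITEABLE_DIFF} ]` test cannot tell "no change" from "diff failed". When diff exits with status 2 (for example because today's list is missing or unreadable) the output file is empty and no warning is written, whereas the replaced `if ! diff …` still entered the warning branch. Capturing the status right after the call, `rc=$?`, and writing a line to ${TMP} when `rc` is greater than 1 keeps a broken comparison from looking like a clean one. The same pattern is added in the unowned-user, unowned-group, SUID MD5, open-port and rpm hunks of this file. The expansion is also unquoted inside `[ ]`, so an empty variable makes the test true; `[[ -s "${WRITEABLE_DIFF}" ]]` would match the surrounding `[[ … ]]` tests.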
@@ -72,7 +73,8 @@ fi
if [[ ${CHECK_UNOWNED} == yes ]]; then
if [[ -f ${UNOWNED_USER_YESTERDAY} ]]; then
- if ! diff -u ${UNOWNED_USER_YESTERDAY} ${UNOWNED_USER_TODAY} > ${UNOWNED_USER_DIFF}; then
+ diff -u ${UNOWNED_USER_YESTERDAY} ${UNOWNED_USER_TODAY} > ${UNOWNED_USER_DIFF}
+ if [ -s ${UNOWNED_USER_DIFF} ]; then
printf "\nSecurity Warning: the following files aren't owned by an user :\n" >> ${TMP}
grep '^+' ${UNOWNED_USER_DIFF} | grep -vw "^+++ " | sed 's|^.||' | while read file; do
printf "\t\t- Added un-owned files : ${file}\n"
@@ -84,7 +86,8 @@ if [[ ${CHECK_UNOWNED} == yes ]]; then
fi
if [[ -f ${UNOWNED_GROUP_YESTERDAY} ]]; then
- if ! diff -u ${UNOWNED_GROUP_YESTERDAY} ${UNOWNED_GROUP_TODAY} > ${UNOWNED_GROUP_DIFF}; then
+ diff -u ${UNOWNED_GROUP_YESTERDAY} ${UNOWNED_GROUP_TODAY} > ${UNOWNED_GROUP_DIFF}
+ if [ -s ${UNOWNED_GROUP_DIFF} ]; then
printf "\nSecurity Warning: the following files aren't owned by a group :\n" >> ${TMP}
grep '^+' ${UNOWNED_GROUP_DIFF} | grep -vw "^+++ " | sed 's|^.||' | while read file; do
printf "\t\t- Added un-owned files : ${file}\n"
@@ -102,7 +105,8 @@ if [[ ${CHECK_SUID_MD5} == yes ]]; then
ctrl_md5=0;
if [[ -f ${SUID_MD5_YESTERDAY} ]]; then
- if ! diff -u ${SUID_MD5_YESTERDAY} ${SUID_MD5_TODAY} > ${SUID_MD5_DIFF}; then
+ diff -u ${SUID_MD5_YESTERDAY} ${SUID_MD5_TODAY} > ${SUID_MD5_DIFF}
+ if [ -s ${SUID_MD5_DIFF} ]; then
grep '^+' ${SUID_MD5_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $2}' | while read file; do
if cat ${SUID_MD5_YESTERDAY} | awk '{print $2}' | grep -qw ${file}; then
if [[ ${ctrl_md5} == 0 ]]; then
@@ -122,8 +126,9 @@ fi
if [[ ${CHECK_OPEN_PORT} == yes ]]; then
if [[ -f ${OPEN_PORT_YESTERDAY} ]]; then
- if ! diff -u ${OPEN_PORT_YESTERDAY} ${OPEN_PORT_TODAY} 1> ${OPEN_PORT_DIFF}; then
- printf "\nSecurity Warning: There is modifications for port listening on your machine :\n" >> ${TMP}
+ diff -u ${OPEN_PORT_YESTERDAY} ${OPEN_PORT_TODAY} 1> ${OPEN_PORT_DIFF}
+ if [ -s ${OPEN_PORT_DIFF} ]; then
+ printf "\nSecurity Warning: There are modifications for port listening on your machine :\n" >> ${TMP}
grep '^+' ${OPEN_PORT_DIFF} | grep -vw "^+++ " | sed 's|^.||' | while read file; do
printf "\t\t- Opened ports : ${file}\n"
done >> ${TMP}
@@ -135,26 +140,47 @@ if [[ ${CHECK_OPEN_PORT} == yes ]]; then
fi
+### rpm database
+if [[ ${RPM_CHECK} == yes ]]; then
+ if [[ -f ${RPM_VA_YESTERDAY} ]]; then
+ diff -u ${RPM_VA_YESTERDAY} ${RPM_VA_TODAY} > ${RPM_VA_DIFF}
+ if [ -s ${RPM_VA_DIFF} ]; then
+ printf "\nSecurity Warning: These files have been modified on the system :\n" >> ${TMP}
+ grep '^+' ${RPM_VA_DIFF} | grep -vw "^+++ " | sed 's|^.||' | while read file; do
+ printf "\t\t- newly modified : ${file}\n"
+ done >> ${TMP}
+ grep '^-' ${RPM_VA_DIFF} | grep -vw "^--- " | sed 's|^.||' | while read file; do
+ printf "\t\t- no more modified : ${file}\n"
+ done >> ${TMP}
+ fi
+ fi
+ if [[ -f ${RPM_QA_YESTERDAY} ]]; then
+ diff -u ${RPM_QA_YESTERDAY} ${RPM_QA_TODAY} > ${RPM_QA_DIFF}
+ if [ -s ${RPM_QA_DIFF} ]; then
+ printf "\nSecurity Warning: These packages have changed on the system :\n" >> ${TMP}
+ grep '^+' ${RPM_QA_DIFF} | grep -vw "^+++ " | sed 's|^.||' | while read file; do
+ printf "\t\t- added package : ${file}\n"
+ done >> ${TMP}
+ grep '^-' ${RPM_QA_DIFF} | grep -vw "^--- " | sed 's|^.||' | while read file; do
+ printf "\t\t- removed package : ${file}\n"
+ done >> ${TMP}
+ fi
+ fi
+fi
+
######## Report ######
if [[ -s ${TMP} ]]; then
Syslog ${TMP}
Ttylog ${TMP}
date=`date`
+ hostname=`hostname`
echo -e "\n\n*** Diff Check, ${date} ***\n" >> ${SECURITY_LOG}
cat ${TMP} >> ${SECURITY_LOG}
- Maillog "*** Diff Check, ${date} ***" "${TMP}"
+ Maillog "*** Diff Check on ${hostname}, ${date} ***" "${TMP}"
fi
if [[ -f ${TMP} ]]; then
rm -f ${TMP}
fi
-
-
-
-
-
-
-
-
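Review bot: In the added rpm loops the value read from the diff is expanded inside the printf format string (`printf "\t\t- newly modified : ${file}\n"`), so a path or package line containing `%` or a backslash is interpreted instead of printed, and `read` without `-r` also consumes backslashes. Passing the value as an argument keeps the report faithful to what was found: `while read -r file; do printf '\t\t- newly modified : %s\n' "${file}"`. The same applies to the other three loops in this block and to `printf "\t\t- $f\n"` in the rpm block added to security_check.sh.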
diff --git a/cron-sh/security.sh b/cron-sh/security.sh
index 01d3e4c..5b974a4 100755
--- a/cron-sh/security.sh
+++ b/cron-sh/security.sh
@@ -30,6 +30,12 @@ UNOWNED_USER_DIFF="/var/log/security/unowned_user.diff"
export UNOWNED_GROUP_TODAY="/var/log/security/unowned_group.today"
UNOWNED_GROUP_YESTERDAY="/var/log/security/unowned_group.yesterday"
UNOWNED_GROUP_DIFF="/var/log/security/unowned_group.diff"
+export RPM_VA_TODAY="/var/log/security/rpm-va.today"
+RPM_VA_YESTERDAY="/var/log/security/rpm-va.yesterday"
+RPM_VA_DIFF="/var/log/security/rpm-va.diff"
+export RPM_QA_TODAY="/var/log/security/rpm-qa.today"
+RPM_QA_YESTERDAY="/var/log/security/rpm-qa.yesterday"
+RPM_QA_DIFF="/var/log/security/rpm-qa.diff"
# Modified filters coming from debian security scripts.
CS_NFSAFS='(nfs|afs|xfs|coda)'
@@ -72,6 +78,13 @@ if [[ -f ${SUID_MD5_TODAY} ]]; then
mv ${SUID_MD5_TODAY} ${SUID_MD5_YESTERDAY};
fi
+if [[ -f ${RPM_VA_TODAY} ]]; then
+ mv -f ${RPM_VA_TODAY} ${RPM_VA_YESTERDAY}
+fi
+
+if [[ -f ${RPM_QA_TODAY} ]]; then
+ mv -f ${RPM_QA_TODAY} ${RPM_QA_YESTERDAY}
+fi
netstat -pvlA inet 2> /dev/null > ${OPEN_PORT_TODAY};
@@ -109,6 +122,19 @@ if [[ -f ${SUID_ROOT_TODAY} ]]; then
done < ${SUID_ROOT_TODAY} > ${SUID_MD5_TODAY}
fi
+### rpm database check
+
+if [[ ${RPM_CHECK} == yes ]]; then
+ if [ -f /var/lib/rpm/__db.001 -o -f /var/lib/rpm/__db.002 ]; then
+ rm -f /var/lib/rpm/__db.00*
+ rpm --rebuilddb
+ fi
+
+ rpm -qa --qf "%{NAME}-%{VERSION}-%{RELEASE}\t%{INSTALLTIME}\n" | sort > ${RPM_QA_TODAY}
+
+ nice --adjustment=+19 rpm -V `cut -f 1 < ${RPM_QA_TODAY} | grep -v '^dev-[0-9]'` | grep '^..5' | sed 's/...........//' | sort > ${RPM_VA_TODAY}
+fi
+
### Functions ###
Syslog() {
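Review bot: The `grep '^..5'` filter on the `rpm -V` output keeps only lines whose digest flag is set. Packaged files whose mode, owner or group changed without a content change, and files reported as missing, never reach ${RPM_VA_TODAY} and are not reported. If that is intended, say so in a comment such as `# only content (MD5) mismatches are tracked; mode/owner/group changes are ignored`; otherwise widen the match, for example `grep -E '^(.M|..5|.....U|......G)'`. The block also deletes `/var/lib/rpm/__db.00*` and rebuilds the database whenever those files exist, with no visible check that another rpm process is running, which looks risky for an unattended nightly job.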
@@ -121,7 +147,7 @@ Syslog() {
Ttylog() {
if [[ ${TTY_WARN} == yes ]]; then
- for i in `w | grep -v "load\|TTY" | awk '{print $2}'` ; do
+ for i in `w | grep -v "load\|TTY" | grep '^root' | awk '{print $2}'` ; do
cat ${1} > /dev/$i
done
fi
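Review bot: `grep '^root'` in the added pipeline matches every login name that begins with "root", not only root, so the report would also be written to the terminals of an account such as `rootadm`. Comparing the first field exactly avoids that and removes two processes from the pipeline: `for i in $(w | awk '$1 == "root" {print $2}'); do`. The header lines that `grep -v "load\|TTY"` filters out do not have `root` as their first field, so that filter is no longer needed. Ttylog's closing brace is outside the hunk.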
@@ -146,11 +172,3 @@ Maillog() {
. /usr/share/msec/diff_check.sh
. /usr/share/msec/security_check.sh
-
-
-
-
-
-
-
-
diff --git a/cron-sh/security_check.sh b/cron-sh/security_check.sh
index 5055b52..9ffc469 100755
--- a/cron-sh/security_check.sh
+++ b/cron-sh/security_check.sh
@@ -36,7 +36,7 @@ fi
if [[ ${CHECK_UNOWNED} == yes ]]; then
if [[ -s ${UNOWNED_USER_TODAY} ]]; then
printf "\nSecurity Warning : User Unowned files found :\n" >> ${SECURITY}
- printf "\t( theses files now have user \"nobody\" as their owner. )\n" >> ${SECURITY_LOG}
+ printf "\t( theses files now have user \"nobody\" as their owner. )\n" >> ${SECURITY}
cat ${UNOWNED_USER_TODAY} | awk '{print "\t\t- " $0}' >> ${SECURITY}
cat ${UNOWNED_USER_TODAY} | while read line; do
chown nobody "${line}"; # Use quote if filename contain space.
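Review bot: The loop below the corrected line runs `chown nobody "${line}"` on every path read from ${UNOWNED_USER_TODAY}, and chown follows symbolic links by default, so if that list can contain links the ownership change lands on the link target rather than on the unowned entry. `chown -h nobody -- "${line}"` together with `while read -r line` keeps the change on the listed path and copes with names that contain backslashes or start with a dash. How the list is generated is not visible here, and the loop continues past the end of the hunk.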
@@ -135,6 +135,8 @@ if [[ ${CHECK_PASSWD} == yes ]]; then
printf("\t\t- /etc/passwd:%d: User \"%s\" has no password !\n", FNR, $1);
else if ($2 !~ /^[x*!]+$/)
printf("\t\t- /etc/passwd:%d: User \"%s\" has a real password (it is not shadowed).\n", FNR, $1);
+ else if ( $3 == 0 && $1 != "root" )
+ printf("\t\t- /etc/passwd:%d: User \"%s\" has id 0 !\n", FNR, $1);
}' < /etc/passwd > ${TMP}
if [[ -s ${TMP} ]]; then
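Review bot: The added UID 0 test is chained with `else if`, so it is evaluated only for entries that passed the two password checks. A non-root account with UID 0 and an empty or unshadowed password field is reported for the password alone and the UID 0 finding is lost. Making it an independent statement, `if ($3 == 0 && $1 != "root")` followed by the same printf, reports both conditions for such an entry. The awk program starts above the hunk, so the earlier branches are only partly visible.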
@@ -245,17 +247,29 @@ if [[ ${CHECK_OPEN_PORT} == yes ]]; then
fi
+### rpm database checks
+if [[ ${RPM_CHECK} == yes ]]; then
+
+ if [[ -s ${RPM_VA_TODAY} ]]; then
+ printf "\nSecurity Warning: These files belonging to packages are modified on the system :\n" >> ${SECURITY}
+ cat ${RPM_VA_TODAY} | while read f; do
+ printf "\t\t- $f\n"
+ done >> ${SECURITY}
+ fi
+fi
+
### Report
if [[ -s ${SECURITY} ]]; then
Syslog ${SECURITY}
Ttylog ${SECURITY}
date=`date`
-
+ hostname=`hostname`
+
echo -e "\n\n*** Security Check, ${date} ***\n" >> ${SECURITY_LOG}
cat ${SECURITY} >> ${SECURITY_LOG}
cat ${INFOS} >> ${SECURITY_LOG}
- Maillog "*** Security Check, ${date} ***" "${SECURITY} ${INFOS}"
+ Maillog "*** Security Check on ${hostname}, ${date} ***" "${SECURITY} ${INFOS}"
fi
if [[ -f ${SECURITY} ]]; then
@@ -269,7 +283,3 @@ fi
if [[ -f ${INFOS} ]]; then
rm -f ${INFOS};
fi
-
-
-
-