diff options
Diffstat (limited to 'cron-sh')
-rwxr-xr-x | cron-sh/diff_check.sh | 56 | ||||
-rwxr-xr-x | cron-sh/security.sh | 36 | ||||
-rwxr-xr-x | cron-sh/security_check.sh | 24 |
3 files changed, 85 insertions, 31 deletions
diff --git a/cron-sh/diff_check.sh b/cron-sh/diff_check.sh index 1b6f9e4..f93c754 100755 --- a/cron-sh/diff_check.sh +++ b/cron-sh/diff_check.sh @@ -55,7 +55,8 @@ fi if [[ ${CHECK_WRITEABLE} == yes ]]; then if [[ -f ${WRITEABLE_YESTERDAY} ]]; then - if ! diff -u ${WRITEABLE_YESTERDAY} ${WRITEABLE_TODAY} > ${WRITEABLE_DIFF}; then + diff -u ${WRITEABLE_YESTERDAY} ${WRITEABLE_TODAY} > ${WRITEABLE_DIFF} + if [ -s ${WRITEABLE_DIFF} ]; then printf "\nSecurity Warning: Change in World Writeable Files found :\n" >> ${TMP} grep '^+' ${WRITEABLE_DIFF} | grep -vw "^+++ " | sed 's|^.||' | while read file; do printf "\t\t- Added writables files : ${file}\n" @@ -72,7 +73,8 @@ fi if [[ ${CHECK_UNOWNED} == yes ]]; then if [[ -f ${UNOWNED_USER_YESTERDAY} ]]; then - if ! diff -u ${UNOWNED_USER_YESTERDAY} ${UNOWNED_USER_TODAY} > ${UNOWNED_USER_DIFF}; then + diff -u ${UNOWNED_USER_YESTERDAY} ${UNOWNED_USER_TODAY} > ${UNOWNED_USER_DIFF} + if [ -s ${UNOWNED_USER_DIFF} ]; then printf "\nSecurity Warning: the following files aren't owned by an user :\n" >> ${TMP} grep '^+' ${UNOWNED_USER_DIFF} | grep -vw "^+++ " | sed 's|^.||' | while read file; do printf "\t\t- Added un-owned files : ${file}\n" @@ -84,7 +86,8 @@ if [[ ${CHECK_UNOWNED} == yes ]]; then fi if [[ -f ${UNOWNED_GROUP_YESTERDAY} ]]; then - if ! diff -u ${UNOWNED_GROUP_YESTERDAY} ${UNOWNED_GROUP_TODAY} > ${UNOWNED_GROUP_DIFF}; then + diff -u ${UNOWNED_GROUP_YESTERDAY} ${UNOWNED_GROUP_TODAY} > ${UNOWNED_GROUP_DIFF} + if [ -s ${UNOWNED_GROUP_DIFF} ]; then printf "\nSecurity Warning: the following files aren't owned by a group :\n" >> ${TMP} grep '^+' ${UNOWNED_GROUP_DIFF} | grep -vw "^+++ " | sed 's|^.||' | while read file; do printf "\t\t- Added un-owned files : ${file}\n" @@ -102,7 +105,8 @@ if [[ ${CHECK_SUID_MD5} == yes ]]; then ctrl_md5=0; if [[ -f ${SUID_MD5_YESTERDAY} ]]; then - if ! diff -u ${SUID_MD5_YESTERDAY} ${SUID_MD5_TODAY} > ${SUID_MD5_DIFF}; then + diff -u ${SUID_MD5_YESTERDAY} ${SUID_MD5_TODAY} > ${SUID_MD5_DIFF} + if [ -s ${SUID_MD5_DIFF} ]; then grep '^+' ${SUID_MD5_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $2}' | while read file; do if cat ${SUID_MD5_YESTERDAY} | awk '{print $2}' | grep -qw ${file}; then if [[ ${ctrl_md5} == 0 ]]; then @@ -122,8 +126,9 @@ fi if [[ ${CHECK_OPEN_PORT} == yes ]]; then if [[ -f ${OPEN_PORT_YESTERDAY} ]]; then - if ! diff -u ${OPEN_PORT_YESTERDAY} ${OPEN_PORT_TODAY} 1> ${OPEN_PORT_DIFF}; then - printf "\nSecurity Warning: There is modifications for port listening on your machine :\n" >> ${TMP} + diff -u ${OPEN_PORT_YESTERDAY} ${OPEN_PORT_TODAY} 1> ${OPEN_PORT_DIFF} + if [ -s ${OPEN_PORT_DIFF} ]; then + printf "\nSecurity Warning: There are modifications for port listening on your machine :\n" >> ${TMP} grep '^+' ${OPEN_PORT_DIFF} | grep -vw "^+++ " | sed 's|^.||' | while read file; do printf "\t\t- Opened ports : ${file}\n" done >> ${TMP} @@ -135,26 +140,47 @@ if [[ ${CHECK_OPEN_PORT} == yes ]]; then fi +### rpm database +if [[ ${RPM_CHECK} == yes ]]; then + if [[ -f ${RPM_VA_YESTERDAY} ]]; then + diff -u ${RPM_VA_YESTERDAY} ${RPM_VA_TODAY} > ${RPM_VA_DIFF} + if [ -s ${RPM_VA_DIFF} ]; then + printf "\nSecurity Warning: These files have been modified on the system :\n" >> ${TMP} + grep '^+' ${RPM_VA_DIFF} | grep -vw "^+++ " | sed 's|^.||' | while read file; do + printf "\t\t- newly modified : ${file}\n" + done >> ${TMP} + grep '^-' ${RPM_VA_DIFF} | grep -vw "^--- " | sed 's|^.||' | while read file; do + printf "\t\t- no more modified : ${file}\n" + done >> ${TMP} + fi + fi + if [[ -f ${RPM_QA_YESTERDAY} ]]; then + diff -u ${RPM_QA_YESTERDAY} ${RPM_QA_TODAY} > ${RPM_QA_DIFF} + if [ -s ${RPM_QA_DIFF} ]; then + printf "\nSecurity Warning: These packages have changed on the system :\n" >> ${TMP} + grep '^+' ${RPM_QA_DIFF} | grep -vw "^+++ " | sed 's|^.||' | while read file; do + printf "\t\t- added package : ${file}\n" + done >> ${TMP} + grep '^-' ${RPM_QA_DIFF} | grep -vw "^--- " | sed 's|^.||' | while read file; do + printf "\t\t- removed package : ${file}\n" + done >> ${TMP} + fi + fi +fi + ######## Report ###### if [[ -s ${TMP} ]]; then Syslog ${TMP} Ttylog ${TMP} date=`date` + hostname=`hostname` echo -e "\n\n*** Diff Check, ${date} ***\n" >> ${SECURITY_LOG} cat ${TMP} >> ${SECURITY_LOG} - Maillog "*** Diff Check, ${date} ***" "${TMP}" + Maillog "*** Diff Check on ${hostname}, ${date} ***" "${TMP}" fi if [[ -f ${TMP} ]]; then rm -f ${TMP} fi - - - - - - - - diff --git a/cron-sh/security.sh b/cron-sh/security.sh index 01d3e4c..5b974a4 100755 --- a/cron-sh/security.sh +++ b/cron-sh/security.sh @@ -30,6 +30,12 @@ UNOWNED_USER_DIFF="/var/log/security/unowned_user.diff" export UNOWNED_GROUP_TODAY="/var/log/security/unowned_group.today" UNOWNED_GROUP_YESTERDAY="/var/log/security/unowned_group.yesterday" UNOWNED_GROUP_DIFF="/var/log/security/unowned_group.diff" +export RPM_VA_TODAY="/var/log/security/rpm-va.today" +RPM_VA_YESTERDAY="/var/log/security/rpm-va.yesterday" +RPM_VA_DIFF="/var/log/security/rpm-va.diff" +export RPM_QA_TODAY="/var/log/security/rpm-qa.today" +RPM_QA_YESTERDAY="/var/log/security/rpm-qa.yesterday" +RPM_QA_DIFF="/var/log/security/rpm-qa.diff" # Modified filters coming from debian security scripts. CS_NFSAFS='(nfs|afs|xfs|coda)' @@ -72,6 +78,13 @@ if [[ -f ${SUID_MD5_TODAY} ]]; then mv ${SUID_MD5_TODAY} ${SUID_MD5_YESTERDAY}; fi +if [[ -f ${RPM_VA_TODAY} ]]; then + mv -f ${RPM_VA_TODAY} ${RPM_VA_YESTERDAY} +fi + +if [[ -f ${RPM_QA_TODAY} ]]; then + mv -f ${RPM_QA_TODAY} ${RPM_QA_YESTERDAY} +fi netstat -pvlA inet 2> /dev/null > ${OPEN_PORT_TODAY}; @@ -109,6 +122,19 @@ if [[ -f ${SUID_ROOT_TODAY} ]]; then done < ${SUID_ROOT_TODAY} > ${SUID_MD5_TODAY} fi +### rpm database check + +if [[ ${RPM_CHECK} == yes ]]; then + if [ -f /var/lib/rpm/__db.001 -o -f /var/lib/rpm/__db.002 ]; then + rm -f /var/lib/rpm/__db.00* + rpm --rebuilddb + fi + + rpm -qa --qf "%{NAME}-%{VERSION}-%{RELEASE}\t%{INSTALLTIME}\n" | sort > ${RPM_QA_TODAY} + + nice --adjustment=+19 rpm -V `cut -f 1 < ${RPM_QA_TODAY} | grep -v '^dev-[0-9]'` | grep '^..5' | sed 's/...........//' | sort > ${RPM_VA_TODAY} +fi + ### Functions ### Syslog() { @@ -121,7 +147,7 @@ Syslog() { Ttylog() { if [[ ${TTY_WARN} == yes ]]; then - for i in `w | grep -v "load\|TTY" | awk '{print $2}'` ; do + for i in `w | grep -v "load\|TTY" | grep '^root' | awk '{print $2}'` ; do cat ${1} > /dev/$i done fi @@ -146,11 +172,3 @@ Maillog() { . /usr/share/msec/diff_check.sh . /usr/share/msec/security_check.sh - - - - - - - - diff --git a/cron-sh/security_check.sh b/cron-sh/security_check.sh index 5055b52..9ffc469 100755 --- a/cron-sh/security_check.sh +++ b/cron-sh/security_check.sh @@ -36,7 +36,7 @@ fi if [[ ${CHECK_UNOWNED} == yes ]]; then if [[ -s ${UNOWNED_USER_TODAY} ]]; then printf "\nSecurity Warning : User Unowned files found :\n" >> ${SECURITY} - printf "\t( theses files now have user \"nobody\" as their owner. )\n" >> ${SECURITY_LOG} + printf "\t( theses files now have user \"nobody\" as their owner. )\n" >> ${SECURITY} cat ${UNOWNED_USER_TODAY} | awk '{print "\t\t- " $0}' >> ${SECURITY} cat ${UNOWNED_USER_TODAY} | while read line; do chown nobody "${line}"; # Use quote if filename contain space. @@ -135,6 +135,8 @@ if [[ ${CHECK_PASSWD} == yes ]]; then printf("\t\t- /etc/passwd:%d: User \"%s\" has no password !\n", FNR, $1); else if ($2 !~ /^[x*!]+$/) printf("\t\t- /etc/passwd:%d: User \"%s\" has a real password (it is not shadowed).\n", FNR, $1); + else if ( $3 == 0 && $1 != "root" ) + printf("\t\t- /etc/passwd:%d: User \"%s\" has id 0 !\n", FNR, $1); }' < /etc/passwd > ${TMP} if [[ -s ${TMP} ]]; then @@ -245,17 +247,29 @@ if [[ ${CHECK_OPEN_PORT} == yes ]]; then fi +### rpm database checks +if [[ ${RPM_CHECK} == yes ]]; then + + if [[ -s ${RPM_VA_TODAY} ]]; then + printf "\nSecurity Warning: These files belonging to packages are modified on the system :\n" >> ${SECURITY} + cat ${RPM_VA_TODAY} | while read f; do + printf "\t\t- $f\n" + done >> ${SECURITY} + fi +fi + ### Report if [[ -s ${SECURITY} ]]; then Syslog ${SECURITY} Ttylog ${SECURITY} date=`date` - + hostname=`hostname` + echo -e "\n\n*** Security Check, ${date} ***\n" >> ${SECURITY_LOG} cat ${SECURITY} >> ${SECURITY_LOG} cat ${INFOS} >> ${SECURITY_LOG} - Maillog "*** Security Check, ${date} ***" "${SECURITY} ${INFOS}" + Maillog "*** Security Check on ${hostname}, ${date} ***" "${SECURITY} ${INFOS}" fi if [[ -f ${SECURITY} ]]; then @@ -269,7 +283,3 @@ fi if [[ -f ${INFOS} ]]; then rm -f ${INFOS}; fi - - - - |