Diffstat (limited to 'cron-sh')
-rwxr-xr-xcron-sh/file_check.sh284
1 files changed, 183 insertions, 101 deletions
diff --git a/cron-sh/file_check.sh b/cron-sh/file_check.sh
index 5118ebc..7886387 100755
--- a/cron-sh/file_check.sh
+++ b/cron-sh/file_check.sh
@@ -24,38 +24,53 @@ FILTERS="$CS_TYPES|$CS_DEVS|$CS_DIRS"
DIR=`mount | grep -vE "$FILTERS" | cut -d ' ' -f3`
###
-SUID_ROOT_TODAY="/var/log/security/suid_root.today"
-SUID_ROOT_YESTERDAY="/var/log/security/suid_root.yesterday"
-SUID_ROOT_DIFF="/var/log/security/suid_root.diff"
-SUID_GROUP_TODAY="/var/log/security/suid_group.today"
-SUID_GROUP_YESTERDAY="/var/log/security/suid_group.yesterday"
-SUID_GROUP_DIFF="/var/log/security/suid_group.diff"
+SUID_ROOT_TODAY=/var/log/security/suid_root.today
+SUID_ROOT_YESTERDAY=/var/log/security/suid_root.yesterday
+SUID_ROOT_DIFF=/var/log/security/suid_root.diff
+SUID_GROUP_TODAY=/var/log/security/suid_group.today
+SUID_GROUP_YESTERDAY=/var/log/security/suid_group.yesterday
+SUID_GROUP_DIFF=/var/log/security/suid_group.diff
WRITABLE_TODAY=/var/log/security/writable.today
WRITABLE_YESTERDAY=/var/log/security/writable.yesterday
WRITABLE_DIFF=/var/log/security/writable.diff
UNOWNED_TODAY=/var/log/security/unowned.today
UNOWNED_YESTERDAY=/var/log/security/unowned.yesterday
UNOWNED_DIFF=/var/log/security/unowned.diff
-
+PASSWD_TODAY=/var/log/security/passwd.today
+PASSWD_YESTERDAY=/var/log/security/passwd.yesterday
+PASSWD_DIFF=/var/log/security/passwd.diff
+SHADOW_TODAY=/var/log/security/shadow.today
+SHADOW_YESTERDAY=/var/log/security/shadow.yesterday
+SHADOW_DIFF=/var/log/security/shadow.diff
+HOST_TODAY=/var/log/security/hosts.today
+HOST_YESTERDAY=/var/log/security/hosts.yesterday
+HOST_DIFF=/var/log/security/hosts.diff
+SUID_MD5_TODAY=/var/log/security/suid_md5.today
+SUID_MD5_YESTERDAY=/var/log/security/suid_md5.yesterday
+SUID_MD5_DIFF=/var/log/security/suid_md5.diff
+OPEN_PORT_TODAY=/var/log/security/open_port.today
+OPEN_PORT_YESTERDAY=/var/log/security/open_port.yesterday
+OPEN_PORT_DIFF=/var/log/security/open_port.diff
if [ ! -d /var/log/security ]; then
mkdir /var/log/security
fi
-chattr -a /var/log/security
+chattr -a /var/log/security/
+chattr -a /var/log/security/*
### Functions ###
Syslog() {
if [ $SYS_LOG=="yes" ]; then
- /sbin/initlog --string=$1
+ /sbin/initlog --string="$1"
fi
}
Ttylog() {
if [ $TTY_LOG=="yes" ]; then
for i in `w | grep -v "load\|TTY" | awk '{print $2}'` ; do
- echo -e $1 > /dev/$i
+ echo -e "$1" > /dev/$i
done
fi
}
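Review bot: The append-only attribute stripped by the new `chattr -a /var/log/security/` and `chattr -a /var/log/security/*` lines is never restored: the `chattr +a /var/log/security` the old file ran at the end is deleted in the second hunk and nothing replaces it, so after the first run the baseline (`*.yesterday`) and diff files lose the tamper-resistance the attribute gave them, and a silently edited baseline would suppress the next day's alert. Re-applying it once all checks have finished, `chattr +a /var/log/security/ /var/log/security/*`, keeps the previous protection. When the directory has just been created the unquoted glob `/var/log/security/*` matches nothing and is passed to chattr literally, which only produces a spurious error on the first run; guarding it with a file-existence test avoids the noise. In `Ttylog`, `$i` comes from parsing `w` output and is still unquoted in `> /dev/$i`; `> "/dev/$i"` is the safer form now that `$1` is quoted.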
@@ -65,124 +80,191 @@ Ttylog() {
### New Suid root file detection ###
if [ $CHECK_SUID_ROOT=="yes" ]; then
- if [ -f $SUID_ROOT_TODAY ]; then
- mv $SUID_ROOT_TODAY $SUID_ROOT_YESTERDAY
- fi
-
- find $DIR -xdev -type f -perm +04000 -user root \
- -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" | sort > $SUID_ROOT_TODAY
-
- if [ -f $SUID_ROOT_YESTERDAY ]; then
- if ! diff $SUID_ROOT_YESTERDAY $SUID_ROOT_TODAY > $SUID_ROOT_DIFF; then
- Syslog "Change in Suid Root file found, please consult $SUID_ROOT_DIFF"
- Ttylog "\\033[1;31mChange in Suid Root file found !\\033[0;39m"
- Ttylog "\\033[1;31mPlease consult $SUID_ROOT_DIFF\\033[0;39m"
- fi
+ if [ -f $SUID_ROOT_TODAY ]; then
+ mv $SUID_ROOT_TODAY $SUID_ROOT_YESTERDAY
+ fi
+
+ find $DIR -xdev -type f -perm +04000 -user root \
+ -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" | sort > $SUID_ROOT_TODAY
+
+ if [ -f $SUID_ROOT_YESTERDAY ]; then
+ if ! diff $SUID_ROOT_YESTERDAY $SUID_ROOT_TODAY > $SUID_ROOT_DIFF; then
+ Syslog "Change in Suid Root file found, please consult $SUID_ROOT_DIFF"
+ Ttylog "\\033[1;31mChange in Suid Root file found !\\033[0;39m"
+ Ttylog "\\033[1;31mPlease consult $SUID_ROOT_DIFF\\033[0;39m"
fi
+ fi
fi
#############################
### New Suid group file detection ###
if [ $CHECK_SUID_GROUP ]; then
- if [ -f $SUID_GROUP_TODAY ]; then
- mv $SUID_GROUP_TODAY $SUID_GROUP_YESTERDAY
- fi
-
- find $DIR -xdev -type f -perm +02000 \
- -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" | sort > $SUID_GROUP_TODAY
-
- if [ -f $SUID_GROUP_YESTERDAY ]; then
- if ! diff $SUID_GROUP_YESTERDAY $SUID_GROUP_TODAY > $SUID_GROUP_DIFF; then
- Syslog "Change in Suid Group file found, please consult $SUID_GROUP_DIFF"
- Ttylog "\\033[1;31mChange in Suid Group file found !\\033[0;39m"
- Ttylog "\\033[1;31mPlease consult $SUID_GROUP_DIFF\\033[0;39m"
- fi
+ if [ -f $SUID_GROUP_TODAY ]; then
+ mv $SUID_GROUP_TODAY $SUID_GROUP_YESTERDAY
+ fi
+
+ find $DIR -xdev -type f -perm +02000 \
+ -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" | sort > $SUID_GROUP_TODAY
+
+ if [ -f $SUID_GROUP_YESTERDAY ]; then
+ if ! diff $SUID_GROUP_YESTERDAY $SUID_GROUP_TODAY > $SUID_GROUP_DIFF; then
+ Syslog "Change in Suid Group file found, please consult $SUID_GROUP_DIFF"
+ Ttylog "\\033[1;31mChange in Suid Group file found !\\033[0;39m"
+ Ttylog "\\033[1;31mPlease consult $SUID_GROUP_DIFF\\033[0;39m"
fi
+ fi
fi
#############################
### Writable file detection ###
if [ $CHECK_WRITABLE=="yes" ]; then
- if [ -f $WRITABLE_TODAY ]; then
- mv $WRITABLE_TODAY $WRITABLE_YESTERDAY
- fi
-
- find $DIR -xdev -type f -perm -2 \
- -ls -print | sort > $WRITABLE_TODAY
-
- if [ -f $WRITABLE_YESTERDAY ]; then
- if ! diff $WRITABLE_YESTERDAY $WRITABLE_TODAY > $WRITABLE_DIFF; then
- Syslog "Change in World Writable File found, please consult $WRITABLE_DIFF"
- Ttylog "\\033[1;31mChange in World Writable File found !\\033[0;39m"
- Ttylog "\\033[1;31mPlease consult $WRITABLE_DIFF\\033[0;39m"
- fi
+ if [ -f $WRITABLE_TODAY ]; then
+ mv $WRITABLE_TODAY $WRITABLE_YESTERDAY
+ fi
+
+ find $DIR -xdev -type f -perm -2 \
+ -ls -print | sort > $WRITABLE_TODAY
+
+ if [ -f $WRITABLE_YESTERDAY ]; then
+ if ! diff $WRITABLE_YESTERDAY $WRITABLE_TODAY > $WRITABLE_DIFF; then
+ Syslog "Change in World Writable File found, please consult $WRITABLE_DIFF"
+ Ttylog "\\033[1;31mChange in World Writable File found !\\033[0;39m"
+ Ttylog "\\033[1;31mPlease consult $WRITABLE_DIFF\\033[0;39m"
fi
+ fi
fi
#################################
### Search Un Owned file ###
if [ $CHECK_UNOWNED=="yes" ]; then
- if [ -f $UNOWNED_TODAY ]; then
- mv $UNOWNED_TODAY $UNOWNED_YESTERDAY
+ if [ -f $UNOWNED_TODAY ]; then
+ mv $UNOWNED_TODAY $UNOWNED_YESTERDAY
+ fi
+
+ find $DIR -xdev -nouser -o -nogroup -print \
+ -ls | sort > $UNOWNED_TODAY
+
+ if [ -f $UNOWNED_YESTERDAY ]; then
+ if ! diff $UNOWNED_YESTERDAY $UNOWNED_TODAY; then
+ Syslog "Change in Un-Owned file user/group, please consult $UNOWNED_DIFF"
+ Ttylog "\\033[1;31mChange in Un-Owned file user/group found !\\033[0;39m"
+ Ttylog "\\033[1;31mPlease consult $UNOWNED_DIFF\\033[0;39m"
fi
+ fi
+fi
- find $DIR -xdev -nouser -o -nogroup -print \
- -ls | sort > $UNOWNED_TODAY
+########## Md5 check for SUID root file #########
+if [ ${CHECK_SUID_MD5}=="yes" ]; then
+ if [ -f ${SUID_MD5_TODAY} ]; then
+ mv ${SUID_MD5_TODAY} ${SUID_MD5_YESTERDAY}
+ fi
+
+ touch ${SUID_MD5_TODAY}
+ awk '{print $12}' ${SUID_ROOT_TODAY} |
+ while read line; do
+ md5sum ${line} >> ${SUID_MD5_TODAY}
+ done
+
+ if [ -f ${SUID_MD5_YESTERDAY} ]; then
+ if ! diff ${SUID_MD5_YESTERDAY} ${SUID_MD5_TODAY} 1> ${SUID_MD5_DIFF}; then
+ Syslog "Warning, the md5 checksum for one of your SUID files has changed..."
+ Syslog "Maybe an intruder modified one of these suid binary in order to put in a backdoor..."
+ Syslog "Please consult ${SUID_MD5_DIFF}."
+ Ttylog "Warning, the md5 checksum for one of your SUID files has changed..."
+ Ttylog "Maybe an intruder modified one of these suid binary in order to put in a backdoor..."
+ Ttylog "Please consult ${SUID_MD5_DIFF}."
+ fi
+ fi
+fi
+##################################################
+
+#### Passwd check ####
+if [ ${CHECK_PASSWD}=="yes" ]; then
+ if [ -f ${PASSWD_TODAY} ]; then
+ mv ${PASSWD_TODAY} ${PASSWD_YESTERDAY};
+ fi
+
+ awk -F: '{
+ if ( $2 == "" )
+ printf("/etc/passwd:%d: User \"%s\" has no password !\n", FNR, $1);
+ else if ($2 !~ /^[x*!]+$/)
+ printf("/etc/passwd:%d: User \"%s\" has a real password (it is not shadowed).\n", FNR, $1);
+ }' < /etc/passwd > ${PASSWD_TODAY}
+
+ if [ -f ${PASSWD_YESTERDAY} ]; then
+ if ! diff ${PASSWD_YESTERDAY} ${PASSWD_TODAY} 1> ${PASSWD_DIFF}; then
+ Syslog `cat ${PASSWD_DIFF}`
+ Ttylog `cat ${PASSWD_DIFF}`
+ fi
+ fi
+fi
+######################
+
+#### Shadow Check ####
+if [ ${CHECK_SHADOW}=="yes" ]; then
+ if [ -f ${SHADOW_TODAY} ]; then
+ mv -f ${SHADOW_TODAY} ${SHADOW_YESTERDAY};
+ fi
+
+ awk -F: '{
+ if ( $2 == "" )
+ printf("/etc/shadow:%d: User \"%s\" has no password !\n", FNR, $1);
+ }' < /etc/shadow > ${SHADOW_TODAY}
+
+ if [ -f ${SHADOW_YESTERDAY} ]; then
+ if ! diff ${SHADOW_YESTERDAY} ${SHADOW_TODAY} 1> ${SHADOW_DIFF}; then
+ Syslog `cat ${SHADOW_DIFF}`
+ Ttylog `cat ${SHADOW_DIFF}`
+ fi
+ fi
+fi
- if [ -f $UNOWNED_YESTERDAY ]; then
- if ! diff $UNOWNED_YESTERDAY $UNOWNED_TODAY; then
- Syslog "Change in Un-Owned file user/group, please consult $UNOWNED_DIFF"
- Ttylog "\\033[1;31mChange in Un-Owned file user/group found !\\033[0;39m"
- Ttylog "\\033[1;31mPlease consult $UNOWNED_DIFF\\033[0;39m"
+#### .[sr]hosts check ####
+if [ ${CHECK_RHOST}=="yes" ]; then
+ if [ -f ${HOST_TODAY} ]; then
+ mv -f ${HOST_TODAY} ${HOST_YESTERDAY};
+ fi
+
+ awk -F: '{print $1" "$6}' /etc/passwd |
+ while read username homedir; do
+ for file in .rhosts .shosts; do
+ if [ -s ${homedir}/${file} ] ; then
+ rhost=`ls -lcdg ${homedir}/${file}`
+ printf "${username}: ${rhost}\n"
+ if grep "+" ${homedir}/${file} > /dev/null ; then
+ printf "\tThere is a (+) character in ${file} : this is a *big* security problem \!\n"
+ fi
fi
+ done
+ done > ${HOST_TODAY}
+
+ if [ -f ${HOST_YESTERDAY} ]; then
+ if ! diff ${HOST_YESTERDAY} ${HOST_TODAY} 1> ${HOST_DIFF}; then
+ Syslog `cat ${HOST_DIFF}`
+ Ttylog `cat ${HOST_DIFF}`
fi
+ fi
fi
-
-chattr +a /var/log/security
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+### Network check ###
+if [ ${CHECK_OPEN_PORT}=="yes" ]; then
+ if [ -f ${OPEN_PORT_TODAY} ]; then
+ mv -f ${OPEN_PORT_TODAY} ${OPEN_PORT_YESTERDAY}
+ fi
+
+ netstat -pvlA inet > ${OPEN_PORT_TODAY};
+
+ if [ -f ${OPEN_PORT_YESTERDAY} ]; then
+ if ! diff ${OPEN_PORT_YESTERDAY} ${OPEN_PORT_TODAY} 1> ${OPEN_PORT_DIFF}; then
+ Syslog "There is a new port listening on your machine..."
+ Syslog "Please consult ${OPEN_PORT_DIFF} for security purpose..."
+ Ttylog "There is a new port listening on your machine..."
+ Ttylog "Please consult ${OPEN_PORT_DIFF} for security purpose..."
+ fi
+ fi
+fi
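Review bot: The new guards such as `if [ ${CHECK_SUID_MD5}=="yes" ]; then` (repeated for the passwd, shadow, rhosts and open-port checks) have no spaces around `==`, so `[` receives a single non-empty word like `no==yes` and the test is always true; every new check runs regardless of its configuration variable, and they should read `if [ "${CHECK_SUID_MD5}" = "yes" ]; then` (the older `CHECK_SUID_ROOT`, `CHECK_WRITABLE` and `CHECK_UNOWNED` tests share the flaw, and `[ $CHECK_SUID_GROUP ]` is true for `no` as well). In the passwd, shadow and rhosts blocks the `cat ${PASSWD_DIFF}` substitution handed to `Syslog` and `Ttylog` is unquoted, so word splitting leaves `$1` holding only the first word of the diff; `Syslog "$(cat "${PASSWD_DIFF}")"` preserves the whole message. The rhosts loop uses data as a printf format in `printf "${username}: ${rhost}\n"`, so a `%` in a home-directory path or in the `ls` output is interpreted; `printf '%s: %s\n' "${username}" "${rhost}"` avoids that. The unowned check still runs `diff $UNOWNED_YESTERDAY $UNOWNED_TODAY` without redirecting to `$UNOWNED_DIFF`, so the file the alert tells the administrator to consult is never written. The md5 loop relies on `awk '{print $12}'` to pick the path out of the `-printf` line and then runs `md5sum ${line}` unquoted, which mis-parses any SUID path containing whitespace; reading the path from a dedicated `find ... -printf '%p\n'` pass and quoting `"$line"` would be more robust.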