From ccfa055b51d33154c8106da75a78aa183f135f1a Mon Sep 17 00:00:00 2001
From: Frederic Lepied
Date: Mon, 21 Feb 2005 13:34:06 +0000
Subject: filter home dir too (Guillaume Rousse, bug #12335)
---
 cron-sh/security.sh | 3 +++
 cron-sh/security_check.sh | 41 +++++++++++++++++++++++++----------------
 2 files changed, 28 insertions(+), 16 deletions(-)
diff --git a/cron-sh/security.sh b/cron-sh/security.sh
index 4aee135..1da3ef0 100755
--- a/cron-sh/security.sh
+++ b/cron-sh/security.sh
@@ -69,6 +69,7 @@ RPM_QA_YESTERDAY="/var/log/security/rpm-qa.yesterday"
 RPM_QA_DIFF="/var/log/security/rpm-qa.diff"
 export CHKROOTKIT_TODAY="/var/log/security/chkrootkit.today"
 CHKROOTKIT_YESTERDAY="/var/log/security/chkrootkit.yesterday"
+export EXCLUDE_REGEXP
 # Modified filters coming from debian security scripts.
 CS_NFSAFS='(nfs|afs|coda)'
@@ -78,6 +79,8 @@ CS_DIRS='on /mnt'
 FILTERS="$CS_TYPES|$CS_DEVS|$CS_DIRS"
 DIR=`mount | grep -vE "$FILTERS" | cut -d ' ' -f3`
 PRINT="%h/%f\n"
+EXCLUDEDIR=`mount | grep -E "$FILTERS" | cut -d ' ' -f3`
+export EXCLUDEDIR
 if [[ ! -d /var/log/security ]]; then
 mkdir /var/log/security
diff --git a/cron-sh/security_check.sh b/cron-sh/security_check.sh
index b97b551..faadc53 100755
--- a/cron-sh/security_check.sh
+++ b/cron-sh/security_check.sh
@@ -23,6 +23,7 @@ INFOS=`mktemp /tmp/secure.XXXXXX`
 SECURITY=`mktemp /tmp/secure.XXXXXX`
 SECURITY_LOG="/var/log/security.log"
 TMP=`mktemp /tmp/secure.XXXXXX`
+FILTER="\(`echo $EXCLUDEDIR | sed -e 's/ /\\\|/g'`\)"
 if [[ ! -d /var/log/security ]]; then
 mkdir /var/log/security
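Review bot: The new `EXCLUDEDIR=` line in the second security.sh hunk feeds a space-separated list into security_check.sh, where it is turned into a regexp, so a mount point containing a space is cut short by `cut -d ' ' -f3` and a `.` or other regexp metacharacter in a path matches more than the literal name; the DIR line just above has the same `mount | cut` assumption, so this is an existing limitation now relied on by a second consumer in another file. A short comment would save the next reader the cross-file lookup, e.g. `# mount points matching FILTERS; security_check.sh skips home directories below them`. If `mount` prints nothing matching, EXCLUDEDIR is exported empty, which the consumer has to cope with.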
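Review bot: In the security_check.sh hunk, `expr $homedir : $FILTER` (used in the later hunks) anchors the match only at the start of the string, so an excluded mount point `/mnt/data` also excludes a home directory `/mnt/data2`; appending a path-boundary group to the new FILTER, `\(/\|\$\)` directly after the closing `\)`, limits the match to the mount point itself or paths below it. Mount point names are not regexp-escaped either, so a `.` in a path stands for any character — that only widens the exclusion, but it deserves a comment. When EXCLUDEDIR is empty or unset (security_check.sh started without security.sh), FILTER becomes `\(\)`, expr prints an empty string and exits 1, so no home is skipped; that is the safe direction, but it rests on expr's null-result exit status and should be recorded beside the assignment: `# empty EXCLUDEDIR -> \(\): expr exits 1, nothing is filtered`.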
@@ -63,12 +64,14 @@ list=".netrc .rhosts .shosts .Xauthority .gnupg/secring.gpg \
 .pgp/secring.pgp .ssh/identity .ssh/id_dsa .ssh/id_rsa .ssh/random_seed"
 getent passwd | awk -F: '/^[^+-]/ { print $1 " " $3 " " $6 }' | while read username uid homedir; do
- for f in ${list} ; do
- file="${homedir}/${f}"
- if [[ -f ${file} ]] ; then
- printf "${uid} ${username} ${file} `ls -LldcGn ${file}`\n"
- fi
- done
+ if ! expr $homedir : $FILTER > /dev/null; then
+ for f in ${list} ; do
+ file="${homedir}/${f}"
+ if [[ -f ${file} ]] ; then
+ printf "${uid} ${username} ${file} `ls -LldcGn ${file}`\n"
+ fi
+ done
+ fi
 done | awk '$1 != $6 && $6 != "0" \
 { print "\t\t- " $3 " : file is owned by uid " $6 "." }
 $4 ~ /^-...r/ \
@@ -92,12 +95,14 @@ list=".bashrc .bash_profile .bash_login .bash_logout .cshrc .emacs .exrc \
 .ssh/known_hosts .ssh/rc .twmrc .xsession .xinitrc .Xdefaults"
 getent passwd | awk -F: '/^[^+-]/ { print $1 " " $3 " " $6 }' | \
 while read username uid homedir; do
+ if ! expr $homedir : $FILTER > /dev/null; then
 for f in ${list} ; do
 file=${homedir}/${f}
 if [[ -f ${file} ]] ; then
 printf "${uid} ${username} ${file} `ls -LldcGn ${file}`\n"
 fi
 done
+ fi
 done | awk '$1 != $6 && $6 != "0" \
 { print "\t\t- " $3 " : file is owned by uid " $6 "." }
 $4 ~ /^.....w/ \
@@ -113,12 +118,14 @@ fi
 ### Check home directories. Directories should not be owned by someone else or writable.
 getent passwd | awk -F: '/^[^+-]/ { print $1 " " $3 " " $6 }' | \
 while read username uid homedir; do
+ if ! expr $homedir : $FILTER > /dev/null; then
 if [[ -d ${homedir} ]] ; then
 realuid=`ls -LldGn ${homedir}| awk '{ print $3 }'`
 realuser=`ls -LldG ${homedir}| awk '{ print $3 }'`
 permissions=`ls -LldG ${homedir}| awk '{ print $1 }'`
 printf "${permissions} ${username} (${uid}) ${realuser} (${realuid})\n"
 fi
+ fi
 done | awk '$3 != $5 && $5 != "(0)" \
 { print "user=" $2 $3 " : home directory is owned by " $4 $5 "." }
 $1 ~ /^d....w/ && $2 != "lp" && $2 != "mail" \
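Review bot: `$homedir` and `$FILTER` are unquoted in the new `if ! expr $homedir : $FILTER > /dev/null` of the first hunk, so a passwd entry whose home field is empty or contains whitespace hands expr the wrong number of operands; expr then reports a syntax error on stderr and exits 2, which `!` turns into "not excluded" — the user is still checked, so this fails open, but the error text ends up in the script's output. `if ! expr "$homedir" : "$FILTER" > /dev/null; then` avoids that. The same line recurs in the three following hunks (`.bashrc` list, home directories, `.rhosts`/`.shosts`), so a helper defined next to FILTER, `excluded_home() { expr "$1" : "$FILTER" > /dev/null; }`, would keep the four call sites identical and give the check a name.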
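Review bot: In the second hunk (`.bashrc` list) the new `if`/`fi` lines wrap the `for` loop as unchanged context, so the loop body keeps its previous indentation, one level shallower than in the first hunk where the same loop was re-emitted inside the `if`; the third hunk (home directories) is built the same way. Indentation is not visible in this rendering, so this is inferred from which lines are context and which are added; if it holds, re-indenting the two wrapped bodies, or leaving the first hunk's body at its old level as well, would make the four filtered loops read alike.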
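Review bot: The third hunk makes the home-directory ownership and world-writable check silently skip every home below an excluded mount: the loop emits no line for such users, and the awk report after `done` therefore says nothing about them. If that is the intent of bug #12335, a comment above the new `if` should record it, e.g. `# homes on excluded mounts (EXCLUDEDIR in security.sh) are not checked and do not appear in the report`. The two nested tests can also be one, `if [[ -d ${homedir} ]] && ! expr $homedir : $FILTER > /dev/null; then`, which drops the extra `fi` and leaves the body's indentation untouched.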
@@ -206,16 +213,18 @@ done > ${TMP}
 getent passwd | awk -F: '{print $1" "$6}' | while read username homedir; do
- for file in .rhosts .shosts; do
- if [[ -s ${homedir}/${file} ]] ; then
- awk '{
- if ($0 ~ /^\+@.*$/)
- next;
- if ($0 ~ /^\+.*$/)
- printf("\t\t- %s: %s\n", FILENAME, $0);
- }' ${homedir}/${file}
- fi
- done >> ${TMP}
+ if ! expr $homedir : $FILTER > /dev/null; then
+ for file in .rhosts .shosts; do
+ if [[ -s ${homedir}/${file} ]] ; then
+ awk '{
+ if ($0 ~ /^\+@.*$/)
+ next;
+ if ($0 ~ /^\+.*$/)
+ printf("\t\t- %s: %s\n", FILENAME, $0);
+ }' ${homedir}/${file}
+ fi
+ done >> ${TMP}
+ fi
 done
 if [[ -s ${TMP} ]]; then
-- 
cgit v1.2.1
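Review bot: Filtering excluded homes in this hunk also drops the scan for `+` entries in `.rhosts`/`.shosts`, and unlike the ownership checks above this one concerns access to the local host: if rshd or rlogind runs here and the excluded home is mounted here, a `+` in that file still applies to this machine even though the file lives on another server. Whether that trade-off is intended cannot be read from the diff; either leave this loop unfiltered or state the reason in a comment above the new `if`, e.g. `# homes on nfs/afs and other excluded mounts are not scanned for + entries; see EXCLUDEDIR in security.sh`. The `while` loop is complete within the hunk, but the `if [[ -s ${TMP} ]]` that consumes its output continues past it.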