From 6993d7456f2e542095deec62549d467e6e9a7057 Mon Sep 17 00:00:00 2001 From: Yoann Vandoorselaere Date: Tue, 30 Nov 1999 15:47:11 +0000 Subject: Many cron security check added. Now report what it does ( msec ). --- cron-sh/file_check.sh | 284 ++++++++++++++++++++++++++++++++------------------ 1 file changed, 183 insertions(+), 101 deletions(-) (limited to 'cron-sh/file_check.sh') diff --git a/cron-sh/file_check.sh b/cron-sh/file_check.sh index 5118ebc..7886387 100755 --- a/cron-sh/file_check.sh +++ b/cron-sh/file_check.sh @@ -24,38 +24,53 @@ FILTERS="$CS_TYPES|$CS_DEVS|$CS_DIRS" DIR=`mount | grep -vE "$FILTERS" | cut -d ' ' -f3` ### -SUID_ROOT_TODAY="/var/log/security/suid_root.today" -SUID_ROOT_YESTERDAY="/var/log/security/suid_root.yesterday" -SUID_ROOT_DIFF="/var/log/security/suid_root.diff" -SUID_GROUP_TODAY="/var/log/security/suid_group.today" -SUID_GROUP_YESTERDAY="/var/log/security/suid_group.yesterday" -SUID_GROUP_DIFF="/var/log/security/suid_group.diff" +SUID_ROOT_TODAY=/var/log/security/suid_root.today +SUID_ROOT_YESTERDAY=/var/log/security/suid_root.yesterday +SUID_ROOT_DIFF=/var/log/security/suid_root.diff +SUID_GROUP_TODAY=/var/log/security/suid_group.today +SUID_GROUP_YESTERDAY=/var/log/security/suid_group.yesterday +SUID_GROUP_DIFF=/var/log/security/suid_group.diff WRITABLE_TODAY=/var/log/security/writable.today WRITABLE_YESTERDAY=/var/log/security/writable.yesterday WRITABLE_DIFF=/var/log/security/writable.diff UNOWNED_TODAY=/var/log/security/unowned.today UNOWNED_YESTERDAY=/var/log/security/unowned.yesterday UNOWNED_DIFF=/var/log/security/unowned.diff - +PASSWD_TODAY=/var/log/security/passwd.today +PASSWD_YESTERDAY=/var/log/security/passwd.yesterday +PASSWD_DIFF=/var/log/security/passwd.diff +SHADOW_TODAY=/var/log/security/shadow.today +SHADOW_YESTERDAY=/var/log/security/shadow.yesterday +SHADOW_DIFF=/var/log/security/shadow.diff +HOST_TODAY=/var/log/security/hosts.today +HOST_YESTERDAY=/var/log/security/hosts.yesterday +HOST_DIFF=/var/log/security/hosts.diff +SUID_MD5_TODAY=/var/log/security/suid_md5.today +SUID_MD5_YESTERDAY=/var/log/security/suid_md5.yesterday +SUID_MD5_DIFF=/var/log/security/suid_md5.diff +OPEN_PORT_TODAY=/var/log/security/open_port.today +OPEN_PORT_YESTERDAY=/var/log/security/open_port.yesterday +OPEN_PORT_DIFF=/var/log/security/open_port.diff if [ ! -d /var/log/security ]; then mkdir /var/log/security fi -chattr -a /var/log/security +chattr -a /var/log/security/ +chattr -a /var/log/security/* ### Functions ### Syslog() { if [ $SYS_LOG=="yes" ]; then - /sbin/initlog --string=$1 + /sbin/initlog --string="$1" fi } Ttylog() { if [ $TTY_LOG=="yes" ]; then for i in `w | grep -v "load\|TTY" | awk '{print $2}'` ; do - echo -e $1 > /dev/$i + echo -e "$1" > /dev/$i done fi } @@ -65,124 +80,191 @@ Ttylog() { ### New Suid root file detection ### if [ $CHECK_SUID_ROOT=="yes" ]; then - if [ -f $SUID_ROOT_TODAY ]; then - mv $SUID_ROOT_TODAY $SUID_ROOT_YESTERDAY - fi - - find $DIR -xdev -type f -perm +04000 -user root \ - -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" | sort > $SUID_ROOT_TODAY - - if [ -f $SUID_ROOT_YESTERDAY ]; then - if ! diff $SUID_ROOT_YESTERDAY $SUID_ROOT_TODAY > $SUID_ROOT_DIFF; then - Syslog "Change in Suid Root file found, please consult $SUID_ROOT_DIFF" - Ttylog "\\033[1;31mChange in Suid Root file found !\\033[0;39m" - Ttylog "\\033[1;31mPlease consult $SUID_ROOT_DIFF\\033[0;39m" - fi + if [ -f $SUID_ROOT_TODAY ]; then + mv $SUID_ROOT_TODAY $SUID_ROOT_YESTERDAY + fi + + find $DIR -xdev -type f -perm +04000 -user root \ + -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" | sort > $SUID_ROOT_TODAY + + if [ -f $SUID_ROOT_YESTERDAY ]; then + if ! diff $SUID_ROOT_YESTERDAY $SUID_ROOT_TODAY > $SUID_ROOT_DIFF; then + Syslog "Change in Suid Root file found, please consult $SUID_ROOT_DIFF" + Ttylog "\\033[1;31mChange in Suid Root file found !\\033[0;39m" + Ttylog "\\033[1;31mPlease consult $SUID_ROOT_DIFF\\033[0;39m" fi + fi fi ############################# ### New Suid group file detection ### if [ $CHECK_SUID_GROUP ]; then - if [ -f $SUID_GROUP_TODAY ]; then - mv $SUID_GROUP_TODAY $SUID_GROUP_YESTERDAY - fi - - find $DIR -xdev -type f -perm +02000 \ - -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" | sort > $SUID_GROUP_TODAY - - if [ -f $SUID_GROUP_YESTERDAY ]; then - if ! diff $SUID_GROUP_YESTERDAY $SUID_GROUP_TODAY > $SUID_GROUP_DIFF; then - Syslog "Change in Suid Group file found, please consult $SUID_GROUP_DIFF" - Ttylog "\\033[1;31mChange in Suid Group file found !\\033[0;39m" - Ttylog "\\033[1;31mPlease consult $SUID_GROUP_DIFF\\033[0;39m" - fi + if [ -f $SUID_GROUP_TODAY ]; then + mv $SUID_GROUP_TODAY $SUID_GROUP_YESTERDAY + fi + + find $DIR -xdev -type f -perm +02000 \ + -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" | sort > $SUID_GROUP_TODAY + + if [ -f $SUID_GROUP_YESTERDAY ]; then + if ! diff $SUID_GROUP_YESTERDAY $SUID_GROUP_TODAY > $SUID_GROUP_DIFF; then + Syslog "Change in Suid Group file found, please consult $SUID_GROUP_DIFF" + Ttylog "\\033[1;31mChange in Suid Group file found !\\033[0;39m" + Ttylog "\\033[1;31mPlease consult $SUID_GROUP_DIFF\\033[0;39m" fi + fi fi ############################# ### Writable file detection ### if [ $CHECK_WRITABLE=="yes" ]; then - if [ -f $WRITABLE_TODAY ]; then - mv $WRITABLE_TODAY $WRITABLE_YESTERDAY - fi - - find $DIR -xdev -type f -perm -2 \ - -ls -print | sort > $WRITABLE_TODAY - - if [ -f $WRITABLE_YESTERDAY ]; then - if ! diff $WRITABLE_YESTERDAY $WRITABLE_TODAY > $WRITABLE_DIFF; then - Syslog "Change in World Writable File found, please consult $WRITABLE_DIFF" - Ttylog "\\033[1;31mChange in World Writable File found !\\033[0;39m" - Ttylog "\\033[1;31mPlease consult $WRITABLE_DIFF\\033[0;39m" - fi + if [ -f $WRITABLE_TODAY ]; then + mv $WRITABLE_TODAY $WRITABLE_YESTERDAY + fi + + find $DIR -xdev -type f -perm -2 \ + -ls -print | sort > $WRITABLE_TODAY + + if [ -f $WRITABLE_YESTERDAY ]; then + if ! diff $WRITABLE_YESTERDAY $WRITABLE_TODAY > $WRITABLE_DIFF; then + Syslog "Change in World Writable File found, please consult $WRITABLE_DIFF" + Ttylog "\\033[1;31mChange in World Writable File found !\\033[0;39m" + Ttylog "\\033[1;31mPlease consult $WRITABLE_DIFF\\033[0;39m" fi + fi fi ################################# ### Search Un Owned file ### if [ $CHECK_UNOWNED=="yes" ]; then - if [ -f $UNOWNED_TODAY ]; then - mv $UNOWNED_TODAY $UNOWNED_YESTERDAY + if [ -f $UNOWNED_TODAY ]; then + mv $UNOWNED_TODAY $UNOWNED_YESTERDAY + fi + + find $DIR -xdev -nouser -o -nogroup -print \ + -ls | sort > $UNOWNED_TODAY + + if [ -f $UNOWNED_YESTERDAY ]; then + if ! diff $UNOWNED_YESTERDAY $UNOWNED_TODAY; then + Syslog "Change in Un-Owned file user/group, please consult $UNOWNED_DIFF" + Ttylog "\\033[1;31mChange in Un-Owned file user/group found !\\033[0;39m" + Ttylog "\\033[1;31mPlease consult $UNOWNED_DIFF\\033[0;39m" fi + fi +fi - find $DIR -xdev -nouser -o -nogroup -print \ - -ls | sort > $UNOWNED_TODAY +########## Md5 check for SUID root file ######### +if [ ${CHECK_SUID_MD5}=="yes" ]; then + if [ -f ${SUID_MD5_TODAY} ]; then + mv ${SUID_MD5_TODAY} ${SUID_MD5_YESTERDAY} + fi + + touch ${SUID_MD5_TODAY} + awk '{print $12}' ${SUID_ROOT_TODAY} | + while read line; do + md5sum ${line} >> ${SUID_MD5_TODAY} + done + + if [ -f ${SUID_MD5_YESTERDAY} ]; then + if ! diff ${SUID_MD5_YESTERDAY} ${SUID_MD5_TODAY} 1> ${SUID_MD5_DIFF}; then + Syslog "Warning, the md5 checksum for one of your SUID files has changed..." + Syslog "Maybe an intruder modified one of these suid binary in order to put in a backdoor..." + Syslog "Please consult ${SUID_MD5_DIFF}." + Ttylog "Warning, the md5 checksum for one of your SUID files has changed..." + Ttylog "Maybe an intruder modified one of these suid binary in order to put in a backdoor..." + Ttylog "Please consult ${SUID_MD5_DIFF}." + fi + fi +fi +################################################## + +#### Passwd check #### +if [ ${CHECK_PASSWD}=="yes" ]; then + if [ -f ${PASSWD_TODAY} ]; then + mv ${PASSWD_TODAY} ${PASSWD_YESTERDAY}; + fi + + awk -F: '{ + if ( $2 == "" ) + printf("/etc/passwd:%d: User \"%s\" has no password !\n", FNR, $1); + else if ($2 !~ /^[x*!]+$/) + printf("/etc/passwd:%d: User \"%s\" has a real password (it is not shadowed).\n", FNR, $1); + }' < /etc/passwd > ${PASSWD_TODAY} + + if [ -f ${PASSWD_YESTERDAY} ]; then + if ! diff ${PASSWD_YESTERDAY} ${PASSWD_TODAY} 1> ${PASSWD_DIFF}; then + Syslog `cat ${PASSWD_DIFF}` + Ttylog `cat ${PASSWD_DIFF}` + fi + fi +fi +###################### + +#### Shadow Check #### +if [ ${CHECK_SHADOW}=="yes" ]; then + if [ -f ${SHADOW_TODAY} ]; then + mv -f ${SHADOW_TODAY} ${SHADOW_YESTERDAY}; + fi + + awk -F: '{ + if ( $2 == "" ) + printf("/etc/shadow:%d: User \"%s\" has no password !\n", FNR, $1); + }' < /etc/shadow > ${SHADOW_TODAY} + + if [ -f ${SHADOW_YESTERDAY} ]; then + if ! diff ${SHADOW_YESTERDAY} ${SHADOW_TODAY} 1> ${SHADOW_DIFF}; then + Syslog `cat ${SHADOW_DIFF}` + Ttylog `cat ${SHADOW_DIFF}` + fi + fi +fi - if [ -f $UNOWNED_YESTERDAY ]; then - if ! diff $UNOWNED_YESTERDAY $UNOWNED_TODAY; then - Syslog "Change in Un-Owned file user/group, please consult $UNOWNED_DIFF" - Ttylog "\\033[1;31mChange in Un-Owned file user/group found !\\033[0;39m" - Ttylog "\\033[1;31mPlease consult $UNOWNED_DIFF\\033[0;39m" +#### .[sr]hosts check #### +if [ ${CHECK_RHOST}=="yes" ]; then + if [ -f ${HOST_TODAY} ]; then + mv -f ${HOST_TODAY} ${HOST_YESTERDAY}; + fi + + awk -F: '{print $1" "$6}' /etc/passwd | + while read username homedir; do + for file in .rhosts .shosts; do + if [ -s ${homedir}/${file} ] ; then + rhost=`ls -lcdg ${homedir}/${file}` + printf "${username}: ${rhost}\n" + if grep "+" ${homedir}/${file} > /dev/null ; then + printf "\tThere is a (+) character in ${file} : this is a *big* security problem \!\n" + fi fi + done + done > ${HOST_TODAY} + + if [ -f ${HOST_YESTERDAY} ]; then + if ! diff ${HOST_YESTERDAY} ${HOST_TODAY} 1> ${HOST_DIFF}; then + Syslog `cat ${HOST_DIFF}` + Ttylog `cat ${HOST_DIFF}` fi + fi fi - -chattr +a /var/log/security - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +### Network check ### +if [ ${CHECK_OPEN_PORT}=="yes" ]; then + if [ -f ${OPEN_PORT_TODAY} ]; then + mv -f ${OPEN_PORT_TODAY} ${OPEN_PORT_YESTERDAY} + fi + + netstat -pvlA inet > ${OPEN_PORT_TODAY}; + + if [ -f ${OPEN_PORT_YESTERDAY} ]; then + if ! diff ${OPEN_PORT_YESTERDAY} ${OPEN_PORT_TODAY} 1> ${OPEN_PORT_DIFF}; then + Syslog "There is a new port listening on your machine..." + Syslog "Please consult ${OPEN_PORT_DIFF} for security purpose..." + Ttylog "There is a new port listening on your machine..." + Ttylog "Please consult ${OPEN_PORT_DIFF} for security purpose..." + fi + fi +fi -- cgit v1.2.1