From 74055382de3e44e81bf084d08883e7a9e5b90b04 Mon Sep 17 00:00:00 2001 From: Yoann Vandoorselaere Date: Mon, 6 Dec 1999 18:11:39 +0000 Subject: *** empty log message *** --- cron-sh/file_check.sh | 416 +++++++++++++++------------------------------- cron-sh/security_check.sh | 279 +++++++++++++++++++++++++++++++ 2 files changed, 409 insertions(+), 286 deletions(-) create mode 100755 cron-sh/security_check.sh (limited to 'cron-sh') diff --git a/cron-sh/file_check.sh b/cron-sh/file_check.sh index f91dce3..60a87e5 100755 --- a/cron-sh/file_check.sh +++ b/cron-sh/file_check.sh @@ -15,8 +15,6 @@ if [ SECURITY_CHECK == "no" ]; then exit 0 fi -OUT=./blah - # Modified filters coming from debian security scripts. CS_NFSAFS='(nfs|afs|xfs|coda)' CS_TYPES=' type (devpts|auto|proc|msdos|fat|vfat|iso9660|ncpfs|smbfs|'$CS_NFSAFS')' 
@@ -26,47 +24,45 @@ FILTERS="$CS_TYPES|$CS_DEVS|$CS_DIRS" DIR=`mount | grep -vE "$FILTERS" | cut -d ' ' -f3` ### -SUID_ROOT_TODAY=/var/log/security/suid_root.today -SUID_ROOT_YESTERDAY=/var/log/security/suid_root.yesterday -SUID_ROOT_DIFF=/var/log/security/suid_root.diff -SUID_GROUP_TODAY=/var/log/security/suid_group.today -SUID_GROUP_YESTERDAY=/var/log/security/suid_group.yesterday -SUID_GROUP_DIFF=/var/log/security/suid_group.diff -WRITABLE_TODAY=/var/log/security/writable.today -WRITABLE_YESTERDAY=/var/log/security/writable.yesterday -WRITABLE_DIFF=/var/log/security/writable.diff -UNOWNED_TODAY=/var/log/security/unowned.today -UNOWNED_YESTERDAY=/var/log/security/unowned.yesterday -UNOWNED_DIFF=/var/log/security/unowned.diff -PASSWD_TODAY=/var/log/security/passwd.today -PASSWD_YESTERDAY=/var/log/security/passwd.yesterday -PASSWD_DIFF=/var/log/security/passwd.diff -SHADOW_TODAY=/var/log/security/shadow.today -SHADOW_YESTERDAY=/var/log/security/shadow.yesterday -SHADOW_DIFF=/var/log/security/shadow.diff -HOST_TODAY=/var/log/security/hosts.today -HOST_YESTERDAY=/var/log/security/hosts.yesterday -HOST_DIFF=/var/log/security/hosts.diff -SUID_MD5_TODAY=/var/log/security/suid_md5.today -SUID_MD5_YESTERDAY=/var/log/security/suid_md5.yesterday -SUID_MD5_DIFF=/var/log/security/suid_md5.diff -OPEN_PORT_TODAY=/var/log/security/open_port.today -OPEN_PORT_YESTERDAY=/var/log/security/open_port.yesterday -OPEN_PORT_DIFF=/var/log/security/open_port.diff +SUID_ROOT_TODAY="/var/log/security/suid_root.today" +SUID_ROOT_YESTERDAY="/var/log/security/suid_root.yesterday" +SUID_ROOT_DIFF="/var/log/security/suid_root.diff" +SUID_GROUP_TODAY="/var/log/security/suid_group.today" +SUID_GROUP_YESTERDAY="/var/log/security/suid_group.yesterday" +SUID_GROUP_DIFF="/var/log/security/suid_group.diff" +SUID_MD5_TODAY="/var/log/security/suid_md5.today" +SUID_MD5_YESTERDAY="/var/log/security/suid_md5.yesterday" +SUID_MD5_DIFF="/var/log/security/suid_md5.diff" 
+OPEN_PORT_TODAY="/var/log/security/open_port.today" +OPEN_PORT_YESTERDAY="/var/log/security/open_port.yesterday" +OPEN_PORT_DIFF="/var/log/security/open_port.diff" +WRITEABLE_TODAY="/var/log/security/writeable.today" +WRITEABLE_YESTERDAY="/var/log/security/writeable.yesterday" +WRITEABLE_DIFF="/var/log/security/writeable.diff" +UNOWNED_TODAY="/var/log/security/unowned.today" +UNOWNED_YESTERDAY="/var/log/security/unowned.yesterday" +UNOWNED_DIFF="/var/log/security/unowned.diff" + +SECURITY_LOG="/var/log/security.log" +TMP="/tmp/secure.tmp" if [ ! -d /var/log/security ]; then mkdir /var/log/security fi -chattr -a /var/log/security/ -chattr -a /var/log/security/* +chattr -a /var/log/security/ >& /dev/null +chattr -a /var/log/security/* >& /dev/null + +rm -f ${TMP} ${SECURITY_TMP} >& /dev/null ### Functions ### Syslog() { - if [ $SYS_LOG=="yes" ]; then - /sbin/initlog --string="$1" - fi + if [ $SYS_LOG=="yes" ]; then + cat ${1} | while read line; do + /sbin/initlog --string="${line}" + done + fi } Ttylog() { 
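Review bot: `TMP="/tmp/secure.tmp"` is a fixed, predictable name in a world-writable directory, and the script (run from cron, presumably as root since it runs find over every mount and chattr) later appends to it with `>>` and removes it with `rm -f`, so a pre-planted file or symlink at that path would be followed. Create it with `TMP=$(mktemp /var/log/security/secure.XXXXXX)` or otherwise keep it under `/var/log/security`, which the script already creates; the same applies to `SECURITY_LOG="/tmp/secure.log"` and `TMP` in the new security_check.sh further down. The cleanup line `rm -f ${TMP} ${SECURITY_TMP}` names `SECURITY_TMP`, which is not assigned anywhere in the file as shown; if `SECURITY_LOG` was meant it would wipe the persistent log, so the second name should probably just be dropped. In `Syslog`, `[ $SYS_LOG=="yes" ]` is a single non-empty word and is always true; it needs `[ "$SYS_LOG" = "yes" ]`, and `read line` should be `read -r line` so backslashes in logged paths survive.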
@@ -80,84 +76,110 @@ Ttylog() { ################## -### New Suid root file detection ### -if [ $CHECK_SUID_ROOT=="yes" ]; then - if [ -f $SUID_ROOT_TODAY ]; then - mv $SUID_ROOT_TODAY $SUID_ROOT_YESTERDAY +### New Suid root files detection +if [ ${CHECK_SUID_ROOT}=="yes" ]; then + + if [ -f ${SUID_ROOT_TODAY} ]; then + mv ${SUID_ROOT_TODAY} ${SUID_ROOT_YESTERDAY} fi - find $DIR -xdev -type f -perm +04000 -user root \ - -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" | sort > $SUID_ROOT_TODAY + find ${DIR} -xdev -type f -perm +04000 -user root \ + -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" | sort > ${SUID_ROOT_TODAY} - if [ -f $SUID_ROOT_YESTERDAY ]; then - if ! diff $SUID_ROOT_YESTERDAY $SUID_ROOT_TODAY > $SUID_ROOT_DIFF; then - Syslog "Change in Suid Root file found, please consult $SUID_ROOT_DIFF" - Ttylog "\\033[1;31mChange in Suid Root file found !\\033[0;39m" - Ttylog "\\033[1;31mPlease consult $SUID_ROOT_DIFF\\033[0;39m" + if [ -f ${SUID_ROOT_YESTERDAY} ]; then + if ! diff -u ${SUID_ROOT_YESTERDAY} ${SUID_ROOT_TODAY} > ${SUID_ROOT_DIFF}; then + printf "\nSecurity Warning: Change in Suid Root files found :\n" >> ${TMP} + grep '^+' ${SUID_ROOT_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do + printf "\t\t- Added suid root files : ${file}.\n" >> ${TMP} + done + grep '^-' ${SUID_ROOT_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do + printf "\t\t- Removed suid root files : ${file}.\n" >> ${TMP} + done fi fi fi -############################# - -### New Suid group file detection ### -if [ $CHECK_SUID_GROUP ]; then - if [ -f $SUID_GROUP_TODAY ]; then - mv $SUID_GROUP_TODAY $SUID_GROUP_YESTERDAY +### New Suid group files detection +if [ ${CHECK_SUID_GROUP} ]; then + if [ -f ${SUID_GROUP_TODAY} ]; then + mv ${SUID_GROUP_TODAY} ${SUID_GROUP_YESTERDAY} fi - find $DIR -xdev -type f -perm +02000 \ - -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" | sort > $SUID_GROUP_TODAY + find ${DIR} -xdev -type 
f -perm +02000 \ + -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" | sort > ${SUID_GROUP_TODAY} - if [ -f $SUID_GROUP_YESTERDAY ]; then - if ! diff $SUID_GROUP_YESTERDAY $SUID_GROUP_TODAY > $SUID_GROUP_DIFF; then - Syslog "Change in Suid Group file found, please consult $SUID_GROUP_DIFF" - Ttylog "\\033[1;31mChange in Suid Group file found !\\033[0;39m" - Ttylog "\\033[1;31mPlease consult $SUID_GROUP_DIFF\\033[0;39m" + if [ -f ${SUID_GROUP_YESTERDAY} ]; then + if ! diff -u ${SUID_GROUP_YESTERDAY} ${SUID_GROUP_TODAY} > ${SUID_GROUP_DIFF}; then + printf "\nSecurity Warning: Changes in Suid Group files found :\n" >> ${TMP} + grep '^+' ${SUID_GROUP_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do + printf "\t\t- Added suid group files : ${file}.\n" >> ${TMP} + done + grep '^-' ${SUID_GROUP_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do + printf "\t\t- Removed suid group files : ${file}.\n" >> ${TMP} + done fi fi fi -############################# -### Writable file detection ### +### Writable files detection +if [ ${CHECK_WRITEABLE}=="yes" ]; then -if [ $CHECK_WRITABLE=="yes" ]; then - if [ -f $WRITABLE_TODAY ]; then - mv $WRITABLE_TODAY $WRITABLE_YESTERDAY + if [ -f ${WRITEABLE_TODAY} ]; then + mv -f ${WRITEABLE_TODAY} ${WRITEABLE_YESTERDAY} fi - find $DIR -xdev -type f -perm -2 \ - -ls -print | sort > $WRITABLE_TODAY + find ${DIR} -xdev -type f -perm -2 -ls -print | sort > ${WRITEABLE_TODAY} - if [ -f $WRITABLE_YESTERDAY ]; then - if ! diff $WRITABLE_YESTERDAY $WRITABLE_TODAY > $WRITABLE_DIFF; then - Syslog "Change in World Writable File found, please consult $WRITABLE_DIFF" - Ttylog "\\033[1;31mChange in World Writable File found !\\033[0;39m" - Ttylog "\\033[1;31mPlease consult $WRITABLE_DIFF\\033[0;39m" + if [ -f ${WRITEABLE_YESTERDAY} ]; then + if ! 
diff -u ${WRITEABLE_YESTERDAY} ${WRITEABLE_TODAY} > ${WRITEABLE_DIFF}; then + printf "\nSecurity Warning: Change in World Writeable Files found :\n" >> ${TMP} + grep '^+' ${WRITEABLE_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do + printf "\t\t- Added writables files : ${file}.\n" >> ${TMP} + done + grep '^-' ${WRITEABLE_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do + printf "\t\t- Removed writables files : ${file}.\n" >> ${TMP} + done fi fi fi -################################# -### Search Un Owned file ### -if [ $CHECK_UNOWNED=="yes" ]; then - if [ -f $UNOWNED_TODAY ]; then - mv $UNOWNED_TODAY $UNOWNED_YESTERDAY +### Search Non Owned files +if [ ${CHECK_UNOWNED}=="yes" ]; then + + if [ -f ${UNOWNED_TODAY} ]; then + mv -f ${UNOWNED_TODAY} ${UNOWNED_YESTERDAY} fi - find $DIR -xdev -nouser -o -nogroup -print \ - -ls | sort > $UNOWNED_TODAY + find ${DIR} -xdev -nouser -print -ls | sort > ${UNOWNED_TODAY} + + if [ -f ${UNOWNED_YESTERDAY} ]; then + if ! diff -u ${UNOWNED_YESTERDAY} ${UNOWNED_TODAY} > ${UNOWNED_DIFF}; then + printf "\nSecurity Warning: the following files aren't owned by an user :\n" >> ${TMP} + grep '^+' ${UNOWNED_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do + printf "\t\t- Added un-owned files : ${file}.\n" >> ${TMP} + done + grep '^-' ${UNOWNED_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do + printf "\t\t- Removed un-owned files : ${file}.\n" >> ${TMP} + done + fi + fi + + find ${DIR} -xdev -nogroup -print -ls | sort >> ${UNOWNED_TODAY} - if [ -f $UNOWNED_YESTERDAY ]; then - if ! diff $UNOWNED_YESTERDAY $UNOWNED_TODAY; then - Syslog "Change in Un-Owned file user/group, please consult $UNOWNED_DIFF" - Ttylog "\\033[1;31mChange in Un-Owned file user/group found !\\033[0;39m" - Ttylog "\\033[1;31mPlease consult $UNOWNED_DIFF\\033[0;39m" + if [ -f ${UNOWNED_YESTERDAY} ]; then + if ! 
diff -u ${UNOWNED_YESTERDAY} ${UNOWNED_TODAY} > ${UNOWNED_DIFF}; then + printf "\nSecurity Warning: the following files aren't owned by a group :\n" >> ${TMP} + grep '^+' ${UNOWNED_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do + printf "\t\t- Added un-owned files : ${file}.\n" >> ${TMP} + done + grep '^-' ${UNOWNED_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do + printf "\t\t- Removed un-owned files : ${file}.\n" >> ${TMP} + done fi fi fi -########## Md5 check for SUID root file ######### +### Md5 check for SUID root file if [ ${CHECK_SUID_MD5}=="yes" ]; then if [ -f ${SUID_MD5_TODAY} ]; then mv ${SUID_MD5_TODAY} ${SUID_MD5_YESTERDAY} 
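Review bot: In the `-nouser` block the diff-header filters are crossed: the `+` lines are piped through `grep -vw "^--- "` and the `-` lines through `grep -vw "^+++ "`, so the `+++ /var/log/security/unowned.today` header itself is reported as an added un-owned file; swap them to match the other blocks. The same block diffs `${UNOWNED_TODAY}` against yesterday's file before the `-nogroup` results are appended, so every no-group entry from yesterday shows up as "Removed" on the first pass and the second `diff` then re-reports the combined file; running both finds into the snapshot first and diffing once would fix it. Every report line interpolates the path into the printf format, as in `printf "\t\t- Added suid root files : ${file}.\n"`, so a name containing `%` or `\` is mis-rendered — use `printf '\t\t- Added suid root files : %s.\n' "${file}"` here and in the other report printfs of this hunk, the md5 and open-port hunks, and the new security_check.sh — and `awk '{print $12}'` truncates paths that contain spaces. The tests of the form `[ ${CHECK_SUID_ROOT}=="yes" ]` are always true because there are no spaces around `==`, and `[ ${CHECK_SUID_GROUP} ]` is true for any non-empty value including `no`. The trailing `if [ ${CHECK_SUID_MD5}=="yes" ]` block continues outside the hunk.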
@@ -170,87 +192,20 @@ if [ ${CHECK_SUID_MD5}=="yes" ]; then done if [ -f ${SUID_MD5_YESTERDAY} ]; then - if ! diff ${SUID_MD5_YESTERDAY} ${SUID_MD5_TODAY} 1> ${SUID_MD5_DIFF}; then - Syslog "Warning, the md5 checksum for one of your SUID files has changed..." - Syslog "Maybe an intruder modified one of these suid binary in order to put in a backdoor..." - Syslog "Please consult ${SUID_MD5_DIFF}." - Ttylog "Warning, the md5 checksum for one of your SUID files has changed..." - Ttylog "Maybe an intruder modified one of these suid binary in order to put in a backdoor..." - Ttylog "Please consult ${SUID_MD5_DIFF}." - fi - fi -fi -################################################## - -#### Passwd check #### -if [ ${CHECK_PASSWD}=="yes" ]; then - if [ -f ${PASSWD_TODAY} ]; then - mv ${PASSWD_TODAY} ${PASSWD_YESTERDAY}; - fi - - awk -F: '{ - if ( $2 == "" ) - printf("/etc/passwd:%d: User \"%s\" has no password !\n", FNR, $1); - else if ($2 !~ /^[x*!]+$/) - printf("/etc/passwd:%d: User \"%s\" has a real password (it is not shadowed).\n", FNR, $1); - }' < /etc/passwd > ${PASSWD_TODAY} - - if [ -f ${PASSWD_YESTERDAY} ]; then - if ! diff ${PASSWD_YESTERDAY} ${PASSWD_TODAY} 1> ${PASSWD_DIFF}; then - Syslog `cat ${PASSWD_DIFF}` - Ttylog `cat ${PASSWD_DIFF}` - fi - fi -fi -###################### - -#### Shadow Check #### -if [ ${CHECK_SHADOW}=="yes" ]; then - if [ -f ${SHADOW_TODAY} ]; then - mv -f ${SHADOW_TODAY} ${SHADOW_YESTERDAY}; - fi - - awk -F: '{ - if ( $2 == "" ) - printf("/etc/shadow:%d: User \"%s\" has no password !\n", FNR, $1); - }' < /etc/shadow > ${SHADOW_TODAY} - - if [ -f ${SHADOW_YESTERDAY} ]; then - if ! 
diff ${SHADOW_YESTERDAY} ${SHADOW_TODAY} 1> ${SHADOW_DIFF}; then - Syslog `cat ${SHADOW_DIFF}` - Ttylog `cat ${SHADOW_DIFF}` - fi - fi -fi - -#### .[sr]hosts check #### -if [ ${CHECK_RHOST}=="yes" ]; then - if [ -f ${HOST_TODAY} ]; then - mv -f ${HOST_TODAY} ${HOST_YESTERDAY}; - fi - - awk -F: '{print $1" "$6}' /etc/passwd | - while read username homedir; do - for file in .rhosts .shosts; do - if [ -s ${homedir}/${file} ] ; then - rhost=`ls -lcdg ${homedir}/${file}` - printf "${username}: ${rhost}\n" - if grep "+" ${homedir}/${file} > /dev/null ; then - printf "\tThere is a (+) character in ${file} : this is a *big* security problem \!\n" - fi - fi + if ! diff -u ${SUID_MD5_YESTERDAY} ${SUID_MD5_TODAY} > ${SUID_MD5_DIFF}; then + printf "\nSecurity Warning: the md5 checksum for one of your SUID files has changed,\n" >> ${TMP} + printf "\tmaybe an intruder modified one of these suid binary in order to put in a backdoor...\n" >> ${TMP} + grep '^+' ${SUID_MD5_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $2}' | while read file; do + printf "\t\t- Changed ( added ) files : ${file}.\n" >> ${TMP} + done + grep '^-' ${SUID_MD5_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $2}' | while read file; do + printf "\t\t- Changed ( removed ) files : ${file}.\n" >> ${TMP} done - done > ${HOST_TODAY} - - if [ -f ${HOST_YESTERDAY} ]; then - if ! diff ${HOST_YESTERDAY} ${HOST_TODAY} 1> ${HOST_DIFF}; then - Syslog `cat ${HOST_DIFF}` - Ttylog `cat ${HOST_DIFF}` fi fi fi -### Network check ### +### Changed open port if [ ${CHECK_OPEN_PORT}=="yes" ]; then if [ -f ${OPEN_PORT_TODAY} ]; then mv -f ${OPEN_PORT_TODAY} ${OPEN_PORT_YESTERDAY} 
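Review bot: The added/removed reporting in this hunk is the same grep | grep -vw | sed | awk | while pipeline that already appears four times in the previous hunk and once more in the open-port hunk, differing only in the diff file, the awk field and the two labels; as written, the next fix to quoting or header filtering has to be applied in six places. A small helper taking those four arguments would make each block a one-liner and would also be the single place to quote the path properly. The enclosing `if [ ${CHECK_SUID_MD5}=="yes" ]` starts before this hunk, and the `CHECK_OPEN_PORT` block at the end continues past it.
```shell
# Report the paths added to / removed from a unified diff of two daily snapshots.
# $1 diff file, $2 awk field holding the path, $3 label for '+' lines, $4 label for '-' lines
report_diff() {
  grep '^+' "$1" | grep -vw '^+++ ' | sed 's|^.||' | awk -v f="$2" '{print $f}' | while read -r file; do
    printf '\t\t- %s : %s.\n' "$3" "${file}" >> "${TMP}"
  done
  grep '^-' "$1" | grep -vw '^--- ' | sed 's|^.||' | awk -v f="$2" '{print $f}' | while read -r file; do
    printf '\t\t- %s : %s.\n' "$4" "${file}" >> "${TMP}"
  done
}
# … unchanged: md5 snapshot and diff -u into ${SUID_MD5_DIFF} …
report_diff "${SUID_MD5_DIFF}" 2 "Changed ( added ) files" "Changed ( removed ) files"
```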
@@ -259,139 +214,28 @@ if [ ${CHECK_OPEN_PORT}=="yes" ]; then netstat -pvlA inet > ${OPEN_PORT_TODAY}; if [ -f ${OPEN_PORT_YESTERDAY} ]; then - if ! diff ${OPEN_PORT_YESTERDAY} ${OPEN_PORT_TODAY} 1> ${OPEN_PORT_DIFF}; then - Syslog "There is a new port listening on your machine..." - Syslog "Please consult ${OPEN_PORT_DIFF} for security purpose..." - Ttylog "There is a new port listening on your machine..." - Ttylog "Please consult ${OPEN_PORT_DIFF} for security purpose..." + if ! diff -u ${OPEN_PORT_YESTERDAY} ${OPEN_PORT_TODAY} 1> ${OPEN_PORT_DIFF}; then + printf "\nSecurity Warning: There is a new port listening on your machine :\n" >> ${TMP} + grep '^+' ${OPEN_PORT_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do + printf "\t\t- Opened ports : ${file}.\n" >> ${TMP} + done + grep '^-' ${OPEN_PORT_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do + printf "\t\t- Closed ports : ${file}.\n" >> ${TMP} + done fi fi fi -### /etc/exports check ### - -# File systems should not be globally exported. -if [ -s /etc/exports ] ; then - awk '{ - if (($1 ~ /^#/) || ($1 ~ /^$/)) next; - readonly = 0; - for (i = 2; i <= NF; ++i) { - if ($i ~ /^-ro$/) - readonly = 1; - else if ($i !~ /^-/) - next; - } - if (readonly) { - print "Warning : Nfs File system " $1 " globally exported, read-only."; - } else print "Warning : Nfs File system " $1 " globally exported, read-write."; - }' < /etc/exports > $OUT - if [ -s "$OUT" ] ; then - printf "\nChecking for globally exported file systems.\n" - cat "$OUT" - fi +######## Report ###### +if [ -s ${TMP} ]; then + Syslog ${TMP} + Ttylog ${TMP} + cat ${TMP} >> ${SECURITY_LOG} + rm -f ${TMP} fi -# nfs mounts with missing nosuid -/bin/mount | /bin/grep -v nosuid | /bin/grep ' nfs ' > $OUT -if [ -s "$OUT" ] ; then - printf "\nThe following NFS mounts haven't got the nosuid option set:\n" - cat "$OUT" -fi - -# Files that should not be owned by someone else or readable. 
-list=".netrc .rhosts .shosts .Xauthority .pgp/secring.pgp .ssh/identity .ssh/random_seed" -awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \ -while read uid homedir; do - for f in $list ; do - file=${homedir}/${f} - if [ -f $file ] ; then - printf "$uid $f `ls -ldcg $file`\n" - fi - done -done | -awk '$1 != $5 && $5 != "root" \ - { print "user " $1 " " $2 " : file is owned by " $5 } - $3 ~ /^-...r/ \ - { print "user " $1 " " $2 " : file is group readable" } - $3 ~ /^-......r/ \ - { print "user " $1 " " $2 " : file is other readable" } - $3 ~ /^-....w/ \ - { print "user " $1 " " $2 " : file is group writeable" } - $3 ~ /^-.......w/ \ - { print "user " $1 " " $2 " : file is other writeable" }' > $OUT - - -# Files that should not be owned by someone else or writeable. -list=".bashrc .bash_profile .bash_login .bash_logout .cshrc .emacs .exrc \ -.forward .klogin .login .logout .profile .tcshrc .fvwmrc .inputrc .kshrc \ -.nexrc .screenrc .ssh .ssh/config .ssh/authorized_keys .ssh/environment \ -.ssh/known_hosts .ssh/rc .twmrc .xsession .xinitrc .Xdefaults" -awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \ -while read uid homedir; do - for f in $list ; do - file=${homedir}/${f} - if [ -f $file ] ; then - printf "$uid $f `ls -ldcg $file`\n" - fi - done -done | -awk '$1 != $5 && $5 != "root" \ - { print "user " $1 " " $2 " : file is owned by " $5 } - $3 ~ /^-....w/ \ - { print "user " $1 " " $2 " : file is group writeable" } - $3 ~ /^-.......w/ \ - { print "user " $1 " " $2 " : file is other writeable" }' >> $OUT -if [ -s "$OUT" ] ; then - printf "\nChecking dot files.\n" - cat "$OUT" -fi - -# Check home directories. Directories should not be owned by someone else -# or writeable. 
-awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \ -while read uid homedir; do - if [ -d ${homedir}/ ] ; then - file=`ls -ldg ${homedir}` - printf "$uid $file\n" - fi -done | -awk '$1 != $4 && $4 != "root" \ - { print "user " $1 " : home directory is owned by " $4 } - $2 ~ /^-....w/ \ - { print "user " $1 " : home directory is group writeable" } - $2 ~ /^-.......w/ \ - { print "user " $1 " : home directory is other writeable" }' > $OUT -if [ -s "$OUT" ] ; then - printf "\nChecking home directories.\n" - cat "$OUT" -fi - -# Files that should not have + signs. -list="/etc/hosts.equiv /etc/shosts.equiv /etc/hosts.lpd" -for f in $list ; do - if [ -s $f ] ; then - awk '{ - if ($0 ~ /^\+@.*$/) - next; - if ($0 ~ /^\+.*$/) - printf("\nPlus sign in the file %s\n", FILENAME); - }' $f - fi -done - - -# executables should not be in the /etc/aliases file. -if [ -s /etc/aliases ]; then - grep -v '^#' /etc/aliases | grep '|' > $OUT - if [ -s "$OUT" ] ; then - printf "\nThe following programs are executed in your mail via /etc/aliases (bad!):\n" - cat "$OUT" - fi -fi - - - - +# We launch our other report engine :) +/etc/security/msec/security_check.sh diff --git a/cron-sh/security_check.sh b/cron-sh/security_check.sh new file mode 100755 index 0000000..5dffc48 --- /dev/null +++ b/cron-sh/security_check.sh 
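Review bot: The open-port report reuses `awk '{print $12}'` from the find pipelines, but a `netstat -pvlA inet` line has far fewer whitespace-separated columns (protocol, queues, local and foreign address, state, PID/program), so each entry comes out as `- Opened ports : .` with the socket missing; print the stripped line instead, e.g. `sed 's|^.||' | while read -r line; do printf '\t\t- Opened ports : %s.\n' "${line}" >> "${TMP}"; done`, or `$4` for just the local address. In the report section `Ttylog ${TMP}` now passes a file name where the old code passed a message; Ttylog's body is outside this hunk, but if it is still the `echo -e "$1"` shown in the new security_check.sh, logged-in users will see the string `/tmp/secure.tmp` rather than the findings, so it should read the file the way `Syslog` now does. The last line calls `/etc/security/msec/security_check.sh` unconditionally; guarding it with `[ -x /etc/security/msec/security_check.sh ] && /etc/security/msec/security_check.sh` avoids ending the run with an error on a partial install.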
@@ -0,0 +1,279 @@ +#!/bin/bash + +# +# Basic security checking for suid files. +# Written by Vandoorselaere Yoann, +# + +if [ -f /etc/security/msec/security.conf ]; then + . /etc/security/msec/security.conf +else + exit 1 +fi + +if [ SECURITY_CHECK == "no" ]; then + exit 0 +fi + +SECURITY_LOG="/tmp/secure.log" +SECURITY="/var/log/security.log" +TMP="/tmp/secure.tmp" + +if [ ! -d /var/log/security ]; then + mkdir /var/log/security +fi + +chattr -a /var/log/security/ >& /dev/null +chattr -a /var/log/security/* >& /dev/null +rm -f ${SECURITY_LOG} ${TMP} >& /dev/null + +### Functions ### + +Syslog() { + if [ $SYS_LOG=="yes" ]; then + cat ${1} | while read line; do + /sbin/initlog --string="${line}" + done + fi +} + +Ttylog() { + if [ $TTY_LOG=="yes" ]; then + for i in `w | grep -v "load\|TTY" | awk '{print $2}'` ; do + echo -e "$1" > /dev/$i + done + fi +} + +### Writeable file detection +if [ ${CHECK_WRITEABLE}=="yes" ]; then + find ${DIR} -xdev -type f -perm -2 -ls -print | awk '{print $11}' | sort > ${TMP} + + if [ -s ${TMP} ]; then + printf "\nSecurity Warning: World Writeable Files found :\n" >> ${SECURITY_LOG} + cat ${TMP} >> ${SECURITY_LOG} + fi +fi + +### Search Un Owned file +if [ ${CHECK_UNOWNED}=="yes" ]; then + find ${DIR} -xdev -nouser -print -ls | awk '{print $11}' | sort > ${TMP} + if [ -s ${TMP} ]; then + printf "\nSecurity Warning : the following file aren't owned by any user :\n" >> ${SECURITY_LOG} + printf "\ttheses files now have user \"nobody\" as their owner." >> ${SECURE_LOG} + cat ${TMP} >> ${SECURITY_LOG} + cat ${TMP} | while read line; do chown nobody ${line}; done + fi + + find $DIR -xdev -nogroup -print -ls | awk '{print $11}' | sort > ${TMP} + if [ -s ${TMP} ]; then + printf "\nSecurity Warning : the following file aren't owned by any group :\n" >> ${SECURITY_LOG} + printf "\ttheses files now have group \"nogroup\" as their group owner." 
>> ${SECURITY_LOG} + cat ${TMP} >> ${SECURITY_LOG} + cat ${TMP} | while read line; do chgrp nogroup ${line}; done + fi +fi + +if [ ${CHECK_PERMISSIONS}=="yes" ]; then +# Files that should not be owned by someone else or readable. +list=".netrc .rhosts .shosts .Xauthority .pgp/secring.pgp .ssh/identity .ssh/random_seed" +awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \ +while read uid homedir; do + for f in ${list} ; do + file="${homedir}/${f}" + if [ -f ${file} ] ; then + printf "${uid} ${f} `ls -ldcg ${file}`\n" + fi + done +done | awk '$1 != $5 && $5 != "root" \ + { print "\t\tuser=" $1 ", file=" $2 " : file is owned by " $5 } + $3 ~ /^-...r/ \ + { print "\t\tuser=" $1 ", file=" $2 " : file is group readable" } + $3 ~ /^-......r/ \ + { print "\t\tuser=" $1 ", file=" $2 " : file is other readable" } + $3 ~ /^-....w/ \ + { print "\t\tuser=" $1 ", file=" $2 " : file is group writeable" } + $3 ~ /^-.......w/ \ + { print "\t\tuser=" $1 ", file=" $2 " : file is other writeable" }' > ${TMP} + +if [ -s ${TMP} ]; then + printf "\nSecurity Warning: these files shouldn't be owned by someone else or readable :\n" >> ${SECURITY_LOG} + cat ${TMP} >> ${SECURITY_LOG} +fi + + +### Files that should not be owned by someone else or writeable. 
+list=".bashrc .bash_profile .bash_login .bash_logout .cshrc .emacs .exrc \ +.forward .klogin .login .logout .profile .tcshrc .fvwmrc .inputrc .kshrc \ +.nexrc .screenrc .ssh .ssh/config .ssh/authorized_keys .ssh/environment \ +.ssh/known_hosts .ssh/rc .twmrc .xsession .xinitrc .Xdefaults" +awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \ +while read uid homedir; do + for f in ${list} ; do + file="${homedir}/${f}" + if [ -f $file ] ; then + printf "$uid ${f} `ls -ldcg ${file}`\n" + fi + done +done | awk '$1 != $5 && $5 != "root" \ + { print "\t\t- user=" $1 ", file=" $2 " : file is owned by " $5 } + $3 ~ /^-....w/ \ + { print "\t\t- user=" $1 ", file=" $2 " : file is group writeable" } + $3 ~ /^-.......w/ \ + { print "\t\t- user=" $1 ", file=" $2 " : file is other writeable" }' > ${TMP} + +if [ -s ${TMP} ]; then + printf "\nSecurity Warning: theses files should not be owned by someone else or writeable :\n" >> ${SECURITY_LOG} + cat ${TMP} >> ${SECURITY_LOG} +fi + +### Check home directories. Directories should not be owned by someone else or writeable. 
+awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \ +while read uid homedir; do + if [ -d ${homedir}/ ] ; then + file=`ls -ldg ${homedir}` + printf "$uid $file\n" + fi +done | awk '$1 != $4 && $4 != "root" \ + { print "user=" $1 " : home directory is owned by " $4 } + $2 ~ /^-....w/ \ + { print "user=" $1 " : home directory is group writeable" } + $2 ~ /^-.......w/ \ + { print "user=" $1 " : home directory is other writeable" }' > ${TMP} + +if [ -s $TMP ] ; then + printf "\nSecurity Warning: these home directory should not be owned by someone else or writeable :\n" >> ${SECURITY_LOG} + cat ${TMP} >> ${SECURITY_LOG} +fi +fi + +if [ ${CHECK_SECURITY}=="yes" ]; then +### Passwd file check +if [ ${CHECK_PASSWD}=="yes" ]; then + awk -F: '{ + if ( $2 == "" ) + printf("\t\t- /etc/passwd:%d: User \"%s\" has no password !\n", FNR, $1); + else if ($2 !~ /^[x*!]+$/) + printf("\t\t- /etc/passwd:%d: User \"%s\" has a real password (it is not shadowed).\n", FNR, $1); + }' < /etc/passwd > ${TMP} + + if [ -s ${TMP} ]; then + printf "\nSecurity Warning: /etc/passwd check :\n" >> ${SECURITY_LOG} + cat ${TMP} >> ${SECURITY_LOG} + fi +fi + +### Shadow password file Check +if [ ${CHECK_SHADOW}=="yes" ]; then + awk -F: '{ + if ( $2 == "" ) + printf("\t\t- /etc/shadow:%d: User \"%s\" has no password !\n", FNR, $1); + }' < /etc/shadow > ${TMP} + + if [ -s ${TMP} ]; then + printf "\nSecurity Warning: /etc/shadow check :\n" >> ${SECURITY_LOG} + cat ${TMP} >> ${SECURITY_LOG} + fi +fi + +### File systems should not be globally exported. 
+if [ -s /etc/exports ] ; then + awk '{ + if (($1 ~ /^#/) || ($1 ~ /^$/)) next; + readonly = 0; + for (i = 2; i <= NF; ++i) { + if ($i ~ /^-ro$/) + readonly = 1; + else if ($i !~ /^-/) + next; + } + if (readonly) { + print "\t\t- Nfs File system " $1 " globally exported, read-only."; + } else print "\t\t- Nfs File system " $1 " globally exported, read-write."; + }' < /etc/exports > ${TMP} + + if [ -s ${TMP} ] ; then + printf "\nSecurity Warning: Some NFS filesystem are exported to globally :\n" >> ${SECURITY_LOG} + cat ${TMP} >> ${SECURITY_LOG} + fi +fi + +### nfs mounts with missing nosuid +/bin/mount | /bin/grep -v nosuid | /bin/grep ' nfs ' > ${TMP} +if [ -s ${TMP} ] ; then + printf "\nSecurity Warning: The following NFS mounts haven't got the nosuid option set :\n" >> ${SECURITY_LOG} + cat ${TMP} >> ${SECURITY_LOG} +fi + +### Files that should not have + signs. +list="/etc/hosts.equiv /etc/shosts.equiv /etc/hosts.lpd" +for file in $list ; do + if [ -s ${file} ] ; then + awk '{ + if ($0 ~ /^\+@.*$/) + next; + if ($0 ~ /^\+.*$/) + printf("\t\t- %s: %s\n", FILENAME, $0); + }' ${file} + fi +done > ${TMP} + +awk -F: '{print $1" "$6}' /etc/passwd | + while read username homedir; do + for file in .rhosts .shosts; do + if [ -s ${homedir}/${file} ] ; then + awk '{ + if ($0 ~ /^\+@.*$/) + next; + if ($0 ~ /^\+.*$/) + printf("\t\t- %s: %s\n", FILENAME, $0); + }' ${homedir}/${file} + fi + done >> ${TMP} + done + +if [ -s ${TMP} ]; then + printf "\nSecurity Warning: '+' character found in hosts trusting files,\n" >> ${SECURITY_LOG} + printf "\tthis probably mean that you trust certains users/domain\n" >> ${SECURITY_LOG} + printf "\tto connect on this host without proper authentication :\n" >> ${SECURITY_LOG} + cat ${TMP} >> ${SECURITY_LOG} +fi + +### executables should not be in the aliases file. 
+list="/etc/aliases /etc/postfix/aliases" +for file in ${list}; do + if [ -s ${file} ]; then + grep -v '^#' /etc/aliases | grep '|' | while read line; do + printf "\t\t- ${line}\n" + done > ${TMP} + fi + + if [ -s ${TMP} ]; then + printf "\nSecurity Warning: The following programs are executed in your mail\n" >> ${SECURITY_LOG} + printf "\tvia ${file} files, this could lead to security problems :\n" >> ${SECURITY_LOG} + cat ${TMP} >> ${SECURITY_LOG} + fi +done + +### Dump a list of open port. +if [ ${CHECK_OPEN_PORT}=="yes" ]; then + netstat -pvlA inet > ${TMP}; + + if [ -s ${TMP} ]; then + printf "\nThese are the ports listening on your machine :\n" >> ${SECURITY_LOG} + cat ${TMP} >> ${SECURITY_LOG} + fi +fi +fi # end of CHECK_SECURITY + +### Report +if [ -s ${SECURITY_LOG} ]; then + Syslog ${SECURITY_LOG} + Ttylog ${SECURITY_LOG} + cat ${SECURITY_LOG} >> ${SECURITY} +fi + + + + + -- cgit v1.2.1
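Review bot: `if [ SECURITY_CHECK == "no" ]` near the top compares the literal word `SECURITY_CHECK` with `no`, so the opt-out never fires; it needs `[ "$SECURITY_CHECK" = "no" ]`, and the later tests of the form `[ ${CHECK_WRITEABLE}=="yes" ]` are always true for the related reason that there are no spaces around the operator. In the un-owned files block the remediation runs `chown nobody ${line}` on whatever `find -nouser` listed, and chown dereferences symbolic links by default, so an orphaned symlink would re-own its target rather than itself; use `chown -h nobody "${line}"` / `chgrp -h nogroup "${line}"` with `read -r`. The line `printf "\ttheses files now have user \"nobody\" as their owner." >> ${SECURE_LOG}` misspells `SECURITY_LOG`, which makes bash reject the redirection as ambiguous when the variable is empty, and it also lacks a trailing `\n`. The aliases loop greps `/etc/aliases` on both iterations instead of `${file}`, and because `${TMP}` is only rewritten when `${file}` exists, the `/etc/postfix/aliases` pass re-reports the previous file's content. `${DIR}` is never assigned in this script, so unless security.conf sets it the `find` calls run with no start path.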