#!/bin/bash # # Written by Vandoorselaere Yoann, # if [[ -f /var/lib/msec/security.conf ]]; then . /var/lib/msec/security.conf else echo "/var/lib/msec/security.conf don't exist." exit 1 fi if [[ -f /etc/security/msec/security.conf ]]; then . /etc/security/msec/security.conf fi if [[ ${CHECK_SECURITY} == no ]]; then exit 0 fi SECURITY_LOG="/var/log/security.log" TMP=`mktemp /tmp/secure.XXXXXX` ### New Suid root files detection if [[ ${CHECK_SUID_ROOT} == yes ]]; then if [[ -f ${SUID_ROOT_YESTERDAY} ]]; then if ! diff -u ${SUID_ROOT_YESTERDAY} ${SUID_ROOT_TODAY} > ${SUID_ROOT_DIFF}; then printf "\nSecurity Warning: Change in Suid Root files found :\n" >> ${TMP} grep '^+' ${SUID_ROOT_DIFF} | grep -vw "^+++ " | sed 's|^.||' | while read file; do printf "\t\t- Added suid root files : ${file}\n" done >> ${TMP} grep '^-' ${SUID_ROOT_DIFF} | grep -vw "^--- " | sed 's|^.||' | while read file; do printf "\t\t- Removed suid root files : ${file}\n" done >> ${TMP} fi fi fi ### New Suid group files detection if [[ ${CHECK_SUID_GROUP} == yes ]]; then if [[ -f ${SUID_GROUP_YESTERDAY} ]]; then if ! diff -u ${SUID_GROUP_YESTERDAY} ${SUID_GROUP_TODAY} > ${SUID_GROUP_DIFF}; then printf "\nSecurity Warning: Changes in Suid Group files found :\n" >> ${TMP} grep '^+' ${SUID_GROUP_DIFF} | grep -vw "^+++ " | sed 's|^.||' | while read file; do printf "\t\t- Added suid group files : ${file}\n" done >> ${TMP} grep '^-' ${SUID_GROUP_DIFF} | grep -vw "^--- " | sed 's|^.||' | while read file; do printf "\t\t- Removed suid group files : ${file}\n" done >> ${TMP} fi fi fi ### Writable files detection if [[ ${CHECK_WRITEABLE} == yes ]]; then if [[ -f ${WRITEABLE_YESTERDAY} ]]; then diff -u ${WRITEABLE_YESTERDAY} ${WRITEABLE_TODAY} > ${WRITEABLE_DIFF} if [ -s ${WRITEABLE_DIFF} ]; then printf "\nSecurity Warning: Change in World Writeable Files found :\n" >> ${TMP} grep '^+' ${WRITEABLE_DIFF} | grep -vw "^+++ " | sed 's|^.||' | while read file; do printf "\t\t- Added writables files : ${file}\n" done >> ${TMP} grep '^-' ${WRITEABLE_DIFF} | grep -vw "^--- " | sed 's|^.||' | while read file; do printf "\t\t- Removed writables files : ${file}\n" done >> ${TMP} fi fi fi ### Search Non Owned files if [[ ${CHECK_UNOWNED} == yes ]]; then if [[ -f ${UNOWNED_USER_YESTERDAY} ]]; then diff -u ${UNOWNED_USER_YESTERDAY} ${UNOWNED_USER_TODAY} > ${UNOWNED_USER_DIFF} if [ -s ${UNOWNED_USER_DIFF} ]; then printf "\nSecurity Warning: the following files aren't owned by an user :\n" >> ${TMP} grep '^+' ${UNOWNED_USER_DIFF} | grep -vw "^+++ " | sed 's|^.||' | while read file; do printf "\t\t- Added un-owned files : ${file}\n" done >> ${TMP} grep '^-' ${UNOWNED_USER_DIFF} | grep -vw "^--- " | sed 's|^.||' | while read file; do printf "\t\t- Removed un-owned files : ${file}\n" done >> ${TMP} fi fi if [[ -f ${UNOWNED_GROUP_YESTERDAY} ]]; then diff -u ${UNOWNED_GROUP_YESTERDAY} ${UNOWNED_GROUP_TODAY} > ${UNOWNED_GROUP_DIFF} if [ -s ${UNOWNED_GROUP_DIFF} ]; then printf "\nSecurity Warning: the following files aren't owned by a group :\n" >> ${TMP} grep '^+' ${UNOWNED_GROUP_DIFF} | grep -vw "^+++ " | sed 's|^.||' | while read file; do printf "\t\t- Added un-owned files : ${file}\n" done >> ${TMP} grep '^-' ${UNOWNED_GROUP_DIFF} | grep -vw "^--- " | sed 's|^.||' | while read file; do printf "\t\t- Removed un-owned files : ${file}\n" done >> ${TMP} fi fi fi ### Md5 check for SUID root fileg if [[ ${CHECK_SUID_MD5} == yes ]]; then ctrl_md5=0; if [[ -f ${SUID_MD5_YESTERDAY} ]]; then diff -u ${SUID_MD5_YESTERDAY} ${SUID_MD5_TODAY} > ${SUID_MD5_DIFF} if [ -s ${SUID_MD5_DIFF} ]; then grep '^+' ${SUID_MD5_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $2}' | while read file; do if cat ${SUID_MD5_YESTERDAY} | awk '{print $2}' | grep -qw ${file}; then if [[ ${ctrl_md5} == 0 ]]; then printf "\nSecurity Warning: the md5 checksum for one of your SUID files has changed,\n" >> ${TMP} printf "\tmaybe an intruder modified one of these suid binary in order to put in a backdoor...\n" >> ${TMP} ctrl_md5=1; fi printf "\t\t- Checksum changed files : ${file}\n" fi done >> ${TMP} fi fi fi ### Changed open port if [[ ${CHECK_OPEN_PORT} == yes ]]; then if [[ -f ${OPEN_PORT_YESTERDAY} ]]; then diff -u ${OPEN_PORT_YESTERDAY} ${OPEN_PORT_TODAY} 1> ${OPEN_PORT_DIFF} if [ -s ${OPEN_PORT_DIFF} ]; then printf "\nSecurity Warning: There are modifications for port listening on your machine :\n" >> ${TMP} grep '^+' ${OPEN_PORT_DIFF} | grep -vw "^+++ " | sed 's|^.||' | while read file; do printf "\t\t- Opened ports : ${file}\n" done >> ${TMP} grep '^-' ${OPEN_PORT_DIFF} | grep -vw "^--- " | sed 's|^.||' | while read file; do printf "\t\t- Closed ports : ${file}\n" done >> ${TMP} fi fi fi ### rpm database if [[ ${RPM_CHECK} == yes ]]; then if [[ -f ${RPM_QA_YESTERDAY} ]]; then diff -u ${RPM_QA_YESTERDAY} ${RPM_QA_TODAY} > ${RPM_QA_DIFF} if [ -s ${RPM_QA_DIFF} ]; then printf "\nSecurity Warning: These packages have changed on the system :\n" >> ${TMP} grep '^+' ${RPM_QA_DIFF} | grep -vw "^+++ " | sed 's|^.||' | while read file; do printf "\t\t- added package : ${file}\n" done >> ${TMP} grep '^-' ${RPM_QA_DIFF} | grep -vw "^--- " | sed 's|^.||' | while read file; do printf "\t\t- removed package : ${file}\n" done >> ${TMP} fi fi if [[ -f ${RPM_VA_YESTERDAY} ]]; then diff -u ${RPM_VA_YESTERDAY} ${RPM_VA_TODAY} > ${RPM_VA_DIFF} if [ -s ${RPM_VA_DIFF} ]; then printf "\nSecurity Warning: These files belonging to packages have changed of status on the system :\n" >> ${TMP} grep '^+' ${RPM_VA_DIFF} | grep -vw "^+++ " | sed 's|^.||' | while read file; do printf "\t\t- newly modified : ${file}\n" done >> ${TMP} grep '^-' ${RPM_VA_DIFF} | grep -vw "^--- " | sed 's|^.||' | while read file; do printf "\t\t- no more modified : ${file}\n" done >> ${TMP} fi fi if [[ -f ${RPM_VA_CONFIG_YESTERDAY} ]]; then diff -u ${RPM_VA_CONFIG_YESTERDAY} ${RPM_VA_CONFIG_TODAY} > ${RPM_VA_CONFIG_DIFF} if [ -s ${RPM_VA_CONFIG_DIFF} ]; then printf "\nSecurity Warning: These config files belonging to packages have changed of status on the system :\n" >> ${TMP} grep '^+' ${RPM_VA_CONFIG_DIFF} | grep -vw "^+++ " | sed 's|^.||' | while read file; do printf "\t\t- newly modified : ${file}\n" done >> ${TMP} grep '^-' ${RPM_VA_CONFIG_DIFF} | grep -vw "^--- " | sed 's|^.||' | while read file; do printf "\t\t- no more modified : ${file}\n" done >> ${TMP} fi fi fi ######## Report ###### date=`date` hostname=`hostname` if [[ -s ${TMP} ]]; then Syslog ${TMP} Ttylog ${TMP} echo -e "\n\n*** Diff Check, ${date} ***\n" >> ${SECURITY_LOG} cat ${TMP} >> ${SECURITY_LOG} else cat > ${TMP} <