#!/bin/bash if [[ ! -f /etc/security/msec/security.conf ]]; then echo "Can't access /etc/security/msec/security.conf." exit 1 fi . /etc/security/msec/security.conf [[ ${MAIL_WARN} == yes ]] && [ -z ${MAIL_USER} ] && MAIL_USER="root" export SUID_ROOT_TODAY="/var/log/security/suid_root.today" SUID_ROOT_YESTERDAY="/var/log/security/suid_root.yesterday" SUID_ROOT_DIFF="/var/log/security/suid_root.diff" export SUID_GROUP_TODAY="/var/log/security/suid_group.today" SUID_GROUP_YESTERDAY="/var/log/security/suid_group.yesterday" SUID_GROUP_DIFF="/var/log/security/suid_group.diff" export SUID_MD5_TODAY="/var/log/security/suid_md5.today" SUID_MD5_YESTERDAY="/var/log/security/suid_md5.yesterday" SUID_MD5_DIFF="/var/log/security/suid_md5.diff" export OPEN_PORT_TODAY="/var/log/security/open_port.today" OPEN_PORT_YESTERDAY="/var/log/security/open_port.yesterday" OPEN_PORT_DIFF="/var/log/security/open_port.diff" export WRITEABLE_TODAY="/var/log/security/writeable.today" WRITEABLE_YESTERDAY="/var/log/security/writeable.yesterday" WRITEABLE_DIFF="/var/log/security/writeable.diff" export UNOWNED_USER_TODAY="/var/log/security/unowned_user.today" UNOWNED_USER_YESTERDAY="/var/log/security/unowned_user.yesterday" UNOWNED_USER_DIFF="/var/log/security/unowned_user.diff" export UNOWNED_GROUP_TODAY="/var/log/security/unowned_group.today" UNOWNED_GROUP_YESTERDAY="/var/log/security/unowned_group.yesterday" UNOWNED_GROUP_DIFF="/var/log/security/unowned_group.diff" export RPM_VA_TODAY="/var/log/security/rpm-va.today" RPM_VA_YESTERDAY="/var/log/security/rpm-va.yesterday" RPM_VA_DIFF="/var/log/security/rpm-va.diff" export RPM_QA_TODAY="/var/log/security/rpm-qa.today" RPM_QA_YESTERDAY="/var/log/security/rpm-qa.yesterday" RPM_QA_DIFF="/var/log/security/rpm-qa.diff" export CHKROOTKIT_TODAY="/var/log/security/chkrootkit.today" CHKROOTKIT_YESTERDAY="/var/log/security/chkrootkit.yesterday" # Modified filters coming from debian security scripts. CS_NFSAFS='(nfs|afs|xfs|coda)' CS_TYPES=' type (devpts|auto|proc|msdos|fat|vfat|iso9660|ncpfs|smbfs|'$CS_NFSAFS')' CS_DEVS='^/dev/fd' CS_DIRS='on /mnt' FILTERS="$CS_TYPES|$CS_DEVS|$CS_DIRS" DIR=`mount | grep -vE "$FILTERS" | cut -d ' ' -f3` PRINT="%h/%f\n" if [[ ! -d /var/log/security ]]; then mkdir /var/log/security fi if [[ -f ${SUID_ROOT_TODAY} ]]; then mv ${SUID_ROOT_TODAY} ${SUID_ROOT_YESTERDAY}; fi if [[ -f ${SUID_GROUP_TODAY} ]]; then mv ${SUID_GROUP_TODAY} ${SUID_GROUP_YESTERDAY}; fi if [[ -f ${WRITEABLE_TODAY} ]]; then mv ${WRITEABLE_TODAY} ${WRITEABLE_YESTERDAY}; fi if [[ -f ${UNOWNED_USER_TODAY} ]]; then mv ${UNOWNED_USER_TODAY} ${UNOWNED_USER_YESTERDAY}; fi if [[ -f ${UNOWNED_GROUP_TODAY} ]]; then mv ${UNOWNED_GROUP_TODAY} ${UNOWNED_GROUP_YESTERDAY}; fi if [[ -f ${OPEN_PORT_TODAY} ]]; then mv -f ${OPEN_PORT_TODAY} ${OPEN_PORT_YESTERDAY} fi if [[ -f ${SUID_MD5_TODAY} ]]; then mv ${SUID_MD5_TODAY} ${SUID_MD5_YESTERDAY}; fi if [[ -f ${RPM_VA_TODAY} ]]; then mv -f ${RPM_VA_TODAY} ${RPM_VA_YESTERDAY} fi if [[ -f ${RPM_QA_TODAY} ]]; then mv -f ${RPM_QA_TODAY} ${RPM_QA_YESTERDAY} fi if [[ -f ${CHKROOTKIT_TODAY} ]]; then mv -f ${CHKROOTKIT_TODAY} ${CHKROOTKIT_YESTERDAY} fi netstat -pvlA inet 2> /dev/null > ${OPEN_PORT_TODAY}; # Hard disk related file check; the less priority the better... nice --adjustment=+19 /usr/bin/msec_find ${DIR} if [[ -f ${SUID_ROOT_TODAY} ]]; then sort < ${SUID_ROOT_TODAY} > ${SUID_ROOT_TODAY}.tmp mv -f ${SUID_ROOT_TODAY}.tmp ${SUID_ROOT_TODAY} fi if [[ -f ${SUID_GROUP_TODAY} ]]; then sort < ${SUID_GROUP_TODAY} > ${SUID_GROUP_TODAY}.tmp mv -f ${SUID_GROUP_TODAY}.tmp ${SUID_GROUP_TODAY} fi if [[ -f ${WRITEABLE_TODAY} ]]; then sort < ${WRITEABLE_TODAY} > ${WRITEABLE_TODAY}.tmp mv -f ${WRITEABLE_TODAY}.tmp ${WRITEABLE_TODAY} fi if [[ -f ${UNOWNED_USER_TODAY} ]]; then sort < ${UNOWNED_USER_TODAY} > ${UNOWNED_USER_TODAY}.tmp mv -f ${UNOWNED_USER_TODAY}.tmp ${UNOWNED_USER_TODAY} fi if [[ -f ${UNOWNED_GROUP_TODAY} ]]; then sort < ${UNOWNED_GROUP_TODAY} > ${UNOWNED_GROUP_TODAY}.tmp mv -f ${UNOWNED_GROUP_TODAY}.tmp ${UNOWNED_GROUP_TODAY} fi if [[ -f ${SUID_ROOT_TODAY} ]]; then while read line; do md5sum ${line} done < ${SUID_ROOT_TODAY} > ${SUID_MD5_TODAY} fi ### rpm database check if [[ ${RPM_CHECK} == yes ]]; then if [ -f /var/lib/rpm/__db.001 -o -f /var/lib/rpm/__db.002 ]; then rm -f /var/lib/rpm/__db.00* rpm --rebuilddb fi rpm -qa --qf "%{NAME}-%{VERSION}-%{RELEASE}\t%{INSTALLTIME}\n" | sort > ${RPM_QA_TODAY} nice --adjustment=+19 rpm -V `cut -f 1 < ${RPM_QA_TODAY} | grep -v '^dev-[0-9]'` | grep '^..5' | sed 's/...........//' | sort > ${RPM_VA_TODAY} fi ### chkrootkit checks if [[ ${CHKROOTKIT_CHECK} == yes ]]; then if [ -x /usr/sbin/chkrootkit ]; then /usr/sbin/chkrootkit > ${CHKROOTKIT_TODAY} fi fi ### Functions ### Syslog() { if [[ ${SYSLOG_WARN} == yes ]]; then while read line; do /sbin/initlog --string="${line}" done < ${1} fi } Ttylog() { if [[ ${TTY_WARN} == yes ]]; then for i in `w | grep -v "load\|TTY" | grep '^root' | awk '{print $2}'` ; do cat ${1} > /dev/$i done fi } Maillog() { subject=${1} text=${2} if [[ ${MAIL_WARN} == yes ]]; then if [[ -z ${MAIL_USER} ]]; then MAIL_USER="root" fi if [[ -x /bin/mail ]]; then cat ${text} | /bin/mail -s "${subject}" "${MAIL_USER}" fi fi } ################## . /usr/share/msec/diff_check.sh . /usr/share/msec/security_check.sh