path: root/cron-sh/security.sh
blob: 016625b1c877937a1ce674a05cf7519b6adecdbb (plain)
#!/usr/bin/bash
# msec: this is the main security auditing script
#       it runs all executable scripts from /usr/share/msec/scripts
#       which should be named NN_script_name.sh, where NN represents
#       the order in which they should be executed

export TEXTDOMAINDIR=/usr/share/locale
export TEXTDOMAIN=msec
. gettext.sh

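# Load the msec configuration: the base level's defaults first, then the
# site-specific settings from security.conf (which may override the level).
if [[ ! -f /etc/security/msec/security.conf ]]; then
    eval_gettext "/etc/security/msec/security.conf don't exist."; echo
    exit 1
fi
# Anchor the key at line start (leading blanks allowed) so that a commented
# out "#BASE_LEVEL=..." or another key ending in BASE_LEVEL is not picked up;
# this matches how the shell itself reads the file when it is sourced below.
BASE_LEVEL=$(sed -n 's/^[[:space:]]*BASE_LEVEL=//p' /etc/security/msec/security.conf)
if [[ ! -f "/etc/security/msec/level.${BASE_LEVEL}" ]]; then
    eval_gettext "Error: base level \$BASE_LEVEL not found"; echo
    exit 1
fi
. "/etc/security/msec/level.${BASE_LEVEL}"
. /etc/security/msec/security.conf

# is security check enabled?
[[ ${CHECK_SECURITY} == yes ]] || exit 0

# are we running on battery power? (legacy procfs ACPI interface; when the
# files do not exist grep prints nothing and the audit simply proceeds)
if [[ ${CHECK_ON_BATTERY} == no ]]; then
    if grep 'charging state' /proc/acpi/battery/*/state 2>/dev/null | grep -q 'discharging'; then
        # skipping check as we are running on battery power
        exit 0
    fi
fi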

. /usr/share/msec/functions.sh

# discover current check type
# discover current check type (current_check_type comes from functions.sh)
CURRENT_CHECK_TYPE=$(current_check_type)

# per-check-type lock file and report locations
LCK="/var/run/msec-security-${CURRENT_CHECK_TYPE}.pid"
SECURITY_LOG="/var/log/security.log"
MAIL_LOG_TODAY="/var/log/security/mail.${CURRENT_CHECK_TYPE}.today"
MAIL_LOG_YESTERDAY="/var/log/security/mail.${CURRENT_CHECK_TYPE}.yesterday"

# log formatting: a syslog-style "Mon DD HH:MM:SS host <kind>: " prefix,
# taken once at start-up so every line of one run carries the same stamp
REPORT_DATE=$(date "+%b %d %H:%M:%S")
REPORT_HOSTNAME=$(hostname)
LOG_PREFIX="${REPORT_DATE} ${REPORT_HOSTNAME}"
SECURITY_PREFIX="${LOG_PREFIX} security: "
INFO_PREFIX="${LOG_PREFIX} info: "
DIFF_PREFIX="${LOG_PREFIX} diff: "


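#######################################
# Remove the lock file and the temporary files created by this run.
# Globals:  LCK, MSEC_TMP, SECURITY, INFOS, DIFF (read)
# Returns:  0 always
#######################################
cleanup() {
    local f
    # The exit trap is armed before the temporary files are created, so some
    # of these may still be empty when we get here; skip those instead of
    # handing rm an empty argument. Quoting keeps each path a single word.
    for f in "$LCK" "$MSEC_TMP" "$SECURITY" "$INFOS" "$DIFF"; do
        if [[ -n $f ]]; then
            rm -f -- "$f"
        fi
    done
    return 0
}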

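# Single-instance guard: another run of this check type may still be active.
# The lock file holds the owner's PID. Only a numeric PID is trusted: with an
# empty or corrupted lock file the original "-d /proc/`cat $LCK`" test became
# "-d /proc/", which is always true and silently skipped every future run.
# NOTE(review): a recycled PID still looks live, and test-then-create is not
# atomic across two simultaneous cron starts — confirm whether that matters
# for this job's schedule.
if [[ -f $LCK ]]; then
    lock_pid=$(< "$LCK")
    if [[ $lock_pid =~ ^[0-9]+$ && -d "/proc/${lock_pid}" ]]; then
        exit 0
    fi
    rm -f -- "$LCK"
fi
printf '%s' "$$" > "$LCK"
trap cleanup 0 1 2 15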

# temporary files
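# temporary files (mktemp picks unpredictable names and reports its own
# error on failure). The report cannot be assembled without them, so stop
# here rather than continue with an empty path: a later "> $MSEC_TMP" would
# fail and "cat $INFOS" with no name would block reading stdin. The exit
# trap armed above removes whichever files were already created.
MSEC_TMP=$(mktemp /tmp/secure.XXXXXX) || exit 1
INFOS=$(mktemp /tmp/secure.XXXXXX) || exit 1
SECURITY=$(mktemp /tmp/secure.XXXXXX) || exit 1
DIFF=$(mktemp /tmp/secure.XXXXXX) || exit 1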

# creating security log dir if necessary
# creating security log dir if necessary
# NOTE(review): the directory is created with whatever mode the umask gives;
# the msecperms call below is only handed its contents (/var/log/security/*),
# so confirm the directory mode itself is covered by the system policy.
[[ -d /var/log/security ]] || mkdir /var/log/security

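# lower our own I/O priority so the audit does not starve interactive use
ionice -c3 -p $$

# Run every audit script in order. Scripts are sourced, not executed, so they
# share this shell's variables (presumably that is how they fill SECURITY,
# INFOS and DIFF) and a script that calls `exit` ends the whole audit.
# Skip non-executable files up front: with the former "test -x && . script"
# form, $? held test's status for a disabled script, so it was reported as a
# failed audit script even though it never ran.
for script in /usr/share/msec/scripts/*sh; do
    [[ -x $script ]] || continue
    . "$script"
    ret=$?
    if (( ret != 0 )); then
        eval_gettext "MSEC: audit script \$script failed"; echo
    fi
done

# fix permissions on newly created msec files according to system policy
# (the glob is passed quoted, i.e. unexpanded, for msecperms to handle)
/usr/sbin/msecperms -e '/var/log/msec.log' "$SECURITY_LOG" "/var/log/security/*" &> "$MSEC_TMP"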

# email/show results

# security check
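# security check: report whatever the audit scripts wrote to SECURITY
# NOTE(review): the msecperms output captured in MSEC_TMP above is overwritten
# here before anyone reads it — confirm that is intended.
if [[ -s $SECURITY ]]; then
    Syslog "$SECURITY"
    Ttylog "$SECURITY"

    TEST_ENDED=$(date "+%b %d %H:%M:%S")

    # assemble the mail body with a single redirection
    {
        echo "*** Security Check, ${REPORT_DATE} ***"
        echo "*** Check type: ${CURRENT_CHECK_TYPE} ***"
        echo "*** Check executed from: $0 ***"
        printf "Report summary:\n"
        echo "Test started: $REPORT_DATE"
        echo "Test finished: $TEST_ENDED"
        cat "$INFOS"
        printf "\nDetailed report:\n"
        cat "$SECURITY"
    } > "$MSEC_TMP"

    # append the summary to the security log with one prefix per line.
    # A read loop instead of "sed s/^/$INFO_PREFIX/" keeps the prefix
    # (date + hostname) out of a sed expression, where a '/' or '\' would
    # break the command, and always terminates the last line so the next
    # log entry is not glued onto it.
    while IFS= read -r line || [[ -n $line ]]; do
        printf '%s%s\n' "$INFO_PREFIX" "$line"
    done < "$INFOS" >> "$SECURITY_LOG"

    # save the complete mail text somewhere
    if [[ -f $MAIL_LOG_TODAY ]]; then
        mv "$MAIL_LOG_TODAY" "$MAIL_LOG_YESTERDAY"
    fi
    cat "$MSEC_TMP" > "$MAIL_LOG_TODAY"
    /usr/sbin/msecperms -q "$MAIL_LOG_TODAY"

    Maillog "[msec] *** Security Check on ${REPORT_HOSTNAME}, ${REPORT_DATE} ***" "$MSEC_TMP"
    # the \$ keep the variable references literal so eval_gettext can look up
    # the msgid and substitute them itself
    Notifylog "$(eval_gettext "MSEC has performed Security Check on \${REPORT_HOSTNAME} on \${REPORT_DATE}. Detailed results are available in \${MAIL_LOG_TODAY}")"
fi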

# diff check
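# diff check: changes since the previous run, as recorded in DIFF
if [[ -s $DIFF ]]; then
    Syslog "$DIFF"
    Ttylog "$DIFF"

    # header plus one prefixed line per diff line; the read loop keeps the
    # prefix out of a sed expression and guarantees a trailing newline
    {
        echo "$DIFF_PREFIX *** Diff Check, ${REPORT_DATE} ***"
        while IFS= read -r line || [[ -n $line ]]; do
            printf '%s%s\n' "$DIFF_PREFIX" "$line"
        done < "$DIFF"
    } >> "$SECURITY_LOG"

    # the \$ keep the variable references literal for eval_gettext
    Notifylog "$(eval_gettext "MSEC has performed Diff Check on \${REPORT_HOSTNAME} on \${REPORT_DATE}. Changes in system security were detected and are available in \${SECURITY_LOG}.")"
fi

# NOTE(review): unlike the security-check mail, this one is sent even when
# DIFF is empty — presumably Maillog (functions.sh) skips empty reports; confirm.
Maillog "[msec] *** Diff Check on ${REPORT_HOSTNAME}, ${REPORT_DATE} ***" "$DIFF"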