blob: ceacb243a58ccad54d0a793dcbcf9ebecb490cee (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
|
#!/bin/bash
#
# This script upgrades msec configuration files from previous versions
# to the up-to-date format
#
if [ "`whoami`" != "root" ]; then
echo 'msec: sorry, you must be root !'
exit 1
fi
# upgrade from 2009.0 or previous versions
# manage spelling change
for i in /etc/security/msec/level.local /etc/security/msec/security.conf /var/lib/msec/security.conf; do
if [ -f $i ]; then
perl -pi -e 's/CHECK_WRITEABLE/CHECK_WRITABLE/g;s/CHECK_SUID_GROUP/CHECK_SGID/g' $i
fi
done
for ext in today yesterday diff; do
if [ -f /var/log/security/writeable.$ext ]; then
mv -f /var/log/security/writeable.$ext /var/log/security/writable.$ext
fi
if [ -f /var/log/security/suid_group.$ext ]; then
mv -f /var/log/security/suid_group.$ext /var/log/security/sgid.$ext
fi
done
# find secure level
SL=$SECURE_LEVEL
[ ! -r /etc/sysconfig/msec ] || SL=`sed -n 's/SECURE_LEVEL=//p' < /etc/sysconfig/msec` || :
# upgrade from old style msec or rerun the new msec
if grep -q "# Mandrake-Security : if you remove this comment" /etc/profile; then
[ -z "$SL" -a -r /etc/profile.d/msec.sh ] && SL=`sed -n 's/.*SECURE_LEVEL=//p' < /etc/profile.d/msec.sh` || :
/usr/share/msec/cleanold.sh || :
fi
# remove the old way of doing the daily cron
rm -f /etc/cron.d/msec
# upgrading old config files
if [ -n "$SL" ]; then
# old msec installation, pre 2009.1
# grab old configuration
OLDCONFIG=`mktemp /etc/security/msec/upgrade.XXXXXX`
[ -s /var/lib/msec/security.conf ] && cat /var/lib/msec/security.conf >> $OLDCONFIG
[ -s /etc/security/msec/security.conf ] && cat /etc/security/msec/security.conf >> $OLDCONFIG
if [ "$SL" -gt 3 ]; then
NEWLEVEL="secure"
elif [ "$SL" -gt 1 ]; then
NEWLEVEL="standard"
else
NEWLEVEL="none"
fi
if [ ! -s /etc/security/msec/security.conf ]; then
cp -f /etc/security/msec/level.$NEWLEVEL /etc/security/msec/security.conf
fi
if [ ! -s /etc/security/msec/perms.conf ]; then
cp -f /etc/security/msec/perm.$NEWLEVEL /etc/security/msec/perms.conf
fi
if [ -f /etc/sysconfig/msec ]; then
cat /etc/sysconfig/msec | grep -v SECURE_LEVEL > /etc/security/shell
fi
# upgrading old configuration
if [ -s "$OLDCONFIG" ]; then
cat ${OLDCONFIG} | sort | uniq >> /etc/security/msec/security.conf
fi
rm -f $OLDCONFIG
fi
# fixing spelling
if [ -f /etc/security/msec/security.conf ]; then
# without-password config setting
sed -i -e 's/without_password/without-password/g' /etc/security/msec/security.conf
# level name changes
sed -i -e 's/=default$/=standard/g' /etc/security/msec/security.conf
# variable name changes
sed -i -e 's/RPM_CHECK=/CHECK_RPM=/g' -e 's/CHKROOTKIT_CHECK=/CHECK_CHKROOTKIT=/g' /etc/security/msec/security.conf
# fixing WIN_PARTS_UMASK upgrade parameters
sed -i -e 's/\(WIN_PARTS_UMASK\)=no/\1=0/g' /etc/security/msec/security.conf
# serverlink changes
sed -i -e 's/\(CREATE_SERVER_LINK\)=standard/\1=no/g' \
-e 's/\(CREATE_SERVER_LINK\)=secure/\1=remote/g' \
/etc/security/msec/security.conf
# CHECK_RPM split into CHECK_RPM_PACKAGES and CHECK_RPM_INTEGRITY
sed -i -e 's/CHECK_RPM=\(.*\)/CHECK_RPM_PACKAGES=\1\nCHECK_RPM_INTEGRITY=\1/g' /etc/security/msec/security.conf
# starting with 2010.1, each periodic check can have a different periodicity
# therefore, for the enabled tests we define their periodicity to 'daily'
# to have the same behavior as on previous versions
CHECK_STRING=""
for z in PERMS USER_FILES SUID_ROOT SUID_MD5 SGID WRITABLE UNOWNED PROMISC OPEN_PORT FIREWALL PASSWD SHADOW CHKROOTKIT RPM_PACKAGES RPM_INTEGRITY SHOSTS USERS GROUPS; do
if [ -z "$CHECK_STRING" ]; then
CHECK_STRING=$z
else
CHECK_STRING="$CHECK_STRING\|$z"
fi
done
sed -i -e "s/\(CHECK_\($CHECK_STRING\)\)=yes/\1=daily/g" /etc/security/msec/security.conf
# removing duplicated entries
TEMPFILE=`mktemp /etc/security/msec/upgrade.XXXXXX`
cat /etc/security/msec/security.conf | sort | uniq > $TEMPFILE 2>/dev/null && mv -f $TEMPFILE /etc/security/msec/security.conf
test -f $TEMPFILE && rm -f $TEMPFILE
fi
|
