#!/usr/bin/python
"""Msec plugin for auditing checks"""

# main plugin class name: presumably what the msec plugin loader looks up to
# find the class to instantiate, so it must match `class audit` defined below
PLUGIN = "audit"

# configuration
import config

import gettext
# localization: gettext.install() makes _() available as a builtin for the
# 'msec' domain.  If the catalog lookup raises IOError, bind _ to str so the
# log messages below still work (untranslated).  CPython's install() falls back
# to NullTranslations when no catalog is found, so this branch is defensive.
try:
    gettext.install('msec')
except IOError:
    _ = str

# Crontab fragment managed by audit.check_promisc(): CRON_ENTRY runs
# promisc_check.sh as root once a minute.  CRON_REGEX is meant to match the
# existing entry while skipping commented-out lines; note that '[^#]+' only
# guarantees that if get_match() anchors the pattern at the line start
# (re.match) — with an unanchored search a '#' earlier on the line would not
# prevent a match.  TODO(review): confirm against the ConfigFile implementation.
CRON = '/etc/cron.d/msec'
CRON_REGEX = '[^#]+/usr/share/msec/promisc_check.sh'
CRON_ENTRY = '*/1 * * * *    root    /usr/share/msec/promisc_check.sh'
# Daily security check managed by audit.check_security(): SECURITYCRON is a
# symlink in cron.daily that points at SECURITYSH.
SECURITYCRON = '/etc/cron.daily/msec'
SECURITYSH = '/usr/share/msec/security.sh'

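class audit:
    """Msec plugin exposing the periodic ("auditing") checks.

    The checks themselves are run by /usr/share/msec/security.sh from cron.
    Most methods below are empty wrappers whose only purpose is to give
    msecgui a callable per setting and a docstring to show as the option's
    description (see the comment before check_perms).  Those docstrings are
    therefore user-facing text and must be kept stable; do not "improve" them.
    Only check_promisc() and check_security() change anything on the system,
    and they do so through the ConfigFile objects handed out by
    self.configfiles.
    """

    def __init__(self, log=None, configfiles=None, root=None):
        """This plugins is responsible for all auditing checks, which are performed by
        /usr/share/msec/security.sh. The following functions are used as wrappers,
        and are defined by msecgui."""
        # log, configfiles and root are supplied by the msec core; only
        # check_promisc() and check_security() use them, so None is acceptable
        # for an instance that is only queried for descriptions.
        self.log = log
        self.configfiles = configfiles
        self.root = root

        # Register each setting as (callable name, allowed values).  The
        # allowed-value lists are what the rest of msec is expected to validate
        # user input against; MAIL_USER accepts any value ('*').
        config.SETTINGS['CHECK_PERMS'] = ("audit.check_perms", ['yes', 'no', 'enforce'])
        config.SETTINGS['CHECK_USER_FILES'] = ("audit.check_user_files", ['yes', 'no'])
        config.SETTINGS['CHECK_SUID_ROOT'] = ("audit.check_suid_root", ['yes', 'no'])
        config.SETTINGS['CHECK_SUID_MD5'] = ("audit.check_suid_md5", ['yes', 'no'])
        config.SETTINGS['CHECK_SGID'] = ("audit.check_sgid", ['yes', 'no'])
        config.SETTINGS['CHECK_WRITABLE'] = ("audit.check_writable", ['yes', 'no'])
        config.SETTINGS['CHECK_UNOWNED'] = ("audit.check_unowned", ['yes', 'no'])
        config.SETTINGS['FIX_UNOWNED'] = ("audit.fix_unowned", ['yes', 'no'])
        config.SETTINGS['CHECK_PROMISC'] = ("audit.check_promisc", ['yes', 'no'])
        config.SETTINGS['CHECK_OPEN_PORT'] = ("audit.check_open_port", ['yes', 'no'])
        config.SETTINGS['CHECK_FIREWALL'] = ("audit.check_firewall", ['yes', 'no'])
        config.SETTINGS['CHECK_PASSWD'] = ("audit.check_passwd", ['yes', 'no'])
        config.SETTINGS['CHECK_SHADOW'] = ("audit.check_shadow", ['yes', 'no'])
        config.SETTINGS['CHECK_CHKROOTKIT'] = ("audit.check_chkrootkit", ['yes', 'no'])
        config.SETTINGS['CHECK_RPM_PACKAGES'] = ("audit.check_rpm_packages", ['yes', 'no'])
        config.SETTINGS['CHECK_RPM_INTEGRITY'] = ("audit.check_rpm_integrity", ['yes', 'no'])
        config.SETTINGS['CHECK_SHOSTS'] = ("audit.check_shosts", ['yes', 'no'])
        config.SETTINGS['CHECK_USERS'] = ("audit.check_users", ['yes', 'no'])
        config.SETTINGS['CHECK_GROUPS'] = ("audit.check_groups", ['yes', 'no'])
        # notifications
        config.SETTINGS['TTY_WARN'] = ("audit.tty_warn", ['yes', 'no'])
        config.SETTINGS['MAIL_WARN'] = ("audit.mail_warn", ['yes', 'no'])
        config.SETTINGS['MAIL_USER'] = ("audit.mail_user", ['*'])
        config.SETTINGS['MAIL_EMPTY_CONTENT'] = ("audit.mail_empty_content", ['yes', 'no'])
        config.SETTINGS['SYSLOG_WARN'] = ("audit.syslog_warn", ['yes', 'no'])
        config.SETTINGS['NOTIFY_WARN'] = ("audit.notify_warn", ['yes', 'no'])
        # security checks from audit plugins
        config.SETTINGS['CHECK_SECURITY'] = ("audit.check_security", ['yes', 'no'])
        config.SETTINGS['CHECK_ON_BATTERY'] = ("audit.check_on_battery", ['yes', 'no'])

        # Settings shown on msecgui's "periodic checks" page (order preserved).
        # MAIL_WARN, MAIL_USER, NOTIFY_WARN and CHECK_SECURITY are deliberately
        # not listed here.
        for check in ["CHECK_PERMS", "CHECK_USER_FILES", "CHECK_SUID_ROOT", "CHECK_SUID_MD5", "CHECK_SGID",
                    "CHECK_WRITABLE", "CHECK_UNOWNED", "FIX_UNOWNED", "CHECK_PROMISC", "CHECK_OPEN_PORT", "CHECK_FIREWALL",
                    "CHECK_PASSWD", "CHECK_SHADOW", "CHECK_CHKROOTKIT", "CHECK_RPM_PACKAGES", "CHECK_RPM_INTEGRITY",
                    "CHECK_SHOSTS", "CHECK_USERS", "CHECK_GROUPS",
                    "TTY_WARN", "SYSLOG_WARN", "MAIL_EMPTY_CONTENT", "CHECK_ON_BATTERY"]:
            config.SETTINGS_PERIODIC.append(check)

        # Checks for which the user may maintain an exception list.
        for check in ["CHECK_PERMS", "CHECK_USER_FILES", "CHECK_SUID_ROOT", "CHECK_SUID_MD5", "CHECK_SGID",
                    "CHECK_WRITABLE", "CHECK_UNOWNED", "CHECK_OPEN_PORT", "CHECK_FIREWALL",
                    "CHECK_PASSWD", "CHECK_SHADOW", "CHECK_RPM_PACKAGES", "CHECK_RPM_INTEGRITY",
                    "CHECK_SHOSTS", "CHECK_USERS", "CHECK_GROUPS"]:
            config.CHECKS_WITH_EXCEPTIONS.append(check)

    # The following checks are run from crontab. We only have these functions here
    # to get their descriptions.  Their docstrings are the text msecgui displays
    # (and presumably the gettext msgids for its translations), so they must stay
    # byte-identical; `param` is accepted for signature compatibility and ignored.

    def check_perms(self, param):
        """ Enable periodic permission checking for files specified in msec policy. If set to yes, the permissions are verified on every run. If set to enforce, incorrect permissions are restored to the ones specified in msec security policy."""
        pass

    def check_user_files(self, param):
        """ Enable permission checking on users' files that should not be owned by someone else, or writable."""
        pass

    def check_suid_root(self, param):
        """ Enable checking for additions/removals of suid root files."""
        pass

    def check_suid_md5(self, param):
        """ Enable checksum verification for suid files."""
        pass

    def check_sgid(self, param):
        """ Enable checking for additions/removals of sgid files."""
        pass

    def check_writable(self, param):
        """ Enable checking for files/directories writable by everybody."""
        pass

    def check_unowned(self, param):
        """ Enable checking for unowned files."""
        pass

    def fix_unowned(self, param):
        """ Fix owner and group of unowned files to use nobody/nogroup."""
        pass

    def check_open_port(self, param):
        """ Enable checking for open network ports."""
        pass

    def check_firewall(self, param):
        """ Enable checking for changes in firewall settings."""
        pass

    def check_passwd(self, param):
        """ Enable password-related checks, such as empty passwords and strange super-user accounts."""
        pass

    def check_shadow(self, param):
        """ Enable checking for empty passwords in /etc/shadow (man shadow(5))."""
        pass

    def check_chkrootkit(self, param):
        """ Enable checking for known rootkits using chkrootkit."""
        pass

    def check_rpm_packages(self, param):
        """ Enable verification for changes in the installed RPM packages. This will notify you when new packages are installed or removed."""
        pass

    def check_rpm_integrity(self, param):
        """ Enable verification of integrity of installed RPM packages. This will notify you if checksums of the installed files were changed, showing separate results for binary and configuration files."""
        pass

    def tty_warn(self, param):
        """ Enable periodic security check results to terminal."""
        pass

    def mail_warn(self, param):
        """ Send security check results by email."""
        pass

    def mail_empty_content(self, param):
        """ Send mail reports even if no changes were detected."""
        pass

    def syslog_warn(self, param):
        """ Enables logging of periodic checks to system log."""
        pass

    def mail_user(self, param):
        """ User email to receive security notifications."""
        pass

    def check_shosts(self, param):
        """ Enable checking for dangerous options in users' .rhosts/.shosts files."""
        pass

    def check_users(self, param):
        """ Enable checking for changes in system users."""
        pass

    def check_groups(self, param):
        """ Enable checking for changes in system groups."""
        pass

    def notify_warn(self, param):
        """Show security notifications in system tray using libnotify."""
        pass

    def check_on_battery(self, param):
        """Run security checks when machine is running on battery power."""
        pass

    def check_promisc(self, param):
        '''  Activate ethernet cards promiscuity check.'''
        # /etc/cron.d/msec is edited through the ConfigFile wrapper (which
        # presumably honours self.root — verify in configfiles).  CRON_ENTRY is
        # a fixed string that runs promisc_check.sh as root every minute; no
        # configuration value is interpolated into the crontab line.
        cron = self.configfiles.get_config_file(CRON)

        # Presumably the current promisc_check.sh line, or a false value when
        # absent (it is compared to the full CRON_ENTRY below).
        val = cron.get_match(CRON_REGEX)

        if param == "yes":
            # (Re)write the entry whenever it is missing or differs from the
            # expected one.
            if val != CRON_ENTRY:
                self.log.info(_('Activating periodic promiscuity check'))
                cron.replace_line_matching(CRON_REGEX, CRON_ENTRY, 1)
        else:
            # Any value other than "yes" (including "no") disables the check;
            # the SETTINGS entry declares only yes/no as valid.  The removal
            # uses the same pattern as the lookup above instead of a duplicated
            # literal so the two cannot drift apart.
            if val:
                self.log.info(_('Disabling periodic promiscuity check'))
                cron.remove_line_matching(CRON_REGEX)

    def check_security(self, arg):
        """ Enable daily security checks."""
        # A security.sh entry in /etc/cron.d/msec is dropped unconditionally
        # (presumably a left-over from earlier versions), so the daily check
        # is never scheduled twice and is fully off when arg != "yes".
        cron = self.configfiles.get_config_file(CRON)
        cron.remove_line_matching('[^#]+/usr/share/msec/security.sh')

        # Current mechanism: a symlink in /etc/cron.daily pointing at security.sh.
        securitycron = self.configfiles.get_config_file(SECURITYCRON)

        if arg == "yes":
            # NOTE(review): exists() only checks presence; a pre-existing file or
            # a symlink to some other target at SECURITYCRON is left untouched.
            if not securitycron.exists():
                self.log.info(_('Activating daily security check'))
                securitycron.symlink(SECURITYSH)
        else:
            if securitycron.exists():
                self.log.info(_('Disabling daily security check'))
                securitycron.unlink()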