author | Eugeni Dodonov <eugeni@mandriva.org> | 2009-08-30 23:48:40 +0000 |
---|---|---|
committer | Eugeni Dodonov <eugeni@mandriva.org> | 2009-08-30 23:48:40 +0000 |
commit | 3f183f5f0da46e0b9eebc9e149fd3d36f8f1d839 (patch) | |
tree | 38ef8f608c938ef70223c5b786b21c7aa00501aa | |
parent | 99e7d49a44b2968bea73d5062638d2225a0de063 (diff) | |
Support enforcing file permissions in periodic msec runs
-rw-r--r-- | NEWS | 1 | ||||
-rw-r--r-- | conf/level.standard | 2 | ||||
-rwxr-xr-x | cron-sh/scripts/01_files.sh | 11 | ||||
-rw-r--r-- | po/msec.pot | 4 | ||||
-rw-r--r-- | src/msec/config.py | 2 | ||||
-rwxr-xr-x | src/msec/libmsec.py | 2 |
6 files changed, 14 insertions, 8 deletions
@@ -1,3 +1,4 @@
+- support enforcing file permissions in periodic msec runs
 - allow configuring inclusion of current directory into path
 - do not crash if config files have empty lines (#53031)
diff --git a/conf/level.standard b/conf/level.standard
index c43a0da..dca63e8 100644
--- a/conf/level.standard
+++ b/conf/level.standard
@@ -5,7 +5,7 @@ CHECK_WRITABLE=yes
 ENABLE_IP_SPOOFING_PROTECTION=yes
 MAIL_EMPTY_CONTENT=no
 ACCEPT_BROADCASTED_ICMP_ECHO=yes
-CHECK_PERMS=yes
+CHECK_PERMS=no
 CHECK_USER_FILES=yes
 ENABLE_SUDO=wheel
 ALLOW_XSERVER_TO_LISTEN=no
diff --git a/cron-sh/scripts/01_files.sh b/cron-sh/scripts/01_files.sh
index a38a874..b9940ed 100755
--- a/cron-sh/scripts/01_files.sh
+++ b/cron-sh/scripts/01_files.sh
@@ -237,11 +237,16 @@ fi
 fi # End of CHECK_USER_FILES
 
 # now check default permissions
-if [[ ${CHECK_PERMS} == yes ]]; then
+if [[ ${CHECK_PERMS} == yes || ${CHECK_PERMS} == enforce ]]; then
+ if [[ ${CHECK_PERMS} == enforce ]]; then
+ MSECPERMS_PARAMS="-e"
+ else
+ MSECPERMS_PARAMS=""
+ fi
 # running msec_perms
- /usr/sbin/msecperms > ${MSEC_TMP} 2>&1
+ /usr/sbin/msecperms $MSECPERMS_PARAMS > ${MSEC_TMP} 2>&1
 if [[ -s ${MSEC_TMP} ]]; then
- printf "\nPermissions changes on system files:\n" >> ${SECURITY}
+ printf "\nPermissions changes on files watched by msec:\n" >> ${SECURITY}
 cat ${MSEC_TMP} | sed -e 's/WARNING: //g' >> ${SECURITY}
 fi
 fi
diff --git a/po/msec.pot b/po/msec.pot
index 1978cbd..f799950 100644
--- a/po/msec.pot
+++ b/po/msec.pot
@@ -5,7 +5,7 @@
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2009-08-30 16:40+BRT\n"
+"POT-Creation-Date: 2009-08-30 20:30+BRT\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
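Review bot: The `-CHECK_PERMS=yes` / `+CHECK_PERMS=no` pair in conf/level.standard switches periodic permission checking off for the standard level, a default-policy regression that neither the commit title ("Support enforcing file permissions") nor the new NEWS line mentions. If the intent is to keep reports quiet until enforce mode is tuned, say so next to the setting, e.g. `# CHECK_PERMS: no = skip, yes = report deviations, enforce = rewrite permissions to msec policy`; otherwise keep `CHECK_PERMS=yes` so that deviations on msec-watched files are still reported by the cron run on a default install.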
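Review bot: In the 01_files.sh hunk the enforce branch passes `-e` to msecperms but the report heading stays "Permissions changes on files watched by msec", so an administrator reading the security report cannot tell whether the listed entries were merely flagged or were rewritten on disk by a root cron job. Make the heading depend on the mode, e.g. `[[ ${CHECK_PERMS} == enforce ]] && hdr="Permissions enforced on files watched by msec" || hdr="Permissions changes on files watched by msec"` followed by `printf "\n%s:\n" "$hdr" >> ${SECURITY}`. `$MSECPERMS_PARAMS` is unquoted on purpose so that an empty value expands to no argument; a comment such as `# intentionally unquoted: empty value must expand to no argument` would stop a later cleanup from quoting it and passing "" to msecperms. Whether msecperms prints only the files it actually modified in `-e` mode cannot be confirmed from this hunk.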
@@ -156,7 +156,7 @@ msgid "Defines the base security level, on top of which the current configuratio
 msgstr ""
 
 #: ../src/msec/help.py:84
-msgid "Enable periodic permission checking for system files."
+msgid "Enable periodic permission checking for files specified in msec settings. If set to yes, the permissions are verified on every run. If set to enforce, incorrect permissions are restored to the ones specified in msec security policy."
 msgstr ""
 
 #: ../src/msec/help.py:86
diff --git a/src/msec/config.py b/src/msec/config.py
index a70ca4f..2be993e 100644
--- a/src/msec/config.py
+++ b/src/msec/config.py
@@ -53,7 +53,7 @@ PLUGINS_DIR="/usr/share/msec/plugins"
 # OPTION callback valid values
 SETTINGS = {'BASE_LEVEL': ("libmsec.base_level", ['*']),
 'CHECK_SECURITY' : ("libmsec.check_security", ['yes', 'no']),
- 'CHECK_PERMS' : ("libmsec.check_perms", ['yes', 'no']),
+ 'CHECK_PERMS' : ("libmsec.check_perms", ['yes', 'no', 'enforce']),
 'CHECK_USER_FILES' : ("libmsec.check_user_files", ['yes', 'no']),
 'CHECK_SUID_ROOT' : ("libmsec.check_suid_root", ['yes', 'no']),
 'CHECK_SUID_MD5' : ("libmsec.check_suid_md5", ['yes', 'no']),
diff --git a/src/msec/libmsec.py b/src/msec/libmsec.py
index 4d9dc1b..ecd909b 100755
--- a/src/msec/libmsec.py
+++ b/src/msec/libmsec.py
@@ -1405,7 +1405,7 @@ class MSEC:
 pass
 
 def check_perms(self, param):
- """ Enable periodic permission checking for system files."""
+ """ Enable periodic permission checking for files specified in msec policy. If set to yes, the permissions are verified on every run. If set to enforce, incorrect permissions are restored to the ones specified in msec security policy."""
 pass
 
 def check_user_files(self, param):
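Review bot: The config.py hunk adds `'enforce'` to the CHECK_PERMS validator list with nothing at the definition saying that it is a superset of `yes` which also modifies files, while every neighbouring setting is a plain yes/no; the cron script in this same commit compares against the same literal strings, so the two lists have to stay in step. A comment on the entry makes both facts visible where a maintainer will edit them: `# 'enforce' = check and rewrite to policy; keep in sync with cron-sh/scripts/01_files.sh`.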
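Review bot: The new check_perms docstring in libmsec.py says "files specified in msec policy" while the help string for the same option added in po/msec.pot (extracted from help.py:84) says "files specified in msec settings"; the two texts are otherwise word-for-word identical, so the user-facing help and the code documentation now diverge and will drift further. Use the same sentence in both places and name the third accepted value explicitly, since the method body is only `pass` and the docstring is the whole contract, e.g. `""" Enable periodic permission checking for files specified in msec settings (yes, no or enforce). ...`. The check_perms method is fully inside the hunk, but the enclosing MSEC class starts outside it.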