diff options
| author | Eugeni Dodonov <eugeni@mandriva.org> | 2009-06-25 19:31:42 +0000 |
|---|---|---|
| committer | Eugeni Dodonov <eugeni@mandriva.org> | 2009-06-25 19:31:42 +0000 |
| commit | 51edd0594c34949c7681e695e52961eb5f61ac4e (patch) | |
| tree | fe01f3347899e6f206803c0850ef17622251bd9c /cron-sh/scripts | |
| parent | c0fe6aeecc246ef9a514fe34c1095d7fc6ef39a8 (diff) | |
| download | msec-51edd0594c34949c7681e695e52961eb5f61ac4e.tar msec-51edd0594c34949c7681e695e52961eb5f61ac4e.tar.gz msec-51edd0594c34949c7681e695e52961eb5f61ac4e.tar.bz2 msec-51edd0594c34949c7681e695e52961eb5f61ac4e.tar.xz msec-51edd0594c34949c7681e695e52961eb5f61ac4e.zip | |
Redesigned auditing code, added support for plugins and better logging.
Diffstat (limited to 'cron-sh/scripts')
| -rwxr-xr-x | cron-sh/scripts/01_files.sh | 327 | ||||
| -rwxr-xr-x | cron-sh/scripts/02_network.sh | 79 | ||||
| -rwxr-xr-x | cron-sh/scripts/03_rpm.sh | 107 | ||||
| -rwxr-xr-x | cron-sh/scripts/04_rootkit.sh | 49 | ||||
| -rwxr-xr-x | cron-sh/scripts/05_access.sh | 125 | ||||
| -rwxr-xr-x | cron-sh/scripts/06_promisc.sh | 53 |
6 files changed, 740 insertions, 0 deletions
diff --git a/cron-sh/scripts/01_files.sh b/cron-sh/scripts/01_files.sh new file mode 100755 index 0000000..dc20bd0 --- /dev/null +++ b/cron-sh/scripts/01_files.sh @@ -0,0 +1,327 @@ +#!/bin/bash +# msec: security check for suid_root binaries + +# check if we are run from main script +if [ -z "$MSEC_TMP" -o -z "$INFOS" -o -z "$SECURITY" -o -z "$DIFF" -o -z "$SECURITY_LOG" ]; then + # variables are set in security.sh and propagated to the subscripts + echo "Error: this check should be run by the main msec security check!" + echo " do not run it directly unless you know what you are doing." + return 1 +fi + +export SUID_ROOT_TODAY="/var/log/security/suid_root.today" +SUID_ROOT_YESTERDAY="/var/log/security/suid_root.yesterday" +SUID_ROOT_DIFF="/var/log/security/suid_root.diff" +export SGID_TODAY="/var/log/security/sgid.today" +SGID_YESTERDAY="/var/log/security/sgid.yesterday" +SGID_DIFF="/var/log/security/sgid.diff" +export SUID_MD5_TODAY="/var/log/security/suid_md5.today" +SUID_MD5_YESTERDAY="/var/log/security/suid_md5.yesterday" +SUID_MD5_DIFF="/var/log/security/suid_md5.diff" +export WRITABLE_TODAY="/var/log/security/writable.today" +WRITABLE_YESTERDAY="/var/log/security/writable.yesterday" +WRITABLE_DIFF="/var/log/security/writable.diff" +export UNOWNED_USER_TODAY="/var/log/security/unowned_user.today" +UNOWNED_USER_YESTERDAY="/var/log/security/unowned_user.yesterday" +UNOWNED_USER_DIFF="/var/log/security/unowned_user.diff" +export UNOWNED_GROUP_TODAY="/var/log/security/unowned_group.today" +UNOWNED_GROUP_YESTERDAY="/var/log/security/unowned_group.yesterday" +UNOWNED_GROUP_DIFF="/var/log/security/unowned_group.diff" + +if [[ -f ${SUID_ROOT_TODAY} ]]; then + mv ${SUID_ROOT_TODAY} ${SUID_ROOT_YESTERDAY}; +fi + +if [[ -f ${SGID_TODAY} ]]; then + mv ${SGID_TODAY} ${SGID_YESTERDAY}; +fi + +if [[ -f ${SUID_MD5_TODAY} ]]; then + mv ${SUID_MD5_TODAY} ${SUID_MD5_YESTERDAY}; +fi + +if [[ -f ${WRITABLE_TODAY} ]]; then + mv ${WRITABLE_TODAY} ${WRITABLE_YESTERDAY}; +fi + +if [[ -f ${UNOWNED_USER_TODAY} ]]; then + mv ${UNOWNED_USER_TODAY} ${UNOWNED_USER_YESTERDAY}; +fi + +if [[ -f ${UNOWNED_GROUP_TODAY} ]]; then + mv ${UNOWNED_GROUP_TODAY} ${UNOWNED_GROUP_YESTERDAY}; +fi + +# only running this check when really required +if [[ ${CHECK_SUID_MD5} == yes || ${CHECK_SUID_ROOT} == yes || ${CHECK_SGID} == yes || ${CHECK_WRITABLE} == yes || ${CHECK_UNOWNED} == yes ]]; then + + # Hard disk related file check; the less priority the better... + nice --adjustment=+19 /usr/bin/msec_find ${DIR} +fi + +if [[ -f ${SUID_ROOT_TODAY} ]]; then + sort < ${SUID_ROOT_TODAY} > ${SUID_ROOT_TODAY}.tmp + mv -f ${SUID_ROOT_TODAY}.tmp ${SUID_ROOT_TODAY} +fi + +if [[ -f ${SGID_TODAY} ]]; then + sort < ${SGID_TODAY} > ${SGID_TODAY}.tmp + mv -f ${SGID_TODAY}.tmp ${SGID_TODAY} +fi + +if [[ -f ${WRITABLE_TODAY} ]]; then + sort < ${WRITABLE_TODAY} | egrep -v '^(/var)?/tmp$' > ${WRITABLE_TODAY}.tmp + mv -f ${WRITABLE_TODAY}.tmp ${WRITABLE_TODAY} +fi + +if [[ -f ${UNOWNED_USER_TODAY} ]]; then + sort < ${UNOWNED_USER_TODAY} > ${UNOWNED_USER_TODAY}.tmp + mv -f ${UNOWNED_USER_TODAY}.tmp ${UNOWNED_USER_TODAY} +fi + +if [[ -f ${UNOWNED_GROUP_TODAY} ]]; then + sort < ${UNOWNED_GROUP_TODAY} > ${UNOWNED_GROUP_TODAY}.tmp + mv -f ${UNOWNED_GROUP_TODAY}.tmp ${UNOWNED_GROUP_TODAY} +fi + +if [[ -f ${SUID_ROOT_TODAY} && ${CHECK_SUID_MD5} == yes ]]; then + while read line; do + md5sum ${line} + done < ${SUID_ROOT_TODAY} > ${SUID_MD5_TODAY} +else + touch ${SUID_MD5_TODAY} +fi + +### New Suid root files detection +if [[ ${CHECK_SUID_ROOT} == yes ]]; then + + if [[ -f ${SUID_ROOT_YESTERDAY} ]]; then + if ! diff -u ${SUID_ROOT_YESTERDAY} ${SUID_ROOT_TODAY} > ${SUID_ROOT_DIFF}; then + printf "\nSecurity Warning: Change in Suid Root files found :\n" >> ${DIFF} + grep '^+' ${SUID_ROOT_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do + printf "\t\t- Newly added suid root file : ${file}\n" + done >> ${DIFF} + grep '^-' ${SUID_ROOT_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do + printf "\t\t- No longer present suid root file : ${file}\n" + done >> ${DIFF} + fi + fi + +fi + +### New Sgid files detection +if [[ ${CHECK_SGID} == yes ]]; then + + if [[ -f ${SGID_YESTERDAY} ]]; then + if ! diff -u ${SGID_YESTERDAY} ${SGID_TODAY} > ${SGID_DIFF}; then + printf "\nSecurity Warning: Changes in Sgid files found :\n" >> ${DIFF} + grep '^+' ${SGID_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do + printf "\t\t- Newly added sgid file : ${file}\n" + done >> ${DIFF} + grep '^-' ${SGID_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do + printf "\t\t- No longer present sgid file : ${file}\n" + done >> ${DIFF} + fi + fi + +fi + +### Writable files detection +if [[ ${CHECK_WRITABLE} == yes ]]; then + + if [[ -f ${WRITABLE_YESTERDAY} ]]; then + diff -u ${WRITABLE_YESTERDAY} ${WRITABLE_TODAY} > ${WRITABLE_DIFF} + if [ -s ${WRITABLE_DIFF} ]; then + printf "\nSecurity Warning: Change in World Writable Files found :\n" >> ${DIFF} + grep '^+' ${WRITABLE_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do + printf "\t\t- Newly added writable file : ${file}\n" + done >> ${DIFF} + grep '^-' ${WRITABLE_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do + printf "\t\t- No longer present writable file : ${file}\n" + done >> ${DIFF} + fi + fi + +fi + +### Search Non Owned files +if [[ ${CHECK_UNOWNED} == yes ]]; then + + if [[ -f ${UNOWNED_USER_YESTERDAY} ]]; then + diff -u ${UNOWNED_USER_YESTERDAY} ${UNOWNED_USER_TODAY} > ${UNOWNED_USER_DIFF} + if [ -s ${UNOWNED_USER_DIFF} ]; then + printf "\nSecurity Warning: the following files aren't owned by an user :\n" >> ${DIFF} + grep '^+' ${UNOWNED_USER_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do + printf "\t\t- Newly added un-owned file : ${file}\n" + done >> ${DIFF} + grep '^-' ${UNOWNED_USER_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do + printf "\t\t- No longer present un-owned file : ${file}\n" + done >> ${DIFF} + fi + fi + + if [[ -f ${UNOWNED_GROUP_YESTERDAY} ]]; then + diff -u ${UNOWNED_GROUP_YESTERDAY} ${UNOWNED_GROUP_TODAY} > ${UNOWNED_GROUP_DIFF} + if [ -s ${UNOWNED_GROUP_DIFF} ]; then + printf "\nSecurity Warning: the following files aren't owned by a group :\n" >> ${DIFF} + grep '^+' ${UNOWNED_GROUP_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do + printf "\t\t- Newly added un-owned file : ${file}\n" + done >> ${DIFF} + grep '^-' ${UNOWNED_GROUP_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do + printf "\t\t- No longer present un-owned file : ${file}\n" + done >> ${DIFF} + fi + fi + +fi + +### Md5 check for SUID root fileg +if [[ ${CHECK_SUID_MD5} == yes ]]; then + ctrl_md5=0; + + if [[ -f ${SUID_MD5_YESTERDAY} ]]; then + diff -u ${SUID_MD5_YESTERDAY} ${SUID_MD5_TODAY} > ${SUID_MD5_DIFF} + if [ -s ${SUID_MD5_DIFF} ]; then + grep '^+' ${SUID_MD5_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | awk '{print $2}' | while read file; do + if cat ${SUID_MD5_YESTERDAY} | awk '{print $2}' | grep -qw ${file}; then + if [[ ${ctrl_md5} == 0 ]]; then + printf "\nSecurity Warning: the md5 checksum for one of your SUID files has changed,\n" >> ${DIFF} + printf "\tmaybe an intruder modified one of these suid binary in order to put in a backdoor...\n" >> ${DIFF} + ctrl_md5=1; + fi + printf "\t\t- Checksum changed file : ${file}\n" + fi + done >> ${DIFF} + fi + fi + +fi + +### Writable file detection +if [[ ${CHECK_WRITABLE} == yes ]]; then + if [[ -s ${WRITABLE_TODAY} ]]; then + printf "\nSecurity Warning: World Writable files found :\n" >> ${SECURITY} + cat ${WRITABLE_TODAY} | awk '{print "\t\t- " $0}' >> ${SECURITY} + fi +fi + +### Search Un Owned file +if [[ ${CHECK_UNOWNED} == yes ]]; then + if [[ -s ${UNOWNED_USER_TODAY} ]]; then + printf "\nSecurity Warning : User Unowned files found :\n" >> ${SECURITY} + printf "\t( theses files now have user \"nobody\" as their owner. )\n" >> ${SECURITY} + cat ${UNOWNED_USER_TODAY} | awk '{print "\t\t- " $0}' >> ${SECURITY} + cat ${UNOWNED_USER_TODAY} | while read line; do + if [[ ${FIX_UNOWNED} == yes ]]; then + chown nobody "${line}"; # Use quote if filename contain space. + fi + done + fi + + if [[ -s ${UNOWNED_GROUP_TODAY} ]]; then + printf "\nSecurity Warning : Group Unowned files found :\n" >> ${SECURITY} + printf "\t( theses files now have group \"nogroup\" as their group owner. )\n" >> ${SECURITY} + cat ${UNOWNED_GROUP_TODAY} | awk '{print "\t\t- " $0}' >> ${SECURITY} + cat ${UNOWNED_GROUP_TODAY} | while read line; do + if [[ ${FIX_UNOWNED} == yes ]]; then + chgrp nogroup "${line}"; # Use quote if filename contain space. + fi + done + fi +fi + +if [[ ${CHECK_USER_FILES} == yes ]]; then +# Files that should not be owned by someone else or readable. +list=".netrc .rhosts .shosts .Xauthority .gnupg/secring.gpg \ +.pgp/secring.pgp .ssh/identity .ssh/id_dsa .ssh/id_rsa .ssh/random_seed" +getent passwd | awk -F: '/^[^+-]/ { print $1 ":" $3 ":" $6 }' | +while IFS=: read username uid homedir; do + if ! expr "$homedir" : "$FILTER" > /dev/null; then + for f in ${list} ; do + file="${homedir}/${f}" + if [[ -f "${file}" ]] ; then + res=`ls -LldcGn "${file}" | sed 's/ \{1,\}/:/g'` + printf "${uid}:${username}:${file}:${res}\n" + fi + done + fi +done | awk -F: '$1 != $6 && $6 != "0" \ + { print "\t\t- " $3 " : file is owned by uid " $6 "." } + $4 ~ /^-...r/ \ + { print "\t\t- " $3 " : file is group readable." } + $4 ~ /^-......r/ \ + { print "\t\t- " $3 " : file is other readable." } + $4 ~ /^-....w/ \ + { print "\t\t- " $3 " : file is group writable." } + $4 ~ /^-.......w/ \ + { print "\t\t- " $3 " : file is other writable." }' > ${MSEC_TMP} + +if [[ -s ${MSEC_TMP} ]]; then + printf "\nSecurity Warning: these files shouldn't be owned by someone else or readable :\n" >> ${SECURITY} + cat ${MSEC_TMP} >> ${SECURITY} +fi + +### Files that should not be owned by someone else or writable. +list=".bashrc .bash_profile .bash_login .bash_logout .cshrc .emacs .exrc \ +.forward .klogin .login .logout .profile .tcshrc .fvwmrc .inputrc .kshrc \ +.nexrc .screenrc .ssh .ssh/config .ssh/authorized_keys .ssh/environment \ +.ssh/known_hosts .ssh/rc .twmrc .xsession .xinitrc .Xdefaults \ +.gnupg .gnupg/secring.gpg .ssh/identity .ssh/id_dsa .ssh/id_rsa \ +.Xauthority .cvspass .subversion/auth .purple/accounts.xml .config " +getent passwd | awk -F: '/^[^+-]/ { print $1 ":" $3 ":" $6 }' | \ +while IFS=: read username uid homedir; do + if ! expr "$homedir" : "$FILTER" > /dev/null; then + for f in ${list} ; do + file="${homedir}/${f}" + if [[ -e "${file}" ]] ; then + res=`ls -LldcGn "${file}" | sed 's/ \{1,\}/:/g'` + printf "${uid}:${username}:${file}:${res}\n" + fi + done + fi +done | awk -F: '$1 != $6 && $6 != "0" \ + { print "\t\t- " $3 " : file is owned by uid " $6 "." } + $4 ~ /^.....w/ \ + { print "\t\t- " $3 " : file is group writable." } + $4 ~ /^........w/ \ + { print "\t\t- " $3 " : file is other writable." }' > ${MSEC_TMP} + +if [[ -s ${MSEC_TMP} ]]; then + printf "\nSecurity Warning: theses files should not be owned by someone else or writable :\n" >> ${SECURITY} + cat ${MSEC_TMP} >> ${SECURITY} +fi + +### Check home directories. Directories should not be owned by someone else or writable. +getent passwd | awk -F: '/^[^+-]/ { print $1 ":" $3 ":" $6 }' | \ +while IFS=: read username uid homedir; do + if ! expr "$homedir" : "$FILTER" > /dev/null; then + if [[ -d "${homedir}" ]] ; then + realuid=`ls -LldGn "${homedir}"| awk '{ print $3 }'` + realuser=`ls -LldG "${homedir}"| awk '{ print $3 }'` + permissions=`ls -LldG "${homedir}"| awk '{ print $1 }'` + printf "${permissions}:${username}:(${uid}):${realuser}:(${realuid})\n" + fi + fi +done | awk -F: '$3 != $5 && $5 != "(0)" \ + { print "user=" $2 $3 " : home directory is owned by " $4 $5 "." } + $1 ~ /^d....w/ && $2 != "lp" && $2 != "mail" \ + { print "user=" $2 $3" : home directory is group writable." } + $1 ~ /^d.......w/ \ + { print "user=" $2 $3" : home directory is other writable." }' > ${MSEC_TMP} + +if [[ -s $MSEC_TMP ]] ; then + printf "\nSecurity Warning: these home directory should not be owned by someone else or writable :\n" >> ${SECURITY} + cat ${MSEC_TMP} >> ${SECURITY} +fi +fi # End of CHECK_USER_FILES + +# now check default permissions +if [[ ${CHECK_PERMS} == yes ]]; then + # running msec_perms + /usr/sbin/msecperms > ${MSEC_TMP} 2>&1 + if [[ -s ${MSEC_TMP} ]]; then + printf "\nPermissions changes on system files:\n" >> ${SECURITY} + cat ${MSEC_TMP} | sed -e 's/WARNING: //g' >> ${SECURITY} + fi +fi + diff --git a/cron-sh/scripts/02_network.sh b/cron-sh/scripts/02_network.sh new file mode 100755 index 0000000..f376724 --- /dev/null +++ b/cron-sh/scripts/02_network.sh @@ -0,0 +1,79 @@ +#!/bin/bash +# msec: network security checks + +# check if we are run from main script +if [ -z "$MSEC_TMP" -o -z "$INFOS" -o -z "$SECURITY" -o -z "$DIFF" -o -z "$SECURITY_LOG" ]; then + # variables are set in security.sh and propagated to the subscripts + echo "Error: this check should be run by the main msec security check!" + echo " do not run it directly unless you know what you are doing." + return 1 +fi + +export OPEN_PORT_TODAY="/var/log/security/open_port.today" +OPEN_PORT_YESTERDAY="/var/log/security/open_port.yesterday" +OPEN_PORT_DIFF="/var/log/security/open_port.diff" +export FIREWALL_TODAY="/var/log/security/open_port.today" +FIREWALL_YESTERDAY="/var/log/security/open_port.yesterday" +FIREWALL_DIFF="/var/log/security/open_port.diff" + +if [[ -f ${OPEN_PORT_TODAY} ]]; then + mv -f ${OPEN_PORT_TODAY} ${OPEN_PORT_YESTERDAY} +fi + +if [[ -f ${FIREWALL_TODAY} ]]; then + mv -f ${FIREWALL_TODAY} ${FIREWALL_YESTERDAY} +fi + +if [[ ${CHECK_OPEN_PORT} == yes ]]; then + netstat -pvlA inet,inet6 2> /dev/null > ${OPEN_PORT_TODAY}; +fi + +if [[ ${CHECK_FIREWALL} == yes ]]; then + iptables -L 2>/dev/null > ${FIREWALL_TODAY} +fi + +### Changed open port +if [[ ${CHECK_OPEN_PORT} == yes ]]; then + + if [[ -f ${OPEN_PORT_YESTERDAY} ]]; then + diff -u ${OPEN_PORT_YESTERDAY} ${OPEN_PORT_TODAY} 1> ${OPEN_PORT_DIFF} + if [ -s ${OPEN_PORT_DIFF} ]; then + printf "\nSecurity Warning: There are modifications for port listening on your machine :\n" >> ${DIFF} + grep '^+' ${OPEN_PORT_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do + printf "\t\t- Opened ports : ${file}\n" + done >> ${DIFF} + grep '^-' ${OPEN_PORT_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do + printf "\t\t- Closed ports : ${file}\n" + done >> ${DIFF} + fi + fi + +fi + +### Changed firewall +if [[ ${CHECK_FIREWALL} == yes ]]; then + + if [[ -f ${FIREWALL_YESTERDAY} ]]; then + diff -u ${FIREWALL_YESTERDAY} ${FIREWALL_TODAY} 1> ${FIREWALL_DIFF} + if [ -s ${FIREWALL_DIFF} ]; then + printf "\nSecurity Warning: There are modifications for firewall configuration on your machine :\n" >> ${DIFF} + grep '^+' ${FIREWALL_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do + printf "\t\t- New entries : ${file}\n" + done >> ${DIFF} + grep '^-' ${FIREWALL_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do + printf "\t\t- Removed entries : ${file}\n" + done >> ${DIFF} + fi + fi + +fi + +### Dump a list of open port. +if [[ ${CHECK_OPEN_PORT} == yes ]]; then + + if [[ -s ${OPEN_PORT_TODAY} ]]; then + printf "\nThese are the ports listening on your machine :\n" >> ${INFOS} + cat ${OPEN_PORT_TODAY} >> ${INFOS} + fi +fi + diff --git a/cron-sh/scripts/03_rpm.sh b/cron-sh/scripts/03_rpm.sh new file mode 100755 index 0000000..6bd4307 --- /dev/null +++ b/cron-sh/scripts/03_rpm.sh @@ -0,0 +1,107 @@ +#!/bin/bash +# msec: rpm security check + +# check if we are run from main script +if [ -z "$MSEC_TMP" -o -z "$INFOS" -o -z "$SECURITY" -o -z "$DIFF" -o -z "$SECURITY_LOG" ]; then + # variables are set in security.sh and propagated to the subscripts + echo "Error: this check should be run by the main msec security check!" + echo " do not run it directly unless you know what you are doing." + return 1 +fi + +export RPM_VA_TODAY="/var/log/security/rpm-va.today" +RPM_VA_YESTERDAY="/var/log/security/rpm-va.yesterday" +RPM_VA_DIFF="/var/log/security/rpm-va.diff" +export RPM_VA_CONFIG_TODAY="/var/log/security/rpm-va-config.today" +RPM_VA_CONFIG_YESTERDAY="/var/log/security/rpm-va-config.yesterday" +RPM_VA_CONFIG_DIFF="/var/log/security/rpm-va-config.diff" +export RPM_QA_TODAY="/var/log/security/rpm-qa.today" +RPM_QA_YESTERDAY="/var/log/security/rpm-qa.yesterday" +RPM_QA_DIFF="/var/log/security/rpm-qa.diff" + +if [[ -f ${RPM_VA_TODAY} ]]; then + mv -f ${RPM_VA_TODAY} ${RPM_VA_YESTERDAY} +fi + +if [[ -f ${RPM_VA_CONFIG_TODAY} ]]; then + mv -f ${RPM_VA_CONFIG_TODAY} ${RPM_VA_CONFIG_YESTERDAY} +fi + +if [[ -f ${RPM_QA_TODAY} ]]; then + mv -f ${RPM_QA_TODAY} ${RPM_QA_YESTERDAY} +fi + +if [[ -f ${CHKROOTKIT_TODAY} ]]; then + mv -f ${CHKROOTKIT_TODAY} ${CHKROOTKIT_YESTERDAY} +fi + +### rpm database check + +if [[ ${CHECK_RPM} == yes ]]; then + rpm -qa --qf "%{NAME}-%{VERSION}-%{RELEASE}\t%{INSTALLTIME}\n" | sort > ${RPM_QA_TODAY} + + rm -f ${RPM_VA_TODAY}.tmp + nice --adjustment=+19 rpm -Va --noscripts | grep '^..5' | sort > ${RPM_VA_TODAY}.tmp + grep -v '^..........c.' ${RPM_VA_TODAY}.tmp | sed 's/^............//' | sort > ${RPM_VA_TODAY} + grep '^..........c.' ${RPM_VA_TODAY}.tmp | sed 's/^............//' | sort > ${RPM_VA_CONFIG_TODAY} + rm -f ${RPM_VA_TODAY}.tmp +fi + +### rpm database checks +if [[ ${CHECK_RPM} == yes ]]; then + + if [[ -s ${RPM_VA_TODAY} ]]; then + printf "\nSecurity Warning: These files belonging to packages are modified on the system :\n" >> ${SECURITY} + cat ${RPM_VA_TODAY} | while read f; do + printf "\t\t- $f\n" + done >> ${SECURITY} + fi + + if [[ -s ${RPM_VA_CONFIG_TODAY} ]]; then + printf "\nSecurity Warning: These config files belonging to packages are modified on the system :\n" >> ${SECURITY} + cat ${RPM_VA_CONFIG_TODAY} | while read f; do + printf "\t\t- $f\n" + done >> ${SECURITY} + fi +fi + +### rpm database +if [[ ${CHECK_RPM} == yes ]]; then + if [[ -f ${RPM_QA_YESTERDAY} ]]; then + diff -u ${RPM_QA_YESTERDAY} ${RPM_QA_TODAY} > ${RPM_QA_DIFF} + if [ -s ${RPM_QA_DIFF} ]; then + printf "\nSecurity Warning: These packages have changed on the system :\n" >> ${DIFF} + grep '^+' ${RPM_QA_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do + printf "\t\t- Newly installed package : ${file}\n" + done >> ${DIFF} + grep '^-' ${RPM_QA_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do + printf "\t\t- No longer present package : ${file}\n" + done >> ${DIFF} + fi + fi + if [[ -f ${RPM_VA_YESTERDAY} ]]; then + diff -u ${RPM_VA_YESTERDAY} ${RPM_VA_TODAY} > ${RPM_VA_DIFF} + if [ -s ${RPM_VA_DIFF} ]; then + printf "\nSecurity Warning: These files belonging to packages have changed of status on the system :\n" >> ${DIFF} + grep '^+' ${RPM_VA_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do + printf "\t\t- Newly modified : ${file}\n" + done >> ${DIFF} + grep '^-' ${RPM_VA_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do + printf "\t\t- No longer modified : ${file}\n" + done >> ${DIFF} + fi + fi + if [[ -f ${RPM_VA_CONFIG_YESTERDAY} ]]; then + diff -u ${RPM_VA_CONFIG_YESTERDAY} ${RPM_VA_CONFIG_TODAY} > ${RPM_VA_CONFIG_DIFF} + if [ -s ${RPM_VA_CONFIG_DIFF} ]; then + printf "\nSecurity Warning: These config files belonging to packages have changed of status on the system :\n" >> ${DIFF} + grep '^+' ${RPM_VA_CONFIG_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do + printf "\t\t- Newly modified : ${file}\n" + done >> ${DIFF} + grep '^-' ${RPM_VA_CONFIG_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do + printf "\t\t- No longer modified : ${file}\n" + done >> ${DIFF} + fi + fi +fi + diff --git a/cron-sh/scripts/04_rootkit.sh b/cron-sh/scripts/04_rootkit.sh new file mode 100755 index 0000000..b83e727 --- /dev/null +++ b/cron-sh/scripts/04_rootkit.sh @@ -0,0 +1,49 @@ +#!/bin/bash +# msec: rootkit security check + +# check if we are run from main script +if [ -z "$MSEC_TMP" -o -z "$INFOS" -o -z "$SECURITY" -o -z "$DIFF" -o -z "$SECURITY_LOG" ]; then + # variables are set in security.sh and propagated to the subscripts + echo "Error: this check should be run by the main msec security check!" + echo " do not run it directly unless you know what you are doing." + return 1 +fi + +export CHKROOTKIT_TODAY="/var/log/security/chkrootkit.today" +CHKROOTKIT_YESTERDAY="/var/log/security/chkrootkit.yesterday" +CHKROOTKIT_DIFF="/var/log/security/chkrootkit.diff" + +### chkrootkit checks +if [[ ${CHECK_CHKROOTKIT} == yes ]]; then + if [ -x /usr/sbin/chkrootkit ]; then + # do not check on NFS + /usr/sbin/chkrootkit -n ${CHKROOTKIT_OPTION} > ${CHKROOTKIT_TODAY} + fi +fi + +### chkrootkit checks +if [[ ${CHECK_CHKROOTKIT} == yes ]]; then + + if [[ -s ${CHKROOTKIT_TODAY} ]]; then + printf "\nChkrootkit report:\n" >> ${SECURITY} + cat ${CHKROOTKIT_TODAY} >> ${SECURITY} + fi +fi + +### Changed chkrootkit +if [[ ${CHECK_CHKROOTKIT} == yes ]]; then + + if [[ -f ${CHKROOTKIT_YESTERDAY} ]]; then + diff -u ${CHKROOTKIT_YESTERDAY} ${CHKROOTKIT_TODAY} 1> ${CHKROOTKIT_DIFF} + if [ -s ${CHKROOTKIT_DIFF} ]; then + printf "\nSecurity Warning: There are modifications for chkrootkit results :\n" >> ${DIFF} + grep '^+' ${CHKROOTKIT_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do + printf "\t\t- Added : ${file}\n" + done >> ${DIFF} + grep '^-' ${CHKROOTKIT_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do + printf "\t\t- Removed : ${file}\n" + done >> ${DIFF} + fi + fi +fi + diff --git a/cron-sh/scripts/05_access.sh b/cron-sh/scripts/05_access.sh new file mode 100755 index 0000000..1168cd7 --- /dev/null +++ b/cron-sh/scripts/05_access.sh @@ -0,0 +1,125 @@ +#!/bin/bash +# msec: system access + +# check if we are run from main script +if [ -z "$MSEC_TMP" -o -z "$INFOS" -o -z "$SECURITY" -o -z "$DIFF" -o -z "$SECURITY_LOG" ]; then + # variables are set in security.sh and propagated to the subscripts + echo "Error: this check should be run by the main msec security check!" + echo " do not run it directly unless you know what you are doing." + return 1 +fi + +### Passwd file check +if [[ ${CHECK_PASSWD} == yes ]]; then + getent passwd | awk -F: '{ + if ( $2 == "" ) + printf("\t\t- /etc/passwd:%d: User \"%s\" has no password !\n", FNR, $1); + else if ($2 !~ /^[x*!]+$/) + printf("\t\t- /etc/passwd:%d: User \"%s\" has a real password (it is not shadowed).\n", FNR, $1); + else if ( $3 == 0 && $1 != "root" ) + printf("\t\t- /etc/passwd:%d: User \"%s\" has id 0 !\n", FNR, $1); + }' > ${MSEC_TMP} + + if [[ -s ${MSEC_TMP} ]]; then + printf "\nSecurity Warning: /etc/passwd check :\n" >> ${SECURITY} + cat ${MSEC_TMP} >> ${SECURITY} + fi +fi + +### Shadow password file Check +if [[ ${CHECK_SHADOW} == yes ]]; then + awk -F: '{ + if ( $2 == "" ) + printf("\t\t- /etc/shadow:%d: User \"%s\" has no password !\n", FNR, $1); + }' < /etc/shadow > ${MSEC_TMP} + + if [[ -s ${MSEC_TMP} ]]; then + printf "\nSecurity Warning: /etc/shadow check :\n" >> ${SECURITY} + cat ${MSEC_TMP} >> ${SECURITY} + fi +fi + +### File systems should not be globally exported. +if [[ -s /etc/exports ]] ; then + awk '{ + if (($1 ~ /^#/) || ($1 ~ /^$/)) next; + readonly = 0; + for (i = 2; i <= NF; ++i) { + if ($i ~ /^-ro$/) + readonly = 1; + else if ($i !~ /^-/) + next; + } + if (readonly) { + print "\t\t- Nfs File system " $1 " globally exported, read-only."; + } else print "\t\t- Nfs File system " $1 " globally exported, read-write."; + }' < /etc/exports > ${MSEC_TMP} + + if [[ -s ${MSEC_TMP} ]] ; then + printf "\nSecurity Warning: Some NFS filesystem are exported globally :\n" >> ${SECURITY} + cat ${MSEC_TMP} >> ${SECURITY} + fi +fi + +### nfs mounts with missing nosuid +/bin/mount | /bin/grep -v nosuid | /bin/grep ' nfs ' > ${MSEC_TMP} +if [[ -s ${MSEC_TMP} ]] ; then + printf "\nSecurity Warning: The following NFS mounts haven't got the nosuid option set :\n" >> ${SECURITY} + cat ${MSEC_TMP} | awk '{ print "\t\t- "$0 }' >> ${SECURITY} +fi + +### Files that should not have + signs. +list="/etc/hosts.equiv /etc/shosts.equiv /etc/hosts.lpd" +for file in $list ; do + if [[ -s ${file} ]] ; then + awk '{ + if ($0 ~ /^\+@.*$/) + next; + if ($0 ~ /^\+.*$/) + printf("\t\t- %s: %s\n", FILENAME, $0); + }' ${file} + fi +done > ${MSEC_TMP} + +### Passwd file check +if [[ ${CHECK_SHOSTS} == yes ]]; then + getent passwd | awk -F: '{print $1" "$6}' | + while read username homedir; do + if ! expr "$homedir" : "$FILTER" > /dev/null; then + for file in .rhosts .shosts; do + if [[ -s ${homedir}/${file} ]] ; then + awk '{ + if ($0 ~ /^\+@.*$/) + next; + if ($0 ~ /^\+.*$/) + printf("\t\t- %s: %s\n", FILENAME, $0); + }' ${homedir}/${file} + fi + done >> ${DIFF} + fi + done + + if [[ -s ${MSEC_TMP} ]]; then + printf "\nSecurity Warning: '+' character found in hosts trusting files,\n" >> ${SECURITY} + printf "\tthis probably mean that you trust certains users/domain\n" >> ${SECURITY} + printf "\tto connect on this host without proper authentication :\n" >> ${SECURITY} + cat ${MSEC_TMP} >> ${SECURITY} + fi +fi + +### executables should not be in the aliases file. +list="/etc/aliases /etc/postfix/aliases" +for file in ${list}; do + if [[ -s ${file} ]]; then + grep -v '^#' ${file} | grep '|' | while read line; do + printf "\t\t- ${line}\n" + done > ${MSEC_TMP} + fi + + if [[ -s ${MSEC_TMP} ]]; then + printf "\nSecurity Warning: The following programs are executed in your mail\n" >> ${SECURITY} + printf "\tvia ${file} files, this could lead to security problems :\n" >> ${SECURITY} + cat ${MSEC_TMP} >> ${SECURITY} + fi +done + diff --git a/cron-sh/scripts/06_promisc.sh b/cron-sh/scripts/06_promisc.sh new file mode 100755 index 0000000..e46620c --- /dev/null +++ b/cron-sh/scripts/06_promisc.sh @@ -0,0 +1,53 @@ +#!/bin/bash +# TODO: this is incomplete for new msec framework + +# Writen by Vandoorselaere Yoann + +Syslog() { + if [[ ${SYSLOG_WARN} == yes ]]; then + logger -t msec -- "${1}" + fi +} + +Ttylog() { + if [[ ${TTY_WARN} == yes ]]; then + w | grep -v "load\|TTY" | grep '^root' | awk '{print $2}' | while read line; do + echo -e "${1}" > /dev/$line + done + fi +} + +LogPromisc() { + date=`date` + Syslog "Security warning : $1 is in promiscuous mode." + Syslog " A sniffer is probably running on your system." + Ttylog "\\033[1;31mSecurity warning : $1 is in promiscuous mode.\\033[0;39m" + Ttylog "\\033[1;31mA sniffer is probably running on your system.\\033[0;39m" + echo -e "\n${date} Security warning : $1 is in promiscuous mode." >> /var/log/security.log + echo " A sniffer is probably running on your system." >> /var/log/security.log + +} + +if [[ -f /etc/security/msec/security.conf ]]; then + . /etc/security/msec/security.conf +else + echo "/etc/security/msec/security.conf don't exist." + return 1 +fi + +if tail /var/log/security.log | grep -q "promiscuous"; then + # Dont flood with warning. + return 0 +fi + +# Check if a network interface is in promiscuous mode... + +if [[ ${CHECK_PROMISC} == no ]]; then + return 0; +fi + +for INTERFACE in `/sbin/ip link list | grep PROMISC | cut -f 2 -d ':';/usr/bin/promisc_check -q`; do + LogPromisc ${INTERFACE} +done + +# promisc_check.sh ends here |