aboutsummaryrefslogtreecommitdiffstats
path: root/cron-sh
diff options
context:
space:
mode:
authorFrederic Lepied <flepied@mandriva.com>2005-02-21 13:34:06 +0000
committerFrederic Lepied <flepied@mandriva.com>2005-02-21 13:34:06 +0000
commitccfa055b51d33154c8106da75a78aa183f135f1a (patch)
tree9bb350d222fa5a5e981d755b1b31f95a419f6ff8 /cron-sh
parent82a6400cb0c72d3eb1ab9f40a79265d1bb798055 (diff)
downloadmsec-ccfa055b51d33154c8106da75a78aa183f135f1a.tar
msec-ccfa055b51d33154c8106da75a78aa183f135f1a.tar.gz
msec-ccfa055b51d33154c8106da75a78aa183f135f1a.tar.bz2
msec-ccfa055b51d33154c8106da75a78aa183f135f1a.tar.xz
msec-ccfa055b51d33154c8106da75a78aa183f135f1a.zip
filter home dir too (Guillaume Rousse, bug #12335)
Diffstat (limited to 'cron-sh')
-rwxr-xr-xcron-sh/security.sh3
-rwxr-xr-xcron-sh/security_check.sh41
2 files changed, 28 insertions, 16 deletions
diff --git a/cron-sh/security.sh b/cron-sh/security.sh
index 4aee135..1da3ef0 100755
--- a/cron-sh/security.sh
+++ b/cron-sh/security.sh
@@ -69,6 +69,7 @@ RPM_QA_YESTERDAY="/var/log/security/rpm-qa.yesterday"
RPM_QA_DIFF="/var/log/security/rpm-qa.diff"
export CHKROOTKIT_TODAY="/var/log/security/chkrootkit.today"
CHKROOTKIT_YESTERDAY="/var/log/security/chkrootkit.yesterday"
+export EXCLUDE_REGEXP
# Modified filters coming from debian security scripts.
CS_NFSAFS='(nfs|afs|coda)'
@@ -78,6 +79,8 @@ CS_DIRS='on /mnt'
FILTERS="$CS_TYPES|$CS_DEVS|$CS_DIRS"
DIR=`mount | grep -vE "$FILTERS" | cut -d ' ' -f3`
PRINT="%h/%f\n"
+EXCLUDEDIR=`mount | grep -E "$FILTERS" | cut -d ' ' -f3`
+export EXCLUDEDIR
if [[ ! -d /var/log/security ]]; then
mkdir /var/log/security
diff --git a/cron-sh/security_check.sh b/cron-sh/security_check.sh
index b97b551..faadc53 100755
--- a/cron-sh/security_check.sh
+++ b/cron-sh/security_check.sh
@@ -23,6 +23,7 @@ INFOS=`mktemp /tmp/secure.XXXXXX`
SECURITY=`mktemp /tmp/secure.XXXXXX`
SECURITY_LOG="/var/log/security.log"
TMP=`mktemp /tmp/secure.XXXXXX`
+FILTER="\(`echo $EXCLUDEDIR | sed -e 's/ /\\\|/g'`\)"
if [[ ! -d /var/log/security ]]; then
mkdir /var/log/security
@@ -63,12 +64,14 @@ list=".netrc .rhosts .shosts .Xauthority .gnupg/secring.gpg \
.pgp/secring.pgp .ssh/identity .ssh/id_dsa .ssh/id_rsa .ssh/random_seed"
getent passwd | awk -F: '/^[^+-]/ { print $1 " " $3 " " $6 }' |
while read username uid homedir; do
- for f in ${list} ; do
- file="${homedir}/${f}"
- if [[ -f ${file} ]] ; then
- printf "${uid} ${username} ${file} `ls -LldcGn ${file}`\n"
- fi
- done
+ if ! expr $homedir : $FILTER > /dev/null; then
+ for f in ${list} ; do
+ file="${homedir}/${f}"
+ if [[ -f ${file} ]] ; then
+ printf "${uid} ${username} ${file} `ls -LldcGn ${file}`\n"
+ fi
+ done
+ fi
done | awk '$1 != $6 && $6 != "0" \
{ print "\t\t- " $3 " : file is owned by uid " $6 "." }
$4 ~ /^-...r/ \
@@ -92,12 +95,14 @@ list=".bashrc .bash_profile .bash_login .bash_logout .cshrc .emacs .exrc \
.ssh/known_hosts .ssh/rc .twmrc .xsession .xinitrc .Xdefaults"
getent passwd | awk -F: '/^[^+-]/ { print $1 " " $3 " " $6 }' | \
while read username uid homedir; do
+ if ! expr $homedir : $FILTER > /dev/null; then
for f in ${list} ; do
file=${homedir}/${f}
if [[ -f ${file} ]] ; then
printf "${uid} ${username} ${file} `ls -LldcGn ${file}`\n"
fi
done
+ fi
done | awk '$1 != $6 && $6 != "0" \
{ print "\t\t- " $3 " : file is owned by uid " $6 "." }
$4 ~ /^.....w/ \
@@ -113,12 +118,14 @@ fi
### Check home directories. Directories should not be owned by someone else or writable.
getent passwd | awk -F: '/^[^+-]/ { print $1 " " $3 " " $6 }' | \
while read username uid homedir; do
+ if ! expr $homedir : $FILTER > /dev/null; then
if [[ -d ${homedir} ]] ; then
realuid=`ls -LldGn ${homedir}| awk '{ print $3 }'`
realuser=`ls -LldG ${homedir}| awk '{ print $3 }'`
permissions=`ls -LldG ${homedir}| awk '{ print $1 }'`
printf "${permissions} ${username} (${uid}) ${realuser} (${realuid})\n"
fi
+ fi
done | awk '$3 != $5 && $5 != "(0)" \
{ print "user=" $2 $3 " : home directory is owned by " $4 $5 "." }
$1 ~ /^d....w/ && $2 != "lp" && $2 != "mail" \
@@ -206,16 +213,18 @@ done > ${TMP}
getent passwd | awk -F: '{print $1" "$6}' |
while read username homedir; do
- for file in .rhosts .shosts; do
- if [[ -s ${homedir}/${file} ]] ; then
- awk '{
- if ($0 ~ /^\+@.*$/)
- next;
- if ($0 ~ /^\+.*$/)
- printf("\t\t- %s: %s\n", FILENAME, $0);
- }' ${homedir}/${file}
- fi
- done >> ${TMP}
+ if ! expr $homedir : $FILTER > /dev/null; then
+ for file in .rhosts .shosts; do
+ if [[ -s ${homedir}/${file} ]] ; then
+ awk '{
+ if ($0 ~ /^\+@.*$/)
+ next;
+ if ($0 ~ /^\+.*$/)
+ printf("\t\t- %s: %s\n", FILENAME, $0);
+ }' ${homedir}/${file}
+ fi
+ done >> ${TMP}
+ fi
done
if [[ -s ${TMP} ]]; then