author | Eugeni Dodonov <eugeni@mandriva.org> | 2009-01-26 15:36:21 +0000 |
---|---|---|
committer | Eugeni Dodonov <eugeni@mandriva.org> | 2009-01-26 15:36:21 +0000 |
commit | 475339c9034f4b19101a7736b2192ad839bf9211 (patch) | |
tree | 4d11ecbad14a1fc1fb47ead90cadbc7ac0e3063d /cron-sh | |
parent | 1e66d3f51061b3c1de53242e0a1172a38c116e36 (diff) | |
download | msec-475339c9034f4b19101a7736b2192ad839bf9211.tar msec-475339c9034f4b19101a7736b2192ad839bf9211.tar.gz msec-475339c9034f4b19101a7736b2192ad839bf9211.tar.bz2 msec-475339c9034f4b19101a7736b2192ad839bf9211.tar.xz msec-475339c9034f4b19101a7736b2192ad839bf9211.zip |
Fixing permissions on msec-created files (#27820 #47059).
Diffstat (limited to 'cron-sh')
-rwxr-xr-x | cron-sh/security_check.sh | 25 |
1 files changed, 15 insertions, 10 deletions
diff --git a/cron-sh/security_check.sh b/cron-sh/security_check.sh
index 796d2c9..89daea2 100755
--- a/cron-sh/security_check.sh
+++ b/cron-sh/security_check.sh
@@ -54,15 +54,6 @@ if [[ ${CHECK_UNOWNED} == yes ]]; then
 fi
 fi
 
-if [[ ${CHECK_PERMS} == yes ]]; then
- # running msec_perms
- /usr/sbin/msecperms > ${TMP} 2>&1
- if [[ -s ${TMP} ]]; then
- printf "\nPermissions changes on system files:\n" >> ${SECURITY}
- cat ${TMP} | sed -e 's/WARNING: //g' >> ${SECURITY}
- fi
-fi
-
 if [[ ${CHECK_USER_FILES} == yes ]]; then
 # Files that should not be owned by someone else or readable.
 list=".netrc .rhosts .shosts .Xauthority .gnupg/secring.gpg \
@@ -220,7 +211,6 @@ done > ${TMP}
 
 ### Passwd file check
 if [[ ${CHECK_SHOSTS} == yes ]]; then
- # TODO: do not check on remote shares (#41709)
 getent passwd | awk -F: '{print $1" "$6}' |
 while read username homedir; do
 if ! expr "$homedir" : "$FILTER" > /dev/null; then
@@ -298,6 +288,21 @@ if [[ ${CHKROOTKIT_CHECK} == yes ]]; then
 fi
 fi
 
+### file permissions
+# fix permissions on newly created msec files according to system policy
+/usr/sbin/msecperms -e '/var/log/msec.log' "$SECURITY_LOG" "/var/log/security/*" &> ${TMP}
+
+# now check default permissions
+if [[ ${CHECK_PERMS} == yes ]]; then
+ # running msec_perms
+ /usr/sbin/msecperms > ${TMP} 2>&1
+ if [[ -s ${TMP} ]]; then
+ printf "\nPermissions changes on system files:\n" >> ${SECURITY}
+ cat ${TMP} | sed -e 's/WARNING: //g' >> ${SECURITY}
+ fi
+fi
+
+
 ### Report
 if [[ -s ${SECURITY} ]]; then
 Syslog ${SECURITY} |
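Review bot: The output of the new `msecperms -e` call in the last hunk is written to `${TMP}` and never read. When `CHECK_PERMS` is yes the following `msecperms > ${TMP} 2>&1` overwrites it, and otherwise nothing in the hunk consumes it, so a failure to fix permissions on the msec log files goes unreported. Consider surfacing it in the report, e.g. `... &> ${TMP} || cat ${TMP} >> ${SECURITY}`, assuming msecperms exits non-zero on failure, which is not visible here. The call also sits outside the `CHECK_PERMS` guard, so permissions are changed even when that check is disabled; if that is intended, a comment such as `# always enforced, independent of CHECK_PERMS` would make it explicit. The quoted `"/var/log/security/*"` reaches msecperms as a literal pattern, which is presumably intended but worth confirming.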