aboutsummaryrefslogtreecommitdiffstats
path: root/cron-sh
diff options
context:
space:
mode:
authorEugeni Dodonov <eugeni@mandriva.org>2009-09-09 00:04:28 +0000
committerEugeni Dodonov <eugeni@mandriva.org>2009-09-09 00:04:28 +0000
commit04264a85de43e5cc0ef5f4c7113e0979bc397a53 (patch)
tree8943530e6ec71c6d7db4ba3fc403e4e3ab2d716b /cron-sh
parent7d9bf9988b2ea0960741aa09e794c2c365c5f09b (diff)
downloadmsec-04264a85de43e5cc0ef5f4c7113e0979bc397a53.tar
msec-04264a85de43e5cc0ef5f4c7113e0979bc397a53.tar.gz
msec-04264a85de43e5cc0ef5f4c7113e0979bc397a53.tar.bz2
msec-04264a85de43e5cc0ef5f4c7113e0979bc397a53.tar.xz
msec-04264a85de43e5cc0ef5f4c7113e0979bc397a53.zip
added support for msec exceptions
Diffstat (limited to 'cron-sh')
-rw-r--r--cron-sh/functions.sh6
-rwxr-xr-xcron-sh/scripts/01_files.sh10
-rwxr-xr-xcron-sh/scripts/02_network.sh2
-rwxr-xr-xcron-sh/scripts/03_rpm.sh2
-rwxr-xr-xcron-sh/scripts/05_access.sh9
5 files changed, 27 insertions, 2 deletions
diff --git a/cron-sh/functions.sh b/cron-sh/functions.sh
index cedd4c1..af08ad4 100644
--- a/cron-sh/functions.sh
+++ b/cron-sh/functions.sh
@@ -69,7 +69,8 @@ Count() {
Filter() {
# filters output according to defined rules
- RULE="$1"
+ FILE="$1"
+ RULE="$2"
exceptions=/etc/security/msec/exceptions
if [ ! -s "$exceptions" -o "a$RULE" = "a" ]; then
@@ -83,7 +84,8 @@ Filter() {
done
FILTER="sed $EXCEPTIONS"
fi
- $FILTER
+ $FILTER < $FILE > ${FILE}.tmp
+ mv -f ${FILE}.tmp $FILE
}
diff --git a/cron-sh/scripts/01_files.sh b/cron-sh/scripts/01_files.sh
index 9720f55..c1135c6 100755
--- a/cron-sh/scripts/01_files.sh
+++ b/cron-sh/scripts/01_files.sh
@@ -60,26 +60,32 @@ if [[ ${CHECK_SUID_MD5} == yes || ${CHECK_SUID_ROOT} == yes || ${CHECK_SGID} ==
fi
if [[ -f ${SUID_ROOT_TODAY} ]]; then
+ Filter ${SUID_ROOT_TODAY} CHECK_SUID_MD5
+ Filter ${SUID_ROOT_TODAY} CHECK_SUID_ROOT
sort < ${SUID_ROOT_TODAY} > ${SUID_ROOT_TODAY}.tmp
mv -f ${SUID_ROOT_TODAY}.tmp ${SUID_ROOT_TODAY}
fi
if [[ -f ${SGID_TODAY} ]]; then
+ Filter ${SGID_TODAY} CHECK_SGID
sort < ${SGID_TODAY} > ${SGID_TODAY}.tmp
mv -f ${SGID_TODAY}.tmp ${SGID_TODAY}
fi
if [[ -f ${WRITABLE_TODAY} ]]; then
+ Filter ${WRITABLE_TODAY} CHECK_WRITABLE
sort < ${WRITABLE_TODAY} | egrep -v '^(/var)?/tmp$' > ${WRITABLE_TODAY}.tmp
mv -f ${WRITABLE_TODAY}.tmp ${WRITABLE_TODAY}
fi
if [[ -f ${UNOWNED_USER_TODAY} ]]; then
+ Filter ${UNOWNED_USER_TODAY} CHECK_UNOWNED
sort < ${UNOWNED_USER_TODAY} > ${UNOWNED_USER_TODAY}.tmp
mv -f ${UNOWNED_USER_TODAY}.tmp ${UNOWNED_USER_TODAY}
fi
if [[ -f ${UNOWNED_GROUP_TODAY} ]]; then
+ Filter ${UNOWNED_GROUP_TODAY} CHECK_UNOWNED
sort < ${UNOWNED_GROUP_TODAY} > ${UNOWNED_GROUP_TODAY}.tmp
mv -f ${UNOWNED_GROUP_TODAY}.tmp ${UNOWNED_GROUP_TODAY}
fi
@@ -182,6 +188,7 @@ done | awk -F: '$1 != $6 && $6 != "0" \
{ print "\t\t- " $3 " : file is group writable." }
$4 ~ /^-.......w/ \
{ print "\t\t- " $3 " : file is other writable." }' > ${MSEC_TMP}
+Filter ${MSEC_TMP} CHECK_USER_FILES
if [[ -s ${MSEC_TMP} ]]; then
Count ${INFOS} ${MSEC_TMP} "Total of unsecure user files"
@@ -219,6 +226,7 @@ if [[ -s ${MSEC_TMP} ]]; then
printf "\nSecurity Warning: theses files should not be owned by someone else or writable :\n" >> ${SECURITY}
cat ${MSEC_TMP} >> ${SECURITY}
fi
+Filter ${MSEC_TMP} CHECK_USER_FILES
### Check home directories. Directories should not be owned by someone else or writable.
getent passwd | awk -F: '/^[^+-]/ { print $1 ":" $3 ":" $6 }' | \
@@ -237,6 +245,7 @@ done | awk -F: '$3 != $5 && $5 != "(0)" \
{ print "user=" $2 $3" : home directory is group writable." }
$1 ~ /^d.......w/ \
{ print "user=" $2 $3" : home directory is other writable." }' > ${MSEC_TMP}
+Filter ${MSEC_TMP} CHECK_USER_FILES
if [[ -s $MSEC_TMP ]] ; then
Count ${INFOS} ${MSEC_TMP} "Total of users whose home directories have unsafe permissions "
@@ -254,6 +263,7 @@ if [[ ${CHECK_PERMS} == yes || ${CHECK_PERMS} == enforce ]]; then
fi
# running msec_perms
/usr/sbin/msecperms $MSECPERMS_PARAMS | grep WARNING > ${MSEC_TMP} 2>&1
+ Filter ${MSEC_TMP} CHECK_PERMS
if [[ -s ${MSEC_TMP} ]]; then
Count ${INFOS} ${MSEC_TMP} "Permission changes on files watched by msecperms"
printf "\nPermissions changes on files watched by msec:\n" >> ${SECURITY}
diff --git a/cron-sh/scripts/02_network.sh b/cron-sh/scripts/02_network.sh
index c31b101..b52f914 100755
--- a/cron-sh/scripts/02_network.sh
+++ b/cron-sh/scripts/02_network.sh
@@ -26,11 +26,13 @@ fi
if [[ ${CHECK_OPEN_PORT} == yes ]]; then
netstat -pvlA inet,inet6 2> /dev/null > ${OPEN_PORT_TODAY};
+ Filter ${OPEN_PORT_TODAY} CHECK_OPEN_PORT
Count ${INFOS} ${OPEN_PORT_TODAY} "Total of open network ports"
fi
if [[ ${CHECK_FIREWALL} == yes ]]; then
iptables -S 2>/dev/null > ${FIREWALL_TODAY}
+ Filter ${FIREWALL_TODAY} CHECK_FIREWALL
Count ${INFOS} ${FIREWALL_TODAY} "Total of configured firewall rules"
fi
diff --git a/cron-sh/scripts/03_rpm.sh b/cron-sh/scripts/03_rpm.sh
index 24353e2..264bd63 100755
--- a/cron-sh/scripts/03_rpm.sh
+++ b/cron-sh/scripts/03_rpm.sh
@@ -40,6 +40,7 @@ fi
# list of installed packages
if [[ ${CHECK_RPM_PACKAGES} == yes ]]; then
rpm -qa --qf "%{NAME}-%{VERSION}-%{RELEASE}\n" | sort > ${RPM_QA_TODAY}
+ Filter ${RPM_QA_TODAY} CHECK_RPM_PACKAGES
Count ${INFOS} ${RPM_QA_TODAY} "Total of installed packages"
Diffcheck ${RPM_QA_TODAY} ${RPM_QA_YESTERDAY} ${RPM_QA_DIFF} "packages"
fi
@@ -48,6 +49,7 @@ fi
if [[ ${CHECK_RPM_INTEGRITY} == yes ]]; then
rm -f ${RPM_VA_TODAY}.tmp
nice --adjustment=+19 rpm -Va --noscripts | grep '^..5' | sort > ${RPM_VA_TODAY}.tmp
+ Filter ${RPM_VA_TODAY} CHECK_RPM_INTEGRITY
grep -v '^..........c.' ${RPM_VA_TODAY}.tmp | sed 's/^............//' | sort > ${RPM_VA_TODAY}
grep '^..........c.' ${RPM_VA_TODAY}.tmp | sed 's/^............//' | sort > ${RPM_VA_CONFIG_TODAY}
rm -f ${RPM_VA_TODAY}.tmp
diff --git a/cron-sh/scripts/05_access.sh b/cron-sh/scripts/05_access.sh
index 2b35d8c..e3ecb72 100755
--- a/cron-sh/scripts/05_access.sh
+++ b/cron-sh/scripts/05_access.sh
@@ -21,6 +21,7 @@ fi
# check for changes in users
if [[ ${CHECK_USERS} == yes ]]; then
getent passwd | cut -f 1 -d : | sort > ${USERS_LIST_TODAY}
+ Filter ${USERS_LIST_TODAY} CHECK_USERS
Diffcheck ${USERS_LIST_TODAY} ${USERS_LIST_YESTERDAY} ${USERS_LIST_DIFF} "local users"
Count ${INFOS} ${USERS_LIST_TODAY} "Total local users"
fi
@@ -37,6 +38,7 @@ fi
# check for changes in groups
if [[ ${CHECK_GROUPS} == yes ]]; then
getent passwd | cut -f 1 -d : | sort > ${GROUPS_LIST_TODAY}
+ Filter ${GROUPS_LIST_TODAY} CHECK_GROUPS
Diffcheck ${GROUPS_LIST_TODAY} ${GROUPS_LIST_YESTERDAY} ${GROUPS_LIST_DIFF} "local groups"
Count ${INFOS} ${GROUPS_LIST_TODAY} "Total local group"
fi
@@ -51,6 +53,7 @@ if [[ ${CHECK_PASSWD} == yes ]]; then
else if ( $3 == 0 && $1 != "root" )
printf("\t\t- /etc/passwd:%d: User \"%s\" has id 0 !\n", FNR, $1);
}' > ${MSEC_TMP}
+ Filter ${MSEC_TMP} CHECK_PASSWD
if [[ -s ${MSEC_TMP} ]]; then
printf "\nSecurity Warning: /etc/passwd check :\n" >> ${SECURITY}
@@ -65,6 +68,7 @@ if [[ ${CHECK_SHADOW} == yes ]]; then
if ( $2 == "" )
printf("\t\t- /etc/shadow:%d: User \"%s\" has no password !\n", FNR, $1);
}' < /etc/shadow > ${MSEC_TMP}
+ Filter ${MSEC_TMP} CHECK_SHADOW
if [[ -s ${MSEC_TMP} ]]; then
printf "\nSecurity Warning: /etc/shadow check :\n" >> ${SECURITY}
@@ -73,6 +77,7 @@ if [[ ${CHECK_SHADOW} == yes ]]; then
fi
fi
+# TODO: add CHECK_EXPORTS parameter in msec
### File systems should not be globally exported.
if [[ -s /etc/exports ]] ; then
awk '{
@@ -88,6 +93,7 @@ if [[ -s /etc/exports ]] ; then
print "\t\t- Nfs File system " $1 " globally exported, read-only.";
} else print "\t\t- Nfs File system " $1 " globally exported, read-write.";
}' < /etc/exports > ${MSEC_TMP}
+ Filter ${MSEC_TMP} CHECK_EXPORTS
if [[ -s ${MSEC_TMP} ]] ; then
printf "\nSecurity Warning: Some NFS filesystem are exported globally :\n" >> ${SECURITY}
@@ -96,8 +102,10 @@ if [[ -s /etc/exports ]] ; then
fi
fi
+# TODO: add CHECK_MOUNTS parameter in msec
### nfs mounts with missing nosuid
/bin/mount | /bin/grep -v nosuid | /bin/grep ' nfs ' > ${MSEC_TMP}
+Filter ${MSEC_TMP} CHECK_MOUNTS
if [[ -s ${MSEC_TMP} ]] ; then
printf "\nSecurity Warning: The following NFS mounts haven't got the nosuid option set :\n" >> ${SECURITY}
cat ${MSEC_TMP} | awk '{ print "\t\t- "$0 }' >> ${SECURITY}
@@ -144,6 +152,7 @@ if [[ ${CHECK_SHOSTS} == yes ]]; then
fi
fi
+# TODO: add CHECK_ALIASES
### executables should not be in the aliases file.
list="/etc/aliases /etc/postfix/aliases"
for file in ${list}; do