-rw-r--r--Makefile6
-rwxr-xr-xcron-sh/diff_check.sh43
-rwxr-xr-xcron-sh/promisc_check.sh4
-rwxr-xr-xcron-sh/security_check.sh50
-rwxr-xr-xinit-sh/custom.sh38
-rwxr-xr-xinit-sh/file_perm.sh6
-rwxr-xr-xinit-sh/grpuser20
-rwxr-xr-xinit-sh/init.sh8
-rwxr-xr-xinit-sh/level0.sh14
-rwxr-xr-xinit-sh/level1.sh16
-rwxr-xr-xinit-sh/level2.sh15
-rwxr-xr-xinit-sh/level3.sh2
-rwxr-xr-xinit-sh/level4.sh2
-rwxr-xr-xinit-sh/level5.sh2
-rw-r--r--init-sh/lib.sh28
15 files changed, 132 insertions, 122 deletions
diff --git a/Makefile b/Makefile
index 35d9da0..1f3a005 100644
--- a/Makefile
+++ b/Makefile
@@ -18,7 +18,7 @@ rpm_install: all
cp init-sh/lib.sh $(RPM_BUILD_ROOT)/etc/security/msec/init-sh
cp init-sh/init.sh $(RPM_BUILD_ROOT)/etc/security/msec
cp init-sh/file_perm.sh $(RPM_BUILD_ROOT)/etc/security/msec/init-sh
- cp init-sh/perm.[1-5] $(RPM_BUILD_ROOT)/etc/security/msec/init-sh
+ cp init-sh/perm.[0-5] $(RPM_BUILD_ROOT)/etc/security/msec/init-sh
cp init-sh/server.* $(RPM_BUILD_ROOT)/etc/security/msec/init-sh
cp init-sh/grpuser $(RPM_BUILD_ROOT)/etc/security/msec/init-sh
cp init-sh/custom.sh $(RPM_BUILD_ROOT)/etc/security/msec/init-sh
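Review bot: The widened glob `perm.[0-5]` presumes an `init-sh/perm.0` that this commit does not add — the diffstat lists no such file — and if it is missing the glob silently matches only perm.1–perm.5, `cp` succeeds, and init.sh later reports "Couldn't find the default permissions for level 0." Naming the files explicitly, `cp init-sh/perm.0 init-sh/perm.1 init-sh/perm.2 init-sh/perm.3 init-sh/perm.4 init-sh/perm.5 $(RPM_BUILD_ROOT)/etc/security/msec/init-sh`, turns the missing file into a build error instead. The `install` hunk at @@ -45 uses the broader `*.[0-5]`, which also picks up any `server.[0-5]` files that a later line copies separately; using `perm.[0-5]` in both targets would keep the two install paths consistent.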
@@ -45,7 +45,7 @@ install:
(cp init-sh/lib.sh /etc/security/msec/init-sh);
(cp init-sh/grpuser /etc/security/msec/init-sh);
(cp init-sh/file_perm.sh /etc/security/msec/init-sh);
- (cp init-sh/*.[1-5] /etc/security/msec/init-sh/)
+ (cp init-sh/*.[0-5] /etc/security/msec/init-sh/)
(cp init-sh/custom.sh /etc/security/msec/init-sh);
(cp init-sh/server.* /etc/security/msec/init-sh)
(touch /etc/security/msec/security.conf)
@@ -62,4 +62,4 @@ install:
@echo
@echo "To switch between runlevel, just launch init.sh ( in init-sh dir )"
@echo
- @echo \ No newline at end of file
+ @echo
diff --git a/cron-sh/diff_check.sh b/cron-sh/diff_check.sh
index 3c08858..048525d 100755
--- a/cron-sh/diff_check.sh
+++ b/cron-sh/diff_check.sh
@@ -3,14 +3,14 @@
# Written by Vandoorselaere Yoann, <yoann@mandrakesoft.com>
#
-if [ -f /etc/security/msec/security.conf ]; then
+if [[ -f /etc/security/msec/security.conf ]]; then
. /etc/security/msec/security.conf
else
echo "/etc/security/msec/security.conf don't exist."
exit 1
fi
-if [ "${CHECK_SECURITY}" == "no" ]; then
+if [[ ${CHECK_SECURITY} == no ]; then
exit 0
fi
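Review bot: The new test `if [[ ${CHECK_SECURITY} == no ]; then` opens `[[` but closes with a single `]`, which bash rejects as a syntax error in the conditional expression, so the whole cron script aborts before any check runs. It should read `if [[ ${CHECK_SECURITY} == no ]]; then`. The same slip is in init-sh/custom.sh at hunk @@ -155 (`if [[ ${answer} == yes ]; then`).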
@@ -45,7 +45,7 @@ UNOWNED_DIFF="/var/log/security/unowned.diff"
SECURITY_LOG="/var/log/security.log"
TMP="/tmp/secure.tmp"
-if [ ! -d /var/log/security ]; then
+if [[ ! -d /var/log/security ]]; then
mkdir /var/log/security
fi
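Review bot: `mkdir /var/log/security` on the line after the new `[[ ! -d … ]]` test creates the directory with whatever umask cron runs under, although it will hold the SUID/writable-file inventories and their diffs (`UNOWNED_DIFF` and friends in the hunk header); `mkdir -m 0700 /var/log/security` keeps those reports readable only by root. The fixed `TMP="/tmp/secure.tmp"` two lines above is pre-existing context, but it is a predictable name in a world-writable directory that a root cron job truncates and appends to; if mktemp is available on the target, `TMP=$(mktemp /tmp/secure.XXXXXX) || exit 1` avoids relying on the name. The same pattern appears in cron-sh/security_check.sh (`SECURITY` and `TMP` at hunk @@ -19).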
@@ -78,14 +78,14 @@ Ttylog() {
### New Suid root files detection
if [[ ${CHECK_SUID_ROOT} == yes ]]; then
- if [ -f ${SUID_ROOT_TODAY} ]; then
+ if [[ -f ${SUID_ROOT_TODAY} ]]; then
mv ${SUID_ROOT_TODAY} ${SUID_ROOT_YESTERDAY}
fi
find ${DIR} -xdev -type f -perm +04000 -user root \
-printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" | sort > ${SUID_ROOT_TODAY}
- if [ -f ${SUID_ROOT_YESTERDAY} ]; then
+ if [[ -f ${SUID_ROOT_YESTERDAY} ]]; then
if ! diff -u ${SUID_ROOT_YESTERDAY} ${SUID_ROOT_TODAY} > ${SUID_ROOT_DIFF}; then
printf "\nSecurity Warning: Change in Suid Root files found :\n" >> ${TMP}
grep '^+' ${SUID_ROOT_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do
@@ -99,15 +99,16 @@ if [[ ${CHECK_SUID_ROOT} == yes ]]; then
fi
### New Suid group files detection
-if [ ${CHECK_SUID_GROUP} ]; then
- if [ -f ${SUID_GROUP_TODAY} ]; then
+if [[ ${CHECK_SUID_GROUP} == yes ]]; then
+
+ if [[ -f ${SUID_GROUP_TODAY} ]]; then
mv ${SUID_GROUP_TODAY} ${SUID_GROUP_YESTERDAY}
fi
find ${DIR} -xdev -type f -perm +02000 \
-printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" | sort > ${SUID_GROUP_TODAY}
- if [ -f ${SUID_GROUP_YESTERDAY} ]; then
+ if [[ -f ${SUID_GROUP_YESTERDAY} ]]; then
if ! diff -u ${SUID_GROUP_YESTERDAY} ${SUID_GROUP_TODAY} > ${SUID_GROUP_DIFF}; then
printf "\nSecurity Warning: Changes in Suid Group files found :\n" >> ${TMP}
grep '^+' ${SUID_GROUP_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do
@@ -123,13 +124,13 @@ fi
### Writable files detection
if [[ ${CHECK_WRITEABLE} == yes ]]; then
- if [ -f ${WRITEABLE_TODAY} ]; then
+ if [[ -f ${WRITEABLE_TODAY} ]]; then
mv -f ${WRITEABLE_TODAY} ${WRITEABLE_YESTERDAY}
fi
find ${DIR} -xdev -type f -perm -2 -ls -print | sort > ${WRITEABLE_TODAY}
- if [ -f ${WRITEABLE_YESTERDAY} ]; then
+ if [[ -f ${WRITEABLE_YESTERDAY} ]]; then
if ! diff -u ${WRITEABLE_YESTERDAY} ${WRITEABLE_TODAY} > ${WRITEABLE_DIFF}; then
printf "\nSecurity Warning: Change in World Writeable Files found :\n" >> ${TMP}
grep '^+' ${WRITEABLE_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do
@@ -145,13 +146,13 @@ fi
### Search Non Owned files
if [[ ${CHECK_UNOWNED} == yes ]]; then
- if [ -f ${UNOWNED_TODAY} ]; then
+ if [[ -f ${UNOWNED_TODAY} ]]; then
mv -f ${UNOWNED_TODAY} ${UNOWNED_YESTERDAY}
fi
find ${DIR} -xdev -nouser -print -ls | sort > ${UNOWNED_TODAY}
- if [ -f ${UNOWNED_YESTERDAY} ]; then
+ if [[ -f ${UNOWNED_YESTERDAY} ]]; then
if ! diff -u ${UNOWNED_YESTERDAY} ${UNOWNED_TODAY} > ${UNOWNED_DIFF}; then
printf "\nSecurity Warning: the following files aren't owned by an user :\n" >> ${TMP}
grep '^+' ${UNOWNED_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do
@@ -165,7 +166,7 @@ if [[ ${CHECK_UNOWNED} == yes ]]; then
find ${DIR} -xdev -nogroup -print -ls | sort >> ${UNOWNED_TODAY}
- if [ -f ${UNOWNED_YESTERDAY} ]; then
+ if [[ -f ${UNOWNED_YESTERDAY} ]]; then
if ! diff -u ${UNOWNED_YESTERDAY} ${UNOWNED_TODAY} > ${UNOWNED_DIFF}; then
printf "\nSecurity Warning: the following files aren't owned by a group :\n" >> ${TMP}
grep '^+' ${UNOWNED_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do
@@ -179,8 +180,9 @@ if [[ ${CHECK_UNOWNED} == yes ]]; then
fi
### Md5 check for SUID root file
-if [[ ${CHECK_SUID_MD5} == yes ]]; then
- if [ -f ${SUID_MD5_TODAY} ]; then
+if [[ ${CHECK_SUID_MD5} == yes ]]; then
+
+ if [[ -f ${SUID_MD5_TODAY} ]]; then
mv ${SUID_MD5_TODAY} ${SUID_MD5_YESTERDAY}
fi
@@ -190,7 +192,7 @@ if [[ ${CHECK_SUID_MD5} == yes ]]; then
md5sum ${line} >> ${SUID_MD5_TODAY}
done
- if [ -f ${SUID_MD5_YESTERDAY} ]; then
+ if [[ -f ${SUID_MD5_YESTERDAY} ]]; then
if ! diff -u ${SUID_MD5_YESTERDAY} ${SUID_MD5_TODAY} > ${SUID_MD5_DIFF}; then
printf "\nSecurity Warning: the md5 checksum for one of your SUID files has changed,\n" >> ${TMP}
printf "\tmaybe an intruder modified one of these suid binary in order to put in a backdoor...\n" >> ${TMP}
@@ -206,13 +208,14 @@ fi
### Changed open port
if [[ ${CHECK_OPEN_PORT} == yes ]]; then
- if [ -f ${OPEN_PORT_TODAY} ]; then
+
+ if [[ -f ${OPEN_PORT_TODAY} ]]; then
mv -f ${OPEN_PORT_TODAY} ${OPEN_PORT_YESTERDAY}
fi
netstat -pvlA inet > ${OPEN_PORT_TODAY};
- if [ -f ${OPEN_PORT_YESTERDAY} ]; then
+ if [[ -f ${OPEN_PORT_YESTERDAY} ]]; then
if ! diff -u ${OPEN_PORT_YESTERDAY} ${OPEN_PORT_TODAY} 1> ${OPEN_PORT_DIFF}; then
printf "\nSecurity Warning: There is a new port listening on your machine :\n" >> ${TMP}
grep '^+' ${OPEN_PORT_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do
@@ -226,7 +229,7 @@ if [[ ${CHECK_OPEN_PORT} == yes ]]; then
fi
######## Report ######
-if [ -s ${TMP} ]; then
+if [[ -s ${TMP} ]]; then
Syslog ${TMP}
Ttylog ${TMP}
date=`date`
@@ -234,6 +237,6 @@ if [ -s ${TMP} ]; then
cat ${TMP} >> ${SECURITY_LOG}
fi
-if [ -f ${TMP} ]; then
+if [[ -f ${TMP} ]]; then
rm -f ${TMP}
fi
diff --git a/cron-sh/promisc_check.sh b/cron-sh/promisc_check.sh
index a2bdaa4..cabf0a8 100755
--- a/cron-sh/promisc_check.sh
+++ b/cron-sh/promisc_check.sh
@@ -3,7 +3,7 @@
# Writen by Vandoorselaere Yoann,
# <yoann@mandrakesoft.com>
-if [ -f /etc/security/msec/security.conf ]; then
+if [[ -f /etc/security/msec/security.conf ]]; then
. /etc/security/msec/security.conf
else
echo "/etc/security/msec/security.conf don't exist."
@@ -46,7 +46,7 @@ LogPromisc() {
}
-if [ -f /etc/security/msec/security.conf ]; then
+if [[ -f /etc/security/msec/security.conf ]]; then
. /etc/security/msec/security.conf
else
exit 1
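Review bot: This second `[[ -f /etc/security/msec/security.conf ]]` block re-sources a file that the hunk at @@ -3 already sourced at the top of the script, and its `else` branch exits silently where the first one prints a message. If nothing between the two blocks can change the file, the second block can be dropped; if re-reading is intentional, a one-line comment such as `# re-read: LogPromisc may be called from a long-running loop` (adjusted to the real reason) would spare the next reader the guess.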
diff --git a/cron-sh/security_check.sh b/cron-sh/security_check.sh
index 844cd9d..6686dd3 100755
--- a/cron-sh/security_check.sh
+++ b/cron-sh/security_check.sh
@@ -4,7 +4,7 @@
# Written by Vandoorselaere Yoann, <yoann@mandrakesoft.com>
#
-if [ -f /etc/security/msec/security.conf ]; then
+if [[ -f /etc/security/msec/security.conf ]]; then
. /etc/security/msec/security.conf
else
echo "/etc/security/msec/security.conf don't exist."
@@ -19,7 +19,7 @@ SECURITY="/tmp/secure.log"
SECURITY_LOG="/var/log/security.log"
TMP="/tmp/secure.tmp"
-if [ ! -d /var/log/security ]; then
+if [[ ! -d /var/log/security ]]; then
mkdir /var/log/security
fi
@@ -49,7 +49,7 @@ Ttylog() {
if [[ ${CHECK_WRITEABLE} == yes ]]; then
find ${DIR} -xdev -type f -perm -2 -ls -print | awk '{print $11}' | sort > ${TMP}
- if [ -s ${TMP} ]; then
+ if [[ -s ${TMP} ]]; then
printf "\nSecurity Warning: World Writeable Files found :\n" >> ${SECURITY}
cat ${TMP} >> ${SECURITY}
fi
@@ -58,7 +58,7 @@ fi
### Search Un Owned file
if [[ ${CHECK_UNOWNED} == yes ]]; then
find ${DIR} -xdev -nouser -print -ls | awk '{print $11}' | sort > ${TMP}
- if [ -s ${TMP} ]; then
+ if [[ -s ${TMP} ]]; then
printf "\nSecurity Warning : the following file aren't owned by any user :\n" >> ${SECURITY}
printf "\ttheses files now have user \"nobody\" as their owner." >> ${SECURE_LOG}
cat ${TMP} >> ${SECURITY}
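Review bot: The `printf` on the second line after the new `[[ -s ${TMP} ]]` test redirects to `${SECURE_LOG}`, a name that is not set anywhere visible — the script defines `SECURITY` and `SECURITY_LOG` (hunk @@ -19) — so with it empty bash reports an ambiguous redirect and the "nobody" notice is lost. It is pre-existing context, but the hunk touches this block and the sibling group check in the next hunk uses `>> ${SECURITY}`; this line should match: `printf "\ttheses files now have user \"nobody\" as their owner." >> ${SECURITY}`.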
@@ -66,7 +66,7 @@ if [[ ${CHECK_UNOWNED} == yes ]]; then
fi
find $DIR -xdev -nogroup -print -ls | awk '{print $11}' | sort > ${TMP}
- if [ -s ${TMP} ]; then
+ if [[ -s ${TMP} ]]; then
printf "\nSecurity Warning : the following file aren't owned by any group :\n" >> ${SECURITY}
printf "\ttheses files now have group \"nogroup\" as their group owner." >> ${SECURITY}
cat ${TMP} >> ${SECURITY}
@@ -81,7 +81,7 @@ awk -F: '/^[^+-]/ { print $1 " " $3 " " $6 }' /etc/passwd |
while read username uid homedir; do
for f in ${list} ; do
file="${homedir}/${f}"
- if [ -f ${file} ] ; then
+ if [[ -f ${file} ]] ; then
printf "${uid} ${username} ${file} `ls -ldcgn ${file}`\n"
fi
done
@@ -96,7 +96,7 @@ done | awk '$1 != $6 && $6 != "0" \
$4 ~ /^-.......w/ \
{ print "\t\t- " $3 " : file is other writeable." }' > ${TMP}
-if [ -s ${TMP} ]; then
+if [[ -s ${TMP} ]]; then
printf "\nSecurity Warning: these files shouldn't be owned by someone else or readable :\n" >> ${SECURITY}
cat ${TMP} >> ${SECURITY}
fi
@@ -110,7 +110,7 @@ awk -F: '/^[^+-]/ { print $1 " " $3 " " $6 }' /etc/passwd | \
while read username uid homedir; do
for f in ${list} ; do
file=${homedir}/${f}
- if [ -f ${file} ] ; then
+ if [[ -f ${file} ]] ; then
printf "${uid} ${username} ${file} `ls -ldcgn ${file}`\n"
fi
done
@@ -121,7 +121,7 @@ done | awk '$1 != $6 && $6 != "0" \
$4 ~ /^-.......w/ \
{ print "\t\t- " $3 " : file is other writeable." }' > ${TMP}
-if [ -s ${TMP} ]; then
+if [[ -s ${TMP} ]]; then
printf "\nSecurity Warning: theses files should not be owned by someone else or writeable :\n" >> ${SECURITY}
cat ${TMP} >> ${SECURITY}
fi
@@ -129,7 +129,7 @@ fi
### Check home directories. Directories should not be owned by someone else or writeable.
awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \
while read uid homedir; do
- if [ -d ${homedir}/ ] ; then
+ if [[ -d ${homedir} ]] ; then
file=`ls -ldg ${homedir}`
printf "$uid $file\n"
fi
@@ -140,7 +140,7 @@ done | awk '$1 != $4 && $4 != "root" \
$2 ~ /^-.......w/ \
{ print "user=" $1 " : home directory is other writeable." }' > ${TMP}
-if [ -s $TMP ] ; then
+if [[ -s $TMP ]] ; then
printf "\nSecurity Warning: these home directory should not be owned by someone else or writeable :\n" >> ${SECURITY}
cat ${TMP} >> ${SECURITY}
fi
@@ -155,7 +155,7 @@ if [[ ${CHECK_PASSWD} == yes ]]; then
printf("\t\t- /etc/passwd:%d: User \"%s\" has a real password (it is not shadowed).\n", FNR, $1);
}' < /etc/passwd > ${TMP}
- if [ -s ${TMP} ]; then
+ if [[ -s ${TMP} ]]; then
printf "\nSecurity Warning: /etc/passwd check :\n" >> ${SECURITY}
cat ${TMP} >> ${SECURITY}
fi
@@ -168,14 +168,14 @@ if [[ ${CHECK_SHADOW} == yes ]]; then
printf("\t\t- /etc/shadow:%d: User \"%s\" has no password !\n", FNR, $1);
}' < /etc/shadow > ${TMP}
- if [ -s ${TMP} ]; then
+ if [[ -s ${TMP} ]]; then
printf "\nSecurity Warning: /etc/shadow check :\n" >> ${SECURITY}
cat ${TMP} >> ${SECURITY}
fi
fi
### File systems should not be globally exported.
-if [ -s /etc/exports ] ; then
+if [[ -s /etc/exports ]] ; then
awk '{
if (($1 ~ /^#/) || ($1 ~ /^$/)) next;
readonly = 0;
@@ -190,7 +190,7 @@ if [ -s /etc/exports ] ; then
} else print "\t\t- Nfs File system " $1 " globally exported, read-write.";
}' < /etc/exports > ${TMP}
- if [ -s ${TMP} ] ; then
+ if [[ -s ${TMP} ]] ; then
printf "\nSecurity Warning: Some NFS filesystem are exported globally :\n" >> ${SECURITY}
cat ${TMP} >> ${SECURITY}
fi
@@ -198,7 +198,7 @@ fi
### nfs mounts with missing nosuid
/bin/mount | /bin/grep -v nosuid | /bin/grep ' nfs ' > ${TMP}
-if [ -s ${TMP} ] ; then
+if [[ -s ${TMP} ]] ; then
printf "\nSecurity Warning: The following NFS mounts haven't got the nosuid option set :\n" >> ${SECURITY}
cat ${TMP} >> ${SECURITY}
fi
@@ -206,7 +206,7 @@ fi
### Files that should not have + signs.
list="/etc/hosts.equiv /etc/shosts.equiv /etc/hosts.lpd"
for file in $list ; do
- if [ -s ${file} ] ; then
+ if [[ -s ${file} ]] ; then
awk '{
if ($0 ~ /^\+@.*$/)
next;
@@ -219,7 +219,7 @@ done > ${TMP}
awk -F: '{print $1" "$6}' /etc/passwd |
while read username homedir; do
for file in .rhosts .shosts; do
- if [ -s ${homedir}/${file} ] ; then
+ if [[ -s ${homedir}/${file} ]] ; then
awk '{
if ($0 ~ /^\+@.*$/)
next;
@@ -230,7 +230,7 @@ awk -F: '{print $1" "$6}' /etc/passwd |
done >> ${TMP}
done
-if [ -s ${TMP} ]; then
+if [[ -s ${TMP} ]]; then
printf "\nSecurity Warning: '+' character found in hosts trusting files,\n" >> ${SECURITY}
printf "\tthis probably mean that you trust certains users/domain\n" >> ${SECURITY}
printf "\tto connect on this host without proper authentication :\n" >> ${SECURITY}
@@ -240,13 +240,13 @@ fi
### executables should not be in the aliases file.
list="/etc/aliases /etc/postfix/aliases"
for file in ${list}; do
- if [ -s ${file} ]; then
+ if [[ -s ${file} ]]; then
grep -v '^#' /etc/aliases | grep '|' | while read line; do
printf "\t\t- ${line}\n"
done > ${TMP}
fi
- if [ -s ${TMP} ]; then
+ if [[ -s ${TMP} ]]; then
printf "\nSecurity Warning: The following programs are executed in your mail\n" >> ${SECURITY}
printf "\tvia ${file} files, this could lead to security problems :\n" >> ${SECURITY}
cat ${TMP} >> ${SECURITY}
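Review bot: The new guard `[[ -s ${file} ]]` tests `${file}`, but the loop body still reads the hard-coded `/etc/aliases`, so the `/etc/postfix/aliases` iteration re-reports the first file's entries under the second file's name; the grep should use the loop variable: `grep -v '^#' ${file} | grep '|' | while read line; do`. Separately, `${TMP}` is only rewritten when the file exists, so when `/etc/postfix/aliases` is absent the following `[[ -s ${TMP} ]]` still sees the previous iteration's output and prints the warning a second time; clearing it at the top of each iteration with `: > ${TMP}` fixes that. Both points are pre-existing behaviour that the hunk's new tests now sit on.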
@@ -257,14 +257,14 @@ done
if [[ ${CHECK_OPEN_PORT} == yes ]]; then
netstat -pvlA inet > ${TMP};
- if [ -s ${TMP} ]; then
+ if [[ -s ${TMP} ]]; then
printf "\nThese are the ports listening on your machine :\n" >> ${SECURITY}
cat ${TMP} >> ${SECURITY}
fi
fi
### Report
-if [ -s ${SECURITY} ]; then
+if [[ -s ${SECURITY} ]]; then
Syslog ${SECURITY}
Ttylog ${SECURITY}
date=`date`
@@ -272,11 +272,11 @@ if [ -s ${SECURITY} ]; then
cat ${SECURITY} >> ${SECURITY_LOG}
fi
-if [ -f ${SECURITY} ]; then
+if [[ -f ${SECURITY} ]]; then
rm -f ${SECURITY}
fi
-if [ -f ${TMP} ]; then
+if [[ -f ${TMP} ]]; then
rm -f ${TMP}
fi
diff --git a/init-sh/custom.sh b/init-sh/custom.sh
index c6963a9..46ba9af 100755
--- a/init-sh/custom.sh
+++ b/init-sh/custom.sh
@@ -5,7 +5,7 @@
# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
#
-if [ -f /etc/security/msec/init-sh/lib.sh ]; then
+if [[ -f /etc/security/msec/init-sh/lib.sh ]]; then
. /etc/security/msec/init-sh/lib.sh
fi
@@ -15,24 +15,24 @@ clear
###
echo "Do you want your log file to be in append mode only ?"
WaitAnswer; clear
-if [ ${answer} == "yes" ]; then
+if [[ ${answer} == yes ]]; then
find /var/log/ -type f -exec chattr +a {} \;
fi
###
echo "Do you want all system events to be logged on tty12 ?"
WaitAnswer; clear
-if [ ${answer} == "yes" ]; then
+if [[ ${answer} == yes ]]; then
AddRules "*.* /dev/tty12" /etc/syslog.conf
fi
###
echo "Do you want to deny any machine to connect to yours ?"
WaitAnswer
-if [ ${answer} == "yes" ]; then
+if [[ ${answer} == yes ]]; then
echo "Do you want only localhost to be allowed ?"
WaitAnswer; clear
- if [ "${answer}" == "yes" ]; then
+ if [[ ${answer} == yes ]]; then
AddRules "ALL:ALL EXCEPT localhost:DENY" /etc/hosts.deny
else
AddRules "ALL:ALL:DENY" /etc/hosts.deny
@@ -42,7 +42,7 @@ fi
###
echo "Do you want root console login to be allowed ?"
WaitAnswer; clear
-if [ ${answer} == "yes" ]; then
+if [[ ${answer} == yes ]]; then
AddRules "tty1" /etc/securetty quiet
AddRules "tty2" /etc/securetty quiet
AddRules "tty3" /etc/securetty quiet
@@ -53,7 +53,7 @@ fi
###
echo "Do you want your system to daily check important security problem ?"
WaitAnswer; clear
-if [ ${answer} == "yes" ]; then
+if [[ ${answer} == yes ]]; then
AddRules "CHECK_SECURITY=yes" /etc/security/msec/security.conf
AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/security_check.sh" /etc/crontab
fi
@@ -61,7 +61,7 @@ fi
###
echo "Do you want your system to daily check new open port listening ?"
WaitAnswer; clear
-if [ ${answer} == "yes" ]; then
+if [[ ${answer} == yes ]]; then
AddRules "CHECK_OPEN_PORT=yes" /etc/security/msec/security.conf
AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/security_check.sh" /etc/crontab
AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/diff_check.sh" /etc/crontab
@@ -70,7 +70,7 @@ fi
###
echo "Do you want your system to check for grave permission problem on senssibles files ?"
WaitAnswer; clear
-if [ ${answer} == "yes" ]; then
+if [[ ${answer} == yes ]]; then
AddRules "CHECK_PERMS=yes" /etc/security/msec/security.conf
AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/security_check.sh" /etc/crontab
fi
@@ -78,7 +78,7 @@ fi
###
echo "Do you want your system to daily check SUID Root file change ?"
WaitAnswer; clear
-if [ ${answer} == "yes" ]; then
+if [[ ${answer} == yes ]]; then
AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf
AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/diff_check.sh" /etc/crontab
fi
@@ -86,7 +86,7 @@ fi
###
echo "Do you want your system to daily check suid files md5 checksum changes ?"
WaitAnswer; clear
-if [ ${answer} == "yes" ]; then
+if [[ ${answer} == yes ]]; then
AddRules "CHECK_SUID_MD5=yes" /etc/security/msec/security.conf
AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/diff_check.sh" /etc/crontab
fi
@@ -94,7 +94,7 @@ fi
###
echo "Do you want your system to daily check SUID Group file change ?"
WaitAnswer; clear
-if [ ${answer} == "yes" ]; then
+if [[ ${answer} == yes ]]; then
AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf
AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/diff_check.sh" /etc/crontab
fi
@@ -102,7 +102,7 @@ fi
###
echo "Do you want your system to daily check Writeable file change ?"
WaitAnswer; clear
-if [ ${answer} == "yes" ]; then
+if [[ ${answer} == yes ]]; then
AddRules "CHECK_WRITEABLE=yes" /etc/security/msec/security.conf
AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/diff_check.sh" /etc/crontab
fi
@@ -110,7 +110,7 @@ fi
###
echo "Do you want your system to daily check Unowned file change ?"
WaitAnswer; clear
-if [ ${answer} == "yes" ]; then
+if [[ ${answer} == yes ]]; then
AddRules "CHECK_UNOWNED=yes" /etc/security/msec/security.conf
AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/diff_check.sh" /etc/crontab
fi
@@ -119,7 +119,7 @@ fi
echo "Do you want your system to verify every minutes if a network interface"
echo "is in promiscuous state (which mean someone is probably running a sniffer on your machine ) ?"
WaitAnswer; clear
-if [ ${answer} == "yes" ]; then
+if [[ ${answer} == yes ]]; then
AddRules "CHECK_PROMISC=yes" /etc/security/msec/security.conf
AddRules "*/1 * * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/promisc_check.sh" /etc/crontab
fi
@@ -132,7 +132,7 @@ LiloUpdate;
echo "Do you want to disable your running server ( except important one )"
echo "This is only valuable for server installed with rpm."
WaitAnswer; clear
-if [ ${answer} == "yes" ]; then
+if [[ ${answer} == yes ]]; then
echo -n "Disabling all service, except : {"
chkconfig --list | awk '{print $1}' | while read service; do
if grep -qx ${service} /etc/security/msec/init-sh/server.4; then
@@ -155,7 +155,7 @@ echo "Do you want to disallow rpm to automatically enable a new installed server
echo "yes = you will need to chkconfig (--add ) servername for the server to run on boot."
echo "no = rpm will do it for you, but you have less control of what is running on your machine."
WaitAnswer; clear
-if [ "${answer}" == "yes" ]; then
+if [[ ${answer} == yes ]; then
export SECURE_LEVEL="4"
AddRules "SECURE_LEVEL=\"4\"" /etc/profile
else
@@ -182,7 +182,7 @@ case "${answer}" in
AddRules "umask 022" /etc/profile
;;
"restricted")
- AddRules "if [ \${UID} == 0 ]; then umask 022; else umask 077; fi" /etc/profile
+ AddRules "if [[ \${UID} == 0 ]]; then umask 022; else umask 077; fi" /etc/profile
;;
"paranoid")
AddRules "umask 077" /etc/profile
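Review bot: The rewritten rule appends `if [[ \${UID} == 0 ]]; …` to /etc/profile, which every login shell on the box sources, and `[[ ]]` is bash-only — a user whose login shell is a POSIX `sh`, ash or ksh variant gets a syntax error at login instead of a umask. Unlike the other hunks in this file, which run under the script's own shell, this line is emitted into a file read by other shells, so the `[ ... ]` form should stay here; `$UID` is itself a bash variable, so the portable line is `AddRules "if [ \"\$(id -u)\" = 0 ]; then umask 022; else umask 077; fi" /etc/profile`.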
@@ -194,7 +194,7 @@ echo "Do you want a "." in your PATH variable ?"
echo "This permit you to not use ./progname & to just type progname"
echo "However this is a *high* security risk."
WaitAnswer; clear
-if [ ${answer} == "yes" ]; then
+if [[ ${answer} == yes ]]; then
AddRules "PATH=\$PATH:/usr/X11R6/bin:/usr/games:." /etc/profile
else
AddRules "PATH=\$PATH:/usr/X11R6/bin:/usr/games" /etc/profile
diff --git a/init-sh/file_perm.sh b/init-sh/file_perm.sh
index 0e13e9c..a74a08d 100755
--- a/init-sh/file_perm.sh
+++ b/init-sh/file_perm.sh
@@ -1,6 +1,6 @@
#!/bin/bash
-if [ ! -s $1 ]; then
+if [[ ! -s $1 ]]; then
echo "I need a msec permfile in argument".
exit 1
fi
@@ -8,8 +8,8 @@ fi
echo -n "Setting files permissions : "
grep -v "^#" $1 | while read file owner perm; do
- if [ -a "${file}" ]; then
- if [ ${owner} != "current" ]; then
+ if [[ -a ${file} ]]; then
+ if [[ ${owner} != current ]]; then
chown ${owner} ${file}
fi
chmod ${perm} ${file}
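Review bot: The new `[[ -a ${file} ]]` uses `-a`, which bash keeps only as an obsolete synonym of `-e`; `[[ -e ${file} ]]` says the same thing without the collision with the binary `-a` operator. The `chown`/`chmod` lines under it (unchanged) still expand `${file}` unquoted outside `[[ ]]`, so a path with spaces or glob characters in the perm file would be split; quoting them (`chown ${owner} "${file}"`, `chmod ${perm} "${file}"`) keeps the check and the action consistent. Since `-e`, chown and chmod all follow symlinks, a perm-file entry that is a symlink changes its target rather than the link; a short comment in the perm-file header saying that this is expected would document the contract.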
diff --git a/init-sh/grpuser b/init-sh/grpuser
index 408e384..fb2ad25 100755
--- a/init-sh/grpuser
+++ b/init-sh/grpuser
@@ -33,7 +33,7 @@ RemoveUserFromGroup() {
}
AppendUserToGroup() {
- if [ -z "${group_users}" ]; then
+ if [[ -z ${group_users} ]]; then
new_group_line=${group_line}${user_name}
else
new_group_line=${group_line}",${user_name}"
@@ -41,7 +41,7 @@ AppendUserToGroup() {
}
IsUserAlreadyInGroup() {
- if echo "${group_users}" | grep -qw "${user_name}"; then
+ if echo ${group_users} | grep -qw "${user_name}"; then
return 1
fi
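Review bot: Dropping the quotes in `echo ${group_users} | grep -qw "${user_name}"` is not equivalent to the `[[ ]]` changes elsewhere in this commit: here the expansion is a command argument, so it is now subject to word splitting and pathname expansion, and the quoted form was already correct. Restore it: `if echo "${group_users}" | grep -qw "${user_name}"; then`. `grep -w` also interprets `${user_name}` as a regular expression; `grep -qwF` matches the name literally if the target grep accepts `-F` together with `-w`.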
@@ -66,7 +66,7 @@ IsGroupExisting() {
IsUserExisting() {
grep -qn "^${user_name}:" /etc/passwd
- if [ $? == 0 ]; then
+ if [[ $? == 0 ]]; then
return 0;
fi
@@ -75,20 +75,20 @@ IsUserExisting() {
Add() {
IsGroupExisting;
- if [ $? == 0 ]; then
+ if [[ $? == 0 ]]; then
echo "Sorry, group \"${group_name}\" does not exist."
echo "Please create it using the \"groupadd\" command."
exit 1
fi
IsUserExisting;
- if [ $? == 1 ]; then
+ if [[ $? == 1 ]]; then
echo "Sorry, user \"${user_name}\" does not exist."
exit 1
fi
IsUserAlreadyInGroup;
- if [ $? == 1 ]; then
+ if [[ $? == 1 ]]; then
echo "Sorry, user \"${user_name}\" is already in group \"${group_name}\"."
exit 1
fi
@@ -101,13 +101,13 @@ Add() {
Del() {
IsGroupExisting;
- if [ $? == 0 ]; then
+ if [[ $? == 0 ]]; then
echo "Sorry, group \"${group_name}\" does not exist."
exit 1
fi
IsUserAlreadyInGroup;
- if [ $? == 0 ]; then
+ if [[ $? == 0 ]]; then
echo "Sorry, user \"${user_name}\" is not in group \"${group_name}\"."
exit 1
fi
@@ -119,13 +119,13 @@ Del() {
}
Perm() {
- if [ ! -w /etc/${file} ]; then
+ if [[ ! -w /etc/${file} ]]; then
echo "You're not allowed to write to /etc/group..."
exit 1
fi
}
-if [ $# == 3 ]; then
+if [[ $# == 3 ]]; then
case $1 in
"--add")
Perm;
diff --git a/init-sh/init.sh b/init-sh/init.sh
index 361eb1e..82d3964 100755
--- a/init-sh/init.sh
+++ b/init-sh/init.sh
@@ -1,20 +1,20 @@
#!/bin/sh
-if [ -z $1 ]; then
+if [[ -z $1 ]]; then
echo "Usage : $0 [0-5]"
echo "Usage : $0 \"custom\""
exit 1
fi
-if [ "${1}" == "custom" ]; then
+if [[ ${1} == custom ]]; then
/etc/security/msec/init-sh/custom.sh
exit 0;
fi
-if [ -f /etc/security/msec/init-sh/level$1.sh ]; then
+if [[ -f /etc/security/msec/init-sh/level$1.sh ]]; then
/etc/security/msec/init-sh/level$1.sh
- if [ -f /etc/security/msec/init-sh/perm.$1 ]; then
+ if [[ -f /etc/security/msec/init-sh/perm.$1 ]]; then
/etc/security/msec/init-sh/file_perm.sh /etc/security/msec/init-sh/perm.$1
else
echo "Couldn't find the default permissions for level $1."
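Review bot: Every test in this hunk now uses `[[ ]]`, but the script's first line (context) is still `#!/bin/sh`; on a system where /bin/sh is not bash the script fails at `[[ -z $1 ]]` with a syntax error. The other scripts in this change declare `#!/bin/bash` (init-sh/file_perm.sh, for example), so this one should too: `#!/bin/bash`. Independently, `$1` is only checked for emptiness before being spliced into `level$1.sh` and `perm.$1`; matching it against the usage the script already prints, `case $1 in [0-5]|custom) ;; *) echo "Usage : $0 [0-5]"; exit 1;; esac`, rejects anything else up front.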
diff --git a/init-sh/level0.sh b/init-sh/level0.sh
index 1e0a7f1..599cabe 100755
--- a/init-sh/level0.sh
+++ b/init-sh/level0.sh
@@ -5,7 +5,7 @@
# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
#
-if [ -f /etc/security/msec/init-sh/lib.sh ]; then
+if [[ -f /etc/security/msec/init-sh/lib.sh ]]; then
. /etc/security/msec/init-sh/lib.sh
else
exit 1
@@ -71,11 +71,13 @@ AddRules "/usr/X11R6/bin/xhost +" /etc/X11/xdm/Xsession quiet
AddRules "/usr/X11R6/bin/xhost +" /etc/X11/xinit/xinitrc
# Group
-echo -n "Adding \"${DRAKX_USERS}\" to audio group :"
-for user in ${DRAKX_USERS}; do
- usermod -G audio "${user}"
-done
-echo "done."
+if [[ ! -z ${DRAKX_USERS} ]]; then
+ echo -n "Adding \"${DRAKX_USERS}\" to audio group :"
+ for user in ${DRAKX_USERS}; do
+ usermod -G audio "${user}"
+ done
+ echo "done."
+fi
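Review bot: The loop body, now re-indented on the new side, still calls `usermod -G audio "${user}"`, which sets the user's supplementary groups to exactly `audio` and drops any others the user had; the project's own helper appends instead (lib.sh at hunk @@ -188 uses `/etc/security/msec/init-sh/grpuser --del audio "${user}"` for the reverse operation), so the loop should call `/etc/security/msec/init-sh/grpuser --add audio "${user}"`. The same loop is in init-sh/level1.sh (@@ -74) and init-sh/level2.sh (@@ -71). The new guard `[[ ! -z ${DRAKX_USERS} ]]` reads more directly as `[[ -n ${DRAKX_USERS} ]]`.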
diff --git a/init-sh/level1.sh b/init-sh/level1.sh
index 861a34c..583c547 100755
--- a/init-sh/level1.sh
+++ b/init-sh/level1.sh
@@ -5,7 +5,7 @@
# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
#
-if [ -f /etc/security/msec/init-sh/lib.sh ]; then
+if [[ -f /etc/security/msec/init-sh/lib.sh ]]; then
. /etc/security/msec/init-sh/lib.sh
else
exit 1
@@ -74,13 +74,13 @@ AddRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xinit/xinitrc
###
# Group
-echo -n "Adding \"${DRAKX_USERS}\" to audio group :"
-for user in ${DRAKX_USERS}; do
- usermod -G audio "${user}"
-done
-echo "done."
-
-
+if [[ ! -z ${DRAKX_USERS} ]]; then
+ echo -n "Adding \"${DRAKX_USERS}\" to audio group :"
+ for user in ${DRAKX_USERS}; do
+ usermod -G audio "${user}"
+ done
+ echo "done."
+fi
diff --git a/init-sh/level2.sh b/init-sh/level2.sh
index d387b13..ea5174f 100755
--- a/init-sh/level2.sh
+++ b/init-sh/level2.sh
@@ -5,7 +5,7 @@
# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
#
-if [ -f /etc/security/msec/init-sh/lib.sh ]; then
+if [[ -f /etc/security/msec/init-sh/lib.sh ]]; then
. /etc/security/msec/init-sh/lib.sh
else
exit 1
@@ -71,8 +71,11 @@ AddRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xdm/Xsession quiet
AddRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xinit/xinitrc
# Group
-echo -n "Adding \"${DRAKX_USERS}\" to audio group :"
-for user in ${DRAKX_USERS}; do
- usermod -G audio "${user}"
-done
-echo "done."
+if [[ ! -z ${DRAKX_USERS} ]]; then
+ echo -n "Adding \"${DRAKX_USERS}\" to audio group :"
+ for user in ${DRAKX_USERS}; do
+ usermod -G audio "${user}"
+ done
+ echo "done."
+fi
+
diff --git a/init-sh/level3.sh b/init-sh/level3.sh
index 3d33690..1fc9177 100755
--- a/init-sh/level3.sh
+++ b/init-sh/level3.sh
@@ -5,7 +5,7 @@
# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
#
-if [ -f /etc/security/msec/init-sh/lib.sh ]; then
+if [[ -f /etc/security/msec/init-sh/lib.sh ]]; then
. /etc/security/msec/init-sh/lib.sh
else
exit 1
diff --git a/init-sh/level4.sh b/init-sh/level4.sh
index a5ba70d..edc5c64 100755
--- a/init-sh/level4.sh
+++ b/init-sh/level4.sh
@@ -7,7 +7,7 @@
#
-if [ -f /etc/security/msec/init-sh/lib.sh ]; then
+if [[ -f /etc/security/msec/init-sh/lib.sh ]]; then
. /etc/security/msec/init-sh/lib.sh
else
exit 1
diff --git a/init-sh/level5.sh b/init-sh/level5.sh
index ea65199..454bbf8 100755
--- a/init-sh/level5.sh
+++ b/init-sh/level5.sh
@@ -5,7 +5,7 @@
# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
#
-if [ -f /etc/security/msec/init-sh/lib.sh ]; then
+if [[ -f /etc/security/msec/init-sh/lib.sh ]]; then
. /etc/security/msec/init-sh/lib.sh
fi
diff --git a/init-sh/lib.sh b/init-sh/lib.sh
index 7c90b05..ec93c61 100644
--- a/init-sh/lib.sh
+++ b/init-sh/lib.sh
@@ -15,7 +15,7 @@ COMMENT="# Mandrake-Security : if you remove this comment, remove the next line
WaitAnswer() {
answer="nothing"
- while [[ "${answer}" != "yes" && "${answer}" != "no" ]]; do
+ while [[ ${answer} != yes && ${answer} != no ]]; do
echo -n "yes/no : "
read answer
done
@@ -24,12 +24,13 @@ WaitAnswer() {
AddRules () {
string=$1
file=$2
+ quiet=$3
- if [ -z "${string}" ]; then
+ if [[ -z ${string} ]]; then
return;
fi
- if [ -z ${3} ]; then
+ if [[ -z ${quiet} ]]; then
echo "Modifying config in ${file}..."
fi
@@ -37,7 +38,7 @@ AddRules () {
echo -e "${COMMENT}" >> ${file};
echo -e "${string}" >> ${file};
fi
- if [ -z ${3} ]; then
+ if [[ -z ${3} ]]; then
echo -e "done.\n"
fi
}
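Review bot: The second quiet test, on the line before `echo -e "done.\n"`, still reads `[[ -z ${3} ]]` although the hunk above introduced `quiet=$3` and switched the first test to `${quiet}`; finishing the rename with `if [[ -z ${quiet} ]]; then` keeps the two tests from diverging. `string`, `file` and `quiet` are assigned without `local`, so they are globals shared with CleanRules and CommentUserRules (both also assign `file`) and with callers; `local quiet=$3` would contain the new one, and `local` is a bash-ism the file already relies on through `[[ ]]`.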
@@ -46,9 +47,10 @@ CleanRules() {
file=$1
ctrl=0
- if [ ! -f ${file} ]; then
+ if [[ ! -f ${file} ]]; then
return;
fi
+
echo -en "\t- Cleaning msec appended line in ${file} : "
mv -f ${file} /tmp/secure.tmp
touch ${file}
@@ -76,7 +78,7 @@ CleanRules() {
CommentUserRules() {
file=$1
- if [ ! -f ${file} ]; then
+ if [[ ! -f ${file} ]]; then
return;
fi
@@ -111,7 +113,7 @@ Ttylog() {
LiloUpdate() {
- if [ ! -f /tmp/secure.DrakX ]; then
+ if [[ ! -f /tmp/secure.DrakX ]]; then
echo "Do you want a password authentication at boot time ?"
echo "Be very carefull,"
echo "this will prevent your server to reboot without an operator to enter password".
@@ -126,7 +128,7 @@ LiloUpdate() {
password=${DRAKX_PASSWORD}
fi
- if [ ! -z "${password}" ]; then
+ if [[ ! -z "${password}" ]]; then
mv /etc/lilo.conf /tmp/secure.tmp
while read line; do
if ! echo "${line}" | grep -q "password"; then
@@ -143,12 +145,12 @@ LiloUpdate() {
# If we are currently installing our
# system with DrakX, we don't ask anything to the user...
# Instead, DrakX do it and give us a file with some variable.
-if [ -f /tmp/secure.DrakX ]; then
+if [[ -f /tmp/secure.DrakX ]]; then
. /tmp/secure.DrakX
AddRules "${DRAKX_USERS}" /etc/security/msec/security.conf
fi
-if [ -f /etc/security/msec/security.conf ]; then
+if [[ -f /etc/security/msec/security.conf ]]; then
. /etc/security/msec/security.conf
fi
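Review bot: The new `[[ -f /tmp/secure.DrakX ]]` only checks that something exists at that path before the next line sources it as root with `.`; a file under the world-writable /tmp is trusted on its name alone. Tightening the test to `[[ -f /tmp/secure.DrakX && ! -L /tmp/secure.DrakX && -O /tmp/secure.DrakX ]]` at least requires a regular file owned by the invoking user, and a handoff path outside /tmp would remove the issue entirely; the same fixed /tmp names appear in CleanRules (`/tmp/secure.tmp`, hunk @@ -46) and LiloUpdate (@@ -126). This is pre-existing behaviour rather than something the `[[` conversion introduced.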
@@ -188,14 +190,14 @@ usermod -G xgrp xfs
# We aren't at install time,
# so we delete ( temporarily ) audio user.
-if [ ! -f /tmp/secure.DrakX ]; then
- if [ ! -z ${DRAKX_USERS} ]; then
+if [[ ! -f /tmp/secure.DrakX ]]; then
+ if [[ ! -z ${DRAKX_USERS} ]]; then
for user in ${DRAKX_USERS}; do
/etc/security/msec/init-sh/grpuser --del audio "${user}"
done
fi
else
- if [ ! -z ${DRAKX_USERS} ]; then
+ if [[ ! -z ${DRAKX_USERS} ]]; then
AddRules "${DRAKX_USERS}" /etc/security/msec/security.conf
fi
fi