-rw-r--r-- | Makefile | 26 | ||||
-rw-r--r-- | conf/perm.0 (renamed from init-sh/perm.0) | 0 | ||||
-rw-r--r-- | conf/perm.1 (renamed from init-sh/perm.1) | 0 | ||||
-rw-r--r-- | conf/perm.2 (renamed from init-sh/perm.2) | 0 | ||||
-rw-r--r-- | conf/perm.3 (renamed from init-sh/perm.3) | 0 | ||||
-rw-r--r-- | conf/perm.4 (renamed from init-sh/perm.4) | 0 | ||||
-rw-r--r-- | conf/perm.5 (renamed from init-sh/perm.5) | 0 | ||||
-rw-r--r-- | conf/server.4 (renamed from init-sh/server.4) | 0 | ||||
-rw-r--r-- | conf/server.5 (renamed from init-sh/server.5) | 0 | ||||
-rwxr-xr-x | cron-sh/promisc_check.sh | 9 | ||||
-rwxr-xr-x | cron-sh/security.sh | 6 | ||||
-rwxr-xr-x | init-sh/custom.sh | 36 | ||||
-rwxr-xr-x | init-sh/level0.sh | 3 | ||||
-rwxr-xr-x | init-sh/level1.sh | 8 | ||||
-rwxr-xr-x | init-sh/level2.sh | 11 | ||||
-rwxr-xr-x | init-sh/level3.sh | 9 | ||||
-rwxr-xr-x | init-sh/level4.sh | 12 | ||||
-rwxr-xr-x | init-sh/level5.sh | 13 | ||||
-rw-r--r-- | init-sh/lib.sh | 2 | ||||
-rwxr-xr-x | init-sh/msec (renamed from init-sh/init.sh) | 10 |
20 files changed, 83 insertions, 62 deletions
@@ -51,21 +51,19 @@ rpm: dis ../$(NAME)-$(VERSION).tar.bz2 $(RPM) rm -f ../$(NAME)-$(VERSION).tar.bz2 install:
- (rm -rf /etc/security/msec)
- (mkdir -p /etc/security/msec/init-sh)
- (cp init-sh/level* /etc/security/msec/init-sh)
- (cp init-sh/init.sh /etc/security/msec/init.sh);
- (cp init-sh/lib.sh /etc/security/msec/init-sh);
- (cp init-sh/grpuser.sh /etc/security/msec/init-sh);
- (cp init-sh/file_perm.sh /etc/security/msec/init-sh);
- (cp init-sh/*.[0-5] /etc/security/msec/init-sh/)
- (cp init-sh/custom.sh /etc/security/msec/init-sh);
- (cp init-sh/server.* /etc/security/msec/init-sh)
+ (rm -rf $(RPM_BUILD_ROOT)/etc/security/msec)
+ (mkdir -p $(RPM_BUILD_ROOT)/etc/security/msec)
+ (mkdir -p $(RPM_BUILD_ROOT)/usr/share/msec)
+ (cp init-sh/*.sh $(RPM_BUILD_ROOT)/usr/share/msec)
+ (cp cron-sh/*.sh $(RPM_BUILD_ROOT)/usr/share/msec)
+ (cp init-sh/msec $(RPM_BUILD_ROOT)/usr/sbin)
+ (cp conf/perm.* conf/server.* $(RPM_BUILD_ROOT)/etc/security/msec)
+ (touch $(RPM_BUILD_ROOT)/etc/security/msec/security.conf)
- touch $(RPM_BUILD_ROOT)/var/log/security.log
- mkdir -p $(RPM_BUILD_ROOT)/var/log/security
- (cd src/promisc_check; make install)
- (cd cron-sh; make install)
+ (touch $(RPM_BUILD_ROOT)/var/log/security.log)
+ (mkdir -p $(RPM_BUILD_ROOT)/var/log/security)
+ (cd src/promisc_check && make install)
+ (cd cron-sh && make install)
@echo @echo
diff --git a/init-sh/perm.0 b/conf/perm.0
index 9ade3c2..9ade3c2 100644
--- a/init-sh/perm.0
+++ b/conf/perm.0
diff --git a/init-sh/perm.1 b/conf/perm.1
index 8fc7d12..8fc7d12 100644
--- a/init-sh/perm.1
+++ b/conf/perm.1
diff --git a/init-sh/perm.2 b/conf/perm.2
index c6a3d41..c6a3d41 100644
--- a/init-sh/perm.2
+++ b/conf/perm.2
diff --git a/init-sh/perm.3 b/conf/perm.3
index 2c8520d..2c8520d 100644
--- a/init-sh/perm.3
+++ b/conf/perm.3
diff --git a/init-sh/perm.4 b/conf/perm.4
index ef31596..ef31596 100644
--- a/init-sh/perm.4
+++ b/conf/perm.4
diff --git a/init-sh/perm.5 b/conf/perm.5
index a4d5755..a4d5755 100644
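Review bot: `(cp init-sh/msec $(RPM_BUILD_ROOT)/usr/sbin)` is the only copy in the new install recipe with no preceding `mkdir -p`; in a fresh build root the copy either fails or, if `$(RPM_BUILD_ROOT)/usr` already exists, writes the script to a regular file named `sbin`, so add `(mkdir -p $(RPM_BUILD_ROOT)/usr/sbin)` before it. The recipe opens with `rm -rf $(RPM_BUILD_ROOT)/etc/security/msec`, which with RPM_BUILD_ROOT unset (a plain `make install`) wipes the live configuration directory; a guard such as `$(if $(strip $(RPM_BUILD_ROOT)),,$(warning RPM_BUILD_ROOT is empty, installing to /))` would at least make that visible. security.conf is created with a bare `touch` and inherits the builder's umask, yet it is sourced as root by the cron scripts later in this diff, so set its owner and mode explicitly (e.g. `install -m 0644 /dev/null $(RPM_BUILD_ROOT)/etc/security/msec/security.conf`). The two sub-builds should be invoked as `$(MAKE)` rather than `make` so that `-n` and parallel-job settings propagate.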
--- a/init-sh/perm.5
+++ b/conf/perm.5
diff --git a/init-sh/server.4 b/conf/server.4
index 044f0bf..044f0bf 100644
--- a/init-sh/server.4
+++ b/conf/server.4
diff --git a/init-sh/server.5 b/conf/server.5
index 044f0bf..044f0bf 100644
--- a/init-sh/server.5
+++ b/conf/server.5
diff --git a/cron-sh/promisc_check.sh b/cron-sh/promisc_check.sh
index cabf0a8..ec0526d 100755
--- a/cron-sh/promisc_check.sh
+++ b/cron-sh/promisc_check.sh
@@ -6,7 +6,7 @@ if [[ -f /etc/security/msec/security.conf ]]; then . /etc/security/msec/security.conf
else
- echo "/etc/security/msec/security.conf don't exist."
+ echo "/etc/security/msec/security.conf doesn't exist."
exit 1
fi
@@ -29,11 +29,8 @@ Ttylog() { fi
}
+# Check if a network interface is in promiscuous mode...
PROMISC="/usr/bin/promisc_check -q"
-#
-# Check if a network interface is in promisc check...
-# Written by Vandoorselaere Yoann, <yoann@mandrakesoft.com>
-#
LogPromisc() { date=`date`
@@ -57,7 +54,7 @@ if [[ ${CHECK_PROMISC} == no ]]; then fi
for INTERFACE in `${PROMISC}`; do
- LogPromisc $INTERFACE
+ LogPromisc ${INTERFACE}
done
diff --git a/cron-sh/security.sh b/cron-sh/security.sh
index 43ad9d6..ee94863 100755
--- a/cron-sh/security.sh
+++ b/cron-sh/security.sh
@@ -72,6 +72,8 @@ fi
netstat -pvlA inet 2> /dev/null > ${OPEN_PORT_TODAY};
+
+# Hard disk related file check; the less priority the better...
nice --adjustment=+19 find ${DIR} -xdev -type f -perm +04000 -user root -printf "${PRINT}" 2> /dev/null | sort > ${SUID_ROOT_TODAY}
nice --adjustment=+19 find ${DIR} -xdev -type f -perm +02000 -printf "${PRINT}" 2> /dev/null | sort > ${SUID_GROUP_TODAY}
nice --adjustment=+19 find ${DIR} -xdev -type f -perm -2 -printf "${PRINT}" 2> /dev/null | sort > ${WRITEABLE_TODAY}
@@ -115,8 +117,8 @@ Maillog() { ##################
-. /etc/security/msec/cron-sh/diff_check.sh
-. /etc/security/msec/cron-sh/security_check.sh
+. /usr/share/msec/diff_check.sh
+. /usr/share/msec/security_check.sh
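Review bot: The two new `. /usr/share/msec/diff_check.sh` and `. /usr/share/msec/security_check.sh` lines in security.sh source their helpers without the existence check that custom.sh and level1.sh–level5.sh gain for lib.sh in this same commit; if either file is missing, the `.` builtin reports an error but (under bash outside POSIX mode) the script continues with the comparison functions undefined, and the hourly cron job produces no report. A guard in the same style as the other scripts, `[[ -f /usr/share/msec/diff_check.sh ]] || { echo "Can't find /usr/share/msec/diff_check.sh, exiting."; exit 1; }`, would make the failure loud. Neither helper appears in the diffstat, so whether they live in cron-sh/ and are picked up by the Makefile's `cp cron-sh/*.sh`, or are still installed by cron-sh's own `make install` under the old path, should be confirmed.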
diff --git a/init-sh/custom.sh b/init-sh/custom.sh
index af4bba5..b8b8402 100755
--- a/init-sh/custom.sh
+++ b/init-sh/custom.sh
@@ -5,8 +5,12 @@ # Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> #
-if [[ -f /etc/security/msec/init-sh/lib.sh ]]; then
- . /etc/security/msec/init-sh/lib.sh
+
+if [[ -f /usr/share/msec/lib.sh ]]; then
+ . /usr/share/msec/lib.sh
+else
+ echo "Can't find /usr/share/msec/lib.sh, exiting."
+ exit 1
fi
clear
@@ -62,7 +66,7 @@ echo "Do you want your system to daily check important security problem ?"
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
AddRules "CHECK_SECURITY=yes" /etc/security/msec/security.conf
- AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/security.sh" /etc/crontab
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /usr/share/msec/security.sh" /etc/crontab
fi
###
@@ -70,7 +74,7 @@ echo "Do you want your system to daily check new open port listening ?"
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
AddRules "CHECK_OPEN_PORT=yes" /etc/security/msec/security.conf
- AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/security.sh" /etc/crontab
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /usr/share/msec/security.sh" /etc/crontab
fi
###
@@ -78,7 +82,7 @@ echo "Do you want your system to check for grave permission problem on sensibles
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
AddRules "CHECK_PERMS=yes" /etc/security/msec/security.conf
- AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/security.sh" /etc/crontab
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /usr/share/msec/security.sh" /etc/crontab
fi
###
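Review bot: Each relocated `AddRules "0 0-23 * * * root nice --adjustment=+19 /usr/share/msec/security.sh" /etc/crontab` line schedules security.sh at the top of every hour, while the prompt in the hunk header says "daily" and level3.sh–level5.sh in this same commit install the check as `0 0 * * * root /usr/share/msec/security.sh`; one of the two should change, and the same line recurs in the -70, -78, -86, -94, -102, -110 and -118 hunks. Whether AddRules de-duplicates when several questions are answered yes is decided in lib.sh, outside this diff, so it is worth confirming that /etc/crontab does not end up with the same entry up to eight times. Hoisting the string into one variable near the top of the script, e.g. `SECURITY_CRON="0 0-23 * * * root nice --adjustment=+19 /usr/share/msec/security.sh"`, would leave a single place to edit on the next relocation. The -242 hunk only appends eight blank lines to the end of the file and could be dropped.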
@@ -86,7 +90,7 @@ echo "Do you want your system to daily check SUID Root file change ?"
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf
- AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/security.sh" /etc/crontab
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /usr/share/msec/security.sh" /etc/crontab
fi
###
@@ -94,7 +98,7 @@ echo "Do you want your system to daily check suid files md5 checksum changes ?"
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
AddRules "CHECK_SUID_MD5=yes" /etc/security/msec/security.conf
- AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/security.sh" /etc/crontab
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /usr/share/msec/security.sh" /etc/crontab
fi
###
@@ -102,7 +106,7 @@ echo "Do you want your system to daily check SUID Group file change ?"
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf
- AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/security.sh" /etc/crontab
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /usr/share/msec/security.sh" /etc/crontab
fi
###
@@ -110,7 +114,7 @@ echo "Do you want your system to daily check Writeable file change ?"
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
AddRules "CHECK_WRITEABLE=yes" /etc/security/msec/security.conf
- AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/security.sh" /etc/crontab
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /usr/share/msec/security.sh" /etc/crontab
fi
###
@@ -118,7 +122,7 @@ echo "Do you want your system to daily check Unowned file change ?"
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
AddRules "CHECK_UNOWNED=yes" /etc/security/msec/security.conf
- AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/security.sh" /etc/crontab
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /usr/share/msec/security.sh" /etc/crontab
fi
###
@@ -127,7 +131,7 @@ echo "is in promiscuous state (which mean someone is probably running a sniffer
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
AddRules "CHECK_PROMISC=yes" /etc/security/msec/security.conf
- AddRules "*/1 * * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/promisc_check.sh" /etc/crontab
+ AddRules "*/1 * * * * root nice --adjustment=+19 /usr/share/msec/promisc_check.sh" /etc/crontab
fi
###
@@ -169,7 +173,7 @@ WaitAnswer; clear
if [[ ${answer} == yes ]]; then
echo -n "Disabling all service, except : {"
chkconfig --list | awk '{print $1}' | while read service; do
- if grep -qx ${service} /etc/security/msec/init-sh/server.4; then
+ if grep -qx ${service} /etc/security/msec/server.4; then
echo -n " ${service}"
fi
done
@@ -242,3 +246,11 @@ AddRules "export PATH SECURE_LEVEL" /etc/profile
+
+
+
+
+
+
+
+
diff --git a/init-sh/level0.sh b/init-sh/level0.sh
index ea5181c..b979b61 100755
--- a/init-sh/level0.sh
+++ b/init-sh/level0.sh
@@ -5,6 +5,7 @@ # Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> #
+
if [[ -f /etc/security/msec/init-sh/lib.sh ]]; then
. /etc/security/msec/init-sh/lib.sh
else
@@ -74,7 +75,7 @@ AddBegRules "/usr/X11R6/bin/xhost +" /etc/X11/xinit/xinitrc # Group echo "Adding system users to specific groups :"
-/etc/security/msec/init-sh/grpuser.sh --refresh
+/usr/share/msec/grpuser.sh --refresh
echo -e "done.\n"
# Boot on a shell / authorize ctrl-alt-del
diff --git a/init-sh/level1.sh b/init-sh/level1.sh
index 32d00f1..0c17880 100755
--- a/init-sh/level1.sh
+++ b/init-sh/level1.sh
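Review bot: level0.sh still sources `/etc/security/msec/init-sh/lib.sh` (context lines of its -5 hunk, where this commit only inserts a blank line), but the Makefile in the same commit no longer installs anything under /etc/security/msec/init-sh — lib.sh now lands in /usr/share/msec — so level 0 will take the `else` branch on every freshly installed system while the grpuser.sh call two hunks later already points at the new location. It needs the same edit level1.sh–level5.sh receive: `if [[ -f /usr/share/msec/lib.sh ]]; then` / `. /usr/share/msec/lib.sh` and the `echo "Can't find /usr/share/msec/lib.sh, exiting."` before the exit. The remainder of that `else` branch is outside the hunk.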
@@ -5,9 +5,11 @@ # Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> #
-if [[ -f /etc/security/msec/init-sh/lib.sh ]]; then
- . /etc/security/msec/init-sh/lib.sh
+
+if [[ -f /usr/share/msec/lib.sh ]]; then
+ . /usr/share/msec/lib.sh
else
+ echo "Can't find /usr/share/msec/lib.sh, exiting."
exit 1
fi
@@ -75,7 +77,7 @@ AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xinit/xinitrc # Group echo "Adding system users to specific groups :"
-/etc/security/msec/init-sh/grpuser.sh --refresh
+/usr/share/msec/grpuser.sh --refresh
grpconv
echo -e "done.\n"
diff --git a/init-sh/level2.sh b/init-sh/level2.sh
index e012f72..9348529 100755
--- a/init-sh/level2.sh
+++ b/init-sh/level2.sh
@@ -5,9 +5,12 @@ # Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> #
-if [[ -f /etc/security/msec/init-sh/lib.sh ]]; then
- . /etc/security/msec/init-sh/lib.sh
+
+
+if [[ -f /usr/share/msec/lib.sh ]]; then
+ . /usr/share/msec/lib.sh
else
+ echo "Can't find /usr/share/msec/lib.sh, exiting."
exit 1
fi
@@ -74,7 +77,7 @@ AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xinit/xinitrc # group echo "Adding system users to specifics groups :"
-/etc/security/msec/init-sh/grpuser.sh --refresh
+/usr/share/msec/grpuser.sh --refresh
grpconv
echo -e "done.\n"
@@ -87,3 +90,5 @@ cat ${tmpfile} | \
sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab
rm -f ${tmpfile}
echo "done."
+
+
diff --git a/init-sh/level3.sh b/init-sh/level3.sh
index 1e78f93..bf53c66 100755
--- a/init-sh/level3.sh
+++ b/init-sh/level3.sh
@@ -5,13 +5,14 @@ # Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> #
-if [[ -f /etc/security/msec/init-sh/lib.sh ]]; then
- . /etc/security/msec/init-sh/lib.sh
+
+if [[ -f /usr/share/msec/lib.sh ]]; then
+ . /usr/share/msec/lib.sh
else
+ echo "Can't find /usr/share/msec/lib.sh, exiting."
exit 1
fi
-# All events logged on tty12
echo "Loging all messages on tty12 : "
AddRules "*.* /dev/tty12" /etc/syslog.conf
@@ -59,7 +60,7 @@ echo -e "\t- Security warning in syslog : yes." # Crontab echo "Adding permission check in crontab (scheduled every midnight) :"
-AddRules "0 0 * * * root /etc/security/msec/cron-sh/security.sh" /etc/crontab
+AddRules "0 0 * * * root /usr/share/msec/security.sh" /etc/crontab
# lilo update
echo -n "Running lilo to record new config : "
diff --git a/init-sh/level4.sh b/init-sh/level4.sh
index 18d9aac..75a0e85 100755
--- a/init-sh/level4.sh
+++ b/init-sh/level4.sh
@@ -6,10 +6,10 @@ # Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> #
-
-if [[ -f /etc/security/msec/init-sh/lib.sh ]]; then
- . /etc/security/msec/init-sh/lib.sh
+if [[ -f /usr/share/msec/lib.sh ]]; then
+ . /usr/share/msec/lib.sh
else
+ echo "Can't find /usr/share/msec/lib.sh, exiting."
exit 1
fi
@@ -68,10 +68,10 @@ echo -e "\t- Security warning in syslog : yes." # Check every 1 minutes for promisc problem echo "Adding promisc check in crontab (scheduled every minutes) :"
-AddRules "*/1 * * * * root /etc/security/msec/cron-sh/promisc_check.sh" /etc/crontab
+AddRules "*/1 * * * * root /usr/share/msec/promisc_check.sh" /etc/crontab
echo "Adding \"diff\" & \"global\" security check in crontab (scheduled every midnight) :"
-AddRules "0 0 * * * root /etc/security/msec/cron-sh/security.sh" /etc/crontab
+AddRules "0 0 * * * root /usr/share/msec/security.sh" /etc/crontab
# Do you want a password ?
LiloUpdate;
@@ -88,7 +88,7 @@ IFS=" "
echo -n "Disabling all service, except : {"
for service in `chkconfig --list | awk '{print $1}'`; do
- if grep -qx ${service} /etc/security/msec/init-sh/server.4; then
+ if grep -qx ${service} /etc/security/msec/server.4; then
echo -n " ${service}"
fi
done
diff --git a/init-sh/level5.sh b/init-sh/level5.sh
index 9e8af53..59dc413 100755
--- a/init-sh/level5.sh
+++ b/init-sh/level5.sh
@@ -5,8 +5,11 @@ # Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> #
-if [[ -f /etc/security/msec/init-sh/lib.sh ]]; then
- . /etc/security/msec/init-sh/lib.sh
+if [[ -f /usr/share/msec/lib.sh ]]; then
+ . /usr/share/msec/lib.sh
+else
+ echo "Can't find /usr/share/msec/lib.sh, exiting."
+ exit 1
fi
echo -e "Changing attribute of /var/log/* to append only...\n"
@@ -60,10 +63,10 @@ echo -e "\t- Security warning in syslog : yes." ################ Crontab things ################### # Check every 1 minutes for promisc problem echo "Adding promisc check in crontab (scheduled every minutes) :"
-AddRules "*/1 * * * * root /etc/security/msec/cron-sh/promisc_check.sh" /etc/crontab
+AddRules "*/1 * * * * root /usr/share/msec/promisc_check.sh" /etc/crontab
echo "Adding \"diff\" & \"global\" security check in crontab (scheduled every midnight) :"
-AddRules "0 0 * * * root /etc/security/msec/cron-sh/security.sh" /etc/crontab
+AddRules "0 0 * * * root /usr/share/msec/security.sh" /etc/crontab
###################################################
@@ -83,7 +86,7 @@ IFS=" export SECURE_LEVEL=5
echo -n "Disabling all service, except : {"
for service in `chkconfig --list | awk '{print $1}'`; do
- if grep -qx ${service} /etc/security/msec/init-sh/server.5; then
+ if grep -qx ${service} /etc/security/msec/server.5; then
echo -n " ${service}"
fi
done
diff --git a/init-sh/lib.sh b/init-sh/lib.sh
index 920996f..7f55c7c 100644
--- a/init-sh/lib.sh
+++ b/init-sh/lib.sh
@@ -197,7 +197,7 @@ groupadd audio >& /dev/null groupadd xgrp >& /dev/null usermod -G xgrp xfs
-/etc/security/msec/init-sh/grpuser.sh --clean
+/usr/share/msec/grpuser.sh --clean
echo
diff --git a/init-sh/init.sh b/init-sh/msec
index a748541..ee69564 100755
--- a/init-sh/init.sh
+++ b/init-sh/msec
@@ -8,14 +8,14 @@ fi
if [[ ${1} == custom ]]; then
- /etc/security/msec/init-sh/custom.sh
+ /usr/share/msec/custom.sh
exit 0;
fi
-if [[ -f /etc/security/msec/init-sh/level$1.sh ]]; then
- /etc/security/msec/init-sh/level$1.sh
- if [[ -f /etc/security/msec/init-sh/perm.$1 ]]; then
- /etc/security/msec/init-sh/file_perm.sh /etc/security/msec/init-sh/perm.$1
+if [[ -f /usr/share/msec/level$1.sh ]]; then
+ /usr/share/msec/level$1.sh
+ if [[ -f /usr/share/msec/perm.$1 ]]; then
+ /usr/share/msec/file_perm.sh /usr/share/msec/perm.$1
else
echo "Couldn't find the default permissions for level $1."
fi |
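Review bot: The new `if [[ -f /usr/share/msec/perm.$1 ]]` test looks for the permission profile under /usr/share/msec, but this commit's Makefile installs `conf/perm.*` together with `conf/server.*` into `$(RPM_BUILD_ROOT)/etc/security/msec`, and custom.sh, level4.sh and level5.sh read server.N from /etc/security/msec; as written the default permissions are never applied and every run ends with "Couldn't find the default permissions for level $1." The two lines should read `if [[ -f /etc/security/msec/perm.$1 ]]; then` / `/usr/share/msec/file_perm.sh /etc/security/msec/perm.$1`. Since `$1` is spliced into a path that is then executed as root, quoting it (`"$1"`) and accepting only the level values the package ships (0–5, per the perm.* and level*.sh files in the diffstat) before this point would be a cheap safeguard; whatever argument validation precedes line 8 is outside the hunk.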