-rw-r--r-- | Makefile | 6 | ||||
-rwxr-xr-x | cron-sh/diff_check.sh | 43 | ||||
-rwxr-xr-x | cron-sh/promisc_check.sh | 4 | ||||
-rwxr-xr-x | cron-sh/security_check.sh | 50 | ||||
-rwxr-xr-x | init-sh/custom.sh | 38 | ||||
-rwxr-xr-x | init-sh/file_perm.sh | 6 | ||||
-rwxr-xr-x | init-sh/grpuser | 20 | ||||
-rwxr-xr-x | init-sh/init.sh | 8 | ||||
-rwxr-xr-x | init-sh/level0.sh | 14 | ||||
-rwxr-xr-x | init-sh/level1.sh | 16 | ||||
-rwxr-xr-x | init-sh/level2.sh | 15 | ||||
-rwxr-xr-x | init-sh/level3.sh | 2 | ||||
-rwxr-xr-x | init-sh/level4.sh | 2 | ||||
-rwxr-xr-x | init-sh/level5.sh | 2 | ||||
-rw-r--r-- | init-sh/lib.sh | 28 |
15 files changed, 132 insertions, 122 deletions
@@ -18,7 +18,7 @@ rpm_install: all
 	cp init-sh/lib.sh $(RPM_BUILD_ROOT)/etc/security/msec/init-sh
 	cp init-sh/init.sh $(RPM_BUILD_ROOT)/etc/security/msec
 	cp init-sh/file_perm.sh $(RPM_BUILD_ROOT)/etc/security/msec/init-sh
-	cp init-sh/perm.[1-5] $(RPM_BUILD_ROOT)/etc/security/msec/init-sh
+	cp init-sh/perm.[0-5] $(RPM_BUILD_ROOT)/etc/security/msec/init-sh
 	cp init-sh/server.* $(RPM_BUILD_ROOT)/etc/security/msec/init-sh
 	cp init-sh/grpuser $(RPM_BUILD_ROOT)/etc/security/msec/init-sh
 	cp init-sh/custom.sh $(RPM_BUILD_ROOT)/etc/security/msec/init-sh
@@ -45,7 +45,7 @@ install:
 	(cp init-sh/lib.sh /etc/security/msec/init-sh);
 	(cp init-sh/grpuser /etc/security/msec/init-sh);
 	(cp init-sh/file_perm.sh /etc/security/msec/init-sh);
-	(cp init-sh/*.[1-5] /etc/security/msec/init-sh/)
+	(cp init-sh/*.[0-5] /etc/security/msec/init-sh/)
 	(cp init-sh/custom.sh /etc/security/msec/init-sh);
 	(cp init-sh/server.* /etc/security/msec/init-sh)
 	(touch /etc/security/msec/security.conf)
@@ -62,4 +62,4 @@ install:
 	@echo
 	@echo "To switch between runlevel, just launch init.sh ( in init-sh dir )"
 	@echo
-	@echo
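Review bot: The `install` target now copies `init-sh/*.[0-5]` while `rpm_install` copies `init-sh/perm.[0-5]`; the wider glob also matches `server.4` (referenced from custom.sh in this same commit), which the following `server.*` line copies again, so the two install paths no longer ship files by the same rule. Using `(cp init-sh/perm.[0-5] /etc/security/msec/init-sh/)` in `install` keeps both targets aligned on the set of permission files. The `install` recipe continues past the hunk.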
\ No newline at end of file + @echo diff --git a/cron-sh/diff_check.sh b/cron-sh/diff_check.sh index 3c08858..048525d 100755 --- a/cron-sh/diff_check.sh +++ b/cron-sh/diff_check.sh @@ -3,14 +3,14 @@ # Written by Vandoorselaere Yoann, <yoann@mandrakesoft.com> # -if [ -f /etc/security/msec/security.conf ]; then +if [[ -f /etc/security/msec/security.conf ]]; then . /etc/security/msec/security.conf else echo "/etc/security/msec/security.conf don't exist." exit 1 fi -if [ "${CHECK_SECURITY}" == "no" ]; then +if [[ ${CHECK_SECURITY} == no ]; then exit 0 fi @@ -45,7 +45,7 @@ UNOWNED_DIFF="/var/log/security/unowned.diff" SECURITY_LOG="/var/log/security.log" TMP="/tmp/secure.tmp" -if [ ! -d /var/log/security ]; then +if [[ ! -d /var/log/security ]]; then mkdir /var/log/security fi @@ -78,14 +78,14 @@ Ttylog() { ### New Suid root files detection if [[ ${CHECK_SUID_ROOT} == yes ]]; then - if [ -f ${SUID_ROOT_TODAY} ]; then + if [[ -f ${SUID_ROOT_TODAY} ]]; then mv ${SUID_ROOT_TODAY} ${SUID_ROOT_YESTERDAY} fi find ${DIR} -xdev -type f -perm +04000 -user root \ -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" | sort > ${SUID_ROOT_TODAY} - if [ -f ${SUID_ROOT_YESTERDAY} ]; then + if [[ -f ${SUID_ROOT_YESTERDAY} ]]; then if ! diff -u ${SUID_ROOT_YESTERDAY} ${SUID_ROOT_TODAY} > ${SUID_ROOT_DIFF}; then printf "\nSecurity Warning: Change in Suid Root files found :\n" >> ${TMP} grep '^+' ${SUID_ROOT_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do 
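Review bot: The rewritten guard `if [[ ${CHECK_SECURITY} == no ]; then` closes `[[` with a single `]`, which bash rejects as a syntax error, so diff_check.sh aborts before any of its checks run; the line should read `if [[ ${CHECK_SECURITY} == no ]]; then`. The same slip is in the custom.sh hunk at `@@ -155,7` (`if [[ ${answer} == yes ]; then`). Since these scripts are driven from cron and from the interactive level setup, the breakage only surfaces as a cron error mail or an aborted configuration run, so a `bash -n` pass over the touched scripts before committing would have caught both.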
@@ -99,15 +99,16 @@ if [[ ${CHECK_SUID_ROOT} == yes ]]; then fi ### New Suid group files detection -if [ ${CHECK_SUID_GROUP} ]; then - if [ -f ${SUID_GROUP_TODAY} ]; then +if [[ ${CHECK_SUID_GROUP} == yes ]]; then + + if [[ -f ${SUID_GROUP_TODAY} ]]; then mv ${SUID_GROUP_TODAY} ${SUID_GROUP_YESTERDAY} fi find ${DIR} -xdev -type f -perm +02000 \ -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" | sort > ${SUID_GROUP_TODAY} - if [ -f ${SUID_GROUP_YESTERDAY} ]; then + if [[ -f ${SUID_GROUP_YESTERDAY} ]]; then if ! diff -u ${SUID_GROUP_YESTERDAY} ${SUID_GROUP_TODAY} > ${SUID_GROUP_DIFF}; then printf "\nSecurity Warning: Changes in Suid Group files found :\n" >> ${TMP} grep '^+' ${SUID_GROUP_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do @@ -123,13 +124,13 @@ fi ### Writable files detection if [[ ${CHECK_WRITEABLE} == yes ]]; then - if [ -f ${WRITEABLE_TODAY} ]; then + if [[ -f ${WRITEABLE_TODAY} ]]; then mv -f ${WRITEABLE_TODAY} ${WRITEABLE_YESTERDAY} fi find ${DIR} -xdev -type f -perm -2 -ls -print | sort > ${WRITEABLE_TODAY} - if [ -f ${WRITEABLE_YESTERDAY} ]; then + if [[ -f ${WRITEABLE_YESTERDAY} ]]; then if ! diff -u ${WRITEABLE_YESTERDAY} ${WRITEABLE_TODAY} > ${WRITEABLE_DIFF}; then printf "\nSecurity Warning: Change in World Writeable Files found :\n" >> ${TMP} grep '^+' ${WRITEABLE_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do 
@@ -145,13 +146,13 @@ fi ### Search Non Owned files if [[ ${CHECK_UNOWNED} == yes ]]; then - if [ -f ${UNOWNED_TODAY} ]; then + if [[ -f ${UNOWNED_TODAY} ]]; then mv -f ${UNOWNED_TODAY} ${UNOWNED_YESTERDAY} fi find ${DIR} -xdev -nouser -print -ls | sort > ${UNOWNED_TODAY} - if [ -f ${UNOWNED_YESTERDAY} ]; then + if [[ -f ${UNOWNED_YESTERDAY} ]]; then if ! diff -u ${UNOWNED_YESTERDAY} ${UNOWNED_TODAY} > ${UNOWNED_DIFF}; then printf "\nSecurity Warning: the following files aren't owned by an user :\n" >> ${TMP} grep '^+' ${UNOWNED_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do @@ -165,7 +166,7 @@ if [[ ${CHECK_UNOWNED} == yes ]]; then find ${DIR} -xdev -nogroup -print -ls | sort >> ${UNOWNED_TODAY} - if [ -f ${UNOWNED_YESTERDAY} ]; then + if [[ -f ${UNOWNED_YESTERDAY} ]]; then if ! diff -u ${UNOWNED_YESTERDAY} ${UNOWNED_TODAY} > ${UNOWNED_DIFF}; then printf "\nSecurity Warning: the following files aren't owned by a group :\n" >> ${TMP} grep '^+' ${UNOWNED_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do @@ -179,8 +180,9 @@ if [[ ${CHECK_UNOWNED} == yes ]]; then fi ### Md5 check for SUID root file -if [[ ${CHECK_SUID_MD5} == yes ]]; then - if [ -f ${SUID_MD5_TODAY} ]; then +if [[ ${CHECK_SUID_MD5} == yes ]]; then + + if [[ -f ${SUID_MD5_TODAY} ]]; then mv ${SUID_MD5_TODAY} ${SUID_MD5_YESTERDAY} fi @@ -190,7 +192,7 @@ if [[ ${CHECK_SUID_MD5} == yes ]]; then md5sum ${line} >> ${SUID_MD5_TODAY} done - if [ -f ${SUID_MD5_YESTERDAY} ]; then + if [[ -f ${SUID_MD5_YESTERDAY} ]]; then if ! diff -u ${SUID_MD5_YESTERDAY} ${SUID_MD5_TODAY} > ${SUID_MD5_DIFF}; then printf "\nSecurity Warning: the md5 checksum for one of your SUID files has changed,\n" >> ${TMP} printf "\tmaybe an intruder modified one of these suid binary in order to put in a backdoor...\n" >> ${TMP} 
@@ -206,13 +208,14 @@ fi ### Changed open port if [[ ${CHECK_OPEN_PORT} == yes ]]; then - if [ -f ${OPEN_PORT_TODAY} ]; then + + if [[ -f ${OPEN_PORT_TODAY} ]]; then mv -f ${OPEN_PORT_TODAY} ${OPEN_PORT_YESTERDAY} fi netstat -pvlA inet > ${OPEN_PORT_TODAY}; - if [ -f ${OPEN_PORT_YESTERDAY} ]; then + if [[ -f ${OPEN_PORT_YESTERDAY} ]]; then if ! diff -u ${OPEN_PORT_YESTERDAY} ${OPEN_PORT_TODAY} 1> ${OPEN_PORT_DIFF}; then printf "\nSecurity Warning: There is a new port listening on your machine :\n" >> ${TMP} grep '^+' ${OPEN_PORT_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do @@ -226,7 +229,7 @@ if [[ ${CHECK_OPEN_PORT} == yes ]]; then fi ######## Report ###### -if [ -s ${TMP} ]; then +if [[ -s ${TMP} ]]; then Syslog ${TMP} Ttylog ${TMP} date=`date` @@ -234,6 +237,6 @@ if [ -s ${TMP} ]; then cat ${TMP} >> ${SECURITY_LOG} fi -if [ -f ${TMP} ]; then +if [[ -f ${TMP} ]]; then rm -f ${TMP} fi diff --git a/cron-sh/promisc_check.sh b/cron-sh/promisc_check.sh index a2bdaa4..cabf0a8 100755 --- a/cron-sh/promisc_check.sh +++ b/cron-sh/promisc_check.sh @@ -3,7 +3,7 @@ # Writen by Vandoorselaere Yoann, # <yoann@mandrakesoft.com> -if [ -f /etc/security/msec/security.conf ]; then +if [[ -f /etc/security/msec/security.conf ]]; then . /etc/security/msec/security.conf else echo "/etc/security/msec/security.conf don't exist." @@ -46,7 +46,7 @@ LogPromisc() { } -if [ -f /etc/security/msec/security.conf ]; then +if [[ -f /etc/security/msec/security.conf ]]; then . /etc/security/msec/security.conf else exit 1 diff --git a/cron-sh/security_check.sh b/cron-sh/security_check.sh index 844cd9d..6686dd3 100755 --- a/cron-sh/security_check.sh +++ b/cron-sh/security_check.sh @@ -4,7 +4,7 @@ # Written by Vandoorselaere Yoann, <yoann@mandrakesoft.com> # -if [ -f /etc/security/msec/security.conf ]; then +if [[ -f /etc/security/msec/security.conf ]]; then . /etc/security/msec/security.conf else echo "/etc/security/msec/security.conf don't exist." 
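Review bot: In promisc_check.sh the block at `@@ -46,7` re-sources `/etc/security/msec/security.conf`, which the hunk at `@@ -3,7` already loaded and whose absence already makes the script exit 1, so the second `if [[ -f … ]]` only repeats the work and its `else exit 1` branch is effectively unreachable. Dropping the second block, or replacing it with `# security.conf already sourced above`, leaves one place where the configuration is read.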
@@ -19,7 +19,7 @@ SECURITY="/tmp/secure.log" SECURITY_LOG="/var/log/security.log" TMP="/tmp/secure.tmp" -if [ ! -d /var/log/security ]; then +if [[ ! -d /var/log/security ]]; then mkdir /var/log/security fi @@ -49,7 +49,7 @@ Ttylog() { if [[ ${CHECK_WRITEABLE} == yes ]]; then find ${DIR} -xdev -type f -perm -2 -ls -print | awk '{print $11}' | sort > ${TMP} - if [ -s ${TMP} ]; then + if [[ -s ${TMP} ]]; then printf "\nSecurity Warning: World Writeable Files found :\n" >> ${SECURITY} cat ${TMP} >> ${SECURITY} fi @@ -58,7 +58,7 @@ fi ### Search Un Owned file if [[ ${CHECK_UNOWNED} == yes ]]; then find ${DIR} -xdev -nouser -print -ls | awk '{print $11}' | sort > ${TMP} - if [ -s ${TMP} ]; then + if [[ -s ${TMP} ]]; then printf "\nSecurity Warning : the following file aren't owned by any user :\n" >> ${SECURITY} printf "\ttheses files now have user \"nobody\" as their owner." >> ${SECURE_LOG} cat ${TMP} >> ${SECURITY} @@ -66,7 +66,7 @@ if [[ ${CHECK_UNOWNED} == yes ]]; then fi find $DIR -xdev -nogroup -print -ls | awk '{print $11}' | sort > ${TMP} - if [ -s ${TMP} ]; then + if [[ -s ${TMP} ]]; then printf "\nSecurity Warning : the following file aren't owned by any group :\n" >> ${SECURITY} printf "\ttheses files now have group \"nogroup\" as their group owner." >> ${SECURITY} cat ${TMP} >> ${SECURITY} @@ -81,7 +81,7 @@ awk -F: '/^[^+-]/ { print $1 " " $3 " " $6 }' /etc/passwd | while read username uid homedir; do for f in ${list} ; do file="${homedir}/${f}" - if [ -f ${file} ] ; then + if [[ -f ${file} ]] ; then printf "${uid} ${username} ${file} `ls -ldcgn ${file}`\n" fi done @@ -96,7 +96,7 @@ done | awk '$1 != $6 && $6 != "0" \ $4 ~ /^-.......w/ \ { print "\t\t- " $3 " : file is other writeable." }' > ${TMP} -if [ -s ${TMP} ]; then +if [[ -s ${TMP} ]]; then printf "\nSecurity Warning: these files shouldn't be owned by someone else or readable :\n" >> ${SECURITY} cat ${TMP} >> ${SECURITY} fi 
@@ -110,7 +110,7 @@ awk -F: '/^[^+-]/ { print $1 " " $3 " " $6 }' /etc/passwd | \ while read username uid homedir; do for f in ${list} ; do file=${homedir}/${f} - if [ -f ${file} ] ; then + if [[ -f ${file} ]] ; then printf "${uid} ${username} ${file} `ls -ldcgn ${file}`\n" fi done @@ -121,7 +121,7 @@ done | awk '$1 != $6 && $6 != "0" \ $4 ~ /^-.......w/ \ { print "\t\t- " $3 " : file is other writeable." }' > ${TMP} -if [ -s ${TMP} ]; then +if [[ -s ${TMP} ]]; then printf "\nSecurity Warning: theses files should not be owned by someone else or writeable :\n" >> ${SECURITY} cat ${TMP} >> ${SECURITY} fi @@ -129,7 +129,7 @@ fi ### Check home directories. Directories should not be owned by someone else or writeable. awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \ while read uid homedir; do - if [ -d ${homedir}/ ] ; then + if [[ -d ${homedir} ]] ; then file=`ls -ldg ${homedir}` printf "$uid $file\n" fi @@ -140,7 +140,7 @@ done | awk '$1 != $4 && $4 != "root" \ $2 ~ /^-.......w/ \ { print "user=" $1 " : home directory is other writeable." }' > ${TMP} -if [ -s $TMP ] ; then +if [[ -s $TMP ]] ; then printf "\nSecurity Warning: these home directory should not be owned by someone else or writeable :\n" >> ${SECURITY} cat ${TMP} >> ${SECURITY} fi @@ -155,7 +155,7 @@ if [[ ${CHECK_PASSWD} == yes ]]; then printf("\t\t- /etc/passwd:%d: User \"%s\" has a real password (it is not shadowed).\n", FNR, $1); }' < /etc/passwd > ${TMP} - if [ -s ${TMP} ]; then + if [[ -s ${TMP} ]]; then printf "\nSecurity Warning: /etc/passwd check :\n" >> ${SECURITY} cat ${TMP} >> ${SECURITY} fi 
@@ -168,14 +168,14 @@ if [[ ${CHECK_SHADOW} == yes ]]; then printf("\t\t- /etc/shadow:%d: User \"%s\" has no password !\n", FNR, $1); }' < /etc/shadow > ${TMP} - if [ -s ${TMP} ]; then + if [[ -s ${TMP} ]]; then printf "\nSecurity Warning: /etc/shadow check :\n" >> ${SECURITY} cat ${TMP} >> ${SECURITY} fi fi ### File systems should not be globally exported. -if [ -s /etc/exports ] ; then +if [[ -s /etc/exports ]] ; then awk '{ if (($1 ~ /^#/) || ($1 ~ /^$/)) next; readonly = 0; @@ -190,7 +190,7 @@ if [ -s /etc/exports ] ; then } else print "\t\t- Nfs File system " $1 " globally exported, read-write."; }' < /etc/exports > ${TMP} - if [ -s ${TMP} ] ; then + if [[ -s ${TMP} ]] ; then printf "\nSecurity Warning: Some NFS filesystem are exported globally :\n" >> ${SECURITY} cat ${TMP} >> ${SECURITY} fi @@ -198,7 +198,7 @@ fi ### nfs mounts with missing nosuid /bin/mount | /bin/grep -v nosuid | /bin/grep ' nfs ' > ${TMP} -if [ -s ${TMP} ] ; then +if [[ -s ${TMP} ]] ; then printf "\nSecurity Warning: The following NFS mounts haven't got the nosuid option set :\n" >> ${SECURITY} cat ${TMP} >> ${SECURITY} fi @@ -206,7 +206,7 @@ fi ### Files that should not have + signs. list="/etc/hosts.equiv /etc/shosts.equiv /etc/hosts.lpd" for file in $list ; do - if [ -s ${file} ] ; then + if [[ -s ${file} ]] ; then awk '{ if ($0 ~ /^\+@.*$/) next; @@ -219,7 +219,7 @@ done > ${TMP} awk -F: '{print $1" "$6}' /etc/passwd | while read username homedir; do for file in .rhosts .shosts; do - if [ -s ${homedir}/${file} ] ; then + if [[ -s ${homedir}/${file} ]] ; then awk '{ if ($0 ~ /^\+@.*$/) next; @@ -230,7 +230,7 @@ awk -F: '{print $1" "$6}' /etc/passwd | done >> ${TMP} done -if [ -s ${TMP} ]; then +if [[ -s ${TMP} ]]; then printf "\nSecurity Warning: '+' character found in hosts trusting files,\n" >> ${SECURITY} printf "\tthis probably mean that you trust certains users/domain\n" >> ${SECURITY} printf "\tto connect on this host without proper authentication :\n" >> ${SECURITY} 
@@ -240,13 +240,13 @@ fi ### executables should not be in the aliases file. list="/etc/aliases /etc/postfix/aliases" for file in ${list}; do - if [ -s ${file} ]; then + if [[ -s ${file} ]]; then grep -v '^#' /etc/aliases | grep '|' | while read line; do printf "\t\t- ${line}\n" done > ${TMP} fi - if [ -s ${TMP} ]; then + if [[ -s ${TMP} ]]; then printf "\nSecurity Warning: The following programs are executed in your mail\n" >> ${SECURITY} printf "\tvia ${file} files, this could lead to security problems :\n" >> ${SECURITY} cat ${TMP} >> ${SECURITY} @@ -257,14 +257,14 @@ done if [[ ${CHECK_OPEN_PORT} == yes ]]; then netstat -pvlA inet > ${TMP}; - if [ -s ${TMP} ]; then + if [[ -s ${TMP} ]]; then printf "\nThese are the ports listening on your machine :\n" >> ${SECURITY} cat ${TMP} >> ${SECURITY} fi fi ### Report -if [ -s ${SECURITY} ]; then +if [[ -s ${SECURITY} ]]; then Syslog ${SECURITY} Ttylog ${SECURITY} date=`date` @@ -272,11 +272,11 @@ if [ -s ${SECURITY} ]; then cat ${SECURITY} >> ${SECURITY_LOG} fi -if [ -f ${SECURITY} ]; then +if [[ -f ${SECURITY} ]]; then rm -f ${SECURITY} fi -if [ -f ${TMP} ]; then +if [[ -f ${TMP} ]]; then rm -f ${TMP} fi diff --git a/init-sh/custom.sh b/init-sh/custom.sh index c6963a9..46ba9af 100755 --- a/init-sh/custom.sh +++ b/init-sh/custom.sh @@ -5,7 +5,7 @@ # Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> # -if [ -f /etc/security/msec/init-sh/lib.sh ]; then +if [[ -f /etc/security/msec/init-sh/lib.sh ]]; then . /etc/security/msec/init-sh/lib.sh fi 
@@ -15,24 +15,24 @@ clear ### echo "Do you want your log file to be in append mode only ?" WaitAnswer; clear -if [ ${answer} == "yes" ]; then +if [[ ${answer} == yes ]]; then find /var/log/ -type f -exec chattr +a {} \; fi ### echo "Do you want all system events to be logged on tty12 ?" WaitAnswer; clear -if [ ${answer} == "yes" ]; then +if [[ ${answer} == yes ]]; then AddRules "*.* /dev/tty12" /etc/syslog.conf fi ### echo "Do you want to deny any machine to connect to yours ?" WaitAnswer -if [ ${answer} == "yes" ]; then +if [[ ${answer} == yes ]]; then echo "Do you want only localhost to be allowed ?" WaitAnswer; clear - if [ "${answer}" == "yes" ]; then + if [[ ${answer} == yes ]]; then AddRules "ALL:ALL EXCEPT localhost:DENY" /etc/hosts.deny else AddRules "ALL:ALL:DENY" /etc/hosts.deny @@ -42,7 +42,7 @@ fi ### echo "Do you want root console login to be allowed ?" WaitAnswer; clear -if [ ${answer} == "yes" ]; then +if [[ ${answer} == yes ]]; then AddRules "tty1" /etc/securetty quiet AddRules "tty2" /etc/securetty quiet AddRules "tty3" /etc/securetty quiet @@ -53,7 +53,7 @@ fi ### echo "Do you want your system to daily check important security problem ?" WaitAnswer; clear -if [ ${answer} == "yes" ]; then +if [[ ${answer} == yes ]]; then AddRules "CHECK_SECURITY=yes" /etc/security/msec/security.conf AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/security_check.sh" /etc/crontab fi @@ -61,7 +61,7 @@ fi ### echo "Do you want your system to daily check new open port listening ?" WaitAnswer; clear -if [ ${answer} == "yes" ]; then +if [[ ${answer} == yes ]]; then AddRules "CHECK_OPEN_PORT=yes" /etc/security/msec/security.conf AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/security_check.sh" /etc/crontab AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/diff_check.sh" /etc/crontab 
@@ -70,7 +70,7 @@ fi ### echo "Do you want your system to check for grave permission problem on senssibles files ?" WaitAnswer; clear -if [ ${answer} == "yes" ]; then +if [[ ${answer} == yes ]]; then AddRules "CHECK_PERMS=yes" /etc/security/msec/security.conf AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/security_check.sh" /etc/crontab fi @@ -78,7 +78,7 @@ fi ### echo "Do you want your system to daily check SUID Root file change ?" WaitAnswer; clear -if [ ${answer} == "yes" ]; then +if [[ ${answer} == yes ]]; then AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/diff_check.sh" /etc/crontab fi @@ -86,7 +86,7 @@ fi ### echo "Do you want your system to daily check suid files md5 checksum changes ?" WaitAnswer; clear -if [ ${answer} == "yes" ]; then +if [[ ${answer} == yes ]]; then AddRules "CHECK_SUID_MD5=yes" /etc/security/msec/security.conf AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/diff_check.sh" /etc/crontab fi @@ -94,7 +94,7 @@ fi ### echo "Do you want your system to daily check SUID Group file change ?" WaitAnswer; clear -if [ ${answer} == "yes" ]; then +if [[ ${answer} == yes ]]; then AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/diff_check.sh" /etc/crontab fi @@ -102,7 +102,7 @@ fi ### echo "Do you want your system to daily check Writeable file change ?" WaitAnswer; clear -if [ ${answer} == "yes" ]; then +if [[ ${answer} == yes ]]; then AddRules "CHECK_WRITEABLE=yes" /etc/security/msec/security.conf AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/diff_check.sh" /etc/crontab fi 
@@ -110,7 +110,7 @@ fi ### echo "Do you want your system to daily check Unowned file change ?" WaitAnswer; clear -if [ ${answer} == "yes" ]; then +if [[ ${answer} == yes ]]; then AddRules "CHECK_UNOWNED=yes" /etc/security/msec/security.conf AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/diff_check.sh" /etc/crontab fi @@ -119,7 +119,7 @@ fi echo "Do you want your system to verify every minutes if a network interface" echo "is in promiscuous state (which mean someone is probably running a sniffer on your machine ) ?" WaitAnswer; clear -if [ ${answer} == "yes" ]; then +if [[ ${answer} == yes ]]; then AddRules "CHECK_PROMISC=yes" /etc/security/msec/security.conf AddRules "*/1 * * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/promisc_check.sh" /etc/crontab fi @@ -132,7 +132,7 @@ LiloUpdate; echo "Do you want to disable your running server ( except important one )" echo "This is only valuable for server installed with rpm." WaitAnswer; clear -if [ ${answer} == "yes" ]; then +if [[ ${answer} == yes ]]; then echo -n "Disabling all service, except : {" chkconfig --list | awk '{print $1}' | while read service; do if grep -qx ${service} /etc/security/msec/init-sh/server.4; then @@ -155,7 +155,7 @@ echo "Do you want to disallow rpm to automatically enable a new installed server echo "yes = you will need to chkconfig (--add ) servername for the server to run on boot." echo "no = rpm will do it for you, but you have less control of what is running on your machine." WaitAnswer; clear -if [ "${answer}" == "yes" ]; then +if [[ ${answer} == yes ]; then export SECURE_LEVEL="4" AddRules "SECURE_LEVEL=\"4\"" /etc/profile else @@ -182,7 +182,7 @@ case "${answer}" in AddRules "umask 022" /etc/profile ;; "restricted") - AddRules "if [ \${UID} == 0 ]; then umask 022; else umask 077; fi" /etc/profile + AddRules "if [[ \${UID} == 0 ]]; then umask 022; else umask 077; fi" /etc/profile ;; "paranoid") AddRules "umask 077" /etc/profile 
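Review bot: `AddRules "if [[ \${UID} == 0 ]]; then umask 022; else umask 077; fi" /etc/profile` writes a bash-only conditional into /etc/profile, which every Bourne-compatible login shell reads; under a non-bash /bin/sh, or for a user whose login shell is not bash, that line is a syntax error and the restrictive umask is never applied, so the "restricted" choice fails open. `$UID` is likewise a bash variable rather than a POSIX one, so the old `[ ]` form had the same dependency. A portable spelling is `AddRules "if [ \"\$(id -u)\" -eq 0 ]; then umask 022; else umask 077; fi" /etc/profile`, which behaves identically under bash.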
@@ -194,7 +194,7 @@ echo "Do you want a "." in your PATH variable ?" echo "This permit you to not use ./progname & to just type progname" echo "However this is a *high* security risk." WaitAnswer; clear -if [ ${answer} == "yes" ]; then +if [[ ${answer} == yes ]]; then AddRules "PATH=\$PATH:/usr/X11R6/bin:/usr/games:." /etc/profile else AddRules "PATH=\$PATH:/usr/X11R6/bin:/usr/games" /etc/profile diff --git a/init-sh/file_perm.sh b/init-sh/file_perm.sh index 0e13e9c..a74a08d 100755 --- a/init-sh/file_perm.sh +++ b/init-sh/file_perm.sh @@ -1,6 +1,6 @@ #!/bin/bash -if [ ! -s $1 ]; then +if [[ ! -s $1 ]]; then echo "I need a msec permfile in argument". exit 1 fi @@ -8,8 +8,8 @@ fi echo -n "Setting files permissions : " grep -v "^#" $1 | while read file owner perm; do - if [ -a "${file}" ]; then - if [ ${owner} != "current" ]; then + if [[ -a ${file} ]]; then + if [[ ${owner} != current ]]; then chown ${owner} ${file} fi chmod ${perm} ${file} diff --git a/init-sh/grpuser b/init-sh/grpuser index 408e384..fb2ad25 100755 --- a/init-sh/grpuser +++ b/init-sh/grpuser @@ -33,7 +33,7 @@ RemoveUserFromGroup() { } AppendUserToGroup() { - if [ -z "${group_users}" ]; then + if [[ -z ${group_users} ]]; then new_group_line=${group_line}${user_name} else new_group_line=${group_line}",${user_name}" @@ -41,7 +41,7 @@ AppendUserToGroup() { } IsUserAlreadyInGroup() { - if echo "${group_users}" | grep -qw "${user_name}"; then + if echo ${group_users} | grep -qw "${user_name}"; then return 1 fi @@ -66,7 +66,7 @@ IsGroupExisting() { IsUserExisting() { grep -qn "^${user_name}:" /etc/passwd - if [ $? == 0 ]; then + if [[ $? == 0 ]]; then return 0; fi 
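Review bot: In file_perm.sh, `if [[ -a ${file} ]]; then` uses `-a`, the obsolete unary synonym bash keeps only for compatibility and which is easily misread as the binary "and"; `if [[ -e ${file} ]]; then` says the same thing unambiguously. Because this loop runs chown and chmod as root on paths read from the permfile, the two calls that follow should also quote their arguments (`chown "${owner}" "${file}"`, `chmod "${perm}" "${file}"`) so an entry containing whitespace or a glob character cannot be split into a different path than the one listed. The loop body continues past the hunk.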
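Review bot: In the grpuser hunk at `@@ -41,7`, `if echo ${group_users} | grep -qw "${user_name}"; then` drops the quotes the old line had around `${group_users}`; unlike inside `[[ ]]`, an unquoted argument to echo is still subject to word splitting and pathname expansion, so the quoting should stay: `if echo "${group_users}" | grep -qw "${user_name}"; then`. The `[[ ]]` conversion elsewhere in the file does not require this change.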
@@ -75,20 +75,20 @@ IsUserExisting() { Add() { IsGroupExisting; - if [ $? == 0 ]; then + if [[ $? == 0 ]]; then echo "Sorry, group \"${group_name}\" does not exist." echo "Please create it using the \"groupadd\" command." exit 1 fi IsUserExisting; - if [ $? == 1 ]; then + if [[ $? == 1 ]]; then echo "Sorry, user \"${user_name}\" does not exist." exit 1 fi IsUserAlreadyInGroup; - if [ $? == 1 ]; then + if [[ $? == 1 ]]; then echo "Sorry, user \"${user_name}\" is already in group \"${group_name}\"." exit 1 fi @@ -101,13 +101,13 @@ Add() { Del() { IsGroupExisting; - if [ $? == 0 ]; then + if [[ $? == 0 ]]; then echo "Sorry, group \"${group_name}\" does not exist." exit 1 fi IsUserAlreadyInGroup; - if [ $? == 0 ]; then + if [[ $? == 0 ]]; then echo "Sorry, user \"${user_name}\" is not in group \"${group_name}\"." exit 1 fi @@ -119,13 +119,13 @@ Del() { } Perm() { - if [ ! -w /etc/${file} ]; then + if [[ ! -w /etc/${file} ]]; then echo "You're not allowed to write to /etc/group..." exit 1 fi } -if [ $# == 3 ]; then +if [[ $# == 3 ]]; then case $1 in "--add") Perm; diff --git a/init-sh/init.sh b/init-sh/init.sh index 361eb1e..82d3964 100755 --- a/init-sh/init.sh +++ b/init-sh/init.sh @@ -1,20 +1,20 @@ #!/bin/sh -if [ -z $1 ]; then +if [[ -z $1 ]]; then echo "Usage : $0 [0-5]" echo "Usage : $0 \"custom\"" exit 1 fi -if [ "${1}" == "custom" ]; then +if [[ ${1} == custom ]]; then /etc/security/msec/init-sh/custom.sh exit 0; fi -if [ -f /etc/security/msec/init-sh/level$1.sh ]; then +if [[ -f /etc/security/msec/init-sh/level$1.sh ]]; then /etc/security/msec/init-sh/level$1.sh - if [ -f /etc/security/msec/init-sh/perm.$1 ]; then + if [[ -f /etc/security/msec/init-sh/perm.$1 ]]; then /etc/security/msec/init-sh/file_perm.sh /etc/security/msec/init-sh/perm.$1 else echo "Couldn't find the default permissions for level $1." diff --git a/init-sh/level0.sh b/init-sh/level0.sh index 1e0a7f1..599cabe 100755 --- a/init-sh/level0.sh +++ b/init-sh/level0.sh 
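Review bot: init.sh keeps `#!/bin/sh` on its first line while the hunk converts every test to `[[ … ]]`, a bash construct; where /bin/sh is not bash the script now fails with a syntax error at the first `[[`, and since it is the entry point for selecting a security level that blocks the whole setup. file_perm.sh in this same commit already starts with `#!/bin/bash`, so the shebang here should match: `#!/bin/bash`. On the target distribution /bin/sh is presumably bash, which would hide the problem until the scripts are run elsewhere.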
@@ -5,7 +5,7 @@ # Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> # -if [ -f /etc/security/msec/init-sh/lib.sh ]; then +if [[ -f /etc/security/msec/init-sh/lib.sh ]]; then . /etc/security/msec/init-sh/lib.sh else exit 1 @@ -71,11 +71,13 @@ AddRules "/usr/X11R6/bin/xhost +" /etc/X11/xdm/Xsession quiet AddRules "/usr/X11R6/bin/xhost +" /etc/X11/xinit/xinitrc # Group -echo -n "Adding \"${DRAKX_USERS}\" to audio group :" -for user in ${DRAKX_USERS}; do - usermod -G audio "${user}" -done -echo "done." +if [[ ! -z ${DRAKX_USERS} ]]; then + echo -n "Adding \"${DRAKX_USERS}\" to audio group :" + for user in ${DRAKX_USERS}; do + usermod -G audio "${user}" + done + echo "done." +fi diff --git a/init-sh/level1.sh b/init-sh/level1.sh index 861a34c..583c547 100755 --- a/init-sh/level1.sh +++ b/init-sh/level1.sh @@ -5,7 +5,7 @@ # Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> # -if [ -f /etc/security/msec/init-sh/lib.sh ]; then +if [[ -f /etc/security/msec/init-sh/lib.sh ]]; then . /etc/security/msec/init-sh/lib.sh else exit 1 @@ -74,13 +74,13 @@ AddRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xinit/xinitrc ### # Group -echo -n "Adding \"${DRAKX_USERS}\" to audio group :" -for user in ${DRAKX_USERS}; do - usermod -G audio "${user}" -done -echo "done." - - +if [[ ! -z ${DRAKX_USERS} ]]; then + echo -n "Adding \"${DRAKX_USERS}\" to audio group :" + for user in ${DRAKX_USERS}; do + usermod -G audio "${user}" + done + echo "done." +fi diff --git a/init-sh/level2.sh b/init-sh/level2.sh index d387b13..ea5174f 100755 --- a/init-sh/level2.sh +++ b/init-sh/level2.sh @@ -5,7 +5,7 @@ # Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> # -if [ -f /etc/security/msec/init-sh/lib.sh ]; then +if [[ -f /etc/security/msec/init-sh/lib.sh ]]; then . /etc/security/msec/init-sh/lib.sh else exit 1 
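Review bot: Inside the new `[[ ! -z ${DRAKX_USERS} ]]` guard in level0.sh the loop still runs `usermod -G audio "${user}"`, and `usermod -G` sets the supplementary group list to exactly the groups named, so any other supplementary membership the user already had is dropped as a side effect of granting audio access — a privilege change this script neither reports nor reverses. lib.sh in this commit (hunk `@@ -188,14`) removes the membership with the project's own `grpuser --del audio "${user}"`, so the symmetric `/etc/security/msec/init-sh/grpuser --add audio "${user}"` would add it without touching other groups (or `usermod -a -G audio "${user}"` where the installed usermod supports `-a`). The same loop appears in the level1.sh hunk at `@@ -74,13` and the level2.sh hunk at `@@ -71,8`; `[[ -n ${DRAKX_USERS} ]]` is also the idiomatic spelling of the guard.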
@@ -71,8 +71,11 @@ AddRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xdm/Xsession quiet AddRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xinit/xinitrc # Group -echo -n "Adding \"${DRAKX_USERS}\" to audio group :" -for user in ${DRAKX_USERS}; do - usermod -G audio "${user}" -done -echo "done." +if [[ ! -z ${DRAKX_USERS} ]]; then + echo -n "Adding \"${DRAKX_USERS}\" to audio group :" + for user in ${DRAKX_USERS}; do + usermod -G audio "${user}" + done + echo "done." +fi + diff --git a/init-sh/level3.sh b/init-sh/level3.sh index 3d33690..1fc9177 100755 --- a/init-sh/level3.sh +++ b/init-sh/level3.sh @@ -5,7 +5,7 @@ # Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> # -if [ -f /etc/security/msec/init-sh/lib.sh ]; then +if [[ -f /etc/security/msec/init-sh/lib.sh ]]; then . /etc/security/msec/init-sh/lib.sh else exit 1 diff --git a/init-sh/level4.sh b/init-sh/level4.sh index a5ba70d..edc5c64 100755 --- a/init-sh/level4.sh +++ b/init-sh/level4.sh @@ -7,7 +7,7 @@ # -if [ -f /etc/security/msec/init-sh/lib.sh ]; then +if [[ -f /etc/security/msec/init-sh/lib.sh ]]; then . /etc/security/msec/init-sh/lib.sh else exit 1 diff --git a/init-sh/level5.sh b/init-sh/level5.sh index ea65199..454bbf8 100755 --- a/init-sh/level5.sh +++ b/init-sh/level5.sh @@ -5,7 +5,7 @@ # Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> # -if [ -f /etc/security/msec/init-sh/lib.sh ]; then +if [[ -f /etc/security/msec/init-sh/lib.sh ]]; then . /etc/security/msec/init-sh/lib.sh fi diff --git a/init-sh/lib.sh b/init-sh/lib.sh index 7c90b05..ec93c61 100644 --- a/init-sh/lib.sh +++ b/init-sh/lib.sh @@ -15,7 +15,7 @@ COMMENT="# Mandrake-Security : if you remove this comment, remove the next line WaitAnswer() { answer="nothing" - while [[ "${answer}" != "yes" && "${answer}" != "no" ]]; do + while [[ ${answer} != yes && ${answer} != no ]]; do echo -n "yes/no : " read answer done 
@@ -24,12 +24,13 @@ WaitAnswer() { AddRules () { string=$1 file=$2 + quiet=$3 - if [ -z "${string}" ]; then + if [[ -z ${string} ]]; then return; fi - if [ -z ${3} ]; then + if [[ -z ${quiet} ]]; then echo "Modifying config in ${file}..." fi @@ -37,7 +38,7 @@ AddRules () { echo -e "${COMMENT}" >> ${file}; echo -e "${string}" >> ${file}; fi - if [ -z ${3} ]; then + if [[ -z ${3} ]]; then echo -e "done.\n" fi } @@ -46,9 +47,10 @@ CleanRules() { file=$1 ctrl=0 - if [ ! -f ${file} ]; then + if [[ ! -f ${file} ]]; then return; fi + echo -en "\t- Cleaning msec appended line in ${file} : " mv -f ${file} /tmp/secure.tmp touch ${file} @@ -76,7 +78,7 @@ CleanRules() { CommentUserRules() { file=$1 - if [ ! -f ${file} ]; then + if [[ ! -f ${file} ]]; then return; fi @@ -111,7 +113,7 @@ Ttylog() { LiloUpdate() { - if [ ! -f /tmp/secure.DrakX ]; then + if [[ ! -f /tmp/secure.DrakX ]]; then echo "Do you want a password authentication at boot time ?" echo "Be very carefull," echo "this will prevent your server to reboot without an operator to enter password". @@ -126,7 +128,7 @@ LiloUpdate() { password=${DRAKX_PASSWORD} fi - if [ ! -z "${password}" ]; then + if [[ ! -z "${password}" ]]; then mv /etc/lilo.conf /tmp/secure.tmp while read line; do if ! echo "${line}" | grep -q "password"; then @@ -143,12 +145,12 @@ LiloUpdate() { # If we are currently installing our # system with DrakX, we don't ask anything to the user... # Instead, DrakX do it and give us a file with some variable. -if [ -f /tmp/secure.DrakX ]; then +if [[ -f /tmp/secure.DrakX ]]; then . /tmp/secure.DrakX AddRules "${DRAKX_USERS}" /etc/security/msec/security.conf fi -if [ -f /etc/security/msec/security.conf ]; then +if [[ -f /etc/security/msec/security.conf ]]; then . /etc/security/msec/security.conf fi 
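Review bot: AddRules now binds `quiet=$3`, but the trailing test in the `@@ -37,7` hunk still reads `if [[ -z ${3} ]]; then`, so the new variable is only half adopted; change it to `if [[ -z ${quiet} ]]; then`. Because lib.sh is sourced into the level scripts, `string`, `file` and now `quiet` are globals that every call overwrites — declaring them with `local` inside the function (the file already relies on bash via `[[`) avoids clobbering a caller's variable of the same name. AddRules' body continues between the two hunks.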
@@ -188,14 +190,14 @@ usermod -G xgrp xfs # We aren't at install time, # so we delete ( temporarily ) audio user. -if [ ! -f /tmp/secure.DrakX ]; then - if [ ! -z ${DRAKX_USERS} ]; then +if [[ ! -f /tmp/secure.DrakX ]]; then + if [[ ! -z ${DRAKX_USERS} ]]; then for user in ${DRAKX_USERS}; do /etc/security/msec/init-sh/grpuser --del audio "${user}" done fi else - if [ ! -z ${DRAKX_USERS} ]; then + if [[ ! -z ${DRAKX_USERS} ]]; then AddRules "${DRAKX_USERS}" /etc/security/msec/security.conf fi fi |