-rw-r--r--conf/level.secure3
-rw-r--r--conf/level.standard3
-rwxr-xr-xcron-sh/scripts/03_rpm.sh40
-rw-r--r--src/msec/config.py7
-rwxr-xr-xsrc/msec/libmsec.py8
-rw-r--r--src/msec/version.py2
6 files changed, 35 insertions, 28 deletions
diff --git a/conf/level.secure b/conf/level.secure
index eb4d14d..181917b 100644
--- a/conf/level.secure
+++ b/conf/level.secure
@@ -42,7 +42,8 @@ SHELL_TIMEOUT=600
ALLOW_REMOTE_ROOT_LOGIN=no
ENABLE_LOG_STRANGE_PACKETS=yes
USER_UMASK=077
-CHECK_RPM=yes
+CHECK_RPM_PACKAGES=yes
+CHECK_RPM_INTEGRITY=yes
ENABLE_SULOGIN=yes
ENABLE_PAM_ROOT_FROM_WHEEL=no
MAIL_WARN=yes
diff --git a/conf/level.standard b/conf/level.standard
index 3a20417..b3ded1b 100644
--- a/conf/level.standard
+++ b/conf/level.standard
@@ -42,7 +42,8 @@ SHELL_TIMEOUT=0
ALLOW_REMOTE_ROOT_LOGIN=without-password
ENABLE_LOG_STRANGE_PACKETS=yes
USER_UMASK=022
-CHECK_RPM=no
+CHECK_RPM_PACKAGES=yes
+CHECK_RPM_INTEGRITY=no
ENABLE_SULOGIN=no
ENABLE_PAM_ROOT_FROM_WHEEL=no
MAIL_WARN=yes
diff --git a/cron-sh/scripts/03_rpm.sh b/cron-sh/scripts/03_rpm.sh
index 6bd4307..ae88542 100755
--- a/cron-sh/scripts/03_rpm.sh
+++ b/cron-sh/scripts/03_rpm.sh
@@ -37,19 +37,33 @@ fi
### rpm database check
-if [[ ${CHECK_RPM} == yes ]]; then
+# list of installed packages
+if [[ ${CHECK_RPM_PACKAGES} == yes ]]; then
rpm -qa --qf "%{NAME}-%{VERSION}-%{RELEASE}\t%{INSTALLTIME}\n" | sort > ${RPM_QA_TODAY}
+ if [[ -f ${RPM_QA_YESTERDAY} ]]; then
+ diff -u ${RPM_QA_YESTERDAY} ${RPM_QA_TODAY} > ${RPM_QA_DIFF}
+ if [ -s ${RPM_QA_DIFF} ]; then
+ printf "\nSecurity Warning: These packages have changed on the system :\n" >> ${DIFF}
+ grep '^+' ${RPM_QA_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
+ printf "\t\t- Newly installed package : ${file}\n"
+ done >> ${DIFF}
+ grep '^-' ${RPM_QA_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
+ printf "\t\t- No longer present package : ${file}\n"
+ done >> ${DIFF}
+ fi
+ fi
+fi
+
+# integrity of installed packages
+if [[ ${CHECK_RPM_INTEGRITY} == yes ]]; then
rm -f ${RPM_VA_TODAY}.tmp
nice --adjustment=+19 rpm -Va --noscripts | grep '^..5' | sort > ${RPM_VA_TODAY}.tmp
grep -v '^..........c.' ${RPM_VA_TODAY}.tmp | sed 's/^............//' | sort > ${RPM_VA_TODAY}
grep '^..........c.' ${RPM_VA_TODAY}.tmp | sed 's/^............//' | sort > ${RPM_VA_CONFIG_TODAY}
rm -f ${RPM_VA_TODAY}.tmp
-fi
-
-### rpm database checks
-if [[ ${CHECK_RPM} == yes ]]; then
+ # full check
if [[ -s ${RPM_VA_TODAY} ]]; then
printf "\nSecurity Warning: These files belonging to packages are modified on the system :\n" >> ${SECURITY}
cat ${RPM_VA_TODAY} | while read f; do
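Review bot: The package-list comparison added at `if [[ -f ${RPM_QA_YESTERDAY} ]]; then` runs even when the `rpm -qa ... | sort > ${RPM_QA_TODAY}` line just above it produced an empty file, so a locked or temporarily failing rpm database would be reported as every package being "No longer present", and with CHECK_RPM_PACKAGES now defaulting to yes at the standard level (level.standard hunk) that false alarm reaches many more systems. A minimal guard is to require a non-empty list before diffing: `if [[ -f ${RPM_QA_YESTERDAY} && -s ${RPM_QA_TODAY} ]]; then`. The path variables are expanded unquoted throughout both new blocks (`${RPM_QA_DIFF}`, `${RPM_VA_TODAY}.tmp`), which is consistent with the surrounding script but worth quoting if these directories are ever made configurable. The integrity block's `if` and the trailing `while read f` loop continue past the end of this hunk.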
@@ -63,22 +77,8 @@ if [[ ${CHECK_RPM} == yes ]]; then
printf "\t\t- $f\n"
done >> ${SECURITY}
fi
-fi
-### rpm database
-if [[ ${CHECK_RPM} == yes ]]; then
- if [[ -f ${RPM_QA_YESTERDAY} ]]; then
- diff -u ${RPM_QA_YESTERDAY} ${RPM_QA_TODAY} > ${RPM_QA_DIFF}
- if [ -s ${RPM_QA_DIFF} ]; then
- printf "\nSecurity Warning: These packages have changed on the system :\n" >> ${DIFF}
- grep '^+' ${RPM_QA_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
- printf "\t\t- Newly installed package : ${file}\n"
- done >> ${DIFF}
- grep '^-' ${RPM_QA_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
- printf "\t\t- No longer present package : ${file}\n"
- done >> ${DIFF}
- fi
- fi
+ # diff check
if [[ -f ${RPM_VA_YESTERDAY} ]]; then
diff -u ${RPM_VA_YESTERDAY} ${RPM_VA_TODAY} > ${RPM_VA_DIFF}
if [ -s ${RPM_VA_DIFF} ]; then
diff --git a/src/msec/config.py b/src/msec/config.py
index 29bcedb..9760100 100644
--- a/src/msec/config.py
+++ b/src/msec/config.py
@@ -67,7 +67,8 @@ SETTINGS = {'BASE_LEVEL': ("libmsec.base_level",
'CHECK_PASSWD' : ("libmsec.check_passwd", ['yes', 'no']),
'CHECK_SHADOW' : ("libmsec.check_shadow", ['yes', 'no']),
'CHECK_CHKROOTKIT' : ("libmsec.check_chkrootkit", ['yes', 'no']),
- 'CHECK_RPM' : ("libmsec.check_rpm", ['yes', 'no']),
+ 'CHECK_RPM_PACKAGES' : ("libmsec.check_rpm_packages", ['yes', 'no']),
+ 'CHECK_RPM_INTEGRITY' : ("libmsec.check_rpm_integrity", ['yes', 'no']),
'CHECK_SHOSTS' : ("libmsec.check_shosts", ['yes', 'no']),
'CHECK_USERS' : ("libmsec.check_users", ['yes', 'no']),
'CHECK_GROUPS' : ("libmsec.check_groups", ['yes', 'no']),
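Review bot: Removing the `'CHECK_RPM'` entry from SETTINGS leaves no mapping for the old key, so an existing user configuration that explicitly set CHECK_RPM (yes or no) would, as far as this hunk shows, stop being honoured without any notice rather than being carried over to the two new keys; whether the loader warns on unknown keys is not visible here and should be checked. If the config loader supports it, an explicit alias or a one-time migration of CHECK_RPM to CHECK_RPM_PACKAGES and CHECK_RPM_INTEGRITY would preserve the operator's prior choice; otherwise a comment next to the new entries such as `# CHECK_RPM was split into CHECK_RPM_PACKAGES / CHECK_RPM_INTEGRITY in 0.60.22; old configs still carrying CHECK_RPM are no longer honoured` records the behaviour change. The same applies to the libmsec.py hunk, where `check_rpm` is removed with no compatibility stub.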
@@ -129,8 +130,8 @@ SETTINGS_NETWORK = ["ACCEPT_BOGUS_ERROR_RESPONSES", "ACCEPT_BROADCASTED_ICMP_ECH
# periodic checks
SETTINGS_PERIODIC = ["CHECK_PERMS", "CHECK_USER_FILES", "CHECK_SUID_ROOT", "CHECK_SUID_MD5", "CHECK_SGID",
"CHECK_WRITABLE", "CHECK_UNOWNED", "FIX_UNOWNED", "CHECK_PROMISC", "CHECK_OPEN_PORT", "CHECK_FIREWALL",
- "CHECK_PASSWD", "CHECK_SHADOW", "CHECK_CHKROOTKIT", "CHECK_RPM", "CHECK_SHOSTS",
- "CHECK_USERS", "CHECK_GROUPS",
+ "CHECK_PASSWD", "CHECK_SHADOW", "CHECK_CHKROOTKIT", "CHECK_RPM_PACKAGES", "CHECK_RPM_INTEGRITY",
+ "CHECK_SHOSTS", "CHECK_USERS", "CHECK_GROUPS",
"TTY_WARN", "SYSLOG_WARN", "MAIL_EMPTY_CONTENT",
]
diff --git a/src/msec/libmsec.py b/src/msec/libmsec.py
index c22a8a6..24fa0dd 100755
--- a/src/msec/libmsec.py
+++ b/src/msec/libmsec.py
@@ -1456,8 +1456,12 @@ class MSEC:
""" Enable checking for known rootkits using chkrootkit."""
pass
- def check_rpm(self, param):
- """ Enable verification of installed RPM packages."""
+ def check_rpm_packages(self, param):
+ """ Enable verification for changes in the installed RPM packages. This will notify you when new packages are installed or removed."""
+ pass
+
+ def check_rpm_integrity(self, param):
+ """ Enable verification of integrity of installed RPM packages. This will notify you if checksums of the installed files were changed, showing separate results for binary and configuration files."""
pass
def tty_warn(self, param):
diff --git a/src/msec/version.py b/src/msec/version.py
index 9fa799e..9131e62 100644
--- a/src/msec/version.py
+++ b/src/msec/version.py
@@ -1 +1 @@
-version='0.60.12'
+version='0.60.22'