-rw-r--r-- | ChangeLog | 5 | ||||
-rwxr-xr-x | cron-sh/diff_check.sh | 14 | ||||
-rwxr-xr-x | cron-sh/promisc_check.sh | 9 | ||||
-rwxr-xr-x | cron-sh/security_check.sh | 20 | ||||
-rwxr-xr-x | init-sh/custom.sh | 2 | ||||
-rwxr-xr-x | init-sh/level4.sh | 2 | ||||
-rw-r--r-- | init-sh/lib.sh | 12 | ||||
-rw-r--r-- | msec.spec | 8 |
8 files changed, 40 insertions, 32 deletions
@@ -1,6 +1,9 @@ 1999-12-09 Yoann Vandoorselaere <yoann@mandrakesoft.com> - * security_cjheck.sh: print header at begining of the log. + * Many bugfix, i'm trying to get a bugfree release before the freeze + * Renamed some variable, added consistencie. + * security_check.sh: print header at begining of the log. * diff_check.sh: typo. + 1999-12-08 Yoann Vandoorselaere <yoann@mandrakesoft.com> * security_check.sh: remove /tmp stuff. * security_check.sh: typo diff --git a/cron-sh/diff_check.sh b/cron-sh/diff_check.sh index 2448481..3c08858 100755 --- a/cron-sh/diff_check.sh +++ b/cron-sh/diff_check.sh @@ -57,7 +57,7 @@ rm -f ${TMP} ${SECURITY_TMP} >& /dev/null ### Functions ### Syslog() { - if [ ${SYSLOG_WARN}=="yes" ]; then + if [[ ${SYSLOG_WARN} == yes ]]; then cat ${1} | while read line; do /sbin/initlog --string="${line}" done @@ -65,7 +65,7 @@ Syslog() { } Ttylog() { - if [ ${TTY_WARN}=="yes" ]; then + if [[ ${TTY_WARN} == yes ]]; then for i in `w | grep -v "load\|TTY" | awk '{print $2}'` ; do echo -e "$1" > /dev/$i done @@ -76,7 +76,7 @@ Ttylog() { ### New Suid root files detection -if [ ${CHECK_SUID_ROOT}=="yes" ]; then +if [[ ${CHECK_SUID_ROOT} == yes ]]; then if [ -f ${SUID_ROOT_TODAY} ]; then mv ${SUID_ROOT_TODAY} ${SUID_ROOT_YESTERDAY} @@ -121,7 +121,7 @@ if [ ${CHECK_SUID_GROUP} ]; then fi ### Writable files detection -if [ ${CHECK_WRITEABLE}=="yes" ]; then +if [[ ${CHECK_WRITEABLE} == yes ]]; then if [ -f ${WRITEABLE_TODAY} ]; then mv -f ${WRITEABLE_TODAY} ${WRITEABLE_YESTERDAY} @@ -143,7 +143,7 @@ if [ ${CHECK_WRITEABLE}=="yes" ]; then fi ### Search Non Owned files -if [ ${CHECK_UNOWNED}=="yes" ]; then +if [[ ${CHECK_UNOWNED} == yes ]]; then if [ -f ${UNOWNED_TODAY} ]; then mv -f ${UNOWNED_TODAY} ${UNOWNED_YESTERDAY} 
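Review bot: The check shown in the @@ -121 hunk header, `if [ ${CHECK_SUID_GROUP} ]; then`, is the one condition in diff_check.sh left on the old form, and it only tests that the variable is non-empty, so `CHECK_SUID_GROUP=no` in security.conf still runs the SUID-group scan; for consistency with the conditions converted in this commit it should read `if [[ ${CHECK_SUID_GROUP} == yes ]]; then`. In the @@ -57 hunk, Syslog's `while read line` should be `while read -r line`, otherwise backslashes in the report lines are interpreted before they reach initlog. The bodies of Syslog and of the CHECK_SUID_ROOT block continue outside their hunks.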
@@ -179,7 +179,7 @@ if [ ${CHECK_UNOWNED}=="yes" ]; then fi ### Md5 check for SUID root file -if [ ${CHECK_SUID_MD5}=="yes" ]; then +if [[ ${CHECK_SUID_MD5} == yes ]]; then if [ -f ${SUID_MD5_TODAY} ]; then mv ${SUID_MD5_TODAY} ${SUID_MD5_YESTERDAY} fi @@ -205,7 +205,7 @@ if [ ${CHECK_SUID_MD5}=="yes" ]; then fi ### Changed open port -if [ ${CHECK_OPEN_PORT}=="yes" ]; then +if [[ ${CHECK_OPEN_PORT} == yes ]]; then if [ -f ${OPEN_PORT_TODAY} ]; then mv -f ${OPEN_PORT_TODAY} ${OPEN_PORT_YESTERDAY} fi diff --git a/cron-sh/promisc_check.sh b/cron-sh/promisc_check.sh index 2297595..a2bdaa4 100755 --- a/cron-sh/promisc_check.sh +++ b/cron-sh/promisc_check.sh @@ -1,5 +1,8 @@ #!/bin/bash +# Writen by Vandoorselaere Yoann, +# <yoann@mandrakesoft.com> + if [ -f /etc/security/msec/security.conf ]; then . /etc/security/msec/security.conf else @@ -13,13 +16,13 @@ if tail /var/log/security.log | grep -q "promiscuous"; then fi Syslog() { - if [ "${SYSLOG_WARN}" == "yes" ]; then + if [[ ${SYSLOG_WARN} == yes ]]; then /sbin/initlog --string="${1}" fi } Ttylog() { - if [ "${TTYLOG_WARN}" == "yes" ]; then + if [[ ${TTYLOG_WARN} == yes ]]; then w | grep -v "load\|TTY" | awk '{print $2}' | while read line; do echo -e "${1}" > /dev/$i done @@ -49,7 +52,7 @@ else exit 1 fi -if [ ${CHECK_PROMISC}=="no" ]; then +if [[ ${CHECK_PROMISC} == no ]]; then exit 0; fi diff --git a/cron-sh/security_check.sh b/cron-sh/security_check.sh index 7289a43..844cd9d 100755 --- a/cron-sh/security_check.sh +++ b/cron-sh/security_check.sh 
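Review bot: In the @@ -13 hunk, Ttylog's loop reads each tty name into `line` but then redirects to `/dev/$i`, so `i` is never assigned by the loop and the redirection goes to `/dev/` (or to an inherited value of `i`) — the warning never reaches the logged-in terminals. The loop body should be `echo -e "${1}" > /dev/${line}`. The same `line`/`$i` mismatch is in lib.sh's Ttylog (the @@ -96 hunk), where `echo -e ${1}` and `--string=${1}` are additionally unquoted and should be `"${1}"`; diff_check.sh's Ttylog uses `for i in ...` and is consistent.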
@@ -79,12 +79,12 @@ if [[ ${CHECK_PERMS} == yes ]]; then list=".netrc .rhosts .shosts .Xauthority .pgp/secring.pgp .ssh/identity .ssh/random_seed" awk -F: '/^[^+-]/ { print $1 " " $3 " " $6 }' /etc/passwd | while read username uid homedir; do - for f in ${list} ; do - file="${homedir}/${f}" - if [ -f ${file} ] ; then - printf "${uid} ${username} ${file} `ls -ldcgn ${file}`\n" - fi - done + for f in ${list} ; do + file="${homedir}/${f}" + if [ -f ${file} ] ; then + printf "${uid} ${username} ${file} `ls -ldcgn ${file}`\n" + fi + done done | awk '$1 != $6 && $6 != "0" \ { print "\t\t- " $3 " : file is owned by uid " $6 "." } $4 ~ /^-...r/ \ @@ -101,7 +101,6 @@ if [ -s ${TMP} ]; then cat ${TMP} >> ${SECURITY} fi - ### Files that should not be owned by someone else or writeable. list=".bashrc .bash_profile .bash_login .bash_logout .cshrc .emacs .exrc \ .forward .klogin .login .logout .profile .tcshrc .fvwmrc .inputrc .kshrc \ @@ -145,12 +144,10 @@ if [ -s $TMP ] ; then printf "\nSecurity Warning: these home directory should not be owned by someone else or writeable :\n" >> ${SECURITY} cat ${TMP} >> ${SECURITY} fi -fi - +fi # End of check perms -if [ ${CHECK_SECURITY} == yes ]; then ### Passwd file check -if [ ${CHECK_PASSWD} == yes ]; then +if [[ ${CHECK_PASSWD} == yes ]]; then awk -F: '{ if ( $2 == "" ) printf("\t\t- /etc/passwd:%d: User \"%s\" has no password !\n", FNR, $1); @@ -265,7 +262,6 @@ if [[ ${CHECK_OPEN_PORT} == yes ]]; then cat ${TMP} >> ${SECURITY} fi fi -fi # end of CHECK_SECURITY ### Report if [ -s ${SECURITY} ]; then diff --git a/init-sh/custom.sh b/init-sh/custom.sh index 459d0c8..c6963a9 100755 --- a/init-sh/custom.sh +++ b/init-sh/custom.sh 
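Review bot: In the @@ -79 hunk, `printf "${uid} ${username} ${file} \`ls -ldcgn ${file}\`\n"` uses data read from /etc/passwd and from the filesystem as the printf format string, so a home directory or listing containing `%` or `\` is interpreted instead of printed; use a fixed format, `printf '%s %s %s %s\n' "${uid}" "${username}" "${file}" "$(ls -ldcgn -- "${file}")"`. The `[ -f ${file} ]` test on the line above should also quote `"${file}"`, since the home-directory field can contain spaces. The loop is only re-indented by this commit, and the enclosing `if [[ ${CHECK_PERMS} == yes ]]` block starts outside the hunk. In the @@ -145 and @@ -265 hunks the outer `CHECK_SECURITY` gate is dropped, so every check now depends on its own flag alone; if security.conf still documents CHECK_SECURITY, that key is now silently ignored and the ChangeLog should say so.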
@@ -68,7 +68,7 @@ if [ ${answer} == "yes" ]; then fi ### -echo "Do you want your system to check for permission problem ?" +echo "Do you want your system to check for grave permission problem on senssibles files ?" WaitAnswer; clear if [ ${answer} == "yes" ]; then AddRules "CHECK_PERMS=yes" /etc/security/msec/security.conf diff --git a/init-sh/level4.sh b/init-sh/level4.sh index 6745ae5..a5ba70d 100755 --- a/init-sh/level4.sh +++ b/init-sh/level4.sh @@ -105,7 +105,7 @@ echo -e "done.\n"; # /etc/profile echo "Setting umask to 022 (u=rw,g=rx) for root, 077 (u=rw) for user :" -AddRules "if [ \${UID} == 0 ]; then umask 022; else umask 077; fi" /etc/profile +AddRules "if [[ \${UID} == 0 ]]; then umask 022; else umask 077; fi" /etc/profile echo "Adding \"normal\" PATH variable :" AddRules "PATH=\$PATH:/usr/X11R6/bin:/usr/games" /etc/profile quiet AddRules "export PATH SECURE_LEVEL" /etc/profile diff --git a/init-sh/lib.sh b/init-sh/lib.sh index ec14082..ec14be3 100644 --- a/init-sh/lib.sh +++ b/init-sh/lib.sh @@ -4,7 +4,7 @@ # # Need root access -if [ ${UID} != 0 ]; then +if [[ ${UID} != 0 ]]; then echo "You need to be root in order to change secure level." exit 1 fi @@ -54,7 +54,7 @@ CleanRules() { touch ${file} while read line; do - if [ ${ctrl} == 1 ]; then + if [[ ${ctrl} == 1 ]]; then ctrl=0 continue; fi @@ -63,7 +63,7 @@ CleanRules() { ctrl=1 fi - if [ ${ctrl} == 0 ]; then + if [[ ${ctrl} == 0 ]]; then echo "${line}" >> ${file} fi done < /tmp/secure.tmp @@ -96,13 +96,13 @@ CommentUserRules() { } Syslog() { - if [ "${SYSLOG_WARN}" == "yes" ]; then + if [[ ${SYSLOG_WARN} == yes ]]; then /sbin/initlog --string=${1} fi } Ttylog() { - if [ "${TTY_WARN}" == "yes" ]; then + if [[ ${TTY_WARN} == yes ]]; then w | grep -v "load\|TTY" | awk '{print $2}' | while read line; do echo -e ${1} > /dev/$i done 
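Review bot: The new prompt in the @@ -68 hunk, `Do you want your system to check for grave permission problem on senssibles files ?`, has a spelling error ("senssibles") and reads awkwardly; suggest `echo "Do you want your system to check for serious permission problems on sensitive files ?"`. The test on the following context line, `if [ ${answer} == "yes" ]; then`, is still on the old `[` form that the rest of this commit converts to `[[ ${answer} == yes ]]`.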
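Review bot: The rule written into /etc/profile in level4.sh's @@ -105 hunk, `if [[ \${UID} == 0 ]]; then umask 022; else umask 077; fi`, now depends on two bash-only features (`[[` and `$UID`), but /etc/profile is read by every Bourne-style login shell on the system, not only bash; a user whose login shell is a POSIX sh without `[[` gets a syntax error at login and no umask at all. The old `[ ${UID} == 0 ]` already relied on `$UID`, so this is a pre-existing limitation made slightly worse. A portable form is `if [ "$(id -u)" -eq 0 ]; then umask 022; else umask 077; fi`.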
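Review bot: CleanRules in lib.sh (the @@ -54 and @@ -63 hunks) rebuilds `${file}` from `/tmp/secure.tmp`, a fixed name in a world-writable directory, and lib.sh runs only as root (the @@ -4 hunk enforces it); a fixed /tmp path that root reads back can be replaced by any local user between its creation and its use, so the scratch file should come from `mktemp` and be removed by a `trap ... EXIT`. Where the file is created is outside these hunks, so this may already be handled there. In the same loop, `while read line` should be `while read -r line` so that backslashes in the copied configuration lines survive, and `>> ${file}` should be `>> "${file}"`.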
@@ -116,7 +116,7 @@ LiloUpdate() {
 echo "Be very carefull,"
 echo "this will prevent your server to reboot without an operator to enter password".
 WaitAnswer;
- if [ "${answer}" == "yes" ]; then
+ if [[ ${answer} == yes ]]; then
 echo -n "Please enter the password which will be used at boot time : "
 read password
 else
@@ -34,7 +34,13 @@ rm -rf $RPM_BUILD_ROOT
 /etc/security/msec
 /usr/bin/promisc_check
-%changelog
+%changeloga
+1999-12-09 Yoann Vandoorselaere <yoann@mandrakesoft.com>
+- Many bugfix, i'm trying to get a bugfree release before the freeze
+- Renamed some variable, added consistencie.
+- security_cjheck.sh: print header at begining of the log.
+- diff_check.sh: typo.
+
 * Wed Dec 8 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
 - security_check.sh: remove /tmp stuff.
 - security_check.sh: typo |
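Review bot: `read password` in the @@ -116 hunk reads the boot password with terminal echo on and with backslash processing, so the password is displayed in clear as it is typed and any backslash in it is altered; use `read -r -s password` followed by `echo` to restore the newline. How the password is stored afterwards is outside the hunk — if it is written into a lilo configuration file, that file should be created with mode 0600. LiloUpdate continues past the hunk.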
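Review bot: The spec file's `%changelog` section header is replaced by `%changeloga` in the @@ -34 hunk; rpmbuild does not recognise that as a section, so the build is likely to fail with an unknown-tag error, and the line must stay `%changelog`. The five added entries also use the ChangeLog's `1999-12-09 Name <mail>` layout instead of the RPM form of the existing entry below them, `* Wed Dec 8 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>`; rpm expects each entry to start with `* <weekday> <month> <day> <year> <name> <mail>`. The entry text repeats the ChangeLog typo `security_cjheck.sh` as well.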