-rw-r--r-- | ChangeLog | 4 | ||||
-rwxr-xr-x | cron-sh/security.sh | 45 | ||||
-rw-r--r-- | src/msec_find/find.c | 69 |
3 files changed, 66 insertions, 52 deletions
@@ -1,3 +1,7 @@
+2000-03-19 Yoann Vandoorselaere <yoann@mandrakesoft.com>
+ * security.sh : added patch from Thomas Poindessous.
+ * find.c : many modification :)
+
 2000-03-16 Yoann Vandoorselaere <yoann@mandrakesoft.com>
 * security.sh : export *_TODAY variable to be used by msec_find.
 * find.c : removed a debuging printf.
diff --git a/cron-sh/security.sh b/cron-sh/security.sh
index b949028..b6636b5 100755
--- a/cron-sh/security.sh
+++ b/cron-sh/security.sh
@@ -76,21 +76,36 @@ netstat -pvlA inet 2> /dev/null > ${OPEN_PORT_TODAY};
 # Hard disk related file check; the less priority the better...
 nice --adjustment=+19 /usr/bin/msec_find ${DIR}
-sort < ${SUID_ROOT_TODAY} > ${SUID_ROOT_TODAY}.tmp
-sort < ${SUID_GROUP_TODAY} > ${SUID_GROUP_TODAY}.tmp
-sort < ${WRITEABLE_TODAY} > ${WRITEABLE_TODAY}.tmp
-sort < ${UNOWNED_USER_TODAY} > ${UNOWNED_USER_TODAY}.tmp
-sort < ${UNOWNED_GROUP_TODAY} > ${UNOWNED_GROUP_TODAY}.tmp
-
-mv -f ${SUID_ROOT_TODAY}.tmp ${SUID_ROOT_TODAY}
-mv -f ${SUID_GROUP_TODAY}.tmp ${SUID_GROUP_TODAY}
-mv -f ${WRITEABLE_TODAY}.tmp ${WRITEABLE_TODAY}
-mv -f ${UNOWNED_USER_TODAY}.tmp ${UNOWNED_USER_TODAY}
-mv -f ${UNOWNED_GROUP_TODAY}.tmp ${UNOWNED_GROUP_TODAY}
-
-while read line; do
- md5sum ${line}
-done < ${SUID_ROOT_TODAY} > ${SUID_MD5_TODAY}
+if [[ -f ${SUID_ROOT_TODAY} ]]; then
+ sort < ${SUID_ROOT_TODAY} > ${SUID_ROOT_TODAY}.tmp
+ mv -f ${SUID_ROOT_TODAY}.tmp ${SUID_ROOT_TODAY}
+fi
+
+if [[ -f ${SUID_GROUP_TODAY} ]]; then
+ sort < ${SUID_GROUP_TODAY} > ${SUID_GROUP_TODAY}.tmp
+ mv -f ${SUID_GROUP_TODAY}.tmp ${SUID_GROUP_TODAY}
+fi
+
+if [[ -f ${WRITEABLE_TODAY} ]]; then
+ sort < ${WRITEABLE_TODAY} > ${WRITEABLE_TODAY}.tmp
+ mv -f ${WRITEABLE_TODAY}.tmp ${WRITEABLE_TODAY}
+fi
+
+if [[ -f ${UNOWNED_USER_TODAY} ]]; then
+ sort < ${UNOWNED_USER_TODAY} > ${UNOWNED_USER_TODAY}.tmp
+ mv -f ${UNOWNED_USER_TODAY}.tmp ${UNOWNED_USER_TODAY}
+fi
+
+if [[ -f ${UNOWNED_GROUP_TODAY} ]]; then
+ sort < ${UNOWNED_GROUP_TODAY} > ${UNOWNED_GROUP_TODAY}.tmp
+ mv -f ${UNOWNED_GROUP_TODAY}.tmp ${UNOWNED_GROUP_TODAY}
+fi
+
+if [[ -f ${SUID_ROOT_TODAY} ]]; then
+ while read line; do
+ md5sum ${line}
+ done < ${SUID_ROOT_TODAY} > ${SUID_MD5_TODAY}
+fi
 ### Functions ###
diff --git a/src/msec_find/find.c b/src/msec_find/find.c
index 18c4261..c60de21 100644
--- a/src/msec_find/find.c
+++ b/src/msec_find/find.c
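Review bot: The md5sum loop in the last added block still expands `${line}` unquoted and reads with a bare `read`, so a set-UID path containing whitespace, glob characters, backslashes or a leading `-` is split, mangled or taken as an option, and the wrong file (or nothing) gets hashed; the `[[ -f ]]` guard added around it does not change that. Use `while read -r line; do md5sum -- "$line"; done < ${SUID_ROOT_TODAY} > ${SUID_MD5_TODAY}`. Separately, when `${SUID_ROOT_TODAY}` is absent the new guard skips writing `${SUID_MD5_TODAY}` altogether, leaving whatever that file held before; if these names are not date-stamped per run, a failed msec_find would leave a stale checksum list that later comparisons would silently trust, which is worth confirming against how the `*_TODAY` variables are defined.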
@@ -9,16 +9,16 @@
 /*
 * TODO
- * +++ hash tables or btree to stock already searched uid/gid for speed
- * Pb: since linux-2.3.4x, uid & gid are 32 bits wide ... => BTREE?
- * static char **uid_hash, **gid_hash;
+ * +++ hash tables or btree to stock already searched uid/gid for speed
+ * Pb: since linux-2.3.4x, uid & gid are 32 bits wide ... => BTREE?
+ * static char **uid_hash, **gid_hash;
 *
- * +++ check for open & I/O error on log files ...
- * +++ Yoann scripts should avoid /dev if devfs is mounted (either by testing
- * if /dev is mounted by devfs or if [ -f /dev/.devfsd ] => see with
- * Yoann
- * --- disable 'cannot stat ...' warning (???) => better log them SECURITY_LOG
- * --- disable write test on links => OK
+ * +++ check for open & I/O error on log files ...
+ * +++ Yoann scripts should avoid /dev if devfs is mounted (either by testing
+ * if /dev is mounted by devfs or if [ -f /dev/.devfsd ] => see with
+ * Yoann
+ * --- disable 'cannot stat ...' warning (???) => better log them SECURITY_LOG
+ * --- disable write test on links => OK
 */
 /*
@@ -31,7 +31,6 @@
 * - Do not use getenv to get the root directory.
 * - Use argv instead of a DIR variable to get directory to scan.
 * - Free directory after use when allocated for appending a '/'.
- * - We do not need __USE_XOPEN_EXTENDED definition.
 */
 #include <stdlib.h>
@@ -67,41 +66,27 @@ static FILE *writeable_fd;
 static int traverse(const char *file, const struct stat *sb, int flag, struct FTW *s)
 {
- struct passwd *u_nss_data;
- struct group *g_nss_data;
-
+ struct passwd *u_nss_data;
+ struct group *g_nss_data;
+
+ /*
+ * handle bogus glibc ftw
+ * else we won't print only one '/' in front of file names
+ */
 if (strncmp(file, "//", 2) == 0 )
- /*
- * handle bogus glibc ftw
- * else we won't print only one '/' in front of file names
- */
 file++;
- if (strncmp("/proc", file, 5) == 0)
- return 0;
- if (strncmp("/dev", file, 4) == 0)
+ /*
+ * Don't walk throught /dev & /proc
+ */
+ if ( (strncmp("/proc", file, 5) == 0) || (strncmp("/dev", file, 4) == 0) )
 return 0;
 switch (flag) {
- /*
- * Here is a difference with security-check.sh:
- * we don't check for regular files only for Set-UID et Set-GID but
- * to directories too. Idem for world writable directories ...
- */
-
- case FTW_F:
 /*
- * Regular file
- *
- * printf("%s\n", file);
+ * Regular file handling.
 */
-
- /*
- * Is writeable check.
- */
- if (sb->st_mode & 0002)
- fprintf(writeable_fd, "%s\n", file);
-
+ case FTW_F:
 /*
- * Is suid root check.
 */
@@ -114,8 +99,18 @@ static int traverse(const char *file, const struct stat *sb, int flag, struct FT
 if (sb->st_mode & S_ISGID)
 fprintf(sgid_fd, "%s\n", file);
+ /*
+ * Their is no break statement here, it is normal.
+ * Directory handing.
+ */
 case FTW_D:
 /*
+ * Is world writeable check.
+ */
+ if (sb->st_mode & 0002)
+ fprintf(writeable_fd, "%s\n", file);
+
+ /*
 * Unowned user check.
 */
 u_nss_data = getpwuid(sb->st_uid); |
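Review bot: The merged skip test is a bare prefix match, so `strncmp("/dev", file, 4) == 0` also matches any top-level name that merely starts with `dev` (for example `/devel/...`), and `strncmp("/proc", file, 5)` likewise swallows `/procmail`; a set-UID binary under such a directory is never reported. Compare the path component exactly: `if (strcmp(file, "/proc") == 0 || strncmp(file, "/proc/", 6) == 0 ||` / `    strcmp(file, "/dev") == 0 || strncmp(file, "/dev/", 5) == 0)` / `return 0;`. Note also that for an nftw-style callback (the `struct FTW *s` parameter suggests one) returning 0 only suppresses output for this entry; the walk still descends into /proc and /dev, so the added comment `Don't walk throught /dev & /proc` overstates what happens unless pruning is arranged elsewhere, which is not visible in this hunk. traverse continues past the end of the hunk.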
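Review bot: The relocated world-writable check, which now runs for regular files via the deliberate fall-through as well as for directories, ignores the sticky bit, so a sticky directory such as `/tmp` (typically mode 1777) is listed on every run next to genuinely dangerous ones and buries the signal; if that is not intended, `if ((sb->st_mode & 0002) && !(flag == FTW_D && (sb->st_mode & S_ISVTX)))` keeps world-writable sticky directories out of the report, otherwise the comment should say they are reported on purpose. The fall-through also sends regular files through the unowned-user lookup below, which the added comment should state instead of just `Directory handing`, and it has typos; suggested wording: `There is intentionally no break here: regular files also get the world-writable and unowned checks below.` These remarks apply to the comment before `case FTW_D:` and the added `if` in the second hunk; traverse's body continues after it.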