Diffstat (limited to 'cron-sh/security_check.sh')
-rwxr-xr-xcron-sh/security_check.sh25
1 files changed, 15 insertions, 10 deletions
diff --git a/cron-sh/security_check.sh b/cron-sh/security_check.sh
index 796d2c9..89daea2 100755
--- a/cron-sh/security_check.sh
+++ b/cron-sh/security_check.sh
@@ -54,15 +54,6 @@ if [[ ${CHECK_UNOWNED} == yes ]]; then
fi
fi
-if [[ ${CHECK_PERMS} == yes ]]; then
- # running msec_perms
- /usr/sbin/msecperms > ${TMP} 2>&1
- if [[ -s ${TMP} ]]; then
- printf "\nPermissions changes on system files:\n" >> ${SECURITY}
- cat ${TMP} | sed -e 's/WARNING: //g' >> ${SECURITY}
- fi
-fi
-
if [[ ${CHECK_USER_FILES} == yes ]]; then
# Files that should not be owned by someone else or readable.
list=".netrc .rhosts .shosts .Xauthority .gnupg/secring.gpg \
@@ -220,7 +211,6 @@ done > ${TMP}
### Passwd file check
if [[ ${CHECK_SHOSTS} == yes ]]; then
- # TODO: do not check on remote shares (#41709)
getent passwd | awk -F: '{print $1" "$6}' |
while read username homedir; do
if ! expr "$homedir" : "$FILTER" > /dev/null; then
@@ -298,6 +288,21 @@ if [[ ${CHKROOTKIT_CHECK} == yes ]]; then
fi
fi
+### file permissions
+# fix permissions on newly created msec files according to system policy
+/usr/sbin/msecperms -e '/var/log/msec.log' "$SECURITY_LOG" "/var/log/security/*" &> ${TMP}
+
+# now check default permissions
+if [[ ${CHECK_PERMS} == yes ]]; then
+ # running msec_perms
+ /usr/sbin/msecperms > ${TMP} 2>&1
+ if [[ -s ${TMP} ]]; then
+ printf "\nPermissions changes on system files:\n" >> ${SECURITY}
+ cat ${TMP} | sed -e 's/WARNING: //g' >> ${SECURITY}
+ fi
+fi
+
+
### Report
if [[ -s ${SECURITY} ]]; then
Syslog ${SECURITY}
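Review bot: The unconditional `/usr/sbin/msecperms -e ...` call sends all of its output to `${TMP}`, which is then either overwritten by the `CHECK_PERMS` run just below or never read. A failure to fix permissions on `/var/log/msec.log`, `$SECURITY_LOG` or `/var/log/security/*`, and any record of what was changed on them, therefore never reaches the report. Since these are the audit logs themselves, I would surface that, for example `/usr/sbin/msecperms -e ... &> "${TMP}" || cat "${TMP}" >> "${SECURITY}"` (this assumes msecperms exits non-zero on failure, which is not visible here). The added lines also leave `${TMP}` and `${SECURITY}` unquoted, and `cat ${TMP} | sed ...` can be written as `sed -e 's/WARNING: //g' "${TMP}" >> "${SECURITY}"`. The Report block after the added lines continues outside the hunk.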