aboutsummaryrefslogtreecommitdiffstats
path: root/cron-sh
diff options
context:
space:
mode:
Diffstat (limited to 'cron-sh')
-rw-r--r--cron-sh/functions.sh9
-rwxr-xr-xcron-sh/scripts/01_files.sh12
-rwxr-xr-xcron-sh/scripts/02_network.sh6
-rwxr-xr-xcron-sh/scripts/03_rpm.sh3
-rwxr-xr-xcron-sh/scripts/04_rootkit.sh23
-rwxr-xr-xcron-sh/scripts/05_access.sh8
-rwxr-xr-xcron-sh/security.sh4
7 files changed, 52 insertions, 13 deletions
diff --git a/cron-sh/functions.sh b/cron-sh/functions.sh
index 40fbcab..9200838 100644
--- a/cron-sh/functions.sh
+++ b/cron-sh/functions.sh
@@ -58,6 +58,15 @@ Diffcheck() {
fi
}
+Count() {
+ # counts number of entries in a file
+ LOG="$1"
+ FILE="$2"
+ MESSAGE="$3"
+ NUM_ENTRIES=$(wc -l 2>/dev/null < $FILE)
+ echo "$MESSAGE: $NUM_ENTRIES" >> $LOG
+}
+
Syslog() {
if [[ ${SYSLOG_WARN} == yes ]]; then
cat ${1} | while read line; do
diff --git a/cron-sh/scripts/01_files.sh b/cron-sh/scripts/01_files.sh
index b9940ed..9720f55 100755
--- a/cron-sh/scripts/01_files.sh
+++ b/cron-sh/scripts/01_files.sh
@@ -95,27 +95,33 @@ fi
### New Suid root files detection
if [[ ${CHECK_SUID_ROOT} == yes ]]; then
Diffcheck ${SUID_ROOT_TODAY} ${SUID_ROOT_YESTERDAY} ${SUID_ROOT_DIFF} "Suid Root files"
+ Count ${INFOS} ${SUID_ROOT_TODAY} "Total of Suid Root files"
fi
### New Sgid files detection
if [[ ${CHECK_SGID} == yes ]]; then
Diffcheck ${SGID_TODAY} ${SGID_YESTERDAY} ${SGID_DIFF} "Sgid files"
+ Count ${INFOS} ${SGID_TODAY} "Total of Sgid files"
fi
### Writable files detection
if [[ ${CHECK_WRITABLE} == yes ]]; then
Diffcheck ${WRITABLE_TODAY} ${WRITABLE_YESTERDAY} ${WRITABLE_DIFF} "World Writable files"
+ Count ${INFOS} ${WRITABLE_TODAY} "Total of World Writable files"
fi
### Search Non Owned files
if [[ ${CHECK_UNOWNED} == yes ]]; then
Diffcheck ${UNOWNED_USER_TODAY} ${UNOWNED_USER_YESTERDAY} ${UNOWNED_USER_DIFF} "Un-owned files"
+ Count ${INFOS} ${UNOWNED_USER_TODAY} "Total of Un-owned files"
Diffcheck ${UNOWNED_GROUP_TODAY} ${UNOWNED_GROUP_YESTERDAY} ${UNOWNED_GROUP_DIFF} "Un-owned group files"
+ Count ${INFOS} ${UNOWNED_GROUP_TODAY} "Total of Un-owned group files"
fi
### Md5 check for SUID root fileg
if [[ ${CHECK_SUID_MD5} == yes ]]; then
Diffcheck ${SUID_MD5_TODAY} ${SUID_MD5_YESTERDAY} ${SUID_MD5_DIFF} "SUID files MD5 checksum"
+ Count ${INFOS} ${SUID_MD5_TODAY} "Total of SUID files with controlled MD5 checksum"
fi
### Writable file detection
@@ -178,6 +184,7 @@ done | awk -F: '$1 != $6 && $6 != "0" \
{ print "\t\t- " $3 " : file is other writable." }' > ${MSEC_TMP}
if [[ -s ${MSEC_TMP} ]]; then
+ Count ${INFOS} ${MSEC_TMP} "Total of unsecure user files"
printf "\nSecurity Warning: these files shouldn't be owned by someone else or readable :\n" >> ${SECURITY}
cat ${MSEC_TMP} >> ${SECURITY}
fi
@@ -208,6 +215,7 @@ done | awk -F: '$1 != $6 && $6 != "0" \
{ print "\t\t- " $3 " : file is other writable." }' > ${MSEC_TMP}
if [[ -s ${MSEC_TMP} ]]; then
+ Count ${INFOS} ${MSEC_TMP} "Total of user files that should not be writable"
printf "\nSecurity Warning: theses files should not be owned by someone else or writable :\n" >> ${SECURITY}
cat ${MSEC_TMP} >> ${SECURITY}
fi
@@ -231,6 +239,7 @@ done | awk -F: '$3 != $5 && $5 != "(0)" \
{ print "user=" $2 $3" : home directory is other writable." }' > ${MSEC_TMP}
if [[ -s $MSEC_TMP ]] ; then
+ Count ${INFOS} ${MSEC_TMP} "Total of users whose home directories have unsafe permissions "
printf "\nSecurity Warning: these home directory should not be owned by someone else or writable :\n" >> ${SECURITY}
cat ${MSEC_TMP} >> ${SECURITY}
fi
@@ -244,8 +253,9 @@ if [[ ${CHECK_PERMS} == yes || ${CHECK_PERMS} == enforce ]]; then
MSECPERMS_PARAMS=""
fi
# running msec_perms
- /usr/sbin/msecperms $MSECPERMS_PARAMS > ${MSEC_TMP} 2>&1
+ /usr/sbin/msecperms $MSECPERMS_PARAMS | grep WARNING > ${MSEC_TMP} 2>&1
if [[ -s ${MSEC_TMP} ]]; then
+ Count ${INFOS} ${MSEC_TMP} "Permission changes on files watched by msecperms"
printf "\nPermissions changes on files watched by msec:\n" >> ${SECURITY}
cat ${MSEC_TMP} | sed -e 's/WARNING: //g' >> ${SECURITY}
fi
diff --git a/cron-sh/scripts/02_network.sh b/cron-sh/scripts/02_network.sh
index 8e2286c..c31b101 100755
--- a/cron-sh/scripts/02_network.sh
+++ b/cron-sh/scripts/02_network.sh
@@ -26,10 +26,12 @@ fi
if [[ ${CHECK_OPEN_PORT} == yes ]]; then
netstat -pvlA inet,inet6 2> /dev/null > ${OPEN_PORT_TODAY};
+ Count ${INFOS} ${OPEN_PORT_TODAY} "Total of open network ports"
fi
if [[ ${CHECK_FIREWALL} == yes ]]; then
iptables -S 2>/dev/null > ${FIREWALL_TODAY}
+ Count ${INFOS} ${FIREWALL_TODAY} "Total of configured firewall rules"
fi
### Changed open port
@@ -45,8 +47,8 @@ fi
### Dump a list of open port.
if [[ ${CHECK_OPEN_PORT} == yes ]]; then
if [[ -s ${OPEN_PORT_TODAY} ]]; then
- printf "\nThese are the ports listening on your machine :\n" >> ${INFOS}
- cat ${OPEN_PORT_TODAY} >> ${INFOS}
+ printf "\nThese are the ports listening on your machine :\n" >> ${SECURITY}
+ cat ${OPEN_PORT_TODAY} >> ${SECURITY}
fi
fi
diff --git a/cron-sh/scripts/03_rpm.sh b/cron-sh/scripts/03_rpm.sh
index cc10a91..24353e2 100755
--- a/cron-sh/scripts/03_rpm.sh
+++ b/cron-sh/scripts/03_rpm.sh
@@ -40,6 +40,7 @@ fi
# list of installed packages
if [[ ${CHECK_RPM_PACKAGES} == yes ]]; then
rpm -qa --qf "%{NAME}-%{VERSION}-%{RELEASE}\n" | sort > ${RPM_QA_TODAY}
+ Count ${INFOS} ${RPM_QA_TODAY} "Total of installed packages"
Diffcheck ${RPM_QA_TODAY} ${RPM_QA_YESTERDAY} ${RPM_QA_DIFF} "packages"
fi
@@ -54,11 +55,13 @@ if [[ ${CHECK_RPM_INTEGRITY} == yes ]]; then
# full check
if [[ -s ${RPM_VA_TODAY} ]]; then
printf "\nSecurity Warning: These files belonging to packages are modified on the system :\n" >> ${SECURITY}
+ Count ${INFOS} ${RPM_VA_TODAY} "Total of files belonging to packages that were modified since the install"
cat ${RPM_VA_TODAY} >> ${SECURITY}
fi
if [[ -s ${RPM_VA_CONFIG_TODAY} ]]; then
printf "\nSecurity Warning: These config files belonging to packages are modified on the system :\n" >> ${SECURITY}
+ Count ${INFOS} ${RPM_VA_CONFIG_TODAY} "Total of configuration files belonging to packages that were modified since the install"
cat ${RPM_VA_CONFIG_TODAY} >> ${SECURITY}
fi
diff --git a/cron-sh/scripts/04_rootkit.sh b/cron-sh/scripts/04_rootkit.sh
index c518247..3a59b0c 100755
--- a/cron-sh/scripts/04_rootkit.sh
+++ b/cron-sh/scripts/04_rootkit.sh
@@ -18,15 +18,20 @@ if [[ ${CHECK_CHKROOTKIT} == yes ]]; then
if [ -x /usr/sbin/chkrootkit ]; then
# do not check on NFS
/usr/sbin/chkrootkit -n ${CHKROOTKIT_OPTION} > ${CHKROOTKIT_TODAY}
- fi
-fi
-
-### chkrootkit checks
-if [[ ${CHECK_CHKROOTKIT} == yes ]]; then
-
- if [[ -s ${CHKROOTKIT_TODAY} ]]; then
- printf "\nChkrootkit report:\n" >> ${SECURITY}
- cat ${CHKROOTKIT_TODAY} >> ${SECURITY}
+ res=$?
+ if [ "$res" = "0" ]; then
+ chkrootkit_result="passed"
+ else
+ chkrootkit_result="failed"
+ fi
+ if [[ -s ${CHKROOTKIT_TODAY} ]]; then
+ printf "\nChkrootkit report:\n" >> ${SECURITY}
+ cat ${CHKROOTKIT_TODAY} >> ${SECURITY}
+ echo "Chkrootkit check: $chkrootkit_result" >> ${INFOS}
+ fi
+ else
+ printf "\nChkrootkit check skipped: chkrootkit not found" >> ${SECURITY}
+ echo "Chkrootkit check: skipped (chkrootkit not found)" >> ${INFOS}
fi
fi
diff --git a/cron-sh/scripts/05_access.sh b/cron-sh/scripts/05_access.sh
index b66e87f..2b35d8c 100755
--- a/cron-sh/scripts/05_access.sh
+++ b/cron-sh/scripts/05_access.sh
@@ -22,6 +22,7 @@ fi
if [[ ${CHECK_USERS} == yes ]]; then
getent passwd | cut -f 1 -d : | sort > ${USERS_LIST_TODAY}
Diffcheck ${USERS_LIST_TODAY} ${USERS_LIST_YESTERDAY} ${USERS_LIST_DIFF} "local users"
+ Count ${INFOS} ${USERS_LIST_TODAY} "Total local users"
fi
# check for changes in groups
@@ -37,6 +38,7 @@ fi
if [[ ${CHECK_GROUPS} == yes ]]; then
getent passwd | cut -f 1 -d : | sort > ${GROUPS_LIST_TODAY}
Diffcheck ${GROUPS_LIST_TODAY} ${GROUPS_LIST_YESTERDAY} ${GROUPS_LIST_DIFF} "local groups"
+ Count ${INFOS} ${GROUPS_LIST_TODAY} "Total local group"
fi
### Passwd file check
@@ -53,6 +55,7 @@ if [[ ${CHECK_PASSWD} == yes ]]; then
if [[ -s ${MSEC_TMP} ]]; then
printf "\nSecurity Warning: /etc/passwd check :\n" >> ${SECURITY}
cat ${MSEC_TMP} >> ${SECURITY}
+ Count ${INFOS} ${MSEC_TMP} "Issues found in /etc/passwd file"
fi
fi
@@ -66,6 +69,7 @@ if [[ ${CHECK_SHADOW} == yes ]]; then
if [[ -s ${MSEC_TMP} ]]; then
printf "\nSecurity Warning: /etc/shadow check :\n" >> ${SECURITY}
cat ${MSEC_TMP} >> ${SECURITY}
+ Count ${INFOS} ${MSEC_TMP} "Issues found in /etc/shadow file"
fi
fi
@@ -88,6 +92,7 @@ if [[ -s /etc/exports ]] ; then
if [[ -s ${MSEC_TMP} ]] ; then
printf "\nSecurity Warning: Some NFS filesystem are exported globally :\n" >> ${SECURITY}
cat ${MSEC_TMP} >> ${SECURITY}
+ Count ${INFOS} ${MSEC_TMP} "Issues found in NFS exports"
fi
fi
@@ -96,6 +101,7 @@ fi
if [[ -s ${MSEC_TMP} ]] ; then
printf "\nSecurity Warning: The following NFS mounts haven't got the nosuid option set :\n" >> ${SECURITY}
cat ${MSEC_TMP} | awk '{ print "\t\t- "$0 }' >> ${SECURITY}
+ Count ${INFOS} ${MSEC_TMP} "Unsafe NFS exports"
fi
### Files that should not have + signs.
@@ -134,6 +140,7 @@ if [[ ${CHECK_SHOSTS} == yes ]]; then
printf "\tthis probably mean that you trust certains users/domain\n" >> ${SECURITY}
printf "\tto connect on this host without proper authentication :\n" >> ${SECURITY}
cat ${MSEC_TMP} >> ${SECURITY}
+ Count ${INFOS} ${MSEC_TMP} "Unsafe hosts trusting files"
fi
fi
@@ -150,6 +157,7 @@ for file in ${list}; do
printf "\nSecurity Warning: The following programs are executed in your mail\n" >> ${SECURITY}
printf "\tvia ${file} files, this could lead to security problems :\n" >> ${SECURITY}
cat ${MSEC_TMP} >> ${SECURITY}
+ Count ${INFOS} ${MSEC_TMP} "Unsafe mail aliases"
fi
done
diff --git a/cron-sh/security.sh b/cron-sh/security.sh
index fa50054..09f9286 100755
--- a/cron-sh/security.sh
+++ b/cron-sh/security.sh
@@ -78,8 +78,10 @@ if [[ -s ${SECURITY} ]]; then
Ttylog ${SECURITY}
echo "$SECURITY_PREFIX *** Security Check, ${REPORT_DATE} ***" >> ${SECURITY_LOG}
- cat ${SECURITY} | sed -e "s/^/$SECURITY_PREFIX/g" >> ${SECURITY_LOG}
+ printf "Report summary:\n" >> ${SECURITY_LOG}
cat ${INFOS} | sed -e "s/^/$INFO_PREFIX/g" >> ${SECURITY_LOG}
+ printf "\nDetailed report:\n" >> ${SECURITY_LOG}
+ cat ${SECURITY} | sed -e "s/^/$SECURITY_PREFIX/g" >> ${SECURITY_LOG}
Maillog "[msec] *** Security Check on ${REPORT_HOSTNAME}, ${REPORT_DATE} ***" "${SECURITY} ${INFOS}"
Notifylog "MSEC has performed Security Check on ${REPORT_HOSTNAME} on ${REPORT_DATE}"