diff options
Diffstat (limited to 'cron-sh')
-rw-r--r-- | cron-sh/functions.sh | 9 | ||||
-rwxr-xr-x | cron-sh/scripts/01_files.sh | 12 | ||||
-rwxr-xr-x | cron-sh/scripts/02_network.sh | 6 | ||||
-rwxr-xr-x | cron-sh/scripts/03_rpm.sh | 3 | ||||
-rwxr-xr-x | cron-sh/scripts/04_rootkit.sh | 23 | ||||
-rwxr-xr-x | cron-sh/scripts/05_access.sh | 8 | ||||
-rwxr-xr-x | cron-sh/security.sh | 4 |
7 files changed, 52 insertions, 13 deletions
diff --git a/cron-sh/functions.sh b/cron-sh/functions.sh index 40fbcab..9200838 100644 --- a/cron-sh/functions.sh +++ b/cron-sh/functions.sh @@ -58,6 +58,15 @@ Diffcheck() { fi } +Count() { + # counts number of entries in a file + LOG="$1" + FILE="$2" + MESSAGE="$3" + NUM_ENTRIES=$(wc -l 2>/dev/null < $FILE) + echo "$MESSAGE: $NUM_ENTRIES" >> $LOG +} + Syslog() { if [[ ${SYSLOG_WARN} == yes ]]; then cat ${1} | while read line; do diff --git a/cron-sh/scripts/01_files.sh b/cron-sh/scripts/01_files.sh index b9940ed..9720f55 100755 --- a/cron-sh/scripts/01_files.sh +++ b/cron-sh/scripts/01_files.sh @@ -95,27 +95,33 @@ fi ### New Suid root files detection if [[ ${CHECK_SUID_ROOT} == yes ]]; then Diffcheck ${SUID_ROOT_TODAY} ${SUID_ROOT_YESTERDAY} ${SUID_ROOT_DIFF} "Suid Root files" + Count ${INFOS} ${SUID_ROOT_TODAY} "Total of Suid Root files" fi ### New Sgid files detection if [[ ${CHECK_SGID} == yes ]]; then Diffcheck ${SGID_TODAY} ${SGID_YESTERDAY} ${SGID_DIFF} "Sgid files" + Count ${INFOS} ${SGID_TODAY} "Total of Sgid files" fi ### Writable files detection if [[ ${CHECK_WRITABLE} == yes ]]; then Diffcheck ${WRITABLE_TODAY} ${WRITABLE_YESTERDAY} ${WRITABLE_DIFF} "World Writable files" + Count ${INFOS} ${WRITABLE_TODAY} "Total of World Writable files" fi ### Search Non Owned files if [[ ${CHECK_UNOWNED} == yes ]]; then Diffcheck ${UNOWNED_USER_TODAY} ${UNOWNED_USER_YESTERDAY} ${UNOWNED_USER_DIFF} "Un-owned files" + Count ${INFOS} ${UNOWNED_USER_TODAY} "Total of Un-owned files" Diffcheck ${UNOWNED_GROUP_TODAY} ${UNOWNED_GROUP_YESTERDAY} ${UNOWNED_GROUP_DIFF} "Un-owned group files" + Count ${INFOS} ${UNOWNED_GROUP_TODAY} "Total of Un-owned group files" fi ### Md5 check for SUID root fileg if [[ ${CHECK_SUID_MD5} == yes ]]; then Diffcheck ${SUID_MD5_TODAY} ${SUID_MD5_YESTERDAY} ${SUID_MD5_DIFF} "SUID files MD5 checksum" + Count ${INFOS} ${SUID_MD5_TODAY} "Total of SUID files with controlled MD5 checksum" fi ### Writable file detection @@ -178,6 +184,7 @@ done | awk -F: '$1 != $6 && $6 != "0" \ { print "\t\t- " $3 " : file is other writable." }' > ${MSEC_TMP} if [[ -s ${MSEC_TMP} ]]; then + Count ${INFOS} ${MSEC_TMP} "Total of unsecure user files" printf "\nSecurity Warning: these files shouldn't be owned by someone else or readable :\n" >> ${SECURITY} cat ${MSEC_TMP} >> ${SECURITY} fi @@ -208,6 +215,7 @@ done | awk -F: '$1 != $6 && $6 != "0" \ { print "\t\t- " $3 " : file is other writable." }' > ${MSEC_TMP} if [[ -s ${MSEC_TMP} ]]; then + Count ${INFOS} ${MSEC_TMP} "Total of user files that should not be writable" printf "\nSecurity Warning: theses files should not be owned by someone else or writable :\n" >> ${SECURITY} cat ${MSEC_TMP} >> ${SECURITY} fi @@ -231,6 +239,7 @@ done | awk -F: '$3 != $5 && $5 != "(0)" \ { print "user=" $2 $3" : home directory is other writable." }' > ${MSEC_TMP} if [[ -s $MSEC_TMP ]] ; then + Count ${INFOS} ${MSEC_TMP} "Total of users whose home directories have unsafe permissions " printf "\nSecurity Warning: these home directory should not be owned by someone else or writable :\n" >> ${SECURITY} cat ${MSEC_TMP} >> ${SECURITY} fi @@ -244,8 +253,9 @@ if [[ ${CHECK_PERMS} == yes || ${CHECK_PERMS} == enforce ]]; then MSECPERMS_PARAMS="" fi # running msec_perms - /usr/sbin/msecperms $MSECPERMS_PARAMS > ${MSEC_TMP} 2>&1 + /usr/sbin/msecperms $MSECPERMS_PARAMS | grep WARNING > ${MSEC_TMP} 2>&1 if [[ -s ${MSEC_TMP} ]]; then + Count ${INFOS} ${MSEC_TMP} "Permission changes on files watched by msecperms" printf "\nPermissions changes on files watched by msec:\n" >> ${SECURITY} cat ${MSEC_TMP} | sed -e 's/WARNING: //g' >> ${SECURITY} fi diff --git a/cron-sh/scripts/02_network.sh b/cron-sh/scripts/02_network.sh index 8e2286c..c31b101 100755 --- a/cron-sh/scripts/02_network.sh +++ b/cron-sh/scripts/02_network.sh @@ -26,10 +26,12 @@ fi if [[ ${CHECK_OPEN_PORT} == yes ]]; then netstat -pvlA inet,inet6 2> /dev/null > ${OPEN_PORT_TODAY}; + Count ${INFOS} ${OPEN_PORT_TODAY} "Total of open network ports" fi if [[ ${CHECK_FIREWALL} == yes ]]; then iptables -S 2>/dev/null > ${FIREWALL_TODAY} + Count ${INFOS} ${FIREWALL_TODAY} "Total of configured firewall rules" fi ### Changed open port @@ -45,8 +47,8 @@ fi ### Dump a list of open port. if [[ ${CHECK_OPEN_PORT} == yes ]]; then if [[ -s ${OPEN_PORT_TODAY} ]]; then - printf "\nThese are the ports listening on your machine :\n" >> ${INFOS} - cat ${OPEN_PORT_TODAY} >> ${INFOS} + printf "\nThese are the ports listening on your machine :\n" >> ${SECURITY} + cat ${OPEN_PORT_TODAY} >> ${SECURITY} fi fi diff --git a/cron-sh/scripts/03_rpm.sh b/cron-sh/scripts/03_rpm.sh index cc10a91..24353e2 100755 --- a/cron-sh/scripts/03_rpm.sh +++ b/cron-sh/scripts/03_rpm.sh @@ -40,6 +40,7 @@ fi # list of installed packages if [[ ${CHECK_RPM_PACKAGES} == yes ]]; then rpm -qa --qf "%{NAME}-%{VERSION}-%{RELEASE}\n" | sort > ${RPM_QA_TODAY} + Count ${INFOS} ${RPM_QA_TODAY} "Total of installed packages" Diffcheck ${RPM_QA_TODAY} ${RPM_QA_YESTERDAY} ${RPM_QA_DIFF} "packages" fi @@ -54,11 +55,13 @@ if [[ ${CHECK_RPM_INTEGRITY} == yes ]]; then # full check if [[ -s ${RPM_VA_TODAY} ]]; then printf "\nSecurity Warning: These files belonging to packages are modified on the system :\n" >> ${SECURITY} + Count ${INFOS} ${RPM_VA_TODAY} "Total of files belonging to packages that were modified since the install" cat ${RPM_VA_TODAY} >> ${SECURITY} fi if [[ -s ${RPM_VA_CONFIG_TODAY} ]]; then printf "\nSecurity Warning: These config files belonging to packages are modified on the system :\n" >> ${SECURITY} + Count ${INFOS} ${RPM_VA_CONFIG_TODAY} "Total of configuration files belonging to packages that were modified since the install" cat ${RPM_VA_CONFIG_TODAY} >> ${SECURITY} fi diff --git a/cron-sh/scripts/04_rootkit.sh b/cron-sh/scripts/04_rootkit.sh index c518247..3a59b0c 100755 --- a/cron-sh/scripts/04_rootkit.sh +++ b/cron-sh/scripts/04_rootkit.sh @@ -18,15 +18,20 @@ if [[ ${CHECK_CHKROOTKIT} == yes ]]; then if [ -x /usr/sbin/chkrootkit ]; then # do not check on NFS /usr/sbin/chkrootkit -n ${CHKROOTKIT_OPTION} > ${CHKROOTKIT_TODAY} - fi -fi - -### chkrootkit checks -if [[ ${CHECK_CHKROOTKIT} == yes ]]; then - - if [[ -s ${CHKROOTKIT_TODAY} ]]; then - printf "\nChkrootkit report:\n" >> ${SECURITY} - cat ${CHKROOTKIT_TODAY} >> ${SECURITY} + res=$? + if [ "$res" = "0" ]; then + chkrootkit_result="passed" + else + chkrootkit_result="failed" + fi + if [[ -s ${CHKROOTKIT_TODAY} ]]; then + printf "\nChkrootkit report:\n" >> ${SECURITY} + cat ${CHKROOTKIT_TODAY} >> ${SECURITY} + echo "Chkrootkit check: $chkrootkit_result" >> ${INFOS} + fi + else + printf "\nChkrootkit check skipped: chkrootkit not found" >> ${SECURITY} + echo "Chkrootkit check: skipped (chkrootkit not found)" >> ${INFOS} fi fi diff --git a/cron-sh/scripts/05_access.sh b/cron-sh/scripts/05_access.sh index b66e87f..2b35d8c 100755 --- a/cron-sh/scripts/05_access.sh +++ b/cron-sh/scripts/05_access.sh @@ -22,6 +22,7 @@ fi if [[ ${CHECK_USERS} == yes ]]; then getent passwd | cut -f 1 -d : | sort > ${USERS_LIST_TODAY} Diffcheck ${USERS_LIST_TODAY} ${USERS_LIST_YESTERDAY} ${USERS_LIST_DIFF} "local users" + Count ${INFOS} ${USERS_LIST_TODAY} "Total local users" fi # check for changes in groups @@ -37,6 +38,7 @@ fi if [[ ${CHECK_GROUPS} == yes ]]; then getent passwd | cut -f 1 -d : | sort > ${GROUPS_LIST_TODAY} Diffcheck ${GROUPS_LIST_TODAY} ${GROUPS_LIST_YESTERDAY} ${GROUPS_LIST_DIFF} "local groups" + Count ${INFOS} ${GROUPS_LIST_TODAY} "Total local group" fi ### Passwd file check @@ -53,6 +55,7 @@ if [[ ${CHECK_PASSWD} == yes ]]; then if [[ -s ${MSEC_TMP} ]]; then printf "\nSecurity Warning: /etc/passwd check :\n" >> ${SECURITY} cat ${MSEC_TMP} >> ${SECURITY} + Count ${INFOS} ${MSEC_TMP} "Issues found in /etc/passwd file" fi fi @@ -66,6 +69,7 @@ if [[ ${CHECK_SHADOW} == yes ]]; then if [[ -s ${MSEC_TMP} ]]; then printf "\nSecurity Warning: /etc/shadow check :\n" >> ${SECURITY} cat ${MSEC_TMP} >> ${SECURITY} + Count ${INFOS} ${MSEC_TMP} "Issues found in /etc/shadow file" fi fi @@ -88,6 +92,7 @@ if [[ -s /etc/exports ]] ; then if [[ -s ${MSEC_TMP} ]] ; then printf "\nSecurity Warning: Some NFS filesystem are exported globally :\n" >> ${SECURITY} cat ${MSEC_TMP} >> ${SECURITY} + Count ${INFOS} ${MSEC_TMP} "Issues found in NFS exports" fi fi @@ -96,6 +101,7 @@ fi if [[ -s ${MSEC_TMP} ]] ; then printf "\nSecurity Warning: The following NFS mounts haven't got the nosuid option set :\n" >> ${SECURITY} cat ${MSEC_TMP} | awk '{ print "\t\t- "$0 }' >> ${SECURITY} + Count ${INFOS} ${MSEC_TMP} "Unsafe NFS exports" fi ### Files that should not have + signs. @@ -134,6 +140,7 @@ if [[ ${CHECK_SHOSTS} == yes ]]; then printf "\tthis probably mean that you trust certains users/domain\n" >> ${SECURITY} printf "\tto connect on this host without proper authentication :\n" >> ${SECURITY} cat ${MSEC_TMP} >> ${SECURITY} + Count ${INFOS} ${MSEC_TMP} "Unsafe hosts trusting files" fi fi @@ -150,6 +157,7 @@ for file in ${list}; do printf "\nSecurity Warning: The following programs are executed in your mail\n" >> ${SECURITY} printf "\tvia ${file} files, this could lead to security problems :\n" >> ${SECURITY} cat ${MSEC_TMP} >> ${SECURITY} + Count ${INFOS} ${MSEC_TMP} "Unsafe mail aliases" fi done diff --git a/cron-sh/security.sh b/cron-sh/security.sh index fa50054..09f9286 100755 --- a/cron-sh/security.sh +++ b/cron-sh/security.sh @@ -78,8 +78,10 @@ if [[ -s ${SECURITY} ]]; then Ttylog ${SECURITY} echo "$SECURITY_PREFIX *** Security Check, ${REPORT_DATE} ***" >> ${SECURITY_LOG} - cat ${SECURITY} | sed -e "s/^/$SECURITY_PREFIX/g" >> ${SECURITY_LOG} + printf "Report summary:\n" >> ${SECURITY_LOG} cat ${INFOS} | sed -e "s/^/$INFO_PREFIX/g" >> ${SECURITY_LOG} + printf "\nDetailed report:\n" >> ${SECURITY_LOG} + cat ${SECURITY} | sed -e "s/^/$SECURITY_PREFIX/g" >> ${SECURITY_LOG} Maillog "[msec] *** Security Check on ${REPORT_HOSTNAME}, ${REPORT_DATE} ***" "${SECURITY} ${INFOS}" Notifylog "MSEC has performed Security Check on ${REPORT_HOSTNAME} on ${REPORT_DATE}" |