aboutsummaryrefslogtreecommitdiffstats
path: root/cron-sh
diff options
context:
space:
mode:
Diffstat (limited to 'cron-sh')
-rw-r--r--cron-sh/Makefile6
-rwxr-xr-xcron-sh/diff_check.sh240
-rw-r--r--cron-sh/functions.sh99
-rwxr-xr-xcron-sh/scripts/01_files.sh327
-rwxr-xr-xcron-sh/scripts/02_network.sh79
-rwxr-xr-xcron-sh/scripts/03_rpm.sh107
-rwxr-xr-xcron-sh/scripts/04_rootkit.sh49
-rwxr-xr-xcron-sh/scripts/05_access.sh125
-rwxr-xr-xcron-sh/scripts/06_promisc.sh (renamed from cron-sh/promisc_check.sh)9
-rwxr-xr-xcron-sh/security.sh306
-rwxr-xr-xcron-sh/security_check.sh337
11 files changed, 861 insertions, 823 deletions
diff --git a/cron-sh/Makefile b/cron-sh/Makefile
index 2f75459..e4eaa87 100644
--- a/cron-sh/Makefile
+++ b/cron-sh/Makefile
@@ -1,6 +1,6 @@
all:
- for f in *.sh; do bash -n $$f || exit 1; done
+ for f in *.sh scripts/*.sh; do bash -n $$f || exit 1; done
install:
- mkdir -p /etc/security/msec/cron-sh
- cp *.sh /etc/security/msec/cron-sh
+ mkdir -p $(RPM_BUILD_ROOT)/usr/share/msec/scripts
+ for f in *.sh scripts/*.sh; do install -m755 $$f $(RPM_BUILD_ROOT)/usr/share/msec/$$f; done
diff --git a/cron-sh/diff_check.sh b/cron-sh/diff_check.sh
deleted file mode 100755
index 4761dc2..0000000
--- a/cron-sh/diff_check.sh
+++ /dev/null
@@ -1,240 +0,0 @@
-#!/bin/bash
-#
-# Written by Vandoorselaere Yoann
-#
-
-if [[ -f /etc/security/msec/security.conf ]]; then
- . /etc/security/msec/security.conf
-else
- echo "/etc/security/msec/security.conf don't exist."
- exit 1
-fi
-
-if [[ ${CHECK_SECURITY} == no ]]; then
- exit 0
-fi
-
-SECURITY_LOG="/var/log/security.log"
-TMP=`mktemp /tmp/secure.XXXXXX`
-
-### New Suid root files detection
-if [[ ${CHECK_SUID_ROOT} == yes ]]; then
-
- if [[ -f ${SUID_ROOT_YESTERDAY} ]]; then
- if ! diff -u ${SUID_ROOT_YESTERDAY} ${SUID_ROOT_TODAY} > ${SUID_ROOT_DIFF}; then
- printf "\nSecurity Warning: Change in Suid Root files found :\n" >> ${TMP}
- grep '^+' ${SUID_ROOT_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
- printf "\t\t- Newly added suid root file : ${file}\n"
- done >> ${TMP}
- grep '^-' ${SUID_ROOT_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
- printf "\t\t- No longer present suid root file : ${file}\n"
- done >> ${TMP}
- fi
- fi
-
-fi
-
-### New Sgid files detection
-if [[ ${CHECK_SGID} == yes ]]; then
-
- if [[ -f ${SGID_YESTERDAY} ]]; then
- if ! diff -u ${SGID_YESTERDAY} ${SGID_TODAY} > ${SGID_DIFF}; then
- printf "\nSecurity Warning: Changes in Sgid files found :\n" >> ${TMP}
- grep '^+' ${SGID_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
- printf "\t\t- Newly added sgid file : ${file}\n"
- done >> ${TMP}
- grep '^-' ${SGID_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
- printf "\t\t- No longer present sgid file : ${file}\n"
- done >> ${TMP}
- fi
- fi
-
-fi
-
-### Writable files detection
-if [[ ${CHECK_WRITABLE} == yes ]]; then
-
- if [[ -f ${WRITABLE_YESTERDAY} ]]; then
- diff -u ${WRITABLE_YESTERDAY} ${WRITABLE_TODAY} > ${WRITABLE_DIFF}
- if [ -s ${WRITABLE_DIFF} ]; then
- printf "\nSecurity Warning: Change in World Writable Files found :\n" >> ${TMP}
- grep '^+' ${WRITABLE_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
- printf "\t\t- Newly added writable file : ${file}\n"
- done >> ${TMP}
- grep '^-' ${WRITABLE_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
- printf "\t\t- No longer present writable file : ${file}\n"
- done >> ${TMP}
- fi
- fi
-
-fi
-
-### Search Non Owned files
-if [[ ${CHECK_UNOWNED} == yes ]]; then
-
- if [[ -f ${UNOWNED_USER_YESTERDAY} ]]; then
- diff -u ${UNOWNED_USER_YESTERDAY} ${UNOWNED_USER_TODAY} > ${UNOWNED_USER_DIFF}
- if [ -s ${UNOWNED_USER_DIFF} ]; then
- printf "\nSecurity Warning: the following files aren't owned by an user :\n" >> ${TMP}
- grep '^+' ${UNOWNED_USER_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
- printf "\t\t- Newly added un-owned file : ${file}\n"
- done >> ${TMP}
- grep '^-' ${UNOWNED_USER_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
- printf "\t\t- No longer present un-owned file : ${file}\n"
- done >> ${TMP}
- fi
- fi
-
- if [[ -f ${UNOWNED_GROUP_YESTERDAY} ]]; then
- diff -u ${UNOWNED_GROUP_YESTERDAY} ${UNOWNED_GROUP_TODAY} > ${UNOWNED_GROUP_DIFF}
- if [ -s ${UNOWNED_GROUP_DIFF} ]; then
- printf "\nSecurity Warning: the following files aren't owned by a group :\n" >> ${TMP}
- grep '^+' ${UNOWNED_GROUP_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
- printf "\t\t- Newly added un-owned file : ${file}\n"
- done >> ${TMP}
- grep '^-' ${UNOWNED_GROUP_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
- printf "\t\t- No longer present un-owned file : ${file}\n"
- done >> ${TMP}
- fi
- fi
-
-fi
-
-### Md5 check for SUID root fileg
-if [[ ${CHECK_SUID_MD5} == yes ]]; then
- ctrl_md5=0;
-
- if [[ -f ${SUID_MD5_YESTERDAY} ]]; then
- diff -u ${SUID_MD5_YESTERDAY} ${SUID_MD5_TODAY} > ${SUID_MD5_DIFF}
- if [ -s ${SUID_MD5_DIFF} ]; then
- grep '^+' ${SUID_MD5_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | awk '{print $2}' | while read file; do
- if cat ${SUID_MD5_YESTERDAY} | awk '{print $2}' | grep -qw ${file}; then
- if [[ ${ctrl_md5} == 0 ]]; then
- printf "\nSecurity Warning: the md5 checksum for one of your SUID files has changed,\n" >> ${TMP}
- printf "\tmaybe an intruder modified one of these suid binary in order to put in a backdoor...\n" >> ${TMP}
- ctrl_md5=1;
- fi
- printf "\t\t- Checksum changed file : ${file}\n"
- fi
- done >> ${TMP}
- fi
- fi
-
-fi
-
-### Changed open port
-if [[ ${CHECK_OPEN_PORT} == yes ]]; then
-
- if [[ -f ${OPEN_PORT_YESTERDAY} ]]; then
- diff -u ${OPEN_PORT_YESTERDAY} ${OPEN_PORT_TODAY} 1> ${OPEN_PORT_DIFF}
- if [ -s ${OPEN_PORT_DIFF} ]; then
- printf "\nSecurity Warning: There are modifications for port listening on your machine :\n" >> ${TMP}
- grep '^+' ${OPEN_PORT_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
- printf "\t\t- Opened ports : ${file}\n"
- done >> ${TMP}
- grep '^-' ${OPEN_PORT_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
- printf "\t\t- Closed ports : ${file}\n"
- done >> ${TMP}
- fi
- fi
-
-fi
-
-### Changed firewall
-if [[ ${CHECK_FIREWALL} == yes ]]; then
-
- if [[ -f ${FIREWALL_YESTERDAY} ]]; then
- diff -u ${FIREWALL_YESTERDAY} ${FIREWALL_TODAY} 1> ${FIREWALL_DIFF}
- if [ -s ${FIREWALL_DIFF} ]; then
- printf "\nSecurity Warning: There are modifications for firewall configuration on your machine :\n" >> ${TMP}
- grep '^+' ${FIREWALL_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
- printf "\t\t- New entries : ${file}\n"
- done >> ${TMP}
- grep '^-' ${FIREWALL_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
- printf "\t\t- Removed entries : ${file}\n"
- done >> ${TMP}
- fi
- fi
-
-fi
-
-### rpm database
-if [[ ${CHECK_RPM} == yes ]]; then
- if [[ -f ${RPM_QA_YESTERDAY} ]]; then
- diff -u ${RPM_QA_YESTERDAY} ${RPM_QA_TODAY} > ${RPM_QA_DIFF}
- if [ -s ${RPM_QA_DIFF} ]; then
- printf "\nSecurity Warning: These packages have changed on the system :\n" >> ${TMP}
- grep '^+' ${RPM_QA_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
- printf "\t\t- Newly installed package : ${file}\n"
- done >> ${TMP}
- grep '^-' ${RPM_QA_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
- printf "\t\t- No longer present package : ${file}\n"
- done >> ${TMP}
- fi
- fi
- if [[ -f ${RPM_VA_YESTERDAY} ]]; then
- diff -u ${RPM_VA_YESTERDAY} ${RPM_VA_TODAY} > ${RPM_VA_DIFF}
- if [ -s ${RPM_VA_DIFF} ]; then
- printf "\nSecurity Warning: These files belonging to packages have changed of status on the system :\n" >> ${TMP}
- grep '^+' ${RPM_VA_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
- printf "\t\t- Newly modified : ${file}\n"
- done >> ${TMP}
- grep '^-' ${RPM_VA_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
- printf "\t\t- No longer modified : ${file}\n"
- done >> ${TMP}
- fi
- fi
- if [[ -f ${RPM_VA_CONFIG_YESTERDAY} ]]; then
- diff -u ${RPM_VA_CONFIG_YESTERDAY} ${RPM_VA_CONFIG_TODAY} > ${RPM_VA_CONFIG_DIFF}
- if [ -s ${RPM_VA_CONFIG_DIFF} ]; then
- printf "\nSecurity Warning: These config files belonging to packages have changed of status on the system :\n" >> ${TMP}
- grep '^+' ${RPM_VA_CONFIG_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
- printf "\t\t- Newly modified : ${file}\n"
- done >> ${TMP}
- grep '^-' ${RPM_VA_CONFIG_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
- printf "\t\t- No longer modified : ${file}\n"
- done >> ${TMP}
- fi
- fi
-fi
-
-### Changed chkrootkit
-if [[ ${CHECK_CHKROOTKIT} == yes ]]; then
-
- if [[ -f ${CHKROOTKIT_YESTERDAY} ]]; then
- diff -u ${CHKROOTKIT_YESTERDAY} ${CHKROOTKIT_TODAY} 1> ${CHKROOTKIT_DIFF}
- if [ -s ${CHKROOTKIT_DIFF} ]; then
- printf "\nSecurity Warning: There are modifications for chkrootkit results :\n" >> ${TMP}
- grep '^+' ${CHKROOTKIT_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
- printf "\t\t- Added : ${file}\n"
- done >> ${TMP}
- grep '^-' ${CHKROOTKIT_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
- printf "\t\t- Removed : ${file}\n"
- done >> ${TMP}
- fi
- fi
-fi
-
-
-######## Report ######
-date=`date`
-hostname=`hostname`
-
-if [[ -s ${TMP} ]]; then
- Syslog ${TMP}
- Ttylog ${TMP}
-
- echo -e "\n\n*** Diff Check, ${date} ***\n" >> ${SECURITY_LOG}
- cat ${TMP} >> ${SECURITY_LOG}
-
- Notifylog "MSEC has performed Diff Check on ${hostname} on ${date}. Changes in system security were detected and are available in ${SECURITY_LOG}."
-else
- Notifylog "MSEC has performed Diff Check on ${hostname} on ${date}. No changes were detected in system security."
-fi
-
-Maillog "[msec] *** Diff Check on ${hostname}, ${date} ***" "${TMP}"
-
-if [[ -f ${TMP} ]]; then
- rm -f ${TMP}
-fi
-
diff --git a/cron-sh/functions.sh b/cron-sh/functions.sh
new file mode 100644
index 0000000..e987d91
--- /dev/null
+++ b/cron-sh/functions.sh
@@ -0,0 +1,99 @@
+#!/bin/bash
+# msec: shared function
+
+. /etc/sysconfig/i18n
+if [[ -f /etc/profile.d/10lang.sh ]]; then
+ . /etc/profile.d/10lang.sh
+fi
+
+if [[ -f /etc/security/msec/security.conf ]]; then
+ . /etc/security/msec/security.conf
+else
+ echo "/etc/security/msec/security.conf don't exist."
+ exit 1
+fi
+
+if [ -r /etc/security/shell ]; then
+ . /etc/security/shell
+fi
+
+umask ${UMASK_ROOT=077}
+
+# main security log
+SECURITY_LOG="/var/log/security.log"
+
+# Modified filters coming from debian security scripts.
+# rootfs is not listed among excluded types, because
+# / is mounted twice, and filtering it would mess with excluded dir list
+TYPE_FILTER='(devpts|sysfs|usbfs|tmpfs|binfmt_misc|rpc_pipefs|securityfs|auto|proc|msdos|fat|vfat|iso9660|ncpfs|smbfs|hfs|nfs|afs|coda|cifs|fuse.gvfs-fuse-daemon)'
+MOUNTPOINT_FILTER='^\/mnt|^\/media'
+DIR=`awk '$3 !~ /'$TYPE_FILTER'/ && $2 !~ /'$MOUNTPOINT_FILTER'/ \
+ {print $2}' /proc/mounts | uniq`
+PRINT="%h/%f\n"
+EXCLUDEDIR=`awk '$3 ~ /'$TYPE_FILTER'/ || $2 ~ /'$MOUNTPOINT_FILTER'/ \
+ {print $2}' /proc/mounts | uniq`
+export EXCLUDEDIR
+FILTER="\(`echo $EXCLUDEDIR | sed -e 's/ /\\\|/g'`\)"
+
+### Functions ###
+
+Syslog() {
+ if [[ ${SYSLOG_WARN} == yes ]]; then
+ cat ${1} | while read line; do
+ logger -t msec -- "${line}"
+ done
+ fi
+}
+
+Ttylog() {
+ if [[ ${TTY_WARN} == yes ]]; then
+ for i in `w | grep -v "load\|TTY" | grep '^root' | awk '{print $2}'` ; do
+ cat ${1} > /dev/$i
+ done
+ fi
+}
+
+Maillog() {
+ subject=${1}
+ text=${2}
+ SOMETHING_TO_SEND=
+
+ if [[ ${MAIL_WARN} == yes ]]; then
+ # define a mail user
+ if [[ -z ${MAIL_USER} ]]; then
+ MAIL_USER="root"
+ fi
+ if [[ -x /bin/mail ]]; then
+ for f in ${text}; do
+ if [[ -s $f ]]; then
+ SOMETHING_TO_SEND=1
+ break
+ fi
+ done
+ if [[ -z ${SOMETHING_TO_SEND} ]]; then
+ if [[ ${MAIL_EMPTY_CONTENT} != no ]]; then
+ /bin/mail -s "${subject}" "${MAIL_USER}" <<EOF
+Nothing has changed since the last run.
+EOF
+ fi
+ else
+ # remove non-printable characters,
+ # see http://qa.mandriva.com/show_bug.cgi?id=36848 and https://qa.mandriva.com/show_bug.cgi?id=26773
+ cat ${text} | sed -e "s,[[:cntrl:]],,g" | LC_CTYPE=$LC_CTYPE /bin/mail -s "${subject}" "${MAIL_USER}"
+ fi
+ fi
+ fi
+}
+
+Notifylog() {
+ if [[ ${NOTIFY_WARN} == yes ]]; then
+ message=${1}
+ DBUS_SEND=`which dbus-send 2>/dev/null`
+ if [ -x "$DBUS_SEND" ]; then
+ $DBUS_SEND --system --type=signal /com/mandriva/user com.mandriva.user.security_notification string:"$message"
+ fi
+ fi
+}
+
+##################
+
diff --git a/cron-sh/scripts/01_files.sh b/cron-sh/scripts/01_files.sh
new file mode 100755
index 0000000..dc20bd0
--- /dev/null
+++ b/cron-sh/scripts/01_files.sh
@@ -0,0 +1,327 @@
+#!/bin/bash
+# msec: security check for suid_root binaries
+
+# check if we are run from main script
+if [ -z "$MSEC_TMP" -o -z "$INFOS" -o -z "$SECURITY" -o -z "$DIFF" -o -z "$SECURITY_LOG" ]; then
+ # variables are set in security.sh and propagated to the subscripts
+ echo "Error: this check should be run by the main msec security check!"
+ echo " do not run it directly unless you know what you are doing."
+ return 1
+fi
+
+export SUID_ROOT_TODAY="/var/log/security/suid_root.today"
+SUID_ROOT_YESTERDAY="/var/log/security/suid_root.yesterday"
+SUID_ROOT_DIFF="/var/log/security/suid_root.diff"
+export SGID_TODAY="/var/log/security/sgid.today"
+SGID_YESTERDAY="/var/log/security/sgid.yesterday"
+SGID_DIFF="/var/log/security/sgid.diff"
+export SUID_MD5_TODAY="/var/log/security/suid_md5.today"
+SUID_MD5_YESTERDAY="/var/log/security/suid_md5.yesterday"
+SUID_MD5_DIFF="/var/log/security/suid_md5.diff"
+export WRITABLE_TODAY="/var/log/security/writable.today"
+WRITABLE_YESTERDAY="/var/log/security/writable.yesterday"
+WRITABLE_DIFF="/var/log/security/writable.diff"
+export UNOWNED_USER_TODAY="/var/log/security/unowned_user.today"
+UNOWNED_USER_YESTERDAY="/var/log/security/unowned_user.yesterday"
+UNOWNED_USER_DIFF="/var/log/security/unowned_user.diff"
+export UNOWNED_GROUP_TODAY="/var/log/security/unowned_group.today"
+UNOWNED_GROUP_YESTERDAY="/var/log/security/unowned_group.yesterday"
+UNOWNED_GROUP_DIFF="/var/log/security/unowned_group.diff"
+
+if [[ -f ${SUID_ROOT_TODAY} ]]; then
+ mv ${SUID_ROOT_TODAY} ${SUID_ROOT_YESTERDAY};
+fi
+
+if [[ -f ${SGID_TODAY} ]]; then
+ mv ${SGID_TODAY} ${SGID_YESTERDAY};
+fi
+
+if [[ -f ${SUID_MD5_TODAY} ]]; then
+ mv ${SUID_MD5_TODAY} ${SUID_MD5_YESTERDAY};
+fi
+
+if [[ -f ${WRITABLE_TODAY} ]]; then
+ mv ${WRITABLE_TODAY} ${WRITABLE_YESTERDAY};
+fi
+
+if [[ -f ${UNOWNED_USER_TODAY} ]]; then
+ mv ${UNOWNED_USER_TODAY} ${UNOWNED_USER_YESTERDAY};
+fi
+
+if [[ -f ${UNOWNED_GROUP_TODAY} ]]; then
+ mv ${UNOWNED_GROUP_TODAY} ${UNOWNED_GROUP_YESTERDAY};
+fi
+
+# only running this check when really required
+if [[ ${CHECK_SUID_MD5} == yes || ${CHECK_SUID_ROOT} == yes || ${CHECK_SGID} == yes || ${CHECK_WRITABLE} == yes || ${CHECK_UNOWNED} == yes ]]; then
+
+ # Hard disk related file check; the less priority the better...
+ nice --adjustment=+19 /usr/bin/msec_find ${DIR}
+fi
+
+if [[ -f ${SUID_ROOT_TODAY} ]]; then
+ sort < ${SUID_ROOT_TODAY} > ${SUID_ROOT_TODAY}.tmp
+ mv -f ${SUID_ROOT_TODAY}.tmp ${SUID_ROOT_TODAY}
+fi
+
+if [[ -f ${SGID_TODAY} ]]; then
+ sort < ${SGID_TODAY} > ${SGID_TODAY}.tmp
+ mv -f ${SGID_TODAY}.tmp ${SGID_TODAY}
+fi
+
+if [[ -f ${WRITABLE_TODAY} ]]; then
+ sort < ${WRITABLE_TODAY} | egrep -v '^(/var)?/tmp$' > ${WRITABLE_TODAY}.tmp
+ mv -f ${WRITABLE_TODAY}.tmp ${WRITABLE_TODAY}
+fi
+
+if [[ -f ${UNOWNED_USER_TODAY} ]]; then
+ sort < ${UNOWNED_USER_TODAY} > ${UNOWNED_USER_TODAY}.tmp
+ mv -f ${UNOWNED_USER_TODAY}.tmp ${UNOWNED_USER_TODAY}
+fi
+
+if [[ -f ${UNOWNED_GROUP_TODAY} ]]; then
+ sort < ${UNOWNED_GROUP_TODAY} > ${UNOWNED_GROUP_TODAY}.tmp
+ mv -f ${UNOWNED_GROUP_TODAY}.tmp ${UNOWNED_GROUP_TODAY}
+fi
+
+if [[ -f ${SUID_ROOT_TODAY} && ${CHECK_SUID_MD5} == yes ]]; then
+ while read line; do
+ md5sum ${line}
+ done < ${SUID_ROOT_TODAY} > ${SUID_MD5_TODAY}
+else
+ touch ${SUID_MD5_TODAY}
+fi
+
+### New Suid root files detection
+if [[ ${CHECK_SUID_ROOT} == yes ]]; then
+
+ if [[ -f ${SUID_ROOT_YESTERDAY} ]]; then
+ if ! diff -u ${SUID_ROOT_YESTERDAY} ${SUID_ROOT_TODAY} > ${SUID_ROOT_DIFF}; then
+ printf "\nSecurity Warning: Change in Suid Root files found :\n" >> ${DIFF}
+ grep '^+' ${SUID_ROOT_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
+ printf "\t\t- Newly added suid root file : ${file}\n"
+ done >> ${DIFF}
+ grep '^-' ${SUID_ROOT_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
+ printf "\t\t- No longer present suid root file : ${file}\n"
+ done >> ${DIFF}
+ fi
+ fi
+
+fi
+
+### New Sgid files detection
+if [[ ${CHECK_SGID} == yes ]]; then
+
+ if [[ -f ${SGID_YESTERDAY} ]]; then
+ if ! diff -u ${SGID_YESTERDAY} ${SGID_TODAY} > ${SGID_DIFF}; then
+ printf "\nSecurity Warning: Changes in Sgid files found :\n" >> ${DIFF}
+ grep '^+' ${SGID_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
+ printf "\t\t- Newly added sgid file : ${file}\n"
+ done >> ${DIFF}
+ grep '^-' ${SGID_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
+ printf "\t\t- No longer present sgid file : ${file}\n"
+ done >> ${DIFF}
+ fi
+ fi
+
+fi
+
+### Writable files detection
+if [[ ${CHECK_WRITABLE} == yes ]]; then
+
+ if [[ -f ${WRITABLE_YESTERDAY} ]]; then
+ diff -u ${WRITABLE_YESTERDAY} ${WRITABLE_TODAY} > ${WRITABLE_DIFF}
+ if [ -s ${WRITABLE_DIFF} ]; then
+ printf "\nSecurity Warning: Change in World Writable Files found :\n" >> ${DIFF}
+ grep '^+' ${WRITABLE_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
+ printf "\t\t- Newly added writable file : ${file}\n"
+ done >> ${DIFF}
+ grep '^-' ${WRITABLE_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
+ printf "\t\t- No longer present writable file : ${file}\n"
+ done >> ${DIFF}
+ fi
+ fi
+
+fi
+
+### Search Non Owned files
+if [[ ${CHECK_UNOWNED} == yes ]]; then
+
+ if [[ -f ${UNOWNED_USER_YESTERDAY} ]]; then
+ diff -u ${UNOWNED_USER_YESTERDAY} ${UNOWNED_USER_TODAY} > ${UNOWNED_USER_DIFF}
+ if [ -s ${UNOWNED_USER_DIFF} ]; then
+ printf "\nSecurity Warning: the following files aren't owned by an user :\n" >> ${DIFF}
+ grep '^+' ${UNOWNED_USER_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
+ printf "\t\t- Newly added un-owned file : ${file}\n"
+ done >> ${DIFF}
+ grep '^-' ${UNOWNED_USER_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
+ printf "\t\t- No longer present un-owned file : ${file}\n"
+ done >> ${DIFF}
+ fi
+ fi
+
+ if [[ -f ${UNOWNED_GROUP_YESTERDAY} ]]; then
+ diff -u ${UNOWNED_GROUP_YESTERDAY} ${UNOWNED_GROUP_TODAY} > ${UNOWNED_GROUP_DIFF}
+ if [ -s ${UNOWNED_GROUP_DIFF} ]; then
+ printf "\nSecurity Warning: the following files aren't owned by a group :\n" >> ${DIFF}
+ grep '^+' ${UNOWNED_GROUP_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
+ printf "\t\t- Newly added un-owned file : ${file}\n"
+ done >> ${DIFF}
+ grep '^-' ${UNOWNED_GROUP_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
+ printf "\t\t- No longer present un-owned file : ${file}\n"
+ done >> ${DIFF}
+ fi
+ fi
+
+fi
+
+### Md5 check for SUID root fileg
+if [[ ${CHECK_SUID_MD5} == yes ]]; then
+ ctrl_md5=0;
+
+ if [[ -f ${SUID_MD5_YESTERDAY} ]]; then
+ diff -u ${SUID_MD5_YESTERDAY} ${SUID_MD5_TODAY} > ${SUID_MD5_DIFF}
+ if [ -s ${SUID_MD5_DIFF} ]; then
+ grep '^+' ${SUID_MD5_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | awk '{print $2}' | while read file; do
+ if cat ${SUID_MD5_YESTERDAY} | awk '{print $2}' | grep -qw ${file}; then
+ if [[ ${ctrl_md5} == 0 ]]; then
+ printf "\nSecurity Warning: the md5 checksum for one of your SUID files has changed,\n" >> ${DIFF}
+ printf "\tmaybe an intruder modified one of these suid binary in order to put in a backdoor...\n" >> ${DIFF}
+ ctrl_md5=1;
+ fi
+ printf "\t\t- Checksum changed file : ${file}\n"
+ fi
+ done >> ${DIFF}
+ fi
+ fi
+
+fi
+
+### Writable file detection
+if [[ ${CHECK_WRITABLE} == yes ]]; then
+ if [[ -s ${WRITABLE_TODAY} ]]; then
+ printf "\nSecurity Warning: World Writable files found :\n" >> ${SECURITY}
+ cat ${WRITABLE_TODAY} | awk '{print "\t\t- " $0}' >> ${SECURITY}
+ fi
+fi
+
+### Search Un Owned file
+if [[ ${CHECK_UNOWNED} == yes ]]; then
+ if [[ -s ${UNOWNED_USER_TODAY} ]]; then
+ printf "\nSecurity Warning : User Unowned files found :\n" >> ${SECURITY}
+ printf "\t( theses files now have user \"nobody\" as their owner. )\n" >> ${SECURITY}
+ cat ${UNOWNED_USER_TODAY} | awk '{print "\t\t- " $0}' >> ${SECURITY}
+ cat ${UNOWNED_USER_TODAY} | while read line; do
+ if [[ ${FIX_UNOWNED} == yes ]]; then
+ chown nobody "${line}"; # Use quote if filename contain space.
+ fi
+ done
+ fi
+
+ if [[ -s ${UNOWNED_GROUP_TODAY} ]]; then
+ printf "\nSecurity Warning : Group Unowned files found :\n" >> ${SECURITY}
+ printf "\t( theses files now have group \"nogroup\" as their group owner. )\n" >> ${SECURITY}
+ cat ${UNOWNED_GROUP_TODAY} | awk '{print "\t\t- " $0}' >> ${SECURITY}
+ cat ${UNOWNED_GROUP_TODAY} | while read line; do
+ if [[ ${FIX_UNOWNED} == yes ]]; then
+ chgrp nogroup "${line}"; # Use quote if filename contain space.
+ fi
+ done
+ fi
+fi
+
+if [[ ${CHECK_USER_FILES} == yes ]]; then
+# Files that should not be owned by someone else or readable.
+list=".netrc .rhosts .shosts .Xauthority .gnupg/secring.gpg \
+.pgp/secring.pgp .ssh/identity .ssh/id_dsa .ssh/id_rsa .ssh/random_seed"
+getent passwd | awk -F: '/^[^+-]/ { print $1 ":" $3 ":" $6 }' |
+while IFS=: read username uid homedir; do
+ if ! expr "$homedir" : "$FILTER" > /dev/null; then
+ for f in ${list} ; do
+ file="${homedir}/${f}"
+ if [[ -f "${file}" ]] ; then
+ res=`ls -LldcGn "${file}" | sed 's/ \{1,\}/:/g'`
+ printf "${uid}:${username}:${file}:${res}\n"
+ fi
+ done
+ fi
+done | awk -F: '$1 != $6 && $6 != "0" \
+ { print "\t\t- " $3 " : file is owned by uid " $6 "." }
+ $4 ~ /^-...r/ \
+ { print "\t\t- " $3 " : file is group readable." }
+ $4 ~ /^-......r/ \
+ { print "\t\t- " $3 " : file is other readable." }
+ $4 ~ /^-....w/ \
+ { print "\t\t- " $3 " : file is group writable." }
+ $4 ~ /^-.......w/ \
+ { print "\t\t- " $3 " : file is other writable." }' > ${MSEC_TMP}
+
+if [[ -s ${MSEC_TMP} ]]; then
+ printf "\nSecurity Warning: these files shouldn't be owned by someone else or readable :\n" >> ${SECURITY}
+ cat ${MSEC_TMP} >> ${SECURITY}
+fi
+
+### Files that should not be owned by someone else or writable.
+list=".bashrc .bash_profile .bash_login .bash_logout .cshrc .emacs .exrc \
+.forward .klogin .login .logout .profile .tcshrc .fvwmrc .inputrc .kshrc \
+.nexrc .screenrc .ssh .ssh/config .ssh/authorized_keys .ssh/environment \
+.ssh/known_hosts .ssh/rc .twmrc .xsession .xinitrc .Xdefaults \
+.gnupg .gnupg/secring.gpg .ssh/identity .ssh/id_dsa .ssh/id_rsa \
+.Xauthority .cvspass .subversion/auth .purple/accounts.xml .config "
+getent passwd | awk -F: '/^[^+-]/ { print $1 ":" $3 ":" $6 }' | \
+while IFS=: read username uid homedir; do
+ if ! expr "$homedir" : "$FILTER" > /dev/null; then
+ for f in ${list} ; do
+ file="${homedir}/${f}"
+ if [[ -e "${file}" ]] ; then
+ res=`ls -LldcGn "${file}" | sed 's/ \{1,\}/:/g'`
+ printf "${uid}:${username}:${file}:${res}\n"
+ fi
+ done
+ fi
+done | awk -F: '$1 != $6 && $6 != "0" \
+ { print "\t\t- " $3 " : file is owned by uid " $6 "." }
+ $4 ~ /^.....w/ \
+ { print "\t\t- " $3 " : file is group writable." }
+ $4 ~ /^........w/ \
+ { print "\t\t- " $3 " : file is other writable." }' > ${MSEC_TMP}
+
+if [[ -s ${MSEC_TMP} ]]; then
+ printf "\nSecurity Warning: theses files should not be owned by someone else or writable :\n" >> ${SECURITY}
+ cat ${MSEC_TMP} >> ${SECURITY}
+fi
+
+### Check home directories. Directories should not be owned by someone else or writable.
+getent passwd | awk -F: '/^[^+-]/ { print $1 ":" $3 ":" $6 }' | \
+while IFS=: read username uid homedir; do
+ if ! expr "$homedir" : "$FILTER" > /dev/null; then
+ if [[ -d "${homedir}" ]] ; then
+ realuid=`ls -LldGn "${homedir}"| awk '{ print $3 }'`
+ realuser=`ls -LldG "${homedir}"| awk '{ print $3 }'`
+ permissions=`ls -LldG "${homedir}"| awk '{ print $1 }'`
+ printf "${permissions}:${username}:(${uid}):${realuser}:(${realuid})\n"
+ fi
+ fi
+done | awk -F: '$3 != $5 && $5 != "(0)" \
+ { print "user=" $2 $3 " : home directory is owned by " $4 $5 "." }
+ $1 ~ /^d....w/ && $2 != "lp" && $2 != "mail" \
+ { print "user=" $2 $3" : home directory is group writable." }
+ $1 ~ /^d.......w/ \
+ { print "user=" $2 $3" : home directory is other writable." }' > ${MSEC_TMP}
+
+if [[ -s $MSEC_TMP ]] ; then
+ printf "\nSecurity Warning: these home directory should not be owned by someone else or writable :\n" >> ${SECURITY}
+ cat ${MSEC_TMP} >> ${SECURITY}
+fi
+fi # End of CHECK_USER_FILES
+
+# now check default permissions
+if [[ ${CHECK_PERMS} == yes ]]; then
+ # running msec_perms
+ /usr/sbin/msecperms > ${MSEC_TMP} 2>&1
+ if [[ -s ${MSEC_TMP} ]]; then
+ printf "\nPermissions changes on system files:\n" >> ${SECURITY}
+ cat ${MSEC_TMP} | sed -e 's/WARNING: //g' >> ${SECURITY}
+ fi
+fi
+
diff --git a/cron-sh/scripts/02_network.sh b/cron-sh/scripts/02_network.sh
new file mode 100755
index 0000000..f376724
--- /dev/null
+++ b/cron-sh/scripts/02_network.sh
@@ -0,0 +1,79 @@
+#!/bin/bash
+# msec: network security checks
+
+# check if we are run from main script
+if [ -z "$MSEC_TMP" -o -z "$INFOS" -o -z "$SECURITY" -o -z "$DIFF" -o -z "$SECURITY_LOG" ]; then
+ # variables are set in security.sh and propagated to the subscripts
+ echo "Error: this check should be run by the main msec security check!"
+ echo " do not run it directly unless you know what you are doing."
+ return 1
+fi
+
+export OPEN_PORT_TODAY="/var/log/security/open_port.today"
+OPEN_PORT_YESTERDAY="/var/log/security/open_port.yesterday"
+OPEN_PORT_DIFF="/var/log/security/open_port.diff"
+export FIREWALL_TODAY="/var/log/security/open_port.today"
+FIREWALL_YESTERDAY="/var/log/security/open_port.yesterday"
+FIREWALL_DIFF="/var/log/security/open_port.diff"
+
+if [[ -f ${OPEN_PORT_TODAY} ]]; then
+ mv -f ${OPEN_PORT_TODAY} ${OPEN_PORT_YESTERDAY}
+fi
+
+if [[ -f ${FIREWALL_TODAY} ]]; then
+ mv -f ${FIREWALL_TODAY} ${FIREWALL_YESTERDAY}
+fi
+
+if [[ ${CHECK_OPEN_PORT} == yes ]]; then
+ netstat -pvlA inet,inet6 2> /dev/null > ${OPEN_PORT_TODAY};
+fi
+
+if [[ ${CHECK_FIREWALL} == yes ]]; then
+ iptables -L 2>/dev/null > ${FIREWALL_TODAY}
+fi
+
+### Changed open port
+if [[ ${CHECK_OPEN_PORT} == yes ]]; then
+
+ if [[ -f ${OPEN_PORT_YESTERDAY} ]]; then
+ diff -u ${OPEN_PORT_YESTERDAY} ${OPEN_PORT_TODAY} 1> ${OPEN_PORT_DIFF}
+ if [ -s ${OPEN_PORT_DIFF} ]; then
+ printf "\nSecurity Warning: There are modifications for port listening on your machine :\n" >> ${DIFF}
+ grep '^+' ${OPEN_PORT_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
+ printf "\t\t- Opened ports : ${file}\n"
+ done >> ${DIFF}
+ grep '^-' ${OPEN_PORT_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
+ printf "\t\t- Closed ports : ${file}\n"
+ done >> ${DIFF}
+ fi
+ fi
+
+fi
+
+### Changed firewall
+if [[ ${CHECK_FIREWALL} == yes ]]; then
+
+ if [[ -f ${FIREWALL_YESTERDAY} ]]; then
+ diff -u ${FIREWALL_YESTERDAY} ${FIREWALL_TODAY} 1> ${FIREWALL_DIFF}
+ if [ -s ${FIREWALL_DIFF} ]; then
+ printf "\nSecurity Warning: There are modifications for firewall configuration on your machine :\n" >> ${DIFF}
+ grep '^+' ${FIREWALL_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
+ printf "\t\t- New entries : ${file}\n"
+ done >> ${DIFF}
+ grep '^-' ${FIREWALL_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
+ printf "\t\t- Removed entries : ${file}\n"
+ done >> ${DIFF}
+ fi
+ fi
+
+fi
+
+### Dump a list of open port.
+if [[ ${CHECK_OPEN_PORT} == yes ]]; then
+
+ if [[ -s ${OPEN_PORT_TODAY} ]]; then
+ printf "\nThese are the ports listening on your machine :\n" >> ${INFOS}
+ cat ${OPEN_PORT_TODAY} >> ${INFOS}
+ fi
+fi
+
diff --git a/cron-sh/scripts/03_rpm.sh b/cron-sh/scripts/03_rpm.sh
new file mode 100755
index 0000000..6bd4307
--- /dev/null
+++ b/cron-sh/scripts/03_rpm.sh
@@ -0,0 +1,107 @@
+#!/bin/bash
+# msec: rpm security check
+
+# check if we are run from main script
+if [ -z "$MSEC_TMP" -o -z "$INFOS" -o -z "$SECURITY" -o -z "$DIFF" -o -z "$SECURITY_LOG" ]; then
+ # variables are set in security.sh and propagated to the subscripts
+ echo "Error: this check should be run by the main msec security check!"
+ echo " do not run it directly unless you know what you are doing."
+ return 1
+fi
+
+export RPM_VA_TODAY="/var/log/security/rpm-va.today"
+RPM_VA_YESTERDAY="/var/log/security/rpm-va.yesterday"
+RPM_VA_DIFF="/var/log/security/rpm-va.diff"
+export RPM_VA_CONFIG_TODAY="/var/log/security/rpm-va-config.today"
+RPM_VA_CONFIG_YESTERDAY="/var/log/security/rpm-va-config.yesterday"
+RPM_VA_CONFIG_DIFF="/var/log/security/rpm-va-config.diff"
+export RPM_QA_TODAY="/var/log/security/rpm-qa.today"
+RPM_QA_YESTERDAY="/var/log/security/rpm-qa.yesterday"
+RPM_QA_DIFF="/var/log/security/rpm-qa.diff"
+
+if [[ -f ${RPM_VA_TODAY} ]]; then
+ mv -f ${RPM_VA_TODAY} ${RPM_VA_YESTERDAY}
+fi
+
+if [[ -f ${RPM_VA_CONFIG_TODAY} ]]; then
+ mv -f ${RPM_VA_CONFIG_TODAY} ${RPM_VA_CONFIG_YESTERDAY}
+fi
+
+if [[ -f ${RPM_QA_TODAY} ]]; then
+ mv -f ${RPM_QA_TODAY} ${RPM_QA_YESTERDAY}
+fi
+
+if [[ -f ${CHKROOTKIT_TODAY} ]]; then
+ mv -f ${CHKROOTKIT_TODAY} ${CHKROOTKIT_YESTERDAY}
+fi
+
+### rpm database check
+
+if [[ ${CHECK_RPM} == yes ]]; then
+ rpm -qa --qf "%{NAME}-%{VERSION}-%{RELEASE}\t%{INSTALLTIME}\n" | sort > ${RPM_QA_TODAY}
+
+ rm -f ${RPM_VA_TODAY}.tmp
+ nice --adjustment=+19 rpm -Va --noscripts | grep '^..5' | sort > ${RPM_VA_TODAY}.tmp
+ grep -v '^..........c.' ${RPM_VA_TODAY}.tmp | sed 's/^............//' | sort > ${RPM_VA_TODAY}
+ grep '^..........c.' ${RPM_VA_TODAY}.tmp | sed 's/^............//' | sort > ${RPM_VA_CONFIG_TODAY}
+ rm -f ${RPM_VA_TODAY}.tmp
+fi
+
+### rpm database checks
+if [[ ${CHECK_RPM} == yes ]]; then
+
+ if [[ -s ${RPM_VA_TODAY} ]]; then
+ printf "\nSecurity Warning: These files belonging to packages are modified on the system :\n" >> ${SECURITY}
+ cat ${RPM_VA_TODAY} | while read f; do
+ printf "\t\t- $f\n"
+ done >> ${SECURITY}
+ fi
+
+ if [[ -s ${RPM_VA_CONFIG_TODAY} ]]; then
+ printf "\nSecurity Warning: These config files belonging to packages are modified on the system :\n" >> ${SECURITY}
+ cat ${RPM_VA_CONFIG_TODAY} | while read f; do
+ printf "\t\t- $f\n"
+ done >> ${SECURITY}
+ fi
+fi
+
+### rpm database
+if [[ ${CHECK_RPM} == yes ]]; then
+ if [[ -f ${RPM_QA_YESTERDAY} ]]; then
+ diff -u ${RPM_QA_YESTERDAY} ${RPM_QA_TODAY} > ${RPM_QA_DIFF}
+ if [ -s ${RPM_QA_DIFF} ]; then
+ printf "\nSecurity Warning: These packages have changed on the system :\n" >> ${DIFF}
+ grep '^+' ${RPM_QA_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
+ printf "\t\t- Newly installed package : ${file}\n"
+ done >> ${DIFF}
+ grep '^-' ${RPM_QA_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
+ printf "\t\t- No longer present package : ${file}\n"
+ done >> ${DIFF}
+ fi
+ fi
+ if [[ -f ${RPM_VA_YESTERDAY} ]]; then
+ diff -u ${RPM_VA_YESTERDAY} ${RPM_VA_TODAY} > ${RPM_VA_DIFF}
+ if [ -s ${RPM_VA_DIFF} ]; then
+ printf "\nSecurity Warning: These files belonging to packages have changed of status on the system :\n" >> ${DIFF}
+ grep '^+' ${RPM_VA_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
+ printf "\t\t- Newly modified : ${file}\n"
+ done >> ${DIFF}
+ grep '^-' ${RPM_VA_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
+ printf "\t\t- No longer modified : ${file}\n"
+ done >> ${DIFF}
+ fi
+ fi
+ if [[ -f ${RPM_VA_CONFIG_YESTERDAY} ]]; then
+ diff -u ${RPM_VA_CONFIG_YESTERDAY} ${RPM_VA_CONFIG_TODAY} > ${RPM_VA_CONFIG_DIFF}
+ if [ -s ${RPM_VA_CONFIG_DIFF} ]; then
+ printf "\nSecurity Warning: These config files belonging to packages have changed of status on the system :\n" >> ${DIFF}
+ grep '^+' ${RPM_VA_CONFIG_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
+ printf "\t\t- Newly modified : ${file}\n"
+ done >> ${DIFF}
+ grep '^-' ${RPM_VA_CONFIG_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
+ printf "\t\t- No longer modified : ${file}\n"
+ done >> ${DIFF}
+ fi
+ fi
+fi
+
diff --git a/cron-sh/scripts/04_rootkit.sh b/cron-sh/scripts/04_rootkit.sh
new file mode 100755
index 0000000..b83e727
--- /dev/null
+++ b/cron-sh/scripts/04_rootkit.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+# msec: rootkit security check
+
+# check if we are run from main script
+if [ -z "$MSEC_TMP" -o -z "$INFOS" -o -z "$SECURITY" -o -z "$DIFF" -o -z "$SECURITY_LOG" ]; then
+ # variables are set in security.sh and propagated to the subscripts
+ echo "Error: this check should be run by the main msec security check!"
+ echo " do not run it directly unless you know what you are doing."
+ return 1
+fi
+
+export CHKROOTKIT_TODAY="/var/log/security/chkrootkit.today"
+CHKROOTKIT_YESTERDAY="/var/log/security/chkrootkit.yesterday"
+CHKROOTKIT_DIFF="/var/log/security/chkrootkit.diff"
+
+### chkrootkit checks
+if [[ ${CHECK_CHKROOTKIT} == yes ]]; then
+ if [ -x /usr/sbin/chkrootkit ]; then
+ # do not check on NFS
+ /usr/sbin/chkrootkit -n ${CHKROOTKIT_OPTION} > ${CHKROOTKIT_TODAY}
+ fi
+fi
+
+### chkrootkit checks
+if [[ ${CHECK_CHKROOTKIT} == yes ]]; then
+
+ if [[ -s ${CHKROOTKIT_TODAY} ]]; then
+ printf "\nChkrootkit report:\n" >> ${SECURITY}
+ cat ${CHKROOTKIT_TODAY} >> ${SECURITY}
+ fi
+fi
+
+### Changed chkrootkit
+if [[ ${CHECK_CHKROOTKIT} == yes ]]; then
+
+ if [[ -f ${CHKROOTKIT_YESTERDAY} ]]; then
+ diff -u ${CHKROOTKIT_YESTERDAY} ${CHKROOTKIT_TODAY} 1> ${CHKROOTKIT_DIFF}
+ if [ -s ${CHKROOTKIT_DIFF} ]; then
+ printf "\nSecurity Warning: There are modifications for chkrootkit results :\n" >> ${DIFF}
+ grep '^+' ${CHKROOTKIT_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
+ printf "\t\t- Added : ${file}\n"
+ done >> ${DIFF}
+ grep '^-' ${CHKROOTKIT_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
+ printf "\t\t- Removed : ${file}\n"
+ done >> ${DIFF}
+ fi
+ fi
+fi
+
diff --git a/cron-sh/scripts/05_access.sh b/cron-sh/scripts/05_access.sh
new file mode 100755
index 0000000..1168cd7
--- /dev/null
+++ b/cron-sh/scripts/05_access.sh
@@ -0,0 +1,125 @@
+#!/bin/bash
+# msec: system access
+
+# check if we are run from main script
+if [ -z "$MSEC_TMP" -o -z "$INFOS" -o -z "$SECURITY" -o -z "$DIFF" -o -z "$SECURITY_LOG" ]; then
+ # variables are set in security.sh and propagated to the subscripts
+ echo "Error: this check should be run by the main msec security check!"
+ echo " do not run it directly unless you know what you are doing."
+ return 1
+fi
+
+### Passwd file check
+if [[ ${CHECK_PASSWD} == yes ]]; then
+ getent passwd | awk -F: '{
+ if ( $2 == "" )
+ printf("\t\t- /etc/passwd:%d: User \"%s\" has no password !\n", FNR, $1);
+ else if ($2 !~ /^[x*!]+$/)
+ printf("\t\t- /etc/passwd:%d: User \"%s\" has a real password (it is not shadowed).\n", FNR, $1);
+ else if ( $3 == 0 && $1 != "root" )
+ printf("\t\t- /etc/passwd:%d: User \"%s\" has id 0 !\n", FNR, $1);
+ }' > ${MSEC_TMP}
+
+ if [[ -s ${MSEC_TMP} ]]; then
+ printf "\nSecurity Warning: /etc/passwd check :\n" >> ${SECURITY}
+ cat ${MSEC_TMP} >> ${SECURITY}
+ fi
+fi
+
+### Shadow password file Check
+if [[ ${CHECK_SHADOW} == yes ]]; then
+ awk -F: '{
+ if ( $2 == "" )
+ printf("\t\t- /etc/shadow:%d: User \"%s\" has no password !\n", FNR, $1);
+ }' < /etc/shadow > ${MSEC_TMP}
+
+ if [[ -s ${MSEC_TMP} ]]; then
+ printf "\nSecurity Warning: /etc/shadow check :\n" >> ${SECURITY}
+ cat ${MSEC_TMP} >> ${SECURITY}
+ fi
+fi
+
+### File systems should not be globally exported.
+if [[ -s /etc/exports ]] ; then
+ awk '{
+ if (($1 ~ /^#/) || ($1 ~ /^$/)) next;
+ readonly = 0;
+ for (i = 2; i <= NF; ++i) {
+ if ($i ~ /^-ro$/)
+ readonly = 1;
+ else if ($i !~ /^-/)
+ next;
+ }
+ if (readonly) {
+ print "\t\t- Nfs File system " $1 " globally exported, read-only.";
+ } else print "\t\t- Nfs File system " $1 " globally exported, read-write.";
+ }' < /etc/exports > ${MSEC_TMP}
+
+ if [[ -s ${MSEC_TMP} ]] ; then
+ printf "\nSecurity Warning: Some NFS filesystem are exported globally :\n" >> ${SECURITY}
+ cat ${MSEC_TMP} >> ${SECURITY}
+ fi
+fi
+
+### nfs mounts with missing nosuid
+/bin/mount | /bin/grep -v nosuid | /bin/grep ' nfs ' > ${MSEC_TMP}
+if [[ -s ${MSEC_TMP} ]] ; then
+ printf "\nSecurity Warning: The following NFS mounts haven't got the nosuid option set :\n" >> ${SECURITY}
+ cat ${MSEC_TMP} | awk '{ print "\t\t- "$0 }' >> ${SECURITY}
+fi
+
+### Files that should not have + signs.
+list="/etc/hosts.equiv /etc/shosts.equiv /etc/hosts.lpd"
+for file in $list ; do
+ if [[ -s ${file} ]] ; then
+ awk '{
+ if ($0 ~ /^\+@.*$/)
+ next;
+ if ($0 ~ /^\+.*$/)
+ printf("\t\t- %s: %s\n", FILENAME, $0);
+ }' ${file}
+ fi
+done > ${MSEC_TMP}
+
+### Passwd file check
+if [[ ${CHECK_SHOSTS} == yes ]]; then
+ getent passwd | awk -F: '{print $1" "$6}' |
+ while read username homedir; do
+ if ! expr "$homedir" : "$FILTER" > /dev/null; then
+ for file in .rhosts .shosts; do
+ if [[ -s ${homedir}/${file} ]] ; then
+ awk '{
+ if ($0 ~ /^\+@.*$/)
+ next;
+ if ($0 ~ /^\+.*$/)
+ printf("\t\t- %s: %s\n", FILENAME, $0);
+ }' ${homedir}/${file}
+ fi
+ done >> ${DIFF}
+ fi
+ done
+
+ if [[ -s ${MSEC_TMP} ]]; then
+ printf "\nSecurity Warning: '+' character found in hosts trusting files,\n" >> ${SECURITY}
+ printf "\tthis probably mean that you trust certains users/domain\n" >> ${SECURITY}
+ printf "\tto connect on this host without proper authentication :\n" >> ${SECURITY}
+ cat ${MSEC_TMP} >> ${SECURITY}
+ fi
+fi
+
+### executables should not be in the aliases file.
+list="/etc/aliases /etc/postfix/aliases"
+for file in ${list}; do
+ if [[ -s ${file} ]]; then
+ grep -v '^#' ${file} | grep '|' | while read line; do
+ printf "\t\t- ${line}\n"
+ done > ${MSEC_TMP}
+ fi
+
+ if [[ -s ${MSEC_TMP} ]]; then
+ printf "\nSecurity Warning: The following programs are executed in your mail\n" >> ${SECURITY}
+ printf "\tvia ${file} files, this could lead to security problems :\n" >> ${SECURITY}
+ cat ${MSEC_TMP} >> ${SECURITY}
+ fi
+done
+
diff --git a/cron-sh/promisc_check.sh b/cron-sh/scripts/06_promisc.sh
index 4df9c25..e46620c 100755
--- a/cron-sh/promisc_check.sh
+++ b/cron-sh/scripts/06_promisc.sh
@@ -1,4 +1,5 @@
#!/bin/bash
+# TODO: this is incomplete for new msec framework
# Writen by Vandoorselaere Yoann
@@ -26,23 +27,23 @@ LogPromisc() {
echo " A sniffer is probably running on your system." >> /var/log/security.log
}
-
+
if [[ -f /etc/security/msec/security.conf ]]; then
. /etc/security/msec/security.conf
else
echo "/etc/security/msec/security.conf don't exist."
- exit 1
+ return 1
fi
if tail /var/log/security.log | grep -q "promiscuous"; then
# Dont flood with warning.
- exit 0
+ return 0
fi
# Check if a network interface is in promiscuous mode...
if [[ ${CHECK_PROMISC} == no ]]; then
- exit 0;
+ return 0;
fi
for INTERFACE in `/sbin/ip link list | grep PROMISC | cut -f 2 -d ':';/usr/bin/promisc_check -q`; do
diff --git a/cron-sh/security.sh b/cron-sh/security.sh
index 4b02cf6..c636750 100755
--- a/cron-sh/security.sh
+++ b/cron-sh/security.sh
@@ -1,27 +1,8 @@
#!/bin/bash
-
-. /etc/sysconfig/i18n
-if [[ -f /etc/profile.d/10lang.sh ]]; then
- . /etc/profile.d/10lang.sh
-fi
-
-LCK=/var/run/msec-security.pid
-
-function cleanup() {
- rm -f $LCK
-}
-
-if [ -f $LCK ]; then
- if [ -d /proc/`cat $LCK` ]; then
- exit 0
- else
- rm -f $LCK
- fi
-fi
-
-echo -n $$ > $LCK
-
-trap cleanup 0
+# msec: this is the main security auditing script
+# it runs all executable scripts from /usr/share/msec/scripts
+# which should be named NN_script_name.sh, where NN represents
+# the order in which they should be executed
if [[ -f /etc/security/msec/security.conf ]]; then
. /etc/security/msec/security.conf
@@ -30,245 +11,92 @@ else
exit 1
fi
-if [ -r /etc/security/shell ]; then
- . /etc/security/shell
+# is security check enabled?
+if [[ ${CHECK_SECURITY} != yes ]]; then
+ exit 0
fi
-umask ${UMASK_ROOT=077}
-
-[[ ${MAIL_WARN} == yes ]] && [ -z ${MAIL_USER} ] && MAIL_USER="root"
-
-export SUID_ROOT_TODAY="/var/log/security/suid_root.today"
-SUID_ROOT_YESTERDAY="/var/log/security/suid_root.yesterday"
-SUID_ROOT_DIFF="/var/log/security/suid_root.diff"
-export SGID_TODAY="/var/log/security/sgid.today"
-SGID_YESTERDAY="/var/log/security/sgid.yesterday"
-SGID_DIFF="/var/log/security/sgid.diff"
-export SUID_MD5_TODAY="/var/log/security/suid_md5.today"
-SUID_MD5_YESTERDAY="/var/log/security/suid_md5.yesterday"
-SUID_MD5_DIFF="/var/log/security/suid_md5.diff"
-export OPEN_PORT_TODAY="/var/log/security/open_port.today"
-OPEN_PORT_YESTERDAY="/var/log/security/open_port.yesterday"
-OPEN_PORT_DIFF="/var/log/security/open_port.diff"
-export FIREWALL_TODAY="/var/log/security/open_port.today"
-FIREWALL_YESTERDAY="/var/log/security/open_port.yesterday"
-FIREWALL_DIFF="/var/log/security/open_port.diff"
-export WRITABLE_TODAY="/var/log/security/writable.today"
-WRITABLE_YESTERDAY="/var/log/security/writable.yesterday"
-WRITABLE_DIFF="/var/log/security/writable.diff"
-export UNOWNED_USER_TODAY="/var/log/security/unowned_user.today"
-UNOWNED_USER_YESTERDAY="/var/log/security/unowned_user.yesterday"
-UNOWNED_USER_DIFF="/var/log/security/unowned_user.diff"
-export UNOWNED_GROUP_TODAY="/var/log/security/unowned_group.today"
-UNOWNED_GROUP_YESTERDAY="/var/log/security/unowned_group.yesterday"
-UNOWNED_GROUP_DIFF="/var/log/security/unowned_group.diff"
-export RPM_VA_TODAY="/var/log/security/rpm-va.today"
-RPM_VA_YESTERDAY="/var/log/security/rpm-va.yesterday"
-RPM_VA_DIFF="/var/log/security/rpm-va.diff"
-export RPM_VA_CONFIG_TODAY="/var/log/security/rpm-va-config.today"
-RPM_VA_CONFIG_YESTERDAY="/var/log/security/rpm-va-config.yesterday"
-RPM_VA_CONFIG_DIFF="/var/log/security/rpm-va-config.diff"
-export RPM_QA_TODAY="/var/log/security/rpm-qa.today"
-RPM_QA_YESTERDAY="/var/log/security/rpm-qa.yesterday"
-RPM_QA_DIFF="/var/log/security/rpm-qa.diff"
-export CHKROOTKIT_TODAY="/var/log/security/chkrootkit.today"
-CHKROOTKIT_YESTERDAY="/var/log/security/chkrootkit.yesterday"
-CHKROOTKIT_DIFF="/var/log/security/chkrootkit.diff"
-export EXCLUDE_REGEXP
+. /usr/share/msec/functions.sh
-# Modified filters coming from debian security scripts.
-# rootfs is not listed among excluded types, because
-# / is mounted twice, and filtering it would mess with excluded dir list
-TYPE_FILTER='(devpts|sysfs|usbfs|tmpfs|binfmt_misc|rpc_pipefs|securityfs|auto|proc|msdos|fat|vfat|iso9660|ncpfs|smbfs|hfs|nfs|afs|coda|cifs)'
-MOUNTPOINT_FILTER='^\/mnt|^\/media'
-DIR=`awk '$3 !~ /'$TYPE_FILTER'/ && $2 !~ /'$MOUNTPOINT_FILTER'/ \
- {print $2}' /proc/mounts | uniq`
-PRINT="%h/%f\n"
-EXCLUDEDIR=`awk '$3 ~ /'$TYPE_FILTER'/ || $2 ~ /'$MOUNTPOINT_FILTER'/ \
- {print $2}' /proc/mounts | uniq`
-export EXCLUDEDIR
-
-if [[ ! -d /var/log/security ]]; then
- mkdir /var/log/security
-fi
-
-if [[ -f ${SUID_ROOT_TODAY} ]]; then
- mv ${SUID_ROOT_TODAY} ${SUID_ROOT_YESTERDAY};
-fi
-
-if [[ -f ${SGID_TODAY} ]]; then
- mv ${SGID_TODAY} ${SGID_YESTERDAY};
-fi
-
-if [[ -f ${WRITABLE_TODAY} ]]; then
- mv ${WRITABLE_TODAY} ${WRITABLE_YESTERDAY};
-fi
-
-if [[ -f ${UNOWNED_USER_TODAY} ]]; then
- mv ${UNOWNED_USER_TODAY} ${UNOWNED_USER_YESTERDAY};
-fi
-
-if [[ -f ${UNOWNED_GROUP_TODAY} ]]; then
- mv ${UNOWNED_GROUP_TODAY} ${UNOWNED_GROUP_YESTERDAY};
-fi
-
-if [[ -f ${OPEN_PORT_TODAY} ]]; then
- mv -f ${OPEN_PORT_TODAY} ${OPEN_PORT_YESTERDAY}
-fi
-
-if [[ -f ${FIREWALL_TODAY} ]]; then
- mv -f ${FIREWALL_TODAY} ${FIREWALL_YESTERDAY}
-fi
+# variables
+LCK=/var/run/msec-security.pid
+SECURITY_LOG="/var/log/security.log"
-if [[ -f ${SUID_MD5_TODAY} ]]; then
- mv ${SUID_MD5_TODAY} ${SUID_MD5_YESTERDAY};
-fi
+# log formatting
+REPORT_DATE=`date "+%b %W %H:%M:%S"`
+REPORT_HOSTNAME=`hostname`
+LOG_PREFIX="$REPORT_DATE $REPORT_HOSTNAME"
+SECURITY_PREFIX="$LOG_PREFIX security: "
+INFO_PREFIX="$LOG_PREFIX info: "
+DIFF_PREFIX="$LOG_PREFIX diff: "
-if [[ -f ${RPM_VA_TODAY} ]]; then
- mv -f ${RPM_VA_TODAY} ${RPM_VA_YESTERDAY}
-fi
-if [[ -f ${RPM_VA_CONFIG_TODAY} ]]; then
- mv -f ${RPM_VA_CONFIG_TODAY} ${RPM_VA_CONFIG_YESTERDAY}
-fi
+function cleanup() {
+ # removing temporary files
+ rm -f $LCK $MSEC_TMP $SECURITY $INFOS $DIFF
+}
-if [[ -f ${RPM_QA_TODAY} ]]; then
- mv -f ${RPM_QA_TODAY} ${RPM_QA_YESTERDAY}
+if [ -f $LCK ]; then
+ if [ -d /proc/`cat $LCK` ]; then
+ exit 0
+ else
+ rm -f $LCK
+ fi
fi
+echo -n $$ > $LCK
+trap cleanup 0 1 2 15
-if [[ -f ${CHKROOTKIT_TODAY} ]]; then
- mv -f ${CHKROOTKIT_TODAY} ${CHKROOTKIT_YESTERDAY}
-fi
+# temporary files
+MSEC_TMP=`mktemp /tmp/secure.XXXXXX`
+INFOS=`mktemp /tmp/secure.XXXXXX`
+SECURITY=`mktemp /tmp/secure.XXXXXX`
+DIFF=`mktemp /tmp/secure.XXXXXX`
-if [[ ${CHECK_OPEN_PORT} == yes ]]; then
- netstat -pvlA inet,inet6 2> /dev/null > ${OPEN_PORT_TODAY};
-fi
-
-if [[ ${CHECK_FIREWALL} == yes ]]; then
- iptables -L 2>/dev/null > ${FIREWALL_TODAY}
+# creating security log dir if necessary
+if [[ ! -d /var/log/security ]]; then
+ mkdir /var/log/security
fi
ionice -c3 -p $$
-# only running this check when really required
-if [[ ${CHECK_SUID_MD5} == yes || ${CHECK_SUID_ROOT} == yes || ${CHECK_SGID} == yes || ${CHECK_WRITABLE} == yes || ${CHECK_UNOWNED} == yes ]]; then
+for script in /usr/share/msec/scripts/*sh; do
+ test -x $script && . $script
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ echo "MSEC: audit script $script failed"
+ fi
+done
- # Hard disk related file check; the less priority the better...
- nice --adjustment=+19 /usr/bin/msec_find ${DIR}
-fi
+# fix permissions on newly created msec files according to system policy
+/usr/sbin/msecperms -e '/var/log/msec.log' "$SECURITY_LOG" "/var/log/security/*" &> ${MSEC_TMP}
-if [[ -f ${SUID_ROOT_TODAY} ]]; then
- sort < ${SUID_ROOT_TODAY} > ${SUID_ROOT_TODAY}.tmp
- mv -f ${SUID_ROOT_TODAY}.tmp ${SUID_ROOT_TODAY}
-fi
-
-if [[ -f ${SGID_TODAY} ]]; then
- sort < ${SGID_TODAY} > ${SGID_TODAY}.tmp
- mv -f ${SGID_TODAY}.tmp ${SGID_TODAY}
-fi
-
-if [[ -f ${WRITABLE_TODAY} ]]; then
- sort < ${WRITABLE_TODAY} | egrep -v '^(/var)?/tmp$' > ${WRITABLE_TODAY}.tmp
- mv -f ${WRITABLE_TODAY}.tmp ${WRITABLE_TODAY}
-fi
+# email/show results
-if [[ -f ${UNOWNED_USER_TODAY} ]]; then
- sort < ${UNOWNED_USER_TODAY} > ${UNOWNED_USER_TODAY}.tmp
- mv -f ${UNOWNED_USER_TODAY}.tmp ${UNOWNED_USER_TODAY}
-fi
+# security check
+if [[ -s ${SECURITY} ]]; then
+ Syslog ${SECURITY}
+ Ttylog ${SECURITY}
-if [[ -f ${UNOWNED_GROUP_TODAY} ]]; then
- sort < ${UNOWNED_GROUP_TODAY} > ${UNOWNED_GROUP_TODAY}.tmp
- mv -f ${UNOWNED_GROUP_TODAY}.tmp ${UNOWNED_GROUP_TODAY}
-fi
+ echo "$SECURITY_PREFIX *** Security Check, ${REPORT_DATE} ***" >> ${SECURITY_LOG}
+ cat ${SECURITY} | sed -e "s/^/$SECURITY_PREFIX/g" >> ${SECURITY_LOG}
+ cat ${INFOS} | sed -e "s/^/$INFO_PREFIX/g" >> ${SECURITY_LOG}
-if [[ -f ${SUID_ROOT_TODAY} ]]; then
- while read line; do
- md5sum ${line}
- done < ${SUID_ROOT_TODAY} > ${SUID_MD5_TODAY}
+ Maillog "[msec] *** Security Check on ${REPORT_HOSTNAME}, ${REPORT_DATE} ***" "${SECURITY} ${INFOS}"
+ Notifylog "MSEC has performed Security Check on ${REPORT_HOSTNAME} on ${REPORT_DATE}"
fi
-### rpm database check
+# diff check
+if [[ -s ${DIFF} ]]; then
+ Syslog ${DIFF}
+ Ttylog ${DIFF}
-if [[ ${CHECK_RPM} == yes ]]; then
- rpm -qa --qf "%{NAME}-%{VERSION}-%{RELEASE}\t%{INSTALLTIME}\n" | sort > ${RPM_QA_TODAY}
+ echo "$DIFF_PREFIX *** Diff Check, ${REPORT_DATE} ***" >> ${SECURITY_LOG}
+ cat ${DIFF} | sed -e "s/^/$DIFF_PREFIX/g" >> ${SECURITY_LOG}
- rm -f ${RPM_VA_TODAY}.tmp
- nice --adjustment=+19 rpm -Va --noscripts | grep '^..5' | sort > ${RPM_VA_TODAY}.tmp
- grep -v '^..........c.' ${RPM_VA_TODAY}.tmp | sed 's/^............//' | sort > ${RPM_VA_TODAY}
- grep '^..........c.' ${RPM_VA_TODAY}.tmp | sed 's/^............//' | sort > ${RPM_VA_CONFIG_TODAY}
- rm -f ${RPM_VA_TODAY}.tmp
-fi
-
-### chkrootkit checks
-if [[ ${CHECK_CHKROOTKIT} == yes ]]; then
- if [ -x /usr/sbin/chkrootkit ]; then
- # do not check on NFS
- /usr/sbin/chkrootkit -n ${CHKROOTKIT_OPTION} > ${CHKROOTKIT_TODAY}
- fi
+ Notifylog "MSEC has performed Diff Check on ${REPORT_HOSTNAME} on ${REPORT_DATE}. Changes in system security were detected and are available in ${SECURITY_LOG}."
+else
+ Notifylog "MSEC has performed Diff Check on ${REPORT_HOSTNAME} on ${REPORT_DATE}. No changes were detected in system security."
fi
-### Functions ###
-
-Syslog() {
- if [[ ${SYSLOG_WARN} == yes ]]; then
- while read line; do
- logger -t msec -- "${line}"
- done < ${1}
- fi
-}
-
-Ttylog() {
- if [[ ${TTY_WARN} == yes ]]; then
- for i in `w | grep -v "load\|TTY" | grep '^root' | awk '{print $2}'` ; do
- cat ${1} > /dev/$i
- done
- fi
-}
-
-Maillog() {
- subject=${1}
- text=${2}
- SOMETHING_TO_SEND=
-
- if [[ ${MAIL_WARN} == yes ]]; then
- if [[ -z ${MAIL_USER} ]]; then
- MAIL_USER="root"
- fi
- if [[ -x /bin/mail ]]; then
- for f in ${text}; do
- if [[ -s $f ]]; then
- SOMETHING_TO_SEND=1
- break
- fi
- done
- if [[ -z ${SOMETHING_TO_SEND} ]]; then
- if [[ ${MAIL_EMPTY_CONTENT} != no ]]; then
- /bin/mail -s "${subject}" "${MAIL_USER}" <<EOF
-Nothing has changed since the last run.
-EOF
- fi
- else
- # remove non-printable characters,
- # see http://qa.mandriva.com/show_bug.cgi?id=36848 and https://qa.mandriva.com/show_bug.cgi?id=26773
- cat ${text} | sed -e "s,[[:cntrl:]],,g" | LC_CTYPE=$LC_CTYPE /bin/mail -s "${subject}" "${MAIL_USER}"
- fi
- fi
- fi
-}
-
-Notifylog() {
- if [[ ${NOTIFY_WARN} == yes ]]; then
- message=${1}
- DBUS_SEND=`which dbus-send 2>/dev/null`
- if [ -x "$DBUS_SEND" ]; then
- $DBUS_SEND --system --type=signal /com/mandriva/user com.mandriva.user.security_notification string:"$message"
- fi
- fi
-}
-
-##################
-
-. /usr/share/msec/diff_check.sh
-. /usr/share/msec/security_check.sh
+Maillog "[msec] *** Diff Check on ${REPORT_HOSTNAME}, ${REPORT_DATE} ***" "${DIFF}"
diff --git a/cron-sh/security_check.sh b/cron-sh/security_check.sh
deleted file mode 100755
index fe1418b..0000000
--- a/cron-sh/security_check.sh
+++ /dev/null
@@ -1,337 +0,0 @@
-#!/bin/bash
-
-#
-# Written by Vandoorselaere Yoann
-#
-
-if [[ -f /etc/security/msec/security.conf ]]; then
- . /etc/security/msec/security.conf
-else
- echo "/etc/security/msec/security.conf don't exist."
- exit 1
-fi
-
-if [[ ${CHECK_SECURITY} != yes ]]; then
- exit 0
-fi
-
-INFOS=`mktemp /tmp/secure.XXXXXX`
-SECURITY=`mktemp /tmp/secure.XXXXXX`
-SECURITY_LOG="/var/log/security.log"
-TMP=`mktemp /tmp/secure.XXXXXX`
-FILTER="\(`echo $EXCLUDEDIR | sed -e 's/ /\\\|/g'`\)"
-
-if [[ ! -d /var/log/security ]]; then
- mkdir /var/log/security
-fi
-
-### Writable file detection
-if [[ ${CHECK_WRITABLE} == yes ]]; then
- if [[ -s ${WRITABLE_TODAY} ]]; then
- printf "\nSecurity Warning: World Writable files found :\n" >> ${SECURITY}
- cat ${WRITABLE_TODAY} | awk '{print "\t\t- " $0}' >> ${SECURITY}
- fi
-fi
-
-### Search Un Owned file
-if [[ ${CHECK_UNOWNED} == yes ]]; then
- if [[ -s ${UNOWNED_USER_TODAY} ]]; then
- printf "\nSecurity Warning : User Unowned files found :\n" >> ${SECURITY}
- printf "\t( theses files now have user \"nobody\" as their owner. )\n" >> ${SECURITY}
- cat ${UNOWNED_USER_TODAY} | awk '{print "\t\t- " $0}' >> ${SECURITY}
- cat ${UNOWNED_USER_TODAY} | while read line; do
- if [[ ${FIX_UNOWNED} == yes ]]; then
- chown nobody "${line}"; # Use quote if filename contain space.
- fi
- done
- fi
-
- if [[ -s ${UNOWNED_GROUP_TODAY} ]]; then
- printf "\nSecurity Warning : Group Unowned files found :\n" >> ${SECURITY}
- printf "\t( theses files now have group \"nogroup\" as their group owner. )\n" >> ${SECURITY}
- cat ${UNOWNED_GROUP_TODAY} | awk '{print "\t\t- " $0}' >> ${SECURITY}
- cat ${UNOWNED_GROUP_TODAY} | while read line; do
- if [[ ${FIX_UNOWNED} == yes ]]; then
- chgrp nogroup "${line}"; # Use quote if filename contain space.
- fi
- done
- fi
-fi
-
-if [[ ${CHECK_USER_FILES} == yes ]]; then
-# Files that should not be owned by someone else or readable.
-list=".netrc .rhosts .shosts .Xauthority .gnupg/secring.gpg \
-.pgp/secring.pgp .ssh/identity .ssh/id_dsa .ssh/id_rsa .ssh/random_seed"
-getent passwd | awk -F: '/^[^+-]/ { print $1 ":" $3 ":" $6 }' |
-while IFS=: read username uid homedir; do
- if ! expr "$homedir" : "$FILTER" > /dev/null; then
- for f in ${list} ; do
- file="${homedir}/${f}"
- if [[ -f "${file}" ]] ; then
- res=`ls -LldcGn "${file}" | sed 's/ \{1,\}/:/g'`
- printf "${uid}:${username}:${file}:${res}\n"
- fi
- done
- fi
-done | awk -F: '$1 != $6 && $6 != "0" \
- { print "\t\t- " $3 " : file is owned by uid " $6 "." }
- $4 ~ /^-...r/ \
- { print "\t\t- " $3 " : file is group readable." }
- $4 ~ /^-......r/ \
- { print "\t\t- " $3 " : file is other readable." }
- $4 ~ /^-....w/ \
- { print "\t\t- " $3 " : file is group writable." }
- $4 ~ /^-.......w/ \
- { print "\t\t- " $3 " : file is other writable." }' > ${TMP}
-
-if [[ -s ${TMP} ]]; then
- printf "\nSecurity Warning: these files shouldn't be owned by someone else or readable :\n" >> ${SECURITY}
- cat ${TMP} >> ${SECURITY}
-fi
-
-### Files that should not be owned by someone else or writable.
-list=".bashrc .bash_profile .bash_login .bash_logout .cshrc .emacs .exrc \
-.forward .klogin .login .logout .profile .tcshrc .fvwmrc .inputrc .kshrc \
-.nexrc .screenrc .ssh .ssh/config .ssh/authorized_keys .ssh/environment \
-.ssh/known_hosts .ssh/rc .twmrc .xsession .xinitrc .Xdefaults \
-.gnupg .gnupg/secring.gpg .ssh/identity .ssh/id_dsa .ssh/id_rsa \
-.Xauthority .cvspass .subversion/auth .purple/accounts.xml .config "
-getent passwd | awk -F: '/^[^+-]/ { print $1 ":" $3 ":" $6 }' | \
-while IFS=: read username uid homedir; do
- if ! expr "$homedir" : "$FILTER" > /dev/null; then
- for f in ${list} ; do
- file="${homedir}/${f}"
- if [[ -e "${file}" ]] ; then
- res=`ls -LldcGn "${file}" | sed 's/ \{1,\}/:/g'`
- printf "${uid}:${username}:${file}:${res}\n"
- fi
- done
- fi
-done | awk -F: '$1 != $6 && $6 != "0" \
- { print "\t\t- " $3 " : file is owned by uid " $6 "." }
- $4 ~ /^.....w/ \
- { print "\t\t- " $3 " : file is group writable." }
- $4 ~ /^........w/ \
- { print "\t\t- " $3 " : file is other writable." }' > ${TMP}
-
-if [[ -s ${TMP} ]]; then
- printf "\nSecurity Warning: theses files should not be owned by someone else or writable :\n" >> ${SECURITY}
- cat ${TMP} >> ${SECURITY}
-fi
-
-### Check home directories. Directories should not be owned by someone else or writable.
-getent passwd | awk -F: '/^[^+-]/ { print $1 ":" $3 ":" $6 }' | \
-while IFS=: read username uid homedir; do
- if ! expr "$homedir" : "$FILTER" > /dev/null; then
- if [[ -d "${homedir}" ]] ; then
- realuid=`ls -LldGn "${homedir}"| awk '{ print $3 }'`
- realuser=`ls -LldG "${homedir}"| awk '{ print $3 }'`
- permissions=`ls -LldG "${homedir}"| awk '{ print $1 }'`
- printf "${permissions}:${username}:(${uid}):${realuser}:(${realuid})\n"
- fi
- fi
-done | awk -F: '$3 != $5 && $5 != "(0)" \
- { print "user=" $2 $3 " : home directory is owned by " $4 $5 "." }
- $1 ~ /^d....w/ && $2 != "lp" && $2 != "mail" \
- { print "user=" $2 $3" : home directory is group writable." }
- $1 ~ /^d.......w/ \
- { print "user=" $2 $3" : home directory is other writable." }' > ${TMP}
-
-if [[ -s $TMP ]] ; then
- printf "\nSecurity Warning: these home directory should not be owned by someone else or writable :\n" >> ${SECURITY}
- cat ${TMP} >> ${SECURITY}
-fi
-fi # End of CHECK_USER_FILES
-
-### Passwd file check
-if [[ ${CHECK_PASSWD} == yes ]]; then
- getent passwd | awk -F: '{
- if ( $2 == "" )
- printf("\t\t- /etc/passwd:%d: User \"%s\" has no password !\n", FNR, $1);
- else if ($2 !~ /^[x*!]+$/)
- printf("\t\t- /etc/passwd:%d: User \"%s\" has a real password (it is not shadowed).\n", FNR, $1);
- else if ( $3 == 0 && $1 != "root" )
- printf("\t\t- /etc/passwd:%d: User \"%s\" has id 0 !\n", FNR, $1);
- }' > ${TMP}
-
- if [[ -s ${TMP} ]]; then
- printf "\nSecurity Warning: /etc/passwd check :\n" >> ${SECURITY}
- cat ${TMP} >> ${SECURITY}
- fi
-fi
-
-### Shadow password file Check
-if [[ ${CHECK_SHADOW} == yes ]]; then
- awk -F: '{
- if ( $2 == "" )
- printf("\t\t- /etc/shadow:%d: User \"%s\" has no password !\n", FNR, $1);
- }' < /etc/shadow > ${TMP}
-
- if [[ -s ${TMP} ]]; then
- printf "\nSecurity Warning: /etc/shadow check :\n" >> ${SECURITY}
- cat ${TMP} >> ${SECURITY}
- fi
-fi
-
-### File systems should not be globally exported.
-if [[ -s /etc/exports ]] ; then
- awk '{
- if (($1 ~ /^#/) || ($1 ~ /^$/)) next;
- readonly = 0;
- for (i = 2; i <= NF; ++i) {
- if ($i ~ /^-ro$/)
- readonly = 1;
- else if ($i !~ /^-/)
- next;
- }
- if (readonly) {
- print "\t\t- Nfs File system " $1 " globally exported, read-only.";
- } else print "\t\t- Nfs File system " $1 " globally exported, read-write.";
- }' < /etc/exports > ${TMP}
-
- if [[ -s ${TMP} ]] ; then
- printf "\nSecurity Warning: Some NFS filesystem are exported globally :\n" >> ${SECURITY}
- cat ${TMP} >> ${SECURITY}
- fi
-fi
-
-### nfs mounts with missing nosuid
-/bin/mount | /bin/grep -v nosuid | /bin/grep ' nfs ' > ${TMP}
-if [[ -s ${TMP} ]] ; then
- printf "\nSecurity Warning: The following NFS mounts haven't got the nosuid option set :\n" >> ${SECURITY}
- cat ${TMP} | awk '{ print "\t\t- "$0 }' >> ${SECURITY}
-fi
-
-### Files that should not have + signs.
-list="/etc/hosts.equiv /etc/shosts.equiv /etc/hosts.lpd"
-for file in $list ; do
- if [[ -s ${file} ]] ; then
- awk '{
- if ($0 ~ /^\+@.*$/)
- next;
- if ($0 ~ /^\+.*$/)
- printf("\t\t- %s: %s\n", FILENAME, $0);
- }' ${file}
- fi
-done > ${TMP}
-
-### Passwd file check
-if [[ ${CHECK_SHOSTS} == yes ]]; then
- getent passwd | awk -F: '{print $1" "$6}' |
- while read username homedir; do
- if ! expr "$homedir" : "$FILTER" > /dev/null; then
- for file in .rhosts .shosts; do
- if [[ -s ${homedir}/${file} ]] ; then
- awk '{
- if ($0 ~ /^\+@.*$/)
- next;
- if ($0 ~ /^\+.*$/)
- printf("\t\t- %s: %s\n", FILENAME, $0);
- }' ${homedir}/${file}
- fi
- done >> ${TMP}
- fi
- done
-
- if [[ -s ${TMP} ]]; then
- printf "\nSecurity Warning: '+' character found in hosts trusting files,\n" >> ${SECURITY}
- printf "\tthis probably mean that you trust certains users/domain\n" >> ${SECURITY}
- printf "\tto connect on this host without proper authentication :\n" >> ${SECURITY}
- cat ${TMP} >> ${SECURITY}
- fi
-fi
-
-### executables should not be in the aliases file.
-list="/etc/aliases /etc/postfix/aliases"
-for file in ${list}; do
- if [[ -s ${file} ]]; then
- grep -v '^#' ${file} | grep '|' | while read line; do
- printf "\t\t- ${line}\n"
- done > ${TMP}
- fi
-
- if [[ -s ${TMP} ]]; then
- printf "\nSecurity Warning: The following programs are executed in your mail\n" >> ${SECURITY}
- printf "\tvia ${file} files, this could lead to security problems :\n" >> ${SECURITY}
- cat ${TMP} >> ${SECURITY}
- fi
-done
-
-### Dump a list of open port.
-if [[ ${CHECK_OPEN_PORT} == yes ]]; then
-
- if [[ -s ${OPEN_PORT_TODAY} ]]; then
- printf "\nThese are the ports listening on your machine :\n" >> ${INFOS}
- cat ${OPEN_PORT_TODAY} >> ${INFOS}
- fi
-fi
-
-
-### rpm database checks
-if [[ ${CHECK_RPM} == yes ]]; then
-
- if [[ -s ${RPM_VA_TODAY} ]]; then
- printf "\nSecurity Warning: These files belonging to packages are modified on the system :\n" >> ${SECURITY}
- cat ${RPM_VA_TODAY} | while read f; do
- printf "\t\t- $f\n"
- done >> ${SECURITY}
- fi
-
- if [[ -s ${RPM_VA_CONFIG_TODAY} ]]; then
- printf "\nSecurity Warning: These config files belonging to packages are modified on the system :\n" >> ${SECURITY}
- cat ${RPM_VA_CONFIG_TODAY} | while read f; do
- printf "\t\t- $f\n"
- done >> ${SECURITY}
- fi
-fi
-
-### chkrootkit checks
-if [[ ${CHECK_CHKROOTKIT} == yes ]]; then
-
- if [[ -s ${CHKROOTKIT_TODAY} ]]; then
- printf "\nChkrootkit report:\n" >> ${SECURITY}
- cat ${CHKROOTKIT_TODAY} >> ${SECURITY}
- fi
-fi
-
-### file permissions
-# fix permissions on newly created msec files according to system policy
-/usr/sbin/msecperms -e '/var/log/msec.log' "$SECURITY_LOG" "/var/log/security/*" &> ${TMP}
-
-# now check default permissions
-if [[ ${CHECK_PERMS} == yes ]]; then
- # running msec_perms
- /usr/sbin/msecperms > ${TMP} 2>&1
- if [[ -s ${TMP} ]]; then
- printf "\nPermissions changes on system files:\n" >> ${SECURITY}
- cat ${TMP} | sed -e 's/WARNING: //g' >> ${SECURITY}
- fi
-fi
-
-
-### Report
-if [[ -s ${SECURITY} ]]; then
- Syslog ${SECURITY}
- Ttylog ${SECURITY}
- date=`date`
- hostname=`hostname`
-
- echo -e "\n\n*** Security Check, ${date} ***\n" >> ${SECURITY_LOG}
- cat ${SECURITY} >> ${SECURITY_LOG}
- cat ${INFOS} >> ${SECURITY_LOG}
-
- Maillog "[msec] *** Security Check on ${hostname}, ${date} ***" "${SECURITY} ${INFOS}"
- Notifylog "MSEC has performed Security Check on ${hostname} on ${date}"
-fi
-
-if [[ -f ${SECURITY} ]]; then
- rm -f ${SECURITY}
-fi
-
-if [[ -f ${TMP} ]]; then
- rm -f ${TMP}
-fi
-
-if [[ -f ${INFOS} ]]; then
- rm -f ${INFOS};
-fi