diff options
Diffstat (limited to 'cron-sh')
-rwxr-xr-x | cron-sh/diff_check.sh | 10 | ||||
-rwxr-xr-x | cron-sh/promisc_check.sh | 10 | ||||
-rwxr-xr-x | cron-sh/security.sh | 7 | ||||
-rwxr-xr-x | cron-sh/security_check.sh | 61 |
4 files changed, 42 insertions, 46 deletions
diff --git a/cron-sh/diff_check.sh b/cron-sh/diff_check.sh index 3c0fc27..b8991e1 100755 --- a/cron-sh/diff_check.sh +++ b/cron-sh/diff_check.sh @@ -3,15 +3,11 @@ # Written by Vandoorselaere Yoann, <yoann@mandrakesoft.com> # -if [[ -f /var/lib/msec/security.conf ]]; then - . /var/lib/msec/security.conf -else - echo "/var/lib/msec/security.conf don't exist." - exit 1 -fi - if [[ -f /etc/security/msec/security.conf ]]; then . /etc/security/msec/security.conf +else + echo "/etc/security/msec/security.conf don't exist." + exit 1 fi if [[ ${CHECK_SECURITY} == no ]]; then diff --git a/cron-sh/promisc_check.sh b/cron-sh/promisc_check.sh index e573526..468a44a 100755 --- a/cron-sh/promisc_check.sh +++ b/cron-sh/promisc_check.sh @@ -28,15 +28,11 @@ LogPromisc() { } -if [[ -f /var/lib/msec/security.conf ]]; then - . /var/lib/msec/security.conf -else - echo "/var/lib/msec/security.conf doesn't exist." - exit 1 -fi - if [[ -f /etc/security/msec/security.conf ]]; then . /etc/security/msec/security.conf +else + echo "/etc/security/msec/security.conf don't exist." + exit 1 fi if tail /var/log/security.log | grep -q "promiscuous"; then diff --git a/cron-sh/security.sh b/cron-sh/security.sh index c7ec008..4026c5f 100755 --- a/cron-sh/security.sh +++ b/cron-sh/security.sh @@ -24,10 +24,11 @@ if [[ ! -f /var/lib/msec/security.conf ]]; then exit 1 fi -. /var/lib/msec/security.conf - -if [ -r /etc/security/msec/security.conf ]; then +if [[ -f /etc/security/msec/security.conf ]]; then . /etc/security/msec/security.conf +else + echo "/etc/security/msec/security.conf don't exist." + exit 1 fi if [ -r /etc/sysconfig/msec ]; then diff --git a/cron-sh/security_check.sh b/cron-sh/security_check.sh index e9121fe..2062902 100755 --- a/cron-sh/security_check.sh +++ b/cron-sh/security_check.sh @@ -4,15 +4,11 @@ # Written by Vandoorselaere Yoann, <yoann@mandrakesoft.com> # -if [[ -f /var/lib/msec/security.conf ]]; then - . /var/lib/msec/security.conf -else - echo "/var/lib/msec/security.conf don't exist." - exit 1 -fi - if [[ -f /etc/security/msec/security.conf ]]; then . /etc/security/msec/security.conf +else + echo "/etc/security/msec/security.conf don't exist." + exit 1 fi if [[ ${CHECK_SECURITY} != yes ]]; then @@ -59,6 +55,10 @@ if [[ ${CHECK_UNOWNED} == yes ]]; then fi if [[ ${CHECK_PERMS} == yes ]]; then + # running msec_perms +fi + +if [[ ${CHECK_USER_FILES} == yes ]]; then # Files that should not be owned by someone else or readable. list=".netrc .rhosts .shosts .Xauthority .gnupg/secring.gpg \ .pgp/secring.pgp .ssh/identity .ssh/id_dsa .ssh/id_rsa .ssh/random_seed" @@ -139,7 +139,7 @@ if [[ -s $TMP ]] ; then printf "\nSecurity Warning: these home directory should not be owned by someone else or writable :\n" >> ${SECURITY} cat ${TMP} >> ${SECURITY} fi -fi # End of check perms +fi # End of CHECK_USER_FILES ### Passwd file check if [[ ${CHECK_PASSWD} == yes ]]; then @@ -213,28 +213,31 @@ for file in $list ; do fi done > ${TMP} -# TODO: do not check on remote shares (#41709) -getent passwd | awk -F: '{print $1" "$6}' | - while read username homedir; do - if ! expr "$homedir" : "$FILTER" > /dev/null; then - for file in .rhosts .shosts; do - if [[ -s ${homedir}/${file} ]] ; then - awk '{ - if ($0 ~ /^\+@.*$/) - next; - if ($0 ~ /^\+.*$/) - printf("\t\t- %s: %s\n", FILENAME, $0); - }' ${homedir}/${file} +### Passwd file check +if [[ ${CHECK_SHOSTS} == yes ]]; then + # TODO: do not check on remote shares (#41709) + getent passwd | awk -F: '{print $1" "$6}' | + while read username homedir; do + if ! expr "$homedir" : "$FILTER" > /dev/null; then + for file in .rhosts .shosts; do + if [[ -s ${homedir}/${file} ]] ; then + awk '{ + if ($0 ~ /^\+@.*$/) + next; + if ($0 ~ /^\+.*$/) + printf("\t\t- %s: %s\n", FILENAME, $0); + }' ${homedir}/${file} + fi + done >> ${TMP} + fi + done + + if [[ -s ${TMP} ]]; then + printf "\nSecurity Warning: '+' character found in hosts trusting files,\n" >> ${SECURITY} + printf "\tthis probably mean that you trust certains users/domain\n" >> ${SECURITY} + printf "\tto connect on this host without proper authentication :\n" >> ${SECURITY} + cat ${TMP} >> ${SECURITY} fi - done >> ${TMP} - fi - done - -if [[ -s ${TMP} ]]; then - printf "\nSecurity Warning: '+' character found in hosts trusting files,\n" >> ${SECURITY} - printf "\tthis probably mean that you trust certains users/domain\n" >> ${SECURITY} - printf "\tto connect on this host without proper authentication :\n" >> ${SECURITY} - cat ${TMP} >> ${SECURITY} fi ### executables should not be in the aliases file. |