From 1f56baceee8d86b84c07227b6a6bfe9a95b6b123 Mon Sep 17 00:00:00 2001
From: Eugeni Dodonov
Date: Tue, 23 Jun 2009 20:52:47 +0000
Subject: Add support for FIX_UNOWNED to allow changing unowned files owner and group (#51791).

---
 conf/level.secure | 1 +
 conf/level.standard | 1 +
 cron-sh/security_check.sh | 4 ++++
 src/msec/config.py | 3 ++-
 src/msec/libmsec.py | 4 ++++
 5 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/conf/level.secure b/conf/level.secure
index 89c7726..6b6dc25 100644
--- a/conf/level.secure
+++ b/conf/level.secure
@@ -26,6 +26,7 @@ ENABLE_PAM_WHEEL_FOR_SU=yes
 CHECK_SHADOW=yes
 ALLOW_ROOT_LOGIN=no
 CHECK_UNOWNED=yes
+FIX_UNOWNED=yes
 ENABLE_CONSOLE_LOG=no
 ALLOW_USER_LIST=no
 ENABLE_DNS_SPOOFING_PROTECTION=yes
diff --git a/conf/level.standard b/conf/level.standard
index bf4b0f5..6d0d952 100644
--- a/conf/level.standard
+++ b/conf/level.standard
@@ -26,6 +26,7 @@ ENABLE_PAM_WHEEL_FOR_SU=no
 CHECK_SHADOW=yes
 ALLOW_ROOT_LOGIN=yes
 CHECK_UNOWNED=no
+FIX_UNOWNED=yes
 ENABLE_CONSOLE_LOG=yes
 ALLOW_USER_LIST=yes
 ENABLE_DNS_SPOOFING_PROTECTION=yes
diff --git a/cron-sh/security_check.sh b/cron-sh/security_check.sh
index bbff82a..fe1418b 100755
--- a/cron-sh/security_check.sh
+++ b/cron-sh/security_check.sh
@@ -40,7 +40,9 @@ if [[ ${CHECK_UNOWNED} == yes ]]; then
 printf "\t( theses files now have user \"nobody\" as their owner. )\n" >> ${SECURITY}
 cat ${UNOWNED_USER_TODAY} | awk '{print "\t\t- " $0}' >> ${SECURITY}
 cat ${UNOWNED_USER_TODAY} | while read line; do
+ if [[ ${FIX_UNOWNED} == yes ]]; then
 chown nobody "${line}"; # Use quote if filename contain space.
+ fi
 done
 fi
@@ -49,7 +51,9 @@ if [[ ${CHECK_UNOWNED} == yes ]]; then
 printf "\t( theses files now have group \"nogroup\" as their group owner. )\n" >> ${SECURITY}
 cat ${UNOWNED_GROUP_TODAY} | awk '{print "\t\t- " $0}' >> ${SECURITY}
 cat ${UNOWNED_GROUP_TODAY} | while read line; do
+ if [[ ${FIX_UNOWNED} == yes ]]; then
 chgrp nogroup "${line}"; # Use quote if filename contain space.
+ fi
 done
 fi
 fi
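Review bot: The notice at the top of the hunk, `printf "\t( theses files now have user \"nobody\" as their owner. )\n" >> ${SECURITY}`, is still unconditional, so when FIX_UNOWNED is not yes the security report tells the administrator the files were reassigned to nobody although the gated chown never ran; the second hunk at @@ -49,7 has the same problem with the nogroup notice. The new guard is also re-evaluated once per file inside the `while read` loop; hoisting it around the loop and making the notice conditional keeps the report truthful, as sketched below for the owner case (the group case mirrors it). The enclosing `if [[ ${CHECK_UNOWNED} == yes ]]` block starts before the hunk. Since this flag now turns an audit into a write to every listed path, it is worth noting that the unchanged `chown nobody "${line}"` is run without `-h` (a listed symlink would have its target's owner changed) and the list is read with `read` but no `-r`; both predate the commit but deserve hardening while this code is being touched.
```shell
if [[ ${FIX_UNOWNED} == yes ]]; then
    printf "\t( theses files now have user \"nobody\" as their owner. )\n" >> ${SECURITY}
else
    printf "\t( FIX_UNOWNED is not set, their owner was left unchanged. )\n" >> ${SECURITY}
fi
cat ${UNOWNED_USER_TODAY} | awk '{print "\t\t- " $0}' >> ${SECURITY}
if [[ ${FIX_UNOWNED} == yes ]]; then
    cat ${UNOWNED_USER_TODAY} | while read line; do
        chown nobody "${line}"; # Use quote if filename contain space.
    done
fi
```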
diff --git a/src/msec/config.py b/src/msec/config.py
index 37880e7..212b327 100644
--- a/src/msec/config.py
+++ b/src/msec/config.py
@@ -61,6 +61,7 @@ SETTINGS = {'BASE_LEVEL': ("libmsec.base_level",
 'CHECK_SGID' : ("libmsec.check_sgid", ['yes', 'no']),
 'CHECK_WRITABLE' : ("libmsec.check_writable", ['yes', 'no']),
 'CHECK_UNOWNED' : ("libmsec.check_unowned", ['yes', 'no']),
+ 'FIX_UNOWNED' : ("libmsec.fix_unowned", ['yes', 'no']),
 'CHECK_PROMISC' : ("libmsec.check_promisc", ['yes', 'no']),
 'CHECK_OPEN_PORT' : ("libmsec.check_open_port", ['yes', 'no']),
 'CHECK_PASSWD' : ("libmsec.check_passwd", ['yes', 'no']),
@@ -125,7 +126,7 @@ SETTINGS_NETWORK = ["ACCEPT_BOGUS_ERROR_RESPONSES", "ACCEPT_BROADCASTED_ICMP_ECH
 ]
 # periodic checks
 SETTINGS_PERIODIC = ["CHECK_PERMS", "CHECK_USER_FILES", "CHECK_SUID_ROOT", "CHECK_SUID_MD5", "CHECK_SGID",
- "CHECK_WRITABLE", "CHECK_UNOWNED", "CHECK_PROMISC", "CHECK_OPEN_PORT", "CHECK_PASSWD",
+ "CHECK_WRITABLE", "CHECK_UNOWNED", "FIX_UNOWNED", "CHECK_PROMISC", "CHECK_OPEN_PORT", "CHECK_PASSWD",
 "CHECK_SHADOW", "CHECK_CHKROOTKIT", "CHECK_RPM", "CHECK_SHOSTS", "TTY_WARN", "SYSLOG_WARN", "MAIL_EMPTY_CONTENT",
 ]
diff --git a/src/msec/libmsec.py b/src/msec/libmsec.py
index 162cf01..5d5d232 100755
--- a/src/msec/libmsec.py
+++ b/src/msec/libmsec.py
@@ -1420,6 +1420,10 @@ class MSEC:
 """ Enable checking for unowned files."""
 pass
+ def fix_unowned(self, param):
+ """ Fix owner and group of unowned files to use nobody/nogroup."""
+ pass
+
 def check_open_port(self, param):
 """ Enable checking for open network ports."""
 pass
-- 
cgit v1.2.1
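Review bot: The new `fix_unowned` stub's docstring describes an action the method does not perform: like the neighbouring `check_unowned`, its body is `pass`, and the chown/chgrp is carried out by cron-sh/security_check.sh when it reads FIX_UNOWNED, and only inside its `if [[ ${CHECK_UNOWNED} == yes ]]` block. The docstring should say that the method only declares the option and that it depends on CHECK_UNOWNED, e.g. `""" Fix owner and group of unowned files to use nobody/nogroup (applied by the periodic check; no effect unless CHECK_UNOWNED=yes)."""`. That dependency is easy to miss because conf/level.standard in this commit sets FIX_UNOWNED=yes next to CHECK_UNOWNED=no, where the new flag is inert. The class MSEC continues outside the hunk.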