From 27d842aa9fa2e9fc83b49da73bb8cbaea89220e2 Mon Sep 17 00:00:00 2001 From: Yoann Vandoorselaere Date: Wed, 8 Dec 1999 12:00:22 +0000 Subject: *** empty log message *** --- ChangeLog | 4 + cron-sh/diff_check.sh | 236 +++++++++++++++++++++++++++++++++++++++++++++ cron-sh/file_check.sh | 241 ---------------------------------------------- cron-sh/security_check.sh | 1 - init-sh/custom.sh | 124 +++++++++++++++++++++--- init-sh/level1.sh | 2 - init-sh/level2.sh | 3 +- init-sh/level3.sh | 7 +- init-sh/level4.sh | 9 +- init-sh/level5.sh | 7 +- init-sh/lib.sh | 5 +- msec.spec | 9 ++ 12 files changed, 377 insertions(+), 271 deletions(-) create mode 100755 cron-sh/diff_check.sh delete mode 100755 cron-sh/file_check.sh diff --git a/ChangeLog b/ChangeLog index 025a4e3..97c2aa3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,10 @@ * level[1-3].sh: Changed crontab call to file_check.sh from every hour to every midnight ( bug reported by axalon ). * file_check.sh: clean up. + * moved file_check.sh to diff_check.sh and changed + what is related to cron call in level[15].sh + * Added missing configurations question in level custom. + * bug fix. 1999-12-08 Chmouel Boudjnah diff --git a/cron-sh/diff_check.sh b/cron-sh/diff_check.sh new file mode 100755 index 0000000..0388c76 --- /dev/null +++ b/cron-sh/diff_check.sh 
@@ -0,0 +1,236 @@ +#!/bin/bash +# +# is that the check contained in this one ( file_check ) are +# Written by Vandoorselaere Yoann, +# + +if [ -f /etc/security/msec/security.conf ]; then + . /etc/security/msec/security.conf +else + exit 1 +fi + +if [ SECURITY_CHECK == "no" ]; then + exit 0 +fi + +# Modified filters coming from debian security scripts. +CS_NFSAFS='(nfs|afs|xfs|coda)' +CS_TYPES=' type (devpts|auto|proc|msdos|fat|vfat|iso9660|ncpfs|smbfs|'$CS_NFSAFS')' +CS_DEVS='^/dev/fd' +CS_DIRS='on /mnt' +FILTERS="$CS_TYPES|$CS_DEVS|$CS_DIRS" +DIR=`mount | grep -vE "$FILTERS" | cut -d ' ' -f3` +### + +SUID_ROOT_TODAY="/var/log/security/suid_root.today" +SUID_ROOT_YESTERDAY="/var/log/security/suid_root.yesterday" +SUID_ROOT_DIFF="/var/log/security/suid_root.diff" +SUID_GROUP_TODAY="/var/log/security/suid_group.today" +SUID_GROUP_YESTERDAY="/var/log/security/suid_group.yesterday" +SUID_GROUP_DIFF="/var/log/security/suid_group.diff" +SUID_MD5_TODAY="/var/log/security/suid_md5.today" +SUID_MD5_YESTERDAY="/var/log/security/suid_md5.yesterday" +SUID_MD5_DIFF="/var/log/security/suid_md5.diff" +OPEN_PORT_TODAY="/var/log/security/open_port.today" +OPEN_PORT_YESTERDAY="/var/log/security/open_port.yesterday" +OPEN_PORT_DIFF="/var/log/security/open_port.diff" +WRITEABLE_TODAY="/var/log/security/writeable.today" +WRITEABLE_YESTERDAY="/var/log/security/writeable.yesterday" +WRITEABLE_DIFF="/var/log/security/writeable.diff" +UNOWNED_TODAY="/var/log/security/unowned.today" +UNOWNED_YESTERDAY="/var/log/security/unowned.yesterday" +UNOWNED_DIFF="/var/log/security/unowned.diff" + +SECURITY_LOG="/var/log/security.log" +TMP="/tmp/secure.tmp" + +if [ ! 
-d /var/log/security ]; then + mkdir /var/log/security +fi + +chattr -a /var/log/security/ >& /dev/null +chattr -a /var/log/security/* >& /dev/null + +rm -f ${TMP} ${SECURITY_TMP} >& /dev/null + +### Functions ### + +Syslog() { + if [ $SYS_LOG=="yes" ]; then + cat ${1} | while read line; do + /sbin/initlog --string="${line}" + done + fi +} + +Ttylog() { + if [ $TTY_LOG=="yes" ]; then + for i in `w | grep -v "load\|TTY" | awk '{print $2}'` ; do + echo -e "$1" > /dev/$i + done + fi +} + +################## + + +### New Suid root files detection +if [ ${CHECK_SUID_ROOT}=="yes" ]; then + + if [ -f ${SUID_ROOT_TODAY} ]; then + mv ${SUID_ROOT_TODAY} ${SUID_ROOT_YESTERDAY} + fi + + find ${DIR} -xdev -type f -perm +04000 -user root \ + -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" | sort > ${SUID_ROOT_TODAY} + + if [ -f ${SUID_ROOT_YESTERDAY} ]; then + if ! diff -u ${SUID_ROOT_YESTERDAY} ${SUID_ROOT_TODAY} > ${SUID_ROOT_DIFF}; then + printf "\nSecurity Warning: Change in Suid Root files found :\n" >> ${TMP} + grep '^+' ${SUID_ROOT_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do + printf "\t\t- Added suid root files : ${file}.\n" >> ${TMP} + done + grep '^-' ${SUID_ROOT_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do + printf "\t\t- Removed suid root files : ${file}.\n" >> ${TMP} + done + fi + fi +fi + +### New Suid group files detection +if [ ${CHECK_SUID_GROUP} ]; then + if [ -f ${SUID_GROUP_TODAY} ]; then + mv ${SUID_GROUP_TODAY} ${SUID_GROUP_YESTERDAY} + fi + + find ${DIR} -xdev -type f -perm +02000 \ + -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" | sort > ${SUID_GROUP_TODAY} + + if [ -f ${SUID_GROUP_YESTERDAY} ]; then + if ! 
diff -u ${SUID_GROUP_YESTERDAY} ${SUID_GROUP_TODAY} > ${SUID_GROUP_DIFF}; then + printf "\nSecurity Warning: Changes in Suid Group files found :\n" >> ${TMP} + grep '^+' ${SUID_GROUP_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do + printf "\t\t- Added suid group files : ${file}.\n" >> ${TMP} + done + grep '^-' ${SUID_GROUP_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do + printf "\t\t- Removed suid group files : ${file}.\n" >> ${TMP} + done + fi + fi +fi + +### Writable files detection +if [ ${CHECK_WRITEABLE}=="yes" ]; then + + if [ -f ${WRITEABLE_TODAY} ]; then + mv -f ${WRITEABLE_TODAY} ${WRITEABLE_YESTERDAY} + fi + + find ${DIR} -xdev -type f -perm -2 -ls -print | sort > ${WRITEABLE_TODAY} + + if [ -f ${WRITEABLE_YESTERDAY} ]; then + if ! diff -u ${WRITEABLE_YESTERDAY} ${WRITEABLE_TODAY} > ${WRITEABLE_DIFF}; then + printf "\nSecurity Warning: Change in World Writeable Files found :\n" >> ${TMP} + grep '^+' ${WRITEABLE_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do + printf "\t\t- Added writables files : ${file}.\n" >> ${TMP} + done + grep '^-' ${WRITEABLE_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do + printf "\t\t- Removed writables files : ${file}.\n" >> ${TMP} + done + fi + fi +fi + +### Search Non Owned files +if [ ${CHECK_UNOWNED}=="yes" ]; then + + if [ -f ${UNOWNED_TODAY} ]; then + mv -f ${UNOWNED_TODAY} ${UNOWNED_YESTERDAY} + fi + + find ${DIR} -xdev -nouser -print -ls | sort > ${UNOWNED_TODAY} + + if [ -f ${UNOWNED_YESTERDAY} ]; then + if ! 
diff -u ${UNOWNED_YESTERDAY} ${UNOWNED_TODAY} > ${UNOWNED_DIFF}; then + printf "\nSecurity Warning: the following files aren't owned by an user :\n" >> ${TMP} + grep '^+' ${UNOWNED_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do + printf "\t\t- Added un-owned files : ${file}.\n" >> ${TMP} + done + grep '^-' ${UNOWNED_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do + printf "\t\t- Removed un-owned files : ${file}.\n" >> ${TMP} + done + fi + fi + + find ${DIR} -xdev -nogroup -print -ls | sort >> ${UNOWNED_TODAY} + + if [ -f ${UNOWNED_YESTERDAY} ]; then + if ! diff -u ${UNOWNED_YESTERDAY} ${UNOWNED_TODAY} > ${UNOWNED_DIFF}; then + printf "\nSecurity Warning: the following files aren't owned by a group :\n" >> ${TMP} + grep '^+' ${UNOWNED_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do + printf "\t\t- Added un-owned files : ${file}.\n" >> ${TMP} + done + grep '^-' ${UNOWNED_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do + printf "\t\t- Removed un-owned files : ${file}.\n" >> ${TMP} + done + fi + fi +fi + +### Md5 check for SUID root file +if [ ${CHECK_SUID_MD5}=="yes" ]; then + if [ -f ${SUID_MD5_TODAY} ]; then + mv ${SUID_MD5_TODAY} ${SUID_MD5_YESTERDAY} + fi + + touch ${SUID_MD5_TODAY} + awk '{print $12}' ${SUID_ROOT_TODAY} | + while read line; do + md5sum ${line} >> ${SUID_MD5_TODAY} + done + + if [ -f ${SUID_MD5_YESTERDAY} ]; then + if ! 
diff -u ${SUID_MD5_YESTERDAY} ${SUID_MD5_TODAY} > ${SUID_MD5_DIFF}; then + printf "\nSecurity Warning: the md5 checksum for one of your SUID files has changed,\n" >> ${TMP} + printf "\tmaybe an intruder modified one of these suid binary in order to put in a backdoor...\n" >> ${TMP} + grep '^+' ${SUID_MD5_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $2}' | while read file; do + printf "\t\t- Changed ( added ) files : ${file}.\n" >> ${TMP} + done + grep '^-' ${SUID_MD5_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $2}' | while read file; do + printf "\t\t- Changed ( removed ) files : ${file}.\n" >> ${TMP} + done + fi + fi +fi + +### Changed open port +if [ ${CHECK_OPEN_PORT}=="yes" ]; then + if [ -f ${OPEN_PORT_TODAY} ]; then + mv -f ${OPEN_PORT_TODAY} ${OPEN_PORT_YESTERDAY} + fi + + netstat -pvlA inet > ${OPEN_PORT_TODAY}; + + if [ -f ${OPEN_PORT_YESTERDAY} ]; then + if ! diff -u ${OPEN_PORT_YESTERDAY} ${OPEN_PORT_TODAY} 1> ${OPEN_PORT_DIFF}; then + printf "\nSecurity Warning: There is a new port listening on your machine :\n" >> ${TMP} + grep '^+' ${OPEN_PORT_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do + printf "\t\t- Opened ports : ${file}.\n" >> ${TMP} + done + grep '^-' ${OPEN_PORT_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do + printf "\t\t- Closed ports : ${file}.\n" >> ${TMP} + done + fi + fi +fi + +######## Report ###### +if [ -s ${TMP} ]; then + Syslog ${TMP} + Ttylog ${TMP} + date=`date` + echo -n "\n\n*** ${date} ***\n" >> ${SECURITY_LOG} + cat ${TMP} >> ${SECURITY_LOG} + rm -f ${TMP} +fi diff --git a/cron-sh/file_check.sh b/cron-sh/file_check.sh deleted file mode 100755 index 9ff094f..0000000 --- a/cron-sh/file_check.sh +++ /dev/null 
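Review bot: `TMP="/tmp/secure.tmp"` is a fixed name in a world-writable directory that root then appends to with `>>`; any local user can pre-create it as a symlink and have root write the report into an arbitrary file, so it should be created with `TMP=$(mktemp /var/log/security/secure.XXXXXX) || exit 1` after the directory exists, and removed in a `trap`. Separately, every configuration gate of the form `if [ ${CHECK_SUID_ROOT}=="yes" ]` (and `[ SECURITY_CHECK == "no" ]`, `[ $SYS_LOG=="yes" ]`, `[ $TTY_LOG=="yes" ]`) is a single non-empty word, so `[` always succeeds and every check runs whatever security.conf says; they need the spaces and quotes, `if [ "${CHECK_SUID_ROOT}" == "yes" ]; then`. The two `chattr -a` calls strip append-only protection from the baselines and nothing re-applies it after the run, so anyone who gains root can rewrite yesterday's lists to hide a change. `Ttylog ${TMP}` then does `echo -e "$1"`, which sends users the literal path rather than the report; if the report is meant for ttys it should be `cat "${1}" > "/dev/${i}"`, and arguably only to root's sessions. The `-ls` based lists (writeable, unowned) are parsed with `awk '{print $12}'` like the `-printf` lists, but `find -ls` output appears to put the path in a different column, so those warnings may print the wrong field — worth checking the output on a real diff.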
@@ -1,241 +0,0 @@ -#!/bin/bash - -# -# Basic security checking for suid files. -# Written by Vandoorselaere Yoann, -# - -if [ -f /etc/security/msec/security.conf ]; then - . /etc/security/msec/security.conf -else - exit 1 -fi - -if [ SECURITY_CHECK == "no" ]; then - exit 0 -fi - -# Modified filters coming from debian security scripts. -CS_NFSAFS='(nfs|afs|xfs|coda)' -CS_TYPES=' type (devpts|auto|proc|msdos|fat|vfat|iso9660|ncpfs|smbfs|'$CS_NFSAFS')' -CS_DEVS='^/dev/fd' -CS_DIRS='on /mnt' -FILTERS="$CS_TYPES|$CS_DEVS|$CS_DIRS" -DIR=`mount | grep -vE "$FILTERS" | cut -d ' ' -f3` -### - -SUID_ROOT_TODAY="/var/log/security/suid_root.today" -SUID_ROOT_YESTERDAY="/var/log/security/suid_root.yesterday" -SUID_ROOT_DIFF="/var/log/security/suid_root.diff" -SUID_GROUP_TODAY="/var/log/security/suid_group.today" -SUID_GROUP_YESTERDAY="/var/log/security/suid_group.yesterday" -SUID_GROUP_DIFF="/var/log/security/suid_group.diff" -SUID_MD5_TODAY="/var/log/security/suid_md5.today" -SUID_MD5_YESTERDAY="/var/log/security/suid_md5.yesterday" -SUID_MD5_DIFF="/var/log/security/suid_md5.diff" -OPEN_PORT_TODAY="/var/log/security/open_port.today" -OPEN_PORT_YESTERDAY="/var/log/security/open_port.yesterday" -OPEN_PORT_DIFF="/var/log/security/open_port.diff" -WRITEABLE_TODAY="/var/log/security/writeable.today" -WRITEABLE_YESTERDAY="/var/log/security/writeable.yesterday" -WRITEABLE_DIFF="/var/log/security/writeable.diff" -UNOWNED_TODAY="/var/log/security/unowned.today" -UNOWNED_YESTERDAY="/var/log/security/unowned.yesterday" -UNOWNED_DIFF="/var/log/security/unowned.diff" - -SECURITY_LOG="/var/log/security.log" -TMP="/tmp/secure.tmp" - -if [ ! 
-d /var/log/security ]; then - mkdir /var/log/security -fi - -chattr -a /var/log/security/ >& /dev/null -chattr -a /var/log/security/* >& /dev/null - -rm -f ${TMP} ${SECURITY_TMP} >& /dev/null - -### Functions ### - -Syslog() { - if [ $SYS_LOG=="yes" ]; then - cat ${1} | while read line; do - /sbin/initlog --string="${line}" - done - fi -} - -Ttylog() { - if [ $TTY_LOG=="yes" ]; then - for i in `w | grep -v "load\|TTY" | awk '{print $2}'` ; do - echo -e "$1" > /dev/$i - done - fi -} - -################## - - -### New Suid root files detection -if [ ${CHECK_SUID_ROOT}=="yes" ]; then - - if [ -f ${SUID_ROOT_TODAY} ]; then - mv ${SUID_ROOT_TODAY} ${SUID_ROOT_YESTERDAY} - fi - - find ${DIR} -xdev -type f -perm +04000 -user root \ - -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" | sort > ${SUID_ROOT_TODAY} - - if [ -f ${SUID_ROOT_YESTERDAY} ]; then - if ! diff -u ${SUID_ROOT_YESTERDAY} ${SUID_ROOT_TODAY} > ${SUID_ROOT_DIFF}; then - printf "\nSecurity Warning: Change in Suid Root files found :\n" >> ${TMP} - grep '^+' ${SUID_ROOT_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do - printf "\t\t- Added suid root files : ${file}.\n" >> ${TMP} - done - grep '^-' ${SUID_ROOT_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do - printf "\t\t- Removed suid root files : ${file}.\n" >> ${TMP} - done - fi - fi -fi - -### New Suid group files detection -if [ ${CHECK_SUID_GROUP} ]; then - if [ -f ${SUID_GROUP_TODAY} ]; then - mv ${SUID_GROUP_TODAY} ${SUID_GROUP_YESTERDAY} - fi - - find ${DIR} -xdev -type f -perm +02000 \ - -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" | sort > ${SUID_GROUP_TODAY} - - if [ -f ${SUID_GROUP_YESTERDAY} ]; then - if ! 
diff -u ${SUID_GROUP_YESTERDAY} ${SUID_GROUP_TODAY} > ${SUID_GROUP_DIFF}; then - printf "\nSecurity Warning: Changes in Suid Group files found :\n" >> ${TMP} - grep '^+' ${SUID_GROUP_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do - printf "\t\t- Added suid group files : ${file}.\n" >> ${TMP} - done - grep '^-' ${SUID_GROUP_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do - printf "\t\t- Removed suid group files : ${file}.\n" >> ${TMP} - done - fi - fi -fi - -### Writable files detection -if [ ${CHECK_WRITEABLE}=="yes" ]; then - - if [ -f ${WRITEABLE_TODAY} ]; then - mv -f ${WRITEABLE_TODAY} ${WRITEABLE_YESTERDAY} - fi - - find ${DIR} -xdev -type f -perm -2 -ls -print | sort > ${WRITEABLE_TODAY} - - if [ -f ${WRITEABLE_YESTERDAY} ]; then - if ! diff -u ${WRITEABLE_YESTERDAY} ${WRITEABLE_TODAY} > ${WRITEABLE_DIFF}; then - printf "\nSecurity Warning: Change in World Writeable Files found :\n" >> ${TMP} - grep '^+' ${WRITEABLE_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do - printf "\t\t- Added writables files : ${file}.\n" >> ${TMP} - done - grep '^-' ${WRITEABLE_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do - printf "\t\t- Removed writables files : ${file}.\n" >> ${TMP} - done - fi - fi -fi - -### Search Non Owned files -if [ ${CHECK_UNOWNED}=="yes" ]; then - - if [ -f ${UNOWNED_TODAY} ]; then - mv -f ${UNOWNED_TODAY} ${UNOWNED_YESTERDAY} - fi - - find ${DIR} -xdev -nouser -print -ls | sort > ${UNOWNED_TODAY} - - if [ -f ${UNOWNED_YESTERDAY} ]; then - if ! 
diff -u ${UNOWNED_YESTERDAY} ${UNOWNED_TODAY} > ${UNOWNED_DIFF}; then - printf "\nSecurity Warning: the following files aren't owned by an user :\n" >> ${TMP} - grep '^+' ${UNOWNED_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do - printf "\t\t- Added un-owned files : ${file}.\n" >> ${TMP} - done - grep '^-' ${UNOWNED_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do - printf "\t\t- Removed un-owned files : ${file}.\n" >> ${TMP} - done - fi - fi - - find ${DIR} -xdev -nogroup -print -ls | sort >> ${UNOWNED_TODAY} - - if [ -f ${UNOWNED_YESTERDAY} ]; then - if ! diff -u ${UNOWNED_YESTERDAY} ${UNOWNED_TODAY} > ${UNOWNED_DIFF}; then - printf "\nSecurity Warning: the following files aren't owned by a group :\n" >> ${TMP} - grep '^+' ${UNOWNED_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do - printf "\t\t- Added un-owned files : ${file}.\n" >> ${TMP} - done - grep '^-' ${UNOWNED_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do - printf "\t\t- Removed un-owned files : ${file}.\n" >> ${TMP} - done - fi - fi -fi - -### Md5 check for SUID root file -if [ ${CHECK_SUID_MD5}=="yes" ]; then - if [ -f ${SUID_MD5_TODAY} ]; then - mv ${SUID_MD5_TODAY} ${SUID_MD5_YESTERDAY} - fi - - touch ${SUID_MD5_TODAY} - awk '{print $12}' ${SUID_ROOT_TODAY} | - while read line; do - md5sum ${line} >> ${SUID_MD5_TODAY} - done - - if [ -f ${SUID_MD5_YESTERDAY} ]; then - if ! 
diff -u ${SUID_MD5_YESTERDAY} ${SUID_MD5_TODAY} > ${SUID_MD5_DIFF}; then - printf "\nSecurity Warning: the md5 checksum for one of your SUID files has changed,\n" >> ${TMP} - printf "\tmaybe an intruder modified one of these suid binary in order to put in a backdoor...\n" >> ${TMP} - grep '^+' ${SUID_MD5_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $2}' | while read file; do - printf "\t\t- Changed ( added ) files : ${file}.\n" >> ${TMP} - done - grep '^-' ${SUID_MD5_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $2}' | while read file; do - printf "\t\t- Changed ( removed ) files : ${file}.\n" >> ${TMP} - done - fi - fi -fi - -### Changed open port -if [ ${CHECK_OPEN_PORT}=="yes" ]; then - if [ -f ${OPEN_PORT_TODAY} ]; then - mv -f ${OPEN_PORT_TODAY} ${OPEN_PORT_YESTERDAY} - fi - - netstat -pvlA inet > ${OPEN_PORT_TODAY}; - - if [ -f ${OPEN_PORT_YESTERDAY} ]; then - if ! diff -u ${OPEN_PORT_YESTERDAY} ${OPEN_PORT_TODAY} 1> ${OPEN_PORT_DIFF}; then - printf "\nSecurity Warning: There is a new port listening on your machine :\n" >> ${TMP} - grep '^+' ${OPEN_PORT_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do - printf "\t\t- Opened ports : ${file}.\n" >> ${TMP} - done - grep '^-' ${OPEN_PORT_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do - printf "\t\t- Closed ports : ${file}.\n" >> ${TMP} - done - fi - fi -fi - -######## Report ###### -if [ -s ${TMP} ]; then - Syslog ${TMP} - Ttylog ${TMP} - cat ${TMP} >> ${SECURITY_LOG} - rm -f ${TMP} -fi - - -# We launch our other report engine :) -/etc/security/msec/cron-sh/security_check.sh - - diff --git a/cron-sh/security_check.sh b/cron-sh/security_check.sh index 6c174d8..3c72d3d 100755 --- a/cron-sh/security_check.sh +++ b/cron-sh/security_check.sh @@ -1,7 +1,6 @@ #!/bin/bash # -# Basic security checking for suid files. # Written by Vandoorselaere Yoann, # diff --git a/init-sh/custom.sh b/init-sh/custom.sh index feb5fdc..367f5aa 100755 
--- a/init-sh/custom.sh +++ b/init-sh/custom.sh @@ -18,12 +18,14 @@ WaitAnswer; clear if [ ${answer} == "yes" ]; then find /var/log/ -type f -exec chattr +a {} \; fi + ### echo "Do you want all system events to be logged on tty12 ?" WaitAnswer; clear if [ ${answer} == "yes" ]; then AddRules "*.* /dev/tty12" /etc/syslog.conf fi + ### echo "Do you want to deny any machine to connect to yours ?" WaitAnswer @@ -36,6 +38,7 @@ if [ ${answer} == "yes" ]; then AddRules "ALL:ALL:DENY" /etc/hosts.deny fi fi + ### echo "Do you want root console login to be allowed ?" WaitAnswer; clear 
@@ -47,34 +50,71 @@ if [ ${answer} == "yes" ]; then AddRules "tty5" /etc/securetty quiet AddRules "tty6" /etc/securetty fi +### +echo "Do you want your system to daily check important security problem ?" +WaitAnswer; clear +if [ ${answer} == "yes" ]; then + AddRules "CHECK_SECURITY=yes" /etc/security/msec/security.conf + AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/security_check.sh" /etc/crontab +fi + +### +echo "Do you want your system to daily check new open port listening ?" +WaitAnswer; clear +if [ ${answer} == "yes" ]; then + AddRules "CHECK_OPEN_PORT=yes" /etc/security/msec/security.conf + AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/security_check.sh" /etc/crontab + AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/diff_check.sh" /etc/crontab +fi + +### +echo "Do you want your system to check for permission problem ?" +WaitAnswer; clear +if [ ${answer} == "yes" ]; then + AddRules "CHECK_PERMS=yes" /etc/security/msec/security.conf + AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/security_check.sh" /etc/crontab +fi + ### echo "Do you want your system to daily check SUID Root file change ?" WaitAnswer; clear if [ ${answer} == "yes" ]; then AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf - AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab + AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/diff_check.sh" /etc/crontab +fi + +### +echo "Do you want your system to daily check suid files md5 checksum changes ?" +WaitAnswer; clear +if [ ${answer} == "yes" ]; then + AddRules "CHECK_SUID_MD5=yes" /etc/security/msec/security.conf + AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/diff_check.sh" /etc/crontab fi + ### echo "Do you want your system to daily check SUID Group file change ?" 
WaitAnswer; clear if [ ${answer} == "yes" ]; then AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf - AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab + AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/diff_check.sh" /etc/crontab fi + ### -echo "Do you want your system to daily check Writable file change ?" +echo "Do you want your system to daily check Writeable file change ?" WaitAnswer; clear if [ ${answer} == "yes" ]; then AddRules "CHECK_WRITEABLE=yes" /etc/security/msec/security.conf - AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab + AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/diff_check.sh" /etc/crontab fi + ### echo "Do you want your system to daily check Unowned file change ?" WaitAnswer; clear if [ ${answer} == "yes" ]; then AddRules "CHECK_UNOWNED=yes" /etc/security/msec/security.conf - AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab + AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/diff_check.sh" /etc/crontab fi + ### echo "Do you want your system to verify every minutes if a network interface" echo "is in promiscuous state (which mean someone is probably running a sniffer on your machine ) ?" 
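Review bot: The first new question writes `CHECK_SECURITY=yes` to security.conf, but diff_check.sh in this same commit tests `SECURITY_CHECK`, so the switch it is meant to drive is never read; pick one spelling (the script's `SECURITY_CHECK=yes`) and use it in both places. Every question here says "daily", yet each crontab line added is `0 0-23 * * *`, i.e. hourly — the ChangeLog in this commit says the level scripts were moved to midnight for exactly that reason, so these should read `AddRules "0 0 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/diff_check.sh" /etc/crontab`. The open-port question also schedules security_check.sh although the open-port diff lives in diff_check.sh, and unless AddRules de-duplicates, answering several questions inserts the same crontab line repeatedly. The enclosing script continues past the hunk.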
@@ -84,23 +124,81 @@ if [ ${answer} == "yes" ]; then AddRules "*/1 * * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/promisc_check.sh" /etc/crontab fi ### + LiloUpdate; /sbin/lilo >& /dev/null + ### -echo "Do you want a "." in your PATH variable ?" -echo "This permit you to not use ./progname & to just type progname" -echo "However this is a *high* security risk." +echo "Do you want to disable your running server ( except important one )" +echo "This is only valuable for server installed with rpm." WaitAnswer; clear if [ ${answer} == "yes" ]; then - AddRules "PATH=\$PATH:/usr/X11R6/bin" /etc/profile + echo -n "Disabling all service, except : {" + for service in `chkconfig --list | awk '{print $1}'`; do + if grep -qx ${service} /etc/security/msec/init-sh/server.5 | grep -v "^#"; + then + echo -n " ${service}" + fi + done + echo " } : " + + for service in `chkconfig --list | awk '{print $1}'`; do + chkconfig --del "${service}" + if ! chkconfig --msec --add "${service}"; then + echo -e "\t- Services ${service} is now disabled." + fi + done + echo -e "done.\n"; fi + ### -AddRules "SECURE_LEVEL=\"custom\"" /etc/profile -export SECURE_LEVEL="custom" -### -AddRules "umask 077" /etc/profile +echo "Do you want to disallow rpm to automatically enable a new installed server for run on next reboot ?" +echo "yes = you will need to chkconfig (--add ) servername for the server to run on boot." +echo "no = rpm will do it for you, but you have less control of what is running on your machine." +WaitAnswer; clear +if [ ${answer} == "yes" ]; then + export SECURE_LEVEL="4" + AddRules "SECURE_LEVEL=\"4\"" /etc/profile +else + AddRules "SECURE_LEVEL=\"3\"" /etc/profile +fi +### +echo "Do you want an easy, normal, restricted, or paranoid umask ?" 
+echo "easy ( 002 ) = user = rwx, group = rwx, other = rx" +echo "normal ( 022 ) = user = rwx, group = rx, other = rx" +echo "restricted ( for users ) ( 077 ) = user = rwx, group =, other =" +echo "restricted ( for root ) ( 022 ) = user = rwx, = group = rx, other = rx" +echo "paranoid ( 077 ) = user = rwx, group = , other =" +answer="nothing" +while [[ "${answer}" != "easy" && "${answer}" != "normal" && "${answer} != "restricted" && "${answer}" != "paranoid" ]]; do + echo -n "easy/normal/restricted/paranoid : " + read answer +done +case "${answer}" in + "easy") + AddRules "umask 002" /etc/profile + ;; + "normal") + AddRules "umask 022" /etc/profile + ;; + "restricted") + AddRules "if [ \${UID} == 0 ]; then umask 022; else umask 077; fi" /etc/profile + ;; + "paranoid") + AddRules "umask 077" /etc/profile + ;; +### +echo "Do you want a "." in your PATH variable ?" +echo "This permit you to not use ./progname & to just type progname" +echo "However this is a *high* security risk." +WaitAnswer; clear +if [ ${answer} == "yes" ]; then + AddRules "PATH=\$PATH:/usr/X11R6/bin:/usr/games:." /etc/profile +else + AddRules "PATH=\$PATH:/usr/X11R6/bin:/usr/games" /etc/profile +fi diff --git a/init-sh/level1.sh b/init-sh/level1.sh index b652fc6..a0cd43c 100755 --- a/init-sh/level1.sh +++ b/init-sh/level1.sh @@ -40,8 +40,6 @@ echo -e "\t- Check promiscuous mode : no." AddRules "CHECK_PROMISC=no" /etc/security/msec/security.conf quiet echo -e "\t- Check listening port : no." AddRules "CHECK_OPEN_PORT=no" /etc/security/msec/security.conf quiet -echo -e "\t- Check for dangerous .[sr]hosts file : no." - AddRules "CHECK_RHOST=no" /etc/security/msec/security.conf quiet echo -e "\t- Check passwd file integrity : no." AddRules "CHECK_PASSWD=no" /etc/security/msec/security.conf quiet echo -e "\t- Check shadow file integrity : no." diff --git a/init-sh/level2.sh b/init-sh/level2.sh index 1e6d605..20f3298 100755 --- a/init-sh/level2.sh +++ b/init-sh/level2.sh 
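Review bot: Two syntax errors in the new umask block will make bash refuse to run custom.sh at all: the `while [[ ... ]]` condition has an unbalanced quote in `"${answer} != "restricted"` (should be `"${answer}" != "restricted"`), and `case "${answer}" in` is never closed — an `esac` is needed before the `### ... "." in your PATH` question. In the service-disabling loop, `if grep -qx ${service} ... | grep -v "^#"` tests the exit status of the second grep, which reads nothing from `-q` and so always fails; the exception list is never printed, and the loop then runs `chkconfig --del` on every service unconditionally, so whether the exceptions survive depends entirely on `chkconfig --msec --add`, which is not visible here. Also note the "." answer now appends `.` to PATH in /etc/profile for every user including root; the prompt warns it is a high risk, but consider at least excluding UID 0 with `if [ \${UID} != 0 ]; then PATH=\$PATH:.; fi`, as the restricted-umask branch already does for its own setting.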
@@ -40,8 +40,6 @@ echo -e "\t- Check promiscuous mode : no." AddRules "CHECK_PROMISC=no" /etc/security/msec/security.conf quiet echo -e "\t- Check listening port : no." AddRules "CHECK_OPEN_PORT=no" /etc/security/msec/security.conf quiet -echo -e "\t- Check for dangerous .[sr]hosts file : no." - AddRules "CHECK_RHOST=no" /etc/security/msec/security.conf quiet echo -e "\t- Check passwd file integrity : no." AddRules "CHECK_PASSWD=no" /etc/security/msec/security.conf quiet echo -e "\t- Check shadow file integrity : no." @@ -66,6 +64,7 @@ AddRules "umask 022" /etc/profile echo "Adding \"normal\" PATH variable :" AddRules "PATH=\$PATH:/usr/X11R6/bin:/usr/games" /etc/profile quiet AddRules "export PATH SECURE_LEVEL" /etc/profile + # Group echo -n "Adding \"${DRAKX_USERS}\" to audio group :" for user in ${DRAKX_USERS}; do diff --git a/init-sh/level3.sh b/init-sh/level3.sh index 5859689..3d33690 100755 --- a/init-sh/level3.sh +++ b/init-sh/level3.sh @@ -41,11 +41,9 @@ echo -e "\t- Check world writable file : yes." echo -e "\t- Check unowned file : no." AddRules "CHECK_UNOWNED=no" /etc/security/msec/security.conf quiet echo -e "\t- Check promiscuous mode : no." - AddRules "CHECK_PROMISC=yes" /etc/security/msec/security.conf quiet + AddRules "CHECK_PROMISC=no" /etc/security/msec/security.conf quiet echo -e "\t- Check listening port : yes." AddRules "CHECK_OPEN_PORT=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check for dangerous .[sr]hosts file : yes." - AddRules "CHECK_RHOST=yes" /etc/security/msec/security.conf quiet echo -e "\t- Check passwd file integrity : yes." AddRules "CHECK_PASSWD=yes" /etc/security/msec/security.conf quiet echo -e "\t- Check shadow file integrity : yes." 
@@ -58,7 +56,8 @@ echo -e "\t- Security warning in syslog : \"yes\" :" # Crontab echo "Adding permission check in crontab (scheduled every midnight) :" -AddRules "0 0 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab +AddRules "0 0 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/diff_check.sh" /etc/crontab +AddRules "0 0 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/security_check.sh" /etc/crontab echo -n "Running lilo to record new config : " /sbin/lilo >& /dev/null diff --git a/init-sh/level4.sh b/init-sh/level4.sh index 00ea93d..6745ae5 100755 --- a/init-sh/level4.sh +++ b/init-sh/level4.sh @@ -54,8 +54,6 @@ echo -e "\t- Check promiscuous mode : yes." AddRules "CHECK_PROMISC=yes" /etc/security/msec/security.conf quiet echo -e "\t- Check listening port : yes." AddRules "CHECK_OPEN_PORT=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check for dangerous .[sr]hosts file : yes." - AddRules "CHECK_RHOST=yes" /etc/security/msec/security.conf quiet echo -e "\t- Check passwd file integrity : yes." AddRules "CHECK_PASSWD=yes" /etc/security/msec/security.conf quiet echo -e "\t- Check shadow file integrity : yes." 
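Review bot: diff_check.sh and security_check.sh are now scheduled at the same minute (`0 0 * * *`), whereas the deleted file_check.sh ran security_check.sh only after its own report was finished. If security_check.sh shares the `/tmp/secure.tmp` scratch file or the /var/log/security baselines (its body is not in this diff), the two root cron jobs will race on them; stagger them, e.g. `AddRules "30 0 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/security_check.sh" /etc/crontab`, or keep the chained call. The echo above still says "permission check" although two different checks are being added.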
@@ -70,8 +68,11 @@ echo -e "\t- Security warning in syslog : \"yes\" :" echo "Adding promisc check in crontab (scheduled every minutes) :" AddRules "*/1 * * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/promisc_check.sh" /etc/crontab -echo "Adding permission check in crontab (scheduled every midnight) :" -AddRules "0 0 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab +echo "Adding \"diff\" security check in crontab (scheduled every midnight) :" +AddRules "0 0 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/diff_check.sh" /etc/crontab + +echo "Adding \"global\" security check in crontab (scheduled every midnight) :" +AddRules "0 0 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/security_check.sh" /etc/crontab # Do you want a password ? LiloUpdate; diff --git a/init-sh/level5.sh b/init-sh/level5.sh index 272267f..33ad73b 100755 --- a/init-sh/level5.sh +++ b/init-sh/level5.sh @@ -45,8 +45,6 @@ echo -e "\t- Check promiscuous mode : yes." AddRules "CHECK_PROMISC=yes" /etc/security/msec/security.conf quiet echo -e "\t- Check listening port : yes." AddRules "CHECK_OPEN_PORT=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check for dangerous .[sr]hosts file : yes." - AddRules "CHECK_RHOST=yes" /etc/security/msec/security.conf quiet echo -e "\t- Check passwd file integrity : yes." AddRules "CHECK_PASSWD=yes" /etc/security/msec/security.conf quiet echo -e "\t- Check shadow file integrity : yes." 
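Review bot: Both new cron entries fire at `0 0 * * *`, so diff_check.sh and security_check.sh now start concurrently as root rather than one after the other as the removed file_check.sh did. If they share scratch files or the /var/log/security baselines (security_check.sh is not shown), they will race; give the second job a later minute, e.g. `AddRules "30 0 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/security_check.sh" /etc/crontab`.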
@@ -62,8 +60,11 @@ echo -e "\t- Security warning in syslog : \"yes\" :" echo "Adding promisc check in crontab (scheduled every minutes) :" AddRules "*/1 * * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/promisc_check.sh" /etc/crontab -echo "Adding permission check in crontab (schedued every midnight) :" +echo "Adding \"diff\" security check in crontab (scheduled every midnight) :" AddRules "0 0 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab + +echo "Adding \"global\" security check in crontab (scheduled every midnight) :" +AddRules "0 0 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/security_check.sh" /etc/crontab ################################################### # Wanna a password ? diff --git a/init-sh/lib.sh b/init-sh/lib.sh index 971a228..07a0507 100644 --- a/init-sh/lib.sh +++ b/init-sh/lib.sh @@ -99,7 +99,7 @@ Syslog() { Ttylog() { if [ "${TTY_LOG}" == "yes" ]; then - for i in `w | grep -v "load\|TTY" | awk '{print $2}'` ; do + w | grep -v "load\|TTY" | awk '{print $2}' | while read line; do echo -e ${1} > /dev/$i done fi @@ -166,6 +166,7 @@ CleanRules /etc/profile CleanRules /etc/lilo.conf CleanRules /etc/rc.d/rc.firewall CleanRules /etc/crontab +CleanRules /etc/security/msec/security.users echo -e "\nStarting to reconfigure the system : " @@ -188,6 +189,8 @@ if [ ! -f /tmp/secure.DrakX ]; then echo "Problem removing user \"${user}\" from group audio." fi done +else + AddRules "${DRAKX_USERS}" /etc/security/msec/security.conf fi diff --git a/msec.spec b/msec.spec index 934be3c..0c8729c 100644 --- a/msec.spec +++ b/msec.spec 
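Review bot: level5.sh still schedules `/etc/security/msec/cron-sh/file_check.sh`, which this commit deletes (`delete mode 100755 cron-sh/file_check.sh`), so at the highest security level the "diff" check will never run — only the echo text was updated. The line should become `AddRules "0 0 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/diff_check.sh" /etc/crontab`, as level3.sh and level4.sh do in this same commit. Cron will mail a "No such file" error to root nightly, but nothing else flags the gap.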
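Review bot: In lib.sh's `Ttylog`, the loop variable changed from `i` to `line` but the body still writes to `/dev/$i`; `$i` is now unset, so every message is redirected to `/dev/` and fails on a directory. The body should be `echo -e "${1}" > "/dev/${line}"`. Quoting `${1}` also stops the message being word-split and glob-expanded before it reaches the tty.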
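Review bot: `AddRules "${DRAKX_USERS}" /etc/security/msec/security.conf` appends a bare line of user names to security.conf, a file that diff_check.sh sources with `. /etc/security/msec/security.conf`; a line such as `alice bob` would then be executed as a command named `alice` from root's cron job. The `CleanRules /etc/security/msec/security.users` added just above suggests the intended target is `AddRules "${DRAKX_USERS}" /etc/security/msec/security.users`; if the value really must live in security.conf it needs to be an assignment, e.g. `DRAKX_USERS="${DRAKX_USERS}"`. The enclosing `if [ ! -f /tmp/secure.DrakX ]` block begins outside the hunk.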
@@ -35,6 +35,15 @@ rm -rf $RPM_BUILD_ROOT /usr/bin/promisc_check %changelog +* Wed Dec 8 1999 Yoann Vandoorselaere + - level[1-3].sh: Changed crontab call to file_check.sh + from every hour to every midnight ( bug reported by axalon ). + - diff_check.sh: clean up. + - moved file_check.sh to diff_check.sh and changed + what is related to cron call in level[15].sh + - Added missing configurations question in level custom. + - bug fix. + * Wed Dec 8 1999 Chmouel Boudjnah - Various (Makefile|specfiles) clean-up. - insert doc. -- cgit v1.2.1