From 808c8c9ee57499a1f4a4af480df3eddce1725f9f Mon Sep 17 00:00:00 2001
From: Eugeni Dodonov
Date: Wed, 10 Feb 2010 14:32:29 +0000
Subject: Properly log execution results for different check periods
---
 cron-sh/scripts/01_files.sh | 38 +++++++++++++++++++-------------------
 cron-sh/scripts/02_network.sh | 14 +++++++-------
 cron-sh/scripts/03_rpm.sh | 20 ++++++++++----------
 cron-sh/scripts/04_rootkit.sh | 8 ++++----
 cron-sh/scripts/05_access.sh | 14 +++++++-------
 cron-sh/scripts/06_sectool.sh | 8 ++++----
 cron-sh/security.sh | 3 +++
 7 files changed, 54 insertions(+), 51 deletions(-)
diff --git a/cron-sh/scripts/01_files.sh b/cron-sh/scripts/01_files.sh
index f3853ad..64d82e7 100755
--- a/cron-sh/scripts/01_files.sh
+++ b/cron-sh/scripts/01_files.sh
@@ -2,31 +2,31 @@
 # msec: security check for suid_root binaries
 # check if we are run from main script
-if [ -z "$MSEC_TMP" -o -z "$INFOS" -o -z "$SECURITY" -o -z "$DIFF" -o -z "$SECURITY_LOG" ]; then
+if [ -z "$MSEC_TMP" -o -z "$INFOS" -o -z "$SECURITY" -o -z "$DIFF" -o -z "$SECURITY_LOG" -o -z "${CURRENT_CHECK_TYPE}" ]; then
 # variables are set in security.sh and propagated to the subscripts
 echo "Error: this check should be run by the main msec security check!"
 echo " do not run it directly unless you know what you are doing."
 return 1
 fi
-export SUID_ROOT_TODAY="/var/log/security/suid_root.today"
-SUID_ROOT_YESTERDAY="/var/log/security/suid_root.yesterday"
-SUID_ROOT_DIFF="/var/log/security/suid_root.diff"
-export SGID_TODAY="/var/log/security/sgid.today"
-SGID_YESTERDAY="/var/log/security/sgid.yesterday"
-SGID_DIFF="/var/log/security/sgid.diff"
-export SUID_MD5_TODAY="/var/log/security/suid_md5.today"
-SUID_MD5_YESTERDAY="/var/log/security/suid_md5.yesterday"
-SUID_MD5_DIFF="/var/log/security/suid_md5.diff"
-export WRITABLE_TODAY="/var/log/security/writable.today"
-WRITABLE_YESTERDAY="/var/log/security/writable.yesterday"
-WRITABLE_DIFF="/var/log/security/writable.diff"
-export UNOWNED_USER_TODAY="/var/log/security/unowned_user.today"
-UNOWNED_USER_YESTERDAY="/var/log/security/unowned_user.yesterday"
-UNOWNED_USER_DIFF="/var/log/security/unowned_user.diff"
-export UNOWNED_GROUP_TODAY="/var/log/security/unowned_group.today"
-UNOWNED_GROUP_YESTERDAY="/var/log/security/unowned_group.yesterday"
-UNOWNED_GROUP_DIFF="/var/log/security/unowned_group.diff"
+export SUID_ROOT_TODAY="/var/log/security/suid_root.${CURRENT_CHECK_TYPE}.today"
+SUID_ROOT_YESTERDAY="/var/log/security/suid_root.${CURRENT_CHECK_TYPE}.yesterday"
+SUID_ROOT_DIFF="/var/log/security/suid_root.${CURRENT_CHECK_TYPE}.diff"
+export SGID_TODAY="/var/log/security/sgid.${CURRENT_CHECK_TYPE}.today"
+SGID_YESTERDAY="/var/log/security/sgid.${CURRENT_CHECK_TYPE}.yesterday"
+SGID_DIFF="/var/log/security/sgid.${CURRENT_CHECK_TYPE}.diff"
+export SUID_MD5_TODAY="/var/log/security/suid_md5.${CURRENT_CHECK_TYPE}.today"
+SUID_MD5_YESTERDAY="/var/log/security/suid_md5.${CURRENT_CHECK_TYPE}.yesterday"
+SUID_MD5_DIFF="/var/log/security/suid_md5.${CURRENT_CHECK_TYPE}.diff"
+export WRITABLE_TODAY="/var/log/security/writable.${CURRENT_CHECK_TYPE}.today"
+WRITABLE_YESTERDAY="/var/log/security/writable.${CURRENT_CHECK_TYPE}.yesterday"
+WRITABLE_DIFF="/var/log/security/writable.${CURRENT_CHECK_TYPE}.diff"
+export UNOWNED_USER_TODAY="/var/log/security/unowned_user.${CURRENT_CHECK_TYPE}.today"
+UNOWNED_USER_YESTERDAY="/var/log/security/unowned_user.${CURRENT_CHECK_TYPE}.yesterday"
+UNOWNED_USER_DIFF="/var/log/security/unowned_user.${CURRENT_CHECK_TYPE}.diff"
+export UNOWNED_GROUP_TODAY="/var/log/security/unowned_group.${CURRENT_CHECK_TYPE}.today"
+UNOWNED_GROUP_YESTERDAY="/var/log/security/unowned_group.${CURRENT_CHECK_TYPE}.yesterday"
+UNOWNED_GROUP_DIFF="/var/log/security/unowned_group.${CURRENT_CHECK_TYPE}.diff"
 if [[ -f ${SUID_ROOT_TODAY} ]]; then
 mv ${SUID_ROOT_TODAY} ${SUID_ROOT_YESTERDAY};
diff --git a/cron-sh/scripts/02_network.sh b/cron-sh/scripts/02_network.sh
index 7e41d48..f0519ae 100755
--- a/cron-sh/scripts/02_network.sh
+++ b/cron-sh/scripts/02_network.sh
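Review bot: `${CURRENT_CHECK_TYPE}` goes unvalidated into every state-file path from `+export SUID_ROOT_TODAY=` onward, and the unchanged `mv ${SUID_ROOT_TODAY} ${SUID_ROOT_YESTERDAY};` context line expands those paths unquoted, so the guard's `-z` test only rules out the empty value; a value containing whitespace, `/` or `..` would silently relocate the baseline files outside `/var/log/security/`. Because `current_check_type` lives in functions.sh outside this diff, a defensive allow-list next to the guard, e.g. `case "${CURRENT_CHECK_TYPE}" in *[!A-Za-z0-9_-]*|"") return 1 ;; esac`, would pin that contract in the subscript itself. The same pattern is repeated in 02_network.sh, 03_rpm.sh, 04_rootkit.sh, 05_access.sh and 06_sectool.sh, so a single shared check in security.sh before the subscripts run would cover all of them. Separately, the renamed `.today` files start without a matching `.yesterday` counterpart and the old `suid_root.today`-style files appear to be left behind rather than migrated, so the first run after this change will presumably diff against nothing; a one-off rename of the old files into the new naming scheme would preserve the baseline.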
@@ -2,19 +2,19 @@
 # msec: network security checks
 # check if we are run from main script
-if [ -z "$MSEC_TMP" -o -z "$INFOS" -o -z "$SECURITY" -o -z "$DIFF" -o -z "$SECURITY_LOG" ]; then
+if [ -z "$MSEC_TMP" -o -z "$INFOS" -o -z "$SECURITY" -o -z "$DIFF" -o -z "$SECURITY_LOG" -o -z "${CURRENT_CHECK_TYPE}" ]; then
 # variables are set in security.sh and propagated to the subscripts
 echo "Error: this check should be run by the main msec security check!"
 echo " do not run it directly unless you know what you are doing."
 return 1
 fi
-export OPEN_PORT_TODAY="/var/log/security/open_port.today"
-OPEN_PORT_YESTERDAY="/var/log/security/open_port.yesterday"
-OPEN_PORT_DIFF="/var/log/security/open_port.diff"
-export FIREWALL_TODAY="/var/log/security/firewall.today"
-FIREWALL_YESTERDAY="/var/log/security/firewall.yesterday"
-FIREWALL_DIFF="/var/log/security/firewall.diff"
+export OPEN_PORT_TODAY="/var/log/security/open_port.${CURRENT_CHECK_TYPE}.today"
+OPEN_PORT_YESTERDAY="/var/log/security/open_port.${CURRENT_CHECK_TYPE}.yesterday"
+OPEN_PORT_DIFF="/var/log/security/open_port.${CURRENT_CHECK_TYPE}.diff"
+export FIREWALL_TODAY="/var/log/security/firewall.${CURRENT_CHECK_TYPE}.today"
+FIREWALL_YESTERDAY="/var/log/security/firewall.${CURRENT_CHECK_TYPE}.yesterday"
+FIREWALL_DIFF="/var/log/security/firewall.${CURRENT_CHECK_TYPE}.diff"
 if [[ -f ${OPEN_PORT_TODAY} ]]; then
 mv -f ${OPEN_PORT_TODAY} ${OPEN_PORT_YESTERDAY}
diff --git a/cron-sh/scripts/03_rpm.sh b/cron-sh/scripts/03_rpm.sh
index cc6beea..f303ee2 100755
--- a/cron-sh/scripts/03_rpm.sh
+++ b/cron-sh/scripts/03_rpm.sh
@@ -2,22 +2,22 @@
 # msec: rpm security check
 # check if we are run from main script
-if [ -z "$MSEC_TMP" -o -z "$INFOS" -o -z "$SECURITY" -o -z "$DIFF" -o -z "$SECURITY_LOG" ]; then
+if [ -z "$MSEC_TMP" -o -z "$INFOS" -o -z "$SECURITY" -o -z "$DIFF" -o -z "$SECURITY_LOG" -o -z "${CURRENT_CHECK_TYPE}" ]; then
 # variables are set in security.sh and propagated to the subscripts
 echo "Error: this check should be run by the main msec security check!"
 echo " do not run it directly unless you know what you are doing."
 return 1
 fi
-export RPM_VA_TODAY="/var/log/security/rpm-va.today"
-RPM_VA_YESTERDAY="/var/log/security/rpm-va.yesterday"
-RPM_VA_DIFF="/var/log/security/rpm-va.diff"
-export RPM_VA_CONFIG_TODAY="/var/log/security/rpm-va-config.today"
-RPM_VA_CONFIG_YESTERDAY="/var/log/security/rpm-va-config.yesterday"
-RPM_VA_CONFIG_DIFF="/var/log/security/rpm-va-config.diff"
-export RPM_QA_TODAY="/var/log/security/rpm-qa.today"
-RPM_QA_YESTERDAY="/var/log/security/rpm-qa.yesterday"
-RPM_QA_DIFF="/var/log/security/rpm-qa.diff"
+export RPM_VA_TODAY="/var/log/security/rpm-va.${CURRENT_CHECK_TYPE}.today"
+RPM_VA_YESTERDAY="/var/log/security/rpm-va.${CURRENT_CHECK_TYPE}.yesterday"
+RPM_VA_DIFF="/var/log/security/rpm-va.${CURRENT_CHECK_TYPE}.diff"
+export RPM_VA_CONFIG_TODAY="/var/log/security/rpm-va-config.${CURRENT_CHECK_TYPE}.today"
+RPM_VA_CONFIG_YESTERDAY="/var/log/security/rpm-va-config.${CURRENT_CHECK_TYPE}.yesterday"
+RPM_VA_CONFIG_DIFF="/var/log/security/rpm-va-config.${CURRENT_CHECK_TYPE}.diff"
+export RPM_QA_TODAY="/var/log/security/rpm-qa.${CURRENT_CHECK_TYPE}.today"
+RPM_QA_YESTERDAY="/var/log/security/rpm-qa.${CURRENT_CHECK_TYPE}.yesterday"
+RPM_QA_DIFF="/var/log/security/rpm-qa.${CURRENT_CHECK_TYPE}.diff"
 if [[ -f ${RPM_VA_TODAY} ]]; then
 mv -f ${RPM_VA_TODAY} ${RPM_VA_YESTERDAY}
diff --git a/cron-sh/scripts/04_rootkit.sh b/cron-sh/scripts/04_rootkit.sh
index b8f598a..aca690d 100755
--- a/cron-sh/scripts/04_rootkit.sh
+++ b/cron-sh/scripts/04_rootkit.sh
@@ -2,16 +2,16 @@
 # msec: rootkit security check
 # check if we are run from main script
-if [ -z "$MSEC_TMP" -o -z "$INFOS" -o -z "$SECURITY" -o -z "$DIFF" -o -z "$SECURITY_LOG" ]; then
+if [ -z "$MSEC_TMP" -o -z "$INFOS" -o -z "$SECURITY" -o -z "$DIFF" -o -z "$SECURITY_LOG" -o -z "${CURRENT_CHECK_TYPE}" ]; then
 # variables are set in security.sh and propagated to the subscripts
 echo "Error: this check should be run by the main msec security check!"
 echo " do not run it directly unless you know what you are doing."
 return 1
 fi
-export CHKROOTKIT_TODAY="/var/log/security/chkrootkit.today"
-CHKROOTKIT_YESTERDAY="/var/log/security/chkrootkit.yesterday"
-CHKROOTKIT_DIFF="/var/log/security/chkrootkit.diff"
+export CHKROOTKIT_TODAY="/var/log/security/chkrootkit.${CURRENT_CHECK_TYPE}.today"
+CHKROOTKIT_YESTERDAY="/var/log/security/chkrootkit.${CURRENT_CHECK_TYPE}.yesterday"
+CHKROOTKIT_DIFF="/var/log/security/chkrootkit.${CURRENT_CHECK_TYPE}.diff"
 if [[ -f ${CHKROOTKIT_TODAY} ]]; then
 mv ${CHKROOTKIT_TODAY} ${CHKROOTKIT_YESTERDAY};
diff --git a/cron-sh/scripts/05_access.sh b/cron-sh/scripts/05_access.sh
index 4fe5d82..f256b7d 100755
--- a/cron-sh/scripts/05_access.sh
+++ b/cron-sh/scripts/05_access.sh
@@ -2,7 +2,7 @@
 # msec: system access
 # check if we are run from main script
-if [ -z "$MSEC_TMP" -o -z "$INFOS" -o -z "$SECURITY" -o -z "$DIFF" -o -z "$SECURITY_LOG" ]; then
+if [ -z "$MSEC_TMP" -o -z "$INFOS" -o -z "$SECURITY" -o -z "$DIFF" -o -z "$SECURITY_LOG" -o -z "${CURRENT_CHECK_TYPE}" ]; then
 # variables are set in security.sh and propagated to the subscripts
 echo "Error: this check should be run by the main msec security check!"
 echo " do not run it directly unless you know what you are doing."
@@ -10,9 +10,9 @@ if [ -z "$MSEC_TMP" -o -z "$INFOS" -o -z "$SECURITY" -o -z "$DIFF" -o -z "$SECUR
 fi
 # check for changes in users
-USERS_LIST_TODAY="/var/log/security/users_list.today"
-USERS_LIST_YESTERDAY="/var/log/security/users_list.yesterday"
-USERS_LIST_DIFF="/var/log/security/users_list.diff"
+USERS_LIST_TODAY="/var/log/security/users_list.${CURRENT_CHECK_TYPE}.today"
+USERS_LIST_YESTERDAY="/var/log/security/users_list.${CURRENT_CHECK_TYPE}.yesterday"
+USERS_LIST_DIFF="/var/log/security/users_list.${CURRENT_CHECK_TYPE}.diff"
 if [[ -f ${USERS_LIST_TODAY} ]]; then
 mv ${USERS_LIST_TODAY} ${USERS_LIST_YESTERDAY};
@@ -27,9 +27,9 @@ if check_is_enabled "${CHECK_USERS}" ; then
 fi
 # check for changes in groups
-GROUPS_LIST_TODAY="/var/log/security/groups_list.today"
-GROUPS_LIST_YESTERDAY="/var/log/security/groups_list.yesterday"
-GROUPS_LIST_DIFF="/var/log/security/groups_list.diff"
+GROUPS_LIST_TODAY="/var/log/security/groups_list.${CURRENT_CHECK_TYPE}.today"
+GROUPS_LIST_YESTERDAY="/var/log/security/groups_list.${CURRENT_CHECK_TYPE}.yesterday"
+GROUPS_LIST_DIFF="/var/log/security/groups_list.${CURRENT_CHECK_TYPE}.diff"
 if [[ -f ${GROUPS_LIST_TODAY} ]]; then
 mv ${GROUPS_LIST_TODAY} ${GROUPS_LIST_YESTERDAY};
diff --git a/cron-sh/scripts/06_sectool.sh b/cron-sh/scripts/06_sectool.sh
index 6888e17..ef9fe6d 100755
--- a/cron-sh/scripts/06_sectool.sh
+++ b/cron-sh/scripts/06_sectool.sh
@@ -2,7 +2,7 @@
 # msec: sectool check
 # check if we are run from main script
-if [ -z "$MSEC_TMP" -o -z "$INFOS" -o -z "$SECURITY" -o -z "$DIFF" -o -z "$SECURITY_LOG" ]; then
+if [ -z "$MSEC_TMP" -o -z "$INFOS" -o -z "$SECURITY" -o -z "$DIFF" -o -z "$SECURITY_LOG" -o -z "${CURRENT_CHECK_TYPE}" ]; then
 # variables are set in security.sh and propagated to the subscripts
 echo "Error: this check should be run by the main msec security check!"
 echo " do not run it directly unless you know what you are doing."
@@ -10,9 +10,9 @@ if [ -z "$MSEC_TMP" -o -z "$INFOS" -o -z "$SECURITY" -o -z "$DIFF" -o -z "$SECUR
 fi
 # check for changes in users
-SECTOOL_TODAY="/var/log/security/sectool.today"
-SECTOOL_YESTERDAY="/var/log/security/sectool.yesterday"
-SECTOOL_DIFF="/var/log/security/sectool.diff"
+SECTOOL_TODAY="/var/log/security/sectool.${CURRENT_CHECK_TYPE}.today"
+SECTOOL_YESTERDAY="/var/log/security/sectool.${CURRENT_CHECK_TYPE}.yesterday"
+SECTOOL_DIFF="/var/log/security/sectool.${CURRENT_CHECK_TYPE}.diff"
 if [[ -f ${SECTOOL_TODAY} ]]; then
 mv ${SECTOOL_TODAY} ${SECTOOL_YESTERDAY};
diff --git a/cron-sh/security.sh b/cron-sh/security.sh
index 14f3f01..f879a28 100755
--- a/cron-sh/security.sh
+++ b/cron-sh/security.sh
@@ -35,6 +35,9 @@ fi
 . /usr/share/msec/functions.sh
+# discover current check type
+CURRENT_CHECK_TYPE=$(current_check_type)
+
 # variables
 LCK=/var/run/msec-security.pid
 SECURITY_LOG="/var/log/security.log"
-- cgit v1.2.1
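Review bot: `CURRENT_CHECK_TYPE=$(current_check_type)` in the security.sh hunk discards the function's exit status and never checks that the result is non-empty, so if `current_check_type` fails the variable stays empty and every subscript then bails out with the `should be run by the main msec security check` message, which points at the wrong cause. Failing fast here is clearer: `CURRENT_CHECK_TYPE=$(current_check_type) || exit 1` followed by `[ -n "${CURRENT_CHECK_TYPE}" ] || { echo "Error: could not determine the current check type" >&2; exit 1; }`. `current_check_type` comes from `/usr/share/msec/functions.sh`, sourced on the context line just above, so the set of values it can return is not visible in this diff; since every subscript splices the value into file names under `/var/log/security/`, a comment on the added line naming the expected values would help the next reader. The subscripts' `return 1` suggests they are sourced rather than executed, in which case no `export` is needed, but that is also not visible here.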