From f452f1717554c19e09ae8ef68aeb00e107b08015 Mon Sep 17 00:00:00 2001 From: Yoann Vandoorselaere Date: Sun, 19 Dec 1999 20:05:06 +0000 Subject: *** empty log message *** --- ChangeLog | 4 + cron-sh/diff_check.sh | 187 +++++++++++++++++----------------------------- cron-sh/find.sh | 73 ++++++++++++++++++ cron-sh/security_check.sh | 35 ++++----- init-sh/security.conf | 30 +++++--- 5 files changed, 181 insertions(+), 148 deletions(-) create mode 100755 cron-sh/find.sh diff --git a/ChangeLog b/ChangeLog index 81907fa..b6515a3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +1999-12-19 Yoann Vandoorselaere + * Big cleanup. + * All work properly now. + 1999-12-19 Pixel * msec.spec: modify to take into account the Makefile modifying the .spec diff --git a/cron-sh/diff_check.sh b/cron-sh/diff_check.sh index 603edf6..006a26d 100755 --- a/cron-sh/diff_check.sh +++ b/cron-sh/diff_check.sh @@ -14,34 +14,9 @@ if [[ ${CHECK_SECURITY} == no ]]; then exit 0 fi -SUID_ROOT_TODAY="/var/log/security/suid_root.today" -SUID_ROOT_YESTERDAY="/var/log/security/suid_root.yesterday" -SUID_ROOT_DIFF="/var/log/security/suid_root.diff" -SUID_GROUP_TODAY="/var/log/security/suid_group.today" -SUID_GROUP_YESTERDAY="/var/log/security/suid_group.yesterday" -SUID_GROUP_DIFF="/var/log/security/suid_group.diff" -SUID_MD5_TODAY="/var/log/security/suid_md5.today" -SUID_MD5_YESTERDAY="/var/log/security/suid_md5.yesterday" -SUID_MD5_DIFF="/var/log/security/suid_md5.diff" -OPEN_PORT_TODAY="/var/log/security/open_port.today" -OPEN_PORT_YESTERDAY="/var/log/security/open_port.yesterday" -OPEN_PORT_DIFF="/var/log/security/open_port.diff" -WRITEABLE_TODAY="/var/log/security/writeable.today" -WRITEABLE_YESTERDAY="/var/log/security/writeable.yesterday" -WRITEABLE_DIFF="/var/log/security/writeable.diff" -UNOWNED_TODAY="/var/log/security/unowned.today" -UNOWNED_YESTERDAY="/var/log/security/unowned.yesterday" -UNOWNED_DIFF="/var/log/security/unowned.diff" - SECURITY_LOG="/var/log/security.log" TMP=`mktemp /tmp/secure.XXXXXX` -if [[ ! -d /var/log/security ]]; then - mkdir /var/log/security -fi - -rm -f ${TMP} ${SECURITY_TMP} >& /dev/null - ### Functions ### Syslog() { @@ -66,154 +41,119 @@ Ttylog() { ### New Suid root files detection if [[ ${CHECK_SUID_ROOT} == yes ]]; then - if [[ -f ${SUID_ROOT_TODAY} ]]; then - mv ${SUID_ROOT_TODAY} ${SUID_ROOT_YESTERDAY} - fi - - find ${DIR} -xdev -type f -perm +04000 -user root \ - -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" | sort > ${SUID_ROOT_TODAY} - if [[ -f ${SUID_ROOT_YESTERDAY} ]]; then if ! diff -u ${SUID_ROOT_YESTERDAY} ${SUID_ROOT_TODAY} > ${SUID_ROOT_DIFF}; then printf "\nSecurity Warning: Change in Suid Root files found :\n" >> ${TMP} - grep '^+' ${SUID_ROOT_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do - printf "\t\t- Added suid root files : ${file}.\n" >> ${TMP} - done - grep '^-' ${SUID_ROOT_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do - printf "\t\t- Removed suid root files : ${file}.\n" >> ${TMP} - done + grep '^+' ${SUID_ROOT_DIFF} | grep -vw "^+++ " | sed 's|^.||' | while read file; do + printf "\t\t- Added suid root files : ${file}\n" + done >> ${TMP} + grep '^-' ${SUID_ROOT_DIFF} | grep -vw "^--- " | sed 's|^.||' | while read file; do + printf "\t\t- Removed suid root files : ${file}\n" + done >> ${TMP} fi fi + fi ### New Suid group files detection if [[ ${CHECK_SUID_GROUP} == yes ]]; then - if [[ -f ${SUID_GROUP_TODAY} ]]; then - mv ${SUID_GROUP_TODAY} ${SUID_GROUP_YESTERDAY} - fi - - find ${DIR} -xdev -type f -perm +02000 \ - -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" | sort > ${SUID_GROUP_TODAY} - if [[ -f ${SUID_GROUP_YESTERDAY} ]]; then if ! diff -u ${SUID_GROUP_YESTERDAY} ${SUID_GROUP_TODAY} > ${SUID_GROUP_DIFF}; then - printf "\nSecurity Warning: Changes in Suid Group files found :\n" >> ${TMP} - grep '^+' ${SUID_GROUP_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do - printf "\t\t- Added suid group files : ${file}.\n" >> ${TMP} - done - grep '^-' ${SUID_GROUP_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do - printf "\t\t- Removed suid group files : ${file}.\n" >> ${TMP} - done + printf "\nSecurity Warning: Changes in Suid Group files found :\n" >> ${TMP} + grep '^+' ${SUID_GROUP_DIFF} | grep -vw "^+++ " | sed 's|^.||' | while read file; do + printf "\t\t- Added suid group files : ${file}\n" + done >> ${TMP} + grep '^-' ${SUID_GROUP_DIFF} | grep -vw "^--- " | sed 's|^.||' | while read file; do + printf "\t\t- Removed suid group files : ${file}\n" + done >> ${TMP} fi fi + fi ### Writable files detection if [[ ${CHECK_WRITEABLE} == yes ]]; then - if [[ -f ${WRITEABLE_TODAY} ]]; then - mv -f ${WRITEABLE_TODAY} ${WRITEABLE_YESTERDAY} - fi - - find ${DIR} -xdev -type f -perm -2 -ls -print | sort > ${WRITEABLE_TODAY} - if [[ -f ${WRITEABLE_YESTERDAY} ]]; then if ! diff -u ${WRITEABLE_YESTERDAY} ${WRITEABLE_TODAY} > ${WRITEABLE_DIFF}; then printf "\nSecurity Warning: Change in World Writeable Files found :\n" >> ${TMP} - grep '^+' ${WRITEABLE_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do - printf "\t\t- Added writables files : ${file}.\n" >> ${TMP} - done - grep '^-' ${WRITEABLE_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do - printf "\t\t- Removed writables files : ${file}.\n" >> ${TMP} - done + grep '^+' ${WRITEABLE_DIFF} | grep -vw "^+++ " | sed 's|^.||' | while read file; do + printf "\t\t- Added writables files : ${file}\n" + done >> ${TMP + grep '^-' ${WRITEABLE_DIFF} | grep -vw "^--- " | sed 's|^.||' | while read file; do + printf "\t\t- Removed writables files : ${file}\n" + done >> ${TMP} fi fi + fi ### Search Non Owned files if [[ ${CHECK_UNOWNED} == yes ]]; then - if [[ -f ${UNOWNED_TODAY} ]]; then - mv -f ${UNOWNED_TODAY} ${UNOWNED_YESTERDAY} - fi - - find ${DIR} -xdev -nouser -print -ls | sort > ${UNOWNED_TODAY} - - if [[ -f ${UNOWNED_YESTERDAY} ]]; then - if ! diff -u ${UNOWNED_YESTERDAY} ${UNOWNED_TODAY} > ${UNOWNED_DIFF}; then + if [[ -f ${UNOWNED_USER_YESTERDAY} ]]; then + if ! diff -u ${UNOWNED_USER_YESTERDAY} ${UNOWNED_USER_TODAY} > ${UNOWNED_USER_DIFF}; then printf "\nSecurity Warning: the following files aren't owned by an user :\n" >> ${TMP} - grep '^+' ${UNOWNED_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do - printf "\t\t- Added un-owned files : ${file}.\n" >> ${TMP} - done - grep '^-' ${UNOWNED_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do - printf "\t\t- Removed un-owned files : ${file}.\n" >> ${TMP} - done + grep '^+' ${UNOWNED_USER_DIFF} | grep -vw "^--- " | sed 's|^.||' | while read file; do + printf "\t\t- Added un-owned files : ${file}\n" + done > ${TMP} + grep '^-' ${UNOWNED_USER_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do + printf "\t\t- Removed un-owned files : ${file}\n" + done >> ${TMP} fi fi - - find ${DIR} -xdev -nogroup -print -ls | sort >> ${UNOWNED_TODAY} - if [[ -f ${UNOWNED_YESTERDAY} ]]; then - if ! diff -u ${UNOWNED_YESTERDAY} ${UNOWNED_TODAY} > ${UNOWNED_DIFF}; then + if [[ -f ${UNOWNED_GROUP_YESTERDAY} ]]; then + if ! diff -u ${UNOWNED_GROUP_YESTERDAY} ${UNOWNED_GROUP_TODAY} > ${UNOWNED_GROUP_DIFF}; then printf "\nSecurity Warning: the following files aren't owned by a group :\n" >> ${TMP} - grep '^+' ${UNOWNED_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do - printf "\t\t- Added un-owned files : ${file}.\n" >> ${TMP} - done - grep '^-' ${UNOWNED_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do - printf "\t\t- Removed un-owned files : ${file}.\n" >> ${TMP} - done + grep '^+' ${UNOWNED_GROUP_DIFF} | grep -vw "^+++ " | sed 's|^.||' | while read file; do + printf "\t\t- Added un-owned files : ${file}\n" + done >> ${TMP} + grep '^-' ${UNOWNED_GROUP_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do + printf "\t\t- Removed un-owned files : ${file}\n" + done >> ${TMP} fi fi + fi -### Md5 check for SUID root file +### Md5 check for SUID root fileg if [[ ${CHECK_SUID_MD5} == yes ]]; then - - if [[ -f ${SUID_MD5_TODAY} ]]; then - mv ${SUID_MD5_TODAY} ${SUID_MD5_YESTERDAY} - fi - - touch ${SUID_MD5_TODAY} - awk '{print $12}' ${SUID_ROOT_TODAY} | - while read line; do - md5sum ${line} >> ${SUID_MD5_TODAY} - done + ctrl_md5=0; if [[ -f ${SUID_MD5_YESTERDAY} ]]; then if ! diff -u ${SUID_MD5_YESTERDAY} ${SUID_MD5_TODAY} > ${SUID_MD5_DIFF}; then - printf "\nSecurity Warning: the md5 checksum for one of your SUID files has changed,\n" >> ${TMP} - printf "\tmaybe an intruder modified one of these suid binary in order to put in a backdoor...\n" >> ${TMP} grep '^+' ${SUID_MD5_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $2}' | while read file; do - printf "\t\t- Changed ( added ) files : ${file}.\n" >> ${TMP} - done - grep '^-' ${SUID_MD5_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $2}' | while read file; do - printf "\t\t- Changed ( removed ) files : ${file}.\n" >> ${TMP} - done + if cat ${SUID_MD5_YESTERDAY} | awk '{print $2}' | grep -qw ${file}; then + if [[ ${ctrl_md5} == 0 ]]; then + printf "\nSecurity Warning: the md5 checksum for one of your SUID files has changed,\n" >> ${TMP} + printf "\tmaybe an intruder modified one of these suid binary in order to put in a backdoor...\n" >> ${TMP} + ctrl_md5=1; + fi + printf "\t\t- Checksum changed files : ${file}\n" + fi + done >> ${TMP} fi fi + fi ### Changed open port if [[ ${CHECK_OPEN_PORT} == yes ]]; then - - if [[ -f ${OPEN_PORT_TODAY} ]]; then - mv -f ${OPEN_PORT_TODAY} ${OPEN_PORT_YESTERDAY} - fi - - netstat -pvlA inet > ${OPEN_PORT_TODAY}; if [[ -f ${OPEN_PORT_YESTERDAY} ]]; then if ! diff -u ${OPEN_PORT_YESTERDAY} ${OPEN_PORT_TODAY} 1> ${OPEN_PORT_DIFF}; then - printf "\nSecurity Warning: There is a new port listening on your machine :\n" >> ${TMP} - grep '^+' ${OPEN_PORT_DIFF} | grep -vw "^+++ " | sed 's|^.||' | awk '{print $12}' | while read file; do - printf "\t\t- Opened ports : ${file}.\n" >> ${TMP} - done - grep '^-' ${OPEN_PORT_DIFF} | grep -vw "^--- " | sed 's|^.||' | awk '{print $12}' | while read file; do - printf "\t\t- Closed ports : ${file}.\n" >> ${TMP} - done + printf "\nSecurity Warning: There is modifications for port listening on your machine :\n" >> ${TMP} + grep '^+' ${OPEN_PORT_DIFF} | grep -vw "^+++ " | sed 's|^.||' | while read file; do + printf "\t\t- Opened ports : ${file}\n" + done >> ${TMP} + grep '^-' ${OPEN_PORT_DIFF} | grep -vw "^--- " | sed 's|^.||' | while read file; do + printf "\t\t- Closed ports : ${file}\n" + done >> ${TMP} fi fi + fi ######## Report ###### @@ -228,3 +168,12 @@ fi if [[ -f ${TMP} ]]; then rm -f ${TMP} fi + + + + + + + + + diff --git a/cron-sh/find.sh b/cron-sh/find.sh new file mode 100755 index 0000000..a12d46c --- /dev/null +++ b/cron-sh/find.sh @@ -0,0 +1,73 @@ +#!/bin/sh + +if [[ ! -f /etc/security/msec/security.conf ]]; then + echo "Can't access /etc/security/msec/security.conf." + exit 1 +fi + +. /etc/security/msec/security.conf + +# Modified filters coming from debian security scripts. + +CS_NFSAFS='(nfs|afs|xfs|coda)' +CS_TYPES=' type (devpts|auto|proc|msdos|fat|vfat|iso9660|ncpfs|smbfs|'$CS_NFSAFS')' +CS_DEVS='^/dev/fd' +CS_DIRS='on /mnt' +FILTERS="$CS_TYPES|$CS_DEVS|$CS_DIRS" +DIR=`mount | grep -vE "$FILTERS" | cut -d ' ' -f3` +PRINT="%h/%f\n" +#PRINT="%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" + +if [[ ! -d /var/log/security ]]; then + mkdir /var/log/security +fi + +if [[ -s ${SUID_ROOT_TODAY} ]]; then + mv ${SUID_ROOT_TODAY} ${SUID_ROOT_YESTERDAY}; +fi + +if [[ -s ${SUID_GROUP_TODAY} ]]; then + mv ${SUID_GROUP_TODAY} ${SUID_GROUP_YESTERDAY}; +fi + +if [[ -s ${WRITEABLE_TODAY} ]]; then + mv ${WRITEABLE_TODAY} ${WRITEABLE_YESTERDAY}; +fi + +if [[ -s ${UNOWNED_USER_TODAY} ]]; then + mv ${UNOWNED_USER_TODAY} ${UNOWNED_USER_YESTERDAY}; +fi + +if [[ -s ${UNOWNED_GROUP_TODAY} ]]; then + mv ${UNOWNED_GROUP_TODAY} ${UNOWNED_GROUP_YESTERDAY}; +fi + +if [[ -s ${OPEN_PORT_TODAY} ]]; then + mv -f ${OPEN_PORT_TODAY} ${OPEN_PORT_YESTERDAY} +fi + +if [[ -s ${SUID_MD5_TODAY} ]]; then + mv ${SUID_MD5_TODAY} ${SUID_MD5_YESTERDAY}; +fi + +netstat -pvlA inet > ${OPEN_PORT_TODAY}; +find ${DIR} -xdev -type f -perm +04000 -user root -printf "${PRINT}" | sort > ${SUID_ROOT_TODAY} +find ${DIR} -xdev -type f -perm +02000 -printf "${PRINT}" | sort > ${SUID_GROUP_TODAY} +find ${DIR} -xdev -type f -perm -2 -printf "${PRINT}" | sort > ${WRITEABLE_TODAY} +find ${DIR} -xdev -nouser -printf "${PRINT}" | sort > ${UNOWNED_USER_TODAY} +find ${DIR} -xdev -nogroup -printf "${PRINT}" | sort > ${UNOWNED_GROUP_TODAY} + +cat ${SUID_ROOT_TODAY} | while read line; do + md5sum ${line} +done > ${SUID_MD5_TODAY} + + + + + + + + + + + diff --git a/cron-sh/security_check.sh b/cron-sh/security_check.sh index d7d6ff3..aafa294 100755 --- a/cron-sh/security_check.sh +++ b/cron-sh/security_check.sh @@ -43,34 +43,29 @@ Ttylog() { ### Writeable file detection if [[ ${CHECK_WRITEABLE} == yes ]]; then - find ${DIR} -xdev -type f -perm -2 -print | sort > ${TMP} - - if [[ -s ${TMP} ]]; then - printf "\nSecurity Warning: World Writeable Files found :\n" >> ${SECURITY} - cat ${TMP} | awk '{print "\t\t- " $0}' >> ${SECURITY} + if [[ -s ${WRITEABLE_TODAY} ]]; then + printf "\nSecurity Warning: World Writeable files found :\n" >> ${SECURITY} + cat ${WRITEABLE_TODAY} | awk '{print "\t\t- " $0}' >> ${SECURITY} fi fi ### Search Un Owned file if [[ ${CHECK_UNOWNED} == yes ]]; then - find ${DIR} -xdev -nouser -print | sort > ${TMP} - - if [[ -s ${TMP} ]]; then - printf "\nSecurity Warning : the following file aren't owned by any user :\n" >> ${SECURITY} - printf "\ttheses files now have user \"nobody\" as their owner." >> ${SECURITY_LOG} - cat ${TMP} | awk '{print "\t\t- " $0}' >> ${SECURITY} - cat ${TMP} | while read line; do - chown nobody ${line}; + if [[ -s ${UNOWNED_USER_TODAY} ]]; then + printf "\nSecurity Warning : User Unowned files found :\n" >> ${SECURITY} + printf "\t( theses files now have user \"nobody\" as their owner. )\n" >> ${SECURITY_LOG} + cat ${UNOWNED_USER_TODAY} | awk '{print "\t\t- " $0}' >> ${SECURITY} + cat ${UNOWNED_USER_TODAY} | while read line; do + chown nobody "${line}"; # Use quote if filename contain space. done fi - find $DIR -xdev -nogroup -print | sort > ${TMP} - if [[ -s ${TMP} ]]; then - printf "\nSecurity Warning : the following file aren't owned by any group :\n" >> ${SECURITY} - printf "\ttheses files now have group \"nogroup\" as their group owner." >> ${SECURITY} - cat ${TMP} | awk '{print "\t\t- " $0}' >> ${SECURITY} - cat ${TMP} | while read line; do - chgrp nogroup ${line}; + if [[ -s ${UNOWNED_GROUP_TODAY} ]]; then + printf "\nSecurity Warning : Group Unowned files found :\n" >> ${SECURITY} + printf "\t( theses files now have group \"nogroup\" as their group owner. )\n" >> ${SECURITY} + cat ${UNOWNED_GROUP_TODAY} | awk '{print "\t\t- " $0}' >> ${SECURITY} + cat ${UNOWNED_GROUP_TODAY} | while read line; do + chgrp nogroup "${line}"; # Use quote if filename contain space. done fi fi diff --git a/init-sh/security.conf b/init-sh/security.conf index 64ea0ea..afb9428 100644 --- a/init-sh/security.conf +++ b/init-sh/security.conf @@ -1,9 +1,21 @@ -# Modified filters coming from debian security scripts. -CS_NFSAFS='(nfs|afs|xfs|coda)' -CS_TYPES=' type (devpts|auto|proc|msdos|fat|vfat|iso9660|ncpfs|smbfs|'$CS_NFSAFS')' -CS_DEVS='^/dev/fd' -CS_DIRS='on /mnt' -FILTERS="$CS_TYPES|$CS_DEVS|$CS_DIRS" -DIR=`mount | grep -vE "$FILTERS" | cut -d ' ' -f3` -### - +SUID_ROOT_TODAY="/var/log/security/suid_root.today" +SUID_ROOT_YESTERDAY="/var/log/security/suid_root.yesterday" +SUID_ROOT_DIFF="/var/log/security/suid_root.diff" +SUID_GROUP_TODAY="/var/log/security/suid_group.today" +SUID_GROUP_YESTERDAY="/var/log/security/suid_group.yesterday" +SUID_GROUP_DIFF="/var/log/security/suid_group.diff" +SUID_MD5_TODAY="/var/log/security/suid_md5.today" +SUID_MD5_YESTERDAY="/var/log/security/suid_md5.yesterday" +SUID_MD5_DIFF="/var/log/security/suid_md5.diff" +OPEN_PORT_TODAY="/var/log/security/open_port.today" +OPEN_PORT_YESTERDAY="/var/log/security/open_port.yesterday" +OPEN_PORT_DIFF="/var/log/security/open_port.diff" +WRITEABLE_TODAY="/var/log/security/writeable.today" +WRITEABLE_YESTERDAY="/var/log/security/writeable.yesterday" +WRITEABLE_DIFF="/var/log/security/writeable.diff" +UNOWNED_USER_TODAY="/var/log/security/unowned_user.today" +UNOWNED_USER_YESTERDAY="/var/log/security/unowned_user.yesterday" +UNOWNED_USER_DIFF="/var/log/security/unowned_user.diff" +UNOWNED_GROUP_TODAY="/var/log/security/unowned_group.today" +UNOWNED_GROUP_YESTERDAY="/var/log/security/unowned_group.yesterday" +UNOWNED_GROUP_DIFF="/var/log/security/unowned_group.diff" -- cgit v1.2.1