From 51edd0594c34949c7681e695e52961eb5f61ac4e Mon Sep 17 00:00:00 2001
From: Eugeni Dodonov
Date: Thu, 25 Jun 2009 19:31:42 +0000
Subject: Redesigned auditing code, added support for plugins and better logging.
---
cron-sh/scripts/02_network.sh | 79 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 79 insertions(+)
create mode 100755 cron-sh/scripts/02_network.sh
(limited to 'cron-sh/scripts/02_network.sh')
diff --git a/cron-sh/scripts/02_network.sh b/cron-sh/scripts/02_network.sh
new file mode 100755
index 0000000..f376724
--- /dev/null
+++ b/cron-sh/scripts/02_network.sh
@@ -0,0 +1,79 @@
+#!/bin/bash
+# msec: network security checks
+
+# check if we are run from main script
+if [ -z "$MSEC_TMP" -o -z "$INFOS" -o -z "$SECURITY" -o -z "$DIFF" -o -z "$SECURITY_LOG" ]; then
+ # variables are set in security.sh and propagated to the subscripts
+ echo "Error: this check should be run by the main msec security check!"
+ echo " do not run it directly unless you know what you are doing."
+ return 1
+fi
+
+export OPEN_PORT_TODAY="/var/log/security/open_port.today"
+OPEN_PORT_YESTERDAY="/var/log/security/open_port.yesterday"
+OPEN_PORT_DIFF="/var/log/security/open_port.diff"
+export FIREWALL_TODAY="/var/log/security/open_port.today"
+FIREWALL_YESTERDAY="/var/log/security/open_port.yesterday"
+FIREWALL_DIFF="/var/log/security/open_port.diff"
+
+if [[ -f ${OPEN_PORT_TODAY} ]]; then
+ mv -f ${OPEN_PORT_TODAY} ${OPEN_PORT_YESTERDAY}
+fi
+
+if [[ -f ${FIREWALL_TODAY} ]]; then
+ mv -f ${FIREWALL_TODAY} ${FIREWALL_YESTERDAY}
+fi
+
+if [[ ${CHECK_OPEN_PORT} == yes ]]; then
+ netstat -pvlA inet,inet6 2> /dev/null > ${OPEN_PORT_TODAY};
+fi
+
+if [[ ${CHECK_FIREWALL} == yes ]]; then
+ iptables -L 2>/dev/null > ${FIREWALL_TODAY}
+fi
+
+### Changed open port
+if [[ ${CHECK_OPEN_PORT} == yes ]]; then
+
+ if [[ -f ${OPEN_PORT_YESTERDAY} ]]; then
+ diff -u ${OPEN_PORT_YESTERDAY} ${OPEN_PORT_TODAY} 1> ${OPEN_PORT_DIFF}
+ if [ -s ${OPEN_PORT_DIFF} ]; then
+ printf "\nSecurity Warning: There are modifications for port listening on your machine :\n" >> ${DIFF}
+ grep '^+' ${OPEN_PORT_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
+ printf "\t\t- Opened ports : ${file}\n"
+ done >> ${DIFF}
+ grep '^-' ${OPEN_PORT_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
+ printf "\t\t- Closed ports : ${file}\n"
+ done >> ${DIFF}
+ fi
+ fi
+
+fi
+
+### Changed firewall
+if [[ ${CHECK_FIREWALL} == yes ]]; then
+
+ if [[ -f ${FIREWALL_YESTERDAY} ]]; then
+ diff -u ${FIREWALL_YESTERDAY} ${FIREWALL_TODAY} 1> 
${FIREWALL_DIFF}
+ if [ -s ${FIREWALL_DIFF} ]; then
+ printf "\nSecurity Warning: There are modifications for firewall configuration on your machine :\n" >> ${DIFF}
+ grep '^+' ${FIREWALL_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
+ printf "\t\t- New entries : ${file}\n"
+ done >> ${DIFF}
+ grep '^-' ${FIREWALL_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
+ printf "\t\t- Removed entries : ${file}\n"
+ done >> ${DIFF}
+ fi
+ fi
+
+fi
+
+### Dump a list of open port.
+if [[ ${CHECK_OPEN_PORT} == yes ]]; then
+
+ if [[ -s ${OPEN_PORT_TODAY} ]]; then
+ printf "\nThese are the ports listening on your machine :\n" >> ${INFOS}
+ cat ${OPEN_PORT_TODAY} >> ${INFOS}
+ fi
+fi
+
-- cgit v1.2.1
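Review bot: The three FIREWALL_* variables near the top of the hunk are assigned the same open_port.* paths as the OPEN_PORT_* variables, so with both checks enabled `iptables -L` overwrites the netstat snapshot in open_port.today, the open-port diff and the final "ports listening" dump then report firewall output, and the firewall comparison never gets a yesterday file of its own; they should point at separate files, e.g. `export FIREWALL_TODAY="/var/log/security/firewall.today"`, `FIREWALL_YESTERDAY="/var/log/security/firewall.yesterday"` and `FIREWALL_DIFF="/var/log/security/firewall.diff"`. Separately, `iptables -L` without `-n` reverse-resolves addresses and service names, which is slow and can produce spurious day-to-day differences when resolution results change, so `iptables -nL` gives a more stable listing (it still covers only the filter table, which may be intentional). The `return 1` in the guard at the top only stops execution if the main script sources this file; when it is executed directly under the shebang, bash prints an error for `return` and continues with the variables unset, so `return 1 2>/dev/null || exit 1` would make the guard hold either way.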