From 04264a85de43e5cc0ef5f4c7113e0979bc397a53 Mon Sep 17 00:00:00 2001 From: Eugeni Dodonov Date: Wed, 9 Sep 2009 00:04:28 +0000 Subject: added support for msec exceptions --- cron-sh/scripts/05_access.sh | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'cron-sh/scripts/05_access.sh') diff --git a/cron-sh/scripts/05_access.sh b/cron-sh/scripts/05_access.sh index 2b35d8c..e3ecb72 100755 --- a/cron-sh/scripts/05_access.sh +++ b/cron-sh/scripts/05_access.sh @@ -21,6 +21,7 @@ fi # check for changes in users if [[ ${CHECK_USERS} == yes ]]; then getent passwd | cut -f 1 -d : | sort > ${USERS_LIST_TODAY} + Filter ${USERS_LIST_TODAY} CHECK_USERS Diffcheck ${USERS_LIST_TODAY} ${USERS_LIST_YESTERDAY} ${USERS_LIST_DIFF} "local users" Count ${INFOS} ${USERS_LIST_TODAY} "Total local users" fi @@ -37,6 +38,7 @@ fi # check for changes in groups if [[ ${CHECK_GROUPS} == yes ]]; then getent passwd | cut -f 1 -d : | sort > ${GROUPS_LIST_TODAY} + Filter ${GROUPS_LIST_TODAY} CHECK_GROUPS Diffcheck ${GROUPS_LIST_TODAY} ${GROUPS_LIST_YESTERDAY} ${GROUPS_LIST_DIFF} "local groups" Count ${INFOS} ${GROUPS_LIST_TODAY} "Total local group" fi @@ -51,6 +53,7 @@ if [[ ${CHECK_PASSWD} == yes ]]; then else if ( $3 == 0 && $1 != "root" ) printf("\t\t- /etc/passwd:%d: User \"%s\" has id 0 !\n", FNR, $1); }' > ${MSEC_TMP} + Filter ${MSEC_TMP} CHECK_PASSWD if [[ -s ${MSEC_TMP} ]]; then printf "\nSecurity Warning: /etc/passwd check :\n" >> ${SECURITY} @@ -65,6 +68,7 @@ if [[ ${CHECK_SHADOW} == yes ]]; then if ( $2 == "" ) printf("\t\t- /etc/shadow:%d: User \"%s\" has no password !\n", FNR, $1); }' < /etc/shadow > ${MSEC_TMP} + Filter ${MSEC_TMP} CHECK_SHADOW if [[ -s ${MSEC_TMP} ]]; then printf "\nSecurity Warning: /etc/shadow check :\n" >> ${SECURITY} @@ -73,6 +77,7 @@ if [[ ${CHECK_SHADOW} == yes ]]; then fi fi +# TODO: add CHECK_EXPORTS parameter in msec ### File systems should not be globally exported. if [[ -s /etc/exports ]] ; then awk '{ 
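Review bot: `Filter ${USERS_LIST_TODAY} CHECK_USERS` runs before both Diffcheck and Count, so an excepted user is dropped not only from the change report but also from the "Total local users" figure written to ${INFOS}, and ${USERS_LIST_YESTERDAY} stops being a faithful snapshot of the system; if the intent is only to silence diff noise, filtering the Diffcheck output instead of the today-list would keep the count honest. The groups hunk at -37 has the same ordering. Filter's exit status is also not checked; if it rewrites the list in place and fails partway (its definition is outside this file, so this is a guess), the truncated file becomes tomorrow's yesterday-list and every user would be reported as new. The new line follows the file's unquoted style; `Filter "${USERS_LIST_TODAY}" CHECK_USERS` would be safer should the list path ever contain whitespace.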
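Review bot: The new `Filter ${GROUPS_LIST_TODAY} CHECK_GROUPS` line is applied to a list that the context line above it builds with `getent passwd`, so CHECK_GROUPS exceptions are matched against user names and the "Total local group" count is really a user count; the context line should read `getent group | cut -f 1 -d : | sort > ${GROUPS_LIST_TODAY}`. The mistake predates this commit, but this is the first change to attach group-specific exception names to that file, so it is worth correcting in the same patch rather than documenting exceptions against the wrong data.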
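Review bot: `Filter ${MSEC_TMP} CHECK_PASSWD` filters warning lines that embed the awk record number (`/etc/passwd:%d:` from FNR), so an exception written against the whole line stops matching as soon as an unrelated entry is inserted above the excepted one, and the warning silently reappears; the shadow hunk at -65 has the same property with `/etc/shadow:%d:`. Unless Filter matches by substring or regex — it is defined outside this file — the exception documentation should tell administrators to anchor on the user name rather than the line number, or the line number could be moved to the end of the message where it does not disturb a prefix match. The enclosing awk program and the `if [[ ${CHECK_PASSWD} == yes ]]` block both start outside the hunk.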
@@ -88,6 +93,7 @@ if [[ -s /etc/exports ]] ; then print "\t\t- Nfs File system " $1 " globally exported, read-only."; } else print "\t\t- Nfs File system " $1 " globally exported, read-write."; }' < /etc/exports > ${MSEC_TMP} + Filter ${MSEC_TMP} CHECK_EXPORTS if [[ -s ${MSEC_TMP} ]] ; then printf "\nSecurity Warning: Some NFS filesystem are exported globally :\n" >> ${SECURITY} @@ -96,8 +102,10 @@ if [[ -s /etc/exports ]] ; then fi fi +# TODO: add CHECK_MOUNTS parameter in msec ### nfs mounts with missing nosuid /bin/mount | /bin/grep -v nosuid | /bin/grep ' nfs ' > ${MSEC_TMP} +Filter ${MSEC_TMP} CHECK_MOUNTS if [[ -s ${MSEC_TMP} ]] ; then printf "\nSecurity Warning: The following NFS mounts haven't got the nosuid option set :\n" >> ${SECURITY} cat ${MSEC_TMP} | awk '{ print "\t\t- "$0 }' >> ${SECURITY} @@ -144,6 +152,7 @@ if [[ ${CHECK_SHOSTS} == yes ]]; then fi fi +# TODO: add CHECK_ALIASES ### executables should not be in the aliases file. list="/etc/aliases /etc/postfix/aliases" for file in ${list}; do -- cgit v1.2.1
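Review bot: `Filter ${MSEC_TMP} CHECK_EXPORTS` (and `Filter ${MSEC_TMP} CHECK_MOUNTS` in the -96 hunk) passes an exception name for which, per the TODO comments this commit adds above each check, no msec parameter exists yet, so the key is not tied to any option that enables or disables the check; the mounts call additionally sits at script top level outside any `if [[ ${CHECK_...} == yes ]]` guard, unlike every other Filter call in the patch. If Filter looks up exceptions purely by the name string this works today, but a comment on each call such as `# CHECK_EXPORTS is only an exception key here; no msec option of that name exists yet` would keep the pending TODOs from being closed by silently reusing the same identifier with a different meaning. The awk program that feeds ${MSEC_TMP} starts outside the -88 hunk.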