From 04264a85de43e5cc0ef5f4c7113e0979bc397a53 Mon Sep 17 00:00:00 2001 From: Eugeni Dodonov Date: Wed, 9 Sep 2009 00:04:28 +0000 Subject: added support for msec exceptions --- cron-sh/functions.sh | 6 ++++-- cron-sh/scripts/01_files.sh | 10 ++++++++++ cron-sh/scripts/02_network.sh | 2 ++ cron-sh/scripts/03_rpm.sh | 2 ++ cron-sh/scripts/05_access.sh | 9 +++++++++ 5 files changed, 27 insertions(+), 2 deletions(-) (limited to 'cron-sh') diff --git a/cron-sh/functions.sh b/cron-sh/functions.sh index cedd4c1..af08ad4 100644 --- a/cron-sh/functions.sh +++ b/cron-sh/functions.sh @@ -69,7 +69,8 @@ Count() { Filter() { # filters output according to defined rules - RULE="$1" + FILE="$1" + RULE="$2" exceptions=/etc/security/msec/exceptions if [ ! -s "$exceptions" -o "a$RULE" = "a" ]; then @@ -83,7 +84,8 @@ Filter() { done FILTER="sed $EXCEPTIONS" fi - $FILTER + $FILTER < $FILE > ${FILE}.tmp + mv -f ${FILE}.tmp $FILE } diff --git a/cron-sh/scripts/01_files.sh b/cron-sh/scripts/01_files.sh index 9720f55..c1135c6 100755 --- a/cron-sh/scripts/01_files.sh +++ b/cron-sh/scripts/01_files.sh 
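Review bot: Filter's contract changes here from a stdin-to-stdout pass-through to an in-place rewrite of a named file, yet the only documentation is the unchanged comment `# filters output according to defined rules`, which no longer describes what the function does. A stale one-argument caller now puts the rule name into FILE and leaves RULE empty, so it takes the no-rule branch and then tries to read a file named after the rule; the existing `"a$RULE" = "a"` test cannot distinguish that from a deliberate call. I would replace the comment with `# Filter FILE RULE: rewrite FILE in place, dropping lines matched by the exceptions listed for RULE in /etc/security/msec/exceptions` and add `[ -f "$FILE" ] || return 1` ahead of the exceptions test. The branch that handles the no-exceptions case lies between this hunk and the next, outside this view.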
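Review bot: `$FILTER < $FILE > ${FILE}.tmp` and the following `mv -f ${FILE}.tmp $FILE` are not chained, so if sed rejects a malformed expression from the exceptions file the truncated `${FILE}.tmp` still replaces the report, and every check that calls Filter silently produces an empty result. The expansions are also unquoted, which matters now that FILE is a caller-supplied path rather than a rule name. I would write `$FILTER < "$FILE" > "${FILE}.tmp" || { rm -f "${FILE}.tmp"; return 1; }` followed by `mv -f "${FILE}.tmp" "$FILE"`, leaving `$FILTER` itself unquoted since it is meant to split into `sed` plus its arguments. Since mv replaces the inode, any restrictive mode set on the report file earlier would be lost as well, if the callers rely on that; the rest of Filter sits outside this hunk.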
@@ -60,26 +60,32 @@ if [[ ${CHECK_SUID_MD5} == yes || ${CHECK_SUID_ROOT} == yes || ${CHECK_SGID} == fi if [[ -f ${SUID_ROOT_TODAY} ]]; then + Filter ${SUID_ROOT_TODAY} CHECK_SUID_MD5 + Filter ${SUID_ROOT_TODAY} CHECK_SUID_ROOT sort < ${SUID_ROOT_TODAY} > ${SUID_ROOT_TODAY}.tmp mv -f ${SUID_ROOT_TODAY}.tmp ${SUID_ROOT_TODAY} fi if [[ -f ${SGID_TODAY} ]]; then + Filter ${SGID_TODAY} CHECK_SGID sort < ${SGID_TODAY} > ${SGID_TODAY}.tmp mv -f ${SGID_TODAY}.tmp ${SGID_TODAY} fi if [[ -f ${WRITABLE_TODAY} ]]; then + Filter ${WRITABLE_TODAY} CHECK_WRITABLE sort < ${WRITABLE_TODAY} | egrep -v '^(/var)?/tmp$' > ${WRITABLE_TODAY}.tmp mv -f ${WRITABLE_TODAY}.tmp ${WRITABLE_TODAY} fi if [[ -f ${UNOWNED_USER_TODAY} ]]; then + Filter ${UNOWNED_USER_TODAY} CHECK_UNOWNED sort < ${UNOWNED_USER_TODAY} > ${UNOWNED_USER_TODAY}.tmp mv -f ${UNOWNED_USER_TODAY}.tmp ${UNOWNED_USER_TODAY} fi if [[ -f ${UNOWNED_GROUP_TODAY} ]]; then + Filter ${UNOWNED_GROUP_TODAY} CHECK_UNOWNED sort < ${UNOWNED_GROUP_TODAY} > ${UNOWNED_GROUP_TODAY}.tmp mv -f ${UNOWNED_GROUP_TODAY}.tmp ${UNOWNED_GROUP_TODAY} fi @@ -182,6 +188,7 @@ done | awk -F: '$1 != $6 && $6 != "0" \ { print "\t\t- " $3 " : file is group writable." } $4 ~ /^-.......w/ \ { print "\t\t- " $3 " : file is other writable." }' > ${MSEC_TMP} +Filter ${MSEC_TMP} CHECK_USER_FILES if [[ -s ${MSEC_TMP} ]]; then Count ${INFOS} ${MSEC_TMP} "Total of unsecure user files" @@ -219,6 +226,7 @@ if [[ -s ${MSEC_TMP} ]]; then printf "\nSecurity Warning: theses files should not be owned by someone else or writable :\n" >> ${SECURITY} cat ${MSEC_TMP} >> ${SECURITY} fi +Filter ${MSEC_TMP} CHECK_USER_FILES ### Check home directories. Directories should not be owned by someone else or writable. getent passwd | awk -F: '/^[^+-]/ { print $1 ":" $3 ":" $6 }' | \ 
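Review bot: `Filter ${UNOWNED_USER_TODAY} CHECK_UNOWNED` and `Filter ${UNOWNED_GROUP_TODAY} CHECK_UNOWNED` key two different reports on one rule name, so an exception written to silence a path in the unowned-user list also drops it from the unowned-group list; the same sharing appears for CHECK_USER_FILES in the @@ -182 and @@ -237 hunks, where user-file and home-directory findings are filtered with the same rule. If that is intended, a comment on the first call such as `# CHECK_UNOWNED exceptions apply to both the user and the group list` would stop the next reader from assuming per-list scoping; otherwise distinct rule names would keep exceptions scoped. Each Filter here also writes `${X}.tmp`, the same name the following `sort ... > ${X}.tmp` uses, which is harmless only because the two run strictly in sequence.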
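Review bot: The `Filter ${MSEC_TMP} CHECK_USER_FILES` added after the closing `fi` in the @@ -219 hunk runs after `cat ${MSEC_TMP} >> ${SECURITY}` has already copied the unfiltered lines into the report, and MSEC_TMP is regenerated by the home-directory awk that follows, so the call has no visible effect. Unless something between this hunk and the @@ -237 hunk reads MSEC_TMP again, it should be removed or moved up to sit between the `> ${MSEC_TMP}` that produced the list and the `if [[ -s ${MSEC_TMP} ]]` that reports it, as the @@ -182 hunk does for the preceding check. The block that produces this MSEC_TMP starts before the hunk.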
@@ -237,6 +245,7 @@ done | awk -F: '$3 != $5 && $5 != "(0)" \ { print "user=" $2 $3" : home directory is group writable." } $1 ~ /^d.......w/ \ { print "user=" $2 $3" : home directory is other writable." }' > ${MSEC_TMP} +Filter ${MSEC_TMP} CHECK_USER_FILES if [[ -s $MSEC_TMP ]] ; then Count ${INFOS} ${MSEC_TMP} "Total of users whose home directories have unsafe permissions " @@ -254,6 +263,7 @@ if [[ ${CHECK_PERMS} == yes || ${CHECK_PERMS} == enforce ]]; then fi # running msec_perms /usr/sbin/msecperms $MSECPERMS_PARAMS | grep WARNING > ${MSEC_TMP} 2>&1 + Filter ${MSEC_TMP} CHECK_PERMS if [[ -s ${MSEC_TMP} ]]; then Count ${INFOS} ${MSEC_TMP} "Permission changes on files watched by msecperms" printf "\nPermissions changes on files watched by msec:\n" >> ${SECURITY} diff --git a/cron-sh/scripts/02_network.sh b/cron-sh/scripts/02_network.sh index c31b101..b52f914 100755 --- a/cron-sh/scripts/02_network.sh +++ b/cron-sh/scripts/02_network.sh @@ -26,11 +26,13 @@ fi if [[ ${CHECK_OPEN_PORT} == yes ]]; then netstat -pvlA inet,inet6 2> /dev/null > ${OPEN_PORT_TODAY}; + Filter ${OPEN_PORT_TODAY} CHECK_OPEN_PORT Count ${INFOS} ${OPEN_PORT_TODAY} "Total of open network ports" fi if [[ ${CHECK_FIREWALL} == yes ]]; then iptables -S 2>/dev/null > ${FIREWALL_TODAY} + Filter ${FIREWALL_TODAY} CHECK_FIREWALL Count ${INFOS} ${FIREWALL_TODAY} "Total of configured firewall rules" fi diff --git a/cron-sh/scripts/03_rpm.sh b/cron-sh/scripts/03_rpm.sh index 24353e2..264bd63 100755 --- a/cron-sh/scripts/03_rpm.sh +++ b/cron-sh/scripts/03_rpm.sh @@ -40,6 +40,7 @@ fi # list of installed packages if [[ ${CHECK_RPM_PACKAGES} == yes ]]; then rpm -qa --qf "%{NAME}-%{VERSION}-%{RELEASE}\n" | sort > ${RPM_QA_TODAY} + Filter ${RPM_QA_TODAY} CHECK_RPM_PACKAGES Count ${INFOS} ${RPM_QA_TODAY} "Total of installed packages" Diffcheck ${RPM_QA_TODAY} ${RPM_QA_YESTERDAY} ${RPM_QA_DIFF} "packages" fi 
@@ -48,6 +49,7 @@ fi if [[ ${CHECK_RPM_INTEGRITY} == yes ]]; then rm -f ${RPM_VA_TODAY}.tmp nice --adjustment=+19 rpm -Va --noscripts | grep '^..5' | sort > ${RPM_VA_TODAY}.tmp + Filter ${RPM_VA_TODAY} CHECK_RPM_INTEGRITY grep -v '^..........c.' ${RPM_VA_TODAY}.tmp | sed 's/^............//' | sort > ${RPM_VA_TODAY} grep '^..........c.' ${RPM_VA_TODAY}.tmp | sed 's/^............//' | sort > ${RPM_VA_CONFIG_TODAY} rm -f ${RPM_VA_TODAY}.tmp diff --git a/cron-sh/scripts/05_access.sh b/cron-sh/scripts/05_access.sh index 2b35d8c..e3ecb72 100755 --- a/cron-sh/scripts/05_access.sh +++ b/cron-sh/scripts/05_access.sh @@ -21,6 +21,7 @@ fi # check for changes in users if [[ ${CHECK_USERS} == yes ]]; then getent passwd | cut -f 1 -d : | sort > ${USERS_LIST_TODAY} + Filter ${USERS_LIST_TODAY} CHECK_USERS Diffcheck ${USERS_LIST_TODAY} ${USERS_LIST_YESTERDAY} ${USERS_LIST_DIFF} "local users" Count ${INFOS} ${USERS_LIST_TODAY} "Total local users" fi @@ -37,6 +38,7 @@ fi # check for changes in groups if [[ ${CHECK_GROUPS} == yes ]]; then getent passwd | cut -f 1 -d : | sort > ${GROUPS_LIST_TODAY} + Filter ${GROUPS_LIST_TODAY} CHECK_GROUPS Diffcheck ${GROUPS_LIST_TODAY} ${GROUPS_LIST_YESTERDAY} ${GROUPS_LIST_DIFF} "local groups" Count ${INFOS} ${GROUPS_LIST_TODAY} "Total local group" fi @@ -51,6 +53,7 @@ if [[ ${CHECK_PASSWD} == yes ]]; then else if ( $3 == 0 && $1 != "root" ) printf("\t\t- /etc/passwd:%d: User \"%s\" has id 0 !\n", FNR, $1); }' > ${MSEC_TMP} + Filter ${MSEC_TMP} CHECK_PASSWD if [[ -s ${MSEC_TMP} ]]; then printf "\nSecurity Warning: /etc/passwd check :\n" >> ${SECURITY} @@ -65,6 +68,7 @@ if [[ ${CHECK_SHADOW} == yes ]]; then if ( $2 == "" ) printf("\t\t- /etc/shadow:%d: User \"%s\" has no password !\n", FNR, $1); }' < /etc/shadow > ${MSEC_TMP} + Filter ${MSEC_TMP} CHECK_SHADOW if [[ -s ${MSEC_TMP} ]]; then printf "\nSecurity Warning: /etc/shadow check :\n" >> ${SECURITY} 
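Review bot: `Filter ${RPM_VA_TODAY} CHECK_RPM_INTEGRITY` is called while the fresh `rpm -Va` output lives in `${RPM_VA_TODAY}.tmp`, and Filter uses exactly that path as its own scratch file before `mv -f`-ing it over `${RPM_VA_TODAY}`; as far as I can tell the listing just produced is either overwritten with the filtered previous `${RPM_VA_TODAY}` or, if that file is absent so the input redirect fails, moved over it unsplit, and in both cases the two `grep` lines that follow read a `.tmp` file that has already been moved away. The call has to come after the greps have split the listing, on the files they produce: `Filter ${RPM_VA_TODAY} CHECK_RPM_INTEGRITY` and `Filter ${RPM_VA_CONFIG_TODAY} CHECK_RPM_INTEGRITY`, placed before the final `rm -f ${RPM_VA_TODAY}.tmp`. As written the integrity check reports nothing useful, which is exactly the silent failure a file-integrity check must not have.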
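Review bot: `Filter ${USERS_LIST_TODAY} CHECK_USERS` runs before both Diffcheck and Count, so an account matched by a CHECK_USERS exception disappears from the day-to-day user diff entirely, not only from the total; its creation, and its later removal, would both go unreported. That may be the intent, but it deserves a comment at the call, e.g. `# exceptions remove the account from the daily diff as well as from the count`, so nobody writes a broad pattern expecting only the count to change. The same ordering applies to CHECK_GROUPS in the @@ -37 hunk.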
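Review bot: `Filter ${GROUPS_LIST_TODAY} CHECK_GROUPS` filters a list that the preceding context line builds with `getent passwd | cut -f 1 -d :`, so CHECK_GROUPS exceptions are matched against user names and the "local groups" diff is in effect a second copy of the user list; the commit leaves that line as it is. The fix is outside the new code but is one word: `getent group | cut -f 1 -d : | sort > ${GROUPS_LIST_TODAY}`.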
@@ -73,6 +77,7 @@ if [[ ${CHECK_SHADOW} == yes ]]; then fi fi +# TODO: add CHECK_EXPORTS parameter in msec ### File systems should not be globally exported. if [[ -s /etc/exports ]] ; then awk '{ @@ -88,6 +93,7 @@ if [[ -s /etc/exports ]] ; then print "\t\t- Nfs File system " $1 " globally exported, read-only."; } else print "\t\t- Nfs File system " $1 " globally exported, read-write."; }' < /etc/exports > ${MSEC_TMP} + Filter ${MSEC_TMP} CHECK_EXPORTS if [[ -s ${MSEC_TMP} ]] ; then printf "\nSecurity Warning: Some NFS filesystem are exported globally :\n" >> ${SECURITY} @@ -96,8 +102,10 @@ if [[ -s /etc/exports ]] ; then fi fi +# TODO: add CHECK_MOUNTS parameter in msec ### nfs mounts with missing nosuid /bin/mount | /bin/grep -v nosuid | /bin/grep ' nfs ' > ${MSEC_TMP} +Filter ${MSEC_TMP} CHECK_MOUNTS if [[ -s ${MSEC_TMP} ]] ; then printf "\nSecurity Warning: The following NFS mounts haven't got the nosuid option set :\n" >> ${SECURITY} cat ${MSEC_TMP} | awk '{ print "\t\t- "$0 }' >> ${SECURITY} @@ -144,6 +152,7 @@ if [[ ${CHECK_SHOSTS} == yes ]]; then fi fi +# TODO: add CHECK_ALIASES ### executables should not be in the aliases file. list="/etc/aliases /etc/postfix/aliases" for file in ${list}; do -- cgit v1.2.1
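Review bot: `Filter ${MSEC_TMP} CHECK_EXPORTS` here and `Filter ${MSEC_TMP} CHECK_MOUNTS` in the @@ -96 hunk use rule names that, per the TODO comments added alongside, do not yet exist as msec settings, so the two NFS checks stay unconditional while their exceptions are already keyed on names an administrator cannot find in the msec configuration. Whether Filter tolerates a rule name with no msec counterpart depends on how the exceptions file is parsed, which is outside this view; if it does, a comment at the call such as `# CHECK_EXPORTS is only an exceptions key for now, not an msec option` would make the half-finished state explicit. The `if [[ -s /etc/exports ]]` block enclosing this call starts before the hunk.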
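Review bot: `# TODO: add CHECK_ALIASES` is the only one of the three new TODO markers without a matching Filter call in its hunk, so as far as this hunk shows the aliases check below still writes its findings unfiltered; the `for file in ${list}` loop continues past the end of the hunk. The marker also differs in wording from `# TODO: add CHECK_EXPORTS parameter in msec` and `# TODO: add CHECK_MOUNTS parameter in msec`; I would align it to `# TODO: add CHECK_ALIASES parameter in msec` so a search for the pending msec options finds all three.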