From 475339c9034f4b19101a7736b2192ad839bf9211 Mon Sep 17 00:00:00 2001 From: Eugeni Dodonov Date: Mon, 26 Jan 2009 15:36:21 +0000 Subject: Fixing permissions on msec-created files (#27820 #47059). --- cron-sh/security_check.sh | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) (limited to 'cron-sh') diff --git a/cron-sh/security_check.sh b/cron-sh/security_check.sh index 796d2c9..89daea2 100755 --- a/cron-sh/security_check.sh +++ b/cron-sh/security_check.sh @@ -54,15 +54,6 @@ if [[ ${CHECK_UNOWNED} == yes ]]; then fi fi -if [[ ${CHECK_PERMS} == yes ]]; then - # running msec_perms - /usr/sbin/msecperms > ${TMP} 2>&1 - if [[ -s ${TMP} ]]; then - printf "\nPermissions changes on system files:\n" >> ${SECURITY} - cat ${TMP} | sed -e 's/WARNING: //g' >> ${SECURITY} - fi -fi - if [[ ${CHECK_USER_FILES} == yes ]]; then # Files that should not be owned by someone else or readable. list=".netrc .rhosts .shosts .Xauthority .gnupg/secring.gpg \ @@ -220,7 +211,6 @@ done > ${TMP} ### Passwd file check if [[ ${CHECK_SHOSTS} == yes ]]; then - # TODO: do not check on remote shares (#41709) getent passwd | awk -F: '{print $1" "$6}' | while read username homedir; do if ! expr "$homedir" : "$FILTER" > /dev/null; then @@ -298,6 +288,21 @@ if [[ ${CHKROOTKIT_CHECK} == yes ]]; then fi fi +### file permissions +# fix permissions on newly created msec files according to system policy +/usr/sbin/msecperms -e '/var/log/msec.log' "$SECURITY_LOG" "/var/log/security/*" &> ${TMP} + +# now check default permissions +if [[ ${CHECK_PERMS} == yes ]]; then + # running msec_perms + /usr/sbin/msecperms > ${TMP} 2>&1 + if [[ -s ${TMP} ]]; then + printf "\nPermissions changes on system files:\n" >> ${SECURITY} + cat ${TMP} | sed -e 's/WARNING: //g' >> ${SECURITY} + fi +fi + + ### Report if [[ -s ${SECURITY} ]]; then Syslog ${SECURITY} -- cgit v1.2.1
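Review bot: The new `msecperms -e` call in the last hunk sends both streams to `${TMP}`, but nothing reads that file or the exit status, so a failed permission fix on `/var/log/msec.log`, `$SECURITY_LOG` or `/var/log/security/*` never reaches the report. When `CHECK_PERMS` is `yes`, the following `/usr/sbin/msecperms > ${TMP} 2>&1` overwrites it, and otherwise no line in the hunk consumes it. If msecperms exits non-zero on failure (not visible here), the call could end with `&> "${TMP}" || cat "${TMP}" >> "${SECURITY}"` so that the failure is reported. The quoted `"/var/log/security/*"` reaches msecperms as a literal pattern, so a comment such as `# pattern is expanded by msecperms, not by the shell` would help, if that is the intent. The `### Report` block that follows continues outside the hunk, so files it creates after this point are presumably only fixed on the next run.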