From 51edd0594c34949c7681e695e52961eb5f61ac4e Mon Sep 17 00:00:00 2001
From: Eugeni Dodonov
Date: Thu, 25 Jun 2009 19:31:42 +0000
Subject: Redesigned auditing code, added support for plugins and better logging.
---
 cron-sh/Makefile | 6 +-
 cron-sh/diff_check.sh | 240 ------------------------------
 cron-sh/functions.sh | 99 +++++++++++++
 cron-sh/promisc_check.sh | 52 -------
 cron-sh/scripts/01_files.sh | 327 ++++++++++++++++++++++++++++++++++++++++
 cron-sh/scripts/02_network.sh | 79 ++++++++++
 cron-sh/scripts/03_rpm.sh | 107 ++++++++++++++
 cron-sh/scripts/04_rootkit.sh | 49 ++++++
 cron-sh/scripts/05_access.sh | 125 ++++++++++++++++
 cron-sh/scripts/06_promisc.sh | 53 +++++++
 cron-sh/security.sh | 306 +++++++++-----------------------------
 cron-sh/security_check.sh | 337 ------------------------------------------
 12 files changed, 909 insertions(+), 871 deletions(-)
 delete mode 100755 cron-sh/diff_check.sh
 create mode 100644 cron-sh/functions.sh
 delete mode 100755 cron-sh/promisc_check.sh
 create mode 100755 cron-sh/scripts/01_files.sh
 create mode 100755 cron-sh/scripts/02_network.sh
 create mode 100755 cron-sh/scripts/03_rpm.sh
 create mode 100755 cron-sh/scripts/04_rootkit.sh
 create mode 100755 cron-sh/scripts/05_access.sh
 create mode 100755 cron-sh/scripts/06_promisc.sh
 delete mode 100755 cron-sh/security_check.sh
(limited to 'cron-sh')
diff --git a/cron-sh/Makefile b/cron-sh/Makefile
index 2f75459..e4eaa87 100644
--- a/cron-sh/Makefile
+++ b/cron-sh/Makefile
@@ -1,6 +1,6 @@
 all:
- for f in *.sh; do bash -n $$f || exit 1; done
+ for f in *.sh scripts/*.sh; do bash -n $$f || exit 1; done
 
 install:
- mkdir -p /etc/security/msec/cron-sh
- cp *.sh /etc/security/msec/cron-sh
+ mkdir -p $(RPM_BUILD_ROOT)/usr/share/msec/scripts
+ for f in *.sh scripts/*.sh; do install -m755 $$f $(RPM_BUILD_ROOT)/usr/share/msec/$$f; done
diff --git a/cron-sh/diff_check.sh b/cron-sh/diff_check.sh
deleted file mode 100755
index 4761dc2..0000000
--- a/cron-sh/diff_check.sh
+++ /dev/null
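Review bot: The new `install:` loop does not propagate failure: `for f in *.sh scripts/*.sh; do install -m755 $$f ...; done` returns the status of the last `install` only, so a failed copy of an earlier script leaves the recipe green, whereas the `all:` target just above guards its loop with `|| exit 1`. Adding the same guard, `for f in *.sh scripts/*.sh; do install -m755 $$f $(RPM_BUILD_ROOT)/usr/share/msec/$$f || exit 1; done`, keeps the two targets consistent. `functions.sh` is added with mode 100644 and is only sourced, so installing it with `-m755` is harmless but does not match the repository mode.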
@@ -1,240 +0,0 @@ -#!/bin/bash -# -# Written by Vandoorselaere Yoann -# - -if [[ -f /etc/security/msec/security.conf ]]; then - . /etc/security/msec/security.conf -else - echo "/etc/security/msec/security.conf don't exist." - exit 1 -fi - -if [[ ${CHECK_SECURITY} == no ]]; then - exit 0 -fi - -SECURITY_LOG="/var/log/security.log" -TMP=`mktemp /tmp/secure.XXXXXX` - -### New Suid root files detection -if [[ ${CHECK_SUID_ROOT} == yes ]]; then - - if [[ -f ${SUID_ROOT_YESTERDAY} ]]; then - if ! diff -u ${SUID_ROOT_YESTERDAY} ${SUID_ROOT_TODAY} > ${SUID_ROOT_DIFF}; then - printf "\nSecurity Warning: Change in Suid Root files found :\n" >> ${TMP} - grep '^+' ${SUID_ROOT_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do - printf "\t\t- Newly added suid root file : ${file}\n" - done >> ${TMP} - grep '^-' ${SUID_ROOT_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do - printf "\t\t- No longer present suid root file : ${file}\n" - done >> ${TMP} - fi - fi - -fi - -### New Sgid files detection -if [[ ${CHECK_SGID} == yes ]]; then - - if [[ -f ${SGID_YESTERDAY} ]]; then - if ! 
diff -u ${SGID_YESTERDAY} ${SGID_TODAY} > ${SGID_DIFF}; then - printf "\nSecurity Warning: Changes in Sgid files found :\n" >> ${TMP} - grep '^+' ${SGID_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do - printf "\t\t- Newly added sgid file : ${file}\n" - done >> ${TMP} - grep '^-' ${SGID_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do - printf "\t\t- No longer present sgid file : ${file}\n" - done >> ${TMP} - fi - fi - -fi - -### Writable files detection -if [[ ${CHECK_WRITABLE} == yes ]]; then - - if [[ -f ${WRITABLE_YESTERDAY} ]]; then - diff -u ${WRITABLE_YESTERDAY} ${WRITABLE_TODAY} > ${WRITABLE_DIFF} - if [ -s ${WRITABLE_DIFF} ]; then - printf "\nSecurity Warning: Change in World Writable Files found :\n" >> ${TMP} - grep '^+' ${WRITABLE_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do - printf "\t\t- Newly added writable file : ${file}\n" - done >> ${TMP} - grep '^-' ${WRITABLE_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do - printf "\t\t- No longer present writable file : ${file}\n" - done >> ${TMP} - fi - fi - -fi - -### Search Non Owned files -if [[ ${CHECK_UNOWNED} == yes ]]; then - - if [[ -f ${UNOWNED_USER_YESTERDAY} ]]; then - diff -u ${UNOWNED_USER_YESTERDAY} ${UNOWNED_USER_TODAY} > ${UNOWNED_USER_DIFF} - if [ -s ${UNOWNED_USER_DIFF} ]; then - printf "\nSecurity Warning: the following files aren't owned by an user :\n" >> ${TMP} - grep '^+' ${UNOWNED_USER_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do - printf "\t\t- Newly added un-owned file : ${file}\n" - done >> ${TMP} - grep '^-' ${UNOWNED_USER_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do - printf "\t\t- No longer present un-owned file : ${file}\n" - done >> ${TMP} - fi - fi - - if [[ -f ${UNOWNED_GROUP_YESTERDAY} ]]; then - diff -u ${UNOWNED_GROUP_YESTERDAY} ${UNOWNED_GROUP_TODAY} > ${UNOWNED_GROUP_DIFF} 
- if [ -s ${UNOWNED_GROUP_DIFF} ]; then - printf "\nSecurity Warning: the following files aren't owned by a group :\n" >> ${TMP} - grep '^+' ${UNOWNED_GROUP_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do - printf "\t\t- Newly added un-owned file : ${file}\n" - done >> ${TMP} - grep '^-' ${UNOWNED_GROUP_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do - printf "\t\t- No longer present un-owned file : ${file}\n" - done >> ${TMP} - fi - fi - -fi - -### Md5 check for SUID root fileg -if [[ ${CHECK_SUID_MD5} == yes ]]; then - ctrl_md5=0; - - if [[ -f ${SUID_MD5_YESTERDAY} ]]; then - diff -u ${SUID_MD5_YESTERDAY} ${SUID_MD5_TODAY} > ${SUID_MD5_DIFF} - if [ -s ${SUID_MD5_DIFF} ]; then - grep '^+' ${SUID_MD5_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | awk '{print $2}' | while read file; do - if cat ${SUID_MD5_YESTERDAY} | awk '{print $2}' | grep -qw ${file}; then - if [[ ${ctrl_md5} == 0 ]]; then - printf "\nSecurity Warning: the md5 checksum for one of your SUID files has changed,\n" >> ${TMP} - printf "\tmaybe an intruder modified one of these suid binary in order to put in a backdoor...\n" >> ${TMP} - ctrl_md5=1; - fi - printf "\t\t- Checksum changed file : ${file}\n" - fi - done >> ${TMP} - fi - fi - -fi - -### Changed open port -if [[ ${CHECK_OPEN_PORT} == yes ]]; then - - if [[ -f ${OPEN_PORT_YESTERDAY} ]]; then - diff -u ${OPEN_PORT_YESTERDAY} ${OPEN_PORT_TODAY} 1> ${OPEN_PORT_DIFF} - if [ -s ${OPEN_PORT_DIFF} ]; then - printf "\nSecurity Warning: There are modifications for port listening on your machine :\n" >> ${TMP} - grep '^+' ${OPEN_PORT_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do - printf "\t\t- Opened ports : ${file}\n" - done >> ${TMP} - grep '^-' ${OPEN_PORT_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do - printf "\t\t- Closed ports : ${file}\n" - done >> ${TMP} - fi - fi - -fi - -### Changed firewall -if [[ 
${CHECK_FIREWALL} == yes ]]; then - - if [[ -f ${FIREWALL_YESTERDAY} ]]; then - diff -u ${FIREWALL_YESTERDAY} ${FIREWALL_TODAY} 1> ${FIREWALL_DIFF} - if [ -s ${FIREWALL_DIFF} ]; then - printf "\nSecurity Warning: There are modifications for firewall configuration on your machine :\n" >> ${TMP} - grep '^+' ${FIREWALL_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do - printf "\t\t- New entries : ${file}\n" - done >> ${TMP} - grep '^-' ${FIREWALL_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do - printf "\t\t- Removed entries : ${file}\n" - done >> ${TMP} - fi - fi - -fi - -### rpm database -if [[ ${CHECK_RPM} == yes ]]; then - if [[ -f ${RPM_QA_YESTERDAY} ]]; then - diff -u ${RPM_QA_YESTERDAY} ${RPM_QA_TODAY} > ${RPM_QA_DIFF} - if [ -s ${RPM_QA_DIFF} ]; then - printf "\nSecurity Warning: These packages have changed on the system :\n" >> ${TMP} - grep '^+' ${RPM_QA_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do - printf "\t\t- Newly installed package : ${file}\n" - done >> ${TMP} - grep '^-' ${RPM_QA_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do - printf "\t\t- No longer present package : ${file}\n" - done >> ${TMP} - fi - fi - if [[ -f ${RPM_VA_YESTERDAY} ]]; then - diff -u ${RPM_VA_YESTERDAY} ${RPM_VA_TODAY} > ${RPM_VA_DIFF} - if [ -s ${RPM_VA_DIFF} ]; then - printf "\nSecurity Warning: These files belonging to packages have changed of status on the system :\n" >> ${TMP} - grep '^+' ${RPM_VA_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do - printf "\t\t- Newly modified : ${file}\n" - done >> ${TMP} - grep '^-' ${RPM_VA_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do - printf "\t\t- No longer modified : ${file}\n" - done >> ${TMP} - fi - fi - if [[ -f ${RPM_VA_CONFIG_YESTERDAY} ]]; then - diff -u ${RPM_VA_CONFIG_YESTERDAY} ${RPM_VA_CONFIG_TODAY} > ${RPM_VA_CONFIG_DIFF} - if [ 
-s ${RPM_VA_CONFIG_DIFF} ]; then - printf "\nSecurity Warning: These config files belonging to packages have changed of status on the system :\n" >> ${TMP} - grep '^+' ${RPM_VA_CONFIG_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do - printf "\t\t- Newly modified : ${file}\n" - done >> ${TMP} - grep '^-' ${RPM_VA_CONFIG_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do - printf "\t\t- No longer modified : ${file}\n" - done >> ${TMP} - fi - fi -fi - -### Changed chkrootkit -if [[ ${CHECK_CHKROOTKIT} == yes ]]; then - - if [[ -f ${CHKROOTKIT_YESTERDAY} ]]; then - diff -u ${CHKROOTKIT_YESTERDAY} ${CHKROOTKIT_TODAY} 1> ${CHKROOTKIT_DIFF} - if [ -s ${CHKROOTKIT_DIFF} ]; then - printf "\nSecurity Warning: There are modifications for chkrootkit results :\n" >> ${TMP} - grep '^+' ${CHKROOTKIT_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do - printf "\t\t- Added : ${file}\n" - done >> ${TMP} - grep '^-' ${CHKROOTKIT_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do - printf "\t\t- Removed : ${file}\n" - done >> ${TMP} - fi - fi -fi - - -######## Report ###### -date=`date` -hostname=`hostname` - -if [[ -s ${TMP} ]]; then - Syslog ${TMP} - Ttylog ${TMP} - - echo -e "\n\n*** Diff Check, ${date} ***\n" >> ${SECURITY_LOG} - cat ${TMP} >> ${SECURITY_LOG} - - Notifylog "MSEC has performed Diff Check on ${hostname} on ${date}. Changes in system security were detected and are available in ${SECURITY_LOG}." -else - Notifylog "MSEC has performed Diff Check on ${hostname} on ${date}. No changes were detected in system security." -fi - -Maillog "[msec] *** Diff Check on ${hostname}, ${date} ***" "${TMP}" - -if [[ -f ${TMP} ]]; then - rm -f ${TMP} -fi - diff --git a/cron-sh/functions.sh b/cron-sh/functions.sh new file mode 100644 index 0000000..e987d91 --- /dev/null +++ b/cron-sh/functions.sh 
@@ -0,0 +1,99 @@ +#!/bin/bash +# msec: shared function + +. /etc/sysconfig/i18n +if [[ -f /etc/profile.d/10lang.sh ]]; then + . /etc/profile.d/10lang.sh +fi + +if [[ -f /etc/security/msec/security.conf ]]; then + . /etc/security/msec/security.conf +else + echo "/etc/security/msec/security.conf don't exist." + exit 1 +fi + +if [ -r /etc/security/shell ]; then + . /etc/security/shell +fi + +umask ${UMASK_ROOT=077} + +# main security log +SECURITY_LOG="/var/log/security.log" + +# Modified filters coming from debian security scripts. +# rootfs is not listed among excluded types, because +# / is mounted twice, and filtering it would mess with excluded dir list +TYPE_FILTER='(devpts|sysfs|usbfs|tmpfs|binfmt_misc|rpc_pipefs|securityfs|auto|proc|msdos|fat|vfat|iso9660|ncpfs|smbfs|hfs|nfs|afs|coda|cifs|fuse.gvfs-fuse-daemon)' +MOUNTPOINT_FILTER='^\/mnt|^\/media' +DIR=`awk '$3 !~ /'$TYPE_FILTER'/ && $2 !~ /'$MOUNTPOINT_FILTER'/ \ + {print $2}' /proc/mounts | uniq` +PRINT="%h/%f\n" +EXCLUDEDIR=`awk '$3 ~ /'$TYPE_FILTER'/ || $2 ~ /'$MOUNTPOINT_FILTER'/ \ + {print $2}' /proc/mounts | uniq` +export EXCLUDEDIR +FILTER="\(`echo $EXCLUDEDIR | sed -e 's/ /\\\|/g'`\)" + +### Functions ### + +Syslog() { + if [[ ${SYSLOG_WARN} == yes ]]; then + cat ${1} | while read line; do + logger -t msec -- "${line}" + done + fi +} + +Ttylog() { + if [[ ${TTY_WARN} == yes ]]; then + for i in `w | grep -v "load\|TTY" | grep '^root' | awk '{print $2}'` ; do + cat ${1} > /dev/$i + done + fi +} + +Maillog() { + subject=${1} + text=${2} + SOMETHING_TO_SEND= + + if [[ ${MAIL_WARN} == yes ]]; then + # define a mail user + if [[ -z ${MAIL_USER} ]]; then + MAIL_USER="root" + fi + if [[ -x /bin/mail ]]; then + for f in ${text}; do + if [[ -s $f ]]; then + SOMETHING_TO_SEND=1 + break + fi + done + if [[ -z ${SOMETHING_TO_SEND} ]]; then + if [[ ${MAIL_EMPTY_CONTENT} != no ]]; then + /bin/mail -s "${subject}" "${MAIL_USER}" </dev/null` + if [ -x "$DBUS_SEND" ]; then + $DBUS_SEND --system --type=signal 
/com/mandriva/user com.mandriva.user.security_notification string:"$message" + fi + fi +} + +################## + diff --git a/cron-sh/promisc_check.sh b/cron-sh/promisc_check.sh deleted file mode 100755 index 4df9c25..0000000 --- a/cron-sh/promisc_check.sh +++ /dev/null @@ -1,52 +0,0 @@ -#!/bin/bash - -# Writen by Vandoorselaere Yoann - -Syslog() { - if [[ ${SYSLOG_WARN} == yes ]]; then - logger -t msec -- "${1}" - fi -} - -Ttylog() { - if [[ ${TTY_WARN} == yes ]]; then - w | grep -v "load\|TTY" | grep '^root' | awk '{print $2}' | while read line; do - echo -e "${1}" > /dev/$line - done - fi -} - -LogPromisc() { - date=`date` - Syslog "Security warning : $1 is in promiscuous mode." - Syslog " A sniffer is probably running on your system." - Ttylog "\\033[1;31mSecurity warning : $1 is in promiscuous mode.\\033[0;39m" - Ttylog "\\033[1;31mA sniffer is probably running on your system.\\033[0;39m" - echo -e "\n${date} Security warning : $1 is in promiscuous mode." >> /var/log/security.log - echo " A sniffer is probably running on your system." >> /var/log/security.log - -} - -if [[ -f /etc/security/msec/security.conf ]]; then - . /etc/security/msec/security.conf -else - echo "/etc/security/msec/security.conf don't exist." - exit 1 -fi - -if tail /var/log/security.log | grep -q "promiscuous"; then - # Dont flood with warning. - exit 0 -fi - -# Check if a network interface is in promiscuous mode... - -if [[ ${CHECK_PROMISC} == no ]]; then - exit 0; -fi - -for INTERFACE in `/sbin/ip link list | grep PROMISC | cut -f 2 -d ':';/usr/bin/promisc_check -q`; do - LogPromisc ${INTERFACE} -done - -# promisc_check.sh ends here diff --git a/cron-sh/scripts/01_files.sh b/cron-sh/scripts/01_files.sh new file mode 100755 index 0000000..dc20bd0 --- /dev/null +++ b/cron-sh/scripts/01_files.sh 
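Review bot: `. /etc/sysconfig/i18n` near the top of the functions.sh hunk is sourced unconditionally while `/etc/profile.d/10lang.sh` two lines later is guarded with a `-f` test; on a host without that file bash reports an error and continues, and since every script under `scripts/` relies on this file the guard should be the same: `if [[ -f /etc/sysconfig/i18n ]]; then . /etc/sysconfig/i18n; fi`. In `Syslog` the loop `cat ${1} | while read line` should read `while IFS= read -r line; do ... done < "${1}"` so backslashes in logged file names reach `logger` unchanged. `Maillog` assigns `subject`, `text` and `SOMETHING_TO_SEND` as globals; declaring them `local` keeps them from leaking into the scripts that source this file. The part of the hunk between the `/bin/mail` call and the dbus-send lookup is garbled in this rendering, so `Notifylog` could not be reviewed.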
@@ -0,0 +1,327 @@ +#!/bin/bash +# msec: security check for suid_root binaries + +# check if we are run from main script +if [ -z "$MSEC_TMP" -o -z "$INFOS" -o -z "$SECURITY" -o -z "$DIFF" -o -z "$SECURITY_LOG" ]; then + # variables are set in security.sh and propagated to the subscripts + echo "Error: this check should be run by the main msec security check!" + echo " do not run it directly unless you know what you are doing." + return 1 +fi + +export SUID_ROOT_TODAY="/var/log/security/suid_root.today" +SUID_ROOT_YESTERDAY="/var/log/security/suid_root.yesterday" +SUID_ROOT_DIFF="/var/log/security/suid_root.diff" +export SGID_TODAY="/var/log/security/sgid.today" +SGID_YESTERDAY="/var/log/security/sgid.yesterday" +SGID_DIFF="/var/log/security/sgid.diff" +export SUID_MD5_TODAY="/var/log/security/suid_md5.today" +SUID_MD5_YESTERDAY="/var/log/security/suid_md5.yesterday" +SUID_MD5_DIFF="/var/log/security/suid_md5.diff" +export WRITABLE_TODAY="/var/log/security/writable.today" +WRITABLE_YESTERDAY="/var/log/security/writable.yesterday" +WRITABLE_DIFF="/var/log/security/writable.diff" +export UNOWNED_USER_TODAY="/var/log/security/unowned_user.today" +UNOWNED_USER_YESTERDAY="/var/log/security/unowned_user.yesterday" +UNOWNED_USER_DIFF="/var/log/security/unowned_user.diff" +export UNOWNED_GROUP_TODAY="/var/log/security/unowned_group.today" +UNOWNED_GROUP_YESTERDAY="/var/log/security/unowned_group.yesterday" +UNOWNED_GROUP_DIFF="/var/log/security/unowned_group.diff" + +if [[ -f ${SUID_ROOT_TODAY} ]]; then + mv ${SUID_ROOT_TODAY} ${SUID_ROOT_YESTERDAY}; +fi + +if [[ -f ${SGID_TODAY} ]]; then + mv ${SGID_TODAY} ${SGID_YESTERDAY}; +fi + +if [[ -f ${SUID_MD5_TODAY} ]]; then + mv ${SUID_MD5_TODAY} ${SUID_MD5_YESTERDAY}; +fi + +if [[ -f ${WRITABLE_TODAY} ]]; then + mv ${WRITABLE_TODAY} ${WRITABLE_YESTERDAY}; +fi + +if [[ -f ${UNOWNED_USER_TODAY} ]]; then + mv ${UNOWNED_USER_TODAY} ${UNOWNED_USER_YESTERDAY}; +fi + +if [[ -f ${UNOWNED_GROUP_TODAY} ]]; then + mv ${UNOWNED_GROUP_TODAY} 
${UNOWNED_GROUP_YESTERDAY}; +fi + +# only running this check when really required +if [[ ${CHECK_SUID_MD5} == yes || ${CHECK_SUID_ROOT} == yes || ${CHECK_SGID} == yes || ${CHECK_WRITABLE} == yes || ${CHECK_UNOWNED} == yes ]]; then + + # Hard disk related file check; the less priority the better... + nice --adjustment=+19 /usr/bin/msec_find ${DIR} +fi + +if [[ -f ${SUID_ROOT_TODAY} ]]; then + sort < ${SUID_ROOT_TODAY} > ${SUID_ROOT_TODAY}.tmp + mv -f ${SUID_ROOT_TODAY}.tmp ${SUID_ROOT_TODAY} +fi + +if [[ -f ${SGID_TODAY} ]]; then + sort < ${SGID_TODAY} > ${SGID_TODAY}.tmp + mv -f ${SGID_TODAY}.tmp ${SGID_TODAY} +fi + +if [[ -f ${WRITABLE_TODAY} ]]; then + sort < ${WRITABLE_TODAY} | egrep -v '^(/var)?/tmp$' > ${WRITABLE_TODAY}.tmp + mv -f ${WRITABLE_TODAY}.tmp ${WRITABLE_TODAY} +fi + +if [[ -f ${UNOWNED_USER_TODAY} ]]; then + sort < ${UNOWNED_USER_TODAY} > ${UNOWNED_USER_TODAY}.tmp + mv -f ${UNOWNED_USER_TODAY}.tmp ${UNOWNED_USER_TODAY} +fi + +if [[ -f ${UNOWNED_GROUP_TODAY} ]]; then + sort < ${UNOWNED_GROUP_TODAY} > ${UNOWNED_GROUP_TODAY}.tmp + mv -f ${UNOWNED_GROUP_TODAY}.tmp ${UNOWNED_GROUP_TODAY} +fi + +if [[ -f ${SUID_ROOT_TODAY} && ${CHECK_SUID_MD5} == yes ]]; then + while read line; do + md5sum ${line} + done < ${SUID_ROOT_TODAY} > ${SUID_MD5_TODAY} +else + touch ${SUID_MD5_TODAY} +fi + +### New Suid root files detection +if [[ ${CHECK_SUID_ROOT} == yes ]]; then + + if [[ -f ${SUID_ROOT_YESTERDAY} ]]; then + if ! 
diff -u ${SUID_ROOT_YESTERDAY} ${SUID_ROOT_TODAY} > ${SUID_ROOT_DIFF}; then + printf "\nSecurity Warning: Change in Suid Root files found :\n" >> ${DIFF} + grep '^+' ${SUID_ROOT_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do + printf "\t\t- Newly added suid root file : ${file}\n" + done >> ${DIFF} + grep '^-' ${SUID_ROOT_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do + printf "\t\t- No longer present suid root file : ${file}\n" + done >> ${DIFF} + fi + fi + +fi + +### New Sgid files detection +if [[ ${CHECK_SGID} == yes ]]; then + + if [[ -f ${SGID_YESTERDAY} ]]; then + if ! diff -u ${SGID_YESTERDAY} ${SGID_TODAY} > ${SGID_DIFF}; then + printf "\nSecurity Warning: Changes in Sgid files found :\n" >> ${DIFF} + grep '^+' ${SGID_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do + printf "\t\t- Newly added sgid file : ${file}\n" + done >> ${DIFF} + grep '^-' ${SGID_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do + printf "\t\t- No longer present sgid file : ${file}\n" + done >> ${DIFF} + fi + fi + +fi + +### Writable files detection +if [[ ${CHECK_WRITABLE} == yes ]]; then + + if [[ -f ${WRITABLE_YESTERDAY} ]]; then + diff -u ${WRITABLE_YESTERDAY} ${WRITABLE_TODAY} > ${WRITABLE_DIFF} + if [ -s ${WRITABLE_DIFF} ]; then + printf "\nSecurity Warning: Change in World Writable Files found :\n" >> ${DIFF} + grep '^+' ${WRITABLE_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do + printf "\t\t- Newly added writable file : ${file}\n" + done >> ${DIFF} + grep '^-' ${WRITABLE_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do + printf "\t\t- No longer present writable file : ${file}\n" + done >> ${DIFF} + fi + fi + +fi + +### Search Non Owned files +if [[ ${CHECK_UNOWNED} == yes ]]; then + + if [[ -f ${UNOWNED_USER_YESTERDAY} ]]; then + diff -u ${UNOWNED_USER_YESTERDAY} ${UNOWNED_USER_TODAY} > 
${UNOWNED_USER_DIFF} + if [ -s ${UNOWNED_USER_DIFF} ]; then + printf "\nSecurity Warning: the following files aren't owned by an user :\n" >> ${DIFF} + grep '^+' ${UNOWNED_USER_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do + printf "\t\t- Newly added un-owned file : ${file}\n" + done >> ${DIFF} + grep '^-' ${UNOWNED_USER_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do + printf "\t\t- No longer present un-owned file : ${file}\n" + done >> ${DIFF} + fi + fi + + if [[ -f ${UNOWNED_GROUP_YESTERDAY} ]]; then + diff -u ${UNOWNED_GROUP_YESTERDAY} ${UNOWNED_GROUP_TODAY} > ${UNOWNED_GROUP_DIFF} + if [ -s ${UNOWNED_GROUP_DIFF} ]; then + printf "\nSecurity Warning: the following files aren't owned by a group :\n" >> ${DIFF} + grep '^+' ${UNOWNED_GROUP_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do + printf "\t\t- Newly added un-owned file : ${file}\n" + done >> ${DIFF} + grep '^-' ${UNOWNED_GROUP_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do + printf "\t\t- No longer present un-owned file : ${file}\n" + done >> ${DIFF} + fi + fi + +fi + +### Md5 check for SUID root fileg +if [[ ${CHECK_SUID_MD5} == yes ]]; then + ctrl_md5=0; + + if [[ -f ${SUID_MD5_YESTERDAY} ]]; then + diff -u ${SUID_MD5_YESTERDAY} ${SUID_MD5_TODAY} > ${SUID_MD5_DIFF} + if [ -s ${SUID_MD5_DIFF} ]; then + grep '^+' ${SUID_MD5_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | awk '{print $2}' | while read file; do + if cat ${SUID_MD5_YESTERDAY} | awk '{print $2}' | grep -qw ${file}; then + if [[ ${ctrl_md5} == 0 ]]; then + printf "\nSecurity Warning: the md5 checksum for one of your SUID files has changed,\n" >> ${DIFF} + printf "\tmaybe an intruder modified one of these suid binary in order to put in a backdoor...\n" >> ${DIFF} + ctrl_md5=1; + fi + printf "\t\t- Checksum changed file : ${file}\n" + fi + done >> ${DIFF} + fi + fi + +fi + +### Writable file detection +if 
[[ ${CHECK_WRITABLE} == yes ]]; then + if [[ -s ${WRITABLE_TODAY} ]]; then + printf "\nSecurity Warning: World Writable files found :\n" >> ${SECURITY} + cat ${WRITABLE_TODAY} | awk '{print "\t\t- " $0}' >> ${SECURITY} + fi +fi + +### Search Un Owned file +if [[ ${CHECK_UNOWNED} == yes ]]; then + if [[ -s ${UNOWNED_USER_TODAY} ]]; then + printf "\nSecurity Warning : User Unowned files found :\n" >> ${SECURITY} + printf "\t( theses files now have user \"nobody\" as their owner. )\n" >> ${SECURITY} + cat ${UNOWNED_USER_TODAY} | awk '{print "\t\t- " $0}' >> ${SECURITY} + cat ${UNOWNED_USER_TODAY} | while read line; do + if [[ ${FIX_UNOWNED} == yes ]]; then + chown nobody "${line}"; # Use quote if filename contain space. + fi + done + fi + + if [[ -s ${UNOWNED_GROUP_TODAY} ]]; then + printf "\nSecurity Warning : Group Unowned files found :\n" >> ${SECURITY} + printf "\t( theses files now have group \"nogroup\" as their group owner. )\n" >> ${SECURITY} + cat ${UNOWNED_GROUP_TODAY} | awk '{print "\t\t- " $0}' >> ${SECURITY} + cat ${UNOWNED_GROUP_TODAY} | while read line; do + if [[ ${FIX_UNOWNED} == yes ]]; then + chgrp nogroup "${line}"; # Use quote if filename contain space. + fi + done + fi +fi + +if [[ ${CHECK_USER_FILES} == yes ]]; then +# Files that should not be owned by someone else or readable. +list=".netrc .rhosts .shosts .Xauthority .gnupg/secring.gpg \ +.pgp/secring.pgp .ssh/identity .ssh/id_dsa .ssh/id_rsa .ssh/random_seed" +getent passwd | awk -F: '/^[^+-]/ { print $1 ":" $3 ":" $6 }' | +while IFS=: read username uid homedir; do + if ! expr "$homedir" : "$FILTER" > /dev/null; then + for f in ${list} ; do + file="${homedir}/${f}" + if [[ -f "${file}" ]] ; then + res=`ls -LldcGn "${file}" | sed 's/ \{1,\}/:/g'` + printf "${uid}:${username}:${file}:${res}\n" + fi + done + fi +done | awk -F: '$1 != $6 && $6 != "0" \ + { print "\t\t- " $3 " : file is owned by uid " $6 "." } + $4 ~ /^-...r/ \ + { print "\t\t- " $3 " : file is group readable." 
} + $4 ~ /^-......r/ \ + { print "\t\t- " $3 " : file is other readable." } + $4 ~ /^-....w/ \ + { print "\t\t- " $3 " : file is group writable." } + $4 ~ /^-.......w/ \ + { print "\t\t- " $3 " : file is other writable." }' > ${MSEC_TMP} + +if [[ -s ${MSEC_TMP} ]]; then + printf "\nSecurity Warning: these files shouldn't be owned by someone else or readable :\n" >> ${SECURITY} + cat ${MSEC_TMP} >> ${SECURITY} +fi + +### Files that should not be owned by someone else or writable. +list=".bashrc .bash_profile .bash_login .bash_logout .cshrc .emacs .exrc \ +.forward .klogin .login .logout .profile .tcshrc .fvwmrc .inputrc .kshrc \ +.nexrc .screenrc .ssh .ssh/config .ssh/authorized_keys .ssh/environment \ +.ssh/known_hosts .ssh/rc .twmrc .xsession .xinitrc .Xdefaults \ +.gnupg .gnupg/secring.gpg .ssh/identity .ssh/id_dsa .ssh/id_rsa \ +.Xauthority .cvspass .subversion/auth .purple/accounts.xml .config " +getent passwd | awk -F: '/^[^+-]/ { print $1 ":" $3 ":" $6 }' | \ +while IFS=: read username uid homedir; do + if ! expr "$homedir" : "$FILTER" > /dev/null; then + for f in ${list} ; do + file="${homedir}/${f}" + if [[ -e "${file}" ]] ; then + res=`ls -LldcGn "${file}" | sed 's/ \{1,\}/:/g'` + printf "${uid}:${username}:${file}:${res}\n" + fi + done + fi +done | awk -F: '$1 != $6 && $6 != "0" \ + { print "\t\t- " $3 " : file is owned by uid " $6 "." } + $4 ~ /^.....w/ \ + { print "\t\t- " $3 " : file is group writable." } + $4 ~ /^........w/ \ + { print "\t\t- " $3 " : file is other writable." }' > ${MSEC_TMP} + +if [[ -s ${MSEC_TMP} ]]; then + printf "\nSecurity Warning: theses files should not be owned by someone else or writable :\n" >> ${SECURITY} + cat ${MSEC_TMP} >> ${SECURITY} +fi + +### Check home directories. Directories should not be owned by someone else or writable. +getent passwd | awk -F: '/^[^+-]/ { print $1 ":" $3 ":" $6 }' | \ +while IFS=: read username uid homedir; do + if ! 
expr "$homedir" : "$FILTER" > /dev/null; then + if [[ -d "${homedir}" ]] ; then + realuid=`ls -LldGn "${homedir}"| awk '{ print $3 }'` + realuser=`ls -LldG "${homedir}"| awk '{ print $3 }'` + permissions=`ls -LldG "${homedir}"| awk '{ print $1 }'` + printf "${permissions}:${username}:(${uid}):${realuser}:(${realuid})\n" + fi + fi +done | awk -F: '$3 != $5 && $5 != "(0)" \ + { print "user=" $2 $3 " : home directory is owned by " $4 $5 "." } + $1 ~ /^d....w/ && $2 != "lp" && $2 != "mail" \ + { print "user=" $2 $3" : home directory is group writable." } + $1 ~ /^d.......w/ \ + { print "user=" $2 $3" : home directory is other writable." }' > ${MSEC_TMP} + +if [[ -s $MSEC_TMP ]] ; then + printf "\nSecurity Warning: these home directory should not be owned by someone else or writable :\n" >> ${SECURITY} + cat ${MSEC_TMP} >> ${SECURITY} +fi +fi # End of CHECK_USER_FILES + +# now check default permissions +if [[ ${CHECK_PERMS} == yes ]]; then + # running msec_perms + /usr/sbin/msecperms > ${MSEC_TMP} 2>&1 + if [[ -s ${MSEC_TMP} ]]; then + printf "\nPermissions changes on system files:\n" >> ${SECURITY} + cat ${MSEC_TMP} | sed -e 's/WARNING: //g' >> ${SECURITY} + fi +fi + diff --git a/cron-sh/scripts/02_network.sh b/cron-sh/scripts/02_network.sh new file mode 100755 index 0000000..f376724 --- /dev/null +++ b/cron-sh/scripts/02_network.sh 
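Review bot: Every report line in this hunk interpolates the file name into printf's format string, e.g. `printf "\t\t- Newly added suid root file : ${file}\n"` in the suid-root section, and the preceding `sed -e 's/%/%%/g'` only neutralises `%`: backslash sequences in a name are still expanded, so any name the find step reports (world-writable files can be created by unprivileged users) can split or forge lines in a report that, judging by `Ttylog` in functions.sh, may also be written raw to root's terminals. Passing the name as an argument, `printf '\t\t- Newly added suid root file : %s\n' "${file}"`, fixes this and makes the `sed` step unnecessary; the same pattern recurs in the sgid, writable, unowned and md5 sections here and in the 02_network.sh and 03_rpm.sh hunks. The md5 snapshot loop `while read line; do md5sum ${line}; done < ${SUID_ROOT_TODAY}` word-splits paths, so a suid binary whose path contains a space is never hashed; `while IFS= read -r line; do md5sum -- "${line}"; done` keeps each path intact. In the same section `grep -qw ${file}` uses the path as an unquoted regular expression; `grep -qwF -- "${file}"` matches it literally.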
@@ -0,0 +1,79 @@ +#!/bin/bash +# msec: network security checks + +# check if we are run from main script +if [ -z "$MSEC_TMP" -o -z "$INFOS" -o -z "$SECURITY" -o -z "$DIFF" -o -z "$SECURITY_LOG" ]; then + # variables are set in security.sh and propagated to the subscripts + echo "Error: this check should be run by the main msec security check!" + echo " do not run it directly unless you know what you are doing." + return 1 +fi + +export OPEN_PORT_TODAY="/var/log/security/open_port.today" +OPEN_PORT_YESTERDAY="/var/log/security/open_port.yesterday" +OPEN_PORT_DIFF="/var/log/security/open_port.diff" +export FIREWALL_TODAY="/var/log/security/open_port.today" +FIREWALL_YESTERDAY="/var/log/security/open_port.yesterday" +FIREWALL_DIFF="/var/log/security/open_port.diff" + +if [[ -f ${OPEN_PORT_TODAY} ]]; then + mv -f ${OPEN_PORT_TODAY} ${OPEN_PORT_YESTERDAY} +fi + +if [[ -f ${FIREWALL_TODAY} ]]; then + mv -f ${FIREWALL_TODAY} ${FIREWALL_YESTERDAY} +fi + +if [[ ${CHECK_OPEN_PORT} == yes ]]; then + netstat -pvlA inet,inet6 2> /dev/null > ${OPEN_PORT_TODAY}; +fi + +if [[ ${CHECK_FIREWALL} == yes ]]; then + iptables -L 2>/dev/null > ${FIREWALL_TODAY} +fi + +### Changed open port +if [[ ${CHECK_OPEN_PORT} == yes ]]; then + + if [[ -f ${OPEN_PORT_YESTERDAY} ]]; then + diff -u ${OPEN_PORT_YESTERDAY} ${OPEN_PORT_TODAY} 1> ${OPEN_PORT_DIFF} + if [ -s ${OPEN_PORT_DIFF} ]; then + printf "\nSecurity Warning: There are modifications for port listening on your machine :\n" >> ${DIFF} + grep '^+' ${OPEN_PORT_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do + printf "\t\t- Opened ports : ${file}\n" + done >> ${DIFF} + grep '^-' ${OPEN_PORT_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do + printf "\t\t- Closed ports : ${file}\n" + done >> ${DIFF} + fi + fi + +fi + +### Changed firewall +if [[ ${CHECK_FIREWALL} == yes ]]; then + + if [[ -f ${FIREWALL_YESTERDAY} ]]; then + diff -u ${FIREWALL_YESTERDAY} ${FIREWALL_TODAY} 1> 
${FIREWALL_DIFF} + if [ -s ${FIREWALL_DIFF} ]; then + printf "\nSecurity Warning: There are modifications for firewall configuration on your machine :\n" >> ${DIFF} + grep '^+' ${FIREWALL_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do + printf "\t\t- New entries : ${file}\n" + done >> ${DIFF} + grep '^-' ${FIREWALL_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do + printf "\t\t- Removed entries : ${file}\n" + done >> ${DIFF} + fi + fi + +fi + +### Dump a list of open port. +if [[ ${CHECK_OPEN_PORT} == yes ]]; then + + if [[ -s ${OPEN_PORT_TODAY} ]]; then + printf "\nThese are the ports listening on your machine :\n" >> ${INFOS} + cat ${OPEN_PORT_TODAY} >> ${INFOS} + fi +fi + diff --git a/cron-sh/scripts/03_rpm.sh b/cron-sh/scripts/03_rpm.sh new file mode 100755 index 0000000..6bd4307 --- /dev/null +++ b/cron-sh/scripts/03_rpm.sh 
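Review bot: `FIREWALL_TODAY`, `FIREWALL_YESTERDAY` and `FIREWALL_DIFF` are set to the same `open_port.*` paths as the `OPEN_PORT_*` variables three lines above, so when both checks are enabled `iptables -L > ${FIREWALL_TODAY}` overwrites the netstat snapshot, the "port listening" diff and the listing appended to `${INFOS}` show firewall rules instead, and the real port list is never compared with yesterday's. The three assignments should get their own files: `export FIREWALL_TODAY="/var/log/security/firewall.today"`, `FIREWALL_YESTERDAY="/var/log/security/firewall.yesterday"`, `FIREWALL_DIFF="/var/log/security/firewall.diff"`. Separately, `iptables -L` resolves addresses and service names, which makes the snapshot slow and lets its text change between days without any rule change; `iptables -nL` gives a stable listing to diff.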
@@ -0,0 +1,107 @@ +#!/bin/bash +# msec: rpm security check + +# check if we are run from main script +if [ -z "$MSEC_TMP" -o -z "$INFOS" -o -z "$SECURITY" -o -z "$DIFF" -o -z "$SECURITY_LOG" ]; then + # variables are set in security.sh and propagated to the subscripts + echo "Error: this check should be run by the main msec security check!" + echo " do not run it directly unless you know what you are doing." + return 1 +fi + +export RPM_VA_TODAY="/var/log/security/rpm-va.today" +RPM_VA_YESTERDAY="/var/log/security/rpm-va.yesterday" +RPM_VA_DIFF="/var/log/security/rpm-va.diff" +export RPM_VA_CONFIG_TODAY="/var/log/security/rpm-va-config.today" +RPM_VA_CONFIG_YESTERDAY="/var/log/security/rpm-va-config.yesterday" +RPM_VA_CONFIG_DIFF="/var/log/security/rpm-va-config.diff" +export RPM_QA_TODAY="/var/log/security/rpm-qa.today" +RPM_QA_YESTERDAY="/var/log/security/rpm-qa.yesterday" +RPM_QA_DIFF="/var/log/security/rpm-qa.diff" + +if [[ -f ${RPM_VA_TODAY} ]]; then + mv -f ${RPM_VA_TODAY} ${RPM_VA_YESTERDAY} +fi + +if [[ -f ${RPM_VA_CONFIG_TODAY} ]]; then + mv -f ${RPM_VA_CONFIG_TODAY} ${RPM_VA_CONFIG_YESTERDAY} +fi + +if [[ -f ${RPM_QA_TODAY} ]]; then + mv -f ${RPM_QA_TODAY} ${RPM_QA_YESTERDAY} +fi + +if [[ -f ${CHKROOTKIT_TODAY} ]]; then + mv -f ${CHKROOTKIT_TODAY} ${CHKROOTKIT_YESTERDAY} +fi + +### rpm database check + +if [[ ${CHECK_RPM} == yes ]]; then + rpm -qa --qf "%{NAME}-%{VERSION}-%{RELEASE}\t%{INSTALLTIME}\n" | sort > ${RPM_QA_TODAY} + + rm -f ${RPM_VA_TODAY}.tmp + nice --adjustment=+19 rpm -Va --noscripts | grep '^..5' | sort > ${RPM_VA_TODAY}.tmp + grep -v '^..........c.' ${RPM_VA_TODAY}.tmp | sed 's/^............//' | sort > ${RPM_VA_TODAY} + grep '^..........c.' 
${RPM_VA_TODAY}.tmp | sed 's/^............//' | sort > ${RPM_VA_CONFIG_TODAY} + rm -f ${RPM_VA_TODAY}.tmp +fi + +### rpm database checks +if [[ ${CHECK_RPM} == yes ]]; then + + if [[ -s ${RPM_VA_TODAY} ]]; then + printf "\nSecurity Warning: These files belonging to packages are modified on the system :\n" >> ${SECURITY} + cat ${RPM_VA_TODAY} | while read f; do + printf "\t\t- $f\n" + done >> ${SECURITY} + fi + + if [[ -s ${RPM_VA_CONFIG_TODAY} ]]; then + printf "\nSecurity Warning: These config files belonging to packages are modified on the system :\n" >> ${SECURITY} + cat ${RPM_VA_CONFIG_TODAY} | while read f; do + printf "\t\t- $f\n" + done >> ${SECURITY} + fi +fi + +### rpm database +if [[ ${CHECK_RPM} == yes ]]; then + if [[ -f ${RPM_QA_YESTERDAY} ]]; then + diff -u ${RPM_QA_YESTERDAY} ${RPM_QA_TODAY} > ${RPM_QA_DIFF} + if [ -s ${RPM_QA_DIFF} ]; then + printf "\nSecurity Warning: These packages have changed on the system :\n" >> ${DIFF} + grep '^+' ${RPM_QA_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do + printf "\t\t- Newly installed package : ${file}\n" + done >> ${DIFF} + grep '^-' ${RPM_QA_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do + printf "\t\t- No longer present package : ${file}\n" + done >> ${DIFF} + fi + fi + if [[ -f ${RPM_VA_YESTERDAY} ]]; then + diff -u ${RPM_VA_YESTERDAY} ${RPM_VA_TODAY} > ${RPM_VA_DIFF} + if [ -s ${RPM_VA_DIFF} ]; then + printf "\nSecurity Warning: These files belonging to packages have changed of status on the system :\n" >> ${DIFF} + grep '^+' ${RPM_VA_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do + printf "\t\t- Newly modified : ${file}\n" + done >> ${DIFF} + grep '^-' ${RPM_VA_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do + printf "\t\t- No longer modified : ${file}\n" + done >> ${DIFF} + fi + fi + if [[ -f ${RPM_VA_CONFIG_YESTERDAY} ]]; then + diff -u ${RPM_VA_CONFIG_YESTERDAY} 
${RPM_VA_CONFIG_TODAY} > ${RPM_VA_CONFIG_DIFF} + if [ -s ${RPM_VA_CONFIG_DIFF} ]; then + printf "\nSecurity Warning: These config files belonging to packages have changed of status on the system :\n" >> ${DIFF} + grep '^+' ${RPM_VA_CONFIG_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do + printf "\t\t- Newly modified : ${file}\n" + done >> ${DIFF} + grep '^-' ${RPM_VA_CONFIG_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do + printf "\t\t- No longer modified : ${file}\n" + done >> ${DIFF} + fi + fi +fi + diff --git a/cron-sh/scripts/04_rootkit.sh b/cron-sh/scripts/04_rootkit.sh new file mode 100755 index 0000000..b83e727 --- /dev/null +++ b/cron-sh/scripts/04_rootkit.sh 
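Review bot: The `if [[ -f ${CHKROOTKIT_TODAY} ]] ... mv` rotation near the top of this file uses variables that, in the files visible here, are assigned only in 04_rootkit.sh, which is sourced after this script; on every run the test sees an empty name, nothing is rotated, and 04_rootkit.sh's 'Changed chkrootkit' block never finds a `${CHKROOTKIT_YESTERDAY}` to compare against. Move those three lines into 04_rootkit.sh directly after its `CHKROOTKIT_DIFF=` assignment and drop them here. Separately, the two 'rpm database checks' loops pass the file name as the printf format (`printf "\t\t- $f\n"`), so a path containing `%` is interpreted as a conversion; the diff loops below already guard this with `sed 's/%/%%/g'`, but the simpler and safer form is `printf '\t\t- %s\n' "$f"`.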
@@ -0,0 +1,49 @@
+#!/bin/bash
+# msec: rootkit security check
+
+# check if we are run from main script
+if [ -z "$MSEC_TMP" -o -z "$INFOS" -o -z "$SECURITY" -o -z "$DIFF" -o -z "$SECURITY_LOG" ]; then
+ # variables are set in security.sh and propagated to the subscripts
+ echo "Error: this check should be run by the main msec security check!"
+ echo " do not run it directly unless you know what you are doing."
+ return 1
+fi
+
+export CHKROOTKIT_TODAY="/var/log/security/chkrootkit.today"
+CHKROOTKIT_YESTERDAY="/var/log/security/chkrootkit.yesterday"
+CHKROOTKIT_DIFF="/var/log/security/chkrootkit.diff"
+
+### chkrootkit checks
+if [[ ${CHECK_CHKROOTKIT} == yes ]]; then
+ if [ -x /usr/sbin/chkrootkit ]; then
+ # do not check on NFS
+ /usr/sbin/chkrootkit -n ${CHKROOTKIT_OPTION} > ${CHKROOTKIT_TODAY}
+ fi
+fi
+
+### chkrootkit checks
+if [[ ${CHECK_CHKROOTKIT} == yes ]]; then
+
+ if [[ -s ${CHKROOTKIT_TODAY} ]]; then
+ printf "\nChkrootkit report:\n" >> ${SECURITY}
+ cat ${CHKROOTKIT_TODAY} >> ${SECURITY}
+ fi
+fi
+
+### Changed chkrootkit
+if [[ ${CHECK_CHKROOTKIT} == yes ]]; then
+
+ if [[ -f ${CHKROOTKIT_YESTERDAY} ]]; then
+ diff -u ${CHKROOTKIT_YESTERDAY} ${CHKROOTKIT_TODAY} 1> ${CHKROOTKIT_DIFF}
+ if [ -s ${CHKROOTKIT_DIFF} ]; then
+ printf "\nSecurity Warning: There are modifications for chkrootkit results :\n" >> ${DIFF}
+ grep '^+' ${CHKROOTKIT_DIFF} | grep -vw "^+++ " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
+ printf "\t\t- Added : ${file}\n"
+ done >> ${DIFF}
+ grep '^-' ${CHKROOTKIT_DIFF} | grep -vw "^--- " | sed 's|^.||'|sed -e 's/%/%%/g' | while read file; do
+ printf "\t\t- Removed : ${file}\n"
+ done >> ${DIFF}
+ fi
+ fi
+fi
+
diff --git a/cron-sh/scripts/05_access.sh b/cron-sh/scripts/05_access.sh
new file mode 100755
index 0000000..1168cd7
--- /dev/null
+++ b/cron-sh/scripts/05_access.sh
@@ -0,0 +1,125 @@ +#!/bin/bash +# msec: system access + +# check if we are run from main script +if [ -z "$MSEC_TMP" -o -z "$INFOS" -o -z "$SECURITY" -o -z "$DIFF" -o -z "$SECURITY_LOG" ]; then + # variables are set in security.sh and propagated to the subscripts + echo "Error: this check should be run by the main msec security check!" + echo " do not run it directly unless you know what you are doing." + return 1 +fi + +### Passwd file check +if [[ ${CHECK_PASSWD} == yes ]]; then + getent passwd | awk -F: '{ + if ( $2 == "" ) + printf("\t\t- /etc/passwd:%d: User \"%s\" has no password !\n", FNR, $1); + else if ($2 !~ /^[x*!]+$/) + printf("\t\t- /etc/passwd:%d: User \"%s\" has a real password (it is not shadowed).\n", FNR, $1); + else if ( $3 == 0 && $1 != "root" ) + printf("\t\t- /etc/passwd:%d: User \"%s\" has id 0 !\n", FNR, $1); + }' > ${MSEC_TMP} + + if [[ -s ${MSEC_TMP} ]]; then + printf "\nSecurity Warning: /etc/passwd check :\n" >> ${SECURITY} + cat ${MSEC_TMP} >> ${SECURITY} + fi +fi + +### Shadow password file Check +if [[ ${CHECK_SHADOW} == yes ]]; then + awk -F: '{ + if ( $2 == "" ) + printf("\t\t- /etc/shadow:%d: User \"%s\" has no password !\n", FNR, $1); + }' < /etc/shadow > ${MSEC_TMP} + + if [[ -s ${MSEC_TMP} ]]; then + printf "\nSecurity Warning: /etc/shadow check :\n" >> ${SECURITY} + cat ${MSEC_TMP} >> ${SECURITY} + fi +fi + +### File systems should not be globally exported. 
+if [[ -s /etc/exports ]] ; then + awk '{ + if (($1 ~ /^#/) || ($1 ~ /^$/)) next; + readonly = 0; + for (i = 2; i <= NF; ++i) { + if ($i ~ /^-ro$/) + readonly = 1; + else if ($i !~ /^-/) + next; + } + if (readonly) { + print "\t\t- Nfs File system " $1 " globally exported, read-only."; + } else print "\t\t- Nfs File system " $1 " globally exported, read-write."; + }' < /etc/exports > ${MSEC_TMP} + + if [[ -s ${MSEC_TMP} ]] ; then + printf "\nSecurity Warning: Some NFS filesystem are exported globally :\n" >> ${SECURITY} + cat ${MSEC_TMP} >> ${SECURITY} + fi +fi + +### nfs mounts with missing nosuid +/bin/mount | /bin/grep -v nosuid | /bin/grep ' nfs ' > ${MSEC_TMP} +if [[ -s ${MSEC_TMP} ]] ; then + printf "\nSecurity Warning: The following NFS mounts haven't got the nosuid option set :\n" >> ${SECURITY} + cat ${MSEC_TMP} | awk '{ print "\t\t- "$0 }' >> ${SECURITY} +fi + +### Files that should not have + signs. +list="/etc/hosts.equiv /etc/shosts.equiv /etc/hosts.lpd" +for file in $list ; do + if [[ -s ${file} ]] ; then + awk '{ + if ($0 ~ /^\+@.*$/) + next; + if ($0 ~ /^\+.*$/) + printf("\t\t- %s: %s\n", FILENAME, $0); + }' ${file} + fi +done > ${MSEC_TMP} + +### Passwd file check +if [[ ${CHECK_SHOSTS} == yes ]]; then + getent passwd | awk -F: '{print $1" "$6}' | + while read username homedir; do + if ! 
expr "$homedir" : "$FILTER" > /dev/null; then + for file in .rhosts .shosts; do + if [[ -s ${homedir}/${file} ]] ; then + awk '{ + if ($0 ~ /^\+@.*$/) + next; + if ($0 ~ /^\+.*$/) + printf("\t\t- %s: %s\n", FILENAME, $0); + }' ${homedir}/${file} + fi + done >> ${DIFF} + fi + done + + if [[ -s ${MSEC_TMP} ]]; then + printf "\nSecurity Warning: '+' character found in hosts trusting files,\n" >> ${SECURITY} + printf "\tthis probably mean that you trust certains users/domain\n" >> ${SECURITY} + printf "\tto connect on this host without proper authentication :\n" >> ${SECURITY} + cat ${MSEC_TMP} >> ${SECURITY} + fi +fi + +### executables should not be in the aliases file. +list="/etc/aliases /etc/postfix/aliases" +for file in ${list}; do + if [[ -s ${file} ]]; then + grep -v '^#' ${file} | grep '|' | while read line; do + printf "\t\t- ${line}\n" + done > ${MSEC_TMP} + fi + + if [[ -s ${MSEC_TMP} ]]; then + printf "\nSecurity Warning: The following programs are executed in your mail\n" >> ${SECURITY} + printf "\tvia ${file} files, this could lead to security problems :\n" >> ${SECURITY} + cat ${MSEC_TMP} >> ${SECURITY} + fi +done + diff --git a/cron-sh/scripts/06_promisc.sh b/cron-sh/scripts/06_promisc.sh new file mode 100755 index 0000000..e46620c --- /dev/null +++ b/cron-sh/scripts/06_promisc.sh 
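Review bot: In the CHECK_SHOSTS block the per-user `.rhosts`/`.shosts` findings are written with `done >> ${DIFF}`, so they land in the diff report as bare lines with no heading and never reach the "'+' character found in hosts trusting files" warning, which only reads ${MSEC_TMP}; the replaced security_check.sh appended to its temp file at this point, so this is a regression of the move and the line should be `done >> ${MSEC_TMP}`. The aliases loop at the end has a related reuse problem: ${MSEC_TMP} is rewritten only when `${file}` exists, so for a missing `/etc/aliases` or `/etc/postfix/aliases` the previous contents (the hosts-trusting results, or the other aliases file's lines) are reported again under the wrong file name; truncate it at the start of each iteration with `: > ${MSEC_TMP}` or move the report inside the `if [[ -s ${file} ]]` branch. `$FILTER` is also used in `expr "$homedir" : "$FILTER"` but is no longer assigned in security.sh; unless 01_files.sh or functions.sh (not shown here) sets it, the empty pattern makes the mount-point exclusion a no-op and every home directory is scanned.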
@@ -0,0 +1,53 @@
+#!/bin/bash
+# TODO: this is incomplete for new msec framework
+
+# Writen by Vandoorselaere Yoann
+
+Syslog() {
+ if [[ ${SYSLOG_WARN} == yes ]]; then
+ logger -t msec -- "${1}"
+ fi
+}
+
+Ttylog() {
+ if [[ ${TTY_WARN} == yes ]]; then
+ w | grep -v "load\|TTY" | grep '^root' | awk '{print $2}' | while read line; do
+ echo -e "${1}" > /dev/$line
+ done
+ fi
+}
+
+LogPromisc() {
+ date=`date`
+ Syslog "Security warning : $1 is in promiscuous mode."
+ Syslog " A sniffer is probably running on your system."
+ Ttylog "\\033[1;31mSecurity warning : $1 is in promiscuous mode.\\033[0;39m"
+ Ttylog "\\033[1;31mA sniffer is probably running on your system.\\033[0;39m"
+ echo -e "\n${date} Security warning : $1 is in promiscuous mode." >> /var/log/security.log
+ echo " A sniffer is probably running on your system." >> /var/log/security.log
+
+}
+
+if [[ -f /etc/security/msec/security.conf ]]; then
+ . /etc/security/msec/security.conf
+else
+ echo "/etc/security/msec/security.conf don't exist."
+ return 1
+fi
+
+if tail /var/log/security.log | grep -q "promiscuous"; then
+ # Dont flood with warning.
+ return 0
+fi
+
+# Check if a network interface is in promiscuous mode...
+
+if [[ ${CHECK_PROMISC} == no ]]; then
+ return 0;
+fi
+
+for INTERFACE in `/sbin/ip link list | grep PROMISC | cut -f 2 -d ':';/usr/bin/promisc_check -q`; do
+ LogPromisc ${INTERFACE}
+done
+
+# promisc_check.sh ends here
diff --git a/cron-sh/security.sh b/cron-sh/security.sh
index 4b02cf6..c636750 100755
--- a/cron-sh/security.sh
+++ b/cron-sh/security.sh
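Review bot: This script defines its own `Syslog()` and `Ttylog()`, which take a message string, but it is sourced into the main shell (the loop in security.sh does `. $script`), so its definitions replace the shared ones for the rest of the run; security.sh afterwards calls `Syslog ${SECURITY}` and `Ttylog ${DIFF}` with file names, and if functions.sh keeps the file-reading versions that the old security.sh defined, the syslog and the root ttys receive the literal `/tmp/secure.XXXXXX` path instead of the report. Rename the local helpers (for example `PromiscSyslog`/`PromiscTtylog`) or drop them and feed the shared ones through a temp file. The early `return 0` taken when the last ten lines of the log already mention 'promiscuous' also skips the interface check entirely, so an interface that stays promiscuous is reported once and then silently until other messages push the match out of `tail`; the TODO at the top suggests this is known, and a comment there saying so would help the next reader.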
@@ -1,27 +1,8 @@ #!/bin/bash - -. /etc/sysconfig/i18n -if [[ -f /etc/profile.d/10lang.sh ]]; then - . /etc/profile.d/10lang.sh -fi - -LCK=/var/run/msec-security.pid - -function cleanup() { - rm -f $LCK -} - -if [ -f $LCK ]; then - if [ -d /proc/`cat $LCK` ]; then - exit 0 - else - rm -f $LCK - fi -fi - -echo -n $$ > $LCK - -trap cleanup 0 +# msec: this is the main security auditing script +# it runs all executable scripts from /usr/share/msec/scripts +# which should be named NN_script_name.sh, where NN represents +# the order in which they should be executed if [[ -f /etc/security/msec/security.conf ]]; then . /etc/security/msec/security.conf 
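Review bot: The new header comment says the scripts are run, but the loop in the next hunk sources them with `.`, which is what lets them `return 1` and share `$MSEC_TMP`, `$SECURITY` and the other variables; it also means a function or variable a script defines overrides the main script's for the rest of the run. Add a line to the header such as `# scripts are sourced into this shell (not executed): they see its variables and any function they define replaces the one from functions.sh`.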
@@ -30,245 +11,92 @@ else exit 1 fi -if [ -r /etc/security/shell ]; then - . /etc/security/shell +# is security check enabled? +if [[ ${CHECK_SECURITY} != yes ]]; then + exit 0 fi -umask ${UMASK_ROOT=077} - -[[ ${MAIL_WARN} == yes ]] && [ -z ${MAIL_USER} ] && MAIL_USER="root" - -export SUID_ROOT_TODAY="/var/log/security/suid_root.today" -SUID_ROOT_YESTERDAY="/var/log/security/suid_root.yesterday" -SUID_ROOT_DIFF="/var/log/security/suid_root.diff" -export SGID_TODAY="/var/log/security/sgid.today" -SGID_YESTERDAY="/var/log/security/sgid.yesterday" -SGID_DIFF="/var/log/security/sgid.diff" -export SUID_MD5_TODAY="/var/log/security/suid_md5.today" -SUID_MD5_YESTERDAY="/var/log/security/suid_md5.yesterday" -SUID_MD5_DIFF="/var/log/security/suid_md5.diff" -export OPEN_PORT_TODAY="/var/log/security/open_port.today" -OPEN_PORT_YESTERDAY="/var/log/security/open_port.yesterday" -OPEN_PORT_DIFF="/var/log/security/open_port.diff" -export FIREWALL_TODAY="/var/log/security/open_port.today" -FIREWALL_YESTERDAY="/var/log/security/open_port.yesterday" -FIREWALL_DIFF="/var/log/security/open_port.diff" -export WRITABLE_TODAY="/var/log/security/writable.today" -WRITABLE_YESTERDAY="/var/log/security/writable.yesterday" -WRITABLE_DIFF="/var/log/security/writable.diff" -export UNOWNED_USER_TODAY="/var/log/security/unowned_user.today" -UNOWNED_USER_YESTERDAY="/var/log/security/unowned_user.yesterday" -UNOWNED_USER_DIFF="/var/log/security/unowned_user.diff" -export UNOWNED_GROUP_TODAY="/var/log/security/unowned_group.today" -UNOWNED_GROUP_YESTERDAY="/var/log/security/unowned_group.yesterday" -UNOWNED_GROUP_DIFF="/var/log/security/unowned_group.diff" -export RPM_VA_TODAY="/var/log/security/rpm-va.today" -RPM_VA_YESTERDAY="/var/log/security/rpm-va.yesterday" -RPM_VA_DIFF="/var/log/security/rpm-va.diff" -export RPM_VA_CONFIG_TODAY="/var/log/security/rpm-va-config.today" -RPM_VA_CONFIG_YESTERDAY="/var/log/security/rpm-va-config.yesterday" 
-RPM_VA_CONFIG_DIFF="/var/log/security/rpm-va-config.diff" -export RPM_QA_TODAY="/var/log/security/rpm-qa.today" -RPM_QA_YESTERDAY="/var/log/security/rpm-qa.yesterday" -RPM_QA_DIFF="/var/log/security/rpm-qa.diff" -export CHKROOTKIT_TODAY="/var/log/security/chkrootkit.today" -CHKROOTKIT_YESTERDAY="/var/log/security/chkrootkit.yesterday" -CHKROOTKIT_DIFF="/var/log/security/chkrootkit.diff" -export EXCLUDE_REGEXP +. /usr/share/msec/functions.sh -# Modified filters coming from debian security scripts. -# rootfs is not listed among excluded types, because -# / is mounted twice, and filtering it would mess with excluded dir list -TYPE_FILTER='(devpts|sysfs|usbfs|tmpfs|binfmt_misc|rpc_pipefs|securityfs|auto|proc|msdos|fat|vfat|iso9660|ncpfs|smbfs|hfs|nfs|afs|coda|cifs)' -MOUNTPOINT_FILTER='^\/mnt|^\/media' -DIR=`awk '$3 !~ /'$TYPE_FILTER'/ && $2 !~ /'$MOUNTPOINT_FILTER'/ \ - {print $2}' /proc/mounts | uniq` -PRINT="%h/%f\n" -EXCLUDEDIR=`awk '$3 ~ /'$TYPE_FILTER'/ || $2 ~ /'$MOUNTPOINT_FILTER'/ \ - {print $2}' /proc/mounts | uniq` -export EXCLUDEDIR - -if [[ ! 
-d /var/log/security ]]; then - mkdir /var/log/security -fi - -if [[ -f ${SUID_ROOT_TODAY} ]]; then - mv ${SUID_ROOT_TODAY} ${SUID_ROOT_YESTERDAY}; -fi - -if [[ -f ${SGID_TODAY} ]]; then - mv ${SGID_TODAY} ${SGID_YESTERDAY}; -fi - -if [[ -f ${WRITABLE_TODAY} ]]; then - mv ${WRITABLE_TODAY} ${WRITABLE_YESTERDAY}; -fi - -if [[ -f ${UNOWNED_USER_TODAY} ]]; then - mv ${UNOWNED_USER_TODAY} ${UNOWNED_USER_YESTERDAY}; -fi - -if [[ -f ${UNOWNED_GROUP_TODAY} ]]; then - mv ${UNOWNED_GROUP_TODAY} ${UNOWNED_GROUP_YESTERDAY}; -fi - -if [[ -f ${OPEN_PORT_TODAY} ]]; then - mv -f ${OPEN_PORT_TODAY} ${OPEN_PORT_YESTERDAY} -fi - -if [[ -f ${FIREWALL_TODAY} ]]; then - mv -f ${FIREWALL_TODAY} ${FIREWALL_YESTERDAY} -fi +# variables +LCK=/var/run/msec-security.pid +SECURITY_LOG="/var/log/security.log" -if [[ -f ${SUID_MD5_TODAY} ]]; then - mv ${SUID_MD5_TODAY} ${SUID_MD5_YESTERDAY}; -fi +# log formatting +REPORT_DATE=`date "+%b %W %H:%M:%S"` +REPORT_HOSTNAME=`hostname` +LOG_PREFIX="$REPORT_DATE $REPORT_HOSTNAME" +SECURITY_PREFIX="$LOG_PREFIX security: " +INFO_PREFIX="$LOG_PREFIX info: " +DIFF_PREFIX="$LOG_PREFIX diff: " -if [[ -f ${RPM_VA_TODAY} ]]; then - mv -f ${RPM_VA_TODAY} ${RPM_VA_YESTERDAY} -fi -if [[ -f ${RPM_VA_CONFIG_TODAY} ]]; then - mv -f ${RPM_VA_CONFIG_TODAY} ${RPM_VA_CONFIG_YESTERDAY} -fi +function cleanup() { + # removing temporary files + rm -f $LCK $MSEC_TMP $SECURITY $INFOS $DIFF +} -if [[ -f ${RPM_QA_TODAY} ]]; then - mv -f ${RPM_QA_TODAY} ${RPM_QA_YESTERDAY} +if [ -f $LCK ]; then + if [ -d /proc/`cat $LCK` ]; then + exit 0 + else + rm -f $LCK + fi fi +echo -n $$ > $LCK +trap cleanup 0 1 2 15 -if [[ -f ${CHKROOTKIT_TODAY} ]]; then - mv -f ${CHKROOTKIT_TODAY} ${CHKROOTKIT_YESTERDAY} -fi +# temporary files +MSEC_TMP=`mktemp /tmp/secure.XXXXXX` +INFOS=`mktemp /tmp/secure.XXXXXX` +SECURITY=`mktemp /tmp/secure.XXXXXX` +DIFF=`mktemp /tmp/secure.XXXXXX` -if [[ ${CHECK_OPEN_PORT} == yes ]]; then - netstat -pvlA inet,inet6 2> /dev/null > ${OPEN_PORT_TODAY}; -fi - -if [[ 
${CHECK_FIREWALL} == yes ]]; then - iptables -L 2>/dev/null > ${FIREWALL_TODAY} +# creating security log dir if necessary +if [[ ! -d /var/log/security ]]; then + mkdir /var/log/security fi ionice -c3 -p $$ -# only running this check when really required -if [[ ${CHECK_SUID_MD5} == yes || ${CHECK_SUID_ROOT} == yes || ${CHECK_SGID} == yes || ${CHECK_WRITABLE} == yes || ${CHECK_UNOWNED} == yes ]]; then +for script in /usr/share/msec/scripts/*sh; do + test -x $script && . $script + ret=$? + if [ $ret -ne 0 ]; then + echo "MSEC: audit script $script failed" + fi +done - # Hard disk related file check; the less priority the better... - nice --adjustment=+19 /usr/bin/msec_find ${DIR} -fi +# fix permissions on newly created msec files according to system policy +/usr/sbin/msecperms -e '/var/log/msec.log' "$SECURITY_LOG" "/var/log/security/*" &> ${MSEC_TMP} -if [[ -f ${SUID_ROOT_TODAY} ]]; then - sort < ${SUID_ROOT_TODAY} > ${SUID_ROOT_TODAY}.tmp - mv -f ${SUID_ROOT_TODAY}.tmp ${SUID_ROOT_TODAY} -fi - -if [[ -f ${SGID_TODAY} ]]; then - sort < ${SGID_TODAY} > ${SGID_TODAY}.tmp - mv -f ${SGID_TODAY}.tmp ${SGID_TODAY} -fi - -if [[ -f ${WRITABLE_TODAY} ]]; then - sort < ${WRITABLE_TODAY} | egrep -v '^(/var)?/tmp$' > ${WRITABLE_TODAY}.tmp - mv -f ${WRITABLE_TODAY}.tmp ${WRITABLE_TODAY} -fi +# email/show results -if [[ -f ${UNOWNED_USER_TODAY} ]]; then - sort < ${UNOWNED_USER_TODAY} > ${UNOWNED_USER_TODAY}.tmp - mv -f ${UNOWNED_USER_TODAY}.tmp ${UNOWNED_USER_TODAY} -fi +# security check +if [[ -s ${SECURITY} ]]; then + Syslog ${SECURITY} + Ttylog ${SECURITY} -if [[ -f ${UNOWNED_GROUP_TODAY} ]]; then - sort < ${UNOWNED_GROUP_TODAY} > ${UNOWNED_GROUP_TODAY}.tmp - mv -f ${UNOWNED_GROUP_TODAY}.tmp ${UNOWNED_GROUP_TODAY} -fi + echo "$SECURITY_PREFIX *** Security Check, ${REPORT_DATE} ***" >> ${SECURITY_LOG} + cat ${SECURITY} | sed -e "s/^/$SECURITY_PREFIX/g" >> ${SECURITY_LOG} + cat ${INFOS} | sed -e "s/^/$INFO_PREFIX/g" >> ${SECURITY_LOG} -if [[ -f ${SUID_ROOT_TODAY} ]]; then - 
while read line; do - md5sum ${line} - done < ${SUID_ROOT_TODAY} > ${SUID_MD5_TODAY} + Maillog "[msec] *** Security Check on ${REPORT_HOSTNAME}, ${REPORT_DATE} ***" "${SECURITY} ${INFOS}" + Notifylog "MSEC has performed Security Check on ${REPORT_HOSTNAME} on ${REPORT_DATE}" fi -### rpm database check +# diff check +if [[ -s ${DIFF} ]]; then + Syslog ${DIFF} + Ttylog ${DIFF} -if [[ ${CHECK_RPM} == yes ]]; then - rpm -qa --qf "%{NAME}-%{VERSION}-%{RELEASE}\t%{INSTALLTIME}\n" | sort > ${RPM_QA_TODAY} + echo "$DIFF_PREFIX *** Diff Check, ${REPORT_DATE} ***" >> ${SECURITY_LOG} + cat ${DIFF} | sed -e "s/^/$DIFF_PREFIX/g" >> ${SECURITY_LOG} - rm -f ${RPM_VA_TODAY}.tmp - nice --adjustment=+19 rpm -Va --noscripts | grep '^..5' | sort > ${RPM_VA_TODAY}.tmp - grep -v '^..........c.' ${RPM_VA_TODAY}.tmp | sed 's/^............//' | sort > ${RPM_VA_TODAY} - grep '^..........c.' ${RPM_VA_TODAY}.tmp | sed 's/^............//' | sort > ${RPM_VA_CONFIG_TODAY} - rm -f ${RPM_VA_TODAY}.tmp -fi - -### chkrootkit checks -if [[ ${CHECK_CHKROOTKIT} == yes ]]; then - if [ -x /usr/sbin/chkrootkit ]; then - # do not check on NFS - /usr/sbin/chkrootkit -n ${CHKROOTKIT_OPTION} > ${CHKROOTKIT_TODAY} - fi + Notifylog "MSEC has performed Diff Check on ${REPORT_HOSTNAME} on ${REPORT_DATE}. Changes in system security were detected and are available in ${SECURITY_LOG}." +else + Notifylog "MSEC has performed Diff Check on ${REPORT_HOSTNAME} on ${REPORT_DATE}. No changes were detected in system security." 
fi -### Functions ### - -Syslog() { - if [[ ${SYSLOG_WARN} == yes ]]; then - while read line; do - logger -t msec -- "${line}" - done < ${1} - fi -} - -Ttylog() { - if [[ ${TTY_WARN} == yes ]]; then - for i in `w | grep -v "load\|TTY" | grep '^root' | awk '{print $2}'` ; do - cat ${1} > /dev/$i - done - fi -} - -Maillog() { - subject=${1} - text=${2} - SOMETHING_TO_SEND= - - if [[ ${MAIL_WARN} == yes ]]; then - if [[ -z ${MAIL_USER} ]]; then - MAIL_USER="root" - fi - if [[ -x /bin/mail ]]; then - for f in ${text}; do - if [[ -s $f ]]; then - SOMETHING_TO_SEND=1 - break - fi - done - if [[ -z ${SOMETHING_TO_SEND} ]]; then - if [[ ${MAIL_EMPTY_CONTENT} != no ]]; then - /bin/mail -s "${subject}" "${MAIL_USER}" </dev/null` - if [ -x "$DBUS_SEND" ]; then - $DBUS_SEND --system --type=signal /com/mandriva/user com.mandriva.user.security_notification string:"$message" - fi - fi -} - -################## - -. /usr/share/msec/diff_check.sh -. /usr/share/msec/security_check.sh +Maillog "[msec] *** Diff Check on ${REPORT_HOSTNAME}, ${REPORT_DATE} ***" "${DIFF}" diff --git a/cron-sh/security_check.sh b/cron-sh/security_check.sh deleted file mode 100755 index fe1418b..0000000 --- a/cron-sh/security_check.sh +++ /dev/null 
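Review bot: `REPORT_DATE=`date "+%b %W %H:%M:%S"`` uses `%W`, the Monday-based week number of the year, where the syslog-style prefix wants the day of the month, so every line written to ${SECURITY_LOG} and every mail subject carries a week number in the date field; use `%d`. In the script loop, `test -x $script && . $script` followed by `ret=$?` reports "audit script failed" for any non-executable file in the directory, because the failing `test` is what sets the status; `if [ -x "$script" ]; then . "$script" || echo "MSEC: audit script $script failed"; fi` reports only real failures, and `*.sh` would match the naming scheme described in the header better than `*sh`. The lock check `[ -d /proc/`cat $LCK` ]` still passes for an empty lock file (it tests `/proc/` itself), so a truncated lock blocks every future run; `pid=$(cat $LCK)` followed by `[ -n "$pid" ] && [ -d "/proc/$pid" ]` avoids that. The trap is installed after the lock file is written, so a failure between `echo -n $$ > $LCK` and `trap cleanup 0 1 2 15` leaves a stale lock; registering the trap before the echo closes that window.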
@@ -1,337 +0,0 @@ -#!/bin/bash - -# -# Written by Vandoorselaere Yoann -# - -if [[ -f /etc/security/msec/security.conf ]]; then - . /etc/security/msec/security.conf -else - echo "/etc/security/msec/security.conf don't exist." - exit 1 -fi - -if [[ ${CHECK_SECURITY} != yes ]]; then - exit 0 -fi - -INFOS=`mktemp /tmp/secure.XXXXXX` -SECURITY=`mktemp /tmp/secure.XXXXXX` -SECURITY_LOG="/var/log/security.log" -TMP=`mktemp /tmp/secure.XXXXXX` -FILTER="\(`echo $EXCLUDEDIR | sed -e 's/ /\\\|/g'`\)" - -if [[ ! -d /var/log/security ]]; then - mkdir /var/log/security -fi - -### Writable file detection -if [[ ${CHECK_WRITABLE} == yes ]]; then - if [[ -s ${WRITABLE_TODAY} ]]; then - printf "\nSecurity Warning: World Writable files found :\n" >> ${SECURITY} - cat ${WRITABLE_TODAY} | awk '{print "\t\t- " $0}' >> ${SECURITY} - fi -fi - -### Search Un Owned file -if [[ ${CHECK_UNOWNED} == yes ]]; then - if [[ -s ${UNOWNED_USER_TODAY} ]]; then - printf "\nSecurity Warning : User Unowned files found :\n" >> ${SECURITY} - printf "\t( theses files now have user \"nobody\" as their owner. )\n" >> ${SECURITY} - cat ${UNOWNED_USER_TODAY} | awk '{print "\t\t- " $0}' >> ${SECURITY} - cat ${UNOWNED_USER_TODAY} | while read line; do - if [[ ${FIX_UNOWNED} == yes ]]; then - chown nobody "${line}"; # Use quote if filename contain space. - fi - done - fi - - if [[ -s ${UNOWNED_GROUP_TODAY} ]]; then - printf "\nSecurity Warning : Group Unowned files found :\n" >> ${SECURITY} - printf "\t( theses files now have group \"nogroup\" as their group owner. )\n" >> ${SECURITY} - cat ${UNOWNED_GROUP_TODAY} | awk '{print "\t\t- " $0}' >> ${SECURITY} - cat ${UNOWNED_GROUP_TODAY} | while read line; do - if [[ ${FIX_UNOWNED} == yes ]]; then - chgrp nogroup "${line}"; # Use quote if filename contain space. - fi - done - fi -fi - -if [[ ${CHECK_USER_FILES} == yes ]]; then -# Files that should not be owned by someone else or readable. 
-list=".netrc .rhosts .shosts .Xauthority .gnupg/secring.gpg \ -.pgp/secring.pgp .ssh/identity .ssh/id_dsa .ssh/id_rsa .ssh/random_seed" -getent passwd | awk -F: '/^[^+-]/ { print $1 ":" $3 ":" $6 }' | -while IFS=: read username uid homedir; do - if ! expr "$homedir" : "$FILTER" > /dev/null; then - for f in ${list} ; do - file="${homedir}/${f}" - if [[ -f "${file}" ]] ; then - res=`ls -LldcGn "${file}" | sed 's/ \{1,\}/:/g'` - printf "${uid}:${username}:${file}:${res}\n" - fi - done - fi -done | awk -F: '$1 != $6 && $6 != "0" \ - { print "\t\t- " $3 " : file is owned by uid " $6 "." } - $4 ~ /^-...r/ \ - { print "\t\t- " $3 " : file is group readable." } - $4 ~ /^-......r/ \ - { print "\t\t- " $3 " : file is other readable." } - $4 ~ /^-....w/ \ - { print "\t\t- " $3 " : file is group writable." } - $4 ~ /^-.......w/ \ - { print "\t\t- " $3 " : file is other writable." }' > ${TMP} - -if [[ -s ${TMP} ]]; then - printf "\nSecurity Warning: these files shouldn't be owned by someone else or readable :\n" >> ${SECURITY} - cat ${TMP} >> ${SECURITY} -fi - -### Files that should not be owned by someone else or writable. -list=".bashrc .bash_profile .bash_login .bash_logout .cshrc .emacs .exrc \ -.forward .klogin .login .logout .profile .tcshrc .fvwmrc .inputrc .kshrc \ -.nexrc .screenrc .ssh .ssh/config .ssh/authorized_keys .ssh/environment \ -.ssh/known_hosts .ssh/rc .twmrc .xsession .xinitrc .Xdefaults \ -.gnupg .gnupg/secring.gpg .ssh/identity .ssh/id_dsa .ssh/id_rsa \ -.Xauthority .cvspass .subversion/auth .purple/accounts.xml .config " -getent passwd | awk -F: '/^[^+-]/ { print $1 ":" $3 ":" $6 }' | \ -while IFS=: read username uid homedir; do - if ! 
expr "$homedir" : "$FILTER" > /dev/null; then - for f in ${list} ; do - file="${homedir}/${f}" - if [[ -e "${file}" ]] ; then - res=`ls -LldcGn "${file}" | sed 's/ \{1,\}/:/g'` - printf "${uid}:${username}:${file}:${res}\n" - fi - done - fi -done | awk -F: '$1 != $6 && $6 != "0" \ - { print "\t\t- " $3 " : file is owned by uid " $6 "." } - $4 ~ /^.....w/ \ - { print "\t\t- " $3 " : file is group writable." } - $4 ~ /^........w/ \ - { print "\t\t- " $3 " : file is other writable." }' > ${TMP} - -if [[ -s ${TMP} ]]; then - printf "\nSecurity Warning: theses files should not be owned by someone else or writable :\n" >> ${SECURITY} - cat ${TMP} >> ${SECURITY} -fi - -### Check home directories. Directories should not be owned by someone else or writable. -getent passwd | awk -F: '/^[^+-]/ { print $1 ":" $3 ":" $6 }' | \ -while IFS=: read username uid homedir; do - if ! expr "$homedir" : "$FILTER" > /dev/null; then - if [[ -d "${homedir}" ]] ; then - realuid=`ls -LldGn "${homedir}"| awk '{ print $3 }'` - realuser=`ls -LldG "${homedir}"| awk '{ print $3 }'` - permissions=`ls -LldG "${homedir}"| awk '{ print $1 }'` - printf "${permissions}:${username}:(${uid}):${realuser}:(${realuid})\n" - fi - fi -done | awk -F: '$3 != $5 && $5 != "(0)" \ - { print "user=" $2 $3 " : home directory is owned by " $4 $5 "." } - $1 ~ /^d....w/ && $2 != "lp" && $2 != "mail" \ - { print "user=" $2 $3" : home directory is group writable." } - $1 ~ /^d.......w/ \ - { print "user=" $2 $3" : home directory is other writable." 
}' > ${TMP} - -if [[ -s $TMP ]] ; then - printf "\nSecurity Warning: these home directory should not be owned by someone else or writable :\n" >> ${SECURITY} - cat ${TMP} >> ${SECURITY} -fi -fi # End of CHECK_USER_FILES - -### Passwd file check -if [[ ${CHECK_PASSWD} == yes ]]; then - getent passwd | awk -F: '{ - if ( $2 == "" ) - printf("\t\t- /etc/passwd:%d: User \"%s\" has no password !\n", FNR, $1); - else if ($2 !~ /^[x*!]+$/) - printf("\t\t- /etc/passwd:%d: User \"%s\" has a real password (it is not shadowed).\n", FNR, $1); - else if ( $3 == 0 && $1 != "root" ) - printf("\t\t- /etc/passwd:%d: User \"%s\" has id 0 !\n", FNR, $1); - }' > ${TMP} - - if [[ -s ${TMP} ]]; then - printf "\nSecurity Warning: /etc/passwd check :\n" >> ${SECURITY} - cat ${TMP} >> ${SECURITY} - fi -fi - -### Shadow password file Check -if [[ ${CHECK_SHADOW} == yes ]]; then - awk -F: '{ - if ( $2 == "" ) - printf("\t\t- /etc/shadow:%d: User \"%s\" has no password !\n", FNR, $1); - }' < /etc/shadow > ${TMP} - - if [[ -s ${TMP} ]]; then - printf "\nSecurity Warning: /etc/shadow check :\n" >> ${SECURITY} - cat ${TMP} >> ${SECURITY} - fi -fi - -### File systems should not be globally exported. 
-if [[ -s /etc/exports ]] ; then - awk '{ - if (($1 ~ /^#/) || ($1 ~ /^$/)) next; - readonly = 0; - for (i = 2; i <= NF; ++i) { - if ($i ~ /^-ro$/) - readonly = 1; - else if ($i !~ /^-/) - next; - } - if (readonly) { - print "\t\t- Nfs File system " $1 " globally exported, read-only."; - } else print "\t\t- Nfs File system " $1 " globally exported, read-write."; - }' < /etc/exports > ${TMP} - - if [[ -s ${TMP} ]] ; then - printf "\nSecurity Warning: Some NFS filesystem are exported globally :\n" >> ${SECURITY} - cat ${TMP} >> ${SECURITY} - fi -fi - -### nfs mounts with missing nosuid -/bin/mount | /bin/grep -v nosuid | /bin/grep ' nfs ' > ${TMP} -if [[ -s ${TMP} ]] ; then - printf "\nSecurity Warning: The following NFS mounts haven't got the nosuid option set :\n" >> ${SECURITY} - cat ${TMP} | awk '{ print "\t\t- "$0 }' >> ${SECURITY} -fi - -### Files that should not have + signs. -list="/etc/hosts.equiv /etc/shosts.equiv /etc/hosts.lpd" -for file in $list ; do - if [[ -s ${file} ]] ; then - awk '{ - if ($0 ~ /^\+@.*$/) - next; - if ($0 ~ /^\+.*$/) - printf("\t\t- %s: %s\n", FILENAME, $0); - }' ${file} - fi -done > ${TMP} - -### Passwd file check -if [[ ${CHECK_SHOSTS} == yes ]]; then - getent passwd | awk -F: '{print $1" "$6}' | - while read username homedir; do - if ! expr "$homedir" : "$FILTER" > /dev/null; then - for file in .rhosts .shosts; do - if [[ -s ${homedir}/${file} ]] ; then - awk '{ - if ($0 ~ /^\+@.*$/) - next; - if ($0 ~ /^\+.*$/) - printf("\t\t- %s: %s\n", FILENAME, $0); - }' ${homedir}/${file} - fi - done >> ${TMP} - fi - done - - if [[ -s ${TMP} ]]; then - printf "\nSecurity Warning: '+' character found in hosts trusting files,\n" >> ${SECURITY} - printf "\tthis probably mean that you trust certains users/domain\n" >> ${SECURITY} - printf "\tto connect on this host without proper authentication :\n" >> ${SECURITY} - cat ${TMP} >> ${SECURITY} - fi -fi - -### executables should not be in the aliases file. 
-list="/etc/aliases /etc/postfix/aliases" -for file in ${list}; do - if [[ -s ${file} ]]; then - grep -v '^#' ${file} | grep '|' | while read line; do - printf "\t\t- ${line}\n" - done > ${TMP} - fi - - if [[ -s ${TMP} ]]; then - printf "\nSecurity Warning: The following programs are executed in your mail\n" >> ${SECURITY} - printf "\tvia ${file} files, this could lead to security problems :\n" >> ${SECURITY} - cat ${TMP} >> ${SECURITY} - fi -done - -### Dump a list of open port. -if [[ ${CHECK_OPEN_PORT} == yes ]]; then - - if [[ -s ${OPEN_PORT_TODAY} ]]; then - printf "\nThese are the ports listening on your machine :\n" >> ${INFOS} - cat ${OPEN_PORT_TODAY} >> ${INFOS} - fi -fi - - -### rpm database checks -if [[ ${CHECK_RPM} == yes ]]; then - - if [[ -s ${RPM_VA_TODAY} ]]; then - printf "\nSecurity Warning: These files belonging to packages are modified on the system :\n" >> ${SECURITY} - cat ${RPM_VA_TODAY} | while read f; do - printf "\t\t- $f\n" - done >> ${SECURITY} - fi - - if [[ -s ${RPM_VA_CONFIG_TODAY} ]]; then - printf "\nSecurity Warning: These config files belonging to packages are modified on the system :\n" >> ${SECURITY} - cat ${RPM_VA_CONFIG_TODAY} | while read f; do - printf "\t\t- $f\n" - done >> ${SECURITY} - fi -fi - -### chkrootkit checks -if [[ ${CHECK_CHKROOTKIT} == yes ]]; then - - if [[ -s ${CHKROOTKIT_TODAY} ]]; then - printf "\nChkrootkit report:\n" >> ${SECURITY} - cat ${CHKROOTKIT_TODAY} >> ${SECURITY} - fi -fi - -### file permissions -# fix permissions on newly created msec files according to system policy -/usr/sbin/msecperms -e '/var/log/msec.log' "$SECURITY_LOG" "/var/log/security/*" &> ${TMP} - -# now check default permissions -if [[ ${CHECK_PERMS} == yes ]]; then - # running msec_perms - /usr/sbin/msecperms > ${TMP} 2>&1 - if [[ -s ${TMP} ]]; then - printf "\nPermissions changes on system files:\n" >> ${SECURITY} - cat ${TMP} | sed -e 's/WARNING: //g' >> ${SECURITY} - fi -fi - - -### Report -if [[ -s ${SECURITY} ]]; then - 
Syslog ${SECURITY} - Ttylog ${SECURITY} - date=`date` - hostname=`hostname` - - echo -e "\n\n*** Security Check, ${date} ***\n" >> ${SECURITY_LOG} - cat ${SECURITY} >> ${SECURITY_LOG} - cat ${INFOS} >> ${SECURITY_LOG} - - Maillog "[msec] *** Security Check on ${hostname}, ${date} ***" "${SECURITY} ${INFOS}" - Notifylog "MSEC has performed Security Check on ${hostname} on ${date}" -fi - -if [[ -f ${SECURITY} ]]; then - rm -f ${SECURITY} -fi - -if [[ -f ${TMP} ]]; then - rm -f ${TMP} -fi - -if [[ -f ${INFOS} ]]; then - rm -f ${INFOS}; -fi -- cgit v1.2.1