From c60397c453fee88ec3e97d90ca2882d00fbd0b49 Mon Sep 17 00:00:00 2001 From: Eugeni Dodonov Date: Mon, 8 Feb 2010 14:07:22 +0000 Subject: Added support for periodic checks --- cron-sh/scripts/01_files.sh | 25 ++++++++++++------------- cron-sh/scripts/02_network.sh | 12 ++++++------ cron-sh/scripts/03_rpm.sh | 4 ++-- cron-sh/scripts/04_rootkit.sh | 6 +++--- cron-sh/scripts/05_access.sh | 10 +++++----- 5 files changed, 28 insertions(+), 29 deletions(-) (limited to 'cron-sh') diff --git a/cron-sh/scripts/01_files.sh b/cron-sh/scripts/01_files.sh index b7f2d76..698b8ef 100755 --- a/cron-sh/scripts/01_files.sh +++ b/cron-sh/scripts/01_files.sh @@ -53,8 +53,7 @@ if [[ -f ${UNOWNED_GROUP_TODAY} ]]; then fi # only running this check when really required -if [[ ${CHECK_SUID_MD5} == yes || ${CHECK_SUID_ROOT} == yes || ${CHECK_SGID} == yes || ${CHECK_WRITABLE} == yes || ${CHECK_UNOWNED} == yes ]]; then - +if check_is_enabled "${CHECK_SUID_MD5}" || check_is_enabled "${CHECK_SUID_ROOT}" || check_is_enabled "${CHECK_SGID}" || check_is_enabled "${CHECK_WRITABLE}" || check_is_enabled "${CHECK_UNOWNED}" ; then # Hard disk related file check; the less priority the better... nice --adjustment=+19 /usr/bin/msec_find ${DIR} fi @@ -90,7 +89,7 @@ if [[ -f ${UNOWNED_GROUP_TODAY} ]]; then mv -f ${UNOWNED_GROUP_TODAY}.tmp ${UNOWNED_GROUP_TODAY} fi -if [[ -f ${SUID_ROOT_TODAY} && ${CHECK_SUID_MD5} == yes ]]; then +if check_is_enabled "${CHECK_SUID_MD5}" && [[ -f ${SUID_ROOT_TODAY} ]]; then while read line; do md5sum ${line} done < ${SUID_ROOT_TODAY} > ${SUID_MD5_TODAY} @@ -99,25 +98,25 @@ else fi ### New Suid root files detection -if [[ ${CHECK_SUID_ROOT} == yes ]]; then +if check_is_enabled "${CHECK_SUID_ROOT}" ; then Diffcheck ${SUID_ROOT_TODAY} ${SUID_ROOT_YESTERDAY} ${SUID_ROOT_DIFF} "Suid Root files" Count ${INFOS} ${SUID_ROOT_TODAY} "Total of Suid Root files" fi ### New Sgid files detection -if [[ ${CHECK_SGID} == yes ]]; then +if check_is_enabled "${CHECK_SGID}" ; then Diffcheck ${SGID_TODAY} ${SGID_YESTERDAY} ${SGID_DIFF} "Sgid files" Count ${INFOS} ${SGID_TODAY} "Total of Sgid files" fi ### Writable files detection -if [[ ${CHECK_WRITABLE} == yes ]]; then +if check_is_enabled "${CHECK_WRITABLE}" ; then Diffcheck ${WRITABLE_TODAY} ${WRITABLE_YESTERDAY} ${WRITABLE_DIFF} "World Writable files" Count ${INFOS} ${WRITABLE_TODAY} "Total of World Writable files" fi ### Search Non Owned files -if [[ ${CHECK_UNOWNED} == yes ]]; then +if check_is_enabled "${CHECK_UNOWNED}" ; then Diffcheck ${UNOWNED_USER_TODAY} ${UNOWNED_USER_YESTERDAY} ${UNOWNED_USER_DIFF} "Un-owned files" Count ${INFOS} ${UNOWNED_USER_TODAY} "Total of Un-owned files" Diffcheck ${UNOWNED_GROUP_TODAY} ${UNOWNED_GROUP_YESTERDAY} ${UNOWNED_GROUP_DIFF} "Un-owned group files" @@ -125,13 +124,13 @@ if [[ ${CHECK_UNOWNED} == yes ]]; then fi ### Md5 check for SUID root fileg -if [[ ${CHECK_SUID_MD5} == yes ]]; then +if check_is_enabled "${CHECK_SUID_MD5}" ; then Diffcheck ${SUID_MD5_TODAY} ${SUID_MD5_YESTERDAY} ${SUID_MD5_DIFF} "SUID files MD5 checksum" Count ${INFOS} ${SUID_MD5_TODAY} "Total of SUID files with controlled MD5 checksum" fi ### Writable file detection -if [[ ${CHECK_WRITABLE} == yes ]]; then +if check_is_enabled "${CHECK_WRITABLE}" ; then if [[ -s ${WRITABLE_TODAY} ]]; then printf "\nSecurity Warning: World Writable files found :\n" >> ${SECURITY} cat ${WRITABLE_TODAY} | awk '{print "\t\t- " $0}' >> ${SECURITY} @@ -139,7 +138,7 @@ if [[ ${CHECK_WRITABLE} == yes ]]; then fi ### Search Un Owned file -if [[ ${CHECK_UNOWNED} == yes ]]; then +if check_is_enabled "${CHECK_UNOWNED}" ; then if [[ -s ${UNOWNED_USER_TODAY} ]]; then printf "\nSecurity Warning : User Unowned files found :\n" >> ${SECURITY} printf "\t( theses files now have user \"nobody\" as their owner. )\n" >> ${SECURITY} @@ -163,7 +162,7 @@ if [[ ${CHECK_UNOWNED} == yes ]]; then fi fi -if [[ ${CHECK_USER_FILES} == yes ]]; then +if check_is_enabled "${CHECK_USER_FILES}" ; then # Files that should not be owned by someone else or readable. list=".netrc .rhosts .shosts .Xauthority .gnupg/secring.gpg \ .pgp/secring.pgp .ssh/identity .ssh/id_dsa .ssh/id_rsa .ssh/random_seed" @@ -256,8 +255,8 @@ fi fi # End of CHECK_USER_FILES # now check default permissions -if [[ ${CHECK_PERMS} == yes || ${CHECK_PERMS} == enforce ]]; then - if [[ ${CHECK_PERMS} == enforce ]]; then +if check_is_enabled "${CHECK_PERMS}" ; then + if [[ ${CHECK_PERMS_ENFORCE} == yes ]]; then MSECPERMS_PARAMS="-e" else MSECPERMS_PARAMS="" diff --git a/cron-sh/scripts/02_network.sh b/cron-sh/scripts/02_network.sh index b52f914..7e41d48 100755 --- a/cron-sh/scripts/02_network.sh +++ b/cron-sh/scripts/02_network.sh @@ -24,30 +24,30 @@ if [[ -f ${FIREWALL_TODAY} ]]; then mv -f ${FIREWALL_TODAY} ${FIREWALL_YESTERDAY} fi -if [[ ${CHECK_OPEN_PORT} == yes ]]; then +if check_is_enabled "${CHECK_OPEN_PORT}" ; then netstat -pvlA inet,inet6 2> /dev/null > ${OPEN_PORT_TODAY}; Filter ${OPEN_PORT_TODAY} CHECK_OPEN_PORT Count ${INFOS} ${OPEN_PORT_TODAY} "Total of open network ports" fi -if [[ ${CHECK_FIREWALL} == yes ]]; then +if check_is_enabled "${CHECK_FIREWALL}" ; then iptables -S 2>/dev/null > ${FIREWALL_TODAY} Filter ${FIREWALL_TODAY} CHECK_FIREWALL Count ${INFOS} ${FIREWALL_TODAY} "Total of configured firewall rules" fi ### Changed open port -if [[ ${CHECK_OPEN_PORT} == yes ]]; then +if check_is_enabled "${CHECK_OPEN_PORT}" ; then Diffcheck ${OPEN_PORT_TODAY} ${OPEN_PORT_YESTERDAY} ${OPEN_PORT_DIFF} "network listening ports" fi ### Changed firewall -if [[ ${CHECK_FIREWALL} == yes ]]; then +if check_is_enabled "${CHECK_FIREWALL}" ; then Diffcheck ${FIREWALL_TODAY} ${FIREWALL_YESTERDAY} ${FIREWALL_DIFF} "firewall rules" fi ### Dump a list of open port. -if [[ ${CHECK_OPEN_PORT} == yes ]]; then +if check_is_enabled "${CHECK_OPEN_PORT}" ; then if [[ -s ${OPEN_PORT_TODAY} ]]; then printf "\nThese are the ports listening on your machine :\n" >> ${SECURITY} cat ${OPEN_PORT_TODAY} >> ${SECURITY} @@ -55,7 +55,7 @@ if [[ ${CHECK_OPEN_PORT} == yes ]]; then fi ### Check if network is in promisc mode -if [[ ${CHECK_PROMISC} == yes ]]; then +if check_is_enabled "${CHECK_PROMISC}" ; then export SECURITY /usr/share/msec/promisc_check.sh fi diff --git a/cron-sh/scripts/03_rpm.sh b/cron-sh/scripts/03_rpm.sh index 264bd63..cc6beea 100755 --- a/cron-sh/scripts/03_rpm.sh +++ b/cron-sh/scripts/03_rpm.sh @@ -38,7 +38,7 @@ fi ### rpm database check # list of installed packages -if [[ ${CHECK_RPM_PACKAGES} == yes ]]; then +if check_is_enabled "${CHECK_RPM_PACKAGES}" ; then rpm -qa --qf "%{NAME}-%{VERSION}-%{RELEASE}\n" | sort > ${RPM_QA_TODAY} Filter ${RPM_QA_TODAY} CHECK_RPM_PACKAGES Count ${INFOS} ${RPM_QA_TODAY} "Total of installed packages" @@ -46,7 +46,7 @@ if [[ ${CHECK_RPM_PACKAGES} == yes ]]; then fi # integrity of installed packages -if [[ ${CHECK_RPM_INTEGRITY} == yes ]]; then +if check_is_enabled "${CHECK_RPM_INTEGRITY}" ; then rm -f ${RPM_VA_TODAY}.tmp nice --adjustment=+19 rpm -Va --noscripts | grep '^..5' | sort > ${RPM_VA_TODAY}.tmp Filter ${RPM_VA_TODAY} CHECK_RPM_INTEGRITY diff --git a/cron-sh/scripts/04_rootkit.sh b/cron-sh/scripts/04_rootkit.sh index 8060343..b8f598a 100755 --- a/cron-sh/scripts/04_rootkit.sh +++ b/cron-sh/scripts/04_rootkit.sh @@ -17,11 +17,11 @@ if [[ -f ${CHKROOTKIT_TODAY} ]]; then mv ${CHKROOTKIT_TODAY} ${CHKROOTKIT_YESTERDAY}; if [ ! -x /usr/sbin/chkrootkit ]; then printf "\nSecurity Warning: chkrootkit is enabled but was uninstalled\n" >> ${CHKROOTKIT_DIFF} - fi + fi fi ### chkrootkit checks -if [[ ${CHECK_CHKROOTKIT} == yes ]]; then +if check_is_enabled "${CHECK_CHKROOTKIT}" ; then if [ -x /usr/sbin/chkrootkit ]; then # do not check on NFS /usr/sbin/chkrootkit -n ${CHKROOTKIT_OPTION} > ${CHKROOTKIT_TODAY} @@ -43,7 +43,7 @@ if [[ ${CHECK_CHKROOTKIT} == yes ]]; then fi ### Changed chkrootkit -if [[ ${CHECK_CHKROOTKIT} == yes ]]; then +if check_is_enabled "${CHECK_CHKROOTKIT}" ; then if [ -x /usr/sbin/chkrootkit ]; then Diffcheck ${CHKROOTKIT_TODAY} ${CHKROOTKIT_YESTERDAY} ${CHKROOTKIT_DIFF} "chkrootkit results" fi diff --git a/cron-sh/scripts/05_access.sh b/cron-sh/scripts/05_access.sh index e3ecb72..033aa6b 100755 --- a/cron-sh/scripts/05_access.sh +++ b/cron-sh/scripts/05_access.sh @@ -19,7 +19,7 @@ if [[ -f ${USERS_LIST_TODAY} ]]; then fi # check for changes in users -if [[ ${CHECK_USERS} == yes ]]; then +if check_is_enabled "${CHECK_USERS}" ; then getent passwd | cut -f 1 -d : | sort > ${USERS_LIST_TODAY} Filter ${USERS_LIST_TODAY} CHECK_USERS Diffcheck ${USERS_LIST_TODAY} ${USERS_LIST_YESTERDAY} ${USERS_LIST_DIFF} "local users" @@ -36,7 +36,7 @@ if [[ -f ${GROUPS_LIST_TODAY} ]]; then fi # check for changes in groups -if [[ ${CHECK_GROUPS} == yes ]]; then +if check_is_enabled "${CHECK_GROUPS}" ; then getent passwd | cut -f 1 -d : | sort > ${GROUPS_LIST_TODAY} Filter ${GROUPS_LIST_TODAY} CHECK_GROUPS Diffcheck ${GROUPS_LIST_TODAY} ${GROUPS_LIST_YESTERDAY} ${GROUPS_LIST_DIFF} "local groups" @@ -44,7 +44,7 @@ if [[ ${CHECK_GROUPS} == yes ]]; then fi ### Passwd file check -if [[ ${CHECK_PASSWD} == yes ]]; then +if check_is_enabled "${CHECK_PASSWD}" ; then getent passwd | awk -F: '{ if ( $2 == "" ) printf("\t\t- /etc/passwd:%d: User \"%s\" has no password !\n", FNR, $1); @@ -63,7 +63,7 @@ if [[ ${CHECK_PASSWD} == yes ]]; then fi ### Shadow password file Check -if [[ ${CHECK_SHADOW} == yes ]]; then +if check_is_enabled "${CHECK_SHADOW}" ; then awk -F: '{ if ( $2 == "" ) printf("\t\t- /etc/shadow:%d: User \"%s\" has no password !\n", FNR, $1); @@ -126,7 +126,7 @@ for file in $list ; do done > ${MSEC_TMP} ### Passwd file check -if [[ ${CHECK_SHOSTS} == yes ]]; then +if check_is_enabled "${CHECK_SHOSTS}" ; then getent passwd | awk -F: '{print $1" "$6}' | while read username homedir; do if ! expr "$homedir" : "$FILTER" > /dev/null; then -- cgit v1.2.1