From 3080f8427297531530dcf82b9df939e2331186ee Mon Sep 17 00:00:00 2001
From: Eugeni Dodonov
Date: Wed, 16 Sep 2009 14:12:20 +0000
Subject: moved auditing part into audit plugin
---
 src/msec/config.py | 39 ++--------
 src/msec/libmsec.py | 130 +--------------------------------
 src/msec/plugins/audit.py | 179 ++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 185 insertions(+), 163 deletions(-)
 create mode 100644 src/msec/plugins/audit.py
(limited to 'src')
diff --git a/src/msec/config.py b/src/msec/config.py
index af272bb..9f31723 100644
--- a/src/msec/config.py
+++ b/src/msec/config.py
@@ -53,33 +53,8 @@ PLUGINS_DIR="/usr/share/msec/plugins"
 # msec callbacks and valid values
 # OPTION callback valid values
 SETTINGS = {'BASE_LEVEL': ("libmsec.base_level", ['*']),
- 'CHECK_SECURITY' : ("libmsec.check_security", ['yes', 'no']),
- 'CHECK_PERMS' : ("libmsec.check_perms", ['yes', 'no', 'enforce']),
- 'CHECK_USER_FILES' : ("libmsec.check_user_files", ['yes', 'no']),
- 'CHECK_SUID_ROOT' : ("libmsec.check_suid_root", ['yes', 'no']),
- 'CHECK_SUID_MD5' : ("libmsec.check_suid_md5", ['yes', 'no']),
- 'CHECK_SGID' : ("libmsec.check_sgid", ['yes', 'no']),
- 'CHECK_WRITABLE' : ("libmsec.check_writable", ['yes', 'no']),
- 'CHECK_UNOWNED' : ("libmsec.check_unowned", ['yes', 'no']),
- 'FIX_UNOWNED' : ("libmsec.fix_unowned", ['yes', 'no']),
- 'CHECK_PROMISC' : ("libmsec.check_promisc", ['yes', 'no']),
- 'CHECK_OPEN_PORT' : ("libmsec.check_open_port", ['yes', 'no']),
- 'CHECK_FIREWALL' : ("libmsec.check_firewall", ['yes', 'no']),
- 'CHECK_PASSWD' : ("libmsec.check_passwd", ['yes', 'no']),
- 'CHECK_SHADOW' : ("libmsec.check_shadow", ['yes', 'no']),
- 'CHECK_CHKROOTKIT' : ("libmsec.check_chkrootkit", ['yes', 'no']),
- 'CHECK_RPM_PACKAGES' : ("libmsec.check_rpm_packages", ['yes', 'no']),
- 'CHECK_RPM_INTEGRITY' : ("libmsec.check_rpm_integrity", ['yes', 'no']),
- 'CHECK_SHOSTS' : ("libmsec.check_shosts", ['yes', 'no']),
- 'CHECK_USERS' : ("libmsec.check_users", ['yes', 'no']),
- 'CHECK_GROUPS' : ("libmsec.check_groups", ['yes', 'no']),
- # notifications
- 'TTY_WARN' : ("libmsec.tty_warn", ['yes', 'no']),
- 'MAIL_WARN' : ("libmsec.mail_warn", ['yes', 'no']),
- 'MAIL_USER' : ("libmsec.mail_user", ['*']),
- 'MAIL_EMPTY_CONTENT': ("libmsec.mail_empty_content", ['yes', 'no']),
- 'SYSLOG_WARN' : ("libmsec.syslog_warn", ['yes', 'no']),
- 'NOTIFY_WARN' : ("libmsec.notify_warn", ['yes', 'no']),
+ # security checks from audit plugins
+ 'CHECK_SECURITY': ("libmsec.check_security", ['yes', 'no']),
 # security options
 'USER_UMASK': ("libmsec.set_user_umask", ['*']),
 'ROOT_UMASK':
("libmsec.set_root_umask", ['*']),
@@ -104,7 +79,6 @@ SETTINGS = {'BASE_LEVEL': ("libmsec.base_level",
 'ENABLE_IP_SPOOFING_PROTECTION': ("libmsec.enable_ip_spoofing_protection", ['yes', 'no']),
 'ENABLE_LOG_STRANGE_PACKETS': ("libmsec.enable_log_strange_packets", ['yes', 'no']),
 'ENABLE_MSEC_CRON': ("libmsec.enable_msec_cron", ['yes', 'no']),
- 'ENABLE_SUDO': ("libmsec.enable_sudo", ['yes', 'no', 'wheel']),
 'ENABLE_SULOGIN': ("libmsec.enable_sulogin", ['yes', 'no']),
 'SECURE_TMP': ("libmsec.secure_tmp", ['yes', 'no']),
 'SHELL_HISTORY_SIZE': ("libmsec.set_shell_history_size", ['*']),
@@ -130,13 +104,8 @@ SETTINGS_NETWORK = ["ACCEPT_BOGUS_ERROR_RESPONSES", "ACCEPT_BROADCASTED_ICMP_ECH
 "AUTHORIZE_SERVICES", "ENABLE_DNS_SPOOFING_PROTECTION", "ENABLE_IP_SPOOFING_PROTECTION", "ENABLE_LOG_STRANGE_PACKETS", ]
-# periodic checks
-SETTINGS_PERIODIC = ["CHECK_PERMS", "CHECK_USER_FILES", "CHECK_SUID_ROOT", "CHECK_SUID_MD5", "CHECK_SGID",
- "CHECK_WRITABLE", "CHECK_UNOWNED", "FIX_UNOWNED", "CHECK_PROMISC", "CHECK_OPEN_PORT", "CHECK_FIREWALL",
- "CHECK_PASSWD", "CHECK_SHADOW", "CHECK_CHKROOTKIT", "CHECK_RPM_PACKAGES", "CHECK_RPM_INTEGRITY",
- "CHECK_SHOSTS", "CHECK_USERS", "CHECK_GROUPS",
- "TTY_WARN", "SYSLOG_WARN", "MAIL_EMPTY_CONTENT",
- ]
+# periodic checks - defined by 'audit' plugin
+SETTINGS_PERIODIC = []
 # checks that support exceptions
 CHECKS_WITH_EXCEPTIONS = ["CHECK_PERMS", "CHECK_USER_FILES", "CHECK_SUID_ROOT", "CHECK_SUID_MD5", "CHECK_SGID",
diff --git a/src/msec/libmsec.py b/src/msec/libmsec.py
index ecd909b..9b72591 100755
--- a/src/msec/libmsec.py
+++ b/src/msec/libmsec.py
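Review bot: `ENABLE_SUDO` is removed from SETTINGS in the @@ -104 hunk (and its `enable_sudo` stub from libmsec.py in the @@ -1396 hunk), but unlike every CHECK_* and *_WARN option it is not re-registered by the new audit plugin, so after this commit no module declares the option at all. A level or configuration file that still sets ENABLE_SUDO will presumably take whatever path config.py has for unknown options, which silently changes behaviour for existing installs. If the removal is intentional, a one-line comment beside `'ENABLE_MSEC_CRON'`, e.g. `# ENABLE_SUDO is no longer handled by core libmsec; register it from the owning plugin`, would stop the next reader from treating it as an accidental deletion; otherwise the entry should be kept here or moved into a plugin alongside the audit checks.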
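Review bot: `CHECKS_WITH_EXCEPTIONS` in the trailing context of the @@ -130 hunk still hardcodes CHECK_PERMS, CHECK_USER_FILES and the other CHECK_* keys, while this same commit deletes those keys from SETTINGS and leaves them to be added at runtime by the audit plugin's `__init__`. config.py therefore now names options it no longer defines, and their validity depends on the audit plugin having been instantiated first; the new `SETTINGS_PERIODIC = []` comment records that dependency for one list but nothing records it for the other. Suggest `# checks that support exceptions - the keys themselves are registered by the 'audit' plugin` above `CHECKS_WITH_EXCEPTIONS`, or moving that list into the plugin next to the SETTINGS_PERIODIC registration. The remaining lines of CHECKS_WITH_EXCEPTIONS are outside the hunk.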
@@ -127,9 +127,6 @@ CTRALTDEL_REGEXP = '^ca::ctrlaltdel:/sbin/shutdown.*'
 CONSOLE_HELPER = 'consolehelper'
 # ssh PermitRootLogin
 PERMIT_ROOT_LOGIN_REGEXP = '^\s*PermitRootLogin\s+(no|yes|without-password|forced-commands-only)'
-# cron
-CRON_ENTRY = '*/1 * * * * root /usr/share/msec/promisc_check.sh'
-CRON_REGEX = '[^#]+/usr/share/msec/promisc_check.sh'
 # tcp_wrappers
 ALL_REGEXP = '^ALL:ALL:DENY'
 ALL_LOCAL_REGEXP = '^ALL:ALL EXCEPT 127\.0\.0\.1:DENY'
@@ -1166,8 +1163,8 @@ class MSEC:
 self.log.info(_('Disabling log on console'))
 syslogconf.exists() and syslogconf.remove_line_matching('\s*[^#]+/dev/')
- def enable_security_check(self, arg):
- ''' Activate daily security check.'''
+ def check_security(self, arg):
+ """ Enable daily security checks."""
 cron = self.configfiles.get_config_file(CRON)
 cron.remove_line_matching('[^#]+/usr/share/msec/security.sh')
@@ -1328,21 +1325,6 @@ class MSEC:
 self.log.info(_('Forbidding export display from root'))
 export.remove_line_matching('^\*$')
- def check_promisc(self, param):
- ''' Activate ethernet cards promiscuity check.'''
- cron = self.configfiles.get_config_file(CRON)
-
- val = cron.get_match(CRON_REGEX)
-
- if param == "yes":
- if val != CRON_ENTRY:
- self.log.info(_('Activating periodic promiscuity check'))
- cron.replace_line_matching(CRON_REGEX, CRON_ENTRY, 1)
- else:
- if val:
- self.log.info(_('Disabling periodic promiscuity check'))
- cron.remove_line_matching('[^#]+/usr/share/msec/promisc_check.sh')
-
 def allow_root_login(self, arg):
 ''' Allow direct root login on terminal.'''
 securetty = self.configfiles.get_config_file(SECURETTY)
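Review bot: In the @@ -1166 hunk `enable_security_check` is renamed to `check_security` with no compatibility alias; the only caller visible in this commit (the old `check_security` stub removed in the @@ -1396 hunk, which called `self.enable_security_check(param)`) goes away, but any other caller of the old name — msecgui or a level file that names the callback directly — would now raise AttributeError, so it is worth confirming nothing else references it. The config.py hunk already maps CHECK_SECURITY to `"libmsec.check_security"`, so the rename is consistent with the settings table. As a point of style, the new docstring uses `""" Enable daily security checks."""` while the neighbouring methods in this file (`allow_root_login` in the next hunk) use `''' ...'''`; keeping one quoting style in the class helps the docstring-harvesting that msecgui does. The body of check_security continues outside the hunk, so whether `arg` is honoured after the unconditional `cron.remove_line_matching(...)` cannot be seen here.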
@@ -1396,114 +1378,6 @@ class MSEC:
 cnf.insert_at(0, 'auth required pam_listfile.so onerr=succeed item=user sense=deny file=/etc/bastille-no-login'))
 securetty.remove_line_matching('.+', 1)
- # The following checks are run from crontab. We only have these functions here
- # to get their descriptions.
-
- def check_security(self, param):
- """ Enable daily security checks."""
- self.enable_security_check(param)
- pass
-
- def check_perms(self, param):
- """ Enable periodic permission checking for files specified in msec policy. If set to yes, the permissions are verified on every run. If set to enforce, incorrect permissions are restored to the ones specified in msec security policy."""
- pass
-
- def check_user_files(self, param):
- """ Enable permission checking on users' files that should not be owned by someone else, or writable."""
- pass
-
- def check_suid_root(self, param):
- """ Enable checking for additions/removals of suid root files."""
- pass
-
- def check_suid_md5(self, param):
- """ Enable checksum verification for suid files."""
- pass
-
- def check_sgid(self, param):
- """ Enable checking for additions/removals of sgid files."""
- pass
-
- def check_writable(self, param):
- """ Enable checking for files/directories writable by everybody."""
- pass
-
- def check_unowned(self, param):
- """ Enable checking for unowned files."""
- pass
-
- def fix_unowned(self, param):
- """ Fix owner and group of unowned files to use nobody/nogroup."""
- pass
-
- def check_open_port(self, param):
- """ Enable checking for open network ports."""
- pass
-
- def check_firewall(self, param):
- """ Enable checking for changes in firewall settings."""
- pass
-
- def check_passwd(self, param):
- """ Enable password-related checks, such as empty passwords and strange super-user accounts."""
- pass
-
- def check_shadow(self, param):
- """ Enable checking for empty passwords in /etc/shadow (man shadow(5))."""
- pass
-
- def check_chkrootkit(self, param):
- """ Enable checking
for known rootkits using chkrootkit."""
- pass
-
- def check_rpm_packages(self, param):
- """ Enable verification for changes in the installed RPM packages. This will notify you when new packages are installed or removed."""
- pass
-
- def check_rpm_integrity(self, param):
- """ Enable verification of integrity of installed RPM packages. This will notify you if checksums of the installed files were changed, showing separate results for binary and configuration files."""
- pass
-
- def tty_warn(self, param):
- """ Enable periodic security check results to terminal."""
- pass
-
- def mail_warn(self, param):
- """ Send security check results by email."""
- pass
-
- def mail_empty_content(self, param):
- """ Send mail reports even if no changes were detected."""
- pass
-
- def syslog_warn(self, param):
- """ Enables logging of periodic checks to system log."""
- pass
-
- def mail_user(self, param):
- """ User email to receive security notifications."""
- pass
-
- def check_shosts(self, param):
- """ Enable checking for dangerous options in users' .rhosts/.shosts files."""
- pass
-
- def check_users(self, param):
- """ Enable checking for changes in system users."""
- pass
-
- def check_groups(self, param):
- """ Enable checking for changes in system groups."""
- pass
-
- def enable_sudo(self, param):
- """Allow users to authenticate with their passwords for sudo. If this parameter is set to 'wheel', users must belong to the 'wheel' group to be able to use sudo"""
- pass
-
- def notify_warn(self, param):
- """Show security notifications in system tray using libnotify."""
- pass
-
 # bogus functions
 def secure_tmp(self, param):
 """Use secure location for temporary files. If this parameter is set to 'yes', user home directory will be used for temporary files. Otherwise, /tmp will be used."""
diff --git a/src/msec/plugins/audit.py b/src/msec/plugins/audit.py
new file mode 100644
index 0000000..2e8b839
--- /dev/null
+++ b/src/msec/plugins/audit.py
@@ -0,0 +1,179 @@
+#!/usr/bin/python
+"""Msec plugin for auditing checks"""
+
+# main plugin class name
+PLUGIN = "audit"
+
+# configuration
+import config
+
+import gettext
+# localization
+try:
+ gettext.install('msec')
+except IOError:
+ _ = str
+
+CRON = '/etc/cron.d/msec'
+CRON_REGEX = '[^#]+/usr/share/msec/promisc_check.sh'
+CRON_ENTRY = '*/1 * * * * root /usr/share/msec/promisc_check.sh'
+
+class audit:
+ def __init__(self, log=None, configfiles=None, root=None):
+ """This plugins is responsible for all auditing checks, which are performed by
+ /usr/share/msec/security.sh. The following functions are used as wrappers,
+ and are defined by msecgui."""
+ self.log = log
+ self.configfiles = configfiles
+ self.root = root
+
+ # defining the checks
+ config.SETTINGS['CHECK_PERMS'] = ("audit.check_perms", ['yes', 'no', 'enforce'])
+ config.SETTINGS['CHECK_USER_FILES'] = ("audit.check_user_files", ['yes', 'no'])
+ config.SETTINGS['CHECK_SUID_ROOT'] = ("audit.check_suid_root", ['yes', 'no'])
+ config.SETTINGS['CHECK_SUID_MD5'] = ("audit.check_suid_md5", ['yes', 'no'])
+ config.SETTINGS['CHECK_SGID'] = ("audit.check_sgid", ['yes', 'no'])
+ config.SETTINGS['CHECK_WRITABLE'] = ("audit.check_writable", ['yes', 'no'])
+ config.SETTINGS['CHECK_UNOWNED'] = ("audit.check_unowned", ['yes', 'no'])
+ config.SETTINGS['FIX_UNOWNED'] = ("audit.fix_unowned", ['yes', 'no'])
+ config.SETTINGS['CHECK_PROMISC'] = ("audit.check_promisc", ['yes', 'no'])
+ config.SETTINGS['CHECK_OPEN_PORT'] = ("audit.check_open_port", ['yes', 'no'])
+ config.SETTINGS['CHECK_FIREWALL'] = ("audit.check_firewall", ['yes', 'no'])
+ config.SETTINGS['CHECK_PASSWD'] = ("audit.check_passwd", ['yes', 'no'])
+ config.SETTINGS['CHECK_SHADOW'] = ("audit.check_shadow", ['yes', 'no'])
+ config.SETTINGS['CHECK_CHKROOTKIT'] = ("audit.check_chkrootkit", ['yes', 'no'])
+ config.SETTINGS['CHECK_RPM_PACKAGES'] = ("audit.check_rpm_packages", ['yes', 'no'])
+ config.SETTINGS['CHECK_RPM_INTEGRITY'] =
("audit.check_rpm_integrity", ['yes', 'no'])
+ config.SETTINGS['CHECK_SHOSTS'] = ("audit.check_shosts", ['yes', 'no'])
+ config.SETTINGS['CHECK_USERS'] = ("audit.check_users", ['yes', 'no'])
+ config.SETTINGS['CHECK_GROUPS'] = ("audit.check_groups", ['yes', 'no'])
+ # notifications
+ config.SETTINGS['TTY_WARN'] = ("audit.tty_warn", ['yes', 'no'])
+ config.SETTINGS['MAIL_WARN'] = ("audit.mail_warn", ['yes', 'no'])
+ config.SETTINGS['MAIL_USER'] = ("audit.mail_user", ['*'])
+ config.SETTINGS['MAIL_EMPTY_CONTENT'] = ("audit.mail_empty_content", ['yes', 'no'])
+ config.SETTINGS['SYSLOG_WARN'] = ("audit.syslog_warn", ['yes', 'no'])
+ config.SETTINGS['NOTIFY_WARN'] = ("audit.notify_warn", ['yes', 'no'])
+
+ # preparing msecgui menu
+ for check in ["CHECK_PERMS", "CHECK_USER_FILES", "CHECK_SUID_ROOT", "CHECK_SUID_MD5", "CHECK_SGID",
+ "CHECK_WRITABLE", "CHECK_UNOWNED", "FIX_UNOWNED", "CHECK_PROMISC", "CHECK_OPEN_PORT", "CHECK_FIREWALL",
+ "CHECK_PASSWD", "CHECK_SHADOW", "CHECK_CHKROOTKIT", "CHECK_RPM_PACKAGES", "CHECK_RPM_INTEGRITY",
+ "CHECK_SHOSTS", "CHECK_USERS", "CHECK_GROUPS",
+ "TTY_WARN", "SYSLOG_WARN", "MAIL_EMPTY_CONTENT"]:
+ config.SETTINGS_PERIODIC.append(check)
+
+ # The following checks are run from crontab. We only have these functions here
+ # to get their descriptions.
+
+ def check_perms(self, param):
+ """ Enable periodic permission checking for files specified in msec policy. If set to yes, the permissions are verified on every run.
If set to enforce, incorrect permissions are restored to the ones specified in msec security policy."""
+ pass
+
+ def check_user_files(self, param):
+ """ Enable permission checking on users' files that should not be owned by someone else, or writable."""
+ pass
+
+ def check_suid_root(self, param):
+ """ Enable checking for additions/removals of suid root files."""
+ pass
+
+ def check_suid_md5(self, param):
+ """ Enable checksum verification for suid files."""
+ pass
+
+ def check_sgid(self, param):
+ """ Enable checking for additions/removals of sgid files."""
+ pass
+
+ def check_writable(self, param):
+ """ Enable checking for files/directories writable by everybody."""
+ pass
+
+ def check_unowned(self, param):
+ """ Enable checking for unowned files."""
+ pass
+
+ def fix_unowned(self, param):
+ """ Fix owner and group of unowned files to use nobody/nogroup."""
+ pass
+
+ def check_open_port(self, param):
+ """ Enable checking for open network ports."""
+ pass
+
+ def check_firewall(self, param):
+ """ Enable checking for changes in firewall settings."""
+ pass
+
+ def check_passwd(self, param):
+ """ Enable password-related checks, such as empty passwords and strange super-user accounts."""
+ pass
+
+ def check_shadow(self, param):
+ """ Enable checking for empty passwords in /etc/shadow (man shadow(5))."""
+ pass
+
+ def check_chkrootkit(self, param):
+ """ Enable checking for known rootkits using chkrootkit."""
+ pass
+
+ def check_rpm_packages(self, param):
+ """ Enable verification for changes in the installed RPM packages. This will notify you when new packages are installed or removed."""
+ pass
+
+ def check_rpm_integrity(self, param):
+ """ Enable verification of integrity of installed RPM packages.
This will notify you if checksums of the installed files were changed, showing separate results for binary and configuration files."""
+ pass
+
+ def tty_warn(self, param):
+ """ Enable periodic security check results to terminal."""
+ pass
+
+ def mail_warn(self, param):
+ """ Send security check results by email."""
+ pass
+
+ def mail_empty_content(self, param):
+ """ Send mail reports even if no changes were detected."""
+ pass
+
+ def syslog_warn(self, param):
+ """ Enables logging of periodic checks to system log."""
+ pass
+
+ def mail_user(self, param):
+ """ User email to receive security notifications."""
+ pass
+
+ def check_shosts(self, param):
+ """ Enable checking for dangerous options in users' .rhosts/.shosts files."""
+ pass
+
+ def check_users(self, param):
+ """ Enable checking for changes in system users."""
+ pass
+
+ def check_groups(self, param):
+ """ Enable checking for changes in system groups."""
+ pass
+
+ def notify_warn(self, param):
+ """Show security notifications in system tray using libnotify."""
+ pass
+
+ def check_promisc(self, param):
+ ''' Activate ethernet cards promiscuity check.'''
+ cron = self.configfiles.get_config_file(CRON)
+
+ val = cron.get_match(CRON_REGEX)
+
+ if param == "yes":
+ if val != CRON_ENTRY:
+ self.log.info(_('Activating periodic promiscuity check'))
+ cron.replace_line_matching(CRON_REGEX, CRON_ENTRY, 1)
+ else:
+ if val:
+ self.log.info(_('Disabling periodic promiscuity check'))
+ cron.remove_line_matching('[^#]+/usr/share/msec/promisc_check.sh')
+
-- cgit v1.2.1
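Review bot: `audit.__init__` mutates the module-level `config.SETTINGS` and `config.SETTINGS_PERIODIC` on every instantiation, and the `for check in [...]` loop appends without a membership test, so a second instantiation or a plugin reload duplicates every entry in SETTINGS_PERIODIC and in the msecgui menu built from it; guard it with `if check not in config.SETTINGS_PERIODIC:` before the `append`, or perform the registration once at import time next to `PLUGIN = "audit"`. The constructor also defaults `log`, `configfiles` and `root` to None, yet `check_promisc` dereferences `self.configfiles` and `self.log` unconditionally, so an instance built with the defaults raises AttributeError the first time CHECK_PROMISC is applied — either make the three parameters required or state in the class docstring that they must be supplied. That docstring currently reads "This plugins is responsible ..." and says the wrappers "are defined by msecgui", which contradicts the later comment that the methods exist only to carry their descriptions; `"""This plugin owns the periodic auditing checks run by /usr/share/msec/security.sh. The check_* and *_warn methods below are stubs whose docstrings supply the descriptions shown by msecgui."""` would match the code. Minor: the literal in `cron.remove_line_matching('[^#]+/usr/share/msec/promisc_check.sh')` duplicates `CRON_REGEX` defined above and should reference it so the two cannot drift apart.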