#!/bin/bash
# msec: this is the main security auditing script
# it runs all executable scripts from /usr/share/msec/scripts
# which should be named NN_script_name.sh, where NN represents
# the order in which they should be executed
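# Load the configuration: first the base level file named by BASE_LEVEL,
# then the local overrides from security.conf. Both are sourced as shell
# code, so BASE_LEVEL is checked before it is turned into a file name.
if [[ -f /etc/security/msec/security.conf ]]; then
  # load settings from base level
  BASE_LEVEL=$(sed -n 's/BASE_LEVEL=//p' /etc/security/msec/security.conf)
  # refuse a value that is empty, spans several matching lines or contains a
  # path separator: it would select a level file outside /etc/security/msec
  if [[ -z $BASE_LEVEL || $BASE_LEVEL == *[/[:space:]]* ]]; then
    echo "Error: invalid BASE_LEVEL value in /etc/security/msec/security.conf" >&2
    exit 1
  fi
  if [[ ! -f "/etc/security/msec/level.$BASE_LEVEL" ]]; then
    echo "Error: base level $BASE_LEVEL not found" >&2
    exit 1
  fi
  . "/etc/security/msec/level.$BASE_LEVEL"
  . /etc/security/msec/security.conf
else
  echo "/etc/security/msec/security.conf don't exist." >&2
  exit 1
fi
# is security check enabled? (an unset CHECK_SECURITY also disables it)
if [[ ${CHECK_SECURITY} != yes ]]; then
  exit 0
fi
# are we running on battery power? (errors from a missing ACPI battery
# directory are ignored on purpose: no battery means "not discharging")
if [[ ${CHECK_ON_BATTERY} == no ]]; then
  if grep 'charging state' /proc/acpi/battery/*/state 2>/dev/null | grep -q 'discharging'; then
    # skipping check as we are running on battery power
    exit 0
  fi
fi
# helper functions: current_check_type, Syslog, Ttylog, Maillog, Notifylog
. /usr/share/msec/functions.sh
# discover current check type
CURRENT_CHECK_TYPE=$(current_check_type)
# variables
LCK=/var/run/msec-security.pid
SECURITY_LOG="/var/log/security.log"
MAIL_LOG_TODAY="/var/log/security/mail.${CURRENT_CHECK_TYPE}.today"
MAIL_LOG_YESTERDAY="/var/log/security/mail.${CURRENT_CHECK_TYPE}.yesterday"
# log formatting: every line written to SECURITY_LOG carries date, host and kind
REPORT_DATE=$(date "+%b %d %H:%M:%S")
REPORT_HOSTNAME=$(hostname)
LOG_PREFIX="$REPORT_DATE $REPORT_HOSTNAME"
SECURITY_PREFIX="$LOG_PREFIX security: "
INFO_PREFIX="$LOG_PREFIX info: "
DIFF_PREFIX="$LOG_PREFIX diff: "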
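#######################################
# Remove the lock file and the temporary files of this run.
# Globals:   LCK, MSEC_TMP, SECURITY, INFOS, DIFF (read)
# Arguments: none
# Returns:   0
#######################################
cleanup() {
  # The trap is installed before mktemp assigns the temp file names, so any of
  # these may still be empty when a signal arrives; only remove what is set.
  local -a targets=()
  local path
  for path in "${LCK-}" "${MSEC_TMP-}" "${SECURITY-}" "${INFOS-}" "${DIFF-}"; do
    [[ -n $path ]] && targets+=("$path")
  done
  if (( ${#targets[@]} > 0 )); then
    rm -f -- "${targets[@]}"
  fi
  return 0
}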
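# Single-instance guard: leave if another audit still owns the lock, otherwise
# discard a stale lock left behind by a crashed or killed run.
if [[ -f $LCK ]]; then
  old_pid=$(<"$LCK")
  # An empty or non-numeric lock file used to test "/proc/" (always present),
  # which silently disabled every later audit; only a live PID keeps the lock.
  if [[ $old_pid =~ ^[0-9]+$ && -d "/proc/$old_pid" ]]; then
    exit 0
  fi
  rm -f -- "$LCK"
  unset old_pid
fi
printf '%s' "$$" > "$LCK"
trap cleanup 0 1 2 15
# temporary files: the audit scripts append to SECURITY, INFOS and DIFF
MSEC_TMP=$(mktemp /tmp/secure.XXXXXX) || exit 1
INFOS=$(mktemp /tmp/secure.XXXXXX) || exit 1
SECURITY=$(mktemp /tmp/secure.XXXXXX) || exit 1
DIFF=$(mktemp /tmp/secure.XXXXXX) || exit 1
# creating security log dir if necessary
if [[ ! -d /var/log/security ]]; then
  mkdir /var/log/security
fi
# run the audit at idle I/O priority
ionice -c3 -p $$
# Run every executable audit script in order. They are sourced, not executed,
# so that they share this script's variables (SECURITY, INFOS, DIFF, ...).
for script in /usr/share/msec/scripts/*sh; do
  # a non-executable entry (or an unmatched glob) is skipped silently instead
  # of being reported as a failed script
  [[ -x $script ]] || continue
  if ! . "$script"; then
    echo "MSEC: audit script $script failed" >&2
  fi
done
# fix permissions on newly created msec files according to system policy
/usr/sbin/msecperms -e '/var/log/msec.log' "$SECURITY_LOG" "/var/log/security/*" &> "$MSEC_TMP"
# email/show results
# security check
if [[ -s $SECURITY ]]; then
  Syslog "$SECURITY"
  Ttylog "$SECURITY"
  TEST_ENDED=$(date "+%b %d %H:%M:%S")
  # the report replaces the msecperms output previously captured in MSEC_TMP
  {
    echo "*** Security Check, ${REPORT_DATE} ***"
    echo "*** Check type: ${CURRENT_CHECK_TYPE} ***"
    echo "*** Check executed from: $0 ***"
    printf "Report summary:\n"
    echo "Test started: $REPORT_DATE"
    echo "Test finished: $TEST_ENDED"
    cat "$INFOS"
    printf "\nDetailed report:\n"
    cat "$SECURITY"
  } > "$MSEC_TMP"
  # INFO_PREFIX is built from date and hostname; a hostname containing '/'
  # or '&' would break this sed replacement
  sed -e "s/^/$INFO_PREFIX/" "$INFOS" >> "$SECURITY_LOG"
  # save the complete mail text somewhere
  if [[ -f $MAIL_LOG_TODAY ]]; then
    mv -- "$MAIL_LOG_TODAY" "$MAIL_LOG_YESTERDAY"
  fi
  cat "$MSEC_TMP" > "$MAIL_LOG_TODAY"
  Maillog "[msec] *** Security Check on ${REPORT_HOSTNAME}, ${REPORT_DATE} ***" "${MSEC_TMP}"
  Notifylog "MSEC has performed Security Check on ${REPORT_HOSTNAME} on ${REPORT_DATE}. Detailed results are available in ${MAIL_LOG_TODAY}"
fi
# diff check
if [[ -s $DIFF ]]; then
  Syslog "$DIFF"
  Ttylog "$DIFF"
  echo "$DIFF_PREFIX *** Diff Check, ${REPORT_DATE} ***" >> "$SECURITY_LOG"
  sed -e "s/^/$DIFF_PREFIX/" "$DIFF" >> "$SECURITY_LOG"
  Notifylog "MSEC has performed Diff Check on ${REPORT_HOSTNAME} on ${REPORT_DATE}. Changes in system security were detected and are available in ${SECURITY_LOG}."
else
  Notifylog "MSEC has performed Diff Check on ${REPORT_HOSTNAME} on ${REPORT_DATE}. No changes were detected in system security."
fi
# the diff mail is sent even when DIFF is empty, as before
Maillog "[msec] *** Diff Check on ${REPORT_HOSTNAME}, ${REPORT_DATE} ***" "${DIFF}"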