Hello community, here is the log from the commit of package seccheck for openSUSE:Factory checked in at 2014-09-06 12:18:12 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/seccheck (Old) and /work/SRC/openSUSE:Factory/.seccheck.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "seccheck" Changes: -------- --- /work/SRC/openSUSE:Factory/seccheck/seccheck.changes 2014-08-15 09:56:17.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.seccheck.new/seccheck.changes 2014-09-06 12:18:17.000000000 +0200 @@ -1,0 +2,6 @@ +Wed Sep 3 12:35:19 UTC 2014 - [email protected] + +- refactoring: each security test, has its own helper +- ran spec-clean + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ seccheck-3.0.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/seccheck-3.0/helper.inc new/seccheck-3.0/helper.inc --- old/seccheck-3.0/helper.inc 2014-08-14 11:59:33.000000000 +0200 +++ new/seccheck-3.0/helper.inc 2014-08-25 11:36:55.000000000 +0200 @@ -80,20 +80,6 @@ /bin/mv "$out1" "$old1" } -# params -# $1 = directory for checkneverlogin -function check_neverlogin () { - bin_path=$1 - # - local output_file=`mktemp -t neverlogin.XXXX` # TEMPDIR is set but not exported.. does it work? - - $bin_path/checkneverlogin > "$output_file" - if [ -s "$output_file" ] ; then - printf "\nPlease check and perhaps disable the following unused accounts:\n" - cat "$output_file" - fi - rm -f "$output_file" -} # use john the ripper to check guessable passwords # if you pass "quick" as argument it will simple try to find easy @@ -126,51 +112,7 @@ fi } -# param mount points -function check_suid_sgid () { - mnt_point=$1 - local output_file=`mktemp -t suid_sgid.XXXX` # TEMPDIR is set but not exported.. does it work? - ( nice -n 1 find $mnt_point -mount \( -perm -04000 -o -perm -02000 \) -type f | sort | \ - xargs --no-run-if-empty ls -cdl --time-style=long-iso -- > "$SEC_DATA/sbit.new" ) 2> /dev/null - diff -uw "$SEC_DATA/sbit" "$SEC_DATA/sbit.new" | egrep -v '^\+\+\+ |^--- |^$|^@@' | sed 's/^[+-]/& /' > "$output_file" - if [ -s "$output_file" ] ; then - printf "\nThe following files are suid/sgid:\n" - cat "$output_file" - fi - mv "$SEC_DATA/sbit.new" "$SEC_DATA/sbit" - rm -f "$output_file" -} - -# param mount points -function check_writable_executable () { - mnt_point=$1 - local output_file=`mktemp -t writable_executable.XXXX` # TEMPDIR is set but not exported.. does it work? - ( nice -n 1 find $mnt_point -mount \( -perm -30 -o -perm -3 \) -type f | sort | \ - xargs --no-run-if-empty ls -cdl --time-style=long-iso -- > "$SEC_DATA/write-bin.new" ) 2> /dev/null - diff -uw "$SEC_DATA/write-bin" "$SEC_DATA/write-bin.new" | \ - egrep -v '^\+\+\+ |^--- |^$|^@@' | sed 's/^[+-]/& /' > "$output_file" - if [ -s "$output_file" ] ; then - printf "\nThe following program executables are group/world writeable:\n" - cat "$output_file" - fi - mv "$SEC_DATA/write-bin.new" "$SEC_DATA/write-bin" - rm -f "$output_file" -} -# param mount points -function check_world_writable () { - mnt_point=$1 - local output_file=`mktemp -t world_writable.XXXX` # TEMPDIR is set but not exported.. does it work? - ( nice -n 1 find $mnt_point -mount -perm -2 \( -type f -o -type d \) -not -perm -01000 | sort > "$SEC_DATA/write.new" ) 2> /dev/null - diff -uw "$SEC_DATA/write" "$SEC_DATA/write.new" | \ - egrep -v '^\+\+\+ |^--- |^$|^@@' | sed 's/^[+-]/& /' > "$output_file" - if [ -s "$output_file" ] ; then - printf "\nThe following files/directories are world writeable and not sticky:\n" - cat "$output_file" - fi - mv "$SEC_DATA/write.new" "$SEC_DATA/write" - rm -f "$output_file" -} # param mount points function check_new_devices () { @@ -235,40 +177,6 @@ rm -f "$output_file" } -# promisc check to catch all cases even from other hosts if -function check_promisc () { - # new promisc check - # rewrite of promisc check to catch all cases even from other hosts if - # script runs on a central syslog host. Thomas Biege <[email protected]> - - local output_file=`mktemp -t mounted_with_missing_nosuid.XXXX` # TEMPDIR is set but not exported.. does it work? - - # local devices - for IF in $(grep "$(date +"%b %e")" /var/log/messages \ - | grep "$HOSTNAME kernel: device .* entered promiscuous mode" \ - | awk -F' ' '{print $7}') - do - ifconfig $IF | grep -C 2 PROMISC | grep -v ' [RT]X p' >> $output_file - done - - if [ -s "$output_file" ] ; then - printf "\nChecking local devices for promiscious mode.\n" - cat "$output_file" - fi - rm -f "$output_file" - # remote devices - for LL in $(grep "$(date +"%b %e")" /var/log/messages \ - | grep "kernel: device .* entered promiscuous mode" \ - | grep -v "$HOSTAME") - do - echo "$LL" >> $output_file - done - if [ -s "$output_file" ] ; then - printf "\nChecking remote devices for promiscious mode. (raw log entries)\n" - cat "$output_file" - fi - rm -f "$output_file" -} function check_for_globally_exported_fs () { @@ -297,18 +205,3 @@ rm -f "$output_file" fi } - - -function check_mailboxes_owned_by_user_and_unreadable () { - local output_file=`mktemp -t globally_exported_fs.XXXX` # TEMPDIR is set but not exported.. does it work? - ls -cl /var/spool/mail | sed 1d | \ - awk '$3 != $9 \ - { print "user " $9 " mailbox is owned by " $3 } - $1 != "-rw-------" \ - { print "user " $9 " mailbox is " $1 ", group " $4 }' > $output_file - if [ -s "$output_file" ] ; then - printf "\nChecking mailbox ownership.\n" - sort -u "$output_file" - fi - rm -f "$output_file" -} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/seccheck-3.0/misc_helper.inc new/seccheck-3.0/misc_helper.inc --- old/seccheck-3.0/misc_helper.inc 2014-08-14 11:59:33.000000000 +0200 +++ new/seccheck-3.0/misc_helper.inc 1970-01-01 01:00:00.000000000 +0100 @@ -1,285 +0,0 @@ -# misc security checks - -# executables should not be in the /etc/aliases file. -function no_exec_in_etcaliases () { - if [ -s /etc/aliases ]; then - local output_file=`mktemp -t no_exec_in_etcaliases.XXXX` # TEMPDIR is set but not exported.. does it work? - grep -v '^#' /etc/aliases | grep '|' > $output_file - if [ -s "$output_file" ] ; then - printf "\nThe following programs are executed in your mail via /etc/aliases (bad!):\n" - cat "$output_file" - fi - rm -f "$output_file" - fi - - -} - -# it doesnt save it to a file like the others.. why? -function check_no_plus () { - local output_file=`mktemp -t check_no_plus.XXXX` # TEMPDIR is set but not exported.. does it work? - list="/etc/hosts.equiv /etc/shosts.equiv /etc/hosts.lpd" - for f in $list ; do - if [ -s "$f" ] ; then - awk '{ - if ($0 ~ /^\+@.*$/) - next; - if ($0 ~ /^\+.*$/) - printf("\nPlus sign in the file %s\n", FILENAME); - }' $f - fi - done -} - -# .rhosts check -function check_rhosts () { - local output_file=`mktemp -t check_rhosts.XXXX` # TEMPDIR is set but not exported.. does it work? - awk -F: '{ print $1 " " $6 }' /etc/passwd | - while read uid homedir; do - for j in .rhosts .shosts; do - if [ -s ${homedir}/$j ] ; then - rhost=`ls -lcdbg ${homedir}/$j|sed 's/[%\]/_/g'` - printf "$uid: $rhost\n" - test -f "$j" && { # still a race, however ... - if egrep \\+ ${homedir}/$j > /dev/null ; then - printf "\t(has got a plus (+) sign!)\n" - fi - } - fi - done - done > $output_file - if [ -s "$output_file" ] ; then - printf "\nChecking for users with .rhosts/.shosts files.\n" - cat "$output_file" - fi - rm -f "$output_file" -} - -# Check home directories. Directories should not be owned by someone else -function check_home_directories_owners () { - local output_file=`mktemp -t home_directories_owners.XXXX` # TEMPDIR is set but not exported.. does it work? - awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \ - while read uid homedir; do - if [ -d ${homedir}/ ] ; then - file=`ls -ldb ${homedir}|sed 's/[%\]/_/g'` - printf "$uid $file\n" - fi - done | - awk '$1 != $4 && $4 != "root" \ - { print "user " $1 " : home directory is owned by " $4 } - $2 ~ /^-....w/ \ - { print "user " $1 " : home directory is group writeable" } - $2 ~ /^-.......w/ \ - { print "user " $1 " : home directory is other writeable" }' > $output_file - if [ -s "$output_file" ] ; then - printf "\nChecking home directories.\n" - sort -u "$output_file" - fi - rm -f "$output_file" -} - - -# Files that should not be owned by someone else or writeable. -function check_special_files_owner () { - output_file=`mktemp -t specia_files_owner.XXXX` # TEMPDIR is set but not exported.. does it work? - list=".bashrc .bash_profile .bash_login .bash_logout .cshrc .emacs .exrc \ - .forward .klogin .login .logout .profile .tcshrc .fvwmrc .inputrc .kshrc \ - .nexrc .screenrc .ssh .ssh/config .ssh/authorized_keys .ssh/environment \ - .ssh/known_hosts .ssh/rc .twmrc .xsession .xinitrc .Xdefaults .rhosts \ - .shosts .Xauthority .pgp/secring.pgp .ssh/identity .ssh/random_seed \ - .pgp/randseed.bin .netrc .exrc .vimrc .viminfo" - awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \ - while read uid homedir; do - for f in $list ; do - file=${homedir}/${f} - if [ -f "$file" ] ; then - printf "$uid $f `ls -ldcb $file|sed 's/[%\]/_/g'`\n" - fi - done - done | - awk '$1 != $5 && $5 != "root" \ - { print "user " $1 " " $2 " : file is owned by " $5 } - $3 ~ /^-....w/ \ - { print "user " $1 " " $2 " : file is group writeable" } - $3 ~ /^-.......w/ \ - { print "user " $1 " " $2 " : file is other writeable" }' >> $output_file - if [ -s "$output_file" ] ; then - printf "\nChecking dot files.\n" - sort -u "$output_file" - fi -} - -# checking root's login scrips for secure path and umask -function check_root_login_scripts () { - local output_file=`mktemp -t check_root_login_scripts.0.XXXX` # TEMPDIR is set but not exported.. does it work? - local tmp_file1=`mktemp -t check_root_login_scripts.1.XXXX` # TEMPDIR is set but not exported.. does it work? - local tmp_file2=`mktemp -t check_root_login_scripts.2.XXXX` # TEMPDIR is set but not exported.. does it work? - rhome=/root - umaskset=no - list="/etc/csh.cshrc /etc/csh.login" - for i in $list ; do - if [ -s "$i" ] ; then - if egrep umask $i > /dev/null ; then - umaskset=yes - fi - egrep umask $i | - awk '$2 % 100 < 20 \ - { print "Root umask is group writeable" } - $2 % 10 < 2 \ - { print "Root umask is other writeable" }' >> $output_file - SAVE_PATH=$PATH - unset PATH 2> /dev/null || PATH="" # redhat ... - /bin/csh -f -s << end-of-csh > /dev/null 2>&1 - test -f "$i" && ( # still a race - source $i - /bin/ls -ldcbg \$path > $tmp_file1 - ) -end-of-csh - PATH=$SAVE_PATH - awk '{ - if ($9 ~ /^\.$/) { - print "The root path includes ."; - next; - } - } - $1 ~ /^d....w/ \ - { print "Root path directory " $9 " is group writeable." } \ - $1 ~ /^d.......w/ \ - { print "Root path directory " $9 " is other writeable." }' \ - < $tmp_file1 >> $tmp_file2 - fi - done - if [ $umaskset = "no" -o -s "$tmp_file2" ] ; then - sort -u $tmp_file2 > $output_file - printf "\nChecking root csh paths, umask values:\n$list\n" - if [ -s "$output_file" ] ; then - cat "$output_file" - fi - if [ $umaskset = "no" ] ; then - printf "\nRoot csh startup files do not set the umask.\n" - fi - fi - > $output_file - > $tmp_file1 - > $tmp_file2 - rhome=/root - umaskset=no - list="/etc/profile ${rhome}/.profile ${rhome}/.bashrc ${rhome}/.bash_login" - for i in $list; do - if [ -s "$i" ] ; then - if egrep umask $i > /dev/null ; then - umaskset=yes - fi - egrep umask $i | - awk '$2 % 100 < 20 \ - { print "Root umask is group writeable" } \ - $2 % 10 < 2 \ - { print "Root umask is other writeable" }' >> $output_file - SAVE_PATH=$PATH - unset PATH 2> /dev/null || PATH="" # redhat again ... - /bin/sh << end-of-sh > /dev/null 2>&1 - file "$i" | grep -qw text && . $i - list=\`echo \$PATH | /usr/bin/sed -e 's/:/ /g'\` - /bin/ls -ldgbT \$list > $tmp_file1 -end-of-sh - PATH=$SAVE_PATH - awk '{ - if ($9 ~ /^\.$/) { - print "The root path includes ."; - next; - } - } - $1 ~ /^d....w/ \ - { print "Root path directory " $9 " is group writeable." } \ - $1 ~ /^d.......w/ \ - { print "Root path directory " $9 " is other writeable." }' \ - < $tmp_file1 >> $tmp_file2 - - fi - done - if [ $umaskset = "no" -o -s "$tmp_file2" ] ; then - sort -u $tmp_file2 > $output_file - printf "\nChecking root sh paths, umask values:\n$list\n" - if [ -s "$output_file" ] ; then - cat "$output_file" - fi - if [ $umaskset = "no" ] ; then - printf "\nRoot sh startup files do not set the umask.\n" - fi - fi - rm -f "$output_file" "$tmp_file1" "$tmp_file2" -} - -function check_ASLR_enabled () { - if test `cat /proc/sys/kernel/randomize_va_space` -ne 2; then - printf "ASLR isnt enable. By default its enabled.\n" - fi -} - -function check_leak_kernel_internal_addresses () { - if test `cat /proc/sys/kernel/kptr_restrict` -ne 1; then - printf "/proc/sys/kernel/kptr_restrict should be 1.\n" - fi - - if test `cat /proc/sys/kernel/dmesg_restrict` -ne 1; then - printf "/proc/sys/kernel/dmesg_restrict should be 1.\n" - fi - -} - - -function check_xinetd_services () { - local output_file=`mktemp -t check_xinted_services.XXXX` # TEMPDIR is set but not exported.. does it work? - /sbin/chkconfig --list | awk '/xinetd based services/,/""/' | grep -v off > "$SEC_DATA/xinetd.new" - diff -uw "$SEC_DATA/xinetd" "$SEC_DATA/xinetd.new" |egrep -v '^\+\+\+ |^--- |^$|^@@' | sed 's/^[+-]/& /' > "$output_file" - if [ -s "$output_file" ] ; then - printf "\nThere are the following changes in xinetd running services output:\n" - cat "$output_file" - fi - mv "$SEC_DATA/xinetd.new" "$SEC_DATA/xinetd" - rm -f "$output_file" -} - -function check_systemd_services() { - local output_file=`mktemp -t check_systemd_services.XXXX` # TEMPDIR is set but not exported.. does it work? - /usr/bin/systemctl list-unit-files --type=service > "$SEC_DATA/systemd_services.new" - diff -uw "$SEC_DATA/systemd_services" "$SEC_DATA/systemd_services.new" |egrep -v '^\+\+\+ |^--- |^$|^@@' | sed 's/^[+-]/& /' > "$output_file" - if [ -s "$output_file" ] ; then - printf "\nThere are the following changes in systemctl services output:\n" - cat "$output_file" - fi - mv "$SEC_DATA/systemd_services.new" "$SEC_DATA/systemd_services" - rm -f "$output_file" -} - -function check_sysctl () { - local output_file=`mktemp -t check_sysctl.XXXX` # TEMPDIR is set but not exported.. does it work? - /usr/sbin/sysctl -a > "$SEC_DATA/sysctl.new" - diff -uw "$SEC_DATA/sysctl" "$SEC_DATA/sysctl.new" |egrep -v '^\+\+\+ |^--- |^$|^@@' | sed 's/^[+-]/& /' > "$output_file" - if [ -s "$output_file" ] ; then - printf "\nThere are the following changes in the output from sysctl -a:\n" - cat "$output_file" - fi - mv "$SEC_DATA/sysctl.new" "$SEC_DATA/sysctl" - rm -f "$output_file" -} - -# params -# $1 the sysctl param -# $2 the returned value expected -function check_specifics_sysctl_helper () { - test `cat "$SEC_DATA/sysctl" | grep "$1" | cut -f2 -d'='` -eq "$2" -} - -# some specific security sysctl parameters -function check_specifics_sysctl () { - - if [ ! -e "$SEC_DATA/sysctl" ]; then - /usr/sbin/sysctl -a > "$SEC_DATA/sysctl" - fi - # we can refactor it in a loop - check_specifics_sysctl_helper "net.ipv4.tcp_syncookies" 1 || printf "\nnet.ipv4.tcp_syncookies is disabled\n" - check_specifics_sysctl_helper "net.ipv4.conf.all.accept_source_route" 0 || printf "\nnet.ipv4.conf.all.accept_source_route is enabled" - check_specifics_sysctl_helper "net.ipv4.conf.all.accept_redirects" 0 || printf "\nnet.ipv4.conf.all_accept_redirects is enabled\n" - check_specifics_sysctl_helper "net.ipv4.conf.all.rp_filter" 1 || printf "\nnet.ipv4.conf.all.rp_filter\n is disabled" -} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/seccheck-3.0/security-daily.sh new/seccheck-3.0/security-daily.sh --- old/seccheck-3.0/security-daily.sh 2014-08-14 11:59:33.000000000 +0200 +++ new/seccheck-3.0/security-daily.sh 2014-08-25 11:36:55.000000000 +0200 @@ -13,8 +13,8 @@ . $MY_DIR/basic.inc source $MY_DIR/helper.inc +source $MY_DIR/security_daily_helper.inc source $MY_DIR/user_group_password_helper.inc -source $MY_DIR/misc_helper.inc set_tmpdir "security-daily.sh" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/seccheck-3.0/security-weekly.sh new/seccheck-3.0/security-weekly.sh --- old/seccheck-3.0/security-weekly.sh 2014-08-14 11:59:33.000000000 +0200 +++ new/seccheck-3.0/security-weekly.sh 2014-08-25 11:36:55.000000000 +0200 @@ -16,8 +16,8 @@ . $MY_DIR/basic.inc source $MY_DIR/helper.inc +source $MY_DIR/security_weekly_helper.inc source $MY_DIR/user_group_password_helper.inc -source $MY_DIR/misc_helper.inc diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/seccheck-3.0/security_daily_helper.inc new/seccheck-3.0/security_daily_helper.inc --- old/seccheck-3.0/security_daily_helper.inc 1970-01-01 01:00:00.000000000 +0100 +++ new/seccheck-3.0/security_daily_helper.inc 2014-08-25 11:36:55.000000000 +0200 @@ -0,0 +1,331 @@ +# tests specific for security-daily.sh +function check_mailboxes_owned_by_user_and_unreadable () { + local output_file=`mktemp -t globally_exported_fs.XXXX` # TEMPDIR is set but not exported.. does it work? + ls -cl /var/spool/mail | sed 1d | \ + awk '$3 != $9 \ + { print "user " $9 " mailbox is owned by " $3 } + $1 != "-rw-------" \ + { print "user " $9 " mailbox is " $1 ", group " $4 }' > $output_file + if [ -s "$output_file" ] ; then + printf "\nChecking mailbox ownership.\n" + sort -u "$output_file" + fi + rm -f "$output_file" +} + +# params +# $1 the sysctl param +# $2 the returned value expected +function check_specifics_sysctl_helper () { + test `cat "$SEC_DATA/sysctl" | grep "$1" | cut -f2 -d'='` -eq "$2" +} + +# some specific security sysctl parameters +function check_specifics_sysctl () { + + if [ ! -e "$SEC_DATA/sysctl" ]; then + /usr/sbin/sysctl -a > "$SEC_DATA/sysctl" + fi + # we can refactor it in a loop + check_specifics_sysctl_helper "net.ipv4.tcp_syncookies" 1 || printf "\nnet.ipv4.tcp_syncookies is disabled\n" + check_specifics_sysctl_helper "net.ipv4.conf.all.accept_source_route" 0 || printf "\nnet.ipv4.conf.all.accept_source_route is enabled" + check_specifics_sysctl_helper "net.ipv4.conf.all.accept_redirects" 0 || printf "\nnet.ipv4.conf.all_accept_redirects is enabled\n" + check_specifics_sysctl_helper "net.ipv4.conf.all.rp_filter" 1 || printf "\nnet.ipv4.conf.all.rp_filter\n is disabled" +} + +function check_systemd_services() { + local output_file=`mktemp -t check_systemd_services.XXXX` # TEMPDIR is set but not exported.. does it work? + /usr/bin/systemctl list-unit-files --type=service > "$SEC_DATA/systemd_services.new" + diff -uw "$SEC_DATA/systemd_services" "$SEC_DATA/systemd_services.new" |egrep -v '^\+\+\+ |^--- |^$|^@@' | sed 's/^[+-]/& /' > "$output_file" + if [ -s "$output_file" ] ; then + printf "\nThere are the following changes in systemctl services output:\n" + cat "$output_file" + fi + mv "$SEC_DATA/systemd_services.new" "$SEC_DATA/systemd_services" + rm -f "$output_file" +} + +function check_sysctl () { + local output_file=`mktemp -t check_sysctl.XXXX` # TEMPDIR is set but not exported.. does it work? + /usr/sbin/sysctl -a > "$SEC_DATA/sysctl.new" + diff -uw "$SEC_DATA/sysctl" "$SEC_DATA/sysctl.new" |egrep -v '^\+\+\+ |^--- |^$|^@@' | sed 's/^[+-]/& /' > "$output_file" + if [ -s "$output_file" ] ; then + printf "\nThere are the following changes in the output from sysctl -a:\n" + cat "$output_file" + fi + mv "$SEC_DATA/sysctl.new" "$SEC_DATA/sysctl" + rm -f "$output_file" +} + +function check_xinetd_services () { + local output_file=`mktemp -t check_xinetd_services.XXXX` # TEMPDIR is set but not exported.. does it work? + /sbin/chkconfig --list | awk '/xinetd based services/,/""/' | grep -v off > "$SEC_DATA/xinetd.new" + diff -uw "$SEC_DATA/xinetd" "$SEC_DATA/xinetd.new" |egrep -v '^\+\+\+ |^--- |^$|^@@' | sed 's/^[+-]/& /' > "$output_file" + if [ -s "$output_file" ] ; then + printf "\nThere are the following changes in xinetd running services output:\n" + cat "$output_file" + fi + mv "$SEC_DATA/xinetd.new" "$SEC_DATA/xinetd" + rm -f "$output_file" +} + +function check_ASLR_enabled () { + if test `cat /proc/sys/kernel/randomize_va_space` -ne 2; then + printf "ASLR isnt enable. By default its enabled.\n" + fi +} + +function check_leak_kernel_internal_addresses () { + if test `cat /proc/sys/kernel/kptr_restrict` -ne 1; then + printf "/proc/sys/kernel/kptr_restrict should be 1.\n" + fi + + if test `cat /proc/sys/kernel/dmesg_restrict` -ne 1; then + printf "/proc/sys/kernel/dmesg_restrict should be 1.\n" + fi + +} + +# promisc check to catch all cases even from other hosts if +function check_promisc () { + # new promisc check + # rewrite of promisc check to catch all cases even from other hosts if + # script runs on a central syslog host. Thomas Biege <[email protected]> + + local output_file=`mktemp -t mounted_with_missing_nosuid.XXXX` # TEMPDIR is set but not exported.. does it work? + + # local devices + for IF in $(grep "$(date +"%b %e")" /var/log/messages \ + | grep "$HOSTNAME kernel: device .* entered promiscuous mode" \ + | awk -F' ' '{print $7}') + do + ifconfig $IF | grep -C 2 PROMISC | grep -v ' [RT]X p' >> $output_file + done + + if [ -s "$output_file" ] ; then + printf "\nChecking local devices for promiscious mode.\n" + cat "$output_file" + fi + rm -f "$output_file" + # remote devices + for LL in $(grep "$(date +"%b %e")" /var/log/messages \ + | grep "kernel: device .* entered promiscuous mode" \ + | grep -v "$HOSTAME") + do + echo "$LL" >> $output_file + done + if [ -s "$output_file" ] ; then + printf "\nChecking remote devices for promiscious mode. (raw log entries)\n" + cat "$output_file" + fi + rm -f "$output_file" +} + +# .rhosts check +function check_rhosts () { + local output_file=`mktemp -t check_rhosts.XXXX` # TEMPDIR is set but not exported.. does it work? + awk -F: '{ print $1 " " $6 }' /etc/passwd | + while read uid homedir; do + for j in .rhosts .shosts; do + if [ -s ${homedir}/$j ] ; then + rhost=`ls -lcdbg ${homedir}/$j|sed 's/[%\]/_/g'` + printf "$uid: $rhost\n" + test -f "$j" && { # still a race, however ... + if egrep \\+ ${homedir}/$j > /dev/null ; then + printf "\t(has got a plus (+) sign!)\n" + fi + } + fi + done + done > $output_file + if [ -s "$output_file" ] ; then + printf "\nChecking for users with .rhosts/.shosts files.\n" + cat "$output_file" + fi + rm -f "$output_file" +} + +# executables should not be in the /etc/aliases file. +function no_exec_in_etcaliases () { + if [ -s /etc/aliases ]; then + local output_file=`mktemp -t no_exec_in_etcaliases.XXXX` # TEMPDIR is set but not exported.. does it work? + grep -v '^#' /etc/aliases | grep '|' > $output_file + if [ -s "$output_file" ] ; then + printf "\nThe following programs are executed in your mail via /etc/aliases (bad!):\n" + cat "$output_file" + fi + rm -f "$output_file" + fi + + +} + +# it doesnt save it to a file like the others.. why? +function check_no_plus () { + local output_file=`mktemp -t check_no_plus.XXXX` # TEMPDIR is set but not exported.. does it work? + list="/etc/hosts.equiv /etc/shosts.equiv /etc/hosts.lpd" + for f in $list ; do + if [ -s "$f" ] ; then + awk '{ + if ($0 ~ /^\+@.*$/) + next; + if ($0 ~ /^\+.*$/) + printf("\nPlus sign in the file %s\n", FILENAME); + }' $f + fi + done +} + +# Check home directories. Directories should not be owned by someone else +function check_home_directories_owners () { + local output_file=`mktemp -t home_directories_owners.XXXX` # TEMPDIR is set but not exported.. does it work? + awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \ + while read uid homedir; do + if [ -d ${homedir}/ ] ; then + file=`ls -ldb ${homedir}|sed 's/[%\]/_/g'` + printf "$uid $file\n" + fi + done | + awk '$1 != $4 && $4 != "root" \ + { print "user " $1 " : home directory is owned by " $4 } + $2 ~ /^-....w/ \ + { print "user " $1 " : home directory is group writeable" } + $2 ~ /^-.......w/ \ + { print "user " $1 " : home directory is other writeable" }' > $output_file + if [ -s "$output_file" ] ; then + printf "\nChecking home directories.\n" + sort -u "$output_file" + fi + rm -f "$output_file" +} + +# Files that should not be owned by someone else or writeable. +function check_special_files_owner () { + output_file=`mktemp -t specia_files_owner.XXXX` # TEMPDIR is set but not exported.. does it work? + list=".bashrc .bash_profile .bash_login .bash_logout .cshrc .emacs .exrc \ + .forward .klogin .login .logout .profile .tcshrc .fvwmrc .inputrc .kshrc \ + .nexrc .screenrc .ssh .ssh/config .ssh/authorized_keys .ssh/environment \ + .ssh/known_hosts .ssh/rc .twmrc .xsession .xinitrc .Xdefaults .rhosts \ + .shosts .Xauthority .pgp/secring.pgp .ssh/identity .ssh/random_seed \ + .pgp/randseed.bin .netrc .exrc .vimrc .viminfo" + awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \ + while read uid homedir; do + for f in $list ; do + file=${homedir}/${f} + if [ -f "$file" ] ; then + printf "$uid $f `ls -ldcb $file|sed 's/[%\]/_/g'`\n" + fi + done + done | + awk '$1 != $5 && $5 != "root" \ + { print "user " $1 " " $2 " : file is owned by " $5 } + $3 ~ /^-....w/ \ + { print "user " $1 " " $2 " : file is group writeable" } + $3 ~ /^-.......w/ \ + { print "user " $1 " " $2 " : file is other writeable" }' >> $output_file + if [ -s "$output_file" ] ; then + printf "\nChecking dot files.\n" + sort -u "$output_file" + fi +} + +# checking root's login scrips for secure path and umask +function check_root_login_scripts () { + local output_file=`mktemp -t check_root_login_scripts.0.XXXX` # TEMPDIR is set but not exported.. does it work? + local tmp_file1=`mktemp -t check_root_login_scripts.1.XXXX` # TEMPDIR is set but not exported.. does it work? + local tmp_file2=`mktemp -t check_root_login_scripts.2.XXXX` # TEMPDIR is set but not exported.. does it work? + rhome=/root + umaskset=no + list="/etc/csh.cshrc /etc/csh.login" + for i in $list ; do + if [ -s "$i" ] ; then + if egrep umask $i > /dev/null ; then + umaskset=yes + fi + egrep umask $i | + awk '$2 % 100 < 20 \ + { print "Root umask is group writeable" } + $2 % 10 < 2 \ + { print "Root umask is other writeable" }' >> $output_file + SAVE_PATH=$PATH + unset PATH 2> /dev/null || PATH="" # redhat ... + /bin/csh -f -s << end-of-csh > /dev/null 2>&1 + test -f "$i" && ( # still a race + source $i + /bin/ls -ldcbg \$path > $tmp_file1 + ) +end-of-csh + PATH=$SAVE_PATH + awk '{ + if ($9 ~ /^\.$/) { + print "The root path includes ."; + next; + } + } + $1 ~ /^d....w/ \ + { print "Root path directory " $9 " is group writeable." } \ + $1 ~ /^d.......w/ \ + { print "Root path directory " $9 " is other writeable." }' \ + < $tmp_file1 >> $tmp_file2 + fi + done + if [ $umaskset = "no" -o -s "$tmp_file2" ] ; then + sort -u $tmp_file2 > $output_file + printf "\nChecking root csh paths, umask values:\n$list\n" + if [ -s "$output_file" ] ; then + cat "$output_file" + fi + if [ $umaskset = "no" ] ; then + printf "\nRoot csh startup files do not set the umask.\n" + fi + fi + > $output_file + > $tmp_file1 + > $tmp_file2 + rhome=/root + umaskset=no + list="/etc/profile ${rhome}/.profile ${rhome}/.bashrc ${rhome}/.bash_login" + for i in $list; do + if [ -s "$i" ] ; then + if egrep umask $i > /dev/null ; then + umaskset=yes + fi + egrep umask $i | + awk '$2 % 100 < 20 \ + { print "Root umask is group writeable" } \ + $2 % 10 < 2 \ + { print "Root umask is other writeable" }' >> $output_file + SAVE_PATH=$PATH + unset PATH 2> /dev/null || PATH="" # redhat again ... + /bin/sh << end-of-sh > /dev/null 2>&1 + file "$i" | grep -qw text && . $i + list=\`echo \$PATH | /usr/bin/sed -e 's/:/ /g'\` + /bin/ls -ldgbT \$list > $tmp_file1 +end-of-sh + PATH=$SAVE_PATH + awk '{ + if ($9 ~ /^\.$/) { + print "The root path includes ."; + next; + } + } + $1 ~ /^d....w/ \ + { print "Root path directory " $9 " is group writeable." } \ + $1 ~ /^d.......w/ \ + { print "Root path directory " $9 " is other writeable." }' \ + < $tmp_file1 >> $tmp_file2 + + fi + done + if [ $umaskset = "no" -o -s "$tmp_file2" ] ; then + sort -u $tmp_file2 > $output_file + printf "\nChecking root sh paths, umask values:\n$list\n" + if [ -s "$output_file" ] ; then + cat "$output_file" + fi + if [ $umaskset = "no" ] ; then + printf "\nRoot sh startup files do not set the umask.\n" + fi + fi + rm -f "$output_file" "$tmp_file1" "$tmp_file2" +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/seccheck-3.0/security_weekly_helper.inc new/seccheck-3.0/security_weekly_helper.inc --- old/seccheck-3.0/security_weekly_helper.inc 1970-01-01 01:00:00.000000000 +0100 +++ new/seccheck-3.0/security_weekly_helper.inc 2014-08-25 11:36:55.000000000 +0200 @@ -0,0 +1,60 @@ +# param mount points +function check_suid_sgid () { + mnt_point=$1 + local output_file=`mktemp -t suid_sgid.XXXX` # TEMPDIR is set but not exported.. does it work? + ( nice -n 1 find $mnt_point -mount \( -perm -04000 -o -perm -02000 \) -type f | sort | \ + xargs --no-run-if-empty ls -cdl --time-style=long-iso -- > "$SEC_DATA/sbit.new" ) 2> /dev/null + diff -uw "$SEC_DATA/sbit" "$SEC_DATA/sbit.new" | egrep -v '^\+\+\+ |^--- |^$|^@@' | sed 's/^[+-]/& /' > "$output_file" + if [ -s "$output_file" ] ; then + printf "\nThe following files are suid/sgid:\n" + cat "$output_file" + fi + mv "$SEC_DATA/sbit.new" "$SEC_DATA/sbit" + rm -f "$output_file" +} + +# param mount points +function check_writable_executable () { + mnt_point=$1 + local output_file=`mktemp -t writable_executable.XXXX` # TEMPDIR is set but not exported.. does it work? + ( nice -n 1 find $mnt_point -mount \( -perm -30 -o -perm -3 \) -type f | sort | \ + xargs --no-run-if-empty ls -cdl --time-style=long-iso -- > "$SEC_DATA/write-bin.new" ) 2> /dev/null + diff -uw "$SEC_DATA/write-bin" "$SEC_DATA/write-bin.new" | \ + egrep -v '^\+\+\+ |^--- |^$|^@@' | sed 's/^[+-]/& /' > "$output_file" + if [ -s "$output_file" ] ; then + printf "\nThe following program executables are group/world writeable:\n" + cat "$output_file" + fi + mv "$SEC_DATA/write-bin.new" "$SEC_DATA/write-bin" + rm -f "$output_file" +} + +# param mount points +function check_world_writable () { + mnt_point=$1 + local output_file=`mktemp -t world_writable.XXXX` # TEMPDIR is set but not exported.. does it work? + ( nice -n 1 find $mnt_point -mount -perm -2 \( -type f -o -type d \) -not -perm -01000 | sort > "$SEC_DATA/write.new" ) 2> /dev/null + diff -uw "$SEC_DATA/write" "$SEC_DATA/write.new" | \ + egrep -v '^\+\+\+ |^--- |^$|^@@' | sed 's/^[+-]/& /' > "$output_file" + if [ -s "$output_file" ] ; then + printf "\nThe following files/directories are world writeable and not sticky:\n" + cat "$output_file" + fi + mv "$SEC_DATA/write.new" "$SEC_DATA/write" + rm -f "$output_file" +} + +# params +# $1 = directory for checkneverlogin +function check_neverlogin () { + bin_path=$1 + # + local output_file=`mktemp -t neverlogin.XXXX` # TEMPDIR is set but not exported.. does it work? + + $bin_path/checkneverlogin > "$output_file" + if [ -s "$output_file" ] ; then + printf "\nPlease check and perhaps disable the following unused accounts:\n" + cat "$output_file" + fi + rm -f "$output_file" +} -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
