Hello community, here is the log from the commit of package seccheck for openSUSE:Factory checked in at 2014-12-19 09:38:36 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/seccheck (Old) and /work/SRC/openSUSE:Factory/.seccheck.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "seccheck" Changes: -------- --- /work/SRC/openSUSE:Factory/seccheck/seccheck.changes 2014-12-17 19:15:08.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.seccheck.new/seccheck.changes 2014-12-19 09:37:31.000000000 +0100 @@ -1,0 +2,9 @@ +Wed Dec 17 19:19:00 UTC 2014 - Led <[email protected]> + +- fix bashisms in scripts +- fix chebang of autologout.sh script than contains bash-specific + constructions +- add patches: + * seccheck-3.0-fix-bashisms.patch + +------------------------------------------------------------------- New: ---- seccheck-3.0-fix-bashisms.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ seccheck.spec ++++++ --- /var/tmp/diff_new_pack.a7Gf9S/_old 2014-12-19 09:37:32.000000000 +0100 +++ /var/tmp/diff_new_pack.a7Gf9S/_new 2014-12-19 09:37:32.000000000 +0100 @@ -26,6 +26,7 @@ Source1: sysconfig.seccheck Source2: cron_entries Patch0: daily-mailer.patch +Patch1: %{name}-3.0-fix-bashisms.patch Requires: bash Requires: cron # FIXME: use proper Requires(pre/post/preun/...) @@ -42,6 +43,7 @@ %setup -q %patch0 -p1 +%patch1 -p1 -F2 %install install -d -m 700 %{buildroot}%{_localstatedir}/lib/secchk ++++++ seccheck-3.0-fix-bashisms.patch ++++++ diff -Ndur seccheck-3.0/autologout.sh seccheck-3.0-fix-bashisms/autologout.sh --- seccheck-3.0/autologout.sh 2014-08-25 12:36:55.000000000 +0300 +++ seccheck-3.0-fix-bashisms/autologout.sh 2014-11-16 01:16:35.375287266 +0200 @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # # Small shellscript by Alexander Bergmann <[email protected]> which checks # for idle user terminals and kills them where applicable. Parameters can be diff -Ndur seccheck-3.0/helper.inc seccheck-3.0-fix-bashisms/helper.inc --- seccheck-3.0/helper.inc 2014-08-25 12:36:55.000000000 +0300 +++ seccheck-3.0-fix-bashisms/helper.inc 2014-11-16 01:22:19.370263995 +0200 
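Review bot: `%patch1 -p1 -F2` applies the new patch with a fuzz factor of 2, so a hunk whose surrounding context no longer matches is still placed wherever two context lines happen to match, which can land an edit in the wrong function without failing the build. The fuzz is presumably needed because Patch0 (daily-mailer.patch) is applied first and shifts context, but the safer fix is to regenerate seccheck-3.0-fix-bashisms.patch against the tree after Patch0 and apply it strictly, `%patch1 -p1`. If it already applies cleanly without fuzz, `-F2` should simply be dropped so future mismatches surface as build errors.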
@@ -2,22 +2,22 @@ # functions used by all modules # # param: prefix for filename -function set_tmpdir () { +set_tmpdir () { TMPDIR=`/bin/mktemp -d /tmp/$1.XXXXXX` || exit 1 } -function run_sysconfig_seccheck () { +run_sysconfig_seccheck () { test -e /etc/sysconfig/seccheck && . /etc/sysconfig/seccheck } -function syntax () { +syntax () { /bin/echo "Syntax: $0 "'daily|weekly|monthly' exit 1 } # set which mailer should be used -function set_mailer () { +set_mailer () { test -z "$MAILER" && test -x "/usr/sbin/sendmail" && MAILER="/usr/sbin/sendmail" test -z "$MAILER" && test -x "/usr/bin/mailx" && MAILER="/usr/bin/mailx" test -z "$MAILER" && test -x "/usr/lib/sendmail" && MAILER="/usr/lib/sendmail" @@ -26,7 +26,7 @@ } # create necessary directories -function create_secdir () { +create_secdir () { if [ ! -d "$SEC_VAR" ]; then rm -rf "$SEC_VAR" @@ -43,14 +43,14 @@ # param a username # template engine to substitute a variable in a text and prepare it # to be sent per email -function guessable_password_email { +guessable_password_email { ret_tmpl=`sed "s/{guessable_account}/$1/" blurbs/guessable_passwd.txt` echo $ret_tmpl } # those files are needed # param $1 = SEC_DATA, normally /var/lib/seccheck/data -function initialize_secfiles () { +initialize_secfiles () { for i in "rpm-md5" "sbit" "write" "devices" "write-bin"; do if [ ! -e "$1/$i" ] ; then touch "$1/$i" @@ -61,7 +61,7 @@ # daily changes per email # params # OLD1, OUT1 -function send_daily_changes () { +send_daily_changes () { local old1=$1 local out1=$2 
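Review bot: `guessable_password_email {` stops being a function definition once the `function` keyword is removed: without `()` the shell parses it as a command named guessable_password_email with the argument `{`, and the closing `}` two lines later is then a syntax error, which breaks every script that sources helper.inc (security-control.sh, security-daily.sh, security-monthly.sh and security-weekly.sh all do, per the other hunks). Every other definition in this hunk keeps its parentheses; this one needs the same form, `guessable_password_email () {`. The body of guessable_password_email lies inside the hunk, but the rest of helper.inc continues outside it.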
@@ -84,13 +84,14 @@ # use john the ripper to check guessable passwords # if you pass "quick" as argument it will simple try to find easy # guessable passwords. otherwise it will use a dictionary -function check_guessable_passwords () { +check_guessable_passwords () { - if type -p john >/dev/null && type -p unshadow >/dev/null ; then + if type john >/dev/null 2>&1 && type unshadow >/dev/null 2>&1; then # Copy passwd file. Use unique name to avoid races when john takes very long SEC_PASSWD="$SEC_VAR/passwd.$$" OUT="$TMPDIR/security.out" # random name please - echo -e '\nComplete list of user accounts with guessable passwords:' + echo + echo "Complete list of user accounts with guessable passwords:" unshadow /etc/passwd /etc/shadow > $SEC_PASSWD if [ "$1" != "quick" ]; then nice -n 1 john -single "$SEC_PASSWD" 1> /dev/null 2>&1 @@ -115,7 +116,7 @@ # param mount points -function check_new_devices () { +check_new_devices () { mnt_point=$1 local output_file=`mktemp -t new_devices.XXXX` # TEMPDIR is set but not exported.. does it work? # warning: bug #51004 ls output depends on root's locale and may be less @@ -131,7 +132,7 @@ } # check md5sum from files -function check_md5 () { +check_md5 () { local output_file=`mktemp -t md5.XXXX` # TEMPDIR is set but not exported.. does it work? nice -n 1 rpm -Va 2> /dev/null | grep '^5' > "$SEC_DATA/rpm-md5.new" diff -uw "$SEC_DATA/rpm-md5" "$SEC_DATA/rpm-md5.new" | \ @@ -144,7 +145,7 @@ rm -f "$output_file" } -function display_programs_with_bound_sockets () { +display_programs_with_bound_sockets () { if [ -x /usr/bin/lsof ]; then printf "\nThe following programs have got bound sockets:\n" /usr/bin/lsof -i -n -P | egrep 'UDP|TCP.*LISTEN' | sed 's/....[0-9]u IP.* / /' | 
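Review bot: The replacement for `echo -e '\nComplete list of user accounts with guessable passwords:'` splits one message into a bare `echo` plus a second `echo`, and the corresponding hunks in security-monthly.sh and user_group_password_helper.inc instead embed literal newlines inside the quoted string, so the same message style is now written two different ways. helper.inc already uses `printf "\nThe following programs have got bound sockets:\n"` in display_programs_with_bound_sockets, so `printf '\nComplete list of user accounts with guessable passwords:\n'` would be both portable and consistent with the existing code, and would keep each message on a single line. The body of check_guessable_passwords continues outside this hunk.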
@@ -155,7 +156,7 @@ } -function nfs_mounted_with_missing_nosuid () { +nfs_mounted_with_missing_nosuid () { local output_file=`mktemp -t mounted_with_missing_nosuid.XXXX` # TEMPDIR is set but not exported.. does it work? /bin/mount | /usr/bin/grep -v nosuid | /usr/bin/grep ' nfs ' |sort > $output_file if [ -s "$output_file" ] ; then @@ -165,7 +166,7 @@ rm -f "$output_file" } -function list_loaded_kernel_modules () { +list_loaded_kernel_modules () { local output_file=`mktemp -t loaded_kernel_modules.XXXX` # TEMPDIR is set but not exported.. does it work? test -e /proc/modules && { lsmod 2> /dev/null | grep -v '^Module .* Used by$' | awk '{print$1}' | sort > $output_file @@ -178,7 +179,7 @@ } -function check_for_globally_exported_fs () { +check_for_globally_exported_fs () { local output_file=`mktemp -t globally_exported_fs.XXXX` # TEMPDIR is set but not exported.. does it work? diff -Ndur seccheck-3.0/security-control.sh seccheck-3.0-fix-bashisms/security-control.sh --- seccheck-3.0/security-control.sh 2014-08-25 12:36:55.000000000 +0300 +++ seccheck-3.0-fix-bashisms/security-control.sh 2014-11-16 01:17:02.138285456 +0200 @@ -9,7 +9,7 @@ MY_DIR=$(dirname $(readlink -f $0)) . $MY_DIR/basic.inc -source $MY_DIR/helper.inc +. $MY_DIR/helper.inc run_sysconfig_seccheck diff -Ndur seccheck-3.0/security_daily_helper.inc seccheck-3.0-fix-bashisms/security_daily_helper.inc --- seccheck-3.0/security_daily_helper.inc 2014-08-25 12:36:55.000000000 +0300 +++ seccheck-3.0-fix-bashisms/security_daily_helper.inc 2014-11-16 01:24:33.903254894 +0200 @@ -1,5 +1,5 @@ # tests specific for security-daily.sh -function check_mailboxes_owned_by_user_and_unreadable () { +check_mailboxes_owned_by_user_and_unreadable () { local output_file=`mktemp -t globally_exported_fs.XXXX` # TEMPDIR is set but not exported.. does it work? ls -cl /var/spool/mail | sed 1d | \ awk '$3 != $9 \ 
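Review bot: The new `. $MY_DIR/helper.inc` line in security-control.sh leaves `$MY_DIR` unquoted, as do the equivalent replacements in security-daily.sh, security-monthly.sh and security-weekly.sh; the untouched `. $MY_DIR/basic.inc` line above it has the same form, so this is pre-existing style rather than a regression, but since the commit rewrites these lines anyway they could be quoted at the same time, `. "$MY_DIR/helper.inc"`. MY_DIR comes from `$(dirname $(readlink -f $0))`, so an install path containing whitespace would presumably already fail earlier; the quoting is mainly for consistency with the defensive style the other helper functions use (`"$SEC_DATA/..."`).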
@@ -16,12 +16,12 @@ # params # $1 the sysctl param # $2 the returned value expected -function check_specifics_sysctl_helper () { +check_specifics_sysctl_helper () { test `cat "$SEC_DATA/sysctl" | grep "$1" | cut -f2 -d'='` -eq "$2" } # some specific security sysctl parameters -function check_specifics_sysctl () { +check_specifics_sysctl () { if [ ! -e "$SEC_DATA/sysctl" ]; then /usr/sbin/sysctl -a > "$SEC_DATA/sysctl" @@ -33,7 +33,7 @@ check_specifics_sysctl_helper "net.ipv4.conf.all.rp_filter" 1 || printf "\nnet.ipv4.conf.all.rp_filter\n is disabled" } -function check_systemd_services() { +check_systemd_services() { local output_file=`mktemp -t check_systemd_services.XXXX` # TEMPDIR is set but not exported.. does it work? /usr/bin/systemctl list-unit-files --type=service > "$SEC_DATA/systemd_services.new" diff -uw "$SEC_DATA/systemd_services" "$SEC_DATA/systemd_services.new" |egrep -v '^\+\+\+ |^--- |^$|^@@' | sed 's/^[+-]/& /' > "$output_file" @@ -45,7 +45,7 @@ rm -f "$output_file" } -function check_sysctl () { +check_sysctl () { local output_file=`mktemp -t check_sysctl.XXXX` # TEMPDIR is set but not exported.. does it work? /usr/sbin/sysctl -a > "$SEC_DATA/sysctl.new" diff -uw "$SEC_DATA/sysctl" "$SEC_DATA/sysctl.new" |egrep -v '^\+\+\+ |^--- |^$|^@@' | sed 's/^[+-]/& /' > "$output_file" @@ -57,7 +57,7 @@ rm -f "$output_file" } -function check_xinetd_services () { +check_xinetd_services () { local output_file=`mktemp -t check_xinetd_services.XXXX` # TEMPDIR is set but not exported.. does it work? /sbin/chkconfig --list | awk '/xinetd based services/,/""/' | grep -v off > "$SEC_DATA/xinetd.new" diff -uw "$SEC_DATA/xinetd" "$SEC_DATA/xinetd.new" |egrep -v '^\+\+\+ |^--- |^$|^@@' | sed 's/^[+-]/& /' > "$output_file" 
@@ -69,13 +69,13 @@ rm -f "$output_file" } -function check_ASLR_enabled () { +check_ASLR_enabled () { if test `cat /proc/sys/kernel/randomize_va_space` -ne 2; then printf "ASLR isnt enable. By default its enabled.\n" fi } -function check_leak_kernel_internal_addresses () { +check_leak_kernel_internal_addresses () { if test `cat /proc/sys/kernel/kptr_restrict` -ne 1; then printf "/proc/sys/kernel/kptr_restrict should be 1.\n" fi @@ -87,7 +87,7 @@ } # promisc check to catch all cases even from other hosts if -function check_promisc () { +check_promisc () { # new promisc check # rewrite of promisc check to catch all cases even from other hosts if # script runs on a central syslog host. Thomas Biege <[email protected]> @@ -122,7 +122,7 @@ } # .rhosts check -function check_rhosts () { +check_rhosts () { local output_file=`mktemp -t check_rhosts.XXXX` # TEMPDIR is set but not exported.. does it work? awk -F: '{ print $1 " " $6 }' /etc/passwd | while read uid homedir; do @@ -146,7 +146,7 @@ } # executables should not be in the /etc/aliases file. -function no_exec_in_etcaliases () { +no_exec_in_etcaliases () { if [ -s /etc/aliases ]; then local output_file=`mktemp -t no_exec_in_etcaliases.XXXX` # TEMPDIR is set but not exported.. does it work? grep -v '^#' /etc/aliases | grep '|' > $output_file @@ -161,7 +161,7 @@ } # it doesnt save it to a file like the others.. why? -function check_no_plus () { +check_no_plus () { local output_file=`mktemp -t check_no_plus.XXXX` # TEMPDIR is set but not exported.. does it work? list="/etc/hosts.equiv /etc/shosts.equiv /etc/hosts.lpd" for f in $list ; do @@ -177,7 +177,7 @@ } # Check home directories. Directories should not be owned by someone else -function check_home_directories_owners () { +check_home_directories_owners () { local output_file=`mktemp -t home_directories_owners.XXXX` # TEMPDIR is set but not exported.. does it work? awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \ while read uid homedir; do 
@@ -200,7 +200,7 @@ } # Files that should not be owned by someone else or writeable. -function check_special_files_owner () { +check_special_files_owner () { output_file=`mktemp -t specia_files_owner.XXXX` # TEMPDIR is set but not exported.. does it work? list=".bashrc .bash_profile .bash_login .bash_logout .cshrc .emacs .exrc \ .forward .klogin .login .logout .profile .tcshrc .fvwmrc .inputrc .kshrc \ @@ -230,7 +230,7 @@ } # checking root's login scrips for secure path and umask -function check_root_login_scripts () { +check_root_login_scripts () { local output_file=`mktemp -t check_root_login_scripts.0.XXXX` # TEMPDIR is set but not exported.. does it work? local tmp_file1=`mktemp -t check_root_login_scripts.1.XXXX` # TEMPDIR is set but not exported.. does it work? local tmp_file2=`mktemp -t check_root_login_scripts.2.XXXX` # TEMPDIR is set but not exported.. does it work? diff -Ndur seccheck-3.0/security-daily.sh seccheck-3.0-fix-bashisms/security-daily.sh --- seccheck-3.0/security-daily.sh 2014-08-25 12:36:55.000000000 +0300 +++ seccheck-3.0-fix-bashisms/security-daily.sh 2014-11-16 01:17:23.275284026 +0200 @@ -12,9 +12,9 @@ MY_DIR=$(dirname $(readlink -f $0)) . $MY_DIR/basic.inc -source $MY_DIR/helper.inc -source $MY_DIR/security_daily_helper.inc -source $MY_DIR/user_group_password_helper.inc +. $MY_DIR/helper.inc +. $MY_DIR/security_daily_helper.inc +. $MY_DIR/user_group_password_helper.inc set_tmpdir "security-daily.sh" diff -Ndur seccheck-3.0/security-monthly.sh seccheck-3.0-fix-bashisms/security-monthly.sh --- seccheck-3.0/security-monthly.sh 2014-08-25 12:36:55.000000000 +0300 +++ seccheck-3.0-fix-bashisms/security-monthly.sh 2014-11-16 01:19:27.850275598 +0200 @@ -8,7 +8,7 @@ MY_DIR=$(dirname $(readlink -f $0)) . $MY_DIR/basic.inc -source $MY_DIR/helper.inc +. $MY_DIR/helper.inc run_sysconfig_seccheck 
@@ -35,28 +35,36 @@ # fi #done -echo -e '\nNOTE: have you checked http://www.novell.com/products/security.html for security updates?!\n' +echo ' +NOTE: have you checked http://www.novell.com/products/security.html for security updates?! +' cat "$OLD1" check_guessable_passwords "quick" -echo -e '\nComplete list of unused user accounts which have a password assigned:' +echo " +Complete list of unused user accounts which have a password assigned:" $SEC_BIN/checkneverlogin -echo -e '\nComplete list of writeable and executeable programs:' +echo " +Complete list of writeable and executeable programs:" cat "$SEC_DATA/write-bin" -echo -e '\nComplete list of suid/sgid files:' +echo " +Complete list of suid/sgid files:" cat "$SEC_DATA/sbit" -echo -e '\nComplete list of world writeable files:' +echo " +Complete list of world writeable files:" cat "$SEC_DATA/write" -echo -e '\nComplete list of all changed installed packages:' +echo " +Complete list of all changed installed packages:" cat "$SEC_DATA/rpm-md5" -echo -e '\nComplete list of (char/block) devices:' +echo " +Complete list of (char/block) devices:" cat "$SEC_DATA/devices" exit 0 diff -Ndur seccheck-3.0/security_weekly_helper.inc seccheck-3.0-fix-bashisms/security_weekly_helper.inc --- seccheck-3.0/security_weekly_helper.inc 2014-08-25 12:36:55.000000000 +0300 +++ seccheck-3.0-fix-bashisms/security_weekly_helper.inc 2014-11-16 01:22:55.737261535 +0200 @@ -1,5 +1,5 @@ # param mount points -function check_suid_sgid () { +check_suid_sgid () { mnt_point=$1 local output_file=`mktemp -t suid_sgid.XXXX` # TEMPDIR is set but not exported.. does it work? ( nice -n 1 find $mnt_point -mount \( -perm -04000 -o -perm -02000 \) -type f | sort | \ 
@@ -14,7 +14,7 @@ } # param mount points -function check_writable_executable () { +check_writable_executable () { mnt_point=$1 local output_file=`mktemp -t writable_executable.XXXX` # TEMPDIR is set but not exported.. does it work? ( nice -n 1 find $mnt_point -mount \( -perm -30 -o -perm -3 \) -type f | sort | \ @@ -30,7 +30,7 @@ } # param mount points -function check_world_writable () { +check_world_writable () { mnt_point=$1 local output_file=`mktemp -t world_writable.XXXX` # TEMPDIR is set but not exported.. does it work? ( nice -n 1 find $mnt_point -mount -perm -2 \( -type f -o -type d \) -not -perm -01000 | sort > "$SEC_DATA/write.new" ) 2> /dev/null @@ -46,7 +46,7 @@ # params # $1 = directory for checkneverlogin -function check_neverlogin () { +check_neverlogin () { bin_path=$1 # local output_file=`mktemp -t neverlogin.XXXX` # TEMPDIR is set but not exported.. does it work? diff -Ndur seccheck-3.0/security-weekly.sh seccheck-3.0-fix-bashisms/security-weekly.sh --- seccheck-3.0/security-weekly.sh 2014-08-25 12:36:55.000000000 +0300 +++ seccheck-3.0-fix-bashisms/security-weekly.sh 2014-11-16 01:20:03.815273165 +0200 @@ -15,9 +15,9 @@ MY_DIR=$(dirname $(readlink -f $0)) . $MY_DIR/basic.inc -source $MY_DIR/helper.inc -source $MY_DIR/security_weekly_helper.inc -source $MY_DIR/user_group_password_helper.inc +. $MY_DIR/helper.inc +. $MY_DIR/security_weekly_helper.inc +. $MY_DIR/user_group_password_helper.inc diff -Ndur seccheck-3.0/user_group_password_helper.inc seccheck-3.0-fix-bashisms/user_group_password_helper.inc --- seccheck-3.0/user_group_password_helper.inc 2014-08-25 12:36:55.000000000 +0300 +++ seccheck-3.0-fix-bashisms/user_group_password_helper.inc 2014-11-16 01:23:43.687258291 +0200 @@ -1,6 +1,6 @@ # user,group and password related functions -function check_passwd () { +check_passwd () { local output_file=`mktemp -t check_passwd.XXXX` # TEMPDIR is set but not exported.. does it work? # /etc/passwd check 
@@ -50,7 +50,8 @@ awk -F: '{ print $1 " " $3 }' $PW | sort -n -k2 | tee $TMP1 | uniq -d -f 1 | awk '{ print $2 }' > $TMP2 if [ -s "$TMP2" ] ; then - echo -e "\n$PW has duplicate user ids:" + echo + echo "$PW has duplicate user ids:" while read uid; do grep -w $uid\$ $TMP1 done < $TMP2 | column @@ -59,7 +60,7 @@ rm -f "$output_file" } -function check_shadow () { +check_shadow () { local output_file=`mktemp -t check_passwd.XXXX` # TEMPDIR is set but not exported.. does it work? PW="/etc/shadow" awk -F: '{ @@ -96,7 +97,7 @@ rm -f "$output_file" } -function check_group () { +check_group () { local output_file=`mktemp -t check_group.XXXX` # TEMPDIR is set but not exported.. does it work? GRP=/etc/group awk -F: '{ @@ -129,7 +130,7 @@ rm -f "$output_file" } -function check_ftpusers () { +check_ftpusers () { if [ -s /etc/ftpusers ]; then local output_file=`mktemp -t check_ftpusers.XXXX` # TEMPDIR is set but not exported.. does it work? grep -q '^root$' /etc/ftpusers || echo root >> $output_file -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
