File seccheck-2.0-misc.patch of Package seccheck
--- seccheck-2.0/crontab.security.misc Sun Dec 10 18:31:04 2000
+++ seccheck-2.0/crontab.security Mon Nov 18 17:16:54 2002
@@ -1,3 +1,4 @@
+RUN_FROM_CRON=yes
#
# SuSE Security Checks
#
--- seccheck-2.0/security-control.sh.misc Mon Nov 18 17:16:54 2002
+++ seccheck-2.0/security-control.sh Mon Nov 18 17:16:54 2002
@@ -11,9 +11,8 @@
test -z "$SECCHK_USER" && SECCHK_USER="root"
-CRON=`ps ax|grep $PPID|grep -v grep| grep -i cron`
-if test "$START_SECCHK" != yes -a ! -z "$CRON"; then
- echo "seccheck disabled by START_SECCHK"
+if test "$START_SECCHK" != yes -a "$RUN_FROM_CRON" = yes; then
+ #echo "seccheck disabled by START_SECCHK"
exit 0
fi
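Review bot: The new gate `if test "$START_SECCHK" != yes -a "$RUN_FROM_CRON" = yes; then` still relies on the deprecated `-a` binary, and with the echo commented out a disabled cron run now exits 0 without leaving any trace. I would write it as two tests, `if test "$START_SECCHK" != yes && test "$RUN_FROM_CRON" = yes; then`, and either delete the dead `#echo` line or keep a diagnostic on stderr so an operator can tell why no report arrived. RUN_FROM_CRON is an ordinary environment variable inherited from the crontab, so any caller that exports it gets the same early exit; that appears intended and is sturdier than the previous `ps|grep $PPID` probe.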
@@ -21,15 +20,19 @@
/bin/echo "Syntax: $0 "'daily|weekly|monthly'
exit 1
}
-function disclaimer () {
- /bin/echo
- /bin/echo "DISCLAIMER"
- /bin/echo
- /bin/echo "Please note that these security checks are neither complete nor reliable."
- /bin/echo "Any attacker with proper experience and root access to your system can"
- /bin/echo "deceive *any* security check!"
- /bin/echo
-}
+
+BLURB="
+
+This is an automated mail by the seccheck tool. If you want to disable
+this service, set START_SECCHK=no in /etc/sysconfig/seccheck.
+
+DISCLAIMER
+
+Please note that these security checks are neither complete nor reliable.
+Any attacker with proper experience and root access to your system can
+deceive *any* security check!
+
+"
test -z "$1" && syntax
@@ -41,7 +44,7 @@
test -z "$MAILER" && echo "Can not find a suitable mailer!"
test -z "$MAILER" && exit 1
test -z "$SEC_BIN" && SEC_BIN="/usr/lib/secchk"
-test -z "$SEC_DATA" && SEC_VAR="/var/lib/secchk"
+test -z "$SEC_VAR" && SEC_VAR="/var/lib/secchk"
export MAILER
SEC_DATA="$SEC_VAR/data"
OUT1="$SEC_VAR/security-report-daily.new"
@@ -69,13 +72,17 @@
/bin/sh "$SEC_BIN/security-daily.sh" 1> "$OUT1"
/usr/bin/diff -q -w "$OLD1" "$OUT1" 1> /dev/null || (
{
- echo "To: $SECCHK_USER"
- echo -e "Subject: Local Daily Security for `hostname`: Changes\n"
- echo "Daily security check $VERSION by Marc Heuse <marc@suse.de>"
- echo "This is an automated mail by the seccheck tool. If you want to disable this"
- echo "service, just type \"mv /etc/cron.d/seccheck /etc/cron.d_seccheck.save\"."
- disclaimer
- echo -e "Changes in your daily security configuration of `hostname`:\n"
+ cat <<-EOF
+ To: $SECCHK_USER
+ Subject: Local Daily Security for `hostname`: Changes
+
+ Daily security check $VERSION by Marc Heuse <marc@suse.de>
+ $BLURB
+
+ Changes in your daily security configuration of `hostname`:
+
+EOF
+
/usr/bin/diff -u -w "$OLD1" "$OUT1" | sed 's/^@@.*/\
* Changes (+: new entries, -: removed entries):\
/' | egrep '^[+*-]|^$' |sed 's/^+++/NEW:/' | sed 's/^---/OLD:/' | sed 's/^[+-]/& /'
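Review bot: The mail header lines in the new here-document (`To: $SECCHK_USER`, `Subject: ...`) need to reach `$MAILER` in column 0, and `<<-` strips only leading tabs, never spaces; this page does not show whether the indentation is tabs, so please confirm. If the lines are space-indented the headers arrive indented, and a leading blank on the very first line is not a valid header. The weekly and monthly here-documents in the next two hunks have the same layout. `$BLURB` already starts and ends with blank lines, so the extra empty lines around it could be dropped for a tidier message.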
@@ -89,13 +96,16 @@
/bin/sh "$SEC_BIN/security-weekly.sh" 1> "$OUT2"
if [ -s "$OUT2" ]; then
{
- echo "To: $SECCHK_USER"
- echo -e "Subject: Local Weekly Security for `hostname`: Changes\n"
- echo "Weekly security check $VERSION by Marc Heuse <marc@suse.de>"
- echo "This is an automated mail by the seccheck tool. If you want to disable this"
- echo "service, just type \"mv /etc/cron.d/seccheck /etc/cron.d_seccheck.save\"."
- disclaimer
- echo -e "Changes in your weekly security configuration of `hostname`:\n"
+ cat <<-EOF
+ To: $SECCHK_USER
+ Subject: Local Weekly Security for `hostname`: Changes
+
+ Weekly security check $VERSION by Marc Heuse <marc@suse.de>
+ $BLURB
+
+ Changes in your weekly security configuration of `hostname`:
+
+EOF
cat "$OUT2"
} | $MAILER "$SECCHK_USER"
mv "$OUT2" "$OLD2"
@@ -107,13 +117,16 @@
test -s "$OLD1" || /bin/sh "$SEC_BIN/security-daily.sh" 1> "$OLD1"
test -e "$SEC_DATA/devices" || /bin/sh "$SEC_BIN/security-weekly.sh" 1> "$OLD2"
{
- echo "To: $SECCHK_USER"
- echo -e "Subject: Local Monthly Security for `hostname`: Complete\n"
- echo "Monthly security check $VERSION by Marc Heuse <marc@suse.de>"
- echo "This is an automated mail by the seccheck tool. If you want to disable this"
- echo "service, just type \"mv /etc/cron.d/seccheck /etc/cron.d_seccheck.save\"."
- disclaimer
- echo -e "Complete monthly listing of `hostname`:\n"
+ cat <<-EOF
+ To: $SECCHK_USER
+ Subject: Local Monthly Security for `hostname`: Complete
+
+ Monthly security check $VERSION by Marc Heuse <marc@suse.de>
+ $BLURB
+
+ Monthly security check $VERSION by Marc Heuse <marc@suse.de>
+
+EOF
/bin/sh "$SEC_BIN/security-monthly.sh"
} | tee "$OLD3" | $MAILER "$SECCHK_USER"
)
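Review bot: The monthly message body repeats its own title line — `Monthly security check $VERSION by Marc Heuse <marc@suse.de>` appears both before and after `$BLURB` — where the removed echo printed the introduction `Complete monthly listing of `hostname`:`. The second occurrence looks like a copy-paste slip; it should read ``Complete monthly listing of `hostname`:`` so the report keeps its intro line, matching the daily and weekly bodies. The enclosing subshell opened before this hunk.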
--- seccheck-2.0/security-daily.sh.misc Mon Nov 18 17:16:54 2002
+++ seccheck-2.0/security-daily.sh Mon Nov 18 17:32:27 2002
@@ -33,16 +33,16 @@
printf("Line %d is a blank line.\n", NR);
next;
}
- if (NF != 7)
- printf("Line %d has the wrong number of fields.\n", NR);
if ($1 ~ /^[+-]$/)
next;
+ if (NF != 7)
+ printf("Line %d has the wrong number of fields.\n", NR+1);
if ($1 == "")
printf("Line %d has an empty login field.\n", NR);
else if ($1 !~ /^[A-Za-z0-9][A-Za-z0-9_\.-]*$/)
printf("Login %s has non-alphanumeric characters.\n", $1);
- if (length($1) > 8)
- printf("Login %s has more than 8 characters.\n", $1);
+ if (length($1) > 32)
+ printf("Login %s has more than 32 characters.\n", $1);
if ($2 == "")
printf("Login %s has no password.\n", $1);
else if ($2 !~ /^[x*!]+$/)
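Review bot: The relocated field-count check now reports `NR+1` while every other message for the same record (`blank line`, `empty login field`) reports `NR`, so one passwd line can be reported under two different line numbers; the reason for the +1 is not visible here. If the input is offset somehow (a stripped header line, for instance), the other printf calls should use the same offset; otherwise the new line should simply be `printf("Line %d has the wrong number of fields.\n", NR);`. The shadow and group checks in the next two hunks carry the same `NR+1`. The awk program starts and ends outside this hunk.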
@@ -95,16 +95,16 @@
printf("Line %d is a blank line.\n", NR);
next;
}
- if (NF != 9)
- printf("Line %d has the wrong number of fields.\n", NR);
if ($1 ~ /^[+-]$/)
next;
+ if (NF != 9)
+ printf("Line %d has the wrong number of fields.\n", NR+1);
if ($1 == "")
printf("Line %d has an empty login field.\n", NR);
else if ($1 !~ /^[A-Za-z0-9][A-Za-z0-9_-]*$/)
printf("Login %s has non-alphanumeric characters.\n", $1);
- if (length($1) > 8)
- printf("Login %s has more than 8 characters.\n", $1);
+ if (length($1) > 32)
+ printf("Login %s has more than 32 characters.\n", $1);
if ($2 == "")
printf("Login %s has no password.\n", $1);
if ($2 != "" && length($2) != 13 && length($2) != 34 &&
@@ -133,11 +133,11 @@
if ($1 ~ /^[+-]$/)
next;
if (NF != 4)
- printf("Line %d has the wrong number of fields.\n", NR);
+ printf("Line %d has the wrong number of fields.\n", NR+1);
if ($1 !~ /^[A-za-z0-9][A-za-z0-9_-]*$/)
printf("Group %s has non-alphanumeric characters.\n", $1);
- if (length($1) > 8)
- printf("Group %s has more than 8 characters.\n", $1);
+ if (length($1) > 32)
+ printf("Group %s has more than 32 characters.\n", $1);
if ($3 !~ /[0-9]*/)
printf("Login %s has a negative group id.\n", $1);
if (length($4) > 0 && $3 < 3)
@@ -313,7 +313,7 @@
awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \
while read uid homedir; do
if [ -d ${homedir}/ ] ; then
- file=`ls -ldbg ${homedir}|sed 's/[%\]/_/g'`
+ file=`ls -ldb ${homedir}|sed 's/[%\]/_/g'`
printf "$uid $file\n"
fi
done |
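Review bot: The rewritten `ls -ldb ${homedir}` still expands `${homedir}` unquoted and without `--`, so a home directory containing whitespace or glob characters, or one beginning with `-`, is mis-listed; `file=`ls -ldb -- "${homedir}"|sed 's/[%\]/_/g'`` keeps the rest of the line intact. The `sed` substitution is load-bearing here: the result is used as the format string of the `printf` on the next line, so `%` and `\` must stay replaced. The same unquoted `$file` occurs in `ls -ldcb $file` in the next hunk. The `while` loop continues past the end of the hunk.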
@@ -360,7 +360,7 @@
for f in $list ; do
file=${homedir}/${f}
if [ -f "$file" ] ; then
- printf "$uid $f `ls -ldcbg $file|sed 's/[%\]/_/g'`\n"
+ printf "$uid $f `ls -ldcb $file|sed 's/[%\]/_/g'`\n"
fi
done
done |
--- seccheck-2.0/security-monthly.sh.misc Sun Jul 1 23:28:01 2001
+++ seccheck-2.0/security-monthly.sh Mon Nov 18 17:16:54 2002
@@ -5,7 +5,7 @@
#
####
-. /etc/rc.config
+. /etc/sysconfig/seccheck
export PATH="/sbin:/usr/sbin:/bin:/usr/bin"
umask 077
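Review bot: `. /etc/sysconfig/seccheck` sources the configuration as shell code with root privileges and no readability check; if the file is absent, a non-interactive POSIX shell aborts on the failed `.`, and if it is writable by anyone other than root, that user runs code as root on every cron invocation. Packaging should install the file root-owned and not group/world-writable, and a guard such as `test -r /etc/sysconfig/seccheck && . /etc/sysconfig/seccheck` would make the missing-file case explicit rather than a shell error. The weekly script in the next hunk makes the identical change.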
--- seccheck-2.0/security-weekly.sh.misc Mon Jul 2 00:30:42 2001
+++ seccheck-2.0/security-weekly.sh Mon Nov 18 17:19:36 2002
@@ -8,7 +8,7 @@
# TODO /etc /home /home/.* permissions
#
-. /etc/rc.config
+. /etc/sysconfig/seccheck
PATH=/sbin:/usr/sbin:/bin:/usr/bin
umask 077
@@ -53,10 +53,13 @@
if [ -x /usr/sbin/john -a -x /usr/sbin/unshadow ]; then
echo > $SEC_VAR/dict
cat /usr/dict/* /var/lib/john/password.lst 2> /dev/null | sort | uniq >> $SEC_VAR/dict
- unshadow /etc/passwd /etc/shadow > $SEC_VAR/passwd
- nice -n 1 john -single "$SEC_VAR/passwd" 1> /dev/null 2>&1
- nice -n 1 john -rules -w:$SEC_VAR/dict "$SEC_VAR/passwd" 1> /dev/null 2>&1
- john -show "$SEC_VAR/passwd" | sed -n 's/:.*//p' > "$OUT"
+
+ # Copy passwd file. Use unique name to avoid races when john takes very long
+ SEC_PASSWD=$SEC_VAR/passwd.$$
+ unshadow /etc/passwd /etc/shadow > $SEC_PASSWD
+ nice -n 1 john -single "$SEC_PASSWD" 1> /dev/null 2>&1
+ nice -n 1 john -rules -w:$SEC_VAR/dict "$SEC_PASSWD" 1> /dev/null 2>&1
+ john -show "$SEC_PASSWD" | sed -n 's/:.*//p' > "$OUT"
if [ -s "$OUT" ] ; then
for i in `cat "$OUT"`; do
$MAILER "$i" << _EOF_
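Review bot: `$SEC_PASSWD` is a complete unshadowed password file and is only removed by the `rm -f` at the end of the block (next hunk); if the script is killed or the host reboots while `john` runs, which the new comment says can take very long, the hashes stay on disk under `$SEC_VAR`. Add `trap 'rm -f "$SEC_PASSWD"' EXIT` right after the assignment, and quote the redirection `> "$SEC_PASSWD"` like the other three uses. Because `SEC_PASSWD` is assigned inside the `if`, the later `rm -f $SEC_PASSWD` expands to `rm -f` with no operand when john is not installed; moving the removal into the branch (or relying on the trap) avoids that. The `umask 077` set earlier in this file governs the mode of the temporary file, so its protection depends on that line staying where it is.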
@@ -76,7 +79,7 @@
else
echo -e "\nPassword security checking not possible, package "john" not installed."
fi
-rm -f $SEC_VAR/passwd
+rm -f $SEC_PASSWD
# neverlogin check
$SEC_BIN/checkneverlogin > "$OUT"
@@ -86,7 +89,7 @@
fi
# suid/sgid check
-( nice -n 1 find $MNT \( -perm -04000 -o -perm -02000 \) -mount -type f | sort | xargs ls -cdl --full-time -- > "$SEC_DATA/sbit.new" ) 2> /dev/null
+( nice -n 1 find $MNT \( -perm -04000 -o -perm -02000 \) -mount -type f | sort | xargs ls -cdl --time-style=long-iso -- > "$SEC_DATA/sbit.new" ) 2> /dev/null
diff -uw "$SEC_DATA/sbit" "$SEC_DATA/sbit.new" | \
egrep -v '^\+\+\+ |^--- |^$|^@@' | sed 's/^[+-]/& /' > "$OUT"
if [ -s "$OUT" ] ; then
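Review bot: Switching to `--time-style=long-iso` reduces the recorded ctime to minute resolution, so a setuid/setgid binary replaced within the same minute as its baseline entry, with unchanged size and mode, would no longer differ in `sbit.new`; `--full-time` kept seconds. The weekly cadence makes that unlikely, but if the precision was dropped only for readability, `--time-style=full-iso` keeps the seconds. The rewritten pipeline also still relies on `xargs ls`, which splits long inputs into several `ls` calls and mis-handles whitespace in names; `find ... -print0 | sort -z | xargs -0 ls ...` would keep the listing faithful. The writable-executable check in the next hunk has the same change.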
@@ -97,7 +100,7 @@
rm -f "$SEC_DATA/sbit.new"
# writeable executable check
-( nice -n 1 find $MNT \( -perm -30 -o -perm -3 \) -mount -type f | sort | xargs ls -cdl --full-time -- > "$SEC_DATA/write-bin.new" ) 2> /dev/null
+( nice -n 1 find $MNT \( -perm -30 -o -perm -3 \) -mount -type f | sort | xargs ls -cdl --time-style=long-iso -- > "$SEC_DATA/write-bin.new" ) 2> /dev/null
diff -uw "$SEC_DATA/write-bin" "$SEC_DATA/write-bin.new" | \
egrep -v '^\+\+\+ |^--- |^$|^@@' | sed 's/^[+-]/& /' > "$OUT"
if [ -s "$OUT" ] ; then