Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:12.3
seccheck
seccheck-2.0-misc.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File seccheck-2.0-misc.patch of Package seccheck
--- seccheck-2.0/crontab.security.misc Sun Dec 10 18:31:04 2000 +++ seccheck-2.0/crontab.security Mon Nov 18 17:16:54 2002 @@ -1,3 +1,4 @@ +RUN_FROM_CRON=yes # # SuSE Security Checks # --- seccheck-2.0/security-control.sh.misc Mon Nov 18 17:16:54 2002 +++ seccheck-2.0/security-control.sh Mon Nov 18 17:16:54 2002 @@ -11,9 +11,8 @@ test -z "$SECCHK_USER" && SECCHK_USER="root" -CRON=`ps ax|grep $PPID|grep -v grep| grep -i cron` -if test "$START_SECCHK" != yes -a ! -z "$CRON"; then - echo "seccheck disabled by START_SECCHK" +if test "$START_SECCHK" != yes -a "$RUN_FROM_CRON" = yes; then + #echo "seccheck disabled by START_SECCHK" exit 0 fi @@ -21,15 +20,19 @@ /bin/echo "Syntax: $0 "'daily|weekly|monthly' exit 1 } -function disclaimer () { - /bin/echo - /bin/echo "DISCLAIMER" - /bin/echo - /bin/echo "Please note that these security checks are neither complete nor reliable." - /bin/echo "Any attacker with proper experience and root access to your system can" - /bin/echo "deceive *any* security check!" - /bin/echo -} + +BLURB=" + +This is an automated mail by the seccheck tool. If you want to disable +this service, set START_SECCHK=no in /etc/sysconfig/seccheck. + +DISCLAIMER + +Please note that these security checks are neither complete nor reliable. +Any attacker with proper experience and root access to your system can +deceive *any* security check! + +" test -z "$1" && syntax @@ -41,7 +44,7 @@ test -z "$MAILER" && echo "Can not find a suitable mailer!" test -z "$MAILER" && exit 1 test -z "$SEC_BIN" && SEC_BIN="/usr/lib/secchk" -test -z "$SEC_DATA" && SEC_VAR="/var/lib/secchk" +test -z "$SEC_VAR" && SEC_VAR="/var/lib/secchk" export MAILER SEC_DATA="$SEC_VAR/data" OUT1="$SEC_VAR/security-report-daily.new" @@ -69,13 +72,17 @@ /bin/sh "$SEC_BIN/security-daily.sh" 1> "$OUT1" /usr/bin/diff -q -w "$OLD1" "$OUT1" 1> /dev/null || ( { - echo "To: $SECCHK_USER" - echo -e "Subject: Local Daily Security for `hostname`: Changes\n" - echo "Daily security check $VERSION by Marc Heuse <marc@suse.de>" - echo "This is an automated mail by the seccheck tool. If you want to disable this" - echo "service, just type \"mv /etc/cron.d/seccheck /etc/cron.d_seccheck.save\"." - disclaimer - echo -e "Changes in your daily security configuration of `hostname`:\n" + cat <<-EOF + To: $SECCHK_USER + Subject: Local Daily Security for `hostname`: Changes + + Daily security check $VERSION by Marc Heuse <marc@suse.de> + $BLURB + + Changes in your daily security configuration of `hostname`: + +EOF + /usr/bin/diff -u -w "$OLD1" "$OUT1" | sed 's/^@@.*/\ * Changes (+: new entries, -: removed entries):\ /' | egrep '^[+*-]|^$' |sed 's/^+++/NEW:/' | sed 's/^---/OLD:/' | sed 's/^[+-]/& /' @@ -89,13 +96,16 @@ /bin/sh "$SEC_BIN/security-weekly.sh" 1> "$OUT2" if [ -s "$OUT2" ]; then { - echo "To: $SECCHK_USER" - echo -e "Subject: Local Weekly Security for `hostname`: Changes\n" - echo "Weekly security check $VERSION by Marc Heuse <marc@suse.de>" - echo "This is an automated mail by the seccheck tool. If you want to disable this" - echo "service, just type \"mv /etc/cron.d/seccheck /etc/cron.d_seccheck.save\"." - disclaimer - echo -e "Changes in your weekly security configuration of `hostname`:\n" + cat <<-EOF + To: $SECCHK_USER + Subject: Local Weekly Security for `hostname`: Changes + + Weekly security check $VERSION by Marc Heuse <marc@suse.de> + $BLURB + + Changes in your weekly security configuration of `hostname`: + +EOF cat "$OUT2" } | $MAILER "$SECCHK_USER" mv "$OUT2" "$OLD2" @@ -107,13 +117,16 @@ test -s "$OLD1" || /bin/sh "$SEC_BIN/security-daily.sh" 1> "$OLD1" test -e "$SEC_DATA/devices" || /bin/sh "$SEC_BIN/security-weekly.sh" 1> "$OLD2" { - echo "To: $SECCHK_USER" - echo -e "Subject: Local Monthly Security for `hostname`: Complete\n" - echo "Monthly security check $VERSION by Marc Heuse <marc@suse.de>" - echo "This is an automated mail by the seccheck tool. If you want to disable this" - echo "service, just type \"mv /etc/cron.d/seccheck /etc/cron.d_seccheck.save\"." - disclaimer - echo -e "Complete monthly listing of `hostname`:\n" + cat <<-EOF + To: $SECCHK_USER + Subject: Local Monthly Security for `hostname`: Complete + + Monthly security check $VERSION by Marc Heuse <marc@suse.de> + $BLURB + + Monthly security check $VERSION by Marc Heuse <marc@suse.de> + +EOF /bin/sh "$SEC_BIN/security-monthly.sh" } | tee "$OLD3" | $MAILER "$SECCHK_USER" ) --- seccheck-2.0/security-daily.sh.misc Mon Nov 18 17:16:54 2002 +++ seccheck-2.0/security-daily.sh Mon Nov 18 17:32:27 2002 @@ -33,16 +33,16 @@ printf("Line %d is a blank line.\n", NR); next; } - if (NF != 7) - printf("Line %d has the wrong number of fields.\n", NR); if ($1 ~ /^[+-]$/) next; + if (NF != 7) + printf("Line %d has the wrong number of fields.\n", NR+1); if ($1 == "") printf("Line %d has an empty login field.\n", NR); else if ($1 !~ /^[A-Za-z0-9][A-Za-z0-9_\.-]*$/) printf("Login %s has non-alphanumeric characters.\n", $1); - if (length($1) > 8) - printf("Login %s has more than 8 characters.\n", $1); + if (length($1) > 32) + printf("Login %s has more than 32 characters.\n", $1); if ($2 == "") printf("Login %s has no password.\n", $1); else if ($2 !~ /^[x*!]+$/) @@ -95,16 +95,16 @@ printf("Line %d is a blank line.\n", NR); next; } - if (NF != 9) - printf("Line %d has the wrong number of fields.\n", NR); if ($1 ~ /^[+-]$/) next; + if (NF != 9) + printf("Line %d has the wrong number of fields.\n", NR+1); if ($1 == "") printf("Line %d has an empty login field.\n", NR); else if ($1 !~ /^[A-Za-z0-9][A-Za-z0-9_-]*$/) printf("Login %s has non-alphanumeric characters.\n", $1); - if (length($1) > 8) - printf("Login %s has more than 8 characters.\n", $1); + if (length($1) > 32) + printf("Login %s has more than 32 characters.\n", $1); if ($2 == "") printf("Login %s has no password.\n", $1); if ($2 != "" && length($2) != 13 && length($2) != 34 && @@ -133,11 +133,11 @@ if ($1 ~ /^[+-]$/) next; if (NF != 4) - printf("Line %d has the wrong number of fields.\n", NR); + printf("Line %d has the wrong number of fields.\n", NR+1); if ($1 !~ /^[A-za-z0-9][A-za-z0-9_-]*$/) printf("Group %s has non-alphanumeric characters.\n", $1); - if (length($1) > 8) - printf("Group %s has more than 8 characters.\n", $1); + if (length($1) > 32) + printf("Group %s has more than 32 characters.\n", $1); if ($3 !~ /[0-9]*/) printf("Login %s has a negative group id.\n", $1); if (length($4) > 0 && $3 < 3) @@ -313,7 +313,7 @@ awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \ while read uid homedir; do if [ -d ${homedir}/ ] ; then - file=`ls -ldbg ${homedir}|sed 's/[%\]/_/g'` + file=`ls -ldb ${homedir}|sed 's/[%\]/_/g'` printf "$uid $file\n" fi done | @@ -360,7 +360,7 @@ for f in $list ; do file=${homedir}/${f} if [ -f "$file" ] ; then - printf "$uid $f `ls -ldcbg $file|sed 's/[%\]/_/g'`\n" + printf "$uid $f `ls -ldcb $file|sed 's/[%\]/_/g'`\n" fi done done | --- seccheck-2.0/security-monthly.sh.misc Sun Jul 1 23:28:01 2001 +++ seccheck-2.0/security-monthly.sh Mon Nov 18 17:16:54 2002 @@ -5,7 +5,7 @@ # #### -. /etc/rc.config +. /etc/sysconfig/seccheck export PATH="/sbin:/usr/sbin:/bin:/usr/bin" umask 077 --- seccheck-2.0/security-weekly.sh.misc Mon Jul 2 00:30:42 2001 +++ seccheck-2.0/security-weekly.sh Mon Nov 18 17:19:36 2002 @@ -8,7 +8,7 @@ # TODO /etc /home /home/.* permissions # -. /etc/rc.config +. /etc/sysconfig/seccheck PATH=/sbin:/usr/sbin:/bin:/usr/bin umask 077 @@ -53,10 +53,13 @@ if [ -x /usr/sbin/john -a -x /usr/sbin/unshadow ]; then echo > $SEC_VAR/dict cat /usr/dict/* /var/lib/john/password.lst 2> /dev/null | sort | uniq >> $SEC_VAR/dict - unshadow /etc/passwd /etc/shadow > $SEC_VAR/passwd - nice -n 1 john -single "$SEC_VAR/passwd" 1> /dev/null 2>&1 - nice -n 1 john -rules -w:$SEC_VAR/dict "$SEC_VAR/passwd" 1> /dev/null 2>&1 - john -show "$SEC_VAR/passwd" | sed -n 's/:.*//p' > "$OUT" + + # Copy passwd file. Use unique name to avoid races when john takes very long + SEC_PASSWD=$SEC_VAR/passwd.$$ + unshadow /etc/passwd /etc/shadow > $SEC_PASSWD + nice -n 1 john -single "$SEC_PASSWD" 1> /dev/null 2>&1 + nice -n 1 john -rules -w:$SEC_VAR/dict "$SEC_PASSWD" 1> /dev/null 2>&1 + john -show "$SEC_PASSWD" | sed -n 's/:.*//p' > "$OUT" if [ -s "$OUT" ] ; then for i in `cat "$OUT"`; do $MAILER "$i" << _EOF_ @@ -76,7 +79,7 @@ else echo -e "\nPassword security checking not possible, package "john" not installed." fi -rm -f $SEC_VAR/passwd +rm -f $SEC_PASSWD # neverlogin check $SEC_BIN/checkneverlogin > "$OUT" @@ -86,7 +89,7 @@ fi # suid/sgid check -( nice -n 1 find $MNT \( -perm -04000 -o -perm -02000 \) -mount -type f | sort | xargs ls -cdl --full-time -- > "$SEC_DATA/sbit.new" ) 2> /dev/null +( nice -n 1 find $MNT \( -perm -04000 -o -perm -02000 \) -mount -type f | sort | xargs ls -cdl --time-style=long-iso -- > "$SEC_DATA/sbit.new" ) 2> /dev/null diff -uw "$SEC_DATA/sbit" "$SEC_DATA/sbit.new" | \ egrep -v '^\+\+\+ |^--- |^$|^@@' | sed 's/^[+-]/& /' > "$OUT" if [ -s "$OUT" ] ; then @@ -97,7 +100,7 @@ rm -f "$SEC_DATA/sbit.new" # writeable executable check -( nice -n 1 find $MNT \( -perm -30 -o -perm -3 \) -mount -type f | sort | xargs ls -cdl --full-time -- > "$SEC_DATA/write-bin.new" ) 2> /dev/null +( nice -n 1 find $MNT \( -perm -30 -o -perm -3 \) -mount -type f | sort | xargs ls -cdl --time-style=long-iso -- > "$SEC_DATA/write-bin.new" ) 2> /dev/null diff -uw "$SEC_DATA/write-bin" "$SEC_DATA/write-bin.new" | \ egrep -v '^\+\+\+ |^--- |^$|^@@' | sed 's/^[+-]/& /' > "$OUT" if [ -s "$OUT" ] ; then
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor