--- checksecurity-2.0.7.orig/debian/checksecurity.cron.daily +++ checksecurity-2.0.7/debian/checksecurity.cron.daily @@ -3,10 +3,9 @@ # Steve Greenland LOCKFILE=/var/lock/checksecurity.daily -# Previous value: -LOGFILE=/var/log/setuid.changes -# New proposed value -# LOGFILE=/var/log/checksecurity.log + +# The logfile we write our changes into. +LOGFILE=/var/log/checksecurity.log umask 022 # @@ -39,10 +38,7 @@ LOCKTOUCHPID="$!" fi -cd /var/log -umask 027 -[ -s "$LOGFILE" ] && savelog -c 7 -m 640 -u root -g adm "$LOGFILE" >/dev/null -checksecurity >"$LOGFILE" +checksecurity daily >>"$LOGFILE" # # Clean up lockfile --- checksecurity-2.0.7.orig/debian/changelog +++ checksecurity-2.0.7/debian/changelog 
@@ -1,3 +1,145 @@ +checksecurity (2.0.7-10.1ubuntu1) feisty; urgency=low + + * Resynchronise with Debian. Remaining changes: + - Downgrade all Recommends to Suggests. + + -- Colin Watson Tue, 19 Dec 2006 14:54:03 +0000 + +checksecurity (2.0.7-10.1) unstable; urgency=low + + * Non-maintainer upload to fix longstanding l10n issues + * Debconf templates translations: + - Swedish added. Closes: #331305 + - Vietnamese added. Sent during the call for updates of the NMU campaign. + - Brazilian Portuguese updated. Sent during the call for updates of + the NMU campaign. + - Russian added. Sent during the call for updates of the NMU campaign. + - Dzongkha added. Sent during the call for updates of the NMU campaign. + - Basque added. Sent during the call for updates of the NMU campaign. + + -- Christian Perrier Thu, 16 Nov 2006 06:01:25 +0100 + +checksecurity (2.0.7-10ubuntu1) edgy; urgency=low + + * Downgrade all Recommends to Suggests + + -- Matt Zimmerman Tue, 15 Aug 2006 10:22:13 -0700 + +checksecurity (2.0.7-10) unstable; urgency=low + + * Clean up all logfiles on purge as required by policy. + * Modified checksecurity.weekly to use its own lockfile and fix the + error message. 
We should not be using the same lockfile as + checksecurity.daily since the tests being run by default don't overlap + (Closes: #326871) + * Use debhelper compatibility version 4 + * Fixed FSF address in debian/copyright + * Updated the debian/copyright file with new authors + + -- Javier Fernandez-Sanguino Pen~a Wed, 21 Sep 2005 00:43:14 +0200 + +checksecurity (2.0.7-9) unstable; urgency=low + + * Added dependancies for "| debconf-2.0" as requested by Joey Hess + + -- Javier Fernandez-Sanguino Pen~a Thu, 4 Aug 2005 19:08:46 +0200 + +checksecurity (2.0.7-8) unstable; urgency=low + + * Prevent the setuid checks from traversing AFS filesystems under + /vicep (Closes: #320407) + + -- Javier Fernandez-Sanguino Pen~a Mon, 1 Aug 2005 21:25:16 +0200 + +checksecurity (2.0.7-7) unstable; urgency=low + + * Added Vietnamese debconf translation provided by Clytie Siddall (Closes: #309632) + * Recommend logwatch as an alternative to logcheck (Closes: #315019) + + -- Javier Fernandez-Sanguino Pen~a Sat, 9 Jul 2005 15:43:04 +0200 + +checksecurity (2.0.7-6) unstable; urgency=low + + * Checksecurity checks if you are root (effective uid) before running and + so does the check-passwd plugin too. + * Proper GPL header to the checksecurity program as well as to all of + the plugins. + + -- Javier Fernandez-Sanguino Pen~a Thu, 7 Apr 2005 09:28:24 +0200 + +checksecurity (2.0.7-5) unstable; urgency=low + + * Added new configuration files to the conffiles definition (lintian + error) + + -- Javier Fernandez-Sanguino Pen~a Tue, 22 Mar 2005 02:25:20 +0100 + +checksecurity (2.0.7-4) unstable; urgency=low + + * Use proper user for the logrotation facility (Closes: #299896) + + -- Javier Fernandez-Sanguino Pen~a Thu, 17 Mar 2005 09:24:44 +0100 + +checksecurity (2.0.7-3) unstable; urgency=low + + * Fix postinst's check for files so that the return code is always + true, have the script run with -e and add also an 'exit 0' + return status in any case. 
(Closes: #299811) + + -- Javier Fernandez-Sanguino Pen~a Thu, 17 Mar 2005 01:19:29 +0100 + +checksecurity (2.0.7-2) unstable; urgency=low + + * Adopted package (Closes: #298573) + * Have the check_diskfree plugin mail to root the results of the test, if + defined. Notice that the environment is currently cleaned up so that + it will not work yet properly. This is the patch available in #232951 + * Fixed the formatting issue in the check-setuid.8 manpage with the + patch provided by Nicolas Francois (Closes: #274428) + * Fixed the reference to checksecurity.conf in bin/checksecurity, the + message now refers to checksecurity(8) (Closes: #276950) + * Create /var/log/setuid with proper permissions (750), also, move the + files in postinst through a loop checking first if they exist + (Closes: #297691) + * Rotate /var/log/setuid.changes, /var/log/diskfree.log and + /var/log/checksecurity.log through logrotate instead of having this in + the cron task, use dh_installlogrotate to install this. + * Add Getopt::Long usage to bin/checksecurity and define a debug (-d or + --debug option) (currently undocumented) + * Introduce a 'period' argument in checksecurity (currently undocumented) + which determines what checks should it run: + - Modify global-checksecurity.conf so that diskfree and passwd checks + are run daily and setuid is run weekly + - Create a new checksecurity-weekly cron task that will run setuid + This closes two long-standing bugs since users can adjust the + configuration now to their needs. (Closes: #138484, #31902) + * Recommend: Tiger, logcheck, and integrity checkers, also + suggest some programs to check if newer packages are available, + as bug #163813 has not been closed yet. + This is an interim solution in order to warn users that + there are more (advanced) security checks available they might want + to implement in addition to checksecurity. 
+ * Added Czech po-debconf translation provided by Jan Outrata + (Closes: #291576) + + -- Javier Fernandez-Sanguino Pen~a Fri, 11 Mar 2005 08:46:43 +0100 + +checksecurity (2.0.7-1) unstable; urgency=low + + * Removed obsolete documentation and support for CHECKSECURITY_DISABLE. + This is handled in checksecurity.conf now. + * Updated version number. + * Switched to a non-Debian native package. + * Avoid searching for setuid files on filesystems of type shfs and lufs. + (Closes: #272402) + * Place all the setuid logfiles in /var/log/setuid instead of /var/log. + Move existing files into place on upgrade. + (Closes: #164665) (Closes: #59809) + * Added the German debconf translation. + (Closes: #250944) Thanks to Erik Schanze. + + -- Steve Kemp Mon, 20 Sep 2004 22:04:11 +0000 + checksecurity (2.0.6) unstable; urgency=low * Respect the NMU from Javier, much appreciated. --- checksecurity-2.0.7.orig/debian/control +++ checksecurity-2.0.7/debian/control @@ -1,15 +1,14 @@ Source: checksecurity Section: admin Priority: optional -Maintainer: Steve Kemp +Maintainer: Javier Fernandez-Sanguino Pen~a Standards-Version: 3.6.1 Build-Depends-Indep: debhelper (>= 4.1.16) Package: checksecurity Architecture: all -Depends: cron (>= 3.0pl1-74), debconf (>= 0.5), perl (>= 5.8.0) -Recommends: -Suggests: lockfile-progs +Depends: cron (>= 3.0pl1-74), debconf (>= 0.5) | debconf-2.0, perl (>= 5.8.0) +Suggests: apt-watch | cron-apt, lockfile-progs, tiger, logcheck, tripwire | integrit | aide | samhain | fcheck Conflicts: lockfile-progs (<< 0.1.7) Replaces: cron Provides: 
@@ -17,6 +16,7 @@ Checksecurity does some very basic system security checks, such as looking for changes in which programs have setuid permissions, and that remote filesystems are not allowed to have runnable setuid programs. + . Note that these are not to be considered in any way complete, and you should not rely on checksecurity to actually provide any useful information concerning the security or vulnerability of your system. --- checksecurity-2.0.7.orig/debian/postinst +++ checksecurity-2.0.7/debian/postinst @@ -1,14 +1,29 @@ -#!/bin/sh +#!/bin/sh -e # # Tell the user about the old configuration file. # . /usr/share/debconf/confmodule -if [ "$1" = "configure" -a -z "$2" -a -f /etc/checksecurity.conf.cron ] ; then +if [ "$1" = "configure" ] && [ -z "$2" ] && [ -f /etc/checksecurity.conf.cron ] ; then db_input low checksecurity/oldconf || true db_go || true fi db_stop +# +# If there is not a /var/log/setuid directory create it, and move +# any old logfiles into it. +# +if [ ! -d /var/log/setuid ]; then + mkdir -m 750 /var/log/setuid + chown root:adm /var/log/setuid || true + for file in /var/log/setuid.yesterday /var/log/setuid.today /var/log/setuid.changes \ + /var/log/setuid.changes.*; do + [ ! -e $file ] || mv $file /var/log/setuid + done +fi + + #DEBHELPER# +exit 0 --- checksecurity-2.0.7.orig/debian/rules +++ checksecurity-2.0.7/debian/rules 
@@ -31,13 +31,13 @@ dh_clean -k dh_installdirs - # Add here commands to install the files into debian/tmp - $(MAKE) install PREFIX=$(CURDIR)/debian/tmp - install -m 644 debian/overrides debian/tmp/usr/share/lintian/overrides/checksecurity + # Add here commands to install the files into debian/checksecurity + $(MAKE) install PREFIX=$(CURDIR)/debian/checksecurity + install -m 644 debian/overrides debian/checksecurity/usr/share/lintian/overrides/checksecurity dh_installdocs dh_installcron -# dh_installman man/checksecurity.8 + dh_installlogrotate dh_installchangelogs dh_installdebconf dh_compress --- checksecurity-2.0.7.orig/debian/copyright +++ checksecurity-2.0.7/debian/copyright @@ -2,6 +2,9 @@ checksecurity script: Copyright (C) 1994 Ian Jackson Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002 Steve Greenland +Copyright (C) 2003-2005 Steve Kemp +Copyright (C) 2005 Javier Fernandez-Sanguino + The `checksecurity' script and its associated files (checksecurity.8 and checksecurity.conf) are free software; you can redistribute it @@ -18,6 +21,5 @@ `/usr/share/common-licenses/GPL' in the Debian GNU/Linux distribution or on the World Wide Web at `http://www.gnu.org/copyleft/gpl.html'. You can also obtain it by -writing to the Free Software Foundation, Inc., 59 Temple Place - Suite -330, Boston, MA 02111-1307, USA. - +writing to the Free Software Foundation, Inc., +51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA --- checksecurity-2.0.7.orig/debian/po/templates.pot +++ checksecurity-2.0.7/debian/po/templates.pot @@ -16,7 +16,7 @@ msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2003-09-24 19:14+0100\n" +"POT-Creation-Date: 2006-11-23 17:13+0100\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" 
@@ -24,13 +24,15 @@ "Content-Type: text/plain; charset=CHARSET\n" "Content-Transfer-Encoding: 8bit\n" +#. Type: note #. Description -#: ../templates:3 +#: ../templates:1001 msgid "Merge old configuration" msgstr "" +#. Type: note #. Description -#: ../templates:3 +#: ../templates:1001 msgid "" "This is your initial install of the checksecurity package, and you had an " "existing checksecurity.conf file from the cron package. The old " --- checksecurity-2.0.7.orig/debian/po/fr.po +++ checksecurity-2.0.7/debian/po/fr.po @@ -14,7 +14,8 @@ msgid "" msgstr "" "Project-Id-Version: checksecurity (1.0.3)\n" -"POT-Creation-Date: 2003-09-24 19:14+0100\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2006-11-23 17:13+0100\n" "PO-Revision-Date: 2003-10-02 07:43+0100\n" "Last-Translator: Christian Perrier \n" "Language-Team: French \n" @@ -22,13 +23,15 @@ "Content-Type: text/plain; charset=iso-8859-15\n" "Content-Transfer-Encoding: 8bit\n" +#. Type: note #. Description -#: ../templates:3 +#: ../templates:1001 msgid "Merge old configuration" msgstr "Int嶲ration de l'ancienne configuration" +#. Type: note #. Description -#: ../templates:3 +#: ../templates:1001 msgid "" "This is your initial install of the checksecurity package, and you had an " "existing checksecurity.conf file from the cron package. The old " --- checksecurity-2.0.7.orig/debian/po/ja.po +++ checksecurity-2.0.7/debian/po/ja.po @@ -15,7 +15,7 @@ msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2003-09-24 19:14+0100\n" +"POT-Creation-Date: 2006-11-23 17:13+0100\n" "PO-Revision-Date: 2004-03-13 22:16+0900\n" "Last-Translator: Kenshi Muto \n" "Language-Team: Japanese \n" 
@@ -23,17 +23,24 @@ "Content-Type: text/plain; charset=EUC-JP\n" "Content-Transfer-Encoding: 8bit\n" +#. Type: note #. Description -#: ../templates:3 +#: ../templates:1001 msgid "Merge old configuration" msgstr "衙中澀爛及穴□斥" +#. Type: note #. Description -#: ../templates:3 +#: ../templates:1001 msgid "" "This is your initial install of the checksecurity package, and you had an " "existing checksecurity.conf file from the cron package. The old " "configuration file was preserved as \"/etc/checksecurity.conf.cron\". If you " "had modified your configuration, you may want to merge those changes into " "the new /etc/checksecurity.conf file from this package." -msgstr "仇木反 checksecurity 由永弗□斥及瘉賡及奶件旦玄□伙匹允互﹜cron 由永弗□斥井日及 湃繡及 checksecurity.conf 白央奶伙互丐曰引允﹝衙中澀爛白央奶伙反 \"/etc/checksecurity.conf.cron\" 午仄化酸今木化中引允﹝澀爛毛庍凳仄化中凶及匹丐木壬﹜公及庍凳毛蕙仄中由永弗□斥及 /etc/checksecurity.conf 卞穴□斥允月及互方中匹仄斤丹﹝" +msgstr "" +"仇木反 checksecurity 由永弗□斥及瘉賡及奶件旦玄□伙匹允互﹜cron 由永弗□斥井" +"日及 湃繡及 checksecurity.conf 白央奶伙互丐曰引允﹝衙中澀爛白央奶伙反 \"/etc/" +"checksecurity.conf.cron\" 午仄化酸今木化中引允﹝澀爛毛庍凳仄化中凶及匹丐木" +"壬﹜公及庍凳毛蕙仄中由永弗□斥及 /etc/checksecurity.conf 卞穴□斥允月及互方中" +"匹仄斤丹﹝" --- checksecurity-2.0.7.orig/debian/po/pt_BR.po +++ checksecurity-2.0.7/debian/po/pt_BR.po 
@@ -11,26 +11,28 @@ # # Developers do not need to manually edit POT or PO files. # -#, fuzzy msgid "" msgstr "" "Project-Id-Version: checksecurity_2.0.3\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2003-09-24 19:14+0100\n" -"PO-Revision-Date: 2003-11-02 17:14-0300\n" -"Last-Translator: Andr矇 Lu穩s Lopes \n" -"Language-Team: Debian-BR Project \n" +"POT-Creation-Date: 2006-11-23 17:13+0100\n" +"PO-Revision-Date: 2006-11-26 16:58-0200\n" +"Last-Translator: Felipe Augusto van de Wiel (faw) \n" +"Language-Team: l10n portuguese \n" "MIME-Version: 1.0\n" -"Content-Type: text/plain; charset=ISO-8859-1\n" +"Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" +"pt_BR utf-8\n" +#. Type: note #. Description -#: ../templates:3 +#: ../templates:1001 msgid "Merge old configuration" -msgstr "Obsorver configura癟瓊o antiga" +msgstr "Unir com a configura癟瓊o antiga" +#. Type: note #. Description -#: ../templates:3 +#: ../templates:1001 msgid "" "This is your initial install of the checksecurity package, and you had an " "existing checksecurity.conf file from the cron package. The old " 
@@ -38,9 +40,8 @@ "had modified your configuration, you may want to merge those changes into " "the new /etc/checksecurity.conf file from this package." msgstr "" -"Esta 矇 sua instala癟瓊o inicial do pacote checksecurity e voc礙 possu穩a " -"um arquivo checksecurity.conf existente fornecido pelo pacote cron. O " -"antigo arquivo de configura癟瓊o foi preservado com o nome de " -"\"/etc/checksecurity.conf.cron\". Caso voc礙 tenha modificado sua " -"configura癟瓊o, voc礙 pode querer mesclar suas mudan癟as no arquivo " -"/etc/checksecurity.conf deste pacote." +"Esta 矇 sua instala癟瓊o inicial do pacote checksecurity e voc礙 possu穩a um " +"arquivo checksecurity.conf fornecido pelo pacote cron. O antigo arquivo de " +"configura癟瓊o foi preservado com o nome de \"/etc/checksecurity.conf.cron\". " +"Caso voc礙 tenha modificado sua configura癟瓊o, voc礙 pode querer unir suas " +"mudan癟as no novo arquivo /etc/checksecurity.conf deste pacote." --- checksecurity-2.0.7.orig/debian/po/es.po +++ checksecurity-2.0.7/debian/po/es.po @@ -28,7 +28,8 @@ msgid "" msgstr "" "Project-Id-Version: checksecurity 2.0.5\n" -"POT-Creation-Date: 2003-09-24 19:14+0100\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2006-11-23 17:13+0100\n" "PO-Revision-Date: 2004-01-20 20:54+0100\n" "Last-Translator: Javier Fernandez-Sanguino Pe鎙 \n" "Language-Team: Debian Spanish \n" @@ -36,13 +37,15 @@ "Content-Type: text/plain; charset=ISO-8859-15\n" "Content-Transfer-Encoding: 8bit\n" +#. Type: note #. Description -#: ../templates:3 +#: ../templates:1001 msgid "Merge old configuration" msgstr "Fusionar la configuraci鏮 antigua" +#. Type: note #. Description -#: ../templates:3 +#: ../templates:1001 msgid "" "This is your initial install of the checksecurity package, and you had an " "existing checksecurity.conf file from the cron package. The old " 
@@ -52,6 +55,6 @@ msgstr "" "Esta es la primera vez que instala el paquete checksecurity, sin embargo, " "tiene el fichero checksecurity.conf del paquete cron. Esta configuraci鏮 " -"antigua ha sido preservada movi幯dola al fichero /etc/checksecurity.conf.cron. Quiz嫳 " -"desee fusionar los cambios en el nuevo /etc/checksecurity.conf que provee " -"este paquete." +"antigua ha sido preservada movi幯dola al fichero /etc/checksecurity.conf." +"cron. Quiz嫳 desee fusionar los cambios en el nuevo /etc/checksecurity." +"conf que provee este paquete." --- checksecurity-2.0.7.orig/debian/po/da.po +++ checksecurity-2.0.7/debian/po/da.po @@ -5,7 +5,7 @@ msgstr "" "Project-Id-Version: checksecurity_2.0.5_templates\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2003-09-24 19:14+0100\n" +"POT-Creation-Date: 2006-11-23 17:13+0100\n" "PO-Revision-Date: 2004-02-19 16:37+0100\n" "Last-Translator: Claus Hindsgaul \n" "Language-Team: Danish \n" @@ -15,13 +15,15 @@ "X-Generator: KBabel 1.3\n" "Plural-Forms: nplurals=2; plural=(n != 1);\n" +#. Type: note #. Description -#: ../templates:3 +#: ../templates:1001 msgid "Merge old configuration" msgstr "Flet gammel ops犚ning" +#. Type: note #. Description -#: ../templates:3 +#: ../templates:1001 msgid "" "This is your initial install of the checksecurity package, and you had an " "existing checksecurity.conf file from the cron package. The old " 
@@ -29,9 +31,8 @@ "had modified your configuration, you may want to merge those changes into " "the new /etc/checksecurity.conf file from this package." msgstr "" -"Dette er din f鷨ste installation af pakken checksecurity, og du har en eksisterende " -"ops犚ningsfil checksecurity.conf fra cron-pakken. Den gamle ops犚ningsfil " -"er gemt som \"/etc/checksecurity.conf.cron\". Hvis du havde rettet i din ops犚ning, " -"kan du flette 熡dringerne ind i den nye /etc/checksecurity.conf-fil fra denne " -"pakke." - +"Dette er din f鷨ste installation af pakken checksecurity, og du har en " +"eksisterende ops犚ningsfil checksecurity.conf fra cron-pakken. Den gamle " +"ops犚ningsfil er gemt som \"/etc/checksecurity.conf.cron\". Hvis du havde " +"rettet i din ops犚ning, kan du flette 熡dringerne ind i den nye /etc/" +"checksecurity.conf-fil fra denne pakke." --- checksecurity-2.0.7.orig/debian/po/nl.po +++ checksecurity-2.0.7/debian/po/nl.po @@ -14,7 +14,8 @@ msgid "" msgstr "" "Project-Id-Version: checksecurity 2.0.5.1\n" -"POT-Creation-Date: 2003-09-24 19:14+0100\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2006-11-23 17:13+0100\n" "PO-Revision-Date: 2004-03-22 17:14+0100\n" "Last-Translator: Luk Claes \n" "Language-Team: Debian l10n Dutch \n" 
@@ -22,13 +23,24 @@ "Content-Type: text/plain; charset=iso-8859-1\n" "Content-Transfer-Encoding: 8bit\n" +#. Type: note #. Description -#: ../templates:3 +#: ../templates:1001 msgid "Merge old configuration" msgstr "Oude configuratie samenvoegen?" +#. Type: note #. Description -#: ../templates:3 -msgid "This is your initial install of the checksecurity package, and you had an existing checksecurity.conf file from the cron package. The old configuration file was preserved as \"/etc/checksecurity.conf.cron\". If you had modified your configuration, you may want to merge those changes into the new /etc/checksecurity.conf file from this package." -msgstr "Dit is uw eerste installatie van het checksecurity-pakket, en u heeft een bestaand checksecurity.conf-bestand van het cron-pakket. Het oude configuratiebestand is bewaard als \"/etc/checksecurity.conf.cron\". Als u uw configuratie had aangepast, kunt u deze wijzigingen samenvoegen met het nieuwe /etc/checksecurity.conf-bestand van dit pakket." - +#: ../templates:1001 +msgid "" +"This is your initial install of the checksecurity package, and you had an " +"existing checksecurity.conf file from the cron package. The old " +"configuration file was preserved as \"/etc/checksecurity.conf.cron\". If you " +"had modified your configuration, you may want to merge those changes into " +"the new /etc/checksecurity.conf file from this package." +msgstr "" +"Dit is uw eerste installatie van het checksecurity-pakket, en u heeft een " +"bestaand checksecurity.conf-bestand van het cron-pakket. Het oude " +"configuratiebestand is bewaard als \"/etc/checksecurity.conf.cron\". Als u " +"uw configuratie had aangepast, kunt u deze wijzigingen samenvoegen met het " +"nieuwe /etc/checksecurity.conf-bestand van dit pakket." --- checksecurity-2.0.7.orig/debian/po/cs.po +++ checksecurity-2.0.7/debian/po/cs.po 
@@ -0,0 +1,46 @@ +# +# Translators, if you are not familiar with the PO format, gettext +# documentation is worth reading, especially sections dedicated to +# this format, e.g. by running: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# +# Some information specific to po-debconf are available at +# /usr/share/doc/po-debconf/README-trans +# or http://www.debian.org/intl/l10n/po-debconf/README-trans +# +# Developers do not need to manually edit POT or PO files. +# +msgid "" +msgstr "" +"Project-Id-Version: checksecurity\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2006-11-23 17:13+0100\n" +"PO-Revision-Date: 2005-01-21 14:16+0100\n" +"Last-Translator: Jan Outrata \n" +"Language-Team: Czech \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=ISO-8859-2\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: note +#. Description +#: ../templates:1001 +msgid "Merge old configuration" +msgstr "Slou鋀n star konfigurace" + +#. Type: note +#. Description +#: ../templates:1001 +msgid "" +"This is your initial install of the checksecurity package, and you had an " +"existing checksecurity.conf file from the cron package. The old " +"configuration file was preserved as \"/etc/checksecurity.conf.cron\". If you " +"had modified your configuration, you may want to merge those changes into " +"the new /etc/checksecurity.conf file from this package." +msgstr "" +"Toto je va鈹 prvotn instalace bal膻ku checksecurity a m骴i jste soubor " +"checksecurity.conf z bal膻ku cron. Tento star konfigura鋝 soubor byl " +"zachov嫕 jako \"/etc/checksecurity.conf.cron\". Pokud jste zm髶ili n骿ter " +"nastaven, m躨ete cht癃 prov廥t tyto zm髶y do nov嶭o souboru /etc/" +"checksecurity.conf z toho bal膻ku." --- checksecurity-2.0.7.orig/debian/po/de.po +++ checksecurity-2.0.7/debian/po/de.po 
@@ -0,0 +1,47 @@ +# +# Translators, if you are not familiar with the PO format, gettext +# documentation is worth reading, especially sections dedicated to +# this format, e.g. by running: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# Some information specific to po-debconf are available at +# /usr/share/doc/po-debconf/README-trans +# or http://www.debian.org/intl/l10n/po-debconf/README-trans# +# Developers do not need to manually edit POT or PO files. +# Erik Schanze , 2004. +# +msgid "" +msgstr "" +"Project-Id-Version: checksecurity_2.0.5.2_templates\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2006-11-23 17:13+0100\n" +"PO-Revision-Date: 2004-05-25 19:58+0200\n" +"Last-Translator: Erik Schanze \n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: KBabel 1.3.1\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Type: note +#. Description +#: ../templates:1001 +msgid "Merge old configuration" +msgstr "Alte Einstellungen einbinden" + +#. Type: note +#. Description +#: ../templates:1001 +msgid "" +"This is your initial install of the checksecurity package, and you had an " +"existing checksecurity.conf file from the cron package. The old " +"configuration file was preserved as \"/etc/checksecurity.conf.cron\". If you " +"had modified your configuration, you may want to merge those changes into " +"the new /etc/checksecurity.conf file from this package." +msgstr "" +"Dies ist Ihre erste Installation des Paketes checksecurity und Sie haben " +"schon eine Datei checksecurity.conf aus dem Paket cron. Die alte " +"Konfigurationsdatei wurde als\"/etc/checksecurity.conf.cron\" erhalten. Wenn " +"Sie Ihre Einstellungen ge瓣ndert hatten, sollten Sie die nderungen in die " +"neue Datei /etc/checksecurity.conf dieses Paketes einbinden." --- checksecurity-2.0.7.orig/debian/po/sv.po +++ checksecurity-2.0.7/debian/po/sv.po 
@@ -0,0 +1,45 @@ +# Translators, if you are not familiar with the PO format, gettext +# documentation is worth reading, especially sections dedicated to +# this format, e.g. by running: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# Some information specific to po-debconf are available at +# /usr/share/doc/po-debconf/README-trans +# or http://www.debian.org/intl/l10n/po-debconf/README-trans +# Developers do not need to manually edit POT or PO files. +# , fuzzy +# +# +msgid "" +msgstr "" +"Project-Id-Version: checksecurity 2.0.7-10\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2006-11-23 17:13+0100\n" +"PO-Revision-Date: 2005-10-03 23:32+0200\n" +"Last-Translator: Daniel Nylander \n" +"Language-Team: Swedish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=iso-8859-1\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: note +#. Description +#: ../templates:1001 +msgid "Merge old configuration" +msgstr "Flytta 饘er gammal konfiguration" + +#. Type: note +#. Description +#: ../templates:1001 +msgid "" +"This is your initial install of the checksecurity package, and you had an " +"existing checksecurity.conf file from the cron package. The old " +"configuration file was preserved as \"/etc/checksecurity.conf.cron\". If you " +"had modified your configuration, you may want to merge those changes into " +"the new /etc/checksecurity.conf file from this package." +msgstr "" +"Detta 酺 din f顤sta installation av paketet checksecurity och du har redan " +"en checksecurity.conf fil fr幩 cron-paketet. Den gamla konfigurationsfilen " +"blev arkiverad som \"/etc/checksecurity.conf.cron\". Om du har modifierat " +"din konfiguration kanske du vill flytta 饘er de 鄚dringarna till den nya /" +"etc/checksecurity.conf fr幩 detta paketet." --- checksecurity-2.0.7.orig/debian/po/vi.po +++ checksecurity-2.0.7/debian/po/vi.po 
@@ -0,0 +1,35 @@ +# Vietnamese Translation for checksecurity. +# Copyright 穢 2005 Free Software Foundation, Inc. +# Clytie Siddall , 2005. +# +msgid "" +"" +msgstr "Project-Id-Version: checksecurity 2.0.7-6\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2006-11-23 17:13+0100\n" +"PO-Revision-Date: 2006-11-24 18:52+1030\n" +"Last-Translator: Clytie Siddall \n" +"Language-Team: Vietnamese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=utf-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=1; plural=0\n" +"X-Generator: Mac PO Editor 1.0a9" + +#.Type: note +#.Description +#: ../templates:1001 +msgid "Merge old configuration" +msgstr "Tr廙n c廕只 h穫nh c觼" + +#.Type: note +#.Description +#: ../templates:1001 +msgid "" +"This is your initial install of the checksecurity package, and you had an " +"existing checksecurity.conf file from the cron package. The old " +"configuration file was preserved as \"/etc/checksecurity.conf.cron\". If you " +"had modified your configuration, you may want to merge those changes into " +"the new /etc/checksecurity.conf file from this package." +msgstr "璽y l l廕吵 廕吟 ti礙n ci 廕暗 g籀i checksecurity (ki廙m tra b廕υ m廕負), c簷n b廕》 瓊 c籀 " +"m廙t t廕計 tin c廕只 h穫nh 竄 checksecurity.conf 罈 c觼 t廙 g籀i 竄 cron 罈. T廕計 tin c廕只 h穫nh c觼 ny 瓊 が廙θ gi廙 l廕【 d廕》g 竄 /etc/checksecurity.conf.cron 罈. N廕簑 b廕》 瓊 s廙苔 廙i c廕只 h穫nh chがa th穫 c籀 th廙 mu廙n tr廙n c獺c thay 廙i 籀 v廙i t廕計 tin 竄 /etc/checksecurity.conf 罈 m廙i c廙吧 g籀i ny." --- checksecurity-2.0.7.orig/debian/po/ru.po +++ checksecurity-2.0.7/debian/po/ru.po 
@@ -0,0 +1,51 @@ +# translation of checksecurity_debconf_ru.po to Russian +# +# Translators, if you are not familiar with the PO format, gettext +# documentation is worth reading, especially sections dedicated to +# this format, e.g. by running: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# Some information specific to po-debconf are available at +# /usr/share/doc/po-debconf/README-trans +# or http://www.debian.org/intl/l10n/po-debconf/README-trans# +# Developers do not need to manually edit POT or PO files. +# +# Yuri Kozlov , 2006. +msgid "" +msgstr "" +"Project-Id-Version: 2.0.7-10\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2006-11-23 17:13+0100\n" +"PO-Revision-Date: 2006-11-27 10:15+0300\n" +"Last-Translator: Yuri Kozlov \n" +"Language-Team: Russian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: KBabel 1.11.2\n" +"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" + +#. Type: note +#. Description +#: ../templates:1001 +msgid "Merge old configuration" +msgstr "郋訇訄赲郅迮郇邽迮 訄郋邿 郕郋郇邽迣訄邽邽" + +#. Type: note +#. Description +#: ../templates:1001 +msgid "" +"This is your initial install of the checksecurity package, and you had an " +"existing checksecurity.conf file from the cron package. The old " +"configuration file was preserved as \"/etc/checksecurity.conf.cron\". If you " +"had modified your configuration, you may want to merge those changes into " +"the new /etc/checksecurity.conf file from this package." +msgstr "" +"郈郋郅郇迮郇訄 郋郅郕郋 郇訄訄郅郇訄 訄郇郋赲郕訄 郈訄郕迮訄 checksecurity; 赲 赲訄迮邿 " +"邽迮邾迮 迠迮 訇郅 訄邿郅 checksecurity.conf 邽郱 郈訄郕迮訄 cron. 苤訄邿 " +"郕郋郇邽迣訄邽郋郇郇邿 訄邿郅 訇迡迮 郋訄郇郇 郈郋迡 " +"邽邾迮郇迮邾 \"/etc/checksecurity.conf.cron\". 郅邽 赲 迡迮郅訄郅邽 赲 郇邾 邽郱邾迮郇迮郇邽 " +"訄邾郋郋迮郅郇郋, 赲訄邾 邾郋迠迮 郈郋迮訇郋赲訄 " +"郈迮迮郇迮邽 邽 邽郱邾迮郇迮郇邽 赲 郇郋赲邿 訄邿郅 /etc/checksecurity.conf " +"郋迣郋 郈訄郕迮訄." 
+ --- checksecurity-2.0.7.orig/debian/po/dz.po +++ checksecurity-2.0.7/debian/po/dz.po 
@@ -0,0 +1,41 @@ +# +# Translators, if you are not familiar with the PO format, gettext +# documentation is worth reading, especially sections dedicated to +# this format, e.g. by running: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# +# Some information specific to po-debconf are available at +# /usr/share/doc/po-debconf/README-trans +# or http://www.debian.org/intl/l10n/po-debconf/README-trans +# +# Developers do not need to manually edit POT or PO files. +# +msgid "" +msgstr "" +"Project-Id-Version: checksecurity\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2006-11-23 17:13+0100\n" +"PO-Revision-Date: 2006-11-27 00:38+0530\n" +"Last-Translator: yangka \n" +"Language-Team: dzongkha \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=utf-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=2;plural=(n!=1);\n" +"X-Poedit-Language: Dzongkha\n" +"X-Poedit-Country: BHUTAN\n" +"X-Poedit-SourceCharset: utf-8\n" + +#. Type: note +#. Description +#: ../templates:1001 +msgid "Merge old configuration" +msgstr "鉠R蔡鉠鉏鉠舟鉧耜蔡鉠鉏鉠R鉠耜鉠鉏鉠鉠鉠鉏鉠鉠舟鴃鉠潼鉠舟鉠鉠鉠鉏鉠鉠耜" + +#. Type: note +#. Description +#: ../templates:1001 +msgid "This is your initial install of the checksecurity package, and you had an existing checksecurity.conf file from the cron package. The old configuration file was preserved as \"/etc/checksecurity.conf.cron\". If you had modified your configuration, you may want to merge those changes into the new /etc/checksecurity.conf file from this package." 
+msgstr "鉠鉏鉠鉠耜鉠鉠鉠耜鉠鉧晤蝦鉠鉏鉠鉧晤蔡鉏鉠鉠耜鉏鉠鉠鉧晤鉏鉠舟噙鉠毯鉏鉠舟鉧晤蝦鉠鉏鉠鉠毯鉏鉠舟鉧耜蔡鉠鉏鉠鉧晤蔡鉏鉠鉠鉠潼鉠鉠潼鉏鉠鉠鉠耜鉠鉠鉠毯鉠舟鉠兒蔡鉠鉠鉏鉠鉠鉏鉏鉠鉧晤蝦鉠鉏鉠鉠毯鉠鉠潼耦鉠晤蝦鉠鉏鉠鉠毯鉏鉠舟鉧耜蔡鉠鉏鉠鉠鉠耜鉠鉠舟鉠鉠耜鉏鉠鉠鉧晤鉏鉠R蔡鉠鉏鉠舟鉧耜蔡鉠鉏鉠﹤蔡鉠鉏鉠舟麾鉠潼鉏鉠﹤蝦鉠鉏鉠鉠鉠耜鉏鉠鉏鉠﹤蝦鉠鉏 鉠R蔡鉠鉏鉠舟鉧耜蔡鉠鉏鉠﹤蔡鉠鉏鉠舟麾鉠潼鉏鉠R鉠耜鉠鉏鉠鉠箋\"/etc/checksecurity.conf.cron\"鉠舟齒鉠箋鉠鉠鉠舟鉠舟噙鉠毯鉏鉠鉠鉠鉏鉠﹤蝦鉠鉠鉏鉠兒蔡鉠鉏 鉠鉧晤蝦鉠鉏鉠R鉠耜鉠R蔡鉠鉏鉠舟鉧耜蔡鉠鉏鉠鉠箋鉠舟鉠鉠鉠潼膠鉏鉠鉠鉠鉏鉠﹤蝦鉠鉏鉠鉏鉠鉠耜鉏鉠鉧晤蝦鉠鉏鉠R鉏鉠鉠毯鉏鉠舟鉧耜蔡鉠鉏鉠鉠鉠耜鉠鉠舟 鉠鉠舟耦鉠鉏/鉠鉏鉠舟蝦鉠鉠舟鉠鉏/鉠鉠耜鉏鉠鉠鉧晤鉏鉠R蔡鉠鉏鉠舟鉧耜蔡鉠鉏鉠﹤蔡鉠鉏鉠舟麾鉠潼鉏鉠鉠鉏鉠鉠舟鉧晤蓬鉠R鉠鉠鉠潼膠鉏鉠鉠毯鉠鉠鉠鉏鉠鉠舟鴃鉠潼鉠舟鉠鉠鉠鉏鉠鉠鉠毯鉏鉠兒蔡鉠鉏" + --- checksecurity-2.0.7.orig/debian/po/eu.po +++ checksecurity-2.0.7/debian/po/eu.po 
@@ -0,0 +1,46 @@ +# translation of checksecurity.po to librezale +# Piarres Beobide , 2006. +# Translators, if you are not familiar with the PO format, gettext +# documentation is worth reading, especially sections dedicated to +# this format, e.g. by running: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# Some information specific to po-debconf are available at +# /usr/share/doc/po-debconf/README-trans +# or http://www.debian.org/intl/l10n/po-debconf/README-trans +# Developers do not need to manually edit POT or PO files. +msgid "" +msgstr "" +"Project-Id-Version: checksecurity\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2006-11-23 17:13+0100\n" +"PO-Revision-Date: 2006-11-28 21:54+0100\n" +"Last-Translator: Piarres Beobide \n" +"Language-Team: librezale \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=2; plural=(n != 1)\n" +"X-Generator: KBabel 1.11.4\n" + +# Type: note +# Description +#. Type: note +#. Description +#: ../templates:1001 +msgid "Merge old configuration" +msgstr "Konfigurazio zaharra bateratu" + +# Type: note +# Description +#. Type: note +#. Description +#: ../templates:1001 +msgid "" +"This is your initial install of the checksecurity package, and you had an " +"existing checksecurity.conf file from the cron package. The old " +"configuration file was preserved as \"/etc/checksecurity.conf.cron\". If you " +"had modified your configuration, you may want to merge those changes into " +"the new /etc/checksecurity.conf file from this package." +msgstr "Hau checksecurity paketearen lehen instalazioa da eta dagoeneko cron paketeko checksecurity.conf fitxategia duzu. Konfigurazio zaharra \"/etc/checksecurity.conf.cron\" bezala gordeko da. Konfigurazioa aldatu egin bazenu aldaketa hauek pakete honetarako /etc/checksecurity.conf fitxategi berrian bateratu nahi izan ditzakezu." 
+ --- checksecurity-2.0.7.orig/debian/files +++ checksecurity-2.0.7/debian/files @@ -1 +1 @@ -checksecurity_2.0.6_all.deb admin optional +checksecurity_2.0.7-10_all.deb admin optional --- checksecurity-2.0.7.orig/debian/compat +++ checksecurity-2.0.7/debian/compat @@ -0,0 +1 @@ +4 --- checksecurity-2.0.7.orig/debian/checksecurity.cron.weekly +++ checksecurity-2.0.7/debian/checksecurity.cron.weekly @@ -0,0 +1,49 @@ +#!/bin/sh +# /etc/cron.weekly/checksecurity: Run the checksecurity script +# Steve Greenland + +LOCKFILE=/var/lock/checksecurity.weekly + +# The logfile we write our changes into. +LOGFILE=/var/log/checksecurity.log +umask 022 + +# +# Exit silently if the checksecurity package is not installed. (We may be +# here just because we're conffile left over from a previous installation). +# +[ -e /usr/sbin/checksecurity ] || exit 0 +# + +# +# Avoid running more than one at a time -- could happen if the +# checksecurity script lands on a network drive. +# + +if [ -x /usr/bin/lockfile-create ] ; then + lockfile-create $LOCKFILE + if [ $? -ne 0 ] ; then + cat <>"$LOGFILE" + +# +# Clean up lockfile +# +if [ -x /usr/bin/lockfile-create ] ; then + kill $LOCKTOUCHPID + lockfile-remove $LOCKFILE +fi --- checksecurity-2.0.7.orig/debian/postrm.debhelper +++ checksecurity-2.0.7/debian/postrm.debhelper @@ -0,0 +1,6 @@ +# Automatically added by dh_installdebconf +if [ "$1" = purge ] && [ -e /usr/share/debconf/confmodule ]; then + . /usr/share/debconf/confmodule + db_purge +fi +# End automatically added section --- checksecurity-2.0.7.orig/debian/substvars +++ checksecurity-2.0.7/debian/substvars @@ -0,0 +1 @@ +misc:Depends=debconf (>= 0.5) | debconf-2.0 --- checksecurity-2.0.7.orig/debian/postrm +++ checksecurity-2.0.7/debian/postrm 
@@ -0,0 +1,39 @@ +#! /bin/sh +# postrm script for checksecurity +# +# see: dh_installdeb(1) + +set -e + +case "$1" in + purge) +# Clean up all log files on purge + LOGDIR=/var/log + for dir in $LOGDIR/setuid/ + do + [ -d "$dir" ] && { + find $dir -type f -exec rm -f {} \; + rmdir $dir + } + done + for file in setuid.today setuid.yesterday setuid.changes \ + checksecurity.log + do + logfile=$LOGDIR/$file + [ -f "$logfile" ] && rm -f $logfile + done + + ;; + remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) +# Do nothing + ;; + + *) + echo "postrm called with unknown argument \`$1'" >&2 + exit 0 +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# --- checksecurity-2.0.7.orig/debian/checksecurity.logrotate +++ checksecurity-2.0.7/debian/checksecurity.logrotate @@ -0,0 +1,8 @@ +/var/log/checksecurity.log /var/log/diskfree.log /var/log/setuid/setuid.changes { + weekly + rotate 10 + compress + missingok + create 0640 root adm +} + --- checksecurity-2.0.7.orig/plugins/check-passwd +++ checksecurity-2.0.7/plugins/check-passwd 
@@ -1,17 +1,36 @@ #!/bin/sh # -# This script is designed to check for common weaknesses in passwords +# Check-passwd checksecurity plugin +# +# This script is designed to check for common weaknesses in passwords # -# It is part of the 'checksecurity' package, and tests may be configured +# It is part of the 'checksecurity' package, and tests may be configured # by the global file '/etc/checksecurity.conf' and the file # '/etc/checksecurity/check-password.conf'. # +# Copyright (C) 2003-2005 Steve Kemp +# +# Licensed under the GNU General Public License +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. # -# Steve -# -- -# http://www.steve.org.uk/ +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +if [ `/usr/bin/id -u` != 0 ] ; then + echo "Only root has permission to run this script" + exit 1 +fi # # Test for duplicate root login accounts. --- checksecurity-2.0.7.orig/plugins/check-diskfree +++ checksecurity-2.0.7/plugins/check-diskfree 
@@ -1,15 +1,61 @@ #! /bin/sh +# +# Check-diskfree checksecurity plugin # +# This script is designed to analyse the usage of the different +# disks in the system. +# +# It is part of the 'checksecurity' package, and tests may be configured +# by the global file '/etc/checksecurity.conf' and the file +# '/etc/checksecurity/check-diskfree.conf'. +# +# Copyright (C) 2003-2005 Steve Kemp +# +# Licensed under the GNU General Public License +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. # Sane default, just in case [ -z "$CHECK_DISK_PERCENT" ] && CHECK_DISK_PERCENT=90 +[ -z "$LOGDIR" ] && LOGDIR=/var/log +# [ -z "$MAILTO" ] && MAILTO=root + +# Temporary file +[ ! -d /var/run/checksecurity ] && { umask 022; mkdir -p /var/run/checksecurity; } +TMPDF=/var/run/checksecurity/diskfree.log.tmp +>$TMPDF + df -klP | grep ^/ | sed -e 's/.*[[:space:]]\([[:digit:]]\+\)%/\1/' | while read PERC LOCATION; do - if [ $PERC -gt $CHECK_DISK_PERCENT ]; then - echo "Warning on $CHECK_DISK_PERCENT" - echo "${PERC}% ALERT - $LOCATION" + if [ "$PERC" -gt "$CHECK_DISK_PERCENT" ]; then + echo "Usage warning on $CHECK_DISK_PERCENT" >>$TMPDF + echo "${PERC}% ALERT - $LOCATION" >>$TMPDF fi -done +done + +# The default behaviour is to output to stdout +cat $TMPDF + +if [ -s "$TMPDF" ] && [ ! 
-z "$CHECKSECURITY_EMAIL" ]; then + /usr/bin/mail -s "Diskfree alert for `hostname -f` on `date '+%D %T'`" $MAILTO < $TMPDF +fi + + +mv $TMPDF $LOGDIR/diskfree.log + +exit 0 --- checksecurity-2.0.7.orig/plugins/check-setuid +++ checksecurity-2.0.7/plugins/check-setuid @@ -1,5 +1,30 @@ #!/bin/sh -# Security checks script - run daily out of the system crontab +# +# Check-setuid checksecurity plugin +# +# This script is designed to find the setuid files present on the system +# +# It is part of the 'checksecurity' package, and tests may be configured +# by the global file '/etc/checksecurity.conf' and the file +# '/etc/checksecurity/check-setuid.conf'. +# +# Copyright (C) 2003-2005 Steve Kemp +# +# Licensed under the GNU General Public License +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. set -e @@ -16,19 +41,15 @@ if [ `/usr/bin/id -u` != 0 ] ; then echo "Only root has permission to run this script" - exit -fi - -if [ "$CHECKSECURITY_DISABLE" = "TRUE" ] ; then - exit + exit 1 fi if [ -z "$CHECKSECURITY_GREPOUT" ]; then CHECKSECURITY_GREPOUT="$^" fi -TMPSETUID=${LOGDIR:=/var/log}/setuid.new.tmp -TMPDIFF=${LOGDIR:=/var/log}/setuid.diff.tmp +TMPSETUID=${LOGDIR:=/var/log/setuid}/setuid.new.tmp +TMPDIFF=${LOGDIR:=/var/log/setuid}/setuid.diff.tmp # # Check for NFS/AFS mounts that are not nosuid/nodev 
@@ -58,7 +79,7 @@ fi # Guard against undefined vars -[ -z "$LOGDIR" ] && LOGDIR=/var/log +[ -z "$LOGDIR" ] && LOGDIR=/var/log/setuid if [ -n "$CHECKSECURITY_PATHFILTER" ]; then PATHCHK="( $CHECKSECURITY_PATHFILTER ) -prune -o" else @@ -108,3 +129,5 @@ fi rm -f $TMPDIFF rm -f $TMPSETUID + +exit 0 --- checksecurity-2.0.7.orig/etc/check-setuid.conf +++ checksecurity-2.0.7/etc/check-setuid.conf @@ -6,7 +6,6 @@ # # CHECKSECURITY_FILTER # CHECKSECURITY_NOFINDERRORS -# CHECKSECURITY_DISABLE # CHECKSECURITY_NONFSAFS # CHECKSECURITY_EMAIL # CHECKSECURITY_DEVICEFILTER @@ -53,13 +52,15 @@ # Uncomment the next line to get the old behaviour. #CS_NFSAFS='(nfs|afs) \(.*(nosuid|noexec).*nodev.*\)' # -CS_TYPES='( type (auto|proc|sysfs|bind|msdos|fat|vfat|iso9660|usbdevfs|ncpfs|smbfs|cifs|ntfs|devpts|binfmt_misc|none))|'$CS_NFSAFS +CS_TYPES='( type (auto|proc|sysfs|bind|msdos|fat|vfat|iso9660|usbdevfs|ncpfs|smbfs|cifs|ntfs|devpts|binfmt_misc|shfs|lufs|none))|'$CS_NFSAFS # CS_OPTS='\(.*(nosuid|noexec).*\)' # CS_DEVS='^/dev/fd' # -CS_DIRS='on /mnt' +# Do not traverse /mnt (external mounts) or /vicep (AFS fileserver mounts) +# +CS_DIRS='on (/mnt|/vicep)' # CHECKSECURITY_FILTER="$CS_TYPES|$CS_OPTS|$CS_DEVS|$CS_DIRS" # @@ -81,12 +82,6 @@ CHECKSECURITY_NOFINDERRORS="FALSE" #### # -# The CHECKSECURITY_DISABLE, if set to "TRUE" (case sensitive), -# disables the running of checksecurity. -# -CHECKSECURITY_DISABLE="FALSE" -#### -# # The CHECKSECURITY_NONFSAFS, if set to "TRUE" (case sensitive), # disables the message about insecurely mounted nfs/afs disks. # --- checksecurity-2.0.7.orig/etc/global-checksecurity.conf +++ checksecurity-2.0.7/etc/global-checksecurity.conf 
@@ -28,7 +28,11 @@ ## The next group of settings control which checks are enabled. ## +# Which checks to run daily? +CHECK_DAILY="DISKFREE PASSWD" +# Which checks to run weekly? +CHECK_WEEKLY="SETUID" # # Check for mounts which have very little disk space free. --- checksecurity-2.0.7.orig/bin/checksecurity +++ checksecurity-2.0.7/bin/checksecurity 
@@ -1,22 +1,57 @@ -#!/usr/bin/perl +#!/usr/bin/perl # -# Run the plugins which have been setup. -# -# Steve -# -- -# http://www.steve.org.uk +# Debian's checksecurity. +# Runs a set of plugins which check the security of an installed +# system. +# +# (c) 2003-2005 Steve Kemp , http://www.steve.org.uk +# (c) 2005 Javier Fernandez-Sanguino +# Licensed under the GNU General Public License +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. # use strict; use Env; +use Getopt::Long; +my $opt_debug = 0; +GetOptions( + 'debug!' => \$opt_debug, +); + +# Are we root? +if ( $> != 0 ) { + print STDERR "Sorry, only root can run checksecurity"; + exit 1; +} # # The fixed settings we work with. # my $CONFIG = "/etc/checksecurity.conf"; my $PLUGIN_DIR = "/usr/share/checksecurity"; -my $VERSION = "2.0.0"; +my $VERSION = "2.0.7"; +# Argument determine which checks will be run +my $period = "all"; +$period = $ARGV[0] if defined $ARGV[0]; +# Accepted periods +if ( $period !~ /^(all|daily|weekly)$/ ) { + print STDERR "Unknown period requested ($period) reverting to 'all'\n"; + $period = "all"; +} # Copy of the environmental variables. 
@@ -43,7 +78,7 @@ The global configuration file that checksecurity wishes to read in order to know which plugins are enabled is missing. - Please see man 'checksecurity.conf' for details of the contents + Please see man checksecurity(8) for details of the contents this file should have. Aborting. @@ -68,6 +103,10 @@ } $name = uc( $name ); + print "Checking plugin $name\n" if $opt_debug; + + # Are we configured to run it in this period? + next if ( $period ne "all" && $GLOBAL_ENV{ "CHECK_".uc($period) } !~ /$name/ ); # See if the plugin is enabled. if ( $GLOBAL_ENV{ "CHECK_$name" } eq "TRUE" ) @@ -96,12 +135,13 @@ } # Execute the file. + print "Executing plugin $name ($file)\n" if $opt_debug; system( $file ); } else { - print "\tDisabled\n"; - #print "Value was " . $GLOBAL_ENV{ "CHECK_$name" } . "\n"; + print "Plugin $name Disabled\n" if $opt_debug; + print "Value was ".$GLOBAL_ENV{ "CHECK_$name" } . "\n" if $opt_debug; } } --- checksecurity-2.0.7.orig/README.Debian +++ checksecurity-2.0.7/README.Debian @@ -5,7 +5,7 @@ checksecurity is a simple package which will scan your system for several simple security holes. - It uses a simple collection of plugins, which are mere shell + It uses a simple collection of plugins, all of which are shell scripts which are configured by enviromental variables. This release is the first release featuring this modularisation --- checksecurity-2.0.7.orig/man/check-setuid.8 +++ checksecurity-2.0.7/man/check-setuid.8 @@ -25,14 +25,13 @@ .B checksecurity is run by .B cron -on a daily basis, and the output stored in /var/log/setuid.changes. +on a daily basis, and the output stored in /var/log/setuid/setuid.changes. .SH CONFIGURATION The .B checksecurity.conf file defines several configuration variables: .BR CHECKSECURITY_FILTER , .BR CHECKSECURITY_NOFINDERRORS , -.BR CHECKSECURITY_DISABLE , .BR CHECKSECURITY_NONFSAFS , .BR CHECKSECURITY_EMAIL , .BR CHECKSECURITY_DEVICEFILTER , 
@@ -43,7 +42,7 @@ .PP The .B CHECKSECURITY_FILTER -environment variable which is the argument of 'grep -vE' applied to +environment variable which is the argument of 'grep \-vE' applied to the output of the .B mount command. In other words, the value of @@ -67,17 +66,11 @@ The .B CHECKSECURITY_NOFINDERRORS environment variable, if set to the literal "TRUE", disables -find errors from checksecurity (actually, it re-routes them to +find errors from checksecurity (actually, it re\-routes them to .B /dev/null ). .PP The -.B CHECKSECURITY_DISABLE -environment variable, if set to the literal "TRUE", disables -checksecurity entirely, as a sop to those who think it's safe to allow -random mounting of NFS and AFS disks without the nosuid or noexec flags. -.PP -The .B CHECKSECURITY_NONFSAFS environment variable, if set to the literal "TRUE", disables the message about .I nfs @@ -105,14 +98,14 @@ beneath /dev, you could set the following: .PP .RS -CHECKSECURITY_DEVICEFILTER='-path /dev/tty*' +CHECKSECURITY_DEVICEFILTER='\-path /dev/tty*' .RE .PP Note that any added or modified suid programs under that path would still be detected. If you want to specify multiple expressions, -separate them with '-o', but there is no need to surround the whole +separate them with '\-o', but there is no need to surround the whole clause with parentheses. To disable this filter, specify it as -'-false' (which is the default). +\&'\-false' (which is the default). .PP The .B CHECKSECURITY_PATHFILTER 
@@ -123,23 +116,23 @@ Thus, specifying .PP .RS -CHECKSECURITY_PATHFILTER='-path /var/ftp' +CHECKSECURITY_PATHFILTER='\-path /var/ftp' .RE .PP then the entire /var/ftp tree will be skipped. To disable this filter, -specify it as '-false' (which is the default). +specify it as '\-false' (which is the default). .PP .B LOGDIR sets the name of the directory which stores the files which track the permission and ownership changes. By default, they are in -.BR /var/log . +.BR /var/log/setuid . .SH FILES .TP .I /etc/checksecurity.conf checksecurity configuration file .TP -.I /var/log/setuid.today +.I /var/log/setuid/setuid.today setuid files from the most recent run .TP -.I /var/log/setuid.yesterday +.I /var/log/setuid/setuid.yesterday setuid files from the previous run --- checksecurity-2.0.7.orig/ChangeLog +++ checksecurity-2.0.7/ChangeLog @@ -6,8 +6,6 @@ * Completely rewrote checksecurity. * Added plugins. * Added manpages. - * - Steve -- --- checksecurity-2.0.7.orig/TODO +++ checksecurity-2.0.7/TODO 
@@ -1,12 +1,90 @@ - Document the code properly. + Move to 'standard' priority. (post-sarge) + * Set this package to 'standard' priority, we want our users to have a + limited set of security checks by default even those the ones provided + here still need to be improved (Closes: #197563) + Document the code properly. + - Include also documentation of new options + ('debug' through GetStdd::Long) + - The 'period' optional argument in checksecurity needs to be + added to the manpage + + Fix errors in setuid script: + - Specially #257395 and #102186, the first + one spouts false negatives and the second one + makes the check fail sometimes in network drives. + Add getopt processing for checksecurity. + - DONE but undocumented Add more tests. + See #163813 and the following discussions: + http://lists.debian.org/debian-devel/2002/12/msg01517.html + and + http://lists.debian.org/debian-devel/2002/12/msg01566.html + + See also + - OpenBSD /etc/security + http://www.openbsd.org/cgi-bin/cvsweb/src/etc/security?rev=1.54&content-type=text/x-cvsweb-markup + - SuSE's seccheck + http://www.suse.de/~marc/seccheck.html + - Mandrake's msec + http://freshmeat.net/projects/msec/ + +------------------------------------------------------------------------- + + Currently checksecurity will *only* do checks regarding SUID files which + is kind of misleading (since one would like 'checksecurity' to be a + security check and not just that). + + While reading an article about Security in Linux distributions [1] y found + out that SUSE's checksecurity [2] will do quite a little bit more and it + is, in fact, GPLd (what a surprise, available here [3]) + + I would like checksecurity to do more than SUID changes. I'm not sure, + however, of which features should be enabled by default. 
Some of this + checks are already done by Tiger (see [4]) and I'm not sure I want + checksecurity to do all of them (since they might be a little too much) + +From seccheck's README: + +The following daily checks are done: + /etc/passwd check : length/number/contents of fields, accounts with same uid + accounts with uid/gid of 0 or 1 beside root and bin + /etc/shadow check : length/number/contents of fields, accounts with no password + /etc/group check : length/number/contents of fields + user root checks : secure umask and PATH + /etc/ftpusers : checks if important system users are put there + /etc/aliases : checks for mail aliases which execute programs + .rhosts check : checks if users' .rhosts file contain + signs + homedirectory : checks if homedirectories are writable or owned by + someone else + dot-files check : checks many dot-files in the homedirectories if they + are writable or owned by someone else + mailbox check : checks if user mailboxes are owned by user and unreadable + NFS export check : exports should not be exported globaly + NFS import check : NFS mounts should have the "nosuid" option set + promisc check : checks if network cards are in promiscious mode + list modules : just lists loaded modules + list sockets : just lists open ports + +The following weekly checks are done: + password check : runs john to crack the password file, user will get an + email notice to change his password asap + rpm md5 check : checks for changed files via rpm's md5 checksum feature + suid/sgid check : lists all suid and sgid files + exec group write : lists all executables which are group/world writeable + writable check : lists all files which are world writable (incl. above) + device check : lists all devices + +The following monthly things are done: + The monthly file is not a diff like the daily/weekly ones but the full + reports in one file. + +[1] http://www.linuxjournal.com/article.php?sid=6362&mode=thread&order=0 - Document, document, document! 
+------------------------------------------------------------------------- -Steve --- -www.steve.org.uk +Tue, 15 Mar 2005 01:53:52 +0100 +Javier Fernandez-Sanguino
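Review bot: debian/po/dz.po declares "Content-Type: text/plain; charset=utf-8" and Dzongkha as the language, but both msgstr values as shown here are runs of CJK ideographs rather than Tibetan script, which suggests the file was re-encoded somewhere on the way into the patch. Please confirm the bytes in the uploaded file are valid UTF-8 Dzongkha (msgfmt --check on the file is a quick test) before this ships.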
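Review bot: in debian/checksecurity.cron.weekly the script runs with "umask 022" and creates the log by appending (>>"$LOGFILE"), so a fresh /var/log/checksecurity.log is created world-readable, while debian/checksecurity.logrotate recreates it with "create 0640 root adm". The two should agree: tighten the umask before the redirect, or create the file with the intended owner and mode at install time. $LOCKFILE and $LOCKTOUCHPID are also expanded unquoted in the lockfile-create, kill and lockfile-remove calls.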
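Review bot: the purge branch of debian/postrm does not remove everything the package writes. The file list is "setuid.today setuid.yesterday setuid.changes checksecurity.log", but plugins/check-diskfree moves its output to $LOGDIR/diskfree.log and debian/checksecurity.logrotate rotates and compresses /var/log/checksecurity.log and /var/log/diskfree.log, so diskfree.log and the rotated copies survive a purge. Separately, the script runs under "set -e" and "find $dir -type f -exec rm -f {} \;" only deletes regular files, so "rmdir $dir" fails and aborts the purge if anything else (a subdirectory, a symlink) is left in /var/log/setuid; consider rm -rf on the quoted path, or tolerate the rmdir failure.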
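Review bot: in plugins/check-diskfree the mail step tests CHECKSECURITY_EMAIL but sends to $MAILTO, and the only line that would give MAILTO a default (# [ -z "$MAILTO" ] && MAILTO=root) is commented out, so with CHECKSECURITY_EMAIL set and MAILTO unset /usr/bin/mail is invoked with no recipient. Send to "$CHECKSECURITY_EMAIL", or restore the default, and quote the expansion either way. In the same hunk, "Usage warning on $CHECK_DISK_PERCENT" prints the threshold where the mount point seems to be intended, and $TMPDF and $LOGDIR are unquoted in the redirects, cat and mv.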
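Review bot: in plugins/check-setuid, hunk @@ -16,19 +41,15 @@, the new default directory is never created in any line shown: TMPSETUID=${LOGDIR:=/var/log/setuid}/setuid.new.tmp will fail on first write unless /var/log/setuid already exists, so the plugin (or the package's install scripts) should create it root-owned and not group or world writable before use. The := form already assigns LOGDIR, which makes the later guard [ -z "$LOGDIR" ] && LOGDIR=/var/log/setuid in hunk @@ -58,7 +79,7 @@ dead code. Dropping the CHECKSECURITY_DISABLE test also means an existing configuration that sets it to "TRUE" is now silently ignored; that change of behaviour deserves a line in the changelog or NEWS.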
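Review bot: in etc/check-setuid.conf the new CS_DIRS='on (/mnt|/vicep)' is an unanchored prefix match inside the grep -vE filter, so it drops every mount point whose path merely starts with /mnt or /vicep from the setuid scan. If the prefix behaviour is intended for /vicep, the comment should say so; for /mnt it is probably wider than meant and could be bounded with a trailing (/| ). The same hunk adds shfs and lufs to CS_TYPES, which excludes those filesystem types whatever their mount options are; a short comment explaining why they are safe to skip would help whoever audits this filter later.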
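Review bot: in bin/checksecurity, hunk @@ -1,22 +1,57 @@, an unrecognised period argument falls back to "all" and carries on, so a typo in a cron job runs every plugin with only a single STDERR line as evidence. Exiting non-zero on an unknown period would make the mistake visible. The root check just above it prints "Sorry, only root can run checksecurity" without a trailing "\n", unlike the other messages added in this hunk.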
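Review bot: in bin/checksecurity, hunk @@ -68,6 +103,10 @@, the period filter $GLOBAL_ENV{ "CHECK_".uc($period) } !~ /$name/ is a substring regex match with $name interpolated unescaped, so a plugin whose name is contained in another entry of the list would be selected along with it. Split the value on whitespace and compare with eq instead. The same expression is also true when CHECK_DAILY or CHECK_WEEKLY is missing from the configuration file, which is the case for any checksecurity.conf kept from before etc/global-checksecurity.conf gained those two variables: every plugin is then skipped for that period, and nothing is printed unless --debug is given. A check tool that quietly stops checking is the worst failure mode here, so treat an undefined list as an error or fall back to the per-plugin CHECK_$name setting.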
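Review bot: man/check-setuid.8, hunk @@ -25,14 +25,13 @@, updates the log path but keeps the statement that checksecurity "is run by cron on a daily basis", while etc/global-checksecurity.conf in this same patch sets CHECK_WEEKLY="SETUID" and CHECK_DAILY="DISKFREE PASSWD". The page should say the setuid check now runs weekly by default and point at CHECK_DAILY and CHECK_WEEKLY for changing that.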
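Review bot: the TODO hunk cites references [2], [3] and [4] but only [1] is defined at the end of the added text, so the links to SUSE's script and to Tiger are lost. "GetStdd::Long" should read Getopt::Long, which is the module bin/checksecurity actually loads, and "y found out" and "even those the ones" need fixing while the file is being touched.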