--- checksecurity-2.0.7.orig/debian/checksecurity.cron.daily +++ checksecurity-2.0.7/debian/checksecurity.cron.daily @@ -3,10 +3,9 @@ # Steve Greenland LOCKFILE=/var/lock/checksecurity.daily -# Previous value: -LOGFILE=/var/log/setuid.changes -# New proposed value -# LOGFILE=/var/log/checksecurity.log + +# The logfile we write our changes into. +LOGFILE=/var/log/checksecurity.log umask 022 # @@ -39,10 +38,7 @@ LOCKTOUCHPID="$!" fi -cd /var/log -umask 027 -[ -s "$LOGFILE" ] && savelog -c 7 -m 640 -u root -g adm "$LOGFILE" >/dev/null -checksecurity >"$LOGFILE" +checksecurity daily >>"$LOGFILE" # # Clean up lockfile --- checksecurity-2.0.7.orig/debian/changelog +++ checksecurity-2.0.7/debian/changelog 
@@ -1,3 +1,173 @@ +checksecurity (2.0.7-11ubuntu1) gutsy; urgency=low + + * Merge from debian unstable, remaining changes: + - Downgrade all Recommends to Suggests. + + -- Michael Vogt Mon, 14 May 2007 13:01:51 +0200 + +checksecurity (2.0.7-11) unstable; urgency=low + + * New translations: + - Galician translation provided by Jacobo Tarrio (Closes: #413460) + - Italian translation provided by Luca Monducci (Closes: #418173) + * Have etc/check-setuid.conf default LOGDIR point to /var/log/setuid + * Consistent use of email alerts: + - Move the CHECKSECURITY_EMAIL configuration file over to the global + checksecurity configuration file as more than one script will use this. + (check-setuid and check-diskfree at least) + - Make checksecurity preserve the CHECKSECURITY_EMAIL environment variable + for all plugins unless redefined in the plugin configuration file. + - Make check-diskfree use CHECKSECURITY_EMAIL (instead of MAILTO) to + mail the results of the diskfree check to the defined user. + (Closes: #232951) + * Remove CHECKSECURITY_GREPOUT definition from check-setuid + (Closes: #334435) + * Fix spelling errors in the (root) README.Debian file + + -- Javier Fernandez-Sanguino Pen~a Mon, 07 May 2007 23:48:14 +0200 + +checksecurity (2.0.7-10.1ubuntu1) feisty; urgency=low + + * Resynchronise with Debian. Remaining changes: + - Downgrade all Recommends to Suggests. + + -- Colin Watson Tue, 19 Dec 2006 14:54:03 +0000 + +checksecurity (2.0.7-10.1) unstable; urgency=low + + * Non-maintainer upload to fix longstanding l10n issues + * Debconf templates translations: + - Swedish added. Closes: #331305 + - Vietnamese added. Sent during the call for updates of the NMU campaign. + - Brazilian Portuguese updated. Sent during the call for updates of + the NMU campaign. + - Russian added. Sent during the call for updates of the NMU campaign. + - Dzongkha added. Sent during the call for updates of the NMU campaign. + - Basque added. 
Sent during the call for updates of the NMU campaign. + + -- Christian Perrier Thu, 16 Nov 2006 06:01:25 +0100 + +checksecurity (2.0.7-10ubuntu1) edgy; urgency=low + + * Downgrade all Recommends to Suggests + + -- Matt Zimmerman Tue, 15 Aug 2006 10:22:13 -0700 + +checksecurity (2.0.7-10) unstable; urgency=low + + * Clean up all logfiles on purge as required by policy. + * Modified checksecurity.weekly to use its own lockfile and fix the + error message. We should not be using the same lockfile as + checksecurity.daily since the tests being run by default don't overlap + (Closes: #326871) + * Use debhelper compatibility version 4 + * Fixed FSF address in debian/copyright + * Updated the debian/copyright file with new authors + + -- Javier Fernandez-Sanguino Pen~a Wed, 21 Sep 2005 00:43:14 +0200 + +checksecurity (2.0.7-9) unstable; urgency=low + + * Added dependancies for "| debconf-2.0" as requested by Joey Hess + + -- Javier Fernandez-Sanguino Pen~a Thu, 4 Aug 2005 19:08:46 +0200 + +checksecurity (2.0.7-8) unstable; urgency=low + + * Prevent the setuid checks from traversing AFS filesystems under + /vicep (Closes: #320407) + + -- Javier Fernandez-Sanguino Pen~a Mon, 1 Aug 2005 21:25:16 +0200 + +checksecurity (2.0.7-7) unstable; urgency=low + + * Added Vietnamese debconf translation provided by Clytie Siddall (Closes: #309632) + * Recommend logwatch as an alternative to logcheck (Closes: #315019) + + -- Javier Fernandez-Sanguino Pen~a Sat, 9 Jul 2005 15:43:04 +0200 + +checksecurity (2.0.7-6) unstable; urgency=low + + * Checksecurity checks if you are root (effective uid) before running and + so does the check-passwd plugin too. + * Proper GPL header to the checksecurity program as well as to all of + the plugins. 
+ + -- Javier Fernandez-Sanguino Pen~a Thu, 7 Apr 2005 09:28:24 +0200 + +checksecurity (2.0.7-5) unstable; urgency=low + + * Added new configuration files to the conffiles definition (lintian + error) + + -- Javier Fernandez-Sanguino Pen~a Tue, 22 Mar 2005 02:25:20 +0100 + +checksecurity (2.0.7-4) unstable; urgency=low + + * Use proper user for the logrotation facility (Closes: #299896) + + -- Javier Fernandez-Sanguino Pen~a Thu, 17 Mar 2005 09:24:44 +0100 + +checksecurity (2.0.7-3) unstable; urgency=low + + * Fix postinst's check for files so that the return code is always + true, have the script run with -e and add also an 'exit 0' + return status in any case. (Closes: #299811) + + -- Javier Fernandez-Sanguino Pen~a Thu, 17 Mar 2005 01:19:29 +0100 + +checksecurity (2.0.7-2) unstable; urgency=low + + * Adopted package (Closes: #298573) + * Have the check_diskfree plugin mail to root the results of the test, if + defined. Notice that the environment is currently cleaned up so that + it will not work yet properly. This is the patch available in #232951 + * Fixed the formatting issue in the check-setuid.8 manpage with the + patch provided by Nicolas Francois (Closes: #274428) + * Fixed the reference to checksecurity.conf in bin/checksecurity, the + message now refers to checksecurity(8) (Closes: #276950) + * Create /var/log/setuid with proper permissions (750), also, move the + files in postinst through a loop checking first if they exist + (Closes: #297691) + * Rotate /var/log/setuid.changes, /var/log/diskfree.log and + /var/log/checksecurity.log through logrotate instead of having this in + the cron task, use dh_installlogrotate to install this. 
+ * Add Getopt::Long usage to bin/checksecurity and define a debug (-d or + --debug option) (currently undocumented) + * Introduce a 'period' argument in checksecurity (currently undocumented) + which determines what checks should it run: + - Modify global-checksecurity.conf so that diskfree and passwd checks + are run daily and setuid is run weekly + - Create a new checksecurity-weekly cron task that will run setuid + This closes two long-standing bugs since users can adjust the + configuration now to their needs. (Closes: #138484, #31902) + * Recommend: Tiger, logcheck, and integrity checkers, also + suggest some programs to check if newer packages are available, + as bug #163813 has not been closed yet. + This is an interim solution in order to warn users that + there are more (advanced) security checks available they might want + to implement in addition to checksecurity. + * Added Czech po-debconf translation provided by Jan Outrata + (Closes: #291576) + + -- Javier Fernandez-Sanguino Pen~a Fri, 11 Mar 2005 08:46:43 +0100 + +checksecurity (2.0.7-1) unstable; urgency=low + + * Removed obsolete documentation and support for CHECKSECURITY_DISABLE. + This is handled in checksecurity.conf now. + * Updated version number. + * Switched to a non-Debian native package. + * Avoid searching for setuid files on filesystems of type shfs and lufs. + (Closes: #272402) + * Place all the setuid logfiles in /var/log/setuid instead of /var/log. + Move existing files into place on upgrade. + (Closes: #164665) (Closes: #59809) + * Added the German debconf translation. + (Closes: #250944) Thanks to Erik Schanze. + + -- Steve Kemp Mon, 20 Sep 2004 22:04:11 +0000 + checksecurity (2.0.6) unstable; urgency=low * Respect the NMU from Javier, much appreciated. @@ -167,3 +337,4 @@ * Only rotate setuid.changes if size > 0 (closes: #176995) -- Steve Greenland Sun, 8 Jun 2003 15:18:08 -0500 + --- checksecurity-2.0.7.orig/debian/control +++ checksecurity-2.0.7/debian/control 
@@ -1,15 +1,14 @@ Source: checksecurity Section: admin Priority: optional -Maintainer: Steve Kemp +Maintainer: Javier Fernandez-Sanguino Pen~a Standards-Version: 3.6.1 Build-Depends-Indep: debhelper (>= 4.1.16) Package: checksecurity Architecture: all -Depends: cron (>= 3.0pl1-74), debconf (>= 0.5), perl (>= 5.8.0) -Recommends: -Suggests: lockfile-progs +Depends: cron (>= 3.0pl1-74), debconf (>= 0.5) | debconf-2.0, perl (>= 5.8.0) +Suggests: apt-watch | cron-apt, lockfile-progs, tiger, logcheck, tripwire | integrit | aide | samhain | fcheck Conflicts: lockfile-progs (<< 0.1.7) Replaces: cron Provides: @@ -17,6 +16,7 @@ Checksecurity does some very basic system security checks, such as looking for changes in which programs have setuid permissions, and that remote filesystems are not allowed to have runnable setuid programs. + . Note that these are not to be considered in any way complete, and you should not rely on checksecurity to actually provide any useful information concerning the security or vulnerability of your system. --- checksecurity-2.0.7.orig/debian/postinst +++ checksecurity-2.0.7/debian/postinst @@ -1,14 +1,29 @@ -#!/bin/sh +#!/bin/sh -e # # Tell the user about the old configuration file. # . /usr/share/debconf/confmodule -if [ "$1" = "configure" -a -z "$2" -a -f /etc/checksecurity.conf.cron ] ; then +if [ "$1" = "configure" ] && [ -z "$2" ] && [ -f /etc/checksecurity.conf.cron ] ; then db_input low checksecurity/oldconf || true db_go || true fi db_stop +# +# If there is not a /var/log/setuid directory create it, and move +# any old logfiles into it. +# +if [ ! -d /var/log/setuid ]; then + mkdir -m 750 /var/log/setuid + chown root:adm /var/log/setuid || true + for file in /var/log/setuid.yesterday /var/log/setuid.today /var/log/setuid.changes \ + /var/log/setuid.changes.*; do + [ ! -e $file ] || mv $file /var/log/setuid + done +fi + + #DEBHELPER# +exit 0 --- checksecurity-2.0.7.orig/debian/rules +++ checksecurity-2.0.7/debian/rules 
@@ -31,13 +31,13 @@ dh_clean -k dh_installdirs - # Add here commands to install the files into debian/tmp - $(MAKE) install PREFIX=$(CURDIR)/debian/tmp - install -m 644 debian/overrides debian/tmp/usr/share/lintian/overrides/checksecurity + # Add here commands to install the files into debian/checksecurity + $(MAKE) install PREFIX=$(CURDIR)/debian/checksecurity + install -m 644 debian/overrides debian/checksecurity/usr/share/lintian/overrides/checksecurity dh_installdocs dh_installcron -# dh_installman man/checksecurity.8 + dh_installlogrotate dh_installchangelogs dh_installdebconf dh_compress --- checksecurity-2.0.7.orig/debian/copyright +++ checksecurity-2.0.7/debian/copyright @@ -2,6 +2,9 @@ checksecurity script: Copyright (C) 1994 Ian Jackson Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002 Steve Greenland +Copyright (C) 2003-2005 Steve Kemp +Copyright (C) 2005 Javier Fernandez-Sanguino + The `checksecurity' script and its associated files (checksecurity.8 and checksecurity.conf) are free software; you can redistribute it @@ -18,6 +21,5 @@ `/usr/share/common-licenses/GPL' in the Debian GNU/Linux distribution or on the World Wide Web at `http://www.gnu.org/copyleft/gpl.html'. You can also obtain it by -writing to the Free Software Foundation, Inc., 59 Temple Place - Suite -330, Boston, MA 02111-1307, USA. - +writing to the Free Software Foundation, Inc., +51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA --- checksecurity-2.0.7.orig/debian/po/vi.po +++ checksecurity-2.0.7/debian/po/vi.po 
@@ -0,0 +1,29 @@ +# Vietnamese Translation for checksecurity. +# Copyright © 2005 Free Software Foundation, Inc. +# Clytie Siddall , 2005. +# +msgid "" +msgstr "" +"Project-Id-Version: checksecurity 2.0.7-6\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2003-09-24 19:14+0100\n" +"PO-Revision-Date: 2005-05-18 22:13+0930\n" +"Last-Translator: Clytie Siddall \n" +"Language-Team: Vietnamese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=utf-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=1; plural=0\n" + +#. Description +#: ../templates:3 +msgid "Merge old configuration" +msgstr "Phối cấu hình cũ" + +#. Description +#: ../templates:3 +msgid "" +"This is your initial install of the checksecurity package, and you had an existing checksecurity.conf file from the cron package. The old configuration file was preserved as \"/etc/checksecurity.conf.cron\". If you had modified your configuration, you may want to merge those changes into the new /etc/checksecurity.conf file from this package." +msgstr "Đây là lần đầu cài đặt gói tin checksecurity (kiểm tra bảo mật), còn bạn có một tập tin checksecurity.conf cũ từ gói tin cron. Như thệ thì đã giữ tập tin cấu hình cũ là:\n" +"/etc/checksecurity.conf.cron\n" +"Nếu bạn đã sửa đổi cấu hình chưa thì có lẽ sẽ muốn phối các thay đổi ấy vào tập tin /etc/checksecurity.conf mới thuộc về gói tin này." --- checksecurity-2.0.7.orig/debian/po/it.po +++ checksecurity-2.0.7/debian/po/it.po 
@@ -0,0 +1,39 @@ +# Italian (it) translation of debconf templates for checksecurity +# Copyright (C) 2007 Free Software Foundation, Inc. +# This file is distributed under the same license as the checksecurity package. +# Luca Monducci , 2007. +# +msgid "" +msgstr "" +"Project-Id-Version: checksecurity 2.0.7 italian debconf templates\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2006-11-23 17:13+0100\n" +"PO-Revision-Date: 2007-04-07 10:18+0200\n" +"Last-Translator: Luca Monducci \n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=ISO-8859-1\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: note +#. Description +#: ../templates:1001 +msgid "Merge old configuration" +msgstr "Unire la precedente configurazione" + +#. Type: note +#. Description +#: ../templates:1001 +msgid "" +"This is your initial install of the checksecurity package, and you had an " +"existing checksecurity.conf file from the cron package. The old " +"configuration file was preserved as \"/etc/checksecurity.conf.cron\". If you " +"had modified your configuration, you may want to merge those changes into " +"the new /etc/checksecurity.conf file from this package." +msgstr "" +"Questa la prima installazione del pacchetto checksecurity, per esiste gi " +"il file checksecurity.conf fornito dal pacchetto cron. Il vecchio file di " +"configurazione viene preservato come \"/etc/checksecurity.conf.cron\". Se in " +"passato si modificato la propria configurazione, si potrebbe volere unire " +"le modifiche gi effettuate nel nuovo /etc/checksecurity.conf fornito da " +"questo pacchetto." \ No newline at end of file --- checksecurity-2.0.7.orig/debian/po/gl.po +++ checksecurity-2.0.7/debian/po/gl.po 
@@ -0,0 +1,37 @@ +# Galician translation of checksecurity's debconf templates +# This file is distributed under the same license as the checksecurity package. +# Jacobo Tarrio , 2007. +# +msgid "" +msgstr "" +"Project-Id-Version: checksecurity\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2006-11-23 17:13+0100\n" +"PO-Revision-Date: 2007-03-05 09:19+0100\n" +"Last-Translator: Jacobo Tarrio \n" +"Language-Team: Galician \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: note +#. Description +#: ../templates:1001 +msgid "Merge old configuration" +msgstr "Inclúa a configuración antiga" + +#. Type: note +#. Description +#: ../templates:1001 +msgid "" +"This is your initial install of the checksecurity package, and you had an " +"existing checksecurity.conf file from the cron package. The old " +"configuration file was preserved as \"/etc/checksecurity.conf.cron\". If you " +"had modified your configuration, you may want to merge those changes into " +"the new /etc/checksecurity.conf file from this package." +msgstr "" +"Esta é a súa instalación inicial do paquete checksecurity, pero xa tiña un " +"ficheiro checksecurity.conf do paquete cron. O ficheiro de configuración " +"antigo conservouse coma \"/etc/checksecurity.conf.cron\". Se modificou esa " +"configuración, pode interesarlle incluír eses cambios no novo ficheiro /etc/" +"checksecurity.conf deste paquete." --- checksecurity-2.0.7.orig/debian/po/cs.po +++ checksecurity-2.0.7/debian/po/cs.po 
@@ -0,0 +1,44 @@ +# +# Translators, if you are not familiar with the PO format, gettext +# documentation is worth reading, especially sections dedicated to +# this format, e.g. by running: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# +# Some information specific to po-debconf are available at +# /usr/share/doc/po-debconf/README-trans +# or http://www.debian.org/intl/l10n/po-debconf/README-trans +# +# Developers do not need to manually edit POT or PO files. +# +msgid "" +msgstr "" +"Project-Id-Version: checksecurity\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2003-09-24 19:14+0100\n" +"PO-Revision-Date: 2005-01-21 14:16+0100\n" +"Last-Translator: Jan Outrata \n" +"Language-Team: Czech \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=ISO-8859-2\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Description +#: ../templates:3 +msgid "Merge old configuration" +msgstr "Slouen star konfigurace" + +#. Description +#: ../templates:3 +msgid "" +"This is your initial install of the checksecurity package, and you had an " +"existing checksecurity.conf file from the cron package. The old " +"configuration file was preserved as \"/etc/checksecurity.conf.cron\". If you " +"had modified your configuration, you may want to merge those changes into " +"the new /etc/checksecurity.conf file from this package." +msgstr "" +"Toto je vae prvotn instalace balku checksecurity a mli jste " +"soubor checksecurity.conf z balku cron. Tento star konfiguran " +"soubor byl zachovn jako \"/etc/checksecurity.conf.cron\". Pokud jste " +"zmnili nkter nastaven, mete chtt provst tyto zmny do novho " +"souboru /etc/checksecurity.conf z toho balku." --- checksecurity-2.0.7.orig/debian/po/de.po +++ checksecurity-2.0.7/debian/po/de.po 
@@ -0,0 +1,46 @@ +# +# Translators, if you are not familiar with the PO format, gettext +# documentation is worth reading, especially sections dedicated to +# this format, e.g. by running: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# Some information specific to po-debconf are available at +# /usr/share/doc/po-debconf/README-trans +# or http://www.debian.org/intl/l10n/po-debconf/README-trans# +# Developers do not need to manually edit POT or PO files. +# Erik Schanze , 2004. +# +msgid "" +msgstr "" +"Project-Id-Version: checksecurity_2.0.5.2_templates\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2003-09-24 19:14+0100\n" +"PO-Revision-Date: 2004-05-25 19:58+0200\n" +"Last-Translator: Erik Schanze \n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: KBabel 1.3.1\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Description +#: ../templates:3 +msgid "Merge old configuration" +msgstr "Alte Einstellungen einbinden" + +#. Description +#: ../templates:3 +msgid "" +"This is your initial install of the checksecurity package, and you had an " +"existing checksecurity.conf file from the cron package. The old " +"configuration file was preserved as \"/etc/checksecurity.conf.cron\". If you " +"had modified your configuration, you may want to merge those changes into " +"the new /etc/checksecurity.conf file from this package." +msgstr "" +"Dies ist Ihre erste Installation des Paketes checksecurity und Sie haben " +"schon eine Datei checksecurity.conf aus dem Paket cron. Die alte " +"Konfigurationsdatei wurde als\"/etc/checksecurity.conf.cron\" erhalten. " +"Wenn Sie Ihre Einstellungen geändert hatten, sollten Sie die Änderungen " +"in die neue Datei /etc/checksecurity.conf dieses Paketes einbinden." + --- checksecurity-2.0.7.orig/debian/files +++ checksecurity-2.0.7/debian/files 
@@ -1 +1 @@ -checksecurity_2.0.6_all.deb admin optional +checksecurity_2.0.7-11_all.deb admin optional --- checksecurity-2.0.7.orig/debian/postrm.debhelper +++ checksecurity-2.0.7/debian/postrm.debhelper @@ -0,0 +1,6 @@ +# Automatically added by dh_installdebconf +if [ "$1" = purge ] && [ -e /usr/share/debconf/confmodule ]; then + . /usr/share/debconf/confmodule + db_purge +fi +# End automatically added section --- checksecurity-2.0.7.orig/debian/checksecurity.logrotate +++ checksecurity-2.0.7/debian/checksecurity.logrotate @@ -0,0 +1,8 @@ +/var/log/checksecurity.log /var/log/diskfree.log /var/log/setuid/setuid.changes { + weekly + rotate 10 + compress + missingok + create 0640 root adm +} + --- checksecurity-2.0.7.orig/debian/checksecurity.cron.weekly +++ checksecurity-2.0.7/debian/checksecurity.cron.weekly @@ -0,0 +1,49 @@ +#!/bin/sh +# /etc/cron.weekly/checksecurity: Run the checksecurity script +# Steve Greenland + +LOCKFILE=/var/lock/checksecurity.weekly + +# The logfile we write our changes into. +LOGFILE=/var/log/checksecurity.log +umask 022 + +# +# Exit silently if the checksecurity package is not installed. (We may be +# here just because we're conffile left over from a previous installation). +# +[ -e /usr/sbin/checksecurity ] || exit 0 +# + +# +# Avoid running more than one at a time -- could happen if the +# checksecurity script lands on a network drive. +# + +if [ -x /usr/bin/lockfile-create ] ; then + lockfile-create $LOCKFILE + if [ $? -ne 0 ] ; then + cat <>"$LOGFILE" + +# +# Clean up lockfile +# +if [ -x /usr/bin/lockfile-create ] ; then + kill $LOCKTOUCHPID + lockfile-remove $LOCKFILE +fi --- checksecurity-2.0.7.orig/debian/postrm +++ checksecurity-2.0.7/debian/postrm 
@@ -0,0 +1,39 @@ +#! /bin/sh +# postrm script for checksecurity +# +# see: dh_installdeb(1) + +set -e + +case "$1" in + purge) +# Clean up all log files on purge + LOGDIR=/var/log + for dir in $LOGDIR/setuid/ + do + [ -d "$dir" ] && { + find $dir -type f -exec rm -f {} \; + rmdir $dir + } + done + for file in setuid.today setuid.yesterday setuid.changes \ + checksecurity.log + do + logfile=$LOGDIR/$file + [ -f "$logfile" ] && rm -f $logfile + done + + ;; + remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) +# Do nothing + ;; + + *) + echo "postrm called with unknown argument \`$1'" >&2 + exit 0 +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# --- checksecurity-2.0.7.orig/debian/substvars +++ checksecurity-2.0.7/debian/substvars @@ -0,0 +1 @@ +misc:Depends=debconf (>= 0.5) | debconf-2.0 --- checksecurity-2.0.7.orig/debian/compat +++ checksecurity-2.0.7/debian/compat @@ -0,0 +1 @@ +4 --- checksecurity-2.0.7.orig/plugins/check-passwd +++ checksecurity-2.0.7/plugins/check-passwd 
@@ -1,17 +1,36 @@ #!/bin/sh # -# This script is designed to check for common weaknesses in passwords +# Check-passwd checksecurity plugin +# +# This script is designed to check for common weaknesses in passwords # -# It is part of the 'checksecurity' package, and tests may be configured +# It is part of the 'checksecurity' package, and tests may be configured # by the global file '/etc/checksecurity.conf' and the file # '/etc/checksecurity/check-password.conf'. # +# Copyright (C) 2003-2005 Steve Kemp +# +# Licensed under the GNU General Public License +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. # -# Steve -# -- -# http://www.steve.org.uk/ +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +if [ `/usr/bin/id -u` != 0 ] ; then + echo "Only root has permission to run this script" + exit 1 +fi # # Test for duplicate root login accounts. --- checksecurity-2.0.7.orig/plugins/check-diskfree +++ checksecurity-2.0.7/plugins/check-diskfree 
@@ -1,15 +1,60 @@ #! /bin/sh +# +# Check-diskfree checksecurity plugin # +# This script is designed to analyse the usage of the different +# disks in the system. +# +# It is part of the 'checksecurity' package, and tests may be configured +# by the global file '/etc/checksecurity.conf' and the file +# '/etc/checksecurity/check-diskfree.conf'. +# +# Copyright (C) 2003-2005 Steve Kemp +# +# Licensed under the GNU General Public License +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. # Sane default, just in case [ -z "$CHECK_DISK_PERCENT" ] && CHECK_DISK_PERCENT=90 +[ -z "$LOGDIR" ] && LOGDIR=/var/log + +# Temporary file +[ ! -d /var/run/checksecurity ] && { umask 022; mkdir -p /var/run/checksecurity; } +TMPDF=/var/run/checksecurity/diskfree.log.tmp +>$TMPDF + df -klP | grep ^/ | sed -e 's/.*[[:space:]]\([[:digit:]]\+\)%/\1/' | while read PERC LOCATION; do - if [ $PERC -gt $CHECK_DISK_PERCENT ]; then - echo "Warning on $CHECK_DISK_PERCENT" - echo "${PERC}% ALERT - $LOCATION" + if [ "$PERC" -gt "$CHECK_DISK_PERCENT" ]; then + echo "Usage warning on $CHECK_DISK_PERCENT" >>$TMPDF + echo "${PERC}% ALERT - $LOCATION" >>$TMPDF fi -done +done + +# The default behaviour is to output to stdout +cat $TMPDF + +if [ -s "$TMPDF" ] && [ ! 
-z "$CHECKSECURITY_EMAIL" ]; then + /usr/bin/mail -s "Diskfree alert for `hostname -f` on `date '+%D %T'`" $CHECKSECURITY_EMAIL < $TMPDF +fi + + +mv $TMPDF $LOGDIR/diskfree.log + +exit 0 --- checksecurity-2.0.7.orig/plugins/check-setuid +++ checksecurity-2.0.7/plugins/check-setuid @@ -1,5 +1,30 @@ #!/bin/sh -# Security checks script - run daily out of the system crontab +# +# Check-setuid checksecurity plugin +# +# This script is designed to find the setuid files present on the system +# +# It is part of the 'checksecurity' package, and tests may be configured +# by the global file '/etc/checksecurity.conf' and the file +# '/etc/checksecurity/check-setuid.conf'. +# +# Copyright (C) 2003-2005 Steve Kemp +# +# Licensed under the GNU General Public License +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. set -e 
@@ -16,19 +41,11 @@ if [ `/usr/bin/id -u` != 0 ] ; then echo "Only root has permission to run this script" - exit -fi - -if [ "$CHECKSECURITY_DISABLE" = "TRUE" ] ; then - exit + exit 1 fi -if [ -z "$CHECKSECURITY_GREPOUT" ]; then - CHECKSECURITY_GREPOUT="$^" -fi - -TMPSETUID=${LOGDIR:=/var/log}/setuid.new.tmp -TMPDIFF=${LOGDIR:=/var/log}/setuid.diff.tmp +TMPSETUID=${LOGDIR:=/var/log/setuid}/setuid.new.tmp +TMPDIFF=${LOGDIR:=/var/log/setuid}/setuid.diff.tmp # # Check for NFS/AFS mounts that are not nosuid/nodev @@ -58,7 +75,7 @@ fi # Guard against undefined vars -[ -z "$LOGDIR" ] && LOGDIR=/var/log +[ -z "$LOGDIR" ] && LOGDIR=/var/log/setuid if [ -n "$CHECKSECURITY_PATHFILTER" ]; then PATHCHK="( $CHECKSECURITY_PATHFILTER ) -prune -o" else @@ -108,3 +125,5 @@ fi rm -f $TMPDIFF rm -f $TMPSETUID + +exit 0 --- checksecurity-2.0.7.orig/etc/check-setuid.conf +++ checksecurity-2.0.7/etc/check-setuid.conf @@ -6,9 +6,7 @@ # # CHECKSECURITY_FILTER # CHECKSECURITY_NOFINDERRORS -# CHECKSECURITY_DISABLE # CHECKSECURITY_NONFSAFS -# CHECKSECURITY_EMAIL # CHECKSECURITY_DEVICEFILTER # CHECKSECURITY_PATHFILTER # LOGDIR @@ -53,13 +51,15 @@ # Uncomment the next line to get the old behaviour. #CS_NFSAFS='(nfs|afs) \(.*(nosuid|noexec).*nodev.*\)' # -CS_TYPES='( type (auto|proc|sysfs|bind|msdos|fat|vfat|iso9660|usbdevfs|ncpfs|smbfs|cifs|ntfs|devpts|binfmt_misc|none))|'$CS_NFSAFS +CS_TYPES='( type (auto|proc|sysfs|bind|msdos|fat|vfat|iso9660|usbdevfs|ncpfs|smbfs|cifs|ntfs|devpts|binfmt_misc|shfs|lufs|none))|'$CS_NFSAFS # CS_OPTS='\(.*(nosuid|noexec).*\)' # CS_DEVS='^/dev/fd' # -CS_DIRS='on /mnt' +# Do not traverse /mnt (external mounts) or /vicep (AFS fileserver mounts) +# +CS_DIRS='on (/mnt|/vicep)' # CHECKSECURITY_FILTER="$CS_TYPES|$CS_OPTS|$CS_DEVS|$CS_DIRS" # 
@@ -81,31 +81,12 @@ CHECKSECURITY_NOFINDERRORS="FALSE" #### # -# The CHECKSECURITY_DISABLE, if set to "TRUE" (case sensitive), -# disables the running of checksecurity. -# -CHECKSECURITY_DISABLE="FALSE" -#### -# # The CHECKSECURITY_NONFSAFS, if set to "TRUE" (case sensitive), # disables the message about insecurely mounted nfs/afs disks. # CHECKSECURITY_NONFSAFS="FALSE" #### # -# If the CHECKSECURITY_EMAIL is set, the report is mailed to the given -# address. Note that if you set this, it is *assumed* that you have -# /usr/bin/mail that accepts -s; the mailx package provides this; or -# you can install mutt and create a link, or some other -# alternative. No, I'm not going to fix it to write the appropriate -# headers and use sendmail (although I'd consider patch), nor am I -# going to add a {Depends|Recommends|Suggests} to the cron package. -# Do not submit bugs about this unless you include the above mentioned -# patch. You enabled this option -- you take responsibility. -# -#CHECKSECURITY_EMAIL="root" -#### -# # The CHECKSECURITY_DEVICEFILTER lets you tell find not to report # devices in those directories (if you choose the daily Emails, # devices like /dev/pts/?, /dev/tty?, or /dev/urandom will change @@ -125,8 +106,6 @@ CHECKSECURITY_PATHFILTER="-false" #### # -# Location of setuid file databases. Probably should -# be in /var/lib/cron, but I don't want to move them now. After -# the release, maybe. +# Location of setuid file databases. # -LOGDIR=/var/log +LOGDIR=/var/log/setuid --- checksecurity-2.0.7.orig/etc/global-checksecurity.conf +++ checksecurity-2.0.7/etc/global-checksecurity.conf 
@@ -17,6 +17,17 @@ # MAILTO=root +# If the CHECKSECURITY_EMAIL is set, the report is mailed to the given +# address. Note that if you set this, it is *assumed* that you have +# /usr/bin/mail that accepts -s; the mailx package provides this; or +# you can install mutt and create a link, or some other +# alternative. No, I'm not going to fix it to write the appropriate +# headers and use sendmail (although I'd consider patch), nor am I +# going to add a {Depends|Recommends|Suggests} to the cron package. +# Do not submit bugs about this unless you include the above mentioned +# patch. You enabled this option -- you take responsibility. +# +#CHECKSECURITY_EMAIL="root" # # This is the path which the scripts are given when they are run. @@ -28,7 +39,11 @@ ## The next group of settings control which checks are enabled. ## +# Which checks to run daily? +CHECK_DAILY="DISKFREE PASSWD" +# Which checks to run weekly? +CHECK_WEEKLY="SETUID" # # Check for mounts which have very little disk space free. --- checksecurity-2.0.7.orig/bin/checksecurity +++ checksecurity-2.0.7/bin/checksecurity 
@@ -1,22 +1,57 @@ -#!/usr/bin/perl +#!/usr/bin/perl # -# Run the plugins which have been setup. -# -# Steve -# -- -# http://www.steve.org.uk +# Debian's checksecurity. +# Runs a set of plugins which check the security of an installed +# system. +# +# (c) 2003-2005 Steve Kemp , http://www.steve.org.uk +# (c) 2005 Javier Fernandez-Sanguino +# Licensed under the GNU General Public License +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. # use strict; use Env; +use Getopt::Long; +my $opt_debug = 0; +GetOptions( + 'debug!' => \$opt_debug, +); + +# Are we root? +if ( $> != 0 ) { + print STDERR "Sorry, only root can run checksecurity"; + exit 1; +} # # The fixed settings we work with. # my $CONFIG = "/etc/checksecurity.conf"; my $PLUGIN_DIR = "/usr/share/checksecurity"; -my $VERSION = "2.0.0"; +my $VERSION = "2.0.7"; +# Argument determine which checks will be run +my $period = "all"; +$period = $ARGV[0] if defined $ARGV[0]; +# Accepted periods +if ( $period !~ /^(all|daily|weekly)$/ ) { + print STDERR "Unknown period requested ($period) reverting to 'all'\n"; + $period = "all"; +} # Copy of the environmental variables. 
@@ -43,7 +78,7 @@ The global configuration file that checksecurity wishes to read in order to know which plugins are enabled is missing. - Please see man 'checksecurity.conf' for details of the contents + Please see man checksecurity(8) for details of the contents this file should have. Aborting. @@ -68,6 +103,10 @@ } $name = uc( $name ); + print "Checking plugin $name\n" if $opt_debug; + + # Are we configured to run it in this period? + next if ( $period ne "all" && $GLOBAL_ENV{ "CHECK_".uc($period) } !~ /$name/ ); # See if the plugin is enabled. if ( $GLOBAL_ENV{ "CHECK_$name" } eq "TRUE" ) @@ -95,13 +134,20 @@ $ENV{$k} = $PLUGIN_ENV{$k}; } + # We inherit the CHECKSECURITY_EMAIL environment from the global + # file if the script does not redefine it. + if ( ! defined $ENV{'CHECKSECURITY_EMAIL'} && defined $GLOBAL_ENV{'CHECKSECURITY_EMAIL'} ) { + $ENV{'CHECKSECURITY_EMAIL'} = $GLOBAL_ENV{'CHECKSECURITY_EMAIL'}; + } + # Execute the file. + print "Executing plugin $name ($file)\n" if $opt_debug; system( $file ); } else { - print "\tDisabled\n"; - #print "Value was " . $GLOBAL_ENV{ "CHECK_$name" } . "\n"; + print "Plugin $name Disabled\n" if $opt_debug; + print "Value was ".$GLOBAL_ENV{ "CHECK_$name" } . "\n" if $opt_debug; } } --- checksecurity-2.0.7.orig/README.Debian +++ checksecurity-2.0.7/README.Debian @@ -5,8 +5,8 @@ checksecurity is a simple package which will scan your system for several simple security holes. - It uses a simple collection of plugins, which are mere shell - scripts which are configured by enviromental variables. + It uses a simple collection of plugins, all of which are shell + scripts which are configured by environmental variables. This release is the first release featuring this modularisation so there may well be bugs lying the code. 
@@ -38,7 +38,7 @@ * Check for accounts with login == password. check_setuid: - * Check permissions on setuid files wihtin the system. + * Check permissions on setuid files within the system. check_diskfree * Check that all mounted partitions do not exceed a given threshold --- checksecurity-2.0.7.orig/man/check-setuid.8 +++ checksecurity-2.0.7/man/check-setuid.8 @@ -25,14 +25,13 @@ .B checksecurity is run by .B cron -on a daily basis, and the output stored in /var/log/setuid.changes. +on a daily basis, and the output stored in /var/log/setuid/setuid.changes. .SH CONFIGURATION The .B checksecurity.conf file defines several configuration variables: .BR CHECKSECURITY_FILTER , .BR CHECKSECURITY_NOFINDERRORS , -.BR CHECKSECURITY_DISABLE , .BR CHECKSECURITY_NONFSAFS , .BR CHECKSECURITY_EMAIL , .BR CHECKSECURITY_DEVICEFILTER , @@ -43,7 +42,7 @@ .PP The .B CHECKSECURITY_FILTER -environment variable which is the argument of 'grep -vE' applied to +environment variable which is the argument of 'grep \-vE' applied to the output of the .B mount command. In other words, the value of @@ -67,17 +66,11 @@ The .B CHECKSECURITY_NOFINDERRORS environment variable, if set to the literal "TRUE", disables -find errors from checksecurity (actually, it re-routes them to +find errors from checksecurity (actually, it re\-routes them to .B /dev/null ). .PP The -.B CHECKSECURITY_DISABLE -environment variable, if set to the literal "TRUE", disables -checksecurity entirely, as a sop to those who think it's safe to allow -random mounting of NFS and AFS disks without the nosuid or noexec flags. -.PP -The .B CHECKSECURITY_NONFSAFS environment variable, if set to the literal "TRUE", disables the message about .I nfs 
@@ -105,14 +98,14 @@ beneath /dev, you could set the following: .PP .RS -CHECKSECURITY_DEVICEFILTER='-path /dev/tty*' +CHECKSECURITY_DEVICEFILTER='\-path /dev/tty*' .RE .PP Note that any added or modified suid programs under that path would still be detected. If you want to specify multiple expressions, -separate them with '-o', but there is no need to surround the whole +separate them with '\-o', but there is no need to surround the whole clause with parentheses. To disable this filter, specify it as -'-false' (which is the default). +\&'\-false' (which is the default). .PP The .B CHECKSECURITY_PATHFILTER @@ -123,23 +116,23 @@ Thus, specifying .PP .RS -CHECKSECURITY_PATHFILTER='-path /var/ftp' +CHECKSECURITY_PATHFILTER='\-path /var/ftp' .RE .PP then the entire /var/ftp tree will be skipped. To disable this filter, -specify it as '-false' (which is the default). +specify it as '\-false' (which is the default). .PP .B LOGDIR sets the name of the directory which stores the files which track the permission and ownership changes. By default, they are in -.BR /var/log . +.BR /var/log/setuid . .SH FILES .TP .I /etc/checksecurity.conf checksecurity configuration file .TP -.I /var/log/setuid.today +.I /var/log/setuid/setuid.today setuid files from the most recent run .TP -.I /var/log/setuid.yesterday +.I /var/log/setuid/setuid.yesterday setuid files from the previous run --- checksecurity-2.0.7.orig/ChangeLog +++ checksecurity-2.0.7/ChangeLog @@ -6,8 +6,6 @@ * Completely rewrote checksecurity. * Added plugins. * Added manpages. - * - Steve -- --- checksecurity-2.0.7.orig/TODO +++ checksecurity-2.0.7/TODO 
@@ -1,12 +1,90 @@ - Document the code properly. + Move to 'standard' priority. (post-sarge) + * Set this package to 'standard' priority, we want our users to have a + limited set of security checks by default even those the ones provided + here still need to be improved (Closes: #197563) + Document the code properly. + - Include also documentation of new options + ('debug' through GetStdd::Long) + - The 'period' optional argument in checksecurity needs to be + added to the manpage + + Fix errors in setuid script: + - Specially #257395 and #102186, the first + one spouts false negatives and the second one + makes the check fail sometimes in network drives. + Add getopt processing for checksecurity. + - DONE but undocumented Add more tests. + See #163813 and the following discussions: + http://lists.debian.org/debian-devel/2002/12/msg01517.html + and + http://lists.debian.org/debian-devel/2002/12/msg01566.html + + See also + - OpenBSD /etc/security + http://www.openbsd.org/cgi-bin/cvsweb/src/etc/security?rev=1.54&content-type=text/x-cvsweb-markup + - SuSE's seccheck + http://www.suse.de/~marc/seccheck.html + - Mandrake's msec + http://freshmeat.net/projects/msec/ + +------------------------------------------------------------------------- + + Currently checksecurity will *only* do checks regarding SUID files which + is kind of misleading (since one would like 'checksecurity' to be a + security check and not just that). + + While reading an article about Security in Linux distributions [1] y found + out that SUSE's checksecurity [2] will do quite a little bit more and it + is, in fact, GPLd (what a surprise, available here [3]) + + I would like checksecurity to do more than SUID changes. I'm not sure, + however, of which features should be enabled by default. 
Some of this + checks are already done by Tiger (see [4]) and I'm not sure I want + checksecurity to do all of them (since they might be a little too much) + +From seccheck's README: + +The following daily checks are done: + /etc/passwd check : length/number/contents of fields, accounts with same uid + accounts with uid/gid of 0 or 1 beside root and bin + /etc/shadow check : length/number/contents of fields, accounts with no password + /etc/group check : length/number/contents of fields + user root checks : secure umask and PATH + /etc/ftpusers : checks if important system users are put there + /etc/aliases : checks for mail aliases which execute programs + .rhosts check : checks if users' .rhosts file contain + signs + homedirectory : checks if homedirectories are writable or owned by + someone else + dot-files check : checks many dot-files in the homedirectories if they + are writable or owned by someone else + mailbox check : checks if user mailboxes are owned by user and unreadable + NFS export check : exports should not be exported globaly + NFS import check : NFS mounts should have the "nosuid" option set + promisc check : checks if network cards are in promiscious mode + list modules : just lists loaded modules + list sockets : just lists open ports + +The following weekly checks are done: + password check : runs john to crack the password file, user will get an + email notice to change his password asap + rpm md5 check : checks for changed files via rpm's md5 checksum feature + suid/sgid check : lists all suid and sgid files + exec group write : lists all executables which are group/world writeable + writable check : lists all files which are world writable (incl. above) + device check : lists all devices + +The following monthly things are done: + The monthly file is not a diff like the daily/weekly ones but the full + reports in one file. + +[1] http://www.linuxjournal.com/article.php?sid=6362&mode=thread&order=0 - Document, document, document! 
+------------------------------------------------------------------------- -Steve --- -www.steve.org.uk +Tue, 15 Mar 2005 01:53:52 +0100 +Javier Fernandez-Sanguino
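Review bot: In the etc/checksecurity.conf hunk that changes `LOGDIR=/var/log` to `LOGDIR=/var/log/setuid`, nothing in this patch creates the new directory, so the setuid file databases ("setuid.today", "setuid.yesterday") will fail to be written on a fresh install or upgrade until something makes it. Add a dirs entry or postinst step that creates /var/log/setuid owned by root with group adm and mode 0750, since the files list every setuid binary on the host and should stay readable only by administrators.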
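Review bot: In the etc/global-checksecurity.conf hunk, `CHECK_WEEKLY="SETUID"` moves the setuid check out of the daily run, but nothing in this patch invokes `checksecurity weekly`, so the check will silently never run unless a cron.weekly script is added alongside the daily one. Also consider documenting in the comment that a plugin must appear in both `CHECK_<NAME>="TRUE"` and one of the period lists to run, because the script now requires both.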
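Review bot: In the bin/checksecurity header hunk, the root check's message `"Sorry, only root can run checksecurity"` lacks a trailing newline and the return value of `GetOptions` is ignored, so an unknown option prints a warning and execution continues as if nothing happened. Suggest `GetOptions('debug!' => \$opt_debug) or die "usage: checksecurity [--debug] [all|daily|weekly]\n";` and appending `\n` to the root message. The comment "Argument determine which checks will be run" should read "The argument determines which checks will be run".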
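Review bot: In the bin/checksecurity period-filter hunk, `$GLOBAL_ENV{ "CHECK_".uc($period) } !~ /$name/` is an unanchored substring match, so a plugin named `PASSWD` is considered scheduled by a list containing `PASSWDEXTRA`, and any regex metacharacter in a plugin name is interpreted rather than matched literally. Match whole words instead, e.g. `next if $period ne "all" && $GLOBAL_ENV{"CHECK_".uc($period)} !~ /(^|\s)\Q$name\E(\s|$)/;`. Separately, when an older global-checksecurity.conf lacks `CHECK_DAILY`/`CHECK_WEEKLY` the hash value is undefined, the pattern never matches and `checksecurity daily` runs no plugins at all without any message; emitting a warning (or falling back to the full set) when the period variable is undefined would make that upgrade failure visible.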
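Review bot: In the README.Debian hunk, the replacement line still says "environmental variables"; the usual term is "environment variables", and the untouched following sentence "there may well be bugs lying the code" is missing "in" ("lying in the code"). Worth fixing while this paragraph is being rewritten.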
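Review bot: In the man/check-setuid.8 hunk, the text still states that checksecurity is run by cron "on a daily basis" with output in /var/log/setuid/setuid.changes, while this same patch moves SETUID into `CHECK_WEEKLY` in global-checksecurity.conf; the manpage should say the check runs at whatever period the global configuration lists it under. The CONFIGURATION list also still names `CHECKSECURITY_EMAIL` as a checksecurity.conf variable even though the patch moves that setting to global-checksecurity.conf; note there that it is inherited from the global file unless redefined.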
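Review bot: In the TODO hunk, "('debug' through GetStdd::Long)" should name the module actually used, `Getopt::Long`, and "even those the ones provided here" should read "even though the ones provided here". The text cites [2], [3] and [4] (SUSE's checksecurity, its source, and Tiger) but only [1] is listed at the bottom; either add the missing URLs or drop the bracket numbers so readers are not sent to references that do not exist.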