--- checksecurity-2.0.7.orig/debian/checksecurity.cron.daily +++ checksecurity-2.0.7/debian/checksecurity.cron.daily @@ -3,10 +3,9 @@ # Steve Greenland LOCKFILE=/var/lock/checksecurity.daily -# Previous value: -LOGFILE=/var/log/setuid.changes -# New proposed value -# LOGFILE=/var/log/checksecurity.log + +# The logfile we write our changes into. +LOGFILE=/var/log/checksecurity.log umask 022 # @@ -39,10 +38,7 @@ LOCKTOUCHPID="$!" fi -cd /var/log -umask 027 -[ -s "$LOGFILE" ] && savelog -c 7 -m 640 -u root -g adm "$LOGFILE" >/dev/null -checksecurity >"$LOGFILE" +checksecurity daily >>"$LOGFILE" # # Clean up lockfile --- checksecurity-2.0.7.orig/debian/changelog +++ checksecurity-2.0.7/debian/changelog @@ -1,3 +1,85 @@ +checksecurity (2.0.7-6) unstable; urgency=low + + * Checksecurity checks if you are root (effective uid) before running and + so does the check-passwd plugin too. + * Proper GPL header to the checksecurity program as well as to all of + the plugins. + + -- Javier Fernandez-Sanguino Pen~a Thu, 7 Apr 2005 09:28:24 +0200 + +checksecurity (2.0.7-5) unstable; urgency=low + + * Added new configuration files to the conffiles definition (lintian + error) + + -- Javier Fernandez-Sanguino Pen~a Tue, 22 Mar 2005 02:25:20 +0100 + +checksecurity (2.0.7-4) unstable; urgency=low + + * Use proper user for the logrotation facility (Closes: #299896) + + -- Javier Fernandez-Sanguino Pen~a Thu, 17 Mar 2005 09:24:44 +0100 + +checksecurity (2.0.7-3) unstable; urgency=low + + * Fix postinst's check for files so that the return code is always + true, have the script run with -e and add also an 'exit 0' + return status in any case. (Closes: #299811) + + -- Javier Fernandez-Sanguino Pen~a Thu, 17 Mar 2005 01:19:29 +0100 + +checksecurity (2.0.7-2) unstable; urgency=low + + * Adopted package (Closes: #298573) + * Have the check_diskfree plugin mail to root the results of the test, if + defined. Notice that the environment is currently cleaned up so that + it will not work yet properly. This is the patch available in #232951 + * Fixed the formatting issue in the check-setuid.8 manpage with the + patch provided by Nicolas Francois (Closes: #274428) + * Fixed the reference to checksecurity.conf in bin/checksecurity, the + message now refers to checksecurity(8) (Closes: #276950) + * Create /var/log/setuid with proper permissions (750), also, move the + files in postinst through a loop checking first if they exist + (Closes: #297691) + * Rotate /var/log/setuid.changes, /var/log/diskfree.log and + /var/log/checksecurity.log through logrotate instead of having this in + the cron task, use dh_installlogrotate to install this. + * Add Getopt::Long usage to bin/checksecurity and define a debug (-d or + --debug option) (currently undocumented) + * Introduce a 'period' argument in checksecurity (currently undocumented) + which determines what checks should it run: + - Modify global-checksecurity.conf so that diskfree and passwd checks + are run daily and setuid is run weekly + - Create a new checksecurity-weekly cron task that will run setuid + This closes two long-standing bugs since users can adjust the + configuration now to their needs. (Closes: #138484, #31902) + * Recommend: Tiger, logcheck, and integrity checkers, also + suggest some programs to check if newer packages are available, + as bug #163813 has not been closed yet. + This is an interim solution in order to warn users that + there are more (advanced) security checks available they might want + to implement in addition to checksecurity. + * Added Czech po-debconf translation provided by Jan Outrata + (Closes: #291576) + + -- Javier Fernandez-Sanguino Pen~a Fri, 11 Mar 2005 08:46:43 +0100 + +checksecurity (2.0.7-1) unstable; urgency=low + + * Removed obsolete documentation and support for CHECKSECURITY_DISABLE. + This is handled in checksecurity.conf now. + * Updated version number. + * Switched to a non-Debian native package. + * Avoid searching for setuid files on filesystems of type shfs and lufs. + (Closes: #272402) + * Place all the setuid logfiles in /var/log/setuid instead of /var/log. + Move existing files into place on upgrade. + (Closes: #164665) (Closes: #59809) + * Added the German debconf translation. + (Closes: #250944) Thanks to Erik Schanze. + + -- Steve Kemp Mon, 20 Sep 2004 22:04:11 +0000 + checksecurity (2.0.6) unstable; urgency=low * Respect the NMU from Javier, much appreciated. --- checksecurity-2.0.7.orig/debian/control +++ checksecurity-2.0.7/debian/control @@ -1,15 +1,15 @@ Source: checksecurity Section: admin Priority: optional -Maintainer: Steve Kemp +Maintainer: Javier Fernandez-Sanguino Pen~a Standards-Version: 3.6.1 Build-Depends-Indep: debhelper (>= 4.1.16) Package: checksecurity Architecture: all Depends: cron (>= 3.0pl1-74), debconf (>= 0.5), perl (>= 5.8.0) -Recommends: -Suggests: lockfile-progs +Recommends: tiger, logcheck, tripwire | integrit | aide | samhain | fcheck +Suggests: apt-watch | cron-apt, lockfile-progs Conflicts: lockfile-progs (<< 0.1.7) Replaces: cron Provides: @@ -17,6 +17,7 @@ Checksecurity does some very basic system security checks, such as looking for changes in which programs have setuid permissions, and that remote filesystems are not allowed to have runnable setuid programs. + . Note that these are not to be considered in any way complete, and you should not rely on checksecurity to actually provide any useful information concerning the security or vulnerability of your system. --- checksecurity-2.0.7.orig/debian/postinst +++ checksecurity-2.0.7/debian/postinst @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/sh -e # # Tell the user about the old configuration file. # @@ -10,5 +10,20 @@ db_stop +# +# If there is not a /var/log/setuid directory create it, and move +# any old logfiles into it. +# +if [ ! -d /var/log/setuid ]; then + mkdir -m 750 /var/log/setuid + chown root:adm /var/log/setuid || true + for file in /var/log/setuid.yesterday /var/log/setuid.today /var/log/setuid.changes \ + /var/log/setuid.changes.*; do + [ ! -e $file ] || mv $file /var/log/setuid + done +fi + + #DEBHELPER# +exit 0 --- checksecurity-2.0.7.orig/debian/conffiles +++ checksecurity-2.0.7/debian/conffiles @@ -1,5 +1,7 @@ /etc/checksecurity.conf /etc/cron.daily/checksecurity +/etc/cron.weekly/checksecurity +/etc/logrotate.d/checksecurity /etc/checksecurity/check-setuid.conf /etc/checksecurity/check-diskfree.conf /etc/checksecurity/check-passwd.conf --- checksecurity-2.0.7.orig/debian/rules +++ checksecurity-2.0.7/debian/rules @@ -37,6 +37,7 @@ dh_installdocs dh_installcron + dh_installlogrotate # dh_installman man/checksecurity.8 dh_installchangelogs dh_installdebconf --- checksecurity-2.0.7.orig/debian/po/cs.po +++ checksecurity-2.0.7/debian/po/cs.po @@ -0,0 +1,44 @@ +# +# Translators, if you are not familiar with the PO format, gettext +# documentation is worth reading, especially sections dedicated to +# this format, e.g. by running: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# +# Some information specific to po-debconf are available at +# /usr/share/doc/po-debconf/README-trans +# or http://www.debian.org/intl/l10n/po-debconf/README-trans +# +# Developers do not need to manually edit POT or PO files. +# +msgid "" +msgstr "" +"Project-Id-Version: checksecurity\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2003-09-24 19:14+0100\n" +"PO-Revision-Date: 2005-01-21 14:16+0100\n" +"Last-Translator: Jan Outrata \n" +"Language-Team: Czech \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=ISO-8859-2\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Description +#: ../templates:3 +msgid "Merge old configuration" +msgstr "Sloučení staré konfigurace" + +#. Description +#: ../templates:3 +msgid "" +"This is your initial install of the checksecurity package, and you had an " +"existing checksecurity.conf file from the cron package. The old " +"configuration file was preserved as \"/etc/checksecurity.conf.cron\". If you " +"had modified your configuration, you may want to merge those changes into " +"the new /etc/checksecurity.conf file from this package." +msgstr "" +"Toto je vaše prvotní instalace balíčku checksecurity a měli jste " +"soubor checksecurity.conf z balíčku cron. Tento starý konfigurační " +"soubor byl zachován jako \"/etc/checksecurity.conf.cron\". Pokud jste " +"změnili některá nastavení, můžete chtít provést tyto změny do nového " +"souboru /etc/checksecurity.conf z toho balíčku." --- checksecurity-2.0.7.orig/debian/po/de.po +++ checksecurity-2.0.7/debian/po/de.po @@ -0,0 +1,46 @@ +# +# Translators, if you are not familiar with the PO format, gettext +# documentation is worth reading, especially sections dedicated to +# this format, e.g. by running: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# Some information specific to po-debconf are available at +# /usr/share/doc/po-debconf/README-trans +# or http://www.debian.org/intl/l10n/po-debconf/README-trans# +# Developers do not need to manually edit POT or PO files. +# Erik Schanze , 2004. +# +msgid "" +msgstr "" +"Project-Id-Version: checksecurity_2.0.5.2_templates\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2003-09-24 19:14+0100\n" +"PO-Revision-Date: 2004-05-25 19:58+0200\n" +"Last-Translator: Erik Schanze \n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: KBabel 1.3.1\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Description +#: ../templates:3 +msgid "Merge old configuration" +msgstr "Alte Einstellungen einbinden" + +#. Description +#: ../templates:3 +msgid "" +"This is your initial install of the checksecurity package, and you had an " +"existing checksecurity.conf file from the cron package. The old " +"configuration file was preserved as \"/etc/checksecurity.conf.cron\". If you " +"had modified your configuration, you may want to merge those changes into " +"the new /etc/checksecurity.conf file from this package." +msgstr "" +"Dies ist Ihre erste Installation des Paketes checksecurity und Sie haben " +"schon eine Datei checksecurity.conf aus dem Paket cron. Die alte " +"Konfigurationsdatei wurde als\"/etc/checksecurity.conf.cron\" erhalten. " +"Wenn Sie Ihre Einstellungen geändert hatten, sollten Sie die Änderungen " +"in die neue Datei /etc/checksecurity.conf dieses Paketes einbinden." + --- checksecurity-2.0.7.orig/debian/files +++ checksecurity-2.0.7/debian/files @@ -1 +1 @@ -checksecurity_2.0.6_all.deb admin optional +checksecurity_2.0.7-5_all.deb admin optional --- checksecurity-2.0.7.orig/debian/checksecurity.cron.weekly +++ checksecurity-2.0.7/debian/checksecurity.cron.weekly @@ -0,0 +1,49 @@ +#!/bin/sh +# /etc/cron.weekly/checksecurity: Run the checksecurity script +# Steve Greenland + +LOCKFILE=/var/lock/checksecurity.daily + +# The logfile we write our changes into. +LOGFILE=/var/log/checksecurity.log +umask 022 + +# +# Exit silently if the checksecurity package is not installed. (We may be +# here just because we're conffile left over from a previous installation). +# +[ -e /usr/sbin/checksecurity ] || exit 0 +# + +# +# Avoid running more than one at a time -- could happen if the +# checksecurity script lands on a network drive. +# + +if [ -x /usr/bin/lockfile-create ] ; then + lockfile-create $LOCKFILE + if [ $? -ne 0 ] ; then + cat <>"$LOGFILE" + +# +# Clean up lockfile +# +if [ -x /usr/bin/lockfile-create ] ; then + kill $LOCKTOUCHPID + lockfile-remove $LOCKFILE +fi --- checksecurity-2.0.7.orig/debian/checksecurity.logrotate +++ checksecurity-2.0.7/debian/checksecurity.logrotate @@ -0,0 +1,8 @@ +/var/log/checksecurity.log /var/log/diskfree.log /var/log/setuid/setuid.changes { + weekly + rotate 10 + compress + missingok + create 0640 root adm +} + --- checksecurity-2.0.7.orig/plugins/check-passwd +++ checksecurity-2.0.7/plugins/check-passwd @@ -1,17 +1,36 @@ #!/bin/sh # -# This script is designed to check for common weaknesses in passwords +# Check-passwd checksecurity plugin +# +# This script is designed to check for common weaknesses in passwords # -# It is part of the 'checksecurity' package, and tests may be configured +# It is part of the 'checksecurity' package, and tests may be configured # by the global file '/etc/checksecurity.conf' and the file # '/etc/checksecurity/check-password.conf'. # +# Copyright (C) 2003-2005 Steve Kemp +# +# Licensed under the GNU General Public License +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. # -# Steve -# -- -# http://www.steve.org.uk/ +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +if [ `/usr/bin/id -u` != 0 ] ; then + echo "Only root has permission to run this script" + exit 1 +fi # # Test for duplicate root login accounts. --- checksecurity-2.0.7.orig/plugins/check-diskfree +++ checksecurity-2.0.7/plugins/check-diskfree @@ -1,15 +1,61 @@ #! /bin/sh +# +# Check-diskfree checksecurity plugin # +# This script is designed to analyse the usage of the different +# disks in the system. +# +# It is part of the 'checksecurity' package, and tests may be configured +# by the global file '/etc/checksecurity.conf' and the file +# '/etc/checksecurity/check-diskfree.conf'. +# +# Copyright (C) 2003-2005 Steve Kemp +# +# Licensed under the GNU General Public License +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. # Sane default, just in case [ -z "$CHECK_DISK_PERCENT" ] && CHECK_DISK_PERCENT=90 +[ -z "$LOGDIR" ] && LOGDIR=/var/log +# [ -z "$MAILTO" ] && MAILTO=root + +# Temporary file +[ ! -d /var/run/checksecurity ] && { umask 022; mkdir -p /var/run/checksecurity; } +TMPDF=/var/run/checksecurity/diskfree.log.tmp +>$TMPDF + df -klP | grep ^/ | sed -e 's/.*[[:space:]]\([[:digit:]]\+\)%/\1/' | while read PERC LOCATION; do - if [ $PERC -gt $CHECK_DISK_PERCENT ]; then - echo "Warning on $CHECK_DISK_PERCENT" - echo "${PERC}% ALERT - $LOCATION" + if [ "$PERC" -gt "$CHECK_DISK_PERCENT" ]; then + echo "Usage warning on $CHECK_DISK_PERCENT" >>$TMPDF + echo "${PERC}% ALERT - $LOCATION" >>$TMPDF fi -done +done + +# The default behaviour is to output to stdout +cat $TMPDF + +if [ -s "$TMPDF" ] && [ ! -z "$CHECKSECURITY_EMAIL" ]; then + /usr/bin/mail -s "Diskfree alert for `hostname -f` on `date '+%D %T'`" $MAILTO < $TMPDF +fi + + +mv $TMPDF $LOGDIR/diskfree.log + +exit 0 --- checksecurity-2.0.7.orig/plugins/check-setuid +++ checksecurity-2.0.7/plugins/check-setuid @@ -1,5 +1,30 @@ #!/bin/sh -# Security checks script - run daily out of the system crontab +# +# Check-setuid checksecurity plugin +# +# This script is designed to find the setuid files present on the system +# +# It is part of the 'checksecurity' package, and tests may be configured +# by the global file '/etc/checksecurity.conf' and the file +# '/etc/checksecurity/check-setuid.conf'. +# +# Copyright (C) 2003-2005 Steve Kemp +# +# Licensed under the GNU General Public License +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. set -e @@ -16,19 +41,15 @@ if [ `/usr/bin/id -u` != 0 ] ; then echo "Only root has permission to run this script" - exit -fi - -if [ "$CHECKSECURITY_DISABLE" = "TRUE" ] ; then - exit + exit 1 fi if [ -z "$CHECKSECURITY_GREPOUT" ]; then CHECKSECURITY_GREPOUT="$^" fi -TMPSETUID=${LOGDIR:=/var/log}/setuid.new.tmp -TMPDIFF=${LOGDIR:=/var/log}/setuid.diff.tmp +TMPSETUID=${LOGDIR:=/var/log/setuid}/setuid.new.tmp +TMPDIFF=${LOGDIR:=/var/log/setuid}/setuid.diff.tmp # # Check for NFS/AFS mounts that are not nosuid/nodev @@ -58,7 +79,7 @@ fi # Guard against undefined vars -[ -z "$LOGDIR" ] && LOGDIR=/var/log +[ -z "$LOGDIR" ] && LOGDIR=/var/log/setuid if [ -n "$CHECKSECURITY_PATHFILTER" ]; then PATHCHK="( $CHECKSECURITY_PATHFILTER ) -prune -o" else @@ -108,3 +129,5 @@ fi rm -f $TMPDIFF rm -f $TMPSETUID + +exit 0 --- checksecurity-2.0.7.orig/etc/check-setuid.conf +++ checksecurity-2.0.7/etc/check-setuid.conf @@ -6,7 +6,6 @@ # # CHECKSECURITY_FILTER # CHECKSECURITY_NOFINDERRORS -# CHECKSECURITY_DISABLE # CHECKSECURITY_NONFSAFS # CHECKSECURITY_EMAIL # CHECKSECURITY_DEVICEFILTER @@ -53,7 +52,7 @@ # Uncomment the next line to get the old behaviour. #CS_NFSAFS='(nfs|afs) \(.*(nosuid|noexec).*nodev.*\)' # -CS_TYPES='( type (auto|proc|sysfs|bind|msdos|fat|vfat|iso9660|usbdevfs|ncpfs|smbfs|cifs|ntfs|devpts|binfmt_misc|none))|'$CS_NFSAFS +CS_TYPES='( type (auto|proc|sysfs|bind|msdos|fat|vfat|iso9660|usbdevfs|ncpfs|smbfs|cifs|ntfs|devpts|binfmt_misc|shfs|lufs|none))|'$CS_NFSAFS # CS_OPTS='\(.*(nosuid|noexec).*\)' # @@ -81,12 +80,6 @@ CHECKSECURITY_NOFINDERRORS="FALSE" #### # -# The CHECKSECURITY_DISABLE, if set to "TRUE" (case sensitive), -# disables the running of checksecurity. -# -CHECKSECURITY_DISABLE="FALSE" -#### -# # The CHECKSECURITY_NONFSAFS, if set to "TRUE" (case sensitive), # disables the message about insecurely mounted nfs/afs disks. # --- checksecurity-2.0.7.orig/etc/global-checksecurity.conf +++ checksecurity-2.0.7/etc/global-checksecurity.conf @@ -28,7 +28,11 @@ ## The next group of settings control which checks are enabled. ## +# Which checks to run daily? +CHECK_DAILY="DISKFREE PASSWD" +# Which checks to run weekly? +CHECK_WEEKLY="SETUID" # # Check for mounts which have very little disk space free. --- checksecurity-2.0.7.orig/bin/checksecurity +++ checksecurity-2.0.7/bin/checksecurity @@ -1,22 +1,57 @@ -#!/usr/bin/perl +#!/usr/bin/perl # -# Run the plugins which have been setup. -# -# Steve -# -- -# http://www.steve.org.uk +# Debian's checksecurity. +# Runs a set of plugins which check the security of an installed +# system. +# +# (c) 2003-2005 Steve Kemp , http://www.steve.org.uk +# (c) 2005 Javier Fernandez-Sanguino +# Licensed under the GNU General Public License +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. # use strict; use Env; +use Getopt::Long; +my $opt_debug = 0; +GetOptions( + 'debug!' => \$opt_debug, +); + +# Are we root? +if ( $> != 0 ) { + print STDERR "Sorry, only root can run checksecurity"; + exit 1; +} # # The fixed settings we work with. # my $CONFIG = "/etc/checksecurity.conf"; my $PLUGIN_DIR = "/usr/share/checksecurity"; -my $VERSION = "2.0.0"; +my $VERSION = "2.0.7"; +# Argument determine which checks will be run +my $period = "all"; +$period = $ARGV[0] if defined $ARGV[0]; +# Accepted periods +if ( $period !~ /^(all|daily|weekly)$/ ) { + print STDERR "Unknown period requested ($period) reverting to 'all'\n"; + $period = "all"; +} # Copy of the environmental variables. @@ -43,7 +78,7 @@ The global configuration file that checksecurity wishes to read in order to know which plugins are enabled is missing. - Please see man 'checksecurity.conf' for details of the contents + Please see man checksecurity(8) for details of the contents this file should have. Aborting. @@ -68,6 +103,10 @@ } $name = uc( $name ); + print "Checking plugin $name\n" if $opt_debug; + + # Are we configured to run it in this period? + next if ( $period ne "all" && $GLOBAL_ENV{ "CHECK_".uc($period) } !~ /$name/ ); # See if the plugin is enabled. if ( $GLOBAL_ENV{ "CHECK_$name" } eq "TRUE" ) @@ -96,12 +135,13 @@ } # Execute the file. + print "Executing plugin $name ($file)\n" if $opt_debug; system( $file ); } else { - print "\tDisabled\n"; - #print "Value was " . $GLOBAL_ENV{ "CHECK_$name" } . "\n"; + print "Plugin $name Disabled\n" if $opt_debug; + print "Value was ".$GLOBAL_ENV{ "CHECK_$name" } . "\n" if $opt_debug; } } --- checksecurity-2.0.7.orig/README.Debian +++ checksecurity-2.0.7/README.Debian @@ -5,7 +5,7 @@ checksecurity is a simple package which will scan your system for several simple security holes. - It uses a simple collection of plugins, which are mere shell + It uses a simple collection of plugins, all of which are shell scripts which are configured by enviromental variables. This release is the first release featuring this modularisation --- checksecurity-2.0.7.orig/man/check-setuid.8 +++ checksecurity-2.0.7/man/check-setuid.8 @@ -25,14 +25,13 @@ .B checksecurity is run by .B cron -on a daily basis, and the output stored in /var/log/setuid.changes. +on a daily basis, and the output stored in /var/log/setuid/setuid.changes. .SH CONFIGURATION The .B checksecurity.conf file defines several configuration variables: .BR CHECKSECURITY_FILTER , .BR CHECKSECURITY_NOFINDERRORS , -.BR CHECKSECURITY_DISABLE , .BR CHECKSECURITY_NONFSAFS , .BR CHECKSECURITY_EMAIL , .BR CHECKSECURITY_DEVICEFILTER , @@ -43,7 +42,7 @@ .PP The .B CHECKSECURITY_FILTER -environment variable which is the argument of 'grep -vE' applied to +environment variable which is the argument of 'grep \-vE' applied to the output of the .B mount command. In other words, the value of @@ -67,17 +66,11 @@ The .B CHECKSECURITY_NOFINDERRORS environment variable, if set to the literal "TRUE", disables -find errors from checksecurity (actually, it re-routes them to +find errors from checksecurity (actually, it re\-routes them to .B /dev/null ). .PP The -.B CHECKSECURITY_DISABLE -environment variable, if set to the literal "TRUE", disables -checksecurity entirely, as a sop to those who think it's safe to allow -random mounting of NFS and AFS disks without the nosuid or noexec flags. -.PP -The .B CHECKSECURITY_NONFSAFS environment variable, if set to the literal "TRUE", disables the message about .I nfs @@ -105,14 +98,14 @@ beneath /dev, you could set the following: .PP .RS -CHECKSECURITY_DEVICEFILTER='-path /dev/tty*' +CHECKSECURITY_DEVICEFILTER='\-path /dev/tty*' .RE .PP Note that any added or modified suid programs under that path would still be detected. If you want to specify multiple expressions, -separate them with '-o', but there is no need to surround the whole +separate them with '\-o', but there is no need to surround the whole clause with parentheses. To disable this filter, specify it as -'-false' (which is the default). +\&'\-false' (which is the default). .PP The .B CHECKSECURITY_PATHFILTER @@ -123,23 +116,23 @@ Thus, specifying .PP .RS -CHECKSECURITY_PATHFILTER='-path /var/ftp' +CHECKSECURITY_PATHFILTER='\-path /var/ftp' .RE .PP then the entire /var/ftp tree will be skipped. To disable this filter, -specify it as '-false' (which is the default). +specify it as '\-false' (which is the default). .PP .B LOGDIR sets the name of the directory which stores the files which track the permission and ownership changes. By default, they are in -.BR /var/log . +.BR /var/log/setuid . .SH FILES .TP .I /etc/checksecurity.conf checksecurity configuration file .TP -.I /var/log/setuid.today +.I /var/log/setuid/setuid.today setuid files from the most recent run .TP -.I /var/log/setuid.yesterday +.I /var/log/setuid/setuid.yesterday setuid files from the previous run --- checksecurity-2.0.7.orig/ChangeLog +++ checksecurity-2.0.7/ChangeLog @@ -6,8 +6,6 @@ * Completely rewrote checksecurity. * Added plugins. * Added manpages. - * - Steve -- --- checksecurity-2.0.7.orig/TODO +++ checksecurity-2.0.7/TODO @@ -1,12 +1,90 @@ - Document the code properly. + Move to 'standard' priority. (post-sarge) + * Set this package to 'standard' priority, we want our users to have a + limited set of security checks by default even those the ones provided + here still need to be improved (Closes: #197563) + Document the code properly. + - Include also documentation of new options + ('debug' through GetStdd::Long) + - The 'period' optional argument in checksecurity needs to be + added to the manpage + + Fix errors in setuid script: + - Specially #257395 and #102186, the first + one spouts false negatives and the second one + makes the check fail sometimes in network drives. + Add getopt processing for checksecurity. + - DONE but undocumented Add more tests. + See #163813 and the following discussions: + http://lists.debian.org/debian-devel/2002/12/msg01517.html + and + http://lists.debian.org/debian-devel/2002/12/msg01566.html + + See also + - OpenBSD /etc/security + http://www.openbsd.org/cgi-bin/cvsweb/src/etc/security?rev=1.54&content-type=text/x-cvsweb-markup + - SuSE's seccheck + http://www.suse.de/~marc/seccheck.html + - Mandrake's msec + http://freshmeat.net/projects/msec/ + +------------------------------------------------------------------------- + + Currently checksecurity will *only* do checks regarding SUID files which + is kind of misleading (since one would like 'checksecurity' to be a + security check and not just that). + + While reading an article about Security in Linux distributions [1] y found + out that SUSE's checksecurity [2] will do quite a little bit more and it + is, in fact, GPLd (what a surprise, available here [3]) + + I would like checksecurity to do more than SUID changes. I'm not sure, + however, of which features should be enabled by default. Some of this + checks are already done by Tiger (see [4]) and I'm not sure I want + checksecurity to do all of them (since they might be a little too much) + +From seccheck's README: + +The following daily checks are done: + /etc/passwd check : length/number/contents of fields, accounts with same uid + accounts with uid/gid of 0 or 1 beside root and bin + /etc/shadow check : length/number/contents of fields, accounts with no password + /etc/group check : length/number/contents of fields + user root checks : secure umask and PATH + /etc/ftpusers : checks if important system users are put there + /etc/aliases : checks for mail aliases which execute programs + .rhosts check : checks if users' .rhosts file contain + signs + homedirectory : checks if homedirectories are writable or owned by + someone else + dot-files check : checks many dot-files in the homedirectories if they + are writable or owned by someone else + mailbox check : checks if user mailboxes are owned by user and unreadable + NFS export check : exports should not be exported globaly + NFS import check : NFS mounts should have the "nosuid" option set + promisc check : checks if network cards are in promiscious mode + list modules : just lists loaded modules + list sockets : just lists open ports + +The following weekly checks are done: + password check : runs john to crack the password file, user will get an + email notice to change his password asap + rpm md5 check : checks for changed files via rpm's md5 checksum feature + suid/sgid check : lists all suid and sgid files + exec group write : lists all executables which are group/world writeable + writable check : lists all files which are world writable (incl. above) + device check : lists all devices + +The following monthly things are done: + The monthly file is not a diff like the daily/weekly ones but the full + reports in one file. + +[1] http://www.linuxjournal.com/article.php?sid=6362&mode=thread&order=0 - Document, document, document! +------------------------------------------------------------------------- -Steve --- -www.steve.org.uk +Tue, 15 Mar 2005 01:53:52 +0100 +Javier Fernandez-Sanguino