From 1ed92e187ae2dfb51f5f2d62c290a85f93b6dc21 Mon Sep 17 00:00:00 2001
From: Till Brehm
Date: Thu, 14 Aug 2014 19:54:00 +0200
Subject: [PATCH] - Added security check script. - Create md5 sums of all files at install and update.
---
 install/install.php | 5 ++
 install/update.php | 5 ++
 interface/web/admin/users_edit.php | 2 +-
 security/check.php | 113 ++++++++++++++++++++++++++++-
 security/security_settings.ini | 4 +-
 server/server.sh | 6 +-
 6 files changed, 126 insertions(+), 9 deletions(-)
diff --git a/install/install.php b/install/install.php
index 108ed05b2e..49c2720403 100644
--- a/install/install.php
+++ b/install/install.php
@@ -679,6 +679,11 @@ if($install_mode == 'standard') {
 }
 //* << $install_mode / 'Standard' or Genius
+//* Create md5 filelist
+$md5_filename = '/usr/local/ispconfig/security/data/file_checksums_'.date('Y-m-d_h-i').'.md5';
+exec('find /usr/local/ispconfig -type f -print0 | xargs -0 md5sum > '.$md5_filename);
+chmod($md5_filename,0700);
+
 echo "Installation completed.\n";
diff --git a/install/update.php b/install/update.php
index eec69bad3b..803e47d435 100644
--- a/install/update.php
+++ b/install/update.php
@@ -497,6 +497,11 @@ if($reconfigure_services_answer == 'yes') {
 }
 }
+//* Create md5 filelist
+$md5_filename = '/usr/local/ispconfig/security/data/file_checksums_'.date('Y-m-d_h-i').'.md5';
+exec('find /usr/local/ispconfig -type f -print0 | xargs -0 md5sum > '.$md5_filename);
+chmod($md5_filename,0700);
+
 echo "Update finished.\n";
 ?>
diff --git a/interface/web/admin/users_edit.php b/interface/web/admin/users_edit.php
index a405db4aed..0a14ca5e1e 100644
--- a/interface/web/admin/users_edit.php
+++ b/interface/web/admin/users_edit.php
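Review bot: The baseline file name built on the `$md5_filename` line uses `date('Y-m-d_h-i')`, and `h` is the 12-hour clock with no AM/PM marker, so an install at 02:30 and an update at 14:30 on the same day produce the same name and the second `exec` silently overwrites the first list; `date('Y-m-d_H-i')` gives unambiguous, sortable names. The `exec` result is never inspected, so a missing `/usr/local/ispconfig/security/data` directory or a failing `xargs`/`md5sum` leaves an empty or absent list while the installer still prints "Installation completed." — capturing the status (`exec($cmd, $out, $rc)`) and warning when `$rc !== 0` or the file is empty would make the baseline trustworthy. `chmod($md5_filename,0700)` sets the execute bit on a data file; `0600` is sufficient. Since the list is written under the same `/usr/local/ispconfig` tree that `find` walks, earlier checksum files end up in later lists, which is worth a comment or an exclusion so it is not mistaken for drift. All of this applies equally to the identical block in the install/update.php hunk.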
@@ -70,7 +70,7 @@ class page_action extends tform_actions {
 global $app, $conf;
 if($conf['demo_mode'] == true && $_REQUEST['id'] <= 3) $app->error('This function is disabled in demo mode.');
-
+
 //* Security settings check
 if(isset($this->dataRecord['typ']) && $this->dataRecord['typ'][0] == 'admin') {
 $app->auth->check_security_permissions('admin_allow_new_admin');
diff --git a/security/check.php b/security/check.php
index d6518a1c52..dc930c5b79 100644
--- a/security/check.php
+++ b/security/check.php
@@ -28,9 +28,8 @@ NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
 EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
-define('SCRIPT_PATH', dirname($_SERVER["SCRIPT_FILENAME"]));
-require SCRIPT_PATH."/lib/config.inc.php";
-require SCRIPT_PATH."/lib/app.inc.php";
+require "/usr/local/ispconfig/server/lib/config.inc.php";
+require "/usr/local/ispconfig/server/lib/app.inc.php";
 set_time_limit(0);
 ini_set('error_reporting', E_ALL & ~E_NOTICE);
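Review bot: The two new `require` lines hard-code the `/usr/local/ispconfig/server/lib/` prefix, which is the third place in this patch that spells the install prefix out literally (alongside `$data_dir` in the next hunk and `$md5_filename` in both installers), so a relocated or non-default install breaks in three independent places. If the intent is to stop depending on the working directory that `SCRIPT_PATH` derived from `$_SERVER["SCRIPT_FILENAME"]`, a one-line comment stating that (`// absolute paths: do not rely on cwd when run from cron`) would keep the next reader from restoring the relative form, and the prefix itself belongs in one shared constant rather than repeated per file.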
@@ -41,6 +40,114 @@ $conf['server_id'] = intval($conf['server_id']);
 // Load required base-classes
 $app->uses('ini_parser,file,services,getconf,system');
+
+// get security config
+$security_config = $app->getconf->get_security_config('systemcheck');
+
+$alert = '';
+$data_dir = '/usr/local/ispconfig/security/data';
+
+
+// Check if a new ispconfig user has been added
+if($security_config['warn_new_admin'] == 'yes') {
+ $data_file = $data_dir.'/admincount';
+ //get number of admins
+ $tmp = $app->db->queryOneRecord("SELECT count(userid) AS number FROM sys_user WHERE typ = 'admin'");
+ $admin_user_count_new = intval($tmp['number']);
+
+ if(is_file($data_file)) {
+ $admin_user_count_old = intval(file_get_contents($data_file));
+ if($admin_user_count_new != $admin_user_count_old) {
+ $alert .= "The number of ISPConfig administrator users has changed. Old: $admin_user_count_old New: $admin_user_count_new \n";
+ file_put_contents($data_file,$admin_user_count_new);
+ }
+ } else {
+ // first run, so we save the current count
+ file_put_contents($data_file,$admin_user_count_new);
+ chmod($data_file,0700);
+ }
+}
+
+// Check if /etc/passwd file has been changed
+if($security_config['warn_passwd_change'] == 'yes') {
+ $data_file = $data_dir.'/passwd.md5';
+ $md5sum_new = md5_file('/etc/passwd');
+
+ if(is_file($data_file)) {
+ $md5sum_old = trim(file_get_contents($data_file));
+ if($md5sum_new != $md5sum_old) {
+ $alert .= "The file /etc/passwd has been changed.\n";
+ file_put_contents($data_file,$md5sum_new);
+ }
+ } else {
+ file_put_contents($data_file,$md5sum_new);
+ chmod($data_file,0700);
+ }
+}
+
+// Check if /etc/shadow file has been changed
+if($security_config['warn_shadow_change'] == 'yes') {
+ $data_file = $data_dir.'/shadow.md5';
+ $md5sum_new = md5_file('/etc/shadow');
+
+ if(is_file($data_file)) {
+ $md5sum_old = trim(file_get_contents($data_file));
+ if($md5sum_new != $md5sum_old) {
+ $alert .= "The file /etc/shadow has been changed.\n";
+ file_put_contents($data_file,$md5sum_new);
+ }
+ } else {
+ file_put_contents($data_file,$md5sum_new);
+ chmod($data_file,0700);
+ }
+}
+
+// Check if /etc/group file has been changed
+if($security_config['warn_group_change'] == 'yes') {
+ $data_file = $data_dir.'/group.md5';
+ $md5sum_new = md5_file('/etc/group');
+
+ if(is_file($data_file)) {
+ $md5sum_old = trim(file_get_contents($data_file));
+ if($md5sum_new != $md5sum_old) {
+ $alert .= "The file /etc/group has been changed.\n";
+ file_put_contents($data_file,$md5sum_new);
+ }
+ } else {
+ file_put_contents($data_file,$md5sum_new);
+ chmod($data_file,0700);
+ }
+}
+
+
+if($alert != '') {
+ $admin_email = $security_config['security_admin_email'];
+ $admin_email_subject = $security_config['security_admin_email_subject'];
+ mail($admin_email, $admin_email_subject, $alert);
+ //$app->log(str_replace("\n"," -- ",$alert),1);
+ echo str_replace("\n"," -- ",$alert)."\n";
+}
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/security/security_settings.ini b/security/security_settings.ini
index 0ea46f2d96..4dfe001624 100644
--- a/security/security_settings.ini
+++ b/security/security_settings.ini
@@ -18,8 +18,8 @@ remote_api_allowed=yes
 [systemcheck]
 security_admin_email=root@localhost
+security_admin_email_subject=Security alert from server
 warn_new_admin=yes
 warn_passwd_change=no
 warn_shadow_change=no
-check_groups_in_passwd=yes
-check_ispconfig_md5=yes
\ No newline at end of file
+warn_group_change=no
\ No newline at end of file
diff --git a/server/server.sh b/server/server.sh
index 88c30e7445..522e0d5f74 100755
--- a/server/server.sh
+++ b/server/server.sh
@@ -13,8 +13,8 @@ if [ -f /usr/local/ispconfig/server/lib/php.ini ]; then
 fi
 fi
-cd /usr/local/ispconfig/security
-/usr/bin/php -q /usr/local/ispconfig/security/check.php
-
 cd /usr/local/ispconfig/server
 /usr/bin/php -q /usr/local/ispconfig/server/server.php
+
+cd /usr/local/ispconfig/security
+/usr/bin/php -q /usr/local/ispconfig/security/check.php
-- 
GitLab
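Review bot: `md5_file()` returns `false` when the target cannot be read, and the passwd, shadow and group checks compare that result with `!=` against the stored hex string, so an unreadable `/etc/shadow` (depending on the privileges the cron job runs with) raises a spurious "has been changed" alert and then overwrites the baseline with an empty string, after which the next run alerts again once the file is readable; the result needs an `=== false` test before any comparison. None of the branches verifies that `$data_dir` exists and nothing in this patch creates it — when the directory is missing, `is_file()` is false on every run, `file_put_contents()` fails with a warning, and the first-run branch repeats forever without ever alerting, so an `is_dir($data_dir)` check (or `mkdir($data_dir, 0700, true)`) belongs right after `$data_dir` is assigned. The three file blocks are copy-paste with only the path and baseline name differing, which is how the `false` case was missed three times; the sketch below folds them into one helper and also drops the execute bit (`0600`) that `chmod($data_file,0700)` sets on plain data files. Separately, the installer hunks now write `file_checksums_*.md5` lists but nothing in this script reads them, and `check_ispconfig_md5` is removed from `security_settings.ini` in the same patch, so the ISPConfig tree itself is not verified yet — a `// TODO: compare against the file_checksums_*.md5 list written by the installer` here would keep that from being assumed. The roughly twenty blank `+` lines appended after the final `}` should go.
```php
$data_dir = '/usr/local/ispconfig/security/data';
// baseline directory must exist, otherwise every run silently takes the first-run branch
if(!is_dir($data_dir)) mkdir($data_dir, 0700, true);

// Compare a file's current md5 with the stored baseline. Returns an alert line
// when the file changed or cannot be read; '' when unchanged or on the first run.
function security_check_file_md5($path, $data_file) {
	$md5sum_new = md5_file($path);
	if($md5sum_new === false) {
		// an unreadable file is a monitoring failure, not a change; report it as such
		return "The file $path could not be read for checksumming.\n";
	}
	if(!is_file($data_file)) {
		// first run: record the baseline, no alert
		file_put_contents($data_file, $md5sum_new);
		chmod($data_file, 0600);
		return '';
	}
	$md5sum_old = trim(file_get_contents($data_file));
	if($md5sum_new === $md5sum_old) return '';
	file_put_contents($data_file, $md5sum_new);
	return "The file $path has been changed.\n";
}

// … unchanged: admin-count check …
if($security_config['warn_passwd_change'] == 'yes') $alert .= security_check_file_md5('/etc/passwd', $data_dir.'/passwd.md5');
if($security_config['warn_shadow_change'] == 'yes') $alert .= security_check_file_md5('/etc/shadow', $data_dir.'/shadow.md5');
if($security_config['warn_group_change'] == 'yes') $alert .= security_check_file_md5('/etc/group', $data_dir.'/group.md5');
// … unchanged: mail/echo of $alert …
```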
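Review bot: The re-added `cd /usr/local/ispconfig/security` before the `check.php` invocation is now dead weight, because the same patch replaces check.php's `SCRIPT_PATH`-relative `require`s with absolute paths, so the script no longer depends on the working directory and the two lines can collapse to `/usr/bin/php -q /usr/local/ispconfig/security/check.php`. Moving the check from before `server.php` to after it is a behaviour change whose reason is not visible here; a one-line comment such as `# run the security check after server.php so changes made by this run are included` (or whatever the actual reason is) would stop a later cleanup from reordering it back.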