Commit 1ed92e18 authored by Till Brehm's avatar Till Brehm

- Added security check script.

- Create md5 sums of all files at install and update.
parent 9edea997
...@@ -679,6 +679,11 @@ if($install_mode == 'standard') { ...@@ -679,6 +679,11 @@ if($install_mode == 'standard') {
} //* << $install_mode / 'Standard' or Genius } //* << $install_mode / 'Standard' or Genius
//* Create md5 filelist
$md5_filename = '/usr/local/ispconfig/security/data/file_checksums_'.date('Y-m-d_h-i').'.md5';
exec('find /usr/local/ispconfig -type f -print0 | xargs -0 md5sum > '.$md5_filename);
chmod($md5_filename,0700);
echo "Installation completed.\n"; echo "Installation completed.\n";
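Review bot: The baseline written to `$md5_filename` is weaker than it needs to be as a tamper record: `date('Y-m-d_h-i')` uses the 12-hour `h`, so a run at 02:15 and one at 14:15 on the same day overwrite each other, and the file is created under the default umask and only afterwards set to `0700`, which also marks a data file executable. I would use `date('Y-m-d_H-i')`, call `umask(0077)` before the `exec()` and finish with `chmod($md5_filename, 0600);`. The list also lives inside the tree it hashes, so it includes itself and every earlier list, and MD5 is not collision-resistant; `sha256sum` would be the safer choice if nothing outside this commit depends on the `.md5` format. The same four lines are added in the update hunk (`@@ -497,6 +497,11 @@`), where the same applies.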
......
...@@ -497,6 +497,11 @@ if($reconfigure_services_answer == 'yes') { ...@@ -497,6 +497,11 @@ if($reconfigure_services_answer == 'yes') {
} }
} }
//* Create md5 filelist
$md5_filename = '/usr/local/ispconfig/security/data/file_checksums_'.date('Y-m-d_h-i').'.md5';
exec('find /usr/local/ispconfig -type f -print0 | xargs -0 md5sum > '.$md5_filename);
chmod($md5_filename,0700);
echo "Update finished.\n"; echo "Update finished.\n";
?> ?>
...@@ -70,7 +70,7 @@ class page_action extends tform_actions { ...@@ -70,7 +70,7 @@ class page_action extends tform_actions {
global $app, $conf; global $app, $conf;
if($conf['demo_mode'] == true && $_REQUEST['id'] <= 3) $app->error('This function is disabled in demo mode.'); if($conf['demo_mode'] == true && $_REQUEST['id'] <= 3) $app->error('This function is disabled in demo mode.');
//* Security settings check //* Security settings check
if(isset($this->dataRecord['typ']) && $this->dataRecord['typ'][0] == 'admin') { if(isset($this->dataRecord['typ']) && $this->dataRecord['typ'][0] == 'admin') {
$app->auth->check_security_permissions('admin_allow_new_admin'); $app->auth->check_security_permissions('admin_allow_new_admin');
......
...@@ -28,9 +28,8 @@ NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, ...@@ -28,9 +28,8 @@ NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/ */
define('SCRIPT_PATH', dirname($_SERVER["SCRIPT_FILENAME"])); require "/usr/local/ispconfig/server/lib/config.inc.php";
require SCRIPT_PATH."/lib/config.inc.php"; require "/usr/local/ispconfig/server/lib/app.inc.php";
require SCRIPT_PATH."/lib/app.inc.php";
set_time_limit(0); set_time_limit(0);
ini_set('error_reporting', E_ALL & ~E_NOTICE); ini_set('error_reporting', E_ALL & ~E_NOTICE);
...@@ -41,6 +40,114 @@ $conf['server_id'] = intval($conf['server_id']); ...@@ -41,6 +40,114 @@ $conf['server_id'] = intval($conf['server_id']);
// Load required base-classes // Load required base-classes
$app->uses('ini_parser,file,services,getconf,system'); $app->uses('ini_parser,file,services,getconf,system');
// get security config
$security_config = $app->getconf->get_security_config('systemcheck');
$alert = '';
$data_dir = '/usr/local/ispconfig/security/data';
// Check if a new ispconfig user has been added
if($security_config['warn_new_admin'] == 'yes') {
$data_file = $data_dir.'/admincount';
//get number of admins
$tmp = $app->db->queryOneRecord("SELECT count(userid) AS number FROM sys_user WHERE typ = 'admin'");
$admin_user_count_new = intval($tmp['number']);
if(is_file($data_file)) {
$admin_user_count_old = intval(file_get_contents($data_file));
if($admin_user_count_new != $admin_user_count_old) {
$alert .= "The number of ISPConfig administrator users has changed. Old: $admin_user_count_old New: $admin_user_count_new \n";
file_put_contents($data_file,$admin_user_count_new);
}
} else {
// first run, so we save the current count
file_put_contents($data_file,$admin_user_count_new);
chmod($data_file,0700);
}
}
// Check if /etc/passwd file has been changed
if($security_config['warn_passwd_change'] == 'yes') {
$data_file = $data_dir.'/passwd.md5';
$md5sum_new = md5_file('/etc/passwd');
if(is_file($data_file)) {
$md5sum_old = trim(file_get_contents($data_file));
if($md5sum_new != $md5sum_old) {
$alert .= "The file /etc/passwd has been changed.\n";
file_put_contents($data_file,$md5sum_new);
}
} else {
file_put_contents($data_file,$md5sum_new);
chmod($data_file,0700);
}
}
// Check if /etc/shadow file has been changed
if($security_config['warn_shadow_change'] == 'yes') {
$data_file = $data_dir.'/shadow.md5';
$md5sum_new = md5_file('/etc/shadow');
if(is_file($data_file)) {
$md5sum_old = trim(file_get_contents($data_file));
if($md5sum_new != $md5sum_old) {
$alert .= "The file /etc/shadow has been changed.\n";
file_put_contents($data_file,$md5sum_new);
}
} else {
file_put_contents($data_file,$md5sum_new);
chmod($data_file,0700);
}
}
// Check if /etc/group file has been changed
if($security_config['warn_group_change'] == 'yes') {
$data_file = $data_dir.'/group.md5';
$md5sum_new = md5_file('/etc/group');
if(is_file($data_file)) {
$md5sum_old = trim(file_get_contents($data_file));
if($md5sum_new != $md5sum_old) {
$alert .= "The file /etc/group has been changed.\n";
file_put_contents($data_file,$md5sum_new);
}
} else {
file_put_contents($data_file,$md5sum_new);
chmod($data_file,0700);
}
}
if($alert != '') {
$admin_email = $security_config['security_admin_email'];
$admin_email_subject = $security_config['security_admin_email_subject'];
mail($admin_email, $admin_email_subject, $alert);
//$app->log(str_replace("\n"," -- ",$alert),1);
echo str_replace("\n"," -- ",$alert)."\n";
}
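Review bot: Each changed-file branch in the new check overwrites its baseline (`file_put_contents($data_file,$md5sum_new)`) before the alert is sent, and the return value of `mail()` is never checked, so a failed hand-off to the mailer loses the alert for good: the next run compares against the new baseline and stays silent, and the `$app->log()` call is commented out. I would hold the new values back and write them only once `mail()` has returned true, as sketched below; the admin-count block at the top has the same ordering and could use the same pending list. The sketch also folds the three near-identical passwd/shadow/group blocks into one loop, compares digests with `!==` instead of `!=` (two hex digests of the form `0e` plus digits compare equal under PHP's loose comparison), and reports an unreadable file instead of storing the `false` that `md5_file()` returns on failure.

```php
// … unchanged: security config load, $alert, $data_dir, admin-count check …

$watched = array(
	'warn_passwd_change' => array('/etc/passwd', $data_dir.'/passwd.md5'),
	'warn_shadow_change' => array('/etc/shadow', $data_dir.'/shadow.md5'),
	'warn_group_change'  => array('/etc/group',  $data_dir.'/group.md5'),
);
$pending = array(); // baseline file => new digest, written only after the alert went out

foreach($watched as $option => $pair) {
	if($security_config[$option] != 'yes') continue;
	list($path, $data_file) = $pair;
	$md5sum_new = md5_file($path);
	if($md5sum_new === false) {
		$alert .= "The file $path could not be read.\n";
		continue;
	}
	if(!is_file($data_file)) {
		// first run: record the baseline, nothing to compare against
		file_put_contents($data_file, $md5sum_new);
		chmod($data_file, 0600);
	} elseif(trim(file_get_contents($data_file)) !== $md5sum_new) {
		$alert .= "The file $path has been changed.\n";
		$pending[$data_file] = $md5sum_new;
	}
}

if($alert != '') {
	// … unchanged: $admin_email, $admin_email_subject …
	if(mail($admin_email, $admin_email_subject, $alert)) {
		foreach($pending as $data_file => $md5sum_new) file_put_contents($data_file, $md5sum_new);
	}
	// … unchanged: echo of the alert text …
}
```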
......
...@@ -18,8 +18,8 @@ remote_api_allowed=yes ...@@ -18,8 +18,8 @@ remote_api_allowed=yes
[systemcheck] [systemcheck]
security_admin_email=root@localhost security_admin_email=root@localhost
security_admin_email_subject=Security alert from server
warn_new_admin=yes warn_new_admin=yes
warn_passwd_change=no warn_passwd_change=no
warn_shadow_change=no warn_shadow_change=no
check_groups_in_passwd=yes warn_group_change=no
check_ispconfig_md5=yes \ No newline at end of file
\ No newline at end of file
...@@ -13,8 +13,8 @@ if [ -f /usr/local/ispconfig/server/lib/php.ini ]; then ...@@ -13,8 +13,8 @@ if [ -f /usr/local/ispconfig/server/lib/php.ini ]; then
fi fi
fi fi
cd /usr/local/ispconfig/security
/usr/bin/php -q /usr/local/ispconfig/security/check.php
cd /usr/local/ispconfig/server cd /usr/local/ispconfig/server
/usr/bin/php -q /usr/local/ispconfig/server/server.php /usr/bin/php -q /usr/local/ispconfig/server/server.php
cd /usr/local/ispconfig/security
/usr/bin/php -q /usr/local/ispconfig/security/check.php