checksecurity-2.0.14/
checksecurity-2.0.14/TODO

Move to 'standard' priority. (post-sarge)
  * Set this package to 'standard' priority, we want our users to have a
    limited set of security checks by default even though the ones provided
    here still need to be improved (Closes: #197563)

Document the code properly.
  - Include also documentation of new options ('debug' through Getopt::Long)
  - The 'period' optional argument in checksecurity needs to be added
    to the manpage
  - Write a manpage for check-socket

Fix errors in setuid script:
  - Especially #257395 and #102186, the first one spouts false negatives
    and the second one makes the check fail sometimes in network drives.

Add getopt processing for checksecurity.
  - DONE but undocumented

Add more tests. See #163813 and the following discussions:
http://lists.debian.org/debian-devel/2002/12/msg01517.html
and
http://lists.debian.org/debian-devel/2002/12/msg01566.html

See also
- OpenBSD /etc/security
  http://www.openbsd.org/cgi-bin/cvsweb/src/etc/security?rev=1.54&content-type=text/x-cvsweb-markup
- SuSE's seccheck
  http://www.suse.de/~marc/seccheck.html
- Mandrake's msec
  http://freshmeat.net/projects/msec/

-------------------------------------------------------------------------

Currently checksecurity will *only* do checks regarding SUID files
which is kind of misleading (since one would like 'checksecurity' to be
a security check and not just that). While reading an article about
Security in Linux distributions [1] I found out that SUSE's checksecurity
[2] will do quite a little bit more and it is, in fact, GPLd (what a
surprise, available here [3])

I would like checksecurity to do more than SUID changes. I'm not sure,
however, of which features should be enabled by default.
Some of these checks are already done by Tiger (see [4]) and I'm not
sure I want checksecurity to do all of them (since they might be a
little too much)

From seccheck's README:

The following daily checks are done:
 /etc/passwd check : length/number/contents of fields, accounts with same uid
                     accounts with uid/gid of 0 or 1 beside root and bin
 /etc/shadow check : length/number/contents of fields, accounts with no password
 /etc/group check  : length/number/contents of fields
 user root checks  : secure umask and PATH
 /etc/ftpusers     : checks if important system users are put there
 /etc/aliases      : checks for mail aliases which execute programs
 .rhosts check     : checks if users' .rhosts file contain + signs
 homedirectory     : checks if homedirectories are writable or owned by someone else
 dot-files check   : checks many dot-files in the homedirectories if they are
                     writable or owned by someone else
 mailbox check     : checks if user mailboxes are owned by user and unreadable
 NFS export check  : exports should not be exported globally
 NFS import check  : NFS mounts should have the "nosuid" option set
 promisc check     : checks if network cards are in promiscuous mode
 list modules      : just lists loaded modules
 list sockets      : just lists open ports

The following weekly checks are done:
 password check    : runs john to crack the password file, user will get an
                     email notice to change his password asap
 rpm md5 check     : checks for changed files via rpm's md5 checksum feature
 suid/sgid check   : lists all suid and sgid files
 exec group write  : lists all executables which are group/world writeable
 writable check    : lists all files which are world writable (incl. above)
 device check      : lists all devices

The following monthly things are done:
 The monthly file is not a diff like the daily/weekly ones but the full
 reports in one file.

[1] http://www.linuxjournal.com/article.php?sid=6362&mode=thread&order=0

-------------------------------------------------------------------------
Tue, 15 Mar 2005 01:53:52 +0100
Javier Fernandez-Sanguino

checksecurity-2.0.14/debian/
checksecurity-2.0.14/debian/postinst

#!/bin/sh -e
#
# Tell the user about the old configuration file.
#
. /usr/share/debconf/confmodule
if [ "$1" = "configure" ] && [ -z "$2" ] && [ -f /etc/checksecurity.conf.cron ] ; then
    db_input low checksecurity/oldconf || true
    db_go || true
fi
db_stop

#
# If there is not a /var/log/setuid directory create it, and move
# any old logfiles into it.
#
if [ ! -d /var/log/setuid ]; then
    mkdir -m 750 /var/log/setuid
    chown root:adm /var/log/setuid || true
    for file in /var/log/setuid.yesterday /var/log/setuid.today /var/log/setuid.changes \
                /var/log/setuid.changes.*; do
        [ ! -e "$file" ] || mv "$file" /var/log/setuid
    done
fi

#
# If there is no /var/log/checksecurity directory create it, and move
#
if [ ! -d /var/log/checksecurity ]; then
    mkdir -m 750 /var/log/checksecurity
    chown root:adm /var/log/checksecurity || true
fi

#DEBHELPER#

exit 0

checksecurity-2.0.14/debian/changelog

checksecurity (2.0.14ubuntu1) natty; urgency=low

  * Merge from debian unstable (LP: #668500). Remaining changes:
    - Downgrade all Recommends to Suggests.
    - Downgrade fcron from Depends to Suggest, it is in universe and we
      are already depending on anacron

 -- Angel Abad Fri, 29 Oct 2010 21:36:58 +0200

checksecurity (2.0.14) unstable; urgency=low

  * plugins/check-setuid:
    - Integrate changes to from Ubuntu to make use of ionice when calling find.
(Closes: #578640) - Use the -ignore_readdir_race option when calling find to avoid error messages when encountering stale files (Closes: #583809) * etc/global-checksecurity.conf: Adjust comments associated to CHECKSECURITY_EMAIL to point to bsd-mailx instead of mailx and remove reference to cron. (Closes: #541636) * debian/control: Depend on util-linux (>= 2.15~rc1-1) which provides ionice. * debian/compat: Change from 4 to 5 * debian/rules: Adjust calls to dh_clean -- Javier Fernandez-Sanguino Pen~a Wed, 27 Oct 2010 23:44:51 +0200 checksecurity (2.0.13ubuntu2) lucid; urgency=low [ Matt Zimmerman ] * plugins/check-setuid: Use ionice to set idle I/O scheduling priority for find(1) across the whole filesystem. [ James Westby ] * plugins/check-setuid: Use the -t option to ionice so that failures to set I/O priority don't stop the command running. - Depend on util-linux (>= 2.15~rc1-1) to ensure the feature is available. - Thanks Colin Watson. -- James Westby Wed, 21 Apr 2010 13:45:42 +0100 checksecurity (2.0.13ubuntu1) karmic; urgency=low * Merge from debian unstable, remaining changes: - Downgrade all Recommends to Suggests. - Downgrade fcron from Depends to Suggest, it is in universe and we are already depending on anacron -- Muharem Hrnjadovic Wed, 03 Jun 2009 12:25:55 +0200 checksecurity (2.0.13) unstable; urgency=low * Do not report 'disk full' for filesystems mounted under /media. This includes the cdrom as well as possibly some other removal media like USB memories. Thanks to Tim Connors for detecting this bug and providing a patch (Closes: #514306) * Add some information in the both check-setuid's manpage and the configuration file related to false positives generated from /dev changes when a system is rebooted (due to changes in timestamps). And provide instructions on how to remove them. * Extend check-socket to make it possible to exclude certain lines from the output through the CHECKSECURITY_IGNORELINES variable. 
(Closes: #522749) * Added the 'lustre' filesystem to the network filesystem list in the default check-setuid.conf (Closes: #502421) * Change Makefile to include etc/check-socket.conf in the package. -- Javier Fernandez-Sanguino Pen~a Tue, 26 May 2009 01:14:49 +0200 checksecurity (2.0.12ubuntu1) karmic; urgency=low * Merge from debian unstable, remaining changes: LP: #370225) - Downgrade all Recommends to Suggests. - Downgrade fcron from Depends to Suggest, it is in universe and we are already depending on anacron -- Bhavani Shankar Fri, 01 May 2009 11:28:27 +0530 checksecurity (2.0.12) unstable; urgency=medium * Fix bug in plugins/check_sockets which prevented it from being actually useful. Thanks to Richard Kapolnai for detecting this bug and providing a patch. (Closes: #520654) -- Javier Fernandez-Sanguino Pen~a Sat, 21 Mar 2009 23:46:07 +0100 checksecurity (2.0.11ubuntu1) jaunty; urgency=low * Merge from Debian unstable (LP: #295260), Ubuntu remaining changes: - Downgrade all Recommends to Suggests. - Downgrade fcron from Depends to Suggest, it is in universe and we are already depending on anacron -- Pedro Fragoso Wed, 05 Nov 2008 02:28:39 +0000 checksecurity (2.0.11) unstable; urgency=low * Debconf Translation changes: - Included Portuguese debconf translation, submitted by Rui Branco (Closes: 489378) - Fixed "Project-Id-Version" field in Japanese translation -- Javier Fernandez-Sanguino Pen~a Mon, 28 Jul 2008 22:47:07 +0200 checksecurity (2.0.10) unstable; urgency=low * Remove chrony from the list of Depends: since it does not actually provide a task scheduler, change it to fcron (Closes: #478203, #479661) -- Javier Fernandez-Sanguino Pen~a Tue, 29 Apr 2008 02:46:50 +0200 checksecurity (2.0.9ubuntu1) intrepid; urgency=low * Merge from debian unstable, remaining changes: - Downgrade all Recommends to Suggests. 
-- Michael Vogt Thu, 29 May 2008 09:59:37 +0200 checksecurity (2.0.9) unstable; urgency=low * The "where did I leave my head release" * Acknowledge the 2.0.7-10.1 NMU, the updated PO files from some languages had not been included in the 2.0.7 release * Do not search fuse filesystems by default (Closes: #467299) * Lintian fix: remove debian/files from source (Closes: 451054) * Allow users to select cron facility by depending on cron | anacron | chrony (Closes: 375058) -- Javier Fernandez-Sanguino Pen~a Wed, 16 Apr 2008 10:09:03 +0200 checksecurity (2.0.8) unstable; urgency=low * Make it (again) a Debian native package. * Add a new check-sockets plugin to check for open sockets. Default configuration will run this daily. * Modify check-setuid so that the changes are actually preserved (no .changes file were getting generated) * Change the logrotate definition so that it will not rotate empty files. * Introduce a /var/log/checksecurity/ where all the new plugin logs will get saved to. Preserve /var/log/setuid for the time being (but it should be moved there) -- Javier Fernandez-Sanguino Pen~a Tue, 08 May 2007 01:01:34 +0200 checksecurity (2.0.7-11ubuntu1) gutsy; urgency=low * Merge from debian unstable, remaining changes: - Downgrade all Recommends to Suggests. -- Michael Vogt Mon, 14 May 2007 13:01:51 +0200 checksecurity (2.0.7-11) unstable; urgency=low * New translations: - Galician translation provided by Jacobo Tarrio (Closes: #413460) - Italian translation provided by Luca Monducci (Closes: #418173) * Have etc/check-setuid.conf default LOGDIR point to /var/log/setuid * Consistent use of email alerts: - Move the CHECKSECURITY_EMAIL configuration file over to the global checksecurity configuration file as more than one script will use this. (check-setuid and check-diskfree at least) - Make checksecurity preserve the CHECKSECURITY_EMAIL environment variable for all plugins unless redefined in the plugin configuration file. 
- Make check-diskfree use CHECKSECURITY_EMAIL (instead of MAILTO) to mail the results of the diskfree check to the defined user. (Closes: #232951) * Remove CHECKSECURITY_GREPOUT definition from check-setuid (Closes: #334435) * Fix spelling errors in the (root) README.Debian file -- Javier Fernandez-Sanguino Pen~a Mon, 07 May 2007 23:48:14 +0200 checksecurity (2.0.7-10.1ubuntu1) feisty; urgency=low * Resynchronise with Debian. Remaining changes: - Downgrade all Recommends to Suggests. -- Colin Watson Tue, 19 Dec 2006 14:54:03 +0000 checksecurity (2.0.7-10.1) unstable; urgency=low * Non-maintainer upload to fix longstanding l10n issues * Debconf templates translations: - Swedish added. Closes: #331305 - Vietnamese added. Sent during the call for updates of the NMU campaign. - Brazilian Portuguese updated. Sent during the call for updates of the NMU campaign. - Russian added. Sent during the call for updates of the NMU campaign. - Dzongkha added. Sent during the call for updates of the NMU campaign. - Basque added. Sent during the call for updates of the NMU campaign. -- Christian Perrier Thu, 16 Nov 2006 06:01:25 +0100 checksecurity (2.0.7-10ubuntu1) edgy; urgency=low * Downgrade all Recommends to Suggests -- Matt Zimmerman Tue, 15 Aug 2006 10:22:13 -0700 checksecurity (2.0.7-10) unstable; urgency=low * Clean up all logfiles on purge as required by policy. * Modified checksecurity.weekly to use its own lockfile and fix the error message. 
We should not be using the same lockfile as checksecurity.daily since the tests being run by default don't overlap (Closes: #326871) * Use debhelper compatibility version 4 * Fixed FSF address in debian/copyright * Updated the debian/copyright file with new authors -- Javier Fernandez-Sanguino Pen~a Wed, 21 Sep 2005 00:43:14 +0200 checksecurity (2.0.7-9) unstable; urgency=low * Added dependancies for "| debconf-2.0" as requested by Joey Hess -- Javier Fernandez-Sanguino Pen~a Thu, 4 Aug 2005 19:08:46 +0200 checksecurity (2.0.7-8) unstable; urgency=low * Prevent the setuid checks from traversing AFS filesystems under /vicep (Closes: #320407) -- Javier Fernandez-Sanguino Pen~a Mon, 1 Aug 2005 21:25:16 +0200 checksecurity (2.0.7-7) unstable; urgency=low * Added Vietnamese debconf translation provided by Clytie Siddall (Closes: #309632) * Recommend logwatch as an alternative to logcheck (Closes: #315019) -- Javier Fernandez-Sanguino Pen~a Sat, 9 Jul 2005 15:43:04 +0200 checksecurity (2.0.7-6) unstable; urgency=low * Checksecurity checks if you are root (effective uid) before running and so does the check-passwd plugin too. * Proper GPL header to the checksecurity program as well as to all of the plugins. -- Javier Fernandez-Sanguino Pen~a Thu, 7 Apr 2005 09:28:24 +0200 checksecurity (2.0.7-5) unstable; urgency=low * Added new configuration files to the conffiles definition (lintian error) -- Javier Fernandez-Sanguino Pen~a Tue, 22 Mar 2005 02:25:20 +0100 checksecurity (2.0.7-4) unstable; urgency=low * Use proper user for the logrotation facility (Closes: #299896) -- Javier Fernandez-Sanguino Pen~a Thu, 17 Mar 2005 09:24:44 +0100 checksecurity (2.0.7-3) unstable; urgency=low * Fix postinst's check for files so that the return code is always true, have the script run with -e and add also an 'exit 0' return status in any case. 
(Closes: #299811) -- Javier Fernandez-Sanguino Pen~a Thu, 17 Mar 2005 01:19:29 +0100 checksecurity (2.0.7-2) unstable; urgency=low * Adopted package (Closes: #298573) * Have the check_diskfree plugin mail to root the results of the test, if defined. Notice that the environment is currently cleaned up so that it will not work yet properly. This is the patch available in #232951 * Fixed the formatting issue in the check-setuid.8 manpage with the patch provided by Nicolas Francois (Closes: #274428) * Fixed the reference to checksecurity.conf in bin/checksecurity, the message now refers to checksecurity(8) (Closes: #276950) * Create /var/log/setuid with proper permissions (750), also, move the files in postinst through a loop checking first if they exist (Closes: #297691) * Rotate /var/log/setuid.changes, /var/log/diskfree.log and /var/log/checksecurity.log through logrotate instead of having this in the cron task, use dh_installlogrotate to install this. * Add Getopt::Long usage to bin/checksecurity and define a debug (-d or --debug option) (currently undocumented) * Introduce a 'period' argument in checksecurity (currently undocumented) which determines what checks should it run: - Modify global-checksecurity.conf so that diskfree and passwd checks are run daily and setuid is run weekly - Create a new checksecurity-weekly cron task that will run setuid This closes two long-standing bugs since users can adjust the configuration now to their needs. (Closes: #138484, #31902) * Recommend: Tiger, logcheck, and integrity checkers, also suggest some programs to check if newer packages are available, as bug #163813 has not been closed yet. This is an interim solution in order to warn users that there are more (advanced) security checks available they might want to implement in addition to checksecurity. 
* Added Czech po-debconf translation provided by Jan Outrata (Closes: #291576) -- Javier Fernandez-Sanguino Pen~a Fri, 11 Mar 2005 08:46:43 +0100 checksecurity (2.0.7-1) unstable; urgency=low * Removed obsolete documentation and support for CHECKSECURITY_DISABLE. This is handled in checksecurity.conf now. * Updated version number. * Switched to a non-Debian native package. * Avoid searching for setuid files on filesystems of type shfs and lufs. (Closes: #272402) * Place all the setuid logfiles in /var/log/setuid instead of /var/log. Move existing files into place on upgrade. (Closes: #164665) (Closes: #59809) * Added the German debconf translation. (Closes: #250944) Thanks to Erik Schanze. -- Steve Kemp Mon, 20 Sep 2004 22:04:11 +0000 checksecurity (2.0.6) unstable; urgency=low * Respect the NMU from Javier, much appreciated. * Cause the cronjob to terminate quietly if checksecurity doesnt exist. (Closes: #240462) * Included cifs in the list of network filesystems to ignore. (Closes: #268058) * Added the nl.po debconf translation. (Closes: #241422) Many thanks to Luk and the l10n-dutch team. 
* Updated standards version to 3.6.1 -- Steve Kemp Fri, 17 Sep 2004 22:02:58 +0000 checksecurity (2.0.5.2) unstable; urgency=low * NMU fixing bugs introduced in previous NMU (approved by maintainer) - Preinst now sorts /var/log/setuid.today before the upgrade (Closes: #239340) - Check_setuid does not guard against CHECKSECURITY_EMAIL being undefined since it's disabled per default (Closes: #239336) - Introduced an alternative fix for the Arla partitions and add new arla type 'nnpfs' and 'binfmt_misc' (Closes: #239314) -- Javier Fernandez-Sanguino Pen~a Mon, 22 Mar 2004 14:26:13 +0100 checksecurity (2.0.5.1) unstable; urgency=low * NMU with maintainer's approval (note this is not related to the BSP, that's why it's uploaded to 0-day) - Added sysfs to CS_TYPES (Closes: #229723) - Updated Spanish debconf translation provided by Javier Fernandez-Sanguino (Closes: #229010) - Added Danish debconf translation provided by Claus Hindsgaul (Closes: #233705) - Updated Japanese debconf translation provided by Kenshi Muto (Closes: #237781) - Sort setuid files by name instead of by inode # (Closes: #202077) - Guard against undefined vars in check-setuid(Closes: #154390) - Fixed typo in check-diskfree.conf (Closes: #229104) - Added LOGFILE definition in cron task, this would make it easier to switch to a different logfile in order to fix #232951. However, the older LOGFILES would need to be handled in order to avoid cruft in the system. - Added a README.Debian that explains why the conffile is handled as it is (Closes: #198933) - Check-diskfree now guards agains undefined vars and handles mount points with spaces in the patch (Closes: #190928) - Added comment in checksecurity.conf file indicating how you can disable check-setuid completely. 
This will have to suffice until check-security provides a better mechanism for fine-grane control of plugin execution (Closes: #177120) - Filter only xfs mounts if the devine name is arla (Closes: #171980) -- Javier Fernandez-Sanguino Pen~a Sun, 14 Mar 2004 22:29:16 +0100 checksecurity (2.0.5) unstable; urgency=low * Applied the Brazilian Portuguese translation to Debconf. (Closes: #218818) thanks to Andre Luis Lopes * Applied the updated French debconf translations. (Closes: #213791) thanks to Christian Perrier. * No output from check-diskfree unless there is at least one "error". -- Steve Kemp Thu, 20 Nov 2003 09:53:42 +0000 checksecurity (2.0.4) unstable; urgency=low * Fixed the last remaining bash-ism. (Closes: #216487) (Closes: #21650) (Closes: #214564) (Closes: #217419) * Depend upon Perl. (Closes: #219363) * Document plugin directory correctly in manpage for checksecurity (Closes: #215758) * Mention 'check-diskfree' in README.Debian (Closes: 218734) -- Steve Kemp Sat, 15 Nov 2003 20:45:02 +0000 checksecurity (2.0.3) unstable; urgency=low * Don't use obsolete diff option. (Closes: #214125) Thanks to Aaron Schrab * Only test filesystems for size which start with '/' This means we work with regardless of local. (Closes: #212710) thanks to Hile Tuohela * Removed several bashisms from check-setuid (Closes: #212650) * Added manpages for `check-diskfree` and `check-passwd` -- Steve Kemp Thur, 09 Oct 2003 22:24:10 +0000 checksecurity (2.0.2) unstable; urgency=low * Only test for empty passwords if /etc/shadow exists. (Closes: #212587) * Testing for free disk space now succeeds when the mount point has a long name. (Closes: #212388) Thanks to Chung-chieh Shan for the patch. * All relevent files in /etc/ are now marked as conffiles. (Closes: #212586) * Install the manpage into the correct directory. * Ignore mountpoints of type xfs. (Closes: #171980) * Added Japanese debconf tranlations. (Closes: #210712) Thanks to Kenshi Muto for the translation. 
-- Steve Kemp Wed, 23 Sep 2003 18:44:48 +0000 checksecurity (2.0.1) unstable; urgency=low * Fixed the handling of the check-setuid.conf file. (Closes: #212306) thanks to Michael Schuerig * Use ':' instead pf '.' when using chown. (Closes: #205369). * Applied a patch to clearup the check-setuid.conf file. (Closes: #210242) thanks to Andrew Shugg. -- Steve Kemp Tue, 22 Sep 2003 10:23:11 +0000 checksecurity (2.0.0) unstable; urgency=low * Created new configuration file. * Created makefile installation system. -- Steve Kemp Tue, 26 Aug 2003 20:58:02 +0000 checksecurity (1.0.4) unstable; urgency=low * This is the penultimate release before we move to a more comprensive plugin based system. You have been warned. * Switched to gettext-based debconf templates (Closes: #205801) thanks to Christian Perrier * Added French translation of gettext templates (Closes: #207117) thanks to Christian Perrier * Fixed typo in checksecurity.conf * Ignore mounts of type "bind" (Closes: #176090) thanks to Martin Schwenke -- Steve Kemp Mon, 25 Aug 2003 23:37:27 +0000 checksecurity (1.0.3) unstable; urgency=low * Updated the maintainer field, to make me the effective maintainer. -- Steve Kemp Wed, 16 Jul 2003 08:37:22 +0000 checksecurity (1.0.2) unstable; urgency=low * New maintainer. -- Steve Kemp Tues, 14 Jul 2003 09:11:20 +0000 checksecurity (1.0.1) unstable; urgency=low * Add overrides file for two lintian warnings. Debconf is used solely to display a message in the postinst on initial installation. It can't be done in the configuration stage because it must happen after the cron install. * Add missing debconf dependency. 
 -- Steve Greenland Sun, 8 Jun 2003 15:20:13 -0500

checksecurity (1.0.0) unstable; urgency=low

  * Split from cron package
  * Only rotate setuid.changes if size > 0 (closes: #176995)

 -- Steve Greenland Sun, 8 Jun 2003 15:18:08 -0500

checksecurity-2.0.14/debian/rules

#!/usr/bin/make -f
#
# Rules file for checksecurity
#
# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1

build: build-stamp
build-stamp:
	dh_testdir
	touch build-stamp

clean:
	dh_testdir
	dh_testroot
	rm -f build-stamp
	dh_clean

# Build architecture-dependent files here.
binary-arch: build
# We have nothing to do by default.

# Build architecture-independent files here.
binary-indep: build
	dh_testdir
	dh_testroot
	dh_prep
	dh_installdirs
	$(MAKE) install PREFIX=$(CURDIR)/debian/checksecurity
	install -m 644 debian/overrides debian/checksecurity/usr/share/lintian/overrides/checksecurity
	dh_installdocs
	dh_installcron
	dh_installlogrotate
	dh_installchangelogs
	dh_installdebconf
	dh_compress
	dh_fixperms
	dh_installdeb
	dh_shlibdeps
	dh_gencontrol
	dh_md5sums
	dh_builddeb

source diff:
	@echo >&2 'source and diff are obsolete - use dpkg-source -b'; false

binary: binary-indep binary-arch
.PHONY: build clean binary-indep binary-arch binary

checksecurity-2.0.14/debian/docs

README.Debian

checksecurity-2.0.14/debian/postrm.debhelper

# Automatically added by dh_installdebconf
if [ "$1" = purge ] && [ -e /usr/share/debconf/confmodule ]; then
    . /usr/share/debconf/confmodule
    db_purge
fi
# End automatically added section

checksecurity-2.0.14/debian/substvars

misc:Depends=debconf (>= 0.5) | debconf-2.0

checksecurity-2.0.14/debian/preinst

#!/bin/sh
#
# Move the existing checksecurity.conf out of the way if this is a new
# install, so that we don't get bogus "file has been edited"
# interactions from dpkg, and so that I don't completely lose
# /etc/checksecurity.conf under certain circumstances.

if [ "$1" = "install" -a -z "$2" -a -f "/etc/checksecurity.conf" ] ; then
    mv /etc/checksecurity.conf /etc/checksecurity.conf.cron
fi

# Resort /var/log/setuid.today if upgrading from 2.0.5 or earlier
if [ "$1" = "upgrade" ] && dpkg --compare-versions "$2" "<<" "2.0.5.1"
then
    cp /var/log/setuid.today /var/log/setuid.preupgrade >/dev/null 2>&1
    # Only continue if the above worked (disk full?)
    if [ "$?" -eq 0 ]
    then
        sort -k 12 /var/log/setuid.preupgrade > /var/log/setuid.today
        rm -f /var/log/setuid.preupgrade
    fi
fi

#DEBHELPER#

checksecurity-2.0.14/debian/checksecurity.cron.daily

#!/bin/sh
# /etc/cron.daily/checksecurity: Run the checksecurity script
# Steve Greenland

LOCKFILE=/var/lock/checksecurity.daily

# The logfile we write our changes into.
LOGFILE=/var/log/checksecurity.log

umask 022

#
# Exit silently if the checksecurity package is not installed. (We may be
# here just because we're conffile left over from a previous installation).
#
[ -e /usr/sbin/checksecurity ] || exit 0

#
#
# Avoid running more than one at a time -- could happen if the
# checksecurity script lands on a network drive.
#
if [ -x /usr/bin/lockfile-create ] ; then
    lockfile-create $LOCKFILE
    if [ $? -ne 0 ] ; then
        cat <>"$LOGFILE"

#
# Clean up lockfile
#
if [ -x /usr/bin/lockfile-create ] ; then
    kill $LOCKTOUCHPID
    lockfile-remove $LOCKFILE
fi

checksecurity-2.0.14/debian/postrm

#! /bin/sh
# postrm script for checksecurity
#
# see: dh_installdeb(1)

set -e

case "$1" in
    purge)
        # Clean up all log files on purge
        LOGDIR=/var/log
        for dir in $LOGDIR/setuid/ $LOGDIR/checksecurity/
        do
            [ -d "$dir" ] && {
                find "$dir" -type f -exec rm -f {} \;
                rmdir "$dir"
            }
        done
        for file in setuid.today setuid.yesterday setuid.changes \
                    checksecurity.log
        do
            logfile=$LOGDIR/$file
            [ -f "$logfile" ] && rm -f "$logfile"
        done
        ;;

    remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
        # Do nothing
        ;;

    *)
        echo "postrm called with unknown argument \`$1'" >&2
        exit 0

esac

# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.

#DEBHELPER#

checksecurity-2.0.14/debian/compat

5

checksecurity-2.0.14/debian/po/
checksecurity-2.0.14/debian/po/ru.po

# translation of checksecurity_debconf_ru.po to Russian
#
# Translators, if you are not familiar with the PO format, gettext
# documentation is worth reading, especially sections dedicated to
# this format, e.g. by running:
#     info -n '(gettext)PO Files'
#     info -n '(gettext)Header Entry'
# Some information specific to po-debconf are available at
#     /usr/share/doc/po-debconf/README-trans
#     or http://www.debian.org/intl/l10n/po-debconf/README-trans#
# Developers do not need to manually edit POT or PO files.
#
# Yuri Kozlov , 2006.
msgid "" msgstr "" "Project-Id-Version: 2.0.7-10\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2006-11-23 17:13+0100\n" "PO-Revision-Date: 2006-11-27 10:15+0300\n" "Last-Translator: Yuri Kozlov \n" "Language-Team: Russian \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Generator: KBabel 1.11.2\n" "Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" #. Type: note #. Description #: ../templates:1001 msgid "Merge old configuration" msgstr "Добавление старой конфигурации" #. Type: note #. Description #: ../templates:1001 msgid "" "This is your initial install of the checksecurity package, and you had an " "existing checksecurity.conf file from the cron package. The old " "configuration file was preserved as \"/etc/checksecurity.conf.cron\". If you " "had modified your configuration, you may want to merge those changes into " "the new /etc/checksecurity.conf file from this package." msgstr "" "Выполнена только начальная установка пакета checksecurity; в вашей " "системе уже был файл checksecurity.conf из пакета cron. Старый " "конфигурационный файл будет сохранён под " "именем \"/etc/checksecurity.conf.cron\". Если вы делали в нём изменения " "самостоятельно, вам может потребоваться " "перенести эти изменения в новый файл /etc/checksecurity.conf " "этого пакета." checksecurity-2.0.14/debian/po/da.po0000644000000000000000000000262310025147714014121 0ustar # translation of checksecurity_2.0.5_templates.po to Danish # Claus Hindsgaul , 2004. 
# msgid "" msgstr "" "Project-Id-Version: checksecurity_2.0.5_templates\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2003-09-24 19:14+0100\n" "PO-Revision-Date: 2004-02-19 16:37+0100\n" "Last-Translator: Claus Hindsgaul \n" "Language-Team: Danish \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=ISO-8859-1\n" "Content-Transfer-Encoding: 8bit\n" "X-Generator: KBabel 1.3\n" "Plural-Forms: nplurals=2; plural=(n != 1);\n" #. Description #: ../templates:3 msgid "Merge old configuration" msgstr "Flet gammel opstning" #. Description #: ../templates:3 msgid "" "This is your initial install of the checksecurity package, and you had an " "existing checksecurity.conf file from the cron package. The old " "configuration file was preserved as \"/etc/checksecurity.conf.cron\". If you " "had modified your configuration, you may want to merge those changes into " "the new /etc/checksecurity.conf file from this package." msgstr "" "Dette er din frste installation af pakken checksecurity, og du har en eksisterende " "opstningsfil checksecurity.conf fra cron-pakken. Den gamle opstningsfil " "er gemt som \"/etc/checksecurity.conf.cron\". Hvis du havde rettet i din opstning, " "kan du flette ndringerne ind i den nye /etc/checksecurity.conf-fil fra denne " "pakke." checksecurity-2.0.14/debian/po/de.po0000644000000000000000000000360310214246232014117 0ustar # # Translators, if you are not familiar with the PO format, gettext # documentation is worth reading, especially sections dedicated to # this format, e.g. by running: # info -n '(gettext)PO Files' # info -n '(gettext)Header Entry' # Some information specific to po-debconf are available at # /usr/share/doc/po-debconf/README-trans # or http://www.debian.org/intl/l10n/po-debconf/README-trans# # Developers do not need to manually edit POT or PO files. # Erik Schanze , 2004. 
# msgid "" msgstr "" "Project-Id-Version: checksecurity_2.0.5.2_templates\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2003-09-24 19:14+0100\n" "PO-Revision-Date: 2004-05-25 19:58+0200\n" "Last-Translator: Erik Schanze \n" "Language-Team: German \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Generator: KBabel 1.3.1\n" "Plural-Forms: nplurals=2; plural=(n != 1);\n" #. Description #: ../templates:3 msgid "Merge old configuration" msgstr "Alte Einstellungen einbinden" #. Description #: ../templates:3 msgid "" "This is your initial install of the checksecurity package, and you had an " "existing checksecurity.conf file from the cron package. The old " "configuration file was preserved as \"/etc/checksecurity.conf.cron\". If you " "had modified your configuration, you may want to merge those changes into " "the new /etc/checksecurity.conf file from this package." msgstr "" "Dies ist Ihre erste Installation des Paketes checksecurity und Sie haben " "schon eine Datei checksecurity.conf aus dem Paket cron. Die alte " "Konfigurationsdatei wurde als\"/etc/checksecurity.conf.cron\" erhalten. " "Wenn Sie Ihre Einstellungen geändert hatten, sollten Sie die Änderungen " "in die neue Datei /etc/checksecurity.conf dieses Paketes einbinden." checksecurity-2.0.14/debian/po/dz.po0000644000000000000000000000527611001331033014141 0ustar # # Translators, if you are not familiar with the PO format, gettext # documentation is worth reading, especially sections dedicated to # this format, e.g. by running: # info -n '(gettext)PO Files' # info -n '(gettext)Header Entry' # # Some information specific to po-debconf are available at # /usr/share/doc/po-debconf/README-trans # or http://www.debian.org/intl/l10n/po-debconf/README-trans # # Developers do not need to manually edit POT or PO files. 
# msgid "" msgstr "" "Project-Id-Version: checksecurity\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2006-11-23 17:13+0100\n" "PO-Revision-Date: 2006-11-27 00:38+0530\n" "Last-Translator: yangka \n" "Language-Team: dzongkha \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=utf-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=2;plural=(n!=1);\n" "X-Poedit-Language: Dzongkha\n" "X-Poedit-Country: BHUTAN\n" "X-Poedit-SourceCharset: utf-8\n" #. Type: note #. Description #: ../templates:1001 msgid "Merge old configuration" msgstr "རིམ་སྒྲིག་རྙིངམ་མཉམ་བསྡོམས་འབད་ནི།" #. Type: note #. Description #: ../templates:1001 msgid "This is your initial install of the checksecurity package, and you had an existing checksecurity.conf file from the cron package. The old configuration file was preserved as \"/etc/checksecurity.conf.cron\". If you had modified your configuration, you may want to merge those changes into the new /etc/checksecurity.conf file from this package." msgstr "འ་ནི་འདི་ཁྱོད་ཀྱི་ཞིབ་དཔྱད་སྲུང་སྐྱོབ་ཐུམ་སྒྲིལ་གྱི་འགོ་ཐོག་གཞི་འཛུགས་ཨིནམ་དང་་ཁྱོད་ལུ་ཀོརཱོན་ཐུམ་སྒྲིལ་འདི་ལས་ཞིབ་དཔྱད་རིམ་སྒྲིག་ཡིག་སྣོད་ཡོད་བཞིན་པ་ཡོད། རིམ་སྒྲིག་ཡིག་སྣོད་རྙིངམ་དེ་\"/etc/checksecurity.conf.cron\"སྦེ་ཉམས་སྲུང་འབད་ཡོདཔ་ཨིན། ཁྱོད་རའི་རིམ་སྒྲིག་ལེགས་བཅོས་འབད་ཡོད་པ་ཅིན་ཁྱོད་རང་ཐུམ་སྒྲིལ་འདི་ལས་ གསརཔ་/ལ་སོགས་པ་/ཞིབ་དཔྱད་རིམ་སྒྲིག་ཡིག་སྣོད་ནང་བསྒྱུར་བཅོས་ཚུ་མཉམ་བསྡོམས་འབད་བཏུབ་ཨིན།" checksecurity-2.0.14/debian/po/gl.po0000644000000000000000000000270210617717224014143 0ustar # Galician translation of checksecurity's debconf templates # This file is distributed under the same license as the checksecurity package. # Jacobo Tarrio , 2007. 
# msgid "" msgstr "" "Project-Id-Version: checksecurity\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2006-11-23 17:13+0100\n" "PO-Revision-Date: 2007-03-05 09:19+0100\n" "Last-Translator: Jacobo Tarrio \n" "Language-Team: Galician \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: note #. Description #: ../templates:1001 msgid "Merge old configuration" msgstr "Inclúa a configuración antiga" #. Type: note #. Description #: ../templates:1001 msgid "" "This is your initial install of the checksecurity package, and you had an " "existing checksecurity.conf file from the cron package. The old " "configuration file was preserved as \"/etc/checksecurity.conf.cron\". If you " "had modified your configuration, you may want to merge those changes into " "the new /etc/checksecurity.conf file from this package." msgstr "" "Esta é a súa instalación inicial do paquete checksecurity, pero xa tiña un " "ficheiro checksecurity.conf do paquete cron. O ficheiro de configuración " "antigo conservouse coma \"/etc/checksecurity.conf.cron\". Se modificou esa " "configuración, pode interesarlle incluír eses cambios no novo ficheiro /etc/" "checksecurity.conf deste paquete." checksecurity-2.0.14/debian/po/fr.po0000644000000000000000000000343207757107712014157 0ustar # # Translators, if you are not familiar with the PO format, gettext # documentation is worth reading, especially sections dedicated to # this format, e.g. by running: # info -n '(gettext)PO Files' # info -n '(gettext)Header Entry' # # Some information specific to po-debconf are available at # /usr/share/doc/po-debconf/README-trans # or http://www.debian.org/intl/l10n/po-debconf/README-trans # # Developers do not need to manually edit POT or PO files. 
# msgid "" msgstr "" "Project-Id-Version: checksecurity (1.0.3)\n" "POT-Creation-Date: 2003-09-24 19:14+0100\n" "PO-Revision-Date: 2003-10-02 07:43+0100\n" "Last-Translator: Christian Perrier \n" "Language-Team: French \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=iso-8859-15\n" "Content-Transfer-Encoding: 8bit\n" #. Description #: ../templates:3 msgid "Merge old configuration" msgstr "Intgration de l'ancienne configuration" #. Description #: ../templates:3 msgid "" "This is your initial install of the checksecurity package, and you had an " "existing checksecurity.conf file from the cron package. The old " "configuration file was preserved as \"/etc/checksecurity.conf.cron\". If you " "had modified your configuration, you may want to merge those changes into " "the new /etc/checksecurity.conf file from this package." msgstr "" "Vous effectuez actuellement la premire installation de checksecurity et un " "fichier checksecurity.conf issu du paquet cron a t trouv. L'ancien " "fichier a t conserv sous le nom /etc/checksecurity.conf.cron . Si vous " "avez modifi cette configuration, il peut tre ncessaire reporter ces " "modifications dans le nouveau fichier /etc/checksecurity.conf install par " "ce paquet." checksecurity-2.0.14/debian/po/eu.po0000644000000000000000000000367411001330757014151 0ustar # translation of checksecurity.po to librezale # Piarres Beobide , 2006. # Translators, if you are not familiar with the PO format, gettext # documentation is worth reading, especially sections dedicated to # this format, e.g. by running: # info -n '(gettext)PO Files' # info -n '(gettext)Header Entry' # Some information specific to po-debconf are available at # /usr/share/doc/po-debconf/README-trans # or http://www.debian.org/intl/l10n/po-debconf/README-trans # Developers do not need to manually edit POT or PO files. 
msgid "" msgstr "" "Project-Id-Version: checksecurity\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2006-11-23 17:13+0100\n" "PO-Revision-Date: 2006-11-28 21:54+0100\n" "Last-Translator: Piarres Beobide \n" "Language-Team: librezale \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=2; plural=(n != 1)\n" "X-Generator: KBabel 1.11.4\n" # Type: note # Description #. Type: note #. Description #: ../templates:1001 msgid "Merge old configuration" msgstr "Konfigurazio zaharra bateratu" # Type: note # Description #. Type: note #. Description #: ../templates:1001 msgid "" "This is your initial install of the checksecurity package, and you had an " "existing checksecurity.conf file from the cron package. The old " "configuration file was preserved as \"/etc/checksecurity.conf.cron\". If you " "had modified your configuration, you may want to merge those changes into " "the new /etc/checksecurity.conf file from this package." msgstr "Hau checksecurity paketearen lehen instalazioa da eta dagoeneko cron paketeko checksecurity.conf fitxategia duzu. Konfigurazio zaharra \"/etc/checksecurity.conf.cron\" bezala gordeko da. Konfigurazioa aldatu egin bazenu aldaketa hauek pakete honetarako /etc/checksecurity.conf fitxategi berrian bateratu nahi izan ditzakezu." checksecurity-2.0.14/debian/po/it.po0000644000000000000000000000315510617717330014156 0ustar # Italian (it) translation of debconf templates for checksecurity # Copyright (C) 2007 Free Software Foundation, Inc. # This file is distributed under the same license as the checksecurity package. # Luca Monducci , 2007. 
# msgid "" msgstr "" "Project-Id-Version: checksecurity 2.0.7 italian debconf templates\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2006-11-23 17:13+0100\n" "PO-Revision-Date: 2007-04-07 10:18+0200\n" "Last-Translator: Luca Monducci \n" "Language-Team: Italian \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=ISO-8859-1\n" "Content-Transfer-Encoding: 8bit\n" #. Type: note #. Description #: ../templates:1001 msgid "Merge old configuration" msgstr "Unire la precedente configurazione" #. Type: note #. Description #: ../templates:1001 msgid "" "This is your initial install of the checksecurity package, and you had an " "existing checksecurity.conf file from the cron package. The old " "configuration file was preserved as \"/etc/checksecurity.conf.cron\". If you " "had modified your configuration, you may want to merge those changes into " "the new /etc/checksecurity.conf file from this package." msgstr "" "Questa la prima installazione del pacchetto checksecurity, per esiste gi " "il file checksecurity.conf fornito dal pacchetto cron. Il vecchio file di " "configurazione viene preservato come \"/etc/checksecurity.conf.cron\". Se in " "passato si modificato la propria configurazione, si potrebbe volere unire " "le modifiche gi effettuate nel nuovo /etc/checksecurity.conf fornito da " "questo pacchetto."checksecurity-2.0.14/debian/po/es.po0000644000000000000000000000431110025147753014143 0ustar # check-security debconf translation to Spanish # Copyright (C) 2004 Software in the Public Interest # This file is distributed under the same license as the checksecurity package. 
# # Changes: # - Initial translation # Javier Fernandez-Sanguino Pea , 2004 # # # Traductores, si no conoce el formato PO, merece la pena leer la # documentacin de gettext, especialmente las secciones dedicadas a este # formato, por ejemplo ejecutando: # info -n '(gettext)PO Files' # info -n '(gettext)Header Entry' # # Equipo de traduccin al espaol, por favor lean antes de traducir # los siguientes documentos: # # - El proyecto de traduccin de Debian al espaol # http://www.debian.org/intl/spanish/coordinacion # especialmente las notas de traduccin en # http://www.debian.org/intl/spanish/notas # # - La gua de traduccin de po's de debconf: # /usr/share/doc/po-debconf/README-trans # o http://www.debian.org/intl/l10n/po-debconf/README-trans # msgid "" msgstr "" "Project-Id-Version: checksecurity 2.0.5\n" "POT-Creation-Date: 2003-09-24 19:14+0100\n" "PO-Revision-Date: 2004-01-20 20:54+0100\n" "Last-Translator: Javier Fernandez-Sanguino Pea \n" "Language-Team: Debian Spanish \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=ISO-8859-15\n" "Content-Transfer-Encoding: 8bit\n" #. Description #: ../templates:3 msgid "Merge old configuration" msgstr "Fusionar la configuracin antigua" #. Description #: ../templates:3 msgid "" "This is your initial install of the checksecurity package, and you had an " "existing checksecurity.conf file from the cron package. The old " "configuration file was preserved as \"/etc/checksecurity.conf.cron\". If you " "had modified your configuration, you may want to merge those changes into " "the new /etc/checksecurity.conf file from this package." msgstr "" "Esta es la primera vez que instala el paquete checksecurity, sin embargo, " "tiene el fichero checksecurity.conf del paquete cron. Esta configuracin " "antigua ha sido preservada movindola al fichero /etc/checksecurity.conf.cron. Quizs " "desee fusionar los cambios en el nuevo /etc/checksecurity.conf que provee " "este paquete." 
checksecurity-2.0.14/debian/po/pt.po0000644000000000000000000000264311043430265014157 0ustar # Portuguese translation of checksecurity's debconf messages. # 2006-11-29 - Rui Branco - initial translation # msgid "" msgstr "" "Project-Id-Version: checksecurity 2.0.9\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2006-11-23 17:13+0100\n" "PO-Revision-Date: 2006-11-29 00:35+0000\n" "Last-Translator: Rui Branco \n" "Language-Team: Portuguese \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit" #. Type: note #. Description #: ../templates:1001 msgid "Merge old configuration" msgstr "Fazer 'merge' à configuração antiga" #. Type: note #. Description #: ../templates:1001 msgid "" "This is your initial install of the checksecurity package, and you had an " "existing checksecurity.conf file from the cron package. The old " "configuration file was preserved as \"/etc/checksecurity.conf.cron\". If you " "had modified your configuration, you may want to merge those changes into " "the new /etc/checksecurity.conf file from this package." msgstr "" "Esta é a instalação inicial do pacote checksecurity, e possui um ficheiro " "checksecurity.conf do pacote cron. O seu ficheiro de configuração antigo " "foi preservado como \"/etc/checksecurity.conf.cron\". Se modificou a sua " "configuração, pode ter que fazer um 'merge' dessas alterações para o novo " "ficheiro /etc/checksecurity.conf deste pacote." checksecurity-2.0.14/debian/po/templates.pot0000644000000000000000000000253307734357410015730 0ustar # # Translators, if you are not familiar with the PO format, gettext # documentation is worth reading, especially sections dedicated to # this format, e.g. 
by running: # info -n '(gettext)PO Files' # info -n '(gettext)Header Entry' # # Some information specific to po-debconf are available at # /usr/share/doc/po-debconf/README-trans # or http://www.debian.org/intl/l10n/po-debconf/README-trans # # Developers do not need to manually edit POT or PO files. # #, fuzzy msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2003-09-24 19:14+0100\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=CHARSET\n" "Content-Transfer-Encoding: 8bit\n" #. Description #: ../templates:3 msgid "Merge old configuration" msgstr "" #. Description #: ../templates:3 msgid "" "This is your initial install of the checksecurity package, and you had an " "existing checksecurity.conf file from the cron package. The old " "configuration file was preserved as \"/etc/checksecurity.conf.cron\". If you " "had modified your configuration, you may want to merge those changes into " "the new /etc/checksecurity.conf file from this package." msgstr "" checksecurity-2.0.14/debian/po/vi.po0000644000000000000000000000313511001331166014141 0ustar # Vietnamese Translation for checksecurity. # Copyright © 2005 Free Software Foundation, Inc. # Clytie Siddall , 2005. 
# msgid "" "" msgstr "Project-Id-Version: checksecurity 2.0.7-6\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2006-11-23 17:13+0100\n" "PO-Revision-Date: 2006-11-24 18:52+1030\n" "Last-Translator: Clytie Siddall \n" "Language-Team: Vietnamese \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=utf-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=1; plural=0\n" "X-Generator: Mac PO Editor 1.0a9" #.Type: note #.Description #: ../templates:1001 msgid "Merge old configuration" msgstr "Trộn cấu hình cũ" #.Type: note #.Description #: ../templates:1001 msgid "" "This is your initial install of the checksecurity package, and you had an " "existing checksecurity.conf file from the cron package. The old " "configuration file was preserved as \"/etc/checksecurity.conf.cron\". If you " "had modified your configuration, you may want to merge those changes into " "the new /etc/checksecurity.conf file from this package." msgstr "Đây là lần đầu tiên cài đặt gói checksecurity (kiểm tra bảo mật), còn bạn đã có " "một tập tin cấu hình « checksecurity.conf » cũ từ gói « cron ». Tập tin cấu hình cũ này đã được giữ lại dạng « /etc/checksecurity.conf.cron ». Nếu bạn đã sửa đổi cấu hình chưa thì có thể muốn trộn các thay đổi đó với tập tin « /etc/checksecurity.conf » mới của gói này." checksecurity-2.0.14/debian/po/pt_BR.po0000644000000000000000000000355211001331150014525 0ustar # # Translators, if you are not familiar with the PO format, gettext # documentation is worth reading, especially sections dedicated to # this format, e.g. by running: # info -n '(gettext)PO Files' # info -n '(gettext)Header Entry' # # Some information specific to po-debconf are available at # /usr/share/doc/po-debconf/README-trans # or http://www.debian.org/intl/l10n/po-debconf/README-trans # # Developers do not need to manually edit POT or PO files. 
# msgid "" msgstr "" "Project-Id-Version: checksecurity_2.0.3\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2006-11-23 17:13+0100\n" "PO-Revision-Date: 2006-11-26 16:58-0200\n" "Last-Translator: Felipe Augusto van de Wiel (faw) \n" "Language-Team: l10n portuguese \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "pt_BR utf-8\n" #. Type: note #. Description #: ../templates:1001 msgid "Merge old configuration" msgstr "Unir com a configuração antiga" #. Type: note #. Description #: ../templates:1001 msgid "" "This is your initial install of the checksecurity package, and you had an " "existing checksecurity.conf file from the cron package. The old " "configuration file was preserved as \"/etc/checksecurity.conf.cron\". If you " "had modified your configuration, you may want to merge those changes into " "the new /etc/checksecurity.conf file from this package." msgstr "" "Esta é sua instalação inicial do pacote checksecurity e você possuía um " "arquivo checksecurity.conf fornecido pelo pacote cron. O antigo arquivo de " "configuração foi preservado com o nome de \"/etc/checksecurity.conf.cron\". " "Caso você tenha modificado sua configuração, você pode querer unir suas " "mudanças no novo arquivo /etc/checksecurity.conf deste pacote." checksecurity-2.0.14/debian/po/sv.po0000644000000000000000000000334311001330727014156 0ustar # Translators, if you are not familiar with the PO format, gettext # documentation is worth reading, especially sections dedicated to # this format, e.g. by running: # info -n '(gettext)PO Files' # info -n '(gettext)Header Entry' # Some information specific to po-debconf are available at # /usr/share/doc/po-debconf/README-trans # or http://www.debian.org/intl/l10n/po-debconf/README-trans # Developers do not need to manually edit POT or PO files. 
# , fuzzy # # msgid "" msgstr "" "Project-Id-Version: checksecurity 2.0.7-10\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2006-11-23 17:13+0100\n" "PO-Revision-Date: 2005-10-03 23:32+0200\n" "Last-Translator: Daniel Nylander \n" "Language-Team: Swedish \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=iso-8859-1\n" "Content-Transfer-Encoding: 8bit\n" #. Type: note #. Description #: ../templates:1001 msgid "Merge old configuration" msgstr "Flytta ver gammal konfiguration" #. Type: note #. Description #: ../templates:1001 msgid "" "This is your initial install of the checksecurity package, and you had an " "existing checksecurity.conf file from the cron package. The old " "configuration file was preserved as \"/etc/checksecurity.conf.cron\". If you " "had modified your configuration, you may want to merge those changes into " "the new /etc/checksecurity.conf file from this package." msgstr "" "Detta r din frsta installation av paketet checksecurity och du har redan " "en checksecurity.conf fil frn cron-paketet. Den gamla konfigurationsfilen " "blev arkiverad som \"/etc/checksecurity.conf.cron\". Om du har modifierat " "din konfiguration kanske du vill flytta ver de ndringarna till den nya /" "etc/checksecurity.conf frn detta paketet." checksecurity-2.0.14/debian/po/nl.po0000644000000000000000000000331710122652424014144 0ustar # # Translators, if you are not familiar with the PO format, gettext # documentation is worth reading, especially sections dedicated to # this format, e.g. by running: # info -n '(gettext)PO Files' # info -n '(gettext)Header Entry' # # Some information specific to po-debconf are available at # /usr/share/doc/po-debconf/README-trans # or http://www.debian.org/intl/l10n/po-debconf/README-trans # # Developers do not need to manually edit POT or PO files. 
# msgid "" msgstr "" "Project-Id-Version: checksecurity 2.0.5.1\n" "POT-Creation-Date: 2003-09-24 19:14+0100\n" "PO-Revision-Date: 2004-03-22 17:14+0100\n" "Last-Translator: Luk Claes \n" "Language-Team: Debian l10n Dutch \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=iso-8859-1\n" "Content-Transfer-Encoding: 8bit\n" #. Description #: ../templates:3 msgid "Merge old configuration" msgstr "Oude configuratie samenvoegen?" #. Description #: ../templates:3 msgid "This is your initial install of the checksecurity package, and you had an existing checksecurity.conf file from the cron package. The old configuration file was preserved as \"/etc/checksecurity.conf.cron\". If you had modified your configuration, you may want to merge those changes into the new /etc/checksecurity.conf file from this package." msgstr "Dit is uw eerste installatie van het checksecurity-pakket, en u heeft een bestaand checksecurity.conf-bestand van het cron-pakket. Het oude configuratiebestand is bewaard als \"/etc/checksecurity.conf.cron\". Als u uw configuratie had aangepast, kunt u deze wijzigingen samenvoegen met het nieuwe /etc/checksecurity.conf-bestand van dit pakket." checksecurity-2.0.14/debian/po/POTFILES.in0000644000000000000000000000004407731235524014754 0ustar [type: gettext/rfc822deb] templates checksecurity-2.0.14/debian/po/ja.po0000644000000000000000000000326511043430326014125 0ustar # # Translators, if you are not familiar with the PO format, gettext # documentation is worth reading, especially sections dedicated to # this format, e.g. by running: # info -n '(gettext)PO Files' # info -n '(gettext)Header Entry' # # Some information specific to po-debconf are available at # /usr/share/doc/po-debconf/README-trans # or http://www.debian.org/intl/l10n/po-debconf/README-trans # # Developers do not need to manually edit POT or PO files. 
# msgid "" msgstr "" "Project-Id-Version: checksecurity\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2003-09-24 19:14+0100\n" "PO-Revision-Date: 2004-03-13 22:16+0900\n" "Last-Translator: Kenshi Muto \n" "Language-Team: Japanese \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=EUC-JP\n" "Content-Transfer-Encoding: 8bit\n" #. Description #: ../templates:3 msgid "Merge old configuration" msgstr "ŤΥޡ" #. Description #: ../templates:3 msgid "" "This is your initial install of the checksecurity package, and you had an " "existing checksecurity.conf file from the cron package. The old " "configuration file was preserved as \"/etc/checksecurity.conf.cron\". If you " "had modified your configuration, you may want to merge those changes into " "the new /etc/checksecurity.conf file from this package." msgstr " checksecurity ѥåκǽΥ󥹥ȡǤcron ѥå ¸ checksecurity.conf ե뤬ޤŤե \"/etc/checksecurity.conf.cron\" ȤƻĤƤޤѹƤΤǤСѹ򿷤ѥå /etc/checksecurity.conf ˥ޡΤ褤Ǥ礦" checksecurity-2.0.14/debian/po/cs.po0000644000000000000000000000331610214254564014144 0ustar # # Translators, if you are not familiar with the PO format, gettext # documentation is worth reading, especially sections dedicated to # this format, e.g. by running: # info -n '(gettext)PO Files' # info -n '(gettext)Header Entry' # # Some information specific to po-debconf are available at # /usr/share/doc/po-debconf/README-trans # or http://www.debian.org/intl/l10n/po-debconf/README-trans # # Developers do not need to manually edit POT or PO files. # msgid "" msgstr "" "Project-Id-Version: checksecurity\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2003-09-24 19:14+0100\n" "PO-Revision-Date: 2005-01-21 14:16+0100\n" "Last-Translator: Jan Outrata \n" "Language-Team: Czech \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=ISO-8859-2\n" "Content-Transfer-Encoding: 8bit\n" #. Description #: ../templates:3 msgid "Merge old configuration" msgstr "Slouen star konfigurace" #. 
Description
#: ../templates:3
msgid ""
"This is your initial install of the checksecurity package, and you had an "
"existing checksecurity.conf file from the cron package. The old "
"configuration file was preserved as \"/etc/checksecurity.conf.cron\". If you "
"had modified your configuration, you may want to merge those changes into "
"the new /etc/checksecurity.conf file from this package."
msgstr ""
"Toto je vae prvotn instalace balku checksecurity a mli jste "
"soubor checksecurity.conf z balku cron. Tento star konfiguran "
"soubor byl zachovn jako \"/etc/checksecurity.conf.cron\". Pokud jste "
"zmnili nkter nastaven, mete chtt provst tyto zmny do novho "
"souboru /etc/checksecurity.conf z toho balku."

checksecurity-2.0.14/debian/checksecurity.logrotate0000644000000000000000000000032710617731065017352 0ustar
/var/log/checksecurity.log /var/log/diskfree.log /var/log/setuid/setuid.changes /var/log/checksecurity/socket.changes {
    weekly
    rotate 10
    compress
    missingok
    notifempty
    create 0640 root adm
}

checksecurity-2.0.14/debian/templates0000755000000000000000000000065507731235524014515 0ustar
Template: checksecurity/oldconf
Type: note
_Description: Merge old configuration
 This is your initial install of the checksecurity package, and you had an
 existing checksecurity.conf file from the cron package. The old
 configuration file was preserved as "/etc/checksecurity.conf.cron". If you
 had modified your configuration, you may want to merge those changes into
 the new /etc/checksecurity.conf file from this package.
checksecurity-2.0.14/debian/copyright0000644000000000000000000000216310314111273014501 0ustar
Modifications for Debian GNU/Linux Copyright 1994 Ian Jackson;

checksecurity script:
Copyright (C) 1994 Ian Jackson
Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002 Steve Greenland
Copyright (C) 2003-2005 Steve Kemp
Copyright (C) 2005 Javier Fernandez-Sanguino

The `checksecurity' script and its associated files (checksecurity.8 and
checksecurity.conf) are free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by the
Free Software Foundation; either version 2, or (at your option) any later
version.

This program is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
more details.

A copy of the GNU General Public License is available as
`/usr/share/common-licenses/GPL' in the Debian GNU/Linux distribution or on
the World Wide Web at `http://www.gnu.org/copyleft/gpl.html'. You can also
obtain it by writing to the Free Software Foundation, Inc., 51 Franklin St,
Fifth Floor, Boston, MA 02110-1301 USA

checksecurity-2.0.14/debian/checksecurity.cron.weekly0000644000000000000000000000215110314110513017566 0ustar
#!/bin/sh
# /etc/cron.weekly/checksecurity: Run the checksecurity script
# Steve Greenland

LOCKFILE=/var/lock/checksecurity.weekly
# The logfile we write our changes into.
LOGFILE=/var/log/checksecurity.log

umask 022

#
# Exit silently if the checksecurity package is not installed. (We may be
# here just because we're conffile left over from a previous installation).
#
[ -e /usr/sbin/checksecurity ] || exit 0

#
#
# Avoid running more than one at a time -- could happen if the
# checksecurity script lands on a network drive.
#
if [ -x /usr/bin/lockfile-create ] ; then
    lockfile-create $LOCKFILE
    if [ $? -ne 0 ] ; then
        cat <>"$LOGFILE"

#
# Clean up lockfile
#
if [ -x /usr/bin/lockfile-create ] ; then
    kill $LOCKTOUCHPID
    lockfile-remove $LOCKFILE
fi

checksecurity-2.0.14/debian/README.Debian0000644000000000000000000000161110025152406014606 0ustar
checksecurity
-------------

Checksecurity has been spun off from cron (that's why it Replaces/Depends
on it); however, old versions of the cron package provided the
checksecurity.conf configuration file. Due to the way dpkg handles conffiles
in these cases, 'checksecurity' will manage that conffile itself. There are
several reasons for this:

a) Dpkg gives bogus warnings: If you have NOT changed the checksecurity.conf
   file that was distributed with cron, but have an updated version in the
   new checksecurity package, dpkg reports that the local file has been
   modified by the user. That's bogus and confusing. The fact that the tetex
   maintainer does it all the time does not make it acceptable.

b) Under some circumstances, the conffile might get "lost".

For more information read:
http://lists.debian.org/debian-devel/2003/debian-devel-200305/msg01313.html

--- Javier Fernandez-Sanguino March 14th, 2004

checksecurity-2.0.14/debian/control0000644000000000000000000000254611464454244014175 0ustar
Source: checksecurity
Section: admin
Priority: optional
Maintainer: Ubuntu Developers
XSBC-Original-Maintainer: Javier Fernandez-Sanguino Pen~a
Standards-Version: 3.6.1
Build-Depends-Indep: debhelper (>= 4.1.16)

Package: checksecurity
Architecture: all
Depends: cron (>= 3.0pl1-74) | anacron, debconf (>= 0.5) | debconf-2.0, perl (>= 5.8.0), util-linux (>= 2.15~rc1-1)
Suggests: apt-watch | cron-apt, lockfile-progs, tiger, logcheck, tripwire | integrit | aide | samhain | fcheck, fcron
Conflicts: lockfile-progs (<< 0.1.7)
Replaces: cron
Provides:
Description: basic system security checks
 Checksecurity does some very basic system security checks, such as
 looking for changes in which programs have setuid permissions, and that
 remote filesystems are not allowed to have runnable setuid programs.
 .
 Note that these are not to be considered in any way complete, and you
 should not rely on checksecurity to actually provide any useful
 information concerning the security or vulnerability of your system.
 .
 The lockfile-progs package is only a "Suggests" because of the poor
 way that dselect handles "Recommends", but I do strongly suggest that
 you install it; it prevents /etc/cron.daily/standard from running
 multiple times if something gets jammed.
 .
 Checksecurity was previously part of the cron package.

checksecurity-2.0.14/debian/dirs0000644000000000000000000000014607731235524013450 0ustar
etc
etc/checksecurity
usr/sbin
usr/share/checksecurity
usr/share/man/man8
usr/share/lintian/overrides

checksecurity-2.0.14/debian/overrides0000644000000000000000000000010707731235524014506 0ustar
checksecurity: no-debconf-config
checksecurity: postinst-uses-db-input

checksecurity-2.0.14/plugins/0000755000000000000000000000000011462120311013001 5ustar

checksecurity-2.0.14/plugins/check-sockets0000755000000000000000000000621211206625251015467 0ustar
#!/bin/sh
#
# Check-sockets checksecurity plugin
#
# This script is designed to find the TCP/UDP sockets bound present on the
# system
#
# It is part of the 'checksecurity' package, and tests may be configured
# by the global file '/etc/checksecurity.conf' and the file
# '/etc/checksecurity/check-sockets.conf'.
#
# This check was based on the 'bound sockets' check available in SuSE's
# seccheck package
#
# Copyright (C) 1999 Marc Heuse
# Copyright (C) 2007 Javier Fernandez-Sanguino
#
# Licensed under the GNU General Public License
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

set -e

PATH=/sbin:/bin:/usr/sbin:/usr/bin

umask 027
cd /

if [ -e /etc/checksecurity/check-socket.conf ]
then
    . /etc/checksecurity/check-socket.conf
fi

if [ `/usr/bin/id -u` != 0 ] ; then
    echo "Only root has permission to run this script"
    exit 1
fi

if [ ! -x /usr/bin/lsof ] ; then
    # Exit silently, lsof is not installed
    exit 0
fi

TMPSOCKET=${LOGDIR:=/var/log/checksecurity}/sockets.new.tmp
TMPDIFF=${LOGDIR:=/var/log/checksecurity}/sockets.diff.tmp

# Guard against undefined vars
[ -z "$LOGDIR" ] && LOGDIR=/var/log/checksecurity
[ -z "$CHECKSECURITY_IGNORELINES" ] && CHECKSECURITY_IGNORELINES="^$"
if [ ! -e "$LOGDIR" ] ; then
    echo "ERROR: Log directory $LOGDIR does not exist"
    exit 1
fi

cd $LOGDIR

test -f sockets.today || touch sockets.today

# display programs with TCP/UDP bound sockets
set -o noglob
printf "\nThe following programs have got bound sockets:\n" >$TMPSOCKET
# TODO: (jfs) Enhance using netstat if lsof is not available.
# use the code @Tiger to do this.
# TODO: (jfs) Make it possible to remove
/usr/bin/lsof -i -n -P | egrep 'UDP|TCP.*LISTEN' | egrep -v 'UDP.*->.*' |
    sed 's/....[0-9]u IP.* / /' |
    sed 's/ FD TYPE DEVICE SIZE NODE NAME/PROTO PORT/' |
    sed 's/ [0-9][0-9]* / /' |
    sed 's/ PID / /' |
    sed -e 's/[ \t]\+/ /g' |
    egrep -v "$CHECKSECURITY_IGNORELINES" |
    sort -u >>$TMPSOCKET
set +o noglob

# Compare with the previous snapshot and report only the differences
if cmp -s sockets.today $TMPSOCKET >/dev/null
then
    :
else
    # diff exits with 1 when the files differ; only a real error aborts (set -e)
    diff -U0 sockets.today $TMPSOCKET >> $TMPDIFF || [ $? = 1 ]
    echo "`hostname` changes to TCP/UDP bound sockets:"
    cat $TMPDIFF
    if [ `cat $TMPDIFF | wc -l` -gt 0 -a ! -z "$CHECKSECURITY_EMAIL" ]; then
        /usr/bin/mail -s "Socket changes for `hostname -f` on `date '+%D %T'`" $CHECKSECURITY_EMAIL < $TMPDIFF
    fi
    cp $TMPDIFF sockets.changes
    mv sockets.today sockets.yesterday
    mv $TMPSOCKET sockets.today
    chown root:adm sockets.today
fi
rm -f $TMPDIFF
rm -f $TMPSOCKET
exit 0

checksecurity-2.0.14/plugins/check-passwd

#!/bin/sh
#
# Check-passwd checksecurity plugin
#
# This script is designed to check for common weaknesses in passwords
#
# It is part of the 'checksecurity' package, and tests may be configured
# by the global file '/etc/checksecurity.conf' and the file
# '/etc/checksecurity/check-passwd.conf'.
#
# Copyright (C) 2003-2005 Steve Kemp
#
# Licensed under the GNU General Public License
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

if [ `/usr/bin/id -u` != 0 ] ; then
    echo "Only root has permission to run this script"
    exit 1
fi

#
# Test for duplicate root login accounts.
#
# check-passwd.conf enables this test through CHECK_PASSWORD_WARN_UIDS;
# CHECK_PASSWORD_DUPLICATES is accepted as well.
if [ "x$CHECK_PASSWORD_DUPLICATES" = "xTRUE" ] || [ "x$CHECK_PASSWORD_WARN_UIDS" = "xTRUE" ]; then

    # Count of UID 0 accounts
    NROOT=`awk -F: '{if (0 == $3) print;}' /etc/passwd | wc -l`

    # If more than one warn
    if [ "$NROOT" != "1" ]; then

        # Warn and display offenders
        echo "There is more than one root login account"
        awk -F: '{if (0 == $3) print;}' /etc/passwd
    fi
fi

#
# Test for accounts which have no password.
#
if [ "x$CHECK_PASSWORD_EMPTY" = "xTRUE" ]; then

    #
    # Only test for empty passwords if there is /etc/shadow.
    #
    if [ -e /etc/shadow ] ; then
        awk -F: '{print $1,$2}' /etc/shadow | while read username passwd
        do
            case $passwd in
                "")
                    echo User $username has an empty password
                    ;;
                *)
                    ;;
            esac
        done
    fi
fi

checksecurity-2.0.14/plugins/check-diskfree

#! /bin/sh
#
# Check-diskfree checksecurity plugin
#
# This script is designed to analyse the usage of the different
# disks in the system.
#
# It is part of the 'checksecurity' package, and tests may be configured
# by the global file '/etc/checksecurity.conf' and the file
# '/etc/checksecurity/check-diskfree.conf'.
#
# Copyright (C) 2003-2005 Steve Kemp
#
# Licensed under the GNU General Public License
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

# Sane default, just in case
[ -z "$CHECK_DISK_PERCENT" ] && CHECK_DISK_PERCENT=90
[ -z "$LOGDIR" ] && LOGDIR=/var/log

# Temporary file
[ ! -d /var/run/checksecurity ] && { umask 022; mkdir -p /var/run/checksecurity; }
TMPDF=/var/run/checksecurity/diskfree.log.tmp
>$TMPDF

# Reduce each local filesystem line of df to "<percent used> <mount point>"
df -klP | grep ^/ | grep -v /media/ | sed -e 's/.*[[:space:]]\([[:digit:]]\+\)%/\1/' |
while read PERC LOCATION; do
    if [ "$PERC" -gt "$CHECK_DISK_PERCENT" ]; then
        echo "Usage warning on $CHECK_DISK_PERCENT" >>$TMPDF
        echo "${PERC}% ALERT - $LOCATION" >>$TMPDF
    fi
done

# The default behaviour is to output to stdout
cat $TMPDF
if [ -s "$TMPDF" ] && [ ! -z "$CHECKSECURITY_EMAIL" ]; then
    /usr/bin/mail -s "Diskfree alert for `hostname -f` on `date '+%D %T'`" $CHECKSECURITY_EMAIL < $TMPDF
fi

mv $TMPDF $LOGDIR/diskfree.log
exit 0

checksecurity-2.0.14/plugins/check-setuid

#!/bin/sh
#
# Check-setuid checksecurity plugin
#
# This script is designed to find the setuid files present on the system
#
# It is part of the 'checksecurity' package, and tests may be configured
# by the global file '/etc/checksecurity.conf' and the file
# '/etc/checksecurity/check-setuid.conf'.
#
# Copyright (C) 2003-2005 Steve Kemp
#
# Licensed under the GNU General Public License
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

set -e

PATH=/sbin:/bin:/usr/sbin:/usr/bin

umask 027
cd /

if [ -e /etc/checksecurity/check-setuid.conf ]
then
    . /etc/checksecurity/check-setuid.conf
fi

if [ `/usr/bin/id -u` != 0 ] ; then
    echo "Only root has permission to run this script"
    exit 1
fi

TMPSETUID=${LOGDIR:=/var/log/setuid}/setuid.new.tmp
TMPDIFF=${LOGDIR:=/var/log/setuid}/setuid.diff.tmp

#
# Check for NFS/AFS mounts that are not nosuid/nodev
#
if [ ! "$CHECKSECURITY_NONFSAFS" = "TRUE" ] ; then
    # temporarily disable error exit, as grep may give errors if no nfs/afs
    # are mounted.
    set +e
    nfssys=`mount | grep -E 'type (nfs|afs)' | grep -vE '\(.*(nosuid|noexec).*nodev.*\)'`
    nfssyscnt=`echo $nfssys |grep "[a-z]"| wc -l`
    set -e
    if [ $nfssyscnt -gt 0 ] ; then
        echo "The following NFS or AFS filesystems are mounted insecurely:"
        echo ""
        echo $nfssys
        echo ""
        echo "If this is intentional and you have supreme confidence in the"
        echo "security of the server for these file systems, you may disable"
        echo "this message by editing the value of CHECKSECURITY_NONFSAFS in"
        echo "the file /etc/checksecurity/check-setuid.conf."
    fi
fi

if [ "$CHECKSECURITY_NOFINDERRORS" = "TRUE" ] ; then
    exec 9>&2
    exec 2>/dev/null
fi

# Guard against undefined vars
[ -z "$LOGDIR" ] && LOGDIR=/var/log/setuid
if [ ! -e "$LOGDIR" ] ; then
    echo "ERROR: Log directory $LOGDIR does not exist"
    exit 1
fi

if [ -n "$CHECKSECURITY_PATHFILTER" ]; then
    PATHCHK="( $CHECKSECURITY_PATHFILTER ) -prune -o"
else
    # No path filter: prune nothing. An unconditional "-prune -o" would
    # prune every start point and leave the report empty.
    PATHCHK=""
fi
if [ -n "$CHECKSECURITY_DEVICEFILTER" ]; then
    DEVCHK="-a -not ( $CHECKSECURITY_DEVICEFILTER )"
else
    DEVCHK=""
fi

# This is the only way to pass '*' through a variable (NODEVDIRS) -- Marc
set -o noglob

# -perm /06000 matches files with the setuid or the setgid bit set
# (current GNU find rejects the older "+06000" spelling).
ionice -t -c3 \
find `mount | grep -vE "$CHECKSECURITY_FILTER" | cut -d ' ' -f 3` \
    -xdev $PATHCHK \
    \( -type f -perm /06000 -o \( \( -type b -o -type c \) \
    $DEVCHK \) \) \
    -ignore_readdir_race \
    -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" |
    sort -k 12 >$TMPSETUID

set +o noglob

if [ "$CHECKSECURITY_NOFINDERRORS" = "TRUE" ] ; then
    exec 2>&9
fi

cd $LOGDIR

test -f setuid.today || touch setuid.today

# Compare with the previous snapshot and report only the differences
if cmp -s setuid.today $TMPSETUID >/dev/null
then
    :
else
    # diff exits with 1 when the files differ; only a real error aborts (set -e)
    diff -U0 setuid.today $TMPSETUID >> $TMPDIFF || [ $? = 1 ]
    echo "`hostname` changes to setuid programs and devices:"
    cat $TMPDIFF
    if [ `cat $TMPDIFF | wc -l` -gt 0 -a ! -z "$CHECKSECURITY_EMAIL" ]; then
        /usr/bin/mail -s "Setuid changes for `hostname -f` on `date '+%D %T'`" $CHECKSECURITY_EMAIL < $TMPDIFF
    fi
    # Log the changes
    cp $TMPDIFF setuid.changes
    mv setuid.today setuid.yesterday
    mv $TMPSETUID setuid.today
    chown root:adm setuid.today
fi
rm -f $TMPDIFF
rm -f $TMPSETUID
exit 0

checksecurity-2.0.14/ChangeLog

2.0.0
-----

  * Completely rewrote checksecurity.
  * Added plugins.
  * Added manpages.

Steve
--
www.steve.org.uk

checksecurity-2.0.14/etc/

checksecurity-2.0.14/etc/global-checksecurity.conf

#
# This is the global configuration file for checksecurity, it
# defines several common settings, and controls which of the
# tests are enabled.
#

##
## This is the global configuration section.
##

#
# MAILTO controls where the results of the tests will be mailed
# to upon alert conditions.
#
MAILTO=root

# If the CHECKSECURITY_EMAIL is set, the report is mailed to the given
# address. Note that if you set this, it is *assumed* that you have
# /usr/bin/mail that accepts -s; the bsd-mailx package provides this; or
# you can install mutt and create a link, or some other
# alternative. No, I'm not going to fix it to write the appropriate
# headers and use sendmail (although I'd consider patch), nor am I
# going to add a {Depends|Recommends|Suggests} to this package.
# Do not submit bugs about this unless you include the above mentioned
# patch. You enabled this option -- you take responsibility.
#
#CHECKSECURITY_EMAIL="root"

#
# This is the path which the scripts are given when they are run.
#
PATH=/usr/sbin:/usr/bin:/sbin:/bin

##
## The next group of settings control which checks are enabled.
##

# Which checks to run daily?
CHECK_DAILY="DISKFREE PASSWD SOCKETS"
# Which checks to run weekly?
CHECK_WEEKLY="SETUID"

#
# Check for mounts which have very little disk space free.
#
CHECK_DISKFREE="TRUE"
# Configure the checks in /etc/checksecurity/check-diskfree.conf

#
# Check passwords
#
CHECK_PASSWD="TRUE"
# Configure the checks in /etc/checksecurity/check-passwd.conf

#
# Check setuid files
#
CHECK_SETUID="TRUE"
# Configure the checks in /etc/checksecurity/check-setuid.conf

#
# Check open sockets
#
CHECK_SOCKETS="TRUE"
# Configure the checks in /etc/checksecurity/check-socket.conf

checksecurity-2.0.14/etc/check-setuid.conf

#
# This is the check-setuid script configuration file contained
# in the checksecurity package.
#
# These configuration variables may be set:
#
# CHECKSECURITY_FILTER
# CHECKSECURITY_NOFINDERRORS
# CHECKSECURITY_NONFSAFS
# CHECKSECURITY_DEVICEFILTER
# CHECKSECURITY_PATHFILTER
# LOGDIR
#
# Each is described in its own section below -- search for ####
# as a section divider.
#

####
#
# The CHECKSECURITY_FILTER variable is used as an argument to
# "grep -vE" to filter lines from the output of the "mount" command.
#
# The default is not to check the following file systems:
#
#  type proc
#  type bind
#  type msdos
#  type iso9660
#  type ncpfs
#  type smbfs
#  type nfs
#  type afs
#  type auto (They'll typically be picked up on the nfs branch)
#  type ntfs
#  type coda (similar to afs)
#  type usbdevfs
#  type none (--bind mounts)
#  type fuse
#
#  floppies (i.e. /dev/fd)
#  anything on /mnt or /amd
#
# Note that behaviour for nfs/afs has changed as of release -45. We
# no longer run find across nfs/afs disks; instead we simply report
# afs/nfs disks that are mounted insecurely (without -onosuid|noexec,nodev).
# You can disable this report by setting the CHECKSECURITY_NONFSAFS
# variable below.
#
# Use temp variables to build up CHECKSECURITY_FILTER, to make it
# a little more readable.
#
# Every alternative in a type list must be non-empty: an empty one (a '|'
# directly before the closing parenthesis) lets "type " match on its own,
# and the filter then removes every line of the mount output.
#
CS_NFSAFS='(type (nfs|afs|coda|lustre|mfs|nnpfs)|^(arla .* type xfs))'
# Uncomment the next line to get the old behaviour.
#CS_NFSAFS='(nfs|afs) \(.*(nosuid|noexec).*nodev.*\)'
#
CS_TYPES='( type (auto|proc|sysfs|bind|msdos|fat|vfat|iso9660|usbdevfs|ncpfs|smbfs|cifs|ntfs|devpts|binfmt_misc|shfs|lufs|none|fuse))|'$CS_NFSAFS
#
CS_OPTS='\(.*(nosuid|noexec).*\)'
#
# Exclude floppy disks
# NOTE: If you want to exclude all /dev use CHECKSECURITY_DEVICEFILTER
# below
CS_DEVS='^/dev/fd'
#
# Do not traverse /mnt (external mounts) or /vicep (AFS fileserver mounts)
#
CS_DIRS='on (/mnt|/vicep)'
#
CHECKSECURITY_FILTER="$CS_TYPES|$CS_OPTS|$CS_DEVS|$CS_DIRS"
#
# Note: You can also disable the check-setuid check entirely by setting
#
# CHECKSECURITY_PATHFILTER="-path /*"
#
# Clear the temporary variables.
#
unset CS_NFSAFS CS_TYPES CS_DIRS CS_OPTS
#

####
#
# The CHECKSECURITY_NOFINDERRORS, if set to "TRUE" (case sensitive),
# redirects any errors from the find command used in checksecurity
# to /dev/null.
#
CHECKSECURITY_NOFINDERRORS="FALSE"

####
#
# The CHECKSECURITY_NONFSAFS, if set to "TRUE" (case sensitive),
# disables the message about insecurely mounted nfs/afs disks.
#
CHECKSECURITY_NONFSAFS="FALSE"

####
#
# The CHECKSECURITY_DEVICEFILTER lets you tell find not to report
# devices in those directories (if you choose the daily emails,
# devices like /dev/pts/?, /dev/tty?, or /dev/urandom will change
# often and clutter your mailbox). Also, if the system gets rebooted
# often many changes will be reported after a reboot due to differences
# in timestamps for devices under /dev as they get recreated on reboot.
#
# Note that these directories are still searched for suid executables.
# Also note that *something* must be defined, which is why the default is
# "-false".
# Examples:
#CHECKSECURITY_DEVICEFILTER="-path /dev/*"
#CHECKSECURITY_DEVICEFILTER="-path /dev/* -o -path /home/ftp/dev/*"
CHECKSECURITY_DEVICEFILTER="-false"

####
# The CHECKSECURITY_PATHFILTER variable lets you set a pattern of
# pathnames that you don't want to check at all. You hopefully know
# what you're doing if you do this :-).
# Example:
# CHECKSECURITY_PATHFILTER="-path /dev/rd* -o -path /var/home/ftp*"
CHECKSECURITY_PATHFILTER="-false"

####
#
# Location of setuid file databases.
#
LOGDIR=/var/log/setuid

checksecurity-2.0.14/etc/check-socket.conf

#
# This is the check-socket script configuration file contained
# in the checksecurity package.
#
# These configuration variables may be set:
#
# CHECKSECURITY_IGNORELINES
# LOGDIR
#
# Each is described in its own section below -- search for ####
# as a section divider.
#
####

####
#
# Location of socket status databases.
#
LOGDIR=/var/log/checksecurity

####
#
# Lines that will be ignored; you can use here any syntax
# that 'egrep' will understand. Output lines that match
# the regular expression defined here will be ignored.
#
# Example: ignore all rpc processes
# CHECKSECURITY_IGNORELINES="^rpc\..*"
#
# Standard, just ignore empty lines:
CHECKSECURITY_IGNORELINES="^$"

checksecurity-2.0.14/etc/check-diskfree.conf

#
# This is the configuration file for the disk space check
# which checksecurity will perform via the 'check-diskfree' plugin.
#
# To disable this series of tests edit /etc/checksecurity.conf
# and set 'CHECK_DISKFREE="FALSE"'.
#

##
##
# If the disk usage of any partition becomes more than 70% full
# then we will generate an alert.
#
# Valid values are "0" - "100"
#
##
CHECK_DISK_PERCENT="70"

checksecurity-2.0.14/etc/check-passwd.conf

#
# This is the configuration file for the password checks
# which checksecurity will perform via the 'check-passwd' plugin.
#
#
# To disable this series of tests edit /etc/checksecurity.conf
# and set 'CHECK_PASSWD="FALSE"'.
#

##
##
# Check for duplicate UID's.
#
# Valid values are "TRUE" or "FALSE".
##
CHECK_PASSWORD_WARN_UIDS="TRUE"

##
# The following controls whether we should warn about any
# accounts which do not have a password set.
#
# Valid values are "TRUE" or "FALSE".
##
CHECK_PASSWORD_EMPTY="TRUE"

checksecurity-2.0.14/man/

checksecurity-2.0.14/man/checksecurity.8

.\" -*- nroff -*-
.TH CHECKSECURITY 8 "2 February 1997" "Debian Linux"
.SH NAME
checksecurity \- Run a collection of simple system checks
.SH SYNOPSIS
.B checksecurity
.SH DESCRIPTION
The
.B checksecurity
command runs a small collection of simple system checks which are designed
to catch a few common security issues.
.B checksecurity
is run by
.B cron
on a daily basis.
.SH CONFIGURATION
The
.B checksecurity.conf
file defines several configuration variables:
.BR MAILTO ,
.BR CHECK_DISKFREE ,
.BR CHECK_PASSWD
and
.BR CHECK_SETUID
.BR LOGDIR .
Each is described below.
.PP
The checksecurity program works with a collection of plugins which are
located in /usr/share/checksecurity and are configured individually by
their own configuration file.
.PP
.B CHECK_PASSWD
If this is set to
.B TRUE
then the check-passwd script will be invoked. This script is designed to
report upon system accounts which have no passwords.
.PP
.B CHECK_DISKFREE
If this is set to
.B TRUE
then the check-diskfree script will be invoked and will allow an alert to
be sent if any mounted partition is running short on disk space.
.PP
.B CHECK_SETUID
If this is set to
.B TRUE
then the check-setuid script will be invoked; this will compare the setuid
binaries upon the system to those that existed previously and show the
differences.
.SH FILES
.TP
.I /etc/checksecurity.conf
checksecurity configuration file
.SH "SEE-ALSO"
See also
.BR check-diskfree (8),
.BR check-setuid (8),
and
.BR check-passwd (8)

checksecurity-2.0.14/man/check-setuid.8

.\" -*- nroff -*-
.TH CHECKSECURITY 8 "2 February 1997" "Debian Linux"
.SH NAME
checksecurity \- check for changes to setuid programs
.SH SYNOPSIS
.B checksecurity
.SH DESCRIPTION
The
.B checksecurity
command scans the mounted file systems (subject to the filter defined
in /etc/checksecurity.conf) and compares the list of setuid programs to the
list created on the previous run. Any changes are printed to standard
output. Also, it generates a list of
.I nfs
and
.I afs
filesystems that are mounted insecurely (i.e. they are missing the
.I nodev
and either the
.I noexec
or
.I nosuid
flags).
.PP
.B checksecurity
is run by
.B cron
on a daily basis, and the output stored in /var/log/setuid/setuid.changes.
.SH CONFIGURATION
The
.B checksecurity.conf
file defines several configuration variables:
.BR CHECKSECURITY_FILTER ,
.BR CHECKSECURITY_NOFINDERRORS ,
.BR CHECKSECURITY_NONFSAFS ,
.BR CHECKSECURITY_EMAIL ,
.BR CHECKSECURITY_DEVICEFILTER ,
.BR CHECKSECURITY_PATHFILTER ,
and
.BR LOGDIR .
Each is described below.
.PP
The
.B CHECKSECURITY_FILTER
environment variable is the argument of 'grep \-vE' applied to the
output of the
.B mount
command. In other words, the value of
.B CHECKSECURITY_FILTER
is a regular expression that removes matching lines from those file
systems that will be scanned. The default value removes all file systems
of type
.I proc, bind, msdos, iso9660, ncpfs, nfs, afs,
.I smbfs, auto, ntfs, coda
file systems, anything mounted on /dev/fd*, anything mounted on /mnt or
/amd, and anything mounted with option nosuid or noexec.
.PP
The
.B checksecurity.conf
file is sourced from
.B checksecurity,
so you could do some fairly tricky things to define
.BR CHECKSECURITY_FILTER .
.PP
The
.B CHECKSECURITY_NOFINDERRORS
environment variable, if set to the literal "TRUE", disables find errors
from checksecurity (actually, it re\-routes them to
.B /dev/null
).
.PP
The
.B CHECKSECURITY_NONFSAFS
environment variable, if set to the literal "TRUE", disables the message
about
.I nfs
and
.I afs
file systems that are mounted without the
.I nodev
and either the
.I noexec
or
.I nosuid
options.
.PP
If set, the
.B CHECKSECURITY_EMAIL
variable defines who is sent a copy of the setuid.changes file.
.PP
The
.B CHECKSECURITY_DEVICEFILTER
variable specifies a
.B find
clause for which matching block and character device files will not be
monitored for changing owners and permissions. For example, if you don't
want to check for permission changes on tty device files beneath /dev,
you could set the following:
.PP
.RS
CHECKSECURITY_DEVICEFILTER='\-path /dev/tty*'
.RE
.PP
Note that any added or modified suid programs under that path would
still be detected.
If you want to specify multiple expressions, separate them with '\-o',
but there is no need to surround the whole clause with parentheses.
To disable this filter, specify it as
\&'\-false' (which is the default).
.PP
Note that if the system gets restarted often checksecurity will report a
lot of changes in the /dev/ subdirectory due to timestamp changes. In this
case you might want to change it to:
.PP
.RS
CHECKSECURITY_DEVICEFILTER='\-path /dev/*'
.RE
.PP
The
.B CHECKSECURITY_PATHFILTER
variable specifies a
.B find
clause which will be pruned from the search path.
.B This means that the entire subtree will be completely skipped.
Thus, if you specify
.PP
.RS
CHECKSECURITY_PATHFILTER='\-path /var/ftp'
.RE
.PP
then the entire /var/ftp tree will be skipped. To disable this filter,
specify it as '\-false' (which is the default).
.PP
.B LOGDIR
sets the name of the directory which stores the files which track the
permission and ownership changes. By default, they are in
.BR /var/log/setuid .
.SH FILES
.TP
.I /etc/checksecurity.conf
checksecurity configuration file
.TP
.I /var/log/setuid/setuid.today
setuid files from the most recent run
.TP
.I /var/log/setuid/setuid.yesterday
setuid files from the previous run

checksecurity-2.0.14/man/check-diskfree.8

.\" -*- nroff -*-
.TH CHECK-DISKFREE 8 "2 February 1997" "Debian Linux"
.SH NAME
check-diskfree \- check for mounted filesystems nearing capacity
.SH SYNOPSIS
.B check-diskfree
.SH DESCRIPTION
The
.B check-diskfree
command scans mounted filesystems and allows alerts to be sent when
usage exceeds a given threshold. This is a plugin which is invoked by
.BR checksecurity (8)
if enabled.
.SH CONFIGURATION
The
.B check-diskfree.conf
file defines the configuration variable:
.BR CHECK_DISK_PERCENT
which is described below.
.PP
The
.B CHECK_DISK_PERCENT
variable is the percentage full the filesystem must be before an alert is
sent. Valid values are any numerical value between 1 and 100.
.SH FILES
.TP
.I /etc/checksecurity.conf
Specifies whether this script is invoked
.TP
.I /etc/checksecurity/check-diskfree.conf
The configuration file.

checksecurity-2.0.14/man/check-passwd.8

.\" -*- nroff -*-
.TH CHECK-PASSWD 8 "2 February 1997" "Debian Linux"
.SH NAME
check-passwd \- check for empty or duplicate system accounts.
.SH SYNOPSIS
.B check-passwd
.SH DESCRIPTION
The
.B check-passwd
command scans the system password file, and looks for either duplicate
accounts or accounts without a password set. This is a plugin which is
invoked by
.BR checksecurity (8)
if enabled.
.SH CONFIGURATION
The
.B check-passwd.conf
file defines the configuration variables:
.BR CHECK_PASSWORD_WARN_UIDS
and
.BR CHECK_PASSWORD_EMPTY .
Each is described below.
.PP
The
.B CHECK_PASSWORD_EMPTY
variable controls whether this script will warn about accounts with empty
passwords. Valid values are
.B TRUE
or
.B FALSE
.PP
The
.B CHECK_PASSWORD_WARN_UIDS
variable controls whether this script will warn about duplicate accounts
sharing the same UID within the passwords file. Valid values are
.B TRUE
or
.B FALSE
.SH FILES
.TP
.I /etc/checksecurity.conf
Specifies whether this script is invoked
.TP
.I /etc/checksecurity/check-passwd.conf
The configuration file.

checksecurity-2.0.14/README.Debian

checksecurity
-------------

  checksecurity is a simple package which will scan your system for
 several simple security holes.

  It uses a simple collection of plugins, all of which are shell scripts
 which are configured by environmental variables.

  This release is the first release featuring this modularisation
 so there may well be bugs lurking in the code.


Plugins
-------

  Plugins are located in /usr/share/checksecurity, with a prefix of
 'check-'.

  These files are each given the contents of the configuration file
 '/etc/checksecurity/name.conf' in their environment.

  The scripts and configuration files are all documented in the included
 manpages.


Tests
-----

  Currently the plugins supplied perform the following tests:

  check_passwd:
    * Check for more than one UID 0 account in /etc/passwd
    * Check for accounts with no passwords.
    * Check for accounts with login == password.

  check_setuid:
    * Check permissions on setuid files within the system.

  check_diskfree
    * Check that all mounted partitions do not exceed a given
      threshold of used space.


Feedback
--------

  Ideas and contributed scripts would be appreciated.

Steve
--
www.steve.org.uk

checksecurity-2.0.14/Makefile

#
# This is the makefile for the Debian checksecurity package.
#
# It installs the software in $(PREFIX)/usr/sbin, etc.
#

PREFIX=
CONFDIR=$(PREFIX)/etc
PLUGINDIR=$(PREFIX)/usr/share/checksecurity

install: clean
	install -d $(PREFIX)/usr/sbin
	install -d $(PREFIX)/usr/share/man/man8
	install -d $(CONFDIR)
	install -d $(CONFDIR)/checksecurity
	install -d $(PLUGINDIR)
	cp bin/checksecurity $(PREFIX)/usr/sbin
	chown root:root $(PREFIX)/usr/sbin/checksecurity
	chmod 755 $(PREFIX)/usr/sbin/checksecurity
	cp man/checksecurity.8 $(PREFIX)/usr/share/man/man8
	cp man/check-diskfree.8 $(PREFIX)/usr/share/man/man8
	cp man/check-passwd.8 $(PREFIX)/usr/share/man/man8
	cp man/check-setuid.8 $(PREFIX)/usr/share/man/man8
	cp etc/check-setuid.conf $(CONFDIR)/checksecurity
	cp etc/check-socket.conf $(CONFDIR)/checksecurity
	chmod 744 $(CONFDIR)/checksecurity/check-setuid.conf
	chmod 744 $(CONFDIR)/checksecurity/check-socket.conf
	cp etc/check-passwd.conf $(CONFDIR)/checksecurity
	chmod 744 $(CONFDIR)/checksecurity/check-passwd.conf
	cp etc/check-diskfree.conf $(CONFDIR)/checksecurity
	chmod 744 $(CONFDIR)/checksecurity/check-diskfree.conf
	cp etc/global-checksecurity.conf $(CONFDIR)/checksecurity.conf
	cp plugins/check-* $(PLUGINDIR)
	chown root:root $(PLUGINDIR)/check-*
	chmod 755 $(PLUGINDIR)/check-*
	chmod -x $(CONFDIR)/checksecurity/*.conf

# Remove what the install target put in place, including the four manpages
uninstall:
	rm -f $(PREFIX)/usr/sbin/checksecurity
	rm -f $(PREFIX)/usr/share/man/man8/checksecurity.8
	rm -f $(PREFIX)/usr/share/man/man8/check-diskfree.8
	rm -f $(PREFIX)/usr/share/man/man8/check-passwd.8
	rm -f $(PREFIX)/usr/share/man/man8/check-setuid.8
	rm -f $(CONFDIR)/checksecurity.conf
	rm -rf $(CONFDIR)/checksecurity
	rm -rf $(PLUGINDIR)

clean:
	-find . -name '*~' -print | xargs rm -f
	-rm -f build-stamp
	-rm -f debian/files

checksecurity-2.0.14/bin/

checksecurity-2.0.14/bin/checksecurity

#!/usr/bin/perl
#
# Debian's checksecurity.
# Runs a set of plugins which check the security of an installed
# system.
#
# (c) 2003-2005 Steve Kemp, http://www.steve.org.uk
# (c) 2005 Javier Fernandez-Sanguino
# Licensed under the GNU General Public License
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
#

use strict;
use Env;
use Getopt::Long;

my $opt_debug = 0;
GetOptions(
    'debug!' => \$opt_debug,
);

# Are we root?
if ( $> != 0 )
{
    print STDERR "Sorry, only root can run checksecurity\n";
    exit 1;
}

#
# The fixed settings we work with.
#
my $CONFIG     = "/etc/checksecurity.conf";
my $PLUGIN_DIR = "/usr/share/checksecurity";
my $VERSION    = "2.0.7";

# The argument determines which checks will be run
my $period = "all";
$period = $ARGV[0] if defined $ARGV[0];
# Accepted periods
if ( $period !~ /^(all|daily|weekly)$/ ) {
    print STDERR "Unknown period requested ($period) reverting to 'all'\n";
    $period = "all";
}

# Copy of the environmental variables.
my %SAFE_ENV = %ENV;

# Environmental settings we read from the configuration file.
my %GLOBAL_ENV = ();

# The environment that we send to the plugins we call.
my %PLUGIN_ENV = ();

#
# Source the configuration file.
#
if ( -e $CONFIG )
{
    %GLOBAL_ENV = readConfig( $CONFIG );
}
else
{
    print <) ) {
        chomp $line;
        # A trailing backslash continues the setting on the next line
        if ($line =~ s/\\$//) {
            $line .= <FILY>;
            redo unless eof(FILY);
        }

        # Skip lines beginning with comments
        next if ( $line =~ /^([ \t]*)\#/ );

        # Skip blank lines
        next if ( length( $line ) < 1 );

        # Strip trailing comments.
        if ( $line =~ /(.*)\#(.*)/ )
        {
            $line = $1;
        }

        # Find variable settings
        if ( $line =~ /([^=]+)=([^\n]+)/ )
        {
            my $key = $1;
            my $val = $2;

            # Strip leading and trailing whitespace.
            $key =~ s/^\s+//;
            $key =~ s/\s+$//;
            $val =~ s/^\s+//;
            $val =~ s/\s+$//;

            # Strip enclosing "'s
            if ( $val =~ /^['"](.*)['"]$/ )
            {
                $val = $1;
            }

            # Store value.
            $HASH{ $key } = $val;
        }
    }
    close(FILY);

    return(%HASH);
}
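
How the two `mount` filters used by check-setuid (the CHECKSECURITY_FILTER built in check-setuid.conf and the NFS/AFS report in the plugin) select filesystems, as an added example that is not part of the checksecurity package. The mount listing is constructed, and the function names `scan_targets`, `insecure_network_mounts` and `filter_is_overbroad` are assumptions introduced here; the last NFS line shows that the report's regular expression only recognises nosuid/noexec when it precedes nodev.

```shell
#!/bin/sh
# Added example (not part of checksecurity): behaviour of check-setuid's
# mount filters on a constructed `mount` listing.

# Constructed sample of `mount` output; hosts and paths are made up.
SAMPLE_MOUNTS='/dev/sda1 on / type ext3 (rw,errors=remount-ro)
proc on /proc type proc (rw,noexec,nosuid,nodev)
/dev/sda2 on /usr type ext3 (rw)
/dev/sda3 on /home type ext3 (rw,nosuid,nodev)
/dev/fd0 on /floppy type vfat (rw)
/dev/sdb1 on /mnt/backup type ext3 (rw)
fileserver:/export on /srv/data type nfs (rw,addr=192.0.2.10)
fileserver:/home on /srv/home type nfs (rw,nosuid,nodev)
fileserver:/scratch on /srv/scratch type nfs (rw,nodev,nosuid)'

# Filter assembled the way check-setuid.conf does it. Each type alternative
# is non-empty, since an empty one would let "type " match every line
# under GNU grep.
CS_NFSAFS='(type (nfs|afs|coda|lustre|mfs|nnpfs)|^(arla .* type xfs))'
CS_TYPES='( type (auto|proc|sysfs|bind|msdos|fat|vfat|iso9660|usbdevfs|ncpfs|smbfs|cifs|ntfs|devpts|binfmt_misc|shfs|lufs|none|fuse))|'$CS_NFSAFS
CS_OPTS='\(.*(nosuid|noexec).*\)'
CS_DEVS='^/dev/fd'
CS_DIRS='on (/mnt|/vicep)'
FILTER="$CS_TYPES|$CS_OPTS|$CS_DEVS|$CS_DIRS"

# scan_targets FILTER
# Mount points that would be handed to find(1): the third field of every
# mount line the filter does NOT match (grep -vE, then cut, as in the plugin).
scan_targets() {
    printf '%s\n' "$SAMPLE_MOUNTS" | grep -vE "$1" | cut -d ' ' -f 3
    return 0
}

# insecure_network_mounts
# Mount points of NFS/AFS filesystems the plugin would report, using the
# same two greps as check-setuid. Option order matters to the second one:
# "(rw,nodev,nosuid)" carries both options but is still reported.
insecure_network_mounts() {
    printf '%s\n' "$SAMPLE_MOUNTS" |
        grep -E 'type (nfs|afs)' |
        grep -vE '\(.*(nosuid|noexec).*nodev.*\)' |
        cut -d ' ' -f 3
    return 0
}

# filter_is_overbroad FILTER
# True when the filter removes every mount line, so that no mount point at
# all is passed to find and the setuid inventory no longer covers the
# filesystems the administrator expects.
filter_is_overbroad() {
    [ -z "$(scan_targets "$1")" ]
}

echo "find start points:       $(scan_targets "$FILTER" | tr '\n' ' ')"
echo "reported network mounts: $(insecure_network_mounts | tr '\n' ' ')"
if filter_is_overbroad ' type '; then
    echo "filter ' type ' excludes every mount line"
fi
```

Running the same `filter_is_overbroad` test against the live `mount` output before the weekly scan turns a filter that matches everything into a visible configuration error rather than a quietly shrunken report.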