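#!/bin/ksh
#####################################################################
#
# sec_hilites
# (formerly mailsecurityhilites.sh)
#
# This script is meant to be used with cron.
# It sends out all info gathered by:
#   authwarning.sh
#   tcpdwarning.sh
#   daemwarning.sh
#   userwarning.sh (sometimes, can activate this below)
#   errpt -a (AIX only)
# to admins.
#
# Chuck Geigner
# Feb 2000
# --------------------------------------------------------
#
# Sept 5, 2000 - modified
#   When no undue activity is reported, no file will be sent.
#   Keeps admins mbox manageable.
#   Extra check was added: syslogd ck AND
#   Corrected parsing error between "date" and wtmp.
#
# Also note - the "admin" address used is a common e-mail alias.
# If you use a different alias or want to send reports to different
# people, just replace "admin" with usernames separated with commas
# or another alias. If you wish to use admin, and it is not already
# an alias, you will need to modify sendmail's "aliases" file found
# in either /etc or /etc/mail and then run "sendmail -bi" to have
# sendmail recognize the new aliases file on the fly.
# -CTG
#
# Future mods: add optional mail log check
#
#####################################################################
#
# May 1 2003  - modified. Added errpt reporting module
# Jun 6 2003  - came back to do some cleanup, streamlining.
#               Can't believe that I did some things the way I did
#               Fixing... :)
# Jun 9 2003  - Un-kludged the date formatting.
# Jun 11 2003 - Converted syslog file checking to 1 module
#             - Converted kludgy syslog proc chk to 1 line of awk
#
# Review pass (undated):
#   - Temp files come from mktemp and are removed by an EXIT trap.
#     The fixed names /tmp/maillogs.txt and /tmp/shout.tmp were
#     world-predictable and were truncated/appended to without any
#     ownership check, which is unsafe for a script cron runs as root.
#   - Helper scripts are executed directly instead of through eval.
#   - A helper that is missing or exits non-zero is now reported as a
#     FAILED check and flags the report; before, its empty output was
#     indistinguishable from "no adverse activity".
#   - The "nothing to report" test now requires the error report to be
#     clean (ERR_RPT=0). It previously required ERR_RPT=1, which is
#     the value set when err_report.sh DID produce output, so reports
#     with errpt findings were the ones being silently discarded.
#   - mail runs in the foreground; the old "mail ... &" followed
#     immediately by "rm ${TMPFILE}" raced with mail opening its stdin.
#   - echo "...\n" (ksh-only escape handling) replaced by printf.
#
#####################################################################

# User Config area
ADMIN="admin@example.com"   ## sample value; handed to mail as ONE argument
INSTALLDIR="/usr/local/bin"
# Set which syslogd modules you call. Valid modes:
#   auth,tcpd,daemon,user,mail
# Each mode X runs ${INSTALLDIR}/Xwarning.sh.
# NOTE(review): the header lists daemwarning.sh, but mode "daemon"
# resolves to daemonwarning.sh -- confirm the installed filename.
set -A MODE auth tcpd daemon
# END user config area
###################################################################

VER="0.5-r3 Beta"
VERMSG="sec_hilites Version ${VER}. By Chuck Geigner. http://chux0r.org"
RULE="------------------------------------------------------------------------"

if [ "${1:-}" = "-v" ]; then
  printf '%s\n' "${VERMSG}"
  exit 0
fi

# Private, unpredictable temp files. mktemp creates them mode 0600 and
# fails (rather than following a planted symlink) if it cannot.
# NOTE(review): mktemp is assumed to exist on the target host; confirm
# on older AIX releases.
TMPFILE=$(mktemp /tmp/sec_hilites.XXXXXX) || exit 1
TMPOUT=$(mktemp /tmp/sec_hilites.XXXXXX) || { rm -f "${TMPFILE}"; exit 1; }

#######################################
# Remove both temp files. Installed as the EXIT trap so every exit
# path (quiet exit, mail sent, early failure) cleans up.
# Globals:   TMPFILE, TMPOUT (read)
#######################################
cleanup() {
  rm -f "${TMPFILE}" "${TMPOUT}"
}
trap cleanup EXIT

#######################################
# Append one line per argument to the report. An empty argument
# yields a blank line (what the old echo "...\n" produced).
# Globals:   TMPFILE (read)
# Arguments: $@ - lines to append
#######################################
_report() {
  printf '%s\n' "$@" >> "${TMPFILE}"
}

#######################################
# Run one checker script and append its findings to the report.
# The checker's stderr is also captured into the report so a missing
# or broken helper is visible to the admin instead of going to cron.
# Globals:   TMPFILE, TMPOUT (read)
# Arguments: $1 - section title written before the output
#            $2 - path of the checker script to run
#            $3 - line written when the checker produced no output
# Returns:   0 when the checker ran cleanly and printed nothing;
#            1 when it printed something OR could not be run
#######################################
_run_check() {
  _report "$1"
  "$2" > "${TMPOUT}" 2>> "${TMPFILE}"
  _rc=$?
  if [ "${_rc}" -ne 0 ]; then
    # Treat a checker that did not run as a finding: silence here
    # must never read as "all clear".
    _report "!!!WARNING!!! check FAILED: $2 exited with status ${_rc}." ""
    return 1
  fi
  if [ -s "${TMPOUT}" ]; then
    cat "${TMPOUT}" >> "${TMPFILE}"
    return 1
  fi
  _report "$3" ""
  return 0
}

### MESSAGE HEAD
DATEFMT=$(date +"%A, %B %e")
_report "${VERMSG}" "${RULE}" "Security highlights for ${DATEFMT}:" ""

### SYSLOGD CHECK
SYSLOGUP=0
_report "Checking syslogd........"
# Matches any "ps -ef" line containing "syslogd" (the awk itself is
# excluded), so an unrelated process with that string in its command
# line would also satisfy the check. Fields 5 and 6 are taken as the
# start-time columns of ps -ef -- platform-specific; confirm elsewhere.
SYSLCHK=$(ps -ef | awk '!/awk/ && /syslogd/ { print $5, $6 }')
if [ -n "${SYSLCHK}" ]; then
  _report "...passed. syslogd has been up since: ${SYSLCHK}" ""
  SYSLOGUP=1
else
  _report "...FAILED. !!!WARNING!!! syslogd is NOT running." ""
fi

### SYSLOG CHECK SCRIPTS
# LOGDIRT=1 when any module printed findings or could not be run.
LOGDIRT=0
for _mode in "${MODE[@]}"; do
  _title=$(printf '%s' "${_mode}" | tr '[a-z]' '[A-Z]')
  _run_check "${_title} highlights:" "${INSTALLDIR}/${_mode}warning.sh" \
    "${_mode} log contains no adverse activity." || LOGDIRT=1
done

### ERRPT CHECK
# ERR_RPT=1 when err_report.sh printed findings or could not be run.
ERR_RPT=0
_report ""
_run_check "ERROR REPORT highlights:" "${INSTALLDIR}/err_report.sh" \
  "error report contains no adverse activity." || ERR_RPT=1

### LASTLOG CHECK
_report "${RULE}" "Logged users today (wtmp):" ""
WTMP=0
# The "%b %d" string must match how last(1) prints the date on this
# host (see the Sept 2000 note above); it is not validated here.
DATEFMT=$(date +"%b %d")
last | grep "${DATEFMT}" | grep -v begins > "${TMPOUT}"
if [ -s "${TMPOUT}" ]; then
  cat "${TMPOUT}" >> "${TMPFILE}"
  WTMP=1
else
  _report "WTMP reports no logins today."
fi

### DECIDE WHETHER TO MAIL
DATEFMT=$(date +"%A %I:%M%p")
if [[ "${SYSLOGUP}" = 1 && "${LOGDIRT}" = 0 && "${ERR_RPT}" = 0 && "${WTMP}" = 0 ]]; then
  # Nothing to note here, so do not mesg admin, just exit gracefully.
  # The EXIT trap removes the temp files.
  exit 0
fi

NNAME=$(uname -n)
# Foreground on purpose: TMPFILE is only removed (by the trap) after
# mail has finished reading it.
mail -s "${NNAME} SECURITY REPORT: ${DATEFMT}" "${ADMIN}" < "${TMPFILE}"
exit $?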