- Added security check script. - Create md5 sums of all files at install an...

Till Brehm

2014-08-14 1ed92e187ae2dfb51f5f2d62c290a85f93b6dc21

- Added security check script.
- Create md5 sums of all files at install and update.

 install/install.php

@@ -679,6 +679,11 @@

} //* << $install_mode / 'Standard' or Genius

//* Create md5 filelist
$md5_filename = '/usr/local/ispconfig/security/data/file_checksums_'.date('Y-m-d_h-i').'.md5';
exec('find /usr/local/ispconfig -type f -print0 | xargs -0 md5sum > '.$md5_filename);
chmod($md5_filename,0700);


echo "Installation completed.\n";


 install/update.php

@@ -497,6 +497,11 @@
    }
}

//* Create md5 filelist
$md5_filename = '/usr/local/ispconfig/security/data/file_checksums_'.date('Y-m-d_h-i').'.md5';
exec('find /usr/local/ispconfig -type f -print0 | xargs -0 md5sum > '.$md5_filename);
chmod($md5_filename,0700);

echo "Update finished.\n";

?>

 interface/web/admin/users_edit.php

@@ -70,7 +70,7 @@
        global $app, $conf;

        if($conf['demo_mode'] == true && $_REQUEST['id'] <= 3) $app->error('This function is disabled in demo mode.');
		

        //* Security settings check
        if(isset($this->dataRecord['typ']) && $this->dataRecord['typ'][0] == 'admin') {
            $app->auth->check_security_permissions('admin_allow_new_admin');

 security/check.php

@@ -28,9 +28,8 @@
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/

define('SCRIPT_PATH', dirname($_SERVER["SCRIPT_FILENAME"]));
require SCRIPT_PATH."/lib/config.inc.php";
require SCRIPT_PATH."/lib/app.inc.php";
require "/usr/local/ispconfig/server/lib/config.inc.php";
require "/usr/local/ispconfig/server/lib/app.inc.php";

set_time_limit(0);
ini_set('error_reporting', E_ALL & ~E_NOTICE);
@@ -42,6 +41,114 @@
// Load required base-classes
$app->uses('ini_parser,file,services,getconf,system');

// get security config
$security_config = $app->getconf->get_security_config('systemcheck');

$alert = '';
$data_dir = '/usr/local/ispconfig/security/data';


// Check if a new ispconfig user has been added
if($security_config['warn_new_admin'] == 'yes') {
    $data_file = $data_dir.'/admincount';
    //get number of admins
    $tmp = $app->db->queryOneRecord("SELECT count(userid) AS number FROM sys_user WHERE typ = 'admin'");
    $admin_user_count_new = intval($tmp['number']);
	
    if(is_file($data_file)) {
        $admin_user_count_old = intval(file_get_contents($data_file));
        if($admin_user_count_new != $admin_user_count_old) {
            $alert .= "The number of ISPConfig administrator users has changed. Old: $admin_user_count_old New: $admin_user_count_new \n";
            file_put_contents($data_file,$admin_user_count_new);
        }
    } else {
        // first run, so we save the current count
        file_put_contents($data_file,$admin_user_count_new);
        chmod($data_file,0700);
    }
}

// Check if /etc/passwd file has been changed
if($security_config['warn_passwd_change'] == 'yes') {
    $data_file = $data_dir.'/passwd.md5';
    $md5sum_new = md5_file('/etc/passwd');
	
    if(is_file($data_file)) {
        $md5sum_old = trim(file_get_contents($data_file));
        if($md5sum_new != $md5sum_old) {
            $alert .= "The file /etc/passwd has been changed.\n";
            file_put_contents($data_file,$md5sum_new);
        }
    } else {
        file_put_contents($data_file,$md5sum_new);
        chmod($data_file,0700);
    }
}

// Check if /etc/shadow file has been changed
if($security_config['warn_shadow_change'] == 'yes') {
    $data_file = $data_dir.'/shadow.md5';
    $md5sum_new = md5_file('/etc/shadow');
	
    if(is_file($data_file)) {
        $md5sum_old = trim(file_get_contents($data_file));
        if($md5sum_new != $md5sum_old) {
            $alert .= "The file /etc/shadow has been changed.\n";
            file_put_contents($data_file,$md5sum_new);
        }
    } else {
        file_put_contents($data_file,$md5sum_new);
        chmod($data_file,0700);
    }
}

// Check if /etc/group file has been changed
if($security_config['warn_group_change'] == 'yes') {
    $data_file = $data_dir.'/group.md5';
    $md5sum_new = md5_file('/etc/group');
	
    if(is_file($data_file)) {
        $md5sum_old = trim(file_get_contents($data_file));
        if($md5sum_new != $md5sum_old) {
            $alert .= "The file /etc/group has been changed.\n";
            file_put_contents($data_file,$md5sum_new);
        }
    } else {
        file_put_contents($data_file,$md5sum_new);
        chmod($data_file,0700);
    }
}


if($alert != '') {
    $admin_email = $security_config['security_admin_email'];
    $admin_email_subject = $security_config['security_admin_email_subject'];
    mail($admin_email, $admin_email_subject, $alert);
    //$app->log(str_replace("\n"," -- ",$alert),1);
    echo str_replace("\n"," -- ",$alert)."\n";
}
























?>

 security/security_settings.ini

@@ -18,8 +18,8 @@

[systemcheck]
security_admin_email=root@localhost
security_admin_email_subject=Security alert from server
warn_new_admin=yes
warn_passwd_change=no
warn_shadow_change=no
check_groups_in_passwd=yes
check_ispconfig_md5=yes
warn_group_change=no

 server/server.sh

@@ -13,8 +13,8 @@
        fi
fi

cd /usr/local/ispconfig/security
/usr/bin/php -q /usr/local/ispconfig/security/check.php

cd /usr/local/ispconfig/server
/usr/bin/php -q /usr/local/ispconfig/server/server.php

cd /usr/local/ispconfig/security
/usr/bin/php -q /usr/local/ispconfig/security/check.php