=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/etc/Attic/security,v retrieving revision 1.1 retrieving revision 1.2 diff -c -r1.1 -r1.2 *** src/etc/Attic/security 1995/10/18 08:37:57 1.1 --- src/etc/Attic/security 1995/12/18 16:56:37 1.2 *************** *** 1,7 **** #!/bin/sh - # # from: @(#)security 8.1 (Berkeley) 6/9/93 ! # $Id: security,v 1.1 1995/10/18 08:37:57 deraadt Exp $ # PATH=/sbin:/usr/sbin:/bin:/usr/bin --- 1,7 ---- #!/bin/sh - # # from: @(#)security 8.1 (Berkeley) 6/9/93 ! # $Id: security,v 1.2 1995/12/18 16:56:37 deraadt Exp $ # PATH=/sbin:/usr/sbin:/bin:/usr/bin *************** *** 26,32 **** } if (NF != 10) printf("Line %d has the wrong number of fields.\n", NR); ! if ($1 !~ /^[A-Za-z0-9]*$/) printf("Login %s has non-alphanumeric characters.\n", $1); if (length($1) > 8) printf("Login %s has more than 8 characters.\n", $1); --- 26,36 ---- } if (NF != 10) printf("Line %d has the wrong number of fields.\n", NR); ! if ($1 ~ /^[+-].*$/) ! next; ! if ($1 == "") ! printf("Line %d has an empty login field.\n",NR); ! else if ($1 !~ /^[A-Za-z0-9][A-Za-z0-9_-]*$/) printf("Login %s has non-alphanumeric characters.\n", $1); if (length($1) > 8) printf("Login %s has more than 8 characters.\n", $1); *************** *** 52,58 **** column $OUTPUT fi ! awk -F: '{ print $1 " " $3 }' $MP | sort -n +1 | tee $TMP1 | uniq -d -f 1 | awk '{ print $2 }' > $TMP2 if [ -s $TMP2 ] ; then printf "\n$MP has duplicate user id's.\n" --- 56,62 ---- column $OUTPUT fi ! awk -F: '$1 != "toor" { print $1 " " $3 }' $MP | sort -n +1 | tee $TMP1 | uniq -d -f 1 | awk '{ print $2 }' > $TMP2 if [ -s $TMP2 ] ; then printf "\n$MP has duplicate user id's.\n" *************** *** 64,69 **** --- 68,77 ---- # Backup the master password file; a special case, the normal backup # mechanisms also print out file differences and we don't want to do # that because this file has encrypted passwords in it. + if [ ! 
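Review bot: The unchanged message on the line after the new login regex still reads `Login %s has non-alphanumeric characters.`, but `^[A-Za-z0-9][A-Za-z0-9_-]*$` now accepts `_` and `-`, so a name rejected for a leading `-` or a `$` gets a wording that no longer describes the rule; suggest `printf("Login %s has invalid characters.\n", $1);`. The new `$1 ~ /^[+-].*$/` skip is placed after the `NF != 10` test, so a compat entry written with fewer than ten fields would still be reported as a bad line before being skipped; if such short `+`/`-` lines are legitimate on this system, move the skip ahead of the field-count check.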
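Review bot: Filtering `$1 != "toor"` drops toor from the duplicate-uid check by name alone, so a toor entry that has been given some non-zero uid colliding with another account is never reported. If the intent is only to tolerate the expected root/toor sharing of uid 0, narrow the filter to that case: `awk -F: '!($1 == "toor" && $3 == 0) { print $1 " " $3 }' $MP`.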
-d /var/backups ] ; then + mkdir /var/backups + chmod 755 /var/backups + fi CUR=/var/backups/`basename $MP`.current BACK=/var/backups/`basename $MP`.backup if [ -s $CUR ] ; then *************** *** 86,91 **** --- 94,101 ---- printf("Line %d is a blank line.\n", NR); next; } + if ($1 ~ /^[+-].*$/) + next; if (NF != 4) printf("Line %d has the wrong number of fields.\n", NR); if ($1 !~ /^[A-za-z0-9]*$/) *************** *** 214,257 **** fi # Files that should not have + signs. ! list="/etc/hosts.equiv /etc/hosts.lpd" for f in $list ; do ! if egrep '\+' $f > /dev/null ; then ! printf "\nPlus sign in $f file.\n" fi done ! # Check for special users with .rhosts files. Only root and toor should ! # have a .rhosts files. Also, .rhosts files should not plus signs. ! awk -F: '$1 != "root" && $1 != "toor" && \ ($3 < 100 || $1 == "ftp" || $1 == "uucp") \ { print $1 " " $6 }' /etc/passwd | while read uid homedir; do ! if [ -f ${homedir}/.rhosts ] ; then ! rhost=`ls -ldgT ${homedir}/.rhosts` ! printf "$uid: $rhost\n" ! fi done > $OUTPUT if [ -s $OUTPUT ] ; then ! printf "\nChecking for special users with .rhosts files.\n" cat $OUTPUT fi awk -F: '{ print $1 " " $6 }' /etc/passwd | \ while read uid homedir; do ! if [ -f ${homedir}/.rhosts ] && \ ! egrep '\+' ${homedir}/.rhosts > /dev/null ; then ! printf "$uid: + in .rhosts file.\n" ! fi done > $OUTPUT if [ -s $OUTPUT ] ; then ! printf "\nChecking .rhosts files syntax.\n" cat $OUTPUT fi # Check home directories. Directories should not be owned by someone else # or writeable. ! awk -F: '{ print $1 " " $6 }' /etc/passwd | \ while read uid homedir; do if [ -d ${homedir}/ ] ; then file=`ls -ldgT ${homedir}` --- 224,282 ---- fi # Files that should not have + signs. ! list="/etc/hosts.equiv /etc/shosts.equiv /etc/hosts.lpd" for f in $list ; do ! if [ -f $f ] ; then ! awk '{ ! if ($0 ~ /^+@.*$/ ) ! next; ! if ($0 ~ /^+.*$/ ) ! printf("\nPlus sign in %s file.\n", FILENAME); ! }' $f fi done ! 
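Review bot: `chmod 755 /var/backups` makes the directory world-searchable and listable, while the comment three lines above explains that the file copied into it holds encrypted passwords; unless the `.current`/`.backup` copies are created mode 600 elsewhere (not visible in this hunk), `chmod 700 /var/backups` is the safer default for a directory holding master.passwd copies. The `mkdir` result is also unchecked, so a failure falls through to the later copy; `mkdir /var/backups || exit 1` makes that visible.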
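Review bot: The new `$1 ~ /^[+-].*$/` skip in the group check sits before the `NF != 4` test, whereas the passwd hunk earlier in this diff places the same skip after its field-count check; pick one order for both so compat entries are treated alike. The unchanged class on the next context line, `[A-za-z0-9]`, ranges from `A` to `z` and therefore admits `[`, `\`, `]`, `^`, `_` and backtick while rejecting `-`; the passwd check was moved to `[A-Za-z0-9][A-Za-z0-9_-]*` in this commit and the group check should follow suit.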
# Check for special users with .rhosts/.shosts files. Only root and ! # toor should have .rhosts/.shosts files. Also, .rhosts/.shosts files ! # should not have plus signs. ! awk -F: '$1 != "root" && $1 != "toor" && $1 !~ /^[+-].*$/ && \ ($3 < 100 || $1 == "ftp" || $1 == "uucp") \ { print $1 " " $6 }' /etc/passwd | while read uid homedir; do ! for j in .rhosts .shosts; do ! if [ -f ${homedir}/$j ] ; then ! rhost=`ls -ldgT ${homedir}/$j` ! printf "$uid: $rhost\n" ! fi ! done done > $OUTPUT if [ -s $OUTPUT ] ; then ! printf "\nChecking for special users with .rhosts/.shosts files.\n" cat $OUTPUT fi awk -F: '{ print $1 " " $6 }' /etc/passwd | \ while read uid homedir; do ! for j in .rhosts .shosts; do ! if [ -f ${homedir}/$j ] ; then ! awk '{ ! if ($0 ~ /^+@.*$/ ) ! next; ! if ($0 ~ /^+.*$/ ) ! printf("%s has + sign in it.\n", ! FILENAME); ! }' ${homedir}/$j ! fi ! done done > $OUTPUT if [ -s $OUTPUT ] ; then ! printf "\nChecking .rhosts/.shosts files syntax.\n" cat $OUTPUT fi # Check home directories. Directories should not be owned by someone else # or writeable. ! awk -F: '{ if ( $1 !~ /^[+-].*$/ ) print $1 " " $6 }' /etc/passwd | \ while read uid homedir; do if [ -d ${homedir}/ ] ; then file=`ls -ldgT ${homedir}` *************** *** 270,276 **** fi # Files that should not be owned by someone else or readable. ! list=".netrc .rhosts" awk -F: '{ print $1 " " $6 }' /etc/passwd | \ while read uid homedir; do for f in $list ; do --- 295,301 ---- fi # Files that should not be owned by someone else or readable. ! 
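Review bot: The awk patterns `/^+@.*$/` and `/^+.*$/`, used in the hosts.equiv loop and again in the .rhosts/.shosts loop, put an unescaped `+` directly after `^`, which POSIX leaves undefined in an ERE and which awk implementations handle differently; write them as `/^\+@/` and `/^\+/`. Anchoring the test to the start of the line also means a `+` in the user field (`host +`) is no longer reported, although the `egrep '\+'` it replaces caught it; if such entries matter here, test `/\+/` after the netgroup skip instead. The printf fires once per matching line and so repeats the `\nPlus sign in %s file.` heading for every offending line, where the old test printed it once per file; an `exit` after the first hit restores that. The home-directory loop at the end of the hunk continues outside it.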
list=".netrc .rhosts .shosts" awk -F: '{ print $1 " " $6 }' /etc/passwd | \ while read uid homedir; do for f in $list ; do *************** *** 282,289 **** done | awk '$1 != $5 && $5 != "root" \ { print "user " $1 " " $2 " file is owned by " $5 } - $3 ~ /^-...r/ \ - { print "user " $1 " " $2 " file is group readable" } $3 ~ /^-......r/ \ { print "user " $1 " " $2 " file is other readable" } $3 ~ /^-....w/ \ --- 307,312 ---- *************** *** 325,332 **** cat $OUTPUT fi ! # File systems should not be globally exported. ! awk '{ readonly = 0; for (i = 2; i <= NF; ++i) { if ($i ~ /-ro/) --- 348,356 ---- cat $OUTPUT fi ! if [ -f /etc/exports ]; then ! # File systems should not be globally exported. ! awk '{ readonly = 0; for (i = 2; i <= NF; ++i) { if ($i ~ /-ro/) *************** *** 338,360 **** print "File system " $1 " globally exported, read-only." else print "File system " $1 " globally exported, read-write." ! }' < /etc/exports > $OUTPUT ! if [ -s $OUTPUT ] ; then printf "\nChecking for globally exported file systems.\n" cat $OUTPUT fi # Display any changes in setuid files and devices. ! printf "\nChecking setuid files and devices:\n" (find / \( ! -fstype local -o -fstype fdesc -o -fstype kernfs \ -o -fstype procfs \) -a -prune -o \ ! \( -perm -u+s -o -perm -g+s -o ! -type d -a ! -type f -a ! -type l -a \ ! ! -type s \) | \ sort | sed -e 's/^/ls -ldgT /' | sh > $LIST) 2> $OUTPUT # Display any errors that occurred during system file walk. if [ -s $OUTPUT ] ; then ! printf "Setuid/device find errors:\n" cat $OUTPUT printf "\n" fi --- 362,386 ---- print "File system " $1 " globally exported, read-only." else print "File system " $1 " globally exported, read-write." ! }' < /etc/exports > $OUTPUT ! if [ -s $OUTPUT ] ; then printf "\nChecking for globally exported file systems.\n" cat $OUTPUT + fi fi # Display any changes in setuid files and devices. ! pending="\nChecking setuid files and devices:\n" (find / \( ! 
-fstype local -o -fstype fdesc -o -fstype kernfs \ -o -fstype procfs \) -a -prune -o \ ! -type f -a \( -perm -u+s -o -perm -g+s \) -print -o \ ! ! -type d -a ! -type f -a ! -type l -a ! -type s -print | \ sort | sed -e 's/^/ls -ldgT /' | sh > $LIST) 2> $OUTPUT # Display any errors that occurred during system file walk. if [ -s $OUTPUT ] ; then ! printf "${pending}Setuid/device find errors:\n" ! pending= cat $OUTPUT printf "\n" fi *************** *** 364,370 **** if [ -s $TMP1 ] ; then # Check to make sure uudecode isn't setuid. if grep -w uudecode $TMP1 > /dev/null ; then ! printf "\nUudecode is setuid.\n" fi CUR=/var/backups/setuid.current --- 390,397 ---- if [ -s $TMP1 ] ; then # Check to make sure uudecode isn't setuid. if grep -w uudecode $TMP1 > /dev/null ; then ! printf "${pending}\nUudecode is setuid.\n" ! pending= fi CUR=/var/backups/setuid.current *************** *** 377,390 **** > $TMP2 join -110 -210 -v2 $CUR $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then ! printf "Setuid additions:\n" tee -a $TMP2 < $OUTPUT printf "\n" fi join -110 -210 -v1 $CUR $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then ! printf "Setuid deletions:\n" tee -a $TMP2 < $OUTPUT printf "\n" fi --- 404,419 ---- > $TMP2 join -110 -210 -v2 $CUR $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then ! printf "${pending}Setuid additions:\n" ! pending= tee -a $TMP2 < $OUTPUT printf "\n" fi join -110 -210 -v1 $CUR $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then ! printf "${pending}Setuid deletions:\n" ! pending= tee -a $TMP2 < $OUTPUT printf "\n" fi *************** *** 392,398 **** sort +9 $TMP2 $CUR $TMP1 | \ sed -e 's/[ ][ ]*/ /g' | uniq -u > $OUTPUT if [ -s $OUTPUT ] ; then ! printf "Setuid changes:\n" column -t $OUTPUT printf "\n" fi --- 421,428 ---- sort +9 $TMP2 $CUR $TMP1 | \ sed -e 's/[ ][ ]*/ /g' | uniq -u > $OUTPUT if [ -s $OUTPUT ] ; then ! printf "${pending}Setuid changes:\n" ! pending= column -t $OUTPUT printf "\n" fi *************** *** 401,407 **** cp $TMP1 $CUR fi else ! 
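Review bot: The rewritten find expression reports setuid/setgid bits only on regular files (`-type f -a \( -perm -u+s -o -perm -g+s \)`), so setgid directories that the previous expression listed are now silently omitted; if that is intended, record it beside the `# Display any changes in setuid files and devices.` comment, e.g. `# Only regular files are examined for setuid/setgid; setgid directories are normal and ignored.` The `pending` variable is expanded inside the printf format string, which is fine while its content stays a fixed literal as here, but worth a one-line comment where it is assigned so nobody later fills it from file data.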
printf "Setuid additions:\n" column -t $TMP1 printf "\n" cp $TMP1 $CUR --- 431,438 ---- cp $TMP1 $CUR fi else ! printf "${pending}Setuid additions:\n" ! pending= column -t $TMP1 printf "\n" cp $TMP1 $CUR *************** *** 411,417 **** # Check for block and character disk devices that are readable or writeable # or not owned by root.operator. >$TMP1 ! DISKLIST="dk fd hd hk hp jb kra ra rb rd rl rx rz sd up wd" for i in $DISKLIST; do egrep "^b.*/${i}[0-9][0-9]*[a-h]$" $LIST >> $TMP1 egrep "^c.*/r${i}[0-9][0-9]*[a-h]$" $LIST >> $TMP1 --- 442,448 ---- # Check for block and character disk devices that are readable or writeable # or not owned by root.operator. >$TMP1 ! DISKLIST="dk fd hd hk hp jb kra ra rb rd rl rx xd rz sd up wd vnd ccd" for i in $DISKLIST; do egrep "^b.*/${i}[0-9][0-9]*[a-h]$" $LIST >> $TMP1 egrep "^c.*/r${i}[0-9][0-9]*[a-h]$" $LIST >> $TMP1 *************** *** 481,494 **** # Create the mtree tree specifications using: # # mtree -cx -pDIR -kcksum,gid,mode,nlink,size,link,time,uid > DIR.secure ! # chown root.wheel DIR.SECURE ! # chmod 600 DIR.SECURE # # Note, this is not complete protection against Trojan horsed binaries, as # the hacker can modify the tree specification to match the replaced binary. # For details on really protecting yourself against modified binaries, see # the mtree(8) manual page. ! if cd /etc/mtree; then mtree -e -p / -f /etc/mtree/special > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking special files and directories.\n" --- 512,526 ---- # Create the mtree tree specifications using: # # mtree -cx -pDIR -kcksum,gid,mode,nlink,size,link,time,uid > DIR.secure ! # chown root.wheel DIR.secure ! # chmod 600 DIR.secure # # Note, this is not complete protection against Trojan horsed binaries, as # the hacker can modify the tree specification to match the replaced binary. # For details on really protecting yourself against modified binaries, see # the mtree(8) manual page. ! if [ -d /etc/mtree ]; then ! 
cd /etc/mtree mtree -e -p / -f /etc/mtree/special > $OUTPUT if [ -s $OUTPUT ] ; then printf "\nChecking special files and directories.\n" *************** *** 497,502 **** --- 529,535 ---- > $OUTPUT for file in *.secure; do + [ $file = '*.secure' ] && continue tree=`sed -n -e '3s/.* //p' -e 3q $file` mtree -f $file -p $tree > $TMP1 if [ -s $TMP1 ]; then *************** *** 508,513 **** --- 541,548 ---- printf "\nChecking system binaries:\n" cat $OUTPUT fi + else + echo /etc/mtree is missing fi # List of files that get backed up and checked for any modifications. Each
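Review bot: Replacing `if cd /etc/mtree; then` with `if [ -d /etc/mtree ]; then` followed by a bare `cd /etc/mtree` drops the check on the chdir itself; if it fails (for instance on a permission error) the `for file in *.secure` loop and `mtree -f $file -p $tree` below run against the current directory and the binary check silently verifies nothing. Keep the status test while retaining the new else branch: `if [ -d /etc/mtree ] && cd /etc/mtree; then`.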
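Review bot: `[ $file = '*.secure' ] && continue` leaves `$file` unquoted, so a specification name containing whitespace breaks the test, and it only recognises the literal no-match expansion; `[ -f "$file" ] || continue` covers both the empty-glob case and a stale non-regular entry. The following `sed -n -e '3s/.* //p' -e 3q $file` and `mtree -f $file` should quote `"$file"` the same way.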
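Review bot: `echo /etc/mtree is missing` is the only diagnostic in this file written with echo rather than the `\n`-prefixed printf form used for every other section heading, so it runs straight onto the preceding output; for consistency use `printf "\n/etc/mtree is missing.\n"`.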