=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/etc/Attic/security,v retrieving revision 1.40 retrieving revision 1.41 diff -c -r1.40 -r1.41 *** src/etc/Attic/security 2000/10/18 16:45:27 1.40 --- src/etc/Attic/security 2000/10/20 16:27:16 1.41 *************** *** 1,6 **** #!/bin/sh - # ! # $OpenBSD: security,v 1.40 2000/10/18 16:45:27 hugh Exp $ # from: @(#)security 8.1 (Berkeley) 6/9/93 # --- 1,6 ---- #!/bin/sh - # ! # $OpenBSD: security,v 1.41 2000/10/20 16:27:16 millert Exp $ # from: @(#)security 8.1 (Berkeley) 6/9/93 # *************** *** 17,23 **** OUTPUT=$DIR/_secure6 if ! mkdir $DIR ; then ! printf "tmp directory %s already exists, looks like:\n" $DIR ls -alqF $DIR exit 1 fi --- 17,23 ---- OUTPUT=$DIR/_secure6 if ! mkdir $DIR ; then ! echo "tmp directory ${DIR} already exists, looks like:" ls -alqF $DIR exit 1 fi *************** *** 60,79 **** printf("Login %s has a negative group ID.\n", $1); }' < $MP > $OUTPUT if [ -s $OUTPUT ] ; then ! printf "\nChecking the %s file:\n" "$MP" cat $OUTPUT fi awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT if [ -s $OUTPUT ] ; then ! printf "\n%s has duplicate user names.\n" "$MP" column $OUTPUT fi awk -F: '{ print $1 " " $3 }' $MP | sort -n +1 | tee $TMP1 | uniq -d -f 1 | awk '{ print $2 }' > $TMP2 if [ -s $TMP2 ] ; then ! printf "\n%s has duplicate user ID's.\n" "$MP" while read uid; do grep -w $uid $TMP1 done < $TMP2 | column --- 60,79 ---- printf("Login %s has a negative group ID.\n", $1); }' < $MP > $OUTPUT if [ -s $OUTPUT ] ; then ! echo "\nChecking the ${MP} file:" cat $OUTPUT fi awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT if [ -s $OUTPUT ] ; then ! echo "\n${MP} has duplicate user names." column $OUTPUT fi awk -F: '{ print $1 " " $3 }' $MP | sort -n +1 | tee $TMP1 | uniq -d -f 1 | awk '{ print $2 }' > $TMP2 if [ -s $TMP2 ] ; then ! echo "\n${MP} has duplicate user ID's." 
while read uid; do grep -w $uid $TMP1 done < $TMP2 | column *************** *** 120,132 **** printf("Login %s has a negative group ID.\n", $1); }' < $GRP > $OUTPUT if [ -s $OUTPUT ] ; then ! printf "\nChecking the %s file:\n" "$GRP" cat $OUTPUT fi awk -F: '{ print $1 }' $GRP | sort | uniq -d > $OUTPUT if [ -s $OUTPUT ] ; then ! printf "\n%s has duplicate group names.\n" "$GRP" column $OUTPUT fi --- 120,132 ---- printf("Login %s has a negative group ID.\n", $1); }' < $GRP > $OUTPUT if [ -s $OUTPUT ] ; then ! echo "\nChecking the ${GRP} file:" cat $OUTPUT fi awk -F: '{ print $1 }' $GRP | sort | uniq -d > $OUTPUT if [ -s $OUTPUT ] ; then ! echo "\n${GRP} has duplicate group names." column $OUTPUT fi *************** *** 173,184 **** fi done if [ $umaskset = "no" -o -s $OUTPUT ] ; then ! printf "\nChecking root csh paths, umask values:\n%s\n" "$list" if [ -s $OUTPUT ] ; then cat $OUTPUT fi if [ $umaskset = "no" ] ; then ! printf "\nRoot csh startup files do not set the umask.\n" fi fi --- 173,184 ---- fi done if [ $umaskset = "no" -o -s $OUTPUT ] ; then ! echo "\nChecking root csh paths, umask values:\n${list}" if [ -s $OUTPUT ] ; then cat $OUTPUT fi if [ $umaskset = "no" ] ; then ! echo "\nRoot csh startup files do not set the umask." fi fi *************** *** 227,238 **** fi done if [ $umaskset = "no" -o -s $OUTPUT ] ; then ! printf "\nChecking root sh paths, umask values:\n%s\n" "$list" if [ -s $OUTPUT ] ; then cat $OUTPUT fi if [ $umaskset = "no" ] ; then ! printf "\nRoot sh startup files do not set the umask.\n" fi fi --- 227,238 ---- fi done if [ $umaskset = "no" -o -s $OUTPUT ] ; then ! echo "\nChecking root sh paths, umask values:\n${list}" if [ -s $OUTPUT ] ; then cat $OUTPUT fi if [ $umaskset = "no" ] ; then ! echo "\nRoot sh startup files do not set the umask." fi fi *************** *** 279,285 **** done ) if [ -s $OUTPUT ] ; then ! 
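Review bot: `echo "\n${MP} has duplicate user ID's."` (and the `\nChecking the ${MP} file:` and `\n${MP} has duplicate user names.` lines in the same hunk) now depend on the `/bin/sh` echo builtin expanding `\n`, which a POSIX-style echo does not do and which an escape-expanding echo also applies to any backslash arriving through `${MP}`; nothing in the hunk pins the interpreter beyond `#!/bin/sh`, so I assume a ksh-style echo is intended. The same dependency recurs in the hunks at 120,132; 173,184; 227,238; 279,285; 287,303; 324,335; 348,354; 368,374; 416,422; 427,433; 449,455; 475,481; 537,545; 608,616; 620,631 and 646,652, and in the `${pending}` prefixes of 464,473 and 489,525, whose value is assigned outside these hunks. A form that prints the same text under either echo keeps the newlines in the format string and passes the name as an argument, `printf "\n%s has duplicate user ID's.\n" "$MP"`, as the removed line did; if the escape-expanding echo is a deliberate assumption, a one-line comment near the shebang saying so would save the next reader the question.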
printf "\nChecking root ksh paths, umask values:\n%s\n" "$list" cat $OUTPUT fi --- 279,285 ---- done ) if [ -s $OUTPUT ] ; then ! echo "\nChecking root ksh paths, umask values:\n${list}" cat $OUTPUT fi *************** *** 287,303 **** if egrep root /etc/ftpusers > /dev/null ; then : else ! printf "\nRoot not listed in /etc/ftpusers file.\n" fi if egrep uucp /etc/ftpusers > /dev/null ; then : else ! printf "\nUucp not listed in /etc/ftpusers file.\n" fi # Uudecode should not be in the /etc/mail/aliases file. if egrep 'uudecode|decode' /etc/mail/aliases; then ! printf "\nThere is an entry for uudecode in the /etc/mail/aliases file.\n" fi # Files that should not have + signs. --- 287,303 ---- if egrep root /etc/ftpusers > /dev/null ; then : else ! echo "\nRoot not listed in /etc/ftpusers file." fi if egrep uucp /etc/ftpusers > /dev/null ; then : else ! echo "\nUucp not listed in /etc/ftpusers file." fi # Uudecode should not be in the /etc/mail/aliases file. if egrep 'uudecode|decode' /etc/mail/aliases; then ! echo "\nThere is an entry for uudecode in the /etc/mail/aliases file." fi # Files that should not have + signs. *************** *** 324,335 **** # Root owned .rhosts/.shosts files are ok. if [ -s ${homedir}/$j -a ! -O ${homedir}/$j ] ; then rhost=`ls -ldgT ${homedir}/$j` ! printf "%s: %s\n" "$uid" "$rhost" fi done done > $OUTPUT if [ -s $OUTPUT ] ; then ! printf "\nChecking for special users with .rhosts/.shosts files.\n" cat $OUTPUT fi --- 324,335 ---- # Root owned .rhosts/.shosts files are ok. if [ -s ${homedir}/$j -a ! -O ${homedir}/$j ] ; then rhost=`ls -ldgT ${homedir}/$j` ! echo "${uid}: ${rhost}" fi done done > $OUTPUT if [ -s $OUTPUT ] ; then ! echo "\nChecking for special users with .rhosts/.shosts files." cat $OUTPUT fi *************** *** 348,354 **** done done > $OUTPUT if [ -s $OUTPUT ] ; then ! printf "\nChecking .rhosts/.shosts files syntax.\n" cat $OUTPUT fi --- 348,354 ---- done done > $OUTPUT if [ -s $OUTPUT ] ; then ! 
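Review bot: In the 287,303 hunk the `/etc/ftpusers` tests around the changed echo lines, `egrep root /etc/ftpusers` and `egrep uucp /etc/ftpusers`, are unanchored substring matches, so any entry containing those letters (a constructed example: an account named `chroot`) satisfies the check without root or uucp actually being listed; these are context lines the commit leaves as they were. Anchoring the pattern, `egrep '^root$' /etc/ftpusers > /dev/null`, makes the check report only an exact entry; if the file format permits trailing whitespace or comments the anchor needs to allow for that.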
echo "\nChecking .rhosts/.shosts files syntax." cat $OUTPUT fi *************** *** 358,364 **** while read uid homedir; do if [ -d ${homedir}/ ] ; then file=`ls -ldgT ${homedir}` ! printf "%s %s\n" "$uid" "$file" fi done | awk '$1 != $4 && $4 != "root" \ --- 358,364 ---- while read uid homedir; do if [ -d ${homedir}/ ] ; then file=`ls -ldgT ${homedir}` ! echo "${uid} ${file}" fi done | awk '$1 != $4 && $4 != "root" \ *************** *** 368,374 **** $2 ~ /^-.......w/ \ { print "user " $1 " home directory is other writeable" }' > $OUTPUT if [ -s $OUTPUT ] ; then ! printf "\nChecking home directories.\n" cat $OUTPUT fi --- 368,374 ---- $2 ~ /^-.......w/ \ { print "user " $1 " home directory is other writeable" }' > $OUTPUT if [ -s $OUTPUT ] ; then ! echo "\nChecking home directories." cat $OUTPUT fi *************** *** 379,385 **** for f in $list ; do file=${homedir}/${f} if [ -f $file ] ; then ! printf "%s %s %s\n" "$uid" "$f" "`ls -ldgT $file`" fi done done | --- 379,385 ---- for f in $list ; do file=${homedir}/${f} if [ -f $file ] ; then ! echo "${uid} ${f} `ls -ldgT ${file}`" fi done done | *************** *** 405,411 **** for f in $list ; do file=${homedir}/${f} if [ -f $file ] ; then ! printf "%s %s %s\n" "$uid" "$f" "`ls -ldgT $file`" fi done done | --- 405,411 ---- for f in $list ; do file=${homedir}/${f} if [ -f $file ] ; then ! echo "${uid} ${f} `ls -ldgT ${file}`" fi done done | *************** *** 416,422 **** $3 ~ /^-.......w/ \ { print "user " $1 " " $2 " file is other writeable" }' >> $OUTPUT if [ -s $OUTPUT ] ; then ! printf "\nChecking dot files.\n" cat $OUTPUT fi --- 416,422 ---- $3 ~ /^-.......w/ \ { print "user " $1 " " $2 " file is other writeable" }' >> $OUTPUT if [ -s $OUTPUT ] ; then ! echo "\nChecking dot files." cat $OUTPUT fi *************** *** 427,433 **** $1 != "-rw-------" \ { print "user " $9 " mailbox is " $1 ", group " $4 }' > $OUTPUT if [ -s $OUTPUT ] ; then ! 
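Review bot: `echo "${uid} ${file}"` in the 358,364 hunk and the `echo "${uid} ${f} ...ls -ldgT ${file}..."` lines in 379,385 and 405,411 pass a login name and raw `ls` output through echo, so with an escape-expanding echo any backslash in a home directory or dot-file name is rewritten before the awk stage parses the fields, and `${file}` and `${homedir}` are unquoted in the `ls -ldgT` calls, so a path containing whitespace is split into several arguments. Capturing the listing first, `line=` followed by the backquoted `ls -ldgT "$file"`, and then emitting the record with `printf '%s %s %s\n' "$uid" "$f" "$line"` keeps the record intact under either echo. The surrounding while loops and the awk pipeline that consumes these records start and end outside each of these hunks.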
printf "\nChecking mailbox ownership.\n" cat $OUTPUT fi --- 427,433 ---- $1 != "-rw-------" \ { print "user " $9 " mailbox is " $1 ", group " $4 }' > $OUTPUT if [ -s $OUTPUT ] ; then ! echo "\nChecking mailbox ownership." cat $OUTPUT fi *************** *** 449,455 **** print "File system " $1 " globally exported, read-write." }' < /etc/exports > $OUTPUT if [ -s $OUTPUT ] ; then ! printf "\nChecking for globally exported file systems.\n" cat $OUTPUT fi fi --- 449,455 ---- print "File system " $1 " globally exported, read-write." }' < /etc/exports > $OUTPUT if [ -s $OUTPUT ] ; then ! echo "\nChecking for globally exported file systems." cat $OUTPUT fi fi *************** *** 464,473 **** # Display any errors that occurred during system file walk. if [ -s $OUTPUT ] ; then ! printf "%sSetuid/device find errors:\n" "$pending" pending= cat $OUTPUT ! printf "\n" fi # Display any changes in the setuid/setgid file list. --- 464,473 ---- # Display any errors that occurred during system file walk. if [ -s $OUTPUT ] ; then ! echo "${pending}Setuid/device find errors:" pending= cat $OUTPUT ! echo "" fi # Display any changes in the setuid/setgid file list. *************** *** 475,481 **** if [ -s $TMP1 ] ; then # Check to make sure uudecode isn't setuid. if grep -w uudecode $TMP1 > /dev/null ; then ! printf "%s\nUudecode is setuid.\n" "$pending" pending= fi --- 475,481 ---- if [ -s $TMP1 ] ; then # Check to make sure uudecode isn't setuid. if grep -w uudecode $TMP1 > /dev/null ; then ! echo "${pending}\nUudecode is setuid." pending= fi *************** *** 489,525 **** > $TMP2 join -110 -210 -v2 $CUR $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then ! printf "%sSetuid additions:\n" "$pending" pending= tee -a $TMP2 < $OUTPUT ! printf "\n" fi join -110 -210 -v1 $CUR $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then ! printf "%sSetuid deletions:\n" "$pending" pending= tee -a $TMP2 < $OUTPUT ! 
printf "\n" fi sort +9 $TMP2 $CUR $TMP1 | \ sed -e 's/[ ][ ]*/ /g' | uniq -u > $OUTPUT if [ -s $OUTPUT ] ; then ! printf "%sSetuid changes:\n" "$pending" pending= column -t $OUTPUT ! printf "\n" fi cp $CUR $BACK cp $TMP1 $CUR fi else ! printf "%sSetuid additions:\n" "$pending" pending= column -t $TMP1 ! printf "\n" cp $TMP1 $CUR fi fi --- 489,525 ---- > $TMP2 join -110 -210 -v2 $CUR $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then ! echo "${pending}Setuid additions:" pending= tee -a $TMP2 < $OUTPUT ! echo "" fi join -110 -210 -v1 $CUR $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then ! echo "${pending}Setuid deletions:" pending= tee -a $TMP2 < $OUTPUT ! echo "" fi sort +9 $TMP2 $CUR $TMP1 | \ sed -e 's/[ ][ ]*/ /g' | uniq -u > $OUTPUT if [ -s $OUTPUT ] ; then ! echo "${pending}Setuid changes:" pending= column -t $OUTPUT ! echo "" fi cp $CUR $BACK cp $TMP1 $CUR fi else ! echo "${pending}Setuid additions:" pending= column -t $TMP1 ! echo "" cp $TMP1 $CUR fi fi *************** *** 537,545 **** { printf("Disk %s is user %s, group %s, permissions %s.\n", \ $11, $3, $4, $1); }' < $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then ! printf "\nChecking disk ownership and permissions.\n" cat $OUTPUT ! printf "\n" fi # Display any changes in the device file list. --- 537,545 ---- { printf("Disk %s is user %s, group %s, permissions %s.\n", \ $11, $3, $4, $1); }' < $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then ! echo "\nChecking disk ownership and permissions." cat $OUTPUT ! echo "" fi # Display any changes in the device file list. *************** *** 555,570 **** > $TMP2 join -111 -211 -v2 $CUR $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then ! printf "Device additions:\n" tee -a $TMP2 < $OUTPUT ! printf "\n" fi join -111 -211 -v1 $CUR $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then ! printf "Device deletions:\n" tee -a $TMP2 < $OUTPUT ! printf "\n" fi # Report any block device change. Ignore character --- 555,570 ---- > $TMP2 join -111 -211 -v2 $CUR $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then ! 
echo "Device additions:" tee -a $TMP2 < $OUTPUT ! echo "" fi join -111 -211 -v1 $CUR $TMP1 > $OUTPUT if [ -s $OUTPUT ] ; then ! echo "Device deletions:" tee -a $TMP2 < $OUTPUT ! echo "" fi # Report any block device change. Ignore character *************** *** 575,592 **** sed -e 's/[ ][ ]*/ /g' | \ uniq -u > $OUTPUT if [ -s $OUTPUT ] ; then ! printf "Block device changes:\n" column -t $OUTPUT ! printf "\n" fi cp $CUR $BACK cp $TMP1 $CUR fi else ! printf "Device additions:\n" column -t $TMP1 ! printf "\n" cp $TMP1 $CUR fi fi --- 575,592 ---- sed -e 's/[ ][ ]*/ /g' | \ uniq -u > $OUTPUT if [ -s $OUTPUT ] ; then ! echo "Block device changes:" column -t $OUTPUT ! echo "" fi cp $CUR $BACK cp $TMP1 $CUR fi else ! echo "Device additions:" column -t $TMP1 ! echo "" cp $TMP1 $CUR fi fi *************** *** 608,616 **** cd /etc/mtree mtree -e -p / -f /etc/mtree/special > $OUTPUT if [ -s $OUTPUT ] ; then ! printf "\nChecking special files and directories.\n" ! printf "Output format is:\n\tfilename:\n" ! printf "\t\tcriteria (shouldbe, reallyis)\n" cat $OUTPUT fi --- 608,616 ---- cd /etc/mtree mtree -e -p / -f /etc/mtree/special > $OUTPUT if [ -s $OUTPUT ] ; then ! echo "\nChecking special files and directories." ! echo "Output format is:\n\tfilename:" ! echo "\t\tcriteria (shouldbe, reallyis)" cat $OUTPUT fi *************** *** 620,631 **** tree=`sed -n -e '3s/.* //p' -e 3q $file` mtree -f $file -p $tree > $TMP1 if [ -s $TMP1 ] ; then ! printf "\nChecking %s:\n" "$tree" >> $OUTPUT cat $TMP1 >> $OUTPUT fi done if [ -s $OUTPUT ] ; then ! printf "\nChecking system binaries:\n" cat $OUTPUT fi else --- 620,631 ---- tree=`sed -n -e '3s/.* //p' -e 3q $file` mtree -f $file -p $tree > $TMP1 if [ -s $TMP1 ] ; then ! echo "\nChecking ${tree}:" >> $OUTPUT cat $TMP1 >> $OUTPUT fi done if [ -s $OUTPUT ] ; then ! echo "\nChecking system binaries:" cat $OUTPUT fi else *************** *** 646,652 **** if [ -s $CUR ] ; then diff $CUR $file > $OUTPUT if [ -s $OUTPUT ] ; then ! 
printf "\n======\n%s diffs (OLD < > NEW)\n======\n" $file cat $OUTPUT cp -p $CUR $BACK cp -p $file $CUR --- 646,652 ---- if [ -s $CUR ] ; then diff $CUR $file > $OUTPUT if [ -s $OUTPUT ] ; then ! echo "\n======\n${file} diffs (OLD < > NEW)\n======" cat $OUTPUT cp -p $CUR $BACK cp -p $file $CUR