=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/etc/Attic/security,v retrieving revision 1.83 retrieving revision 1.84 diff -c -r1.83 -r1.84 *** src/etc/Attic/security 2009/05/04 00:37:03 1.83 --- src/etc/Attic/security 2009/05/14 21:24:33 1.84 *************** *** 1,6 **** - #!/bin/sh - # ! # $OpenBSD: security,v 1.83 2009/05/04 00:37:03 schwarze Exp $ # from: @(#)security 8.1 (Berkeley) 6/9/93 # --- 1,5 ---- # ! # $OpenBSD: security,v 1.84 2009/05/14 21:24:33 schwarze Exp $ # from: @(#)security 8.1 (Berkeley) 6/9/93 # *************** *** 9,25 **** umask 077 DIR=`mktemp -d /tmp/_secure.XXXXXXXXXX` || exit 1 - ERR=$DIR/_secure1 TMP1=$DIR/_secure2 TMP2=$DIR/_secure3 - TMP3=$DIR/_secure4 LIST=$DIR/_secure5 - OUTPUT=$DIR/_secure6 trap 'rm -rf $DIR; exit 1' 0 1 2 3 13 15 # Check the master password file syntax. MP=/etc/master.passwd awk -F: '{ if ($0 ~ /^[ ]*$/) { printf("Line %d is a blank line.\n", NR); --- 8,22 ---- umask 077 DIR=`mktemp -d /tmp/_secure.XXXXXXXXXX` || exit 1 TMP1=$DIR/_secure2 TMP2=$DIR/_secure3 LIST=$DIR/_secure5 trap 'rm -rf $DIR; exit 1' 0 1 2 3 13 15 # Check the master password file syntax. MP=/etc/master.passwd + next_part "Checking the ${MP} file:" awk -F: '{ if ($0 ~ /^[ ]*$/) { printf("Line %d is a blank line.\n", NR); *************** *** 54,75 **** printf("Login %s has a negative group ID.\n", $1); if (int($7) != 0 && system("test "$7" -lt `date +%s`") == 0) printf("Login %s has expired.\n", $1); ! }' < $MP > $OUTPUT ! if [ -s $OUTPUT ] ; then ! echo "\nChecking the ${MP} file:" ! cat $OUTPUT ! fi ! awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT ! if [ -s $OUTPUT ] ; then ! echo "\n${MP} has duplicate user names." ! column $OUTPUT ! fi awk -F: '/^[^\+]/ { print $1 " " $3 }' $MP | sort -n +1 | tee $TMP1 | uniq -d -f 1 | awk '{ print $2 }' > $TMP2 if [ -s $TMP2 ] ; then - echo "\n${MP} has duplicate user IDs." while read uid; do grep -w $uid $TMP1 done < $TMP2 | column --- 51,65 ---- printf("Login %s has a negative group ID.\n", $1); if (int($7) != 0 && system("test "$7" -lt `date +%s`") == 0) printf("Login %s has expired.\n", $1); ! }' < $MP ! next_part "${MP} has duplicate user names." ! awk -F: '{ print $1 }' $MP | sort | uniq -d | column + next_part "${MP} has duplicate user IDs." awk -F: '/^[^\+]/ { print $1 " " $3 }' $MP | sort -n +1 | tee $TMP1 | uniq -d -f 1 | awk '{ print $2 }' > $TMP2 if [ -s $TMP2 ] ; then while read uid; do grep -w $uid $TMP1 done < $TMP2 | column *************** *** 99,104 **** --- 89,95 ---- # Check the group file syntax. GRP=/etc/group + next_part "Checking the ${GRP} file:" awk -F: '{ if ($0 ~ /^[ ]*$/) { printf("Line %d is a blank line.\n", NR); *************** *** 114,139 **** printf("Group %s has more than 31 characters.\n", $1); if ($3 !~ /^[0-9]*$/) printf("Group %s has an invalid group ID.\n", $1); ! }' < $GRP > $OUTPUT ! if [ -s $OUTPUT ] ; then ! echo "\nChecking the ${GRP} file:" ! cat $OUTPUT ! fi ! awk -F: '{ print $1 }' $GRP | sort | uniq -d > $OUTPUT ! if [ -s $OUTPUT ] ; then ! echo "\n${GRP} has duplicate group names." ! column $OUTPUT ! fi # Check for root paths, umask values in startup files. # The check for the root paths is problematical -- it's likely to fail # in other environments. Once the shells have been modified to warn # of '.' in the path, the path tests should go away. - > $OUTPUT rhome=/root umaskset=no list="/etc/csh.cshrc /etc/csh.login ${rhome}/.cshrc ${rhome}/.login" for i in $list ; do if [ -s $i ] ; then if egrep -aq '[[:space:]]*umask[[:space:]]' $i ; then --- 105,123 ---- printf("Group %s has more than 31 characters.\n", $1); if ($3 !~ /^[0-9]*$/) printf("Group %s has an invalid group ID.\n", $1); ! }' < $GRP ! next_part "${GRP} has duplicate group names." ! awk -F: '{ print $1 }' $GRP | sort | uniq -d | column # Check for root paths, umask values in startup files. # The check for the root paths is problematical -- it's likely to fail # in other environments. Once the shells have been modified to warn # of '.' in the path, the path tests should go away. rhome=/root umaskset=no list="/etc/csh.cshrc /etc/csh.login ${rhome}/.cshrc ${rhome}/.login" + next_part "Checking root csh paths, umask values:\n${list}" for i in $list ; do if [ -s $i ] ; then if egrep -aq '[[:space:]]*umask[[:space:]]' $i ; then *************** *** 146,152 **** if ($2 % 10 ~ /^[0145]/) print "Root umask is other writable"; } ! }' < $i >> $OUTPUT SAVE_PATH=$PATH unset PATH /bin/csh -f -s << end-of-csh > /dev/null 2>&1 --- 130,136 ---- if ($2 % 10 ~ /^[0145]/) print "Root umask is other writable"; } ! }' < $i SAVE_PATH=$PATH unset PATH /bin/csh -f -s << end-of-csh > /dev/null 2>&1 *************** *** 168,191 **** { print "Root path directory " $10 " is group writable." } \ $1 ~ /^d.......w/ \ { print "Root path directory " $10 " is other writable." }' \ ! < $TMP1 >> $OUTPUT fi done ! if [ $umaskset = "no" -o -s $OUTPUT ] ; then ! echo "\nChecking root csh paths, umask values:\n${list}" ! if [ -s $OUTPUT ] ; then ! cat $OUTPUT ! fi ! if [ $umaskset = "no" ] ; then ! echo "\nRoot csh startup files do not set the umask." ! fi fi - > $OUTPUT > $TMP2 rhome=/root umaskset=no list="/etc/profile ${rhome}/.profile" for i in $list; do if [ -s $i ] ; then if egrep -a umask $i > /dev/null ; then --- 152,169 ---- { print "Root path directory " $10 " is group writable." } \ $1 ~ /^d.......w/ \ { print "Root path directory " $10 " is other writable." }' \ ! < $TMP1 fi done ! if [ $umaskset = "no" ] ; then ! echo "\nRoot csh startup files do not set the umask." fi > $TMP2 rhome=/root umaskset=no list="/etc/profile ${rhome}/.profile" + next_part "Checking root sh paths, umask values:\n${list}" for i in $list; do if [ -s $i ] ; then if egrep -a umask $i > /dev/null ; then *************** *** 195,201 **** awk '$2 % 100 < 20 \ { print "Root umask is group writable" } \ $2 % 10 < 2 \ ! { print "Root umask is other writable" }' >> $OUTPUT SAVE_PATH=$PATH SAVE_ENV=$ENV unset PATH ENV --- 173,179 ---- awk '$2 % 100 < 20 \ { print "Root umask is group writable" } \ $2 % 10 < 2 \ ! { print "Root umask is other writable" }' SAVE_PATH=$PATH SAVE_ENV=$ENV unset PATH ENV *************** *** 221,245 **** { print "Root path directory " $10 " is group writable." } \ $1 ~ /^d.......w/ \ { print "Root path directory " $10 " is other writable." }' \ ! < $TMP1 >> $OUTPUT fi done ! if [ $umaskset = "no" -o -s $OUTPUT ] ; then ! echo "\nChecking root sh paths, umask values:\n${list}" ! if [ -s $OUTPUT ] ; then ! cat $OUTPUT ! fi ! if [ $umaskset = "no" ] ; then ! echo "\nRoot sh startup files do not set the umask." ! fi fi # A good .kshrc will not have a umask or path, that being set in .profile # check anyway. - > $OUTPUT rhome=/root list="/etc/ksh.kshrc `cat $TMP2`" (cd $rhome for i in $list; do if [ -s $i ] ; then --- 199,217 ---- { print "Root path directory " $10 " is group writable." } \ $1 ~ /^d.......w/ \ { print "Root path directory " $10 " is other writable." }' \ ! < $TMP1 fi done ! if [ $umaskset = "no" ] ; then ! echo "\nRoot sh startup files do not set the umask." fi # A good .kshrc will not have a umask or path, that being set in .profile # check anyway. rhome=/root list="/etc/ksh.kshrc `cat $TMP2`" + next_part "Checking root ksh paths, umask values:\n${list}" (cd $rhome for i in $list; do if [ -s $i ] ; then *************** *** 247,253 **** awk '$2 % 100 < 20 \ { print "Root umask is group writable" } \ $2 % 10 < 2 \ ! { print "Root umask is other writable" }' >> $OUTPUT if egrep -a PATH= $i > /dev/null ; then SAVE_PATH=$PATH unset PATH --- 219,225 ---- awk '$2 % 100 < 20 \ { print "Root umask is group writable" } \ $2 % 10 < 2 \ ! { print "Root umask is other writable" }' if egrep -a PATH= $i > /dev/null ; then SAVE_PATH=$PATH unset PATH *************** *** 271,302 **** { print "Root path directory " $10 " is group writable." } \ $1 ~ /^d.......w/ \ { print "Root path directory " $10 " is other writable." }' \ ! < $TMP1 >> $OUTPUT fi fi done ) - if [ -s $OUTPUT ] ; then - echo "\nChecking root ksh paths, umask values:\n${list}" - cat $OUTPUT - fi # Root and uucp should both be in /etc/ftpusers. if egrep root /etc/ftpusers > /dev/null ; then : else ! echo "\nRoot not listed in /etc/ftpusers file." fi if egrep uucp /etc/ftpusers > /dev/null ; then : else ! echo "\nUucp not listed in /etc/ftpusers file." fi # Uudecode should not be in the /etc/mail/aliases file. if egrep 'uudecode|decode' /etc/mail/aliases; then ! echo "\nThere is an entry for uudecode in the /etc/mail/aliases file." fi # hostname.if files may contain secrets and should not be --- 243,271 ---- { print "Root path directory " $10 " is group writable." } \ $1 ~ /^d.......w/ \ { print "Root path directory " $10 " is other writable." }' \ ! < $TMP1 fi fi done ) + next_part "Checking configuration files:" # Root and uucp should both be in /etc/ftpusers. if egrep root /etc/ftpusers > /dev/null ; then : else ! echo "Root not listed in /etc/ftpusers file." fi if egrep uucp /etc/ftpusers > /dev/null ; then : else ! echo "Uucp not listed in /etc/ftpusers file." fi # Uudecode should not be in the /etc/mail/aliases file. if egrep 'uudecode|decode' /etc/mail/aliases; then ! echo "There is an entry for uudecode in the /etc/mail/aliases file." fi # hostname.if files may contain secrets and should not be *************** *** 307,313 **** continue fi if [ "$(stat -Lf "%SLp" $f)" != "---" ]; then ! echo "\n$f is world readable." fi done --- 276,282 ---- continue fi if [ "$(stat -Lf "%SLp" $f)" != "---" ]; then ! echo "$f is world readable." fi done *************** *** 319,325 **** if ($0 ~ /^\+@.*$/) next; if ($0 ~ /^\+.*$/) ! printf("\nPlus sign in %s file.\n", FILENAME); }' $f fi done --- 288,294 ---- if ($0 ~ /^\+@.*$/) next; if ($0 ~ /^\+.*$/) ! printf("Plus sign in %s file.\n", FILENAME); }' $f fi done *************** *** 327,332 **** --- 296,302 ---- # Check for special users with .rhosts/.shosts files. Only root # should have .rhosts/.shosts files. Also, .rhosts/.shosts # files should not have plus signs. + next_part "Checking for special users with .rhosts/.shosts files." awk -F: '$1 != "root" && $1 !~ /^[+-]/ && \ ($3 < 100 || $1 == "ftp" || $1 == "uucp") \ { print $1 " " $6 }' /etc/passwd | *************** *** 338,349 **** echo "${uid}: ${rhost}" fi done ! done > $OUTPUT ! if [ -s $OUTPUT ] ; then ! echo "\nChecking for special users with .rhosts/.shosts files." ! cat $OUTPUT ! fi awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \ while read uid homedir; do for j in .rhosts .shosts; do --- 308,316 ---- echo "${uid}: ${rhost}" fi done ! done + next_part "Checking .rhosts/.shosts files syntax." awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \ while read uid homedir; do for j in .rhosts .shosts; do *************** *** 357,370 **** }' ${homedir}/$j fi done ! done > $OUTPUT ! if [ -s $OUTPUT ] ; then ! echo "\nChecking .rhosts/.shosts files syntax." ! cat $OUTPUT ! fi # Check home directories. Directories should not be owned by someone else # or writeable. awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \ while read uid homedir; do if [ -d ${homedir}/ ] ; then --- 324,334 ---- }' ${homedir}/$j fi done ! done # Check home directories. Directories should not be owned by someone else # or writeable. + next_part "Checking home directories." awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \ while read uid homedir; do if [ -d ${homedir}/ ] ; then *************** *** 377,391 **** $2 ~ /^-....w/ \ { print "user " $1 " home directory is group writable" } $2 ~ /^-.......w/ \ ! { print "user " $1 " home directory is other writable" }' > $OUTPUT ! if [ -s $OUTPUT ] ; then ! echo "\nChecking home directories." ! cat $OUTPUT ! fi # Files that should not be owned by someone else or readable. list=".netrc .rhosts .gnupg/secring.gpg .gnupg/random_seed \ .pgp/secring.pgp .shosts .ssh/identity .ssh/id_dsa .ssh/id_rsa" awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \ while read uid homedir; do for f in $list ; do --- 341,352 ---- $2 ~ /^-....w/ \ { print "user " $1 " home directory is group writable" } $2 ~ /^-.......w/ \ ! { print "user " $1 " home directory is other writable" }' # Files that should not be owned by someone else or readable. list=".netrc .rhosts .gnupg/secring.gpg .gnupg/random_seed \ .pgp/secring.pgp .shosts .ssh/identity .ssh/id_dsa .ssh/id_rsa" + next_part "Checking dot files." awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \ while read uid homedir; do for f in $list ; do *************** *** 404,410 **** $3 ~ /^-....w/ \ { print "user " $1 " " $2 " file is group writable" } $3 ~ /^-.......w/ \ ! { print "user " $1 " " $2 " file is other writable" }' > $OUTPUT # Files that should not be owned by someone else or writeable. list=".bashrc .bash_profile .bash_login .bash_logout .cshrc \ --- 365,371 ---- $3 ~ /^-....w/ \ { print "user " $1 " " $2 " file is group writable" } $3 ~ /^-.......w/ \ ! { print "user " $1 " " $2 " file is other writable" }' # Files that should not be owned by someone else or writeable. list=".bashrc .bash_profile .bash_login .bash_logout .cshrc \ *************** *** 427,450 **** $3 ~ /^-....w/ \ { print "user " $1 " " $2 " file is group writable" } $3 ~ /^-.......w/ \ ! { print "user " $1 " " $2 " file is other writable" }' >> $OUTPUT ! if [ -s $OUTPUT ] ; then ! echo "\nChecking dot files." ! cat $OUTPUT ! fi # Mailboxes should be owned by user and unreadable. ls -l /var/mail | sed 1d | \ awk '$3 != $9 \ { print "user " $9 " mailbox is owned by " $3 } $1 != "-rw-------" \ ! { print "user " $9 " mailbox is " $1 ", group " $4 }' > $OUTPUT ! if [ -s $OUTPUT ] ; then ! echo "\nChecking mailbox ownership." ! cat $OUTPUT ! fi # File systems should not be globally exported. if [ -s /etc/exports ] ; then awk '{ if (($1 ~ /^#/) || ($1 ~ /^$/)) --- 388,405 ---- $3 ~ /^-....w/ \ { print "user " $1 " " $2 " file is group writable" } $3 ~ /^-.......w/ \ ! { print "user " $1 " " $2 " file is other writable" }' # Mailboxes should be owned by user and unreadable. + next_part "Checking mailbox ownership." ls -l /var/mail | sed 1d | \ awk '$3 != $9 \ { print "user " $9 " mailbox is owned by " $3 } $1 != "-rw-------" \ ! { print "user " $9 " mailbox is " $1 ", group " $4 }' # File systems should not be globally exported. + next_part "Checking for globally exported file systems." if [ -s /etc/exports ] ; then awk '{ if (($1 ~ /^#/) || ($1 ~ /^$/)) *************** *** 460,497 **** print "File system " $1 " globally exported, read-only." else print "File system " $1 " globally exported, read-write." ! }' < /etc/exports > $OUTPUT ! if [ -s $OUTPUT ] ; then ! echo "\nChecking for globally exported file systems." ! cat $OUTPUT ! fi fi # Display any changes in setuid/setgid files and devices. ! pending="\nChecking setuid/setgid files and devices:\n" ! (find / \( ! -fstype local \ -o -fstype procfs -o -fstype afs -o -fstype xfs \) -a -prune -o \ -type f -a \( -perm -u+s -o -perm -g+s \) -print0 -o \ ! -type d -a ! -type f -a ! -type l -a ! -type s -a ! -type p \ ! -print0 | xargs -0 ls -ldgT | sort +9 > $LIST) 2> $OUTPUT - # Display any errors that occurred during system file walk. - if [ -s $OUTPUT ] ; then - echo "${pending}Setuid/device find errors:" - pending= - cat $OUTPUT - echo "" - fi - # Display any changes in the setuid/setgid file list. FIELDS1=1.1,1.2,1.3,1.4,1.5,1.6,1.7,1.8,1.9,0 FIELDS2=2.1,2.2,2.3,2.4,2.5,2.6,2.7,2.8,2.9,0 egrep -av '^[bc]' $LIST | join -o $FIELDS2 -110 -210 -v2 /dev/null - > $TMP1 if [ -s $TMP1 ] ; then # Check to make sure uudecode isn't setuid. if grep -aw uudecode $TMP1 > /dev/null ; then ! echo "${pending}\nUudecode is setuid." ! pending= fi CUR=/var/backups/setuid.current --- 415,440 ---- print "File system " $1 " globally exported, read-only." else print "File system " $1 " globally exported, read-write." ! }' < /etc/exports fi # Display any changes in setuid/setgid files and devices. ! next_part "Setuid/device find errors:" ! find / \( ! -fstype local \ -o -fstype procfs -o -fstype afs -o -fstype xfs \) -a -prune -o \ -type f -a \( -perm -u+s -o -perm -g+s \) -print0 -o \ ! -type d -a ! -type f -a ! -type l -a ! -type s -a ! -type p \ ! -print0 | xargs -0 ls -ldgT | sort +9 > $LIST # Display any changes in the setuid/setgid file list. + next_part "Checking setuid/setgid files and devices:" FIELDS1=1.1,1.2,1.3,1.4,1.5,1.6,1.7,1.8,1.9,0 FIELDS2=2.1,2.2,2.3,2.4,2.5,2.6,2.7,2.8,2.9,0 egrep -av '^[bc]' $LIST | join -o $FIELDS2 -110 -210 -v2 /dev/null - > $TMP1 if [ -s $TMP1 ] ; then # Check to make sure uudecode isn't setuid. if grep -aw uudecode $TMP1 > /dev/null ; then ! echo "Uudecode is setuid." fi CUR=/var/backups/setuid.current *************** *** 501,546 **** if cmp -s $CUR $TMP1 ; then : else ! > $TMP2 ! join -o $FIELDS2 -110 -210 -v2 $CUR $TMP1 > $OUTPUT ! if [ -s $OUTPUT ] ; then ! echo "${pending}Setuid additions:" ! pending= ! tee -a $TMP2 < $OUTPUT | column -t ! echo "" ! fi ! join -o $FIELDS1 -110 -210 -v1 $CUR $TMP1 > $OUTPUT ! if [ -s $OUTPUT ] ; then ! echo "${pending}Setuid deletions:" ! pending= ! tee -a $TMP2 < $OUTPUT | column -t ! echo "" ! fi sort +9 $TMP2 $CUR $TMP1 | \ ! sed -e 's/[ ][ ]*/ /g' | uniq -u > $OUTPUT ! if [ -s $OUTPUT ] ; then ! echo "${pending}Setuid changes:" ! pending= ! column -t $OUTPUT ! echo "" ! fi cp $CUR $BACK cp $TMP1 $CUR fi else ! echo "${pending}Setuid additions:" ! pending= column -t $TMP1 - echo "" cp $TMP1 $CUR fi fi # Check for block and character disk devices that are readable or writeable # or not owned by root.operator. >$TMP1 DISKLIST="ccd dk fd hd hk hp jb kra ra rb rd rl rx rz sd up vnd wd xd" for i in $DISKLIST; do --- 444,474 ---- if cmp -s $CUR $TMP1 ; then : else ! next_part "Setuid additions:" ! join -o $FIELDS2 -110 -210 -v2 $CUR $TMP1 | \ ! tee $TMP2 | column -t ! next_part "Setuid deletions:" ! join -o $FIELDS1 -110 -210 -v1 $CUR $TMP1 | \ ! tee -a $TMP2 | column -t + next_part "Setuid changes:" sort +9 $TMP2 $CUR $TMP1 | \ ! sed -e 's/[ ][ ]*/ /g' | uniq -u | column -t cp $CUR $BACK cp $TMP1 $CUR fi else ! echo "Setuid additions:" column -t $TMP1 cp $TMP1 $CUR fi fi # Check for block and character disk devices that are readable or writeable # or not owned by root.operator. + next_part "Checking disk ownership and permissions." >$TMP1 DISKLIST="ccd dk fd hd hk hp jb kra ra rb rd rl rx rz sd up vnd wd xd" for i in $DISKLIST; do *************** *** 550,561 **** awk '$3 != "root" || $4 != "operator" || $1 !~ /.rw-r-----/ \ { printf("Disk %s is user %s, group %s, permissions %s.\n", \ ! $11, $3, $4, $1); }' < $TMP1 > $OUTPUT ! if [ -s $OUTPUT ] ; then ! echo "\nChecking disk ownership and permissions." ! cat $OUTPUT ! echo "" ! fi FIELDS1=1.1,1.2,1.3,1.4,1.5,1.6,1.7,1.8,1.9,1.10,0 FIELDS2=2.1,2.2,2.3,2.4,2.5,2.6,2.7,2.8,2.9,2.10,0 --- 478,484 ---- awk '$3 != "root" || $4 != "operator" || $1 !~ /.rw-r-----/ \ { printf("Disk %s is user %s, group %s, permissions %s.\n", \ ! $11, $3, $4, $1); }' < $TMP1 FIELDS1=1.1,1.2,1.3,1.4,1.5,1.6,1.7,1.8,1.9,1.10,0 FIELDS2=2.1,2.2,2.3,2.4,2.5,2.6,2.7,2.8,2.9,2.10,0 *************** *** 570,602 **** if cmp -s $CUR $TMP1 ; then : else ! > $TMP2 ! join -o $FIELDS2 -111 -211 -v2 $CUR $TMP1 > $OUTPUT ! if [ -s $OUTPUT ] ; then ! echo "Device additions:" ! tee -a $TMP2 < $OUTPUT | column -t ! echo "" ! fi ! join -o $FIELDS1 -111 -211 -v1 $CUR $TMP1 > $OUTPUT ! if [ -s $OUTPUT ] ; then ! echo "Device deletions:" ! tee -a $TMP2 < $OUTPUT | column -t ! echo "" ! fi # Report any block device change. Ignore character # devices, only the name is significant. cat $TMP2 $CUR $TMP1 | \ sed -e '/^c/d' | \ sort +10 | \ sed -e 's/[ ][ ]*/ /g' | \ ! uniq -u > $OUTPUT ! if [ -s $OUTPUT ] ; then ! echo "Block device changes:" ! column -t $OUTPUT ! echo "" ! fi cp $CUR $BACK cp $TMP1 $CUR --- 493,515 ---- if cmp -s $CUR $TMP1 ; then : else ! next_part "Device additions:" ! join -o $FIELDS2 -111 -211 -v2 $CUR $TMP1 | \ ! tee $TMP2 | column -t ! next_part "Device deletions:" ! join -o $FIELDS1 -111 -211 -v1 $CUR $TMP1 | \ ! tee -a $TMP2 | column -t # Report any block device change. Ignore character # devices, only the name is significant. + next_part "Block device changes:" cat $TMP2 $CUR $TMP1 | \ sed -e '/^c/d' | \ sort +10 | \ sed -e 's/[ ][ ]*/ /g' | \ ! uniq -u | \ ! column -t cp $CUR $BACK cp $TMP1 $CUR *************** *** 622,651 **** # the hacker can modify the tree specification to match the replaced binary. # For details on really protecting yourself against modified binaries, see # the mtree(8) manual page. if [ -d /etc/mtree ] ; then cd /etc/mtree ! mtree -e -l -p / -f /etc/mtree/special > $OUTPUT ! if [ -s $OUTPUT ] ; then ! echo "\nChecking special files and directories." ! echo "Output format is:\n\tfilename:" ! echo "\t\tcriteria (shouldbe, reallyis)" ! cat $OUTPUT ! fi ! ! > $OUTPUT for file in *.secure; do [ $file = '*.secure' ] && continue tree=`sed -n -e '3s/.* //p' -e 3q $file` ! mtree -f $file -p $tree > $TMP1 ! if [ -s $TMP1 ] ; then ! echo "\nChecking ${tree}:" >> $OUTPUT ! cat $TMP1 >> $OUTPUT ! fi done - if [ -s $OUTPUT ] ; then - echo "\nChecking system binaries:" - cat $OUTPUT - fi else echo /etc/mtree is missing fi --- 535,551 ---- # the hacker can modify the tree specification to match the replaced binary. # For details on really protecting yourself against modified binaries, see # the mtree(8) manual page. + next_part "Checking special files and directories. + Output format is:\n\tfilename:\n\t\tcriteria (shouldbe, reallyis)" if [ -d /etc/mtree ] ; then cd /etc/mtree ! mtree -e -l -p / -f /etc/mtree/special for file in *.secure; do [ $file = '*.secure' ] && continue tree=`sed -n -e '3s/.* //p' -e 3q $file` ! next_part "Checking system binaries in ${tree}:" ! mtree -f $file -p $tree done else echo /etc/mtree is missing fi *************** *** 660,684 **** for file in `egrep -v "^(#|\+|$MP)" /etc/changelist`; do CUR=/var/backups/$(_fnchg "$file").current BACK=/var/backups/$(_fnchg "$file").backup if [ -s $file -a ! -d $file ] ; then if [ -s $CUR ] ; then ! diff -ua $CUR $file > $OUTPUT ! if [ -s $OUTPUT ] ; then ! echo "\n======\n${file} diffs (-OLD +NEW)\n======" ! cat $OUTPUT cp -p $CUR $BACK cp -p $file $CUR chown root:wheel $CUR $BACK fi else - echo "\n======\n${file} diffs (-OLD +NEW)\n======" diff -u /dev/null $file cp -p $file $CUR chown root:wheel $CUR fi fi if [ ! -s $file -a -s $CUR ]; then - echo "\n======\n${file} diffs (-OLD +NEW)\n======" diff -u $CUR /dev/null cp -p $CUR $BACK rm -f $CUR --- 560,581 ---- for file in `egrep -v "^(#|\+|$MP)" /etc/changelist`; do CUR=/var/backups/$(_fnchg "$file").current BACK=/var/backups/$(_fnchg "$file").backup + next_part "======\n${file} diffs (-OLD +NEW)\n======" if [ -s $file -a ! -d $file ] ; then if [ -s $CUR ] ; then ! diff -ua $CUR $file ! if [ -s $PARTOUT ] ; then cp -p $CUR $BACK cp -p $file $CUR chown root:wheel $CUR $BACK fi else diff -u /dev/null $file cp -p $file $CUR chown root:wheel $CUR fi fi if [ ! -s $file -a -s $CUR ]; then diff -u $CUR /dev/null cp -p $CUR $BACK rm -f $CUR *************** *** 727,738 **** file=/var/backups/disklabel.$d CUR=$file.current BACK=$file.backup if disklabel $d > $file 2>&1 ; then if [ -s $CUR ] ; then ! diff -u $CUR $file > $OUTPUT ! if [ -s $OUTPUT ] ; then ! echo "\n======\n${d} diffs (-OLD +NEW)\n======" ! cat $OUTPUT cp -p $CUR $BACK cp -p $file $CUR chown root:wheel $CUR $BACK --- 624,634 ---- file=/var/backups/disklabel.$d CUR=$file.current BACK=$file.backup + next_part "======\n${d} diffs (-OLD +NEW)\n======" if disklabel $d > $file 2>&1 ; then if [ -s $CUR ] ; then ! diff -u $CUR $file ! if [ -s $PARTOUT ] ; then cp -p $CUR $BACK cp -p $file $CUR chown root:wheel $CUR $BACK *************** *** 746,760 **** done # Backup the list of installed packages and produce diffs when it changes. file=/var/backups/pkglist CUR=$file.current BACK=$file.backup if pkg_info > $file 2>&1 ; then if [ -s $CUR ] ; then ! diff -u $CUR $file > $OUTPUT ! if [ -s $OUTPUT ] ; then ! echo "\n======\nPackage list changes (-OLD +NEW)\n======" ! cat $OUTPUT cp -p $CUR $BACK cp -p $file $CUR chown root:wheel $CUR $BACK --- 642,655 ---- done # Backup the list of installed packages and produce diffs when it changes. + next_part "======\nPackage list changes (-OLD +NEW)\n======" file=/var/backups/pkglist CUR=$file.current BACK=$file.backup if pkg_info > $file 2>&1 ; then if [ -s $CUR ] ; then ! diff -u $CUR $file ! if [ -s $PARTOUT ] ; then cp -p $CUR $BACK cp -p $file $CUR chown root:wheel $CUR $BACK