version 1.40, 2000/10/18 16:45:27 |
version 1.41, 2000/10/20 16:27:16 |
|
|
OUTPUT=$DIR/_secure6 |
OUTPUT=$DIR/_secure6 |
|
|
if ! mkdir $DIR ; then |
if ! mkdir $DIR ; then |
printf "tmp directory %s already exists, looks like:\n" $DIR |
echo "tmp directory ${DIR} already exists, looks like:" |
ls -alqF $DIR |
ls -alqF $DIR |
exit 1 |
exit 1 |
fi |
fi |
|
|
printf("Login %s has a negative group ID.\n", $1); |
printf("Login %s has a negative group ID.\n", $1); |
}' < $MP > $OUTPUT |
}' < $MP > $OUTPUT |
if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
printf "\nChecking the %s file:\n" "$MP" |
echo "\nChecking the ${MP} file:" |
cat $OUTPUT |
cat $OUTPUT |
fi |
fi |
|
|
awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT |
awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT |
if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
printf "\n%s has duplicate user names.\n" "$MP" |
echo "\n${MP} has duplicate user names." |
column $OUTPUT |
column $OUTPUT |
fi |
fi |
|
|
awk -F: '{ print $1 " " $3 }' $MP | sort -n +1 | tee $TMP1 | |
awk -F: '{ print $1 " " $3 }' $MP | sort -n +1 | tee $TMP1 | |
uniq -d -f 1 | awk '{ print $2 }' > $TMP2 |
uniq -d -f 1 | awk '{ print $2 }' > $TMP2 |
if [ -s $TMP2 ] ; then |
if [ -s $TMP2 ] ; then |
printf "\n%s has duplicate user ID's.\n" "$MP" |
echo "\n${MP} has duplicate user ID's." |
while read uid; do |
while read uid; do |
grep -w $uid $TMP1 |
grep -w $uid $TMP1 |
done < $TMP2 | column |
done < $TMP2 | column |
|
|
printf("Login %s has a negative group ID.\n", $1); |
printf("Login %s has a negative group ID.\n", $1); |
}' < $GRP > $OUTPUT |
}' < $GRP > $OUTPUT |
if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
printf "\nChecking the %s file:\n" "$GRP" |
echo "\nChecking the ${GRP} file:" |
cat $OUTPUT |
cat $OUTPUT |
fi |
fi |
|
|
awk -F: '{ print $1 }' $GRP | sort | uniq -d > $OUTPUT |
awk -F: '{ print $1 }' $GRP | sort | uniq -d > $OUTPUT |
if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
printf "\n%s has duplicate group names.\n" "$GRP" |
echo "\n${GRP} has duplicate group names." |
column $OUTPUT |
column $OUTPUT |
fi |
fi |
|
|
|
|
fi |
fi |
done |
done |
if [ $umaskset = "no" -o -s $OUTPUT ] ; then |
if [ $umaskset = "no" -o -s $OUTPUT ] ; then |
printf "\nChecking root csh paths, umask values:\n%s\n" "$list" |
echo "\nChecking root csh paths, umask values:\n${list}" |
if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
cat $OUTPUT |
cat $OUTPUT |
fi |
fi |
if [ $umaskset = "no" ] ; then |
if [ $umaskset = "no" ] ; then |
printf "\nRoot csh startup files do not set the umask.\n" |
echo "\nRoot csh startup files do not set the umask." |
fi |
fi |
fi |
fi |
|
|
|
|
fi |
fi |
done |
done |
if [ $umaskset = "no" -o -s $OUTPUT ] ; then |
if [ $umaskset = "no" -o -s $OUTPUT ] ; then |
printf "\nChecking root sh paths, umask values:\n%s\n" "$list" |
echo "\nChecking root sh paths, umask values:\n${list}" |
if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
cat $OUTPUT |
cat $OUTPUT |
fi |
fi |
if [ $umaskset = "no" ] ; then |
if [ $umaskset = "no" ] ; then |
printf "\nRoot sh startup files do not set the umask.\n" |
echo "\nRoot sh startup files do not set the umask." |
fi |
fi |
fi |
fi |
|
|
|
|
done |
done |
) |
) |
if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
printf "\nChecking root ksh paths, umask values:\n%s\n" "$list" |
echo "\nChecking root ksh paths, umask values:\n${list}" |
cat $OUTPUT |
cat $OUTPUT |
fi |
fi |
|
|
|
|
if egrep root /etc/ftpusers > /dev/null ; then |
if egrep root /etc/ftpusers > /dev/null ; then |
: |
: |
else |
else |
printf "\nRoot not listed in /etc/ftpusers file.\n" |
echo "\nRoot not listed in /etc/ftpusers file." |
fi |
fi |
if egrep uucp /etc/ftpusers > /dev/null ; then |
if egrep uucp /etc/ftpusers > /dev/null ; then |
: |
: |
else |
else |
printf "\nUucp not listed in /etc/ftpusers file.\n" |
echo "\nUucp not listed in /etc/ftpusers file." |
fi |
fi |
|
|
# Uudecode should not be in the /etc/mail/aliases file. |
# Uudecode should not be in the /etc/mail/aliases file. |
if egrep 'uudecode|decode' /etc/mail/aliases; then |
if egrep 'uudecode|decode' /etc/mail/aliases; then |
printf "\nThere is an entry for uudecode in the /etc/mail/aliases file.\n" |
echo "\nThere is an entry for uudecode in the /etc/mail/aliases file." |
fi |
fi |
|
|
# Files that should not have + signs. |
# Files that should not have + signs. |
|
|
# Root owned .rhosts/.shosts files are ok. |
# Root owned .rhosts/.shosts files are ok. |
if [ -s ${homedir}/$j -a ! -O ${homedir}/$j ] ; then |
if [ -s ${homedir}/$j -a ! -O ${homedir}/$j ] ; then |
rhost=`ls -ldgT ${homedir}/$j` |
rhost=`ls -ldgT ${homedir}/$j` |
printf "%s: %s\n" "$uid" "$rhost" |
echo "${uid}: ${rhost}" |
fi |
fi |
done |
done |
done > $OUTPUT |
done > $OUTPUT |
if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
printf "\nChecking for special users with .rhosts/.shosts files.\n" |
echo "\nChecking for special users with .rhosts/.shosts files." |
cat $OUTPUT |
cat $OUTPUT |
fi |
fi |
|
|
|
|
done |
done |
done > $OUTPUT |
done > $OUTPUT |
if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
printf "\nChecking .rhosts/.shosts files syntax.\n" |
echo "\nChecking .rhosts/.shosts files syntax." |
cat $OUTPUT |
cat $OUTPUT |
fi |
fi |
|
|
|
|
while read uid homedir; do |
while read uid homedir; do |
if [ -d ${homedir}/ ] ; then |
if [ -d ${homedir}/ ] ; then |
file=`ls -ldgT ${homedir}` |
file=`ls -ldgT ${homedir}` |
printf "%s %s\n" "$uid" "$file" |
echo "${uid} ${file}" |
fi |
fi |
done | |
done | |
awk '$1 != $4 && $4 != "root" \ |
awk '$1 != $4 && $4 != "root" \ |
|
|
$2 ~ /^-.......w/ \ |
$2 ~ /^-.......w/ \ |
{ print "user " $1 " home directory is other writeable" }' > $OUTPUT |
{ print "user " $1 " home directory is other writeable" }' > $OUTPUT |
if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
printf "\nChecking home directories.\n" |
echo "\nChecking home directories." |
cat $OUTPUT |
cat $OUTPUT |
fi |
fi |
|
|
|
|
for f in $list ; do |
for f in $list ; do |
file=${homedir}/${f} |
file=${homedir}/${f} |
if [ -f $file ] ; then |
if [ -f $file ] ; then |
printf "%s %s %s\n" "$uid" "$f" "`ls -ldgT $file`" |
echo "${uid} ${f} `ls -ldgT ${file}`" |
fi |
fi |
done |
done |
done | |
done | |
|
|
for f in $list ; do |
for f in $list ; do |
file=${homedir}/${f} |
file=${homedir}/${f} |
if [ -f $file ] ; then |
if [ -f $file ] ; then |
printf "%s %s %s\n" "$uid" "$f" "`ls -ldgT $file`" |
echo "${uid} ${f} `ls -ldgT ${file}`" |
fi |
fi |
done |
done |
done | |
done | |
|
|
$3 ~ /^-.......w/ \ |
$3 ~ /^-.......w/ \ |
{ print "user " $1 " " $2 " file is other writeable" }' >> $OUTPUT |
{ print "user " $1 " " $2 " file is other writeable" }' >> $OUTPUT |
if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
printf "\nChecking dot files.\n" |
echo "\nChecking dot files." |
cat $OUTPUT |
cat $OUTPUT |
fi |
fi |
|
|
|
|
$1 != "-rw-------" \ |
$1 != "-rw-------" \ |
{ print "user " $9 " mailbox is " $1 ", group " $4 }' > $OUTPUT |
{ print "user " $9 " mailbox is " $1 ", group " $4 }' > $OUTPUT |
if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
printf "\nChecking mailbox ownership.\n" |
echo "\nChecking mailbox ownership." |
cat $OUTPUT |
cat $OUTPUT |
fi |
fi |
|
|
|
|
print "File system " $1 " globally exported, read-write." |
print "File system " $1 " globally exported, read-write." |
}' < /etc/exports > $OUTPUT |
}' < /etc/exports > $OUTPUT |
if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
printf "\nChecking for globally exported file systems.\n" |
echo "\nChecking for globally exported file systems." |
cat $OUTPUT |
cat $OUTPUT |
fi |
fi |
fi |
fi |
|
|
|
|
# Display any errors that occurred during system file walk. |
# Display any errors that occurred during system file walk. |
if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
printf "%sSetuid/device find errors:\n" "$pending" |
echo "${pending}Setuid/device find errors:" |
pending= |
pending= |
cat $OUTPUT |
cat $OUTPUT |
printf "\n" |
echo "" |
fi |
fi |
|
|
# Display any changes in the setuid/setgid file list. |
# Display any changes in the setuid/setgid file list. |
|
|
if [ -s $TMP1 ] ; then |
if [ -s $TMP1 ] ; then |
# Check to make sure uudecode isn't setuid. |
# Check to make sure uudecode isn't setuid. |
if grep -w uudecode $TMP1 > /dev/null ; then |
if grep -w uudecode $TMP1 > /dev/null ; then |
printf "%s\nUudecode is setuid.\n" "$pending" |
echo "${pending}\nUudecode is setuid." |
pending= |
pending= |
fi |
fi |
|
|
|
|
> $TMP2 |
> $TMP2 |
join -110 -210 -v2 $CUR $TMP1 > $OUTPUT |
join -110 -210 -v2 $CUR $TMP1 > $OUTPUT |
if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
printf "%sSetuid additions:\n" "$pending" |
echo "${pending}Setuid additions:" |
pending= |
pending= |
tee -a $TMP2 < $OUTPUT |
tee -a $TMP2 < $OUTPUT |
printf "\n" |
echo "" |
fi |
fi |
|
|
join -110 -210 -v1 $CUR $TMP1 > $OUTPUT |
join -110 -210 -v1 $CUR $TMP1 > $OUTPUT |
if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
printf "%sSetuid deletions:\n" "$pending" |
echo "${pending}Setuid deletions:" |
pending= |
pending= |
tee -a $TMP2 < $OUTPUT |
tee -a $TMP2 < $OUTPUT |
printf "\n" |
echo "" |
fi |
fi |
|
|
sort +9 $TMP2 $CUR $TMP1 | \ |
sort +9 $TMP2 $CUR $TMP1 | \ |
sed -e 's/[ ][ ]*/ /g' | uniq -u > $OUTPUT |
sed -e 's/[ ][ ]*/ /g' | uniq -u > $OUTPUT |
if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
printf "%sSetuid changes:\n" "$pending" |
echo "${pending}Setuid changes:" |
pending= |
pending= |
column -t $OUTPUT |
column -t $OUTPUT |
printf "\n" |
echo "" |
fi |
fi |
|
|
cp $CUR $BACK |
cp $CUR $BACK |
cp $TMP1 $CUR |
cp $TMP1 $CUR |
fi |
fi |
else |
else |
printf "%sSetuid additions:\n" "$pending" |
echo "${pending}Setuid additions:" |
pending= |
pending= |
column -t $TMP1 |
column -t $TMP1 |
printf "\n" |
echo "" |
cp $TMP1 $CUR |
cp $TMP1 $CUR |
fi |
fi |
fi |
fi |
|
|
{ printf("Disk %s is user %s, group %s, permissions %s.\n", \ |
{ printf("Disk %s is user %s, group %s, permissions %s.\n", \ |
$11, $3, $4, $1); }' < $TMP1 > $OUTPUT |
$11, $3, $4, $1); }' < $TMP1 > $OUTPUT |
if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
printf "\nChecking disk ownership and permissions.\n" |
echo "\nChecking disk ownership and permissions." |
cat $OUTPUT |
cat $OUTPUT |
printf "\n" |
echo "" |
fi |
fi |
|
|
# Display any changes in the device file list. |
# Display any changes in the device file list. |
|
|
> $TMP2 |
> $TMP2 |
join -111 -211 -v2 $CUR $TMP1 > $OUTPUT |
join -111 -211 -v2 $CUR $TMP1 > $OUTPUT |
if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
printf "Device additions:\n" |
echo "Device additions:" |
tee -a $TMP2 < $OUTPUT |
tee -a $TMP2 < $OUTPUT |
printf "\n" |
echo "" |
fi |
fi |
|
|
join -111 -211 -v1 $CUR $TMP1 > $OUTPUT |
join -111 -211 -v1 $CUR $TMP1 > $OUTPUT |
if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
printf "Device deletions:\n" |
echo "Device deletions:" |
tee -a $TMP2 < $OUTPUT |
tee -a $TMP2 < $OUTPUT |
printf "\n" |
echo "" |
fi |
fi |
|
|
# Report any block device change. Ignore character |
# Report any block device change. Ignore character |
|
|
sed -e 's/[ ][ ]*/ /g' | \ |
sed -e 's/[ ][ ]*/ /g' | \ |
uniq -u > $OUTPUT |
uniq -u > $OUTPUT |
if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
printf "Block device changes:\n" |
echo "Block device changes:" |
column -t $OUTPUT |
column -t $OUTPUT |
printf "\n" |
echo "" |
fi |
fi |
|
|
cp $CUR $BACK |
cp $CUR $BACK |
cp $TMP1 $CUR |
cp $TMP1 $CUR |
fi |
fi |
else |
else |
printf "Device additions:\n" |
echo "Device additions:" |
column -t $TMP1 |
column -t $TMP1 |
printf "\n" |
echo "" |
cp $TMP1 $CUR |
cp $TMP1 $CUR |
fi |
fi |
fi |
fi |
|
|
cd /etc/mtree |
cd /etc/mtree |
mtree -e -p / -f /etc/mtree/special > $OUTPUT |
mtree -e -p / -f /etc/mtree/special > $OUTPUT |
if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
printf "\nChecking special files and directories.\n" |
echo "\nChecking special files and directories." |
printf "Output format is:\n\tfilename:\n" |
echo "Output format is:\n\tfilename:" |
printf "\t\tcriteria (shouldbe, reallyis)\n" |
echo "\t\tcriteria (shouldbe, reallyis)" |
cat $OUTPUT |
cat $OUTPUT |
fi |
fi |
|
|
|
|
tree=`sed -n -e '3s/.* //p' -e 3q $file` |
tree=`sed -n -e '3s/.* //p' -e 3q $file` |
mtree -f $file -p $tree > $TMP1 |
mtree -f $file -p $tree > $TMP1 |
if [ -s $TMP1 ] ; then |
if [ -s $TMP1 ] ; then |
printf "\nChecking %s:\n" "$tree" >> $OUTPUT |
echo "\nChecking ${tree}:" >> $OUTPUT |
cat $TMP1 >> $OUTPUT |
cat $TMP1 >> $OUTPUT |
fi |
fi |
done |
done |
if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
printf "\nChecking system binaries:\n" |
echo "\nChecking system binaries:" |
cat $OUTPUT |
cat $OUTPUT |
fi |
fi |
else |
else |
|
|
if [ -s $CUR ] ; then |
if [ -s $CUR ] ; then |
diff $CUR $file > $OUTPUT |
diff $CUR $file > $OUTPUT |
if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
printf "\n======\n%s diffs (OLD < > NEW)\n======\n" $file |
echo "\n======\n${file} diffs (OLD < > NEW)\n======" |
cat $OUTPUT |
cat $OUTPUT |
cp -p $CUR $BACK |
cp -p $CUR $BACK |
cp -p $file $CUR |
cp -p $file $CUR |