| version 1.40, 2000/10/18 16:45:27 |
version 1.41, 2000/10/20 16:27:16 |
|
|
| OUTPUT=$DIR/_secure6 |
OUTPUT=$DIR/_secure6 |
| |
|
| if ! mkdir $DIR ; then |
if ! mkdir $DIR ; then |
| printf "tmp directory %s already exists, looks like:\n" $DIR |
echo "tmp directory ${DIR} already exists, looks like:" |
| ls -alqF $DIR |
ls -alqF $DIR |
| exit 1 |
exit 1 |
| fi |
fi |
|
|
| printf("Login %s has a negative group ID.\n", $1); |
printf("Login %s has a negative group ID.\n", $1); |
| }' < $MP > $OUTPUT |
}' < $MP > $OUTPUT |
| if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
| printf "\nChecking the %s file:\n" "$MP" |
echo "\nChecking the ${MP} file:" |
| cat $OUTPUT |
cat $OUTPUT |
| fi |
fi |
| |
|
| awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT |
awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT |
| if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
| printf "\n%s has duplicate user names.\n" "$MP" |
echo "\n${MP} has duplicate user names." |
| column $OUTPUT |
column $OUTPUT |
| fi |
fi |
| |
|
| awk -F: '{ print $1 " " $3 }' $MP | sort -n +1 | tee $TMP1 | |
awk -F: '{ print $1 " " $3 }' $MP | sort -n +1 | tee $TMP1 | |
| uniq -d -f 1 | awk '{ print $2 }' > $TMP2 |
uniq -d -f 1 | awk '{ print $2 }' > $TMP2 |
| if [ -s $TMP2 ] ; then |
if [ -s $TMP2 ] ; then |
| printf "\n%s has duplicate user ID's.\n" "$MP" |
echo "\n${MP} has duplicate user ID's." |
| while read uid; do |
while read uid; do |
| grep -w $uid $TMP1 |
grep -w $uid $TMP1 |
| done < $TMP2 | column |
done < $TMP2 | column |
|
|
| printf("Login %s has a negative group ID.\n", $1); |
printf("Login %s has a negative group ID.\n", $1); |
| }' < $GRP > $OUTPUT |
}' < $GRP > $OUTPUT |
| if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
| printf "\nChecking the %s file:\n" "$GRP" |
echo "\nChecking the ${GRP} file:" |
| cat $OUTPUT |
cat $OUTPUT |
| fi |
fi |
| |
|
| awk -F: '{ print $1 }' $GRP | sort | uniq -d > $OUTPUT |
awk -F: '{ print $1 }' $GRP | sort | uniq -d > $OUTPUT |
| if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
| printf "\n%s has duplicate group names.\n" "$GRP" |
echo "\n${GRP} has duplicate group names." |
| column $OUTPUT |
column $OUTPUT |
| fi |
fi |
| |
|
|
|
| fi |
fi |
| done |
done |
| if [ $umaskset = "no" -o -s $OUTPUT ] ; then |
if [ $umaskset = "no" -o -s $OUTPUT ] ; then |
| printf "\nChecking root csh paths, umask values:\n%s\n" "$list" |
echo "\nChecking root csh paths, umask values:\n${list}" |
| if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
| cat $OUTPUT |
cat $OUTPUT |
| fi |
fi |
| if [ $umaskset = "no" ] ; then |
if [ $umaskset = "no" ] ; then |
| printf "\nRoot csh startup files do not set the umask.\n" |
echo "\nRoot csh startup files do not set the umask." |
| fi |
fi |
| fi |
fi |
| |
|
|
|
| fi |
fi |
| done |
done |
| if [ $umaskset = "no" -o -s $OUTPUT ] ; then |
if [ $umaskset = "no" -o -s $OUTPUT ] ; then |
| printf "\nChecking root sh paths, umask values:\n%s\n" "$list" |
echo "\nChecking root sh paths, umask values:\n${list}" |
| if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
| cat $OUTPUT |
cat $OUTPUT |
| fi |
fi |
| if [ $umaskset = "no" ] ; then |
if [ $umaskset = "no" ] ; then |
| printf "\nRoot sh startup files do not set the umask.\n" |
echo "\nRoot sh startup files do not set the umask." |
| fi |
fi |
| fi |
fi |
| |
|
|
|
| done |
done |
| ) |
) |
| if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
| printf "\nChecking root ksh paths, umask values:\n%s\n" "$list" |
echo "\nChecking root ksh paths, umask values:\n${list}" |
| cat $OUTPUT |
cat $OUTPUT |
| fi |
fi |
| |
|
|
|
| if egrep root /etc/ftpusers > /dev/null ; then |
if egrep root /etc/ftpusers > /dev/null ; then |
| : |
: |
| else |
else |
| printf "\nRoot not listed in /etc/ftpusers file.\n" |
echo "\nRoot not listed in /etc/ftpusers file." |
| fi |
fi |
| if egrep uucp /etc/ftpusers > /dev/null ; then |
if egrep uucp /etc/ftpusers > /dev/null ; then |
| : |
: |
| else |
else |
| printf "\nUucp not listed in /etc/ftpusers file.\n" |
echo "\nUucp not listed in /etc/ftpusers file." |
| fi |
fi |
| |
|
| # Uudecode should not be in the /etc/mail/aliases file. |
# Uudecode should not be in the /etc/mail/aliases file. |
| if egrep 'uudecode|decode' /etc/mail/aliases; then |
if egrep 'uudecode|decode' /etc/mail/aliases; then |
| printf "\nThere is an entry for uudecode in the /etc/mail/aliases file.\n" |
echo "\nThere is an entry for uudecode in the /etc/mail/aliases file." |
| fi |
fi |
| |
|
| # Files that should not have + signs. |
# Files that should not have + signs. |
|
|
| # Root owned .rhosts/.shosts files are ok. |
# Root owned .rhosts/.shosts files are ok. |
| if [ -s ${homedir}/$j -a ! -O ${homedir}/$j ] ; then |
if [ -s ${homedir}/$j -a ! -O ${homedir}/$j ] ; then |
| rhost=`ls -ldgT ${homedir}/$j` |
rhost=`ls -ldgT ${homedir}/$j` |
| printf "%s: %s\n" "$uid" "$rhost" |
echo "${uid}: ${rhost}" |
| fi |
fi |
| done |
done |
| done > $OUTPUT |
done > $OUTPUT |
| if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
| printf "\nChecking for special users with .rhosts/.shosts files.\n" |
echo "\nChecking for special users with .rhosts/.shosts files." |
| cat $OUTPUT |
cat $OUTPUT |
| fi |
fi |
| |
|
|
|
| done |
done |
| done > $OUTPUT |
done > $OUTPUT |
| if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
| printf "\nChecking .rhosts/.shosts files syntax.\n" |
echo "\nChecking .rhosts/.shosts files syntax." |
| cat $OUTPUT |
cat $OUTPUT |
| fi |
fi |
| |
|
|
|
| while read uid homedir; do |
while read uid homedir; do |
| if [ -d ${homedir}/ ] ; then |
if [ -d ${homedir}/ ] ; then |
| file=`ls -ldgT ${homedir}` |
file=`ls -ldgT ${homedir}` |
| printf "%s %s\n" "$uid" "$file" |
echo "${uid} ${file}" |
| fi |
fi |
| done | |
done | |
| awk '$1 != $4 && $4 != "root" \ |
awk '$1 != $4 && $4 != "root" \ |
|
|
| $2 ~ /^-.......w/ \ |
$2 ~ /^-.......w/ \ |
| { print "user " $1 " home directory is other writeable" }' > $OUTPUT |
{ print "user " $1 " home directory is other writeable" }' > $OUTPUT |
| if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
| printf "\nChecking home directories.\n" |
echo "\nChecking home directories." |
| cat $OUTPUT |
cat $OUTPUT |
| fi |
fi |
| |
|
|
|
| for f in $list ; do |
for f in $list ; do |
| file=${homedir}/${f} |
file=${homedir}/${f} |
| if [ -f $file ] ; then |
if [ -f $file ] ; then |
| printf "%s %s %s\n" "$uid" "$f" "`ls -ldgT $file`" |
echo "${uid} ${f} `ls -ldgT ${file}`" |
| fi |
fi |
| done |
done |
| done | |
done | |
|
|
| for f in $list ; do |
for f in $list ; do |
| file=${homedir}/${f} |
file=${homedir}/${f} |
| if [ -f $file ] ; then |
if [ -f $file ] ; then |
| printf "%s %s %s\n" "$uid" "$f" "`ls -ldgT $file`" |
echo "${uid} ${f} `ls -ldgT ${file}`" |
| fi |
fi |
| done |
done |
| done | |
done | |
|
|
| $3 ~ /^-.......w/ \ |
$3 ~ /^-.......w/ \ |
| { print "user " $1 " " $2 " file is other writeable" }' >> $OUTPUT |
{ print "user " $1 " " $2 " file is other writeable" }' >> $OUTPUT |
| if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
| printf "\nChecking dot files.\n" |
echo "\nChecking dot files." |
| cat $OUTPUT |
cat $OUTPUT |
| fi |
fi |
| |
|
|
|
| $1 != "-rw-------" \ |
$1 != "-rw-------" \ |
| { print "user " $9 " mailbox is " $1 ", group " $4 }' > $OUTPUT |
{ print "user " $9 " mailbox is " $1 ", group " $4 }' > $OUTPUT |
| if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
| printf "\nChecking mailbox ownership.\n" |
echo "\nChecking mailbox ownership." |
| cat $OUTPUT |
cat $OUTPUT |
| fi |
fi |
| |
|
|
|
| print "File system " $1 " globally exported, read-write." |
print "File system " $1 " globally exported, read-write." |
| }' < /etc/exports > $OUTPUT |
}' < /etc/exports > $OUTPUT |
| if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
| printf "\nChecking for globally exported file systems.\n" |
echo "\nChecking for globally exported file systems." |
| cat $OUTPUT |
cat $OUTPUT |
| fi |
fi |
| fi |
fi |
|
|
| |
|
| # Display any errors that occurred during system file walk. |
# Display any errors that occurred during system file walk. |
| if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
| printf "%sSetuid/device find errors:\n" "$pending" |
echo "${pending}Setuid/device find errors:" |
| pending= |
pending= |
| cat $OUTPUT |
cat $OUTPUT |
| printf "\n" |
echo "" |
| fi |
fi |
| |
|
| # Display any changes in the setuid/setgid file list. |
# Display any changes in the setuid/setgid file list. |
|
|
| if [ -s $TMP1 ] ; then |
if [ -s $TMP1 ] ; then |
| # Check to make sure uudecode isn't setuid. |
# Check to make sure uudecode isn't setuid. |
| if grep -w uudecode $TMP1 > /dev/null ; then |
if grep -w uudecode $TMP1 > /dev/null ; then |
| printf "%s\nUudecode is setuid.\n" "$pending" |
echo "${pending}\nUudecode is setuid." |
| pending= |
pending= |
| fi |
fi |
| |
|
|
|
| > $TMP2 |
> $TMP2 |
| join -110 -210 -v2 $CUR $TMP1 > $OUTPUT |
join -110 -210 -v2 $CUR $TMP1 > $OUTPUT |
| if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
| printf "%sSetuid additions:\n" "$pending" |
echo "${pending}Setuid additions:" |
| pending= |
pending= |
| tee -a $TMP2 < $OUTPUT |
tee -a $TMP2 < $OUTPUT |
| printf "\n" |
echo "" |
| fi |
fi |
| |
|
| join -110 -210 -v1 $CUR $TMP1 > $OUTPUT |
join -110 -210 -v1 $CUR $TMP1 > $OUTPUT |
| if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
| printf "%sSetuid deletions:\n" "$pending" |
echo "${pending}Setuid deletions:" |
| pending= |
pending= |
| tee -a $TMP2 < $OUTPUT |
tee -a $TMP2 < $OUTPUT |
| printf "\n" |
echo "" |
| fi |
fi |
| |
|
| sort +9 $TMP2 $CUR $TMP1 | \ |
sort +9 $TMP2 $CUR $TMP1 | \ |
| sed -e 's/[ ][ ]*/ /g' | uniq -u > $OUTPUT |
sed -e 's/[ ][ ]*/ /g' | uniq -u > $OUTPUT |
| if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
| printf "%sSetuid changes:\n" "$pending" |
echo "${pending}Setuid changes:" |
| pending= |
pending= |
| column -t $OUTPUT |
column -t $OUTPUT |
| printf "\n" |
echo "" |
| fi |
fi |
| |
|
| cp $CUR $BACK |
cp $CUR $BACK |
| cp $TMP1 $CUR |
cp $TMP1 $CUR |
| fi |
fi |
| else |
else |
| printf "%sSetuid additions:\n" "$pending" |
echo "${pending}Setuid additions:" |
| pending= |
pending= |
| column -t $TMP1 |
column -t $TMP1 |
| printf "\n" |
echo "" |
| cp $TMP1 $CUR |
cp $TMP1 $CUR |
| fi |
fi |
| fi |
fi |
|
|
| { printf("Disk %s is user %s, group %s, permissions %s.\n", \ |
{ printf("Disk %s is user %s, group %s, permissions %s.\n", \ |
| $11, $3, $4, $1); }' < $TMP1 > $OUTPUT |
$11, $3, $4, $1); }' < $TMP1 > $OUTPUT |
| if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
| printf "\nChecking disk ownership and permissions.\n" |
echo "\nChecking disk ownership and permissions." |
| cat $OUTPUT |
cat $OUTPUT |
| printf "\n" |
echo "" |
| fi |
fi |
| |
|
| # Display any changes in the device file list. |
# Display any changes in the device file list. |
|
|
| > $TMP2 |
> $TMP2 |
| join -111 -211 -v2 $CUR $TMP1 > $OUTPUT |
join -111 -211 -v2 $CUR $TMP1 > $OUTPUT |
| if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
| printf "Device additions:\n" |
echo "Device additions:" |
| tee -a $TMP2 < $OUTPUT |
tee -a $TMP2 < $OUTPUT |
| printf "\n" |
echo "" |
| fi |
fi |
| |
|
| join -111 -211 -v1 $CUR $TMP1 > $OUTPUT |
join -111 -211 -v1 $CUR $TMP1 > $OUTPUT |
| if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
| printf "Device deletions:\n" |
echo "Device deletions:" |
| tee -a $TMP2 < $OUTPUT |
tee -a $TMP2 < $OUTPUT |
| printf "\n" |
echo "" |
| fi |
fi |
| |
|
| # Report any block device change. Ignore character |
# Report any block device change. Ignore character |
|
|
| sed -e 's/[ ][ ]*/ /g' | \ |
sed -e 's/[ ][ ]*/ /g' | \ |
| uniq -u > $OUTPUT |
uniq -u > $OUTPUT |
| if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
| printf "Block device changes:\n" |
echo "Block device changes:" |
| column -t $OUTPUT |
column -t $OUTPUT |
| printf "\n" |
echo "" |
| fi |
fi |
| |
|
| cp $CUR $BACK |
cp $CUR $BACK |
| cp $TMP1 $CUR |
cp $TMP1 $CUR |
| fi |
fi |
| else |
else |
| printf "Device additions:\n" |
echo "Device additions:" |
| column -t $TMP1 |
column -t $TMP1 |
| printf "\n" |
echo "" |
| cp $TMP1 $CUR |
cp $TMP1 $CUR |
| fi |
fi |
| fi |
fi |
|
|
| cd /etc/mtree |
cd /etc/mtree |
| mtree -e -p / -f /etc/mtree/special > $OUTPUT |
mtree -e -p / -f /etc/mtree/special > $OUTPUT |
| if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
| printf "\nChecking special files and directories.\n" |
echo "\nChecking special files and directories." |
| printf "Output format is:\n\tfilename:\n" |
echo "Output format is:\n\tfilename:" |
| printf "\t\tcriteria (shouldbe, reallyis)\n" |
echo "\t\tcriteria (shouldbe, reallyis)" |
| cat $OUTPUT |
cat $OUTPUT |
| fi |
fi |
| |
|
|
|
| tree=`sed -n -e '3s/.* //p' -e 3q $file` |
tree=`sed -n -e '3s/.* //p' -e 3q $file` |
| mtree -f $file -p $tree > $TMP1 |
mtree -f $file -p $tree > $TMP1 |
| if [ -s $TMP1 ] ; then |
if [ -s $TMP1 ] ; then |
| printf "\nChecking %s:\n" "$tree" >> $OUTPUT |
echo "\nChecking ${tree}:" >> $OUTPUT |
| cat $TMP1 >> $OUTPUT |
cat $TMP1 >> $OUTPUT |
| fi |
fi |
| done |
done |
| if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
| printf "\nChecking system binaries:\n" |
echo "\nChecking system binaries:" |
| cat $OUTPUT |
cat $OUTPUT |
| fi |
fi |
| else |
else |
|
|
| if [ -s $CUR ] ; then |
if [ -s $CUR ] ; then |
| diff $CUR $file > $OUTPUT |
diff $CUR $file > $OUTPUT |
| if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
| printf "\n======\n%s diffs (OLD < > NEW)\n======\n" $file |
echo "\n======\n${file} diffs (OLD < > NEW)\n======" |
| cat $OUTPUT |
cat $OUTPUT |
| cp -p $CUR $BACK |
cp -p $CUR $BACK |
| cp -p $file $CUR |
cp -p $file $CUR |
![[BACK]](/icons/back.gif){kind=icon}
Return to security CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / etc