Annotation of src/etc/security, Revision 1.56
1.1 deraadt 1: #!/bin/sh -
2: #
1.56 ! millert 3: # $OpenBSD: security,v 1.55 2002/12/30 13:59:54 millert Exp $
1.13 millert 4: # from: @(#)security 8.1 (Berkeley) 6/9/93
1.1 deraadt 5: #
1.13 millert 6:
1.55 millert 7: PATH=/bin:/usr/bin:/sbin:/usr/sbin
1.1 deraadt 8:
9: umask 077
10:
1.50 pvalchev 11: DIR=`mktemp -d /tmp/_secure.XXXXXX` || exit 1
1.7 deraadt 12: ERR=$DIR/_secure1
13: TMP1=$DIR/_secure2
14: TMP2=$DIR/_secure3
15: TMP3=$DIR/_secure4
16: LIST=$DIR/_secure5
17: OUTPUT=$DIR/_secure6
1.8 deraadt 18:
1.25 deraadt 19: trap 'rm -rf $DIR; exit 1' 0 1 2 3 13 15
1.1 deraadt 20:
21: # Check the master password file syntax.
22: MP=/etc/master.passwd
23: awk -F: '{
24: if ($0 ~ /^[ ]*$/) {
25: printf("Line %d is a blank line.\n", NR);
26: next;
27: }
28: if (NF != 10)
1.32 espie 29: printf("Line %d has the wrong number of fields:\n%s\n", NR, $0);
1.15 millert 30: if ($1 ~ /^[+-]/)
1.2 deraadt 31: next;
32: if ($1 == "")
1.32 espie 33: printf("Line %d has an empty login field:\n%s\n", NR, $0);
1.52 jcs 34: else if ($1 !~ /^[A-Za-z0-9_][A-Za-z0-9_-]*$/)
1.1 deraadt 35: printf("Login %s has non-alphanumeric characters.\n", $1);
1.48 brad 36: if (length($1) > 31)
37: printf("Login %s has more than 31 characters.\n", $1);
1.1 deraadt 38: if ($2 == "")
39: printf("Login %s has no password.\n", $1);
1.23 deraadt 40: if ($2 != "" && length($2) != 13 && ($10 ~ /.*sh$/ || $10 == "") &&
41: ($2 !~ /^\$[0-9a-f]+\$/) && ($2 != "skey")) {
1.51 millert 42: if (system("test -s /etc/skey/"$1"") == 0)
43: printf("Login %s is off but still has a valid shell and an entry in /etc/skey.\n", $1);
1.23 deraadt 44: if (system("test -d "$9" -a ! -r "$9"") == 0)
1.40 hugh 45: printf("Login %s is off but still has valid shell and home directory is unreadable\n\t by root; cannot check for existence of alternate access files.\n", $1);
1.23 deraadt 46: else if (system("for file in .ssh .rhosts .shosts .klogin; do if test -e "$9"/$file; then if ((ls -ld "$9"/$file | cut -b 2-10 | grep -q r) && (test ! -O "$9"/$file)) ; then exit 1; fi; fi; done"))
47: printf("Login %s is off but still has a valid shell and alternate access files in\n\t home directory are still readable.\n",$1);
48: }
1.9 deraadt 49: if ($3 == 0 && $1 != "root")
1.36 aaron 50: printf("Login %s has a user ID of 0.\n", $1);
1.1 deraadt 51: if ($3 < 0)
1.36 aaron 52: printf("Login %s has a negative user ID.\n", $1);
1.1 deraadt 53: if ($4 < 0)
1.36 aaron 54: printf("Login %s has a negative group ID.\n", $1);
1.53 pvalchev 55: if ($7 != 0 && system("test "$7" -lt `date +%s`") == 0)
56: printf("Login %s has expired.\n", $1);
1.1 deraadt 57: }' < $MP > $OUTPUT
58: if [ -s $OUTPUT ] ; then
1.41 millert 59: echo "\nChecking the ${MP} file:"
1.1 deraadt 60: cat $OUTPUT
61: fi
62:
63: awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT
64: if [ -s $OUTPUT ] ; then
1.41 millert 65: echo "\n${MP} has duplicate user names."
1.1 deraadt 66: column $OUTPUT
67: fi
68:
1.47 millert 69: awk -F: '/^[^\+]/ { print $1 " " $3 }' $MP | sort -n +1 | tee $TMP1 |
1.1 deraadt 70: uniq -d -f 1 | awk '{ print $2 }' > $TMP2
71: if [ -s $TMP2 ] ; then
1.41 millert 72: echo "\n${MP} has duplicate user ID's."
1.1 deraadt 73: while read uid; do
74: grep -w $uid $TMP1
75: done < $TMP2 | column
76: fi
77:
78: # Backup the master password file; a special case, the normal backup
79: # mechanisms also print out file differences and we don't want to do
80: # that because this file has encrypted passwords in it.
1.2 deraadt 81: if [ ! -d /var/backups ] ; then
82: mkdir /var/backups
1.31 deraadt 83: chmod 700 /var/backups
1.2 deraadt 84: fi
1.1 deraadt 85: CUR=/var/backups/`basename $MP`.current
86: BACK=/var/backups/`basename $MP`.backup
87: if [ -s $CUR ] ; then
88: if cmp -s $CUR $MP; then
89: :
90: else
91: cp -p $CUR $BACK
92: cp -p $MP $CUR
1.56 ! millert 93: chown root:wheel $CUR
1.1 deraadt 94: fi
95: else
96: cp -p $MP $CUR
1.56 ! millert 97: chown root:wheel $CUR
1.1 deraadt 98: fi
99:
100: # Check the group file syntax.
101: GRP=/etc/group
102: awk -F: '{
103: if ($0 ~ /^[ ]*$/) {
104: printf("Line %d is a blank line.\n", NR);
105: next;
106: }
1.2 deraadt 107: if ($1 ~ /^[+-].*$/)
108: next;
1.1 deraadt 109: if (NF != 4)
1.32 espie 110: printf("Line %d has the wrong number of fields:\n%s\n", NR, $0);
1.13 millert 111: if ($1 !~ /^[A-za-z0-9][A-za-z0-9_-]*$/)
1.1 deraadt 112: printf("Group %s has non-alphanumeric characters.\n", $1);
1.48 brad 113: if (length($1) > 31)
114: printf("Group %s has more than 31 characters.\n", $1);
1.1 deraadt 115: if ($3 !~ /[0-9]*/)
1.36 aaron 116: printf("Login %s has a negative group ID.\n", $1);
1.1 deraadt 117: }' < $GRP > $OUTPUT
118: if [ -s $OUTPUT ] ; then
1.41 millert 119: echo "\nChecking the ${GRP} file:"
1.1 deraadt 120: cat $OUTPUT
121: fi
122:
123: awk -F: '{ print $1 }' $GRP | sort | uniq -d > $OUTPUT
124: if [ -s $OUTPUT ] ; then
1.41 millert 125: echo "\n${GRP} has duplicate group names."
1.1 deraadt 126: column $OUTPUT
127: fi
128:
129: # Check for root paths, umask values in startup files.
130: # The check for the root paths is problematical -- it's likely to fail
131: # in other environments. Once the shells have been modified to warn
132: # of '.' in the path, the path tests should go away.
133: > $OUTPUT
134: rhome=/root
135: umaskset=no
136: list="/etc/csh.cshrc /etc/csh.login ${rhome}/.cshrc ${rhome}/.login"
137: for i in $list ; do
1.15 millert 138: if [ -s $i ] ; then
1.1 deraadt 139: if egrep umask $i > /dev/null ; then
140: umaskset=yes
141: fi
142: egrep umask $i |
143: awk '$2 % 100 < 20 \
1.54 henning 144: { print "Root umask is group writable" }
1.1 deraadt 145: $2 % 10 < 2 \
1.54 henning 146: { print "Root umask is other writable" }' >> $OUTPUT
1.21 deraadt 147: SAVE_PATH=$PATH
148: unset PATH
1.1 deraadt 149: /bin/csh -f -s << end-of-csh > /dev/null 2>&1
150: source $i
1.29 marc 151: if (\$?path) then
152: /bin/ls -ldgT \$path > $TMP1
153: else
154: cat /dev/null > $TMP1
155: endif
1.1 deraadt 156: end-of-csh
1.21 deraadt 157: PATH=$SAVE_PATH
1.1 deraadt 158: awk '{
159: if ($10 ~ /^\.$/) {
160: print "The root path includes .";
161: next;
162: }
163: }
164: $1 ~ /^d....w/ \
1.54 henning 165: { print "Root path directory " $10 " is group writable." } \
1.1 deraadt 166: $1 ~ /^d.......w/ \
1.54 henning 167: { print "Root path directory " $10 " is other writable." }' \
1.1 deraadt 168: < $TMP1 >> $OUTPUT
169: fi
170: done
171: if [ $umaskset = "no" -o -s $OUTPUT ] ; then
1.41 millert 172: echo "\nChecking root csh paths, umask values:\n${list}"
1.13 millert 173: if [ -s $OUTPUT ] ; then
1.1 deraadt 174: cat $OUTPUT
175: fi
176: if [ $umaskset = "no" ] ; then
1.41 millert 177: echo "\nRoot csh startup files do not set the umask."
1.1 deraadt 178: fi
179: fi
180:
181: > $OUTPUT
1.29 marc 182: > $TMP2
1.1 deraadt 183: rhome=/root
184: umaskset=no
1.20 millert 185: list="/etc/profile ${rhome}/.profile"
1.1 deraadt 186: for i in $list; do
1.15 millert 187: if [ -s $i ] ; then
1.1 deraadt 188: if egrep umask $i > /dev/null ; then
189: umaskset=yes
190: fi
191: egrep umask $i |
192: awk '$2 % 100 < 20 \
1.54 henning 193: { print "Root umask is group writable" } \
1.1 deraadt 194: $2 % 10 < 2 \
1.54 henning 195: { print "Root umask is other writable" }' >> $OUTPUT
1.21 deraadt 196: SAVE_PATH=$PATH
1.29 marc 197: SAVE_ENV=$ENV
198: unset PATH ENV
1.1 deraadt 199: /bin/sh << end-of-sh > /dev/null 2>&1
200: . $i
1.29 marc 201: if [ X"\$PATH" != "X" ]; then
202: list=\`echo \$PATH | /usr/bin/sed -e 's/:/ /g'\`
203: /bin/ls -ldgT \$list > $TMP1
204: else
205: > $TMP1
206: fi
207: echo \$ENV >> $TMP2
1.1 deraadt 208: end-of-sh
1.21 deraadt 209: PATH=$SAVE_PATH
1.29 marc 210: ENV=$SAVE_ENV
1.1 deraadt 211: awk '{
212: if ($10 ~ /^\.$/) {
213: print "The root path includes .";
214: next;
215: }
216: }
217: $1 ~ /^d....w/ \
1.54 henning 218: { print "Root path directory " $10 " is group writable." } \
1.1 deraadt 219: $1 ~ /^d.......w/ \
1.54 henning 220: { print "Root path directory " $10 " is other writable." }' \
1.1 deraadt 221: < $TMP1 >> $OUTPUT
222:
223: fi
224: done
225: if [ $umaskset = "no" -o -s $OUTPUT ] ; then
1.41 millert 226: echo "\nChecking root sh paths, umask values:\n${list}"
1.13 millert 227: if [ -s $OUTPUT ] ; then
1.1 deraadt 228: cat $OUTPUT
229: fi
230: if [ $umaskset = "no" ] ; then
1.41 millert 231: echo "\nRoot sh startup files do not set the umask."
1.1 deraadt 232: fi
233: fi
234:
1.27 marc 235: # A good .kshrc will not have a umask or path, that being set in .profile
236: # check anyway.
237: > $OUTPUT
238: rhome=/root
1.29 marc 239: list="/etc/ksh.kshrc `cat $TMP2`"
240: (cd $rhome
241: for i in $list; do
1.27 marc 242: if [ -s $i ] ; then
243: egrep umask $i |
244: awk '$2 % 100 < 20 \
1.54 henning 245: { print "Root umask is group writable" } \
1.27 marc 246: $2 % 10 < 2 \
1.54 henning 247: { print "Root umask is other writable" }' >> $OUTPUT
1.27 marc 248: if egrep PATH= $i > /dev/null ; then
249: SAVE_PATH=$PATH
250: unset PATH
251: /bin/ksh << end-of-sh > /dev/null 2>&1
252: . $i
1.29 marc 253: if [ X"\$PATH" != "X" ]; then
254: list=\`echo \$PATH | /usr/bin/sed -e 's/:/ /g'\`
255: /bin/ls -ldgT \$list > $TMP1
256: else
257: > $TMP1
258: fi
1.27 marc 259: end-of-sh
260: PATH=$SAVE_PATH
261: awk '{
262: if ($10 ~ /^\.$/) {
263: print "The root path includes .";
264: next;
265: }
266: }
267: $1 ~ /^d....w/ \
1.54 henning 268: { print "Root path directory " $10 " is group writable." } \
1.27 marc 269: $1 ~ /^d.......w/ \
1.54 henning 270: { print "Root path directory " $10 " is other writable." }' \
1.27 marc 271: < $TMP1 >> $OUTPUT
272: fi
273:
274: fi
1.29 marc 275: done
276: )
1.27 marc 277: if [ -s $OUTPUT ] ; then
1.41 millert 278: echo "\nChecking root ksh paths, umask values:\n${list}"
1.27 marc 279: cat $OUTPUT
280: fi
281:
1.1 deraadt 282: # Root and uucp should both be in /etc/ftpusers.
283: if egrep root /etc/ftpusers > /dev/null ; then
284: :
285: else
1.41 millert 286: echo "\nRoot not listed in /etc/ftpusers file."
1.1 deraadt 287: fi
288: if egrep uucp /etc/ftpusers > /dev/null ; then
289: :
290: else
1.41 millert 291: echo "\nUucp not listed in /etc/ftpusers file."
1.1 deraadt 292: fi
293:
1.35 millert 294: # Uudecode should not be in the /etc/mail/aliases file.
295: if egrep 'uudecode|decode' /etc/mail/aliases; then
1.41 millert 296: echo "\nThere is an entry for uudecode in the /etc/mail/aliases file."
1.1 deraadt 297: fi
298:
299: # Files that should not have + signs.
1.2 deraadt 300: list="/etc/hosts.equiv /etc/shosts.equiv /etc/hosts.lpd"
1.1 deraadt 301: for f in $list ; do
1.6 millert 302: if [ -s $f ] ; then
1.2 deraadt 303: awk '{
1.13 millert 304: if ($0 ~ /^\+@.*$/)
1.2 deraadt 305: next;
1.13 millert 306: if ($0 ~ /^\+.*$/)
1.2 deraadt 307: printf("\nPlus sign in %s file.\n", FILENAME);
308: }' $f
1.1 deraadt 309: fi
310: done
311:
1.13 millert 312: # Check for special users with .rhosts/.shosts files. Only root
313: # should have .rhosts/.shosts files. Also, .rhosts/.shosts
314: # files should not have plus signs.
1.14 millert 315: awk -F: '$1 != "root" && $1 !~ /^[+-]/ && \
1.1 deraadt 316: ($3 < 100 || $1 == "ftp" || $1 == "uucp") \
317: { print $1 " " $6 }' /etc/passwd |
318: while read uid homedir; do
1.2 deraadt 319: for j in .rhosts .shosts; do
1.14 millert 320: # Root owned .rhosts/.shosts files are ok.
1.15 millert 321: if [ -s ${homedir}/$j -a ! -O ${homedir}/$j ] ; then
1.2 deraadt 322: rhost=`ls -ldgT ${homedir}/$j`
1.41 millert 323: echo "${uid}: ${rhost}"
1.2 deraadt 324: fi
325: done
1.1 deraadt 326: done > $OUTPUT
327: if [ -s $OUTPUT ] ; then
1.41 millert 328: echo "\nChecking for special users with .rhosts/.shosts files."
1.1 deraadt 329: cat $OUTPUT
330: fi
331:
1.14 millert 332: awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \
1.1 deraadt 333: while read uid homedir; do
1.2 deraadt 334: for j in .rhosts .shosts; do
1.13 millert 335: if [ -s ${homedir}/$j ] ; then
1.2 deraadt 336: awk '{
337: if ($0 ~ /^+@.*$/ )
338: next;
1.4 deraadt 339: if ($0 ~ /^\+[ ]*$/ )
1.2 deraadt 340: printf("%s has + sign in it.\n",
1.13 millert 341: FILENAME);
1.2 deraadt 342: }' ${homedir}/$j
343: fi
344: done
1.1 deraadt 345: done > $OUTPUT
346: if [ -s $OUTPUT ] ; then
1.41 millert 347: echo "\nChecking .rhosts/.shosts files syntax."
1.1 deraadt 348: cat $OUTPUT
349: fi
350:
351: # Check home directories. Directories should not be owned by someone else
352: # or writeable.
1.14 millert 353: awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \
1.1 deraadt 354: while read uid homedir; do
355: if [ -d ${homedir}/ ] ; then
356: file=`ls -ldgT ${homedir}`
1.41 millert 357: echo "${uid} ${file}"
1.1 deraadt 358: fi
359: done |
360: awk '$1 != $4 && $4 != "root" \
361: { print "user " $1 " home directory is owned by " $4 }
362: $2 ~ /^-....w/ \
1.54 henning 363: { print "user " $1 " home directory is group writable" }
1.1 deraadt 364: $2 ~ /^-.......w/ \
1.54 henning 365: { print "user " $1 " home directory is other writable" }' > $OUTPUT
1.1 deraadt 366: if [ -s $OUTPUT ] ; then
1.41 millert 367: echo "\nChecking home directories."
1.1 deraadt 368: cat $OUTPUT
369: fi
370:
371: # Files that should not be owned by someone else or readable.
1.43 todd 372: list=".netrc .rhosts .gnupg/secring.gpg .gnupg/random_seed \
1.45 millert 373: .pgp/secring.pgp .shosts .ssh/identity .ssh/id_dsa .ssh/id_rsa"
1.14 millert 374: awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \
1.1 deraadt 375: while read uid homedir; do
376: for f in $list ; do
377: file=${homedir}/${f}
378: if [ -f $file ] ; then
1.41 millert 379: echo "${uid} ${f} `ls -ldgT ${file}`"
1.1 deraadt 380: fi
381: done
382: done |
383: awk '$1 != $5 && $5 != "root" \
384: { print "user " $1 " " $2 " file is owned by " $5 }
1.13 millert 385: $3 ~ /^-...r/ \
386: { print "user " $1 " " $2 " file is group readable" }
1.1 deraadt 387: $3 ~ /^-......r/ \
388: { print "user " $1 " " $2 " file is other readable" }
389: $3 ~ /^-....w/ \
1.54 henning 390: { print "user " $1 " " $2 " file is group writable" }
1.1 deraadt 391: $3 ~ /^-.......w/ \
1.54 henning 392: { print "user " $1 " " $2 " file is other writable" }' > $OUTPUT
1.1 deraadt 393:
394: # Files that should not be owned by someone else or writeable.
1.28 todd 395: list=".bashrc .bash_profile .bash_login .bash_logout .cshrc \
396: .emacs .exrc .forward .fvwmrc .inputrc .klogin .kshrc .login \
397: .logout .nexrc .profile .screenrc .ssh .ssh/config \
1.45 millert 398: .ssh/authorized_keys .ssh/authorized_keys2 .ssh/environment \
399: .ssh/known_hosts .ssh/rc .tcshrc .twmrc .xsession .xinitrc \
400: .Xdefaults .Xauthority"
1.14 millert 401: awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \
1.1 deraadt 402: while read uid homedir; do
403: for f in $list ; do
404: file=${homedir}/${f}
405: if [ -f $file ] ; then
1.41 millert 406: echo "${uid} ${f} `ls -ldgT ${file}`"
1.1 deraadt 407: fi
408: done
409: done |
410: awk '$1 != $5 && $5 != "root" \
411: { print "user " $1 " " $2 " file is owned by " $5 }
412: $3 ~ /^-....w/ \
1.54 henning 413: { print "user " $1 " " $2 " file is group writable" }
1.1 deraadt 414: $3 ~ /^-.......w/ \
1.54 henning 415: { print "user " $1 " " $2 " file is other writable" }' >> $OUTPUT
1.1 deraadt 416: if [ -s $OUTPUT ] ; then
1.41 millert 417: echo "\nChecking dot files."
1.1 deraadt 418: cat $OUTPUT
419: fi
420:
421: # Mailboxes should be owned by user and unreadable.
422: ls -l /var/mail | sed 1d | \
423: awk '$3 != $9 \
424: { print "user " $9 " mailbox is owned by " $3 }
425: $1 != "-rw-------" \
426: { print "user " $9 " mailbox is " $1 ", group " $4 }' > $OUTPUT
427: if [ -s $OUTPUT ] ; then
1.41 millert 428: echo "\nChecking mailbox ownership."
1.1 deraadt 429: cat $OUTPUT
430: fi
431:
1.13 millert 432: # File systems should not be globally exported.
433: if [ -s /etc/exports ] ; then
434: awk '{
1.19 flipk 435: if (($1 ~ /^#/) || ($1 ~ /^$/))
1.1 deraadt 436: next;
1.13 millert 437: readonly = 0;
438: for (i = 2; i <= NF; ++i) {
1.19 flipk 439: if ($i ~ /^-ro$/)
1.13 millert 440: readonly = 1;
441: else if ($i !~ /^-/)
442: next;
443: }
444: if (readonly)
445: print "File system " $1 " globally exported, read-only."
446: else
447: print "File system " $1 " globally exported, read-write."
448: }' < /etc/exports > $OUTPUT
449: if [ -s $OUTPUT ] ; then
1.41 millert 450: echo "\nChecking for globally exported file systems."
1.13 millert 451: cat $OUTPUT
452: fi
1.1 deraadt 453: fi
454:
1.5 deraadt 455: # Display any changes in setuid/setgid files and devices.
456: pending="\nChecking setuid/setgid files and devices:\n"
1.1 deraadt 457: (find / \( ! -fstype local -o -fstype fdesc -o -fstype kernfs \
1.13 millert 458: -o -fstype procfs \) -a -prune -o \
459: -type f -a \( -perm -u+s -o -perm -g+s \) -print0 -o \
1.30 millert 460: ! -type d -a ! -type f -a ! -type l -a ! -type s -a ! -type p \
461: -print0 | xargs -0 ls -ldgT | sort +9 > $LIST) 2> $OUTPUT
1.1 deraadt 462:
463: # Display any errors that occurred during system file walk.
464: if [ -s $OUTPUT ] ; then
1.41 millert 465: echo "${pending}Setuid/device find errors:"
1.2 deraadt 466: pending=
1.1 deraadt 467: cat $OUTPUT
1.41 millert 468: echo ""
1.1 deraadt 469: fi
470:
1.12 millert 471: # Display any changes in the setuid/setgid file list.
1.13 millert 472: egrep -v '^[bc]' $LIST > $TMP1
1.1 deraadt 473: if [ -s $TMP1 ] ; then
474: # Check to make sure uudecode isn't setuid.
475: if grep -w uudecode $TMP1 > /dev/null ; then
1.41 millert 476: echo "${pending}\nUudecode is setuid."
1.2 deraadt 477: pending=
1.1 deraadt 478: fi
479:
480: CUR=/var/backups/setuid.current
481: BACK=/var/backups/setuid.backup
482:
483: if [ -s $CUR ] ; then
484: if cmp -s $CUR $TMP1 ; then
485: :
486: else
487: > $TMP2
1.13 millert 488: join -110 -210 -v2 $CUR $TMP1 > $OUTPUT
1.1 deraadt 489: if [ -s $OUTPUT ] ; then
1.41 millert 490: echo "${pending}Setuid additions:"
1.2 deraadt 491: pending=
1.1 deraadt 492: tee -a $TMP2 < $OUTPUT
1.41 millert 493: echo ""
1.1 deraadt 494: fi
495:
1.13 millert 496: join -110 -210 -v1 $CUR $TMP1 > $OUTPUT
1.1 deraadt 497: if [ -s $OUTPUT ] ; then
1.41 millert 498: echo "${pending}Setuid deletions:"
1.2 deraadt 499: pending=
1.1 deraadt 500: tee -a $TMP2 < $OUTPUT
1.41 millert 501: echo ""
1.1 deraadt 502: fi
503:
1.13 millert 504: sort +9 $TMP2 $CUR $TMP1 | \
1.1 deraadt 505: sed -e 's/[ ][ ]*/ /g' | uniq -u > $OUTPUT
506: if [ -s $OUTPUT ] ; then
1.41 millert 507: echo "${pending}Setuid changes:"
1.2 deraadt 508: pending=
1.1 deraadt 509: column -t $OUTPUT
1.41 millert 510: echo ""
1.1 deraadt 511: fi
512:
513: cp $CUR $BACK
514: cp $TMP1 $CUR
515: fi
516: else
1.41 millert 517: echo "${pending}Setuid additions:"
1.2 deraadt 518: pending=
1.1 deraadt 519: column -t $TMP1
1.41 millert 520: echo ""
1.1 deraadt 521: cp $TMP1 $CUR
522: fi
523: fi
524:
525: # Check for block and character disk devices that are readable or writeable
526: # or not owned by root.operator.
527: >$TMP1
1.13 millert 528: DISKLIST="ccd dk fd hd hk hp jb kra ra rb rd rl rx rz sd up vnd wd xd"
1.1 deraadt 529: for i in $DISKLIST; do
1.33 millert 530: egrep "^b.*/${i}[0-9][0-9]*[B-H]?[a-p]$" $LIST >> $TMP1
531: egrep "^c.*/r${i}[0-9][0-9]*[B-H]?[a-p]$" $LIST >> $TMP1
1.1 deraadt 532: done
533:
534: awk '$3 != "root" || $4 != "operator" || $1 !~ /.rw-r-----/ \
535: { printf("Disk %s is user %s, group %s, permissions %s.\n", \
536: $11, $3, $4, $1); }' < $TMP1 > $OUTPUT
537: if [ -s $OUTPUT ] ; then
1.41 millert 538: echo "\nChecking disk ownership and permissions."
1.1 deraadt 539: cat $OUTPUT
1.41 millert 540: echo ""
1.1 deraadt 541: fi
542:
543: # Display any changes in the device file list.
544: egrep '^[bc]' $LIST | sort +10 > $TMP1
545: if [ -s $TMP1 ] ; then
546: CUR=/var/backups/device.current
547: BACK=/var/backups/device.backup
548:
549: if [ -s $CUR ] ; then
550: if cmp -s $CUR $TMP1 ; then
551: :
552: else
553: > $TMP2
554: join -111 -211 -v2 $CUR $TMP1 > $OUTPUT
555: if [ -s $OUTPUT ] ; then
1.41 millert 556: echo "Device additions:"
1.1 deraadt 557: tee -a $TMP2 < $OUTPUT
1.41 millert 558: echo ""
1.1 deraadt 559: fi
560:
561: join -111 -211 -v1 $CUR $TMP1 > $OUTPUT
562: if [ -s $OUTPUT ] ; then
1.41 millert 563: echo "Device deletions:"
1.1 deraadt 564: tee -a $TMP2 < $OUTPUT
1.41 millert 565: echo ""
1.1 deraadt 566: fi
567:
568: # Report any block device change. Ignore character
569: # devices, only the name is significant.
570: cat $TMP2 $CUR $TMP1 | \
571: sed -e '/^c/d' | \
572: sort +10 | \
573: sed -e 's/[ ][ ]*/ /g' | \
574: uniq -u > $OUTPUT
575: if [ -s $OUTPUT ] ; then
1.41 millert 576: echo "Block device changes:"
1.1 deraadt 577: column -t $OUTPUT
1.41 millert 578: echo ""
1.1 deraadt 579: fi
580:
581: cp $CUR $BACK
582: cp $TMP1 $CUR
583: fi
584: else
1.41 millert 585: echo "Device additions:"
1.1 deraadt 586: column -t $TMP1
1.41 millert 587: echo ""
1.1 deraadt 588: cp $TMP1 $CUR
589: fi
590: fi
591:
592: # Check special files.
593: # Check system binaries.
594: #
595: # Create the mtree tree specifications using:
596: #
597: # mtree -cx -pDIR -kcksum,gid,mode,nlink,size,link,time,uid > DIR.secure
1.56 ! millert 598: # chown root:wheel DIR.secure
1.2 deraadt 599: # chmod 600 DIR.secure
1.1 deraadt 600: #
601: # Note, this is not complete protection against Trojan horsed binaries, as
602: # the hacker can modify the tree specification to match the replaced binary.
603: # For details on really protecting yourself against modified binaries, see
604: # the mtree(8) manual page.
1.13 millert 605: if [ -d /etc/mtree ] ; then
1.2 deraadt 606: cd /etc/mtree
1.49 jakob 607: mtree -e -l -p / -f /etc/mtree/special > $OUTPUT
1.1 deraadt 608: if [ -s $OUTPUT ] ; then
1.41 millert 609: echo "\nChecking special files and directories."
610: echo "Output format is:\n\tfilename:"
611: echo "\t\tcriteria (shouldbe, reallyis)"
1.1 deraadt 612: cat $OUTPUT
613: fi
614:
615: > $OUTPUT
616: for file in *.secure; do
1.2 deraadt 617: [ $file = '*.secure' ] && continue
1.1 deraadt 618: tree=`sed -n -e '3s/.* //p' -e 3q $file`
619: mtree -f $file -p $tree > $TMP1
1.13 millert 620: if [ -s $TMP1 ] ; then
1.41 millert 621: echo "\nChecking ${tree}:" >> $OUTPUT
1.1 deraadt 622: cat $TMP1 >> $OUTPUT
623: fi
624: done
625: if [ -s $OUTPUT ] ; then
1.41 millert 626: echo "\nChecking system binaries:"
1.1 deraadt 627: cat $OUTPUT
628: fi
1.2 deraadt 629: else
630: echo /etc/mtree is missing
1.1 deraadt 631: fi
632:
633: # List of files that get backed up and checked for any modifications. Each
634: # file is expected to have two backups, /var/backups/file.{current,backup}.
635: # Any changes cause the files to rotate.
1.37 todd 636: _fnchg() {
637: echo "$1" | sed 's/^\///;s/\//_/g'
638: }
1.1 deraadt 639: if [ -s /etc/changelist ] ; then
1.46 millert 640: for file in `egrep -v "^(#|\+|$MP)" /etc/changelist`; do
1.37 todd 641: CUR=/var/backups/$(_fnchg "$file").current
642: BACK=/var/backups/$(_fnchg "$file").backup
643: if [ -s $file -a ! -d $file ] ; then
1.1 deraadt 644: if [ -s $CUR ] ; then
1.42 marc 645: diff -u $CUR $file > $OUTPUT
1.1 deraadt 646: if [ -s $OUTPUT ] ; then
1.42 marc 647: echo "\n======\n${file} diffs (-OLD +NEW)\n======"
1.1 deraadt 648: cat $OUTPUT
649: cp -p $CUR $BACK
650: cp -p $file $CUR
1.56 ! millert 651: chown root:wheel $CUR $BACK
1.1 deraadt 652: fi
653: else
654: cp -p $file $CUR
1.56 ! millert 655: chown root:wheel $CUR
1.46 millert 656: fi
657: fi
658: done
659: for file in `egrep "^\+" /etc/changelist`; do
660: file="${file#+}"
661: CUR=/var/backups/$(_fnchg "$file").current.md5
662: BACK=/var/backups/$(_fnchg "$file").backup.md5
663: if [ -s $file -a ! -d $file ] ; then
664: MD5_NEW=`md5 $file | sed 's/^.* //'`
665: if [ -s $CUR ] ; then
666: MD5_OLD="`cat $CUR`"
667: if [ "$MD5_NEW" != "$MD5_OLD" ]; then
668: echo "\n======\n${file} MD5 checksums\n======"
669: echo "OLD: $MD5_OLD"
670: echo "NEW: $MD5_NEW"
671: cp -p $CUR $BACK
672: echo $MD5_NEW > $CUR
1.56 ! millert 673: chown root:wheel $CUR $BACK
1.46 millert 674: chmod 600 $CUR
675: fi
676: else
677: echo $MD5_NEW > $CUR
1.56 ! millert 678: chown root:wheel $CUR
1.46 millert 679: chmod 600 $CUR
1.1 deraadt 680: fi
681: fi
682: done
683: fi