security revision 1.127
11.1Scgd#!/bin/sh - 21.1Scgd# 31.127Swiz# $NetBSD: security,v 1.127 2020/12/02 14:18:13 wiz Exp $ 41.9Scgd# from: @(#)security 8.1 (Berkeley) 6/9/93 51.1Scgd# 61.1Scgd 71.9ScgdPATH=/sbin:/usr/sbin:/bin:/usr/bin 81.1Scgd 91.89Sjmmvrcvar_manpage='security.conf(5)' 101.89Sjmmv 111.31Slukemif [ -f /etc/rc.subr ]; then 121.31Slukem . /etc/rc.subr 131.31Slukemelse 141.31Slukem echo "Can't read /etc/rc.subr; aborting." 151.31Slukem exit 1; 161.31Slukemfi 171.31Slukem 181.9Scgdumask 077 191.64ScjsTZ=UTC; export TZ 201.1Scgd 211.15Smrgif [ -s /etc/security.conf ]; then 221.15Smrg . /etc/security.conf 231.15Smrgfi 241.112Sagcif [ -s /etc/pkgpath.conf ]; then 251.112Sagc . /etc/pkgpath.conf 261.112Sagcfi 271.15Smrg 281.67Slukem# Set reasonable defaults (if they're not set in security.conf) 291.67Slukem# 301.67Slukembackup_dir=${backup_dir:-/var/backups} 311.67Slukemmax_loginlen=${max_loginlen:-8} 321.67Slukemmax_grouplen=${max_grouplen:-8} 331.113Sprlw1pkg_admin=${pkg_admin:-/usr/sbin/pkg_admin} 341.104Sadrianppkg_info=${pkg_info:-/usr/sbin/pkg_info} 351.67Slukem 361.67Slukem# Other configurable variables 371.67Slukem# 381.67Slukemspecial_files="/etc/mtree/special /etc/mtree/special.local" 391.67SlukemMP=/etc/master.passwd 401.67SlukemCHANGELIST="" 411.67Slukemwork_dir=$backup_dir/work 421.67Slukem 431.67Slukemif [ ! -d "$work_dir" ]; then 441.67Slukem mkdir -p "$work_dir" 451.67Slukemfi 461.67Slukem 471.102SmarttiSECUREDIR=$(mktemp -d -t _securedir) || exit 1 481.56Slukem 491.67Slukemtrap "/bin/rm -rf $SECUREDIR ; exit 0" EXIT INT QUIT PIPE 501.15Smrg 511.56Slukemif ! cd "$SECUREDIR"; then 521.56Slukem echo "Can not cd to $SECUREDIR". 531.15Smrg exit 1 541.15Smrgfi 551.15Smrg 561.91SlukemERR=err.$$ 571.91SlukemTMP1=tmp1.$$ 581.91SlukemTMP2=tmp2.$$ 591.91SlukemMPBYUID=mpbyuid.$$ 601.91SlukemMPBYPATH=mpbypath.$$ 611.91SlukemLIST=list.$$ 621.91SlukemOUTPUT=output.$$ 631.91SlukemLABELS=labels.$$ 641.106ShaadLVM_LABELS=lvm.$$ 651.91SlukemPKGS=pkgs.$$ 661.91SlukemCHANGEFILES=changefiles.$$ 671.91SlukemSPECIALSPEC=specialspec.$$ 681.67Slukem 691.108Sjmmvif [ -n "${pkgdb_dir}" ]; then 701.118Suebayasi echo "WARNING: Setting pkgdb_dir in security.conf(5) is deprecated" 711.118Suebayasi echo "WARNING: Please define PKG_DBDIR in pkg_install.conf(5) instead" 721.118Suebayasi _compat_K_flag="-K ${pkgdb_dir}" 731.108Sjmmvfi 741.108Sjmmv 751.108Sjmmvhave_pkgs() { 761.108Sjmmv $pkg_info ${_compat_K_flag} -q -E '*' 771.108Sjmmv} 781.108Sjmmv 791.67Slukem# migrate_file old new 801.67Slukem# Determine if the "${old}" path name needs to be migrated to the 811.67Slukem# "${new}" path. Also checks if "${old}.current" needs migrating, 821.67Slukem# and if so, migrate it and possibly "${old}.current,v" and 831.67Slukem# "${old}.backup". 841.67Slukem# 851.67Slukemmigrate_file() 861.67Slukem{ 871.67Slukem _old=$1 881.67Slukem _new=$2 891.123Skre if [ -z "$_old" ] || [ -z "$_new" ]; then 901.67Slukem err 3 "USAGE: migrate_file old new" 911.67Slukem fi 921.67Slukem if [ ! -d "${_new%/*}" ]; then 931.67Slukem mkdir -p "${_new%/*}" 941.67Slukem fi 951.123Skre if [ -f "${_old}" ] && ! [ -f "${_new}" ]; then 961.67Slukem echo "==> migrating ${_old}" 971.67Slukem echo " to ${_new}" 981.67Slukem mv "${_old}" "${_new}" 991.67Slukem fi 1001.123Skre if [ -f "${_old}.current" ] && ! [ -f "${_new}.current" ]; then 1011.67Slukem echo "==> migrating ${_old}.current" 1021.67Slukem echo " to ${_new}.current" 1031.67Slukem mv "${_old}.current" "${_new}.current" 1041.123Skre if [ -f "${_old}.current,v" ] && 1051.123Skre ! [ -f "${_new}.current,v" ]; then 1061.67Slukem echo "==> migrating ${_old}.current,v" 1071.67Slukem echo " to ${_new}.current,v" 1081.67Slukem mv "${_old}.current,v" "${_new}.current,v" 1091.67Slukem fi 1101.123Skre if [ -f "${_old}.backup" ] && ! [ -f "${_new}.backup" ]; then 1111.67Slukem echo "==> migrating ${_old}.backup" 1121.67Slukem echo " to ${_new}.backup" 1131.67Slukem mv "${_old}.backup" "${_new}.backup" 1141.67Slukem fi 1151.67Slukem fi 1161.67Slukem} 1171.67Slukem 1181.67Slukem 1191.67Slukem# backup_and_diff file printdiff 1201.67Slukem# Determine if file needs backing up, and if so, do it. 1211.118Suebayasi# If printdiff is yes, display the diffs, otherwise 1221.67Slukem# just print a message saying "[changes omitted]". 1231.67Slukem# 1241.67Slukembackup_and_diff() 1251.67Slukem{ 1261.67Slukem _file=$1 1271.67Slukem _printdiff=$2 1281.123Skre if [ -z "$_file" ] || [ -z "$_printdiff" ]; then 1291.67Slukem err 3 "USAGE: backup_and_diff file printdiff" 1301.67Slukem fi 1311.67Slukem ! checkyesno _printdiff 1321.67Slukem _printdiff=$? 1331.67Slukem 1341.67Slukem _old=$backup_dir/${_file##*/} 1351.67Slukem case "$_file" in 1361.67Slukem $work_dir/*) 1371.67Slukem _new=$_file 1381.67Slukem migrate_file "$backup_dir/$_old" "$_new" 1391.67Slukem migrate_file "$_old" "$_new" 1401.67Slukem ;; 1411.67Slukem *) 1421.67Slukem _new=$backup_dir/$_file 1431.67Slukem migrate_file "$_old" "$_new" 1441.67Slukem ;; 1451.67Slukem esac 1461.67Slukem CUR=${_new}.current 1471.67Slukem BACK=${_new}.backup 1481.67Slukem if [ -f $_file ]; then 1491.67Slukem if [ -f $CUR ] ; then 1501.67Slukem if [ "$_printdiff" -ne 0 ]; then 1511.83Sjhawk diff ${diff_options} $CUR $_file > $OUTPUT 1521.67Slukem else 1531.67Slukem if ! cmp -s $CUR $_file; then 1541.67Slukem echo "[changes omitted]" 1551.67Slukem fi > $OUTPUT 1561.67Slukem fi 1571.67Slukem if [ -s $OUTPUT ] ; then 1581.67Slukem printf \ 1591.67Slukem "\n======\n%s diffs (OLD < > NEW)\n======\n" $_file 1601.67Slukem cat $OUTPUT 1611.67Slukem backup_file update $_file $CUR $BACK 1621.67Slukem fi 1631.67Slukem else 1641.67Slukem printf "\n======\n%s added\n======\n" $_file 1651.67Slukem if [ "$_printdiff" -ne 0 ]; then 1661.83Sjhawk diff ${diff_options} /dev/null $_file 1671.67Slukem else 1681.67Slukem echo "[changes omitted]" 1691.67Slukem fi 1701.67Slukem backup_file add $_file $CUR $BACK 1711.67Slukem fi 1721.67Slukem else 1731.67Slukem if [ -f $CUR ]; then 1741.67Slukem printf "\n======\n%s removed\n======\n" $_file 1751.67Slukem if [ "$_printdiff" -ne 0 ]; then 1761.83Sjhawk diff ${diff_options} $CUR /dev/null 1771.67Slukem else 1781.67Slukem echo "[changes omitted]" 1791.67Slukem fi 1801.67Slukem backup_file remove $_file $CUR $BACK 1811.67Slukem fi 1821.67Slukem fi 1831.67Slukem} 1841.48Sabs 1851.9Scgd 1861.67Slukem# These are used several times. 1871.67Slukem# 1881.91Slukemawk -F: '!/^\+/ { print $1 " " $3 }' $MP | sort -k2n > $MPBYUID 1891.29Slukemawk -F: '{ print $1 " " $9 }' $MP | sort -k2 > $MPBYPATH 1901.91Slukemfor file in $special_files; do 1911.91Slukem [ -s $file ] && cat $file 1921.91Slukemdone | mtree -CM -k all > $SPECIALSPEC || exit 1 1931.9Scgd 1941.67Slukem 1951.9Scgd# Check the master password file syntax. 1961.32Slukem# 1971.31Slukemif checkyesno check_passwd; then 1981.118Suebayasi # XXX: the sense of permit_star is reversed; the code works as 1991.118Suebayasi # implemented, but usage needs to be negated. 2001.81Sjhawk checkyesno check_passwd_permit_star && permit_star=0 || permit_star=1 2011.94Sjdolecek checkyesno check_passwd_permit_nonalpha \ 2021.94Sjdolecek && permit_nonalpha=1 || permit_nonalpha=0 2031.94Sjdolecek 2041.81Sjhawk awk -v "len=$max_loginlen" \ 2051.81Sjhawk -v "nowarn_shells_list=$check_passwd_nowarn_shells" \ 2061.81Sjhawk -v "nowarn_users_list=$check_passwd_nowarn_users" \ 2071.94Sjdolecek -v "permit_star=$permit_star" \ 2081.94Sjdolecek -v "permit_nonalpha=$permit_nonalpha" \ 2091.94Sjdolecek ' 2101.25Slukem BEGIN { 2111.25Slukem while ( getline < "/etc/shells" > 0 ) { 2121.39Shubertf if ($0 ~ /^\#/ || $0 ~ /^$/ ) 2131.25Slukem continue; 2141.25Slukem shells[$1]++; 2151.25Slukem } 2161.81Sjhawk split(nowarn_shells_list, a); 2171.81Sjhawk for (i in a) nowarn_shells[a[i]]++; 2181.81Sjhawk split(nowarn_users_list, a); 2191.81Sjhawk for (i in a) nowarn_users[a[i]]++; 2201.81Sjhawk uid0_users_list="root toor" 2211.81Sjhawk split(uid0_users_list, a); 2221.81Sjhawk for (i in a) uid0_users[a[i]]++; 2231.25Slukem FS=":"; 2241.25Slukem } 2251.25Slukem 2261.25Slukem { 2271.15Smrg if ($0 ~ /^[ ]*$/) { 2281.25Slukem printf "Line %d is a blank line.\n", NR; 2291.15Smrg next; 2301.15Smrg } 2311.105Sdholland 2321.105Sdholland # NIS compat entry? 2331.105Sdholland compatline = $1 ~ "^[\\+-]"; 2341.105Sdholland if (compatline) { 2351.105Sdholland if ($1 == "+" && NF == 1) { 2361.105Sdholland next; 2371.105Sdholland } 2381.105Sdholland sub("^.", "", $1); 2391.105Sdholland } 2401.105Sdholland if (NF != 10) 2411.25Slukem printf "Line %d has the wrong number of fields.\n", NR; 2421.105Sdholland if (compatline) { 2431.105Sdholland if ($3 == 0) 2441.81Sjhawk printf "Line %d includes entries with uid 0.\n", 2451.81Sjhawk NR; 2461.105Sdholland if ($1 == "") 2471.105Sdholland next; 2481.34Sabs } 2491.94Sjdolecek if (!permit_nonalpha && 2501.95Speter $1 !~ /^[_A-Za-z0-9]([-A-Za-z0-9_.]*[A-Za-z0-9])*$/) 2511.25Slukem printf "Login %s has non-alphanumeric characters.\n", 2521.25Slukem $1; 2531.34Sabs if (length($1) > len) 2541.81Sjhawk printf "Login %s has more than "len" characters.\n", 2551.81Sjhawk $1; 2561.105Sdholland if ($2 == "" && !compatline && !nowarn_users[$1]) 2571.81Sjhawk printf "Login %s has no password.\n", $1; 2581.81Sjhawk if (!nowarn_shells[$10] && !nowarn_users[$1]) { 2591.81Sjhawk if (length($2) != 13 && 2601.81Sjhawk length($2) != 20 && 2611.81Sjhawk $2 !~ /^\$1/ && 2621.81Sjhawk $2 !~ /^\$2/ && 2631.99Sjmcneill $2 !~ /^\$sha1/ && 2641.81Sjhawk $2 != "" && 2651.81Sjhawk (permit_star || $2 != "*") && 2661.81Sjhawk $2 !~ /^\*[A-z-]+$/ && 2671.81Sjhawk $1 != "toor") { 2681.81Sjhawk if ($10 == "" || shells[$10]) 2691.81Sjhawk printf "Login %s is off but still has "\ 2701.81Sjhawk "a valid shell (%s)\n", $1, $10; 2711.105Sdholland } else if (compatline && $10 == "") { 2721.105Sdholland # nothing 2731.81Sjhawk } else if (! shells[$10]) 2741.81Sjhawk printf "Login %s does not have a valid "\ 2751.81Sjhawk "shell (%s)\n", $1, $10; 2761.81Sjhawk } 2771.81Sjhawk if ($3 == 0 && !uid0_users[$1] && !nowarn_users[$1]) 2781.25Slukem printf "Login %s has a user id of 0.\n", $1; 2791.105Sdholland if ($3 != "" && $3 < 0) 2801.25Slukem printf "Login %s has a negative user id.\n", $1; 2811.105Sdholland if ($4 != "" && $4 < 0) 2821.25Slukem printf "Login %s has a negative group id.\n", $1; 2831.15Smrg }' < $MP > $OUTPUT 2841.15Smrg if [ -s $OUTPUT ] ; then 2851.15Smrg printf "\nChecking the $MP file:\n" 2861.15Smrg cat $OUTPUT 2871.15Smrg fi 2881.15Smrg 2891.15Smrg awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT 2901.15Smrg if [ -s $OUTPUT ] ; then 2911.15Smrg printf "\n$MP has duplicate user names.\n" 2921.15Smrg column $OUTPUT 2931.15Smrg fi 2941.15Smrg 2951.111Sspz awk -v "permit_dups_list=$check_passwd_permit_dups" \ 2961.111Sspz ' 2971.111Sspz BEGIN { 2981.111Sspz split(permit_dups_list, a); 2991.111Sspz for (i in a) permit_dups[a[i]]++; 3001.111Sspz } 3011.111Sspz { 3021.111Sspz if (!permit_dups[$1]) 3031.111Sspz print $2; 3041.111Sspz }' < $MPBYUID | uniq -d > $TMP2 3051.15Smrg if [ -s $TMP2 ] ; then 3061.111Sspz printf "\n$MP has duplicate user ids.\n" 3071.15Smrg while read uid; do 3081.28Slukem grep -w $uid $MPBYUID 3091.15Smrg done < $TMP2 | column 3101.15Smrg fi 3111.9Scgdfi 3121.9Scgd 3131.9Scgd# Check the group file syntax. 3141.32Slukem# 3151.31Slukemif checkyesno check_group; then 3161.15Smrg GRP=/etc/group 3171.49Sjdolecek awk -F: -v "len=$max_grouplen" '{ 3181.15Smrg if ($0 ~ /^[ ]*$/) { 3191.25Slukem printf "Line %d is a blank line.\n", NR; 3201.15Smrg next; 3211.15Smrg } 3221.34Sabs if (NF != 4 && ($1 != "+" || NF != 1)) 3231.25Slukem printf "Line %d has the wrong number of fields.\n", NR; 3241.34Sabs if ($1 == "+" ) { 3251.34Sabs next; 3261.34Sabs } 3271.95Speter if ($1 !~ /^[_A-Za-z0-9]([-A-Za-z0-9_.]*[A-Za-z0-9])*$/) 3281.25Slukem printf "Group %s has non-alphanumeric characters.\n", 3291.25Slukem $1; 3301.49Sjdolecek if (length($1) > len) 3311.49Sjdolecek printf "Group %s has more than "len" characters.\n", $1; 3321.15Smrg if ($3 !~ /[0-9]*/) 3331.25Slukem printf "Login %s has a negative group id.\n", $1; 3341.15Smrg }' < $GRP > $OUTPUT 3351.15Smrg if [ -s $OUTPUT ] ; then 3361.15Smrg printf "\nChecking the $GRP file:\n" 3371.15Smrg cat $OUTPUT 3381.15Smrg fi 3391.15Smrg 3401.15Smrg awk -F: '{ print $1 }' $GRP | sort | uniq -d > $OUTPUT 3411.114Sspz dupgroups="" 3421.114Sspz for group in $(cat $OUTPUT) ; do 3431.116Sapb gcount=$(awk -F: "/$group/ { print \$1,\$3 }" $GRP | 3441.116Sapb sort -u | wc -l) 3451.114Sspz if [ $gcount -gt 1 ]; then 3461.114Sspz dupgroups="$dupgroups $group" 3471.114Sspz fi 3481.114Sspz done 3491.114Sspz if [ ! -z $dupgroups ] ; then 3501.15Smrg printf "\n$GRP has duplicate group names.\n" 3511.114Sspz printf "$dupgroups\n" 3521.15Smrg fi 3531.9Scgdfi 3541.9Scgd 3551.9Scgd# Check for root paths, umask values in startup files. 3561.9Scgd# The check for the root paths is problematical -- it's likely to fail 3571.9Scgd# in other environments. Once the shells have been modified to warn 3581.9Scgd# of '.' in the path, the path tests should go away. 3591.32Slukem# 3601.31Slukemif checkyesno check_rootdotfiles; then 3611.67Slukem rhome=~root 3621.15Smrg umaskset=no 3631.15Smrg list="/etc/csh.cshrc /etc/csh.login ${rhome}/.cshrc ${rhome}/.login" 3641.15Smrg for i in $list ; do 3651.15Smrg if [ -f $i ] ; then 3661.67Slukem if egrep '^[ \t]*umask[ \t]+[0-7]+' $i > /dev/null ; 3671.67Slukem then 3681.15Smrg umaskset=yes 3691.15Smrg fi 3701.63Slukem # Double check the umask value itself; ensure that 3711.67Slukem # both the group and other write bits are set. 3721.67Slukem # 3731.45Ssommerfe egrep '^[ \t]*umask[ \t]+[0-7]+' $i | 3741.63Slukem awk '{ 3751.67Slukem if ($2 ~ /^.$/ || $2 ~! /[^2367].$/) { 3761.80Swiz print "\tRoot umask is group writable" 3771.63Slukem } 3781.67Slukem if ($2 ~ /[^2367]$/) { 3791.80Swiz print "\tRoot umask is other writable" 3801.63Slukem } 3811.67Slukem }' | sort -u 3821.26Slukem SAVE_PATH=$PATH 3831.26Slukem unset PATH 3841.15Smrg /bin/csh -f -s << end-of-csh > /dev/null 2>&1 3851.15Smrg source $i 3861.15Smrg /bin/ls -ldgT \$path > $TMP1 3871.9Scgdend-of-csh 3881.76Satatat export PATH=$SAVE_PATH 3891.15Smrg awk '{ 3901.15Smrg if ($10 ~ /^\.$/) { 3911.27Slukem print "\tThe root path includes ."; 3921.15Smrg next; 3931.15Smrg } 3941.15Smrg } 3951.15Smrg $1 ~ /^d....w/ \ 3961.80Swiz { print "\tRoot path directory " $10 " is group writable." } \ 3971.15Smrg $1 ~ /^d.......w/ \ 3981.80Swiz { print "\tRoot path directory " $10 " is other writable." }' \ 3991.67Slukem < $TMP1 4001.15Smrg fi 4011.67Slukem done > $OUTPUT 4021.124Skre if [ $umaskset = no ] || [ -s $OUTPUT ] ; then 4031.27Slukem printf "\nChecking root csh paths, umask values:\n$list\n\n" 4041.15Smrg if [ -s $OUTPUT ]; then 4051.15Smrg cat $OUTPUT 4061.15Smrg fi 4071.123Skre if [ $umaskset = no ] ; then 4081.27Slukem printf "\tRoot csh startup files do not set the umask.\n" 4091.15Smrg fi 4101.9Scgd fi 4111.9Scgd 4121.15Smrg umaskset=no 4131.23Slukem list="/etc/profile ${rhome}/.profile" 4141.15Smrg for i in $list; do 4151.15Smrg if [ -f $i ] ; then 4161.15Smrg if egrep umask $i > /dev/null ; then 4171.15Smrg umaskset=yes 4181.15Smrg fi 4191.15Smrg egrep umask $i | 4201.67Slukem awk '$2 ~ /^.$/ || $2 ~ /[^2367].$/ \ 4211.80Swiz { print "\tRoot umask is group writable" } \ 4221.67Slukem $2 ~ /[^2367]$/ \ 4231.80Swiz { print "\tRoot umask is other writable" }' 4241.26Slukem SAVE_PATH=$PATH 4251.26Slukem unset PATH 4261.15Smrg /bin/sh << end-of-sh > /dev/null 2>&1 4271.15Smrg . $i 4281.110Schristos list=\$(echo \$PATH | /usr/bin/sed -e \ 4291.110Schristos 's/^:/.:/;s/:$/:./;s/::/:.:/g;s/:/ /g') 4301.15Smrg /bin/ls -ldgT \$list > $TMP1 4311.9Scgdend-of-sh 4321.76Satatat export PATH=$SAVE_PATH 4331.15Smrg awk '{ 4341.15Smrg if ($10 ~ /^\.$/) { 4351.27Slukem print "\tThe root path includes ."; 4361.15Smrg next; 4371.15Smrg } 4381.15Smrg } 4391.15Smrg $1 ~ /^d....w/ \ 4401.80Swiz { print "\tRoot path directory " $10 " is group writable." } \ 4411.15Smrg $1 ~ /^d.......w/ \ 4421.80Swiz { print "\tRoot path directory " $10 " is other writable." }' \ 4431.67Slukem < $TMP1 4441.9Scgd 4451.15Smrg fi 4461.67Slukem done > $OUTPUT 4471.123Skre if [ $umaskset = no ] || [ -s $OUTPUT ] ; then 4481.15Smrg printf "\nChecking root sh paths, umask values:\n$list\n" 4491.15Smrg if [ -s $OUTPUT ]; then 4501.15Smrg cat $OUTPUT 4511.15Smrg fi 4521.123Skre if [ $umaskset = no ] ; then 4531.27Slukem printf "\tRoot sh startup files do not set the umask.\n" 4541.15Smrg fi 4551.9Scgd fi 4561.9Scgdfi 4571.9Scgd 4581.9Scgd# Root and uucp should both be in /etc/ftpusers. 4591.32Slukem# 4601.31Slukemif checkyesno check_ftpusers; then 4611.109Schristos list="uucp "$(awk '$2 == 0 { print $1 }' $MPBYUID) 4621.27Slukem for i in $list; do 4631.29Slukem if /usr/libexec/ftpd -C $i ; then 4641.67Slukem printf "\t$i is not denied\n" 4651.27Slukem fi 4661.67Slukem done > $OUTPUT 4671.28Slukem if [ -s $OUTPUT ]; then 4681.28Slukem printf "\nChecking the /etc/ftpusers configuration:\n" 4691.28Slukem cat $OUTPUT 4701.28Slukem fi 4711.9Scgdfi 4721.9Scgd 4731.43Sitojun# Uudecode should not be in the /etc/mail/aliases file. 4741.32Slukem# 4751.31Slukemif checkyesno check_aliases; then 4761.43Sitojun for f in /etc/mail/aliases /etc/aliases; do 4771.43Sitojun if [ -f $f ] && egrep '^[^#]*(uudecode|decode).*\|' $f; then 4781.43Sitojun printf "\nEntry for uudecode in $f file.\n" 4791.43Sitojun fi 4801.43Sitojun done 4811.9Scgdfi 4821.9Scgd 4831.9Scgd# Files that should not have + signs. 4841.32Slukem# 4851.31Slukemif checkyesno check_rhosts; then 4861.15Smrg list="/etc/hosts.equiv /etc/hosts.lpd" 4871.15Smrg for f in $list ; do 4881.15Smrg if [ -f $f ] && egrep '\+' $f > /dev/null ; then 4891.15Smrg printf "\nPlus sign in $f file.\n" 4901.15Smrg fi 4911.15Smrg done 4921.15Smrg 4931.15Smrg # Check for special users with .rhosts files. Only root and toor should 4941.16Smikel # have .rhosts files. Also, .rhosts files should not have plus signs. 4951.15Smrg awk -F: '$1 != "root" && $1 != "toor" && \ 4961.15Smrg ($3 < 100 || $1 == "ftp" || $1 == "uucp") \ 4971.20Smycroft { print $1 " " $9 }' $MP | 4981.19Smycroft sort -k2 | 4991.15Smrg while read uid homedir; do 5001.15Smrg if [ -f ${homedir}/.rhosts ] ; then 5011.109Schristos rhost=$(ls -ldgT ${homedir}/.rhosts) 5021.46Schristos printf -- "$uid: $rhost\n" 5031.15Smrg fi 5041.15Smrg done > $OUTPUT 5051.15Smrg if [ -s $OUTPUT ] ; then 5061.15Smrg printf "\nChecking for special users with .rhosts files.\n" 5071.15Smrg cat $OUTPUT 5081.15Smrg fi 5091.15Smrg 5101.15Smrg while read uid homedir; do 5111.123Skre if [ -f ${homedir}/.rhosts ] && 5121.123Skre [ -r ${homedir}/.rhosts ] && 5131.123Skre cat -f ${homedir}/.rhosts | egrep '\+' > /dev/null 5141.123Skre then 5151.46Schristos printf -- "$uid: + in .rhosts file.\n" 5161.15Smrg fi 5171.29Slukem done < $MPBYPATH > $OUTPUT 5181.15Smrg if [ -s $OUTPUT ] ; then 5191.15Smrg printf "\nChecking .rhosts files syntax.\n" 5201.15Smrg cat $OUTPUT 5211.15Smrg fi 5221.9Scgdfi 5231.9Scgd 5241.9Scgd# Check home directories. Directories should not be owned by someone else 5251.80Swiz# or writable. 5261.32Slukem# 5271.31Slukemif checkyesno check_homes; then 5281.85Sjhawk checkyesno check_homes_permit_usergroups && \ 5291.85Sjhawk permit_usergroups=1 || permit_usergroups=0 5301.15Smrg while read uid homedir; do 5311.15Smrg if [ -d ${homedir}/ ] ; then 5321.109Schristos file=$(ls -ldgT ${homedir}) 5331.46Schristos printf -- "$uid $file\n" 5341.9Scgd fi 5351.29Slukem done < $MPBYPATH | 5361.115Sspz awk -v "usergroups=$permit_usergroups" \ 5371.118Suebayasi -v "permit_owners_list=$check_homes_permit_other_owner" ' 5381.115Sspz BEGIN { 5391.115Sspz split(permit_owners_list, a); 5401.115Sspz for (i in a) permit_owners[a[i]]++; 5411.115Sspz } 5421.115Sspz $1 != $4 && $4 != "root" && !permit_owners[$1] \ 5431.15Smrg { print "user " $1 " home directory is owned by " $4 } 5441.101Sjnemeth $2 ~ /^d....w/ && (!usergroups || $5 != $1) \ 5451.80Swiz { print "user " $1 " home directory is group writable" } 5461.101Sjnemeth $2 ~ /^d.......w/ \ 5471.80Swiz { print "user " $1 " home directory is other writable" }' \ 5481.27Slukem > $OUTPUT 5491.15Smrg if [ -s $OUTPUT ] ; then 5501.15Smrg printf "\nChecking home directories.\n" 5511.15Smrg cat $OUTPUT 5521.15Smrg fi 5531.15Smrg 5541.15Smrg # Files that should not be owned by someone else or readable. 5551.67Slukem list=".Xauthority .netrc .ssh/id_dsa .ssh/id_rsa .ssh/identity" 5561.15Smrg while read uid homedir; do 5571.15Smrg for f in $list ; do 5581.15Smrg file=${homedir}/${f} 5591.15Smrg if [ -f $file ] ; then 5601.109Schristos printf -- "$uid $f $(ls -ldgT $file)\n" 5611.15Smrg fi 5621.15Smrg done 5631.29Slukem done < $MPBYPATH | 5641.115Sspz awk -v "usergroups=$permit_usergroups" \ 5651.118Suebayasi -v "permit_owners_list=$check_homes_permit_other_owner" ' 5661.115Sspz BEGIN { 5671.115Sspz split(permit_owners_list, a); 5681.115Sspz for (i in a) permit_owners[a[i]]++; 5691.115Sspz } 5701.115Sspz $1 != $5 && $5 != "root" && !permit_owners[$1] \ 5711.15Smrg { print "user " $1 " " $2 " file is owned by " $5 } 5721.85Sjhawk $3 ~ /^-...r/ && (!usergroups || $6 != $1) \ 5731.15Smrg { print "user " $1 " " $2 " file is group readable" } 5741.15Smrg $3 ~ /^-......r/ \ 5751.15Smrg { print "user " $1 " " $2 " file is other readable" } 5761.85Sjhawk $3 ~ /^-....w/ && (!usergroups || $6 != $1) \ 5771.80Swiz { print "user " $1 " " $2 " file is group writable" } 5781.15Smrg $3 ~ /^-.......w/ \ 5791.80Swiz { print "user " $1 " " $2 " file is other writable" }' \ 5801.27Slukem > $OUTPUT 5811.15Smrg 5821.80Swiz # Files that should not be owned by someone else or writable. 5831.19Smycroft list=".bash_history .bash_login .bash_logout .bash_profile .bashrc \ 5841.79Selric .cshrc .emacs .exrc .forward .history .k5login .klogin .login \ 5851.79Selric .logout .profile .qmail .rc_history .rhosts .shosts ssh .tcshrc \ 5861.79Selric .twmrc .xinitrc .xsession .ssh/authorized_keys \ 5871.79Selric .ssh/authorized_keys2 .ssh/config .ssh/id_dsa.pub \ 5881.79Selric .ssh/id_rsa.pub .ssh/identity.pub .ssh/known_hosts \ 5891.79Selric .ssh/known_hosts2" 5901.15Smrg while read uid homedir; do 5911.15Smrg for f in $list ; do 5921.15Smrg file=${homedir}/${f} 5931.15Smrg if [ -f $file ] ; then 5941.109Schristos printf -- "$uid $f $(ls -ldgT $file)\n" 5951.15Smrg fi 5961.15Smrg done 5971.29Slukem done < $MPBYPATH | 5981.115Sspz awk -v "usergroups=$permit_usergroups" \ 5991.118Suebayasi -v "permit_owners_list=$check_homes_permit_other_owner" ' 6001.115Sspz BEGIN { 6011.115Sspz split(permit_owners_list, a); 6021.115Sspz for (i in a) permit_owners[a[i]]++; 6031.115Sspz } 6041.115Sspz $1 != $5 && $5 != "root" && !permit_owners[$1] \ 6051.15Smrg { print "user " $1 " " $2 " file is owned by " $5 } 6061.85Sjhawk $3 ~ /^-....w/ && (!usergroups || $6 != $1) \ 6071.80Swiz { print "user " $1 " " $2 " file is group writable" } 6081.15Smrg $3 ~ /^-.......w/ \ 6091.80Swiz { print "user " $1 " " $2 " file is other writable" }' \ 6101.27Slukem >> $OUTPUT 6111.15Smrg if [ -s $OUTPUT ] ; then 6121.15Smrg printf "\nChecking dot files.\n" 6131.15Smrg cat $OUTPUT 6141.15Smrg fi 6151.9Scgdfi 6161.9Scgd 6171.9Scgd# Mailboxes should be owned by user and unreadable. 6181.32Slukem# 6191.31Slukemif checkyesno check_varmail; then 6201.86Sjhawk ls -lA /var/mail | \ 6211.63Slukem awk ' NR == 1 { next; } 6221.86Sjhawk $9 ~ /^\./ {next; } 6231.63Slukem $3 != $9 { 6241.63Slukem print "user " $9 " mailbox is owned by " $3 6251.63Slukem } 6261.63Slukem $1 != "-rw-------" { 6271.63Slukem print "user " $9 " mailbox is " $1 ", group " $4 6281.63Slukem }' > $OUTPUT 6291.15Smrg if [ -s $OUTPUT ] ; then 6301.15Smrg printf "\nChecking mailbox ownership.\n" 6311.15Smrg cat $OUTPUT 6321.15Smrg fi 6331.15Smrgfi 6341.15Smrg 6351.32Slukem# NFS exports shouldn't be globally exported 6361.32Slukem# 6371.32Slukemif checkyesno check_nfs && [ -f /etc/exports ]; then 6381.32Slukem awk '{ 6391.22Slukem # ignore comments and blank lines 6401.39Shubertf if ($0 ~ /^\#/ || $0 ~ /^$/ ) 6411.22Slukem next; 6421.100Stron # manage line continuation 6431.100Stron while ($NF ~ /^\\$/) { 6441.100Stron $NF = ""; 6451.100Stron line = $0 ""; 6461.100Stron getline; 6471.100Stron $0 = line $0 ""; 6481.100Stron } 6491.22Slukem 6501.100Stron delete dir; 6511.100Stron readonly = ndir = 0; 6521.100Stron for (i = 1; i <= NF; ++i) { 6531.100Stron if ($i ~ /^\//) dir[ndir++] = $i; 6541.100Stron else if ($i ~ /^-/) { 6551.100Stron if ($i ~ /^-(ro|o)$/) readonly = 1; 6561.100Stron if ($i ~ /^-network/) next; 6571.100Stron } 6581.100Stron else next; 6591.15Smrg } 6601.15Smrg if (readonly) 6611.100Stron for (item in dir) 6621.100Stron rodir[nrodir++] = dir[item]; 6631.15Smrg else 6641.100Stron for (item in dir) 6651.100Stron rwdir[nrwdir++] = dir[item]; 6661.100Stron 6671.100Stron } 6681.100Stron 6691.100Stron END { 6701.100Stron if (nrodir) { 6711.100Stron printf("Globally exported file system%s, read-only:\n", 6721.100Stron nrodir > 1 ? "s" : ""); 6731.100Stron for (item in rodir) 6741.100Stron printf("\t%s\n", rodir[item]); 6751.100Stron } 6761.100Stron if (nrwdir) { 6771.100Stron printf("Globally exported file system%s, read-write:\n", 6781.100Stron nrwdir > 1 ? "s" : ""); 6791.100Stron for (item in rwdir) 6801.100Stron printf("\t%s\n", rwdir[item]); 6811.100Stron } 6821.32Slukem }' < /etc/exports > $OUTPUT 6831.32Slukem if [ -s $OUTPUT ] ; then 6841.15Smrg printf "\nChecking for globally exported file systems.\n" 6851.15Smrg cat $OUTPUT 6861.15Smrg fi 6871.9Scgdfi 6881.9Scgd 6891.9Scgd# Display any changes in setuid files and devices. 6901.32Slukem# 6911.31Slukemif checkyesno check_devices; then 6921.28Slukem > $ERR 6931.92Serh ( 6941.98Slukem 6951.98Slukem # Convert check_devices_ignore_fstypes="foo !bar bax" 6961.98Slukem # into "-fstype foo -o ! -fstype bar -o -fstype bax" 6971.98Slukem # and check_devices_ignore_paths="/foo !/bar /bax" 6981.98Slukem # into " -path /foo -o ! -path /bar -o -path /bax" 6991.98Slukem # 7001.98Slukem ignexpr=$(\ 7011.98Slukem echo $check_devices_ignore_fstypes | \ 7021.98Slukem sed -e's/\(!*\)\([^[:space:]]\{1,\}\)/-o \1 -fstype \2/g' ; \ 7031.98Slukem echo $check_devices_ignore_paths | \ 7041.98Slukem sed -e's/\(!*\)\([^[:space:]]\{1,\}\)/-o \1 -path \2/g' \ 7051.98Slukem ) 7061.98Slukem 7071.98Slukem # Massage the expression into ( $ignexpr ) -a -prune -o 7081.98Slukem if [ -n "${ignexpr}" ]; then 7091.98Slukem ignexpr=$(\ 7101.98Slukem echo $ignexpr | \ 7111.98Slukem sed -e 's/^-o /( /' \ 7121.98Slukem -e 's/$/ ) -a -prune -o/' \ 7131.98Slukem ) 7141.98Slukem fi 7151.98Slukem 7161.98Slukem find / $ignexpr \ 7171.21Smycroft \( \( -perm -u+s -a ! -type d \) -o \ 7181.21Smycroft \( -perm -g+s -a ! -type d \) -o \ 7191.24Slukem -type b -o -type c \) -print0 | \ 7201.98Slukem xargs -0 ls -ldgTq | sort +9 > $LIST 7211.98Slukem 7221.98Slukem ) 2> $OUTPUT 7231.15Smrg 7241.15Smrg # Display any errors that occurred during system file walk. 7251.15Smrg if [ -s $OUTPUT ] ; then 7261.28Slukem printf "Setuid/device find errors:\n" >> $ERR 7271.28Slukem cat $OUTPUT >> $ERR 7281.28Slukem printf "\n" >> $ERR 7291.15Smrg fi 7301.15Smrg 7311.15Smrg # Display any changes in the setuid file list. 7321.15Smrg egrep -v '^[bc]' $LIST > $TMP1 7331.15Smrg if [ -s $TMP1 ] ; then 7341.15Smrg # Check to make sure uudecode isn't setuid. 7351.15Smrg if grep -w uudecode $TMP1 > /dev/null ; then 7361.28Slukem printf "\nUudecode is setuid.\n" >> $ERR 7371.15Smrg fi 7381.15Smrg 7391.67Slukem file=$work_dir/setuid 7401.67Slukem migrate_file "$backup_dir/setuid" "$file" 7411.67Slukem CUR=${file}.current 7421.67Slukem BACK=${file}.backup 7431.15Smrg if [ -s $CUR ] ; then 7441.15Smrg if cmp -s $CUR $TMP1 ; then 7451.15Smrg : 7461.15Smrg else 7471.15Smrg > $TMP2 7481.15Smrg join -110 -210 -v2 $CUR $TMP1 > $OUTPUT 7491.15Smrg if [ -s $OUTPUT ] ; then 7501.28Slukem printf "Setuid additions:\n" >> $ERR 7511.28Slukem tee -a $TMP2 < $OUTPUT >> $ERR 7521.28Slukem printf "\n" >> $ERR 7531.15Smrg fi 7541.15Smrg 7551.15Smrg join -110 -210 -v1 $CUR $TMP1 > $OUTPUT 7561.15Smrg if [ -s $OUTPUT ] ; then 7571.28Slukem printf "Setuid deletions:\n" >> $ERR 7581.28Slukem tee -a $TMP2 < $OUTPUT >> $ERR 7591.28Slukem printf "\n" >> $ERR 7601.15Smrg fi 7611.15Smrg 7621.20Smycroft sort -k10 $TMP2 $CUR $TMP1 | \ 7631.27Slukem sed -e 's/[ ][ ]*/ /g' | \ 7641.27Slukem uniq -u > $OUTPUT 7651.15Smrg if [ -s $OUTPUT ] ; then 7661.28Slukem printf "Setuid changes:\n" >> $ERR 7671.28Slukem column -t $OUTPUT >> $ERR 7681.28Slukem printf "\n" >> $ERR 7691.15Smrg fi 7701.9Scgd 7711.52Satatat backup_file update $TMP1 $CUR $BACK 7721.9Scgd fi 7731.15Smrg else 7741.28Slukem printf "Setuid additions:\n" >> $ERR 7751.28Slukem column -t $TMP1 >> $ERR 7761.28Slukem printf "\n" >> $ERR 7771.52Satatat backup_file add $TMP1 $CUR $BACK 7781.9Scgd fi 7791.15Smrg fi 7801.15Smrg 7811.27Slukem # Check for block and character disk devices that are readable or 7821.80Swiz # writable or not owned by root.operator. 7831.15Smrg >$TMP1 7841.61Slukem DISKLIST="ccd ch hk hp ld md ra raid rb rd rl rx \ 7851.57Ssimonb sd se ss uk up vnd wd xd xy" 7861.27Slukem# DISKLIST="$DISKLIST ct mt st wt" 7871.15Smrg for i in $DISKLIST; do 7881.15Smrg egrep "^b.*/${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1 7891.15Smrg egrep "^c.*/r${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1 7901.15Smrg done 7911.15Smrg 7921.15Smrg awk '$3 != "root" || $4 != "operator" || $1 !~ /.rw-r-----/ \ 7931.25Slukem { printf "Disk %s is user %s, group %s, permissions %s.\n", \ 7941.25Slukem $11, $3, $4, $1; }' < $TMP1 > $OUTPUT 7951.15Smrg if [ -s $OUTPUT ] ; then 7961.28Slukem printf "\nChecking disk ownership and permissions.\n" >> $ERR 7971.28Slukem cat $OUTPUT >> $ERR 7981.28Slukem printf "\n" >> $ERR 7991.9Scgd fi 8001.9Scgd 8011.15Smrg # Display any changes in the device file list. 8021.20Smycroft egrep '^[bc]' $LIST | sort -k11 > $TMP1 8031.15Smrg if [ -s $TMP1 ] ; then 8041.67Slukem file=$work_dir/device 8051.67Slukem migrate_file "$backup_dir/device" "$file" 8061.67Slukem CUR=${file}.current 8071.67Slukem BACK=${file}.backup 8081.15Smrg 8091.15Smrg if [ -s $CUR ] ; then 8101.15Smrg if cmp -s $CUR $TMP1 ; then 8111.15Smrg : 8121.15Smrg else 8131.15Smrg > $TMP2 8141.15Smrg join -111 -211 -v2 $CUR $TMP1 > $OUTPUT 8151.15Smrg if [ -s $OUTPUT ] ; then 8161.28Slukem printf "Device additions:\n" >> $ERR 8171.28Slukem tee -a $TMP2 < $OUTPUT >> $ERR 8181.28Slukem printf "\n" >> $ERR 8191.15Smrg fi 8201.15Smrg 8211.15Smrg join -111 -211 -v1 $CUR $TMP1 > $OUTPUT 8221.15Smrg if [ -s $OUTPUT ] ; then 8231.28Slukem printf "Device deletions:\n" >> $ERR 8241.28Slukem tee -a $TMP2 < $OUTPUT >> $ERR 8251.28Slukem printf "\n" >> $ERR 8261.15Smrg fi 8271.15Smrg 8281.27Slukem # Report any block device change. Ignore 8291.27Slukem # character devices, only the name is 8301.27Slukem # significant. 8311.15Smrg cat $TMP2 $CUR $TMP1 | \ 8321.27Slukem sed -e '/^c/d' | \ 8331.27Slukem sort -k11 | \ 8341.27Slukem sed -e 's/[ ][ ]*/ /g' | \ 8351.27Slukem uniq -u > $OUTPUT 8361.15Smrg if [ -s $OUTPUT ] ; then 8371.28Slukem printf "Block device changes:\n" >> $ERR 8381.28Slukem column -t $OUTPUT >> $ERR 8391.28Slukem printf "\n" >> $ERR 8401.15Smrg fi 8411.9Scgd 8421.52Satatat backup_file update $TMP1 $CUR $BACK 8431.9Scgd fi 8441.15Smrg else 8451.28Slukem printf "Device additions:\n" >> $ERR 8461.28Slukem column -t $TMP1 >> $ERR 8471.28Slukem printf "\n" >> $ERR 8481.52Satatat backup_file add $TMP1 $CUR $BACK >> $ERR 8491.9Scgd fi 8501.28Slukem fi 8511.28Slukem if [ -s $ERR ] ; then 8521.28Slukem printf "\nChecking setuid files and devices:\n" 8531.28Slukem cat $ERR 8541.28Slukem printf "\n" 8551.9Scgd fi 8561.9Scgdfi 8571.9Scgd 8581.9Scgd# Check special files. 8591.9Scgd# Check system binaries. 8601.9Scgd# 8611.9Scgd# Create the mtree tree specifications using: 8621.67Slukem# mtree -cx -pDIR -kmd5,uid,gid,mode,nlink,size,link,time > DIR.secure 8631.38Skleink# chown root:wheel DIR.secure 8641.67Slukem# chmod u+r,go= DIR.secure 8651.9Scgd# 8661.9Scgd# Note, this is not complete protection against Trojan horsed binaries, as 8671.9Scgd# the hacker can modify the tree specification to match the replaced binary. 8681.9Scgd# For details on really protecting yourself against modified binaries, see 8691.9Scgd# the mtree(8) manual page. 8701.32Slukem# 8711.31Slukemif checkyesno check_mtree; then 8721.82Sjhawk if checkyesno check_mtree_follow_symlinks; then 8731.82Sjhawk check_mtree_flags="-L" 8741.82Sjhawk else 8751.82Sjhawk check_mtree_flags="" 8761.82Sjhawk fi 8771.91Slukem mtree -e -l -p / $check_mtree_flags -f $SPECIALSPEC 3>&1 >$OUTPUT 2>&3 | 8781.87Sjhawk grep -v '^mtree: dev/tty: Device not configured$' >&2 8791.15Smrg if [ -s $OUTPUT ]; then 8801.9Scgd printf "\nChecking special files and directories.\n" 8811.9Scgd cat $OUTPUT 8821.9Scgd fi 8831.9Scgd 8841.16Smikel for file in /etc/mtree/*.secure; do 8851.16Smikel [ $file = '/etc/mtree/*.secure' ] && continue 8861.109Schristos tree=$(sed -n -e '3s/.* //p' -e 3q $file) 8871.82Sjhawk mtree $check_mtree_flags -f $file -p $tree > $TMP1 8881.9Scgd if [ -s $TMP1 ]; then 8891.67Slukem printf "\nChecking $tree:\n" 8901.67Slukem cat $TMP1 8911.9Scgd fi 8921.67Slukem done > $OUTPUT 8931.15Smrg if [ -s $OUTPUT ]; then 8941.9Scgd printf "\nChecking system binaries:\n" 8951.9Scgd cat $OUTPUT 8961.9Scgd fi 8971.9Scgdfi 8981.9Scgd 8991.32Slukem# Backup disklabels of available disks 9001.32Slukem# 9011.32Slukemif checkyesno check_disklabels; then 9021.67Slukem # migrate old disklabels 9031.109Schristos for file in $(ls -1d $backup_dir/$backup_dir/disklabel.* \ 9041.109Schristos $backup_dir/disklabel.* 2>/dev/null); do 9051.67Slukem migrate_file "$file" "$work_dir/${file##*/}" 9061.67Slukem done 9071.67Slukem 9081.116Sapb # generate list of old disklabels, fdisks & wedges, 9091.116Sapb # and remove them 9101.116Sapb ls -1d $work_dir/disklabel.* $work_dir/fdisk.* $work_dir/wedges.* \ 9111.116Sapb 2>/dev/null | 9121.52Satatat egrep -v '\.(backup|current)(,v)?$' > $LABELS 9131.32Slukem xargs rm < $LABELS 9141.32Slukem 9151.122Smlelstv disks="$(/sbin/sysctl -n hw.iostatnames)" 9161.117Schristos 9171.117Schristos # generate disklabels of all disks excluding: cd fd md dk st 9181.117Schristos # nfs and "device" (the header of iostat) 9191.32Slukem for i in $disks; do 9201.117Schristos case $i in 9211.122Smlelstv [cfm]d[0-9]*|dk[0-9]*|st[0-9]*|nfs[0-9]*) 9221.117Schristos ;; 9231.117Schristos *) 9241.120Spgoyette if disklabel $i > /dev/null 2>&1; then 9251.117Schristos disklabel $i > "$work_dir/disklabel.$i" 9261.117Schristos fi 9271.117Schristos ;; 9281.117Schristos esac 9291.32Slukem done 9301.32Slukem 9311.67Slukem # if fdisk is available, generate fdisks for: ed ld sd wd 9321.67Slukem if [ -x /sbin/fdisk ]; then 9331.67Slukem for i in $disks; do 9341.117Schristos case $i in 9351.117Schristos [elsw]d[0-9]*) 9361.117Schristos /sbin/fdisk $i > "$work_dir/fdisk.$i" \ 9371.117Schristos 2>/dev/null 9381.117Schristos ;; 9391.117Schristos esac 9401.67Slukem done 9411.67Slukem fi 9421.67Slukem 9431.116Sapb # if dkctl is available, generate dkctl listwedges 9441.116Sapb # for: ed ld sd wd cgd ofdisk ra rl raid 9451.103Stron if [ -x /sbin/dkctl ]; then 9461.103Stron for i in $disks; do 9471.117Schristos case $i in 9481.117Schristos [elsw]d[0-9]*|cgd[0-9]*|ofdisk[0-9]*|r[al][0-9]*|raid[0-9]*) 9491.122Smlelstv if /sbin/dkctl $i listwedges | 9501.122Smlelstv grep -qe '[0-9] wedges:'; then 9511.117Schristos /sbin/dkctl $i listwedges \ 9521.117Schristos > "$work_dir/wedges.$i" 2>/dev/null 9531.117Schristos fi 9541.117Schristos ;; 9551.117Schristos esac 9561.103Stron done 9571.103Stron fi 9581.103Stron 9591.121Sriastrad # if raidctl is available, generate raidctls for: raid 9601.121Sriastrad if [ -x /sbin/raidctl ]; then 9611.121Sriastrad disks=$(iostat -x | awk 'NR > 1 && $1 ~ /^raid/ { print $1; }') 9621.121Sriastrad for i in $disks; do 9631.121Sriastrad /sbin/raidctl -G $i > "$work_dir/raidconf.$i" \ 9641.121Sriastrad 2>/dev/null 9651.121Sriastrad done 9661.121Sriastrad fi 9671.121Sriastrad 9681.103Stron # append list of new disklabels, fdisks and wedges 9691.116Sapb ls -1d $work_dir/disklabel.* $work_dir/fdisk.* $work_dir/wedges.* \ 9701.121Sriastrad $work_dir/raidconf.* 2>/dev/null | 9711.52Satatat egrep -v '\.(backup|current)(,v)?$' >> $LABELS 9721.62Satatat CHANGELIST="$LABELS $CHANGELIST" 9731.62Satatatfi 9741.62Satatat 9751.106Shaadif checkyesno check_lvm; then 9761.118Suebayasi # generate list of existing LVM elements Physical Volumes, 9771.118Suebayasi # Volume Groups and Logical Volumes. 9781.118Suebayasi if [ -x /sbin/lvm ]; then 9791.118Suebayasi lvm pvdisplay -m >"$work_dir/lvm.pv" 2>/dev/null 9801.118Suebayasi lvm vgdisplay -m >"$work_dir/lvm.vg" 2>/dev/null 9811.118Suebayasi lvm lvdisplay -m >"$work_dir/lvm.lv" 2>/dev/null 9821.118Suebayasi fi 9831.118Suebayasi ls -1d $work_dir/lvm.* 2>/dev/null | 9841.118Suebayasi egrep -v '\.(backup|current)(,v)?$'>> $LVM_LABELS 9851.118Suebayasi CHANGELIST="$CHANGELIST $LVM_LABELS" 9861.106Shaadfi 9871.106Shaad 9881.62Satatat# Check for changes in the list of installed pkgs 9891.62Satatat# 9901.108Sjmmvif checkyesno check_pkgs && have_pkgs; then 9911.67Slukem pkgs=$work_dir/pkgs 9921.67Slukem migrate_file "$backup_dir/pkgs" "$pkgs" 9931.112Sagc pkg_dbdir=$(${pkg_admin} config-var PKG_DBDIR) 9941.127Swiz : ${pkg_dbdir:=/usr/pkg/pkgdb} 9951.108Sjmmv ( cd $pkg_dbdir 9961.104Sadrianp $pkg_info | sort 9971.62Satatat echo "" 9981.62Satatat find . \( -name +REQUIRED_BY -o -name +CONTENTS \) -print0 | 9991.72Slukem xargs -0 ls -ldgTq | sort -t. +1 | sed -e 's, \./, ,' 10001.62Satatat ) > $pkgs 10011.67Slukem echo "$pkgs" > $PKGS 10021.62Satatat CHANGELIST="$PKGS $CHANGELIST" 10031.32Slukemfi 10041.32Slukem 10051.67Slukem# List of files that get backed up and checked for any modifications. 10061.9Scgd# Any changes cause the files to rotate. 10071.32Slukem# 10081.67Slukemif checkyesno check_changelist ; then 10091.91Slukem mtree -D -k type -f $SPECIALSPEC -E exclude | 10101.91Slukem sed '/^type=file/!d ; s/type=file \.//' | unvis > $CHANGEFILES 10111.67Slukem 10121.75Slukem ( 10131.68Slukem # Add other files which might dynamically exist: 10141.67Slukem # /etc/ifconfig.* 10151.67Slukem # /etc/raid*.conf 10161.68Slukem # /etc/rc.d/* 10171.67Slukem # /etc/rc.conf.d/* 10181.68Slukem # 10191.75Slukem echo "/etc/ifconfig.*" 10201.75Slukem echo "/etc/raid*.conf" 10211.75Slukem echo "/etc/rc.d/*" 10221.75Slukem echo "/etc/rc.conf.d/*" 10231.106Shaad echo "/etc/lvm/backup/*" 10241.106Shaad echo "/etc/lvm/archive/*" 10251.67Slukem 10261.68Slukem # Add /etc/changelist 10271.68Slukem # 10281.75Slukem if [ -s /etc/changelist ]; then 10291.75Slukem grep -v '^#' /etc/changelist 10301.75Slukem fi 10311.75Slukem ) | while read file; do 10321.75Slukem case "$file" in 10331.75Slukem *[\*\?\[]*) # If changelist line is a glob ... 10341.75Slukem # ... expand possible backup files 10351.75Slukem # 10361.125Suwe ls -1d $backup_dir/${file}.current 2>/dev/null \ 10371.75Slukem | sed "s,^$backup_dir/,, ; s,\.current$,," 10381.118Suebayasi 10391.75Slukem # ... expand possible files 10401.75Slukem # 10411.125Suwe ls -1d $file 2>/dev/null 10421.75Slukem ;; 10431.75Slukem *) 10441.75Slukem # Otherwise, just print the filename 10451.75Slukem echo $file 10461.75Slukem ;; 10471.75Slukem esac 10481.75Slukem done >> $CHANGEFILES 10491.67Slukem CHANGELIST="$CHANGEFILES $CHANGELIST" 10501.67Slukemfi 10511.67Slukem 10521.126Sriastrad# Save entropy to ${random_file} if defined, like 10531.126Sriastrad# /etc/rc.d/random_seed. 10541.126Sriastrad# 10551.126Sriastradif [ -n "${random_file:-}" ]; then 10561.126Sriastrad rndctl -S "$random_file" 10571.126Sriastradfi 10581.126Sriastrad 10591.67Slukem# Special case backups, including the master password file and 10601.67Slukem# ssh private host keys. The normal backup mechanisms for 10611.67Slukem# $check_changelist (see below) also print out the actual file 10621.67Slukem# differences and we don't want to do that for these files 10631.67Slukem# 10641.67Slukemecho $MP > $TMP1 # always add /etc/master.passwd 10651.91Slukemmtree -D -k type -f $SPECIALSPEC -I nodiff | 10661.91Slukem sed '/^type=file/!d ; s/type=file \.//' | unvis >> $TMP1 10671.73Slukemgrep -v '^$' $TMP1 | sort -u > $TMP2 10681.68Slukem 10691.69Slukemwhile read file; do 10701.67Slukem backup_and_diff "$file" no 10711.69Slukemdone < $TMP2 10721.67Slukem 10731.32Slukem 10741.32Slukemif [ -n "$CHANGELIST" ]; then 10751.73Slukem grep -h -v '^$' $CHANGELIST | sort -u > $TMP1 10761.68Slukem comm -23 $TMP1 $TMP2 | while read file; do 10771.67Slukem backup_and_diff "$file" yes 10781.9Scgd done 10791.44Sadfi 10801.44Sad 10811.108Sjmmvif have_pkgs; then 10821.107Sjmmv if checkyesno check_pkg_vulnerabilities; then 10831.112Sagc ${pkg_admin} ${_compat_K_flag} audit >${OUTPUT} 2>&1 10841.107Sjmmv if [ -s ${OUTPUT} ]; then 10851.107Sjmmv printf "\nInstalled vulnerable packages:\n" 10861.107Sjmmv cat ${OUTPUT} 10871.107Sjmmv fi 10881.107Sjmmv fi 10891.107Sjmmv 10901.107Sjmmv if checkyesno check_pkg_signatures; then 10911.112Sagc ${pkg_admin} ${_compat_K_flag} check >${OUTPUT} 2>&1 10921.107Sjmmv if [ $? -ne 0 ]; then 10931.107Sjmmv printf "\nFiles with invalid signatures:\n" 10941.107Sjmmv cat ${OUTPUT} 10951.107Sjmmv fi 10961.107Sjmmv fi 10971.107Sjmmvfi 10981.107Sjmmv 10991.44Sadif [ -f /etc/security.local ]; then 11001.90Skim . /etc/security.local > $OUTPUT 2>&1 11011.84Sjhawk if [ -s $OUTPUT ] ; then 11021.84Sjhawk printf "\nRunning /etc/security.local:\n" 11031.84Sjhawk cat $OUTPUT 11041.84Sjhawk fi 11051.9Scgdfi 1106