security revision 1.31
11.1Scgd#!/bin/sh - 21.1Scgd# 31.31Slukem# $NetBSD: security,v 1.31 1998/01/26 12:02:55 lukem Exp $ 41.9Scgd# from: @(#)security 8.1 (Berkeley) 6/9/93 51.1Scgd# 61.1Scgd 71.9ScgdPATH=/sbin:/usr/sbin:/bin:/usr/bin 81.1Scgd 91.31Slukemif [ -f /etc/rc.subr ]; then 101.31Slukem . /etc/rc.subr 111.31Slukemelse 121.31Slukem echo "Can't read /etc/rc.subr; aborting." 131.31Slukem exit 1; 141.31Slukemfi 151.31Slukem 161.9Scgdumask 077 171.1Scgd 181.15Smrgif [ -s /etc/security.conf ]; then 191.15Smrg . /etc/security.conf 201.15Smrgfi 211.15Smrg 221.15SmrgSECUREDIR=/tmp/_securedir.$$ 231.15Smrgif ! mkdir $SECUREDIR; then 241.15Smrg echo can not create $SECUREDIR. 251.15Smrg exit 1 261.15Smrgfi 271.15Smrg 281.15Smrgif ! cd $SECUREDIR; then 291.15Smrg echo can not chdir to $SECUREDIR. 301.15Smrg exit 1 311.15Smrgfi 321.15Smrg 331.15SmrgERR=secure1.$$ 341.15SmrgTMP1=secure2.$$ 351.15SmrgTMP2=secure3.$$ 361.28SlukemMPBYUID=secure4.$$ 371.29SlukemMPBYPATH=secure5.$$ 381.27SlukemLIST=secure6.$$ 391.27SlukemOUTPUT=secure7.$$ 401.15Smrg 411.27Slukemtrap '/bin/rm -rf $SECUREDIR ; exit 0' 0 2 3 421.15Smrg 431.15SmrgMP=/etc/master.passwd 441.9Scgd 451.27Slukem# these is used several times. 461.28Slukemawk -F: '{ print $1 " " $3 }' $MP | sort -k2n > $MPBYUID 471.29Slukemawk -F: '{ print $1 " " $9 }' $MP | sort -k2 > $MPBYPATH 481.9Scgd 491.9Scgd# Check the master password file syntax. 501.31Slukemif checkyesno check_passwd; then 511.25Slukem awk ' 521.25Slukem BEGIN { 531.25Slukem while ( getline < "/etc/shells" > 0 ) { 541.25Slukem if ($LINE ~ /^\#/ || $LINE ~ /^$/ ) 551.25Slukem continue; 561.25Slukem shells[$1]++; 571.25Slukem } 581.25Slukem FS=":"; 591.25Slukem } 601.25Slukem 611.25Slukem { 621.15Smrg if ($0 ~ /^[ ]*$/) { 631.25Slukem printf "Line %d is a blank line.\n", NR; 641.15Smrg next; 651.15Smrg } 661.15Smrg if (NF != 10) 671.25Slukem printf "Line %d has the wrong number of fields.\n", NR; 681.15Smrg if ($1 !~ /^[A-Za-z0-9]*$/) 691.25Slukem printf "Login %s has non-alphanumeric characters.\n", 701.25Slukem $1; 711.15Smrg if (length($1) > 8) 721.25Slukem printf "Login %s has more than 8 characters.\n", $1; 731.15Smrg if ($2 == "") 741.25Slukem printf "Login %s has no password.\n", $1; 751.25Slukem if (length($2) != 13 && $2 != "") { 761.25Slukem if ($10 == "" || shells[$10]) 771.27Slukem printf "Login %s is off but still has a valid shell (%s)\n", 781.25Slukem $1, $10; 791.25Slukem } else if (! shells[$10]) 801.25Slukem printf "Login %s does not have a valid shell (%s)\n", 811.25Slukem $1, $10; 821.15Smrg if ($3 == 0 && $1 != "root" && $1 != "toor") 831.25Slukem printf "Login %s has a user id of 0.\n", $1; 841.15Smrg if ($3 < 0) 851.25Slukem printf "Login %s has a negative user id.\n", $1; 861.15Smrg if ($4 < 0) 871.25Slukem printf "Login %s has a negative group id.\n", $1; 881.15Smrg }' < $MP > $OUTPUT 891.15Smrg if [ -s $OUTPUT ] ; then 901.15Smrg printf "\nChecking the $MP file:\n" 911.15Smrg cat $OUTPUT 921.15Smrg fi 931.15Smrg 941.15Smrg awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT 951.15Smrg if [ -s $OUTPUT ] ; then 961.15Smrg printf "\n$MP has duplicate user names.\n" 971.15Smrg column $OUTPUT 981.15Smrg fi 991.15Smrg 1001.28Slukem < $MPBYUID uniq -d -f 1 | awk '{ print $2 }' > $TMP2 1011.15Smrg if [ -s $TMP2 ] ; then 1021.15Smrg printf "\n$MP has duplicate user id's.\n" 1031.15Smrg while read uid; do 1041.28Slukem grep -w $uid $MPBYUID 1051.15Smrg done < $TMP2 | column 1061.15Smrg fi 1071.9Scgdfi 1081.9Scgd 1091.9Scgd# Backup the master password file; a special case, the normal backup 1101.9Scgd# mechanisms also print out file differences and we don't want to do 1111.9Scgd# that because this file has encrypted passwords in it. 1121.9ScgdCUR=/var/backups/`basename $MP`.current 1131.9ScgdBACK=/var/backups/`basename $MP`.backup 1141.9Scgdif [ -s $CUR ] ; then 1151.9Scgd if cmp -s $CUR $MP; then 1161.9Scgd : 1171.9Scgd else 1181.9Scgd cp -p $CUR $BACK 1191.9Scgd cp -p $MP $CUR 1201.9Scgd chown root.wheel $CUR 1211.9Scgd fi 1221.9Scgdelse 1231.9Scgd cp -p $MP $CUR 1241.9Scgd chown root.wheel $CUR 1251.9Scgdfi 1261.9Scgd 1271.9Scgd# Check the group file syntax. 1281.31Slukemif checkyesno check_group; then 1291.15Smrg GRP=/etc/group 1301.15Smrg awk -F: '{ 1311.15Smrg if ($0 ~ /^[ ]*$/) { 1321.25Slukem printf "Line %d is a blank line.\n", NR; 1331.15Smrg next; 1341.15Smrg } 1351.15Smrg if (NF != 4) 1361.25Slukem printf "Line %d has the wrong number of fields.\n", NR; 1371.15Smrg if ($1 !~ /^[A-za-z0-9]*$/) 1381.25Slukem printf "Group %s has non-alphanumeric characters.\n", 1391.25Slukem $1; 1401.15Smrg if (length($1) > 8) 1411.25Slukem printf "Group %s has more than 8 characters.\n", $1; 1421.15Smrg if ($3 !~ /[0-9]*/) 1431.25Slukem printf "Login %s has a negative group id.\n", $1; 1441.15Smrg }' < $GRP > $OUTPUT 1451.15Smrg if [ -s $OUTPUT ] ; then 1461.15Smrg printf "\nChecking the $GRP file:\n" 1471.15Smrg cat $OUTPUT 1481.15Smrg fi 1491.15Smrg 1501.15Smrg awk -F: '{ print $1 }' $GRP | sort | uniq -d > $OUTPUT 1511.15Smrg if [ -s $OUTPUT ] ; then 1521.15Smrg printf "\n$GRP has duplicate group names.\n" 1531.15Smrg column $OUTPUT 1541.15Smrg fi 1551.9Scgdfi 1561.9Scgd 1571.9Scgd# Check for root paths, umask values in startup files. 1581.9Scgd# The check for the root paths is problematical -- it's likely to fail 1591.9Scgd# in other environments. Once the shells have been modified to warn 1601.9Scgd# of '.' in the path, the path tests should go away. 1611.31Slukemif checkyesno check_rootdotfiles; then 1621.28Slukem > $OUTPUT 1631.15Smrg rhome=`csh -fc "echo ~root"` 1641.15Smrg umaskset=no 1651.15Smrg list="/etc/csh.cshrc /etc/csh.login ${rhome}/.cshrc ${rhome}/.login" 1661.15Smrg for i in $list ; do 1671.15Smrg if [ -f $i ] ; then 1681.15Smrg if egrep umask $i > /dev/null ; then 1691.15Smrg umaskset=yes 1701.15Smrg fi 1711.15Smrg egrep umask $i | 1721.15Smrg awk '$2 % 100 < 20 \ 1731.27Slukem { print "\tRoot umask is group writeable" } 1741.15Smrg $2 % 10 < 2 \ 1751.27Slukem { print "\tRoot umask is other writeable" }' \ 1761.27Slukem >> $OUTPUT 1771.26Slukem SAVE_PATH=$PATH 1781.26Slukem unset PATH 1791.15Smrg /bin/csh -f -s << end-of-csh > /dev/null 2>&1 1801.15Smrg source $i 1811.15Smrg /bin/ls -ldgT \$path > $TMP1 1821.9Scgdend-of-csh 1831.26Slukem PATH=$SAVE_PATH 1841.15Smrg awk '{ 1851.15Smrg if ($10 ~ /^\.$/) { 1861.27Slukem print "\tThe root path includes ."; 1871.15Smrg next; 1881.15Smrg } 1891.15Smrg } 1901.15Smrg $1 ~ /^d....w/ \ 1911.27Slukem { print "\tRoot path directory " $10 " is group writeable." } \ 1921.15Smrg $1 ~ /^d.......w/ \ 1931.27Slukem { print "\tRoot path directory " $10 " is other writeable." }' \ 1941.15Smrg < $TMP1 >> $OUTPUT 1951.15Smrg fi 1961.15Smrg done 1971.15Smrg if [ $umaskset = "no" -o -s $OUTPUT ] ; then 1981.27Slukem printf "\nChecking root csh paths, umask values:\n$list\n\n" 1991.15Smrg if [ -s $OUTPUT ]; then 2001.15Smrg cat $OUTPUT 2011.15Smrg fi 2021.15Smrg if [ $umaskset = "no" ] ; then 2031.27Slukem printf "\tRoot csh startup files do not set the umask.\n" 2041.15Smrg fi 2051.9Scgd fi 2061.9Scgd 2071.28Slukem > $OUTPUT 2081.15Smrg rhome=/root 2091.15Smrg umaskset=no 2101.23Slukem list="/etc/profile ${rhome}/.profile" 2111.15Smrg for i in $list; do 2121.15Smrg if [ -f $i ] ; then 2131.15Smrg if egrep umask $i > /dev/null ; then 2141.15Smrg umaskset=yes 2151.15Smrg fi 2161.15Smrg egrep umask $i | 2171.15Smrg awk '$2 % 100 < 20 \ 2181.27Slukem { print "\tRoot umask is group writeable" } \ 2191.15Smrg $2 % 10 < 2 \ 2201.27Slukem { print "\tRoot umask is other writeable" }' \ 2211.27Slukem >> $OUTPUT 2221.26Slukem SAVE_PATH=$PATH 2231.26Slukem unset PATH 2241.15Smrg /bin/sh << end-of-sh > /dev/null 2>&1 2251.15Smrg . $i 2261.26Slukem list=\`echo \$PATH | /usr/bin/sed -e \ 2271.26Slukem 's/^:/.:/;s/:$/:./;s/::/:.:/g;s/:/ /g'\` 2281.15Smrg /bin/ls -ldgT \$list > $TMP1 2291.9Scgdend-of-sh 2301.26Slukem PATH=$SAVE_PATH 2311.15Smrg awk '{ 2321.15Smrg if ($10 ~ /^\.$/) { 2331.27Slukem print "\tThe root path includes ."; 2341.15Smrg next; 2351.15Smrg } 2361.15Smrg } 2371.15Smrg $1 ~ /^d....w/ \ 2381.27Slukem { print "\tRoot path directory " $10 " is group writeable." } \ 2391.15Smrg $1 ~ /^d.......w/ \ 2401.27Slukem { print "\tRoot path directory " $10 " is other writeable." }' \ 2411.15Smrg < $TMP1 >> $OUTPUT 2421.9Scgd 2431.15Smrg fi 2441.15Smrg done 2451.15Smrg if [ $umaskset = "no" -o -s $OUTPUT ] ; then 2461.15Smrg printf "\nChecking root sh paths, umask values:\n$list\n" 2471.15Smrg if [ -s $OUTPUT ]; then 2481.15Smrg cat $OUTPUT 2491.15Smrg fi 2501.15Smrg if [ $umaskset = "no" ] ; then 2511.27Slukem printf "\tRoot sh startup files do not set the umask.\n" 2521.15Smrg fi 2531.9Scgd fi 2541.9Scgdfi 2551.9Scgd 2561.9Scgd# Root and uucp should both be in /etc/ftpusers. 2571.31Slukemif checkyesno check_ftpusers; then 2581.28Slukem > $OUTPUT 2591.28Slukem list="uucp "`awk '$2 == 0 { print $1 }' $MPBYUID` 2601.27Slukem for i in $list; do 2611.29Slukem if /usr/libexec/ftpd -C $i ; then 2621.29Slukem printf "\t$i is not denied\n" >> $OUTPUT 2631.27Slukem fi 2641.27Slukem done 2651.28Slukem if [ -s $OUTPUT ]; then 2661.28Slukem printf "\nChecking the /etc/ftpusers configuration:\n" 2671.28Slukem cat $OUTPUT 2681.28Slukem fi 2691.9Scgdfi 2701.9Scgd 2711.9Scgd# Uudecode should not be in the /etc/aliases file. 2721.31Slukemif checkyesno check_aliases; then 2731.18Smikel if egrep '^[^#]*(uudecode|decode).*\|' /etc/aliases; then 2741.18Smikel printf "\nEntry for uudecode in /etc/aliases file.\n" 2751.15Smrg fi 2761.9Scgdfi 2771.9Scgd 2781.9Scgd# Files that should not have + signs. 2791.31Slukemif checkyesno check_rhosts; then 2801.15Smrg list="/etc/hosts.equiv /etc/hosts.lpd" 2811.15Smrg for f in $list ; do 2821.15Smrg if [ -f $f ] && egrep '\+' $f > /dev/null ; then 2831.15Smrg printf "\nPlus sign in $f file.\n" 2841.15Smrg fi 2851.15Smrg done 2861.15Smrg 2871.15Smrg # Check for special users with .rhosts files. Only root and toor should 2881.16Smikel # have .rhosts files. Also, .rhosts files should not have plus signs. 2891.15Smrg awk -F: '$1 != "root" && $1 != "toor" && \ 2901.15Smrg ($3 < 100 || $1 == "ftp" || $1 == "uucp") \ 2911.20Smycroft { print $1 " " $9 }' $MP | 2921.19Smycroft sort -k2 | 2931.15Smrg while read uid homedir; do 2941.15Smrg if [ -f ${homedir}/.rhosts ] ; then 2951.15Smrg rhost=`ls -ldgT ${homedir}/.rhosts` 2961.15Smrg printf "$uid: $rhost\n" 2971.15Smrg fi 2981.15Smrg done > $OUTPUT 2991.15Smrg if [ -s $OUTPUT ] ; then 3001.15Smrg printf "\nChecking for special users with .rhosts files.\n" 3011.15Smrg cat $OUTPUT 3021.15Smrg fi 3031.15Smrg 3041.15Smrg while read uid homedir; do 3051.15Smrg if [ -f ${homedir}/.rhosts ] && \ 3061.15Smrg egrep '\+' ${homedir}/.rhosts > /dev/null ; then 3071.15Smrg printf "$uid: + in .rhosts file.\n" 3081.15Smrg fi 3091.29Slukem done < $MPBYPATH > $OUTPUT 3101.15Smrg if [ -s $OUTPUT ] ; then 3111.15Smrg printf "\nChecking .rhosts files syntax.\n" 3121.15Smrg cat $OUTPUT 3131.15Smrg fi 3141.9Scgdfi 3151.9Scgd 3161.9Scgd# Check home directories. Directories should not be owned by someone else 3171.9Scgd# or writeable. 3181.31Slukemif checkyesno check_homes; then 3191.15Smrg while read uid homedir; do 3201.15Smrg if [ -d ${homedir}/ ] ; then 3211.15Smrg file=`ls -ldgT ${homedir}` 3221.15Smrg printf "$uid $file\n" 3231.9Scgd fi 3241.29Slukem done < $MPBYPATH | 3251.15Smrg awk '$1 != $4 && $4 != "root" \ 3261.15Smrg { print "user " $1 " home directory is owned by " $4 } 3271.15Smrg $2 ~ /^-....w/ \ 3281.15Smrg { print "user " $1 " home directory is group writeable" } 3291.15Smrg $2 ~ /^-.......w/ \ 3301.27Slukem { print "user " $1 " home directory is other writeable" }' \ 3311.27Slukem > $OUTPUT 3321.15Smrg if [ -s $OUTPUT ] ; then 3331.15Smrg printf "\nChecking home directories.\n" 3341.15Smrg cat $OUTPUT 3351.15Smrg fi 3361.15Smrg 3371.15Smrg # Files that should not be owned by someone else or readable. 3381.27Slukem list=".Xauthority .netrc" 3391.15Smrg while read uid homedir; do 3401.15Smrg for f in $list ; do 3411.15Smrg file=${homedir}/${f} 3421.15Smrg if [ -f $file ] ; then 3431.15Smrg printf "$uid $f `ls -ldgT $file`\n" 3441.15Smrg fi 3451.15Smrg done 3461.29Slukem done < $MPBYPATH | 3471.15Smrg awk '$1 != $5 && $5 != "root" \ 3481.15Smrg { print "user " $1 " " $2 " file is owned by " $5 } 3491.15Smrg $3 ~ /^-...r/ \ 3501.15Smrg { print "user " $1 " " $2 " file is group readable" } 3511.15Smrg $3 ~ /^-......r/ \ 3521.15Smrg { print "user " $1 " " $2 " file is other readable" } 3531.15Smrg $3 ~ /^-....w/ \ 3541.15Smrg { print "user " $1 " " $2 " file is group writeable" } 3551.15Smrg $3 ~ /^-.......w/ \ 3561.27Slukem { print "user " $1 " " $2 " file is other writeable" }' \ 3571.27Slukem > $OUTPUT 3581.15Smrg 3591.15Smrg # Files that should not be owned by someone else or writeable. 3601.19Smycroft list=".bash_history .bash_login .bash_logout .bash_profile .bashrc \ 3611.19Smycroft .cshrc .emacs .exrc .forward .history .klogin .login .logout \ 3621.27Slukem .profile .qmail .rc_history .rhosts .tcshrc .twmrc .xinitrc \ 3631.27Slukem .xsession" 3641.15Smrg while read uid homedir; do 3651.15Smrg for f in $list ; do 3661.15Smrg file=${homedir}/${f} 3671.15Smrg if [ -f $file ] ; then 3681.15Smrg printf "$uid $f `ls -ldgT $file`\n" 3691.15Smrg fi 3701.15Smrg done 3711.29Slukem done < $MPBYPATH | 3721.15Smrg awk '$1 != $5 && $5 != "root" \ 3731.15Smrg { print "user " $1 " " $2 " file is owned by " $5 } 3741.15Smrg $3 ~ /^-....w/ \ 3751.15Smrg { print "user " $1 " " $2 " file is group writeable" } 3761.15Smrg $3 ~ /^-.......w/ \ 3771.27Slukem { print "user " $1 " " $2 " file is other writeable" }' \ 3781.27Slukem >> $OUTPUT 3791.15Smrg if [ -s $OUTPUT ] ; then 3801.15Smrg printf "\nChecking dot files.\n" 3811.15Smrg cat $OUTPUT 3821.15Smrg fi 3831.9Scgdfi 3841.9Scgd 3851.9Scgd# Mailboxes should be owned by user and unreadable. 3861.31Slukemif checkyesno check_varmail; then 3871.15Smrg ls -l /var/mail | sed 1d | \ 3881.15Smrg awk '$3 != $9 \ 3891.15Smrg { print "user " $9 " mailbox is owned by " $3 } 3901.15Smrg $1 != "-rw-------" \ 3911.15Smrg { print "user " $9 " mailbox is " $1 ", group " $4 }' > $OUTPUT 3921.15Smrg if [ -s $OUTPUT ] ; then 3931.15Smrg printf "\nChecking mailbox ownership.\n" 3941.15Smrg cat $OUTPUT 3951.15Smrg fi 3961.15Smrgfi 3971.15Smrg 3981.31Slukemif checkyesno check_nfs; then 3991.15Smrg if [ -f /etc/exports ]; then 4001.15Smrg # File systems should not be globally exported. 4011.15Smrg awk '{ 4021.22Slukem # ignore comments and blank lines 4031.22Slukem if ($LINE ~ /^\#/ || $LINE ~ /^$/ ) 4041.22Slukem next; 4051.22Slukem 4061.15Smrg readonly = 0; 4071.15Smrg for (i = 2; i <= NF; ++i) { 4081.15Smrg if ($i ~ /-ro/) 4091.15Smrg readonly = 1; 4101.15Smrg else if ($i !~ /^-/) 4111.15Smrg next; 4121.15Smrg } 4131.15Smrg if (readonly) 4141.15Smrg print "File system " $1 " globally exported, read-only." 4151.15Smrg else 4161.15Smrg print "File system " $1 " globally exported, read-write." 4171.15Smrg }' < /etc/exports > $OUTPUT 4181.15Smrg if [ -s $OUTPUT ] ; then 4191.15Smrg printf "\nChecking for globally exported file systems.\n" 4201.15Smrg cat $OUTPUT 4211.15Smrg fi 4221.15Smrg fi 4231.9Scgdfi 4241.9Scgd 4251.9Scgd# Display any changes in setuid files and devices. 4261.31Slukemif checkyesno check_devices; then 4271.28Slukem > $ERR 4281.15Smrg (find / \( ! -fstype local -o -fstype fdesc -o -fstype kernfs \ 4291.15Smrg -o -fstype procfs \) -a -prune -o \ 4301.21Smycroft \( \( -perm -u+s -a ! -type d \) -o \ 4311.21Smycroft \( -perm -g+s -a ! -type d \) -o \ 4321.24Slukem -type b -o -type c \) -print0 | \ 4331.24Slukem xargs -0 ls -ldgTq | sort +9 > $LIST) 2> $OUTPUT 4341.15Smrg 4351.15Smrg # Display any errors that occurred during system file walk. 4361.15Smrg if [ -s $OUTPUT ] ; then 4371.28Slukem printf "Setuid/device find errors:\n" >> $ERR 4381.28Slukem cat $OUTPUT >> $ERR 4391.28Slukem printf "\n" >> $ERR 4401.15Smrg fi 4411.15Smrg 4421.15Smrg # Display any changes in the setuid file list. 4431.15Smrg egrep -v '^[bc]' $LIST > $TMP1 4441.15Smrg if [ -s $TMP1 ] ; then 4451.15Smrg # Check to make sure uudecode isn't setuid. 4461.15Smrg if grep -w uudecode $TMP1 > /dev/null ; then 4471.28Slukem printf "\nUudecode is setuid.\n" >> $ERR 4481.15Smrg fi 4491.15Smrg 4501.15Smrg CUR=/var/backups/setuid.current 4511.15Smrg BACK=/var/backups/setuid.backup 4521.9Scgd 4531.15Smrg if [ -s $CUR ] ; then 4541.15Smrg if cmp -s $CUR $TMP1 ; then 4551.15Smrg : 4561.15Smrg else 4571.15Smrg > $TMP2 4581.15Smrg join -110 -210 -v2 $CUR $TMP1 > $OUTPUT 4591.15Smrg if [ -s $OUTPUT ] ; then 4601.28Slukem printf "Setuid additions:\n" >> $ERR 4611.28Slukem tee -a $TMP2 < $OUTPUT >> $ERR 4621.28Slukem printf "\n" >> $ERR 4631.15Smrg fi 4641.15Smrg 4651.15Smrg join -110 -210 -v1 $CUR $TMP1 > $OUTPUT 4661.15Smrg if [ -s $OUTPUT ] ; then 4671.28Slukem printf "Setuid deletions:\n" >> $ERR 4681.28Slukem tee -a $TMP2 < $OUTPUT >> $ERR 4691.28Slukem printf "\n" >> $ERR 4701.15Smrg fi 4711.15Smrg 4721.20Smycroft sort -k10 $TMP2 $CUR $TMP1 | \ 4731.27Slukem sed -e 's/[ ][ ]*/ /g' | \ 4741.27Slukem uniq -u > $OUTPUT 4751.15Smrg if [ -s $OUTPUT ] ; then 4761.28Slukem printf "Setuid changes:\n" >> $ERR 4771.28Slukem column -t $OUTPUT >> $ERR 4781.28Slukem printf "\n" >> $ERR 4791.15Smrg fi 4801.9Scgd 4811.15Smrg cp $CUR $BACK 4821.15Smrg cp $TMP1 $CUR 4831.9Scgd fi 4841.15Smrg else 4851.28Slukem printf "Setuid additions:\n" >> $ERR 4861.28Slukem column -t $TMP1 >> $ERR 4871.28Slukem printf "\n" >> $ERR 4881.9Scgd cp $TMP1 $CUR 4891.9Scgd fi 4901.15Smrg fi 4911.15Smrg 4921.27Slukem # Check for block and character disk devices that are readable or 4931.27Slukem # writeable or not owned by root.operator. 4941.15Smrg >$TMP1 4951.27Slukem DISKLIST="acd ccd cd ch fd hk hp mcd md ra rb rd rl rx rz \ 4961.27Slukem sd se ss tz uk up vnd wd xd xy" 4971.27Slukem# DISKLIST="$DISKLIST ct mt st wt" 4981.15Smrg for i in $DISKLIST; do 4991.15Smrg egrep "^b.*/${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1 5001.15Smrg egrep "^c.*/r${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1 5011.15Smrg done 5021.15Smrg 5031.15Smrg awk '$3 != "root" || $4 != "operator" || $1 !~ /.rw-r-----/ \ 5041.25Slukem { printf "Disk %s is user %s, group %s, permissions %s.\n", \ 5051.25Slukem $11, $3, $4, $1; }' < $TMP1 > $OUTPUT 5061.15Smrg if [ -s $OUTPUT ] ; then 5071.28Slukem printf "\nChecking disk ownership and permissions.\n" >> $ERR 5081.28Slukem cat $OUTPUT >> $ERR 5091.28Slukem printf "\n" >> $ERR 5101.9Scgd fi 5111.9Scgd 5121.15Smrg # Display any changes in the device file list. 5131.20Smycroft egrep '^[bc]' $LIST | sort -k11 > $TMP1 5141.15Smrg if [ -s $TMP1 ] ; then 5151.15Smrg CUR=/var/backups/device.current 5161.15Smrg BACK=/var/backups/device.backup 5171.15Smrg 5181.15Smrg if [ -s $CUR ] ; then 5191.15Smrg if cmp -s $CUR $TMP1 ; then 5201.15Smrg : 5211.15Smrg else 5221.15Smrg > $TMP2 5231.15Smrg join -111 -211 -v2 $CUR $TMP1 > $OUTPUT 5241.15Smrg if [ -s $OUTPUT ] ; then 5251.28Slukem printf "Device additions:\n" >> $ERR 5261.28Slukem tee -a $TMP2 < $OUTPUT >> $ERR 5271.28Slukem printf "\n" >> $ERR 5281.15Smrg fi 5291.15Smrg 5301.15Smrg join -111 -211 -v1 $CUR $TMP1 > $OUTPUT 5311.15Smrg if [ -s $OUTPUT ] ; then 5321.28Slukem printf "Device deletions:\n" >> $ERR 5331.28Slukem tee -a $TMP2 < $OUTPUT >> $ERR 5341.28Slukem printf "\n" >> $ERR 5351.15Smrg fi 5361.15Smrg 5371.27Slukem # Report any block device change. Ignore 5381.27Slukem # character devices, only the name is 5391.27Slukem # significant. 5401.15Smrg cat $TMP2 $CUR $TMP1 | \ 5411.27Slukem sed -e '/^c/d' | \ 5421.27Slukem sort -k11 | \ 5431.27Slukem sed -e 's/[ ][ ]*/ /g' | \ 5441.27Slukem uniq -u > $OUTPUT 5451.15Smrg if [ -s $OUTPUT ] ; then 5461.28Slukem printf "Block device changes:\n" >> $ERR 5471.28Slukem column -t $OUTPUT >> $ERR 5481.28Slukem printf "\n" >> $ERR 5491.15Smrg fi 5501.9Scgd 5511.15Smrg cp $CUR $BACK 5521.15Smrg cp $TMP1 $CUR 5531.9Scgd fi 5541.15Smrg else 5551.28Slukem printf "Device additions:\n" >> $ERR 5561.28Slukem column -t $TMP1 >> $ERR 5571.28Slukem printf "\n" >> $ERR 5581.28Slukem cp $TMP1 $CUR >> $ERR 5591.9Scgd fi 5601.28Slukem fi 5611.28Slukem if [ -s $ERR ] ; then 5621.28Slukem printf "\nChecking setuid files and devices:\n" 5631.28Slukem cat $ERR 5641.28Slukem printf "\n" 5651.9Scgd fi 5661.9Scgdfi 5671.9Scgd 5681.9Scgd# Check special files. 5691.9Scgd# Check system binaries. 5701.9Scgd# 5711.9Scgd# Create the mtree tree specifications using: 5721.9Scgd# 5731.9Scgd# mtree -cx -pDIR -kcksum,gid,mode,nlink,size,link,time,uid > DIR.secure 5741.16Smikel# chown root.wheel DIR.secure 5751.16Smikel# chmod 600 DIR.secure 5761.9Scgd# 5771.9Scgd# Note, this is not complete protection against Trojan horsed binaries, as 5781.9Scgd# the hacker can modify the tree specification to match the replaced binary. 5791.9Scgd# For details on really protecting yourself against modified binaries, see 5801.9Scgd# the mtree(8) manual page. 5811.31Slukemif checkyesno check_mtree; then 5821.9Scgd mtree -e -p / -f /etc/mtree/special > $OUTPUT 5831.15Smrg if [ -s $OUTPUT ]; then 5841.9Scgd printf "\nChecking special files and directories.\n" 5851.9Scgd cat $OUTPUT 5861.9Scgd fi 5871.9Scgd 5881.9Scgd > $OUTPUT 5891.16Smikel for file in /etc/mtree/*.secure; do 5901.16Smikel [ $file = '/etc/mtree/*.secure' ] && continue 5911.9Scgd tree=`sed -n -e '3s/.* //p' -e 3q $file` 5921.9Scgd mtree -f $file -p $tree > $TMP1 5931.9Scgd if [ -s $TMP1 ]; then 5941.9Scgd printf "\nChecking $tree:\n" >> $OUTPUT 5951.9Scgd cat $TMP1 >> $OUTPUT 5961.9Scgd fi 5971.9Scgd done 5981.15Smrg if [ -s $OUTPUT ]; then 5991.9Scgd printf "\nChecking system binaries:\n" 6001.9Scgd cat $OUTPUT 6011.9Scgd fi 6021.9Scgdfi 6031.9Scgd 6041.9Scgd# List of files that get backed up and checked for any modifications. Each 6051.9Scgd# file is expected to have two backups, /var/backups/file.{current,backup}. 6061.9Scgd# Any changes cause the files to rotate. 6071.31Slukemif checkyesno check_changelist && [ -s /etc/changelist ] ; then 6081.27Slukem for file in `egrep -v "^#|$MP" /etc/changelist`; do 6091.9Scgd CUR=/var/backups/`basename $file`.current 6101.9Scgd BACK=/var/backups/`basename $file`.backup 6111.30Smycroft if [ -f $file ]; then 6121.30Smycroft if [ -f $CUR ] ; then 6131.9Scgd diff $CUR $file > $OUTPUT 6141.9Scgd if [ -s $OUTPUT ] ; then 6151.9Scgd printf "\n======\n%s diffs (OLD < > NEW)\n======\n" $file 6161.9Scgd cat $OUTPUT 6171.30Smycroft mv -f $CUR $BACK 6181.9Scgd cp -p $file $CUR 6191.30Smycroft chown root.wheel $CUR 6201.9Scgd fi 6211.9Scgd else 6221.30Smycroft printf "\n======\n%s added\n======\n" $file 6231.30Smycroft diff /dev/null $file 6241.9Scgd cp -p $file $CUR 6251.9Scgd chown root.wheel $CUR 6261.30Smycroft fi 6271.30Smycroft else 6281.30Smycroft if [ -f $CUR ]; then 6291.30Smycroft printf "\n======\n%s removed\n======\n" $file 6301.30Smycroft diff $CUR /dev/null 6311.30Smycroft mv -f $CUR $BACK 6321.9Scgd fi 6331.9Scgd fi 6341.9Scgd done 6351.9Scgdfi 636