security revision 1.32
11.1Scgd#!/bin/sh - 21.1Scgd# 31.32Slukem# $NetBSD: security,v 1.32 1998/08/25 13:47:29 lukem Exp $ 41.9Scgd# from: @(#)security 8.1 (Berkeley) 6/9/93 51.1Scgd# 61.1Scgd 71.9ScgdPATH=/sbin:/usr/sbin:/bin:/usr/bin 81.1Scgd 91.31Slukemif [ -f /etc/rc.subr ]; then 101.31Slukem . /etc/rc.subr 111.31Slukemelse 121.31Slukem echo "Can't read /etc/rc.subr; aborting." 131.31Slukem exit 1; 141.31Slukemfi 151.31Slukem 161.9Scgdumask 077 171.1Scgd 181.15Smrgif [ -s /etc/security.conf ]; then 191.15Smrg . /etc/security.conf 201.15Smrgfi 211.15Smrg 221.15SmrgSECUREDIR=/tmp/_securedir.$$ 231.15Smrgif ! mkdir $SECUREDIR; then 241.15Smrg echo can not create $SECUREDIR. 251.15Smrg exit 1 261.15Smrgfi 271.15Smrg 281.15Smrgif ! cd $SECUREDIR; then 291.15Smrg echo can not chdir to $SECUREDIR. 301.15Smrg exit 1 311.15Smrgfi 321.15Smrg 331.15SmrgERR=secure1.$$ 341.15SmrgTMP1=secure2.$$ 351.15SmrgTMP2=secure3.$$ 361.28SlukemMPBYUID=secure4.$$ 371.29SlukemMPBYPATH=secure5.$$ 381.27SlukemLIST=secure6.$$ 391.27SlukemOUTPUT=secure7.$$ 401.32SlukemLABELS=secure8.$$ 411.15Smrg 421.27Slukemtrap '/bin/rm -rf $SECUREDIR ; exit 0' 0 2 3 431.15Smrg 441.15SmrgMP=/etc/master.passwd 451.9Scgd 461.27Slukem# these is used several times. 471.28Slukemawk -F: '{ print $1 " " $3 }' $MP | sort -k2n > $MPBYUID 481.29Slukemawk -F: '{ print $1 " " $9 }' $MP | sort -k2 > $MPBYPATH 491.9Scgd 501.9Scgd# Check the master password file syntax. 511.32Slukem# 521.31Slukemif checkyesno check_passwd; then 531.25Slukem awk ' 541.25Slukem BEGIN { 551.25Slukem while ( getline < "/etc/shells" > 0 ) { 561.25Slukem if ($LINE ~ /^\#/ || $LINE ~ /^$/ ) 571.25Slukem continue; 581.25Slukem shells[$1]++; 591.25Slukem } 601.25Slukem FS=":"; 611.25Slukem } 621.25Slukem 631.25Slukem { 641.15Smrg if ($0 ~ /^[ ]*$/) { 651.25Slukem printf "Line %d is a blank line.\n", NR; 661.15Smrg next; 671.15Smrg } 681.15Smrg if (NF != 10) 691.25Slukem printf "Line %d has the wrong number of fields.\n", NR; 701.15Smrg if ($1 !~ /^[A-Za-z0-9]*$/) 711.25Slukem printf "Login %s has non-alphanumeric characters.\n", 721.25Slukem $1; 731.15Smrg if (length($1) > 8) 741.25Slukem printf "Login %s has more than 8 characters.\n", $1; 751.15Smrg if ($2 == "") 761.25Slukem printf "Login %s has no password.\n", $1; 771.25Slukem if (length($2) != 13 && $2 != "") { 781.25Slukem if ($10 == "" || shells[$10]) 791.27Slukem printf "Login %s is off but still has a valid shell (%s)\n", 801.25Slukem $1, $10; 811.25Slukem } else if (! shells[$10]) 821.25Slukem printf "Login %s does not have a valid shell (%s)\n", 831.25Slukem $1, $10; 841.15Smrg if ($3 == 0 && $1 != "root" && $1 != "toor") 851.25Slukem printf "Login %s has a user id of 0.\n", $1; 861.15Smrg if ($3 < 0) 871.25Slukem printf "Login %s has a negative user id.\n", $1; 881.15Smrg if ($4 < 0) 891.25Slukem printf "Login %s has a negative group id.\n", $1; 901.15Smrg }' < $MP > $OUTPUT 911.15Smrg if [ -s $OUTPUT ] ; then 921.15Smrg printf "\nChecking the $MP file:\n" 931.15Smrg cat $OUTPUT 941.15Smrg fi 951.15Smrg 961.15Smrg awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT 971.15Smrg if [ -s $OUTPUT ] ; then 981.15Smrg printf "\n$MP has duplicate user names.\n" 991.15Smrg column $OUTPUT 1001.15Smrg fi 1011.15Smrg 1021.28Slukem < $MPBYUID uniq -d -f 1 | awk '{ print $2 }' > $TMP2 1031.15Smrg if [ -s $TMP2 ] ; then 1041.15Smrg printf "\n$MP has duplicate user id's.\n" 1051.15Smrg while read uid; do 1061.28Slukem grep -w $uid $MPBYUID 1071.15Smrg done < $TMP2 | column 1081.15Smrg fi 1091.9Scgdfi 1101.9Scgd 1111.9Scgd# Backup the master password file; a special case, the normal backup 1121.9Scgd# mechanisms also print out file differences and we don't want to do 1131.9Scgd# that because this file has encrypted passwords in it. 1141.32Slukem# 1151.9ScgdCUR=/var/backups/`basename $MP`.current 1161.9ScgdBACK=/var/backups/`basename $MP`.backup 1171.9Scgdif [ -s $CUR ] ; then 1181.9Scgd if cmp -s $CUR $MP; then 1191.9Scgd : 1201.9Scgd else 1211.9Scgd cp -p $CUR $BACK 1221.9Scgd cp -p $MP $CUR 1231.9Scgd chown root.wheel $CUR 1241.9Scgd fi 1251.9Scgdelse 1261.9Scgd cp -p $MP $CUR 1271.9Scgd chown root.wheel $CUR 1281.9Scgdfi 1291.9Scgd 1301.9Scgd# Check the group file syntax. 1311.32Slukem# 1321.31Slukemif checkyesno check_group; then 1331.15Smrg GRP=/etc/group 1341.15Smrg awk -F: '{ 1351.15Smrg if ($0 ~ /^[ ]*$/) { 1361.25Slukem printf "Line %d is a blank line.\n", NR; 1371.15Smrg next; 1381.15Smrg } 1391.15Smrg if (NF != 4) 1401.25Slukem printf "Line %d has the wrong number of fields.\n", NR; 1411.15Smrg if ($1 !~ /^[A-za-z0-9]*$/) 1421.25Slukem printf "Group %s has non-alphanumeric characters.\n", 1431.25Slukem $1; 1441.15Smrg if (length($1) > 8) 1451.25Slukem printf "Group %s has more than 8 characters.\n", $1; 1461.15Smrg if ($3 !~ /[0-9]*/) 1471.25Slukem printf "Login %s has a negative group id.\n", $1; 1481.15Smrg }' < $GRP > $OUTPUT 1491.15Smrg if [ -s $OUTPUT ] ; then 1501.15Smrg printf "\nChecking the $GRP file:\n" 1511.15Smrg cat $OUTPUT 1521.15Smrg fi 1531.15Smrg 1541.15Smrg awk -F: '{ print $1 }' $GRP | sort | uniq -d > $OUTPUT 1551.15Smrg if [ -s $OUTPUT ] ; then 1561.15Smrg printf "\n$GRP has duplicate group names.\n" 1571.15Smrg column $OUTPUT 1581.15Smrg fi 1591.9Scgdfi 1601.9Scgd 1611.9Scgd# Check for root paths, umask values in startup files. 1621.9Scgd# The check for the root paths is problematical -- it's likely to fail 1631.9Scgd# in other environments. Once the shells have been modified to warn 1641.9Scgd# of '.' in the path, the path tests should go away. 1651.32Slukem# 1661.31Slukemif checkyesno check_rootdotfiles; then 1671.28Slukem > $OUTPUT 1681.15Smrg rhome=`csh -fc "echo ~root"` 1691.15Smrg umaskset=no 1701.15Smrg list="/etc/csh.cshrc /etc/csh.login ${rhome}/.cshrc ${rhome}/.login" 1711.15Smrg for i in $list ; do 1721.15Smrg if [ -f $i ] ; then 1731.15Smrg if egrep umask $i > /dev/null ; then 1741.15Smrg umaskset=yes 1751.15Smrg fi 1761.15Smrg egrep umask $i | 1771.15Smrg awk '$2 % 100 < 20 \ 1781.27Slukem { print "\tRoot umask is group writeable" } 1791.15Smrg $2 % 10 < 2 \ 1801.27Slukem { print "\tRoot umask is other writeable" }' \ 1811.27Slukem >> $OUTPUT 1821.26Slukem SAVE_PATH=$PATH 1831.26Slukem unset PATH 1841.15Smrg /bin/csh -f -s << end-of-csh > /dev/null 2>&1 1851.15Smrg source $i 1861.15Smrg /bin/ls -ldgT \$path > $TMP1 1871.9Scgdend-of-csh 1881.26Slukem PATH=$SAVE_PATH 1891.15Smrg awk '{ 1901.15Smrg if ($10 ~ /^\.$/) { 1911.27Slukem print "\tThe root path includes ."; 1921.15Smrg next; 1931.15Smrg } 1941.15Smrg } 1951.15Smrg $1 ~ /^d....w/ \ 1961.27Slukem { print "\tRoot path directory " $10 " is group writeable." } \ 1971.15Smrg $1 ~ /^d.......w/ \ 1981.27Slukem { print "\tRoot path directory " $10 " is other writeable." }' \ 1991.15Smrg < $TMP1 >> $OUTPUT 2001.15Smrg fi 2011.15Smrg done 2021.15Smrg if [ $umaskset = "no" -o -s $OUTPUT ] ; then 2031.27Slukem printf "\nChecking root csh paths, umask values:\n$list\n\n" 2041.15Smrg if [ -s $OUTPUT ]; then 2051.15Smrg cat $OUTPUT 2061.15Smrg fi 2071.15Smrg if [ $umaskset = "no" ] ; then 2081.27Slukem printf "\tRoot csh startup files do not set the umask.\n" 2091.15Smrg fi 2101.9Scgd fi 2111.9Scgd 2121.28Slukem > $OUTPUT 2131.15Smrg rhome=/root 2141.15Smrg umaskset=no 2151.23Slukem list="/etc/profile ${rhome}/.profile" 2161.15Smrg for i in $list; do 2171.15Smrg if [ -f $i ] ; then 2181.15Smrg if egrep umask $i > /dev/null ; then 2191.15Smrg umaskset=yes 2201.15Smrg fi 2211.15Smrg egrep umask $i | 2221.15Smrg awk '$2 % 100 < 20 \ 2231.27Slukem { print "\tRoot umask is group writeable" } \ 2241.15Smrg $2 % 10 < 2 \ 2251.27Slukem { print "\tRoot umask is other writeable" }' \ 2261.27Slukem >> $OUTPUT 2271.26Slukem SAVE_PATH=$PATH 2281.26Slukem unset PATH 2291.15Smrg /bin/sh << end-of-sh > /dev/null 2>&1 2301.15Smrg . $i 2311.26Slukem list=\`echo \$PATH | /usr/bin/sed -e \ 2321.26Slukem 's/^:/.:/;s/:$/:./;s/::/:.:/g;s/:/ /g'\` 2331.15Smrg /bin/ls -ldgT \$list > $TMP1 2341.9Scgdend-of-sh 2351.26Slukem PATH=$SAVE_PATH 2361.15Smrg awk '{ 2371.15Smrg if ($10 ~ /^\.$/) { 2381.27Slukem print "\tThe root path includes ."; 2391.15Smrg next; 2401.15Smrg } 2411.15Smrg } 2421.15Smrg $1 ~ /^d....w/ \ 2431.27Slukem { print "\tRoot path directory " $10 " is group writeable." } \ 2441.15Smrg $1 ~ /^d.......w/ \ 2451.27Slukem { print "\tRoot path directory " $10 " is other writeable." }' \ 2461.15Smrg < $TMP1 >> $OUTPUT 2471.9Scgd 2481.15Smrg fi 2491.15Smrg done 2501.15Smrg if [ $umaskset = "no" -o -s $OUTPUT ] ; then 2511.15Smrg printf "\nChecking root sh paths, umask values:\n$list\n" 2521.15Smrg if [ -s $OUTPUT ]; then 2531.15Smrg cat $OUTPUT 2541.15Smrg fi 2551.15Smrg if [ $umaskset = "no" ] ; then 2561.27Slukem printf "\tRoot sh startup files do not set the umask.\n" 2571.15Smrg fi 2581.9Scgd fi 2591.9Scgdfi 2601.9Scgd 2611.9Scgd# Root and uucp should both be in /etc/ftpusers. 2621.32Slukem# 2631.31Slukemif checkyesno check_ftpusers; then 2641.28Slukem > $OUTPUT 2651.28Slukem list="uucp "`awk '$2 == 0 { print $1 }' $MPBYUID` 2661.27Slukem for i in $list; do 2671.29Slukem if /usr/libexec/ftpd -C $i ; then 2681.29Slukem printf "\t$i is not denied\n" >> $OUTPUT 2691.27Slukem fi 2701.27Slukem done 2711.28Slukem if [ -s $OUTPUT ]; then 2721.28Slukem printf "\nChecking the /etc/ftpusers configuration:\n" 2731.28Slukem cat $OUTPUT 2741.28Slukem fi 2751.9Scgdfi 2761.9Scgd 2771.9Scgd# Uudecode should not be in the /etc/aliases file. 2781.32Slukem# 2791.31Slukemif checkyesno check_aliases; then 2801.18Smikel if egrep '^[^#]*(uudecode|decode).*\|' /etc/aliases; then 2811.18Smikel printf "\nEntry for uudecode in /etc/aliases file.\n" 2821.15Smrg fi 2831.9Scgdfi 2841.9Scgd 2851.9Scgd# Files that should not have + signs. 2861.32Slukem# 2871.31Slukemif checkyesno check_rhosts; then 2881.15Smrg list="/etc/hosts.equiv /etc/hosts.lpd" 2891.15Smrg for f in $list ; do 2901.15Smrg if [ -f $f ] && egrep '\+' $f > /dev/null ; then 2911.15Smrg printf "\nPlus sign in $f file.\n" 2921.15Smrg fi 2931.15Smrg done 2941.15Smrg 2951.15Smrg # Check for special users with .rhosts files. Only root and toor should 2961.16Smikel # have .rhosts files. Also, .rhosts files should not have plus signs. 2971.15Smrg awk -F: '$1 != "root" && $1 != "toor" && \ 2981.15Smrg ($3 < 100 || $1 == "ftp" || $1 == "uucp") \ 2991.20Smycroft { print $1 " " $9 }' $MP | 3001.19Smycroft sort -k2 | 3011.15Smrg while read uid homedir; do 3021.15Smrg if [ -f ${homedir}/.rhosts ] ; then 3031.15Smrg rhost=`ls -ldgT ${homedir}/.rhosts` 3041.15Smrg printf "$uid: $rhost\n" 3051.15Smrg fi 3061.15Smrg done > $OUTPUT 3071.15Smrg if [ -s $OUTPUT ] ; then 3081.15Smrg printf "\nChecking for special users with .rhosts files.\n" 3091.15Smrg cat $OUTPUT 3101.15Smrg fi 3111.15Smrg 3121.15Smrg while read uid homedir; do 3131.15Smrg if [ -f ${homedir}/.rhosts ] && \ 3141.15Smrg egrep '\+' ${homedir}/.rhosts > /dev/null ; then 3151.15Smrg printf "$uid: + in .rhosts file.\n" 3161.15Smrg fi 3171.29Slukem done < $MPBYPATH > $OUTPUT 3181.15Smrg if [ -s $OUTPUT ] ; then 3191.15Smrg printf "\nChecking .rhosts files syntax.\n" 3201.15Smrg cat $OUTPUT 3211.15Smrg fi 3221.9Scgdfi 3231.9Scgd 3241.9Scgd# Check home directories. Directories should not be owned by someone else 3251.9Scgd# or writeable. 3261.32Slukem# 3271.31Slukemif checkyesno check_homes; then 3281.15Smrg while read uid homedir; do 3291.15Smrg if [ -d ${homedir}/ ] ; then 3301.15Smrg file=`ls -ldgT ${homedir}` 3311.15Smrg printf "$uid $file\n" 3321.9Scgd fi 3331.29Slukem done < $MPBYPATH | 3341.15Smrg awk '$1 != $4 && $4 != "root" \ 3351.15Smrg { print "user " $1 " home directory is owned by " $4 } 3361.15Smrg $2 ~ /^-....w/ \ 3371.15Smrg { print "user " $1 " home directory is group writeable" } 3381.15Smrg $2 ~ /^-.......w/ \ 3391.27Slukem { print "user " $1 " home directory is other writeable" }' \ 3401.27Slukem > $OUTPUT 3411.15Smrg if [ -s $OUTPUT ] ; then 3421.15Smrg printf "\nChecking home directories.\n" 3431.15Smrg cat $OUTPUT 3441.15Smrg fi 3451.15Smrg 3461.15Smrg # Files that should not be owned by someone else or readable. 3471.27Slukem list=".Xauthority .netrc" 3481.15Smrg while read uid homedir; do 3491.15Smrg for f in $list ; do 3501.15Smrg file=${homedir}/${f} 3511.15Smrg if [ -f $file ] ; then 3521.15Smrg printf "$uid $f `ls -ldgT $file`\n" 3531.15Smrg fi 3541.15Smrg done 3551.29Slukem done < $MPBYPATH | 3561.15Smrg awk '$1 != $5 && $5 != "root" \ 3571.15Smrg { print "user " $1 " " $2 " file is owned by " $5 } 3581.15Smrg $3 ~ /^-...r/ \ 3591.15Smrg { print "user " $1 " " $2 " file is group readable" } 3601.15Smrg $3 ~ /^-......r/ \ 3611.15Smrg { print "user " $1 " " $2 " file is other readable" } 3621.15Smrg $3 ~ /^-....w/ \ 3631.15Smrg { print "user " $1 " " $2 " file is group writeable" } 3641.15Smrg $3 ~ /^-.......w/ \ 3651.27Slukem { print "user " $1 " " $2 " file is other writeable" }' \ 3661.27Slukem > $OUTPUT 3671.15Smrg 3681.15Smrg # Files that should not be owned by someone else or writeable. 3691.19Smycroft list=".bash_history .bash_login .bash_logout .bash_profile .bashrc \ 3701.19Smycroft .cshrc .emacs .exrc .forward .history .klogin .login .logout \ 3711.27Slukem .profile .qmail .rc_history .rhosts .tcshrc .twmrc .xinitrc \ 3721.27Slukem .xsession" 3731.15Smrg while read uid homedir; do 3741.15Smrg for f in $list ; do 3751.15Smrg file=${homedir}/${f} 3761.15Smrg if [ -f $file ] ; then 3771.15Smrg printf "$uid $f `ls -ldgT $file`\n" 3781.15Smrg fi 3791.15Smrg done 3801.29Slukem done < $MPBYPATH | 3811.15Smrg awk '$1 != $5 && $5 != "root" \ 3821.15Smrg { print "user " $1 " " $2 " file is owned by " $5 } 3831.15Smrg $3 ~ /^-....w/ \ 3841.15Smrg { print "user " $1 " " $2 " file is group writeable" } 3851.15Smrg $3 ~ /^-.......w/ \ 3861.27Slukem { print "user " $1 " " $2 " file is other writeable" }' \ 3871.27Slukem >> $OUTPUT 3881.15Smrg if [ -s $OUTPUT ] ; then 3891.15Smrg printf "\nChecking dot files.\n" 3901.15Smrg cat $OUTPUT 3911.15Smrg fi 3921.9Scgdfi 3931.9Scgd 3941.9Scgd# Mailboxes should be owned by user and unreadable. 3951.32Slukem# 3961.31Slukemif checkyesno check_varmail; then 3971.15Smrg ls -l /var/mail | sed 1d | \ 3981.15Smrg awk '$3 != $9 \ 3991.15Smrg { print "user " $9 " mailbox is owned by " $3 } 4001.15Smrg $1 != "-rw-------" \ 4011.15Smrg { print "user " $9 " mailbox is " $1 ", group " $4 }' > $OUTPUT 4021.15Smrg if [ -s $OUTPUT ] ; then 4031.15Smrg printf "\nChecking mailbox ownership.\n" 4041.15Smrg cat $OUTPUT 4051.15Smrg fi 4061.15Smrgfi 4071.15Smrg 4081.32Slukem# NFS exports shouldn't be globally exported 4091.32Slukem# 4101.32Slukemif checkyesno check_nfs && [ -f /etc/exports ]; then 4111.32Slukem awk '{ 4121.22Slukem # ignore comments and blank lines 4131.22Slukem if ($LINE ~ /^\#/ || $LINE ~ /^$/ ) 4141.22Slukem next; 4151.22Slukem 4161.15Smrg readonly = 0; 4171.15Smrg for (i = 2; i <= NF; ++i) { 4181.15Smrg if ($i ~ /-ro/) 4191.15Smrg readonly = 1; 4201.15Smrg else if ($i !~ /^-/) 4211.15Smrg next; 4221.15Smrg } 4231.15Smrg if (readonly) 4241.15Smrg print "File system " $1 " globally exported, read-only." 4251.15Smrg else 4261.15Smrg print "File system " $1 " globally exported, read-write." 4271.32Slukem }' < /etc/exports > $OUTPUT 4281.32Slukem if [ -s $OUTPUT ] ; then 4291.15Smrg printf "\nChecking for globally exported file systems.\n" 4301.15Smrg cat $OUTPUT 4311.15Smrg fi 4321.9Scgdfi 4331.9Scgd 4341.9Scgd# Display any changes in setuid files and devices. 4351.32Slukem# 4361.31Slukemif checkyesno check_devices; then 4371.28Slukem > $ERR 4381.15Smrg (find / \( ! -fstype local -o -fstype fdesc -o -fstype kernfs \ 4391.15Smrg -o -fstype procfs \) -a -prune -o \ 4401.21Smycroft \( \( -perm -u+s -a ! -type d \) -o \ 4411.21Smycroft \( -perm -g+s -a ! -type d \) -o \ 4421.24Slukem -type b -o -type c \) -print0 | \ 4431.24Slukem xargs -0 ls -ldgTq | sort +9 > $LIST) 2> $OUTPUT 4441.15Smrg 4451.15Smrg # Display any errors that occurred during system file walk. 4461.15Smrg if [ -s $OUTPUT ] ; then 4471.28Slukem printf "Setuid/device find errors:\n" >> $ERR 4481.28Slukem cat $OUTPUT >> $ERR 4491.28Slukem printf "\n" >> $ERR 4501.15Smrg fi 4511.15Smrg 4521.15Smrg # Display any changes in the setuid file list. 4531.15Smrg egrep -v '^[bc]' $LIST > $TMP1 4541.15Smrg if [ -s $TMP1 ] ; then 4551.15Smrg # Check to make sure uudecode isn't setuid. 4561.15Smrg if grep -w uudecode $TMP1 > /dev/null ; then 4571.28Slukem printf "\nUudecode is setuid.\n" >> $ERR 4581.15Smrg fi 4591.15Smrg 4601.15Smrg CUR=/var/backups/setuid.current 4611.15Smrg BACK=/var/backups/setuid.backup 4621.9Scgd 4631.15Smrg if [ -s $CUR ] ; then 4641.15Smrg if cmp -s $CUR $TMP1 ; then 4651.15Smrg : 4661.15Smrg else 4671.15Smrg > $TMP2 4681.15Smrg join -110 -210 -v2 $CUR $TMP1 > $OUTPUT 4691.15Smrg if [ -s $OUTPUT ] ; then 4701.28Slukem printf "Setuid additions:\n" >> $ERR 4711.28Slukem tee -a $TMP2 < $OUTPUT >> $ERR 4721.28Slukem printf "\n" >> $ERR 4731.15Smrg fi 4741.15Smrg 4751.15Smrg join -110 -210 -v1 $CUR $TMP1 > $OUTPUT 4761.15Smrg if [ -s $OUTPUT ] ; then 4771.28Slukem printf "Setuid deletions:\n" >> $ERR 4781.28Slukem tee -a $TMP2 < $OUTPUT >> $ERR 4791.28Slukem printf "\n" >> $ERR 4801.15Smrg fi 4811.15Smrg 4821.20Smycroft sort -k10 $TMP2 $CUR $TMP1 | \ 4831.27Slukem sed -e 's/[ ][ ]*/ /g' | \ 4841.27Slukem uniq -u > $OUTPUT 4851.15Smrg if [ -s $OUTPUT ] ; then 4861.28Slukem printf "Setuid changes:\n" >> $ERR 4871.28Slukem column -t $OUTPUT >> $ERR 4881.28Slukem printf "\n" >> $ERR 4891.15Smrg fi 4901.9Scgd 4911.15Smrg cp $CUR $BACK 4921.15Smrg cp $TMP1 $CUR 4931.9Scgd fi 4941.15Smrg else 4951.28Slukem printf "Setuid additions:\n" >> $ERR 4961.28Slukem column -t $TMP1 >> $ERR 4971.28Slukem printf "\n" >> $ERR 4981.9Scgd cp $TMP1 $CUR 4991.9Scgd fi 5001.15Smrg fi 5011.15Smrg 5021.27Slukem # Check for block and character disk devices that are readable or 5031.27Slukem # writeable or not owned by root.operator. 5041.15Smrg >$TMP1 5051.27Slukem DISKLIST="acd ccd cd ch fd hk hp mcd md ra rb rd rl rx rz \ 5061.27Slukem sd se ss tz uk up vnd wd xd xy" 5071.27Slukem# DISKLIST="$DISKLIST ct mt st wt" 5081.15Smrg for i in $DISKLIST; do 5091.15Smrg egrep "^b.*/${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1 5101.15Smrg egrep "^c.*/r${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1 5111.15Smrg done 5121.15Smrg 5131.15Smrg awk '$3 != "root" || $4 != "operator" || $1 !~ /.rw-r-----/ \ 5141.25Slukem { printf "Disk %s is user %s, group %s, permissions %s.\n", \ 5151.25Slukem $11, $3, $4, $1; }' < $TMP1 > $OUTPUT 5161.15Smrg if [ -s $OUTPUT ] ; then 5171.28Slukem printf "\nChecking disk ownership and permissions.\n" >> $ERR 5181.28Slukem cat $OUTPUT >> $ERR 5191.28Slukem printf "\n" >> $ERR 5201.9Scgd fi 5211.9Scgd 5221.15Smrg # Display any changes in the device file list. 5231.20Smycroft egrep '^[bc]' $LIST | sort -k11 > $TMP1 5241.15Smrg if [ -s $TMP1 ] ; then 5251.15Smrg CUR=/var/backups/device.current 5261.15Smrg BACK=/var/backups/device.backup 5271.15Smrg 5281.15Smrg if [ -s $CUR ] ; then 5291.15Smrg if cmp -s $CUR $TMP1 ; then 5301.15Smrg : 5311.15Smrg else 5321.15Smrg > $TMP2 5331.15Smrg join -111 -211 -v2 $CUR $TMP1 > $OUTPUT 5341.15Smrg if [ -s $OUTPUT ] ; then 5351.28Slukem printf "Device additions:\n" >> $ERR 5361.28Slukem tee -a $TMP2 < $OUTPUT >> $ERR 5371.28Slukem printf "\n" >> $ERR 5381.15Smrg fi 5391.15Smrg 5401.15Smrg join -111 -211 -v1 $CUR $TMP1 > $OUTPUT 5411.15Smrg if [ -s $OUTPUT ] ; then 5421.28Slukem printf "Device deletions:\n" >> $ERR 5431.28Slukem tee -a $TMP2 < $OUTPUT >> $ERR 5441.28Slukem printf "\n" >> $ERR 5451.15Smrg fi 5461.15Smrg 5471.27Slukem # Report any block device change. Ignore 5481.27Slukem # character devices, only the name is 5491.27Slukem # significant. 5501.15Smrg cat $TMP2 $CUR $TMP1 | \ 5511.27Slukem sed -e '/^c/d' | \ 5521.27Slukem sort -k11 | \ 5531.27Slukem sed -e 's/[ ][ ]*/ /g' | \ 5541.27Slukem uniq -u > $OUTPUT 5551.15Smrg if [ -s $OUTPUT ] ; then 5561.28Slukem printf "Block device changes:\n" >> $ERR 5571.28Slukem column -t $OUTPUT >> $ERR 5581.28Slukem printf "\n" >> $ERR 5591.15Smrg fi 5601.9Scgd 5611.15Smrg cp $CUR $BACK 5621.15Smrg cp $TMP1 $CUR 5631.9Scgd fi 5641.15Smrg else 5651.28Slukem printf "Device additions:\n" >> $ERR 5661.28Slukem column -t $TMP1 >> $ERR 5671.28Slukem printf "\n" >> $ERR 5681.28Slukem cp $TMP1 $CUR >> $ERR 5691.9Scgd fi 5701.28Slukem fi 5711.28Slukem if [ -s $ERR ] ; then 5721.28Slukem printf "\nChecking setuid files and devices:\n" 5731.28Slukem cat $ERR 5741.28Slukem printf "\n" 5751.9Scgd fi 5761.9Scgdfi 5771.9Scgd 5781.9Scgd# Check special files. 5791.9Scgd# Check system binaries. 5801.9Scgd# 5811.9Scgd# Create the mtree tree specifications using: 5821.9Scgd# 5831.9Scgd# mtree -cx -pDIR -kcksum,gid,mode,nlink,size,link,time,uid > DIR.secure 5841.16Smikel# chown root.wheel DIR.secure 5851.16Smikel# chmod 600 DIR.secure 5861.9Scgd# 5871.9Scgd# Note, this is not complete protection against Trojan horsed binaries, as 5881.9Scgd# the hacker can modify the tree specification to match the replaced binary. 5891.9Scgd# For details on really protecting yourself against modified binaries, see 5901.9Scgd# the mtree(8) manual page. 5911.32Slukem# 5921.31Slukemif checkyesno check_mtree; then 5931.9Scgd mtree -e -p / -f /etc/mtree/special > $OUTPUT 5941.15Smrg if [ -s $OUTPUT ]; then 5951.9Scgd printf "\nChecking special files and directories.\n" 5961.9Scgd cat $OUTPUT 5971.9Scgd fi 5981.9Scgd 5991.9Scgd > $OUTPUT 6001.16Smikel for file in /etc/mtree/*.secure; do 6011.16Smikel [ $file = '/etc/mtree/*.secure' ] && continue 6021.9Scgd tree=`sed -n -e '3s/.* //p' -e 3q $file` 6031.9Scgd mtree -f $file -p $tree > $TMP1 6041.9Scgd if [ -s $TMP1 ]; then 6051.9Scgd printf "\nChecking $tree:\n" >> $OUTPUT 6061.9Scgd cat $TMP1 >> $OUTPUT 6071.9Scgd fi 6081.9Scgd done 6091.15Smrg if [ -s $OUTPUT ]; then 6101.9Scgd printf "\nChecking system binaries:\n" 6111.9Scgd cat $OUTPUT 6121.9Scgd fi 6131.9Scgdfi 6141.9Scgd 6151.32SlukemCHANGELIST="" 6161.32Slukem 6171.32Slukem# Backup disklabels of available disks 6181.32Slukem# 6191.32Slukemif checkyesno check_disklabels; then 6201.32Slukem # generate list of old disklabels and remove them 6211.32Slukem ls -1d /var/backups/disklabel.* 2>/dev/null | 6221.32Slukem egrep -v '\.(backup|current)$' > $LABELS 6231.32Slukem xargs rm < $LABELS 6241.32Slukem 6251.32Slukem disks=`iostat -x | sed 1d | awk '$1 !~ /^[mf]d/ { print $1; }'` 6261.32Slukem for i in $disks; do 6271.32Slukem dlf="/var/backups/disklabel.$i" 6281.32Slukem disklabel $i > $dlf 2>/dev/null 6291.32Slukem done 6301.32Slukem 6311.32Slukem # append list of new disklabels, sort list 6321.32Slukem ls -1d /var/backups/disklabel.* 2>/dev/null | 6331.32Slukem egrep -v '\.(backup|current)$' >> $LABELS 6341.32Slukem sort -u -o $LABELS $LABELS 6351.32Slukem CHANGELIST=$LABELS 6361.32Slukemfi 6371.32Slukem 6381.9Scgd# List of files that get backed up and checked for any modifications. Each 6391.9Scgd# file is expected to have two backups, /var/backups/file.{current,backup}. 6401.9Scgd# Any changes cause the files to rotate. 6411.32Slukem# 6421.31Slukemif checkyesno check_changelist && [ -s /etc/changelist ] ; then 6431.32Slukem CHANGELIST="/etc/changelist $CHANGELIST" 6441.32Slukemfi 6451.32Slukem 6461.32Slukemif [ -n "$CHANGELIST" ]; then 6471.32Slukem for file in `egrep -hv "^#|$MP" $CHANGELIST`; do 6481.9Scgd CUR=/var/backups/`basename $file`.current 6491.9Scgd BACK=/var/backups/`basename $file`.backup 6501.30Smycroft if [ -f $file ]; then 6511.30Smycroft if [ -f $CUR ] ; then 6521.9Scgd diff $CUR $file > $OUTPUT 6531.9Scgd if [ -s $OUTPUT ] ; then 6541.9Scgd printf "\n======\n%s diffs (OLD < > NEW)\n======\n" $file 6551.9Scgd cat $OUTPUT 6561.30Smycroft mv -f $CUR $BACK 6571.9Scgd cp -p $file $CUR 6581.30Smycroft chown root.wheel $CUR 6591.9Scgd fi 6601.9Scgd else 6611.30Smycroft printf "\n======\n%s added\n======\n" $file 6621.30Smycroft diff /dev/null $file 6631.9Scgd cp -p $file $CUR 6641.9Scgd chown root.wheel $CUR 6651.30Smycroft fi 6661.30Smycroft else 6671.30Smycroft if [ -f $CUR ]; then 6681.30Smycroft printf "\n======\n%s removed\n======\n" $file 6691.30Smycroft diff $CUR /dev/null 6701.30Smycroft mv -f $CUR $BACK 6711.9Scgd fi 6721.9Scgd fi 6731.9Scgd done 6741.9Scgdfi 675