security revision 1.35
11.1Scgd#!/bin/sh - 21.1Scgd# 31.35Sfair# $NetBSD: security,v 1.35 1999/03/16 06:18:17 fair Exp $ 41.9Scgd# from: @(#)security 8.1 (Berkeley) 6/9/93 51.1Scgd# 61.1Scgd 71.9ScgdPATH=/sbin:/usr/sbin:/bin:/usr/bin 81.1Scgd 91.31Slukemif [ -f /etc/rc.subr ]; then 101.31Slukem . /etc/rc.subr 111.31Slukemelse 121.31Slukem echo "Can't read /etc/rc.subr; aborting." 131.31Slukem exit 1; 141.31Slukemfi 151.31Slukem 161.9Scgdumask 077 171.1Scgd 181.15Smrgif [ -s /etc/security.conf ]; then 191.15Smrg . /etc/security.conf 201.15Smrgfi 211.15Smrg 221.15SmrgSECUREDIR=/tmp/_securedir.$$ 231.15Smrgif ! mkdir $SECUREDIR; then 241.15Smrg echo can not create $SECUREDIR. 251.15Smrg exit 1 261.15Smrgfi 271.15Smrg 281.15Smrgif ! cd $SECUREDIR; then 291.15Smrg echo can not chdir to $SECUREDIR. 301.15Smrg exit 1 311.15Smrgfi 321.15Smrg 331.34Sabsif [ -z "$max_loginlen" ];then 341.34Sabs max_loginlen=8 351.34Sabsfi 361.34Sabs 371.15SmrgERR=secure1.$$ 381.15SmrgTMP1=secure2.$$ 391.15SmrgTMP2=secure3.$$ 401.28SlukemMPBYUID=secure4.$$ 411.29SlukemMPBYPATH=secure5.$$ 421.27SlukemLIST=secure6.$$ 431.27SlukemOUTPUT=secure7.$$ 441.32SlukemLABELS=secure8.$$ 451.15Smrg 461.27Slukemtrap '/bin/rm -rf $SECUREDIR ; exit 0' 0 2 3 471.15Smrg 481.15SmrgMP=/etc/master.passwd 491.9Scgd 501.27Slukem# these is used several times. 511.34Sabsawk -F: '!/^+/ { print $1 " " $3 }' $MP | sort -k2n > $MPBYUID 521.29Slukemawk -F: '{ print $1 " " $9 }' $MP | sort -k2 > $MPBYPATH 531.9Scgd 541.9Scgd# Check the master password file syntax. 551.32Slukem# 561.31Slukemif checkyesno check_passwd; then 571.34Sabs awk -v "len=$max_loginlen" ' 581.25Slukem BEGIN { 591.25Slukem while ( getline < "/etc/shells" > 0 ) { 601.25Slukem if ($LINE ~ /^\#/ || $LINE ~ /^$/ ) 611.25Slukem continue; 621.25Slukem shells[$1]++; 631.25Slukem } 641.25Slukem FS=":"; 651.25Slukem } 661.25Slukem 671.25Slukem { 681.15Smrg if ($0 ~ /^[ ]*$/) { 691.25Slukem printf "Line %d is a blank line.\n", NR; 701.15Smrg next; 711.15Smrg } 721.34Sabs if (NF != 10 && ($1 != "+" || NF != 1)) 731.25Slukem printf "Line %d has the wrong number of fields.\n", NR; 741.34Sabs if ($1 == "+" ) { 751.34Sabs if (NF != 1 && $3 == 0) 761.34Sabs printf "Line %d includes entries with uid 0.\n", NR; 771.34Sabs next; 781.34Sabs } 791.15Smrg if ($1 !~ /^[A-Za-z0-9]*$/) 801.25Slukem printf "Login %s has non-alphanumeric characters.\n", 811.25Slukem $1; 821.34Sabs if (length($1) > len) 831.34Sabs printf "Login %s has more than "len" characters.\n", $1; 841.15Smrg if ($2 == "") 851.25Slukem printf "Login %s has no password.\n", $1; 861.33Stv if (length($2) != 13 && length($2) != 20 && $2 != "") { 871.25Slukem if ($10 == "" || shells[$10]) 881.27Slukem printf "Login %s is off but still has a valid shell (%s)\n", 891.25Slukem $1, $10; 901.25Slukem } else if (! shells[$10]) 911.25Slukem printf "Login %s does not have a valid shell (%s)\n", 921.25Slukem $1, $10; 931.15Smrg if ($3 == 0 && $1 != "root" && $1 != "toor") 941.25Slukem printf "Login %s has a user id of 0.\n", $1; 951.15Smrg if ($3 < 0) 961.25Slukem printf "Login %s has a negative user id.\n", $1; 971.15Smrg if ($4 < 0) 981.25Slukem printf "Login %s has a negative group id.\n", $1; 991.15Smrg }' < $MP > $OUTPUT 1001.15Smrg if [ -s $OUTPUT ] ; then 1011.15Smrg printf "\nChecking the $MP file:\n" 1021.15Smrg cat $OUTPUT 1031.15Smrg fi 1041.15Smrg 1051.15Smrg awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT 1061.15Smrg if [ -s $OUTPUT ] ; then 1071.15Smrg printf "\n$MP has duplicate user names.\n" 1081.15Smrg column $OUTPUT 1091.15Smrg fi 1101.15Smrg 1111.28Slukem < $MPBYUID uniq -d -f 1 | awk '{ print $2 }' > $TMP2 1121.15Smrg if [ -s $TMP2 ] ; then 1131.15Smrg printf "\n$MP has duplicate user id's.\n" 1141.15Smrg while read uid; do 1151.28Slukem grep -w $uid $MPBYUID 1161.15Smrg done < $TMP2 | column 1171.15Smrg fi 1181.9Scgdfi 1191.9Scgd 1201.9Scgd# Backup the master password file; a special case, the normal backup 1211.9Scgd# mechanisms also print out file differences and we don't want to do 1221.9Scgd# that because this file has encrypted passwords in it. 1231.32Slukem# 1241.9ScgdCUR=/var/backups/`basename $MP`.current 1251.9ScgdBACK=/var/backups/`basename $MP`.backup 1261.9Scgdif [ -s $CUR ] ; then 1271.9Scgd if cmp -s $CUR $MP; then 1281.9Scgd : 1291.9Scgd else 1301.9Scgd cp -p $CUR $BACK 1311.9Scgd cp -p $MP $CUR 1321.9Scgd chown root.wheel $CUR 1331.9Scgd fi 1341.9Scgdelse 1351.9Scgd cp -p $MP $CUR 1361.9Scgd chown root.wheel $CUR 1371.9Scgdfi 1381.9Scgd 1391.9Scgd# Check the group file syntax. 1401.32Slukem# 1411.31Slukemif checkyesno check_group; then 1421.15Smrg GRP=/etc/group 1431.15Smrg awk -F: '{ 1441.15Smrg if ($0 ~ /^[ ]*$/) { 1451.25Slukem printf "Line %d is a blank line.\n", NR; 1461.15Smrg next; 1471.15Smrg } 1481.34Sabs if (NF != 4 && ($1 != "+" || NF != 1)) 1491.25Slukem printf "Line %d has the wrong number of fields.\n", NR; 1501.34Sabs if ($1 == "+" ) { 1511.34Sabs next; 1521.34Sabs } 1531.15Smrg if ($1 !~ /^[A-za-z0-9]*$/) 1541.25Slukem printf "Group %s has non-alphanumeric characters.\n", 1551.25Slukem $1; 1561.15Smrg if (length($1) > 8) 1571.25Slukem printf "Group %s has more than 8 characters.\n", $1; 1581.15Smrg if ($3 !~ /[0-9]*/) 1591.25Slukem printf "Login %s has a negative group id.\n", $1; 1601.15Smrg }' < $GRP > $OUTPUT 1611.15Smrg if [ -s $OUTPUT ] ; then 1621.15Smrg printf "\nChecking the $GRP file:\n" 1631.15Smrg cat $OUTPUT 1641.15Smrg fi 1651.15Smrg 1661.15Smrg awk -F: '{ print $1 }' $GRP | sort | uniq -d > $OUTPUT 1671.15Smrg if [ -s $OUTPUT ] ; then 1681.15Smrg printf "\n$GRP has duplicate group names.\n" 1691.15Smrg column $OUTPUT 1701.15Smrg fi 1711.9Scgdfi 1721.9Scgd 1731.9Scgd# Check for root paths, umask values in startup files. 1741.9Scgd# The check for the root paths is problematical -- it's likely to fail 1751.9Scgd# in other environments. Once the shells have been modified to warn 1761.9Scgd# of '.' in the path, the path tests should go away. 1771.32Slukem# 1781.31Slukemif checkyesno check_rootdotfiles; then 1791.28Slukem > $OUTPUT 1801.15Smrg rhome=`csh -fc "echo ~root"` 1811.15Smrg umaskset=no 1821.15Smrg list="/etc/csh.cshrc /etc/csh.login ${rhome}/.cshrc ${rhome}/.login" 1831.15Smrg for i in $list ; do 1841.15Smrg if [ -f $i ] ; then 1851.15Smrg if egrep umask $i > /dev/null ; then 1861.15Smrg umaskset=yes 1871.15Smrg fi 1881.15Smrg egrep umask $i | 1891.15Smrg awk '$2 % 100 < 20 \ 1901.27Slukem { print "\tRoot umask is group writeable" } 1911.15Smrg $2 % 10 < 2 \ 1921.27Slukem { print "\tRoot umask is other writeable" }' \ 1931.27Slukem >> $OUTPUT 1941.26Slukem SAVE_PATH=$PATH 1951.26Slukem unset PATH 1961.15Smrg /bin/csh -f -s << end-of-csh > /dev/null 2>&1 1971.15Smrg source $i 1981.15Smrg /bin/ls -ldgT \$path > $TMP1 1991.9Scgdend-of-csh 2001.26Slukem PATH=$SAVE_PATH 2011.15Smrg awk '{ 2021.15Smrg if ($10 ~ /^\.$/) { 2031.27Slukem print "\tThe root path includes ."; 2041.15Smrg next; 2051.15Smrg } 2061.15Smrg } 2071.15Smrg $1 ~ /^d....w/ \ 2081.27Slukem { print "\tRoot path directory " $10 " is group writeable." } \ 2091.15Smrg $1 ~ /^d.......w/ \ 2101.27Slukem { print "\tRoot path directory " $10 " is other writeable." }' \ 2111.15Smrg < $TMP1 >> $OUTPUT 2121.15Smrg fi 2131.15Smrg done 2141.15Smrg if [ $umaskset = "no" -o -s $OUTPUT ] ; then 2151.27Slukem printf "\nChecking root csh paths, umask values:\n$list\n\n" 2161.15Smrg if [ -s $OUTPUT ]; then 2171.15Smrg cat $OUTPUT 2181.15Smrg fi 2191.15Smrg if [ $umaskset = "no" ] ; then 2201.27Slukem printf "\tRoot csh startup files do not set the umask.\n" 2211.15Smrg fi 2221.9Scgd fi 2231.9Scgd 2241.28Slukem > $OUTPUT 2251.15Smrg rhome=/root 2261.15Smrg umaskset=no 2271.23Slukem list="/etc/profile ${rhome}/.profile" 2281.15Smrg for i in $list; do 2291.15Smrg if [ -f $i ] ; then 2301.15Smrg if egrep umask $i > /dev/null ; then 2311.15Smrg umaskset=yes 2321.15Smrg fi 2331.15Smrg egrep umask $i | 2341.15Smrg awk '$2 % 100 < 20 \ 2351.27Slukem { print "\tRoot umask is group writeable" } \ 2361.15Smrg $2 % 10 < 2 \ 2371.27Slukem { print "\tRoot umask is other writeable" }' \ 2381.27Slukem >> $OUTPUT 2391.26Slukem SAVE_PATH=$PATH 2401.26Slukem unset PATH 2411.15Smrg /bin/sh << end-of-sh > /dev/null 2>&1 2421.15Smrg . $i 2431.26Slukem list=\`echo \$PATH | /usr/bin/sed -e \ 2441.26Slukem 's/^:/.:/;s/:$/:./;s/::/:.:/g;s/:/ /g'\` 2451.15Smrg /bin/ls -ldgT \$list > $TMP1 2461.9Scgdend-of-sh 2471.26Slukem PATH=$SAVE_PATH 2481.15Smrg awk '{ 2491.15Smrg if ($10 ~ /^\.$/) { 2501.27Slukem print "\tThe root path includes ."; 2511.15Smrg next; 2521.15Smrg } 2531.15Smrg } 2541.15Smrg $1 ~ /^d....w/ \ 2551.27Slukem { print "\tRoot path directory " $10 " is group writeable." } \ 2561.15Smrg $1 ~ /^d.......w/ \ 2571.27Slukem { print "\tRoot path directory " $10 " is other writeable." }' \ 2581.15Smrg < $TMP1 >> $OUTPUT 2591.9Scgd 2601.15Smrg fi 2611.15Smrg done 2621.15Smrg if [ $umaskset = "no" -o -s $OUTPUT ] ; then 2631.15Smrg printf "\nChecking root sh paths, umask values:\n$list\n" 2641.15Smrg if [ -s $OUTPUT ]; then 2651.15Smrg cat $OUTPUT 2661.15Smrg fi 2671.15Smrg if [ $umaskset = "no" ] ; then 2681.27Slukem printf "\tRoot sh startup files do not set the umask.\n" 2691.15Smrg fi 2701.9Scgd fi 2711.9Scgdfi 2721.9Scgd 2731.9Scgd# Root and uucp should both be in /etc/ftpusers. 2741.32Slukem# 2751.31Slukemif checkyesno check_ftpusers; then 2761.28Slukem > $OUTPUT 2771.28Slukem list="uucp "`awk '$2 == 0 { print $1 }' $MPBYUID` 2781.27Slukem for i in $list; do 2791.29Slukem if /usr/libexec/ftpd -C $i ; then 2801.29Slukem printf "\t$i is not denied\n" >> $OUTPUT 2811.27Slukem fi 2821.27Slukem done 2831.28Slukem if [ -s $OUTPUT ]; then 2841.28Slukem printf "\nChecking the /etc/ftpusers configuration:\n" 2851.28Slukem cat $OUTPUT 2861.28Slukem fi 2871.9Scgdfi 2881.9Scgd 2891.9Scgd# Uudecode should not be in the /etc/aliases file. 2901.32Slukem# 2911.31Slukemif checkyesno check_aliases; then 2921.18Smikel if egrep '^[^#]*(uudecode|decode).*\|' /etc/aliases; then 2931.18Smikel printf "\nEntry for uudecode in /etc/aliases file.\n" 2941.15Smrg fi 2951.9Scgdfi 2961.9Scgd 2971.9Scgd# Files that should not have + signs. 2981.32Slukem# 2991.31Slukemif checkyesno check_rhosts; then 3001.15Smrg list="/etc/hosts.equiv /etc/hosts.lpd" 3011.15Smrg for f in $list ; do 3021.15Smrg if [ -f $f ] && egrep '\+' $f > /dev/null ; then 3031.15Smrg printf "\nPlus sign in $f file.\n" 3041.15Smrg fi 3051.15Smrg done 3061.15Smrg 3071.15Smrg # Check for special users with .rhosts files. Only root and toor should 3081.16Smikel # have .rhosts files. Also, .rhosts files should not have plus signs. 3091.15Smrg awk -F: '$1 != "root" && $1 != "toor" && \ 3101.15Smrg ($3 < 100 || $1 == "ftp" || $1 == "uucp") \ 3111.20Smycroft { print $1 " " $9 }' $MP | 3121.19Smycroft sort -k2 | 3131.15Smrg while read uid homedir; do 3141.15Smrg if [ -f ${homedir}/.rhosts ] ; then 3151.15Smrg rhost=`ls -ldgT ${homedir}/.rhosts` 3161.15Smrg printf "$uid: $rhost\n" 3171.15Smrg fi 3181.15Smrg done > $OUTPUT 3191.15Smrg if [ -s $OUTPUT ] ; then 3201.15Smrg printf "\nChecking for special users with .rhosts files.\n" 3211.15Smrg cat $OUTPUT 3221.15Smrg fi 3231.15Smrg 3241.15Smrg while read uid homedir; do 3251.35Sfair if [ -f ${homedir}/.rhosts -a -r ${homedir}/.rhosts ] && \ 3261.15Smrg egrep '\+' ${homedir}/.rhosts > /dev/null ; then 3271.15Smrg printf "$uid: + in .rhosts file.\n" 3281.15Smrg fi 3291.29Slukem done < $MPBYPATH > $OUTPUT 3301.15Smrg if [ -s $OUTPUT ] ; then 3311.15Smrg printf "\nChecking .rhosts files syntax.\n" 3321.15Smrg cat $OUTPUT 3331.15Smrg fi 3341.9Scgdfi 3351.9Scgd 3361.9Scgd# Check home directories. Directories should not be owned by someone else 3371.9Scgd# or writeable. 3381.32Slukem# 3391.31Slukemif checkyesno check_homes; then 3401.15Smrg while read uid homedir; do 3411.15Smrg if [ -d ${homedir}/ ] ; then 3421.15Smrg file=`ls -ldgT ${homedir}` 3431.15Smrg printf "$uid $file\n" 3441.9Scgd fi 3451.29Slukem done < $MPBYPATH | 3461.15Smrg awk '$1 != $4 && $4 != "root" \ 3471.15Smrg { print "user " $1 " home directory is owned by " $4 } 3481.15Smrg $2 ~ /^-....w/ \ 3491.15Smrg { print "user " $1 " home directory is group writeable" } 3501.15Smrg $2 ~ /^-.......w/ \ 3511.27Slukem { print "user " $1 " home directory is other writeable" }' \ 3521.27Slukem > $OUTPUT 3531.15Smrg if [ -s $OUTPUT ] ; then 3541.15Smrg printf "\nChecking home directories.\n" 3551.15Smrg cat $OUTPUT 3561.15Smrg fi 3571.15Smrg 3581.15Smrg # Files that should not be owned by someone else or readable. 3591.27Slukem list=".Xauthority .netrc" 3601.15Smrg while read uid homedir; do 3611.15Smrg for f in $list ; do 3621.15Smrg file=${homedir}/${f} 3631.15Smrg if [ -f $file ] ; then 3641.15Smrg printf "$uid $f `ls -ldgT $file`\n" 3651.15Smrg fi 3661.15Smrg done 3671.29Slukem done < $MPBYPATH | 3681.15Smrg awk '$1 != $5 && $5 != "root" \ 3691.15Smrg { print "user " $1 " " $2 " file is owned by " $5 } 3701.15Smrg $3 ~ /^-...r/ \ 3711.15Smrg { print "user " $1 " " $2 " file is group readable" } 3721.15Smrg $3 ~ /^-......r/ \ 3731.15Smrg { print "user " $1 " " $2 " file is other readable" } 3741.15Smrg $3 ~ /^-....w/ \ 3751.15Smrg { print "user " $1 " " $2 " file is group writeable" } 3761.15Smrg $3 ~ /^-.......w/ \ 3771.27Slukem { print "user " $1 " " $2 " file is other writeable" }' \ 3781.27Slukem > $OUTPUT 3791.15Smrg 3801.15Smrg # Files that should not be owned by someone else or writeable. 3811.19Smycroft list=".bash_history .bash_login .bash_logout .bash_profile .bashrc \ 3821.19Smycroft .cshrc .emacs .exrc .forward .history .klogin .login .logout \ 3831.27Slukem .profile .qmail .rc_history .rhosts .tcshrc .twmrc .xinitrc \ 3841.27Slukem .xsession" 3851.15Smrg while read uid homedir; do 3861.15Smrg for f in $list ; do 3871.15Smrg file=${homedir}/${f} 3881.15Smrg if [ -f $file ] ; then 3891.15Smrg printf "$uid $f `ls -ldgT $file`\n" 3901.15Smrg fi 3911.15Smrg done 3921.29Slukem done < $MPBYPATH | 3931.15Smrg awk '$1 != $5 && $5 != "root" \ 3941.15Smrg { print "user " $1 " " $2 " file is owned by " $5 } 3951.15Smrg $3 ~ /^-....w/ \ 3961.15Smrg { print "user " $1 " " $2 " file is group writeable" } 3971.15Smrg $3 ~ /^-.......w/ \ 3981.27Slukem { print "user " $1 " " $2 " file is other writeable" }' \ 3991.27Slukem >> $OUTPUT 4001.15Smrg if [ -s $OUTPUT ] ; then 4011.15Smrg printf "\nChecking dot files.\n" 4021.15Smrg cat $OUTPUT 4031.15Smrg fi 4041.9Scgdfi 4051.9Scgd 4061.9Scgd# Mailboxes should be owned by user and unreadable. 4071.32Slukem# 4081.31Slukemif checkyesno check_varmail; then 4091.15Smrg ls -l /var/mail | sed 1d | \ 4101.15Smrg awk '$3 != $9 \ 4111.15Smrg { print "user " $9 " mailbox is owned by " $3 } 4121.15Smrg $1 != "-rw-------" \ 4131.15Smrg { print "user " $9 " mailbox is " $1 ", group " $4 }' > $OUTPUT 4141.15Smrg if [ -s $OUTPUT ] ; then 4151.15Smrg printf "\nChecking mailbox ownership.\n" 4161.15Smrg cat $OUTPUT 4171.15Smrg fi 4181.15Smrgfi 4191.15Smrg 4201.32Slukem# NFS exports shouldn't be globally exported 4211.32Slukem# 4221.32Slukemif checkyesno check_nfs && [ -f /etc/exports ]; then 4231.32Slukem awk '{ 4241.22Slukem # ignore comments and blank lines 4251.22Slukem if ($LINE ~ /^\#/ || $LINE ~ /^$/ ) 4261.22Slukem next; 4271.22Slukem 4281.15Smrg readonly = 0; 4291.15Smrg for (i = 2; i <= NF; ++i) { 4301.15Smrg if ($i ~ /-ro/) 4311.15Smrg readonly = 1; 4321.15Smrg else if ($i !~ /^-/) 4331.15Smrg next; 4341.15Smrg } 4351.15Smrg if (readonly) 4361.15Smrg print "File system " $1 " globally exported, read-only." 4371.15Smrg else 4381.15Smrg print "File system " $1 " globally exported, read-write." 4391.32Slukem }' < /etc/exports > $OUTPUT 4401.32Slukem if [ -s $OUTPUT ] ; then 4411.15Smrg printf "\nChecking for globally exported file systems.\n" 4421.15Smrg cat $OUTPUT 4431.15Smrg fi 4441.9Scgdfi 4451.9Scgd 4461.9Scgd# Display any changes in setuid files and devices. 4471.32Slukem# 4481.31Slukemif checkyesno check_devices; then 4491.28Slukem > $ERR 4501.15Smrg (find / \( ! -fstype local -o -fstype fdesc -o -fstype kernfs \ 4511.15Smrg -o -fstype procfs \) -a -prune -o \ 4521.21Smycroft \( \( -perm -u+s -a ! -type d \) -o \ 4531.21Smycroft \( -perm -g+s -a ! -type d \) -o \ 4541.24Slukem -type b -o -type c \) -print0 | \ 4551.24Slukem xargs -0 ls -ldgTq | sort +9 > $LIST) 2> $OUTPUT 4561.15Smrg 4571.15Smrg # Display any errors that occurred during system file walk. 4581.15Smrg if [ -s $OUTPUT ] ; then 4591.28Slukem printf "Setuid/device find errors:\n" >> $ERR 4601.28Slukem cat $OUTPUT >> $ERR 4611.28Slukem printf "\n" >> $ERR 4621.15Smrg fi 4631.15Smrg 4641.15Smrg # Display any changes in the setuid file list. 4651.15Smrg egrep -v '^[bc]' $LIST > $TMP1 4661.15Smrg if [ -s $TMP1 ] ; then 4671.15Smrg # Check to make sure uudecode isn't setuid. 4681.15Smrg if grep -w uudecode $TMP1 > /dev/null ; then 4691.28Slukem printf "\nUudecode is setuid.\n" >> $ERR 4701.15Smrg fi 4711.15Smrg 4721.15Smrg CUR=/var/backups/setuid.current 4731.15Smrg BACK=/var/backups/setuid.backup 4741.9Scgd 4751.15Smrg if [ -s $CUR ] ; then 4761.15Smrg if cmp -s $CUR $TMP1 ; then 4771.15Smrg : 4781.15Smrg else 4791.15Smrg > $TMP2 4801.15Smrg join -110 -210 -v2 $CUR $TMP1 > $OUTPUT 4811.15Smrg if [ -s $OUTPUT ] ; then 4821.28Slukem printf "Setuid additions:\n" >> $ERR 4831.28Slukem tee -a $TMP2 < $OUTPUT >> $ERR 4841.28Slukem printf "\n" >> $ERR 4851.15Smrg fi 4861.15Smrg 4871.15Smrg join -110 -210 -v1 $CUR $TMP1 > $OUTPUT 4881.15Smrg if [ -s $OUTPUT ] ; then 4891.28Slukem printf "Setuid deletions:\n" >> $ERR 4901.28Slukem tee -a $TMP2 < $OUTPUT >> $ERR 4911.28Slukem printf "\n" >> $ERR 4921.15Smrg fi 4931.15Smrg 4941.20Smycroft sort -k10 $TMP2 $CUR $TMP1 | \ 4951.27Slukem sed -e 's/[ ][ ]*/ /g' | \ 4961.27Slukem uniq -u > $OUTPUT 4971.15Smrg if [ -s $OUTPUT ] ; then 4981.28Slukem printf "Setuid changes:\n" >> $ERR 4991.28Slukem column -t $OUTPUT >> $ERR 5001.28Slukem printf "\n" >> $ERR 5011.15Smrg fi 5021.9Scgd 5031.15Smrg cp $CUR $BACK 5041.15Smrg cp $TMP1 $CUR 5051.9Scgd fi 5061.15Smrg else 5071.28Slukem printf "Setuid additions:\n" >> $ERR 5081.28Slukem column -t $TMP1 >> $ERR 5091.28Slukem printf "\n" >> $ERR 5101.9Scgd cp $TMP1 $CUR 5111.9Scgd fi 5121.15Smrg fi 5131.15Smrg 5141.27Slukem # Check for block and character disk devices that are readable or 5151.27Slukem # writeable or not owned by root.operator. 5161.15Smrg >$TMP1 5171.27Slukem DISKLIST="acd ccd cd ch fd hk hp mcd md ra rb rd rl rx rz \ 5181.27Slukem sd se ss tz uk up vnd wd xd xy" 5191.27Slukem# DISKLIST="$DISKLIST ct mt st wt" 5201.15Smrg for i in $DISKLIST; do 5211.15Smrg egrep "^b.*/${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1 5221.15Smrg egrep "^c.*/r${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1 5231.15Smrg done 5241.15Smrg 5251.15Smrg awk '$3 != "root" || $4 != "operator" || $1 !~ /.rw-r-----/ \ 5261.25Slukem { printf "Disk %s is user %s, group %s, permissions %s.\n", \ 5271.25Slukem $11, $3, $4, $1; }' < $TMP1 > $OUTPUT 5281.15Smrg if [ -s $OUTPUT ] ; then 5291.28Slukem printf "\nChecking disk ownership and permissions.\n" >> $ERR 5301.28Slukem cat $OUTPUT >> $ERR 5311.28Slukem printf "\n" >> $ERR 5321.9Scgd fi 5331.9Scgd 5341.15Smrg # Display any changes in the device file list. 5351.20Smycroft egrep '^[bc]' $LIST | sort -k11 > $TMP1 5361.15Smrg if [ -s $TMP1 ] ; then 5371.15Smrg CUR=/var/backups/device.current 5381.15Smrg BACK=/var/backups/device.backup 5391.15Smrg 5401.15Smrg if [ -s $CUR ] ; then 5411.15Smrg if cmp -s $CUR $TMP1 ; then 5421.15Smrg : 5431.15Smrg else 5441.15Smrg > $TMP2 5451.15Smrg join -111 -211 -v2 $CUR $TMP1 > $OUTPUT 5461.15Smrg if [ -s $OUTPUT ] ; then 5471.28Slukem printf "Device additions:\n" >> $ERR 5481.28Slukem tee -a $TMP2 < $OUTPUT >> $ERR 5491.28Slukem printf "\n" >> $ERR 5501.15Smrg fi 5511.15Smrg 5521.15Smrg join -111 -211 -v1 $CUR $TMP1 > $OUTPUT 5531.15Smrg if [ -s $OUTPUT ] ; then 5541.28Slukem printf "Device deletions:\n" >> $ERR 5551.28Slukem tee -a $TMP2 < $OUTPUT >> $ERR 5561.28Slukem printf "\n" >> $ERR 5571.15Smrg fi 5581.15Smrg 5591.27Slukem # Report any block device change. Ignore 5601.27Slukem # character devices, only the name is 5611.27Slukem # significant. 5621.15Smrg cat $TMP2 $CUR $TMP1 | \ 5631.27Slukem sed -e '/^c/d' | \ 5641.27Slukem sort -k11 | \ 5651.27Slukem sed -e 's/[ ][ ]*/ /g' | \ 5661.27Slukem uniq -u > $OUTPUT 5671.15Smrg if [ -s $OUTPUT ] ; then 5681.28Slukem printf "Block device changes:\n" >> $ERR 5691.28Slukem column -t $OUTPUT >> $ERR 5701.28Slukem printf "\n" >> $ERR 5711.15Smrg fi 5721.9Scgd 5731.15Smrg cp $CUR $BACK 5741.15Smrg cp $TMP1 $CUR 5751.9Scgd fi 5761.15Smrg else 5771.28Slukem printf "Device additions:\n" >> $ERR 5781.28Slukem column -t $TMP1 >> $ERR 5791.28Slukem printf "\n" >> $ERR 5801.28Slukem cp $TMP1 $CUR >> $ERR 5811.9Scgd fi 5821.28Slukem fi 5831.28Slukem if [ -s $ERR ] ; then 5841.28Slukem printf "\nChecking setuid files and devices:\n" 5851.28Slukem cat $ERR 5861.28Slukem printf "\n" 5871.9Scgd fi 5881.9Scgdfi 5891.9Scgd 5901.9Scgd# Check special files. 5911.9Scgd# Check system binaries. 5921.9Scgd# 5931.9Scgd# Create the mtree tree specifications using: 5941.9Scgd# 5951.9Scgd# mtree -cx -pDIR -kcksum,gid,mode,nlink,size,link,time,uid > DIR.secure 5961.16Smikel# chown root.wheel DIR.secure 5971.16Smikel# chmod 600 DIR.secure 5981.9Scgd# 5991.9Scgd# Note, this is not complete protection against Trojan horsed binaries, as 6001.9Scgd# the hacker can modify the tree specification to match the replaced binary. 6011.9Scgd# For details on really protecting yourself against modified binaries, see 6021.9Scgd# the mtree(8) manual page. 6031.32Slukem# 6041.31Slukemif checkyesno check_mtree; then 6051.9Scgd mtree -e -p / -f /etc/mtree/special > $OUTPUT 6061.15Smrg if [ -s $OUTPUT ]; then 6071.9Scgd printf "\nChecking special files and directories.\n" 6081.9Scgd cat $OUTPUT 6091.9Scgd fi 6101.9Scgd 6111.9Scgd > $OUTPUT 6121.16Smikel for file in /etc/mtree/*.secure; do 6131.16Smikel [ $file = '/etc/mtree/*.secure' ] && continue 6141.9Scgd tree=`sed -n -e '3s/.* //p' -e 3q $file` 6151.9Scgd mtree -f $file -p $tree > $TMP1 6161.9Scgd if [ -s $TMP1 ]; then 6171.9Scgd printf "\nChecking $tree:\n" >> $OUTPUT 6181.9Scgd cat $TMP1 >> $OUTPUT 6191.9Scgd fi 6201.9Scgd done 6211.15Smrg if [ -s $OUTPUT ]; then 6221.9Scgd printf "\nChecking system binaries:\n" 6231.9Scgd cat $OUTPUT 6241.9Scgd fi 6251.9Scgdfi 6261.9Scgd 6271.32SlukemCHANGELIST="" 6281.32Slukem 6291.32Slukem# Backup disklabels of available disks 6301.32Slukem# 6311.32Slukemif checkyesno check_disklabels; then 6321.32Slukem # generate list of old disklabels and remove them 6331.32Slukem ls -1d /var/backups/disklabel.* 2>/dev/null | 6341.32Slukem egrep -v '\.(backup|current)$' > $LABELS 6351.32Slukem xargs rm < $LABELS 6361.32Slukem 6371.32Slukem disks=`iostat -x | sed 1d | awk '$1 !~ /^[mf]d/ { print $1; }'` 6381.32Slukem for i in $disks; do 6391.32Slukem dlf="/var/backups/disklabel.$i" 6401.32Slukem disklabel $i > $dlf 2>/dev/null 6411.32Slukem done 6421.32Slukem 6431.32Slukem # append list of new disklabels, sort list 6441.32Slukem ls -1d /var/backups/disklabel.* 2>/dev/null | 6451.32Slukem egrep -v '\.(backup|current)$' >> $LABELS 6461.32Slukem sort -u -o $LABELS $LABELS 6471.32Slukem CHANGELIST=$LABELS 6481.32Slukemfi 6491.32Slukem 6501.9Scgd# List of files that get backed up and checked for any modifications. Each 6511.9Scgd# file is expected to have two backups, /var/backups/file.{current,backup}. 6521.9Scgd# Any changes cause the files to rotate. 6531.32Slukem# 6541.31Slukemif checkyesno check_changelist && [ -s /etc/changelist ] ; then 6551.32Slukem CHANGELIST="/etc/changelist $CHANGELIST" 6561.32Slukemfi 6571.32Slukem 6581.32Slukemif [ -n "$CHANGELIST" ]; then 6591.32Slukem for file in `egrep -hv "^#|$MP" $CHANGELIST`; do 6601.9Scgd CUR=/var/backups/`basename $file`.current 6611.9Scgd BACK=/var/backups/`basename $file`.backup 6621.30Smycroft if [ -f $file ]; then 6631.30Smycroft if [ -f $CUR ] ; then 6641.9Scgd diff $CUR $file > $OUTPUT 6651.9Scgd if [ -s $OUTPUT ] ; then 6661.9Scgd printf "\n======\n%s diffs (OLD < > NEW)\n======\n" $file 6671.9Scgd cat $OUTPUT 6681.30Smycroft mv -f $CUR $BACK 6691.9Scgd cp -p $file $CUR 6701.30Smycroft chown root.wheel $CUR 6711.9Scgd fi 6721.9Scgd else 6731.30Smycroft printf "\n======\n%s added\n======\n" $file 6741.30Smycroft diff /dev/null $file 6751.9Scgd cp -p $file $CUR 6761.9Scgd chown root.wheel $CUR 6771.30Smycroft fi 6781.30Smycroft else 6791.30Smycroft if [ -f $CUR ]; then 6801.30Smycroft printf "\n======\n%s removed\n======\n" $file 6811.30Smycroft diff $CUR /dev/null 6821.30Smycroft mv -f $CUR $BACK 6831.9Scgd fi 6841.9Scgd fi 6851.9Scgd done 6861.9Scgdfi 687