security revision 1.36
11.1Scgd#!/bin/sh - 21.1Scgd# 31.36Swrstuden# $NetBSD: security,v 1.36 1999/03/17 02:58:11 wrstuden Exp $ 41.9Scgd# from: @(#)security 8.1 (Berkeley) 6/9/93 51.1Scgd# 61.1Scgd 71.9ScgdPATH=/sbin:/usr/sbin:/bin:/usr/bin 81.1Scgd 91.31Slukemif [ -f /etc/rc.subr ]; then 101.31Slukem . /etc/rc.subr 111.31Slukemelse 121.31Slukem echo "Can't read /etc/rc.subr; aborting." 131.31Slukem exit 1; 141.31Slukemfi 151.31Slukem 161.9Scgdumask 077 171.1Scgd 181.15Smrgif [ -s /etc/security.conf ]; then 191.15Smrg . /etc/security.conf 201.15Smrgfi 211.15Smrg 221.15SmrgSECUREDIR=/tmp/_securedir.$$ 231.15Smrgif ! mkdir $SECUREDIR; then 241.15Smrg echo can not create $SECUREDIR. 251.15Smrg exit 1 261.15Smrgfi 271.15Smrg 281.15Smrgif ! cd $SECUREDIR; then 291.15Smrg echo can not chdir to $SECUREDIR. 301.15Smrg exit 1 311.15Smrgfi 321.15Smrg 331.34Sabsif [ -z "$max_loginlen" ];then 341.34Sabs max_loginlen=8 351.34Sabsfi 361.34Sabs 371.15SmrgERR=secure1.$$ 381.15SmrgTMP1=secure2.$$ 391.15SmrgTMP2=secure3.$$ 401.28SlukemMPBYUID=secure4.$$ 411.29SlukemMPBYPATH=secure5.$$ 421.27SlukemLIST=secure6.$$ 431.27SlukemOUTPUT=secure7.$$ 441.32SlukemLABELS=secure8.$$ 451.15Smrg 461.27Slukemtrap '/bin/rm -rf $SECUREDIR ; exit 0' 0 2 3 471.15Smrg 481.15SmrgMP=/etc/master.passwd 491.9Scgd 501.27Slukem# these is used several times. 511.34Sabsawk -F: '!/^+/ { print $1 " " $3 }' $MP | sort -k2n > $MPBYUID 521.29Slukemawk -F: '{ print $1 " " $9 }' $MP | sort -k2 > $MPBYPATH 531.9Scgd 541.9Scgd# Check the master password file syntax. 551.32Slukem# 561.31Slukemif checkyesno check_passwd; then 571.34Sabs awk -v "len=$max_loginlen" ' 581.25Slukem BEGIN { 591.25Slukem while ( getline < "/etc/shells" > 0 ) { 601.25Slukem if ($LINE ~ /^\#/ || $LINE ~ /^$/ ) 611.25Slukem continue; 621.25Slukem shells[$1]++; 631.25Slukem } 641.25Slukem FS=":"; 651.25Slukem } 661.25Slukem 671.25Slukem { 681.15Smrg if ($0 ~ /^[ ]*$/) { 691.25Slukem printf "Line %d is a blank line.\n", NR; 701.15Smrg next; 711.15Smrg } 721.34Sabs if (NF != 10 && ($1 != "+" || NF != 1)) 731.25Slukem printf "Line %d has the wrong number of fields.\n", NR; 741.34Sabs if ($1 == "+" ) { 751.34Sabs if (NF != 1 && $3 == 0) 761.34Sabs printf "Line %d includes entries with uid 0.\n", NR; 771.34Sabs next; 781.34Sabs } 791.15Smrg if ($1 !~ /^[A-Za-z0-9]*$/) 801.25Slukem printf "Login %s has non-alphanumeric characters.\n", 811.25Slukem $1; 821.34Sabs if (length($1) > len) 831.34Sabs printf "Login %s has more than "len" characters.\n", $1; 841.15Smrg if ($2 == "") 851.25Slukem printf "Login %s has no password.\n", $1; 861.33Stv if (length($2) != 13 && length($2) != 20 && $2 != "") { 871.25Slukem if ($10 == "" || shells[$10]) 881.27Slukem printf "Login %s is off but still has a valid shell (%s)\n", 891.25Slukem $1, $10; 901.25Slukem } else if (! shells[$10]) 911.25Slukem printf "Login %s does not have a valid shell (%s)\n", 921.25Slukem $1, $10; 931.15Smrg if ($3 == 0 && $1 != "root" && $1 != "toor") 941.25Slukem printf "Login %s has a user id of 0.\n", $1; 951.15Smrg if ($3 < 0) 961.25Slukem printf "Login %s has a negative user id.\n", $1; 971.15Smrg if ($4 < 0) 981.25Slukem printf "Login %s has a negative group id.\n", $1; 991.15Smrg }' < $MP > $OUTPUT 1001.15Smrg if [ -s $OUTPUT ] ; then 1011.15Smrg printf "\nChecking the $MP file:\n" 1021.15Smrg cat $OUTPUT 1031.15Smrg fi 1041.15Smrg 1051.15Smrg awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT 1061.15Smrg if [ -s $OUTPUT ] ; then 1071.15Smrg printf "\n$MP has duplicate user names.\n" 1081.15Smrg column $OUTPUT 1091.15Smrg fi 1101.15Smrg 1111.36Swrstuden# the corner case of a "toor " account is caught in the invalid character 1121.36Swrstuden# test above. 1131.36Swrstuden < $MPBYUID egrep -v '^toor ' | uniq -d -f 1 | awk '{ print $2 }' > $TMP2 1141.15Smrg if [ -s $TMP2 ] ; then 1151.15Smrg printf "\n$MP has duplicate user id's.\n" 1161.15Smrg while read uid; do 1171.28Slukem grep -w $uid $MPBYUID 1181.15Smrg done < $TMP2 | column 1191.15Smrg fi 1201.9Scgdfi 1211.9Scgd 1221.9Scgd# Backup the master password file; a special case, the normal backup 1231.9Scgd# mechanisms also print out file differences and we don't want to do 1241.9Scgd# that because this file has encrypted passwords in it. 1251.32Slukem# 1261.9ScgdCUR=/var/backups/`basename $MP`.current 1271.9ScgdBACK=/var/backups/`basename $MP`.backup 1281.9Scgdif [ -s $CUR ] ; then 1291.9Scgd if cmp -s $CUR $MP; then 1301.9Scgd : 1311.9Scgd else 1321.9Scgd cp -p $CUR $BACK 1331.9Scgd cp -p $MP $CUR 1341.9Scgd chown root.wheel $CUR 1351.9Scgd fi 1361.9Scgdelse 1371.9Scgd cp -p $MP $CUR 1381.9Scgd chown root.wheel $CUR 1391.9Scgdfi 1401.9Scgd 1411.9Scgd# Check the group file syntax. 1421.32Slukem# 1431.31Slukemif checkyesno check_group; then 1441.15Smrg GRP=/etc/group 1451.15Smrg awk -F: '{ 1461.15Smrg if ($0 ~ /^[ ]*$/) { 1471.25Slukem printf "Line %d is a blank line.\n", NR; 1481.15Smrg next; 1491.15Smrg } 1501.34Sabs if (NF != 4 && ($1 != "+" || NF != 1)) 1511.25Slukem printf "Line %d has the wrong number of fields.\n", NR; 1521.34Sabs if ($1 == "+" ) { 1531.34Sabs next; 1541.34Sabs } 1551.15Smrg if ($1 !~ /^[A-za-z0-9]*$/) 1561.25Slukem printf "Group %s has non-alphanumeric characters.\n", 1571.25Slukem $1; 1581.15Smrg if (length($1) > 8) 1591.25Slukem printf "Group %s has more than 8 characters.\n", $1; 1601.15Smrg if ($3 !~ /[0-9]*/) 1611.25Slukem printf "Login %s has a negative group id.\n", $1; 1621.15Smrg }' < $GRP > $OUTPUT 1631.15Smrg if [ -s $OUTPUT ] ; then 1641.15Smrg printf "\nChecking the $GRP file:\n" 1651.15Smrg cat $OUTPUT 1661.15Smrg fi 1671.15Smrg 1681.15Smrg awk -F: '{ print $1 }' $GRP | sort | uniq -d > $OUTPUT 1691.15Smrg if [ -s $OUTPUT ] ; then 1701.15Smrg printf "\n$GRP has duplicate group names.\n" 1711.15Smrg column $OUTPUT 1721.15Smrg fi 1731.9Scgdfi 1741.9Scgd 1751.9Scgd# Check for root paths, umask values in startup files. 1761.9Scgd# The check for the root paths is problematical -- it's likely to fail 1771.9Scgd# in other environments. Once the shells have been modified to warn 1781.9Scgd# of '.' in the path, the path tests should go away. 1791.32Slukem# 1801.31Slukemif checkyesno check_rootdotfiles; then 1811.28Slukem > $OUTPUT 1821.15Smrg rhome=`csh -fc "echo ~root"` 1831.15Smrg umaskset=no 1841.15Smrg list="/etc/csh.cshrc /etc/csh.login ${rhome}/.cshrc ${rhome}/.login" 1851.15Smrg for i in $list ; do 1861.15Smrg if [ -f $i ] ; then 1871.15Smrg if egrep umask $i > /dev/null ; then 1881.15Smrg umaskset=yes 1891.15Smrg fi 1901.15Smrg egrep umask $i | 1911.15Smrg awk '$2 % 100 < 20 \ 1921.27Slukem { print "\tRoot umask is group writeable" } 1931.15Smrg $2 % 10 < 2 \ 1941.27Slukem { print "\tRoot umask is other writeable" }' \ 1951.27Slukem >> $OUTPUT 1961.26Slukem SAVE_PATH=$PATH 1971.26Slukem unset PATH 1981.15Smrg /bin/csh -f -s << end-of-csh > /dev/null 2>&1 1991.15Smrg source $i 2001.15Smrg /bin/ls -ldgT \$path > $TMP1 2011.9Scgdend-of-csh 2021.26Slukem PATH=$SAVE_PATH 2031.15Smrg awk '{ 2041.15Smrg if ($10 ~ /^\.$/) { 2051.27Slukem print "\tThe root path includes ."; 2061.15Smrg next; 2071.15Smrg } 2081.15Smrg } 2091.15Smrg $1 ~ /^d....w/ \ 2101.27Slukem { print "\tRoot path directory " $10 " is group writeable." } \ 2111.15Smrg $1 ~ /^d.......w/ \ 2121.27Slukem { print "\tRoot path directory " $10 " is other writeable." }' \ 2131.15Smrg < $TMP1 >> $OUTPUT 2141.15Smrg fi 2151.15Smrg done 2161.15Smrg if [ $umaskset = "no" -o -s $OUTPUT ] ; then 2171.27Slukem printf "\nChecking root csh paths, umask values:\n$list\n\n" 2181.15Smrg if [ -s $OUTPUT ]; then 2191.15Smrg cat $OUTPUT 2201.15Smrg fi 2211.15Smrg if [ $umaskset = "no" ] ; then 2221.27Slukem printf "\tRoot csh startup files do not set the umask.\n" 2231.15Smrg fi 2241.9Scgd fi 2251.9Scgd 2261.28Slukem > $OUTPUT 2271.15Smrg rhome=/root 2281.15Smrg umaskset=no 2291.23Slukem list="/etc/profile ${rhome}/.profile" 2301.15Smrg for i in $list; do 2311.15Smrg if [ -f $i ] ; then 2321.15Smrg if egrep umask $i > /dev/null ; then 2331.15Smrg umaskset=yes 2341.15Smrg fi 2351.15Smrg egrep umask $i | 2361.15Smrg awk '$2 % 100 < 20 \ 2371.27Slukem { print "\tRoot umask is group writeable" } \ 2381.15Smrg $2 % 10 < 2 \ 2391.27Slukem { print "\tRoot umask is other writeable" }' \ 2401.27Slukem >> $OUTPUT 2411.26Slukem SAVE_PATH=$PATH 2421.26Slukem unset PATH 2431.15Smrg /bin/sh << end-of-sh > /dev/null 2>&1 2441.15Smrg . $i 2451.26Slukem list=\`echo \$PATH | /usr/bin/sed -e \ 2461.26Slukem 's/^:/.:/;s/:$/:./;s/::/:.:/g;s/:/ /g'\` 2471.15Smrg /bin/ls -ldgT \$list > $TMP1 2481.9Scgdend-of-sh 2491.26Slukem PATH=$SAVE_PATH 2501.15Smrg awk '{ 2511.15Smrg if ($10 ~ /^\.$/) { 2521.27Slukem print "\tThe root path includes ."; 2531.15Smrg next; 2541.15Smrg } 2551.15Smrg } 2561.15Smrg $1 ~ /^d....w/ \ 2571.27Slukem { print "\tRoot path directory " $10 " is group writeable." } \ 2581.15Smrg $1 ~ /^d.......w/ \ 2591.27Slukem { print "\tRoot path directory " $10 " is other writeable." }' \ 2601.15Smrg < $TMP1 >> $OUTPUT 2611.9Scgd 2621.15Smrg fi 2631.15Smrg done 2641.15Smrg if [ $umaskset = "no" -o -s $OUTPUT ] ; then 2651.15Smrg printf "\nChecking root sh paths, umask values:\n$list\n" 2661.15Smrg if [ -s $OUTPUT ]; then 2671.15Smrg cat $OUTPUT 2681.15Smrg fi 2691.15Smrg if [ $umaskset = "no" ] ; then 2701.27Slukem printf "\tRoot sh startup files do not set the umask.\n" 2711.15Smrg fi 2721.9Scgd fi 2731.9Scgdfi 2741.9Scgd 2751.9Scgd# Root and uucp should both be in /etc/ftpusers. 2761.32Slukem# 2771.31Slukemif checkyesno check_ftpusers; then 2781.28Slukem > $OUTPUT 2791.28Slukem list="uucp "`awk '$2 == 0 { print $1 }' $MPBYUID` 2801.27Slukem for i in $list; do 2811.29Slukem if /usr/libexec/ftpd -C $i ; then 2821.29Slukem printf "\t$i is not denied\n" >> $OUTPUT 2831.27Slukem fi 2841.27Slukem done 2851.28Slukem if [ -s $OUTPUT ]; then 2861.28Slukem printf "\nChecking the /etc/ftpusers configuration:\n" 2871.28Slukem cat $OUTPUT 2881.28Slukem fi 2891.9Scgdfi 2901.9Scgd 2911.9Scgd# Uudecode should not be in the /etc/aliases file. 2921.32Slukem# 2931.31Slukemif checkyesno check_aliases; then 2941.18Smikel if egrep '^[^#]*(uudecode|decode).*\|' /etc/aliases; then 2951.18Smikel printf "\nEntry for uudecode in /etc/aliases file.\n" 2961.15Smrg fi 2971.9Scgdfi 2981.9Scgd 2991.9Scgd# Files that should not have + signs. 3001.32Slukem# 3011.31Slukemif checkyesno check_rhosts; then 3021.15Smrg list="/etc/hosts.equiv /etc/hosts.lpd" 3031.15Smrg for f in $list ; do 3041.15Smrg if [ -f $f ] && egrep '\+' $f > /dev/null ; then 3051.15Smrg printf "\nPlus sign in $f file.\n" 3061.15Smrg fi 3071.15Smrg done 3081.15Smrg 3091.15Smrg # Check for special users with .rhosts files. Only root and toor should 3101.16Smikel # have .rhosts files. Also, .rhosts files should not have plus signs. 3111.15Smrg awk -F: '$1 != "root" && $1 != "toor" && \ 3121.15Smrg ($3 < 100 || $1 == "ftp" || $1 == "uucp") \ 3131.20Smycroft { print $1 " " $9 }' $MP | 3141.19Smycroft sort -k2 | 3151.15Smrg while read uid homedir; do 3161.15Smrg if [ -f ${homedir}/.rhosts ] ; then 3171.15Smrg rhost=`ls -ldgT ${homedir}/.rhosts` 3181.15Smrg printf "$uid: $rhost\n" 3191.15Smrg fi 3201.15Smrg done > $OUTPUT 3211.15Smrg if [ -s $OUTPUT ] ; then 3221.15Smrg printf "\nChecking for special users with .rhosts files.\n" 3231.15Smrg cat $OUTPUT 3241.15Smrg fi 3251.15Smrg 3261.15Smrg while read uid homedir; do 3271.35Sfair if [ -f ${homedir}/.rhosts -a -r ${homedir}/.rhosts ] && \ 3281.15Smrg egrep '\+' ${homedir}/.rhosts > /dev/null ; then 3291.15Smrg printf "$uid: + in .rhosts file.\n" 3301.15Smrg fi 3311.29Slukem done < $MPBYPATH > $OUTPUT 3321.15Smrg if [ -s $OUTPUT ] ; then 3331.15Smrg printf "\nChecking .rhosts files syntax.\n" 3341.15Smrg cat $OUTPUT 3351.15Smrg fi 3361.9Scgdfi 3371.9Scgd 3381.9Scgd# Check home directories. Directories should not be owned by someone else 3391.9Scgd# or writeable. 3401.32Slukem# 3411.31Slukemif checkyesno check_homes; then 3421.15Smrg while read uid homedir; do 3431.15Smrg if [ -d ${homedir}/ ] ; then 3441.15Smrg file=`ls -ldgT ${homedir}` 3451.15Smrg printf "$uid $file\n" 3461.9Scgd fi 3471.29Slukem done < $MPBYPATH | 3481.15Smrg awk '$1 != $4 && $4 != "root" \ 3491.15Smrg { print "user " $1 " home directory is owned by " $4 } 3501.15Smrg $2 ~ /^-....w/ \ 3511.15Smrg { print "user " $1 " home directory is group writeable" } 3521.15Smrg $2 ~ /^-.......w/ \ 3531.27Slukem { print "user " $1 " home directory is other writeable" }' \ 3541.27Slukem > $OUTPUT 3551.15Smrg if [ -s $OUTPUT ] ; then 3561.15Smrg printf "\nChecking home directories.\n" 3571.15Smrg cat $OUTPUT 3581.15Smrg fi 3591.15Smrg 3601.15Smrg # Files that should not be owned by someone else or readable. 3611.27Slukem list=".Xauthority .netrc" 3621.15Smrg while read uid homedir; do 3631.15Smrg for f in $list ; do 3641.15Smrg file=${homedir}/${f} 3651.15Smrg if [ -f $file ] ; then 3661.15Smrg printf "$uid $f `ls -ldgT $file`\n" 3671.15Smrg fi 3681.15Smrg done 3691.29Slukem done < $MPBYPATH | 3701.15Smrg awk '$1 != $5 && $5 != "root" \ 3711.15Smrg { print "user " $1 " " $2 " file is owned by " $5 } 3721.15Smrg $3 ~ /^-...r/ \ 3731.15Smrg { print "user " $1 " " $2 " file is group readable" } 3741.15Smrg $3 ~ /^-......r/ \ 3751.15Smrg { print "user " $1 " " $2 " file is other readable" } 3761.15Smrg $3 ~ /^-....w/ \ 3771.15Smrg { print "user " $1 " " $2 " file is group writeable" } 3781.15Smrg $3 ~ /^-.......w/ \ 3791.27Slukem { print "user " $1 " " $2 " file is other writeable" }' \ 3801.27Slukem > $OUTPUT 3811.15Smrg 3821.15Smrg # Files that should not be owned by someone else or writeable. 3831.19Smycroft list=".bash_history .bash_login .bash_logout .bash_profile .bashrc \ 3841.19Smycroft .cshrc .emacs .exrc .forward .history .klogin .login .logout \ 3851.27Slukem .profile .qmail .rc_history .rhosts .tcshrc .twmrc .xinitrc \ 3861.27Slukem .xsession" 3871.15Smrg while read uid homedir; do 3881.15Smrg for f in $list ; do 3891.15Smrg file=${homedir}/${f} 3901.15Smrg if [ -f $file ] ; then 3911.15Smrg printf "$uid $f `ls -ldgT $file`\n" 3921.15Smrg fi 3931.15Smrg done 3941.29Slukem done < $MPBYPATH | 3951.15Smrg awk '$1 != $5 && $5 != "root" \ 3961.15Smrg { print "user " $1 " " $2 " file is owned by " $5 } 3971.15Smrg $3 ~ /^-....w/ \ 3981.15Smrg { print "user " $1 " " $2 " file is group writeable" } 3991.15Smrg $3 ~ /^-.......w/ \ 4001.27Slukem { print "user " $1 " " $2 " file is other writeable" }' \ 4011.27Slukem >> $OUTPUT 4021.15Smrg if [ -s $OUTPUT ] ; then 4031.15Smrg printf "\nChecking dot files.\n" 4041.15Smrg cat $OUTPUT 4051.15Smrg fi 4061.9Scgdfi 4071.9Scgd 4081.9Scgd# Mailboxes should be owned by user and unreadable. 4091.32Slukem# 4101.31Slukemif checkyesno check_varmail; then 4111.15Smrg ls -l /var/mail | sed 1d | \ 4121.15Smrg awk '$3 != $9 \ 4131.15Smrg { print "user " $9 " mailbox is owned by " $3 } 4141.15Smrg $1 != "-rw-------" \ 4151.15Smrg { print "user " $9 " mailbox is " $1 ", group " $4 }' > $OUTPUT 4161.15Smrg if [ -s $OUTPUT ] ; then 4171.15Smrg printf "\nChecking mailbox ownership.\n" 4181.15Smrg cat $OUTPUT 4191.15Smrg fi 4201.15Smrgfi 4211.15Smrg 4221.32Slukem# NFS exports shouldn't be globally exported 4231.32Slukem# 4241.32Slukemif checkyesno check_nfs && [ -f /etc/exports ]; then 4251.32Slukem awk '{ 4261.22Slukem # ignore comments and blank lines 4271.22Slukem if ($LINE ~ /^\#/ || $LINE ~ /^$/ ) 4281.22Slukem next; 4291.22Slukem 4301.15Smrg readonly = 0; 4311.15Smrg for (i = 2; i <= NF; ++i) { 4321.15Smrg if ($i ~ /-ro/) 4331.15Smrg readonly = 1; 4341.15Smrg else if ($i !~ /^-/) 4351.15Smrg next; 4361.15Smrg } 4371.15Smrg if (readonly) 4381.15Smrg print "File system " $1 " globally exported, read-only." 4391.15Smrg else 4401.15Smrg print "File system " $1 " globally exported, read-write." 4411.32Slukem }' < /etc/exports > $OUTPUT 4421.32Slukem if [ -s $OUTPUT ] ; then 4431.15Smrg printf "\nChecking for globally exported file systems.\n" 4441.15Smrg cat $OUTPUT 4451.15Smrg fi 4461.9Scgdfi 4471.9Scgd 4481.9Scgd# Display any changes in setuid files and devices. 4491.32Slukem# 4501.31Slukemif checkyesno check_devices; then 4511.28Slukem > $ERR 4521.15Smrg (find / \( ! -fstype local -o -fstype fdesc -o -fstype kernfs \ 4531.15Smrg -o -fstype procfs \) -a -prune -o \ 4541.21Smycroft \( \( -perm -u+s -a ! -type d \) -o \ 4551.21Smycroft \( -perm -g+s -a ! -type d \) -o \ 4561.24Slukem -type b -o -type c \) -print0 | \ 4571.24Slukem xargs -0 ls -ldgTq | sort +9 > $LIST) 2> $OUTPUT 4581.15Smrg 4591.15Smrg # Display any errors that occurred during system file walk. 4601.15Smrg if [ -s $OUTPUT ] ; then 4611.28Slukem printf "Setuid/device find errors:\n" >> $ERR 4621.28Slukem cat $OUTPUT >> $ERR 4631.28Slukem printf "\n" >> $ERR 4641.15Smrg fi 4651.15Smrg 4661.15Smrg # Display any changes in the setuid file list. 4671.15Smrg egrep -v '^[bc]' $LIST > $TMP1 4681.15Smrg if [ -s $TMP1 ] ; then 4691.15Smrg # Check to make sure uudecode isn't setuid. 4701.15Smrg if grep -w uudecode $TMP1 > /dev/null ; then 4711.28Slukem printf "\nUudecode is setuid.\n" >> $ERR 4721.15Smrg fi 4731.15Smrg 4741.15Smrg CUR=/var/backups/setuid.current 4751.15Smrg BACK=/var/backups/setuid.backup 4761.9Scgd 4771.15Smrg if [ -s $CUR ] ; then 4781.15Smrg if cmp -s $CUR $TMP1 ; then 4791.15Smrg : 4801.15Smrg else 4811.15Smrg > $TMP2 4821.15Smrg join -110 -210 -v2 $CUR $TMP1 > $OUTPUT 4831.15Smrg if [ -s $OUTPUT ] ; then 4841.28Slukem printf "Setuid additions:\n" >> $ERR 4851.28Slukem tee -a $TMP2 < $OUTPUT >> $ERR 4861.28Slukem printf "\n" >> $ERR 4871.15Smrg fi 4881.15Smrg 4891.15Smrg join -110 -210 -v1 $CUR $TMP1 > $OUTPUT 4901.15Smrg if [ -s $OUTPUT ] ; then 4911.28Slukem printf "Setuid deletions:\n" >> $ERR 4921.28Slukem tee -a $TMP2 < $OUTPUT >> $ERR 4931.28Slukem printf "\n" >> $ERR 4941.15Smrg fi 4951.15Smrg 4961.20Smycroft sort -k10 $TMP2 $CUR $TMP1 | \ 4971.27Slukem sed -e 's/[ ][ ]*/ /g' | \ 4981.27Slukem uniq -u > $OUTPUT 4991.15Smrg if [ -s $OUTPUT ] ; then 5001.28Slukem printf "Setuid changes:\n" >> $ERR 5011.28Slukem column -t $OUTPUT >> $ERR 5021.28Slukem printf "\n" >> $ERR 5031.15Smrg fi 5041.9Scgd 5051.15Smrg cp $CUR $BACK 5061.15Smrg cp $TMP1 $CUR 5071.9Scgd fi 5081.15Smrg else 5091.28Slukem printf "Setuid additions:\n" >> $ERR 5101.28Slukem column -t $TMP1 >> $ERR 5111.28Slukem printf "\n" >> $ERR 5121.9Scgd cp $TMP1 $CUR 5131.9Scgd fi 5141.15Smrg fi 5151.15Smrg 5161.27Slukem # Check for block and character disk devices that are readable or 5171.27Slukem # writeable or not owned by root.operator. 5181.15Smrg >$TMP1 5191.27Slukem DISKLIST="acd ccd cd ch fd hk hp mcd md ra rb rd rl rx rz \ 5201.27Slukem sd se ss tz uk up vnd wd xd xy" 5211.27Slukem# DISKLIST="$DISKLIST ct mt st wt" 5221.15Smrg for i in $DISKLIST; do 5231.15Smrg egrep "^b.*/${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1 5241.15Smrg egrep "^c.*/r${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1 5251.15Smrg done 5261.15Smrg 5271.15Smrg awk '$3 != "root" || $4 != "operator" || $1 !~ /.rw-r-----/ \ 5281.25Slukem { printf "Disk %s is user %s, group %s, permissions %s.\n", \ 5291.25Slukem $11, $3, $4, $1; }' < $TMP1 > $OUTPUT 5301.15Smrg if [ -s $OUTPUT ] ; then 5311.28Slukem printf "\nChecking disk ownership and permissions.\n" >> $ERR 5321.28Slukem cat $OUTPUT >> $ERR 5331.28Slukem printf "\n" >> $ERR 5341.9Scgd fi 5351.9Scgd 5361.15Smrg # Display any changes in the device file list. 5371.20Smycroft egrep '^[bc]' $LIST | sort -k11 > $TMP1 5381.15Smrg if [ -s $TMP1 ] ; then 5391.15Smrg CUR=/var/backups/device.current 5401.15Smrg BACK=/var/backups/device.backup 5411.15Smrg 5421.15Smrg if [ -s $CUR ] ; then 5431.15Smrg if cmp -s $CUR $TMP1 ; then 5441.15Smrg : 5451.15Smrg else 5461.15Smrg > $TMP2 5471.15Smrg join -111 -211 -v2 $CUR $TMP1 > $OUTPUT 5481.15Smrg if [ -s $OUTPUT ] ; then 5491.28Slukem printf "Device additions:\n" >> $ERR 5501.28Slukem tee -a $TMP2 < $OUTPUT >> $ERR 5511.28Slukem printf "\n" >> $ERR 5521.15Smrg fi 5531.15Smrg 5541.15Smrg join -111 -211 -v1 $CUR $TMP1 > $OUTPUT 5551.15Smrg if [ -s $OUTPUT ] ; then 5561.28Slukem printf "Device deletions:\n" >> $ERR 5571.28Slukem tee -a $TMP2 < $OUTPUT >> $ERR 5581.28Slukem printf "\n" >> $ERR 5591.15Smrg fi 5601.15Smrg 5611.27Slukem # Report any block device change. Ignore 5621.27Slukem # character devices, only the name is 5631.27Slukem # significant. 5641.15Smrg cat $TMP2 $CUR $TMP1 | \ 5651.27Slukem sed -e '/^c/d' | \ 5661.27Slukem sort -k11 | \ 5671.27Slukem sed -e 's/[ ][ ]*/ /g' | \ 5681.27Slukem uniq -u > $OUTPUT 5691.15Smrg if [ -s $OUTPUT ] ; then 5701.28Slukem printf "Block device changes:\n" >> $ERR 5711.28Slukem column -t $OUTPUT >> $ERR 5721.28Slukem printf "\n" >> $ERR 5731.15Smrg fi 5741.9Scgd 5751.15Smrg cp $CUR $BACK 5761.15Smrg cp $TMP1 $CUR 5771.9Scgd fi 5781.15Smrg else 5791.28Slukem printf "Device additions:\n" >> $ERR 5801.28Slukem column -t $TMP1 >> $ERR 5811.28Slukem printf "\n" >> $ERR 5821.28Slukem cp $TMP1 $CUR >> $ERR 5831.9Scgd fi 5841.28Slukem fi 5851.28Slukem if [ -s $ERR ] ; then 5861.28Slukem printf "\nChecking setuid files and devices:\n" 5871.28Slukem cat $ERR 5881.28Slukem printf "\n" 5891.9Scgd fi 5901.9Scgdfi 5911.9Scgd 5921.9Scgd# Check special files. 5931.9Scgd# Check system binaries. 5941.9Scgd# 5951.9Scgd# Create the mtree tree specifications using: 5961.9Scgd# 5971.9Scgd# mtree -cx -pDIR -kcksum,gid,mode,nlink,size,link,time,uid > DIR.secure 5981.16Smikel# chown root.wheel DIR.secure 5991.16Smikel# chmod 600 DIR.secure 6001.9Scgd# 6011.9Scgd# Note, this is not complete protection against Trojan horsed binaries, as 6021.9Scgd# the hacker can modify the tree specification to match the replaced binary. 6031.9Scgd# For details on really protecting yourself against modified binaries, see 6041.9Scgd# the mtree(8) manual page. 6051.32Slukem# 6061.31Slukemif checkyesno check_mtree; then 6071.9Scgd mtree -e -p / -f /etc/mtree/special > $OUTPUT 6081.15Smrg if [ -s $OUTPUT ]; then 6091.9Scgd printf "\nChecking special files and directories.\n" 6101.9Scgd cat $OUTPUT 6111.9Scgd fi 6121.9Scgd 6131.9Scgd > $OUTPUT 6141.16Smikel for file in /etc/mtree/*.secure; do 6151.16Smikel [ $file = '/etc/mtree/*.secure' ] && continue 6161.9Scgd tree=`sed -n -e '3s/.* //p' -e 3q $file` 6171.9Scgd mtree -f $file -p $tree > $TMP1 6181.9Scgd if [ -s $TMP1 ]; then 6191.9Scgd printf "\nChecking $tree:\n" >> $OUTPUT 6201.9Scgd cat $TMP1 >> $OUTPUT 6211.9Scgd fi 6221.9Scgd done 6231.15Smrg if [ -s $OUTPUT ]; then 6241.9Scgd printf "\nChecking system binaries:\n" 6251.9Scgd cat $OUTPUT 6261.9Scgd fi 6271.9Scgdfi 6281.9Scgd 6291.32SlukemCHANGELIST="" 6301.32Slukem 6311.32Slukem# Backup disklabels of available disks 6321.32Slukem# 6331.32Slukemif checkyesno check_disklabels; then 6341.32Slukem # generate list of old disklabels and remove them 6351.32Slukem ls -1d /var/backups/disklabel.* 2>/dev/null | 6361.32Slukem egrep -v '\.(backup|current)$' > $LABELS 6371.32Slukem xargs rm < $LABELS 6381.32Slukem 6391.32Slukem disks=`iostat -x | sed 1d | awk '$1 !~ /^[mf]d/ { print $1; }'` 6401.32Slukem for i in $disks; do 6411.32Slukem dlf="/var/backups/disklabel.$i" 6421.32Slukem disklabel $i > $dlf 2>/dev/null 6431.32Slukem done 6441.32Slukem 6451.32Slukem # append list of new disklabels, sort list 6461.32Slukem ls -1d /var/backups/disklabel.* 2>/dev/null | 6471.32Slukem egrep -v '\.(backup|current)$' >> $LABELS 6481.32Slukem sort -u -o $LABELS $LABELS 6491.32Slukem CHANGELIST=$LABELS 6501.32Slukemfi 6511.32Slukem 6521.9Scgd# List of files that get backed up and checked for any modifications. Each 6531.9Scgd# file is expected to have two backups, /var/backups/file.{current,backup}. 6541.9Scgd# Any changes cause the files to rotate. 6551.32Slukem# 6561.31Slukemif checkyesno check_changelist && [ -s /etc/changelist ] ; then 6571.32Slukem CHANGELIST="/etc/changelist $CHANGELIST" 6581.32Slukemfi 6591.32Slukem 6601.32Slukemif [ -n "$CHANGELIST" ]; then 6611.32Slukem for file in `egrep -hv "^#|$MP" $CHANGELIST`; do 6621.9Scgd CUR=/var/backups/`basename $file`.current 6631.9Scgd BACK=/var/backups/`basename $file`.backup 6641.30Smycroft if [ -f $file ]; then 6651.30Smycroft if [ -f $CUR ] ; then 6661.9Scgd diff $CUR $file > $OUTPUT 6671.9Scgd if [ -s $OUTPUT ] ; then 6681.9Scgd printf "\n======\n%s diffs (OLD < > NEW)\n======\n" $file 6691.9Scgd cat $OUTPUT 6701.30Smycroft mv -f $CUR $BACK 6711.9Scgd cp -p $file $CUR 6721.30Smycroft chown root.wheel $CUR 6731.9Scgd fi 6741.9Scgd else 6751.30Smycroft printf "\n======\n%s added\n======\n" $file 6761.30Smycroft diff /dev/null $file 6771.9Scgd cp -p $file $CUR 6781.9Scgd chown root.wheel $CUR 6791.30Smycroft fi 6801.30Smycroft else 6811.30Smycroft if [ -f $CUR ]; then 6821.30Smycroft printf "\n======\n%s removed\n======\n" $file 6831.30Smycroft diff $CUR /dev/null 6841.30Smycroft mv -f $CUR $BACK 6851.9Scgd fi 6861.9Scgd fi 6871.9Scgd done 6881.9Scgdfi 689