security revision 1.37
11.1Scgd#!/bin/sh - 21.1Scgd# 31.37Swrstuden# $NetBSD: security,v 1.37 1999/03/17 19:11:05 wrstuden Exp $ 41.9Scgd# from: @(#)security 8.1 (Berkeley) 6/9/93 51.1Scgd# 61.1Scgd 71.9ScgdPATH=/sbin:/usr/sbin:/bin:/usr/bin 81.1Scgd 91.31Slukemif [ -f /etc/rc.subr ]; then 101.31Slukem . /etc/rc.subr 111.31Slukemelse 121.31Slukem echo "Can't read /etc/rc.subr; aborting." 131.31Slukem exit 1; 141.31Slukemfi 151.31Slukem 161.9Scgdumask 077 171.1Scgd 181.15Smrgif [ -s /etc/security.conf ]; then 191.15Smrg . /etc/security.conf 201.15Smrgfi 211.15Smrg 221.15SmrgSECUREDIR=/tmp/_securedir.$$ 231.15Smrgif ! mkdir $SECUREDIR; then 241.15Smrg echo can not create $SECUREDIR. 251.15Smrg exit 1 261.15Smrgfi 271.15Smrg 281.15Smrgif ! cd $SECUREDIR; then 291.15Smrg echo can not chdir to $SECUREDIR. 301.15Smrg exit 1 311.15Smrgfi 321.15Smrg 331.34Sabsif [ -z "$max_loginlen" ];then 341.34Sabs max_loginlen=8 351.34Sabsfi 361.34Sabs 371.15SmrgERR=secure1.$$ 381.15SmrgTMP1=secure2.$$ 391.15SmrgTMP2=secure3.$$ 401.28SlukemMPBYUID=secure4.$$ 411.29SlukemMPBYPATH=secure5.$$ 421.27SlukemLIST=secure6.$$ 431.27SlukemOUTPUT=secure7.$$ 441.32SlukemLABELS=secure8.$$ 451.15Smrg 461.27Slukemtrap '/bin/rm -rf $SECUREDIR ; exit 0' 0 2 3 471.15Smrg 481.15SmrgMP=/etc/master.passwd 491.9Scgd 501.27Slukem# these is used several times. 511.34Sabsawk -F: '!/^+/ { print $1 " " $3 }' $MP | sort -k2n > $MPBYUID 521.29Slukemawk -F: '{ print $1 " " $9 }' $MP | sort -k2 > $MPBYPATH 531.9Scgd 541.9Scgd# Check the master password file syntax. 551.32Slukem# 561.31Slukemif checkyesno check_passwd; then 571.34Sabs awk -v "len=$max_loginlen" ' 581.25Slukem BEGIN { 591.25Slukem while ( getline < "/etc/shells" > 0 ) { 601.25Slukem if ($LINE ~ /^\#/ || $LINE ~ /^$/ ) 611.25Slukem continue; 621.25Slukem shells[$1]++; 631.25Slukem } 641.25Slukem FS=":"; 651.25Slukem } 661.25Slukem 671.25Slukem { 681.15Smrg if ($0 ~ /^[ ]*$/) { 691.25Slukem printf "Line %d is a blank line.\n", NR; 701.15Smrg next; 711.15Smrg } 721.34Sabs if (NF != 10 && ($1 != "+" || NF != 1)) 731.25Slukem printf "Line %d has the wrong number of fields.\n", NR; 741.34Sabs if ($1 == "+" ) { 751.34Sabs if (NF != 1 && $3 == 0) 761.34Sabs printf "Line %d includes entries with uid 0.\n", NR; 771.34Sabs next; 781.34Sabs } 791.15Smrg if ($1 !~ /^[A-Za-z0-9]*$/) 801.25Slukem printf "Login %s has non-alphanumeric characters.\n", 811.25Slukem $1; 821.34Sabs if (length($1) > len) 831.34Sabs printf "Login %s has more than "len" characters.\n", $1; 841.15Smrg if ($2 == "") 851.25Slukem printf "Login %s has no password.\n", $1; 861.33Stv if (length($2) != 13 && length($2) != 20 && $2 != "") { 871.25Slukem if ($10 == "" || shells[$10]) 881.27Slukem printf "Login %s is off but still has a valid shell (%s)\n", 891.25Slukem $1, $10; 901.25Slukem } else if (! shells[$10]) 911.25Slukem printf "Login %s does not have a valid shell (%s)\n", 921.25Slukem $1, $10; 931.15Smrg if ($3 == 0 && $1 != "root" && $1 != "toor") 941.25Slukem printf "Login %s has a user id of 0.\n", $1; 951.15Smrg if ($3 < 0) 961.25Slukem printf "Login %s has a negative user id.\n", $1; 971.15Smrg if ($4 < 0) 981.25Slukem printf "Login %s has a negative group id.\n", $1; 991.15Smrg }' < $MP > $OUTPUT 1001.15Smrg if [ -s $OUTPUT ] ; then 1011.15Smrg printf "\nChecking the $MP file:\n" 1021.15Smrg cat $OUTPUT 1031.15Smrg fi 1041.15Smrg 1051.15Smrg awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT 1061.15Smrg if [ -s $OUTPUT ] ; then 1071.15Smrg printf "\n$MP has duplicate user names.\n" 1081.15Smrg column $OUTPUT 1091.15Smrg fi 1101.15Smrg 1111.37Swrstuden# To not exclude 'toor', a standard duplicate root account, from the duplicate 1121.37Swrstuden# account test, uncomment the line below (without egrep in it)and comment 1131.37Swrstuden# out the line (with egrep in it) below it. 1141.37Swrstuden# 1151.37Swrstuden# < $MPBYUID uniq -d -f 1 | awk '{ print $2 }' > $TMP2 1161.36Swrstuden < $MPBYUID egrep -v '^toor ' | uniq -d -f 1 | awk '{ print $2 }' > $TMP2 1171.15Smrg if [ -s $TMP2 ] ; then 1181.15Smrg printf "\n$MP has duplicate user id's.\n" 1191.15Smrg while read uid; do 1201.28Slukem grep -w $uid $MPBYUID 1211.15Smrg done < $TMP2 | column 1221.15Smrg fi 1231.9Scgdfi 1241.9Scgd 1251.9Scgd# Backup the master password file; a special case, the normal backup 1261.9Scgd# mechanisms also print out file differences and we don't want to do 1271.9Scgd# that because this file has encrypted passwords in it. 1281.32Slukem# 1291.9ScgdCUR=/var/backups/`basename $MP`.current 1301.9ScgdBACK=/var/backups/`basename $MP`.backup 1311.9Scgdif [ -s $CUR ] ; then 1321.9Scgd if cmp -s $CUR $MP; then 1331.9Scgd : 1341.9Scgd else 1351.9Scgd cp -p $CUR $BACK 1361.9Scgd cp -p $MP $CUR 1371.9Scgd chown root.wheel $CUR 1381.9Scgd fi 1391.9Scgdelse 1401.9Scgd cp -p $MP $CUR 1411.9Scgd chown root.wheel $CUR 1421.9Scgdfi 1431.9Scgd 1441.9Scgd# Check the group file syntax. 1451.32Slukem# 1461.31Slukemif checkyesno check_group; then 1471.15Smrg GRP=/etc/group 1481.15Smrg awk -F: '{ 1491.15Smrg if ($0 ~ /^[ ]*$/) { 1501.25Slukem printf "Line %d is a blank line.\n", NR; 1511.15Smrg next; 1521.15Smrg } 1531.34Sabs if (NF != 4 && ($1 != "+" || NF != 1)) 1541.25Slukem printf "Line %d has the wrong number of fields.\n", NR; 1551.34Sabs if ($1 == "+" ) { 1561.34Sabs next; 1571.34Sabs } 1581.15Smrg if ($1 !~ /^[A-za-z0-9]*$/) 1591.25Slukem printf "Group %s has non-alphanumeric characters.\n", 1601.25Slukem $1; 1611.15Smrg if (length($1) > 8) 1621.25Slukem printf "Group %s has more than 8 characters.\n", $1; 1631.15Smrg if ($3 !~ /[0-9]*/) 1641.25Slukem printf "Login %s has a negative group id.\n", $1; 1651.15Smrg }' < $GRP > $OUTPUT 1661.15Smrg if [ -s $OUTPUT ] ; then 1671.15Smrg printf "\nChecking the $GRP file:\n" 1681.15Smrg cat $OUTPUT 1691.15Smrg fi 1701.15Smrg 1711.15Smrg awk -F: '{ print $1 }' $GRP | sort | uniq -d > $OUTPUT 1721.15Smrg if [ -s $OUTPUT ] ; then 1731.15Smrg printf "\n$GRP has duplicate group names.\n" 1741.15Smrg column $OUTPUT 1751.15Smrg fi 1761.9Scgdfi 1771.9Scgd 1781.9Scgd# Check for root paths, umask values in startup files. 1791.9Scgd# The check for the root paths is problematical -- it's likely to fail 1801.9Scgd# in other environments. Once the shells have been modified to warn 1811.9Scgd# of '.' in the path, the path tests should go away. 1821.32Slukem# 1831.31Slukemif checkyesno check_rootdotfiles; then 1841.28Slukem > $OUTPUT 1851.15Smrg rhome=`csh -fc "echo ~root"` 1861.15Smrg umaskset=no 1871.15Smrg list="/etc/csh.cshrc /etc/csh.login ${rhome}/.cshrc ${rhome}/.login" 1881.15Smrg for i in $list ; do 1891.15Smrg if [ -f $i ] ; then 1901.15Smrg if egrep umask $i > /dev/null ; then 1911.15Smrg umaskset=yes 1921.15Smrg fi 1931.15Smrg egrep umask $i | 1941.15Smrg awk '$2 % 100 < 20 \ 1951.27Slukem { print "\tRoot umask is group writeable" } 1961.15Smrg $2 % 10 < 2 \ 1971.27Slukem { print "\tRoot umask is other writeable" }' \ 1981.27Slukem >> $OUTPUT 1991.26Slukem SAVE_PATH=$PATH 2001.26Slukem unset PATH 2011.15Smrg /bin/csh -f -s << end-of-csh > /dev/null 2>&1 2021.15Smrg source $i 2031.15Smrg /bin/ls -ldgT \$path > $TMP1 2041.9Scgdend-of-csh 2051.26Slukem PATH=$SAVE_PATH 2061.15Smrg awk '{ 2071.15Smrg if ($10 ~ /^\.$/) { 2081.27Slukem print "\tThe root path includes ."; 2091.15Smrg next; 2101.15Smrg } 2111.15Smrg } 2121.15Smrg $1 ~ /^d....w/ \ 2131.27Slukem { print "\tRoot path directory " $10 " is group writeable." } \ 2141.15Smrg $1 ~ /^d.......w/ \ 2151.27Slukem { print "\tRoot path directory " $10 " is other writeable." }' \ 2161.15Smrg < $TMP1 >> $OUTPUT 2171.15Smrg fi 2181.15Smrg done 2191.15Smrg if [ $umaskset = "no" -o -s $OUTPUT ] ; then 2201.27Slukem printf "\nChecking root csh paths, umask values:\n$list\n\n" 2211.15Smrg if [ -s $OUTPUT ]; then 2221.15Smrg cat $OUTPUT 2231.15Smrg fi 2241.15Smrg if [ $umaskset = "no" ] ; then 2251.27Slukem printf "\tRoot csh startup files do not set the umask.\n" 2261.15Smrg fi 2271.9Scgd fi 2281.9Scgd 2291.28Slukem > $OUTPUT 2301.15Smrg rhome=/root 2311.15Smrg umaskset=no 2321.23Slukem list="/etc/profile ${rhome}/.profile" 2331.15Smrg for i in $list; do 2341.15Smrg if [ -f $i ] ; then 2351.15Smrg if egrep umask $i > /dev/null ; then 2361.15Smrg umaskset=yes 2371.15Smrg fi 2381.15Smrg egrep umask $i | 2391.15Smrg awk '$2 % 100 < 20 \ 2401.27Slukem { print "\tRoot umask is group writeable" } \ 2411.15Smrg $2 % 10 < 2 \ 2421.27Slukem { print "\tRoot umask is other writeable" }' \ 2431.27Slukem >> $OUTPUT 2441.26Slukem SAVE_PATH=$PATH 2451.26Slukem unset PATH 2461.15Smrg /bin/sh << end-of-sh > /dev/null 2>&1 2471.15Smrg . $i 2481.26Slukem list=\`echo \$PATH | /usr/bin/sed -e \ 2491.26Slukem 's/^:/.:/;s/:$/:./;s/::/:.:/g;s/:/ /g'\` 2501.15Smrg /bin/ls -ldgT \$list > $TMP1 2511.9Scgdend-of-sh 2521.26Slukem PATH=$SAVE_PATH 2531.15Smrg awk '{ 2541.15Smrg if ($10 ~ /^\.$/) { 2551.27Slukem print "\tThe root path includes ."; 2561.15Smrg next; 2571.15Smrg } 2581.15Smrg } 2591.15Smrg $1 ~ /^d....w/ \ 2601.27Slukem { print "\tRoot path directory " $10 " is group writeable." } \ 2611.15Smrg $1 ~ /^d.......w/ \ 2621.27Slukem { print "\tRoot path directory " $10 " is other writeable." }' \ 2631.15Smrg < $TMP1 >> $OUTPUT 2641.9Scgd 2651.15Smrg fi 2661.15Smrg done 2671.15Smrg if [ $umaskset = "no" -o -s $OUTPUT ] ; then 2681.15Smrg printf "\nChecking root sh paths, umask values:\n$list\n" 2691.15Smrg if [ -s $OUTPUT ]; then 2701.15Smrg cat $OUTPUT 2711.15Smrg fi 2721.15Smrg if [ $umaskset = "no" ] ; then 2731.27Slukem printf "\tRoot sh startup files do not set the umask.\n" 2741.15Smrg fi 2751.9Scgd fi 2761.9Scgdfi 2771.9Scgd 2781.9Scgd# Root and uucp should both be in /etc/ftpusers. 2791.32Slukem# 2801.31Slukemif checkyesno check_ftpusers; then 2811.28Slukem > $OUTPUT 2821.28Slukem list="uucp "`awk '$2 == 0 { print $1 }' $MPBYUID` 2831.27Slukem for i in $list; do 2841.29Slukem if /usr/libexec/ftpd -C $i ; then 2851.29Slukem printf "\t$i is not denied\n" >> $OUTPUT 2861.27Slukem fi 2871.27Slukem done 2881.28Slukem if [ -s $OUTPUT ]; then 2891.28Slukem printf "\nChecking the /etc/ftpusers configuration:\n" 2901.28Slukem cat $OUTPUT 2911.28Slukem fi 2921.9Scgdfi 2931.9Scgd 2941.9Scgd# Uudecode should not be in the /etc/aliases file. 2951.32Slukem# 2961.31Slukemif checkyesno check_aliases; then 2971.18Smikel if egrep '^[^#]*(uudecode|decode).*\|' /etc/aliases; then 2981.18Smikel printf "\nEntry for uudecode in /etc/aliases file.\n" 2991.15Smrg fi 3001.9Scgdfi 3011.9Scgd 3021.9Scgd# Files that should not have + signs. 3031.32Slukem# 3041.31Slukemif checkyesno check_rhosts; then 3051.15Smrg list="/etc/hosts.equiv /etc/hosts.lpd" 3061.15Smrg for f in $list ; do 3071.15Smrg if [ -f $f ] && egrep '\+' $f > /dev/null ; then 3081.15Smrg printf "\nPlus sign in $f file.\n" 3091.15Smrg fi 3101.15Smrg done 3111.15Smrg 3121.15Smrg # Check for special users with .rhosts files. Only root and toor should 3131.16Smikel # have .rhosts files. Also, .rhosts files should not have plus signs. 3141.15Smrg awk -F: '$1 != "root" && $1 != "toor" && \ 3151.15Smrg ($3 < 100 || $1 == "ftp" || $1 == "uucp") \ 3161.20Smycroft { print $1 " " $9 }' $MP | 3171.19Smycroft sort -k2 | 3181.15Smrg while read uid homedir; do 3191.15Smrg if [ -f ${homedir}/.rhosts ] ; then 3201.15Smrg rhost=`ls -ldgT ${homedir}/.rhosts` 3211.15Smrg printf "$uid: $rhost\n" 3221.15Smrg fi 3231.15Smrg done > $OUTPUT 3241.15Smrg if [ -s $OUTPUT ] ; then 3251.15Smrg printf "\nChecking for special users with .rhosts files.\n" 3261.15Smrg cat $OUTPUT 3271.15Smrg fi 3281.15Smrg 3291.15Smrg while read uid homedir; do 3301.35Sfair if [ -f ${homedir}/.rhosts -a -r ${homedir}/.rhosts ] && \ 3311.15Smrg egrep '\+' ${homedir}/.rhosts > /dev/null ; then 3321.15Smrg printf "$uid: + in .rhosts file.\n" 3331.15Smrg fi 3341.29Slukem done < $MPBYPATH > $OUTPUT 3351.15Smrg if [ -s $OUTPUT ] ; then 3361.15Smrg printf "\nChecking .rhosts files syntax.\n" 3371.15Smrg cat $OUTPUT 3381.15Smrg fi 3391.9Scgdfi 3401.9Scgd 3411.9Scgd# Check home directories. Directories should not be owned by someone else 3421.9Scgd# or writeable. 3431.32Slukem# 3441.31Slukemif checkyesno check_homes; then 3451.15Smrg while read uid homedir; do 3461.15Smrg if [ -d ${homedir}/ ] ; then 3471.15Smrg file=`ls -ldgT ${homedir}` 3481.15Smrg printf "$uid $file\n" 3491.9Scgd fi 3501.29Slukem done < $MPBYPATH | 3511.15Smrg awk '$1 != $4 && $4 != "root" \ 3521.15Smrg { print "user " $1 " home directory is owned by " $4 } 3531.15Smrg $2 ~ /^-....w/ \ 3541.15Smrg { print "user " $1 " home directory is group writeable" } 3551.15Smrg $2 ~ /^-.......w/ \ 3561.27Slukem { print "user " $1 " home directory is other writeable" }' \ 3571.27Slukem > $OUTPUT 3581.15Smrg if [ -s $OUTPUT ] ; then 3591.15Smrg printf "\nChecking home directories.\n" 3601.15Smrg cat $OUTPUT 3611.15Smrg fi 3621.15Smrg 3631.15Smrg # Files that should not be owned by someone else or readable. 3641.27Slukem list=".Xauthority .netrc" 3651.15Smrg while read uid homedir; do 3661.15Smrg for f in $list ; do 3671.15Smrg file=${homedir}/${f} 3681.15Smrg if [ -f $file ] ; then 3691.15Smrg printf "$uid $f `ls -ldgT $file`\n" 3701.15Smrg fi 3711.15Smrg done 3721.29Slukem done < $MPBYPATH | 3731.15Smrg awk '$1 != $5 && $5 != "root" \ 3741.15Smrg { print "user " $1 " " $2 " file is owned by " $5 } 3751.15Smrg $3 ~ /^-...r/ \ 3761.15Smrg { print "user " $1 " " $2 " file is group readable" } 3771.15Smrg $3 ~ /^-......r/ \ 3781.15Smrg { print "user " $1 " " $2 " file is other readable" } 3791.15Smrg $3 ~ /^-....w/ \ 3801.15Smrg { print "user " $1 " " $2 " file is group writeable" } 3811.15Smrg $3 ~ /^-.......w/ \ 3821.27Slukem { print "user " $1 " " $2 " file is other writeable" }' \ 3831.27Slukem > $OUTPUT 3841.15Smrg 3851.15Smrg # Files that should not be owned by someone else or writeable. 3861.19Smycroft list=".bash_history .bash_login .bash_logout .bash_profile .bashrc \ 3871.19Smycroft .cshrc .emacs .exrc .forward .history .klogin .login .logout \ 3881.27Slukem .profile .qmail .rc_history .rhosts .tcshrc .twmrc .xinitrc \ 3891.27Slukem .xsession" 3901.15Smrg while read uid homedir; do 3911.15Smrg for f in $list ; do 3921.15Smrg file=${homedir}/${f} 3931.15Smrg if [ -f $file ] ; then 3941.15Smrg printf "$uid $f `ls -ldgT $file`\n" 3951.15Smrg fi 3961.15Smrg done 3971.29Slukem done < $MPBYPATH | 3981.15Smrg awk '$1 != $5 && $5 != "root" \ 3991.15Smrg { print "user " $1 " " $2 " file is owned by " $5 } 4001.15Smrg $3 ~ /^-....w/ \ 4011.15Smrg { print "user " $1 " " $2 " file is group writeable" } 4021.15Smrg $3 ~ /^-.......w/ \ 4031.27Slukem { print "user " $1 " " $2 " file is other writeable" }' \ 4041.27Slukem >> $OUTPUT 4051.15Smrg if [ -s $OUTPUT ] ; then 4061.15Smrg printf "\nChecking dot files.\n" 4071.15Smrg cat $OUTPUT 4081.15Smrg fi 4091.9Scgdfi 4101.9Scgd 4111.9Scgd# Mailboxes should be owned by user and unreadable. 4121.32Slukem# 4131.31Slukemif checkyesno check_varmail; then 4141.15Smrg ls -l /var/mail | sed 1d | \ 4151.15Smrg awk '$3 != $9 \ 4161.15Smrg { print "user " $9 " mailbox is owned by " $3 } 4171.15Smrg $1 != "-rw-------" \ 4181.15Smrg { print "user " $9 " mailbox is " $1 ", group " $4 }' > $OUTPUT 4191.15Smrg if [ -s $OUTPUT ] ; then 4201.15Smrg printf "\nChecking mailbox ownership.\n" 4211.15Smrg cat $OUTPUT 4221.15Smrg fi 4231.15Smrgfi 4241.15Smrg 4251.32Slukem# NFS exports shouldn't be globally exported 4261.32Slukem# 4271.32Slukemif checkyesno check_nfs && [ -f /etc/exports ]; then 4281.32Slukem awk '{ 4291.22Slukem # ignore comments and blank lines 4301.22Slukem if ($LINE ~ /^\#/ || $LINE ~ /^$/ ) 4311.22Slukem next; 4321.22Slukem 4331.15Smrg readonly = 0; 4341.15Smrg for (i = 2; i <= NF; ++i) { 4351.15Smrg if ($i ~ /-ro/) 4361.15Smrg readonly = 1; 4371.15Smrg else if ($i !~ /^-/) 4381.15Smrg next; 4391.15Smrg } 4401.15Smrg if (readonly) 4411.15Smrg print "File system " $1 " globally exported, read-only." 4421.15Smrg else 4431.15Smrg print "File system " $1 " globally exported, read-write." 4441.32Slukem }' < /etc/exports > $OUTPUT 4451.32Slukem if [ -s $OUTPUT ] ; then 4461.15Smrg printf "\nChecking for globally exported file systems.\n" 4471.15Smrg cat $OUTPUT 4481.15Smrg fi 4491.9Scgdfi 4501.9Scgd 4511.9Scgd# Display any changes in setuid files and devices. 4521.32Slukem# 4531.31Slukemif checkyesno check_devices; then 4541.28Slukem > $ERR 4551.15Smrg (find / \( ! -fstype local -o -fstype fdesc -o -fstype kernfs \ 4561.15Smrg -o -fstype procfs \) -a -prune -o \ 4571.21Smycroft \( \( -perm -u+s -a ! -type d \) -o \ 4581.21Smycroft \( -perm -g+s -a ! -type d \) -o \ 4591.24Slukem -type b -o -type c \) -print0 | \ 4601.24Slukem xargs -0 ls -ldgTq | sort +9 > $LIST) 2> $OUTPUT 4611.15Smrg 4621.15Smrg # Display any errors that occurred during system file walk. 4631.15Smrg if [ -s $OUTPUT ] ; then 4641.28Slukem printf "Setuid/device find errors:\n" >> $ERR 4651.28Slukem cat $OUTPUT >> $ERR 4661.28Slukem printf "\n" >> $ERR 4671.15Smrg fi 4681.15Smrg 4691.15Smrg # Display any changes in the setuid file list. 4701.15Smrg egrep -v '^[bc]' $LIST > $TMP1 4711.15Smrg if [ -s $TMP1 ] ; then 4721.15Smrg # Check to make sure uudecode isn't setuid. 4731.15Smrg if grep -w uudecode $TMP1 > /dev/null ; then 4741.28Slukem printf "\nUudecode is setuid.\n" >> $ERR 4751.15Smrg fi 4761.15Smrg 4771.15Smrg CUR=/var/backups/setuid.current 4781.15Smrg BACK=/var/backups/setuid.backup 4791.9Scgd 4801.15Smrg if [ -s $CUR ] ; then 4811.15Smrg if cmp -s $CUR $TMP1 ; then 4821.15Smrg : 4831.15Smrg else 4841.15Smrg > $TMP2 4851.15Smrg join -110 -210 -v2 $CUR $TMP1 > $OUTPUT 4861.15Smrg if [ -s $OUTPUT ] ; then 4871.28Slukem printf "Setuid additions:\n" >> $ERR 4881.28Slukem tee -a $TMP2 < $OUTPUT >> $ERR 4891.28Slukem printf "\n" >> $ERR 4901.15Smrg fi 4911.15Smrg 4921.15Smrg join -110 -210 -v1 $CUR $TMP1 > $OUTPUT 4931.15Smrg if [ -s $OUTPUT ] ; then 4941.28Slukem printf "Setuid deletions:\n" >> $ERR 4951.28Slukem tee -a $TMP2 < $OUTPUT >> $ERR 4961.28Slukem printf "\n" >> $ERR 4971.15Smrg fi 4981.15Smrg 4991.20Smycroft sort -k10 $TMP2 $CUR $TMP1 | \ 5001.27Slukem sed -e 's/[ ][ ]*/ /g' | \ 5011.27Slukem uniq -u > $OUTPUT 5021.15Smrg if [ -s $OUTPUT ] ; then 5031.28Slukem printf "Setuid changes:\n" >> $ERR 5041.28Slukem column -t $OUTPUT >> $ERR 5051.28Slukem printf "\n" >> $ERR 5061.15Smrg fi 5071.9Scgd 5081.15Smrg cp $CUR $BACK 5091.15Smrg cp $TMP1 $CUR 5101.9Scgd fi 5111.15Smrg else 5121.28Slukem printf "Setuid additions:\n" >> $ERR 5131.28Slukem column -t $TMP1 >> $ERR 5141.28Slukem printf "\n" >> $ERR 5151.9Scgd cp $TMP1 $CUR 5161.9Scgd fi 5171.15Smrg fi 5181.15Smrg 5191.27Slukem # Check for block and character disk devices that are readable or 5201.27Slukem # writeable or not owned by root.operator. 5211.15Smrg >$TMP1 5221.27Slukem DISKLIST="acd ccd cd ch fd hk hp mcd md ra rb rd rl rx rz \ 5231.27Slukem sd se ss tz uk up vnd wd xd xy" 5241.27Slukem# DISKLIST="$DISKLIST ct mt st wt" 5251.15Smrg for i in $DISKLIST; do 5261.15Smrg egrep "^b.*/${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1 5271.15Smrg egrep "^c.*/r${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1 5281.15Smrg done 5291.15Smrg 5301.15Smrg awk '$3 != "root" || $4 != "operator" || $1 !~ /.rw-r-----/ \ 5311.25Slukem { printf "Disk %s is user %s, group %s, permissions %s.\n", \ 5321.25Slukem $11, $3, $4, $1; }' < $TMP1 > $OUTPUT 5331.15Smrg if [ -s $OUTPUT ] ; then 5341.28Slukem printf "\nChecking disk ownership and permissions.\n" >> $ERR 5351.28Slukem cat $OUTPUT >> $ERR 5361.28Slukem printf "\n" >> $ERR 5371.9Scgd fi 5381.9Scgd 5391.15Smrg # Display any changes in the device file list. 5401.20Smycroft egrep '^[bc]' $LIST | sort -k11 > $TMP1 5411.15Smrg if [ -s $TMP1 ] ; then 5421.15Smrg CUR=/var/backups/device.current 5431.15Smrg BACK=/var/backups/device.backup 5441.15Smrg 5451.15Smrg if [ -s $CUR ] ; then 5461.15Smrg if cmp -s $CUR $TMP1 ; then 5471.15Smrg : 5481.15Smrg else 5491.15Smrg > $TMP2 5501.15Smrg join -111 -211 -v2 $CUR $TMP1 > $OUTPUT 5511.15Smrg if [ -s $OUTPUT ] ; then 5521.28Slukem printf "Device additions:\n" >> $ERR 5531.28Slukem tee -a $TMP2 < $OUTPUT >> $ERR 5541.28Slukem printf "\n" >> $ERR 5551.15Smrg fi 5561.15Smrg 5571.15Smrg join -111 -211 -v1 $CUR $TMP1 > $OUTPUT 5581.15Smrg if [ -s $OUTPUT ] ; then 5591.28Slukem printf "Device deletions:\n" >> $ERR 5601.28Slukem tee -a $TMP2 < $OUTPUT >> $ERR 5611.28Slukem printf "\n" >> $ERR 5621.15Smrg fi 5631.15Smrg 5641.27Slukem # Report any block device change. Ignore 5651.27Slukem # character devices, only the name is 5661.27Slukem # significant. 5671.15Smrg cat $TMP2 $CUR $TMP1 | \ 5681.27Slukem sed -e '/^c/d' | \ 5691.27Slukem sort -k11 | \ 5701.27Slukem sed -e 's/[ ][ ]*/ /g' | \ 5711.27Slukem uniq -u > $OUTPUT 5721.15Smrg if [ -s $OUTPUT ] ; then 5731.28Slukem printf "Block device changes:\n" >> $ERR 5741.28Slukem column -t $OUTPUT >> $ERR 5751.28Slukem printf "\n" >> $ERR 5761.15Smrg fi 5771.9Scgd 5781.15Smrg cp $CUR $BACK 5791.15Smrg cp $TMP1 $CUR 5801.9Scgd fi 5811.15Smrg else 5821.28Slukem printf "Device additions:\n" >> $ERR 5831.28Slukem column -t $TMP1 >> $ERR 5841.28Slukem printf "\n" >> $ERR 5851.28Slukem cp $TMP1 $CUR >> $ERR 5861.9Scgd fi 5871.28Slukem fi 5881.28Slukem if [ -s $ERR ] ; then 5891.28Slukem printf "\nChecking setuid files and devices:\n" 5901.28Slukem cat $ERR 5911.28Slukem printf "\n" 5921.9Scgd fi 5931.9Scgdfi 5941.9Scgd 5951.9Scgd# Check special files. 5961.9Scgd# Check system binaries. 5971.9Scgd# 5981.9Scgd# Create the mtree tree specifications using: 5991.9Scgd# 6001.9Scgd# mtree -cx -pDIR -kcksum,gid,mode,nlink,size,link,time,uid > DIR.secure 6011.16Smikel# chown root.wheel DIR.secure 6021.16Smikel# chmod 600 DIR.secure 6031.9Scgd# 6041.9Scgd# Note, this is not complete protection against Trojan horsed binaries, as 6051.9Scgd# the hacker can modify the tree specification to match the replaced binary. 6061.9Scgd# For details on really protecting yourself against modified binaries, see 6071.9Scgd# the mtree(8) manual page. 6081.32Slukem# 6091.31Slukemif checkyesno check_mtree; then 6101.9Scgd mtree -e -p / -f /etc/mtree/special > $OUTPUT 6111.15Smrg if [ -s $OUTPUT ]; then 6121.9Scgd printf "\nChecking special files and directories.\n" 6131.9Scgd cat $OUTPUT 6141.9Scgd fi 6151.9Scgd 6161.9Scgd > $OUTPUT 6171.16Smikel for file in /etc/mtree/*.secure; do 6181.16Smikel [ $file = '/etc/mtree/*.secure' ] && continue 6191.9Scgd tree=`sed -n -e '3s/.* //p' -e 3q $file` 6201.9Scgd mtree -f $file -p $tree > $TMP1 6211.9Scgd if [ -s $TMP1 ]; then 6221.9Scgd printf "\nChecking $tree:\n" >> $OUTPUT 6231.9Scgd cat $TMP1 >> $OUTPUT 6241.9Scgd fi 6251.9Scgd done 6261.15Smrg if [ -s $OUTPUT ]; then 6271.9Scgd printf "\nChecking system binaries:\n" 6281.9Scgd cat $OUTPUT 6291.9Scgd fi 6301.9Scgdfi 6311.9Scgd 6321.32SlukemCHANGELIST="" 6331.32Slukem 6341.32Slukem# Backup disklabels of available disks 6351.32Slukem# 6361.32Slukemif checkyesno check_disklabels; then 6371.32Slukem # generate list of old disklabels and remove them 6381.32Slukem ls -1d /var/backups/disklabel.* 2>/dev/null | 6391.32Slukem egrep -v '\.(backup|current)$' > $LABELS 6401.32Slukem xargs rm < $LABELS 6411.32Slukem 6421.32Slukem disks=`iostat -x | sed 1d | awk '$1 !~ /^[mf]d/ { print $1; }'` 6431.32Slukem for i in $disks; do 6441.32Slukem dlf="/var/backups/disklabel.$i" 6451.32Slukem disklabel $i > $dlf 2>/dev/null 6461.32Slukem done 6471.32Slukem 6481.32Slukem # append list of new disklabels, sort list 6491.32Slukem ls -1d /var/backups/disklabel.* 2>/dev/null | 6501.32Slukem egrep -v '\.(backup|current)$' >> $LABELS 6511.32Slukem sort -u -o $LABELS $LABELS 6521.32Slukem CHANGELIST=$LABELS 6531.32Slukemfi 6541.32Slukem 6551.9Scgd# List of files that get backed up and checked for any modifications. Each 6561.9Scgd# file is expected to have two backups, /var/backups/file.{current,backup}. 6571.9Scgd# Any changes cause the files to rotate. 6581.32Slukem# 6591.31Slukemif checkyesno check_changelist && [ -s /etc/changelist ] ; then 6601.32Slukem CHANGELIST="/etc/changelist $CHANGELIST" 6611.32Slukemfi 6621.32Slukem 6631.32Slukemif [ -n "$CHANGELIST" ]; then 6641.32Slukem for file in `egrep -hv "^#|$MP" $CHANGELIST`; do 6651.9Scgd CUR=/var/backups/`basename $file`.current 6661.9Scgd BACK=/var/backups/`basename $file`.backup 6671.30Smycroft if [ -f $file ]; then 6681.30Smycroft if [ -f $CUR ] ; then 6691.9Scgd diff $CUR $file > $OUTPUT 6701.9Scgd if [ -s $OUTPUT ] ; then 6711.9Scgd printf "\n======\n%s diffs (OLD < > NEW)\n======\n" $file 6721.9Scgd cat $OUTPUT 6731.30Smycroft mv -f $CUR $BACK 6741.9Scgd cp -p $file $CUR 6751.30Smycroft chown root.wheel $CUR 6761.9Scgd fi 6771.9Scgd else 6781.30Smycroft printf "\n======\n%s added\n======\n" $file 6791.30Smycroft diff /dev/null $file 6801.9Scgd cp -p $file $CUR 6811.9Scgd chown root.wheel $CUR 6821.30Smycroft fi 6831.30Smycroft else 6841.30Smycroft if [ -f $CUR ]; then 6851.30Smycroft printf "\n======\n%s removed\n======\n" $file 6861.30Smycroft diff $CUR /dev/null 6871.30Smycroft mv -f $CUR $BACK 6881.9Scgd fi 6891.9Scgd fi 6901.9Scgd done 6911.9Scgdfi 692