security revision 1.25
1 #!/bin/sh - 2 # 3 # $NetBSD: security,v 1.25 1997/06/24 02:32:38 lukem Exp $ 4 # from: @(#)security 8.1 (Berkeley) 6/9/93 5 # 6 7 PATH=/sbin:/usr/sbin:/bin:/usr/bin 8 9 umask 077 10 11 if [ -s /etc/security.conf ]; then 12 . /etc/security.conf 13 fi 14 15 SECUREDIR=/tmp/_securedir.$$ 16 if ! mkdir $SECUREDIR; then 17 echo can not create $SECUREDIR. 18 exit 1 19 fi 20 21 if ! cd $SECUREDIR; then 22 echo can not chdir to $SECUREDIR. 23 exit 1 24 fi 25 26 ERR=secure1.$$ 27 TMP1=secure2.$$ 28 TMP2=secure3.$$ 29 TMP3=secure4.$$ 30 LIST=secure5.$$ 31 OUTPUT=secure6.$$ 32 33 trap 'rm -rf $SECUREDIR' 0 34 35 MP=/etc/master.passwd 36 37 # this is used several times. 38 awk -F: '{ print $1 " " $3 }' $MP | sort -k2n > $TMP1 39 40 # Check the master password file syntax. 41 if [ "$check_passwd" = YES ]; then 42 awk ' 43 BEGIN { 44 while ( getline < "/etc/shells" > 0 ) { 45 if ($LINE ~ /^\#/ || $LINE ~ /^$/ ) 46 continue; 47 shells[$1]++; 48 } 49 FS=":"; 50 } 51 52 { 53 if ($0 ~ /^[ ]*$/) { 54 printf "Line %d is a blank line.\n", NR; 55 next; 56 } 57 if (NF != 10) 58 printf "Line %d has the wrong number of fields.\n", NR; 59 if ($1 !~ /^[A-Za-z0-9]*$/) 60 printf "Login %s has non-alphanumeric characters.\n", 61 $1; 62 if (length($1) > 8) 63 printf "Login %s has more than 8 characters.\n", $1; 64 if ($2 == "") 65 printf "Login %s has no password.\n", $1; 66 if (length($2) != 13 && $2 != "") { 67 if ($10 == "" || shells[$10]) 68 printf "Login %s is off but still has a valid shell (%s)\n", 69 $1, $10; 70 } else if (! shells[$10]) 71 printf "Login %s does not have a valid shell (%s)\n", 72 $1, $10; 73 if ($3 == 0 && $1 != "root" && $1 != "toor") 74 printf "Login %s has a user id of 0.\n", $1; 75 if ($3 < 0) 76 printf "Login %s has a negative user id.\n", $1; 77 if ($4 < 0) 78 printf "Login %s has a negative group id.\n", $1; 79 }' < $MP > $OUTPUT 80 if [ -s $OUTPUT ] ; then 81 printf "\nChecking the $MP file:\n" 82 cat $OUTPUT 83 fi 84 85 awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT 86 if [ -s $OUTPUT ] ; then 87 printf "\n$MP has duplicate user names.\n" 88 column $OUTPUT 89 fi 90 91 < $TMP1 uniq -d -f 1 | awk '{ print $2 }' > $TMP2 92 if [ -s $TMP2 ] ; then 93 printf "\n$MP has duplicate user id's.\n" 94 while read uid; do 95 grep -w $uid $TMP1 96 done < $TMP2 | column 97 fi 98 fi 99 100 # Backup the master password file; a special case, the normal backup 101 # mechanisms also print out file differences and we don't want to do 102 # that because this file has encrypted passwords in it. 103 CUR=/var/backups/`basename $MP`.current 104 BACK=/var/backups/`basename $MP`.backup 105 if [ -s $CUR ] ; then 106 if cmp -s $CUR $MP; then 107 : 108 else 109 cp -p $CUR $BACK 110 cp -p $MP $CUR 111 chown root.wheel $CUR 112 fi 113 else 114 cp -p $MP $CUR 115 chown root.wheel $CUR 116 fi 117 118 # Check the group file syntax. 119 if [ "$check_group" = YES ]; then 120 GRP=/etc/group 121 awk -F: '{ 122 if ($0 ~ /^[ ]*$/) { 123 printf "Line %d is a blank line.\n", NR; 124 next; 125 } 126 if (NF != 4) 127 printf "Line %d has the wrong number of fields.\n", NR; 128 if ($1 !~ /^[A-za-z0-9]*$/) 129 printf "Group %s has non-alphanumeric characters.\n", 130 $1; 131 if (length($1) > 8) 132 printf "Group %s has more than 8 characters.\n", $1; 133 if ($3 !~ /[0-9]*/) 134 printf "Login %s has a negative group id.\n", $1; 135 }' < $GRP > $OUTPUT 136 if [ -s $OUTPUT ] ; then 137 printf "\nChecking the $GRP file:\n" 138 cat $OUTPUT 139 fi 140 141 awk -F: '{ print $1 }' $GRP | sort | uniq -d > $OUTPUT 142 if [ -s $OUTPUT ] ; then 143 printf "\n$GRP has duplicate group names.\n" 144 column $OUTPUT 145 fi 146 fi 147 148 # Check for root paths, umask values in startup files. 149 # The check for the root paths is problematical -- it's likely to fail 150 # in other environments. Once the shells have been modified to warn 151 # of '.' in the path, the path tests should go away. 152 if [ "$check_rootdotfiles" = YES ]; then 153 cp /dev/null $OUTPUT 154 rhome=`csh -fc "echo ~root"` 155 umaskset=no 156 list="/etc/csh.cshrc /etc/csh.login ${rhome}/.cshrc ${rhome}/.login" 157 for i in $list ; do 158 if [ -f $i ] ; then 159 if egrep umask $i > /dev/null ; then 160 umaskset=yes 161 fi 162 egrep umask $i | 163 awk '$2 % 100 < 20 \ 164 { print "Root umask is group writeable" } 165 $2 % 10 < 2 \ 166 { print "Root umask is other writeable" }' >> $OUTPUT 167 /bin/csh -f -s << end-of-csh > /dev/null 2>&1 168 unset path 169 source $i 170 /bin/ls -ldgT \$path > $TMP1 171 end-of-csh 172 awk '{ 173 if ($10 ~ /^\.$/) { 174 print "The root path includes ."; 175 next; 176 } 177 } 178 $1 ~ /^d....w/ \ 179 { print "Root path directory " $10 " is group writeable." } \ 180 $1 ~ /^d.......w/ \ 181 { print "Root path directory " $10 " is other writeable." }' \ 182 < $TMP1 >> $OUTPUT 183 fi 184 done 185 if [ $umaskset = "no" -o -s $OUTPUT ] ; then 186 printf "\nChecking root csh paths, umask values:\n$list\n" 187 if [ -s $OUTPUT ]; then 188 cat $OUTPUT 189 fi 190 if [ $umaskset = "no" ] ; then 191 printf "\nRoot csh startup files do not set the umask.\n" 192 fi 193 fi 194 195 cp /dev/null $OUTPUT 196 rhome=/root 197 umaskset=no 198 list="/etc/profile ${rhome}/.profile" 199 for i in $list; do 200 if [ -f $i ] ; then 201 if egrep umask $i > /dev/null ; then 202 umaskset=yes 203 fi 204 egrep umask $i | 205 awk '$2 % 100 < 20 \ 206 { print "Root umask is group writeable" } \ 207 $2 % 10 < 2 \ 208 { print "Root umask is other writeable" }' >> $OUTPUT 209 /bin/sh << end-of-sh > /dev/null 2>&1 210 PATH= 211 . $i 212 list=\`echo \$PATH | /usr/bin/sed -e 's/:/ /g'\` 213 /bin/ls -ldgT \$list > $TMP1 214 end-of-sh 215 awk '{ 216 if ($10 ~ /^\.$/) { 217 print "The root path includes ."; 218 next; 219 } 220 } 221 $1 ~ /^d....w/ \ 222 { print "Root path directory " $10 " is group writeable." } \ 223 $1 ~ /^d.......w/ \ 224 { print "Root path directory " $10 " is other writeable." }' \ 225 < $TMP1 >> $OUTPUT 226 227 fi 228 done 229 if [ $umaskset = "no" -o -s $OUTPUT ] ; then 230 printf "\nChecking root sh paths, umask values:\n$list\n" 231 if [ -s $OUTPUT ]; then 232 cat $OUTPUT 233 fi 234 if [ $umaskset = "no" ] ; then 235 printf "\nRoot sh startup files do not set the umask.\n" 236 fi 237 fi 238 fi 239 240 # Root and uucp should both be in /etc/ftpusers. 241 if [ "$check_ftpusers" = YES ]; then 242 if egrep root /etc/ftpusers > /dev/null ; then 243 : 244 else 245 printf "\nRoot not listed in /etc/ftpusers file.\n" 246 fi 247 if egrep uucp /etc/ftpusers > /dev/null ; then 248 : 249 else 250 printf "\nUucp not listed in /etc/ftpusers file.\n" 251 fi 252 fi 253 254 # Uudecode should not be in the /etc/aliases file. 255 if [ "$check_aliases" = YES ]; then 256 if egrep '^[^#]*(uudecode|decode).*\|' /etc/aliases; then 257 printf "\nEntry for uudecode in /etc/aliases file.\n" 258 fi 259 fi 260 261 # Files that should not have + signs. 262 if [ "$check_rhosts" = YES ]; then 263 list="/etc/hosts.equiv /etc/hosts.lpd" 264 for f in $list ; do 265 if [ -f $f ] && egrep '\+' $f > /dev/null ; then 266 printf "\nPlus sign in $f file.\n" 267 fi 268 done 269 270 # Check for special users with .rhosts files. Only root and toor should 271 # have .rhosts files. Also, .rhosts files should not have plus signs. 272 awk -F: '$1 != "root" && $1 != "toor" && \ 273 ($3 < 100 || $1 == "ftp" || $1 == "uucp") \ 274 { print $1 " " $9 }' $MP | 275 sort -k2 | 276 while read uid homedir; do 277 if [ -f ${homedir}/.rhosts ] ; then 278 rhost=`ls -ldgT ${homedir}/.rhosts` 279 printf "$uid: $rhost\n" 280 fi 281 done > $OUTPUT 282 if [ -s $OUTPUT ] ; then 283 printf "\nChecking for special users with .rhosts files.\n" 284 cat $OUTPUT 285 fi 286 287 awk -F: '{ print $1 " " $9 }' $MP | 288 sort -k2 | 289 while read uid homedir; do 290 if [ -f ${homedir}/.rhosts ] && \ 291 egrep '\+' ${homedir}/.rhosts > /dev/null ; then 292 printf "$uid: + in .rhosts file.\n" 293 fi 294 done > $OUTPUT 295 if [ -s $OUTPUT ] ; then 296 printf "\nChecking .rhosts files syntax.\n" 297 cat $OUTPUT 298 fi 299 fi 300 301 # Check home directories. Directories should not be owned by someone else 302 # or writeable. 303 if [ "$check_homes" = YES ]; then 304 awk -F: '{ print $1 " " $9 }' $MP | 305 sort -k2 | 306 while read uid homedir; do 307 if [ -d ${homedir}/ ] ; then 308 file=`ls -ldgT ${homedir}` 309 printf "$uid $file\n" 310 fi 311 done | 312 awk '$1 != $4 && $4 != "root" \ 313 { print "user " $1 " home directory is owned by " $4 } 314 $2 ~ /^-....w/ \ 315 { print "user " $1 " home directory is group writeable" } 316 $2 ~ /^-.......w/ \ 317 { print "user " $1 " home directory is other writeable" }' > $OUTPUT 318 if [ -s $OUTPUT ] ; then 319 printf "\nChecking home directories.\n" 320 cat $OUTPUT 321 fi 322 323 # Files that should not be owned by someone else or readable. 324 list=".Xauthority .netrc .rhosts" 325 awk -F: '{ print $1 " " $9 }' $MP | 326 sort -k2 | 327 while read uid homedir; do 328 for f in $list ; do 329 file=${homedir}/${f} 330 if [ -f $file ] ; then 331 printf "$uid $f `ls -ldgT $file`\n" 332 fi 333 done 334 done | 335 awk '$1 != $5 && $5 != "root" \ 336 { print "user " $1 " " $2 " file is owned by " $5 } 337 $3 ~ /^-...r/ \ 338 { print "user " $1 " " $2 " file is group readable" } 339 $3 ~ /^-......r/ \ 340 { print "user " $1 " " $2 " file is other readable" } 341 $3 ~ /^-....w/ \ 342 { print "user " $1 " " $2 " file is group writeable" } 343 $3 ~ /^-.......w/ \ 344 { print "user " $1 " " $2 " file is other writeable" }' > $OUTPUT 345 346 # Files that should not be owned by someone else or writeable. 347 list=".bash_history .bash_login .bash_logout .bash_profile .bashrc \ 348 .cshrc .emacs .exrc .forward .history .klogin .login .logout \ 349 .profile .qmail .rc_history .tcshrc .twmrc .xinitrc .xsession" 350 awk -F: '{ print $1 " " $9 }' $MP | 351 sort -k2 | 352 while read uid homedir; do 353 for f in $list ; do 354 file=${homedir}/${f} 355 if [ -f $file ] ; then 356 printf "$uid $f `ls -ldgT $file`\n" 357 fi 358 done 359 done | 360 awk '$1 != $5 && $5 != "root" \ 361 { print "user " $1 " " $2 " file is owned by " $5 } 362 $3 ~ /^-....w/ \ 363 { print "user " $1 " " $2 " file is group writeable" } 364 $3 ~ /^-.......w/ \ 365 { print "user " $1 " " $2 " file is other writeable" }' >> $OUTPUT 366 if [ -s $OUTPUT ] ; then 367 printf "\nChecking dot files.\n" 368 cat $OUTPUT 369 fi 370 fi 371 372 # Mailboxes should be owned by user and unreadable. 373 if [ "$check_varmail" = YES ]; then 374 ls -l /var/mail | sed 1d | \ 375 awk '$3 != $9 \ 376 { print "user " $9 " mailbox is owned by " $3 } 377 $1 != "-rw-------" \ 378 { print "user " $9 " mailbox is " $1 ", group " $4 }' > $OUTPUT 379 if [ -s $OUTPUT ] ; then 380 printf "\nChecking mailbox ownership.\n" 381 cat $OUTPUT 382 fi 383 fi 384 385 if [ "$check_nfs" = YES ]; then 386 if [ -f /etc/exports ]; then 387 # File systems should not be globally exported. 388 awk '{ 389 # ignore comments and blank lines 390 if ($LINE ~ /^\#/ || $LINE ~ /^$/ ) 391 next; 392 393 readonly = 0; 394 for (i = 2; i <= NF; ++i) { 395 if ($i ~ /-ro/) 396 readonly = 1; 397 else if ($i !~ /^-/) 398 next; 399 } 400 if (readonly) 401 print "File system " $1 " globally exported, read-only." 402 else 403 print "File system " $1 " globally exported, read-write." 404 }' < /etc/exports > $OUTPUT 405 if [ -s $OUTPUT ] ; then 406 printf "\nChecking for globally exported file systems.\n" 407 cat $OUTPUT 408 fi 409 fi 410 fi 411 412 # Display any changes in setuid files and devices. 413 if [ "$check_devices" = YES ]; then 414 printf "\nChecking setuid files and devices:\n" 415 (find / \( ! -fstype local -o -fstype fdesc -o -fstype kernfs \ 416 -o -fstype procfs \) -a -prune -o \ 417 \( \( -perm -u+s -a ! -type d \) -o \ 418 \( -perm -g+s -a ! -type d \) -o \ 419 -type b -o -type c \) -print0 | \ 420 xargs -0 ls -ldgTq | sort +9 > $LIST) 2> $OUTPUT 421 422 # Display any errors that occurred during system file walk. 423 if [ -s $OUTPUT ] ; then 424 printf "Setuid/device find errors:\n" 425 cat $OUTPUT 426 printf "\n" 427 fi 428 429 # Display any changes in the setuid file list. 430 egrep -v '^[bc]' $LIST > $TMP1 431 if [ -s $TMP1 ] ; then 432 # Check to make sure uudecode isn't setuid. 433 if grep -w uudecode $TMP1 > /dev/null ; then 434 printf "\nUudecode is setuid.\n" 435 fi 436 437 CUR=/var/backups/setuid.current 438 BACK=/var/backups/setuid.backup 439 440 if [ -s $CUR ] ; then 441 if cmp -s $CUR $TMP1 ; then 442 : 443 else 444 > $TMP2 445 join -110 -210 -v2 $CUR $TMP1 > $OUTPUT 446 if [ -s $OUTPUT ] ; then 447 printf "Setuid additions:\n" 448 tee -a $TMP2 < $OUTPUT 449 printf "\n" 450 fi 451 452 join -110 -210 -v1 $CUR $TMP1 > $OUTPUT 453 if [ -s $OUTPUT ] ; then 454 printf "Setuid deletions:\n" 455 tee -a $TMP2 < $OUTPUT 456 printf "\n" 457 fi 458 459 sort -k10 $TMP2 $CUR $TMP1 | \ 460 sed -e 's/[ ][ ]*/ /g' | uniq -u > $OUTPUT 461 if [ -s $OUTPUT ] ; then 462 printf "Setuid changes:\n" 463 column -t $OUTPUT 464 printf "\n" 465 fi 466 467 cp $CUR $BACK 468 cp $TMP1 $CUR 469 fi 470 else 471 printf "Setuid additions:\n" 472 column -t $TMP1 473 printf "\n" 474 cp $TMP1 $CUR 475 fi 476 fi 477 478 # Check for block and character disk devices that are readable or writeable 479 # or not owned by root.operator. 480 >$TMP1 481 DISKLIST="dk fd hd hk hp jb kra ra rb rd rl rx rz sd up wd xd xy" 482 for i in $DISKLIST; do 483 egrep "^b.*/${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1 484 egrep "^c.*/r${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1 485 done 486 487 awk '$3 != "root" || $4 != "operator" || $1 !~ /.rw-r-----/ \ 488 { printf "Disk %s is user %s, group %s, permissions %s.\n", \ 489 $11, $3, $4, $1; }' < $TMP1 > $OUTPUT 490 if [ -s $OUTPUT ] ; then 491 printf "\nChecking disk ownership and permissions.\n" 492 cat $OUTPUT 493 printf "\n" 494 fi 495 496 # Display any changes in the device file list. 497 egrep '^[bc]' $LIST | sort -k11 > $TMP1 498 if [ -s $TMP1 ] ; then 499 CUR=/var/backups/device.current 500 BACK=/var/backups/device.backup 501 502 if [ -s $CUR ] ; then 503 if cmp -s $CUR $TMP1 ; then 504 : 505 else 506 > $TMP2 507 join -111 -211 -v2 $CUR $TMP1 > $OUTPUT 508 if [ -s $OUTPUT ] ; then 509 printf "Device additions:\n" 510 tee -a $TMP2 < $OUTPUT 511 printf "\n" 512 fi 513 514 join -111 -211 -v1 $CUR $TMP1 > $OUTPUT 515 if [ -s $OUTPUT ] ; then 516 printf "Device deletions:\n" 517 tee -a $TMP2 < $OUTPUT 518 printf "\n" 519 fi 520 521 # Report any block device change. Ignore character 522 # devices, only the name is significant. 523 cat $TMP2 $CUR $TMP1 | \ 524 sed -e '/^c/d' | \ 525 sort -k11 | \ 526 sed -e 's/[ ][ ]*/ /g' | \ 527 uniq -u > $OUTPUT 528 if [ -s $OUTPUT ] ; then 529 printf "Block device changes:\n" 530 column -t $OUTPUT 531 printf "\n" 532 fi 533 534 cp $CUR $BACK 535 cp $TMP1 $CUR 536 fi 537 else 538 printf "Device additions:\n" 539 column -t $TMP1 540 printf "\n" 541 cp $TMP1 $CUR 542 fi 543 fi 544 fi 545 546 # Check special files. 547 # Check system binaries. 548 # 549 # Create the mtree tree specifications using: 550 # 551 # mtree -cx -pDIR -kcksum,gid,mode,nlink,size,link,time,uid > DIR.secure 552 # chown root.wheel DIR.secure 553 # chmod 600 DIR.secure 554 # 555 # Note, this is not complete protection against Trojan horsed binaries, as 556 # the hacker can modify the tree specification to match the replaced binary. 557 # For details on really protecting yourself against modified binaries, see 558 # the mtree(8) manual page. 559 if [ "$check_mtree" = YES ]; then 560 mtree -e -p / -f /etc/mtree/special > $OUTPUT 561 if [ -s $OUTPUT ]; then 562 printf "\nChecking special files and directories.\n" 563 cat $OUTPUT 564 fi 565 566 > $OUTPUT 567 for file in /etc/mtree/*.secure; do 568 [ $file = '/etc/mtree/*.secure' ] && continue 569 tree=`sed -n -e '3s/.* //p' -e 3q $file` 570 mtree -f $file -p $tree > $TMP1 571 if [ -s $TMP1 ]; then 572 printf "\nChecking $tree:\n" >> $OUTPUT 573 cat $TMP1 >> $OUTPUT 574 fi 575 done 576 if [ -s $OUTPUT ]; then 577 printf "\nChecking system binaries:\n" 578 cat $OUTPUT 579 fi 580 fi 581 582 # List of files that get backed up and checked for any modifications. Each 583 # file is expected to have two backups, /var/backups/file.{current,backup}. 584 # Any changes cause the files to rotate. 585 if [ "$check_changelist" = YES ] && [ -s /etc/changelist ] ; then 586 for file in `cat /etc/changelist`; do 587 CUR=/var/backups/`basename $file`.current 588 BACK=/var/backups/`basename $file`.backup 589 if [ -s $file ]; then 590 if [ -s $CUR ] ; then 591 diff $CUR $file > $OUTPUT 592 if [ -s $OUTPUT ] ; then 593 printf "\n======\n%s diffs (OLD < > NEW)\n======\n" $file 594 cat $OUTPUT 595 cp -p $CUR $BACK 596 cp -p $file $CUR 597 chown root.wheel $CUR $BACK 598 fi 599 else 600 cp -p $file $CUR 601 chown root.wheel $CUR 602 fi 603 fi 604 done 605 fi 606
Indexes created Wed Oct 01 13:09:50 GMT 2025