security revision 1.26
1 #!/bin/sh - 2 # 3 # $NetBSD: security,v 1.26 1997/08/19 12:08:35 lukem Exp $ 4 # from: @(#)security 8.1 (Berkeley) 6/9/93 5 # 6 7 PATH=/sbin:/usr/sbin:/bin:/usr/bin 8 9 umask 077 10 11 if [ -s /etc/security.conf ]; then 12 . /etc/security.conf 13 fi 14 15 SECUREDIR=/tmp/_securedir.$$ 16 if ! mkdir $SECUREDIR; then 17 echo can not create $SECUREDIR. 18 exit 1 19 fi 20 21 if ! cd $SECUREDIR; then 22 echo can not chdir to $SECUREDIR. 23 exit 1 24 fi 25 26 ERR=secure1.$$ 27 TMP1=secure2.$$ 28 TMP2=secure3.$$ 29 TMP3=secure4.$$ 30 LIST=secure5.$$ 31 OUTPUT=secure6.$$ 32 33 trap 'rm -rf $SECUREDIR' 0 34 35 MP=/etc/master.passwd 36 37 # this is used several times. 38 awk -F: '{ print $1 " " $3 }' $MP | sort -k2n > $TMP1 39 40 # Check the master password file syntax. 41 if [ "$check_passwd" = YES ]; then 42 awk ' 43 BEGIN { 44 while ( getline < "/etc/shells" > 0 ) { 45 if ($LINE ~ /^\#/ || $LINE ~ /^$/ ) 46 continue; 47 shells[$1]++; 48 } 49 FS=":"; 50 } 51 52 { 53 if ($0 ~ /^[ ]*$/) { 54 printf "Line %d is a blank line.\n", NR; 55 next; 56 } 57 if (NF != 10) 58 printf "Line %d has the wrong number of fields.\n", NR; 59 if ($1 !~ /^[A-Za-z0-9]*$/) 60 printf "Login %s has non-alphanumeric characters.\n", 61 $1; 62 if (length($1) > 8) 63 printf "Login %s has more than 8 characters.\n", $1; 64 if ($2 == "") 65 printf "Login %s has no password.\n", $1; 66 if (length($2) != 13 && $2 != "") { 67 if ($10 == "" || shells[$10]) 68 printf "Login %s is off but still has a valid shell (%s)\n", 69 $1, $10; 70 } else if (! shells[$10]) 71 printf "Login %s does not have a valid shell (%s)\n", 72 $1, $10; 73 if ($3 == 0 && $1 != "root" && $1 != "toor") 74 printf "Login %s has a user id of 0.\n", $1; 75 if ($3 < 0) 76 printf "Login %s has a negative user id.\n", $1; 77 if ($4 < 0) 78 printf "Login %s has a negative group id.\n", $1; 79 }' < $MP > $OUTPUT 80 if [ -s $OUTPUT ] ; then 81 printf "\nChecking the $MP file:\n" 82 cat $OUTPUT 83 fi 84 85 awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT 86 if [ -s $OUTPUT ] ; then 87 printf "\n$MP has duplicate user names.\n" 88 column $OUTPUT 89 fi 90 91 < $TMP1 uniq -d -f 1 | awk '{ print $2 }' > $TMP2 92 if [ -s $TMP2 ] ; then 93 printf "\n$MP has duplicate user id's.\n" 94 while read uid; do 95 grep -w $uid $TMP1 96 done < $TMP2 | column 97 fi 98 fi 99 100 # Backup the master password file; a special case, the normal backup 101 # mechanisms also print out file differences and we don't want to do 102 # that because this file has encrypted passwords in it. 103 CUR=/var/backups/`basename $MP`.current 104 BACK=/var/backups/`basename $MP`.backup 105 if [ -s $CUR ] ; then 106 if cmp -s $CUR $MP; then 107 : 108 else 109 cp -p $CUR $BACK 110 cp -p $MP $CUR 111 chown root.wheel $CUR 112 fi 113 else 114 cp -p $MP $CUR 115 chown root.wheel $CUR 116 fi 117 118 # Check the group file syntax. 119 if [ "$check_group" = YES ]; then 120 GRP=/etc/group 121 awk -F: '{ 122 if ($0 ~ /^[ ]*$/) { 123 printf "Line %d is a blank line.\n", NR; 124 next; 125 } 126 if (NF != 4) 127 printf "Line %d has the wrong number of fields.\n", NR; 128 if ($1 !~ /^[A-za-z0-9]*$/) 129 printf "Group %s has non-alphanumeric characters.\n", 130 $1; 131 if (length($1) > 8) 132 printf "Group %s has more than 8 characters.\n", $1; 133 if ($3 !~ /[0-9]*/) 134 printf "Login %s has a negative group id.\n", $1; 135 }' < $GRP > $OUTPUT 136 if [ -s $OUTPUT ] ; then 137 printf "\nChecking the $GRP file:\n" 138 cat $OUTPUT 139 fi 140 141 awk -F: '{ print $1 }' $GRP | sort | uniq -d > $OUTPUT 142 if [ -s $OUTPUT ] ; then 143 printf "\n$GRP has duplicate group names.\n" 144 column $OUTPUT 145 fi 146 fi 147 148 # Check for root paths, umask values in startup files. 149 # The check for the root paths is problematical -- it's likely to fail 150 # in other environments. Once the shells have been modified to warn 151 # of '.' in the path, the path tests should go away. 152 if [ "$check_rootdotfiles" = YES ]; then 153 cp /dev/null $OUTPUT 154 rhome=`csh -fc "echo ~root"` 155 umaskset=no 156 list="/etc/csh.cshrc /etc/csh.login ${rhome}/.cshrc ${rhome}/.login" 157 for i in $list ; do 158 if [ -f $i ] ; then 159 if egrep umask $i > /dev/null ; then 160 umaskset=yes 161 fi 162 egrep umask $i | 163 awk '$2 % 100 < 20 \ 164 { print "Root umask is group writeable" } 165 $2 % 10 < 2 \ 166 { print "Root umask is other writeable" }' >> $OUTPUT 167 SAVE_PATH=$PATH 168 unset PATH 169 /bin/csh -f -s << end-of-csh > /dev/null 2>&1 170 source $i 171 /bin/ls -ldgT \$path > $TMP1 172 end-of-csh 173 PATH=$SAVE_PATH 174 awk '{ 175 if ($10 ~ /^\.$/) { 176 print "The root path includes ."; 177 next; 178 } 179 } 180 $1 ~ /^d....w/ \ 181 { print "Root path directory " $10 " is group writeable." } \ 182 $1 ~ /^d.......w/ \ 183 { print "Root path directory " $10 " is other writeable." }' \ 184 < $TMP1 >> $OUTPUT 185 fi 186 done 187 if [ $umaskset = "no" -o -s $OUTPUT ] ; then 188 printf "\nChecking root csh paths, umask values:\n$list\n" 189 if [ -s $OUTPUT ]; then 190 cat $OUTPUT 191 fi 192 if [ $umaskset = "no" ] ; then 193 printf "\nRoot csh startup files do not set the umask.\n" 194 fi 195 fi 196 197 cp /dev/null $OUTPUT 198 rhome=/root 199 umaskset=no 200 list="/etc/profile ${rhome}/.profile" 201 for i in $list; do 202 if [ -f $i ] ; then 203 if egrep umask $i > /dev/null ; then 204 umaskset=yes 205 fi 206 egrep umask $i | 207 awk '$2 % 100 < 20 \ 208 { print "Root umask is group writeable" } \ 209 $2 % 10 < 2 \ 210 { print "Root umask is other writeable" }' >> $OUTPUT 211 SAVE_PATH=$PATH 212 unset PATH 213 /bin/sh << end-of-sh > /dev/null 2>&1 214 . $i 215 list=\`echo \$PATH | /usr/bin/sed -e \ 216 's/^:/.:/;s/:$/:./;s/::/:.:/g;s/:/ /g'\` 217 /bin/ls -ldgT \$list > $TMP1 218 end-of-sh 219 PATH=$SAVE_PATH 220 awk '{ 221 if ($10 ~ /^\.$/) { 222 print "The root path includes ."; 223 next; 224 } 225 } 226 $1 ~ /^d....w/ \ 227 { print "Root path directory " $10 " is group writeable." } \ 228 $1 ~ /^d.......w/ \ 229 { print "Root path directory " $10 " is other writeable." }' \ 230 < $TMP1 >> $OUTPUT 231 232 fi 233 done 234 if [ $umaskset = "no" -o -s $OUTPUT ] ; then 235 printf "\nChecking root sh paths, umask values:\n$list\n" 236 if [ -s $OUTPUT ]; then 237 cat $OUTPUT 238 fi 239 if [ $umaskset = "no" ] ; then 240 printf "\nRoot sh startup files do not set the umask.\n" 241 fi 242 fi 243 fi 244 245 # Root and uucp should both be in /etc/ftpusers. 246 if [ "$check_ftpusers" = YES ]; then 247 if egrep root /etc/ftpusers > /dev/null ; then 248 : 249 else 250 printf "\nRoot not listed in /etc/ftpusers file.\n" 251 fi 252 if egrep uucp /etc/ftpusers > /dev/null ; then 253 : 254 else 255 printf "\nUucp not listed in /etc/ftpusers file.\n" 256 fi 257 fi 258 259 # Uudecode should not be in the /etc/aliases file. 260 if [ "$check_aliases" = YES ]; then 261 if egrep '^[^#]*(uudecode|decode).*\|' /etc/aliases; then 262 printf "\nEntry for uudecode in /etc/aliases file.\n" 263 fi 264 fi 265 266 # Files that should not have + signs. 267 if [ "$check_rhosts" = YES ]; then 268 list="/etc/hosts.equiv /etc/hosts.lpd" 269 for f in $list ; do 270 if [ -f $f ] && egrep '\+' $f > /dev/null ; then 271 printf "\nPlus sign in $f file.\n" 272 fi 273 done 274 275 # Check for special users with .rhosts files. Only root and toor should 276 # have .rhosts files. Also, .rhosts files should not have plus signs. 277 awk -F: '$1 != "root" && $1 != "toor" && \ 278 ($3 < 100 || $1 == "ftp" || $1 == "uucp") \ 279 { print $1 " " $9 }' $MP | 280 sort -k2 | 281 while read uid homedir; do 282 if [ -f ${homedir}/.rhosts ] ; then 283 rhost=`ls -ldgT ${homedir}/.rhosts` 284 printf "$uid: $rhost\n" 285 fi 286 done > $OUTPUT 287 if [ -s $OUTPUT ] ; then 288 printf "\nChecking for special users with .rhosts files.\n" 289 cat $OUTPUT 290 fi 291 292 awk -F: '{ print $1 " " $9 }' $MP | 293 sort -k2 | 294 while read uid homedir; do 295 if [ -f ${homedir}/.rhosts ] && \ 296 egrep '\+' ${homedir}/.rhosts > /dev/null ; then 297 printf "$uid: + in .rhosts file.\n" 298 fi 299 done > $OUTPUT 300 if [ -s $OUTPUT ] ; then 301 printf "\nChecking .rhosts files syntax.\n" 302 cat $OUTPUT 303 fi 304 fi 305 306 # Check home directories. Directories should not be owned by someone else 307 # or writeable. 308 if [ "$check_homes" = YES ]; then 309 awk -F: '{ print $1 " " $9 }' $MP | 310 sort -k2 | 311 while read uid homedir; do 312 if [ -d ${homedir}/ ] ; then 313 file=`ls -ldgT ${homedir}` 314 printf "$uid $file\n" 315 fi 316 done | 317 awk '$1 != $4 && $4 != "root" \ 318 { print "user " $1 " home directory is owned by " $4 } 319 $2 ~ /^-....w/ \ 320 { print "user " $1 " home directory is group writeable" } 321 $2 ~ /^-.......w/ \ 322 { print "user " $1 " home directory is other writeable" }' > $OUTPUT 323 if [ -s $OUTPUT ] ; then 324 printf "\nChecking home directories.\n" 325 cat $OUTPUT 326 fi 327 328 # Files that should not be owned by someone else or readable. 329 list=".Xauthority .netrc .rhosts" 330 awk -F: '{ print $1 " " $9 }' $MP | 331 sort -k2 | 332 while read uid homedir; do 333 for f in $list ; do 334 file=${homedir}/${f} 335 if [ -f $file ] ; then 336 printf "$uid $f `ls -ldgT $file`\n" 337 fi 338 done 339 done | 340 awk '$1 != $5 && $5 != "root" \ 341 { print "user " $1 " " $2 " file is owned by " $5 } 342 $3 ~ /^-...r/ \ 343 { print "user " $1 " " $2 " file is group readable" } 344 $3 ~ /^-......r/ \ 345 { print "user " $1 " " $2 " file is other readable" } 346 $3 ~ /^-....w/ \ 347 { print "user " $1 " " $2 " file is group writeable" } 348 $3 ~ /^-.......w/ \ 349 { print "user " $1 " " $2 " file is other writeable" }' > $OUTPUT 350 351 # Files that should not be owned by someone else or writeable. 352 list=".bash_history .bash_login .bash_logout .bash_profile .bashrc \ 353 .cshrc .emacs .exrc .forward .history .klogin .login .logout \ 354 .profile .qmail .rc_history .tcshrc .twmrc .xinitrc .xsession" 355 awk -F: '{ print $1 " " $9 }' $MP | 356 sort -k2 | 357 while read uid homedir; do 358 for f in $list ; do 359 file=${homedir}/${f} 360 if [ -f $file ] ; then 361 printf "$uid $f `ls -ldgT $file`\n" 362 fi 363 done 364 done | 365 awk '$1 != $5 && $5 != "root" \ 366 { print "user " $1 " " $2 " file is owned by " $5 } 367 $3 ~ /^-....w/ \ 368 { print "user " $1 " " $2 " file is group writeable" } 369 $3 ~ /^-.......w/ \ 370 { print "user " $1 " " $2 " file is other writeable" }' >> $OUTPUT 371 if [ -s $OUTPUT ] ; then 372 printf "\nChecking dot files.\n" 373 cat $OUTPUT 374 fi 375 fi 376 377 # Mailboxes should be owned by user and unreadable. 378 if [ "$check_varmail" = YES ]; then 379 ls -l /var/mail | sed 1d | \ 380 awk '$3 != $9 \ 381 { print "user " $9 " mailbox is owned by " $3 } 382 $1 != "-rw-------" \ 383 { print "user " $9 " mailbox is " $1 ", group " $4 }' > $OUTPUT 384 if [ -s $OUTPUT ] ; then 385 printf "\nChecking mailbox ownership.\n" 386 cat $OUTPUT 387 fi 388 fi 389 390 if [ "$check_nfs" = YES ]; then 391 if [ -f /etc/exports ]; then 392 # File systems should not be globally exported. 393 awk '{ 394 # ignore comments and blank lines 395 if ($LINE ~ /^\#/ || $LINE ~ /^$/ ) 396 next; 397 398 readonly = 0; 399 for (i = 2; i <= NF; ++i) { 400 if ($i ~ /-ro/) 401 readonly = 1; 402 else if ($i !~ /^-/) 403 next; 404 } 405 if (readonly) 406 print "File system " $1 " globally exported, read-only." 407 else 408 print "File system " $1 " globally exported, read-write." 409 }' < /etc/exports > $OUTPUT 410 if [ -s $OUTPUT ] ; then 411 printf "\nChecking for globally exported file systems.\n" 412 cat $OUTPUT 413 fi 414 fi 415 fi 416 417 # Display any changes in setuid files and devices. 418 if [ "$check_devices" = YES ]; then 419 printf "\nChecking setuid files and devices:\n" 420 (find / \( ! -fstype local -o -fstype fdesc -o -fstype kernfs \ 421 -o -fstype procfs \) -a -prune -o \ 422 \( \( -perm -u+s -a ! -type d \) -o \ 423 \( -perm -g+s -a ! -type d \) -o \ 424 -type b -o -type c \) -print0 | \ 425 xargs -0 ls -ldgTq | sort +9 > $LIST) 2> $OUTPUT 426 427 # Display any errors that occurred during system file walk. 428 if [ -s $OUTPUT ] ; then 429 printf "Setuid/device find errors:\n" 430 cat $OUTPUT 431 printf "\n" 432 fi 433 434 # Display any changes in the setuid file list. 435 egrep -v '^[bc]' $LIST > $TMP1 436 if [ -s $TMP1 ] ; then 437 # Check to make sure uudecode isn't setuid. 438 if grep -w uudecode $TMP1 > /dev/null ; then 439 printf "\nUudecode is setuid.\n" 440 fi 441 442 CUR=/var/backups/setuid.current 443 BACK=/var/backups/setuid.backup 444 445 if [ -s $CUR ] ; then 446 if cmp -s $CUR $TMP1 ; then 447 : 448 else 449 > $TMP2 450 join -110 -210 -v2 $CUR $TMP1 > $OUTPUT 451 if [ -s $OUTPUT ] ; then 452 printf "Setuid additions:\n" 453 tee -a $TMP2 < $OUTPUT 454 printf "\n" 455 fi 456 457 join -110 -210 -v1 $CUR $TMP1 > $OUTPUT 458 if [ -s $OUTPUT ] ; then 459 printf "Setuid deletions:\n" 460 tee -a $TMP2 < $OUTPUT 461 printf "\n" 462 fi 463 464 sort -k10 $TMP2 $CUR $TMP1 | \ 465 sed -e 's/[ ][ ]*/ /g' | uniq -u > $OUTPUT 466 if [ -s $OUTPUT ] ; then 467 printf "Setuid changes:\n" 468 column -t $OUTPUT 469 printf "\n" 470 fi 471 472 cp $CUR $BACK 473 cp $TMP1 $CUR 474 fi 475 else 476 printf "Setuid additions:\n" 477 column -t $TMP1 478 printf "\n" 479 cp $TMP1 $CUR 480 fi 481 fi 482 483 # Check for block and character disk devices that are readable or writeable 484 # or not owned by root.operator. 485 >$TMP1 486 DISKLIST="dk fd hd hk hp jb kra ra rb rd rl rx rz sd up wd xd xy" 487 for i in $DISKLIST; do 488 egrep "^b.*/${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1 489 egrep "^c.*/r${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1 490 done 491 492 awk '$3 != "root" || $4 != "operator" || $1 !~ /.rw-r-----/ \ 493 { printf "Disk %s is user %s, group %s, permissions %s.\n", \ 494 $11, $3, $4, $1; }' < $TMP1 > $OUTPUT 495 if [ -s $OUTPUT ] ; then 496 printf "\nChecking disk ownership and permissions.\n" 497 cat $OUTPUT 498 printf "\n" 499 fi 500 501 # Display any changes in the device file list. 502 egrep '^[bc]' $LIST | sort -k11 > $TMP1 503 if [ -s $TMP1 ] ; then 504 CUR=/var/backups/device.current 505 BACK=/var/backups/device.backup 506 507 if [ -s $CUR ] ; then 508 if cmp -s $CUR $TMP1 ; then 509 : 510 else 511 > $TMP2 512 join -111 -211 -v2 $CUR $TMP1 > $OUTPUT 513 if [ -s $OUTPUT ] ; then 514 printf "Device additions:\n" 515 tee -a $TMP2 < $OUTPUT 516 printf "\n" 517 fi 518 519 join -111 -211 -v1 $CUR $TMP1 > $OUTPUT 520 if [ -s $OUTPUT ] ; then 521 printf "Device deletions:\n" 522 tee -a $TMP2 < $OUTPUT 523 printf "\n" 524 fi 525 526 # Report any block device change. Ignore character 527 # devices, only the name is significant. 528 cat $TMP2 $CUR $TMP1 | \ 529 sed -e '/^c/d' | \ 530 sort -k11 | \ 531 sed -e 's/[ ][ ]*/ /g' | \ 532 uniq -u > $OUTPUT 533 if [ -s $OUTPUT ] ; then 534 printf "Block device changes:\n" 535 column -t $OUTPUT 536 printf "\n" 537 fi 538 539 cp $CUR $BACK 540 cp $TMP1 $CUR 541 fi 542 else 543 printf "Device additions:\n" 544 column -t $TMP1 545 printf "\n" 546 cp $TMP1 $CUR 547 fi 548 fi 549 fi 550 551 # Check special files. 552 # Check system binaries. 553 # 554 # Create the mtree tree specifications using: 555 # 556 # mtree -cx -pDIR -kcksum,gid,mode,nlink,size,link,time,uid > DIR.secure 557 # chown root.wheel DIR.secure 558 # chmod 600 DIR.secure 559 # 560 # Note, this is not complete protection against Trojan horsed binaries, as 561 # the hacker can modify the tree specification to match the replaced binary. 562 # For details on really protecting yourself against modified binaries, see 563 # the mtree(8) manual page. 564 if [ "$check_mtree" = YES ]; then 565 mtree -e -p / -f /etc/mtree/special > $OUTPUT 566 if [ -s $OUTPUT ]; then 567 printf "\nChecking special files and directories.\n" 568 cat $OUTPUT 569 fi 570 571 > $OUTPUT 572 for file in /etc/mtree/*.secure; do 573 [ $file = '/etc/mtree/*.secure' ] && continue 574 tree=`sed -n -e '3s/.* //p' -e 3q $file` 575 mtree -f $file -p $tree > $TMP1 576 if [ -s $TMP1 ]; then 577 printf "\nChecking $tree:\n" >> $OUTPUT 578 cat $TMP1 >> $OUTPUT 579 fi 580 done 581 if [ -s $OUTPUT ]; then 582 printf "\nChecking system binaries:\n" 583 cat $OUTPUT 584 fi 585 fi 586 587 # List of files that get backed up and checked for any modifications. Each 588 # file is expected to have two backups, /var/backups/file.{current,backup}. 589 # Any changes cause the files to rotate. 590 if [ "$check_changelist" = YES ] && [ -s /etc/changelist ] ; then 591 for file in `cat /etc/changelist`; do 592 CUR=/var/backups/`basename $file`.current 593 BACK=/var/backups/`basename $file`.backup 594 if [ -s $file ]; then 595 if [ -s $CUR ] ; then 596 diff $CUR $file > $OUTPUT 597 if [ -s $OUTPUT ] ; then 598 printf "\n======\n%s diffs (OLD < > NEW)\n======\n" $file 599 cat $OUTPUT 600 cp -p $CUR $BACK 601 cp -p $file $CUR 602 chown root.wheel $CUR $BACK 603 fi 604 else 605 cp -p $file $CUR 606 chown root.wheel $CUR 607 fi 608 fi 609 done 610 fi 611
Indexes created Mon Sep 29 18:09:42 GMT 2025