diff --git a/src/etc/security b/src/etc/security deleted file mode 100644 index d767a1c9..00000000 --- a/src/etc/security +++ /dev/null @@ -1,664 +0,0 @@ -# -# $OpenBSD: security,v 1.88 2009/06/03 14:45:39 jj Exp $ -# from: @(#)security 8.1 (Berkeley) 6/9/93 -# - -PATH=/bin:/usr/bin:/sbin:/usr/sbin - -umask 077 - -DIR=`mktemp -d /tmp/_secure.XXXXXXXXXX` || exit 1 -TMP1=$DIR/_secure2 -TMP2=$DIR/_secure3 -LIST=$DIR/_secure5 - -trap 'rm -rf $DIR; exit 1' 0 1 2 3 13 15 - -# Check the master password file syntax. -MP=/etc/master.passwd -next_part "Checking the ${MP} file:" -awk -F: '{ - if ($0 ~ /^[ ]*$/) { - printf("Line %d is a blank line.\n", NR); - next; - } - if (NF != 10) - printf("Line %d has the wrong number of fields:\n%s\n", NR, $0); - if ($1 ~ /^[+-]/) - next; - if ($1 == "") - printf("Line %d has an empty login field:\n%s\n", NR, $0); - else if ($1 !~ /^[A-Za-z0-9_][A-Za-z0-9_\-\.]*\$?$/) - printf("Login %s has non-alphanumeric characters.\n", $1); - if (length($1) > 31) - printf("Login %s has more than 31 characters.\n", $1); - if ($2 == "") - printf("Login %s has no password.\n", $1); - if ($2 != "" && length($2) != 13 && ($10 ~ /.*sh$/ || $10 == "") && - ($2 !~ /^\$[0-9a-f]+\$/) && ($2 != "skey")) { - if (system("test -s /etc/skey/"$1"") == 0) - printf("Login %s is off but still has a valid shell and an entry in /etc/skey.\n", $1); - if (system("test -d "$9" -a ! -r "$9"") == 0) - printf("Login %s is off but still has valid shell and home directory is unreadable\n\t by root; cannot check for existence of alternate access files.\n", $1); - else if (system("for file in .ssh .rhosts .shosts .klogin; do if test -e "$9"/$file; then if ((ls -ld "$9"/$file | cut -b 2-10 | grep -q r) && (test ! -O "$9"/$file)) ; then exit 1; fi; fi; done")) - printf("Login %s is off but still has a valid shell and alternate access files in\n\t home directory are still readable.\n",$1); - } - if ($3 == 0 && $1 != "root") - printf("Login %s has a user ID of 0.\n", $1); - if ($3 < 0) - printf("Login %s has a negative user ID.\n", $1); - if ($4 < 0) - printf("Login %s has a negative group ID.\n", $1); - if (int($7) != 0 && system("test "$7" -lt `date +%s`") == 0) - printf("Login %s has expired.\n", $1); -}' < $MP - -next_part "${MP} has duplicate user names." -awk -F: '{ print $1 }' $MP | sort | uniq -d | column - -next_part "${MP} has duplicate user IDs." -awk -F: '/^[^\+]/ { print $1 " " $3 }' $MP | sort -n +1 | tee $TMP1 | -uniq -d -f 1 | awk '{ print $2 }' > $TMP2 -if [ -s $TMP2 ] ; then - while read uid; do - grep -w $uid $TMP1 - done < $TMP2 | column -fi - -# Backup the master password file; a special case, the normal backup -# mechanisms also print out file differences and we don't want to do -# that because this file has encrypted passwords in it. -if [ ! -d /var/backups ] ; then - mkdir /var/backups - chmod 700 /var/backups -fi -CUR=/var/backups/`basename $MP`.current -BACK=/var/backups/`basename $MP`.backup -if [ -s $CUR ] ; then - if cmp -s $CUR $MP; then - : - else - cp -p $CUR $BACK - cp -p $MP $CUR - chown root:wheel $CUR - fi -else - cp -p $MP $CUR - chown root:wheel $CUR -fi - -# Check the group file syntax. -GRP=/etc/group -next_part "Checking the ${GRP} file:" -awk -F: '{ - if ($0 ~ /^[ ]*$/) { - printf("Line %d is a blank line.\n", NR); - next; - } - if ($1 ~ /^[+-].*$/) - next; - if (NF != 4) - printf("Line %d has the wrong number of fields:\n%s\n", NR, $0); - if ($1 !~ /^[A-Za-z0-9_][A-Za-z0-9_\-\.]*$/) - printf("Group %s has non-alphanumeric characters.\n", $1); - if (length($1) > 31) - printf("Group %s has more than 31 characters.\n", $1); - if ($3 !~ /^[0-9]*$/) - printf("Group %s has an invalid group ID.\n", $1); -}' < $GRP - -next_part "${GRP} has duplicate group names." -awk -F: '{ print $1 }' $GRP | sort | uniq -d | column - -# Check for root paths, umask values in startup files. -# The check for the root paths is problematical -- it's likely to fail -# in other environments. Once the shells have been modified to warn -# of '.' in the path, the path tests should go away. -rhome=/root -umaskset=no -list="/etc/csh.cshrc /etc/csh.login ${rhome}/.cshrc ${rhome}/.login" -next_part "Checking root csh paths, umask values:\n${list}" -for i in $list ; do - if [ -s $i ] ; then - if egrep -aq '[[:space:]]*umask[[:space:]]' $i ; then - umaskset=yes - fi - awk '{ - if ($1 == "umask") { - if ($2 % 100 / 10 ~ /^[0145]/) - print "Root umask is group writable"; - if ($2 % 10 ~ /^[0145]/) - print "Root umask is other writable"; - } - }' < $i - SAVE_PATH=$PATH - unset PATH - /bin/csh -f -s << end-of-csh > /dev/null 2>&1 - source $i - if (\$?path) then - /bin/ls -ldgT \$path > $TMP1 - else - cat /dev/null > $TMP1 - endif -end-of-csh - PATH=$SAVE_PATH - awk '{ - if ($10 ~ /^\.$/) { - print "The root path includes ."; - next; - } - } - $1 ~ /^d....w/ \ - { print "Root path directory " $10 " is group writable." } \ - $1 ~ /^d.......w/ \ - { print "Root path directory " $10 " is other writable." }' \ - < $TMP1 - fi -done -if [ $umaskset = "no" ] ; then - echo "\nRoot csh startup files do not set the umask." -fi - -> $TMP2 -rhome=/root -umaskset=no -list="/etc/profile ${rhome}/.profile" -next_part "Checking root sh paths, umask values:\n${list}" -for i in $list; do - if [ -s $i ] ; then - if egrep -a umask $i > /dev/null ; then - umaskset=yes - fi - egrep -a umask $i | - awk '$2 % 100 < 20 \ - { print "Root umask is group writable" } \ - $2 % 10 < 2 \ - { print "Root umask is other writable" }' - SAVE_PATH=$PATH - SAVE_ENV=$ENV - unset PATH ENV - /bin/sh << end-of-sh > /dev/null 2>&1 - . $i - if [ X"\$PATH" != "X" ]; then - list=\`echo \$PATH | /usr/bin/sed -e 's/:/ /g'\` - /bin/ls -ldgT \$list > $TMP1 - else - > $TMP1 - fi - echo \$ENV >> $TMP2 -end-of-sh - PATH=$SAVE_PATH - ENV=$SAVE_ENV - awk '{ - if ($10 ~ /^\.$/) { - print "The root path includes ."; - next; - } - } - $1 ~ /^d....w/ \ - { print "Root path directory " $10 " is group writable." } \ - $1 ~ /^d.......w/ \ - { print "Root path directory " $10 " is other writable." }' \ - < $TMP1 - - fi -done -if [ $umaskset = "no" ] ; then - echo "\nRoot sh startup files do not set the umask." -fi - -# A good .kshrc will not have a umask or path, that being set in .profile -# check anyway. -rhome=/root -list="/etc/ksh.kshrc `cat $TMP2`" -next_part "Checking root ksh paths, umask values:\n${list}" -(cd $rhome - for i in $list; do - if [ -s $i ] ; then - egrep -a umask $i | - awk '$2 % 100 < 20 \ - { print "Root umask is group writable" } \ - $2 % 10 < 2 \ - { print "Root umask is other writable" }' - if egrep -a PATH= $i > /dev/null ; then - SAVE_PATH=$PATH - unset PATH - /bin/ksh << end-of-sh > /dev/null 2>&1 - . $i - if [ X"\$PATH" != "X" ]; then - list=\`echo \$PATH | /usr/bin/sed -e 's/:/ /g'\` - /bin/ls -ldgT \$list > $TMP1 - else - > $TMP1 - fi -end-of-sh - PATH=$SAVE_PATH - awk '{ - if ($10 ~ /^\.$/) { - print "The root path includes ."; - next; - } - } - $1 ~ /^d....w/ \ - { print "Root path directory " $10 " is group writable." } \ - $1 ~ /^d.......w/ \ - { print "Root path directory " $10 " is other writable." }' \ - < $TMP1 - fi - - fi - done -) - -next_part "Checking configuration files:" -# Root and uucp should both be in /etc/ftpusers. -if egrep root /etc/ftpusers > /dev/null ; then - : -else - echo "Root not listed in /etc/ftpusers file." -fi -if egrep uucp /etc/ftpusers > /dev/null ; then - : -else - echo "Uucp not listed in /etc/ftpusers file." -fi - -# Uudecode should not be in the /etc/mail/aliases file. -if egrep 'uudecode|decode' /etc/mail/aliases; then - echo "There is an entry for uudecode in the /etc/mail/aliases file." -fi - -# hostname.if files may contain secrets and should not be -# world-readable. - -for f in /etc/hostname.* ; do - if [ ! -e $f ]; then - continue - fi - if [ "$(stat -Lf "%SLp" $f)" != "---" ]; then - echo "$f is world readable." - fi -done - -# Files that should not have + signs. -list="/etc/hosts.equiv /etc/shosts.equiv /etc/hosts.lpd" -for f in $list ; do - if [ -s $f ] ; then - awk '{ - if ($0 ~ /^\+@.*$/) - next; - if ($0 ~ /^\+.*$/) - printf("Plus sign in %s file.\n", FILENAME); - }' $f - fi -done - -# Check for special users with .rhosts/.shosts files. Only root -# should have .rhosts/.shosts files. Also, .rhosts/.shosts -# files should not have plus signs. -next_part "Checking for special users with .rhosts/.shosts files." -awk -F: '$1 != "root" && $1 !~ /^[+-]/ && \ - ($3 < 100 || $1 == "ftp" || $1 == "uucp") \ - { print $1 " " $6 }' /etc/passwd | -while read uid homedir; do - for j in .rhosts .shosts; do - # Root owned .rhosts/.shosts files are ok. - if [ -s ${homedir}/$j -a ! -O ${homedir}/$j ] ; then - rhost=`ls -ldgT ${homedir}/$j` - echo "${uid}: ${rhost}" - fi - done -done - -next_part "Checking .rhosts/.shosts files syntax." -awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \ -while read uid homedir; do - for j in .rhosts .shosts; do - if [ -s ${homedir}/$j ] ; then - awk '{ - if ($0 ~ /^+@.*$/ ) - next; - if ($0 ~ /^\+[ ]*$/ ) - printf("%s has + sign in it.\n", - FILENAME); - }' ${homedir}/$j - fi - done -done - -# Check home directories. Directories should not be owned by someone else -# or writeable. -next_part "Checking home directories." -awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \ -while read uid homedir; do - if [ -d ${homedir}/ ] ; then - file=`ls -ldgT ${homedir}` - echo "${uid} ${file}" - fi -done | -awk '$1 != $4 && $4 != "root" \ - { print "user " $1 " home directory is owned by " $4 } - $2 ~ /^-....w/ \ - { print "user " $1 " home directory is group writable" } - $2 ~ /^-.......w/ \ - { print "user " $1 " home directory is other writable" }' - -# Files that should not be owned by someone else or readable. -list=".netrc .rhosts .gnupg/secring.gpg .gnupg/random_seed \ - .pgp/secring.pgp .shosts .ssh/identity .ssh/id_dsa .ssh/id_rsa" -next_part "Checking dot files." -awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \ -while read uid homedir; do - for f in $list ; do - file=${homedir}/${f} - if [ -f $file ] ; then - echo "${uid} ${f} `ls -ldgT ${file}`" - fi - done -done | -awk '$1 != $5 && $5 != "root" \ - { print "user " $1 " " $2 " file is owned by " $5 } - $3 ~ /^-...r/ \ - { print "user " $1 " " $2 " file is group readable" } - $3 ~ /^-......r/ \ - { print "user " $1 " " $2 " file is other readable" } - $3 ~ /^-....w/ \ - { print "user " $1 " " $2 " file is group writable" } - $3 ~ /^-.......w/ \ - { print "user " $1 " " $2 " file is other writable" }' - -# Files that should not be owned by someone else or writeable. -list=".bashrc .bash_profile .bash_login .bash_logout .cshrc \ - .emacs .exrc .forward .fvwmrc .inputrc .klogin .kshrc .login \ - .logout .nexrc .profile .screenrc .ssh .ssh/config \ - .ssh/authorized_keys .ssh/authorized_keys2 .ssh/environment \ - .ssh/known_hosts .ssh/rc .tcshrc .twmrc .xsession .xinitrc \ - .Xdefaults .Xauthority" -awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \ -while read uid homedir; do - for f in $list ; do - file=${homedir}/${f} - if [ -f $file ] ; then - echo "${uid} ${f} `ls -ldgT ${file}`" - fi - done -done | -awk '$1 != $5 && $5 != "root" \ - { print "user " $1 " " $2 " file is owned by " $5 } - $3 ~ /^-....w/ \ - { print "user " $1 " " $2 " file is group writable" } - $3 ~ /^-.......w/ \ - { print "user " $1 " " $2 " file is other writable" }' - -# Mailboxes should be owned by user and unreadable. -next_part "Checking mailbox ownership." -ls -l /var/mail | sed 1d | \ -awk '$3 != $9 \ - { print "user " $9 " mailbox is owned by " $3 } - $1 != "-rw-------" \ - { print "user " $9 " mailbox is " $1 ", group " $4 }' - -# File systems should not be globally exported. -next_part "Checking for globally exported file systems." -if [ -s /etc/exports ] ; then - awk '{ - if (($1 ~ /^#/) || ($1 ~ /^$/)) - next; - readonly = 0; - for (i = 2; i <= NF; ++i) { - if ($i ~ /^-ro$/) - readonly = 1; - else if ($i !~ /^-/ || $i ~ /^-network/) - next; - } - if (readonly) - print "File system " $1 " globally exported, read-only." - else - print "File system " $1 " globally exported, read-write." - }' < /etc/exports -fi - -# Display any changes in setuid/setgid files and devices. -next_part "Setuid/device find errors:" -( set -o noglob - find / \ - \( ! -fstype local -o -fstype procfs -o -fstype afs -o -fstype nnpfs \ - `for f in $SUIDSKIP; do echo -o -path $f; done` \ - \) -a -prune -o \ - -type f -a \( -perm -u+s -o -perm -g+s \) -print0 -o \ - ! -type d -a ! -type f -a ! -type l -a ! -type s -a ! -type p \ - -print0 | xargs -0 -r ls -ldgT | sort +9 > $LIST -) - -# Display any changes in the setuid/setgid file list. -next_part "Checking setuid/setgid files and devices:" -FIELDS1=1.1,1.2,1.3,1.4,1.5,1.6,1.7,1.8,1.9,0 -FIELDS2=2.1,2.2,2.3,2.4,2.5,2.6,2.7,2.8,2.9,0 -egrep -av '^[bc]' $LIST | join -o $FIELDS2 -110 -210 -v2 /dev/null - > $TMP1 -if [ -s $TMP1 ] ; then - # Check to make sure uudecode isn't setuid. - if grep -aw uudecode $TMP1 > /dev/null ; then - echo "Uudecode is setuid." - fi - - CUR=/var/backups/setuid.current - BACK=/var/backups/setuid.backup - - if [ -s $CUR ] ; then - if cmp -s $CUR $TMP1 ; then - : - else - next_part "Setuid additions:" - join -o $FIELDS2 -110 -210 -v2 $CUR $TMP1 | \ - tee $TMP2 | column -t - - next_part "Setuid deletions:" - join -o $FIELDS1 -110 -210 -v1 $CUR $TMP1 | \ - tee -a $TMP2 | column -t - - next_part "Setuid changes:" - sort +9 $TMP2 $CUR $TMP1 | \ - sed -e 's/[ ][ ]*/ /g' | uniq -u | column -t - - cp $CUR $BACK - cp $TMP1 $CUR - fi - else - next_part "Setuid additions:" - column -t $TMP1 - cp $TMP1 $CUR - fi -fi - -# Check for block and character disk devices that are readable or writeable -# or not owned by root.operator. -next_part "Checking disk ownership and permissions." ->$TMP1 -DISKLIST="ccd dk fd hd hk hp jb kra ra rb rd rl rx rz sd up vnd wd xd" -for i in $DISKLIST; do - egrep "^b.*/${i}[0-9][0-9]*[B-H]?[a-p]$" $LIST >> $TMP1 - egrep "^c.*/r${i}[0-9][0-9]*[B-H]?[a-p]$" $LIST >> $TMP1 -done - -awk '$3 != "root" || $4 != "operator" || $1 !~ /.rw-r-----/ \ - { printf("Disk %s is user %s, group %s, permissions %s.\n", \ - $11, $3, $4, $1); }' < $TMP1 - -FIELDS1=1.1,1.2,1.3,1.4,1.5,1.6,1.7,1.8,1.9,1.10,0 -FIELDS2=2.1,2.2,2.3,2.4,2.5,2.6,2.7,2.8,2.9,2.10,0 -# Display any changes in the device file list. -egrep -a '^[bc]' $LIST | sort +10 | \ - join -o $FIELDS2 -111 -211 -v2 /dev/null - > $TMP1 -if [ -s $TMP1 ] ; then - CUR=/var/backups/device.current - BACK=/var/backups/device.backup - - if [ -s $CUR ] ; then - if cmp -s $CUR $TMP1 ; then - : - else - next_part "Device additions:" - join -o $FIELDS2 -111 -211 -v2 $CUR $TMP1 | \ - tee $TMP2 | column -t - - next_part "Device deletions:" - join -o $FIELDS1 -111 -211 -v1 $CUR $TMP1 | \ - tee -a $TMP2 | column -t - - # Report any block device change. Ignore character - # devices, only the name is significant. - next_part "Block device changes:" - cat $TMP2 $CUR $TMP1 | \ - sed -e '/^c/d' | \ - sort +10 | \ - sed -e 's/[ ][ ]*/ /g' | \ - uniq -u | \ - column -t - - cp $CUR $BACK - cp $TMP1 $CUR - fi - else - next_part "Device additions:" - column -t $TMP1 - cp $TMP1 $CUR - fi -fi - -# Check special files. -# Check system binaries. -# -# Create the mtree tree specifications using: -# -# mtree -cx -p DIR -K md5digest,type >/etc/mtree/DIR.secure -# chown root:wheel /etc/mtree/DIR.secure -# chmod 600 /etc/mtree/DIR.secure -# -# Note, this is not complete protection against Trojan horsed binaries, as -# the hacker can modify the tree specification to match the replaced binary. -# For details on really protecting yourself against modified binaries, see -# the mtree(8) manual page. -next_part "Checking special files and directories. -Output format is:\n\tfilename:\n\t\tcriteria (shouldbe, reallyis)" -if [ -d /etc/mtree ] ; then - cd /etc/mtree - mtree -e -l -p / -f /etc/mtree/special - for file in *.secure; do - [ $file = '*.secure' ] && continue - tree=`sed -n -e '3s/.* //p' -e 3q $file` - next_part "Checking system binaries in ${tree}:" - mtree -f $file -p $tree - done -else - echo /etc/mtree is missing -fi - -# List of files that get backed up and checked for any modifications. Each -# file is expected to have two backups, /var/backups/file.{current,backup}. -# Any changes cause the files to rotate. -_fnchg() { - echo "$1" | sed 's/^\///;s/\//_/g' -} -if [ -s /etc/changelist ] ; then - for file in `egrep -v "^(#|\+|$MP)" /etc/changelist`; do - CUR=/var/backups/$(_fnchg "$file").current - BACK=/var/backups/$(_fnchg "$file").backup - next_part "======\n${file} diffs (-OLD +NEW)\n======" - if [ -s $file -a ! -d $file ] ; then - if [ -s $CUR ] ; then - diff -ua $CUR $file - if [ -s $PARTOUT ] ; then - cp -p $CUR $BACK - cp -p $file $CUR - chown root:wheel $CUR $BACK - fi - else - diff -u /dev/null $file - cp -p $file $CUR - chown root:wheel $CUR - fi - fi - if [ ! -s $file -a -s $CUR ]; then - diff -u $CUR /dev/null - cp -p $CUR $BACK - rm -f $CUR - chown root:wheel $BACK - fi - done - for file in `sed -n 's/^+//p' /etc/changelist`; do - CUR=/var/backups/$(_fnchg "$file").current.md5 - BACK=/var/backups/$(_fnchg "$file").backup.md5 - if [ -s $file -a ! -d $file ] ; then - MD5_NEW=`md5 $file | sed 's/^.* //'` - if [ -s $CUR ] ; then - MD5_OLD="`cat $CUR`" - if [ "$MD5_NEW" != "$MD5_OLD" ]; then - next_part "======\n${file} MD5 checksums\n======" - echo "OLD: $MD5_OLD" - echo "NEW: $MD5_NEW" - cp -p $CUR $BACK - echo $MD5_NEW > $CUR - chown root:wheel $CUR $BACK - chmod 600 $CUR - fi - else - next_part "======\n${file} new MD5 checksum\n======" - echo "NEW: $MD5_NEW" - echo $MD5_NEW > $CUR - chown root:wheel $CUR - chmod 600 $CUR - fi - fi - if [ ! -s $file -a -s $CUR ]; then - MD5_OLD="`cat $CUR`" - next_part "======\n${file} removed MD5 checksum\n======" - echo "OLD: $MD5_OLD" - cp -p $CUR $BACK - rm $CUR - chown root:wheel $BACK - fi - done -fi - -# Make backups of the labels for any mounted disks and produce diffs -# when they change. -for d in `df -ln | sed -n 's:^/dev/\([a-z]*[0-9]*\)[a-p].*$:\1:p' | sort -u`; do - file=/var/backups/disklabel.$d - CUR=$file.current - BACK=$file.backup - next_part "======\n${d} diffs (-OLD +NEW)\n======" - if disklabel $d > $file 2>&1 ; then - if [ -s $CUR ] ; then - diff -u $CUR $file - if [ -s $PARTOUT ] ; then - cp -p $CUR $BACK - cp -p $file $CUR - chown root:wheel $CUR $BACK - fi - else - cp -p $file $CUR - chown root:wheel $CUR - fi - fi - rm -f $file -done - -# Backup the list of installed packages and produce diffs when it changes. -next_part "======\nPackage list changes (-OLD +NEW)\n======" -file=/var/backups/pkglist -CUR=$file.current -BACK=$file.backup -if pkg_info > $file 2>&1 ; then - if [ -s $CUR ] ; then - diff -u $CUR $file - if [ -s $PARTOUT ] ; then - cp -p $CUR $BACK - cp -p $file $CUR - chown root:wheel $CUR $BACK - fi - else - cp -p $file $CUR - chown root:wheel $CUR - fi -fi -rm -f $file