|
@ -1,7 +1,9 @@ |
|
|
#!/bin/sh - |
|
|
#!/bin/sh - |
|
|
# |
|
|
# |
|
|
# $OpenBSD: security,v 1.12 1996/11/23 19:10:43 millert Exp $ |
|
|
|
|
|
|
|
|
# $OpenBSD: security,v 1.13 1996/11/30 17:50:58 millert Exp $ |
|
|
|
|
|
# from: @(#)security 8.1 (Berkeley) 6/9/93 |
|
|
# |
|
|
# |
|
|
|
|
|
|
|
|
PATH=/sbin:/usr/sbin:/bin:/usr/bin |
|
|
PATH=/sbin:/usr/sbin:/bin:/usr/bin |
|
|
|
|
|
|
|
|
umask 077 |
|
|
umask 077 |
|
@ -14,7 +16,6 @@ TMP3=$DIR/_secure4 |
|
|
LIST=$DIR/_secure5 |
|
|
LIST=$DIR/_secure5 |
|
|
OUTPUT=$DIR/_secure6 |
|
|
OUTPUT=$DIR/_secure6 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if ! mkdir $DIR ; then |
|
|
if ! mkdir $DIR ; then |
|
|
printf "tmp directory %s already exists, looks like:\n" $DIR |
|
|
printf "tmp directory %s already exists, looks like:\n" $DIR |
|
|
ls -alF $DIR |
|
|
ls -alF $DIR |
|
@ -35,7 +36,7 @@ awk -F: '{ |
|
|
if ($1 ~ /^[+-].*$/) |
|
|
if ($1 ~ /^[+-].*$/) |
|
|
next; |
|
|
next; |
|
|
if ($1 == "") |
|
|
if ($1 == "") |
|
|
printf("Line %d has an empty login field.\n",NR); |
|
|
|
|
|
|
|
|
printf("Line %d has an empty login field.\n", NR); |
|
|
else if ($1 !~ /^[A-Za-z0-9][A-Za-z0-9_-]*$/) |
|
|
else if ($1 !~ /^[A-Za-z0-9][A-Za-z0-9_-]*$/) |
|
|
printf("Login %s has non-alphanumeric characters.\n", $1); |
|
|
printf("Login %s has non-alphanumeric characters.\n", $1); |
|
|
if (length($1) > 8) |
|
|
if (length($1) > 8) |
|
@ -104,7 +105,7 @@ awk -F: '{ |
|
|
next; |
|
|
next; |
|
|
if (NF != 4) |
|
|
if (NF != 4) |
|
|
printf("Line %d has the wrong number of fields.\n", NR); |
|
|
printf("Line %d has the wrong number of fields.\n", NR); |
|
|
if ($1 !~ /^[A-za-z0-9]*$/) |
|
|
|
|
|
|
|
|
if ($1 !~ /^[A-za-z0-9][A-za-z0-9_-]*$/) |
|
|
printf("Group %s has non-alphanumeric characters.\n", $1); |
|
|
printf("Group %s has non-alphanumeric characters.\n", $1); |
|
|
if (length($1) > 8) |
|
|
if (length($1) > 8) |
|
|
printf("Group %s has more than 8 characters.\n", $1); |
|
|
printf("Group %s has more than 8 characters.\n", $1); |
|
@ -160,7 +161,7 @@ end-of-csh |
|
|
done |
|
|
done |
|
|
if [ $umaskset = "no" -o -s $OUTPUT ] ; then |
|
|
if [ $umaskset = "no" -o -s $OUTPUT ] ; then |
|
|
printf "\nChecking root csh paths, umask values:\n$list\n" |
|
|
printf "\nChecking root csh paths, umask values:\n$list\n" |
|
|
if [ -s $OUTPUT ]; then |
|
|
|
|
|
|
|
|
if [ -s $OUTPUT ] ; then |
|
|
cat $OUTPUT |
|
|
cat $OUTPUT |
|
|
fi |
|
|
fi |
|
|
if [ $umaskset = "no" ] ; then |
|
|
if [ $umaskset = "no" ] ; then |
|
@ -204,7 +205,7 @@ end-of-sh |
|
|
done |
|
|
done |
|
|
if [ $umaskset = "no" -o -s $OUTPUT ] ; then |
|
|
if [ $umaskset = "no" -o -s $OUTPUT ] ; then |
|
|
printf "\nChecking root sh paths, umask values:\n$list\n" |
|
|
printf "\nChecking root sh paths, umask values:\n$list\n" |
|
|
if [ -s $OUTPUT ]; then |
|
|
|
|
|
|
|
|
if [ -s $OUTPUT ] ; then |
|
|
cat $OUTPUT |
|
|
cat $OUTPUT |
|
|
fi |
|
|
fi |
|
|
if [ $umaskset = "no" ] ; then |
|
|
if [ $umaskset = "no" ] ; then |
|
@ -234,17 +235,17 @@ list="/etc/hosts.equiv /etc/shosts.equiv /etc/hosts.lpd" |
|
|
for f in $list ; do |
|
|
for f in $list ; do |
|
|
if [ -s $f ] ; then |
|
|
if [ -s $f ] ; then |
|
|
awk '{ |
|
|
awk '{ |
|
|
if ($0 ~ /^\+@.*$/ ) |
|
|
|
|
|
|
|
|
if ($0 ~ /^\+@.*$/) |
|
|
next; |
|
|
next; |
|
|
if ($0 ~ /^\+.*$/ ) |
|
|
|
|
|
|
|
|
if ($0 ~ /^\+.*$/) |
|
|
printf("\nPlus sign in %s file.\n", FILENAME); |
|
|
printf("\nPlus sign in %s file.\n", FILENAME); |
|
|
}' $f |
|
|
}' $f |
|
|
fi |
|
|
fi |
|
|
done |
|
|
done |
|
|
|
|
|
|
|
|
# Check for special users with .rhosts/.shosts files. Only root should |
|
|
|
|
|
# have .rhosts/.shosts files. Also, .rhosts/.shosts files |
|
|
|
|
|
# should not have plus signs. |
|
|
|
|
|
|
|
|
# Check for special users with .rhosts/.shosts files. Only root |
|
|
|
|
|
# should have .rhosts/.shosts files. Also, .rhosts/.shosts |
|
|
|
|
|
# files should not have plus signs. |
|
|
awk -F: '$1 != "root" && $1 !~ /^[+-].*$/ && \ |
|
|
awk -F: '$1 != "root" && $1 !~ /^[+-].*$/ && \ |
|
|
($3 < 100 || $1 == "ftp" || $1 == "uucp") \ |
|
|
($3 < 100 || $1 == "ftp" || $1 == "uucp") \ |
|
|
{ print $1 " " $6 }' /etc/passwd | |
|
|
{ print $1 " " $6 }' /etc/passwd | |
|
@ -264,13 +265,13 @@ fi |
|
|
awk -F: '{ print $1 " " $6 }' /etc/passwd | \ |
|
|
awk -F: '{ print $1 " " $6 }' /etc/passwd | \ |
|
|
while read uid homedir; do |
|
|
while read uid homedir; do |
|
|
for j in .rhosts .shosts; do |
|
|
for j in .rhosts .shosts; do |
|
|
if [ -f ${homedir}/$j ] ; then |
|
|
|
|
|
|
|
|
if [ -s ${homedir}/$j ] ; then |
|
|
awk '{ |
|
|
awk '{ |
|
|
if ($0 ~ /^+@.*$/ ) |
|
|
if ($0 ~ /^+@.*$/ ) |
|
|
next; |
|
|
next; |
|
|
if ($0 ~ /^\+[ ]*$/ ) |
|
|
if ($0 ~ /^\+[ ]*$/ ) |
|
|
printf("%s has + sign in it.\n", |
|
|
printf("%s has + sign in it.\n", |
|
|
FILENAME); |
|
|
|
|
|
|
|
|
FILENAME); |
|
|
}' ${homedir}/$j |
|
|
}' ${homedir}/$j |
|
|
fi |
|
|
fi |
|
|
done |
|
|
done |
|
@ -282,7 +283,7 @@ fi |
|
|
|
|
|
|
|
|
# Check home directories. Directories should not be owned by someone else |
|
|
# Check home directories. Directories should not be owned by someone else |
|
|
# or writeable. |
|
|
# or writeable. |
|
|
awk -F: '{ if ( $1 !~ /^[+-].*$/ ) print $1 " " $6 }' /etc/passwd | \ |
|
|
|
|
|
|
|
|
awk -F: '{ if ($1 !~ /^[+-].*$/) print $1 " " $6 }' /etc/passwd | \ |
|
|
while read uid homedir; do |
|
|
while read uid homedir; do |
|
|
if [ -d ${homedir}/ ] ; then |
|
|
if [ -d ${homedir}/ ] ; then |
|
|
file=`ls -ldgT ${homedir}` |
|
|
file=`ls -ldgT ${homedir}` |
|
@ -313,6 +314,8 @@ while read uid homedir; do |
|
|
done | |
|
|
done | |
|
|
awk '$1 != $5 && $5 != "root" \ |
|
|
awk '$1 != $5 && $5 != "root" \ |
|
|
{ print "user " $1 " " $2 " file is owned by " $5 } |
|
|
{ print "user " $1 " " $2 " file is owned by " $5 } |
|
|
|
|
|
$3 ~ /^-...r/ \ |
|
|
|
|
|
{ print "user " $1 " " $2 " file is group readable" } |
|
|
$3 ~ /^-......r/ \ |
|
|
$3 ~ /^-......r/ \ |
|
|
{ print "user " $1 " " $2 " file is other readable" } |
|
|
{ print "user " $1 " " $2 " file is other readable" } |
|
|
$3 ~ /^-....w/ \ |
|
|
$3 ~ /^-....w/ \ |
|
@ -354,36 +357,36 @@ if [ -s $OUTPUT ] ; then |
|
|
cat $OUTPUT |
|
|
cat $OUTPUT |
|
|
fi |
|
|
fi |
|
|
|
|
|
|
|
|
if [ -f /etc/exports ]; then |
|
|
|
|
|
# File systems should not be globally exported. |
|
|
|
|
|
awk '{ |
|
|
|
|
|
if ($1 ~ /^#/) |
|
|
|
|
|
next; |
|
|
|
|
|
readonly = 0; |
|
|
|
|
|
for (i = 2; i <= NF; ++i) { |
|
|
|
|
|
if ($i ~ /-ro/) |
|
|
|
|
|
readonly = 1; |
|
|
|
|
|
else if ($i !~ /^-/) |
|
|
|
|
|
|
|
|
# File systems should not be globally exported. |
|
|
|
|
|
if [ -s /etc/exports ] ; then |
|
|
|
|
|
awk '{ |
|
|
|
|
|
if ($1 ~ /^#/) |
|
|
next; |
|
|
next; |
|
|
} |
|
|
|
|
|
if (readonly) |
|
|
|
|
|
print "File system " $1 " globally exported, read-only." |
|
|
|
|
|
else |
|
|
|
|
|
print "File system " $1 " globally exported, read-write." |
|
|
|
|
|
}' < /etc/exports > $OUTPUT |
|
|
|
|
|
if [ -s $OUTPUT ] ; then |
|
|
|
|
|
printf "\nChecking for globally exported file systems.\n" |
|
|
|
|
|
cat $OUTPUT |
|
|
|
|
|
fi |
|
|
|
|
|
|
|
|
readonly = 0; |
|
|
|
|
|
for (i = 2; i <= NF; ++i) { |
|
|
|
|
|
if ($i ~ /-ro/) |
|
|
|
|
|
readonly = 1; |
|
|
|
|
|
else if ($i !~ /^-/) |
|
|
|
|
|
next; |
|
|
|
|
|
} |
|
|
|
|
|
if (readonly) |
|
|
|
|
|
print "File system " $1 " globally exported, read-only." |
|
|
|
|
|
else |
|
|
|
|
|
print "File system " $1 " globally exported, read-write." |
|
|
|
|
|
}' < /etc/exports > $OUTPUT |
|
|
|
|
|
if [ -s $OUTPUT ] ; then |
|
|
|
|
|
printf "\nChecking for globally exported file systems.\n" |
|
|
|
|
|
cat $OUTPUT |
|
|
|
|
|
fi |
|
|
fi |
|
|
fi |
|
|
|
|
|
|
|
|
# Display any changes in setuid/setgid files and devices. |
|
|
# Display any changes in setuid/setgid files and devices. |
|
|
pending="\nChecking setuid/setgid files and devices:\n" |
|
|
pending="\nChecking setuid/setgid files and devices:\n" |
|
|
(find / \( ! -fstype local -o -fstype fdesc -o -fstype kernfs \ |
|
|
(find / \( ! -fstype local -o -fstype fdesc -o -fstype kernfs \ |
|
|
-o -fstype procfs \) -a -prune -o \ |
|
|
|
|
|
-type f -a \( -perm -u+s -o -perm -g+s \) -ls -o \ |
|
|
|
|
|
! -type d -a ! -type f -a ! -type l -a ! -type s -ls | \ |
|
|
|
|
|
sort > $LIST) 2> $OUTPUT |
|
|
|
|
|
|
|
|
-o -fstype procfs \) -a -prune -o \ |
|
|
|
|
|
-type f -a \( -perm -u+s -o -perm -g+s \) -print0 -o \ |
|
|
|
|
|
! -type d -a ! -type f -a ! -type l -a ! -type s -print0 | \ |
|
|
|
|
|
xargs -0 ls -ldgT | sort +9 > $LIST) 2> $OUTPUT |
|
|
|
|
|
|
|
|
# Display any errors that occurred during system file walk. |
|
|
# Display any errors that occurred during system file walk. |
|
|
if [ -s $OUTPUT ] ; then |
|
|
if [ -s $OUTPUT ] ; then |
|
@ -394,7 +397,7 @@ if [ -s $OUTPUT ] ; then |
|
|
fi |
|
|
fi |
|
|
|
|
|
|
|
|
# Display any changes in the setuid/setgid file list. |
|
|
# Display any changes in the setuid/setgid file list. |
|
|
egrep -v '^ *[0-9]+ +[0-9]+ +[bc]' $LIST > $TMP1 |
|
|
|
|
|
|
|
|
egrep -v '^[bc]' $LIST > $TMP1 |
|
|
if [ -s $TMP1 ] ; then |
|
|
if [ -s $TMP1 ] ; then |
|
|
# Check to make sure uudecode isn't setuid. |
|
|
# Check to make sure uudecode isn't setuid. |
|
|
if grep -w uudecode $TMP1 > /dev/null ; then |
|
|
if grep -w uudecode $TMP1 > /dev/null ; then |
|
@ -410,7 +413,7 @@ if [ -s $TMP1 ] ; then |
|
|
: |
|
|
: |
|
|
else |
|
|
else |
|
|
> $TMP2 |
|
|
> $TMP2 |
|
|
join -112 -212 -v2 $CUR $TMP1 > $OUTPUT |
|
|
|
|
|
|
|
|
join -110 -210 -v2 $CUR $TMP1 > $OUTPUT |
|
|
if [ -s $OUTPUT ] ; then |
|
|
if [ -s $OUTPUT ] ; then |
|
|
printf "${pending}Setuid additions:\n" |
|
|
printf "${pending}Setuid additions:\n" |
|
|
pending= |
|
|
pending= |
|
@ -418,7 +421,7 @@ if [ -s $TMP1 ] ; then |
|
|
printf "\n" |
|
|
printf "\n" |
|
|
fi |
|
|
fi |
|
|
|
|
|
|
|
|
join -112 -212 -v1 $CUR $TMP1 > $OUTPUT |
|
|
|
|
|
|
|
|
join -110 -210 -v1 $CUR $TMP1 > $OUTPUT |
|
|
if [ -s $OUTPUT ] ; then |
|
|
if [ -s $OUTPUT ] ; then |
|
|
printf "${pending}Setuid deletions:\n" |
|
|
printf "${pending}Setuid deletions:\n" |
|
|
pending= |
|
|
pending= |
|
@ -426,7 +429,7 @@ if [ -s $TMP1 ] ; then |
|
|
printf "\n" |
|
|
printf "\n" |
|
|
fi |
|
|
fi |
|
|
|
|
|
|
|
|
sort +11 $TMP2 $CUR $TMP1 | \ |
|
|
|
|
|
|
|
|
sort +9 $TMP2 $CUR $TMP1 | \ |
|
|
sed -e 's/[ ][ ]*/ /g' | uniq -u > $OUTPUT |
|
|
sed -e 's/[ ][ ]*/ /g' | uniq -u > $OUTPUT |
|
|
if [ -s $OUTPUT ] ; then |
|
|
if [ -s $OUTPUT ] ; then |
|
|
printf "${pending}Setuid changes:\n" |
|
|
printf "${pending}Setuid changes:\n" |
|
@ -450,7 +453,7 @@ fi |
|
|
# Check for block and character disk devices that are readable or writeable |
|
|
# Check for block and character disk devices that are readable or writeable |
|
|
# or not owned by root.operator. |
|
|
# or not owned by root.operator. |
|
|
>$TMP1 |
|
|
>$TMP1 |
|
|
DISKLIST="dk fd hd hk hp jb kra ra rb rd rl rx xd rz sd up wd vnd ccd" |
|
|
|
|
|
|
|
|
DISKLIST="ccd dk fd hd hk hp jb kra ra rb rd rl rx rz sd up vnd wd xd" |
|
|
for i in $DISKLIST; do |
|
|
for i in $DISKLIST; do |
|
|
egrep "^b.*/${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1 |
|
|
egrep "^b.*/${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1 |
|
|
egrep "^c.*/r${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1 |
|
|
egrep "^c.*/r${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1 |
|
@ -527,7 +530,7 @@ fi |
|
|
# the hacker can modify the tree specification to match the replaced binary. |
|
|
# the hacker can modify the tree specification to match the replaced binary. |
|
|
# For details on really protecting yourself against modified binaries, see |
|
|
# For details on really protecting yourself against modified binaries, see |
|
|
# the mtree(8) manual page. |
|
|
# the mtree(8) manual page. |
|
|
if [ -d /etc/mtree ]; then |
|
|
|
|
|
|
|
|
if [ -d /etc/mtree ] ; then |
|
|
cd /etc/mtree |
|
|
cd /etc/mtree |
|
|
mtree -e -p / -f /etc/mtree/special > $OUTPUT |
|
|
mtree -e -p / -f /etc/mtree/special > $OUTPUT |
|
|
if [ -s $OUTPUT ] ; then |
|
|
if [ -s $OUTPUT ] ; then |
|
@ -540,7 +543,7 @@ if [ -d /etc/mtree ]; then |
|
|
[ $file = '*.secure' ] && continue |
|
|
[ $file = '*.secure' ] && continue |
|
|
tree=`sed -n -e '3s/.* //p' -e 3q $file` |
|
|
tree=`sed -n -e '3s/.* //p' -e 3q $file` |
|
|
mtree -f $file -p $tree > $TMP1 |
|
|
mtree -f $file -p $tree > $TMP1 |
|
|
if [ -s $TMP1 ]; then |
|
|
|
|
|
|
|
|
if [ -s $TMP1 ] ; then |
|
|
printf "\nChecking $tree:\n" >> $OUTPUT |
|
|
printf "\nChecking $tree:\n" >> $OUTPUT |
|
|
cat $TMP1 >> $OUTPUT |
|
|
cat $TMP1 >> $OUTPUT |
|
|
fi |
|
|
fi |
|
@ -560,7 +563,7 @@ if [ -s /etc/changelist ] ; then |
|
|
for file in `cat /etc/changelist`; do |
|
|
for file in `cat /etc/changelist`; do |
|
|
CUR=/var/backups/`basename $file`.current |
|
|
CUR=/var/backups/`basename $file`.current |
|
|
BACK=/var/backups/`basename $file`.backup |
|
|
BACK=/var/backups/`basename $file`.backup |
|
|
if [ -s $file ]; then |
|
|
|
|
|
|
|
|
if [ -s $file ] ; then |
|
|
if [ -s $CUR ] ; then |
|
|
if [ -s $CUR ] ; then |
|
|
diff $CUR $file > $OUTPUT |
|
|
diff $CUR $file > $OUTPUT |
|
|
if [ -s $OUTPUT ] ; then |
|
|
if [ -s $OUTPUT ] ; then |
|
|