Browse Source

Merged our changes back into 4.4BSD version.

Can't do "find -ls" since we need to store the date in an absolute format
(ls -T).  Use "find -print0" | xargs -0 instead.
OPENBSD_2_1
millert 28 years ago
parent
commit
bbb3533e89
1 changed files with 49 additions and 46 deletions
  1. +49
    -46
      src/etc/security

+ 49
- 46
src/etc/security View File

@ -1,7 +1,9 @@
#!/bin/sh -
#
# $OpenBSD: security,v 1.12 1996/11/23 19:10:43 millert Exp $
# $OpenBSD: security,v 1.13 1996/11/30 17:50:58 millert Exp $
# from: @(#)security 8.1 (Berkeley) 6/9/93
#
PATH=/sbin:/usr/sbin:/bin:/usr/bin
umask 077
@ -14,7 +16,6 @@ TMP3=$DIR/_secure4
LIST=$DIR/_secure5
OUTPUT=$DIR/_secure6
if ! mkdir $DIR ; then
printf "tmp directory %s already exists, looks like:\n" $DIR
ls -alF $DIR
@ -35,7 +36,7 @@ awk -F: '{
if ($1 ~ /^[+-].*$/)
next;
if ($1 == "")
printf("Line %d has an empty login field.\n",NR);
printf("Line %d has an empty login field.\n", NR);
else if ($1 !~ /^[A-Za-z0-9][A-Za-z0-9_-]*$/)
printf("Login %s has non-alphanumeric characters.\n", $1);
if (length($1) > 8)
@ -104,7 +105,7 @@ awk -F: '{
next;
if (NF != 4)
printf("Line %d has the wrong number of fields.\n", NR);
if ($1 !~ /^[A-za-z0-9]*$/)
if ($1 !~ /^[A-za-z0-9][A-za-z0-9_-]*$/)
printf("Group %s has non-alphanumeric characters.\n", $1);
if (length($1) > 8)
printf("Group %s has more than 8 characters.\n", $1);
@ -160,7 +161,7 @@ end-of-csh
done
if [ $umaskset = "no" -o -s $OUTPUT ] ; then
printf "\nChecking root csh paths, umask values:\n$list\n"
if [ -s $OUTPUT ]; then
if [ -s $OUTPUT ] ; then
cat $OUTPUT
fi
if [ $umaskset = "no" ] ; then
@ -204,7 +205,7 @@ end-of-sh
done
if [ $umaskset = "no" -o -s $OUTPUT ] ; then
printf "\nChecking root sh paths, umask values:\n$list\n"
if [ -s $OUTPUT ]; then
if [ -s $OUTPUT ] ; then
cat $OUTPUT
fi
if [ $umaskset = "no" ] ; then
@ -234,17 +235,17 @@ list="/etc/hosts.equiv /etc/shosts.equiv /etc/hosts.lpd"
for f in $list ; do
if [ -s $f ] ; then
awk '{
if ($0 ~ /^\+@.*$/ )
if ($0 ~ /^\+@.*$/)
next;
if ($0 ~ /^\+.*$/ )
if ($0 ~ /^\+.*$/)
printf("\nPlus sign in %s file.\n", FILENAME);
}' $f
fi
done
# Check for special users with .rhosts/.shosts files. Only root should
# have .rhosts/.shosts files. Also, .rhosts/.shosts files
# should not have plus signs.
# Check for special users with .rhosts/.shosts files. Only root
# should have .rhosts/.shosts files. Also, .rhosts/.shosts
# files should not have plus signs.
awk -F: '$1 != "root" && $1 !~ /^[+-].*$/ && \
($3 < 100 || $1 == "ftp" || $1 == "uucp") \
{ print $1 " " $6 }' /etc/passwd |
@ -264,13 +265,13 @@ fi
awk -F: '{ print $1 " " $6 }' /etc/passwd | \
while read uid homedir; do
for j in .rhosts .shosts; do
if [ -f ${homedir}/$j ] ; then
if [ -s ${homedir}/$j ] ; then
awk '{
if ($0 ~ /^+@.*$/ )
next;
if ($0 ~ /^\+[ ]*$/ )
printf("%s has + sign in it.\n",
FILENAME);
FILENAME);
}' ${homedir}/$j
fi
done
@ -282,7 +283,7 @@ fi
# Check home directories. Directories should not be owned by someone else
# or writeable.
awk -F: '{ if ( $1 !~ /^[+-].*$/ ) print $1 " " $6 }' /etc/passwd | \
awk -F: '{ if ($1 !~ /^[+-].*$/) print $1 " " $6 }' /etc/passwd | \
while read uid homedir; do
if [ -d ${homedir}/ ] ; then
file=`ls -ldgT ${homedir}`
@ -313,6 +314,8 @@ while read uid homedir; do
done |
awk '$1 != $5 && $5 != "root" \
{ print "user " $1 " " $2 " file is owned by " $5 }
$3 ~ /^-...r/ \
{ print "user " $1 " " $2 " file is group readable" }
$3 ~ /^-......r/ \
{ print "user " $1 " " $2 " file is other readable" }
$3 ~ /^-....w/ \
@ -354,36 +357,36 @@ if [ -s $OUTPUT ] ; then
cat $OUTPUT
fi
if [ -f /etc/exports ]; then
# File systems should not be globally exported.
awk '{
if ($1 ~ /^#/)
next;
readonly = 0;
for (i = 2; i <= NF; ++i) {
if ($i ~ /-ro/)
readonly = 1;
else if ($i !~ /^-/)
# File systems should not be globally exported.
if [ -s /etc/exports ] ; then
awk '{
if ($1 ~ /^#/)
next;
}
if (readonly)
print "File system " $1 " globally exported, read-only."
else
print "File system " $1 " globally exported, read-write."
}' < /etc/exports > $OUTPUT
if [ -s $OUTPUT ] ; then
printf "\nChecking for globally exported file systems.\n"
cat $OUTPUT
fi
readonly = 0;
for (i = 2; i <= NF; ++i) {
if ($i ~ /-ro/)
readonly = 1;
else if ($i !~ /^-/)
next;
}
if (readonly)
print "File system " $1 " globally exported, read-only."
else
print "File system " $1 " globally exported, read-write."
}' < /etc/exports > $OUTPUT
if [ -s $OUTPUT ] ; then
printf "\nChecking for globally exported file systems.\n"
cat $OUTPUT
fi
fi
# Display any changes in setuid/setgid files and devices.
pending="\nChecking setuid/setgid files and devices:\n"
(find / \( ! -fstype local -o -fstype fdesc -o -fstype kernfs \
-o -fstype procfs \) -a -prune -o \
-type f -a \( -perm -u+s -o -perm -g+s \) -ls -o \
! -type d -a ! -type f -a ! -type l -a ! -type s -ls | \
sort > $LIST) 2> $OUTPUT
-o -fstype procfs \) -a -prune -o \
-type f -a \( -perm -u+s -o -perm -g+s \) -print0 -o \
! -type d -a ! -type f -a ! -type l -a ! -type s -print0 | \
xargs -0 ls -ldgT | sort +9 > $LIST) 2> $OUTPUT
# Display any errors that occurred during system file walk.
if [ -s $OUTPUT ] ; then
@ -394,7 +397,7 @@ if [ -s $OUTPUT ] ; then
fi
# Display any changes in the setuid/setgid file list.
egrep -v '^ *[0-9]+ +[0-9]+ +[bc]' $LIST > $TMP1
egrep -v '^[bc]' $LIST > $TMP1
if [ -s $TMP1 ] ; then
# Check to make sure uudecode isn't setuid.
if grep -w uudecode $TMP1 > /dev/null ; then
@ -410,7 +413,7 @@ if [ -s $TMP1 ] ; then
:
else
> $TMP2
join -112 -212 -v2 $CUR $TMP1 > $OUTPUT
join -110 -210 -v2 $CUR $TMP1 > $OUTPUT
if [ -s $OUTPUT ] ; then
printf "${pending}Setuid additions:\n"
pending=
@ -418,7 +421,7 @@ if [ -s $TMP1 ] ; then
printf "\n"
fi
join -112 -212 -v1 $CUR $TMP1 > $OUTPUT
join -110 -210 -v1 $CUR $TMP1 > $OUTPUT
if [ -s $OUTPUT ] ; then
printf "${pending}Setuid deletions:\n"
pending=
@ -426,7 +429,7 @@ if [ -s $TMP1 ] ; then
printf "\n"
fi
sort +11 $TMP2 $CUR $TMP1 | \
sort +9 $TMP2 $CUR $TMP1 | \
sed -e 's/[ ][ ]*/ /g' | uniq -u > $OUTPUT
if [ -s $OUTPUT ] ; then
printf "${pending}Setuid changes:\n"
@ -450,7 +453,7 @@ fi
# Check for block and character disk devices that are readable or writeable
# or not owned by root.operator.
>$TMP1
DISKLIST="dk fd hd hk hp jb kra ra rb rd rl rx xd rz sd up wd vnd ccd"
DISKLIST="ccd dk fd hd hk hp jb kra ra rb rd rl rx rz sd up vnd wd xd"
for i in $DISKLIST; do
egrep "^b.*/${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1
egrep "^c.*/r${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1
@ -527,7 +530,7 @@ fi
# the hacker can modify the tree specification to match the replaced binary.
# For details on really protecting yourself against modified binaries, see
# the mtree(8) manual page.
if [ -d /etc/mtree ]; then
if [ -d /etc/mtree ] ; then
cd /etc/mtree
mtree -e -p / -f /etc/mtree/special > $OUTPUT
if [ -s $OUTPUT ] ; then
@ -540,7 +543,7 @@ if [ -d /etc/mtree ]; then
[ $file = '*.secure' ] && continue
tree=`sed -n -e '3s/.* //p' -e 3q $file`
mtree -f $file -p $tree > $TMP1
if [ -s $TMP1 ]; then
if [ -s $TMP1 ] ; then
printf "\nChecking $tree:\n" >> $OUTPUT
cat $TMP1 >> $OUTPUT
fi
@ -560,7 +563,7 @@ if [ -s /etc/changelist ] ; then
for file in `cat /etc/changelist`; do
CUR=/var/backups/`basename $file`.current
BACK=/var/backups/`basename $file`.backup
if [ -s $file ]; then
if [ -s $file ] ; then
if [ -s $CUR ] ; then
diff $CUR $file > $OUTPUT
if [ -s $OUTPUT ] ; then


Loading…
Cancel
Save