version 1.27, 1997/08/22 09:40:17 |
version 1.28, 1997/09/18 05:16:19 |
|
|
ERR=secure1.$$ |
ERR=secure1.$$ |
TMP1=secure2.$$ |
TMP1=secure2.$$ |
TMP2=secure3.$$ |
TMP2=secure3.$$ |
MPUID=secure4.$$ |
MPBYUID=secure4.$$ |
MPPATH=secure5.$$ |
MPPATH=secure5.$$ |
LIST=secure6.$$ |
LIST=secure6.$$ |
OUTPUT=secure7.$$ |
OUTPUT=secure7.$$ |
Line 36 trap '/bin/rm -rf $SECUREDIR ; exit 0' 0 |
|
Line 36 trap '/bin/rm -rf $SECUREDIR ; exit 0' 0 |
|
MP=/etc/master.passwd |
MP=/etc/master.passwd |
|
|
# these is used several times. |
# these is used several times. |
awk -F: '{ print $1 " " $3 }' $MP | sort -k2n > $MPUID |
awk -F: '{ print $1 " " $3 }' $MP | sort -k2n > $MPBYUID |
awk -F: '{ print $1 " " $9 }' $MP | sort -k2 > $MPPATH |
awk -F: '{ print $1 " " $9 }' $MP | sort -k2 > $MPPATH |
|
|
# Check the master password file syntax. |
# Check the master password file syntax. |
Line 90 if [ "$check_passwd" = YES ]; then |
|
Line 90 if [ "$check_passwd" = YES ]; then |
|
column $OUTPUT |
column $OUTPUT |
fi |
fi |
|
|
< $MPUID uniq -d -f 1 | awk '{ print $2 }' > $TMP2 |
< $MPBYUID uniq -d -f 1 | awk '{ print $2 }' > $TMP2 |
if [ -s $TMP2 ] ; then |
if [ -s $TMP2 ] ; then |
printf "\n$MP has duplicate user id's.\n" |
printf "\n$MP has duplicate user id's.\n" |
while read uid; do |
while read uid; do |
grep -w $uid $MPUID |
grep -w $uid $MPBYUID |
done < $TMP2 | column |
done < $TMP2 | column |
fi |
fi |
fi |
fi |
|
|
# in other environments. Once the shells have been modified to warn |
# in other environments. Once the shells have been modified to warn |
# of '.' in the path, the path tests should go away. |
# of '.' in the path, the path tests should go away. |
if [ "$check_rootdotfiles" = YES ]; then |
if [ "$check_rootdotfiles" = YES ]; then |
cp /dev/null $OUTPUT |
> $OUTPUT |
rhome=`csh -fc "echo ~root"` |
rhome=`csh -fc "echo ~root"` |
umaskset=no |
umaskset=no |
list="/etc/csh.cshrc /etc/csh.login ${rhome}/.cshrc ${rhome}/.login" |
list="/etc/csh.cshrc /etc/csh.login ${rhome}/.cshrc ${rhome}/.login" |
|
|
fi |
fi |
fi |
fi |
|
|
cp /dev/null $OUTPUT |
> $OUTPUT |
rhome=/root |
rhome=/root |
umaskset=no |
umaskset=no |
list="/etc/profile ${rhome}/.profile" |
list="/etc/profile ${rhome}/.profile" |
|
|
# Root and uucp should both be in /etc/ftpusers. |
# Root and uucp should both be in /etc/ftpusers. |
# XXX This should be updated to support the new format... |
# XXX This should be updated to support the new format... |
if [ "$check_ftpusers" = YES ]; then |
if [ "$check_ftpusers" = YES ]; then |
list="root uucp" |
> $OUTPUT |
|
list="uucp "`awk '$2 == 0 { print $1 }' $MPBYUID` |
for i in $list; do |
for i in $list; do |
if ! egrep "^$i$" /etc/ftpusers > /dev/null ; then |
if ! egrep "^$i$" /etc/ftpusers > /dev/null ; then |
printf "\n$i is not listed in /etc/ftpusers file.\n" |
printf "\t$i is not present\n" \ >> $OUTPUT |
fi |
fi |
done |
done |
|
if [ -s $OUTPUT ]; then |
|
printf "\nChecking the /etc/ftpusers configuration:\n" |
|
cat $OUTPUT |
|
fi |
fi |
fi |
|
|
# Uudecode should not be in the /etc/aliases file. |
# Uudecode should not be in the /etc/aliases file. |
|
|
|
|
# Display any changes in setuid files and devices. |
# Display any changes in setuid files and devices. |
if [ "$check_devices" = YES ]; then |
if [ "$check_devices" = YES ]; then |
printf "\nChecking setuid files and devices:\n" |
> $ERR |
(find / \( ! -fstype local -o -fstype fdesc -o -fstype kernfs \ |
(find / \( ! -fstype local -o -fstype fdesc -o -fstype kernfs \ |
-o -fstype procfs \) -a -prune -o \ |
-o -fstype procfs \) -a -prune -o \ |
\( \( -perm -u+s -a ! -type d \) -o \ |
\( \( -perm -u+s -a ! -type d \) -o \ |
Line 423 if [ "$check_devices" = YES ]; then |
|
Line 428 if [ "$check_devices" = YES ]; then |
|
|
|
# Display any errors that occurred during system file walk. |
# Display any errors that occurred during system file walk. |
if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
printf "Setuid/device find errors:\n" |
printf "Setuid/device find errors:\n" >> $ERR |
cat $OUTPUT |
cat $OUTPUT >> $ERR |
printf "\n" |
printf "\n" >> $ERR |
fi |
fi |
|
|
# Display any changes in the setuid file list. |
# Display any changes in the setuid file list. |
Line 433 if [ "$check_devices" = YES ]; then |
|
Line 438 if [ "$check_devices" = YES ]; then |
|
if [ -s $TMP1 ] ; then |
if [ -s $TMP1 ] ; then |
# Check to make sure uudecode isn't setuid. |
# Check to make sure uudecode isn't setuid. |
if grep -w uudecode $TMP1 > /dev/null ; then |
if grep -w uudecode $TMP1 > /dev/null ; then |
printf "\nUudecode is setuid.\n" |
printf "\nUudecode is setuid.\n" >> $ERR |
fi |
fi |
|
|
CUR=/var/backups/setuid.current |
CUR=/var/backups/setuid.current |
Line 446 if [ "$check_devices" = YES ]; then |
|
Line 451 if [ "$check_devices" = YES ]; then |
|
> $TMP2 |
> $TMP2 |
join -110 -210 -v2 $CUR $TMP1 > $OUTPUT |
join -110 -210 -v2 $CUR $TMP1 > $OUTPUT |
if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
printf "Setuid additions:\n" |
printf "Setuid additions:\n" >> $ERR |
tee -a $TMP2 < $OUTPUT |
tee -a $TMP2 < $OUTPUT >> $ERR |
printf "\n" |
printf "\n" >> $ERR |
fi |
fi |
|
|
join -110 -210 -v1 $CUR $TMP1 > $OUTPUT |
join -110 -210 -v1 $CUR $TMP1 > $OUTPUT |
if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
printf "Setuid deletions:\n" |
printf "Setuid deletions:\n" >> $ERR |
tee -a $TMP2 < $OUTPUT |
tee -a $TMP2 < $OUTPUT >> $ERR |
printf "\n" |
printf "\n" >> $ERR |
fi |
fi |
|
|
sort -k10 $TMP2 $CUR $TMP1 | \ |
sort -k10 $TMP2 $CUR $TMP1 | \ |
sed -e 's/[ ][ ]*/ /g' | \ |
sed -e 's/[ ][ ]*/ /g' | \ |
uniq -u > $OUTPUT |
uniq -u > $OUTPUT |
if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
printf "Setuid changes:\n" |
printf "Setuid changes:\n" >> $ERR |
column -t $OUTPUT |
column -t $OUTPUT >> $ERR |
printf "\n" |
printf "\n" >> $ERR |
fi |
fi |
|
|
cp $CUR $BACK |
cp $CUR $BACK |
cp $TMP1 $CUR |
cp $TMP1 $CUR |
fi |
fi |
else |
else |
printf "Setuid additions:\n" |
printf "Setuid additions:\n" >> $ERR |
column -t $TMP1 |
column -t $TMP1 >> $ERR |
printf "\n" |
printf "\n" >> $ERR |
cp $TMP1 $CUR |
cp $TMP1 $CUR |
fi |
fi |
fi |
fi |
Line 493 if [ "$check_devices" = YES ]; then |
|
Line 498 if [ "$check_devices" = YES ]; then |
|
{ printf "Disk %s is user %s, group %s, permissions %s.\n", \ |
{ printf "Disk %s is user %s, group %s, permissions %s.\n", \ |
$11, $3, $4, $1; }' < $TMP1 > $OUTPUT |
$11, $3, $4, $1; }' < $TMP1 > $OUTPUT |
if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
printf "\nChecking disk ownership and permissions.\n" |
printf "\nChecking disk ownership and permissions.\n" >> $ERR |
cat $OUTPUT |
cat $OUTPUT >> $ERR |
printf "\n" |
printf "\n" >> $ERR |
fi |
fi |
|
|
# Display any changes in the device file list. |
# Display any changes in the device file list. |
Line 511 if [ "$check_devices" = YES ]; then |
|
Line 516 if [ "$check_devices" = YES ]; then |
|
> $TMP2 |
> $TMP2 |
join -111 -211 -v2 $CUR $TMP1 > $OUTPUT |
join -111 -211 -v2 $CUR $TMP1 > $OUTPUT |
if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
printf "Device additions:\n" |
printf "Device additions:\n" >> $ERR |
tee -a $TMP2 < $OUTPUT |
tee -a $TMP2 < $OUTPUT >> $ERR |
printf "\n" |
printf "\n" >> $ERR |
fi |
fi |
|
|
join -111 -211 -v1 $CUR $TMP1 > $OUTPUT |
join -111 -211 -v1 $CUR $TMP1 > $OUTPUT |
if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
printf "Device deletions:\n" |
printf "Device deletions:\n" >> $ERR |
tee -a $TMP2 < $OUTPUT |
tee -a $TMP2 < $OUTPUT >> $ERR |
printf "\n" |
printf "\n" >> $ERR |
fi |
fi |
|
|
# Report any block device change. Ignore |
# Report any block device change. Ignore |
Line 532 if [ "$check_devices" = YES ]; then |
|
Line 537 if [ "$check_devices" = YES ]; then |
|
sed -e 's/[ ][ ]*/ /g' | \ |
sed -e 's/[ ][ ]*/ /g' | \ |
uniq -u > $OUTPUT |
uniq -u > $OUTPUT |
if [ -s $OUTPUT ] ; then |
if [ -s $OUTPUT ] ; then |
printf "Block device changes:\n" |
printf "Block device changes:\n" >> $ERR |
column -t $OUTPUT |
column -t $OUTPUT >> $ERR |
printf "\n" |
printf "\n" >> $ERR |
fi |
fi |
|
|
cp $CUR $BACK |
cp $CUR $BACK |
cp $TMP1 $CUR |
cp $TMP1 $CUR |
fi |
fi |
else |
else |
printf "Device additions:\n" |
printf "Device additions:\n" >> $ERR |
column -t $TMP1 |
column -t $TMP1 >> $ERR |
printf "\n" |
printf "\n" >> $ERR |
cp $TMP1 $CUR |
cp $TMP1 $CUR >> $ERR |
fi |
fi |
fi |
fi |
|
if [ -s $ERR ] ; then |
|
printf "\nChecking setuid files and devices:\n" |
|
cat $ERR |
|
printf "\n" |
|
fi |
fi |
fi |
|
|
# Check special files. |
# Check special files. |
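Review bot: In the rewritten /etc/ftpusers check, the names tested now come from the password file (`uucp` plus every uid-0 entry in `$MPBYUID`), yet each one is still spliced into the egrep pattern `"^$i$"` and into the printf format string. A name containing a regex metacharacter such as `.` can match a different ftpusers line and hide a missing entry, and a `%` in a name would garble the report line. A fixed-string whole-line match and a literal format avoid both: `if ! grep -Fx -- "$i" /etc/ftpusers > /dev/null ; then` and `printf "\t%s is not present\n" "$i" >> $OUTPUT`. Separately, in the final device branch `cp $TMP1 $CUR >> $ERR` redirects only stdout, so a cp failure would still bypass the collected `$ERR` report; that redirect looks unintended.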