From a9efb63860e5b338431f3d9060894a74aa2d1189 Mon Sep 17 00:00:00 2001 From: mrg Date: Sun, 5 Jan 1997 11:46:12 +0000 Subject: [PATCH] add configuration file for security, as security.conf. the file allows each action taken by security to be turned on or off. --- etc/security | 824 ++++++++++++++++++++++++---------------------- etc/security.conf | 16 + 2 files changed, 448 insertions(+), 392 deletions(-) create mode 100644 etc/security.conf diff --git a/etc/security b/etc/security index 9aa76cebcec3..4895f56cc391 100644 --- a/etc/security +++ b/etc/security @@ -1,6 +1,6 @@ #!/bin/sh - # -# $NetBSD: security,v 1.14 1996/05/22 00:51:08 mrg Exp $ +# $NetBSD: security,v 1.15 1997/01/05 11:46:12 mrg Exp $ # from: @(#)security 8.1 (Berkeley) 6/9/93 # @@ -8,57 +8,77 @@ PATH=/sbin:/usr/sbin:/bin:/usr/bin umask 077 -ERR=/tmp/_secure1.$$ -TMP1=/tmp/_secure2.$$ -TMP2=/tmp/_secure3.$$ -TMP3=/tmp/_secure4.$$ -LIST=/tmp/_secure5.$$ -OUTPUT=/tmp/_secure6.$$ +if [ -s /etc/security.conf ]; then + . /etc/security.conf +fi -trap 'rm -f $ERR $TMP1 $TMP2 $TMP3 $LIST $OUTPUT' 0 +SECUREDIR=/tmp/_securedir.$$ +if ! mkdir $SECUREDIR; then + echo can not create $SECUREDIR. + exit 1 +fi + +if ! cd $SECUREDIR; then + echo can not chdir to $SECUREDIR. + exit 1 +fi + +ERR=secure1.$$ +TMP1=secure2.$$ +TMP2=secure3.$$ +TMP3=secure4.$$ +LIST=secure5.$$ +OUTPUT=secure6.$$ + +trap 'rm -rf $SECUREDIR' 0 + +MP=/etc/master.passwd + +# this is used several times. +awk -F: '{ print $1 " " $3 }' $MP | sort -n +1 > $TMP1 # Check the master password file syntax. -MP=/etc/master.passwd -awk -F: '{ - if ($0 ~ /^[ ]*$/) { - printf("Line %d is a blank line.\n", NR); - next; - } - if (NF != 10) - printf("Line %d has the wrong number of fields.\n", NR); - if ($1 !~ /^[A-Za-z0-9]*$/) - printf("Login %s has non-alphanumeric characters.\n", $1); - if (length($1) > 8) - printf("Login %s has more than 8 characters.\n", $1); - if ($2 == "") - printf("Login %s has no password.\n", $1); - if (length($2) != 13 && $2 != "" && ($10 ~ /.*sh$/ || $10 == "")) - printf("Login %s is off but still has a valid shell.\n", $1); - if ($3 == 0 && $1 != "root" && $1 != "toor") - printf("Login %s has a user id of 0.\n", $1); - if ($3 < 0) - printf("Login %s has a negative user id.\n", $1); - if ($4 < 0) - printf("Login %s has a negative group id.\n", $1); -}' < $MP > $OUTPUT -if [ -s $OUTPUT ] ; then - printf "\nChecking the $MP file:\n" - cat $OUTPUT -fi +if [ X"$check_passwd" = XYES ]; then + awk -F: '{ + if ($0 ~ /^[ ]*$/) { + printf("Line %d is a blank line.\n", NR); + next; + } + if (NF != 10) + printf("Line %d has the wrong number of fields.\n", NR); + if ($1 !~ /^[A-Za-z0-9]*$/) + printf("Login %s has non-alphanumeric characters.\n", $1); + if (length($1) > 8) + printf("Login %s has more than 8 characters.\n", $1); + if ($2 == "") + printf("Login %s has no password.\n", $1); + if (length($2) != 13 && $2 != "" && ($10 ~ /.*sh$/ || $10 == "")) + printf("Login %s is off but still has a valid shell.\n", $1); + if ($3 == 0 && $1 != "root" && $1 != "toor") + printf("Login %s has a user id of 0.\n", $1); + if ($3 < 0) + printf("Login %s has a negative user id.\n", $1); + if ($4 < 0) + printf("Login %s has a negative group id.\n", $1); + }' < $MP > $OUTPUT + if [ -s $OUTPUT ] ; then + printf "\nChecking the $MP file:\n" + cat $OUTPUT + fi -awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT -if [ -s $OUTPUT ] ; then - printf "\n$MP has duplicate user names.\n" - column $OUTPUT -fi + awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT + if [ -s $OUTPUT ] ; then + printf "\n$MP has duplicate user names.\n" + column $OUTPUT + fi -awk -F: '{ print $1 " " $3 }' $MP | sort -n +1 | tee $TMP1 | -uniq -d -f 1 | awk '{ print $2 }' > $TMP2 -if [ -s $TMP2 ] ; then - printf "\n$MP has duplicate user id's.\n" - while read uid; do - grep -w $uid $TMP1 - done < $TMP2 | column + < $TMP1 uniq -d -f 1 | awk '{ print $2 }' > $TMP2 + if [ -s $TMP2 ] ; then + printf "\n$MP has duplicate user id's.\n" + while read uid; do + grep -w $uid $TMP1 + done < $TMP2 | column + fi fi # Backup the master password file; a special case, the normal backup @@ -80,401 +100,419 @@ else fi # Check the group file syntax. -GRP=/etc/group -awk -F: '{ - if ($0 ~ /^[ ]*$/) { - printf("Line %d is a blank line.\n", NR); - next; - } - if (NF != 4) - printf("Line %d has the wrong number of fields.\n", NR); - if ($1 !~ /^[A-za-z0-9]*$/) - printf("Group %s has non-alphanumeric characters.\n", $1); - if (length($1) > 8) - printf("Group %s has more than 8 characters.\n", $1); - if ($3 !~ /[0-9]*/) - printf("Login %s has a negative group id.\n", $1); -}' < $GRP > $OUTPUT -if [ -s $OUTPUT ] ; then - printf "\nChecking the $GRP file:\n" - cat $OUTPUT -fi +if [ X"$check_group" = XYES ]; then + GRP=/etc/group + awk -F: '{ + if ($0 ~ /^[ ]*$/) { + printf("Line %d is a blank line.\n", NR); + next; + } + if (NF != 4) + printf("Line %d has the wrong number of fields.\n", NR); + if ($1 !~ /^[A-za-z0-9]*$/) + printf("Group %s has non-alphanumeric characters.\n", $1); + if (length($1) > 8) + printf("Group %s has more than 8 characters.\n", $1); + if ($3 !~ /[0-9]*/) + printf("Login %s has a negative group id.\n", $1); + }' < $GRP > $OUTPUT + if [ -s $OUTPUT ] ; then + printf "\nChecking the $GRP file:\n" + cat $OUTPUT + fi -awk -F: '{ print $1 }' $GRP | sort | uniq -d > $OUTPUT -if [ -s $OUTPUT ] ; then - printf "\n$GRP has duplicate group names.\n" - column $OUTPUT + awk -F: '{ print $1 }' $GRP | sort | uniq -d > $OUTPUT + if [ -s $OUTPUT ] ; then + printf "\n$GRP has duplicate group names.\n" + column $OUTPUT + fi fi # Check for root paths, umask values in startup files. # The check for the root paths is problematical -- it's likely to fail # in other environments. Once the shells have been modified to warn # of '.' in the path, the path tests should go away. -> $OUTPUT -rhome=/root -umaskset=no -list="/etc/csh.cshrc /etc/csh.login ${rhome}/.cshrc ${rhome}/.login" -for i in $list ; do - if [ -f $i ] ; then - if egrep umask $i > /dev/null ; then - umaskset=yes - fi - egrep umask $i | - awk '$2 % 100 < 20 \ - { print "Root umask is group writeable" } - $2 % 10 < 2 \ - { print "Root umask is other writeable" }' >> $OUTPUT - /bin/csh -f -s << end-of-csh > /dev/null 2>&1 - unset path - source $i - /bin/ls -ldgT \$path > $TMP1 +if [ X"$check_rootdotfiles" = XYES ]; then + cp /dev/null $OUTPUT + rhome=`csh -fc "echo ~root"` + umaskset=no + list="/etc/csh.cshrc /etc/csh.login ${rhome}/.cshrc ${rhome}/.login" + for i in $list ; do + if [ -f $i ] ; then + if egrep umask $i > /dev/null ; then + umaskset=yes + fi + egrep umask $i | + awk '$2 % 100 < 20 \ + { print "Root umask is group writeable" } + $2 % 10 < 2 \ + { print "Root umask is other writeable" }' >> $OUTPUT + /bin/csh -f -s << end-of-csh > /dev/null 2>&1 + unset path + source $i + /bin/ls -ldgT \$path > $TMP1 end-of-csh - awk '{ - if ($10 ~ /^\.$/) { - print "The root path includes ."; - next; - } - } - $1 ~ /^d....w/ \ - { print "Root path directory " $10 " is group writeable." } \ - $1 ~ /^d.......w/ \ - { print "Root path directory " $10 " is other writeable." }' \ - < $TMP1 >> $OUTPUT - fi -done -if [ $umaskset = "no" -o -s $OUTPUT ] ; then - printf "\nChecking root csh paths, umask values:\n$list\n" - if [ -s $OUTPUT ]; then - cat $OUTPUT - fi - if [ $umaskset = "no" ] ; then - printf "\nRoot csh startup files do not set the umask.\n" - fi -fi - -> $OUTPUT -rhome=/root -umaskset=no -list="${rhome}/.profile" -for i in $list; do - if [ -f $i ] ; then - if egrep umask $i > /dev/null ; then - umaskset=yes + awk '{ + if ($10 ~ /^\.$/) { + print "The root path includes ."; + next; + } + } + $1 ~ /^d....w/ \ + { print "Root path directory " $10 " is group writeable." } \ + $1 ~ /^d.......w/ \ + { print "Root path directory " $10 " is other writeable." }' \ + < $TMP1 >> $OUTPUT fi - egrep umask $i | - awk '$2 % 100 < 20 \ - { print "Root umask is group writeable" } \ - $2 % 10 < 2 \ - { print "Root umask is other writeable" }' >> $OUTPUT - /bin/sh << end-of-sh > /dev/null 2>&1 - PATH= - . $i - list=\`echo \$PATH | /usr/bin/sed -e 's/:/ /g'\` - /bin/ls -ldgT \$list > $TMP1 -end-of-sh - awk '{ - if ($10 ~ /^\.$/) { - print "The root path includes ."; - next; - } - } - $1 ~ /^d....w/ \ - { print "Root path directory " $10 " is group writeable." } \ - $1 ~ /^d.......w/ \ - { print "Root path directory " $10 " is other writeable." }' \ - < $TMP1 >> $OUTPUT + done + if [ $umaskset = "no" -o -s $OUTPUT ] ; then + printf "\nChecking root csh paths, umask values:\n$list\n" + if [ -s $OUTPUT ]; then + cat $OUTPUT + fi + if [ $umaskset = "no" ] ; then + printf "\nRoot csh startup files do not set the umask.\n" + fi + fi - fi -done -if [ $umaskset = "no" -o -s $OUTPUT ] ; then - printf "\nChecking root sh paths, umask values:\n$list\n" - if [ -s $OUTPUT ]; then - cat $OUTPUT - fi - if [ $umaskset = "no" ] ; then - printf "\nRoot sh startup files do not set the umask.\n" + cp /dev/null $OUTPUT + rhome=/root + umaskset=no + list="${rhome}/.profile" + for i in $list; do + if [ -f $i ] ; then + if egrep umask $i > /dev/null ; then + umaskset=yes + fi + egrep umask $i | + awk '$2 % 100 < 20 \ + { print "Root umask is group writeable" } \ + $2 % 10 < 2 \ + { print "Root umask is other writeable" }' >> $OUTPUT + /bin/sh << end-of-sh > /dev/null 2>&1 + PATH= + . $i + list=\`echo \$PATH | /usr/bin/sed -e 's/:/ /g'\` + /bin/ls -ldgT \$list > $TMP1 +end-of-sh + awk '{ + if ($10 ~ /^\.$/) { + print "The root path includes ."; + next; + } + } + $1 ~ /^d....w/ \ + { print "Root path directory " $10 " is group writeable." } \ + $1 ~ /^d.......w/ \ + { print "Root path directory " $10 " is other writeable." }' \ + < $TMP1 >> $OUTPUT + + fi + done + if [ $umaskset = "no" -o -s $OUTPUT ] ; then + printf "\nChecking root sh paths, umask values:\n$list\n" + if [ -s $OUTPUT ]; then + cat $OUTPUT + fi + if [ $umaskset = "no" ] ; then + printf "\nRoot sh startup files do not set the umask.\n" + fi fi fi # Root and uucp should both be in /etc/ftpusers. -if egrep root /etc/ftpusers > /dev/null ; then - : -else - printf "\nRoot not listed in /etc/ftpusers file.\n" -fi -if egrep uucp /etc/ftpusers > /dev/null ; then - : -else - printf "\nUucp not listed in /etc/ftpusers file.\n" +if [ X"$check_ftpusers" = XYES ]; then + if egrep root /etc/ftpusers > /dev/null ; then + : + else + printf "\nRoot not listed in /etc/ftpusers file.\n" + fi + if egrep uucp /etc/ftpusers > /dev/null ; then + : + else + printf "\nUucp not listed in /etc/ftpusers file.\n" + fi fi # Uudecode should not be in the /etc/aliases file. -if egrep 'uudecode|decode' /etc/aliases; then - printf "\nThere is an entry for uudecode in the /etc/aliases file.\n" +if [ X"$check_aliases" = XYES ]; then + if egrep 'uudecode|decode' /etc/aliases; then + printf "\nThere is an entry for uudecode in the /etc/aliases file.\n" + fi fi # Files that should not have + signs. -list="/etc/hosts.equiv /etc/hosts.lpd" -for f in $list ; do - if [ -f $f ] && egrep '\+' $f > /dev/null ; then - printf "\nPlus sign in $f file.\n" - fi -done +if [ X"$check_rhosts" = XYES ]; then + list="/etc/hosts.equiv /etc/hosts.lpd" + for f in $list ; do + if [ -f $f ] && egrep '\+' $f > /dev/null ; then + printf "\nPlus sign in $f file.\n" + fi + done -# Check for special users with .rhosts files. Only root and toor should -# have a .rhosts files. Also, .rhosts files should not plus signs. -awk -F: '$1 != "root" && $1 != "toor" && \ - ($3 < 100 || $1 == "ftp" || $1 == "uucp") \ - { print $1 " " $6 }' /etc/passwd | -while read uid homedir; do - if [ -f ${homedir}/.rhosts ] ; then - rhost=`ls -ldgT ${homedir}/.rhosts` - printf "$uid: $rhost\n" + # Check for special users with .rhosts files. Only root and toor should + # have a .rhosts files. Also, .rhosts files should not have plus signs. + awk -F: '$1 != "root" && $1 != "toor" && \ + ($3 < 100 || $1 == "ftp" || $1 == "uucp") \ + { print $1 " " $9 }' /etc/master.passwd | + while read uid homedir; do + if [ -f ${homedir}/.rhosts ] ; then + rhost=`ls -ldgT ${homedir}/.rhosts` + printf "$uid: $rhost\n" + fi + done > $OUTPUT + if [ -s $OUTPUT ] ; then + printf "\nChecking for special users with .rhosts files.\n" + cat $OUTPUT fi -done > $OUTPUT -if [ -s $OUTPUT ] ; then - printf "\nChecking for special users with .rhosts files.\n" - cat $OUTPUT -fi -awk -F: '{ print $1 " " $6 }' /etc/passwd | \ -while read uid homedir; do - if [ -f ${homedir}/.rhosts ] && \ - egrep '\+' ${homedir}/.rhosts > /dev/null ; then - printf "$uid: + in .rhosts file.\n" + awk -F: '{ print $1 " " $9 }' /etc/master.passwd | \ + while read uid homedir; do + if [ -f ${homedir}/.rhosts ] && \ + egrep '\+' ${homedir}/.rhosts > /dev/null ; then + printf "$uid: + in .rhosts file.\n" + fi + done > $OUTPUT + if [ -s $OUTPUT ] ; then + printf "\nChecking .rhosts files syntax.\n" + cat $OUTPUT fi -done > $OUTPUT -if [ -s $OUTPUT ] ; then - printf "\nChecking .rhosts files syntax.\n" - cat $OUTPUT fi # Check home directories. Directories should not be owned by someone else # or writeable. -awk -F: '{ print $1 " " $6 }' /etc/passwd | \ -while read uid homedir; do - if [ -d ${homedir}/ ] ; then - file=`ls -ldgT ${homedir}` - printf "$uid $file\n" +if [ X"$check_homes" = XYES ]; then + awk -F: '{ print $1 " " $9 }' /etc/master.passwd | \ + while read uid homedir; do + if [ -d ${homedir}/ ] ; then + file=`ls -ldgT ${homedir}` + printf "$uid $file\n" + fi + done | + awk '$1 != $4 && $4 != "root" \ + { print "user " $1 " home directory is owned by " $4 } + $2 ~ /^-....w/ \ + { print "user " $1 " home directory is group writeable" } + $2 ~ /^-.......w/ \ + { print "user " $1 " home directory is other writeable" }' > $OUTPUT + if [ -s $OUTPUT ] ; then + printf "\nChecking home directories.\n" + cat $OUTPUT fi -done | -awk '$1 != $4 && $4 != "root" \ - { print "user " $1 " home directory is owned by " $4 } - $2 ~ /^-....w/ \ - { print "user " $1 " home directory is group writeable" } - $2 ~ /^-.......w/ \ - { print "user " $1 " home directory is other writeable" }' > $OUTPUT -if [ -s $OUTPUT ] ; then - printf "\nChecking home directories.\n" - cat $OUTPUT -fi -# Files that should not be owned by someone else or readable. -list=".netrc .rhosts" -awk -F: '{ print $1 " " $6 }' /etc/passwd | \ -while read uid homedir; do - for f in $list ; do - file=${homedir}/${f} - if [ -f $file ] ; then - printf "$uid $f `ls -ldgT $file`\n" - fi - done -done | -awk '$1 != $5 && $5 != "root" \ - { print "user " $1 " " $2 " file is owned by " $5 } - $3 ~ /^-...r/ \ - { print "user " $1 " " $2 " file is group readable" } - $3 ~ /^-......r/ \ - { print "user " $1 " " $2 " file is other readable" } - $3 ~ /^-....w/ \ - { print "user " $1 " " $2 " file is group writeable" } - $3 ~ /^-.......w/ \ - { print "user " $1 " " $2 " file is other writeable" }' > $OUTPUT + # Files that should not be owned by someone else or readable. + list=".netrc .rhosts" + awk -F: '{ print $1 " " $9 }' /etc/master.passwd | \ + while read uid homedir; do + for f in $list ; do + file=${homedir}/${f} + if [ -f $file ] ; then + printf "$uid $f `ls -ldgT $file`\n" + fi + done + done | + awk '$1 != $5 && $5 != "root" \ + { print "user " $1 " " $2 " file is owned by " $5 } + $3 ~ /^-...r/ \ + { print "user " $1 " " $2 " file is group readable" } + $3 ~ /^-......r/ \ + { print "user " $1 " " $2 " file is other readable" } + $3 ~ /^-....w/ \ + { print "user " $1 " " $2 " file is group writeable" } + $3 ~ /^-.......w/ \ + { print "user " $1 " " $2 " file is other writeable" }' > $OUTPUT -# Files that should not be owned by someone else or writeable. -list=".bashrc .cshrc .emacs .exrc .forward .klogin .login .logout \ - .profile .tcshrc" -awk -F: '{ print $1 " " $6 }' /etc/passwd | \ -while read uid homedir; do - for f in $list ; do - file=${homedir}/${f} - if [ -f $file ] ; then - printf "$uid $f `ls -ldgT $file`\n" - fi - done -done | -awk '$1 != $5 && $5 != "root" \ - { print "user " $1 " " $2 " file is owned by " $5 } - $3 ~ /^-....w/ \ - { print "user " $1 " " $2 " file is group writeable" } - $3 ~ /^-.......w/ \ - { print "user " $1 " " $2 " file is other writeable" }' >> $OUTPUT -if [ -s $OUTPUT ] ; then - printf "\nChecking dot files.\n" - cat $OUTPUT + # Files that should not be owned by someone else or writeable. + list=".bashrc .cshrc .emacs .exrc .forward .klogin .login .logout \ + .profile .tcshrc .qmail" + awk -F: '{ print $1 " " $9 }' /etc/master.passwd | \ + while read uid homedir; do + for f in $list ; do + file=${homedir}/${f} + if [ -f $file ] ; then + printf "$uid $f `ls -ldgT $file`\n" + fi + done + done | + awk '$1 != $5 && $5 != "root" \ + { print "user " $1 " " $2 " file is owned by " $5 } + $3 ~ /^-....w/ \ + { print "user " $1 " " $2 " file is group writeable" } + $3 ~ /^-.......w/ \ + { print "user " $1 " " $2 " file is other writeable" }' >> $OUTPUT + if [ -s $OUTPUT ] ; then + printf "\nChecking dot files.\n" + cat $OUTPUT + fi fi # Mailboxes should be owned by user and unreadable. -ls -l /var/mail | sed 1d | \ -awk '$3 != $9 \ - { print "user " $9 " mailbox is owned by " $3 } - $1 != "-rw-------" \ - { print "user " $9 " mailbox is " $1 ", group " $4 }' > $OUTPUT -if [ -s $OUTPUT ] ; then - printf "\nChecking mailbox ownership.\n" - cat $OUTPUT +if [ X"$check_varmail" = XYES ]; then + ls -l /var/mail | sed 1d | \ + awk '$3 != $9 \ + { print "user " $9 " mailbox is owned by " $3 } + $1 != "-rw-------" \ + { print "user " $9 " mailbox is " $1 ", group " $4 }' > $OUTPUT + if [ -s $OUTPUT ] ; then + printf "\nChecking mailbox ownership.\n" + cat $OUTPUT + fi fi -if [ -f /etc/exports ]; then - # File systems should not be globally exported. - awk '{ - readonly = 0; - for (i = 2; i <= NF; ++i) { - if ($i ~ /-ro/) - readonly = 1; - else if ($i !~ /^-/) - next; - } - if (readonly) - print "File system " $1 " globally exported, read-only." - else - print "File system " $1 " globally exported, read-write." - }' < /etc/exports > $OUTPUT - if [ -s $OUTPUT ] ; then - printf "\nChecking for globally exported file systems.\n" - cat $OUTPUT - fi +if [ X"$check_nfs" = XYES ]; then + if [ -f /etc/exports ]; then + # File systems should not be globally exported. + awk '{ + readonly = 0; + for (i = 2; i <= NF; ++i) { + if ($i ~ /-ro/) + readonly = 1; + else if ($i !~ /^-/) + next; + } + if (readonly) + print "File system " $1 " globally exported, read-only." + else + print "File system " $1 " globally exported, read-write." + }' < /etc/exports > $OUTPUT + if [ -s $OUTPUT ] ; then + printf "\nChecking for globally exported file systems.\n" + cat $OUTPUT + fi + fi fi # Display any changes in setuid files and devices. -printf "\nChecking setuid files and devices:\n" -(find / \( ! -fstype local -o -fstype fdesc -o -fstype kernfs \ - -o -fstype procfs \) -a -prune -o \ - \( -perm -u+s -o \( -perm -g+s -a ! -type d \) -o \ - ! -type d -a ! -type f -a ! -type l -a \ - ! -type s \) -print | \ -sort | sed -e 's/^/ls -ldgT /' | sh > $LIST) 2> $OUTPUT +if [ X"$check_devices" = XYES ]; then + printf "\nChecking setuid files and devices:\n" + (find / \( ! -fstype local -o -fstype fdesc -o -fstype kernfs \ + -o -fstype procfs \) -a -prune -o \ + \( -perm -u+s -o \( -perm -g+s -a ! -type d \) -o \ + ! -type d -a ! -type f -a ! -type l -a \ + ! -type s \) -print | \ + sort | sed -e 's/^/ls -ldgT /' | sh > $LIST) 2> $OUTPUT -# Display any errors that occurred during system file walk. -if [ -s $OUTPUT ] ; then - printf "Setuid/device find errors:\n" - cat $OUTPUT - printf "\n" -fi - -# Display any changes in the setuid file list. -egrep -v '^[bc]' $LIST > $TMP1 -if [ -s $TMP1 ] ; then - # Check to make sure uudecode isn't setuid. - if grep -w uudecode $TMP1 > /dev/null ; then - printf "\nUudecode is setuid.\n" + # Display any errors that occurred during system file walk. + if [ -s $OUTPUT ] ; then + printf "Setuid/device find errors:\n" + cat $OUTPUT + printf "\n" fi - CUR=/var/backups/setuid.current - BACK=/var/backups/setuid.backup + # Display any changes in the setuid file list. + egrep -v '^[bc]' $LIST > $TMP1 + if [ -s $TMP1 ] ; then + # Check to make sure uudecode isn't setuid. + if grep -w uudecode $TMP1 > /dev/null ; then + printf "\nUudecode is setuid.\n" + fi - if [ -s $CUR ] ; then - if cmp -s $CUR $TMP1 ; then - : + CUR=/var/backups/setuid.current + BACK=/var/backups/setuid.backup + + if [ -s $CUR ] ; then + if cmp -s $CUR $TMP1 ; then + : + else + > $TMP2 + join -110 -210 -v2 $CUR $TMP1 > $OUTPUT + if [ -s $OUTPUT ] ; then + printf "Setuid additions:\n" + tee -a $TMP2 < $OUTPUT + printf "\n" + fi + + join -110 -210 -v1 $CUR $TMP1 > $OUTPUT + if [ -s $OUTPUT ] ; then + printf "Setuid deletions:\n" + tee -a $TMP2 < $OUTPUT + printf "\n" + fi + + sort +9 $TMP2 $CUR $TMP1 | \ + sed -e 's/[ ][ ]*/ /g' | uniq -u > $OUTPUT + if [ -s $OUTPUT ] ; then + printf "Setuid changes:\n" + column -t $OUTPUT + printf "\n" + fi + + cp $CUR $BACK + cp $TMP1 $CUR + fi else - > $TMP2 - join -110 -210 -v2 $CUR $TMP1 > $OUTPUT - if [ -s $OUTPUT ] ; then - printf "Setuid additions:\n" - tee -a $TMP2 < $OUTPUT - printf "\n" - fi - - join -110 -210 -v1 $CUR $TMP1 > $OUTPUT - if [ -s $OUTPUT ] ; then - printf "Setuid deletions:\n" - tee -a $TMP2 < $OUTPUT - printf "\n" - fi - - sort +9 $TMP2 $CUR $TMP1 | \ - sed -e 's/[ ][ ]*/ /g' | uniq -u > $OUTPUT - if [ -s $OUTPUT ] ; then - printf "Setuid changes:\n" - column -t $OUTPUT - printf "\n" - fi - - cp $CUR $BACK + printf "Setuid additions:\n" + column -t $TMP1 + printf "\n" cp $TMP1 $CUR fi - else - printf "Setuid additions:\n" - column -t $TMP1 - printf "\n" - cp $TMP1 $CUR fi -fi -# Check for block and character disk devices that are readable or writeable -# or not owned by root.operator. ->$TMP1 -DISKLIST="dk fd hd hk hp jb kra ra rb rd rl rx rz sd up wd" -for i in $DISKLIST; do - egrep "^b.*/${i}[0-9][0-9]*[a-h]$" $LIST >> $TMP1 - egrep "^c.*/r${i}[0-9][0-9]*[a-h]$" $LIST >> $TMP1 -done + # Check for block and character disk devices that are readable or writeable + # or not owned by root.operator. + >$TMP1 + DISKLIST="dk fd hd hk hp jb kra ra rb rd rl rx rz sd up wd xd xy" + for i in $DISKLIST; do + egrep "^b.*/${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1 + egrep "^c.*/r${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1 + done -awk '$3 != "root" || $4 != "operator" || $1 !~ /.rw-r-----/ \ - { printf("Disk %s is user %s, group %s, permissions %s.\n", \ - $11, $3, $4, $1); }' < $TMP1 > $OUTPUT -if [ -s $OUTPUT ] ; then - printf "\nChecking disk ownership and permissions.\n" - cat $OUTPUT - printf "\n" -fi + awk '$3 != "root" || $4 != "operator" || $1 !~ /.rw-r-----/ \ + { printf("Disk %s is user %s, group %s, permissions %s.\n", \ + $11, $3, $4, $1); }' < $TMP1 > $OUTPUT + if [ -s $OUTPUT ] ; then + printf "\nChecking disk ownership and permissions.\n" + cat $OUTPUT + printf "\n" + fi -# Display any changes in the device file list. -egrep '^[bc]' $LIST | sort +10 > $TMP1 -if [ -s $TMP1 ] ; then - CUR=/var/backups/device.current - BACK=/var/backups/device.backup + # Display any changes in the device file list. + egrep '^[bc]' $LIST | sort +10 > $TMP1 + if [ -s $TMP1 ] ; then + CUR=/var/backups/device.current + BACK=/var/backups/device.backup - if [ -s $CUR ] ; then - if cmp -s $CUR $TMP1 ; then - : + if [ -s $CUR ] ; then + if cmp -s $CUR $TMP1 ; then + : + else + > $TMP2 + join -111 -211 -v2 $CUR $TMP1 > $OUTPUT + if [ -s $OUTPUT ] ; then + printf "Device additions:\n" + tee -a $TMP2 < $OUTPUT + printf "\n" + fi + + join -111 -211 -v1 $CUR $TMP1 > $OUTPUT + if [ -s $OUTPUT ] ; then + printf "Device deletions:\n" + tee -a $TMP2 < $OUTPUT + printf "\n" + fi + + # Report any block device change. Ignore character + # devices, only the name is significant. + cat $TMP2 $CUR $TMP1 | \ + sed -e '/^c/d' | \ + sort +10 | \ + sed -e 's/[ ][ ]*/ /g' | \ + uniq -u > $OUTPUT + if [ -s $OUTPUT ] ; then + printf "Block device changes:\n" + column -t $OUTPUT + printf "\n" + fi + + cp $CUR $BACK + cp $TMP1 $CUR + fi else - > $TMP2 - join -111 -211 -v2 $CUR $TMP1 > $OUTPUT - if [ -s $OUTPUT ] ; then - printf "Device additions:\n" - tee -a $TMP2 < $OUTPUT - printf "\n" - fi - - join -111 -211 -v1 $CUR $TMP1 > $OUTPUT - if [ -s $OUTPUT ] ; then - printf "Device deletions:\n" - tee -a $TMP2 < $OUTPUT - printf "\n" - fi - - # Report any block device change. Ignore character - # devices, only the name is significant. - cat $TMP2 $CUR $TMP1 | \ - sed -e '/^c/d' | \ - sort +10 | \ - sed -e 's/[ ][ ]*/ /g' | \ - uniq -u > $OUTPUT - if [ -s $OUTPUT ] ; then - printf "Block device changes:\n" - column -t $OUTPUT - printf "\n" - fi - - cp $CUR $BACK + printf "Device additions:\n" + column -t $TMP1 + printf "\n" cp $TMP1 $CUR fi - else - printf "Device additions:\n" - column -t $TMP1 - printf "\n" - cp $TMP1 $CUR fi fi @@ -491,9 +529,10 @@ fi # the hacker can modify the tree specification to match the replaced binary. # For details on really protecting yourself against modified binaries, see # the mtree(8) manual page. -if cd /etc/mtree; then +if [ X"$check_mtree" = XYES ] && cd /etc/mtree; then +( mtree -e -p / -f /etc/mtree/special > $OUTPUT - if [ -s $OUTPUT ] ; then + if [ -s $OUTPUT ]; then printf "\nChecking special files and directories.\n" cat $OUTPUT fi @@ -508,16 +547,17 @@ if cd /etc/mtree; then cat $TMP1 >> $OUTPUT fi done - if [ -s $OUTPUT ] ; then + if [ -s $OUTPUT ]; then printf "\nChecking system binaries:\n" cat $OUTPUT fi +) fi # List of files that get backed up and checked for any modifications. Each # file is expected to have two backups, /var/backups/file.{current,backup}. # Any changes cause the files to rotate. -if [ -s /etc/changelist ] ; then +if [ X"$check_changelist" = XYES -a -s /etc/changelist ] ; then for file in `cat /etc/changelist`; do CUR=/var/backups/`basename $file`.current BACK=/var/backups/`basename $file`.backup diff --git a/etc/security.conf b/etc/security.conf new file mode 100644 index 000000000000..00f826c535d7 --- /dev/null +++ b/etc/security.conf @@ -0,0 +1,16 @@ +# $NetBSD: security.conf,v 1.1 1997/01/05 11:46:13 mrg Exp $ +# +# see security.conf(5) for more information. + +check_passwd=YES +check_group=YES +check_rootdotfiles=YES +check_ftpusers=YES +check_aliases=YES +check_rhosts=YES +check_homes=YES +check_varmail=YES +check_nfs=YES +check_devices=YES +check_mtree=YES +check_changelist=YES