xref: /csrg-svn/etc/security (revision 52578) 
142328Sbostic#!/bin/sh -
242328Sbostic#
3*52578Sbostic#	@(#)security	5.10 (Berkeley) 02/19/92
442328Sbostic#
5*52578SbosticPATH=/sbin:/usr/sbin:/bin:/usr/bin
642328Sbostic
752151Sbostichost=`hostname`
842328Sbosticecho "Subject: $host security check output"
942328Sbostic
1052215Sbosticumask 22
1152215Sbostic
12*52578SbosticDONE=/tmp/_secure1.$$
13*52578SbosticLIST=/tmp/_secure2.$$
14*52578SbosticTMP=/tmp/_secure3.$$
15*52578Sbostic
16*52578Sbostictrap 'rm -f $DONE $LIST $TMP' 0
17*52578Sbostic
1852573Sbosticecho ""
1952573Sbosticecho "Checking for uids of 0:"
2052573Sbosticawk -F: "\$3==\"0\" {print \"user: \" \$1 \", uid: \" \$3 }" /etc/master.passwd
2142328Sbostic
2252151Sbosticecho ""
2352573Sbosticecho "Checking for uids without passwords:"
2452573Sbosticawk -F: "\$2==\"\" {print \"user: \" \$1 \", uid: \" \$3 }" /etc/master.passwd
2552573Sbostic
2652573Sbosticecho ""
2752143Sbosticecho "Checking setuid files and devices:"
2852573Sbostic(find /sbin \( ! -fstype local \) -a -prune -o \
2952573Sbostic    \( -perm -u+s -o -perm -g+s -o ! -type d -a ! -type f -a ! -type l \) | \
3052573Sbostic    sort | sed -e 's/^/ls -lgT /' | sh >$LIST) 2>$TMP
3142328Sbostic
3252573Sbosticif [ -s $TMP ] ; then
3352215Sbostic	echo "$host setuid/device find errors:"
3452573Sbostic	cat $TMP
3552573Sbostic	echo ""
3642328Sbosticfi
3742328Sbostic
3852573Sbosticif [ -s $LIST ] ; then
3952573Sbostic	SETCUR=/var/log/setuid.current
4052573Sbostic	SETBACK=/var/log/setuid.backup
4152215Sbostic
4252573Sbostic	if [ -s $SETCUR ] ; then
4352573Sbostic		if cmp -s $SETCUR $LIST ; then
4452573Sbostic			:
4552573Sbostic		else
4652573Sbostic			:> $DONE
4752573Sbostic			join -110 -210 -v2 $SETCUR $LIST >$TMP
4852573Sbostic			if [ -s $TMP ] ; then
4952573Sbostic				echo "$host setuid/device additions:"
5052573Sbostic				tee -a $DONE < $TMP
5152573Sbostic				echo ""
5252573Sbostic			fi
5352573Sbostic
5452573Sbostic			join -110 -210 -v1 $SETCUR $LIST >$TMP
5552573Sbostic			if [ -s $TMP ] ; then
5652573Sbostic				echo "$host setuid/device deletions:"
5752573Sbostic				tee -a $DONE < $TMP
5852573Sbostic				echo ""
5952573Sbostic			fi
6052573Sbostic
6152573Sbostic			sort +9 $DONE $SETCUR $LIST | uniq -u >$TMP
6252573Sbostic			if [ -s $TMP ] ; then
6352573Sbostic				echo "$host setuid/device changes:"
6452573Sbostic				cat $TMP
6552573Sbostic				echo ""
6652573Sbostic			fi
6752573Sbostic
6852573Sbostic			mv $SETCUR $SETBACK
6952573Sbostic			mv $LIST $SETCUR
7052573Sbostic		fi
7152573Sbostic	else
7252573Sbostic		echo "$host setuid/device additions:"
7352573Sbostic		cat $LIST
7452573Sbostic		echo ""
7552573Sbostic		mv $LIST $SETCUR
7652573Sbostic	fi
7752215Sbosticfi
7852215Sbostic
79*52578Sbostic# Check the system binaries.
80*52578Sbostic# Create the mtree tree specifications using:
81*52578Sbostic#
82*52578Sbostic#	mtree -cx -pDIR -kcksum,gid,mode,nlink,size,link,time,uid > DIR.secure
83*52578Sbostic#	chown bin.bin DIR.SECURE
84*52578Sbostic#	chmod 444 DIR.SECURE
85*52578Sbostic#
86*52578Sbostic# Note, this is not complete protection against Trojan horsed binaries, as
87*52578Sbostic# the hacker can modify the tree specification to match the replaced binary.
88*52578Sbostic# For details on really protecting yourself against modified binaries, see
89*52578Sbostic# the mtree(8) manual page.
90*52578Sbostic
91*52578Sbosticif cd /etc/mtree; then
92*52578Sbostic	echo ""
93*52578Sbostic	echo "Checking system binaries:"
94*52578Sbostic	for file in *.secure; do
95*52578Sbostic		tree=`sed -n -e '3s/.* //p' -e 3q $file`
96*52578Sbostic		echo ""
97*52578Sbostic		echo "Checking $tree:"
98*52578Sbostic		mtree -f $file -p $tree
99*52578Sbostic	done
100*52578Sbosticfi
101