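#!/bin/sh -
#
#	@(#)security	5.13 (Berkeley) 03/31/92
#
# Daily security report.  Lists uid-0 and passwordless accounts from
# /etc/master.passwd, then compares the setuid/setgid file and device node
# inventories against the copies saved under /var/log by the previous run.
# Intended to be run as root (it reads /etc/master.passwd and writes the
# saved lists under /var/log).
PATH=/sbin:/usr/sbin:/bin:/usr/bin

umask 22

# Scratch files.  They are created with mktemp(1) instead of the predictable
# /tmp/_secureN.$$ names: a name built from the pid can be guessed by any
# local user, who could pre-create it (or a symlink under that name) and have
# this root-run script overwrite an arbitrary file or read a planted list.
# The trap is installed before the first mktemp so that a failure part way
# through still removes whatever was created; an unset name expands to an
# empty string, which rm -f ignores.
trap 'rm -f "$ERR" "$LIST" "$TMP1" "$TMP2"' 0
ERR=$(mktemp /tmp/_secure1.XXXXXXXX) || exit 1
TMP1=$(mktemp /tmp/_secure2.XXXXXXXX) || exit 1
TMP2=$(mktemp /tmp/_secure3.XXXXXXXX) || exit 1
LIST=$(mktemp /tmp/_secure4.XXXXXXXX) || exit 1
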
# Account checks, read straight from the master password file.
# Field 3 is the uid; every account whose uid is exactly "0" is reported.
echo ""
echo "Checking for uids of 0:"
awk -F: '$3 == "0" { print "user: " $1 ", uid: " $3 }' /etc/master.passwd

# Field 2 is the password field.  Only an empty field is reported here;
# locked or hashed entries are not examined at all.
echo ""
echo "Checking for uids without passwords:"
awk -F: '$2 == "" { print "user: " $1 ", uid: " $3 }' /etc/master.passwd

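# Build the inventory: every setuid or setgid file, plus every entry on a
# local file system that is neither a directory, a regular file nor a
# symbolic link (device nodes and the like), one ls -lgT line each, written
# to $TMP1.  Diagnostics from the walk go to $ERR.
#
# Path names are handed to ls(1) as NUL-terminated arguments.  The previous
# form spliced each name into an "ls -lgT NAME" line and piped that into
# sh(1); a path name is chosen by whoever created the file, and one that
# contains shell metacharacters would have been run as root.  sort -z keeps
# the list ordered by path name, which the later join(1) steps depend on,
# and -n 1 runs one ls per path as before so ls never reorders a batch.
# -d makes a setgid directory show up as a single line instead of a listing
# of its contents.  -r keeps xargs from running ls with no arguments on an
# empty list.  Because -print0 is attached to the second alternative only,
# pruned non-local mount points are no longer listed (the implicit -print
# of the old form applied to the -prune branch as well).
echo ""
echo "Checking setuid files and devices:"
(find / ! -fstype local -a -prune -o \
    \( -perm -u+s -o -perm -g+s -o ! -type d -a ! -type f -a ! -type l \) \
    -print0 | sort -z | xargs -0 -r -n 1 ls -lgdT >"$TMP1") 2>"$ERR"
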
# Show whatever find(1) or ls(1) complained about during the walk (for
# example unreadable directories or files that vanished) before the lists
# are compared, so a partial inventory is not mistaken for a clean one.
if test -s "$ERR"; then
	echo "Setuid/device find errors:"
	cat "$ERR"
	echo ""
fi

# Report additions, deletions and attribute changes in the setuid/setgid
# file list (every $TMP1 line that is not a block or character device)
# against the list saved by the previous run, then rotate the saved lists.
# Nothing is reported or saved when the new list is empty.
grep -v '^[bc]' "$TMP1" >"$LIST"
if [ -s "$LIST" ] ; then
	CUR=/var/log/setuid.current
	BACK=/var/log/setuid.backup

	if [ -s "$CUR" ] ; then
		if ! cmp -s "$CUR" "$LIST" ; then
			# $TMP1 is reused to collect the added and deleted
			# lines so the "changes" pass below can cancel them out.
			: >"$TMP1"

			# Field 10 of an ls -lgT line is the path name; both
			# lists are ordered by path, as join(1) requires.
			# Lines only in the new list are additions.
			join -1 10 -2 10 -v 2 "$CUR" "$LIST" >"$TMP2"
			if [ -s "$TMP2" ] ; then
				echo "Setuid additions:"
				tee -a "$TMP1" <"$TMP2"
				echo ""
			fi

			# Lines only in the saved list are deletions.
			join -1 10 -2 10 -v 1 "$CUR" "$LIST" >"$TMP2"
			if [ -s "$TMP2" ] ; then
				echo "Setuid deletions:"
				tee -a "$TMP1" <"$TMP2"
				echo ""
			fi

			# Sort the saved list, the new list and the add/delete
			# lines together by path name and squeeze runs of
			# blanks; every line that then appears exactly once is
			# an entry whose attributes (mode, owner, size, ...)
			# changed.  NOTE(review): this relies on join(1)
			# printing unpairable lines in their original field
			# order -- confirm for the local join before trusting
			# the "changes" section.
			sort -k 10 "$TMP1" "$CUR" "$LIST" | \
			    sed -e 's/[	 ][	 ]*/ /g' | uniq -u >"$TMP2"
			if [ -s "$TMP2" ] ; then
				echo "Setuid changes:"
				column "$TMP2"
				echo ""
			fi

			# Rotate: the previous list becomes the backup and the
			# new list becomes the reference for the next run.
			mv "$CUR" "$BACK"
			mv "$LIST" "$CUR"
		fi
	else
		# No saved list yet: everything found counts as an addition.
		echo "Setuid additions:"
		cat "$LIST"
		echo ""
		mv "$LIST" "$CUR"
	fi
fi

# Same comparison for the device node list (the $TMP1 lines that start
# with "b" or "c").  ls -lgT prints a device node's major and minor numbers
# where the size would be, so the path name is field 11 here, not 10.
# Nothing is reported or saved when the new list is empty.
grep '^[bc]' "$TMP1" >"$LIST"
if [ -s "$LIST" ] ; then
	CUR=/var/log/device.current
	BACK=/var/log/device.backup

	if [ -s "$CUR" ] ; then
		if ! cmp -s "$CUR" "$LIST" ; then
			# $TMP1 is reused to collect the added and deleted
			# lines so the "changes" pass below can cancel them out.
			: >"$TMP1"

			# Both lists are ordered by path, as join(1) requires.
			# Lines only in the new list are additions.
			join -1 11 -2 11 -v 2 "$CUR" "$LIST" >"$TMP2"
			if [ -s "$TMP2" ] ; then
				echo "Device additions:"
				tee -a "$TMP1" <"$TMP2"
				echo ""
			fi

			# Lines only in the saved list are deletions.
			join -1 11 -2 11 -v 1 "$CUR" "$LIST" >"$TMP2"
			if [ -s "$TMP2" ] ; then
				echo "Device deletions:"
				tee -a "$TMP1" <"$TMP2"
				echo ""
			fi

			# Lines that appear exactly once after merging the
			# three files are device nodes whose attributes
			# (mode, owner, major/minor, ...) changed.
			# NOTE(review): relies on join(1) printing unpairable
			# lines in their original field order -- confirm for
			# the local join before trusting the "changes" section.
			sort -k 11 "$TMP1" "$CUR" "$LIST" | \
			    sed -e 's/[	 ][	 ]*/ /g' | uniq -u >"$TMP2"
			if [ -s "$TMP2" ] ; then
				echo "Device changes:"
				column "$TMP2"
				echo ""
			fi

			# Rotate: the previous list becomes the backup and the
			# new list becomes the reference for the next run.
			mv "$CUR" "$BACK"
			mv "$LIST" "$CUR"
		fi
	else
		# No saved list yet: everything found counts as an addition.
		echo "Device additions:"
		cat "$LIST"
		echo ""
		mv "$LIST" "$CUR"
	fi
fi
# Stop here.  Everything below this line is unreachable, so the mtree(8)
# binary check is currently disabled; remove this exit to enable it.
# A bare exit reports the status of the last command run, which is $?.
exit $?

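# Check the system binaries.
# Create the mtree tree specifications using:
#
#	mtree -cx -pDIR -kcksum,gid,mode,nlink,size,link,time,uid > DIR.secure
#	chown bin.bin DIR.secure
#	chmod 444 DIR.secure
#
# Note, this is not complete protection against Trojan horsed binaries, as
# the hacker can modify the tree specification to match the replaced binary.
# For details on really protecting yourself against modified binaries, see
# the mtree(8) manual page.
#
# The directory a specification describes is taken from the last word of
# its third line (the "tree:" header comment written by mtree -c), so the
# specification file itself decides which tree gets checked.

if cd /etc/mtree; then
	echo ""
	echo "Checking system binaries:"
	for file in *.secure; do
		# With no matching file the glob stays as the literal
		# pattern; skip it rather than run mtree on a missing spec.
		[ -f "$file" ] || continue
		tree=$(sed -n -e '3s/.* //p' -e 3q "$file")
		# A spec without a tree path would otherwise be checked
		# against an empty -p argument; report it and move on.
		if [ -z "$tree" ]; then
			echo ""
			echo "Checking $file: no tree path on line 3, skipped"
			continue
		fi
		echo ""
		echo "Checking $tree:"
		mtree -f "$file" -p "$tree"
	done
fi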