-rwxr-xr-xcron-sh/file_check.sh124
-rw-r--r--init-sh/perm.150
-rw-r--r--init-sh/perm.255
-rw-r--r--init-sh/perm.360
-rw-r--r--init-sh/perm.420
-rw-r--r--init-sh/perm.514
6 files changed, 211 insertions, 112 deletions
diff --git a/cron-sh/file_check.sh b/cron-sh/file_check.sh
index 7886387..f91dce3 100755
--- a/cron-sh/file_check.sh
+++ b/cron-sh/file_check.sh
@@ -15,6 +15,8 @@ if [ SECURITY_CHECK == "no" ]; then
exit 0
fi
+OUT=./blah
+
# Modified filters coming from debian security scripts.
CS_NFSAFS='(nfs|afs|xfs|coda)'
CS_TYPES=' type (devpts|auto|proc|msdos|fat|vfat|iso9660|ncpfs|smbfs|'$CS_NFSAFS')'
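Review bot: `OUT=./blah` is a fixed, relative path, so every report fragment the new checks write goes to whatever directory cron happens to start the script in, and the file is never removed afterwards; a predictable name also turns the later `> $OUT` redirections into a symlink-following hazard if that directory is writable by anyone else. Create the file per run and clean it up on exit, e.g. `OUT=$(mktemp) || exit 1` followed by `trap 'rm -f -- "$OUT"' EXIT`, and quote the variable at every redirection in the next hunk (`> "$OUT"`, `>> "$OUT"`). The surrounding script continues outside this hunk.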
@@ -266,6 +268,128 @@ if [ ${CHECK_OPEN_PORT}=="yes" ]; then
fi
fi
+### /etc/exports check ###
+
+# File systems should not be globally exported.
+if [ -s /etc/exports ] ; then
+ awk '{
+ if (($1 ~ /^#/) || ($1 ~ /^$/)) next;
+ readonly = 0;
+ for (i = 2; i <= NF; ++i) {
+ if ($i ~ /^-ro$/)
+ readonly = 1;
+ else if ($i !~ /^-/)
+ next;
+ }
+ if (readonly) {
+ print "Warning : Nfs File system " $1 " globally exported, read-only.";
+ } else print "Warning : Nfs File system " $1 " globally exported, read-write.";
+ }' < /etc/exports > $OUT
+ if [ -s "$OUT" ] ; then
+ printf "\nChecking for globally exported file systems.\n"
+ cat "$OUT"
+ fi
+fi
+
+
+# nfs mounts with missing nosuid
+/bin/mount | /bin/grep -v nosuid | /bin/grep ' nfs ' > $OUT
+if [ -s "$OUT" ] ; then
+ printf "\nThe following NFS mounts haven't got the nosuid option set:\n"
+ cat "$OUT"
+fi
+
+# Files that should not be owned by someone else or readable.
+list=".netrc .rhosts .shosts .Xauthority .pgp/secring.pgp .ssh/identity .ssh/random_seed"
+awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \
+while read uid homedir; do
+ for f in $list ; do
+ file=${homedir}/${f}
+ if [ -f $file ] ; then
+ printf "$uid $f `ls -ldcg $file`\n"
+ fi
+ done
+done |
+awk '$1 != $5 && $5 != "root" \
+ { print "user " $1 " " $2 " : file is owned by " $5 }
+ $3 ~ /^-...r/ \
+ { print "user " $1 " " $2 " : file is group readable" }
+ $3 ~ /^-......r/ \
+ { print "user " $1 " " $2 " : file is other readable" }
+ $3 ~ /^-....w/ \
+ { print "user " $1 " " $2 " : file is group writeable" }
+ $3 ~ /^-.......w/ \
+ { print "user " $1 " " $2 " : file is other writeable" }' > $OUT
+
+
+# Files that should not be owned by someone else or writeable.
+list=".bashrc .bash_profile .bash_login .bash_logout .cshrc .emacs .exrc \
+.forward .klogin .login .logout .profile .tcshrc .fvwmrc .inputrc .kshrc \
+.nexrc .screenrc .ssh .ssh/config .ssh/authorized_keys .ssh/environment \
+.ssh/known_hosts .ssh/rc .twmrc .xsession .xinitrc .Xdefaults"
+awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \
+while read uid homedir; do
+ for f in $list ; do
+ file=${homedir}/${f}
+ if [ -f $file ] ; then
+ printf "$uid $f `ls -ldcg $file`\n"
+ fi
+ done
+done |
+awk '$1 != $5 && $5 != "root" \
+ { print "user " $1 " " $2 " : file is owned by " $5 }
+ $3 ~ /^-....w/ \
+ { print "user " $1 " " $2 " : file is group writeable" }
+ $3 ~ /^-.......w/ \
+ { print "user " $1 " " $2 " : file is other writeable" }' >> $OUT
+if [ -s "$OUT" ] ; then
+ printf "\nChecking dot files.\n"
+ cat "$OUT"
+fi
+
+# Check home directories. Directories should not be owned by someone else
+# or writeable.
+awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \
+while read uid homedir; do
+ if [ -d ${homedir}/ ] ; then
+ file=`ls -ldg ${homedir}`
+ printf "$uid $file\n"
+ fi
+done |
+awk '$1 != $4 && $4 != "root" \
+ { print "user " $1 " : home directory is owned by " $4 }
+ $2 ~ /^-....w/ \
+ { print "user " $1 " : home directory is group writeable" }
+ $2 ~ /^-.......w/ \
+ { print "user " $1 " : home directory is other writeable" }' > $OUT
+if [ -s "$OUT" ] ; then
+ printf "\nChecking home directories.\n"
+ cat "$OUT"
+fi
+
+# Files that should not have + signs.
+list="/etc/hosts.equiv /etc/shosts.equiv /etc/hosts.lpd"
+for f in $list ; do
+ if [ -s $f ] ; then
+ awk '{
+ if ($0 ~ /^\+@.*$/)
+ next;
+ if ($0 ~ /^\+.*$/)
+ printf("\nPlus sign in the file %s\n", FILENAME);
+ }' $f
+ fi
+done
+
+
+# executables should not be in the /etc/aliases file.
+if [ -s /etc/aliases ]; then
+ grep -v '^#' /etc/aliases | grep '|' > $OUT
+ if [ -s "$OUT" ] ; then
+ printf "\nThe following programs are executed in your mail via /etc/aliases (bad!):\n"
+ cat "$OUT"
+ fi
+fi
+
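Review bot: The ownership checks in the dot-file and home-directory loops appear to compare the wrong column: with GNU ls, `-g` suppresses the owner field, so `ls -ldcg` prints `perms links group size …` and the awk tests `$1 != $5` (dot files) and `$1 != $4` (home directories) compare the user name against the group rather than the owner — confirm against the ls on the target system. Dropping the `g` (`ls -ldc -- "$file"` and `ls -ld -- "${homedir}"`) puts the owner in the field the awk already expects. In the same loops `$file` and `${homedir}/` are unquoted in `[ -f $file ]` and in the `ls` calls, and the home directory taken from /etc/passwd is interpolated into the printf format string; `printf '%s %s %s\n' "$uid" "$f" "$(ls -ldc -- "$file")"` avoids both problems. Separately, the /etc/exports awk only recognises the `-ro` option spelling, so an export written in the Linux `path (options)` form with no host falls into the `$i !~ /^-/` branch and is skipped, meaning globally exported file systems in that syntax are never reported.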
diff --git a/init-sh/perm.1 b/init-sh/perm.1
index c63483a..0cae0d7 100644
--- a/init-sh/perm.1
+++ b/init-sh/perm.1
@@ -1,43 +1,18 @@
-#
-#
-# - Group for X user
-# - Group for audio user
-# - Group for dialout user
-# - Group for video user
-# Directories /
# Welcome in Level 1
###
-
/bin root.root 755
/boot root.root 755
/dev root.root 755
/dev/audio* root.audio 660
/dev/dsp* root.audio 660
/etc/ root.root 755
+/etc/conf.modules root.root 644
/etc/cron.daily/ root.root 755
/etc/cron.hourly/ root.root 755
/etc/cron.monthly/ root.root 755
/etc/cron.weekly/ root.root 755
-/etc/dhcpcd/ root.root 755
-/etc/init.d/ root.root 755
-/etc/profile root.root 644
-/home/ root.root 755
-/home/* current 755
-/lib root.root 755
-/mnt root.root 755
-/root root.root 755
-/sbin root.root 755
-/tmp root.root 1777
-/usr root.root 755
-/usr/* root.root 755
-/usr/X11R6/ root.root 755
-/usr/bin/ root.root 755
-/usr/bin/* root.root 755
-/usr/sbin/ root.root 755
-/var root.root 755
-
-/etc/conf.modules root.root 644
/etc/crontab root.root 644
+/etc/dhcpcd/ root.root 755
/etc/esd.conf root.root 644
/etc/ftpaccess root.root 644
/etc/ftpconversions root.root 644
@@ -49,12 +24,14 @@
/etc/hosts.deny root.root 644
/etc/hosts.equiv root.root 644
/etc/inetd.conf root.root 644
+/etc/init.d/ root.root 755
/etc/inittab root.root 644
/etc/ld.so.conf root.root 644
/etc/lilo.conf root.root 644
/etc/modules.conf root.root 644
/etc/motd root.root 644
/etc/printcap root.root 644
+/etc/profile root.root 644
/etc/rc.d/ root.root 755
/etc/securetty root.root 644
/etc/sendmail.cf root.root 644
@@ -64,7 +41,24 @@
/etc/sshd_config root.root 644
/etc/syslog.conf root.root 644
/etc/updatedb.conf root.root 644
-
+/home/ root.root 755
+/home/* current 755
+/lib root.root 755
+/mnt root.root 755
+/root root.root 755
+/sbin root.root 755
+/tmp root.root 1777
+/usr root.root 755
+/usr/* root.root 755
+/usr/X11R6/ root.root 755
+/usr/bin/ root.root 755
+/usr/bin/* root.root 755
+/usr/sbin/ root.root 755
+/var root.root 755
+/var/log root.root 755
+/var/log/* root.adm 644
+/var/log/security/ root.root 700
+/var/log/security/* root.root 600
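Review bot: The new `/var/log/security/ root.root 700` entry carries a trailing slash while the same entry added to perm.2 and perm.3 is spelled `/var/log/security`; unless the consumer of these tables normalises paths, the levels should agree, e.g. `/var/log/security root.root 700` here to match the other files.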
diff --git a/init-sh/perm.2 b/init-sh/perm.2
index dcaf293..4c06b7b 100644
--- a/init-sh/perm.2
+++ b/init-sh/perm.2
@@ -1,43 +1,18 @@
-#
-#
-# - Group for X user
-# - Group for audio user
-# - Group for dialout user
-# - Group for video user
-# Directories /
# Welcome in Level 2
###
-
/bin root.root 755
/boot root.root 755
/dev root.root 755
/dev/audio* root.audio 660
/dev/dsp* root.audio 660
/etc/ root.root 755
+/etc/conf.modules root.root 644
/etc/cron.daily/ root.root 755
/etc/cron.hourly/ root.root 755
/etc/cron.monthly/ root.root 755
/etc/cron.weekly/ root.root 755
-/etc/dhcpcd/ root.root 755
-/etc/init.d/ root.root 755
-/etc/profile root.root 644
-/home/ root.root 755
-/home/* current 755
-/lib root.root 755
-/mnt root.root 755
-/root root.root 700
-/sbin root.root 755
-/tmp root.root 1777
-/usr root.root 755
-/usr/* root.root 755
-/usr/X11R6/ root.root 755
-/usr/bin/ root.root 755
-/usr/bin/* root.root 755
-/usr/sbin/ root.root 755
-/var root.root 755
-
-/etc/conf.modules root.root 644
/etc/crontab root.root 644
+/etc/dhcpcd/ root.root 755
/etc/esd.conf root.root 644
/etc/ftpaccess root.root 644
/etc/ftpconversions root.root 644
@@ -49,12 +24,14 @@
/etc/hosts.deny root.root 644
/etc/hosts.equiv root.root 644
/etc/inetd.conf root.root 644
+/etc/init.d/ root.root 755
/etc/inittab root.root 644
/etc/ld.so.conf root.root 644
/etc/lilo.conf root.root 644
/etc/modules.conf root.root 644
/etc/motd root.root 644
/etc/printcap root.root 644
+/etc/profile root.root 644
/etc/rc.d/ root.root 755
/etc/securetty root.root 644
/etc/sendmail.cf root.root 644
@@ -64,9 +41,21 @@
/etc/sshd_config root.root 644
/etc/syslog.conf root.root 644
/etc/updatedb.conf root.root 644
-
-
-
-
-
-
+/home/ root.root 755
+/home/* current 755
+/lib root.root 755
+/mnt root.root 755
+/root root.root 700
+/sbin root.root 755
+/tmp root.root 1777
+/usr root.root 755
+/usr/* root.root 755
+/usr/X11R6/ root.root 755
+/usr/bin/ root.root 755
+/usr/bin/* root.root 755
+/usr/sbin/ root.root 755
+/var root.root 755
+/var/log root.root 755
+/var/log/* root.adm 640
+/var/log/security root.root 700
+/var/log/security/* root.root 600
diff --git a/init-sh/perm.3 b/init-sh/perm.3
index 94d12e7..aab758e 100644
--- a/init-sh/perm.3
+++ b/init-sh/perm.3
@@ -1,43 +1,18 @@
-#
-#
-# - Group for X user
-# - Group for audio user
-# - Group for dialout user
-# - Group for video user
-# Directories /
# Welcome in Level 3
###
-
/bin root.root 755
/boot root.root 755
/dev root.root 755
/dev/audio* root.audio 660
/dev/dsp* root.audio 660
/etc/ root.root 755
+/etc/conf.modules root.root 644
/etc/cron.daily/ root.root 755
/etc/cron.hourly/ root.root 755
/etc/cron.monthly/ root.root 755
/etc/cron.weekly/ root.root 755
-/etc/dhcpcd/ root.root 755
-/etc/init.d/ root.root 755
-/etc/profile root.root 644
-/home/ root.root 755
-/home/* current 700
-/lib root.root 755
-/mnt root.root 755
-/root root.root 700
-/sbin root.root 755
-/tmp root.root 1777
-/usr root.root 755
-/usr/* root.root 755
-/usr/X11R6/ root.root 755
-/usr/bin/ root.root 755
-/usr/bin/* root.root 755
-/usr/sbin/ root.root 755
-/var root.root 755
-
-/etc/conf.modules root.root 644
/etc/crontab root.root 644
+/etc/dhcpcd/ root.root 755
/etc/esd.conf root.root 644
/etc/ftpaccess root.root 644
/etc/ftpconversions root.root 644
@@ -49,12 +24,14 @@
/etc/hosts.deny root.root 644
/etc/hosts.equiv root.root 644
/etc/inetd.conf root.root 644
+/etc/init.d/ root.root 755
/etc/inittab root.root 644
/etc/ld.so.conf root.root 644
/etc/lilo.conf root.root 644
/etc/modules.conf root.root 644
/etc/motd root.root 644
/etc/printcap root.root 644
+/etc/profile root.root 644
/etc/rc.d/ root.root 755
/etc/securetty root.root 644
/etc/sendmail.cf root.root 644
@@ -64,5 +41,34 @@
/etc/sshd_config root.root 644
/etc/syslog.conf root.root 644
/etc/updatedb.conf root.root 644
+/home/ root.root 755
+/home/* current 700
+/lib root.root 755
+/mnt root.root 755
+/root root.root 700
+/sbin root.root 755
+/tmp root.root 1777
+/usr root.root 755
+/usr/* root.root 755
+/usr/X11R6/ root.root 755
+/usr/bin/ root.root 755
+/usr/bin/* root.root 755
+/usr/sbin/ root.root 755
+/var root.root 755
+/var/log root.root 755
+/var/log/* root.root 600
+/var/log/security root.root 700
+/var/log/security/* root.root 600
+
+
+
+
+
+
+
+
+
+
+
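Review bot: The tail of this hunk adds ten empty lines after `/var/log/security/* root.root 600`, while the same commit removes such trailing blank runs from perm.2, perm.4 and perm.5; drop them so the five permission tables end consistently.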
diff --git a/init-sh/perm.4 b/init-sh/perm.4
index 8e422df..cf6b02f 100644
--- a/init-sh/perm.4
+++ b/init-sh/perm.4
@@ -1,11 +1,5 @@
-#
-#
-# - Group for X user
-# - Group for audio user
-# - Group for dialout user
-# - Group for video user
# Welcome in Level 4, aka secure & usable.
-
+###
/bin root.root 711
/boot root.root 700
/dev root.root 711
@@ -47,7 +41,6 @@
/etc/sshd_config root.adm 640
/etc/syslog.conf root.adm 640
/etc/updatedb.conf root.adm 640
-
/home/ root.adm 751
/home/* current 700
/lib root.adm 751
@@ -63,10 +56,7 @@
/usr/sbin/ root.adm 751
/usr/sbin/* root.root 755
/var root.root 755
-
-
-
-
-
-
-
+/var/log root.root 700
+/var/log/* root.root 600
+/var/log/security root.root 700
+/var/log/security/* root.root 600
diff --git a/init-sh/perm.5 b/init-sh/perm.5
index 1965860..fffdfde 100644
--- a/init-sh/perm.5
+++ b/init-sh/perm.5
@@ -1,11 +1,5 @@
-#
-#
-# - Group for X user
-# - Group for audio user
-# - Group for dialout user
-# - Group for video user
# Welcome in Level 5, aka paranoid.
-
+###
/bin root.root 711
/boot root.root 700
/dev root.root 711
@@ -47,7 +41,6 @@
/etc/sshd_config root.root 600
/etc/syslog.conf root.root 600
/etc/updatedb.conf root.root 600
-
/home/ root.root 711
/home/* current 700
/lib root.root 711
@@ -64,4 +57,7 @@
/usr/sbin/* root.root 700
/usr/sbin/sendmail root.root 755
/var root.root 755
-
+/var/log root.root 700
+/var/log/* root.root 600
+/var/log/security root.root 700
+/var/log/security/* root.root 600