From 74055382de3e44e81bf084d08883e7a9e5b90b04 Mon Sep 17 00:00:00 2001
From: Yoann Vandoorselaere <yoann@mandriva.com>
Date: Mon, 6 Dec 1999 18:11:39 +0000
Subject: *** empty log message ***

---
 cron-sh/security_check.sh | 279 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 279 insertions(+)
 create mode 100755 cron-sh/security_check.sh

(limited to 'cron-sh/security_check.sh')

diff --git a/cron-sh/security_check.sh b/cron-sh/security_check.sh
new file mode 100755
index 0000000..5dffc48
--- /dev/null
+++ b/cron-sh/security_check.sh
@@ -0,0 +1,279 @@
+#!/bin/bash
+
+#
+# Basic security checking for suid files.
+# Written by Vandoorselaere Yoann, <yoann@mandrakesoft.com>
+#
+
+if [ -f /etc/security/msec/security.conf ]; then
+    . /etc/security/msec/security.conf
+else
+    exit 1
+fi
+
+if [ SECURITY_CHECK == "no" ]; then
+    exit 0
+fi
+
+SECURITY_LOG="/tmp/secure.log"
+SECURITY="/var/log/security.log"
+TMP="/tmp/secure.tmp"
+
+if [ ! -d /var/log/security ]; then
+    mkdir /var/log/security
+fi
+
+chattr -a /var/log/security/ >& /dev/null
+chattr -a /var/log/security/* >& /dev/null
+rm -f ${SECURITY_LOG} ${TMP} >& /dev/null
+
+### Functions ###
+
+Syslog() {
+    if [ $SYS_LOG=="yes" ]; then
+	cat ${1} | while read line; do
+	    /sbin/initlog --string="${line}"
+	done
+    fi
+}
+
+Ttylog() {
+	if [ $TTY_LOG=="yes" ]; then
+		for i in `w | grep -v "load\|TTY" | awk '{print $2}'` ; do
+			echo -e "$1" > /dev/$i
+		done
+	fi
+}
+
+### Writeable file detection
+if [ ${CHECK_WRITEABLE}=="yes" ]; then
+    find ${DIR} -xdev -type f -perm -2 -ls -print | awk '{print $11}' | sort > ${TMP}
+
+    if [ -s ${TMP} ]; then
+	printf "\nSecurity Warning: World Writeable Files found :\n" >> ${SECURITY_LOG}
+	cat ${TMP} >> ${SECURITY_LOG}
+    fi
+fi
+
+### Search Un Owned file
+if [ ${CHECK_UNOWNED}=="yes" ]; then
+    find ${DIR} -xdev -nouser -print -ls | awk '{print $11}' | sort > ${TMP}
+    if [ -s ${TMP} ]; then
+	printf "\nSecurity Warning : the following file aren't owned by any user :\n" >> ${SECURITY_LOG}
+	printf "\ttheses files now have user \"nobody\" as their owner." >> ${SECURE_LOG}
+	cat ${TMP} >> ${SECURITY_LOG}
+        cat ${TMP} | while read line; do chown nobody ${line}; done	
+    fi
+
+    find $DIR -xdev -nogroup -print -ls | awk '{print $11}' | sort > ${TMP}
+    if [ -s ${TMP} ]; then
+	printf "\nSecurity Warning : the following file aren't owned by any group :\n" >> ${SECURITY_LOG}
+        printf "\ttheses files now have group \"nogroup\" as their group owner." >> ${SECURITY_LOG}
+	cat ${TMP} >> ${SECURITY_LOG}
+	cat ${TMP} | while read line; do chgrp nogroup ${line}; done
+    fi
+fi
+
+if [ ${CHECK_PERMISSIONS}=="yes" ]; then
+# Files that should not be owned by someone else or readable.
+list=".netrc .rhosts .shosts .Xauthority .pgp/secring.pgp .ssh/identity .ssh/random_seed"
+awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \
+while read uid homedir; do
+        for f in ${list} ; do
+                file="${homedir}/${f}"
+                if [ -f ${file} ] ; then
+                        printf "${uid} ${f} `ls -ldcg ${file}`\n"
+                fi
+        done
+done | awk '$1 != $5 && $5 != "root" \
+        { print "\t\tuser=" $1 ", file=" $2 " : file is owned by " $5 }
+     $3 ~ /^-...r/ \
+        { print "\t\tuser=" $1 ", file=" $2 " : file is group readable" }
+     $3 ~ /^-......r/ \
+        { print "\t\tuser=" $1 ", file=" $2 " : file is other readable" }
+     $3 ~ /^-....w/ \
+        { print "\t\tuser=" $1 ", file=" $2 " : file is group writeable" }
+     $3 ~ /^-.......w/ \
+        { print "\t\tuser=" $1 ", file=" $2 " : file is other writeable" }' > ${TMP}
+
+if [ -s ${TMP} ]; then
+    printf "\nSecurity Warning: these files shouldn't be owned by someone else or readable :\n" >> ${SECURITY_LOG}
+    cat ${TMP} >> ${SECURITY_LOG}
+fi
+
+
+### Files that should not be owned by someone else or writeable.
+list=".bashrc .bash_profile .bash_login .bash_logout .cshrc .emacs .exrc \
+.forward .klogin .login .logout .profile .tcshrc .fvwmrc .inputrc .kshrc \
+.nexrc .screenrc .ssh .ssh/config .ssh/authorized_keys .ssh/environment \
+.ssh/known_hosts .ssh/rc .twmrc .xsession .xinitrc .Xdefaults"
+awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \
+while read uid homedir; do
+        for f in ${list} ; do
+                file="${homedir}/${f}"
+                if [ -f $file ] ; then
+                        printf "$uid ${f} `ls -ldcg ${file}`\n"
+                fi
+        done
+done | awk '$1 != $5 && $5 != "root" \
+        { print "\t\t- user=" $1 ", file=" $2 " : file is owned by " $5 }
+     $3 ~ /^-....w/ \
+        { print "\t\t- user=" $1 ", file=" $2 " : file is group writeable" }
+     $3 ~ /^-.......w/ \
+        { print "\t\t- user=" $1 ", file=" $2 " : file is other writeable" }' > ${TMP}
+
+if [ -s ${TMP} ]; then
+    printf "\nSecurity Warning: theses files should not be owned by someone else or writeable :\n" >> ${SECURITY_LOG}
+    cat ${TMP} >> ${SECURITY_LOG}
+fi
+
+### Check home directories.  Directories should not be owned by someone else or writeable.
+awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \
+while read uid homedir; do
+        if [ -d ${homedir}/ ] ; then
+                file=`ls -ldg ${homedir}`
+                printf "$uid $file\n"
+        fi
+done | awk '$1 != $4 && $4 != "root" \
+        { print "user=" $1 " : home directory is owned by " $4 }
+     $2 ~ /^-....w/ \
+        { print "user=" $1 " : home directory is group writeable" }
+     $2 ~ /^-.......w/ \
+        { print "user=" $1 " : home directory is other writeable" }' > ${TMP}
+
+if [ -s $TMP ] ; then
+        printf "\nSecurity Warning: these home directory should not be owned by someone else or writeable :\n" >> ${SECURITY_LOG}
+        cat ${TMP} >> ${SECURITY_LOG}
+fi
+fi
+
+if [ ${CHECK_SECURITY}=="yes" ]; then
+### Passwd file check
+if [ ${CHECK_PASSWD}=="yes" ]; then    
+    awk -F: '{
+        if ( $2 == "" )
+	    printf("\t\t- /etc/passwd:%d: User \"%s\" has no password !\n", FNR, $1);
+	else if ($2 !~ /^[x*!]+$/)
+	    printf("\t\t- /etc/passwd:%d: User \"%s\" has a real password (it is not shadowed).\n", FNR, $1);
+    }' < /etc/passwd > ${TMP}
+    
+    if [ -s ${TMP} ]; then
+	printf "\nSecurity Warning: /etc/passwd check :\n" >> ${SECURITY_LOG}
+	cat ${TMP} >> ${SECURITY_LOG}
+    fi
+fi
+
+### Shadow password file Check
+if [ ${CHECK_SHADOW}=="yes" ]; then
+    awk -F: '{
+	if ( $2 == "" )
+	    printf("\t\t- /etc/shadow:%d: User \"%s\" has no password !\n", FNR, $1);
+    }' < /etc/shadow > ${TMP}
+
+    if [ -s ${TMP} ]; then
+	printf "\nSecurity Warning: /etc/shadow check :\n" >> ${SECURITY_LOG}
+	cat ${TMP} >> ${SECURITY_LOG}
+    fi
+fi
+
+### File systems should not be globally exported.
+if [ -s /etc/exports ] ; then
+    awk '{
+        if (($1 ~ /^#/) || ($1 ~ /^$/)) next;
+	readonly = 0;
+                for (i = 2; i <= NF; ++i) {
+                        if ($i ~ /^-ro$/)
+                                readonly = 1;
+                        else if ($i !~ /^-/)
+                                next;
+                }
+                if (readonly) {
+		    print "\t\t- Nfs File system " $1 " globally exported, read-only.";
+		} else print "\t\t- Nfs File system " $1 " globally exported, read-write.";
+        }' < /etc/exports > ${TMP}
+        
+    if [ -s ${TMP} ] ; then
+	printf "\nSecurity Warning: Some NFS filesystem are exported to globally :\n" >> ${SECURITY_LOG}
+	cat ${TMP} >> ${SECURITY_LOG}
+    fi
+fi
+
+### nfs mounts with missing nosuid
+/bin/mount | /bin/grep -v nosuid | /bin/grep ' nfs ' > ${TMP}
+if [ -s ${TMP} ] ; then
+    printf "\nSecurity Warning: The following NFS mounts haven't got the nosuid option set :\n" >> ${SECURITY_LOG}
+    cat ${TMP} >> ${SECURITY_LOG}
+fi
+
+### Files that should not have + signs.
+list="/etc/hosts.equiv /etc/shosts.equiv /etc/hosts.lpd"
+for file in $list ; do
+        if [ -s ${file} ] ; then
+                awk '{
+                        if ($0 ~ /^\+@.*$/)
+				next;
+                        if ($0 ~ /^\+.*$/)
+			        printf("\t\t- %s: %s\n", FILENAME, $0);
+                }' ${file}
+        fi
+done > ${TMP}
+
+awk -F: '{print $1" "$6}' /etc/passwd |
+    while read username homedir; do
+	for file in .rhosts .shosts; do
+	    if [ -s ${homedir}/${file} ] ; then
+		awk '{
+			if ($0 ~ /^\+@.*$/)
+			    next;
+			if ($0 ~ /^\+.*$/)
+			    printf("\t\t- %s: %s\n", FILENAME, $0);
+		}' ${homedir}/${file}
+	    fi
+	done >> ${TMP}
+    done
+	
+if [ -s ${TMP} ]; then
+    printf "\nSecurity Warning: '+' character found in hosts trusting files,\n" >> ${SECURITY_LOG}
+    printf "\tthis probably mean that you trust certains users/domain\n" >> ${SECURITY_LOG}
+    printf "\tto connect on this host without proper authentication :\n" >> ${SECURITY_LOG}
+    cat ${TMP} >> ${SECURITY_LOG}
+fi
+
+### executables should not be in the aliases file.
+list="/etc/aliases /etc/postfix/aliases"
+for file in ${list}; do
+    if [ -s ${file} ]; then
+	grep -v '^#' /etc/aliases | grep '|' | while read line; do
+	    printf "\t\t- ${line}\n"
+	done > ${TMP}
+    fi
+
+    if [ -s ${TMP} ]; then
+	printf "\nSecurity Warning: The following programs are executed in your mail\n" >> ${SECURITY_LOG}
+	printf "\tvia ${file} files, this could lead to security problems :\n" >> ${SECURITY_LOG}
+        cat ${TMP} >> ${SECURITY_LOG}
+    fi
+done
+
+### Dump a list of open port.
+if [ ${CHECK_OPEN_PORT}=="yes" ]; then
+    netstat -pvlA inet > ${TMP};
+    
+    if [ -s ${TMP} ]; then
+	printf "\nThese are the ports listening on your machine :\n" >> ${SECURITY_LOG}
+	cat ${TMP} >> ${SECURITY_LOG}
+    fi
+fi
+fi # end of CHECK_SECURITY
+
+### Report
+if [ -s ${SECURITY_LOG} ]; then
+    Syslog ${SECURITY_LOG}
+    Ttylog ${SECURITY_LOG}
+    cat ${SECURITY_LOG} >> ${SECURITY}
+fi
+
+
+
+
+
-- 
cgit v1.2.1