Added permission for /var/log/ and it's subdirectory

6 files changed, 211 insertions, 112 deletions

diff --git a/cron-sh/file_check.sh b/cron-sh/file_check.sh
index 7886387..f91dce3 100755
--- a/cron-sh/file_check.sh
+++ b/cron-sh/file_check.sh
@@ -15,6 +15,8 @@ if [ SECURITY_CHECK == "no" ]; then
     exit 0
 fi
 
+OUT=./blah
+
 # Modified filters coming from debian security scripts.
 CS_NFSAFS='(nfs|afs|xfs|coda)'
 CS_TYPES=' type (devpts|auto|proc|msdos|fat|vfat|iso9660|ncpfs|smbfs|'$CS_NFSAFS')'
@@ -266,6 +268,128 @@ if [ ${CHECK_OPEN_PORT}=="yes" ]; then
     fi
 fi
 
+### /etc/exports check ###
+
+# File systems should not be globally exported.
+if [ -s /etc/exports ] ; then
+    awk '{
+	if (($1 ~ /^#/) || ($1 ~ /^$/)) next;
+	readonly = 0;
+                for (i = 2; i <= NF; ++i) {
+                        if ($i ~ /^-ro$/)
+                                readonly = 1;
+                        else if ($i !~ /^-/)
+                                next;
+                }
+                if (readonly) {
+		    print "Warning : Nfs File system " $1 " globally exported, read-only.";
+		} else print "Warning : Nfs File system " $1 " globally exported, read-write.";
+        }' < /etc/exports > $OUT
+        if [ -s "$OUT" ] ; then
+                printf "\nChecking for globally exported file systems.\n"
+                cat "$OUT"
+        fi
+fi
+
+
+# nfs mounts with missing nosuid
+/bin/mount | /bin/grep -v nosuid | /bin/grep ' nfs ' > $OUT
+if [ -s "$OUT" ] ; then
+    printf "\nThe following NFS mounts haven't got the nosuid option set:\n"
+    cat "$OUT"
+fi
+
+# Files that should not be owned by someone else or readable.
+list=".netrc .rhosts .shosts .Xauthority .pgp/secring.pgp .ssh/identity .ssh/random_seed"
+awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \
+while read uid homedir; do
+        for f in $list ; do
+                file=${homedir}/${f}
+                if [ -f $file ] ; then
+                        printf "$uid $f `ls -ldcg $file`\n"
+                fi
+        done
+done |
+awk '$1 != $5 && $5 != "root" \
+        { print "user " $1 " " $2 " : file is owned by " $5 }
+     $3 ~ /^-...r/ \
+        { print "user " $1 " " $2 " : file is group readable" }
+     $3 ~ /^-......r/ \
+        { print "user " $1 " " $2 " : file is other readable" }
+     $3 ~ /^-....w/ \
+        { print "user " $1 " " $2 " : file is group writeable" }
+     $3 ~ /^-.......w/ \
+        { print "user " $1 " " $2 " : file is other writeable" }' > $OUT
+
+
+# Files that should not be owned by someone else or writeable.
+list=".bashrc .bash_profile .bash_login .bash_logout .cshrc .emacs .exrc \
+.forward .klogin .login .logout .profile .tcshrc .fvwmrc .inputrc .kshrc \
+.nexrc .screenrc .ssh .ssh/config .ssh/authorized_keys .ssh/environment \
+.ssh/known_hosts .ssh/rc .twmrc .xsession .xinitrc .Xdefaults"
+awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \
+while read uid homedir; do
+        for f in $list ; do
+                file=${homedir}/${f}
+                if [ -f $file ] ; then
+                        printf "$uid $f `ls -ldcg $file`\n"
+                fi
+        done
+done |
+awk '$1 != $5 && $5 != "root" \
+        { print "user " $1 " " $2 " : file is owned by " $5 }
+     $3 ~ /^-....w/ \
+        { print "user " $1 " " $2 " : file is group writeable" }
+     $3 ~ /^-.......w/ \
+        { print "user " $1 " " $2 " : file is other writeable" }' >> $OUT
+if [ -s "$OUT" ] ; then
+        printf "\nChecking dot files.\n"
+        cat "$OUT"
+fi
+
+# Check home directories.  Directories should not be owned by someone else
+# or writeable.
+awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \
+while read uid homedir; do
+        if [ -d ${homedir}/ ] ; then
+                file=`ls -ldg ${homedir}`
+                printf "$uid $file\n"
+        fi
+done |
+awk '$1 != $4 && $4 != "root" \
+        { print "user " $1 " : home directory is owned by " $4 }
+     $2 ~ /^-....w/ \
+        { print "user " $1 " : home directory is group writeable" }
+     $2 ~ /^-.......w/ \
+        { print "user " $1 " : home directory is other writeable" }' > $OUT
+if [ -s "$OUT" ] ; then
+        printf "\nChecking home directories.\n"
+        cat "$OUT"
+fi
+
+# Files that should not have + signs.
+list="/etc/hosts.equiv /etc/shosts.equiv /etc/hosts.lpd"
+for f in $list ; do
+        if [ -s $f ] ; then
+                awk '{
+                        if ($0 ~ /^\+@.*$/)
+                                next;
+                        if ($0 ~ /^\+.*$/)
+                                printf("\nPlus sign in the file %s\n", FILENAME);
+                }' $f
+        fi
+done
+
+
+# executables should not be in the /etc/aliases file.
+if [ -s /etc/aliases ]; then
+    grep -v '^#' /etc/aliases | grep '|' > $OUT
+    if [ -s "$OUT" ] ; then
+            printf "\nThe following programs are executed in your mail via /etc/aliases (bad!):\n"
+            cat "$OUT"
+    fi
+fi
+
 
 
 
diff --git a/init-sh/perm.1 b/init-sh/perm.1
index c63483a..0cae0d7 100644
--- a/init-sh/perm.1
+++ b/init-sh/perm.1
@@ -1,43 +1,18 @@
-#
-#
-# - Group for X user
-# - Group for audio user
-# - Group for dialout user
-# - Group for video user
-# Directories /
 # Welcome in Level 1
 ###
-
 /bin						root.root		755
 /boot						root.root		755
 /dev						root.root		755
 /dev/audio*					root.audio		660
 /dev/dsp*					root.audio		660
 /etc/						root.root		755
+/etc/conf.modules				root.root		644
 /etc/cron.daily/				root.root		755
 /etc/cron.hourly/				root.root		755
 /etc/cron.monthly/				root.root		755
 /etc/cron.weekly/				root.root		755
-/etc/dhcpcd/					root.root		755
-/etc/init.d/					root.root		755
-/etc/profile					root.root		644
-/home/						root.root		755
-/home/*						current			755
-/lib						root.root		755
-/mnt						root.root		755
-/root						root.root		755
-/sbin						root.root		755
-/tmp						root.root		1777
-/usr						root.root		755
-/usr/*						root.root		755
-/usr/X11R6/					root.root		755
-/usr/bin/					root.root		755
-/usr/bin/*					root.root		755
-/usr/sbin/					root.root		755
-/var						root.root		755
-
-/etc/conf.modules				root.root		644
 /etc/crontab					root.root		644
+/etc/dhcpcd/					root.root		755
 /etc/esd.conf					root.root		644
 /etc/ftpaccess					root.root		644
 /etc/ftpconversions				root.root		644
@@ -49,12 +24,14 @@
 /etc/hosts.deny					root.root		644
 /etc/hosts.equiv				root.root		644
 /etc/inetd.conf					root.root		644
+/etc/init.d/					root.root		755
 /etc/inittab					root.root		644
 /etc/ld.so.conf					root.root		644
 /etc/lilo.conf					root.root		644
 /etc/modules.conf				root.root		644
 /etc/motd					root.root		644
 /etc/printcap					root.root		644
+/etc/profile					root.root		644
 /etc/rc.d/					root.root		755
 /etc/securetty					root.root		644
 /etc/sendmail.cf				root.root		644
@@ -64,7 +41,24 @@
 /etc/sshd_config				root.root		644
 /etc/syslog.conf				root.root		644
 /etc/updatedb.conf				root.root		644
-
+/home/						root.root		755
+/home/*						current			755
+/lib						root.root		755
+/mnt						root.root		755
+/root						root.root		755
+/sbin						root.root		755
+/tmp						root.root		1777
+/usr						root.root		755
+/usr/*						root.root		755
+/usr/X11R6/					root.root		755
+/usr/bin/					root.root		755
+/usr/bin/*					root.root		755
+/usr/sbin/					root.root		755
+/var						root.root		755
+/var/log					root.root		755
+/var/log/*					root.adm		644
+/var/log/security/				root.root		700
+/var/log/security/*				root.root		600
 
 
 
diff --git a/init-sh/perm.2 b/init-sh/perm.2
index dcaf293..4c06b7b 100644
--- a/init-sh/perm.2
+++ b/init-sh/perm.2
@@ -1,43 +1,18 @@
-#
-#
-# - Group for X user
-# - Group for audio user
-# - Group for dialout user
-# - Group for video user
-# Directories /
 # Welcome in Level 2
 ###
-
 /bin						root.root		755
 /boot						root.root		755
 /dev						root.root		755
 /dev/audio*					root.audio		660
 /dev/dsp*					root.audio		660
 /etc/						root.root		755
+/etc/conf.modules				root.root		644
 /etc/cron.daily/				root.root		755
 /etc/cron.hourly/				root.root		755
 /etc/cron.monthly/				root.root		755
 /etc/cron.weekly/				root.root		755
-/etc/dhcpcd/					root.root		755
-/etc/init.d/					root.root		755
-/etc/profile					root.root		644
-/home/						root.root		755
-/home/*						current			755
-/lib						root.root		755
-/mnt						root.root		755
-/root						root.root		700
-/sbin						root.root		755
-/tmp						root.root		1777
-/usr						root.root		755
-/usr/*						root.root		755
-/usr/X11R6/					root.root		755
-/usr/bin/					root.root		755
-/usr/bin/*					root.root		755
-/usr/sbin/					root.root		755
-/var						root.root		755
-
-/etc/conf.modules				root.root		644
 /etc/crontab					root.root		644
+/etc/dhcpcd/					root.root		755
 /etc/esd.conf					root.root		644
 /etc/ftpaccess					root.root		644
 /etc/ftpconversions				root.root		644
@@ -49,12 +24,14 @@
 /etc/hosts.deny					root.root		644
 /etc/hosts.equiv				root.root		644
 /etc/inetd.conf					root.root		644
+/etc/init.d/					root.root		755
 /etc/inittab					root.root		644
 /etc/ld.so.conf					root.root		644
 /etc/lilo.conf					root.root		644
 /etc/modules.conf				root.root		644
 /etc/motd					root.root		644
 /etc/printcap					root.root		644
+/etc/profile					root.root		644
 /etc/rc.d/					root.root		755
 /etc/securetty					root.root		644
 /etc/sendmail.cf				root.root		644
@@ -64,9 +41,21 @@
 /etc/sshd_config				root.root		644
 /etc/syslog.conf				root.root		644
 /etc/updatedb.conf				root.root		644
-
-
-
-
-
-
+/home/						root.root		755
+/home/*						current			755
+/lib						root.root		755
+/mnt						root.root		755
+/root						root.root		700
+/sbin						root.root		755
+/tmp						root.root		1777
+/usr						root.root		755
+/usr/*						root.root		755
+/usr/X11R6/					root.root		755
+/usr/bin/					root.root		755
+/usr/bin/*					root.root		755
+/usr/sbin/					root.root		755
+/var						root.root		755
+/var/log					root.root		755
+/var/log/*					root.adm		640
+/var/log/security				root.root		700
+/var/log/security/*				root.root		600
diff --git a/init-sh/perm.3 b/init-sh/perm.3
index 94d12e7..aab758e 100644
--- a/init-sh/perm.3
+++ b/init-sh/perm.3
@@ -1,43 +1,18 @@
-#
-#
-# - Group for X user
-# - Group for audio user
-# - Group for dialout user
-# - Group for video user
-# Directories /
 # Welcome in Level 3
 ###
-
 /bin						root.root		755
 /boot						root.root		755
 /dev						root.root		755
 /dev/audio*					root.audio		660
 /dev/dsp*					root.audio		660
 /etc/						root.root		755
+/etc/conf.modules				root.root		644
 /etc/cron.daily/				root.root		755
 /etc/cron.hourly/				root.root		755
 /etc/cron.monthly/				root.root		755
 /etc/cron.weekly/				root.root		755
-/etc/dhcpcd/					root.root		755
-/etc/init.d/					root.root		755
-/etc/profile					root.root		644
-/home/						root.root		755
-/home/*						current			700
-/lib						root.root		755
-/mnt						root.root		755
-/root						root.root		700
-/sbin						root.root		755
-/tmp						root.root		1777
-/usr						root.root		755
-/usr/*						root.root		755
-/usr/X11R6/					root.root		755
-/usr/bin/					root.root		755
-/usr/bin/*					root.root		755
-/usr/sbin/					root.root		755
-/var						root.root		755
-
-/etc/conf.modules				root.root		644
 /etc/crontab					root.root		644
+/etc/dhcpcd/					root.root		755
 /etc/esd.conf					root.root		644
 /etc/ftpaccess					root.root		644
 /etc/ftpconversions				root.root		644
@@ -49,12 +24,14 @@
 /etc/hosts.deny					root.root		644
 /etc/hosts.equiv				root.root		644
 /etc/inetd.conf					root.root		644
+/etc/init.d/					root.root		755
 /etc/inittab					root.root		644
 /etc/ld.so.conf					root.root		644
 /etc/lilo.conf					root.root		644
 /etc/modules.conf				root.root		644
 /etc/motd					root.root		644
 /etc/printcap					root.root		644
+/etc/profile					root.root		644
 /etc/rc.d/					root.root		755
 /etc/securetty					root.root		644
 /etc/sendmail.cf				root.root		644
@@ -64,5 +41,34 @@
 /etc/sshd_config				root.root		644
 /etc/syslog.conf				root.root		644
 /etc/updatedb.conf				root.root		644
+/home/						root.root		755
+/home/*						current			700
+/lib						root.root		755
+/mnt						root.root		755
+/root						root.root		700
+/sbin						root.root		755
+/tmp						root.root		1777
+/usr						root.root		755
+/usr/*						root.root		755
+/usr/X11R6/					root.root		755
+/usr/bin/					root.root		755
+/usr/bin/*					root.root		755
+/usr/sbin/					root.root		755
+/var						root.root		755
+/var/log					root.root		755
+/var/log/*					root.root		600
+/var/log/security				root.root		700
+/var/log/security/*				root.root		600
+
+
+
+
+
+
+
+
+
+
+
 
 
diff --git a/init-sh/perm.4 b/init-sh/perm.4
index 8e422df..cf6b02f 100644
--- a/init-sh/perm.4
+++ b/init-sh/perm.4
@@ -1,11 +1,5 @@
-#
-#
-# - Group for X user
-# - Group for audio user
-# - Group for dialout user
-# - Group for video user
 # Welcome in Level 4, aka secure & usable.
-
+###
 /bin						root.root		711
 /boot						root.root		700
 /dev						root.root		711
@@ -47,7 +41,6 @@
 /etc/sshd_config				root.adm		640
 /etc/syslog.conf				root.adm		640
 /etc/updatedb.conf				root.adm		640
-
 /home/						root.adm		751
 /home/*						current			700
 /lib						root.adm		751
@@ -63,10 +56,7 @@
 /usr/sbin/					root.adm		751
 /usr/sbin/*					root.root		755
 /var						root.root		755
-
-
-
-
-
-
-
+/var/log					root.root		700
+/var/log/*					root.root		600
+/var/log/security				root.root		700
+/var/log/security/*				root.root		600
diff --git a/init-sh/perm.5 b/init-sh/perm.5
index 1965860..fffdfde 100644
--- a/init-sh/perm.5
+++ b/init-sh/perm.5
@@ -1,11 +1,5 @@
-#
-#
-# - Group for X user
-# - Group for audio user
-# - Group for dialout user
-# - Group for video user
 # Welcome in Level 5, aka paranoid.
-
+###
 /bin						root.root		711
 /boot						root.root		700
 /dev						root.root		711
@@ -47,7 +41,6 @@
 /etc/sshd_config				root.root		600
 /etc/syslog.conf				root.root		600
 /etc/updatedb.conf				root.root		600
-
 /home/						root.root		711
 /home/*						current			700
 /lib						root.root		711
@@ -64,4 +57,7 @@
 /usr/sbin/*					root.root		700
 /usr/sbin/sendmail				root.root		755
 /var						root.root		755
-
+/var/log					root.root		700
+/var/log/*					root.root		600
+/var/log/security				root.root		700
+/var/log/security/*				root.root		600