aboutsummaryrefslogtreecommitdiffstats
path: root/cron-sh/security_check.sh
diff options
context:
space:
mode:
Diffstat (limited to 'cron-sh/security_check.sh')
-rwxr-xr-xcron-sh/security_check.sh50
1 files changed, 25 insertions, 25 deletions
diff --git a/cron-sh/security_check.sh b/cron-sh/security_check.sh
index 844cd9d..6686dd3 100755
--- a/cron-sh/security_check.sh
+++ b/cron-sh/security_check.sh
@@ -4,7 +4,7 @@
# Written by Vandoorselaere Yoann, <yoann@mandrakesoft.com>
#
-if [ -f /etc/security/msec/security.conf ]; then
+if [[ -f /etc/security/msec/security.conf ]]; then
. /etc/security/msec/security.conf
else
echo "/etc/security/msec/security.conf don't exist."
@@ -19,7 +19,7 @@ SECURITY="/tmp/secure.log"
SECURITY_LOG="/var/log/security.log"
TMP="/tmp/secure.tmp"
-if [ ! -d /var/log/security ]; then
+if [[ ! -d /var/log/security ]]; then
mkdir /var/log/security
fi
@@ -49,7 +49,7 @@ Ttylog() {
if [[ ${CHECK_WRITEABLE} == yes ]]; then
find ${DIR} -xdev -type f -perm -2 -ls -print | awk '{print $11}' | sort > ${TMP}
- if [ -s ${TMP} ]; then
+ if [[ -s ${TMP} ]]; then
printf "\nSecurity Warning: World Writeable Files found :\n" >> ${SECURITY}
cat ${TMP} >> ${SECURITY}
fi
@@ -58,7 +58,7 @@ fi
### Search Un Owned file
if [[ ${CHECK_UNOWNED} == yes ]]; then
find ${DIR} -xdev -nouser -print -ls | awk '{print $11}' | sort > ${TMP}
- if [ -s ${TMP} ]; then
+ if [[ -s ${TMP} ]]; then
printf "\nSecurity Warning : the following file aren't owned by any user :\n" >> ${SECURITY}
printf "\ttheses files now have user \"nobody\" as their owner." >> ${SECURE_LOG}
cat ${TMP} >> ${SECURITY}
@@ -66,7 +66,7 @@ if [[ ${CHECK_UNOWNED} == yes ]]; then
fi
find $DIR -xdev -nogroup -print -ls | awk '{print $11}' | sort > ${TMP}
- if [ -s ${TMP} ]; then
+ if [[ -s ${TMP} ]]; then
printf "\nSecurity Warning : the following file aren't owned by any group :\n" >> ${SECURITY}
printf "\ttheses files now have group \"nogroup\" as their group owner." >> ${SECURITY}
cat ${TMP} >> ${SECURITY}
@@ -81,7 +81,7 @@ awk -F: '/^[^+-]/ { print $1 " " $3 " " $6 }' /etc/passwd |
while read username uid homedir; do
for f in ${list} ; do
file="${homedir}/${f}"
- if [ -f ${file} ] ; then
+ if [[ -f ${file} ]] ; then
printf "${uid} ${username} ${file} `ls -ldcgn ${file}`\n"
fi
done
@@ -96,7 +96,7 @@ done | awk '$1 != $6 && $6 != "0" \
$4 ~ /^-.......w/ \
{ print "\t\t- " $3 " : file is other writeable." }' > ${TMP}
-if [ -s ${TMP} ]; then
+if [[ -s ${TMP} ]]; then
printf "\nSecurity Warning: these files shouldn't be owned by someone else or readable :\n" >> ${SECURITY}
cat ${TMP} >> ${SECURITY}
fi
@@ -110,7 +110,7 @@ awk -F: '/^[^+-]/ { print $1 " " $3 " " $6 }' /etc/passwd | \
while read username uid homedir; do
for f in ${list} ; do
file=${homedir}/${f}
- if [ -f ${file} ] ; then
+ if [[ -f ${file} ]] ; then
printf "${uid} ${username} ${file} `ls -ldcgn ${file}`\n"
fi
done
@@ -121,7 +121,7 @@ done | awk '$1 != $6 && $6 != "0" \
$4 ~ /^-.......w/ \
{ print "\t\t- " $3 " : file is other writeable." }' > ${TMP}
-if [ -s ${TMP} ]; then
+if [[ -s ${TMP} ]]; then
printf "\nSecurity Warning: theses files should not be owned by someone else or writeable :\n" >> ${SECURITY}
cat ${TMP} >> ${SECURITY}
fi
@@ -129,7 +129,7 @@ fi
### Check home directories. Directories should not be owned by someone else or writeable.
awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \
while read uid homedir; do
- if [ -d ${homedir}/ ] ; then
+ if [[ -d ${homedir} ]] ; then
file=`ls -ldg ${homedir}`
printf "$uid $file\n"
fi
@@ -140,7 +140,7 @@ done | awk '$1 != $4 && $4 != "root" \
$2 ~ /^-.......w/ \
{ print "user=" $1 " : home directory is other writeable." }' > ${TMP}
-if [ -s $TMP ] ; then
+if [[ -s $TMP ]] ; then
printf "\nSecurity Warning: these home directory should not be owned by someone else or writeable :\n" >> ${SECURITY}
cat ${TMP} >> ${SECURITY}
fi
@@ -155,7 +155,7 @@ if [[ ${CHECK_PASSWD} == yes ]]; then
printf("\t\t- /etc/passwd:%d: User \"%s\" has a real password (it is not shadowed).\n", FNR, $1);
}' < /etc/passwd > ${TMP}
- if [ -s ${TMP} ]; then
+ if [[ -s ${TMP} ]]; then
printf "\nSecurity Warning: /etc/passwd check :\n" >> ${SECURITY}
cat ${TMP} >> ${SECURITY}
fi
@@ -168,14 +168,14 @@ if [[ ${CHECK_SHADOW} == yes ]]; then
printf("\t\t- /etc/shadow:%d: User \"%s\" has no password !\n", FNR, $1);
}' < /etc/shadow > ${TMP}
- if [ -s ${TMP} ]; then
+ if [[ -s ${TMP} ]]; then
printf "\nSecurity Warning: /etc/shadow check :\n" >> ${SECURITY}
cat ${TMP} >> ${SECURITY}
fi
fi
### File systems should not be globally exported.
-if [ -s /etc/exports ] ; then
+if [[ -s /etc/exports ]] ; then
awk '{
if (($1 ~ /^#/) || ($1 ~ /^$/)) next;
readonly = 0;
@@ -190,7 +190,7 @@ if [ -s /etc/exports ] ; then
} else print "\t\t- Nfs File system " $1 " globally exported, read-write.";
}' < /etc/exports > ${TMP}
- if [ -s ${TMP} ] ; then
+ if [[ -s ${TMP} ]] ; then
printf "\nSecurity Warning: Some NFS filesystem are exported globally :\n" >> ${SECURITY}
cat ${TMP} >> ${SECURITY}
fi
@@ -198,7 +198,7 @@ fi
### nfs mounts with missing nosuid
/bin/mount | /bin/grep -v nosuid | /bin/grep ' nfs ' > ${TMP}
-if [ -s ${TMP} ] ; then
+if [[ -s ${TMP} ]] ; then
printf "\nSecurity Warning: The following NFS mounts haven't got the nosuid option set :\n" >> ${SECURITY}
cat ${TMP} >> ${SECURITY}
fi
@@ -206,7 +206,7 @@ fi
### Files that should not have + signs.
list="/etc/hosts.equiv /etc/shosts.equiv /etc/hosts.lpd"
for file in $list ; do
- if [ -s ${file} ] ; then
+ if [[ -s ${file} ]] ; then
awk '{
if ($0 ~ /^\+@.*$/)
next;
@@ -219,7 +219,7 @@ done > ${TMP}
awk -F: '{print $1" "$6}' /etc/passwd |
while read username homedir; do
for file in .rhosts .shosts; do
- if [ -s ${homedir}/${file} ] ; then
+ if [[ -s ${homedir}/${file} ]] ; then
awk '{
if ($0 ~ /^\+@.*$/)
next;
@@ -230,7 +230,7 @@ awk -F: '{print $1" "$6}' /etc/passwd |
done >> ${TMP}
done
-if [ -s ${TMP} ]; then
+if [[ -s ${TMP} ]]; then
printf "\nSecurity Warning: '+' character found in hosts trusting files,\n" >> ${SECURITY}
printf "\tthis probably mean that you trust certains users/domain\n" >> ${SECURITY}
printf "\tto connect on this host without proper authentication :\n" >> ${SECURITY}
@@ -240,13 +240,13 @@ fi
### executables should not be in the aliases file.
list="/etc/aliases /etc/postfix/aliases"
for file in ${list}; do
- if [ -s ${file} ]; then
+ if [[ -s ${file} ]]; then
grep -v '^#' /etc/aliases | grep '|' | while read line; do
printf "\t\t- ${line}\n"
done > ${TMP}
fi
- if [ -s ${TMP} ]; then
+ if [[ -s ${TMP} ]]; then
printf "\nSecurity Warning: The following programs are executed in your mail\n" >> ${SECURITY}
printf "\tvia ${file} files, this could lead to security problems :\n" >> ${SECURITY}
cat ${TMP} >> ${SECURITY}
@@ -257,14 +257,14 @@ done
if [[ ${CHECK_OPEN_PORT} == yes ]]; then
netstat -pvlA inet > ${TMP};
- if [ -s ${TMP} ]; then
+ if [[ -s ${TMP} ]]; then
printf "\nThese are the ports listening on your machine :\n" >> ${SECURITY}
cat ${TMP} >> ${SECURITY}
fi
fi
### Report
-if [ -s ${SECURITY} ]; then
+if [[ -s ${SECURITY} ]]; then
Syslog ${SECURITY}
Ttylog ${SECURITY}
date=`date`
@@ -272,11 +272,11 @@ if [ -s ${SECURITY} ]; then
cat ${SECURITY} >> ${SECURITY_LOG}
fi
-if [ -f ${SECURITY} ]; then
+if [[ -f ${SECURITY} ]]; then
rm -f ${SECURITY}
fi
-if [ -f ${TMP} ]; then
+if [[ -f ${TMP} ]]; then
rm -f ${TMP}
fi