Diffstat (limited to 'cron-sh/security_check.sh')
-rwxr-xr-x | cron-sh/security_check.sh | 50 |
1 files changed, 25 insertions, 25 deletions
diff --git a/cron-sh/security_check.sh b/cron-sh/security_check.sh index 844cd9d..6686dd3 100755 --- a/cron-sh/security_check.sh +++ b/cron-sh/security_check.sh @@ -4,7 +4,7 @@ # Written by Vandoorselaere Yoann, <yoann@mandrakesoft.com> # -if [ -f /etc/security/msec/security.conf ]; then +if [[ -f /etc/security/msec/security.conf ]]; then . /etc/security/msec/security.conf else echo "/etc/security/msec/security.conf don't exist." @@ -19,7 +19,7 @@ SECURITY="/tmp/secure.log" SECURITY_LOG="/var/log/security.log" TMP="/tmp/secure.tmp" -if [ ! -d /var/log/security ]; then +if [[ ! -d /var/log/security ]]; then mkdir /var/log/security fi @@ -49,7 +49,7 @@ Ttylog() { if [[ ${CHECK_WRITEABLE} == yes ]]; then find ${DIR} -xdev -type f -perm -2 -ls -print | awk '{print $11}' | sort > ${TMP} - if [ -s ${TMP} ]; then + if [[ -s ${TMP} ]]; then printf "\nSecurity Warning: World Writeable Files found :\n" >> ${SECURITY} cat ${TMP} >> ${SECURITY} fi @@ -58,7 +58,7 @@ fi ### Search Un Owned file if [[ ${CHECK_UNOWNED} == yes ]]; then find ${DIR} -xdev -nouser -print -ls | awk '{print $11}' | sort > ${TMP} - if [ -s ${TMP} ]; then + if [[ -s ${TMP} ]]; then printf "\nSecurity Warning : the following file aren't owned by any user :\n" >> ${SECURITY} printf "\ttheses files now have user \"nobody\" as their owner." >> ${SECURE_LOG} cat ${TMP} >> ${SECURITY} @@ -66,7 +66,7 @@ if [[ ${CHECK_UNOWNED} == yes ]]; then fi find $DIR -xdev -nogroup -print -ls | awk '{print $11}' | sort > ${TMP} - if [ -s ${TMP} ]; then + if [[ -s ${TMP} ]]; then printf "\nSecurity Warning : the following file aren't owned by any group :\n" >> ${SECURITY} printf "\ttheses files now have group \"nogroup\" as their group owner." >> ${SECURITY} cat ${TMP} >> ${SECURITY} 
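Review bot: The hunk at @@ -19 keeps `SECURITY="/tmp/secure.log"` and `TMP="/tmp/secure.tmp"` as fixed names in a shared, world-writable directory, and the rest of the diff truncates them with `>` and appends with `>>`; for a cron job that writes to /var/log and so presumably runs as root, a pre-existing file or symlink at either path lets another local account redirect those writes or read the report before it reaches `${SECURITY_LOG}`. Creating both with `mktemp` and removing them from an EXIT trap closes this, e.g. `TMP=$(mktemp /tmp/secure.tmp.XXXXXX) || exit 1` and `trap 'rm -f -- "$TMP" "$SECURITY"' EXIT`, which would also make the two `rm -f` blocks at the end of the file redundant. The `[` to `[[` conversion does not change this.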
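Review bot: In the hunk at @@ -58 the second message for unowned files is redirected to `${SECURE_LOG}`, a variable not defined anywhere visible in this diff (the header sets `SECURITY` and `SECURITY_LOG`), so bash reports an ambiguous redirect and that line is never written; the parallel message for unowned groups in the next hunk uses `>> ${SECURITY}`. Change it to `printf "\ttheses files now have user \"nobody\" as their owner." >> ${SECURITY}`. The message also states that ownership has been changed to nobody, but no `chown` is visible in the hunk; if that step lives outside the hunk the wording is fine, otherwise it overstates what the check does.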
@@ -81,7 +81,7 @@ awk -F: '/^[^+-]/ { print $1 " " $3 " " $6 }' /etc/passwd | while read username uid homedir; do for f in ${list} ; do file="${homedir}/${f}" - if [ -f ${file} ] ; then + if [[ -f ${file} ]] ; then printf "${uid} ${username} ${file} `ls -ldcgn ${file}`\n" fi done @@ -96,7 +96,7 @@ done | awk '$1 != $6 && $6 != "0" \ $4 ~ /^-.......w/ \ { print "\t\t- " $3 " : file is other writeable." }' > ${TMP} -if [ -s ${TMP} ]; then +if [[ -s ${TMP} ]]; then printf "\nSecurity Warning: these files shouldn't be owned by someone else or readable :\n" >> ${SECURITY} cat ${TMP} >> ${SECURITY} fi @@ -110,7 +110,7 @@ awk -F: '/^[^+-]/ { print $1 " " $3 " " $6 }' /etc/passwd | \ while read username uid homedir; do for f in ${list} ; do file=${homedir}/${f} - if [ -f ${file} ] ; then + if [[ -f ${file} ]] ; then printf "${uid} ${username} ${file} `ls -ldcgn ${file}`\n" fi done @@ -121,7 +121,7 @@ done | awk '$1 != $6 && $6 != "0" \ $4 ~ /^-.......w/ \ { print "\t\t- " $3 " : file is other writeable." }' > ${TMP} -if [ -s ${TMP} ]; then +if [[ -s ${TMP} ]]; then printf "\nSecurity Warning: theses files should not be owned by someone else or writeable :\n" >> ${SECURITY} cat ${TMP} >> ${SECURITY} fi @@ -129,7 +129,7 @@ fi ### Check home directories. Directories should not be owned by someone else or writeable. awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \ while read uid homedir; do - if [ -d ${homedir}/ ] ; then + if [[ -d ${homedir} ]] ; then file=`ls -ldg ${homedir}` printf "$uid $file\n" fi @@ -140,7 +140,7 @@ done | awk '$1 != $4 && $4 != "root" \ $2 ~ /^-.......w/ \ { print "user=" $1 " : home directory is other writeable." }' > ${TMP} -if [ -s $TMP ] ; then +if [[ -s $TMP ]] ; then printf "\nSecurity Warning: these home directory should not be owned by someone else or writeable :\n" >> ${SECURITY} cat ${TMP} >> ${SECURITY} fi 
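Review bot: `printf "${uid} ${username} ${file} `ls -ldcgn ${file}`\n"` in the hunk at @@ -81 expands data read from /etc/passwd and the filesystem into the printf format string, so a home directory or file name containing `%` or `\` is interpreted as a directive instead of being printed; the same pattern appears at @@ -110 and, as `printf "$uid $file\n"`, at @@ -129. Passing the values as arguments fixes all three: `printf '%s %s %s %s\n' "${uid}" "${username}" "${file}" "$(ls -ldcgn -- "${file}")"`. The `while read username uid homedir` loops feeding these lines also lack `-r`, so a backslash in a home directory path is consumed before the `-f` test runs. The enclosing pipeline starts and ends outside the hunk.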
@@ -155,7 +155,7 @@ if [[ ${CHECK_PASSWD} == yes ]]; then printf("\t\t- /etc/passwd:%d: User \"%s\" has a real password (it is not shadowed).\n", FNR, $1); }' < /etc/passwd > ${TMP} - if [ -s ${TMP} ]; then + if [[ -s ${TMP} ]]; then printf "\nSecurity Warning: /etc/passwd check :\n" >> ${SECURITY} cat ${TMP} >> ${SECURITY} fi @@ -168,14 +168,14 @@ if [[ ${CHECK_SHADOW} == yes ]]; then printf("\t\t- /etc/shadow:%d: User \"%s\" has no password !\n", FNR, $1); }' < /etc/shadow > ${TMP} - if [ -s ${TMP} ]; then + if [[ -s ${TMP} ]]; then printf "\nSecurity Warning: /etc/shadow check :\n" >> ${SECURITY} cat ${TMP} >> ${SECURITY} fi fi ### File systems should not be globally exported. -if [ -s /etc/exports ] ; then +if [[ -s /etc/exports ]] ; then awk '{ if (($1 ~ /^#/) || ($1 ~ /^$/)) next; readonly = 0; @@ -190,7 +190,7 @@ if [ -s /etc/exports ] ; then } else print "\t\t- Nfs File system " $1 " globally exported, read-write."; }' < /etc/exports > ${TMP} - if [ -s ${TMP} ] ; then + if [[ -s ${TMP} ]] ; then printf "\nSecurity Warning: Some NFS filesystem are exported globally :\n" >> ${SECURITY} cat ${TMP} >> ${SECURITY} fi @@ -198,7 +198,7 @@ fi ### nfs mounts with missing nosuid /bin/mount | /bin/grep -v nosuid | /bin/grep ' nfs ' > ${TMP} -if [ -s ${TMP} ] ; then +if [[ -s ${TMP} ]] ; then printf "\nSecurity Warning: The following NFS mounts haven't got the nosuid option set :\n" >> ${SECURITY} cat ${TMP} >> ${SECURITY} fi @@ -206,7 +206,7 @@ fi ### Files that should not have + signs. list="/etc/hosts.equiv /etc/shosts.equiv /etc/hosts.lpd" for file in $list ; do - if [ -s ${file} ] ; then + if [[ -s ${file} ]] ; then awk '{ if ($0 ~ /^\+@.*$/) next; @@ -219,7 +219,7 @@ done > ${TMP} awk -F: '{print $1" "$6}' /etc/passwd | while read username homedir; do for file in .rhosts .shosts; do - if [ -s ${homedir}/${file} ] ; then + if [[ -s ${homedir}/${file} ]] ; then awk '{ if ($0 ~ /^\+@.*$/) next; 
@@ -230,7 +230,7 @@ awk -F: '{print $1" "$6}' /etc/passwd | done >> ${TMP} done -if [ -s ${TMP} ]; then +if [[ -s ${TMP} ]]; then printf "\nSecurity Warning: '+' character found in hosts trusting files,\n" >> ${SECURITY} printf "\tthis probably mean that you trust certains users/domain\n" >> ${SECURITY} printf "\tto connect on this host without proper authentication :\n" >> ${SECURITY} @@ -240,13 +240,13 @@ fi ### executables should not be in the aliases file. list="/etc/aliases /etc/postfix/aliases" for file in ${list}; do - if [ -s ${file} ]; then + if [[ -s ${file} ]]; then grep -v '^#' /etc/aliases | grep '|' | while read line; do printf "\t\t- ${line}\n" done > ${TMP} fi - if [ -s ${TMP} ]; then + if [[ -s ${TMP} ]]; then printf "\nSecurity Warning: The following programs are executed in your mail\n" >> ${SECURITY} printf "\tvia ${file} files, this could lead to security problems :\n" >> ${SECURITY} cat ${TMP} >> ${SECURITY} @@ -257,14 +257,14 @@ done if [[ ${CHECK_OPEN_PORT} == yes ]]; then netstat -pvlA inet > ${TMP}; - if [ -s ${TMP} ]; then + if [[ -s ${TMP} ]]; then printf "\nThese are the ports listening on your machine :\n" >> ${SECURITY} cat ${TMP} >> ${SECURITY} fi fi ### Report -if [ -s ${SECURITY} ]; then +if [[ -s ${SECURITY} ]]; then Syslog ${SECURITY} Ttylog ${SECURITY} date=`date` @@ -272,11 +272,11 @@ if [ -s ${SECURITY} ]; then cat ${SECURITY} >> ${SECURITY_LOG} fi -if [ -f ${SECURITY} ]; then +if [[ -f ${SECURITY} ]]; then rm -f ${SECURITY} fi -if [ -f ${TMP} ]; then +if [[ -f ${TMP} ]]; then rm -f ${TMP} fi |
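Review bot: In the hunk at @@ -240 the loop iterates over `${list}` but the grep always reads `/etc/aliases`, so `/etc/postfix/aliases` is never inspected yet is named in the warning, and because `> ${TMP}` sits inside the `if`, a missing file leaves the previous iteration's findings in `${TMP}` to be reported a second time under the other name. Suggested lines: `grep -v '^#' -- "${file}" | grep '|' | while IFS= read -r line; do`, `printf '\t\t- %s\n' "${line}"`, and `: > "${TMP}"` placed before the `if [[ -s ${file} ]]`. The `%s` form also stops alias file content from being used as the printf format string.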