From 81fd9c016d08d9f26cb784dff1049a967b209a01 Mon Sep 17 00:00:00 2001 From: Yoann Vandoorselaere Date: Mon, 6 Dec 1999 09:01:39 +0000 Subject: Added permission for /var/log/ and it's subdirectory --- cron-sh/file_check.sh | 124 ++++++++++++++++++++++++++++++++++++++++++++++++++ init-sh/perm.1 | 50 +++++++++----------- init-sh/perm.2 | 55 +++++++++------------- init-sh/perm.3 | 60 +++++++++++++----------- init-sh/perm.4 | 20 ++------ init-sh/perm.5 | 14 ++---- 6 files changed, 211 insertions(+), 112 deletions(-) diff --git a/cron-sh/file_check.sh b/cron-sh/file_check.sh index 7886387..f91dce3 100755 --- a/cron-sh/file_check.sh +++ b/cron-sh/file_check.sh @@ -15,6 +15,8 @@ if [ SECURITY_CHECK == "no" ]; then exit 0 fi +OUT=./blah + # Modified filters coming from debian security scripts. CS_NFSAFS='(nfs|afs|xfs|coda)' CS_TYPES=' type (devpts|auto|proc|msdos|fat|vfat|iso9660|ncpfs|smbfs|'$CS_NFSAFS')' @@ -266,6 +268,128 @@ if [ ${CHECK_OPEN_PORT}=="yes" ]; then fi fi +### /etc/exports check ### + +# File systems should not be globally exported. +if [ -s /etc/exports ] ; then + awk '{ + if (($1 ~ /^#/) || ($1 ~ /^$/)) next; + readonly = 0; + for (i = 2; i <= NF; ++i) { + if ($i ~ /^-ro$/) + readonly = 1; + else if ($i !~ /^-/) + next; + } + if (readonly) { + print "Warning : Nfs File system " $1 " globally exported, read-only."; + } else print "Warning : Nfs File system " $1 " globally exported, read-write."; + }' < /etc/exports > $OUT + if [ -s "$OUT" ] ; then + printf "\nChecking for globally exported file systems.\n" + cat "$OUT" + fi +fi + + +# nfs mounts with missing nosuid +/bin/mount | /bin/grep -v nosuid | /bin/grep ' nfs ' > $OUT +if [ -s "$OUT" ] ; then + printf "\nThe following NFS mounts haven't got the nosuid option set:\n" + cat "$OUT" +fi + +# Files that should not be owned by someone else or readable. +list=".netrc .rhosts .shosts .Xauthority .pgp/secring.pgp .ssh/identity .ssh/random_seed" +awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \ +while read uid homedir; do + for f in $list ; do + file=${homedir}/${f} + if [ -f $file ] ; then + printf "$uid $f `ls -ldcg $file`\n" + fi + done +done | +awk '$1 != $5 && $5 != "root" \ + { print "user " $1 " " $2 " : file is owned by " $5 } + $3 ~ /^-...r/ \ + { print "user " $1 " " $2 " : file is group readable" } + $3 ~ /^-......r/ \ + { print "user " $1 " " $2 " : file is other readable" } + $3 ~ /^-....w/ \ + { print "user " $1 " " $2 " : file is group writeable" } + $3 ~ /^-.......w/ \ + { print "user " $1 " " $2 " : file is other writeable" }' > $OUT + + +# Files that should not be owned by someone else or writeable. +list=".bashrc .bash_profile .bash_login .bash_logout .cshrc .emacs .exrc \ +.forward .klogin .login .logout .profile .tcshrc .fvwmrc .inputrc .kshrc \ +.nexrc .screenrc .ssh .ssh/config .ssh/authorized_keys .ssh/environment \ +.ssh/known_hosts .ssh/rc .twmrc .xsession .xinitrc .Xdefaults" +awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \ +while read uid homedir; do + for f in $list ; do + file=${homedir}/${f} + if [ -f $file ] ; then + printf "$uid $f `ls -ldcg $file`\n" + fi + done +done | +awk '$1 != $5 && $5 != "root" \ + { print "user " $1 " " $2 " : file is owned by " $5 } + $3 ~ /^-....w/ \ + { print "user " $1 " " $2 " : file is group writeable" } + $3 ~ /^-.......w/ \ + { print "user " $1 " " $2 " : file is other writeable" }' >> $OUT +if [ -s "$OUT" ] ; then + printf "\nChecking dot files.\n" + cat "$OUT" +fi + +# Check home directories. Directories should not be owned by someone else +# or writeable. +awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \ +while read uid homedir; do + if [ -d ${homedir}/ ] ; then + file=`ls -ldg ${homedir}` + printf "$uid $file\n" + fi +done | +awk '$1 != $4 && $4 != "root" \ + { print "user " $1 " : home directory is owned by " $4 } + $2 ~ /^-....w/ \ + { print "user " $1 " : home directory is group writeable" } + $2 ~ /^-.......w/ \ + { print "user " $1 " : home directory is other writeable" }' > $OUT +if [ -s "$OUT" ] ; then + printf "\nChecking home directories.\n" + cat "$OUT" +fi + +# Files that should not have + signs. +list="/etc/hosts.equiv /etc/shosts.equiv /etc/hosts.lpd" +for f in $list ; do + if [ -s $f ] ; then + awk '{ + if ($0 ~ /^\+@.*$/) + next; + if ($0 ~ /^\+.*$/) + printf("\nPlus sign in the file %s\n", FILENAME); + }' $f + fi +done + + +# executables should not be in the /etc/aliases file. +if [ -s /etc/aliases ]; then + grep -v '^#' /etc/aliases | grep '|' > $OUT + if [ -s "$OUT" ] ; then + printf "\nThe following programs are executed in your mail via /etc/aliases (bad!):\n" + cat "$OUT" + fi +fi + diff --git a/init-sh/perm.1 b/init-sh/perm.1 index c63483a..0cae0d7 100644 --- a/init-sh/perm.1 +++ b/init-sh/perm.1 @@ -1,43 +1,18 @@ -# -# -# - Group for X user -# - Group for audio user -# - Group for dialout user -# - Group for video user -# Directories / # Welcome in Level 1 ### - /bin root.root 755 /boot root.root 755 /dev root.root 755 /dev/audio* root.audio 660 /dev/dsp* root.audio 660 /etc/ root.root 755 +/etc/conf.modules root.root 644 /etc/cron.daily/ root.root 755 /etc/cron.hourly/ root.root 755 /etc/cron.monthly/ root.root 755 /etc/cron.weekly/ root.root 755 -/etc/dhcpcd/ root.root 755 -/etc/init.d/ root.root 755 -/etc/profile root.root 644 -/home/ root.root 755 -/home/* current 755 -/lib root.root 755 -/mnt root.root 755 -/root root.root 755 -/sbin root.root 755 -/tmp root.root 1777 -/usr root.root 755 -/usr/* root.root 755 -/usr/X11R6/ root.root 755 -/usr/bin/ root.root 755 -/usr/bin/* root.root 755 -/usr/sbin/ root.root 755 -/var root.root 755 - -/etc/conf.modules root.root 644 /etc/crontab root.root 644 +/etc/dhcpcd/ root.root 755 /etc/esd.conf root.root 644 /etc/ftpaccess root.root 644 /etc/ftpconversions root.root 644 @@ -49,12 +24,14 @@ /etc/hosts.deny root.root 644 /etc/hosts.equiv root.root 644 /etc/inetd.conf root.root 644 +/etc/init.d/ root.root 755 /etc/inittab root.root 644 /etc/ld.so.conf root.root 644 /etc/lilo.conf root.root 644 /etc/modules.conf root.root 644 /etc/motd root.root 644 /etc/printcap root.root 644 +/etc/profile root.root 644 /etc/rc.d/ root.root 755 /etc/securetty root.root 644 /etc/sendmail.cf root.root 644 @@ -64,7 +41,24 @@ /etc/sshd_config root.root 644 /etc/syslog.conf root.root 644 /etc/updatedb.conf root.root 644 - +/home/ root.root 755 +/home/* current 755 +/lib root.root 755 +/mnt root.root 755 +/root root.root 755 +/sbin root.root 755 +/tmp root.root 1777 +/usr root.root 755 +/usr/* root.root 755 +/usr/X11R6/ root.root 755 +/usr/bin/ root.root 755 +/usr/bin/* root.root 755 +/usr/sbin/ root.root 755 +/var root.root 755 +/var/log root.root 755 +/var/log/* root.adm 644 +/var/log/security/ root.root 700 +/var/log/security/* root.root 600 diff --git a/init-sh/perm.2 b/init-sh/perm.2 index dcaf293..4c06b7b 100644 --- a/init-sh/perm.2 +++ b/init-sh/perm.2 @@ -1,43 +1,18 @@ -# -# -# - Group for X user -# - Group for audio user -# - Group for dialout user -# - Group for video user -# Directories / # Welcome in Level 2 ### - /bin root.root 755 /boot root.root 755 /dev root.root 755 /dev/audio* root.audio 660 /dev/dsp* root.audio 660 /etc/ root.root 755 +/etc/conf.modules root.root 644 /etc/cron.daily/ root.root 755 /etc/cron.hourly/ root.root 755 /etc/cron.monthly/ root.root 755 /etc/cron.weekly/ root.root 755 -/etc/dhcpcd/ root.root 755 -/etc/init.d/ root.root 755 -/etc/profile root.root 644 -/home/ root.root 755 -/home/* current 755 -/lib root.root 755 -/mnt root.root 755 -/root root.root 700 -/sbin root.root 755 -/tmp root.root 1777 -/usr root.root 755 -/usr/* root.root 755 -/usr/X11R6/ root.root 755 -/usr/bin/ root.root 755 -/usr/bin/* root.root 755 -/usr/sbin/ root.root 755 -/var root.root 755 - -/etc/conf.modules root.root 644 /etc/crontab root.root 644 +/etc/dhcpcd/ root.root 755 /etc/esd.conf root.root 644 /etc/ftpaccess root.root 644 /etc/ftpconversions root.root 644 @@ -49,12 +24,14 @@ /etc/hosts.deny root.root 644 /etc/hosts.equiv root.root 644 /etc/inetd.conf root.root 644 +/etc/init.d/ root.root 755 /etc/inittab root.root 644 /etc/ld.so.conf root.root 644 /etc/lilo.conf root.root 644 /etc/modules.conf root.root 644 /etc/motd root.root 644 /etc/printcap root.root 644 +/etc/profile root.root 644 /etc/rc.d/ root.root 755 /etc/securetty root.root 644 /etc/sendmail.cf root.root 644 @@ -64,9 +41,21 @@ /etc/sshd_config root.root 644 /etc/syslog.conf root.root 644 /etc/updatedb.conf root.root 644 - - - - - - +/home/ root.root 755 +/home/* current 755 +/lib root.root 755 +/mnt root.root 755 +/root root.root 700 +/sbin root.root 755 +/tmp root.root 1777 +/usr root.root 755 +/usr/* root.root 755 +/usr/X11R6/ root.root 755 +/usr/bin/ root.root 755 +/usr/bin/* root.root 755 +/usr/sbin/ root.root 755 +/var root.root 755 +/var/log root.root 755 +/var/log/* root.adm 640 +/var/log/security root.root 700 +/var/log/security/* root.root 600 diff --git a/init-sh/perm.3 b/init-sh/perm.3 index 94d12e7..aab758e 100644 --- a/init-sh/perm.3 +++ b/init-sh/perm.3 @@ -1,43 +1,18 @@ -# -# -# - Group for X user -# - Group for audio user -# - Group for dialout user -# - Group for video user -# Directories / # Welcome in Level 3 ### - /bin root.root 755 /boot root.root 755 /dev root.root 755 /dev/audio* root.audio 660 /dev/dsp* root.audio 660 /etc/ root.root 755 +/etc/conf.modules root.root 644 /etc/cron.daily/ root.root 755 /etc/cron.hourly/ root.root 755 /etc/cron.monthly/ root.root 755 /etc/cron.weekly/ root.root 755 -/etc/dhcpcd/ root.root 755 -/etc/init.d/ root.root 755 -/etc/profile root.root 644 -/home/ root.root 755 -/home/* current 700 -/lib root.root 755 -/mnt root.root 755 -/root root.root 700 -/sbin root.root 755 -/tmp root.root 1777 -/usr root.root 755 -/usr/* root.root 755 -/usr/X11R6/ root.root 755 -/usr/bin/ root.root 755 -/usr/bin/* root.root 755 -/usr/sbin/ root.root 755 -/var root.root 755 - -/etc/conf.modules root.root 644 /etc/crontab root.root 644 +/etc/dhcpcd/ root.root 755 /etc/esd.conf root.root 644 /etc/ftpaccess root.root 644 /etc/ftpconversions root.root 644 @@ -49,12 +24,14 @@ /etc/hosts.deny root.root 644 /etc/hosts.equiv root.root 644 /etc/inetd.conf root.root 644 +/etc/init.d/ root.root 755 /etc/inittab root.root 644 /etc/ld.so.conf root.root 644 /etc/lilo.conf root.root 644 /etc/modules.conf root.root 644 /etc/motd root.root 644 /etc/printcap root.root 644 +/etc/profile root.root 644 /etc/rc.d/ root.root 755 /etc/securetty root.root 644 /etc/sendmail.cf root.root 644 @@ -64,5 +41,34 @@ /etc/sshd_config root.root 644 /etc/syslog.conf root.root 644 /etc/updatedb.conf root.root 644 +/home/ root.root 755 +/home/* current 700 +/lib root.root 755 +/mnt root.root 755 +/root root.root 700 +/sbin root.root 755 +/tmp root.root 1777 +/usr root.root 755 +/usr/* root.root 755 +/usr/X11R6/ root.root 755 +/usr/bin/ root.root 755 +/usr/bin/* root.root 755 +/usr/sbin/ root.root 755 +/var root.root 755 +/var/log root.root 755 +/var/log/* root.root 600 +/var/log/security root.root 700 +/var/log/security/* root.root 600 + + + + + + + + + + + diff --git a/init-sh/perm.4 b/init-sh/perm.4 index 8e422df..cf6b02f 100644 --- a/init-sh/perm.4 +++ b/init-sh/perm.4 @@ -1,11 +1,5 @@ -# -# -# - Group for X user -# - Group for audio user -# - Group for dialout user -# - Group for video user # Welcome in Level 4, aka secure & usable. - +### /bin root.root 711 /boot root.root 700 /dev root.root 711 @@ -47,7 +41,6 @@ /etc/sshd_config root.adm 640 /etc/syslog.conf root.adm 640 /etc/updatedb.conf root.adm 640 - /home/ root.adm 751 /home/* current 700 /lib root.adm 751 @@ -63,10 +56,7 @@ /usr/sbin/ root.adm 751 /usr/sbin/* root.root 755 /var root.root 755 - - - - - - - +/var/log root.root 700 +/var/log/* root.root 600 +/var/log/security root.root 700 +/var/log/security/* root.root 600 diff --git a/init-sh/perm.5 b/init-sh/perm.5 index 1965860..fffdfde 100644 --- a/init-sh/perm.5 +++ b/init-sh/perm.5 @@ -1,11 +1,5 @@ -# -# -# - Group for X user -# - Group for audio user -# - Group for dialout user -# - Group for video user # Welcome in Level 5, aka paranoid. - +### /bin root.root 711 /boot root.root 700 /dev root.root 711 @@ -47,7 +41,6 @@ /etc/sshd_config root.root 600 /etc/syslog.conf root.root 600 /etc/updatedb.conf root.root 600 - /home/ root.root 711 /home/* current 700 /lib root.root 711 @@ -64,4 +57,7 @@ /usr/sbin/* root.root 700 /usr/sbin/sendmail root.root 755 /var root.root 755 - +/var/log root.root 700 +/var/log/* root.root 600 +/var/log/security root.root 700 +/var/log/security/* root.root 600 -- cgit v1.2.1