I have ported the /etc/security script to Linux, and wanted to mention
some of the changes that I made. Maybe they will help you in developing
/etc/security.
--
Peter Halliday
Online Application Developer
Whetstone Logic, Inc. http://www.whetstonelogic.com
icq#75769411 AIM screen name: hoaggelos
@@ -1,14 +1,19 @@
#
# @(#)security 5.3 (Berkeley) 5/28/91
# $FreeBSD: src/etc/security,v 1.36.2.6 2000/09/20 20:16:19 brian Exp $
#
-PATH=/sbin:/bin:/usr/bin
+# THIS PRODUCT COMES WITH NO EXPLICIT OR IMPLICIT WARRANTEES OR
+# GUARANTEES. THE AUTHOR IS NOT RESPONSIBLE FOR ANY DAMAGE THAT MAY
+# OCCUR
+VERSION=0.1.0
+PATH=/bin;/usr/bin;/sbin;/usr/sbin
LC_ALL=C; export LC_ALL
rc=0
LOG=/var/log
-TMP=/var/run/_secure.$$
+IFS='
+'
+TMP=`/bin/mktemp /var/run/_secure.XXXXXX`
separator () {
echo ''
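Review bot: The `+PATH=/bin;/usr/bin;/sbin;/usr/sbin` line uses `;` instead of `:` as the separator, so the shell assigns PATH=/bin and then tries to execute `/usr/bin`, `/sbin` and `/usr/sbin` as commands; everything later resolved through PATH (`find`, `cmp`, `diff`, `sort`, `hostname`, which commonly live under /usr/bin on Linux) would then fail to be found, and the script carries on silently because nothing sets `-e`. It should read `PATH=/bin:/usr/bin:/sbin:/usr/sbin`. Replacing the predictable `_secure.$$` name with `mktemp` is the right move, but the result is used unchecked: if `mktemp` fails `TMP` is empty and every later `> ${TMP}` redirection errors, so guard it with `TMP=$(/bin/mktemp /var/run/_secure.XXXXXX) || exit 3` and add `trap 'rm -f "${TMP}"' EXIT` so the cleanup at the end of the script also holds on early exits.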
@@ -16,8 +21,7 @@
}
catmsgs() {
- [ -f $LOG/messages.0.gz ] && zcat $LOG/messages.0.gz
- [ -f $LOG/messages.0 ] && cat $LOG/messages.0
+ [ -f $LOG/messages.1 ] && cat $LOG/messages.1
[ -f $LOG/messages ] && cat $LOG/messages
}
@@ -31,130 +35,165 @@
esac
done
-yesterday=`date -v-1d "+%b %e "`
+#yesterday=`date -v-1d "+%b %e "`
host=`hostname`
-[ $sflag = FALSE ] && echo "Subject: ${host} security check output"
-umask 027
+separator
+echo "security-script $VERSION"
+echo
+echo "THIS PRODUCT COMES WITH NO EXPLICIT OR IMPLICIT WARRANTEES OR GUARANTEES. THE
+AUTHOR IS NOT RESPONSIBLE FOR ANY DAMAGE THAT MAY OCCUR."
+
+
+#check roots umask
+if [ "`umask`" != "177" ] ; then
+ separator
+ echo "Root's umask is insecure. Please change it to 177"
+fi
+umask 177
+
-echo "checking setuid files and devices:"
# Don't have ncheck, but this does the equivalent of the commented out block.
# Note that one of the original problems, the possibility of overrunning
# the args to ls, is still here...
#
-MP=`mount -t ufs | grep -v " nosuid" | awk '{ print $3 }' | sort`
+MP=`mount -t ext2,reiserfs,ufs 2>/dev/null | grep -v " nosuid" | awk '{ print $3 }' |
+sort`
set ${MP}
while [ $# -ge 1 ]; do
mount=$1
shift
find $mount -xdev -type f \
\( -perm -u+x -or -perm -g+x -or -perm -o+x \) \
- \( -perm -u+s -or -perm -g+s \) -print0
-done | xargs -0 -n 20 ls -liTd | sort +10 > ${TMP}
+ \( -perm -u+s -or -perm -g+s \) -print0 2>/dev/null
+done | xargs -0 -n 20 /bin/ls -lid | sort +10 > ${TMP}
if [ ! -f ${LOG}/setuid.today ]; then
[ $rc -lt 1 ] && rc=1
- separator
+ separator
+ echo "checking setuid files and devices:"
echo "no ${LOG}/setuid.today"
- cp ${TMP} ${LOG}/setuid.today || rc=3
+ cp -f ${TMP} ${LOG}/setuid.today || rc=3
fi
if ! cmp ${LOG}/setuid.today ${TMP} >/dev/null; then
[ $rc -lt 1 ] && rc=1
- separator
+ separator
+ echo "checking setuid files and devices:"
echo "${host} setuid diffs:"
diff -w ${LOG}/setuid.today ${TMP}
- mv ${LOG}/setuid.today ${LOG}/setuid.yesterday || rc=3
- mv ${TMP} ${LOG}/setuid.today || rc=3
+ mv -f ${LOG}/setuid.today ${LOG}/setuid.yesterday || rc=3
+ mv -f ${TMP} ${LOG}/setuid.today || rc=3
+fi
+
+
+
+
+# Don't have ncheck, but this does the equivalent of the commented out block.
+# Note that one of the original problems, the possibility of overrunning
+# the args to ls, is still here...
+#
+RK=`mount -t ext2,reiserfs,ufs 2>/dev/null | grep -v " nosuid" | awk '{ print $3 }' |
+sort`
+set ${RK}
+while [ $# -ge 1 ]; do
+ mount=$1
+ shift
+ find $mount -name ".*" 2>/dev/null
+done | sort +10 > ${TMP}
+
+
+if [ ! -f ${LOG}/rootkit.today ]; then
+ [ $rc -lt 1 ] && rc=1
+ separator
+ echo "checking for possible rootkits:"
+ echo "no ${LOG}/rootkit.today"
+ cp -f ${TMP} ${LOG}/rootkit.today || rc=3
+fi
+
+if ! cmp ${LOG}/rootkit.today ${TMP} >/dev/null; then
+ [ $rc -lt 1 ] && rc=1
+ separator
+ echo "checking for possible rootkits:"
+ echo "${host} rootkit diffs:"
+ diff -w ${LOG}/rootkit.today ${TMP}
+ mv -f ${LOG}/rootkit.today ${LOG}/rootkit.yesterday || rc=3
+ mv -f ${TMP} ${LOG}/rootkit.today || rc=3
fi
+
+
# Show changes in the way filesystems are mounted
#
[ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat
-if mount -p | $cmd > $TMP; then
+if mount | $cmd > $TMP; then
if [ ! -f $LOG/mount.today ]; then
[ $rc -lt 1 ] && rc=1
- separator
+ separator
+ echo "Checking diffs in mounting of filesystems:"
echo "no $LOG/mount.today"
- cp $TMP $LOG/mount.today || rc=3
+ cp -f $TMP $LOG/mount.today || rc=3
fi
if ! cmp $LOG/mount.today $TMP >/dev/null 2>&1; then
[ $rc -lt 1 ] && rc=1
- separator
+ separator
+ echo "Checking diffs in mounting of filesystems:"
echo "$host changes in mounted filesystems:"
diff -b $LOG/mount.today $TMP
- mv $LOG/mount.today $LOG/mount.yesterday || rc=3
- mv $TMP $LOG/mount.today || rc=3
+ mv -f $LOG/mount.today $LOG/mount.yesterday || rc=3
+ mv -f $TMP $LOG/mount.today || rc=3
fi
fi
separator
echo "checking for uids of 0:"
-n=$(awk -F: '$3==0 {print $1,$3}' /etc/master.passwd |
- tee /dev/stderr |
- sed -e '/^root 0$/d' -e '/^toor 0$/d' |
- wc -l)
-[ $n -gt 0 -a $rc -lt 1 ] && rc=1
-
+awk -F: '$3==0 {print $1,$3}' /etc/passwd
+
separator
echo "checking for passwordless accounts:"
-n=$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/master.passwd |
- tee /dev/stderr | wc -l)
-[ $n -gt 0 -a $rc -lt 1 ] && rc=1
-
+awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/passwd
+
# Show denied packets
#
-if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
- if [ ! -f ${LOG}/ipfw.today ]; then
+if /sbin/ipchains -L -v --line-numbers 2>/dev/null | egrep "DENY|REJECT" > ${TMP};
+then
+ if [ ! -f ${LOG}/ipchains.today ]; then
[ $rc -lt 1 ] && rc=1
- separator
- echo "no ${LOG}/ipfw.today"
- cp ${TMP} ${LOG}/ipfw.today || rc=3
+ separator
+ echo "Checking fire wall rule count:"
+ echo "no ${LOG}/ipchains.today"
+ cp -f ${TMP} ${LOG}/ipchains.today || rc=3
fi
- if ! cmp ${LOG}/ipfw.today ${TMP} >/dev/null; then
+ if ! cmp ${LOG}/ipchains.today ${TMP} >/dev/null; then
[ $rc -lt 1 ] && rc=1
- separator
- echo "${host} denied packets:"
- diff -b ${LOG}/ipfw.today ${TMP} | egrep "^>"
- mv ${LOG}/ipfw.today ${LOG}/ipfw.yesterday || rc=3
- mv ${TMP} ${LOG}/ipfw.today || rc=3
+ separator
+ echo "Checking fire wall rule count:"
+ echo "${host} denied or rejected packets:"
+ diff -b ${LOG}/ipchains.today ${TMP} | egrep "^>"
+ mv -f ${LOG}/ipchains.today ${LOG}/ipchains.yesterday || rc=3
+ mv -f ${TMP} ${LOG}/ipchains.today || rc=3
fi
fi
-# Show ipfw rules which have reached the log limit
-#
-IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
-if [ $? -eq 0 -a "${IPFW_LOG_LIMIT}" -ne 0 ]; then
- ipfw -a l | grep " log " | perl -n -e \
- '/^\d+\s+(\d+)/; print if ($1 >= '$IPFW_LOG_LIMIT')' > ${TMP}
- if [ -s "${TMP}" ]; then
- [ $rc -lt 1 ] && rc=1
- separator
- echo "ipfw log limit reached:"
- cat ${TMP}
- fi
-fi
# Show kernel log messages
#
-if dmesg 2>/dev/null > ${TMP}; then
+if /bin/dmesg 2>/dev/null > ${TMP}; then
if [ ! -f ${LOG}/dmesg.today ]; then
[ $rc -lt 1 ] && rc=1
- separator
+ separator
+ echo "Checking kernal message:"
echo "no ${LOG}/dmesg.today"
- cp ${TMP} ${LOG}/dmesg.today || rc=3
+ cp -f ${TMP} ${LOG}/dmesg.today || rc=3
fi
if ! cmp ${LOG}/dmesg.today ${TMP} >/dev/null 2>&1; then
[ $rc -lt 1 ] && rc=1
- separator
+ separator
+ echo "Checking kernal message:"
echo "${host} kernel log messages:"
diff -b ${LOG}/dmesg.today ${TMP} | egrep "^>"
- mv ${LOG}/dmesg.today ${LOG}/dmesg.yesterday || rc=3
- mv ${TMP} ${LOG}/dmesg.today || rc=3
+ mv -f ${LOG}/dmesg.today ${LOG}/dmesg.yesterday || rc=3
+ mv -f ${TMP} ${LOG}/dmesg.today || rc=3
fi
fi
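Review bot: The passwordless-account check on the `+awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/passwd` line will find nothing on a shadowed Linux system, where the second field of /etc/passwd is normally a placeholder (`x`) and the hash lives in /etc/shadow; when that file exists the test should run against it instead, e.g. `[ -f /etc/shadow ] && awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $1}' /etc/shadow`. The port also drops the `n=$(... | tee /dev/stderr | wc -l)` / `rc=1` bookkeeping for both this check and the uid-0 check, so extra uid-0 or passwordless accounts no longer raise the exit status, and the uid-0 listing no longer strips `root` itself, so `root 0` is reported on every run. Separately, the umask guard compares the output of `umask` with the string `177`; bash and most sh implementations print four octal digits (`0177`), so that warning is likely to fire every time, and a 177 umask also strips the search bit from newly created directories, which is probably not the setting you want to recommend for root.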
@@ -162,17 +201,85 @@
#
separator
echo "${host} login failures:"
-n=$(catmsgs | grep -i "^$yesterday.*login failure" | tee /dev/stderr | wc -l)
-[ $n -gt 0 -a $rc -lt 1 ] && rc=1
-
+catmsgs | grep -i "failed login" | /usr/bin/tee /dev/stderr
+
# Show tcp_wrapper warning messages
#
separator
echo "${host} refused connections:"
-n=$(catmsgs | grep -i "^$yesterday.*refused connect" | tee /dev/stderr | wc -l)
-[ $n -gt 0 -a $rc -lt 1 ] && rc=1
+catmsgs | grep -i "refused connect" | /usr/bin/tee /dev/stderr
-rm -f ${TMP}
+# Show authentication failures
+#
+separator
+echo "${host} authentication failures:"
+catmsgs | grep -i "authentication failure" | /usr/bin/tee /dev/stderr
-exit $rc
+# check for any interfaces in promiscuous mode
+separator
+echo "${host} interfaces in promiscuous mode:"
+catmsgs | grep -i "entered promiscuous mode" | /usr/bin/tee /dev/stderr
+
+# check for sticky-bit on /tmp and exit if not found
+if [ `/bin/ls -ld /tmp | cut -c10` != "t" ] ; then
+ echo "/tmp does not have sticky-bit turned on. Please 'chmod +t /tmp'"
+ exit 1
+fi
+
+
+
+# check for incorrect perm on /etc/cron.d if it exists
+if [ -d /etc/cron.d ] ; then
+ if [ "`/bin/ls -ld /etc/cron.d | cut -c1-10`" != "drwxr-x---" ] ; then
+ separator
+ echo "Permissions too lax on /etc/cron.d. Please 'chmod -R 750
+/etc/cron.d"
+ fi
+fi
+
+# check for incorrect perms on /etc/crontab if it exists
+if [ -f /etc/crontab ] ; then
+ if [ "`/bin/ls -l /etc/crontab | cut -c1-10`" != "-rw-r-----" ] ; then
+ separator
+ echo "Permissions too lax on /etc/crontab. Please 'chmod 640
+/etc/crontab'"
+ fi
+fi
+# check for incorrect perms on /etc/syslog.conf if it exists
+if [ -f /etc/syslog.conf ] ; then
+ if [ "`/bin/ls -l /etc/syslog.conf | cut -c1-10`" != "-rw-------" ] ; then
+ separator
+ echo "Permission too lax on /etc/syslog.conf. Please 'chmod 600
+/etc/syslog.conf'"
+ fi
+fi
+
+# check for incorrect perms on /var/log and it's subdirs
+separator
+echo "Please 'chmod 700' the following directories"
+find /var/log -type d ! -perm 0700
+
+# check for incorrect perms on logfiles
+separator
+echo "Please 'chmod 600' the following files"
+find /var/log -type d ! -perm 0600
+
+# check for incorrect perms on /etc/lilo.conf
+if [ -f /etc/lilo.conf ] ; then
+ if [ "`/bin/ls -l /etc/lilo.conf`" != "-rw-------" ] ; then
+ separator
+ echo "Please 'chmod 600 /etc/lilo.conf'"
+ fi
+fi
+
+# check for .rhosts files
+separator
+echo "Checking for .rhosts files"
+find / -name '.rhosts' -print
+
+# check for readable .netrc files
+separator
+echo "Checking for readable .netrc files (chmod 600 to correct)"
+find / -name '.netrc' ! -perm 0600 -print
+
+
+rm -f ${TMP}
+exit $rc
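Review bot: The logfile check on the `+find /var/log -type d ! -perm 0600` line is a copy of the directory check above it and still says `-type d`, so it lists every directory under /var/log (which the previous line just asked to be 700) and never looks at a log file; it should be `find /var/log -type f ! -perm 0600`. The lilo.conf check compares the whole `ls -l` line with `-rw-------` without the `cut -c1-10` the neighbouring checks use, so it always prints the chmod advice; use `[ "`/bin/ls -l /etc/lilo.conf | cut -c1-10`" != "-rw-------" ]`. The sticky-bit check does `exit 1` before the remaining checks run and before the final `rm -f ${TMP}`, so a missing sticky bit both hides the cron, syslog, .rhosts and .netrc findings and can leave the mktemp file behind; setting `rc=1` and falling through would be safer, and `cut -c10 != "t"` also misreports a sticky directory whose bit shows as `T`.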