By request, following is the script that runs nightly on my system. It
checks files that are suid against a small flat file, checks for unknown UID
and GID, and checks the permissions on /etc/passwd and /etc/group. The
adduser command leaves copies of group and passwd in /etc so the script
checks those have been removed. Also, I don't run an .rhosts file so if the
script finds one, it prints it. If one exists and I didn't put it there...
The "lock" command at the end of the script calls another script that sets
the read-only attribute on a list of files/directories for further security.
Setting that attribute makes it so not even root can modify the file.
Although root can simply remove the attribute and edit the file, it may
make things more difficult for an intruder, especially if it's a script
kiddy.
- Craig
------------------------------------------------------------------------
#! /bin/bash
# chkfiles - checks system files
# Nightly check: setuid/setgid baseline, files with unknown UID/GID, stray
# .rhosts files, leftover adduser copies of passwd/group, and the
# permissions on those two files.
cd / || exit 1
setuid_log=/var/log/setuid.log
# Scratch copy of the current setuid/setgid list. A fixed name in /tmp can be
# pre-created or symlinked by any local user (and a stale copy would break the
# diff below), so use mktemp instead of /tmp/setuid.log.
tmp_log=$(mktemp /tmp/setuid.XXXXXX) || exit 1
files=$(find / -maxdepth 1 -mindepth 1 -print)
# First run: build the baseline of setuid and setgid files, skipping /proc
if [ ! -f "$setuid_log" ]; then
    for file in $files; do
        if [ "$file" != "/proc" ]; then
            find "$file" -type f \( -perm -04000 \) >>"$setuid_log"
            find "$file" -type f \( -perm -02000 \) >>"$setuid_log"
        fi
    done
    chmod 600 "$setuid_log"
    echo "WARNING! $setuid_log has been reset"
fi
for file in $files; do
    if [ "$file" != "/proc" ]; then
        # Current setuid/setgid list, built in the same order as the baseline
        find "$file" -type f \( -perm -04000 \) >>"$tmp_log"
        find "$file" -type f \( -perm -02000 \) >>"$tmp_log"
        # Files whose owner UID has no entry in /etc/passwd
        nouser=$(find "$file" -nouser -print)
        if [ -n "$nouser" ]; then
            echo
            echo "The following file(s):"
            echo "$nouser"
            echo "have undefined UID. The system may have been compromised."
            echo
        fi
        # Files whose group GID has no entry in /etc/group
        nogrp=$(find "$file" -nogroup -print)
        if [ -n "$nogrp" ]; then
            echo
            echo "The following file(s):"
            echo "$nogrp"
            echo "have undefined GID. The system may have been compromised."
            echo
        fi
    fi
done
# No .rhosts files are expected on this system; print any that turn up
find /home /root -name .rhosts -print
# Any difference from the baseline (setuid/setgid files added or removed)
if ! diff "$setuid_log" "$tmp_log"; then
    echo
    echo "WARNING! System has been compromised."
    echo "The above file(s) are setuid and shouldn't exist."
    echo
fi
rm -f "$tmp_log"
# adduser leaves a copy of group and passwd with a one-character suffix in
# /etc; report if either is still present
ls /etc/group? >/dev/null 2>&1 && echo "Extraneous group file exists"
ls /etc/passwd? >/dev/null 2>&1 && echo "Extraneous passwd file exists"
# Both files are expected to be mode 640, owner root, group users
ls -l /etc/group | grep -q "^-rw-r----- 1 root users" || echo \
    "Permissions or groups are wrong on /etc/group."
ls -l /etc/passwd | grep -q "^-rw-r----- 1 root users" || echo \
    "Permissions or groups are wrong on /etc/passwd."
# "lock" is a separate local script that sets the read-only (immutable)
# attribute on a list of files and directories
lock
sync
_______________________________________________
RLUG mailing list
[EMAIL PROTECTED]
http://www.rlug.org/mailman/listinfo/rlug
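The baseline diff in the script above compares only paths, so a setuid binary that was replaced in place (same path, same mode) would pass unnoticed. The following is an added example, not Craig's script, that records mode, owner, group and a SHA-256 hash for each setuid/setgid file and reports additions, removals and in-place changes. It assumes GNU find, stat and sha256sum, and paths containing no tab or newline characters; the demo function works on constructed files in a temporary directory rather than on real system binaries.

```shell
#!/bin/sh
# Added example (not part of Craig's chkfiles script): a setuid/setgid
# baseline that stores a content hash alongside mode and ownership, so a
# binary replaced in place is reported as CHANGED instead of passing as an
# unchanged path. Assumes GNU find, stat and sha256sum; paths must not
# contain tab or newline characters.

tab=$(printf '\t')

# build_baseline ROOT OUTFILE
# One line per setuid/setgid regular file under ROOT (same filesystem):
#   <sha256> TAB <octal mode> <owner> <group> TAB <path>
build_baseline() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print |
    while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s\t%s\t%s\n' "$sum" "$(stat -c '%a %U %G' "$f")" "$f"
    done | sort -t "$tab" -k3 >"$2"
}

# compare_baseline OLD NEW
# Prints ADDED / REMOVED / CHANGED lines. CHANGED covers a differing hash,
# mode, owner or group for a path present in both baselines.
compare_baseline() {
    awk -F '\t' '
        FILENAME == ARGV[1] { old[$3] = $1 FS $2; next }
        {
            seen[$3] = 1
            if (!($3 in old))              print "ADDED   " $3
            else if (old[$3] != $1 FS $2)  print "CHANGED " $3
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$1" "$2"
}

# demo: constructed sample data in a temporary directory, no real system files
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/bin"
    printf 'v1\n' >"$d/bin/a"; printf 'v1\n' >"$d/bin/b"; printf 'v1\n' >"$d/bin/c"
    chmod 4755 "$d/bin/a" "$d/bin/b"      # a and b start out setuid
    build_baseline "$d/bin" "$d/base.old"
    # Replace a's content with the same mode. The kernel clears the setuid
    # bit when an unprivileged writer modifies a file, so re-set it to
    # simulate an in-place replacement whose path and mode did not change.
    printf 'v2\n' >"$d/bin/a"; chmod 4755 "$d/bin/a"
    chmod 0755 "$d/bin/b"                  # b is no longer setuid
    chmod 2755 "$d/bin/c"                  # c becomes setgid
    build_baseline "$d/bin" "$d/base.new"
    compare_baseline "$d/base.old" "$d/base.new"
    rm -rf "$d"
}

demo
```

Running it prints three lines: ADDED for c, CHANGED for a and REMOVED for b. On a real host the baseline file should live somewhere only root can write, as /var/log/setuid.log does in the script above, and the comparison still reads the current state from a mktemp scratch file.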