#!/bin/sh - # # @(#)security 5.3 (Berkeley) 5/28/91 # $FreeBSD$ # PATH=/sbin:/bin:/usr/bin LC_ALL=C; export LC_ALL separator () { echo '' echo '' } sflag=FALSE ignore= while getopts ams c do case "$c" in a) ignore="$ignore|^amd:";; m) ignore="$ignore|^mfs:";; s) sflag=TRUE;; esac done yesterday=`date -v-1d "+%b %e "` host=`hostname` [ $sflag = FALSE ] && echo "Subject: ${host} security check output" LOG=/var/log TMP=/var/run/_secure.$$ umask 027 echo "checking setuid files and devices:" # Don't have ncheck, but this does the equivalent of the commented out block. # Note that one of the original problems, the possibility of overrunning # the args to ls, is still here... # MP=`mount -t ufs | grep -v " nosuid" | sed 's;/dev/;&r;' | awk '{ print $3 }'` set ${MP} while [ $# -ge 1 ]; do mount=$1 shift find $mount -xdev -type f \ \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \ \( -perm -u+s -or -perm -g+s \) -print0 done | xargs -0 -n 20 ls -lTd | sort +9 > ${TMP} if [ ! -f ${LOG}/setuid.today ]; then separator echo "no ${LOG}/setuid.today" cp ${TMP} ${LOG}/setuid.today fi if ! cmp ${LOG}/setuid.today ${TMP} >/dev/null; then separator echo "${host} setuid diffs:" diff -b ${LOG}/setuid.today ${TMP} mv ${LOG}/setuid.today ${LOG}/setuid.yesterday mv ${TMP} ${LOG}/setuid.today fi # Show changes in the way filesystems are mounted # [ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat if mount -p | $cmd > $TMP; then if [ ! -f $LOG/mount.today ]; then separator echo "no $LOG/mount.today" cp $TMP $LOG/mount.today fi if ! cmp $LOG/mount.today $TMP >/dev/null 2>&1; then separator echo "$host changes in mounted filesystems:" diff -b $LOG/mount.today $TMP mv $LOG/mount.today $LOG/mount.yesterday mv $TMP $LOG/mount.today fi fi separator echo "checking for uids of 0:" awk -F: '$3==0 {print $1,$3}' /etc/master.passwd separator echo "checking for passwordless accounts:" awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/master.passwd # Show denied packets # if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then if [ ! -f ${LOG}/ipfw.today ]; then separator echo "no ${LOG}/ipfw.today" cp ${TMP} ${LOG}/ipfw.today fi if ! cmp ${LOG}/ipfw.today ${TMP} >/dev/null; then separator echo "${host} denied packets:" diff -b ${LOG}/ipfw.today ${TMP} | egrep "^>" mv ${LOG}/ipfw.today ${LOG}/ipfw.yesterday mv ${TMP} ${LOG}/ipfw.today fi fi # Show ipfw rules which have reached the log limit # IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null` if [ $? -eq 0 -a "${IPFW_LOG_LIMIT}" -ne 0 ]; then ipfw -a l | grep " log " | perl -n -e \ '/^\d+\s+(\d+)/; print if ($1 >= '$IPFW_LOG_LIMIT')' > ${TMP} if [ -s "${TMP}" ]; then separator echo "ipfw log limit reached:" cat ${TMP} fi fi # Show kernel log messages # if dmesg 2>/dev/null > ${TMP}; then if [ ! -f ${LOG}/dmesg.today ]; then separator echo "no ${LOG}/dmesg.today" cp ${TMP} ${LOG}/dmesg.today fi if ! cmp ${LOG}/dmesg.today ${TMP} >/dev/null 2>&1; then separator echo "${host} kernel log messages:" diff -b ${LOG}/dmesg.today ${TMP} | egrep "^>" mv ${LOG}/dmesg.today ${LOG}/dmesg.yesterday mv ${TMP} ${LOG}/dmesg.today fi fi # Show login failures # separator echo "${host} login failures:" zcat -f $LOG/messages.0* $LOG/messages | grep -i "^$yesterday.*login failure" # Show tcp_wrapper warning messages # separator echo "${host} refused connections:" zcat -f $LOG/messages.0* $LOG/messages | grep -i "^$yesterday.*refused connect" rm -f ${TMP}