e375f2fa06
fail to detect 00. PR: 7218 Submitted by: Michal Listos <mcl@Amnesiac.123.org> Niall Smart <rotel@indigo.ie>
110 lines
2.6 KiB
Bash
110 lines
2.6 KiB
Bash
#!/bin/sh -
|
|
#
|
|
# @(#)security 5.3 (Berkeley) 5/28/91
|
|
# $Id: security,v 1.24 1998/06/27 11:13:59 andreas Exp $
|
|
#
|
|
PATH=/sbin:/bin:/usr/bin
|
|
LC_ALL=C; export LC_ALL
|
|
|
|
separator () {
|
|
echo ""
|
|
echo ""
|
|
}
|
|
|
|
host=`hostname -s`
|
|
echo "Subject: $host security check output"
|
|
|
|
LOG=/var/log
|
|
TMP=/var/run/_secure.$$
|
|
|
|
umask 027
|
|
|
|
echo "checking setuid files and devices:"
|
|
|
|
# don't have ncheck, but this does the equivalent of the commented out block.
|
|
# note that one of the original problem, the possibility of overrunning
|
|
# the args to ls, is still here...
|
|
#
|
|
MP=`mount -t ufs | grep -v " nosuid" | sed 's;/dev/;&r;' | awk '{ print $3 }'`
|
|
set $MP
|
|
while test $# -ge 1; do
|
|
mount=$1
|
|
shift
|
|
find $mount -xdev -type f \
|
|
\( -perm -u+x -or -perm -g+x -or -perm -o+x \) \
|
|
\( -perm -u+s -or -perm -g+s \) -print0
|
|
done | xargs -0 -n 20 ls -lTd | sort +9 > $TMP
|
|
|
|
if [ ! -f $LOG/setuid.today ] ; then
|
|
separator
|
|
echo "no $LOG/setuid.today"
|
|
cp $TMP $LOG/setuid.today
|
|
fi
|
|
if cmp $LOG/setuid.today $TMP >/dev/null; then :; else
|
|
separator
|
|
echo "$host setuid diffs:"
|
|
diff -b $LOG/setuid.today $TMP
|
|
mv $LOG/setuid.today $LOG/setuid.yesterday
|
|
mv $TMP $LOG/setuid.today
|
|
fi
|
|
|
|
separator
|
|
echo "checking for uids of 0:"
|
|
awk 'BEGIN {FS=":"} $3==0 {print $1,$3}' /etc/master.passwd
|
|
|
|
# show denied packets
|
|
if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > $TMP; then
|
|
if [ ! -f $LOG/ipfw.today ] ; then
|
|
separator
|
|
echo "no $LOG/ipfw.today"
|
|
cp $TMP $LOG/ipfw.today
|
|
fi
|
|
if cmp $LOG/ipfw.today $TMP >/dev/null; then :; else
|
|
separator
|
|
echo "$host denied packets:"
|
|
diff -b $LOG/ipfw.today $TMP | egrep "^>"
|
|
mv $LOG/ipfw.today $LOG/ipfw.yesterday
|
|
mv $TMP $LOG/ipfw.today
|
|
fi
|
|
fi
|
|
|
|
# show ipfw rules which have reached the log limit
|
|
IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
|
|
if [ $? -eq 0 ] && [ $IPFW_LOG_LIMIT -ne 0 ]; then
|
|
ipfw -a l | grep " log " | perl -n -e \
|
|
'/^\d+\s+(\d+)/; print if ($1 >= '$IPFW_LOG_LIMIT')' > $TMP
|
|
if [ -s $TMP ]; then
|
|
separator
|
|
echo "ipfw log limit reached:"
|
|
cat $TMP
|
|
fi
|
|
fi
|
|
|
|
# show kernel log messages
|
|
if dmesg 2>/dev/null > $TMP; then
|
|
if [ ! -f $LOG/dmesg.today ] ; then
|
|
separator
|
|
echo "no $LOG/dmesg.today"
|
|
cp $TMP $LOG/dmesg.today
|
|
fi
|
|
if cmp $LOG/dmesg.today $TMP >/dev/null 2>&1; then :; else
|
|
separator
|
|
echo "$host kernel log messages:"
|
|
diff -b $LOG/dmesg.today $TMP | egrep "^>"
|
|
mv $LOG/dmesg.today $LOG/dmesg.yesterday
|
|
mv $TMP $LOG/dmesg.today
|
|
fi
|
|
fi
|
|
|
|
# show login failures
|
|
separator
|
|
echo "$host login failures:"
|
|
grep -i "login failures" $LOG/messages
|
|
|
|
# show tcp_wrapper warning messages
|
|
separator
|
|
echo "$host refused connections:"
|
|
grep -i "refused connect" $LOG/messages
|
|
|
|
rm -f $TMP
|