Unix security automating script
Hendrik Vermooten
hendrik at zeusa.UUCP
Fri Mar 23 23:58:45 AEST 1990
I refer back to a UNIX security checking script that I posted a while ago.
There were plenty of replies to that one! Thanks to everybody who gave more
ideas. I incorporated most of the ideas into this one.
The idea behind this script is to point out potential security holes in your
system. If anybody has *even more* ideas, please mail to me, or if it isn't
a lot, post it. If enough stuff arrives, I'll post it again.
-------------- Cut here ---------------
# Security checking script.
#
# Hendrik Vermooten, ZEUS software (No copyright)
# hendrik at zeusa.UUCP
# ..!uunet!ddsw1!olsa99!zeusa!hendrik
#
# Thanks for all the tips on passing shell variables to awk scripts.
#
# Originally posted by hendrik at zeusa.UUCP, with help & suggestions from:
# (There were 4 more: I threw away my mail by mistake! Sorry guys!)
# riacs!rutgers!coat.com!andyb (Andy Behrens)
# uwm!swbatl.SWBT.COM!dwn (David Neill-OKCy Mktg 405-278-4007)
# riacs!rutgers!ux1.cso.uiuc.edu!hugh%slee01 (Hugh Fader)
# Joseph C. Konczal <uunet!mail-gw.ncsl.nist.gov!konczal>
# riacs!rutgers!gouldfr.encore.fr!kstock (Kevin Stock)
# "Michael J. Chinni, SMCAR-CCS-E" <!uunet!PICA.ARMY.MIL!mchinni>
# uunet!ddsw1!olsa99!oct1!cside1!mike (Mike Morris)
# Paul Smee <uunet!bris.ac.uk!P.Smee>
#
# BSD suggestions from:
# "Michael J. Chinni, SMCAR-CCS-E" <!uunet!PICA.ARMY.MIL!mchinni>
# Change the next line to BSD=1 for BSD systems
BSD=0
# This is the directory where this utility lives:
DIR=/u/security
CRONDIR=/usr/spool/cron/crontabs
UUCPDIR=/usr/lib/uucp
# This line, for skipping NFS directories, didn't work on my (XENIX) system:
# FSTYPE="\( -fstype nfs -prune \) -o "
FSTYPE=""
echo "*** Hendrik's UNIX security check script ***"
date
echo ""
echo "* Logins with super user privileges:"
awk 'BEGIN { FS=":" } { if ($3 == "0" || $3 == "") print $1 }' < /etc/passwd
echo ""
#
echo "* Logins without passwords:"
awk 'BEGIN { FS=":" } { if ($2 == "") print $1 }' < /etc/passwd
# Next line from: Paul Smee <uunet!bris.ac.uk!P.Smee>
awk 'BEGIN { FS=":" } (NF<2) {print "Blank or incomplete entry, line ", NR}' < /etc/passwd
echo ""
# Check changes to passwd file
echo "* Changes to /etc/passwd since `cat $DIR/prevrun`:"
diff /etc/passwd $DIR/passwd
cp /etc/passwd $DIR/passwd
echo "* Changes to /etc/group since `cat $DIR/prevrun`:"
diff /etc/group $DIR/group
cp /etc/group $DIR/group
echo ""
# Check writeability of /etc/passwd
ls -l /etc/passwd | grep -v "^-rw-r--r--" && echo "WARNING: Check this file's access mode!"
ls -l /etc/group | grep -v "^-rw-r--r--" && echo "WARNING: Check this file's access mode!"
ls -l /etc/rc | grep -v "^-rw-r--r--" && echo "WARNING: Check this file's access mode!"
if [ $BSD -eq 1 ]
then
    ls -l /usr/lib/crontab | grep -v "^-rw-------" && echo "WARNING: Check this file's access mode!"
    ls -l /etc/rc.boot | grep -v "^-rw-------" && echo "WARNING: Check this file's access mode!"
    ls -l /etc/rc.local | grep -v "^-rw-------" && echo "WARNING: Check this file's access mode!"
else
    ls -l $CRONDIR/root | grep -v "^-rw-------" && echo "WARNING: Check this file's access mode!"
    if [ -f $CRONDIR/bin ]
    then
        ls -l $CRONDIR/bin | grep -v "^-rw-r--r--" && echo "WARNING: Check this file's access mode!"
    fi
fi
# If someone has changed root or bin crontabs, they can get in.
# Thanks to ddsw1!riacs!rutgers!ux1.cso.uiuc.edu!hugh%slee01 (Hugh Fader)
echo ""
if [ $BSD -eq 1 ]
then
    echo "* Changes to /usr/lib/crontab since `cat $DIR/prevrun`"
    diff /usr/lib/crontab $DIR/crontab
    cp /usr/lib/crontab $DIR/crontab
    echo ""
    echo "* Changes to /etc/rc.boot since `cat $DIR/prevrun`"
    diff /etc/rc.boot $DIR/rc.boot
    cp /etc/rc.boot $DIR/rc.boot
    echo ""
    echo "* Changes to /etc/rc.local since `cat $DIR/prevrun`"
    diff /etc/rc.local $DIR/rc.local
    cp /etc/rc.local $DIR/rc.local
    echo ""
else
    # System V
    # Create the directory of saved copies first, so the ls below works on the
    # very first run (every crontab is then reported as new).
    mkdir $DIR/crons 2> /dev/null
    ls $CRONDIR | sort > $DIR/newcron
    ls $DIR/crons | sort > $DIR/oldcron
    echo "* New crontab files:"
    diff $DIR/oldcron $DIR/newcron | grep "^>"
    echo "* Changes to crontab files:"
    for i in $DIR/crons/*; do
        [ -f $i ] || continue          # nothing saved yet (first run)
        user=`basename $i`
        diff $i $CRONDIR/$user > $DIR/crondiffs
        if [ $? -ne 0 ]; then
            echo "* $user: "
            cat $DIR/crondiffs
        fi
    done
    rm -f $DIR/crondiffs
    rm -f $DIR/newcron
    rm -f $DIR/oldcron
    cp $CRONDIR/* $DIR/crons
fi
# Naughty hackers might try to change their uucp access rights:
#
echo ""
echo "* UUCP security:"
if [ -f $UUCPDIR/L.sys ]
then
    echo "'L.sys' file changes:"
    diff $UUCPDIR/L.sys $DIR/L.sys
    cp $UUCPDIR/L.sys $DIR/L.sys
fi
if [ -f $UUCPDIR/Systems ]
then
    echo "'Systems' file changes:"
    diff $UUCPDIR/Systems $DIR/Systems
    cp $UUCPDIR/Systems $DIR/Systems
fi
if [ -f $UUCPDIR/Permissions ]
then
    echo "'Permissions' file changes:"
    diff $UUCPDIR/Permissions $DIR/Permissions
    cp $UUCPDIR/Permissions $DIR/Permissions
fi
#
# It would be nice to have full path names in the next two reports. But how?
# Thanks to ddsw1!riacs!rutgers!ux1.cso.uiuc.edu!hugh%slee01 (Hugh Fader):
# > With the find command that's how. Notice the -fstype clause causes skips
# > over nfs directories. The two finds could probably be combined.
#
echo ""
echo "* Directories that can be written to by everyone:"
ls -lR / | awk '/^d[rwx]......w[x-]/ { print }'
# My find doesn't have the -ls option. If you have, try using:
# find / $FSTYPE -ls | awk '/d[rwx]......w[x-]/ { print }'
echo ""
echo "* Directories with search permissions for everyone:"
# This pattern tests the last mode character (x, or t when the sticky bit is
# also set), not the world-write bit as the previous check does.
ls -lR / | awk '/^d[rwx].......[xt]/ { print }'
# My find doesn't have the -ls option. If you have, try using:
# find / $FSTYPE -ls | awk '/d[rwx].......[xt]/ { print }'
# Check Set UIDs & GIDs: I left the most important check till last
# Thanks to ddsw1!riacs!rutgers!ux1.cso.uiuc.edu!hugh%slee01 (Hugh Fader):
# Skips over NFS directories
mv $DIR/setuids $DIR/setuids.prev
find / $FSTYPE \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \; | sort > $DIR/setuids
echo "* Set UID/GID files that have been enabled since `cat $DIR/prevrun`"
diff $DIR/setuids.prev $DIR/setuids | grep "^>"
grep "^-[rwx]......w" $DIR/setuids && echo "* Set UID executables that are writable by Other"
grep "^-[rwx]...w" $DIR/setuids && echo "* Set UID executables that are writable by the group"
date > $DIR/prevrun
chown root $DIR/*
chmod 600 $DIR/*
chmod 700 $DIR
# The script itself lives in $DIR (see DIR above); use the basename so this
# also works when the script was started by its full path name.
chmod +x $DIR/`basename $0`
# Other checks:
# Changes to files under /etc/rc.d/*
# Check only for set UID/GID to bin & root?
-------------- Cut here ---------------
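The world-writable directory and set-UID checks from the script, redone with find so the report carries full path names (the question raised in the comments above), together with the setuids.prev baseline comparison. This is an added example, not part of the posted script; the directory tree built by make_sample_tree is constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the posted script): the world-writable directory
# and set-UID checks redone with find -perm, which gives full path names, plus
# the script's baseline comparison for newly enabled set-UID/GID files.
# The tree built by make_sample_tree is constructed for illustration.

# Directories anyone can write to.  Sticky directories (/tmp style) are left
# out: there users cannot remove or rename each other's files.
world_writable_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print | sort
}

# Set-UID/set-GID files writable by group or other: whoever can write the
# file can replace the privileged program.
writable_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) \
        \( -perm -0020 -o -perm -0002 \) -print | sort
}

# Keep the previous list in $2/setuids.prev, as the script does, and report
# only set-UID/GID files that were not there on the last run.
new_setid_files() {
    if [ -f "$2/setuids" ]; then
        mv "$2/setuids" "$2/setuids.prev"
    else
        mkdir -p "$2"; : > "$2/setuids.prev"    # first run: everything is new
    fi
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort > "$2/setuids"
    comm -13 "$2/setuids.prev" "$2/setuids"     # lines only in the new list
}

# Constructed sample tree; the modes are deliberate, not a real system's.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/pub" "$t/tmp" "$t/bin"
    chmod 777 "$t/pub"                            # world-writable: reported
    chmod 1777 "$t/tmp"                           # sticky: skipped
    : > "$t/bin/ok";  chmod 4755 "$t/bin/ok"      # set-UID, not writable
    : > "$t/bin/bad"; chmod 4777 "$t/bin/bad"     # set-UID, world-writable
    : > "$t/bin/grp"; chmod 2775 "$t/bin/grp"     # set-GID, group-writable
    echo "$t"
}

demo=$(make_sample_tree)
echo "* Directories that can be written to by everyone:"; world_writable_dirs "$demo"
echo "* Set-UID/GID files writable by group or other:";   writable_setid_files "$demo"
rm -rf "$demo"
```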
*** *** Hendrik Vermooten, ZEUS software
* o o * Bang: ..!uunet!ddsw1!olsa99!zeusa!hendrik
O| I |O or hendrik at zeusa.UUCP
| *** |
\*****/