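Path: utzoo!attcan!uunet!lll-winken!uwm.edu!ux1.cso.uiuc.edu!tank!gargoyle!ddsw1!olsa99!zeusa!hendrik
From: hendrik@zeusa.UUCP (Hendrik Vermooten)
Newsgroups: comp.unix.wizards
Subject: Unix security automating script
Keywords: security automating script
Message-ID: <799@zeusa.UUCP>
Date: 19 Mar 90 15:26:01 GMT
Organization: ZEUS software, Verwoerdburg
Lines: 102

This script is used to try and improve a system's security. Go through the commands and you'll see what is done. The challenge is this: who has more and/or better ideas to improve this thing? Please mail me your [tested] suggestions, and I'll send in some follow-up articles.

*** *** Hendrik Vermooten, ZEUS software * o o * Bang: ..!uunet!ddsw1!olsa99!zeusa!hendrik O| I |O or hendrik@zeusa.UUCP | *** | \*****/

# Security checking script.
#
# Hendrik Vermooten, ZEUS software (No copyright)
# hendrik@zeusa.UUCP
# ..!uunet!ddsw1!olsa99!zeusa!hendrik
#
# Runs as root (from cron or by hand) and keeps its state under $DIR:
# copies of the files it watches, the previous set-UID/GID list and the
# date of the previous run, so every report reads "what changed since the
# last run".  Written for the Bourne shell: no $(...), no [[ ]], no local.
#
# A root-run script must not pick up ls/find/awk from the caller's PATH
# (cron and an interactive shell differ here); pin it.  Adjust the list if
# your system keeps these tools elsewhere.
PATH=/bin:/usr/bin:/etc
export PATH
# The state files hold password fields, crontabs and the set-UID list, so
# create them private from the start instead of fixing modes afterwards.
umask 077

DIR=/u/security
CRONDIR=/usr/spool/cron/crontabs
UUCPDIR=/usr/lib/uucp

# The state directory must exist before anything else; every later step
# would otherwise report garbage, so stop here if it cannot be made.
if [ ! -d "$DIR" ]
then
  mkdir "$DIR" || { echo "cannot create $DIR" 1>&2; exit 1; }
fi
chmod 700 "$DIR"

# Date of the previous run, read once.  On a fresh system there is no
# prevrun file yet; say so instead of printing three 'cat' errors.
if [ -f "$DIR/prevrun" ]
then
  PREVRUN=`cat "$DIR/prevrun"`
else
  PREVRUN="(first run - no previous report)"
fi

# report_changes title saved-copy live-file
#   Diffs the saved copy against the live file, live file second, so that
#   '>' lines are what is NEW since the last run (the same orientation as
#   the set-UID report at the end), then refreshes the copy.  On the first
#   run there is nothing to compare: say so and just save.
report_changes() {
  echo "$1 since $PREVRUN:"
  if [ -f "$3" ]
  then
    if [ -f "$2" ]
    then
      diff "$2" "$3"
    else
      echo "(no saved copy yet - saving $3 for the next run)"
    fi
    cp "$3" "$2"
  else
    echo "(no such file: $3)"
  fi
}

# check_mode file expected-mode
#   Warns when the mode string printed by 'ls -l' does not start with the
#   expected one, or when the owner is not root (a root-owned 644 file is
#   still a problem if someone else owns it).  The 'ls -l' line is printed
#   with the warning so the reader sees what is wrong without running ls
#   again.  A missing file is reported rather than silently skipped.
check_mode() {
  if [ ! -f "$1" ]
  then
    echo "WARNING: $1 does not exist"
    return
  fi
  line=`ls -l "$1"`
  case "$line" in
    "$2"*) ;;
    *) echo "WARNING: Check this file's access mode! (want $2):"
       echo "  $line" ;;
  esac
  # 'ls -l' fields: mode links owner group size date name
  owner=`echo "$line" | awk '{ print $3 }'`
  if [ "$owner" != root ]
  then
    echo "WARNING: $1 is owned by $owner, not root"
  fi
}

echo "*** Hendrik's UNIX security check script ***"
date
echo ""

# UID 0 is root whatever the login name.  Compare numerically: "00", an
# empty field and a non-numeric field all become 0 in awk and all deserve
# a look; the old string compare ($3 == "0") only caught the plain "0".
echo "* Logins with super user privileges:"
awk 'BEGIN { FS=":" } { if ($3 + 0 == 0) print $1 }' < /etc/passwd
echo ""
#
echo "* Logins without passwords:"
awk 'BEGIN { FS=":" } { if ($2 == "") print $1 }' < /etc/passwd
echo ""

# Check changes to passwd file: a new UID-0 line or a cleared password
# field shows up as a '>' line.
report_changes "* Changes to /etc/passwd" "$DIR/passwd" /etc/passwd
report_changes "* Changes to /etc/group" "$DIR/group" /etc/group
echo ""

# Check writeability of /etc/passwd and the other files that give away
# root to anyone who can edit them.
echo "* Access modes of critical files:"
check_mode /etc/passwd -rw-r--r--
check_mode /etc/group -rw-r--r--
check_mode /etc/rc -rw-r--r--
check_mode "$CRONDIR/root" -rw-------
if [ -f "$CRONDIR/bin" ]
then
  check_mode "$CRONDIR/bin" -rw-r--r--
fi
echo ""

# If someone has changed root or bin crontabs, they can get in.
# A plain shell loop does what the awk-generates-commands idea was after:
# no shell variables have to be passed into awk, and no generated text is
# fed to /bin/sh.  One crontab file per login name.
echo "* Crontab files:"
if [ ! -d "$DIR/crons" ]
then
  mkdir "$DIR/crons"
fi
for f in "$CRONDIR"/*
do
  [ -f "$f" ] || continue
  name=`basename "$f"`
  if [ ! -f "$DIR/crons/$name" ]
  then
    echo "New crontab file since $PREVRUN: $name"
  else
    cmp -s "$DIR/crons/$name" "$f" || {
      echo "Changed crontab for $name since $PREVRUN:"
      diff "$DIR/crons/$name" "$f"
    }
  fi
  cp "$f" "$DIR/crons/$name"
done
# A crontab that vanished is a change too; drop the saved copy once it has
# been reported so it is not reported again next time.
for f in "$DIR/crons"/*
do
  [ -f "$f" ] || continue
  name=`basename "$f"`
  if [ ! -f "$CRONDIR/$name" ]
  then
    echo "Crontab file removed since $PREVRUN: $name"
    rm -f "$f"
  fi
done
echo ""

echo "* UUCP security:"
report_changes "'Systems' file changes" "$DIR/Systems" "$UUCPDIR/Systems"
report_changes "'Permissions' file changes" "$DIR/Permissions" "$UUCPDIR/Permissions"
#
# find gives the full path names that 'ls -lR' could not, and -exec ls -ld
# prints the mode next to each one.  World-writable directories with the
# sticky bit set (/tmp and friends) are left out, as the old [x-] pattern
# did.
#
echo ""
echo "* Directories that can be written to by everyone:"
find / -type d -perm -0002 ! -perm -1000 -exec ls -ld {} \;
echo ""
# This report used the same awk pattern as the one above and so repeated
# it; it now really tests the 'other' search (x) bit.  Expect a long list;
# start find lower than / if it drowns the rest of the report.
echo "* Directories with search permissions for everyone:"
find / -type d -perm -0001 -exec ls -ld {} \;

# Check Set UIDs & GIDs: I left the most important check till last
# Keep the previous list for the diff; on the first run compare against an
# empty list so every set-UID/GID file is reported once instead of 'mv'
# and 'diff' failing on missing files.
if [ -f "$DIR/setuids" ]
then
  mv "$DIR/setuids" "$DIR/setuids.prev"
else
  : > "$DIR/setuids.prev"
fi
find / \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; | sort > "$DIR/setuids"
# 'ls -ld' carries size and date, so a replaced set-UID binary shows up as
# a new line here even when its name and mode did not change.
echo "* Set UID status that have been enabled since $PREVRUN"
diff "$DIR/setuids.prev" "$DIR/setuids" | grep "^>"
echo "* Set UID status that have been removed since $PREVRUN"
diff "$DIR/setuids.prev" "$DIR/setuids" | grep "^<"
date > "$DIR/prevrun"

# Lock the state directory down: the saved passwd copy, the crontabs and
# the set-UID list are just what an intruder would like to read.
chown root "$DIR"/*
chmod 600 "$DIR"/*
chmod 700 "$DIR" "$DIR/crons"
# chmod 600 above strips the execute bit from this script when it lives in
# $DIR; put it back on the script as it was invoked.  The old form
# 'chmod +x $DIR/$0' only worked when $0 was a name relative to $DIR.
if [ -f "$0" ]
then
  chmod +x "$0"
fi

# Other checks:
# Changes to files under /etc/rc.d/*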