Path: utzoo!utgpu!news-server.csri.toronto.edu!rutgers!tut.cis.ohio-state.edu!usenet.ins.cwru.edu!mephisto!ncar!tank!gargoyle!ddsw1!olsa99!zeusa!hendrik
From: hendrik@zeusa.UUCP (Hendrik Vermooten)
Newsgroups: comp.unix.wizards
Subject: Re: Unix security automating script
Summary: Response to improvements of UNIX security script.
Keywords: security automating script
Message-ID: <803@zeusa.UUCP>
Date: 23 Mar 90 13:58:45 GMT
References: <799@zeusa.UUCP>
Organization: ZEUS software, Verwoerdburg
Lines: 185

I refer back to a UNIX security checking script that I posted a while ago.
There were plenty of replies to that one! Thanks to everybody who gave more
ideas. I incorporated most of the ideas into this one.

The idea behind this script is to point out potential security holes in your
system.

If anybody has *even more* ideas, please mail them to me, or if it isn't a lot,
post it. If enough stuff arrives, I'll post it again.

-------------- Cut here ---------------
# Security checking script.
#
# Hendrik Vermooten, ZEUS software (No copyright)
# hendrik@zeusa.UUCP
# ..!uunet!ddsw1!olsa99!zeusa!hendrik
#
# Thanks for all the tips on passing shell variables to awk scripts.
#
# Originally posted by hendrik@zeusa.UUCP, with help & suggestions from:
# (There were 4 more: I threw away my mail by mistake! Sorry guys!)
# riacs!rutgers!coat.com!andyb (Andy Behrens)
# uwm!swbatl.SWBT.COM!dwn (David Neill-OKCy Mktg 405-278-4007)
# riacs!rutgers!ux1.cso.uiuc.edu!hugh%slee01 (Hugh Fader)
# Joseph C. Konczal
# riacs!rutgers!gouldfr.encore.fr!kstock (Kevin Stock)
# "Michael J. Chinni, SMCAR-CCS-E"
# uunet!ddsw1!olsa99!oct1!cside1!mike (Mike Morris)
# Paul Smee
#
# BSD suggestions from:
# "Michael J. Chinni, SMCAR-CCS-E"

# Change the next line to BSD=1 for BSD systems
BSD=0

# This is the directory where this utility lives:
DIR=/u/security
CRONDIR=/usr/spool/cron/crontabs
UUCPDIR=/usr/lib/uucp

# This line, for skipping NFS directories, didn't work on my (XENIX) system:
# FSTYPE="\( -fstype nfs -prune \) -o "
FSTYPE=""

# On the very first run there is nothing to compare against yet: create the
# work directory and seed the saved copies, so the diffs below do not fail
# on missing files.
if [ ! -d $DIR ]
then
    mkdir $DIR
    chmod 700 $DIR
fi
if [ ! -f $DIR/prevrun ]
then
    echo "(first run)" > $DIR/prevrun
    for f in /etc/passwd /etc/group /usr/lib/crontab /etc/rc.boot \
             /etc/rc.local $UUCPDIR/L.sys $UUCPDIR/Systems $UUCPDIR/Permissions
    do
        if [ -f $f ]
        then
            cp $f $DIR/`basename $f`
        fi
    done
    mkdir $DIR/crons 2> /dev/null
    touch $DIR/setuids
fi

echo "*** Hendrik's UNIX security check script ***"
date
echo ""

echo "* Logins with super user privileges:"
awk 'BEGIN { FS=":" } { if ($3 == "0" || $3 == "") print $1 }' < /etc/passwd
echo ""
#
echo "* Logins without passwords:"
awk 'BEGIN { FS=":" } { if ($2 == "") print $1 }' < /etc/passwd
# Next line from: Paul Smee
awk 'BEGIN { FS=":" } (NF<2) {print "Blank or incomplete entry, line ", NR}' < /etc/passwd
echo ""

# Check changes to passwd and group files
echo "* Changes to /etc/passwd since `cat $DIR/prevrun`:"
diff /etc/passwd $DIR/passwd
cp /etc/passwd $DIR/passwd
echo "* Changes to /etc/group since `cat $DIR/prevrun`:"
diff /etc/group $DIR/group
cp /etc/group $DIR/group
echo ""

# Check writeability of /etc/passwd, /etc/group and the boot/cron files.
# grep -v prints the ls line when the mode is NOT the expected one, and
# only then does the warning fire.
ls -l /etc/passwd | grep -v "^-rw-r--r--" && echo "WARNING: Check this file's access mode!"
ls -l /etc/group | grep -v "^-rw-r--r--" && echo "WARNING: Check this file's access mode!"
ls -l /etc/rc | grep -v "^-rw-r--r--" && echo "WARNING: Check this file's access mode!"
if [ $BSD -eq 1 ]
then
    ls -l /usr/lib/crontab | grep -v "^-rw-------" && echo "WARNING: Check this file's access mode!"
    ls -l /etc/rc.boot | grep -v "^-rw-------" && echo "WARNING: Check this file's access mode!"
    ls -l /etc/rc.local | grep -v "^-rw-------" && echo "WARNING: Check this file's access mode!"
else
    ls -l $CRONDIR/root | grep -v "^-rw-------" && echo "WARNING: Check this file's access mode!"
    if [ -f $CRONDIR/bin ]
    then
        ls -l $CRONDIR/bin | grep -v "^-rw-r--r--" && echo "WARNING: Check this file's access mode!"
    fi
fi

# If someone has changed root or bin crontabs, they can get in.
# Thanks to ddsw1!riacs!rutgers!ux1.cso.uiuc.edu!hugh%slee01 (Hugh Fader)
echo ""
if [ $BSD -eq 1 ]
then
    echo "* Changes to /usr/lib/crontab since `cat $DIR/prevrun`"
    diff /usr/lib/crontab $DIR/crontab
    cp /usr/lib/crontab $DIR/crontab
    echo ""
    echo "* Changes to /etc/rc.boot since `cat $DIR/prevrun`"
    diff /etc/rc.boot $DIR/rc.boot
    cp /etc/rc.boot $DIR/rc.boot
    echo ""
    echo "* Changes to /etc/rc.local since `cat $DIR/prevrun`"
    diff /etc/rc.local $DIR/rc.local
    cp /etc/rc.local $DIR/rc.local
    echo ""
else
    # System V: one crontab file per user under $CRONDIR. Compare the list
    # of files (new crontabs) and then each file's contents (changed crontabs)
    # against the copies saved in $DIR/crons on the previous run.
    ls $CRONDIR | sort > $DIR/newcron
    ls $DIR/crons | sort > $DIR/oldcron
    echo "* New crontab files:"
    diff $DIR/oldcron $DIR/newcron | grep "^>"
    echo "* Changes to crontab files:"
    for i in $DIR/crons/*
    do
        user=`basename $i`
        diff $i $CRONDIR/$user > $DIR/crondiffs
        if [ $? -ne 0 ]
        then
            echo "* $user: "
            cat $DIR/crondiffs
        fi
    done
    rm $DIR/crondiffs
    rm $DIR/newcron
    rm $DIR/oldcron
    mkdir $DIR/crons 2> /dev/null
    cp $CRONDIR/* $DIR/crons
fi

# Naughty hackers might try to change their uucp access rights:
#
echo ""
echo "* UUCP security:"
if [ -f $UUCPDIR/L.sys ]
then
    echo "'L.sys' file changes:"
    diff $UUCPDIR/L.sys $DIR/L.sys
    cp $UUCPDIR/L.sys $DIR/L.sys
fi
if [ -f $UUCPDIR/Systems ]
then
    echo "'Systems' file changes:"
    diff $UUCPDIR/Systems $DIR/Systems
    cp $UUCPDIR/Systems $DIR/Systems
fi
if [ -f $UUCPDIR/Permissions ]
then
    echo "'Permissions' file changes:"
    diff $UUCPDIR/Permissions $DIR/Permissions
    cp $UUCPDIR/Permissions $DIR/Permissions
fi
#
# It would be nice to have full path names in the next two reports. But how?
# Thanks to ddsw1!riacs!rutgers!ux1.cso.uiuc.edu!hugh%slee01 (Hugh Fader):
# > With the find command that's how. Notice the -fstype clause causes skips
# > over nfs directories. The two finds could probably be combined.
#
# The mode field printed by ls is 10 characters: type, then rwx for the
# owner, the group and "other". Position 9 is the "other" write bit and
# position 10 the "other" search (execute) bit. Directories with the sticky
# bit (t in position 10, e.g. /tmp) are deliberately left out of the
# world-writeable report.
echo ""
echo "* Directories that can be written to by everyone:"
ls -lR / | awk '/^d[rwx]......w[x-]/ { print }'
# My find doesn't have the -ls option. If you have, try using:
# find / $FSTYPE -ls | awk '/d[rwx]......w[x-]/ { print }'
echo ""
echo "* Directories with search permissions for everyone:"
ls -lR / | awk '/^d[rwx].......[xt]/ { print }'
# My find doesn't have the -ls option. If you have, try using:
# find / $FSTYPE -ls | awk '/d[rwx].......[xt]/ { print }'

# Check Set UIDs & GIDs: I left the most important check till last
# Thanks to ddsw1!riacs!rutgers!ux1.cso.uiuc.edu!hugh%slee01 (Hugh Fader):
# Skips over NFS directories
mv $DIR/setuids $DIR/setuids.prev
find / $FSTYPE \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \; | sort > $DIR/setuids
echo "* Set UID status that have been enabled since `cat $DIR/prevrun`"
diff $DIR/setuids.prev $DIR/setuids | grep "^>"
# Position 9 of the mode field is the "other" write bit, position 6 the
# group write bit.
if grep "^-[rwx]......w" $DIR/setuids > /dev/null
then
    echo "* Set UID executables that are writeable by Other:"
    grep "^-[rwx]......w" $DIR/setuids
fi
if grep "^-[rwx]...w" $DIR/setuids > /dev/null
then
    echo "* Set UID executables that are writeable by the group:"
    grep "^-[rwx]...w" $DIR/setuids
fi

date > $DIR/prevrun
chown root $DIR/*
chmod 600 $DIR/*
chmod 700 $DIR
# The chmod 600 above also took the execute bit off this script, which lives
# in $DIR: give it back.
chmod 700 $DIR/`basename $0`

# Other checks:
# Changes to files under /etc/rc.d/*
# Check only for set UID/GID to bin & root?
-------------- Cut here ---------------

 ***   ***   Hendrik Vermooten, ZEUS software
 * o   o *   Bang: ..!uunet!ddsw1!olsa99!zeusa!hendrik
 O|  I  |O   or hendrik@zeusa.UUCP
 |  ***  |
  \*****/
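Added example, not code from Hendrik's posting: the passwd sanity checks and the save-a-copy-and-diff step that the script repeats for passwd, group, the crontabs, the uucp files and the setuid list, written as two shell functions (passwd_check and baseline_diff are names chosen here) and exercised on constructed sample data instead of real system files, including the first run, when there is no saved copy to compare against yet.

```shell
#!/bin/sh
# Added example, not part of Hendrik's script: the passwd sanity checks and
# the "changes since last run" step, as functions over constructed sample data.

# Report superuser logins (uid 0 or empty uid field), empty password fields
# and malformed lines. Prints one "kind:login" (or "malformed:lineno") per line.
passwd_check() {
    awk 'BEGIN { FS=":" }
         NF < 2                { print "malformed:" NR; next }
         $3 == "0" || $3 == "" { print "uid0:" $1 }
         $2 == ""              { print "nopass:" $1 }' "$1"
}

# Diff a file against the copy saved by the previous run, then refresh the
# copy. On the first run there is nothing to compare against, so the copy is
# only seeded. Returns 1 if the file changed, 0 otherwise.
baseline_diff() {
    file=$1; store=$2
    saved="$store/$(basename "$file")"
    if [ ! -f "$saved" ]; then
        cp "$file" "$saved"
        echo "first run: baseline for $file stored"
        return 0
    fi
    if diff "$saved" "$file"; then rc=0; else rc=1; fi
    cp "$file" "$saved"
    return $rc
}

# Constructed sample data (not from any real system).
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/store"
    printf 'root:x:0:0:root:/:/bin/sh\ntoor::0:0:second root:/:/bin/sh\n' > "$tmp/passwd"
    printf 'guest::200:50:guest:/tmp:/bin/sh\nbroken\n' >> "$tmp/passwd"
    echo "* passwd sanity checks:"
    passwd_check "$tmp/passwd"
    echo "* changes to passwd since last run:"
    baseline_diff "$tmp/passwd" "$tmp/store"      # first run: seeds the copy
    echo 'mallory:x:0:0:new uid 0 login:/:/bin/sh' >> "$tmp/passwd"
    baseline_diff "$tmp/passwd" "$tmp/store" || echo "WARNING: passwd changed"
    rm -rf "$tmp"
}

demo
```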