Diffstat (limited to 'contrib/perl5/eg/scan')
-rw-r--r-- | contrib/perl5/eg/scan/scan_df | 51 | ||||
-rw-r--r-- | contrib/perl5/eg/scan/scan_last | 57 | ||||
-rw-r--r-- | contrib/perl5/eg/scan/scan_messages | 222 | ||||
-rw-r--r-- | contrib/perl5/eg/scan/scan_passwd | 30 | ||||
-rw-r--r-- | contrib/perl5/eg/scan/scan_ps | 32 | ||||
-rw-r--r-- | contrib/perl5/eg/scan/scan_sudo | 54 | ||||
-rw-r--r-- | contrib/perl5/eg/scan/scan_suid | 84 | ||||
-rw-r--r-- | contrib/perl5/eg/scan/scanner | 87 |
8 files changed, 0 insertions, 617 deletions
diff --git a/contrib/perl5/eg/scan/scan_df b/contrib/perl5/eg/scan/scan_df
deleted file mode 100644
index c221cdc..0000000
--- a/contrib/perl5/eg/scan/scan_df
+++ /dev/null
@@ -1,51 +0,0 @@
-#!/usr/bin/perl -P
-
-# $RCSfile: scan_df,v $$Revision: 4.1 $$Date: 92/08/07 17:20:33 $
-
-# This report points out filesystems that are in danger of overflowing.
-
-(chdir '/usr/adm/private/memories') || die "Can't cd to memories: $!\n";
-`df >newdf`;
-open(Df, 'olddf');
-
-while (<Df>) {
- ($fs,$kbytes,$used,$avail,$capacity,$mounted_on) = split;
- next if $fs =~ /:/;
- next if $fs eq '';
- $oldused{$fs} = $used;
-}
-
-open(Df, 'newdf') || die "scan_df: can't open newdf";
-
-while (<Df>) {
- ($fs,$kbytes,$used,$avail,$capacity,$mounted_on) = split;
- next if $fs =~ /:/;
- next if $fs eq '';
- $oldused = $oldused{$fs};
- next if ($oldused == $used && $capacity < 99); # inactive filesystem
- if ($capacity >= 90) {
-#if defined(mc300) || defined(mc500) || defined(mc700)
- $_ = substr($_,0,13) . ' ' . substr($_,13,1000);
- $kbytes /= 2; # translate blocks to K
- $used /= 2;
- $oldused /= 2;
- $avail /= 2;
-#endif
- $diff = int($used - $oldused);
- if ($avail < $diff * 2) { # mark specially if in danger
- $mounted_on .= ' *';
- }
- next if $diff < 50 && $mounted_on eq '/';
- $fs =~ s|/dev/||;
- if ($diff >= 0) {
- $diff = '(+' . $diff . ')';
- }
- else {
- $diff = '(' . $diff . ')';
- }
- printf "%-8s%8d%8d %-8s%8d%7s %s\n",
- $fs,$kbytes,$used,$diff,$avail,$capacity,$mounted_on;
- }
-}
-
-rename('newdf','olddf');
diff --git a/contrib/perl5/eg/scan/scan_last b/contrib/perl5/eg/scan/scan_last
deleted file mode 100644
index 4d15ca0..0000000
--- a/contrib/perl5/eg/scan/scan_last
+++ /dev/null
@@ -1,57 +0,0 @@
-#!/usr/bin/perl -P
-
-# $RCSfile: scan_last,v $$Revision: 4.1 $$Date: 92/08/07 17:20:35 $
-
-# This reports who was logged on at weird hours
-
-($dy, $mo, $lastdt) = split(/ +/,`date`);
-
-open(Last, 'exec last 2>&1 |') || die "scan_last: can't run last";
-
-while (<Last>) {
-#if defined(mc300) || defined(mc500) || defined(mc700)
- $_ = substr($_,0,19) . substr($_,23,100);
-#endif
- next if /^$/;
- (print),next if m|^/|;
- $login = substr($_,0,8);
- $tty = substr($_,10,7);
- $from = substr($_,19,15);
- $day = substr($_,36,3);
- $mo = substr($_,40,3);
- $dt = substr($_,44,2);
- $hr = substr($_,47,2);
- $min = substr($_,50,2);
- $dash = substr($_,53,1);
- $tohr = substr($_,55,2);
- $tomin = substr($_,58,2);
- $durhr = substr($_,63,2);
- $durmin = substr($_,66,2);
-
- next unless $hr;
- next if $login eq 'reboot ';
- next if $login eq 'shutdown';
-
- if ($dt != $lastdt) {
- if ($lastdt < $dt) {
- $seen += $dt - $lastdt;
- }
- else {
- $seen++;
- }
- $lastdt = $dt;
- }
-
- $inat = $hr + $min / 60;
- if ($tohr =~ /^[a-z]/) {
- $outat = 12; # something innocuous
- } else {
- $outat = $tohr + $tomin / 60;
- }
-
- last if $seen + ($inat < 8) > 1;
-
- if ($inat < 5 || $inat > 21 || $outat < 6 || $outat > 23) {
- print;
- }
-}
diff --git a/contrib/perl5/eg/scan/scan_messages b/contrib/perl5/eg/scan/scan_messages
deleted file mode 100644
index 6cf0997..0000000
--- a/contrib/perl5/eg/scan/scan_messages
+++ /dev/null
@@ -1,222 +0,0 @@ -#!/usr/bin/perl -P - -# $RCSfile: scan_messages,v $$Revision: 4.1 $$Date: 92/08/07 17:20:37 $ - -# This prints out extraordinary console messages. You'll need to customize. - -chdir('/usr/adm/private/memories') || die "Can't cd to memories: $!\n"; - -$maxpos = `cat oldmsgs 2>&1`; - -#if defined(mc300) || defined(mc500) || defined(mc700) -open(Msgs, '/dev/null') || die "scan_messages: can't open messages"; -#else -open(Msgs, '/usr/adm/messages') || die "scan_messages: can't open messages"; -#endif - -($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,$atime,$mtime,$ctime, - $blksize,$blocks) = stat(Msgs); - -if ($size < $maxpos) { # Did somebody truncate messages file? - $maxpos = 0; -} - -seek(Msgs,$maxpos,0); # Start where we left off last time. - -while (<Msgs>) { - s/\[(\d+)\]/#/ && s/$1/#/g; -#ifdef vax - $_ =~ s/[A-Z][a-z][a-z] +\w+ +[0-9:]+ +\w+ +//; - next if /root@.*:/; - next if /^vmunix: 4.3 BSD UNIX/; - next if /^vmunix: Copyright/; - next if /^vmunix: avail mem =/; - next if /^vmunix: SBIA0 at /; - next if /^vmunix: disk ra81 is/; - next if /^vmunix: dmf. at uba/; - next if /^vmunix: dmf.:.*asynch/; - next if /^vmunix: ex. at uba/; - next if /^vmunix: ex.: HW/; - next if /^vmunix: il. at uba/; - next if /^vmunix: il.: hardware/; - next if /^vmunix: ra. at uba/; - next if /^vmunix: ra.: media/; - next if /^vmunix: real mem/; - next if /^vmunix: syncing disks/; - next if /^vmunix: tms/; - next if /^vmunix: tmscp. at uba/; - next if /^vmunix: uba. at /; - next if /^vmunix: uda. at /; - next if /^vmunix: uda.: unit . 
ONLIN/; - next if /^vmunix: .*buffers containing/; - next if /^syslogd: .*newslog/; -#endif - next if /unknown service/; - next if /^\.\.\.$/; - if (/^[A-Z][a-z][a-z] [ 0-9][0-9] [ 0-9][0-9]:[0-9][0-9]/) { - $pfx = ''; - next; - } - next if /^[ \t]*$/; - next if /^[ 0-9]*done$/; - if (/^A/) { - next if /^Accounting [sr]/; - } - elsif (/^C/) { - next if /^Called from/; - next if /^Copyright/; - } - elsif (/^E/) { - next if /^End traceback/; - next if /^Ethernet address =/; - } - elsif (/^K/) { - next if /^KERNEL MODE/; - } - elsif (/^R/) { - next if /^Rebooting Unix/; - } - elsif (/^S/) { - next if /^Sun UNIX 4\.2 Release/; - } - elsif (/^W/) { - next if /^WARNING: clock gained/; - } - elsif (/^a/) { - next if /^arg /; - next if /^avail mem =/; - } - elsif (/^b/) { - next if /^bwtwo[0-9] at /; - } - elsif (/^c/) { - next if /^cgone[0-9] at /; - next if /^cdp[0-9] at /; - next if /^csr /; - } - elsif (/^d/) { - next if /^dcpa: init/; - next if /^done$/; - next if /^dts/; - next if /^dump i\/o error/; - next if /^dumping to dev/; - next if /^dump succeeded/; - $pfx = '*' if /^dev = /; - } - elsif (/^e/) { - next if /^end \*\*/; - next if /^error in copy/; - } - elsif (/^f/) { - next if /^found /; - } - elsif (/^i/) { - next if /^ib[0-9] at /; - next if /^ie[0-9] at /; - } - elsif (/^l/) { - next if /^le[0-9] at /; - } - elsif (/^m/) { - next if /^mem = /; - next if /^mt[0-9] at /; - next if /^mti[0-9] at /; - $pfx = '*' if /^mode = /; - } - elsif (/^n/) { - next if /^not found /; - } - elsif (/^p/) { - next if /^page map /; - next if /^pi[0-9] at /; - $pfx = '*' if /^panic/; - } - elsif (/^q/) { - next if /^qqq /; - } - elsif (/^r/) { - next if /^read /; - next if /^revarp: Requesting/; - next if /^root [od]/; - } - elsif (/^s/) { - next if /^sc[0-9] at /; - next if /^sd[0-9] at /; - next if /^sd[0-9]: </; - next if /^si[0-9] at /; - next if /^si_getstatus/; - next if /^sk[0-9] at /; - next if /^skioctl/; - next if /^skopen/; - next if /^skprobe/; - next if /^skread/; 
- next if /^skwrite/; - next if /^sky[0-9] at /; - next if /^st[0-9] at /; - next if /^st0:.*load/; - next if /^stat1 = /; - next if /^syncing disks/; - next if /^syslogd: going down on signal 15/; - } - elsif (/^t/) { - next if /^timeout [0-9]/; - next if /^tm[0-9] at /; - next if /^tod[0-9] at /; - next if /^tv [0-9]/; - $pfx = '*' if /^trap address/; - } - elsif (/^u/) { - next if /^unit nsk/; - next if /^use one of/; - $pfx = '' if /^using/; - next if /^using [0-9]+ buffers/; - } - elsif (/^x/) { - next if /^xy[0-9] at /; - next if /^write [0-9]/; - next if /^xy[0-9]: </; - next if /^xyc[0-9] at /; - } - elsif (/^y/) { - next if /^yyy [0-9]/; - } - elsif (/^z/) { - next if /^zs[0-9] at /; - } - $pfx = '*' if /^[a-z]+:$/; - s/pid [0-9]+: //; - if (/last message repeated ([0-9]+) time/) { - $seen{$last} += $1; - next; - } - s/^/$pfx/ if $pfx; - unless ($seen{$_}++) { - push(@seen,$_); - } - $last = $_; -} -$max = tell(Msgs); - -open(tmp,'|sort >oldmsgs.tmp') || die "Can't create tmp file: $!\n"; -while ($_ = pop(@seen)) { - print tmp $_; -} -close(tmp); -open(tmp,'oldmsgs.tmp') || die "Can't reopen tmp file: $!\n"; -while (<tmp>) { - if (/^nd:/) { - next if $seen{$_} < 20; - } - if (/NFS/) { - next if $seen{$_} < 20; - } - if (/no carrier/) { - next if $seen{$_} < 20; - } - if (/silo overflow/) { - next if $seen{$_} < 20; - } - print $seen{$_},":\t",$_; -} - -print `rm -f oldmsgs.tmp 2>&1; echo $max > oldmsgs 2>&1`; diff --git a/contrib/perl5/eg/scan/scan_passwd b/contrib/perl5/eg/scan/scan_passwd deleted file mode 100644 index 50f6fc8..0000000 --- a/contrib/perl5/eg/scan/scan_passwd +++ /dev/null 
@@ -1,30 +0,0 @@
-#!/usr/bin/perl
-
-# $RCSfile: scan_passwd,v $$Revision: 4.1 $$Date: 92/08/07 17:20:38 $
-
-# This scans passwd file for security holes.
-
-open(Pass,'/etc/passwd') || die "Can't open passwd file: $!\n";
-# $dotriv = (`date` =~ /^Mon/);
-$dotriv = 1;
-
-while (<Pass>) {
- ($login,$pass,$uid,$gid,$gcos,$home,$shell) = split(/:/);
- if ($shell eq '') {
- print "Short: $_";
- }
- next if /^[+]/;
- if ($pass eq '') {
- if (index(":sync:lpq:+:", ":$login:") < 0) {
- print "No pass: $login\t$gcos\n";
- }
- }
- elsif ($dotriv && crypt($login,substr($pass,0,2)) eq $pass) {
- print "Trivial: $login\t$gcos\n";
- }
- if ($uid == 0) {
- if ($login !~ /^.?root$/ && $pass ne '*') {
- print "Extra root: $_";
- }
- }
-}
diff --git a/contrib/perl5/eg/scan/scan_ps b/contrib/perl5/eg/scan/scan_ps
deleted file mode 100644
index 18b5cb2..0000000
--- a/contrib/perl5/eg/scan/scan_ps
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/usr/bin/perl -P
-
-# $RCSfile: scan_ps,v $$Revision: 4.1 $$Date: 92/08/07 17:20:40 $
-
-# This looks for looping processes.
-
-#if defined(mc300) || defined(mc500) || defined(mc700)
-open(Ps, '/bin/ps -el|') || die "scan_ps: can't run ps";
-
-while (<Ps>) {
- next if /rwhod/;
- print if index(' T', substr($_,62,1)) < 0;
-}
-#else
-open(Ps, '/bin/ps auxww|') || die "scan_ps: can't run ps";
-
-while (<Ps>) {
- next if /dataserver/;
- next if /nfsd/;
- next if /update/;
- next if /ypserv/;
- next if /rwhod/;
- next if /routed/;
- next if /pagedaemon/;
-#ifdef vax
- ($user,$pid,$cpu,$mem,$sz,$rss,$tt,$stat,$start,$time) = split;
-#else
- ($user,$pid,$cpu,$mem,$sz,$rss,$tt,$stat,$time) = split;
-#endif
- print if length($time) > 4;
-}
-#endif
diff --git a/contrib/perl5/eg/scan/scan_sudo b/contrib/perl5/eg/scan/scan_sudo
deleted file mode 100644
index 5b143e9..0000000
--- a/contrib/perl5/eg/scan/scan_sudo
+++ /dev/null
@@ -1,54 +0,0 @@
-#!/usr/bin/perl -P
-
-# $RCSfile: scan_sudo,v $$Revision: 4.1 $$Date: 92/08/07 17:20:42 $
-
-# Analyze the sudo log.
-
-chdir('/usr/adm/private/memories') || die "Can't cd to memories: $!\n";
-
-if (open(Oldsudo,'oldsudo')) {
- $maxpos = <Oldsudo>;
- close Oldsudo;
-}
-else {
- $maxpos = 0;
- `echo 0 >oldsudo`;
-}
-
-unless (open(Sudo, '/usr/adm/sudo.log')) {
- print "Somebody removed sudo.log!!!\n" if $maxpos;
- exit 0;
-}
-
-($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,$atime,$mtime,$ctime,
- $blksize,$blocks) = stat(Sudo);
-
-if ($size < $maxpos) {
- $maxpos = 0;
- print "Somebody reset sudo.log!!!\n";
-}
-
-seek(Sudo,$maxpos,0);
-
-while (<Sudo>) {
- s/^.* :[ \t]+//;
- s/ipcrm.*/ipcrm/;
- s/kill.*/kill/;
- unless ($seen{$_}++) {
- push(@seen,$_);
- }
- $last = $_;
-}
-$max = tell(Sudo);
-
-open(tmp,'|sort >oldsudo.tmp') || die "Can't create tmp file: $!\n";
-while ($_ = pop(@seen)) {
- print tmp $_;
-}
-close(tmp);
-open(tmp,'oldsudo.tmp') || die "Can't reopen tmp file: $!\n";
-while (<tmp>) {
- print $seen{$_},":\t",$_;
-}
-
-print `(rm -f oldsudo.tmp; echo $max > oldsudo) 2>&1`;
diff --git a/contrib/perl5/eg/scan/scan_suid b/contrib/perl5/eg/scan/scan_suid
deleted file mode 100644
index c10aa58..0000000
--- a/contrib/perl5/eg/scan/scan_suid
+++ /dev/null
@@ -1,84 +0,0 @@ -#!/usr/bin/perl -P - -# $RCSfile: scan_suid,v $$Revision: 4.1 $$Date: 92/08/07 17:20:43 $ - -# Look for new setuid root files. - -chdir '/usr/adm/private/memories' || die "Can't cd to memories: $!\n"; - -($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,$atime,$mtime,$ctime, - $blksize,$blocks) = stat('oldsuid'); -if ($nlink) { - $lasttime = $mtime; - $tmp = $ctime - $atime; - if ($tmp <= 0 || $tmp >= 10) { - print "WARNING: somebody has read oldsuid!\n"; - } - $tmp = $ctime - $mtime; - if ($tmp <= 0 || $tmp >= 10) { - print "WARNING: somebody has modified oldsuid!!!\n"; - } -} else { - $lasttime = time - 60 * 60 * 24; # one day ago -} -$thistime = time; - -#if defined(mc300) || defined(mc500) || defined(mc700) -open(Find, 'find / -perm -04000 -print |') || - die "scan_find: can't run find"; -#else -open(Find, 'find / \( -fstype nfs -prune \) -o -perm -04000 -ls |') || - die "scan_find: can't run find"; -#endif - -open(suid, '>newsuid.tmp'); - -while (<Find>) { - -#if defined(mc300) || defined(mc500) || defined(mc700) - $x = `/bin/ls -il $_`; - $_ = $x; - s/^ *//; - ($inode,$perm,$links,$owner,$group,$size,$month,$day,$time,$name) - = split; -#else - s/^ *//; - ($inode,$blocks,$perm,$links,$owner,$group,$size,$month,$day,$time,$name) - = split; -#endif - - if ($perm =~ /[sS]/ && $owner eq 'root') { - ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,$atime,$mtime,$ctime, - $blksize,$blocks) = stat($name); - $foo = sprintf("%10s%3s %-8s %-8s%9s %3s %2s %s %s\n", - $perm,$links,$owner,$group,$size,$month,$day,$name,$inode); - print suid $foo; - if ($ctime > $lasttime) { - if ($ctime > $thistime) { - print "Future file: $foo"; - } - else { - $ct .= $foo; - } - } - } -} -close(suid); - -print `sort +7 -8 newsuid.tmp >newsuid 2>&1`; -$foo = `/bin/diff oldsuid newsuid 2>&1`; -print "Differences in suid info:\n",$foo if $foo; -print `mv oldsuid oldoldsuid 2>&1; mv newsuid oldsuid 2>&1`; -print `touch oldsuid 2>&1;sleep 2 2>&1;chmod o+w oldsuid 2>&1`; -print `rm 
-f newsuid.tmp 2>&1`; - -@ct = split(/\n/,$ct); -$ct = ''; -$* = 1; -while ($#ct >= 0) { - $tmp = shift(@ct); - unless ($foo =~ "^>.*$tmp\n") { $ct .= "$tmp\n"; } -} - -print "Inode changed since last time:\n",$ct if $ct; - diff --git a/contrib/perl5/eg/scan/scanner b/contrib/perl5/eg/scan/scanner deleted file mode 100644 index e73cdc8..0000000 --- a/contrib/perl5/eg/scan/scanner +++ /dev/null 
@@ -1,87 +0,0 @@ -#!/usr/bin/perl - -# $RCSfile: scanner,v $$Revision: 4.1 $$Date: 92/08/07 17:20:44 $ - -# This runs all the scan_* routines on all the machines in /etc/ghosts. -# We run this every morning at about 6 am: - -# !/bin/sh -# cd /usr/adm/private -# decrypt scanner | perl >scan.out 2>&1 -# mail admin <scan.out - -# Note that the scan_* files should be encrypted with the key "-inquire", and -# scanner should be encrypted somehow so that people can't find that key. -# I leave it up to you to figure out how to unencrypt it before executing. - -$ENV{'PATH'} = '/bin:/usr/bin:/usr/local/bin:/usr/ucb:.'; - -$| = 1; # command buffering on stdout - -print "Subject: bizarre happenings\n\n"; - -(chdir '/usr/adm/private') || die "Can't cd to /usr/adm/private: $!\n"; - -if ($#ARGV >= 0) { - @scanlist = @ARGV; -} else { - @scanlist = split(/[ \t\n]+/,`echo scan_*`); -} - -scan: while ($scan = shift(@scanlist)) { - print "\n********** $scan **********\n"; - $showhost++; - - $systype = 'all'; - - open(ghosts, '/etc/ghosts') || die 'No /etc/ghosts file'; - - $one_of_these = ":$systype:"; - if ($systype =~ s/\+/[+]/g) { - $one_of_these =~ s/\+/:/g; - } - - line: while (<ghosts>) { - s/[ \t]*\n//; - if (!$_ || /^#/) { - next line; - } - if (/^([a-zA-Z_0-9]+)=(.+)/) { - $name = $1; $repl = $2; - $repl =~ s/\+/:/g; - $one_of_these =~ s/:$name:/:$repl:/; - next line; - } - @gh = split; - $host = $gh[0]; - if ($showhost) { $showhost = "$host:\t"; } - class: while ($class = pop(gh)) { - if (index($one_of_these,":$class:") >=0) { - $iter = 0; - `exec crypt -inquire <$scan >.x 2>/dev/null`; - unless (open(scan,'.x')) { - print "Can't run $scan: $!\n"; - next scan; - } - $cmd = <scan>; - unless ($cmd =~ s/#!(.*)\n/$1/) { - $cmd = '/usr/bin/perl'; - } - close(scan); - if (open(PIPE,"exec rsh $host '$cmd' <.x|")) { - sleep(5); - unlink '.x'; - while (<PIPE>) { - last if $iter++ > 1000; # must be looping - next if /^[0-9.]+u [0-9.]+s/; - print $showhost,$_; - } - close(PIPE); - } 
else { - print "(Can't execute rsh: $!)\n"; - } - last class; - } - } - } -} |