#!/bin/sh - # # @(#)security 5.3 (Berkeley) 5/28/91 # $FreeBSD$ # PATH=/sbin:/bin:/usr/bin LC_ALL=C; export LC_ALL separator () { echo "" echo "" } host=`hostname` echo "Subject: ${host} security check output" LOG=/var/log TMP=/var/run/_secure.$$ umask 027 echo "checking setuid files and devices:" # don't have ncheck, but this does the equivalent of the commented out block. # note that one of the original problem, the possibility of overrunning # the args to ls, is still here... # MP=`mount -t ufs | grep -v " nosuid" | sed 's;/dev/;&r;' | awk '{ print $3 }'` set ${MP} while test $# -ge 1; do mount=$1 shift find $mount -xdev -type f \ \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \ \( -perm -u+s -or -perm -g+s \) -print0 done | xargs -0 -n 20 ls -lTd | sort +9 > ${TMP} if [ ! -f ${LOG}/setuid.today ] ; then separator echo "no ${LOG}/setuid.today" cp ${TMP} ${LOG}/setuid.today fi if cmp ${LOG}/setuid.today ${TMP} >/dev/null; then :; else separator echo "${host} setuid diffs:" diff -b ${LOG}/setuid.today ${TMP} mv ${LOG}/setuid.today ${LOG}/setuid.yesterday mv ${TMP} ${LOG}/setuid.today fi separator echo "checking for uids of 0:" awk -F: '$3==0 {print $1,$3}' /etc/master.passwd separator echo "checking for passwordless accounts:" awk -F: '$1 !~ /^\+/ && $2=="" {print $0}' /etc/master.passwd # show denied packets if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then if [ ! -f ${LOG}/ipfw.today ] ; then separator echo "no ${LOG}/ipfw.today" cp ${TMP} ${LOG}/ipfw.today fi if cmp ${LOG}/ipfw.today ${TMP} >/dev/null; then :; else separator echo "${host} denied packets:" diff -b ${LOG}/ipfw.today ${TMP} | egrep "^>" mv ${LOG}/ipfw.today ${LOG}/ipfw.yesterday mv ${TMP} ${LOG}/ipfw.today fi fi # show ipfw rules which have reached the log limit IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null` if [ $? -eq 0 ] && [ ${IPFW_LOG_LIMIT} -ne 0 ]; then ipfw -a l | grep " log " | perl -n -e \ '/^\d+\s+(\d+)/; print if ($1 >= '$IPFW_LOG_LIMIT')' > ${TMP} if [ -s ${TMP} ]; then separator echo "ipfw log limit reached:" cat ${TMP} fi fi # show kernel log messages if dmesg 2>/dev/null > ${TMP}; then if [ ! -f ${LOG}/dmesg.today ] ; then separator echo "no ${LOG}/dmesg.today" cp ${TMP} ${LOG}/dmesg.today fi if cmp ${LOG}/dmesg.today ${TMP} >/dev/null 2>&1; then :; else separator echo "${host} kernel log messages:" diff -b ${LOG}/dmesg.today ${TMP} | egrep "^>" mv ${LOG}/dmesg.today ${LOG}/dmesg.yesterday mv ${TMP} ${LOG}/dmesg.today fi fi # show login failures separator echo "${host} login failures:" grep -i "login failure" ${LOG}/messages # show tcp_wrapper warning messages separator echo "${host} refused connections:" grep -i "refused connect" ${LOG}/messages rm -f ${TMP}