blob: 96ffc288de0f1a789fe1a9b39155e51d67d66a3a (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
|
#!/bin/sh -
#
# @(#)security 5.3 (Berkeley) 5/28/91
# $FreeBSD$
#
PATH=/sbin:/bin:/usr/bin
LC_ALL=C; export LC_ALL
separator () {
echo ''
echo ''
}
yesterday=`date -v-1d "+%b %e "`
host=`hostname`
echo "Subject: ${host} security check output"
LOG=/var/log
TMP=/var/run/_secure.$$
umask 027
echo "checking setuid files and devices:"
# Don't have ncheck, but this does the equivalent of the commented out block.
# Note that one of the original problems, the possibility of overrunning
# the args to ls, is still here...
#
MP=`mount -t ufs | grep -v " nosuid" | sed 's;/dev/;&r;' | awk '{ print $3 }'`
set ${MP}
while [ $# -ge 1 ]; do
mount=$1
shift
find $mount -xdev -type f \
\( -perm -u+x -or -perm -g+x -or -perm -o+x \) \
\( -perm -u+s -or -perm -g+s \) -print0
done | xargs -0 -n 20 ls -lTd | sort +9 > ${TMP}
if [ ! -f ${LOG}/setuid.today ]; then
separator
echo "no ${LOG}/setuid.today"
cp ${TMP} ${LOG}/setuid.today
fi
if cmp ${LOG}/setuid.today ${TMP} >/dev/null; then :; else
separator
echo "${host} setuid diffs:"
diff -b ${LOG}/setuid.today ${TMP}
mv ${LOG}/setuid.today ${LOG}/setuid.yesterday
mv ${TMP} ${LOG}/setuid.today
fi
separator
echo "checking for uids of 0:"
awk -F: '$3==0 {print $1,$3}' /etc/master.passwd
separator
echo "checking for passwordless accounts:"
awk -F: 'NF > 1 && $1 !~ /^[#+]/ && $2=="" {print $0}' /etc/master.passwd
# Show denied packets
#
if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
if [ ! -f ${LOG}/ipfw.today ]; then
separator
echo "no ${LOG}/ipfw.today"
cp ${TMP} ${LOG}/ipfw.today
fi
if cmp ${LOG}/ipfw.today ${TMP} >/dev/null; then :; else
separator
echo "${host} denied packets:"
diff -b ${LOG}/ipfw.today ${TMP} | egrep "^>"
mv ${LOG}/ipfw.today ${LOG}/ipfw.yesterday
mv ${TMP} ${LOG}/ipfw.today
fi
fi
# Show ipfw rules which have reached the log limit
#
IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
if [ $? -eq 0 -a "${IPFW_LOG_LIMIT}" -ne 0 ]; then
ipfw -a l | grep " log " | perl -n -e \
'/^\d+\s+(\d+)/; print if ($1 >= '$IPFW_LOG_LIMIT')' > ${TMP}
if [ -s "${TMP}" ]; then
separator
echo "ipfw log limit reached:"
cat ${TMP}
fi
fi
# Show kernel log messages
#
if dmesg 2>/dev/null > ${TMP}; then
if [ ! -f ${LOG}/dmesg.today ]; then
separator
echo "no ${LOG}/dmesg.today"
cp ${TMP} ${LOG}/dmesg.today
fi
if cmp ${LOG}/dmesg.today ${TMP} >/dev/null 2>&1; then :; else
separator
echo "${host} kernel log messages:"
diff -b ${LOG}/dmesg.today ${TMP} | egrep "^>"
mv ${LOG}/dmesg.today ${LOG}/dmesg.yesterday
mv ${TMP} ${LOG}/dmesg.today
fi
fi
# Show login failures
#
separator
echo "${host} login failures:"
zcat -f $LOG/messages.0* $LOG/messages | grep -i "^$yesterday.*login failure"
# Show tcp_wrapper warning messages
#
separator
echo "${host} refused connections:"
zcat -f $LOG/messages.0* $LOG/messages | grep -i "^$yesterday.*refused connect"
rm -f ${TMP}
|