summaryrefslogtreecommitdiffstats
path: root/etc/security
blob: bf0094e6bf382f4bd8f459dfedca53975e663462 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
#!/bin/sh -
#
#	@(#)security	5.3 (Berkeley) 5/28/91
#	$Id: security,v 1.26 1998/08/11 08:48:54 des Exp $
#
PATH=/sbin:/bin:/usr/bin
LC_ALL=C; export LC_ALL

separator () {
	echo ""
	echo ""
}

host=`hostname -s`
echo "Subject: $host security check output"

LOG=/var/log
TMP=/var/run/_secure.$$

umask 027

echo "checking setuid files and devices:"

# don't have ncheck, but this does the equivalent of the commented out block.
# note that one of the original problem, the possibility of overrunning
# the args to ls, is still here...
#
MP=`mount -t ufs | grep -v " nosuid" | sed 's;/dev/;&r;' | awk '{ print $3 }'`
set $MP
while test $# -ge 1; do
	mount=$1
	shift
	find $mount -xdev -type f \
		\( -perm -u+x -or -perm -g+x -or -perm -o+x \) \
		\( -perm -u+s -or -perm -g+s \)  -print0
done | xargs -0 -n 20 ls -lTd | sort +9 > $TMP

if [ ! -f $LOG/setuid.today ] ; then
	separator
	echo "no $LOG/setuid.today"
	cp $TMP $LOG/setuid.today
fi
if cmp $LOG/setuid.today $TMP >/dev/null; then :; else
	separator
	echo "$host setuid diffs:"
	diff -b $LOG/setuid.today $TMP
	mv $LOG/setuid.today $LOG/setuid.yesterday
	mv $TMP $LOG/setuid.today
fi

separator
echo "checking for uids of 0:"
awk -F: '$3==0 {print $1,$3}' /etc/master.passwd

separator
echo "checking for passwordless accounts:"
awk -F: '$2=="" {print $0}' /etc/master.passwd

# show denied packets
if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > $TMP; then
	if [ ! -f $LOG/ipfw.today ] ; then
		separator
		echo "no $LOG/ipfw.today"
		cp $TMP $LOG/ipfw.today
	fi
	if cmp $LOG/ipfw.today $TMP >/dev/null; then :; else
		separator
	        echo "$host denied packets:"
	        diff -b $LOG/ipfw.today $TMP | egrep "^>"
	        mv $LOG/ipfw.today $LOG/ipfw.yesterday
	        mv $TMP $LOG/ipfw.today
	fi
fi

# show ipfw rules which have reached the log limit
IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
if [ $? -eq 0 ] && [ $IPFW_LOG_LIMIT -ne 0 ]; then
	ipfw -a l | grep " log " | perl -n -e \
		'/^\d+\s+(\d+)/; print if ($1 >= '$IPFW_LOG_LIMIT')' > $TMP
	if [ -s $TMP ]; then
		separator
		echo "ipfw log limit reached:"
		cat $TMP
	fi
fi

# show kernel log messages
if dmesg 2>/dev/null > $TMP; then
	if [ ! -f $LOG/dmesg.today ] ; then
		separator
		echo "no $LOG/dmesg.today"
		cp $TMP $LOG/dmesg.today
	fi
	if cmp $LOG/dmesg.today $TMP >/dev/null 2>&1; then :; else
		separator
	        echo "$host kernel log messages:"
	        diff -b $LOG/dmesg.today $TMP | egrep "^>"
	        mv $LOG/dmesg.today $LOG/dmesg.yesterday
	        mv $TMP $LOG/dmesg.today
	fi
fi

# show login failures
separator
echo "$host login failures:"
grep -i "login failures" $LOG/messages

# show tcp_wrapper warning messages
separator
echo "$host refused connections:"
grep -i "refused connect" $LOG/messages

rm -f $TMP
OpenPOWER on IntegriCloud