From owner-freebsd-questions@FreeBSD.ORG Fri Jul 25 14:13:04 2003
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3E5BD37B401 for ; Fri, 25 Jul 2003 14:13:04 -0700 (PDT)
Received: from ns.pro.sk (proxy.pro.sk [195.80.161.199]) by mx1.FreeBSD.org (Postfix) with ESMTP id 799CC43FBF for ; Fri, 25 Jul 2003 14:13:02 -0700 (PDT) (envelope-from prosa@pro.sk)
Received: from peter (Peter [192.168.1.53]) by ns.pro.sk (8.11.3/8.11.3) with SMTP id h6PLD0E87777 for ; Fri, 25 Jul 2003 23:13:01 +0200 (CEST) (envelope-from prosa@pro.sk)
Message-ID: <02fd01c352f1$76e7bb00$3501a8c0@pro.sk>
From: "Peter Rosa"
To: "freebsd-questions"
Date: Fri, 25 Jul 2003 23:12:32 +0200
Organization: PRO, s.r.o.
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.1700
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
Subject: Fw: Problem with periodically done scripts
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 25 Jul 2003 21:13:04 -0000

> Well, I have tried it. When I type exactly the same command
> awk -F: '$3==0 {print $1,$3}' /etc/master.passwd | tee /dev/stderr | sed -e '/^root 0$/d' -e '/^toor 0$/d' | wc -l
> at the prompt, it works well. So the error must be around [ -gt 0 -a -lt 1 ] && rc==1
>
> Of course, I *have* /etc/master.passwd.
>
> The whole /etc/security script follows:
> #!/bin/sh -
>
> PATH=/sbin:/bin:/usr/bin
> LC_ALL=C; export LC_ALL
> rc=0
> LOG=/var/log
> TMP=/var/run/_secure.$$
>
> separator () {
>     echo ''
>     echo ''
> }
>
> catmsgs() {
>     find $LOG -name 'messages.*' -mtime -2 |
>         sort -t. -r -n +1 -2 |
>         xargs zcat -f
>     [ -f $LOG/messages ] && cat $LOG/messages
> }
>
> sflag=FALSE ignore=
> while getopts ams c
> do
>     case "$c" in
>     a) ignore="$ignore|^amd:";;
>     m) ignore="$ignore|^mfs:";;
>     s) sflag=TRUE;;
>     esac
> done
>
> yesterday=`date -v-1d "+%b %e "`
>
> host=`hostname`
> [ $sflag = FALSE ] && echo "Subject: ${host} security check output"
>
> umask 027
>
> echo 'Checking setuid files and devices:'
>
> # Don't have ncheck, but this does the equivalent of the commented out block.
> # Note that one of the original problems, the possibility of overrunning
> # the args to ls, is still here...
> #
> MP=`mount -t ufs | grep -v " nosuid" | awk '{ print $3 }' | sort`
> set ${MP}
> while [ $# -ge 1 ]; do
>     mount=$1
>     shift
>     find $mount -xdev -type f \
>         \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \
>         \( -perm -u+s -or -perm -g+s \) -print0
> done | xargs -0 -n 20 ls -liTd | sort +10 > ${TMP}
>
> if [ ! -f ${LOG}/setuid.today ]; then
>     [ $rc -lt 1 ] && rc=1
>     separator
>     echo "No ${LOG}/setuid.today"
>     cp ${TMP} ${LOG}/setuid.today || rc=3
> fi
>
> if ! cmp ${LOG}/setuid.today ${TMP} >/dev/null; then
>     [ $rc -lt 1 ] && rc=1
>     separator
>     echo "${host} setuid diffs:"
>     diff -w ${LOG}/setuid.today ${TMP}
>     mv ${LOG}/setuid.today ${LOG}/setuid.yesterday || rc=3
>     mv ${TMP} ${LOG}/setuid.today || rc=3
> fi
>
> # Show changes in the way filesystems are mounted
> #
> [ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat
> if mount -p | $cmd > $TMP; then
>     if [ ! -f $LOG/mount.today ]; then
>         [ $rc -lt 1 ] && rc=1
>         separator
>         echo "No $LOG/mount.today"
>         cp $TMP $LOG/mount.today || rc=3
>     fi
>     if ! cmp $LOG/mount.today $TMP >/dev/null 2>&1; then
>         [ $rc -lt 1 ] && rc=1
>         separator
>         echo "$host changes in mounted filesystems:"
>         diff -b $LOG/mount.today $TMP
>         mv $LOG/mount.today $LOG/mount.yesterday || rc=3
>         mv $TMP $LOG/mount.today || rc=3
>     fi
> fi
>
> separator
> echo 'Checking for uids of 0:'
> n=$(awk -F: '$3==0 {print $1,$3}' /etc/master.passwd |
>     tee /dev/stderr |
>     sed -e '/^root 0$/d' -e '/^toor 0$/d' |
>     wc -l)
> [ $n -gt 0 -a $rc -lt 1 ] && rc=1
>
> separator
> echo 'Checking for passwordless accounts:'
> n=$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/master.passwd |
>     tee /dev/stderr | wc -l)
> [ $n -gt 0 -a $rc -lt 1 ] && rc=1
>
> # Show denied packets
> #
> if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
>     if [ ! -f ${LOG}/ipfw.today ]; then
>         [ $rc -lt 1 ] && rc=1
>         separator
>         echo "No ${LOG}/ipfw.today"
>         cp ${TMP} ${LOG}/ipfw.today || rc=3
>     fi
>
>     if ! cmp ${LOG}/ipfw.today ${TMP} >/dev/null; then
>         [ $rc -lt 1 ] && rc=1
>         separator
>         echo "${host} denied packets:"
>         diff -b ${LOG}/ipfw.today ${TMP} | egrep "^>"
>         mv ${LOG}/ipfw.today ${LOG}/ipfw.yesterday || rc=3
>         mv ${TMP} ${LOG}/ipfw.today || rc=3
>     fi
> fi
>
> # Show ipfw rules which have reached the log limit
> #
> IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
> if [ $? -eq 0 -a "${IPFW_LOG_LIMIT}" -ne 0 ]; then
>     ipfw -a l | grep " log " | perl -n -e \
>         '/^\d+\s+(\d+)/; print if ($1 >= '$IPFW_LOG_LIMIT')' > ${TMP}
>     if [ -s "${TMP}" ]; then
>         [ $rc -lt 1 ] && rc=1
>         separator
>         echo 'ipfw log limit reached:'
>         cat ${TMP}
>     fi
> fi
>
> # Show kernel log messages
> #
> if dmesg 2>/dev/null > ${TMP}; then
>     if [ ! -f ${LOG}/dmesg.today ]; then
>         [ $rc -lt 1 ] && rc=1
>         separator
>         echo "No ${LOG}/dmesg.today"
>         cp ${TMP} ${LOG}/dmesg.today || rc=3
>     fi
>
>     if ! cmp ${LOG}/dmesg.today ${TMP} >/dev/null 2>&1; then
>         [ $rc -lt 1 ] && rc=1
>         separator
>         echo "${host} kernel log messages:"
>         diff -b ${LOG}/dmesg.today ${TMP} | egrep "^>"
>         mv ${LOG}/dmesg.today ${LOG}/dmesg.yesterday || rc=3
>         mv ${TMP} ${LOG}/dmesg.today || rc=3
>     fi
> fi
>
> # Show login failures
> #
> separator
> echo "${host} login failures:"
> n=$(catmsgs | grep -i "^$yesterday.*login failure" | tee /dev/stderr | wc -l)
> [ $n -gt 0 -a $rc -lt 1 ] && rc=1
>
> # Show tcp_wrapper warning messages
> #
> separator
> echo "${host} refused connections:"
> n=$(catmsgs | grep -i "^$yesterday.*refused connect" | tee /dev/stderr | wc -l)
> [ $n -gt 0 -a $rc -lt 1 ] && rc=1
>
> # Show denied secondary bind transfer attempts
> #
> separator
> echo "$host checking for denied secondary zone transfers:"
> n=$(catmsgs | grep -i -E "denied (AXFR|IXFR) from" | tee /dev/stderr | wc -l)
> [ $n -gt 0 -a $rc -lt 1 ] && rc=1
>
> rm -f ${TMP}
>
> exit $rc
> # ---------------------------------------------------------------------------
>
>
> Peter Rosa
>
> ----- Original Message -----
> From: "Lowell Gilbert"
> To:
> Sent: Friday, July 25, 2003 10:54 PM
> Subject: Re: Problem with periodically done scripts
>
>
> > "Peter Rosa" writes:
> >
> > > > > From: "Peter Rosa"
> > > > > To:
> > > > > Cc: "freebsd-questions"
> > > > > Sent: Friday, July 25, 2003 6:59 PM
> > > > > Subject: Re: Problem with periodically done scripts
> > > > >
> > > > >
> > > > > > Here is the complete listing. Do you have any idea?
> > > > > >
> > > > > > + echo Checking for uids of 0:
> > > > > > Checking for uids of 0:
> > > > > > + awk -F: $3==0 {print $1,$3} /etc/master.passwd
> > > > > > + tee /dev/stderr
> > > > > > root 0
> > > > > > toor 0
> > > > > > + sed -e /^root 0$/d -e /^toor 0$/d
> > > > > > + wc -l
> > > > > > + n=
> > > > > > + [ -gt 0 -a -lt 1 ]
> >
> > 'n' isn't getting set at all.
> >
> > Try the awk script by hand, and see what happens.
> > [You do *have* an /etc/master.passwd, right?]
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
> >
>
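The "uids of 0" and "passwordless accounts" checks from the quoted /etc/security script, as an added example that is not part of this thread and not FreeBSD's own script. It runs the same awk/sed/wc pipelines against a constructed master.passwd fixture written to a temp directory, so the logic can be exercised without root and without touching the real file, and it defaults the count to 0 before the numeric test so that an empty command substitution (the `[ -gt 0 -a -lt 1 ]` seen in the trace) yields a clean "nothing found" instead of a test(1) syntax error. The fixture path, the account entries in it and the function names are assumptions made for the example; it does not claim to explain why `n` was empty on Peter's machine.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD's /etc/security.
# Exercises the uid-0 and passwordless-account checks against a constructed
# master.passwd fixture (assumption: path below is free to use).

PASSWD_FIXTURE="${TMPDIR:-/tmp}/master.passwd.example.$$"

# Constructed sample in master.passwd format (all entries are made up):
# name:password:uid:gid:class:change:expire:gecos:home:shell
make_fixture() {
    cat > "$PASSWD_FIXTURE" <<'EOF'
# comment::1:1::0:0:commented out, password field empty:/nonexistent:/usr/sbin/nologin
root:$1$hash$placeholder:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
backdoor:*:0:0::0:0:Extra uid-0 account:/home/backdoor:/bin/sh
guest::1001:1001::0:0:Guest with empty password:/home/guest:/bin/sh
alice:$1$hash$placeholder:1002:1002::0:0:Alice:/home/alice:/bin/sh
+@netgroup::::::::
EOF
}

# Count uid-0 accounts other than root and toor (same pipeline as the quoted
# script). tee /dev/stderr is kept so the operator sees *which* names matched;
# tr strips the leading blanks BSD wc prints so the result is a bare number.
count_extra_uid0() {
    awk -F: '$3==0 {print $1,$3}' "$1" |
        tee /dev/stderr |
        sed -e '/^root 0$/d' -e '/^toor 0$/d' |
        wc -l | tr -d ' '
}

# Count entries with an empty password field, skipping comment lines and
# NIS/netgroup (+/-) entries exactly as the quoted awk program does.
count_passwordless() {
    awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' "$1" |
        tee /dev/stderr |
        wc -l | tr -d ' '
}

# Mirror the script's rc handling. "${n:-0}" guarantees test(1) always sees
# a numeric operand, so an empty substitution cannot turn into
# "[ -gt 0 -a -lt 1 ]"; the comparison is also quoted for the same reason.
check_file() {
    file=$1
    rc=0
    n=$(count_extra_uid0 "$file")
    if [ "${n:-0}" -gt 0 ]; then rc=1; fi
    n=$(count_passwordless "$file")
    if [ "${n:-0}" -gt 0 ]; then rc=1; fi
    echo "$rc"
}

# Stand-alone run: build the fixture, evaluate it, print the exit code the
# script would have returned, clean up. Expected: rc=1 (backdoor, guest).
make_fixture
echo "rc=$(check_file "$PASSWD_FIXTURE")"
rm -f "$PASSWD_FIXTURE"
```

Run it as `sh` (or `sh -x` to see the same trace format as in the thread); the matched entries go to stderr and the final rc to stdout, so the two can be separated when the check is wired into periodic mail.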