Date:      Sat, 28 Oct 2000 14:20:45 -0400
From:      Peter Halliday <peter@wslogic.com>
To:        freebsd-current@freebsd.org
Subject:   /etc/security suggestions
Message-ID:  <39FB18FD.C689EC8E@wslogic.com>

This is a multi-part message in MIME format.
--------------1A445F45C3701398F76F6B71
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

I have ported the /etc/security script to Linux, and wanted to mention
some of the changes that I made.  Maybe they will help you in developing
/etc/security.  



-- 
Peter Halliday
Online Application Developer
Whetstone Logic, Inc.       http://www.whetstonelogic.com
icq#75769411           AIM screen name: hoaggelos
--------------1A445F45C3701398F76F6B71
Content-Type: text/plain; charset=us-ascii;
 name="diffs"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="diffs"


@@ -1,14 +1,19 @@
 
 #
 #       @(#)security    5.3 (Berkeley) 5/28/91
 # $FreeBSD: src/etc/security,v 1.36.2.6 2000/09/20 20:16:19 brian Exp $
 #
-PATH=/sbin:/bin:/usr/bin
+#       THIS PRODUCT COMES WITH NO EXPLICIT OR IMPLICIT WARRANTEES OR
+#       GUARANTEES.  THE AUTHOR IS NOT RESPONSIBLE FOR ANY DAMAGE THAT MAY
+#       OCCUR
+VERSION=0.1.0
+PATH=/bin;/usr/bin;/sbin;/usr/sbin
 LC_ALL=C; export LC_ALL
 rc=0
 LOG=/var/log
-TMP=/var/run/_secure.$$
+IFS=' 	
+'
+TMP=`/bin/mktemp /var/run/_secure.XXXXXX`
 
 separator () {
         echo ''
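Review bot: The PATH assignment on the `+PATH=/bin;/usr/bin;/sbin;/usr/sbin` line uses `;` as the separator, so the shell sets PATH to `/bin` alone and then tries to execute `/usr/bin`, `/sbin` and `/usr/sbin` as commands; it should read `PATH=/bin:/usr/bin:/sbin:/usr/sbin`. With PATH reduced to /bin, later unqualified calls such as `find`, `sort`, `cut`, `awk` and `mount` resolve only if they happen to live in /bin, which may be why the patch adds absolute paths elsewhere. The mktemp result is also unchecked: if it fails, `TMP` is empty and every later `> ${TMP}` redirection fails, so `TMP=`/bin/mktemp /var/run/_secure.XXXXXX` || exit 3` would stop the run instead of continuing with a bad path.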
@@ -16,8 +21,7 @@
 }
 
 catmsgs() {
-  [ -f $LOG/messages.0.gz ] && zcat $LOG/messages.0.gz
-  [ -f $LOG/messages.0 ] && cat $LOG/messages.0
+  [ -f $LOG/messages.1 ] && cat $LOG/messages.1
   [ -f $LOG/messages ] && cat $LOG/messages
 }
 
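Review bot: catmsgs now reads only `$LOG/messages.1` and drops the `zcat` branch, so if the rotated log is compressed (e.g. `messages.1.gz`, which log rotation tools commonly produce) it is silently skipped and the previous day's events never reach the login-failure and refused-connection checks. Keeping a compressed branch alongside the plain one, `[ -f $LOG/messages.1.gz ] && zcat $LOG/messages.1.gz`, would cover both layouts.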
@@ -31,130 +35,165 @@
   esac
 done
 
-yesterday=`date -v-1d "+%b %e "`
+#yesterday=`date -v-1d "+%b %e "`
 
 host=`hostname`
-[ $sflag = FALSE ] && echo "Subject: ${host} security check output"
 
-umask 027
+separator
+echo "security-script $VERSION"
+echo
+echo "THIS PRODUCT COMES WITH NO EXPLICIT OR IMPLICIT WARRANTEES OR GUARANTEES.  THE AUTHOR IS NOT RESPONSIBLE FOR ANY DAMAGE THAT MAY OCCUR."
+
+
+#check roots umask
+if [ "`umask`" != "177" ] ; then
+	separator
+        echo "Root's umask is insecure. Please change it to 177"
+fi
+umask 177
+
 
-echo "checking setuid files and devices:"
 
 # Don't have ncheck, but this does the equivalent of the commented out block.
 # Note that one of the original problems, the possibility of overrunning
 # the args to ls, is still here...
 #
-MP=`mount -t ufs | grep -v " nosuid" | awk '{ print $3 }' | sort`
+MP=`mount -t ext2,reiserfs,ufs 2>/dev/null | grep -v " nosuid" | awk '{ print $3 }' | sort`
 set ${MP}
 while [ $# -ge 1 ]; do
         mount=$1
         shift
         find $mount -xdev -type f \
                 \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \
-                \( -perm -u+s -or -perm -g+s \) -print0
-done | xargs -0 -n 20 ls -liTd | sort +10 > ${TMP}
+                \( -perm -u+s -or -perm -g+s \) -print0 2>/dev/null
+done | xargs -0 -n 20 /bin/ls -lid | sort +10 > ${TMP}
 
 if [ ! -f ${LOG}/setuid.today ]; then
         [ $rc -lt 1 ] && rc=1
-        separator
+	separator
+	echo "checking setuid files and devices:"
         echo "no ${LOG}/setuid.today"
-        cp ${TMP} ${LOG}/setuid.today || rc=3
+        cp -f ${TMP} ${LOG}/setuid.today || rc=3
 fi
 
 if ! cmp ${LOG}/setuid.today ${TMP} >/dev/null; then
         [ $rc -lt 1 ] && rc=1
-        separator
+	separator
+	echo "checking setuid files and devices:"
         echo "${host} setuid diffs:"
         diff -w ${LOG}/setuid.today ${TMP}
-        mv ${LOG}/setuid.today ${LOG}/setuid.yesterday || rc=3
-        mv ${TMP} ${LOG}/setuid.today || rc=3
+        mv -f ${LOG}/setuid.today ${LOG}/setuid.yesterday || rc=3
+        mv -f ${TMP} ${LOG}/setuid.today || rc=3
+fi
+
+
+
+
+# Don't have ncheck, but this does the equivalent of the commented out block.
+# Note that one of the original problems, the possibility of overrunning
+# the args to ls, is still here...
+#
+RK=`mount -t ext2,reiserfs,ufs 2>/dev/null | grep -v " nosuid" | awk '{ print $3 }' | sort`
+set ${RK}
+while [ $# -ge 1 ]; do
+        mount=$1
+        shift
+        find $mount -name ".*" 2>/dev/null
+done | sort +10 > ${TMP}
+
+
+if [ ! -f ${LOG}/rootkit.today ]; then
+        [ $rc -lt 1 ] && rc=1
+	separator
+	echo "checking for possible rootkits:"
+        echo "no ${LOG}/rootkit.today"
+        cp -f ${TMP} ${LOG}/rootkit.today || rc=3
+fi
+
+if ! cmp ${LOG}/rootkit.today ${TMP} >/dev/null; then
+        [ $rc -lt 1 ] && rc=1
+	separator
+	echo "checking for possible rootkits:"
+        echo "${host} rootkit diffs:"
+        diff -w ${LOG}/rootkit.today ${TMP}
+        mv -f ${LOG}/rootkit.today ${LOG}/rootkit.yesterday || rc=3
+        mv -f ${TMP} ${LOG}/rootkit.today || rc=3
 fi
 
+
+
 # Show changes in the way filesystems are mounted
 #
 [ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat
-if mount -p | $cmd > $TMP; then
+if mount | $cmd > $TMP; then
         if [ ! -f $LOG/mount.today ]; then
                 [ $rc -lt 1 ] && rc=1
-                separator
+		separator
+		echo "Checking diffs in mounting of filesystems:"
                 echo "no $LOG/mount.today"
-                cp $TMP $LOG/mount.today || rc=3
+                cp -f $TMP $LOG/mount.today || rc=3
         fi
         if ! cmp $LOG/mount.today $TMP >/dev/null 2>&1; then
                 [ $rc -lt 1 ] && rc=1
-                separator
+		separator
+		echo "Checking diffs in mounting of filesystems:"
                 echo "$host changes in mounted filesystems:"
                 diff -b $LOG/mount.today $TMP
-                mv $LOG/mount.today $LOG/mount.yesterday || rc=3
-                mv $TMP $LOG/mount.today || rc=3
+                mv -f $LOG/mount.today $LOG/mount.yesterday || rc=3
+                mv -f $TMP $LOG/mount.today || rc=3
         fi
 fi
 
 separator
 echo "checking for uids of 0:"
-n=$(awk -F: '$3==0 {print $1,$3}' /etc/master.passwd |
-    tee /dev/stderr |
-    sed -e '/^root 0$/d' -e '/^toor 0$/d' |
-    wc -l)
-[ $n -gt 0 -a $rc -lt 1 ] && rc=1
-
+awk -F: '$3==0 {print $1,$3}' /etc/passwd
+ 
 separator
 echo "checking for passwordless accounts:"
-n=$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/master.passwd |
-    tee /dev/stderr | wc -l)
-[ $n -gt 0 -a $rc -lt 1 ] && rc=1
-
+awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/passwd
+ 
 # Show denied packets
 #
-if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
-        if [ ! -f ${LOG}/ipfw.today ]; then
+if /sbin/ipchains -L -v --line-numbers 2>/dev/null | egrep "DENY|REJECT" > ${TMP}; then
+        if [ ! -f ${LOG}/ipchains.today ]; then
                 [ $rc -lt 1 ] && rc=1
-                separator
-                echo "no ${LOG}/ipfw.today"
-                cp ${TMP} ${LOG}/ipfw.today || rc=3
+		separator
+		echo "Checking fire wall rule count:"
+                echo "no ${LOG}/ipchains.today"
+                cp -f ${TMP} ${LOG}/ipchains.today || rc=3
         fi
 
-        if ! cmp ${LOG}/ipfw.today ${TMP} >/dev/null; then
+        if ! cmp ${LOG}/ipchains.today ${TMP} >/dev/null; then
                 [ $rc -lt 1 ] && rc=1
-                separator
-                echo "${host} denied packets:"
-                diff -b ${LOG}/ipfw.today ${TMP} | egrep "^>"
-                mv ${LOG}/ipfw.today ${LOG}/ipfw.yesterday || rc=3
-                mv ${TMP} ${LOG}/ipfw.today || rc=3
+		separator
+		echo "Checking fire wall rule count:"
+                echo "${host} denied or rejected packets:"
+                diff -b ${LOG}/ipchains.today ${TMP} | egrep "^>"
+                mv -f ${LOG}/ipchains.today ${LOG}/ipchains.yesterday || rc=3
+                mv -f ${TMP} ${LOG}/ipchains.today || rc=3
         fi
 fi
 
-# Show ipfw rules which have reached the log limit
-#
-IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
-if [ $? -eq 0 -a "${IPFW_LOG_LIMIT}" -ne 0 ]; then
-        ipfw -a l | grep " log " | perl -n -e \
-                '/^\d+\s+(\d+)/; print if ($1 >= '$IPFW_LOG_LIMIT')' > ${TMP}
-        if [ -s "${TMP}" ]; then
-                [ $rc -lt 1 ] && rc=1
-                separator
-                echo "ipfw log limit reached:"
-                cat ${TMP}
-        fi
-fi
 
 # Show kernel log messages
 #
-if dmesg 2>/dev/null > ${TMP}; then
+if /bin/dmesg 2>/dev/null > ${TMP}; then
         if [ ! -f ${LOG}/dmesg.today ]; then
                 [ $rc -lt 1 ] && rc=1
-                separator
+		separator
+		echo "Checking kernal message:"
                 echo "no ${LOG}/dmesg.today"
-                cp ${TMP} ${LOG}/dmesg.today || rc=3
+                cp -f ${TMP} ${LOG}/dmesg.today || rc=3
         fi
 
         if ! cmp ${LOG}/dmesg.today ${TMP} >/dev/null 2>&1; then
                 [ $rc -lt 1 ] && rc=1
-                separator
+		separator
+		echo "Checking kernal message:"
                 echo "${host} kernel log messages:"
                 diff -b ${LOG}/dmesg.today ${TMP} | egrep "^>"
-                mv ${LOG}/dmesg.today ${LOG}/dmesg.yesterday || rc=3
-                mv ${TMP} ${LOG}/dmesg.today || rc=3
+                mv -f ${LOG}/dmesg.today ${LOG}/dmesg.yesterday || rc=3
+                mv -f ${TMP} ${LOG}/dmesg.today || rc=3
         fi
 fi
 
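Review bot: The passwordless-account check on the `+awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/passwd` line inspects field 2 of /etc/passwd, but on a shadow-password system that field holds `x` and the real hash lives in field 2 of /etc/shadow, so an account with an empty password is never reported; the same line also drops the `n=$(... | wc -l)` / `rc=1` logic, as does the uid-0 check above it, so the exit status no longer reflects findings. Restoring the count and adding the shadow file covers both: `n=$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/passwd /etc/shadow 2>/dev/null | tee /dev/stderr | wc -l)` followed by `[ $n -gt 0 -a $rc -lt 1 ] && rc=1`. The new dotfile scan `find $mount -name ".*" 2>/dev/null` omits the `-xdev` the setuid loop uses, so each mount point's listing descends into nested filesystems and the same files appear once per ancestor mount; add `-xdev` there. The umask comparison `[ "`umask`" != "177" ]` likely fires on every run, since most shells print the mask with a leading zero (`0177`); comparing against `0177` or normalizing the value first would avoid a permanent warning.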
@@ -162,17 +201,85 @@
 #
 separator
 echo "${host} login failures:"
-n=$(catmsgs | grep -i "^$yesterday.*login failure" | tee /dev/stderr | wc -l)
-[ $n -gt 0 -a $rc -lt 1 ] && rc=1
-
+catmsgs | grep -i "failed login" | /usr/bin/tee /dev/stderr
+ 
 # Show tcp_wrapper warning messages
 #
 separator
 echo "${host} refused connections:"
-n=$(catmsgs | grep -i "^$yesterday.*refused connect" | tee /dev/stderr | wc -l)
-[ $n -gt 0 -a $rc -lt 1 ] && rc=1
+catmsgs | grep -i "refused connect" | /usr/bin/tee /dev/stderr
 
-rm -f ${TMP}
+# Show authentication failures
+#
+separator
+echo "${host} authentication failures:"
+catmsgs | grep -i "authentication failure" | /usr/bin/tee /dev/stderr 
 
-exit $rc
+# check for any interfaces in promiscuous mode
+separator
+echo "${host} interfaces in promiscuous mode:"
+catmsgs | grep -i "entered promiscuous mode" | /usr/bin/tee /dev/stderr
+
+# check for sticky-bit on /tmp and exit if not found
+if [ `/bin/ls -ld /tmp | cut -c10` != "t" ] ; then
+        echo "/tmp does not have sticky-bit turned on. Please 'chmod +t /tmp'"
+        exit 1
+fi
+
+
+
+# check for incorrect perm on /etc/cron.d if it exists
+if [ -d /etc/cron.d ] ; then
+        if [ "`/bin/ls -ld /etc/cron.d | cut -c1-10`" != "drwxr-x---" ] ; then
+                separator
+                echo "Permissions too lax on /etc/cron.d. Please 'chmod -R 750 /etc/cron.d"
+        fi
+fi
+
+# check for incorrect perms on /etc/crontab if it exists
+if [ -f /etc/crontab ] ; then
+        if [ "`/bin/ls -l /etc/crontab | cut -c1-10`" != "-rw-r-----" ] ; then
+                separator
+                echo "Permissions too lax on /etc/crontab. Please 'chmod 640 /etc/crontab'"
+        fi
+fi
 
+# check for incorrect perms on /etc/syslog.conf if it exists
+if [ -f /etc/syslog.conf ] ; then
+        if [ "`/bin/ls -l /etc/syslog.conf | cut -c1-10`" != "-rw-------" ] ; then
+                separator
+                echo "Permission too lax on /etc/syslog.conf. Please 'chmod 600 /etc/syslog.conf'"
+        fi
+fi
+
+# check for incorrect perms on /var/log and it's subdirs
+separator
+echo "Please 'chmod 700' the following directories"
+find /var/log -type d ! -perm 0700
+
+# check for incorrect perms on logfiles
+separator
+echo "Please 'chmod 600' the following files"
+find /var/log -type d ! -perm 0600
+
+# check for incorrect perms on /etc/lilo.conf
+if [ -f /etc/lilo.conf ] ; then
+        if [ "`/bin/ls -l /etc/lilo.conf`" != "-rw-------" ] ; then
+                separator
+                echo "Please 'chmod 600 /etc/lilo.conf'"
+        fi
+fi
+
+# check for .rhosts files
+separator
+echo "Checking for .rhosts files"
+find / -name '.rhosts' -print
+
+# check for readable .netrc files
+separator
+echo "Checking for readable .netrc files (chmod 600 to correct)"
+find / -name '.netrc' ! -perm 0600 -print
+
+
+rm -f ${TMP}
+exit $rc
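Review bot: The log-file permission check on the `+find /var/log -type d ! -perm 0600` line tests directories again instead of files, so it flags every directory under /var/log (which the preceding check already wants at 0700) and never looks at a log file; it should read `find /var/log -type f ! -perm 0600`. The lilo.conf check compares the whole `ls -l` output (mode, links, owner, size, name) against the ten-character string `-rw-------`, so it warns on every run; it needs the `| cut -c1-10` that the crontab and syslog.conf checks use. The /tmp sticky-bit test `[ `/bin/ls -ld /tmp | cut -c10` != "t" ]` exits 1 before `rm -f ${TMP}` and before the remaining checks run, and the tenth column is `T` when the sticky bit is set without other-execute; `if [ ! -k /tmp ] ; then` with `rm -f ${TMP}` before the `exit 1` (or a message plus `rc=1` instead of exiting) would be safer. The two `find / -name ...` scans for .rhosts and .netrc run without `-xdev`, so they also traverse /proc and any network mounts, which can make the run slow or hang.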

--------------1A445F45C3701398F76F6B71--






