HardenedBSD/etc/security

#!/bin/sh -
#
#	@(#)security	5.3 (Berkeley) 5/28/91
#	$Id: security,v 1.9 1995/09/15 00:22:31 ache Exp $
#
PATH=/sbin:/bin:/usr/bin
LC_ALL=C; export LC_ALL

host=`hostname -s`
echo "Subject: $host security check output"

LOG=/var/log
TMP=/tmp/_secure.$$

umask 027

echo "checking setuid files and devices:"

# don't have ncheck, but this does the equivalent of the commented out block.
# note that one of the original problem, the possibility of overrunning
# the args to ls, is still here...
#
MP=`mount -t ufs | sed 's;/dev/;&r;' | awk '{ print $3 }'`
set $MP
while test $# -ge 1; do
	mount=$1
	shift
	find -X $mount -xdev -type f \
		\( -perm -u+x -or -perm -g+x -or -perm -o+x \) \
		\( -perm -u+s -or -perm -g+s \) -or \
		\( -type c -or -type b \) \
	| sort
# exclude date/time info for devices
done |  xargs -n 20 ls -lgTd | expand | \
	sed 's/\(^[cb].*, *[0-9x]*\).*\( \/.*\)$/\1\2/' \
> $TMP

if [ ! -f $LOG/setuid.today ] ; then
	echo "no $LOG/setuid.today"
	cp $TMP $LOG/setuid.today
fi
if cmp $LOG/setuid.today $TMP >/dev/null; then :; else
	echo "$host setuid/device diffs:"
	diff -b $LOG/setuid.today $TMP
	mv $LOG/setuid.today $LOG/setuid.yesterday
	mv $TMP $LOG/setuid.today
fi
rm -f $TMP

echo ""
echo ""
echo "checking for uids of 0:"
awk 'BEGIN {FS=":"} $3=="0" {print $1,$3}' /etc/master.passwd
Initial import of 386BSD 0.1 othersrc/etc 1993-06-20 15:41:45 +02:00			`#!/bin/sh -`
			`#`
			`# @(#)security 5.3 (Berkeley) 5/28/91`
Use -X to be xargs-friendly Check devices too, follow original BSD intention Find only executable files with s-bits, close PR bin/1022 Reset locale to C to have equal results in any case 1996-04-18 12:34:07 +02:00			`# $Id: security,v 1.9 1995/09/15 00:22:31 ache Exp $`
Initial import of 386BSD 0.1 othersrc/etc 1993-06-20 15:41:45 +02:00			`#`
			`PATH=/sbin:/bin:/usr/bin`
Use -X to be xargs-friendly Check devices too, follow original BSD intention Find only executable files with s-bits, close PR bin/1022 Reset locale to C to have equal results in any case 1996-04-18 12:34:07 +02:00			`LC_ALL=C; export LC_ALL`
Initial import of 386BSD 0.1 othersrc/etc 1993-06-20 15:41:45 +02:00
			host=`hostname -s`
			`echo "Subject: $host security check output"`

			`LOG=/var/log`
			`TMP=/tmp/_secure.$$`

Fixed so that it scans for set uid/gid files. From Rich Murphy and NetBSD, plus some tid bits from me. 1993-09-07 01:12:04 +02:00			`umask 027`

Initial import of 386BSD 0.1 othersrc/etc 1993-06-20 15:41:45 +02:00			`echo "checking setuid files and devices:"`
Fixed so that it scans for set uid/gid files. From Rich Murphy and NetBSD, plus some tid bits from me. 1993-09-07 01:12:04 +02:00
			`# don't have ncheck, but this does the equivalent of the commented out block.`
			`# note that one of the original problem, the possibility of overrunning`
			`# the args to ls, is still here...`
			`#`
Reworked the search for suid sgid programs to be more like the original and only to run find on local file systems. It now works and no longer gets the error from sort 1993-10-25 21:13:16 +01:00			MP=`mount -t ufs \| sed 's;/dev/;&r;' \| awk '{ print $3 }'`
			`set $MP`
From: rich@lamprey.UTMB.EDU (Rich Murphey) Subject: Re: daily insecurity output (fwd) \|From: rgrimes@agora.rain.com (Rodney Grimes) \| \|This is from the new /etc/security script. I no longer get the segmentation \|violation, but now the arg list is too long, some /bin/sh program want to \|fix the current /etc/security ls command so that it is a pipe insteal of \|a back quoted arg? \| \|> checking setuid files and devices: \|> /etc/security: ls: argument list too long This uses xargs instead. My slip line's down so I can't check it in at the moment. Rich 1994-01-22 11:54:13 +01:00			`while test $# -ge 1; do`
Reworked the search for suid sgid programs to be more like the original and only to run find on local file systems. It now works and no longer gets the error from sort 1993-10-25 21:13:16 +01:00			`mount=$1`
			`shift`
Use -X to be xargs-friendly Check devices too, follow original BSD intention Find only executable files with s-bits, close PR bin/1022 Reset locale to C to have equal results in any case 1996-04-18 12:34:07 +02:00			`find -X $mount -xdev -type f \`
			`\( -perm -u+x -or -perm -g+x -or -perm -o+x \) \`
			`\( -perm -u+s -or -perm -g+s \) -or \`
			`\( -type c -or -type b \) \`
			`\| sort`
			`# exclude date/time info for devices`
			`done \| xargs -n 20 ls -lgTd \| expand \| \`
			`sed 's/\(^[cb]., [0-9x]\).\( \/.*\)$/\1\2/' \`
			`> $TMP`
Initial import of 386BSD 0.1 othersrc/etc 1993-06-20 15:41:45 +02:00
If no $LOG/setuid.today exists (f.e. first time to run), put warning and make it, all following commands fails in old case 1995-09-15 02:22:31 +02:00			`if [ ! -f $LOG/setuid.today ] ; then`
			`echo "no $LOG/setuid.today"`
			`cp $TMP $LOG/setuid.today`
			`fi`
Initial import of 386BSD 0.1 othersrc/etc 1993-06-20 15:41:45 +02:00			`if cmp $LOG/setuid.today $TMP >/dev/null; then :; else`
			`echo "$host setuid/device diffs:"`
Use -b for diff, ls produce different number of spaces 1995-05-27 03:37:44 +02:00			`diff -b $LOG/setuid.today $TMP`
Initial import of 386BSD 0.1 othersrc/etc 1993-06-20 15:41:45 +02:00			`mv $LOG/setuid.today $LOG/setuid.yesterday`
			`mv $TMP $LOG/setuid.today`
			`fi`
			`rm -f $TMP`

			`echo ""`
			`echo ""`
			`echo "checking for uids of 0:"`
			`awk 'BEGIN {FS=":"} $3=="0" {print $1,$3}' /etc/master.passwd`