#!/bin/sh - # # @(#)security 5.3 (Berkeley) 5/28/91 # $Id$ # PATH=/sbin:/bin:/usr/bin LC_ALL=C; export LC_ALL separator () { echo "" echo "" } host=`hostname -s` echo "Subject: $host security check output" LOG=/var/log TMP=/var/run/_secure.$$ umask 027 echo "checking setuid files and devices:" # don't have ncheck, but this does the equivalent of the commented out block. # note that one of the original problem, the possibility of overrunning # the args to ls, is still here... # MP=`mount -t ufs | grep -v " nosuid" | sed 's;/dev/;&r;' | awk '{ print $3 }'` set $MP while test $# -ge 1; do mount=$1 shift find -X $mount -xdev -type f \ \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \ \( -perm -u+s -or -perm -g+s \) | sort done | xargs -n 20 ls -lgTd > $TMP if [ ! -f $LOG/setuid.today ] ; then separator echo "no $LOG/setuid.today" cp $TMP $LOG/setuid.today fi if cmp $LOG/setuid.today $TMP >/dev/null; then :; else separator echo "$host setuid diffs:" diff -b $LOG/setuid.today $TMP mv $LOG/setuid.today $LOG/setuid.yesterday mv $TMP $LOG/setuid.today fi separator echo "checking for uids of 0:" awk 'BEGIN {FS=":"} $3=="0" {print $1,$3}' /etc/master.passwd # show denied packets if ipfw -a l 2>/dev/null | egrep "deny|reject" > $TMP; then if [ ! -f $LOG/ipfw.today ] ; then separator echo "no $LOG/ipfw.today" cp $TMP $LOG/ipfw.today fi if cmp $LOG/ipfw.today $TMP >/dev/null; then :; else separator echo "$host denied packets:" diff -b $LOG/ipfw.today $TMP | egrep "^>" mv $LOG/ipfw.today $LOG/ipfw.yesterday mv $TMP $LOG/ipfw.today fi fi # show kernel log messages if dmesg 2>/dev/null > $TMP; then if [ ! -f $LOG/dmesg.today ] ; then separator echo "no $LOG/dmesg.today" cp $TMP $LOG/dmesg.today fi if cmp $LOG/dmesg.today $TMP >/dev/null; then :; else separator echo "$host kernel log messages:" diff -b $LOG/dmesg.today $TMP | egrep "^>" mv $LOG/dmesg.today $LOG/dmesg.yesterday mv $TMP $LOG/dmesg.today fi fi rm -f $TMP