mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-11-28 12:07:10 +01:00
808a36ef65
This will make a number of things easier in the future, as well as (finally!) avoiding the Id-smashing problem which has plagued developers for so long. Boy, I'm glad we're not using sup anymore. This update would have been insane otherwise.
#!/bin/sh -
#
# @(#)security 5.3 (Berkeley) 5/28/91
# $FreeBSD$
#

# Pin the search path so every utility called below is looked up in these
# three directories and not in whatever PATH the caller happened to export.
PATH=/sbin:/bin:/usr/bin

# Run every tool in the C locale.
# NOTE(review): presumably this keeps sort/diff output byte-stable between
# runs so the day-to-day comparisons do not flap — confirm.
LC_ALL=C
export LC_ALL
# Print two empty lines to set one section of the report off from the next.
separator () {
	printf '\n\n'
}
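# Short host name; used in the report subject and in the section headings.
host=$(hostname -s)
echo "Subject: $host security check output"

# Directory holding the *.today / *.yesterday baselines the checks compare
# against.
LOG=/var/log

# Set the umask before anything is created, so the scratch file and the
# baselines derived from it are never group-writable or world-accessible.
umask 027

# Scratch file: let mktemp choose an unpredictable name and create the file
# exclusively, instead of writing through a guessable PID-based path.
# NOTE(review): later sections move $TMP into $LOG and then recreate it by
# plain redirection, so this still relies on /var/run being writable by root
# only — confirm.
TMP=$(mktemp /var/run/_secure.XXXXXX) || {
	echo "security: cannot create scratch file in /var/run" >&2
	exit 1
}
# mktemp creates the file owner-only; restore the mode that umask 027 gave
# the scratch file (and so the baselines) before this change.
chmod 640 "$TMP"

# Remove the scratch file on every exit path, including HUP/INT/TERM.
trap 'rm -f "$TMP"' EXIT
trap 'exit 1' HUP INT TERM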
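echo "checking setuid files and devices:"

# don't have ncheck, but this does the equivalent of the commented out block.
# note that one of the original problem, the possibility of overrunning
# the args to ls, is still here...
#
# Mount points (third column of the mount output) of every ufs file system
# that is not mounted nosuid. The former sed stage rewrote the first "/dev/"
# on each line, normally the device column that awk never prints; in the
# odd case where it hit the mount point instead it would have corrupted it,
# so the stage is dropped.
MP=$(mount -t ufs | grep -v " nosuid" | awk '{ print $3 }')

# "set --" so that an empty list just clears the positional parameters; a
# bare "set" with no words would dump every shell variable into the report.
# $MP is left unquoted on purpose: it is split into one word per mount point.
set -- $MP
while test $# -ge 1; do
	mount=$1
	shift
	# Regular files with any execute bit and a setuid or setgid bit, without
	# crossing into other file systems (-xdev).
	# NOTE(review): -X makes find skip, with a diagnostic on stderr, any name
	# containing characters xargs treats as delimiters, so such a file never
	# reaches the baseline. A NUL-delimited pipeline (find -print0, xargs -0)
	# would track those names too — confirm the sort step can follow suit.
	find -X "$mount" -xdev -type f \
		\( -perm -u+x -or -perm -g+x -or -perm -o+x \) \
		\( -perm -u+s -or -perm -g+s \) | sort
done | xargs -n 20 ls -lgTd > "$TMP"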
# First run: there is no baseline yet, so seed it from the current listing.
test -f "$LOG/setuid.today" || {
	separator
	echo "no $LOG/setuid.today"
	cp "$TMP" "$LOG/setuid.today"
}

# Report and rotate only when the listing differs from the baseline: print
# the diff, keep the old baseline as .yesterday, and promote the scratch
# file to be the new baseline.
cmp "$LOG/setuid.today" "$TMP" >/dev/null || {
	separator
	echo "$host setuid diffs:"
	diff -b "$LOG/setuid.today" "$TMP"
	mv "$LOG/setuid.today" "$LOG/setuid.yesterday"
	mv "$TMP" "$LOG/setuid.today"
}
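separator
echo "checking for uids of 0:"
# Print the name and UID of every account whose UID field is zero.
# The field is matched as a run of zeros rather than the exact string "0":
# the old string comparison missed an entry whose UID is written "00".
# NOTE(review): such a spelling presumably still resolves to UID 0 when the
# password database is built — confirm against pwd_mkdb.
awk -F: '$3 ~ /^0+$/ { print $1, $3 }' /etc/master.passwd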
# show denied packets
# The pipeline's status is that of the grep stage, so this section runs only
# when the ipfw listing contains at least one deny or reject line; ipfw's
# own errors are discarded.
if ipfw -a l 2>/dev/null | grep -E "deny|reject" > "$TMP"; then
	# First run: seed the baseline from the current listing.
	test -f "$LOG/ipfw.today" || {
		separator
		echo "no $LOG/ipfw.today"
		cp "$TMP" "$LOG/ipfw.today"
	}
	# Something changed since the baseline: show it and rotate the files.
	cmp "$LOG/ipfw.today" "$TMP" >/dev/null || {
		separator
		echo "$host denied packets:"
		# Keep only the ">" lines, i.e. the ones diff reports from the new
		# listing.
		diff -b "$LOG/ipfw.today" "$TMP" | grep -E "^>"
		mv "$LOG/ipfw.today" "$LOG/ipfw.yesterday"
		mv "$TMP" "$LOG/ipfw.today"
	}
fi
# show kernel log messages
# Capture the current dmesg output; the section is skipped when dmesg fails,
# and its error output is discarded.
if dmesg 2>/dev/null > "$TMP"; then
	# First run: seed the baseline from the current output.
	test -f "$LOG/dmesg.today" || {
		separator
		echo "no $LOG/dmesg.today"
		cp "$TMP" "$LOG/dmesg.today"
	}
	# Output differs from the baseline: show it and rotate the files.
	cmp "$LOG/dmesg.today" "$TMP" >/dev/null || {
		separator
		echo "$host kernel log messages:"
		# Keep only the ">" lines, i.e. the ones diff reports from the new
		# output.
		diff -b "$LOG/dmesg.today" "$TMP" | grep -E "^>"
		mv "$LOG/dmesg.today" "$LOG/dmesg.yesterday"
		mv "$TMP" "$LOG/dmesg.today"
	}
fi
# Drop the scratch file; -f keeps this quiet when an earlier section has
# already moved it into $LOG.
rm -f -- "$TMP"