Fri, 26 Dec 2014 11:43:45 +0100
Added a Makefile, version 0.22
5 | 1 | #!/bin/bash |
2 | # | |
3 | ############################################################################# | |
17
65656789da08
Removed uptime script, changed passwd test, minimized sensors output, bumped to version 0.18
Michiel Broek <mbroek@mbse.eu>
parents:
14
diff
changeset
|
4 | # Copyright (C) 2005-2013 |
5 | 5 | # |
17
65656789da08
Removed uptime script, changed passwd test, minimized sensors output, bumped to version 0.18
Michiel Broek <mbroek@mbse.eu>
parents:
14
diff
changeset
|
6 | # Michiel Broek <mbse at mbse.eu> |
5 | 7 | # |
14
59e07bba67cc
Fixed spelling error, updated address
Michiel Broek <mbse@mbse.eu>
parents:
13
diff
changeset
|
8 | # This file is part of SlackSecCheckScripts. |
5 | 9 | # |
10 | # This package is free software; you can redistribute it and/or modify it | |
11 | # under the terms of the GNU General Public License as published by the | |
12 | # Free Software Foundation; either version 2, or (at your option) any | |
13 | # later version. | |
14 | # | |
14
59e07bba67cc
Fixed spelling error, updated address
Michiel Broek <mbse@mbse.eu>
parents:
13
diff
changeset
|
15 | # SlackSecCheckScripts is distributed in the hope that it will be useful, but |
5 | 16 | # WITHOUT ANY WARRANTY; without even the implied warranty of |
17 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
18 | # General Public License for more details. | |
19 | # | |
20 | # You should have received a copy of the GNU General Public License | |
21 | # along with MBSE BBS; see the file COPYING. If not, write to the Free | |
22 | # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. | |
23 | ############################################################################# | |
24 | ||
25 | ||
26 | PATH=/sbin:/usr/sbin:/bin:/usr/bin | |
27 | ||
28 | umask 077 | |
29 | TZ=UTC; export TZ | |
30 | LANG=C; export LANG | |
31 | ||
32 | max_loginlen=${max_loginlen:-32} | |
33 | ||
34 | MP=/etc/passwd | |
35 | SP=/etc/shadow | |
36 | ||
37 | ||
38 | SECUREDIR=`mktemp -d /tmp/_securedir.XXXXXX` || exit 1 | |
39 | ||
40 | trap "/bin/rm -rf $SECUREDIR ; exit 0" EXIT INT QUIT PIPE | |
41 | ||
42 | if ! cd "$SECUREDIR"; then | |
43 | echo "Can not cd to $SECUREDIR". | |
44 | exit 1 | |
45 | fi | |
46 | ||
47 | TMP2=secure1.$$ | |
48 | MPBYUID=secure2.$$ | |
49 | COMBINED=secure3.$$ | |
50 | OUTPUT=secure4.$$ | |
51 | ||
9 | 52 | |
5 | 53 | # Combine passwd and shadow files. |
54 | # | |
9 | 55 | JOPT=$( join --help | grep "\--nocheck-order") |
56 | if [ -z "$JOPT" ]; then | |
57 | join -t : -j 1 $MP $SP > $COMBINED | |
58 | else | |
59 | join --nocheck-order -t : -j 1 $MP $SP > $COMBINED | |
60 | fi | |
5 | 61 | |
62 | ||
63 | # These are used several times. | |
64 | # | |
65 | awk -F: '!/^+/ { print $1 " " $3 }' $MP | sort -k2n > $MPBYUID | |
66 | ||
67 | ||
68 | # Check the master password file syntax. | |
69 | # Usernames may have a $ character at the end for Samba | |
70 | # machine and trust accounts. | |
71 | # | |
72 | awk -v "len=$max_loginlen" ' | |
73 | BEGIN { | |
74 | while ( getline < "/etc/shells" > 0 ) { | |
75 | if ($0 ~ /^\#/ || $0 ~ /^$/ ) | |
76 | continue; | |
77 | shells[$1]++; | |
78 | } | |
79 | FS=":"; | |
80 | } | |
81 | ||
82 | { | |
83 | if ($0 ~ /^[ ]*$/) { | |
84 | printf "\tLine %d is a blank line.\n", NR; | |
85 | next; | |
86 | } | |
87 | if (NF != 15 && ($1 != "+" || NF != 1)) | |
88 | printf "\tLine %d has the wrong number of fields.\n", NR; | |
89 | if ($1 == "+" ) { | |
90 | if (NF != 1 && $3 == 0) | |
91 | printf "\tLine %d includes entries with uid 0.\n", NR; | |
92 | next; | |
93 | } | |
13 | 94 | if ($1 !~ /^[A-Za-z0-9]([-A-Za-z0-9_]*[A-Za-z0-9\$])*$/) |
5 | 95 | printf "\tLogin %s has non-alphanumeric characters.\n", $1; |
96 | if (length($1) > len) | |
97 | printf "\tLogin %s has more than "len" characters.\n", $1; | |
98 | if ($7 == "" && $8 !~ /!/ && $8 != "*") | |
99 | printf "\tLogin %s does not have a shell\n", $1; | |
100 | if ($7 != "" && ! shells[$7] && $8 !~ /!/ && $8 != "*") | |
101 | printf "\tLogin %s does not have a valid shell (%s)\n", $1, $7; | |
17
65656789da08
Removed uptime script, changed passwd test, minimized sensors output, bumped to version 0.18
Michiel Broek <mbroek@mbse.eu>
parents:
14
diff
changeset
|
102 | if ($7 != "" && shells[$7] && ($8 ~ /!/ && $8 = "*") && ($4 == 100)) |
5 | 103 | printf "\tLogin %s account is locked.\n", $1; |
104 | if ($8 == "") | |
105 | printf "\tLogin %s has no password.\n", $1; | |
106 | if ($9 == "0") | |
107 | printf "\tLogin %s password is expired.\n", $1; | |
108 | if ($3 == 0 && $1 != "root" && $1 != "toor") | |
109 | printf "\tLogin %s has a user id of 0.\n", $1; | |
110 | if ($3 < 0) | |
111 | printf "\tLogin %s has a negative user id.\n", $1; | |
112 | if ($4 < 0) | |
113 | printf "\tLogin %s has a negative group id.\n", $1; | |
114 | }' < $COMBINED > $OUTPUT | |
115 | if [ -s $OUTPUT ] ; then | |
116 | printf "\nChecking the $MP and $SP files:\n" | |
117 | cat $OUTPUT | |
118 | fi | |
119 | ||
120 | awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT | |
121 | if [ -s $OUTPUT ] ; then | |
122 | printf "\n$MP has duplicate user names.\n" | |
123 | column $OUTPUT | |
124 | fi | |
125 | ||
126 | # To not exclude 'toor', a standard duplicate root account, from the duplicate | |
127 | # account test, uncomment the line below (without egrep in it)and comment | |
128 | # out the line (with egrep in it) below it. | |
129 | # | |
130 | #< $MPBYUID uniq -d -f 1 | awk '{ print $2 }' > $TMP2 | |
131 | < $MPBYUID egrep -v '^toor ' | uniq -d -f 1 | awk '{ print $2 }' > $TMP2 | |
132 | if [ -s $TMP2 ] ; then | |
133 | printf "\n$MP has duplicate user id's.\n" | |
134 | while read uid; do | |
135 | grep -w $uid $MPBYUID | |
136 | done < $TMP2 | column | |
137 | fi | |
138 | ||
139 |