|
1 #!/bin/bash |
|
2 # |
|
3 # $Id$ |
|
4 # |
|
5 ############################################################################# |
|
6 # Copyright (C) 2005 |
|
7 # |
|
8 # Michiel Broek <mbse@mbse.dds.nl> |
|
9 # Beekmansbos 10 |
|
10 # 1971 BV IJmuiden |
|
11 # the Netherlands |
|
12 # |
|
13 # This file is part of SlackSecCheckSripts. |
|
14 # |
|
15 # This package is free software; you can redistribute it and/or modify it |
|
16 # under the terms of the GNU General Public License as published by the |
|
17 # Free Software Foundation; either version 2, or (at your option) any |
|
18 # later version. |
|
19 # |
|
20 # SlackSecCheckSripts is distributed in the hope that it will be useful, but |
|
21 # WITHOUT ANY WARRANTY; without even the implied warranty of |
|
22 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
|
23 # General Public License for more details. |
|
24 # |
|
25 # You should have received a copy of the GNU General Public License |
|
26 # along with MBSE BBS; see the file COPYING. If not, write to the Free |
|
27 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. |
|
28 ############################################################################# |
|
29 |
|
30 |
|
31 PATH=/sbin:/usr/sbin:/bin:/usr/bin |
|
32 |
|
33 umask 077 |
|
34 TZ=UTC; export TZ |
|
35 LANG=C; export LANG |
|
36 |
|
37 max_loginlen=${max_loginlen:-32} |
|
38 |
|
39 MP=/etc/passwd |
|
40 SP=/etc/shadow |
|
41 |
|
42 |
|
43 SECUREDIR=`mktemp -d /tmp/_securedir.XXXXXX` || exit 1 |
|
44 |
|
45 trap "/bin/rm -rf $SECUREDIR ; exit 0" EXIT INT QUIT PIPE |
|
46 |
|
47 if ! cd "$SECUREDIR"; then |
|
48 echo "Can not cd to $SECUREDIR". |
|
49 exit 1 |
|
50 fi |
|
51 |
|
52 TMP2=secure1.$$ |
|
53 MPBYUID=secure2.$$ |
|
54 COMBINED=secure3.$$ |
|
55 OUTPUT=secure4.$$ |
|
56 |
|
57 # Combine passwd and shadow files. |
|
58 # |
|
59 join -t : -j 1 $MP $SP > $COMBINED |
|
60 |
|
61 |
|
62 # These are used several times. |
|
63 # |
|
64 awk -F: '!/^+/ { print $1 " " $3 }' $MP | sort -k2n > $MPBYUID |
|
65 |
|
66 |
|
67 # Check the master password file syntax. |
|
68 # Usernames may have a $ character at the end for Samba |
|
69 # machine and trust accounts. |
|
70 # |
|
71 awk -v "len=$max_loginlen" ' |
|
72 BEGIN { |
|
73 while ( getline < "/etc/shells" > 0 ) { |
|
74 if ($0 ~ /^\#/ || $0 ~ /^$/ ) |
|
75 continue; |
|
76 shells[$1]++; |
|
77 } |
|
78 FS=":"; |
|
79 } |
|
80 |
|
81 { |
|
82 if ($0 ~ /^[ ]*$/) { |
|
83 printf "\tLine %d is a blank line.\n", NR; |
|
84 next; |
|
85 } |
|
86 if (NF != 15 && ($1 != "+" || NF != 1)) |
|
87 printf "\tLine %d has the wrong number of fields.\n", NR; |
|
88 if ($1 == "+" ) { |
|
89 if (NF != 1 && $3 == 0) |
|
90 printf "\tLine %d includes entries with uid 0.\n", NR; |
|
91 next; |
|
92 } |
|
93 if ($1 !~ /^[A-Za-z0-9]([-A-Za-z0-9]*[A-Za-z0-9\$])*$/) |
|
94 printf "\tLogin %s has non-alphanumeric characters.\n", $1; |
|
95 if (length($1) > len) |
|
96 printf "\tLogin %s has more than "len" characters.\n", $1; |
|
97 if ($7 == "" && $8 !~ /!/ && $8 != "*") |
|
98 printf "\tLogin %s does not have a shell\n", $1; |
|
99 if ($7 != "" && ! shells[$7] && $8 !~ /!/ && $8 != "*") |
|
100 printf "\tLogin %s does not have a valid shell (%s)\n", $1, $7; |
|
101 if ($7 != "" && shells[$7] && ($8 ~ /!/ && $8 = "*")) |
|
102 printf "\tLogin %s account is locked.\n", $1; |
|
103 if ($8 == "") |
|
104 printf "\tLogin %s has no password.\n", $1; |
|
105 if ($9 == "0") |
|
106 printf "\tLogin %s password is expired.\n", $1; |
|
107 if ($3 == 0 && $1 != "root" && $1 != "toor") |
|
108 printf "\tLogin %s has a user id of 0.\n", $1; |
|
109 if ($3 < 0) |
|
110 printf "\tLogin %s has a negative user id.\n", $1; |
|
111 if ($4 < 0) |
|
112 printf "\tLogin %s has a negative group id.\n", $1; |
|
113 }' < $COMBINED > $OUTPUT |
|
114 if [ -s $OUTPUT ] ; then |
|
115 printf "\nChecking the $MP and $SP files:\n" |
|
116 cat $OUTPUT |
|
117 fi |
|
118 |
|
119 awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT |
|
120 if [ -s $OUTPUT ] ; then |
|
121 printf "\n$MP has duplicate user names.\n" |
|
122 column $OUTPUT |
|
123 fi |
|
124 |
|
125 # To not exclude 'toor', a standard duplicate root account, from the duplicate |
|
126 # account test, uncomment the line below (without egrep in it)and comment |
|
127 # out the line (with egrep in it) below it. |
|
128 # |
|
129 #< $MPBYUID uniq -d -f 1 | awk '{ print $2 }' > $TMP2 |
|
130 < $MPBYUID egrep -v '^toor ' | uniq -d -f 1 | awk '{ print $2 }' > $TMP2 |
|
131 if [ -s $TMP2 ] ; then |
|
132 printf "\n$MP has duplicate user id's.\n" |
|
133 while read uid; do |
|
134 grep -w $uid $MPBYUID |
|
135 done < $TMP2 | column |
|
136 fi |
|
137 |
|
138 |