|
1 #!/bin/bash |
|
2 # |
|
3 # $Id$ |
|
4 # |
|
5 ############################################################################# |
|
6 # Copyright (C) 2005 |
|
7 # |
|
8 # Michiel Broek <mbse@mbse.dds.nl> |
|
9 # Beekmansbos 10 |
|
10 # 1971 BV IJmuiden |
|
11 # the Netherlands |
|
12 # |
|
13 # This file is part of SlackSecCheckSripts. |
|
14 # |
|
15 # This package is free software; you can redistribute it and/or modify it |
|
16 # under the terms of the GNU General Public License as published by the |
|
17 # Free Software Foundation; either version 2, or (at your option) any |
|
18 # later version. |
|
19 # |
|
20 # SlackSecCheckSripts is distributed in the hope that it will be useful, but |
|
21 # WITHOUT ANY WARRANTY; without even the implied warranty of |
|
22 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
|
23 # General Public License for more details. |
|
24 # |
|
25 # You should have received a copy of the GNU General Public License |
|
26 # along with MBSE BBS; see the file COPYING. If not, write to the Free |
|
27 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. |
|
28 ############################################################################# |
|
29 |
|
30 |
|
31 PATH=/sbin:/usr/sbin:/bin:/usr/bin |
|
32 |
|
33 umask 077 |
|
34 TZ=UTC; export TZ |
|
35 MP=/etc/passwd |
|
36 LANG=C; export LANG |
|
37 |
|
38 SECUREDIR=`mktemp -d /tmp/_securedir.XXXXXX` || exit 1 |
|
39 |
|
40 trap "/bin/rm -rf $SECUREDIR ; exit 0" EXIT INT QUIT PIPE |
|
41 |
|
42 if ! cd "$SECUREDIR"; then |
|
43 echo "Can not cd to $SECUREDIR". |
|
44 exit 1 |
|
45 fi |
|
46 |
|
47 MPBYPATH=secure1.$$ |
|
48 OUTPUT=secure2.$$ |
|
49 |
|
50 |
|
51 # These are used several times. |
|
52 # |
|
53 awk -F: '{ print $1 " " $6 }' $MP | sort -k2 > $MPBYPATH |
|
54 |
|
55 |
|
56 # Check home directories. Directories should not be owned by someone else |
|
57 # or writeable. |
|
58 # |
|
59 while read uid homedir; do |
|
60 if [ -d ${homedir}/ ] ; then |
|
61 file=`/bin/ls -ld ${homedir}` |
|
62 printf -- "$uid $file\n" |
|
63 fi |
|
64 done < $MPBYPATH | |
|
65 awk '$1 != $4 && $4 != "root" { printf "\tuser %s home directory is owned by %s.\n", $1, $4 } |
|
66 $2 ~ /^.....w/ { printf "\tuser %s home directory %s is group writeable.\n", $1, $10 } |
|
67 $2 ~ /^........w/ { printf "\tuser %s home directory %s is other writeable.\n", $1, $10 }' \ |
|
68 > $OUTPUT |
|
69 if [ -s $OUTPUT ] ; then |
|
70 printf "\nChecking home directories.\n" |
|
71 cat $OUTPUT |
|
72 fi |
|
73 |
|
74 # Files that should not be owned by someone else or readable. |
|
75 list=".Xauthority .netrc .ssh/id_dsa .ssh/id_rsa .ssh/identity" |
|
76 while read uid homedir; do |
|
77 for f in $list ; do |
|
78 file=${homedir}/${f} |
|
79 if [ -f $file ] ; then |
|
80 printf -- "$uid $f `/bin/ls -ld $file`\n" |
|
81 fi |
|
82 done |
|
83 done < $MPBYPATH | |
|
84 awk '$1 != $5 && $5 != "root" { printf "\tuser %s %s file is owned by %s.\n", $1, $2, $5 } |
|
85 $3 ~ /^....r/ { printf "\tuser %s %s file is group readable.\n", $1, $2 } |
|
86 $3 ~ /^.......r/ { printf "\tuser %s %s file is other readable.\n", $1, $2 } |
|
87 $3 ~ /^.....w/ { printf "\tuser %s %s file is group writeable.\n", $1, $2 } |
|
88 $3 ~ /^........w/ { printf "\tuser %s %s file is other writeable.\n", $1, $2 }' \ |
|
89 > $OUTPUT |
|
90 # Files that should not be owned by someone else or writeable. |
|
91 list=".bash_history .bash_login .bash_logout .bash_profile .bashrc \ |
|
92 .cshrc .emacs .exrc .forward .history .klogin .login .logout \ |
|
93 .profile .qmail .rc_history .rhosts .shosts ssh .tcshrc .twmrc \ |
|
94 .xinitrc .xsession .ssh/authorized_keys .ssh/authorized_keys2 \ |
|
95 .ssh/config .ssh/id_dsa.pub .ssh/id_rsa.pub .ssh/identity.pub \ |
|
96 .ssh/known_hosts .ssh/known_hosts2" |
|
97 while read uid homedir; do |
|
98 for f in $list ; do |
|
99 file=${homedir}/${f} |
|
100 if [ -f $file ] ; then |
|
101 printf -- "$uid $f `/bin/ls -ld $file`\n" |
|
102 fi |
|
103 done |
|
104 done < $MPBYPATH | |
|
105 awk '$1 != $5 && $5 != "root" { printf "\tuser %s %s file is owned by %s.\n", $1, $2, $5 } |
|
106 $3 ~ /^.....w/ { printf "\tuser %s %s file is group writeable.\n", $1, $2 } |
|
107 $3 ~ /^........w/ { printf "\tuser %s %s file is other writeable.\n", $1, $2 }' \ |
|
108 >> $OUTPUT |
|
109 if [ -s $OUTPUT ] ; then |
|
110 printf "\nChecking dot files.\n" |
|
111 cat $OUTPUT |
|
112 fi |
|
113 |
|
114 |