security.d/chk_homedirs

Fri, 26 Dec 2014 10:56:38 +0100

author
Michiel Broek <mbroek@mbse.eu>
date
Fri, 26 Dec 2014 10:56:38 +0100
changeset 21
735fe1b89e5a
parent 17
65656789da08
permissions
-rw-r--r--

Fixed wrong changes display when no real files were different

#!/bin/bash
#
#############################################################################
# Copyright (C) 2005-2013
#   
# Michiel Broek               <mbse at mbse.eu>
#
# This file is part of SlackSecCheckScripts.
#
# This package is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2, or (at your option) any
# later version.
#
# SlackSecCheckScripts is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
# 
# You should have received a copy of the GNU General Public License
# along with MBSE BBS; see the file COPYING.  If not, write to the Free
# Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
#############################################################################


PATH=/sbin:/usr/sbin:/bin:/usr/bin

umask 077
TZ=UTC; export TZ
MP=/etc/passwd
LANG=C; export LANG

SECUREDIR=`mktemp -d /tmp/_securedir.XXXXXX` || exit 1

trap "/bin/rm -rf $SECUREDIR ; exit 0" EXIT INT QUIT PIPE

if ! cd "$SECUREDIR"; then
        echo "Can not cd to $SECUREDIR".
        exit 1
fi

MPBYPATH=secure1.$$
OUTPUT=secure2.$$


# These are used several times.
#
awk -F: '{ print $1 " " $6 }' $MP | sort -k2 > $MPBYPATH


# Check home directories.  Directories should not be owned by someone else
# or writeable.
#
while read uid homedir; do
    if [ -d ${homedir}/ ] ; then
	file=`/bin/ls -ld ${homedir}/`
	printf -- "$uid $file\n"
    fi
done < $MPBYPATH |
awk '$1 != $4 && $4 != "root" { printf "\tuser %s home directory is owned by %s.\n", $1, $4 }
     $2 ~ /^.....w/ { printf "\tuser %s home directory %s is group writeable.\n", $1, $10 }
     $2 ~ /^........w/ { printf "\tuser %s home directory %s is other writeable.\n", $1, $10 }' \
> $OUTPUT
if [ -s $OUTPUT ] ; then
    printf "\nChecking home directories.\n"
    cat $OUTPUT
fi

# Files that should not be owned by someone else or readable.
list=".Xauthority .netrc .ssh/id_dsa .ssh/id_rsa .ssh/identity"
while read uid homedir; do
    for f in $list ; do
	file=${homedir}/${f}
	if [ -f $file ] ; then
	    printf -- "$uid $f `/bin/ls -ld $file`\n"
	fi
    done
done < $MPBYPATH |
awk '$1 != $5 && $5 != "root" { printf "\tuser %s %s file is owned by %s.\n", $1, $2, $5 }
     $3 ~ /^....r/ { printf "\tuser %s %s file is group readable.\n", $1, $2 }
     $3 ~ /^.......r/ { printf "\tuser %s %s file is other readable.\n", $1, $2 }
     $3 ~ /^.....w/ { printf "\tuser %s %s file is group writeable.\n", $1, $2 }
     $3 ~ /^........w/ { printf "\tuser %s %s file is other writeable.\n", $1, $2 }' \
    > $OUTPUT
# Files that should not be owned by someone else or writeable.
list=".bash_history .bash_login .bash_logout .bash_profile .bashrc \
    .cshrc .emacs .exrc .forward .history .klogin .login .logout \
    .profile .qmail .rc_history .rhosts .shosts ssh .tcshrc .twmrc \
    .xinitrc .xsession .ssh/authorized_keys .ssh/authorized_keys2 \
    .ssh/config .ssh/id_dsa.pub .ssh/id_rsa.pub .ssh/identity.pub \
    .ssh/known_hosts .ssh/known_hosts2"
while read uid homedir; do
    for f in $list ; do
	file=${homedir}/${f}
	if [ -f $file ] ; then
	    printf -- "$uid $f `/bin/ls -ld $file`\n"
	fi
    done
done < $MPBYPATH |
awk '$1 != $5 && $5 != "root" { printf "\tuser %s %s file is owned by %s.\n", $1, $2, $5 }
     $3 ~ /^.....w/ { printf "\tuser %s %s file is group writeable.\n", $1, $2 }
     $3 ~ /^........w/ { printf "\tuser %s %s file is other writeable.\n", $1, $2 }' \
    >> $OUTPUT
if [ -s $OUTPUT ] ; then
    printf "\nChecking dot files.\n"
    cat $OUTPUT
fi

mercurial