search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
No empty .Rs/.Re
[netbsd-mini2440.git] / etc / security
blobabfbc0ce936e0f247267d0fbfc4f59f72d6af9d9
1 #!/bin/sh -
2 #
3 # $NetBSD: security,v 1.105 2007/11/23 15:51:27 dholland Exp $
4 # from: @(#)security 8.1 (Berkeley) 6/9/93
5 #
6
7 PATH=/sbin:/usr/sbin:/bin:/usr/bin
8
9 rcvar_manpage='security.conf(5)'
10
11 if [ -f /etc/rc.subr ]; then
12 . /etc/rc.subr
13 else
14 echo "Can't read /etc/rc.subr; aborting."
15 exit 1;
16 fi
17
18 umask 077
19 TZ=UTC; export TZ
20
21 if [ -s /etc/security.conf ]; then
22 . /etc/security.conf
23 fi
24
25 # Set reasonable defaults (if they're not set in security.conf)
26 #
27 backup_dir=${backup_dir:-/var/backups}
28 pkgdb_dir=${pkgdb_dir:-/var/db/pkg}
29 max_loginlen=${max_loginlen:-8}
30 max_grouplen=${max_grouplen:-8}
31 pkg_info=${pkg_info:-/usr/sbin/pkg_info}
32
33 # Other configurable variables
34 #
35 special_files="/etc/mtree/special /etc/mtree/special.local"
36 MP=/etc/master.passwd
37 CHANGELIST=""
38 work_dir=$backup_dir/work
39
40 if [ ! -d "$work_dir" ]; then
41 mkdir -p "$work_dir"
42 fi
43
44 SECUREDIR=$(mktemp -d -t _securedir) || exit 1
45
46 trap "/bin/rm -rf $SECUREDIR ; exit 0" EXIT INT QUIT PIPE
47
48 if ! cd "$SECUREDIR"; then
49 echo "Can not cd to $SECUREDIR".
50 exit 1
51 fi
52
53 ERR=err.$$
54 TMP1=tmp1.$$
55 TMP2=tmp2.$$
56 MPBYUID=mpbyuid.$$
57 MPBYPATH=mpbypath.$$
58 LIST=list.$$
59 OUTPUT=output.$$
60 LABELS=labels.$$
61 LVM_LABELS=lvm.$$
62 PKGS=pkgs.$$
63 CHANGEFILES=changefiles.$$
64 SPECIALSPEC=specialspec.$$
65
66 # migrate_file old new
67 # Determine if the "${old}" path name needs to be migrated to the
68 # "${new}" path. Also checks if "${old}.current" needs migrating,
69 # and if so, migrate it and possibly "${old}.current,v" and
70 # "${old}.backup".
71 #
72 migrate_file()
73 {
74 _old=$1
75 _new=$2
76 if [ -z "$_old" -o -z "$_new" ]; then
77 err 3 "USAGE: migrate_file old new"
78 fi
79 if [ ! -d "${_new%/*}" ]; then
80 mkdir -p "${_new%/*}"
81 fi
82 if [ -f "${_old}" -a ! -f "${_new}" ]; then
83 echo "==> migrating ${_old}"
84 echo " to ${_new}"
85 mv "${_old}" "${_new}"
86 fi
87 if [ -f "${_old}.current" -a ! -f "${_new}.current" ]; then
88 echo "==> migrating ${_old}.current"
89 echo " to ${_new}.current"
90 mv "${_old}.current" "${_new}.current"
91 if [ -f "${_old}.current,v" -a ! -f "${_new}.current,v" ]; then
92 echo "==> migrating ${_old}.current,v"
93 echo " to ${_new}.current,v"
94 mv "${_old}.current,v" "${_new}.current,v"
95 fi
96 if [ -f "${_old}.backup" -a ! -f "${_new}.backup" ]; then
97 echo "==> migrating ${_old}.backup"
98 echo " to ${_new}.backup"
99 mv "${_old}.backup" "${_new}.backup"
100 fi
101 fi
102 }
103
104
105 # backup_and_diff file printdiff
106 # Determine if file needs backing up, and if so, do it.
107 # If printdiff is yes, display the diffs, otherwise
108 # just print a message saying "[changes omitted]".
109 #
110 backup_and_diff()
111 {
112 _file=$1
113 _printdiff=$2
114 if [ -z "$_file" -o -z "$_printdiff" ]; then
115 err 3 "USAGE: backup_and_diff file printdiff"
116 fi
117 ! checkyesno _printdiff
118 _printdiff=$?
119
120 _old=$backup_dir/${_file##*/}
121 case "$_file" in
122 $work_dir/*)
123 _new=$_file
124 migrate_file "$backup_dir/$_old" "$_new"
125 migrate_file "$_old" "$_new"
126 ;;
127 *)
128 _new=$backup_dir/$_file
129 migrate_file "$_old" "$_new"
130 ;;
131 esac
132 CUR=${_new}.current
133 BACK=${_new}.backup
134 if [ -f $_file ]; then
135 if [ -f $CUR ] ; then
136 if [ "$_printdiff" -ne 0 ]; then
137 diff ${diff_options} $CUR $_file > $OUTPUT
138 else
139 if ! cmp -s $CUR $_file; then
140 echo "[changes omitted]"
141 fi > $OUTPUT
142 fi
143 if [ -s $OUTPUT ] ; then
144 printf \
145 "\n======\n%s diffs (OLD < > NEW)\n======\n" $_file
146 cat $OUTPUT
147 backup_file update $_file $CUR $BACK
148 fi
149 else
150 printf "\n======\n%s added\n======\n" $_file
151 if [ "$_printdiff" -ne 0 ]; then
152 diff ${diff_options} /dev/null $_file
153 else
154 echo "[changes omitted]"
155 fi
156 backup_file add $_file $CUR $BACK
157 fi
158 else
159 if [ -f $CUR ]; then
160 printf "\n======\n%s removed\n======\n" $_file
161 if [ "$_printdiff" -ne 0 ]; then
162 diff ${diff_options} $CUR /dev/null
163 else
164 echo "[changes omitted]"
165 fi
166 backup_file remove $_file $CUR $BACK
167 fi
168 fi
169 }
170
171
172 # These are used several times.
173 #
174 awk -F: '!/^\+/ { print $1 " " $3 }' $MP | sort -k2n > $MPBYUID
175 awk -F: '{ print $1 " " $9 }' $MP | sort -k2 > $MPBYPATH
176 for file in $special_files; do
177 [ -s $file ] && cat $file
178 done | mtree -CM -k all > $SPECIALSPEC || exit 1
179
180
181 # Check the master password file syntax.
182 #
183 if checkyesno check_passwd; then
184 # XXX: the sense of permit_star is reversed; the code works as
185 # implemented, but usage needs to be negated.
186 checkyesno check_passwd_permit_star && permit_star=0 || permit_star=1
187 checkyesno check_passwd_permit_nonalpha \
188 && permit_nonalpha=1 || permit_nonalpha=0
189
190 awk -v "len=$max_loginlen" \
191 -v "nowarn_shells_list=$check_passwd_nowarn_shells" \
192 -v "nowarn_users_list=$check_passwd_nowarn_users" \
193 -v "permit_star=$permit_star" \
194 -v "permit_nonalpha=$permit_nonalpha" \
195 '
196 BEGIN {
197 while ( getline < "/etc/shells" > 0 ) {
198 if ($0 ~ /^\#/ || $0 ~ /^$/ )
199 continue;
200 shells[$1]++;
201 }
202 split(nowarn_shells_list, a);
203 for (i in a) nowarn_shells[a[i]]++;
204 split(nowarn_users_list, a);
205 for (i in a) nowarn_users[a[i]]++;
206 uid0_users_list="root toor"
207 split(uid0_users_list, a);
208 for (i in a) uid0_users[a[i]]++;
209 FS=":";
210 }
211
212 {
213 if ($0 ~ /^[ ]*$/) {
214 printf "Line %d is a blank line.\n", NR;
215 next;
216 }
217
218 # NIS compat entry?
219 compatline = $1 ~ "^[\\+-]";
220 if (compatline) {
221 if ($1 == "+" && NF == 1) {
222 next;
223 }
224 sub("^.", "", $1);
225 }
226 if (NF != 10)
227 printf "Line %d has the wrong number of fields.\n", NR;
228 if (compatline) {
229 if ($3 == 0)
230 printf "Line %d includes entries with uid 0.\n",
231 NR;
232 if ($1 == "")
233 next;
234 }
235 if (!permit_nonalpha &&
236 $1 !~ /^[_A-Za-z0-9]([-A-Za-z0-9_.]*[A-Za-z0-9])*$/)
237 printf "Login %s has non-alphanumeric characters.\n",
238 $1;
239 if (length($1) > len)
240 printf "Login %s has more than "len" characters.\n",
241 $1;
242 if ($2 == "" && !compatline && !nowarn_users[$1])
243 printf "Login %s has no password.\n", $1;
244 if (!nowarn_shells[$10] && !nowarn_users[$1]) {
245 if (length($2) != 13 &&
246 length($2) != 20 &&
247 $2 !~ /^\$1/ &&
248 $2 !~ /^\$2/ &&
249 $2 !~ /^\$sha1/ &&
250 $2 != "" &&
251 (permit_star || $2 != "*") &&
252 $2 !~ /^\*[A-z-]+$/ &&
253 $1 != "toor") {
254 if ($10 == "" || shells[$10])
255 printf "Login %s is off but still has "\
256 "a valid shell (%s)\n", $1, $10;
257 } else if (compatline && $10 == "") {
258 # nothing
259 } else if (! shells[$10])
260 printf "Login %s does not have a valid "\
261 "shell (%s)\n", $1, $10;
262 }
263 if ($3 == 0 && !uid0_users[$1] && !nowarn_users[$1])
264 printf "Login %s has a user id of 0.\n", $1;
265 if ($3 != "" && $3 < 0)
266 printf "Login %s has a negative user id.\n", $1;
267 if ($4 != "" && $4 < 0)
268 printf "Login %s has a negative group id.\n", $1;
269 }' < $MP > $OUTPUT
270 if [ -s $OUTPUT ] ; then
271 printf "\nChecking the $MP file:\n"
272 cat $OUTPUT
273 fi
274
275 awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT
276 if [ -s $OUTPUT ] ; then
277 printf "\n$MP has duplicate user names.\n"
278 column $OUTPUT
279 fi
280
281 # To not exclude 'toor', a standard duplicate root account, from the duplicate
282 # account test, uncomment the line below (without egrep in it)and comment
283 # out the line (with egrep in it) below it.
284 #
285 # < $MPBYUID uniq -d -f 1 | awk '{ print $2 }' > $TMP2
286 < $MPBYUID egrep -v '^toor ' | uniq -d -f 1 | awk '{ print $2 }' > $TMP2
287 if [ -s $TMP2 ] ; then
288 printf "\n$MP has duplicate user id's.\n"
289 while read uid; do
290 grep -w $uid $MPBYUID
291 done < $TMP2 | column
292 fi
293 fi
294
295 # Check the group file syntax.
296 #
297 if checkyesno check_group; then
298 GRP=/etc/group
299 awk -F: -v "len=$max_grouplen" '{
300 if ($0 ~ /^[ ]*$/) {
301 printf "Line %d is a blank line.\n", NR;
302 next;
303 }
304 if (NF != 4 && ($1 != "+" || NF != 1))
305 printf "Line %d has the wrong number of fields.\n", NR;
306 if ($1 == "+" ) {
307 next;
308 }
309 if ($1 !~ /^[_A-Za-z0-9]([-A-Za-z0-9_.]*[A-Za-z0-9])*$/)
310 printf "Group %s has non-alphanumeric characters.\n",
311 $1;
312 if (length($1) > len)
313 printf "Group %s has more than "len" characters.\n", $1;
314 if ($3 !~ /[0-9]*/)
315 printf "Login %s has a negative group id.\n", $1;
316 }' < $GRP > $OUTPUT
317 if [ -s $OUTPUT ] ; then
318 printf "\nChecking the $GRP file:\n"
319 cat $OUTPUT
320 fi
321
322 awk -F: '{ print $1 }' $GRP | sort | uniq -d > $OUTPUT
323 if [ -s $OUTPUT ] ; then
324 printf "\n$GRP has duplicate group names.\n"
325 column $OUTPUT
326 fi
327 fi
328
329 # Check for root paths, umask values in startup files.
330 # The check for the root paths is problematical -- it's likely to fail
331 # in other environments. Once the shells have been modified to warn
332 # of '.' in the path, the path tests should go away.
333 #
334 if checkyesno check_rootdotfiles; then
335 rhome=~root
336 umaskset=no
337 list="/etc/csh.cshrc /etc/csh.login ${rhome}/.cshrc ${rhome}/.login"
338 for i in $list ; do
339 if [ -f $i ] ; then
340 if egrep '^[ \t]*umask[ \t]+[0-7]+' $i > /dev/null ;
341 then
342 umaskset=yes
343 fi
344 # Double check the umask value itself; ensure that
345 # both the group and other write bits are set.
346 #
347 egrep '^[ \t]*umask[ \t]+[0-7]+' $i |
348 awk '{
349 if ($2 ~ /^.$/ || $2 ~! /[^2367].$/) {
350 print "\tRoot umask is group writable"
351 }
352 if ($2 ~ /[^2367]$/) {
353 print "\tRoot umask is other writable"
354 }
355 }' | sort -u
356 SAVE_PATH=$PATH
357 unset PATH
358 /bin/csh -f -s << end-of-csh > /dev/null 2>&1
359 source $i
360 /bin/ls -ldgT \$path > $TMP1
361 end-of-csh
362 export PATH=$SAVE_PATH
363 awk '{
364 if ($10 ~ /^\.$/) {
365 print "\tThe root path includes .";
366 next;
367 }
368 }
369 $1 ~ /^d....w/ \
370 { print "\tRoot path directory " $10 " is group writable." } \
371 $1 ~ /^d.......w/ \
372 { print "\tRoot path directory " $10 " is other writable." }' \
373 < $TMP1
374 fi
375 done > $OUTPUT
376 if [ $umaskset = "no" -o -s $OUTPUT ] ; then
377 printf "\nChecking root csh paths, umask values:\n$list\n\n"
378 if [ -s $OUTPUT ]; then
379 cat $OUTPUT
380 fi
381 if [ $umaskset = "no" ] ; then
382 printf "\tRoot csh startup files do not set the umask.\n"
383 fi
384 fi
385
386 umaskset=no
387 list="/etc/profile ${rhome}/.profile"
388 for i in $list; do
389 if [ -f $i ] ; then
390 if egrep umask $i > /dev/null ; then
391 umaskset=yes
392 fi
393 egrep umask $i |
394 awk '$2 ~ /^.$/ || $2 ~ /[^2367].$/ \
395 { print "\tRoot umask is group writable" } \
396 $2 ~ /[^2367]$/ \
397 { print "\tRoot umask is other writable" }'
398 SAVE_PATH=$PATH
399 unset PATH
400 /bin/sh << end-of-sh > /dev/null 2>&1
401 . $i
402 list=\`echo \$PATH | /usr/bin/sed -e \
403 's/^:/.:/;s/:$/:./;s/::/:.:/g;s/:/ /g'\`
404 /bin/ls -ldgT \$list > $TMP1
405 end-of-sh
406 export PATH=$SAVE_PATH
407 awk '{
408 if ($10 ~ /^\.$/) {
409 print "\tThe root path includes .";
410 next;
411 }
412 }
413 $1 ~ /^d....w/ \
414 { print "\tRoot path directory " $10 " is group writable." } \
415 $1 ~ /^d.......w/ \
416 { print "\tRoot path directory " $10 " is other writable." }' \
417 < $TMP1
418
419 fi
420 done > $OUTPUT
421 if [ $umaskset = "no" -o -s $OUTPUT ] ; then
422 printf "\nChecking root sh paths, umask values:\n$list\n"
423 if [ -s $OUTPUT ]; then
424 cat $OUTPUT
425 fi
426 if [ $umaskset = "no" ] ; then
427 printf "\tRoot sh startup files do not set the umask.\n"
428 fi
429 fi
430 fi
431
432 # Root and uucp should both be in /etc/ftpusers.
433 #
434 if checkyesno check_ftpusers; then
435 list="uucp "`awk '$2 == 0 { print $1 }' $MPBYUID`
436 for i in $list; do
437 if /usr/libexec/ftpd -C $i ; then
438 printf "\t$i is not denied\n"
439 fi
440 done > $OUTPUT
441 if [ -s $OUTPUT ]; then
442 printf "\nChecking the /etc/ftpusers configuration:\n"
443 cat $OUTPUT
444 fi
445 fi
446
447 # Uudecode should not be in the /etc/mail/aliases file.
448 #
449 if checkyesno check_aliases; then
450 for f in /etc/mail/aliases /etc/aliases; do
451 if [ -f $f ] && egrep '^[^#]*(uudecode|decode).*\|' $f; then
452 printf "\nEntry for uudecode in $f file.\n"
453 fi
454 done
455 fi
456
457 # Files that should not have + signs.
458 #
459 if checkyesno check_rhosts; then
460 list="/etc/hosts.equiv /etc/hosts.lpd"
461 for f in $list ; do
462 if [ -f $f ] && egrep '\+' $f > /dev/null ; then
463 printf "\nPlus sign in $f file.\n"
464 fi
465 done
466
467 # Check for special users with .rhosts files. Only root and toor should
468 # have .rhosts files. Also, .rhosts files should not have plus signs.
469 awk -F: '$1 != "root" && $1 != "toor" && \
470 ($3 < 100 || $1 == "ftp" || $1 == "uucp") \
471 { print $1 " " $9 }' $MP |
472 sort -k2 |
473 while read uid homedir; do
474 if [ -f ${homedir}/.rhosts ] ; then
475 rhost=`ls -ldgT ${homedir}/.rhosts`
476 printf -- "$uid: $rhost\n"
477 fi
478 done > $OUTPUT
479 if [ -s $OUTPUT ] ; then
480 printf "\nChecking for special users with .rhosts files.\n"
481 cat $OUTPUT
482 fi
483
484 while read uid homedir; do
485 if [ -f ${homedir}/.rhosts -a -r ${homedir}/.rhosts ] && \
486 cat -f ${homedir}/.rhosts | egrep '\+' > /dev/null ; then
487 printf -- "$uid: + in .rhosts file.\n"
488 fi
489 done < $MPBYPATH > $OUTPUT
490 if [ -s $OUTPUT ] ; then
491 printf "\nChecking .rhosts files syntax.\n"
492 cat $OUTPUT
493 fi
494 fi
495
496 # Check home directories. Directories should not be owned by someone else
497 # or writable.
498 #
499 if checkyesno check_homes; then
500 checkyesno check_homes_permit_usergroups && \
501 permit_usergroups=1 || permit_usergroups=0
502 while read uid homedir; do
503 if [ -d ${homedir}/ ] ; then
504 file=`ls -ldgT ${homedir}`
505 printf -- "$uid $file\n"
506 fi
507 done < $MPBYPATH |
508 awk -v "usergroups=$permit_usergroups" '
509 $1 != $4 && $4 != "root" \
510 { print "user " $1 " home directory is owned by " $4 }
511 $2 ~ /^d....w/ && (!usergroups || $5 != $1) \
512 { print "user " $1 " home directory is group writable" }
513 $2 ~ /^d.......w/ \
514 { print "user " $1 " home directory is other writable" }' \
515 > $OUTPUT
516 if [ -s $OUTPUT ] ; then
517 printf "\nChecking home directories.\n"
518 cat $OUTPUT
519 fi
520
521 # Files that should not be owned by someone else or readable.
522 list=".Xauthority .netrc .ssh/id_dsa .ssh/id_rsa .ssh/identity"
523 while read uid homedir; do
524 for f in $list ; do
525 file=${homedir}/${f}
526 if [ -f $file ] ; then
527 printf -- "$uid $f `ls -ldgT $file`\n"
528 fi
529 done
530 done < $MPBYPATH |
531 awk -v "usergroups=$permit_usergroups" '
532 $1 != $5 && $5 != "root" \
533 { print "user " $1 " " $2 " file is owned by " $5 }
534 $3 ~ /^-...r/ && (!usergroups || $6 != $1) \
535 { print "user " $1 " " $2 " file is group readable" }
536 $3 ~ /^-......r/ \
537 { print "user " $1 " " $2 " file is other readable" }
538 $3 ~ /^-....w/ && (!usergroups || $6 != $1) \
539 { print "user " $1 " " $2 " file is group writable" }
540 $3 ~ /^-.......w/ \
541 { print "user " $1 " " $2 " file is other writable" }' \
542 > $OUTPUT
543
544 # Files that should not be owned by someone else or writable.
545 list=".bash_history .bash_login .bash_logout .bash_profile .bashrc \
546 .cshrc .emacs .exrc .forward .history .k5login .klogin .login \
547 .logout .profile .qmail .rc_history .rhosts .shosts ssh .tcshrc \
548 .twmrc .xinitrc .xsession .ssh/authorized_keys \
549 .ssh/authorized_keys2 .ssh/config .ssh/id_dsa.pub \
550 .ssh/id_rsa.pub .ssh/identity.pub .ssh/known_hosts \
551 .ssh/known_hosts2"
552 while read uid homedir; do
553 for f in $list ; do
554 file=${homedir}/${f}
555 if [ -f $file ] ; then
556 printf -- "$uid $f `ls -ldgT $file`\n"
557 fi
558 done
559 done < $MPBYPATH |
560 awk -v "usergroups=$permit_usergroups" '
561 $1 != $5 && $5 != "root" \
562 { print "user " $1 " " $2 " file is owned by " $5 }
563 $3 ~ /^-....w/ && (!usergroups || $6 != $1) \
564 { print "user " $1 " " $2 " file is group writable" }
565 $3 ~ /^-.......w/ \
566 { print "user " $1 " " $2 " file is other writable" }' \
567 >> $OUTPUT
568 if [ -s $OUTPUT ] ; then
569 printf "\nChecking dot files.\n"
570 cat $OUTPUT
571 fi
572 fi
573
574 # Mailboxes should be owned by user and unreadable.
575 #
576 if checkyesno check_varmail; then
577 ls -lA /var/mail | \
578 awk ' NR == 1 { next; }
579 $9 ~ /^\./ {next; }
580 $3 != $9 {
581 print "user " $9 " mailbox is owned by " $3
582 }
583 $1 != "-rw-------" {
584 print "user " $9 " mailbox is " $1 ", group " $4
585 }' > $OUTPUT
586 if [ -s $OUTPUT ] ; then
587 printf "\nChecking mailbox ownership.\n"
588 cat $OUTPUT
589 fi
590 fi
591
592 # NFS exports shouldn't be globally exported
593 #
594 if checkyesno check_nfs && [ -f /etc/exports ]; then
595 awk '{
596 # ignore comments and blank lines
597 if ($0 ~ /^\#/ || $0 ~ /^$/ )
598 next;
599 # manage line continuation
600 while ($NF ~ /^\\$/) {
601 $NF = "";
602 line = $0 "";
603 getline;
604 $0 = line $0 "";
605 }
606
607 delete dir;
608 readonly = ndir = 0;
609 for (i = 1; i <= NF; ++i) {
610 if ($i ~ /^\//) dir[ndir++] = $i;
611 else if ($i ~ /^-/) {
612 if ($i ~ /^-(ro|o)$/) readonly = 1;
613 if ($i ~ /^-network/) next;
614 }
615 else next;
616 }
617 if (readonly)
618 for (item in dir)
619 rodir[nrodir++] = dir[item];
620 else
621 for (item in dir)
622 rwdir[nrwdir++] = dir[item];
623
624 }
625
626 END {
627 if (nrodir) {
628 printf("Globally exported file system%s, read-only:\n",
629 nrodir > 1 ? "s" : "");
630 for (item in rodir)
631 printf("\t%s\n", rodir[item]);
632 }
633 if (nrwdir) {
634 printf("Globally exported file system%s, read-write:\n",
635 nrwdir > 1 ? "s" : "");
636 for (item in rwdir)
637 printf("\t%s\n", rwdir[item]);
638 }
639 }' < /etc/exports > $OUTPUT
640 if [ -s $OUTPUT ] ; then
641 printf "\nChecking for globally exported file systems.\n"
642 cat $OUTPUT
643 fi
644 fi
645
646 # Display any changes in setuid files and devices.
647 #
648 if checkyesno check_devices; then
649 > $ERR
650 (
651
652 # Convert check_devices_ignore_fstypes="foo !bar bax"
653 # into "-fstype foo -o ! -fstype bar -o -fstype bax"
654 # and check_devices_ignore_paths="/foo !/bar /bax"
655 # into " -path /foo -o ! -path /bar -o -path /bax"
656 #
657 ignexpr=$(\
658 echo $check_devices_ignore_fstypes | \
659 sed -e's/\(!*\)\([^[:space:]]\{1,\}\)/-o \1 -fstype \2/g' ; \
660 echo $check_devices_ignore_paths | \
661 sed -e's/\(!*\)\([^[:space:]]\{1,\}\)/-o \1 -path \2/g' \
662 )
663
664 # Massage the expression into ( $ignexpr ) -a -prune -o
665 if [ -n "${ignexpr}" ]; then
666 ignexpr=$(\
667 echo $ignexpr | \
668 sed -e 's/^-o /( /' \
669 -e 's/$/ ) -a -prune -o/' \
670 )
671 fi
672
673 find / $ignexpr \
674 \( \( -perm -u+s -a ! -type d \) -o \
675 \( -perm -g+s -a ! -type d \) -o \
676 -type b -o -type c \) -print0 | \
677 xargs -0 ls -ldgTq | sort +9 > $LIST
678
679 ) 2> $OUTPUT
680
681 # Display any errors that occurred during system file walk.
682 if [ -s $OUTPUT ] ; then
683 printf "Setuid/device find errors:\n" >> $ERR
684 cat $OUTPUT >> $ERR
685 printf "\n" >> $ERR
686 fi
687
688 # Display any changes in the setuid file list.
689 egrep -v '^[bc]' $LIST > $TMP1
690 if [ -s $TMP1 ] ; then
691 # Check to make sure uudecode isn't setuid.
692 if grep -w uudecode $TMP1 > /dev/null ; then
693 printf "\nUudecode is setuid.\n" >> $ERR
694 fi
695
696 file=$work_dir/setuid
697 migrate_file "$backup_dir/setuid" "$file"
698 CUR=${file}.current
699 BACK=${file}.backup
700 if [ -s $CUR ] ; then
701 if cmp -s $CUR $TMP1 ; then
702 :
703 else
704 > $TMP2
705 join -110 -210 -v2 $CUR $TMP1 > $OUTPUT
706 if [ -s $OUTPUT ] ; then
707 printf "Setuid additions:\n" >> $ERR
708 tee -a $TMP2 < $OUTPUT >> $ERR
709 printf "\n" >> $ERR
710 fi
711
712 join -110 -210 -v1 $CUR $TMP1 > $OUTPUT
713 if [ -s $OUTPUT ] ; then
714 printf "Setuid deletions:\n" >> $ERR
715 tee -a $TMP2 < $OUTPUT >> $ERR
716 printf "\n" >> $ERR
717 fi
718
719 sort -k10 $TMP2 $CUR $TMP1 | \
720 sed -e 's/[ ][ ]*/ /g' | \
721 uniq -u > $OUTPUT
722 if [ -s $OUTPUT ] ; then
723 printf "Setuid changes:\n" >> $ERR
724 column -t $OUTPUT >> $ERR
725 printf "\n" >> $ERR
726 fi
727
728 backup_file update $TMP1 $CUR $BACK
729 fi
730 else
731 printf "Setuid additions:\n" >> $ERR
732 column -t $TMP1 >> $ERR
733 printf "\n" >> $ERR
734 backup_file add $TMP1 $CUR $BACK
735 fi
736 fi
737
738 # Check for block and character disk devices that are readable or
739 # writable or not owned by root.operator.
740 >$TMP1
741 DISKLIST="ccd ch hk hp ld md ra raid rb rd rl rx \
742 sd se ss uk up vnd wd xd xy"
743 # DISKLIST="$DISKLIST ct mt st wt"
744 for i in $DISKLIST; do
745 egrep "^b.*/${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1
746 egrep "^c.*/r${i}[0-9][0-9]*[a-p]$" $LIST >> $TMP1
747 done
748
749 awk '$3 != "root" || $4 != "operator" || $1 !~ /.rw-r-----/ \
750 { printf "Disk %s is user %s, group %s, permissions %s.\n", \
751 $11, $3, $4, $1; }' < $TMP1 > $OUTPUT
752 if [ -s $OUTPUT ] ; then
753 printf "\nChecking disk ownership and permissions.\n" >> $ERR
754 cat $OUTPUT >> $ERR
755 printf "\n" >> $ERR
756 fi
757
758 # Display any changes in the device file list.
759 egrep '^[bc]' $LIST | sort -k11 > $TMP1
760 if [ -s $TMP1 ] ; then
761 file=$work_dir/device
762 migrate_file "$backup_dir/device" "$file"
763 CUR=${file}.current
764 BACK=${file}.backup
765
766 if [ -s $CUR ] ; then
767 if cmp -s $CUR $TMP1 ; then
768 :
769 else
770 > $TMP2
771 join -111 -211 -v2 $CUR $TMP1 > $OUTPUT
772 if [ -s $OUTPUT ] ; then
773 printf "Device additions:\n" >> $ERR
774 tee -a $TMP2 < $OUTPUT >> $ERR
775 printf "\n" >> $ERR
776 fi
777
778 join -111 -211 -v1 $CUR $TMP1 > $OUTPUT
779 if [ -s $OUTPUT ] ; then
780 printf "Device deletions:\n" >> $ERR
781 tee -a $TMP2 < $OUTPUT >> $ERR
782 printf "\n" >> $ERR
783 fi
784
785 # Report any block device change. Ignore
786 # character devices, only the name is
787 # significant.
788 cat $TMP2 $CUR $TMP1 | \
789 sed -e '/^c/d' | \
790 sort -k11 | \
791 sed -e 's/[ ][ ]*/ /g' | \
792 uniq -u > $OUTPUT
793 if [ -s $OUTPUT ] ; then
794 printf "Block device changes:\n" >> $ERR
795 column -t $OUTPUT >> $ERR
796 printf "\n" >> $ERR
797 fi
798
799 backup_file update $TMP1 $CUR $BACK
800 fi
801 else
802 printf "Device additions:\n" >> $ERR
803 column -t $TMP1 >> $ERR
804 printf "\n" >> $ERR
805 backup_file add $TMP1 $CUR $BACK >> $ERR
806 fi
807 fi
808 if [ -s $ERR ] ; then
809 printf "\nChecking setuid files and devices:\n"
810 cat $ERR
811 printf "\n"
812 fi
813 fi
814
815 # Check special files.
816 # Check system binaries.
817 #
818 # Create the mtree tree specifications using:
819 # mtree -cx -pDIR -kmd5,uid,gid,mode,nlink,size,link,time > DIR.secure
820 # chown root:wheel DIR.secure
821 # chmod u+r,go= DIR.secure
822 #
823 # Note, this is not complete protection against Trojan horsed binaries, as
824 # the hacker can modify the tree specification to match the replaced binary.
825 # For details on really protecting yourself against modified binaries, see
826 # the mtree(8) manual page.
827 #
828 if checkyesno check_mtree; then
829 if checkyesno check_mtree_follow_symlinks; then
830 check_mtree_flags="-L"
831 else
832 check_mtree_flags=""
833 fi
834 mtree -e -l -p / $check_mtree_flags -f $SPECIALSPEC 3>&1 >$OUTPUT 2>&3 |
835 grep -v '^mtree: dev/tty: Device not configured$' >&2
836 if [ -s $OUTPUT ]; then
837 printf "\nChecking special files and directories.\n"
838 cat $OUTPUT
839 fi
840
841 for file in /etc/mtree/*.secure; do
842 [ $file = '/etc/mtree/*.secure' ] && continue
843 tree=`sed -n -e '3s/.* //p' -e 3q $file`
844 mtree $check_mtree_flags -f $file -p $tree > $TMP1
845 if [ -s $TMP1 ]; then
846 printf "\nChecking $tree:\n"
847 cat $TMP1
848 fi
849 done > $OUTPUT
850 if [ -s $OUTPUT ]; then
851 printf "\nChecking system binaries:\n"
852 cat $OUTPUT
853 fi
854 fi
855
856 # Backup disklabels of available disks
857 #
858 if checkyesno check_disklabels; then
859 # migrate old disklabels
860 for file in `ls -1d $backup_dir/$backup_dir/disklabel.* \
861 $backup_dir/disklabel.* 2>/dev/null`; do
862 migrate_file "$file" "$work_dir/${file##*/}"
863 done
864
865 # generate list of old disklabels, fdisks & wedges and remove them
866 ls -1d $work_dir/disklabel.* $work_dir/fdisk.* $work_dir/wedges.* 2>/dev/null |
867 egrep -v '\.(backup|current)(,v)?$' > $LABELS
868 xargs rm < $LABELS
869
870 # generate disklabels of all disks excluding: cd dk fd md st
871 disks=`iostat -x | awk 'NR > 1 && $1 !~ /^[cfm]d|dk|st|nfs/ { print $1; }'`
872 for i in $disks; do
873 disklabel $i > "$work_dir/disklabel.$i" 2>/dev/null
874 done
875
876 # if fdisk is available, generate fdisks for: ed ld sd wd
877 if [ -x /sbin/fdisk ]; then
878 disks=`iostat -x| awk 'NR > 1 && $1 ~ /^[elsw]d/ { print $1; }'`
879 for i in $disks; do
880 /sbin/fdisk $i > "$work_dir/fdisk.$i" 2>/dev/null
881 done
882 fi
883
884 # if dkctl is available, generate dkctl listwedges for: ed ld sd wd cgd ofdisk ra rl raid
885 if [ -x /sbin/dkctl ]; then
886 disks=`iostat -x| awk 'NR > 1 && $1 ~ /^[elsw]d|cgd|ofdisk|r[al]|raid/ { print $1; }'`
887 for i in $disks; do
888 /sbin/dkctl $i listwedges > "$work_dir/wedges.$i" 2>/dev/null
889 done
890 fi
891
892 # append list of new disklabels, fdisks and wedges
893 ls -1d $work_dir/disklabel.* $work_dir/fdisk.* $work_dir/wedges.* 2>/dev/null |
894 egrep -v '\.(backup|current)(,v)?$' >> $LABELS
895 CHANGELIST="$LABELS $CHANGELIST"
896 fi
897
898 if checkyesno check_lvm; then
899
900 # generate list of existing LVM elements Physical Volumes, Volume Groups and Logical Volumes.
901 if [ -x /sbin/lvm ]; then
902 lvm pvdisplay -m >"$work_dir/lvm.pv" 2>/dev/null
903 lvm vgdisplay -m >"$work_dir/lvm.vg" 2>/dev/null
904 lvm lvdisplay -m >"$work_dir/lvm.lv" 2>/dev/null
905 fi
906 ls -1d $work_dir/lvm.* 2>/dev/null |
907 egrep -v '\.(backup|current)(,v)?$'>> $LVM_LABELS
908 CHANGELIST="$CHANGELIST $LVM_LABELS"
909 fi
910
911 # Check for changes in the list of installed pkgs
912 #
913 if checkyesno check_pkgs && [ -d $pkgdb_dir ]; then
914 pkgs=$work_dir/pkgs
915 migrate_file "$backup_dir/pkgs" "$pkgs"
916 ( cd $pkgdb_dir
917 $pkg_info | sort
918 echo ""
919 find . \( -name +REQUIRED_BY -o -name +CONTENTS \) -print0 |
920 xargs -0 ls -ldgTq | sort -t. +1 | sed -e 's, \./, ,'
921 ) > $pkgs
922 echo "$pkgs" > $PKGS
923 CHANGELIST="$PKGS $CHANGELIST"
924 fi
925
926 # List of files that get backed up and checked for any modifications.
927 # Any changes cause the files to rotate.
928 #
929 if checkyesno check_changelist ; then
930 mtree -D -k type -f $SPECIALSPEC -E exclude |
931 sed '/^type=file/!d ; s/type=file \.//' | unvis > $CHANGEFILES
932
933 (
934 # Add other files which might dynamically exist:
935 # /etc/ifconfig.*
936 # /etc/raid*.conf
937 # /etc/rc.d/*
938 # /etc/rc.conf.d/*
939 #
940 echo "/etc/ifconfig.*"
941 echo "/etc/raid*.conf"
942 echo "/etc/rc.d/*"
943 echo "/etc/rc.conf.d/*"
944 echo "/etc/lvm/backup/*"
945 echo "/etc/lvm/archive/*"
946
947 # Add /etc/changelist
948 #
949 if [ -s /etc/changelist ]; then
950 grep -v '^#' /etc/changelist
951 fi
952 ) | while read file; do
953 case "$file" in
954 *[\*\?\[]*) # If changelist line is a glob ...
955 # ... expand possible backup files
956 #
957 ls -1d $(echo $backup_dir/${file}.current) 2>/dev/null \
958 | sed "s,^$backup_dir/,, ; s,\.current$,,"
959
960 # ... expand possible files
961 #
962 ls -1d $(echo $file) 2>/dev/null
963 ;;
964 *)
965 # Otherwise, just print the filename
966 echo $file
967 ;;
968 esac
969 done >> $CHANGEFILES
970 CHANGELIST="$CHANGEFILES $CHANGELIST"
971 fi
972
973 # Special case backups, including the master password file and
974 # ssh private host keys. The normal backup mechanisms for
975 # $check_changelist (see below) also print out the actual file
976 # differences and we don't want to do that for these files
977 #
978 echo $MP > $TMP1 # always add /etc/master.passwd
979 mtree -D -k type -f $SPECIALSPEC -I nodiff |
980 sed '/^type=file/!d ; s/type=file \.//' | unvis >> $TMP1
981 grep -v '^$' $TMP1 | sort -u > $TMP2
982
983 while read file; do
984 backup_and_diff "$file" no
985 done < $TMP2
986
987
988 if [ -n "$CHANGELIST" ]; then
989 grep -h -v '^$' $CHANGELIST | sort -u > $TMP1
990 comm -23 $TMP1 $TMP2 | while read file; do
991 backup_and_diff "$file" yes
992 done
993 fi
994
995 if [ -f /etc/security.local ]; then
996 . /etc/security.local > $OUTPUT 2>&1
997 if [ -s $OUTPUT ] ; then
998 printf "\nRunning /etc/security.local:\n"
999 cat $OUTPUT
1000 fi
1001 fi
NetBSD on the FriendlyARM MINI2440