freebsd-src/etc/security

#!/bin/sh -
#
#	@(#)security	5.3 (Berkeley) 5/28/91
# $FreeBSD$
#
PATH=/sbin:/bin:/usr/bin
LC_ALL=C; export LC_ALL

separator () {
	echo ''
	echo ''
}

sflag=FALSE ignore=
while getopts ams c
do
  case "$c" in
    a) ignore="$ignore|^amd:";;
    m) ignore="$ignore|^mfs:";;
    s) sflag=TRUE;;
  esac
done

yesterday=`date -v-1d "+%b %e "`

host=`hostname`
[ $sflag = FALSE ] && echo "Subject: ${host} security check output"

LOG=/var/log
TMP=/var/run/_secure.$$

umask 027

echo "checking setuid files and devices:"

# Don't have ncheck, but this does the equivalent of the commented out block.
# Note that one of the original problems, the possibility of overrunning
# the args to ls, is still here...
#
MP=`mount -t ufs | grep -v " nosuid" | sed 's;/dev/;&r;' | awk '{ print $3 }'`
set ${MP}
while [ $# -ge 1 ]; do
	mount=$1
	shift
	find $mount -xdev -type f \
		\( -perm -u+x -or -perm -g+x -or -perm -o+x \) \
		\( -perm -u+s -or -perm -g+s \) -print0
done | xargs -0 -n 20 ls -liTd | sort +10 > ${TMP}

if [ ! -f ${LOG}/setuid.today ]; then
	separator
	echo "no ${LOG}/setuid.today"
	cp ${TMP} ${LOG}/setuid.today
fi

if ! cmp ${LOG}/setuid.today ${TMP} >/dev/null; then
	separator
	echo "${host} setuid diffs:"
	diff -b ${LOG}/setuid.today ${TMP}
	mv ${LOG}/setuid.today ${LOG}/setuid.yesterday
	mv ${TMP} ${LOG}/setuid.today
fi

# Show changes in the way filesystems are mounted
#
[ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat
if mount -p | $cmd > $TMP; then
	if [ ! -f $LOG/mount.today ]; then
		separator
		echo "no $LOG/mount.today"
		cp $TMP $LOG/mount.today
	fi
	if ! cmp $LOG/mount.today $TMP >/dev/null 2>&1; then
		separator
		echo "$host changes in mounted filesystems:"
		diff -b $LOG/mount.today $TMP
		mv $LOG/mount.today $LOG/mount.yesterday
		mv $TMP $LOG/mount.today
	fi
fi

separator
echo "checking for uids of 0:"
awk -F: '$3==0 {print $1,$3}' /etc/master.passwd

separator
echo "checking for passwordless accounts:"
awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/master.passwd

# Show denied packets
#
if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
	if [ ! -f ${LOG}/ipfw.today ]; then
		separator
		echo "no ${LOG}/ipfw.today"
		cp ${TMP} ${LOG}/ipfw.today
	fi

	if ! cmp ${LOG}/ipfw.today ${TMP} >/dev/null; then
		separator
		echo "${host} denied packets:"
		diff -b ${LOG}/ipfw.today ${TMP} | egrep "^>"
		mv ${LOG}/ipfw.today ${LOG}/ipfw.yesterday
		mv ${TMP} ${LOG}/ipfw.today
	fi
fi

# Show ipfw rules which have reached the log limit
#
IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
if [ $? -eq 0 -a "${IPFW_LOG_LIMIT}" -ne 0 ]; then
	ipfw -a l | grep " log " | perl -n -e \
		'/^\d+\s+(\d+)/; print if ($1 >= '$IPFW_LOG_LIMIT')' > ${TMP}
	if [ -s "${TMP}" ]; then
		separator
		echo "ipfw log limit reached:"
		cat ${TMP}
	fi
fi

# Show kernel log messages
#
if dmesg 2>/dev/null > ${TMP}; then
	if [ ! -f ${LOG}/dmesg.today ]; then
		separator
		echo "no ${LOG}/dmesg.today"
		cp ${TMP} ${LOG}/dmesg.today
	fi

	if ! cmp ${LOG}/dmesg.today ${TMP} >/dev/null 2>&1; then
		separator
		echo "${host} kernel log messages:"
		diff -b ${LOG}/dmesg.today ${TMP} | egrep "^>"
		mv ${LOG}/dmesg.today ${LOG}/dmesg.yesterday
		mv ${TMP} ${LOG}/dmesg.today
	fi
fi

# Show login failures
#
separator
echo "${host} login failures:"
zcat -f $LOG/messages.0* $LOG/messages | grep -i "^$yesterday.*login failure"

# Show tcp_wrapper warning messages
#
separator
echo "${host} refused connections:"
zcat -f $LOG/messages.0* $LOG/messages | grep -i "^$yesterday.*refused connect"

rm -f ${TMP}