Unix security automating script

Fri Mar 23 23:58:45 AEST 1990

I refer back to a UNIX security checking script that I posted a while ago.
There were plenty replies to that one! Thanks for everybody that gave more
ideas. I incorporated most of the ideas into this one.

The idea behind this script is to point out potential security holes in your
system. If anybody has *even more* ideas, please mail to me, or if it isn't
a lot, post it. If enough stuff arrives, I'll post it again.

-------------- Cut here ---------------
# Security checking script.
#
# Hendrik Vermooten, ZEUS software  (No copyright)
#    hendrik at zeusa.UUCP
#    ..!uunet!ddsw1!olsa99!zeusa!hendrik
#
# Thanks for all the tips on passing shell variables to awk scripts.
#
# Originally posted by hendrik at zeusa.UUCP, with help & suggestions from:
#   (There were 4 more: I threw away my mail by mistake! Sorry guys!)
# riacs!rutgers!coat.com!andyb (Andy Behrens)
# uwm!swbatl.SWBT.COM!dwn (David Neill-OKCy Mktg 405-278-4007)
# riacs!rutgers!ux1.cso.uiuc.edu!hugh%slee01 (Hugh Fader)
# Joseph C. Konczal <uunet!mail-gw.ncsl.nist.gov!konczal>
# riacs!rutgers!gouldfr.encore.fr!kstock (Kevin Stock)
# "Michael J. Chinni, SMCAR-CCS-E" <!uunet!PICA.ARMY.MIL!mchinni>
# uunet!ddsw1!olsa99!oct1!cside1!mike (Mike Morris)
# Paul Smee <uunet!bris.ac.uk!P.Smee>
#
# BSD suggestions from:
#   "Michael J. Chinni, SMCAR-CCS-E" <!uunet!PICA.ARMY.MIL!mchinni>
# Change the next line to BSD=1 for BSD systems
BSD=0
# This is the directory where this utility lives:
DIR=/u/security
CRONDIR=/usr/spool/cron/crontabs
UUCPDIR=/usr/lib/uucp
# This line, for skipping NFS directories, didn't work on my (XENIX) system:
# FSTYPE="\( -fstype nfs -prune \) -o "
FSTYPE=""
echo "*** Hendrik's UNIX security check script ***"
date
echo ""
echo "* Logins with super user privileges:"
awk 'BEGIN { FS=":" } { if ($3 == "0" || $3 == "") print $1 }' < /etc/passwd
echo ""
#
echo "* Logins without passwords:"
awk 'BEGIN { FS=":" } { if ($2 == "") print $1 }' < /etc/passwd
# Next line from: Paul Smee <uunet!bris.ac.uk!P.Smee>
awk 'BEGIN { FS=":" } (NF<2) {print "Blank or incomplete entry, line ", NR}' < /etc/passwd
echo ""

# Check changes to passwd file
echo "* Changes to /etc/passwd since `cat $DIR/prevrun`:"
diff /etc/passwd $DIR/passwd
cp /etc/passwd $DIR/passwd
echo "* Changes to /etc/group since `cat $DIR/prevrun`:"
diff /etc/group $DIR/group
cp /etc/group $DIR/group
echo ""

# Check writeability of /etc/passwd
ls -l /etc/passwd | grep -v "^-rw-r--r--" && echo "WARNING: Check this file's access mode!"
ls -l /etc/group | grep -v "^-rw-r--r--" && echo "WARNING: Check this file's access mode!"
ls -l /etc/rc | grep -v "^-rw-r--r--" && echo "WARNING: Check this file's access mode!"
if [ $BSD -eq 1 ]
then
	ls -l /usr/lib/crontab | grep -v "^-rw-------" && echo "WARNING: Check this file's access mode!"
	ls -l /etc/rc.boot | grep -v "^-rw-------" && echo "WARNING: Check this file's access mode!"
	ls -l /etc/rc.local | grep -v "^-rw-------" && echo "WARNING: Check this file's access mode!"
else
	ls -l $CRONDIR/root | grep -v "^-rw-------" && echo "WARNING: Check this file's access mode!"
	if [ -f $CRONDIR/bin ]
		then
			ls -l $CRONDIR/bin | grep -v "^-rw-r--r--" && echo "WARNING: Check this file's access mode!"
		fi
fi

# If someone has changed root or bin crontabs, they can get in.
# Thanks to ddsw1!riacs!rutgers!ux1.cso.uiuc.edu!hugh%slee01 (Hugh Fader)
echo ""
if [ $BSD -eq 1 ]
then
	echo "* Changes to /usr/lib/crontab since `cat $DIR/prevrun`"
	diff /usr/lib/crontab $DIR/crontab
	cp /usr/lib/crontab $DIR/crontab
	echo ""
	echo "* Changes to /etc/rc.boot since `cat $DIR/prevrun`"
	diff /etc/rc.boot $DIR/rc.boot
	cp /etc/rc.boot $DIR/rc.boot
	echo ""
	echo "* Changes to /etc/rc.local since `cat $DIR/prevrun`"
	diff /etc/rc.local $DIR/rc.local
	cp /etc/rc.local $DIR/rc.local
	echo ""
else
# System V
	ls $CRONDIR | sort > $DIR/newcron
	ls $DIR/crons | sort > $DIR/oldcron
	echo "* New crontab files:"
	diff $DIR/oldcron $DIR/newcron | grep "^>"
	echo "* Changes to crontab files:"
	for i in $DIR/crons/*; do
		user=`basename $i`
		diff $i $CRONDIR/$user > $DIR/crondiffs
		if [ $? -ne 0 ]; then
	 		echo "* $user: "
	 		cat $DIR/crondiffs
		fi
	done
	rm $DIR/crondiffs
	rm $DIR/newcron
	rm $DIR/oldcron
	mkdir $DIR/crons 2> /dev/null
	cp $CRONDIR/* $DIR/crons
fi

# Naughty hackers might try to change their uucp access rights:
#
echo ""
echo "* UUCP security:"
if [ -f $UUCPDIR/L.sys ]
	then
		echo "'L.sys' file changes:"
		diff $UUCPDIR/L.sys $DIR/L.sys
		cp $UUCPDIR/L.sys $DIR/L.sys
	fi
if [ -f $UUCPDIR/Systems ]
	then
		echo "'Systems' file changes:"
		diff $UUCPDIR/Systems $DIR/Systems
		cp $UUCPDIR/Systems $DIR/Systems
	fi
if [ -f $UUCPDIR/Permissions ]
	then
		echo "'Permissions' file changes:"
		diff $UUCPDIR/Permissions $DIR/Permissions
		cp $UUCPDIR/Permissions $DIR/Permissions
	fi

#
# It would be nice to have full path names in the next two reports. But how?
# Thanks to ddsw1!riacs!rutgers!ux1.cso.uiuc.edu!hugh%slee01 (Hugh Fader):
# > With the find command that's how. Notice the -fstype clause causes skips
# > over nfs directories. The two finds could probably be combined.
#
echo ""
echo "* Directories that can be written to by everyone:"
ls -lR / | awk '/^d[rwx]......w[x-]/ { print }'
# My find doesn't have the -ls option. If you have, try using:
# find / -ls | awk '/d[rwx]......w[x-]/ { print }'
echo ""
echo "* Directories with search permissions for everyone:"
ls -lR / | awk '/^d[rwx]......w[x-]/ { print }'
# My find doesn't have the -ls option. If you have, try using:
#find / $FSTYPE -ls | awk '/d[rwx]......w[x-]/ { print }'

# Check Set UIDs & GIDs: I left the most important check till last
# Thanks to ddsw1!riacs!rutgers!ux1.cso.uiuc.edu!hugh%slee01 (Hugh Fader):
#   Skips over NFS directories
mv $DIR/setuids $DIR/setuids.prev
find / $FSTYPE \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \; | sort > $DIR/setuids
echo "* Set UID status that have been enabled since `cat $DIR/prevrun`"
diff $DIR/setuids.prev $DIR/setuids | grep "^>"

grep "^-[rwx]......w" $DIR/setuids && echo "* Set UID executeables that are writeable by Other"
grep "^-[rwx]...w" $DIR/setuids && echo "* Set UID executeables that are writeable by the group"

date > $DIR/prevrun
chown root $DIR/*
chmod 600 $DIR/*
chmod 700 $DIR
chmod +x $DIR/$0

# Other checks:
#   Changes to files under /etc/rc.d/*

#   Check only for set UID/GID to bin & root?
-------------- Cut here ---------------

 *** ***     Hendrik Vermooten, ZEUS software
 * o o *     Bang: ..!uunet!ddsw1!olsa99!zeusa!hendrik
O|  I  |O    or hendrik at zeusa.UUCP
 | *** |
 \*****/