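#!/usr/bin/ksh
#
# sec - periodic configuration-drift and integrity check for a Solaris host.
#
# Originally written by Hannu Valtanen (Hannu Valtanen Oy, http://www.valtanen.com)
# for a security course, 6.6.2001.  Use this script at your own risk.
#
# First run (no $DIR/.sec marker): enforce a fixed permission table, add root to
# /etc/ftpusers and take a baseline "picture" of key configuration files and of
# the SUID / SGID / device / .rhosts inventory into $DIR/.* .
# Every later run: re-enforce the permissions, report every difference against
# the baseline, plus duplicate UIDs, password-less accounts and logins that
# happened during night hours.  Started from an at(1) job (no controlling
# terminal) the report is mailed to $ADDRESS and the next run is scheduled;
# started interactively the report goes to stdout and the number of changed
# items (capped at 255) is the exit status.
#
# Must run as root.  $DIR holds the baselines and the lock, so it must not be
# writable by anybody else: whoever can edit the pictures can silence the check.
#
# Options:  -t   skip the (slow) find(1) inventories
#           -r   drop the marker so the next run takes a fresh picture
#           -a   queue "sec ADDRESS..." for tomorrow $FIRST:00 instead of running now
#
# TODO (from the original author): modem check, too long root sessions,
# public/private key pictures.

SYSTEM=$(uname -n)
AWK=/usr/xpg4/bin/awk
umask 077

NB=22           # night time begins (hour)
NE=06           # night time ends (hour)
FIRST=06        # first scheduled run of the day (hour)
SECOND=18       # second scheduled run of the day (hour)
DIR=/etc/security/audit
LOCK=$DIR/.sec.running

usage() {
    echo "Usage: $DIR/sec [-t] [-r] [-a Address(es)]" 1>&2
    echo "       $DIR/sec -t (Without find)" 1>&2
    echo "       $DIR/sec -r (Take a new picture)" 1>&2
    echo "       $DIR/sec -a security@trust.com (Send report to mail address)" 1>&2
    exit 1
}

AT=0
TEST=0
# Note: -a takes no getopts argument; the address list is the remaining
# positional parameters.
while getopts ':rat' OPTION
do
    case $OPTION in
        r) rm -f "$DIR/.sec" > /dev/null 2>&1 ;;
        a) AT=1 ;;
        t) TEST=1 ;;
        *) usage ;;
    esac
done
shift $((OPTIND - 1))

# Single-instance lock.  The file holds the owner's pid so that a lock left
# behind by a crashed or rebooted run does not silently stop all future checks.
if [[ -f "$LOCK" ]]
then
    OTHER=$(cat "$LOCK" 2>/dev/null)
    if [[ -n "$OTHER" ]] && kill -0 "$OTHER" 2>/dev/null
    then
        echo "Other sec is running!" 1>&2
        exit 1
    fi
    rm -f "$LOCK"          # stale lock: reclaim it
fi

if ((AT == 1))
then
    # Only operator-supplied addresses may reach this line: they are written
    # verbatim into a root at(1) job.
    (($# > 0)) && echo "$DIR/sec $*" | at $FIRST:00 tomorrow
    exit
fi

echo $$ > "$LOCK"
trap 'rm -f "$LOCK"; exit 1' 2 3 15

#######################################
# Convert an ls(1) mode string to four octal digits.
# Arguments: $1 - mode string such as "-rwsr-xr-x" (a trailing ACL "+" is ignored)
# Outputs:   e.g. "4755" on stdout
#######################################
function oc {
    # a[0] collects the setuid/setgid/sticky digit, a[1..3] user/group/other.
    echo "$1" | $AWK '
    function x(st, i, s) {
        # special bit: s/S (or t/T for "other") in the execute slot of triplet i
        if (substr(st, i*3+1, 1) == s || substr(st, i*3+1, 1) == toupper(s)) a[0] += 2^(3-i)
        if (substr(st, i*3-1, 1) == "r") a[i] += 4
        if (substr(st, i*3,   1) == "w") a[i] += 2
        # lower-case s/t also implies the execute bit; upper-case does not
        if (substr(st, i*3+1, 1) == "x" || substr(st, i*3+1, 1) == s) a[i] += 1
    }
    {
        for (y = 1; y <= 3; y++)
            if (y == 3) x($1, y, "t"); else x($1, y, "s")
        printf("%04d\n", a[0]*1000 + a[1]*100 + a[2]*10 + a[3])
    }'
}

#######################################
# Enforce the permission table below: report ACLs, report and correct modes.
# Globals:  AWK
# Outputs:  findings on stdout
#######################################
function ch {
    typeset FILE MOD JUNK PERM HAVE X
    while read -r FILE MOD JUNK
    do
        PERM=$(ls -ld "$FILE" 2>/dev/null)
        if [[ -z "$PERM" ]]
        then
            echo "Missing file: $FILE"
            continue
        fi
        # Solaris ls appends '+' to the mode string of a file carrying an ACL.
        # (The original piped "ls > /dev/null" into grep, so this never fired.)
        if echo "$PERM" | grep '^..........+' > /dev/null 2>&1
        then
            echo "ACL enabled in file $FILE:"
            getfacl "$FILE"
        fi
        # Compare as strings: both sides are zero-padded four-digit octal.
        HAVE=$(oc "${PERM%% *}")
        if [[ "$HAVE" != "$MOD" ]]
        then
            echo "Wrong permissions in file:"
            echo "$PERM"
        fi
        # Only plain files are corrected; a wrong mode on a directory
        # (e.g. /var/yp) is reported but left for the operator.
        [[ -f "$FILE" ]] && chmod "$MOD" "$FILE"
    done << END
/etc/passwd 0644
/etc/group 0644
/etc/inet/hosts 0444
/etc/shadow 0400
/usr/sbin/mount 0555
/usr/bin/chown 0555
/usr/bin/chgrp 0555
/usr/bin/chmod 0555
/usr/bin/ksh 0555
/usr/bin/csh 0555
/usr/ccs/bin/make 0555
/var/yp 0755
/var/yp/Makefile 0555
/var/yp/updaters 0644
/usr/bin/ypcat 0555
/usr/bin/ypmatch 0555
/usr/bin/yppasswd 6555
/usr/bin/ypwhich 0555
/usr/bin/ypservers 0555
END
    # Expiring the system accounts is disabled (kept from the original).
    for X in daemon bin sys adm lp smtp uucp listen nobody lpd nuucp noaccess nobody4
    do
        :   # usermod -e '01/01/70' $X
    done
}

#######################################
# Compare a file against its baseline picture and report the difference.
# Globals:   DIR, STATE (incremented, capped at 255)
# Arguments: $1 - label used in the report
#            $2 - file to check; its baseline is $DIR/.<basename>
#            $3 - "cp": adopt the new state as baseline on change
#                 "rm": delete $2 afterwards (scratch inventory file); the
#                       baseline is kept so the change is reported on every
#                       run until the operator re-pictures with -r
#            $4 - ".": use the $DIR/.<basename>. baseline instead
#######################################
function y {
    typeset LABEL=$1 SRC=$2 MODE=$3 BASE TMP
    if [[ "$4" = "." ]]
    then
        BASE=$DIR/.$(basename "$SRC").
    else
        BASE=$DIR/.$(basename "$SRC")
    fi
    TMP=$DIR/.sec.tmp.$$
    # diff's stderr is deliberately left on the report stream so that a
    # missing baseline shows up instead of being filtered away below.
    if ! diff "$SRC" "$BASE" > "$TMP"
    then
        ((STATE < 255)) && ((STATE = STATE + 1))
        echo "\n$LABEL has changed:"
        grep '^[><] ' "$TMP" | sed 's/^[><] //'
        [[ "$MODE" = "cp" ]] && cp "$SRC" "$DIR/.$(basename "$SRC")"
    fi
    # Remove the scratch file whether or not it changed (the original leaked it
    # when nothing had changed).
    [[ "$MODE" = "rm" ]] && rm -f "$SRC"
}

#######################################
# Inventory SUID files, SGID files, character devices and .rhosts files on
# local filesystems.
# Arguments: $1 - output path prefix (e.g. "$DIR/." or "$DIR/")
#            $2 - name of the .rhosts inventory file under that prefix
#######################################
function inventory {
    typeset P=$1 R=$2
    find / -local -perm -4000 -type f -exec ls -ld {} \; > "${P}suid" 2>/dev/null
    find / -local -perm -2000 -type f -exec ls -ld {} \; > "${P}sgid" 2>/dev/null
    find / -local -type c -exec ls -ld {} \; > "${P}dev" 2>/dev/null
    find / -local -name '.rhosts' -exec ls -ld {} \; > "${P}${R}" 2>/dev/null
}

integer STATE=0

#######################################
# Run the whole check: take the baseline on first run, then report drift.
# Globals:   DIR, LOCK, TEST, NB, NE, AWK, STATE
# Outputs:   the report on stdout/stderr
# Returns:   number of changed items (0..255)
#######################################
function x {
    if [[ ! -f "$DIR/.sec" ]]
    then
        # First run: enforce permissions, block ftp as root, take the picture.
        ch
        touch "$DIR/.sec"
        touch /etc/ftpusers
        grep "^ *root *$" /etc/ftpusers > /dev/null 2>&1 || echo "root" >> /etc/ftpusers
        cp /etc/passwd "$DIR/.passwd"
        cp /etc/group "$DIR/.group"
        cp /etc/inittab "$DIR/.inittab"
        cp /etc/pam.conf "$DIR/.pam.conf"
        cp /etc/inet/hosts "$DIR/.hosts"
        cp /etc/hosts.equiv "$DIR/.hosts.equiv"
        # sulog(4) marks failed su attempts with " - "
        grep " - " /var/adm/sulog > "$DIR/.sulog"
        ndd /dev/ip ip_forwarding > "$DIR/.ipforwarding"
        touch "$DIR/.rhosts"
        if ((TEST == 0))
        then
            inventory "$DIR/." "rhosts."
        fi
        # Creating /var/adm/loginlog is what enables failed-login logging, and
        # it is the file copied on the next line.  (The original touched
        # /var/adm/lastlogin, which nothing else here reads.)
        touch /var/adm/loginlog
        cp /var/adm/loginlog "$DIR/.loginlog"
        last > "$DIR/.last"
        cp /etc/default/su "$DIR/.su"
        cp /etc/default/login "$DIR/.login"
        cp /etc/services "$DIR/.services"
        cp /etc/ftpusers "$DIR/.ftpusers"
        cp /etc/inetd.conf "$DIR/.inetd.conf"
        mount | $AWK '{print $1,$2,$3,$4}' > "$DIR/.mount"
        # netstat -af inet | grep " LISTEN$" > $DIR/.listen
        chmod 400 "$DIR"/.[!.]*
        chown root:adm "$DIR"/.[!.]*
    fi

    STATE=0
    ch
    y /etc/services /etc/services
    y /etc/ftpusers /etc/ftpusers
    y /etc/inetd.conf /etc/inetd.conf
    y /etc/pam.conf /etc/pam.conf
    y /etc/passwd /etc/passwd cp
    y /etc/group /etc/group cp
    y /etc/inittab /etc/inittab cp
    y /etc/hosts /etc/hosts cp
    y /etc/hosts.equiv /etc/hosts.equiv cp

    # Relies on logins(1M) exiting 0 only when it has something to list.
    if logins -d > /dev/null 2>&1
    then
        echo "Duplicate User IDs:"
        logins -d
    fi
    if logins -p > /dev/null 2>&1
    then
        echo "Accounts With No Password:"
        logins -p
    fi

    mount | $AWK '{print $1,$2,$3,$4}' > "$DIR/mount"
    y mount "$DIR/mount" cp
    cp /var/adm/loginlog "$DIR/loginlog"
    y /var/adm/loginlog "$DIR/loginlog" cp
    grep " - " /var/adm/sulog > "$DIR/sulog"
    y /var/adm/sulog "$DIR/sulog" cp
    ndd /dev/ip ip_forwarding > "$DIR/ipforwarding"
    y Ipforwarding "$DIR/ipforwarding" rm
    rm -f "$DIR/mount" "$DIR/loginlog" "$DIR/sulog"

    if ((TEST == 0))
    then
        inventory "$DIR/" "rhosts"
        y "Root SUID file" "$DIR/suid" rm
        y "System SGID file" "$DIR/sgid" rm
        y "Device file" "$DIR/dev" rm
        y ".rhosts file" "$DIR/rhosts" rm .
    fi

    # netstat -af inet | grep " LISTEN$" > $DIR/.listen.$$
    # if ! diff $DIR/.listen $DIR/.listen.$$ 2>&1 > $DIR/.sec.tmp.$$
    # then
    #     ((STATE<255)) && STATE=STATE+1
    #     echo "\nPorts listen has changed:"
    #     cat $DIR/.sec.tmp.$$ | grep '^[><] ' | sed 's/^[><] //'
    # fi

    # Night logins: look only at last(1) entries that appeared since the
    # previous run and keep those whose hour falls in [NB,24) or [0,NE).
    last > "$DIR/.last.$$"
    if ! diff "$DIR/.last.$$" "$DIR/.last" > "$DIR/.sec.last.$$" 2>&1
    then
        grep '^[><] ' "$DIR/.sec.last.$$" | sed 's/^[><] //' > "$DIR/.last.$$"
        # The hour is read at a fixed column of Solaris last(1) output; lines
        # without two digits there (e.g. "wtmp begins ...") are skipped.
        $AWK -v NB="$NB" -v NE="$NE" '
        {
            h = substr($0, 54, 2)
            if (h !~ /^[0-9][0-9]$/) next
            h += 0
            if (h >= NB && h < 24) print $0
            if (h >= 0 && h < NE) print $0
        }' "$DIR/.last.$$" > "$DIR/.sec.last.$$"
        if [[ -s "$DIR/.sec.last.$$" ]]
        then
            ((STATE < 255)) && ((STATE = STATE + 1))
            echo "\nNight logins between $NB:00 - $NE:00"
            cat "$DIR/.sec.last.$$"
        fi
        last > "$DIR/.last"
    fi

    # Remove only our own scratch files.  The original "rm $DIR/.*.$$" also
    # unlinked the .sec.end.$$ report the batch caller was still writing, so
    # the mailed report was always empty.
    rm -f "$DIR/.sec.tmp.$$" "$DIR/.last.$$" "$DIR/.sec.last.$$"
    rm -f "$LOCK"
    return $STATE
}

# Remaining arguments are the mail recipients; they are also written verbatim
# into the next root at(1) job, so only operator-supplied values belong here.
ADDRESS="root"
(($# > 0)) && ADDRESS="$*"

# ps(1) without arguments lists only processes on the controlling terminal; a
# header-only listing (one line) therefore means no terminal, i.e. we were
# started by at(1): mail the report and schedule the next run.
if (( $(ps | wc -l | $AWK '{print $1}') == 1 ))
then
    REPORT=$DIR/.sec.end.$$
    touch "$REPORT"
    x >> "$REPORT" 2>&1
    [[ -s "$REPORT" ]] && mail $ADDRESS < "$REPORT"
    rm -f "$REPORT"
    NOW=$(date '+%H')
    # String compare: both values are zero-padded hours (avoids any leading
    # zero / octal surprises in shell arithmetic).
    if [[ "$NOW" = "$FIRST" ]]
    then
        echo "$DIR/sec $ADDRESS" | at $SECOND:00 today
    else
        echo "$DIR/sec $ADDRESS" | at $FIRST:00 tomorrow
    fi
else
    # Interactive run: print the report, exit with the number of changes.
    x
    exit $?
fi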