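#!/usr/bin/ksh
# This script is made by Hannu Valtanen and security course 15.11.2001
# Hannu Valtanen Oy
# http://valtanen.com
# mailto:h@valtanen.com
# Use this script at your own risk.
#
# sec - host integrity checker for AIX.
#
# Keeps baselines of selected files and command outputs under $DIR and
# reports every difference since the previous run (by mail when run from
# at(1), on stdout when run interactively).  It also repairs wrong modes
# and owners on the listed files, keeps the listed service accounts
# locked, and reports logins that fall into the night window.  Each
# scheduled run queues the next one with at(1).
#
# Usage: $DIR/sec [-r] [-a Address(es)]
#   -r           rebuild the configuration files and the marker $DIR/.sec
#                (the baselines are then re-recorded on the next run)
#   -a           do not run now; queue "$DIR/sec Address(es)" at $FIRST:00
#                tomorrow (nothing is queued when no address is given)
#   Address(es)  mail recipient(s) for the scheduled report, default root
#
# Needs ksh (integer, arithmetic shift, pipeline-into-read) and the AIX
# commands aclget, lsuser/chuser and pwdck/usrck/grpck.

umask 077                  # everything created by this script is private

# Night-login window, reported as "$NB:00 - $NE:00".
NB=22
NE=06
# Hours of the two daily runs queued with at(1).
FIRST=06
SECOND=18

DIR=/etc/security/audit    # state directory; also holds the lock file
TEMP=$DIR/temp             # baselines that are refreshed after a reported change
PERM=$DIR/perm             # configuration and baselines that must never change
export LANG=C              # locale-independent output from ls/diff/last/awk
integer STATE=0            # number of findings, becomes the exit status (capped at 255)

# Ideas left by the author, not implemented:
# Modem ?
# Too long root sessions ?
# Public and Private Key .sec ?
# Shellit ?
# File size and Check sum
# Number of Prosesses
# Uptime
# Test file

#######################################
# Print the usage line to stderr and exit 1.
#######################################
usage() {
  echo "Usage: $DIR/sec [-r] [-a Address(es)]" 1>&2
  exit 1
}

#######################################
# Create the state directories and write the three configuration files
# $PERM/files, $PERM/users and $PERM/commands.  Also adds root and every
# listed service account to /etc/ftpusers and clears the refreshable
# baselines in $TEMP.
# Globals:  DIR, TEMP, PERM (read)
#######################################
new() {
  for X in $DIR $TEMP $PERM
  do
    [ -d $X ] || {
      mkdir -p $X
      chown root:security $X
      chmod 700 $X
    }
  done
  touch $DIR/.sec          # marker: configuration exists, baselines recorded by x()
  # $PERM/files, one entry per line:
  #   path mode owner group [dir|perm|info|exe] [text|data]
  #   dir/exe  - only mode and owner are checked
  #   perm     - text content is baselined once in $PERM and must never change
  #   info     - text content is expected to change; a change is reported
  #              and the baseline in $TEMP is refreshed
  echo "\
$DIR 0750 root security dir
$TEMP 0700 root security dir
$PERM 0700 root security dir
$PERM/files 0600 root security perm text
$PERM/users 0600 root security perm text
$PERM/commands 0600 root security perm text
/ 0755 bin bin dir
/etc 0755 root system dir
/etc/passwd 0644 root security info text
/etc/group 0644 root security info text
/etc/hosts 0664 root system info text
/etc/hosts.equiv 0644 root system perm text
/etc/filesystems 0664 root system info text
/etc/resolv.conf 0644 root system perm text
/etc/services 0644 root system perm text
/etc/inittab 0644 root system perm text
/etc/rc 0554 bin bin perm text
/etc/rc.net 0554 bin bin perm text
/etc/rc.tcpip 0774 root system perm text
/etc/rc.nfs 0755 root system perm text
/etc/ftpusers 0555 root system info text
/etc/inetd.conf 0664 root system perm text
/etc/security 0750 root security dir
/etc/security/user 0640 root security info text
/etc/security/login.cfg 0660 root security perm text
/etc/security/limits 0640 root security info text
/etc/security/audit/sec 0500 root security perm text
/etc/security/failedlogin 0644 root system info data
/sbin/rc.boot 0774 root system perm text
/usr/sbin/mount 4755 root system exe
/usr/bin/chown 0555 root bin exe
/usr/bin/chgrp 0555 bin bin exe
/usr/bin/chmod 0555 bin bin exe
/usr/bin/ksh 0555 bin bin exe
/usr/bin/csh 0555 bin bin exe
/usr/bin/bsh 0555 bin bin exe
/usr/ccs/bin/make 0555 bin bin exe
/var/yp 0755 root system dir
/var/yp/Makefile 0555 root system exe
/var/yp/updaters 0644 root system exe
/usr/bin/ypcat 0555 root system exe
/usr/bin/ypmatch 0555 root system exe
/usr/bin/yppasswd 4555 root security exe
/usr/bin/ypservers 0555 root system exe
/usr/bin/ypwhich 0555 root system exe" > $PERM/files
  chmod 0600 $PERM/files
  chown root:security $PERM/files
  # $PERM/users: service accounts, one per line, that ch() keeps locked
  # and that are denied FTP via /etc/ftpusers.
  echo "\
daemon
bin
sys
adm
uucp
guest
nobody
lpd
lp
nuucp
invscout
nuucp
snapp
imnadm" > $PERM/users
  chmod 0600 $PERM/users
  chown root:security $PERM/users
  # $PERM/commands, one entry per line:  ID perm|info COMMAND
  # COMMAND is eval'ed by x() with this script's (root) privileges, so
  # this file is a trust boundary: it is written 0600 root:security here
  # and its mode/owner are verified and its content diffed on every run
  # because it is itself listed in $PERM/files.
  echo "\
sulog info grep ' - ' /var/adm/sulog
ipforwarding perm no -a|grep ipforwarding
netstat perm netstat -an|grep ' LISTEN$'|awk \'{print \$4}\'
SUID perm find / -perm -4000 -type f -user root -exec ls -lde {} \\\\\\\\;
SGID perm find / -perm -2000 -type f -group system -exec ls -lde {} \\\\\\\\;
rhosts perm find / -name '.rhosts' -exec ls -lde {} \\\\\\\\;
netrc perm find / -name '.netrc' -exec ls -lde {} \\\\\\\\;
failedlogin info who /etc/security/failedlogin
crontab info crontab -l
ifconfig perm ifconfig -a" > $PERM/commands
  chmod 0600 $PERM/commands
  chown root:security $PERM/commands
  # Deny FTP to root and to every listed service account (idempotent).
  [ -f /etc/ftpusers ] || touch /etc/ftpusers
  grep "^ *root *$" /etc/ftpusers >/dev/null 2>&1 || echo "root" >> /etc/ftpusers
  while read X
  do
    grep "^ *$X *$" /etc/ftpusers >/dev/null 2>&1 || echo "$X" >> /etc/ftpusers
  done < $PERM/users
  rm $TEMP/* > /dev/null 2>&1
}

AT=0
while getopts ':ra' OPTION
do
  case $OPTION in
    r) rm $DIR/.sec > /dev/null 2>&1; new ;;
    a) AT=1 ;;
    *) usage ;;
  esac
done
shift OPTIND-1             # ksh: shift accepts an arithmetic expression

# Single-instance lock.
if [ -f $DIR/.sec.running ]
then
  echo "Other sec is running!" 1>&2
  exit 1
fi
if ((AT==1))
then
  (($#>0)) && echo "$DIR/sec $*" | at $FIRST:00 tomorrow
  exit
fi
touch $DIR/.sec.running
# Installed only after this instance owns the lock, so a signal to an
# instance that exited above cannot remove another instance's lock file.
trap "rm $DIR/.sec.running;exit 1" 1 2 3 15 18

#######################################
# Convert an ls -l mode string (e.g. -rwsr-xr-x) into the 4-digit octal
# number used in $PERM/files (e.g. 4755), printed on stdout.
# Arguments: $1 - mode string, first field of ls -ld
#######################################
oc() {
  echo $1|awk '
  # i = 1 user, 2 group, 3 other; s = "s" or "t": the special bit shown
  # in the execute position (upper case means the x bit is not set).
  function x(st,i,s) {
    if(substr(st,i*3+1,1)==s||substr(st,i*3+1,1)==toupper(s)) a[0]=a[0]+2^(3-i)
    if(substr(st,i*3-1,1)=="r") a[i]=a[i]+4
    if(substr(st,i*3,1)=="w") a[i]=a[i]+2
    if(substr(st,i*3+1,1)=="x"||substr(st,i*3+1,1)==s) a[i]=a[i]+1
  }
  {
    for(y=1;y<=3;y++)
      if(y==3) x($1,y,"t")
      else x($1,y,"s")
    printf("%04d\n",a[0]*1000+a[1]*100+a[2]*10+a[3])
  }'
}

#######################################
# Check and repair mode and owner of every file in $PERM/files, report
# files that carry an ACL, and keep the accounts in $PERM/users locked.
# Globals:  PERM (read)
# Outputs:  one report line (plus ls -ld) per deviation found
#######################################
ch() {
  while read FILE MOD OWNER GROUP JUNK
  do
    OK=0
    # A missing file can neither be checked nor repaired; report it
    # instead of letting ls/oc fail inside the arithmetic test below.
    if [ ! -e $FILE ]
    then
      echo "Missing file: $FILE"
      continue
    fi
    # An enabled ACL grants access that the mode bits below do not show.
    if aclget $FILE|grep enabled > /dev/null 2>&1
    then
      echo "ACL enabled in file $FILE:"
      aclget $FILE
      OK=1
    fi
    if (($(oc $(ls -ld $FILE|awk '{print $1}'))!=MOD))
    then
      echo "Wrong permissions in file:"
      ls -ld $FILE
      OK=1
    fi
    # ksh runs the last pipeline stage in the current shell, so the
    # variables set by read survive.
    ls -ld $FILE|awk '{ print $3,$4 }'|read OWN GRO JUNK
    if [[ "$OWN" != "$OWNER" ]]
    then
      echo "Wrong owner in file:"
      ls -ld $FILE
      OK=1
    fi
    if [[ "$GRO" != "$GROUP" ]]
    then
      echo "Wrong group owner in file:"
      ls -ld $FILE
      OK=1
    fi
    # Restore the listed mode and owner (the ACL itself is only reported).
    if ((OK==1))
    then
      chmod $MOD $FILE
      chown $OWNER:$GROUP $FILE
    fi
  done < $PERM/files
  # Service accounts: locked, no login, no rlogin, expired long ago.
  while read X
  do
    lsuser $X > /dev/null 2>&1 && chuser account_locked='true' login='false' rlogin='false' expires='0101000070' $X
  done < $PERM/users
}

#######################################
# Run one AIX user-database checker (pwdck, usrck or grpck) with -y and
# print its report.  A non-zero status counts as a finding and copies of
# /etc/passwd and /etc/group are kept in $TEMP.
# Arguments: $1 - checker command name
# Globals:   STATE (written), DIR, TEMP (read)
#######################################
z() {
  if ! $1 -y ALL > $DIR/.sec.tmp.$$ 2>&1
  then
    ((STATE<255)) && STATE=STATE+1
    cp -p /etc/passwd $TEMP/passwd
    cp -p /etc/group $TEMP/group
    echo "\n$1:"
  fi
  if [[ "$1" = "usrck" ]]
  then
    # Accounts locked by ch() would otherwise be reported on every run.
    grep -v " is locked.$" $DIR/.sec.tmp.$$
  else
    cat $DIR/.sec.tmp.$$
  fi
}

#######################################
# Report one changed baseline item: count it and print the changed lines
# from the diff output in $DIR/.sec.tmp.$$ without the diff markers.
# Arguments: $1 - file name or command ID that changed
# Globals:   STATE (written), DIR (read)
#######################################
check() {
  ((STATE<255)) && STATE=STATE+1
  echo "\n$1 has changed:"
  sed -n 's/^[><] //p' $DIR/.sec.tmp.$$
}

#######################################
# Main check.  On the first run (no $DIR/.sec marker) build the
# configuration and record the baselines; otherwise compare the current
# state with the baselines and report every difference.
# Globals:  DIR, TEMP, PERM, NB, NE (read), STATE (written)
# Returns:  number of findings (0..255)
#######################################
x() {
  if [ ! -f $DIR/.sec ]
  then
    new
    ch
    # Record baselines: "perm" content into $PERM, "info" content into $TEMP.
    while read FILE MOD OWNER GROUP WHAT TYPE JUNK
    do
      [[ "$WHAT" = "dir" ]] && continue
      [[ "$WHAT" = "perm" && "$TYPE" = "text" ]] && cp -p $FILE $PERM/$(basename $FILE) > /dev/null 2>&1
      [[ "$WHAT" = "info" && "$TYPE" = "text" ]] && cp -p $FILE $TEMP/$(basename $FILE) > /dev/null 2>&1
    done < $PERM/files
    # Commands come from $PERM/commands (root-owned, 0600, verified by ch).
    while read ID WHAT COMMAND
    do
      [[ "$WHAT" = "perm" ]] && eval $COMMAND > $PERM/$ID 2>&1
      [[ "$WHAT" = "info" ]] && eval $COMMAND > $TEMP/$ID 2>&1
    done < $PERM/commands
    last > $TEMP/last
    z pwdck
    z usrck
    z grpck
    rm $DIR/.*.$$ > /dev/null 2>&1
    rm $DIR/.sec.running > /dev/null 2>&1
    return
  fi

  ch
  while read FILE MOD OWNER GROUP WHAT TYPE JUNK
  do
    [[ "$WHAT" = "dir" ]] && continue
    if [[ "$WHAT" = "perm" && "$TYPE" = "text" ]]
    then
      if ! diff $FILE $PERM/$(basename $FILE) 2>&1 > $DIR/.sec.tmp.$$
      then
        check "$FILE"
      fi
    fi
    if [[ "$WHAT" = "info" && "$TYPE" = "text" ]]
    then
      if ! diff $FILE $TEMP/$(basename $FILE) 2>&1 > $DIR/.sec.tmp.$$
      then
        check "$FILE"
        cp -p $FILE $TEMP/$(basename $FILE)     # info: accept the new content
      fi
    fi
  done < $PERM/files
  while read ID WHAT COMMAND
  do
    if [[ "$WHAT" = "perm" ]]
    then
      eval $COMMAND > $DIR/.sec.tmp2.$$ 2>&1
      if ! diff $DIR/.sec.tmp2.$$ $PERM/$(basename $ID) 2>&1 > $DIR/.sec.tmp.$$
      then
        check "$ID"
      fi
    fi
    if [[ "$WHAT" = "info" ]]
    then
      eval $COMMAND > $DIR/.sec.tmp2.$$ 2>&1
      if ! diff $DIR/.sec.tmp2.$$ $TEMP/$(basename $ID) 2>&1 > $DIR/.sec.tmp.$$
      then
        check "$ID"
        eval $COMMAND > $TEMP/$ID 2>&1          # info: accept the new output
      fi
    fi
  done < $PERM/commands
  z pwdck
  z usrck
  z grpck
  # Login records added since the previous run, filtered to the night window.
  last > $DIR/.last.$$
  if ! diff $DIR/.last.$$ $TEMP/last > $DIR/.sec.last.$$ 2>&1
  then
    sed -n 's/^[><] //p' $DIR/.sec.last.$$ > $DIR/.last.$$
    # Columns 54-55 of last(1) output are taken to be the login hour
    # (assumes the AIX last layout - confirm).  Keep entries from $NB:00
    # up to midnight and from midnight up to $NE:00.  The second test was
    # reconstructed from a garbled copy of the script; confirm against
    # the original.
    awk -v NB=$NB -v NE=$NE '
    {
      if(substr($0,54,2)>=NB && substr($0,54,2)<24) print $0
      if(substr($0,54,2)>=0 && substr($0,54,2)<NE) print $0
    }' $DIR/.last.$$ > $DIR/.sec.last.$$
    if (($(wc -c $DIR/.sec.last.$$|awk '{print $1}')>1))
    then
      ((STATE<255)) && STATE=STATE+1
      echo "\nNight logins between $NB:00 - $NE:00"
      cat $DIR/.sec.last.$$
    fi
    # Refresh the baseline this block diffs against, so the same logins
    # are not reported again on the next run.
    last > $TEMP/last
  fi
  rm $DIR/.*.$$ > /dev/null 2>&1
  rm $DIR/.sec.running > /dev/null 2>&1
  return $STATE
}

ADDRESS="root"
(($#>0)) && ADDRESS="$*"       # several addresses are passed to mail unquoted on purpose
# "Scheduled by at(1)" heuristic: without a controlling terminal ps is
# taken to print only its header line (presumably AIX ps behaviour - confirm).
if (($(ps | wc -l)==1))
then
  touch $DIR/.sec.end.$$
  x >> $DIR/.sec.end.$$ 2>&1
  (($(wc -l < $DIR/.sec.end.$$)>0)) && mail $ADDRESS < $DIR/.sec.end.$$
  rm $DIR/.sec.end.$$
  # Queue the next run: the $FIRST run queues $SECOND today, any other
  # run queues $FIRST tomorrow.
  NOW=$(date '+%H')
  if ((NOW==FIRST))
  then
    echo "$DIR/sec $ADDRESS" | at $SECOND:00 today
  else
    echo "$DIR/sec $ADDRESS" | at $FIRST:00 tomorrow
  fi
else
  # Interactive run: report on stdout, exit status is the number of findings.
  x
  exit $?
fi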