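#!/usr/bin/ksh
# This script is made by Hannu Valtanen and security course 18.6.2001
# Hannu Valtanen Oy
# http://www.valtanen.com
# Use this script at your own risk.
#
# sec - periodic host integrity check for AIX.
#
# Usage: $DIR/sec [-r] [-a Address(es)]
#   -r  discard the baseline marker ($DIR/.sec) so the next run re-initialises
#   -a  do not check now; queue the first run for FIRST:00 tomorrow via at(1)
#   -t  test mode: skip the filesystem-wide find(1) scans
#
# On the first run the script enforces the permission table in ch(), takes a
# baseline copy of selected system files and command outputs under $DIR, and
# protects the copies with mode 400. Every later run diffs the live system
# against that baseline, mails the differences to root (or to the addresses
# given on the command line), and re-queues itself with at(1) for the next
# slot. Needs root and AIX-specific tools (aclget, chuser, no, pwdck, usrck,
# grpck, ls -e).

umask 077
NB=22                       # night-login window start hour (inclusive)
NE=06                       # night-login window end hour (exclusive)
FIRST=06                    # hour of the first daily run
SECOND=18                   # hour of the second daily run
DIR=/etc/security/audit     # baseline and scratch directory (kept 0750 by ch)
export LANG=C

# Drop the run lock on HUP/INT/QUIT/TERM/18 so an interrupted run does not
# block all later runs. -f: the lock may not exist yet when the signal arrives.
trap "rm -f $DIR/.sec.running;exit 1" 1 2 3 15 18

# Modem ?
# Too long root sessions ?
# Public and Private Key .sec ?
# Shellit ?

# usage - print the synopsis on stderr and exit 1.
usage() {
  echo "Usage: $DIR/sec [-r] [-a Address(es)]" 1>&2
  exit 1
}

AT=0
TEST=0
while getopts ':rat' OPTION
do
  case $OPTION in
    r) rm $DIR/.sec > /dev/null 2>&1 ;;   # forget the baseline marker
    a) AT=1 ;;
    t) TEST=1 ;;
    *) usage ;;
  esac
done
shift OPTIND-1

# Run lock. The test and the touch below are not atomic, so two runs started
# in the same instant can both pass; acceptable for a job that runs twice a
# day, but do not rely on it for anything stricter.
if [ -f $DIR/.sec.running ]
then
  echo "Other sec is running!" 1>&2
  exit 1
fi

if ((AT==1))
then
  # The addresses are pasted verbatim into the at(1) job text (run as root),
  # so they must not carry shell metacharacters; they come from the
  # operator's own command line, not from any external source.
  (($#>0)) && echo "$DIR/sec $*" | at $FIRST:00 tomorrow
  exit
fi

touch $DIR/.sec.running

#######################################
# oc - convert an ls(1) mode string (e.g. -rwsr-xr-x) to four octal digits.
# Arguments: $1 - mode string, the first field of 'ls -ld'
# Outputs:   %04d mode on stdout, e.g. 4755
#######################################
oc() {
  echo $1|awk '
    # i: 1=owner, 2=group, 3=other; s: the set-id/sticky letter of that triple
    function x(st,i,s) {
      # s/t (execute set) or S/T (execute clear) in the x slot -> special bit 4/2/1
      if(substr(st,i*3+1,1)==s||substr(st,i*3+1,1)==toupper(s)) a[0]=a[0]+2^(3-i)
      if(substr(st,i*3-1,1)=="r") a[i]=a[i]+4
      if(substr(st,i*3,1)=="w") a[i]=a[i]+2
      if(substr(st,i*3+1,1)=="x"||substr(st,i*3+1,1)==s) a[i]=a[i]+1
    }
    {
      for(y=1;y<=3;y++)
        if(y==3) x($1,y,"t")
        else x($1,y,"s")
      printf("%04d\n",a[0]*1000+a[1]*100+a[2]*10+a[3])
    }'
}

#######################################
# ch - enforce the permission table in the here-document below and lock the
# listed system accounts.
# For every "FILE MOD" pair: report the file if an AIX ACL is enabled on it,
# report it if its current mode (via oc) differs from MOD, then chmod it to
# MOD unconditionally. $DIR is expanded in the table.
# Outputs: findings on stdout
#######################################
ch() {
  while read FILE MOD JUNK
  do
    if aclget $FILE|grep enabled > /dev/null 2>&1
    then
      echo "ACL enabled in file $FILE:"
      aclget $FILE
    fi
    if (($(oc $(ls -ld $FILE|awk '{print $1}'))!=MOD))
    then
      echo "Wrong permissions in file:"
      ls -ld $FILE
    fi
    chmod $MOD $FILE
  done << END
$DIR 0750
/etc 0755
/etc/passwd 0644
/etc/group 0644
/etc/hosts 0664
/etc/filesystems 0664
/etc/resolv.conf 0644
/etc/security 0750
/etc/security/user 0640
/etc/security/login.cfg 0660
/etc/security/limits 0640
/usr/sbin/mount 0555
/usr/bin/chown 0555
/usr/bin/chgrp 0555
/usr/bin/chmod 0555
/usr/bin/ksh 0555
/usr/bin/csh 0555
/usr/bin/bsh 0555
/usr/ccs/bin/make 0555
/var/yp 0755
/var/yp/Makefile 0555
/var/yp/updaters 0644
/usr/bin/ypcat 0555
/usr/bin/ypmatch 0555
/usr/bin/yppasswd 4555
/usr/bin/ypservers 0555
/usr/bin/ypwhich 0555
END
  # System accounts that must never log in: lock them and expire them.
  for X in daemon bin sys adm uucp guest nobody lpd nuucp
  do
    chuser account_locked='true' expires='0101000070' $X
  done
}

#######################################
# y - diff a live file (or a freshly generated listing) against its baseline
# copy under $DIR and report the differing lines.
# Arguments: $1 - label used in the report
#            $2 - live file to compare; baseline is $DIR/.$(basename $2)
#            $3 - "cp": refresh the baseline from $2 after reporting
#                 "rm": remove $2 afterwards (it was a temporary listing)
#            $4 - ".": the baseline name carries a trailing dot ($DIR/.NAME.)
# Globals:   STATE is incremented (capped at 255) when a difference is found
# Outputs:   the changed lines on stdout
#######################################
y() {
  if [[ "$4" = "." ]]
  then
    FILE=$DIR/.$(basename $2).
  else
    FILE=$DIR/.$(basename $2)
  fi
  # stdout goes to the scratch file, stderr stays on the report: a missing
  # file or baseline shows up in the mail instead of being filtered out.
  if ! diff $2 $FILE 2>&1 > $DIR/.sec.tmp.$$
  then
    ((STATE<255)) && STATE=STATE+1
    echo "\n$1 has changed:"
    grep '^[><] ' $DIR/.sec.tmp.$$ | sed 's/^[><] //'
    [[ "$3" = "cp" ]] && cp $2 $DIR/.$(basename $2)
    [[ "$3" = "rm" ]] && rm $2
  fi
}

#######################################
# z - run one of the AIX consistency checkers (pwdck, usrck, grpck) with
# "-y ALL" (report and fix) and print its output.
# Arguments: $1 - checker command name
# Globals:   STATE incremented (capped at 255) when the checker fails; the
#            passwd/group baselines are refreshed because the checker may
#            have rewritten them
# Outputs:   checker output on stdout; for usrck the " is locked." lines
#            are suppressed (the accounts locked by ch() are expected)
#######################################
z() {
  if ! $1 -y ALL > $DIR/.sec.tmp.$$ 2>&1
  then
    ((STATE<255)) && STATE=STATE+1
    cp /etc/passwd $DIR/.passwd
    cp /etc/group $DIR/.group
    echo "\n$1:"
  fi
  if [[ "$1" = "usrck" ]]
  then
    grep -v " is locked.$" $DIR/.sec.tmp.$$
  else
    cat $DIR/.sec.tmp.$$
  fi
}

#######################################
# x - the check itself. Initialises the baseline on the first run, then
# compares the live system against it.
# Globals:   DIR, TEST, NB, NE read; STATE written
# Outputs:   the report on stdout (empty when nothing changed)
# Returns:   number of detected changes, capped at 255
#######################################
x() {
  if [ ! -f $DIR/.sec ]
  then
    # First run: enforce permissions, then snapshot everything we later diff.
    ch
    touch $DIR/.sec
    touch /etc/ftpusers
    grep "^ *root *$" /etc/ftpusers >/dev/null 2>&1|| echo "root" >> /etc/ftpusers
    cp /etc/passwd $DIR/.passwd
    cp /etc/group $DIR/.group
    cp /etc/inittab $DIR/.inittab
    cp /etc/hosts $DIR/.hosts
    cp /etc/rc.tcpip $DIR/.rc.tcpip
    cp /etc/rc $DIR/.rc
    cp /etc/filesystems $DIR/.filesystems
    cp /etc/hosts.equiv $DIR/.hosts.equiv
    cp /etc/resolv.conf $DIR/.resolv.conf
    grep " - " /var/adm/sulog > $DIR/.sulog
    no -a|grep ipforwarding > $DIR/.ipforwarding
    ifconfig -a > $DIR/.ifconfig
    touch $DIR/.rhosts $DIR/.netrc
    if ((TEST==0))
    then
      # Whole-filesystem scans; -t skips them because they are slow.
      find / -perm -4000 -type f -user root -exec ls -lde {} \; > $DIR/.root 2>/dev/null
      find / -perm -2000 -type f -group system -exec ls -lde {} \; > $DIR/.system 2>/dev/null
      find / -name '.rhosts' -exec ls -lde {} \; > $DIR/.rhosts. 2>/dev/null
      find / -name '.netrc' -exec ls -lde {} \; > $DIR/.netrc. 2>/dev/null
    fi
    who /etc/security/failedlogin > $DIR/.failedlogin
    last > $DIR/.last
    cp /etc/services $DIR/.services
    cp /etc/ftpusers $DIR/.ftpusers
    cp /etc/inetd.conf $DIR/.inetd.conf
    netstat -an|grep " LISTEN$"|awk '{print $4}'> $DIR/.listen
    # Baselines are the trust anchor of every later comparison: root-only.
    chmod 400 $DIR/.[!.]*
    # chown root:security $DIR/.[!.]*
  fi

  integer STATE=0
  ch
  y /etc/services /etc/services
  y /etc/ftpusers /etc/ftpusers
  y /etc/inetd.conf /etc/inetd.conf
  y /etc/passwd /etc/passwd cp
  y /etc/group /etc/group cp
  y /etc/inittab /etc/inittab cp
  y /etc/hosts /etc/hosts cp
  y /etc/rc.tcpip /etc/rc.tcpip cp
  y /etc/rc /etc/rc cp
  y /etc/filesystems /etc/filesystems cp
  y /etc/hosts.equiv /etc/hosts.equiv cp
  y /etc/resolv.conf /etc/resolv.conf cp

  # Generated listings: write to $DIR/NAME, diff against $DIR/.NAME, remove.
  who /etc/security/failedlogin > $DIR/failedlogin
  y /etc/security/failedlogin $DIR/failedlogin rm
  who /etc/security/failedlogin > $DIR/.failedlogin
  grep " - " /var/adm/sulog > $DIR/sulog
  y /var/adm/sulog $DIR/sulog rm
  grep " - " /var/adm/sulog > $DIR/.sulog
  no -a|grep ipforwarding > $DIR/ipforwarding
  y Ipforwarding $DIR/ipforwarding rm
  # The live ifconfig listing was never generated before being diffed, so
  # y always failed on a missing file; take it like the other listings.
  ifconfig -a > $DIR/ifconfig
  y ifconfig $DIR/ifconfig rm
  if ((TEST==0))
  then
    find / -perm -4000 -type f -user root -exec ls -lde {} \; > $DIR/root 2>/dev/null
    y "Root SUID file" $DIR/root rm
    find / -perm -2000 -type f -group system -exec ls -lde {} \; > $DIR/system 2>/dev/null
    y "System SGID file" $DIR/system rm
    find / -name '.rhosts' -exec ls -lde {} \; > $DIR/rhosts 2>/dev/null
    y ".rhosts file" $DIR/rhosts rm .
    find / -name '.netrc' -exec ls -lde {} \; > $DIR/netrc 2>/dev/null
    y ".netrc file" $DIR/netrc rm .
  fi

  z pwdck
  z usrck
  z grpck

  # Listening ports: the baseline is refreshed from the listing that was
  # reported, so the mail and the new baseline cannot drift apart.
  netstat -an|grep " LISTEN$"|awk '{print $4}'> $DIR/.listen.$$
  if ! diff $DIR/.listen $DIR/.listen.$$ 2>&1 > $DIR/.sec.tmp.$$
  then
    ((STATE<255)) && STATE=STATE+1
    echo "\nPorts listen has changed:"
    grep '^[><] ' $DIR/.sec.tmp.$$ | sed 's/^[><] //'
    cp $DIR/.listen.$$ $DIR/.listen
  fi

  # New login records since the last run, filtered to the night window
  # [NB:00, 24:00) or [00:00, NE:00). The hour is read from columns 54-55,
  # which presumes the AIX last(1) layout in effect with LANG=C; verify if
  # the window ever reports nothing. NB/NE are compared as two-digit strings.
  last > $DIR/.last.$$
  if ! diff $DIR/.last.$$ $DIR/.last > $DIR/.sec.last.$$ 2>&1
  then
    grep '^[><] ' $DIR/.sec.last.$$ | sed 's/^[><] //' > $DIR/.last.$$
    awk -v NB=$NB -v NE=$NE '
      {
        if(substr($0,54,2)>=NB && substr($0,54,2)<24) print $0
        if(substr($0,54,2)>=0 && substr($0,54,2)<NE) print $0
      }' $DIR/.last.$$ > $DIR/.sec.last.$$
    if (($(wc -c $DIR/.sec.last.$$|awk '{print $1}')>1))
    then
      ((STATE<255)) && STATE=STATE+1
      echo "\nNight logins between $NB:00 - $NE:00"
      cat $DIR/.sec.last.$$
    fi
    last > $DIR/.last
  fi

  rm $DIR/.*.$$
  rm $DIR/.sec.running
  return $STATE
}

ADDRESS="root"
(($#>0)) && ADDRESS="$*"
# Heuristic for "started by at(1), no terminal": ps without a controlling
# tty lists only its header line. In that case the report is mailed and the
# next run queued; from a terminal the report goes to stdout and nothing is
# queued. ADDRESS is deliberately unquoted so several addresses become
# separate mail(1) recipients; it is operator input, not untrusted data.
if (($(ps | wc -l)==1))
then
  touch $DIR/.sec.end.$$
  x >> $DIR/.sec.end.$$ 2>&1
  (($(wc -l < $DIR/.sec.end.$$)>0)) && mail $ADDRESS < $DIR/.sec.end.$$
  rm $DIR/.sec.end.$$
  NOW=$(date '+%H')
  if ((NOW==FIRST))
  then
    echo "$DIR/sec $ADDRESS" | at $SECOND:00 today
  else
    echo "$DIR/sec $ADDRESS" | at $FIRST:00 tomorrow
  fi
fi
(($(ps | wc -l)>1)) && x && exit $?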