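#!/usr/bin/ksh
# This script is made by Hannu Valtanen and security course 26.5.2000
# Hannu Valtanen Oy
# http://www.valtanen.com
# Use this script at your own risk.
#
# sec - daily host-integrity check for AIX.
#
# On the first run (no marker file $AUDIT_DIR/.sec) the script takes a
# baseline of security-relevant files and listings into $AUDIT_DIR.  On every
# run it re-applies the expected modes of a few critical files, locks the
# stock system accounts, compares the current state against the baseline and
# prints a report of what changed.  Started from at/cron (no terminal) the
# report is mailed to the given addresses and the script re-queues itself;
# started interactively the report goes to stdout and the exit status is the
# number of findings (capped at 255).
#
# Usage: /etc/security/audit/sec [-r] [-a] [Address(es)]
#   -r           drop the marker file so the next run takes a fresh baseline
#   -a           do not check now, only queue a run at $FIRST:00 tomorrow
#   Address(es)  mail recipients of the unattended report (default: root)
#
# Open items left by the author:
# Modem ?
# Too long root sessions ?

umask 077

readonly AUDIT_DIR=/etc/security/audit   # baseline, marker and scratch files
readonly SELF=$AUDIT_DIR/sec             # command line re-queued through at

# Night window (hours, 24h clock): logins with hour >= NB or < NE are reported.
NB=22
NE=06
# Hours of the two daily unattended runs.
FIRST=06
SECOND=18
export LANG=C

# Number of findings of the current run; shared by x() and its helpers and
# returned as the exit status, hence capped at 255.
typeset -i STATE=0

# Scratch file reused by every diff in x().  $AUDIT_DIR is root-owned and
# kept at mode 0750 by ch(), so the predictable name is not reachable by
# other users the way a name under /tmp would be.
TMP=$AUDIT_DIR/.sec.tmp.$$

# Per-run scratch files carry the PID as suffix; make sure none survive an
# interrupted run.
trap 'rm -f -- "$AUDIT_DIR"/.*."$$"' EXIT

usage() {
  echo "Usage: /etc/security/audit/sec [-r] [-a] [Address(es)]" 1>&2
  exit 1
}

AT=0
while getopts ':ra' OPTION; do
  case $OPTION in
    r) rm -f -- "$AUDIT_DIR/.sec" > /dev/null 2>&1 ;;   # force a new baseline
    a) AT=1 ;;
    *) usage ;;
  esac
done
shift $((OPTIND - 1))

# The addresses are pasted into a command line that at(1) later hands to a
# shell, so accept only plain mailbox characters.
for ADDR in "$@"; do
  case $ADDR in
    ""|*[!A-Za-z0-9._@+-]*) usage ;;
  esac
done

if ((AT == 1)); then
  # Queue tomorrow's run; nothing is queued when no address was given.
  (($# > 0)) && echo "$SELF $*" | at $FIRST:00 tomorrow
  exit
fi

#######################################
# Convert an ls(1) mode string (e.g. -rwsr-xr-x) to a four-digit octal mode
# (e.g. 4755).  Only characters 2-10 are examined, so anything ls appends
# after the mode (such as an ACL marker) is ignored.
# Arguments: $1 - mode string as printed in the first column of ls -l
# Outputs:   zero-padded octal mode on stdout
#######################################
oc() {
  printf '%s\n' "$1" | awk '
    # x(st, i, s): add the bits of permission triple i of mode string st
    # (1 = user, 2 = group, 3 = other).  s is the letter marking the special
    # bit of that triple ("s" for setuid/setgid, "t" for sticky); an upper
    # case letter means the special bit is set without the execute bit.
    function x(st, i, s) {
      if (substr(st, i*3+1, 1) == s || substr(st, i*3+1, 1) == toupper(s))
        a[0] = a[0] + 2^(3-i)
      if (substr(st, i*3-1, 1) == "r") a[i] = a[i] + 4
      if (substr(st, i*3, 1) == "w") a[i] = a[i] + 2
      if (substr(st, i*3+1, 1) == "x" || substr(st, i*3+1, 1) == s)
        a[i] = a[i] + 1
    }
    {
      for (y = 1; y <= 3; y++)
        if (y == 3) x($1, y, "t")
        else x($1, y, "s")
      printf("%04d\n", a[0]*1000 + a[1]*100 + a[2]*10 + a[3])
    }'
}

#######################################
# Enforce the expected mode of a fixed list of files and lock the stock
# system accounts.  A file whose ACL is enabled or whose mode differs from
# the expected one is reported before the mode is re-applied.
# Globals:   none
# Outputs:   findings on stdout
#######################################
ch() {
  typeset FILE MOD JUNK X
  while read -r FILE MOD JUNK; do
    if [[ ! -e "$FILE" ]]; then
      echo "Missing file: $FILE"
      continue
    fi
    if aclget "$FILE" | grep enabled > /dev/null 2>&1; then
      echo "ACL enabled in file $FILE:"
      aclget "$FILE"
    fi
    if (($(oc "$(ls -ld "$FILE" | awk '{print $1}')") != MOD)); then
      echo "Wrong permissions in file:"
      ls -ld "$FILE"
    fi
    chmod "$MOD" "$FILE"
  done << END
/etc/passwd 0644
/etc/group 0644
/etc/security 0750
/etc/security/audit 0750
/etc/security/user 0640
/etc/security/login.cfg 0660
/etc/security/limits 0640
/usr/sbin/mount 0555
/usr/bin/chown 0555
/usr/bin/chgrp 0555
/usr/bin/chmod 0555
/usr/bin/ksh 0555
/usr/bin/csh 0555
/usr/bin/bsh 0555
END
  # Accounts that must never log in interactively: lock them and expire them
  # in the past (expires is MMDDhhmmyy).
  for X in daemon bin sys adm uucp guest nobody lpd nuucp; do
    chuser account_locked='true' expires='0101000070' "$X"
  done
}

#######################################
# Print the lines of a diff(1) output without the leading "<" / ">" markers.
# Arguments: $1 - file holding diff output
#######################################
changed_lines() {
  sed -n 's/^[><] //p' "$1"
}

#######################################
# Diff two files; when they differ, count a finding, print LABEL followed by
# the changed lines and return 0.  Returns 1 when the files are identical.
# diff's own errors (e.g. a missing baseline) deliberately stay on the
# report; only the hunks go to $TMP.
# Arguments: $1 - first file, $2 - second file, $3 - label (echo escapes ok)
# Globals:   STATE (incremented), TMP (overwritten)
#######################################
report_diff() {
  if diff "$1" "$2" 2>&1 > "$TMP"; then
    return 1
  fi
  ((STATE < 255)) && STATE=STATE+1
  echo "$3"
  changed_lines "$TMP"
  return 0
}

#######################################
# Run one of the AIX consistency checkers; a non-zero status counts as a
# finding and prints LABEL.  The checker's output is left in $TMP for the
# caller to print (possibly filtered).
# Arguments: $1 - label, $2... - checker command and its arguments
# Globals:   STATE (incremented), TMP (overwritten)
#######################################
consistency_check() {
  typeset label=$1
  shift
  if ! "$@" > "$TMP" 2>&1; then
    ((STATE < 255)) && STATE=STATE+1
    echo "$label"
  fi
}

#######################################
# List root-owned setuid files, system-group setgid files and every .rhosts
# and .netrc on the host (ls -lde lines only, file contents are never read).
# Arguments: $1..$4 - output files for the four listings, in that order
#######################################
scan_fs() {
  find / -perm -4000 -type f -user root -exec ls -lde {} \; > "$1" 2>/dev/null
  find / -perm -2000 -type f -group system -exec ls -lde {} \; > "$2" 2>/dev/null
  find / -name '.rhosts' -exec ls -lde {} \; > "$3" 2>/dev/null
  find / -name '.netrc' -exec ls -lde {} \; > "$4" 2>/dev/null
}

#######################################
# First-run baseline: copy the watched files and listings into $AUDIT_DIR,
# create the marker file and lock the copies down to root:security 0400.
#######################################
snapshot() {
  touch "$AUDIT_DIR/.sec"      # marker: a baseline now exists
  touch /etc/ftpusers          # so the ftpusers diff always has a file
  cp /etc/passwd "$AUDIT_DIR/.passwd"
  cp /etc/inittab "$AUDIT_DIR/.inittab"
  # sulog lines with a "-" status field, i.e. the rejected su attempts
  grep " - " /var/adm/sulog > "$AUDIT_DIR/.sulog"
  no -a | grep ipforwarding > "$AUDIT_DIR/.ipforwarding"
  scan_fs "$AUDIT_DIR/.root" "$AUDIT_DIR/.system" \
    "$AUDIT_DIR/.rhosts." "$AUDIT_DIR/.netrc."
  cp /etc/security/failedlogin "$AUDIT_DIR/.failedlogin"
  last > "$AUDIT_DIR/.last"
  cp /etc/services "$AUDIT_DIR/.services"
  cp /etc/ftpusers "$AUDIT_DIR/.ftpusers"
  cp /etc/inetd.conf "$AUDIT_DIR/.inetd.conf"
  # netstat -af inet|grep " LISTEN$"> /etc/security/audit/.listen
  chmod 400 "$AUDIT_DIR"/.[!.]*
  chown root:security "$AUDIT_DIR"/.[!.]*
}

#######################################
# Compare last(1) against the baseline, report the login lines that changed
# and fall into the night window [NB, NE), then refresh the baseline.
# Globals:   NB, NE (read), STATE (incremented)
#######################################
night_logins() {
  typeset cur=$AUDIT_DIR/.last.$$ hits=$AUDIT_DIR/.sec.last.$$
  last > "$cur"
  if diff "$cur" "$AUDIT_DIR/.last" > "$hits" 2>&1; then
    return
  fi
  changed_lines "$hits" > "$cur"
  # Columns 54-55 are assumed to hold the HH of the login time in AIX last
  # output — confirm on the target release if the window looks wrong.
  awk -v NB=$NB '{ if(substr($0,54,2)>=NB) print $0 }' "$cur" > "$hits"
  awk -v NE=$NE '{ if(substr($0,54,2)<NE) print $0 }' "$cur" >> "$hits"
  if (($(wc -c < "$hits") > 1)); then
    ((STATE < 255)) && STATE=STATE+1
    echo "\nNight logins between $NB:00 - $NE:00"
    cat "$hits"
  fi
  last > "$AUDIT_DIR/.last"
}

#######################################
# Run the whole check and print the report on stdout.
# Globals:   STATE (reset and updated), TMP
# Returns:   number of findings (0..255)
#######################################
x() {
  if [[ ! -f "$AUDIT_DIR/.sec" ]]; then
    ch          # fix modes first so the baseline records the corrected state
    snapshot
  fi
  STATE=0
  ch

  if report_diff /etc/passwd "$AUDIT_DIR/.passwd" "\n/etc/passwd has changed:"; then
    cp /etc/passwd "$AUDIT_DIR/.passwd"
  fi

  grep " - " /var/adm/sulog > "$AUDIT_DIR/.sulog.$$"
  if report_diff "$AUDIT_DIR/.sulog.$$" "$AUDIT_DIR/.sulog" "\n/var/adm/sulog has changed:"; then
    cp "$AUDIT_DIR/.sulog.$$" "$AUDIT_DIR/.sulog"
  fi

  if report_diff /etc/inittab "$AUDIT_DIR/.inittab" "\n/etc/inittab has changed:"; then
    cp /etc/inittab "$AUDIT_DIR/.inittab"
  fi

  # The checks below never refresh their baseline: a change keeps being
  # reported on every run until the script is started with -r.
  no -a | grep ipforwarding > "$AUDIT_DIR/.ipforwarding.$$"
  report_diff "$AUDIT_DIR/.ipforwarding" "$AUDIT_DIR/.ipforwarding.$$" \
    "\n/etc/Ipforwarding has changed:"

  scan_fs "$AUDIT_DIR/.root.$$" "$AUDIT_DIR/.system.$$" \
    "$AUDIT_DIR/.rhosts.$$" "$AUDIT_DIR/.netrc.$$"
  report_diff "$AUDIT_DIR/.root" "$AUDIT_DIR/.root.$$" "\nRoot SUID file has changed:"
  report_diff "$AUDIT_DIR/.system" "$AUDIT_DIR/.system.$$" "\nSystem SGID file has changed:"
  # The next two labels lack the "\n" of the others; kept as the author wrote them.
  report_diff "$AUDIT_DIR/.rhosts." "$AUDIT_DIR/.rhosts.$$" "\.rhosts file has changed:"
  report_diff "$AUDIT_DIR/.netrc." "$AUDIT_DIR/.netrc.$$" "\.netrc file has changed:"

  consistency_check "\npwdck:" pwdck -y ALL
  cat "$TMP"
  consistency_check "\nusrck:" usrck -y ALL
  grep -v " is locked.$" "$TMP"    # the system accounts are locked on purpose by ch()
  consistency_check "\ngrpck:" grpck -y ALL
  cat "$TMP"

  report_diff "$AUDIT_DIR/.services" /etc/services "\n/etc/services has changed:"

  who "$AUDIT_DIR/.failedlogin" > "$AUDIT_DIR/.sec.tmpy.$$"
  who /etc/security/failedlogin > "$AUDIT_DIR/.sec.tmpx.$$"
  if report_diff "$AUDIT_DIR/.sec.tmpx.$$" "$AUDIT_DIR/.sec.tmpy.$$" \
    "\n/etc/security/failedlogin has changed:"; then
    cp /etc/security/failedlogin "$AUDIT_DIR/.failedlogin"
  fi

  report_diff "$AUDIT_DIR/.ftpusers" /etc/ftpusers "\n/etc/ftpusers has changed:"
  report_diff "$AUDIT_DIR/.inetd.conf" /etc/inetd.conf "\n/etc/inetd.conf has changed:"

  # netstat -af inet|grep " LISTEN$"> /etc/security/audit/.listen.$$
  # report_diff /etc/security/audit/.listen /etc/security/audit/.listen.$$ "\nPorts listen has changed:"

  night_logins

  rm -f -- "$AUDIT_DIR"/.*."$$"
  return $STATE
}

#######################################
# True when nothing is attached to our terminal.  ps without arguments
# lists the processes of the current terminal, so under at/cron presumably
# only the header line comes back.
#######################################
unattended() {
  (($(ps | wc -l) == 1))
}

(($# == 0)) && set -- root
ADDRESS="$*"

if unattended; then
  REPORT=$AUDIT_DIR/.sec.end.$$
  SENDMAIL=0
  touch "$REPORT"
  x >> "$REPORT" 2>&1
  # Start sendmail only for the delivery when it is not already running.
  if ! ps -ef | grep -v grep | grep sendmail > /dev/null 2>&1; then
    startsrc -s'sendmail' -a'-bd -q30m'
    SENDMAIL=1
  fi
  (($(wc -l < "$REPORT") > 0)) && mail "$@" < "$REPORT"
  ((SENDMAIL == 1)) && stopsrc -s sendmail
  rm -f -- "$REPORT"
  # Leading zero stripped so 08/09 are not read as malformed octal.
  NOW=$(date '+%H')
  NOW=${NOW#0}
  if ((NOW == ${FIRST#0})); then
    echo "$SELF $ADDRESS" | at $SECOND:00 today
  else
    echo "$SELF $ADDRESS" | at $FIRST:00 tomorrow
  fi
  exit 0
fi

x
exit $?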