Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/bin/sh
- ######################################################################
- # PWC unix interrogation script nextgen
- # Written by: anindya, rcrum
- #
- #
- # $Id: secng.sh,v 2.1 2006-05-08 15:23:40 jbausch Exp $
- # $Author: jbausch $
- # $Date: 2006-05-08 15:23:40 $
- ######################################################################
- # Complete list of functions:
- ######################################################################
- #
- # usage () {
- # print_version () {
- # dump_global_opts () {
- # print_separator () {
- # print_flag_header () {
- # get_file () {
- # check_os () {
- # do_intro () {
- # do_outro () {
- # do_setup_output_files () {
- # do_chmod () {
- # do_file_cleanup () {
- # do_tar () {
- # do_xchecks () {
- # do_ftpchecks () {
- # do_sendmailchecks () {
- # do_nfschecks () {
- # do_bindchecks () {
- # do_sshchecks () {
- # do_net_checks () {
- # do_uname () {
- # do_accts_no_pass () {
- # do_uid_zero () {
- # do_fs_checks () {
- # do_cron_checks () {
- # do_log_checks () {
- # do_users_files_check () {
- # do_dmesg () {
- # do_general_checks () {
- # do_nis_check () {
- # do_nisplus_check () {
- # do_key_dirs_listing () {
- # do_finds () {
- # do_os_modules () {
- # do_custom_dir () {
- #
- ######################################################################
- #
- # function definitions
- #
- ######################################################################
- # function to print usage
- ######################################################################
- usage () {
- ${ECHO} ""
- ${ECHO} "Usage: $0 [options]"
- ${ECHO} ""
- ${ECHO} "[-debug|-nodebug] Toggle DEBUG [default=off]"
- ${ECHO} "[-conftar|-noconftar] Toggle DO_CONFIGTAR [default=off]"
- ${ECHO} "[-tar|-notar] Toggle DO_TAR [default=on]"
- ${ECHO} "[-users|-nousers] Toggle DO_SEARCH_USERS [default=on]"
- ${ECHO} "[-nis|-nonis] Toggle DO_NIS [default=on]"
- ${ECHO} "[-nisusers] Toggle DO_NIS_SEARCH_USERS [default=off]"
- ${ECHO} "[-nisplus|-nonisplus] Toggle DO_NISPLUS [default=on]"
- ${ECHO} "[-nisplususers] Toggle DO_NISPLUS_SEARCH_USERS [default=off]"
- ${ECHO} "[-finds|-nofinds] Toggle DO_ALLFINDS [default=on]"
- ${ECHO} "[-keydirs|-nokeydirs] Toggle DO_KEY_DIRS_LISTING [default=on]"
- ${ECHO} "[-osmods|-noosmods] Toggle DO_OS_MODULES [default=on]"
- ${ECHO} "[-noshadow] Turn OFF DO_GET_SHADOWFILE [default=on]"
- ${ECHO} "[-bind] Turn ON DO_BIND [default=off]"
- ${ECHO} "[-custom] Turn ON Custom Dir Checks [default=off]"
- ${ECHO} "[-v|-version] Print $0 version and exit"
- ${ECHO} "[-h|-help] Print this usage message"
- ${ECHO} ""
- ${ECHO} "Example: $0 -debug -tar -nonis -nonisplus -nofinds"
- ${ECHO} ""
- ${ECHO} "This command turns on debugging, creates an output tarball"
- ${ECHO} "turns off the nis and nis+ checks"
- ${ECHO} "and turns off the setuid/setgid/ww find comands"
- ${ECHO} ""
- ${ECHO} "Also see etc/global.rc for detailed info on flags"
- }
- ######################################################################
- # function to print version
- ######################################################################
- print_version () {
- VERSION=`${GREP} Id $0 |${GREP} "^#"|${AWK} '{print $4}'`
- ${ECHO} "$0 version ${VERSION}"
- }
- ######################################################################
- # function to dump all global variables called from main
- ######################################################################
- dump_global_opts () {
- ${ECHO} "Dumping global variables to output file" >>${OUTFILE}
- ${ECHO} "<DEBUGGLOBALOPTS>" >>${TAGS_OUT}
- print_separator outfile
- # export all variables
- for i in ${GLOBALOPTS}
- do
- export $i
- done
- case "${OS}" in
- 'Linux'|'AIX'|'FreeBSD'|'OpenBSD'|'NetBSD'|'OSF1'|'HP-UX'|'SCO_SV')
- ${AWK} ' BEGIN { for (env in ENVIRON) print env "=" ENVIRON[env] }'|${SORT} |${TEE} ${TAGS_OUT} >>${OUTFILE}
- ;;
- 'Solaris')
- ${NAWK} ' BEGIN { for (env in ENVIRON) print env "=" ENVIRON[env] }'|${SORT} |${TEE} ${TAGS_OUT} >>${OUTFILE}
- ;;
- 'Sol9')
- ${NAWK} ' BEGIN { for (env in ENVIRON) print env "=" ENVIRON[env] }'|${SORT} |${TEE} ${TAGS_OUT} >>${OUTFILE}
- ;;
- 'Sol10')
- ${NAWK} ' BEGIN { for (env in ENVIRON) print env "=" ENVIRON[env] }'|${SORT} |${TEE} ${TAGS_OUT} >>${OUTFILE}
- ;;
- *)
- ${AWK} ' BEGIN { for (env in ENVIRON) print env "=" ENVIRON[env] }' |${SORT} |${TEE} ${TAGS_OUT} >>${OUTFILE}
- ${NAWK} ' BEGIN { for (env in ENVIRON) print env "=" ENVIRON[env] }' |${SORT} |${TEE} ${TAGS_OUT} >>${OUTFILE}
- ;;
- esac
- print_separator outfile
- ${ECHO} "Script VERSION is:" |${TEE} ${TAGS_OUT} >>${OUTFILE}
- print_version |${TEE} ${TAGS_OUT} >>${OUTFILE}
- print_separator outfile
- ${ECHO} "</DEBUG-GLOBALOPTS>" >>${TAGS_OUT}
- }
- ######################################################################
- # function to print out a nice line to separate output, called from many func
- ######################################################################
- print_separator () {
- case "$1" in
- 'stdout')
- ${ECHO} '===================================================='
- ;;
- 'outfile')
- case "$2" in
- 'userfiles')
- ${ECHO} '====================================================' >>${USER_FILE_OUT}
- ;;
- 'logs')
- ${ECHO} '====================================================' >>${LOG_FILE_OUT}
- ;;
- 'keydirs')
- ${ECHO} '====================================================' >>${KEYDIRS_OUT}
- ;;
- 'mods')
- ${ECHO} '====================================================' >>${MODS_OUT}
- ;;
- 'custdirs')
- ${ECHO} '====================================================' >>${CUSTDIRS_OUT}
- ;;
- 'tagsout')
- ${ECHO} '**************************' >>${TAGS_OUT}
- ;;
- *)
- ${ECHO} '====================================================' >>${OUTFILE}
- ;;
- esac
- ;;
- *)
- ${ECHO} "Argument must be stdout or outfile."
- ;;
- esac
- }
- ####################################################################
- # print_flag_header
- # $1 must be stdout or outfile
- # $2 must be userfiles/logs/keydirs/mods/custdir or main
- # $3 is either BEGIN or END
- # $4 is the text to be printed, a flag such
- # as DO_ACCTNOPASS or module name
- ####################################################################
- print_flag_header () {
- case "$1" in
- 'stdout')
- print_separator stdout
- ${ECHO} "DEBUG: $2 $3 $4 $5"
- print_separator stdout
- ;;
- 'outfile')
- case "$2" in
- 'userfiles')
- print_separator outfile userfiles
- ${ECHO} "USERFILES_$3: $4">>${USER_FILE_OUT}
- print_separator outfile userfiles
- ;;
- 'logs')
- print_separator outfile logs
- ${ECHO} "LOGS_$3: $4">>${LOG_FILE_OUT}
- print_separator outfile logs
- ;;
- 'keydirs')
- print_separator outfile keydirs
- ${ECHO} "KEYDIRS_$3: $4">>${KEYDIRS_OUT}
- print_separator outfile keydirs
- ;;
- 'mods')
- print_separator outfile mods
- ${ECHO} "MODULE_$3: $4">>${MODS_OUT}
- print_separator outfile mods
- ;;
- 'main')
- print_separator outfile
- ${ECHO} "CHECK_$3: $4">>${OUTFILE}
- print_separator outfile
- #added for TAG support, not used yet
- #${ECHO} "<CHECK_$3: $4" >>${TAGS_OUT}
- ;;
- 'custdirs')
- print_separator outfile custdirs
- ${ECHO} "CUSTDIRS_$3: $4">>${CUSTDIRS_OUT}
- print_separator outfile custdirs
- ;;
- *)
- ${ECHO} "Arguments: [userfiles|logs|keydirs|mods|main|custdirs]"
- ;;
- esac
- ;;
- *)
- ${ECHO} "Argument must be stdout or outfile."
- ;;
- esac
- }
- ####################################################################
- ####################################################################
- # function to check for existence of a file , then cat it to outfile
- # takes filename as an argument, called from many diff functions
- ####################################################################
- get_file () {
- # check to make sure we were passed some args
- if [ $# = 0 ]; then
- ${ECHO} "get_file(): no file specified."
- ${ECHO} "get_file(): no file specified." >>${ERRFILE}
- return
- fi
- target=$1;
- name="";
- case "$2" in
- 'userfiles')
- OUT=${USER_FILE_OUT}
- ;;
- 'mods')
- OUT=${MODS_OUT}
- ;;
- *)
- OUT=${OUTFILE}
- ;;
- esac
- if ( ${TEST} -f ${target} ) then
- print_separator outfile $2
- name=`${BASENAME} ${target}|${TR} '[a-z]' '[A-Z]'`
- ${ECHO} "[FILE]: ${name}" >>${OUT}
- ${ECHO} "<FILE TAG=\"${name}\"" >>${TAGS_OUT}
- #only perform ls -l once
- DO_LS_ONCE=`${LS} -l ${target}`
- ${ECHO} "${DO_LS_ONCE}" >>${OUT} 2>>${ERRFILE}
- ${ECHO} "LS=\"${DO_LS_ONCE}\">" >>${TAGS_OUT}
- # if the file is a symlink to another file,
- # dereference the link also.
- if ( ${TEST} -L ${target} ) then
- ${LS} -lL ${target} >>${OUT} 2>>${ERRFILE} >>${TAGS_OUT}
- fi
- print_separator outfile $2
- if [ "${DO_CONFIGTAR}" = "0" ]; then
- [ "${DEBUG}" != "0" ] && {
- ${ECHO} "DEBUG: Grabbing ${target}"
- }
- ${CAT} ${target} >> ${OUT} 2>>${ERRFILE}
- # Added line to capture in TAGS file
- ${CAT} ${target} >>${TAGS_OUT} 2>>${ERRFILE}
- print_separator outfile $2
- ${ECHO} "</FILE>" >>${TAGS_OUT}
- ${ECHO} '' >> ${OUT}
- elif ( [ "${DO_CONFIGTAR}" = "1" ] && [ -d "${SYSDIR}" ] ); then
- # get path to duplicate under SYSDIR
- pathtotarget=`${DIRNAME} ${target}`
- [ "${DEBUG}" != "0" ] && {
- ${ECHO} "DEBUG: Copying ${target}"
- }
- # if file is /etc/rc2.d/S99sendmail it creates SYSDIR/etc/rc2.d
- ${MKDIR} -p ${SYSDIR}/${pathtotarget} 2>>${ERRFILE}
- # copy the file over
- ${CP} -p ${target} ${SYSDIR}/${pathtotarget} 2>>${ERRFILE}
- else
- ${MKDIR} -p ${SYSDIR} 2>${ERRFILE}
- # get path to duplicate under SYSDIR
- pathtotarget=`${DIRNAME} ${target}`
- [ "${DEBUG}" != "0" ] && {
- ${ECHO} "DEBUG: Copying ${target}"
- }
- # if file is /etc/rc2.d/S99sendmail it creates SYSDIR/etc/rc2.d
- ${MKDIR} -p ${SYSDIR}/${pathtotarget} 2>>${ERRFILE}
- # copy the file over
- ${CP} -p ${target} ${SYSDIR}/${pathtotarget} 2>>${ERRFILE}
- fi
- else
- name=`${BASENAME} ${target}|${TR} '[a-z]' '[A-Z]'`
- print_separator outfile $2
- ${ECHO} "[FILE]: ${name} <NOT FOUND>" >> ${OUT}
- ${ECHO} "<FILE TAG=\"${name}\"> NOT FOUND </FILE>" >>${TAGS_OUT}
- print_separator outfile $2
- fi
- }
- ######################################################################
- # function check_os, called from main
- # Determine OS first to get binary paths
- # Ignore errors here
- #
- ######################################################################
- check_os () {
- # get operating system name
- OS=`/usr/bin/uname -s 2>>/dev/null`
- [ "x${OS}" = "x" ] && {
- OS=`/bin/uname -s 2>>/dev/null`
- }
- # get operating system release version
- OS_RELEASE=`/usr/bin/uname -r 2>>/dev/null`
- [ "x${OS_RELEASE}" = "x" ] && {
- OS_RELEASE=`/bin/uname -r 2>>/dev/null`
- }
- # export these values for use elsewhere
- export OS OS_RELEASE
- case "${OS}" in
- 'Linux')
- OS_CONF=${LINUX_CONF}
- MODULES=${LINUX_MODS}
- ;;
- 'SunOS')
- RELEASE=`/bin/uname -r | /usr/bin/cut -c1`
- if ( /usr/bin/test "${RELEASE}" = "5" ) then
- # added for sol9
- SUBRELEASE=`/bin/uname -r | /usr/bin/cut -c3-4 `
- if ( /usr/bin/test "${SUBRELEASE}" = "9" ) then
- OS="Sol9"
- #echo "System type is Solaris9"
- OS_CONF=${SOL9_CONF}
- MODULES=${SOL9_MODS}
- # added for sol10
- elif ( /usr/bin/test "${SUBRELEASE}" = "10" ) then
- OS="Sol10"
- #echo "System type is Solaris10"
- OS_CONF=${SOL10_CONF}
- MODULES=${SOL10_MODS}
- else
- OS="Solaris"
- #echo "System type is Solaris6-8"
- OS_CONF=${SOLARIS_CONF}
- MODULES=${SOLARIS_MODS}
- fi
- else
- #echo "System type is SunOS"
- OS_CONF=${SUNOS_CONF}
- MODULES=${SUNOS_MODS}
- fi
- ;;
- 'BSD/OS')
- #echo "System type is BSD"
- # im afraid this will not work for now
- OS_CONF=${BSD_CONF}
- MODULES=${BSD_MODS}
- ;;
- 'FreeBSD'|'OpenBSD'|'NetBSD')
- #echo "System type is BSD"
- OS_CONF=${BSD_CONF}
- MODULES=${BSD_MODS}
- ;;
- 'AIX')
- #echo "System type is AIX"
- OS_CONF=${AIX_CONF}
- MODULES=${AIX_MODS}
- ;;
- 'HP-UX')
- echo "System type is HP-UX"
- OS_CONF=${HPUX_CONF}
- MODULES=${HPUX_MODS}
- ;;
- 'SCO_SV')
- #echo "System type is SCO"
- OS_CONF=${SCO_CONF}
- MODULES=${SCO_MODS}
- ;;
- 'OSF1'|'osf1')
- #echo "System type is DEC OSF1"
- OS_CONF=${OSF1_CONF}
- MODULES=${OSF1_MODS}
- ;;
- *)
- echo "WARNING!!! Unknown OS. Absolute pathnames will NOT be used."
- echo "Press Ctrl-C to exit or wait 15 seconds to continue."
- echo ""
- sleep 15
- OS_CONF=${GENERIC_CONF}
- ;;
- esac
- # source the appropriate config file
- if [ "${DEBUG}" != 0 ]; then
- echo "DEBUG: Using OS configuration file: ${OS_CONF}"
- fi
- if [ -f ${OS_CONF} ]; then
- . ${OS_CONF}
- else
- echo "${OS_CONF} not found! Quitting."
- exit 1;
- fi
- return;
- } # end check_os
- ####################################################################
- # function to print out start banner and copyright, called from main
- ####################################################################
- do_intro () {
- print_separator stdout
- ${ECHO} "${COPYRIGHT}"
- print_separator stdout
- print_version
- print_separator stdout
- ${ECHO} "Beginning Security Profile on ${HOSTNAME}"
- ${ECHO} " Start time - `date`"
- print_separator stdout
- # write the start to the logfile
- print_separator outfile
- # print the script version at the top
- print_version >>${OUTFILE}
- print_separator outfile
- ${ECHO} "Beginning Security Profile on ${HOSTNAME}" >>${OUTFILE}
- ${ECHO} " Start time - `date`" >>${OUTFILE}
- print_separator outfile
- # write the start of the logfile in fancy support
- ${ECHO} "<SECNG_VERSION>" >>${TAGS_OUT}
- ${ECHO} "${VERSION}" >>${TAGS_OUT}
- ${ECHO} "</SECNG_VERSION>" >>${TAGS_OUT}
- ${ECHO} "<HOSTNAME>" >>${TAGS_OUT}
- ${ECHO} "${HOSTNAME}" >>${TAGS_OUT}
- ${ECHO} "</HOSTNAME>" >>${TAGS_OUT}
- ${ECHO} "<STARTTIME>" >>${TAGS_OUT}
- ${ECHO} "`date`" >>${TAGS_OUT}
- ${ECHO} "</STARTTIME>" >>${TAGS_OUT}
- }
- ####################################################################
- # function to print out end banner, called from main
- ####################################################################
- do_outro () {
- print_separator stdout
- ${ECHO} "Finished Security Profile on ${HOSTNAME}"
- ${ECHO} "End time - `date`"
- print_separator stdout
- print_separator outfile
- ${ECHO} "<ENDTIME>" >> ${TAGS_OUT}
- ${ECHO} "Finished Security Profile on ${HOSTNAME}" >>${OUTFILE}
- ${ECHO} "End time - `date`" |${TEE} ${TAGS_OUT} >> ${OUTFILE}
- ${ECHO} "</ENDTIME>" >> ${TAGS_OUT}
- print_separator outfile
- ${ECHO} '' >> ${OUTFILE}
- }
- ######################################################################
- # function to name output files, called from main
- ######################################################################
- do_setup_output_files () {
- HOSTNAME=`${HOST_CMD}`
- if (${TEST} x${HOSTNAME} = x) then
- HOSTNAME="unknown"
- fi
- # filename definitions
- OUTFILE="${OUTDIR}/${HOSTNAME}.`date +%Y%m%d`"
- TARFILE="${OUTFILE}.tar"
- ERRFILE="${OUTFILE}.errors"
- SETUID_OUT=${OUTFILE}.setUID
- SETGID_OUT=${OUTFILE}.setGID
- WW_OUT=${OUTFILE}.ww
- USER_FILE_OUT=${OUTFILE}.userfiles
- LOG_FILE_OUT=${OUTFILE}.logs
- KEYDIRS_OUT=${OUTFILE}.keydirs
- MODS_OUT=${OUTFILE}.osmodules
- SYSDIR=${OUTFILE}.configs
- CUSTDIRS_OUT=${OUTFILE}.custom
- TAGS_OUT=${OUTFILE}.tags
- if [ "${DEBUG}" != 0 ]; then
- ${ECHO} ''
- ${ECHO} "DEBUG: OUTFILE is ${OUTFILE}"
- ${ECHO} "DEBUG: TARFILE is ${TARFILE}"
- ${ECHO} "DEBUG: ERRFILE is ${ERRFILE}"
- ${ECHO} "DEBUG: SETUID_OUT is ${SETUID_OUT}"
- ${ECHO} "DEBUG: SETGID_OUT is ${SETGID_OUT}"
- ${ECHO} "DEBUG: WW_OUT is ${WW_OUT}"
- ${ECHO} "DEBUG: USER_FILE_OUT is ${USER_FILE_OUT}"
- ${ECHO} "DEBUG: LOG_FILE_OUT is ${LOG_FILE_OUT}"
- ${ECHO} "DEBUG: KEYDIRS_OUT is ${KEYDIRS_OUT}"
- ${ECHO} "DEBUG: MODS_OUT is ${MODS_OUT}"
- ${ECHO} "DEBUG: SYSDIR is ${SYSDIR}"
- ${ECHO} "DEBUG: CUSTDIRS_OUT is ${CUSTDIRS_OUT}"
- ${ECHO} "DEBUG: TAGS_OUT is ${TAGS_OUT}"
- ${ECHO} ''
- fi
- return;
- }
- ####################################################################
- # function to do housekeeping, remove old output files
- # if they exist. Give operator an opportunity to abort., called from main
- ####################################################################
- do_file_cleanup () {
- if ([ -f ${OUTFILE} ] || [ -f ${TARFILE} ] || [ -f ${TARFILE}.gz ]) then
- ${ECHO} ""
- print_separator stdout
- ${ECHO} ""
- ${ECHO} "WARNING!!! WARNING!!! WARNING!!! WARNING!!! WARNING!!!"
- ${ECHO} ""
- ${ECHO} "${OUTFILE} (or a tarred version) already exists."
- ${ECHO} "Press Ctrl-C to exit or wait to delete the existing files."
- ${ECHO} ""
- ${ECHO} "WARNING!!! WARNING!!! WARNING!!! WARNING!!! WARNING!!!"
- ${ECHO} ""
- print_separator stdout
- sleep 5
- for i in ${OUTFILE} ${TARFILE} ${TARFILE}.gz ${ERRFILE} ${SETUID_OUT} ${SETGID_OUT} ${WW_OUT} ${USER_FILE_OUT} ${LOG_FILE_OUT} ${KEYDIRS_OUT} ${MODS_OUT} $CUSTDIRS_OUT} ${TAGS_OUT}
- do
- if [ "${DEBUG}" != "0" ] ; then
- echo "DEBUG: Removing $i"
- fi
- /bin/rm -f $i
- done
- if [ "${DEBUG}" != "0" ] ; then
- echo "DEBUG: Removing ${SYSDIR}"
- fi
- rm -rf ${SYSDIR}
- fi
- # create output files make sure its writable
- [ \! -d ${OUTDIR} ] && {
- [ "${DEBUG}" != "0" ] && {
- ${ECHO} "DEBUG: ${OUTDIR} doesn't exist. Creating."
- }
- ${MKDIR} ${OUTDIR}
- }
- ${TOUCH} ${OUTFILE}
- ${TOUCH} ${ERRFILE}
- [ \! -w ${OUTFILE} ] && {
- ${ECHO} "Error creating output file."
- ${ECHO} "Program is terminating."
- exit
- }
- }
- ####################################################################
- # function to change output file permissions, just in
- # case the default UMASK is set insecure, called from main
- # This check does a chmod 700 output/servname.*
- # Added 8/2005
- ####################################################################
- do_chmod () {
- if [ -f "${CHMOD}" ]; then
- # Change Permission on Output files, just in case
- [ "${DEBUG}" != "0" ] && {
- ${ECHO} "DEBUG: Changing secng output files to 700"
- }
- for i in ${OUTFILE} ${ERRFILE} ${SETUID_OUT} ${SETGID_OUT} ${WW_OUT} ${USER_FILE_OUT} ${LOG_FILE_OUT} ${KEYDIRS_OUT} ${MODS_OUT} ${CUSTDIRS_OUT} ${TAGS_OUT}
- do
- [ "${DEBUG}" != "0" ] && {
- ${ECHO} "DEBUG: Changing permissions on file $i"
- }
- chmod -f 600 $i
- done
- else
- ${ECHO} "${CHMOD} not found. Please correct path to tar in .rc file."
- exit 1
- fi
- }
- ####################################################################
- # function to tar up output files, called from main
- ####################################################################
- do_tar () {
- if [ -f "${TAR}" ]; then
- # add all the output files to the tarball
- [ "${DEBUG}" != "0" ] && {
- ${ECHO} "DEBUG: Adding all output files to ${TARFILE}"
- }
- if [ -f "${TARFILE}" ]; then
- # tarfile exists, so use TAROPT1
- ${TAR} ${TAROPT1} ${TARFILE} ${OUTDIR}/* 2>>${ERRFILE}
- # secure tar file from bad UMASK perms
- ${CHMOD} -f 600 ${TARFILE} 2>>${ERRFILE}
- else
- # tarfile doesnt exist, create using TAROPT
- ${TAR} ${TAROPT} ${TARFILE} ${OUTDIR}/* 2>>${ERRFILE}
- # secure tar file from bad UMASK perms
- ${CHMOD} -f 600 ${TARFILE} 2>>${ERRFILE}
- fi
- [ "${DEBUG}" != "0" ] && {
- ${ECHO} "DEBUG: Removing original output files."
- }
- for i in ${OUTFILE} ${ERRFILE} ${SETUID_OUT} ${SETGID_OUT} ${WW_OUT} ${USER_FILE_OUT} ${LOG_FILE_OUT} ${KEYDIRS_OUT} ${MODS_OUT} ${CUSTDIRS_OUT} ${TAGS_OUT}
- do
- [ "${DEBUG}" != "0" ] && {
- ${ECHO} "DEBUG: Removing file $i"
- }
- rm -f $i
- done
- [ "${DEBUG}" != "0" ] && {
- ${ECHO} "DEBUG: Removing dir ${SYSDIR}"
- }
- rm -rf ${SYSDIR}
- if [ "${HAVE_GZIP}" != "0" ]; then
- [ "${DEBUG}" != "0" ] && {
- ${ECHO} "DEBUG: Compressing ${TARFILE} with ${GZIPBIN}"
- }
- ${GZIPBIN} ${TARFILE}
- fi
- else
- ${ECHO} "${TAR} not found. Please correct path to tar in .rc file."
- exit 1
- fi
- }
- ###################################################################
- # function to do x windows check,
- # called from do_net_checks
- ###################################################################
- do_xchecks () {
- ${ECHO} "Checking X settings..."
- ${ECHO} "<XCHECK>" >>${TAGS_OUT}
- print_separator outfile
- ${ECHO} "Checking X settings..." >> ${OUTFILE}
- ${ECHO} "Command: ${XHOST}" >> ${OUTFILE}
- print_separator outfile
- ${ECHO} '' >> ${OUTFILE}
- ${XHOST} |${TEE} ${TAGS_OUT} >> ${OUTFILE} 2>>${ERRFILE}
- ${ECHO} "</XCHECK>" >>${TAGS_OUT}
- for i in ${X_FILES}
- do
- get_file $i
- done
- ${ECHO} '' >> ${OUTFILE}
- }
- ###################################################################
- # function to do ftp checks, called from do_net_checks
- ###################################################################
- do_ftpchecks () {
- # FTP Checks
- ${ECHO} "Checking ftp settings..."
- ${ECHO} '' >> ${OUTFILE}
- ${ECHO} "<FTP_SERVER>" >>${TAGS_OUT}
- # Get the ~ftp directory
- DIRS="`${AWK} -F: '($1 == "ftp") {print $6}' /etc/passwd`"
- if (${TEST} x${DIRS} = x) then
- ${ECHO} "No ftp user found.\n" |${TEE} ${TAGS_OUT} >> ${OUTFILE}
- # ftp files to search
- LIST="${FTP_FILES}"
- else
- ${LS} -lLd ${DIRS} |${TEE} ${TAGS_OUT} >> ${OUTFILE} 2>>${ERRFILE}
- ${ECHO} '' >> ${OUTFILE}
- ${ECHO} "${DIRS}:" >> ${OUTFILE}
- ${LS} -la ${DIRS} |${TEE} ${TAGS_OUT} >> ${OUTFILE} 2>>${ERRFILE}
- ${ECHO} '' >> ${OUTFILE}
- ${LS} -lR ${DIRS}/bin ${DIRS}/usr/bin ${DIRS}/sbin |${TEE} ${TAGS_OUT} >> ${OUTFILE} 2>>${ERRFILE}
- ${ECHO} '' >> ${OUTFILE}
- # ftp files to search
- LIST="${DIRS}/etc/passwd ${DIRS}/etc/group ${FTP_FILES}"
- fi
- # grab FTP-related files regardless of whether ftp user
- # exists or not
- for FILE in ${LIST}
- do
- get_file ${FILE}
- done
- ${ECHO} "</FTP_SERVER>" >>${TAGS_OUT}
- }
- ###################################################################
- # function to do sendmail checks, called from do_net_checks
- ###################################################################
- do_sendmailchecks () {
- # Sendmail Checks
- ${ECHO} "Checking sendmail settings..."
- ${ECHO} "<SENDMAIL>" >>${TAGS_OUT}
- ${ECHO} '' >> ${OUTFILE}
- ${ECHO} '' >> ${OUTFILE}
- # sendmail files to search
- LIST="${SENDMAIL_FILES}"
- # grab sendmail-related files
- for FILE in ${LIST}
- do
- get_file ${FILE}
- done
- ${ECHO} "</SENDMAIL>" >>${TAGS_OUT}
- }
- ###################################################################
- # function to do nfs checks, pretty minimal for now,
- # called from do_net_checks
- ###################################################################
- do_nfschecks () {
- ${ECHO} "Checking NFS exports..."
- ${ECHO} "Checking NFS exports..." >> ${OUTFILE}
- ${ECHO} "<NFS_EXPORTS>" >>${TAGS_OUT}
- ${ECHO} "Command: ${SHOWMOUNT} -e" >> ${OUTFILE}
- print_separator outfile
- ${ECHO} '' >> ${OUTFILE}
- ${SHOWMOUNT} -e |${TEE} ${TAGS_OUT} >> ${OUTFILE} 2>>${ERRFILE}
- ${ECHO} >> ${OUTFILE}
- #Now get some NFS files
- ${ECHO} "Checking NFS files..."
- for i in ${NFS_FILES}
- do
- get_file $i
- done
- ${ECHO} "</NFS_EXPORTS>" >>${TAGS_OUT}
- }
- ###################################################################
- # function to do bind checks, called from do_net_checks
- ###################################################################
- do_bindchecks () {
- # named config checks
- ${ECHO} "Looking for bind configs..."
- ${ECHO} "Looking for bind configs..." >> ${OUTFILE}
- ${ECHO} "<BIND>" >>${TAGS_OUT}
- print_separator outfile
- [ -d ${BIND_CONF_DIR} ] && {
- case ${BIND_VERSION} in
- '4')
- BIND_CONF=${BIND_CONF_DIR}/named.boot
- ;;
- '8')
- BIND_CONF=${BIND_CONF_DIR}/named.conf
- ;;
- '9')
- BIND_CONF=${BIND_CONF_DIR}/named.conf
- ;;
- *)
- ${ECHO} "version must be 4, 8 or 9"
- ;;
- esac
- # grab the conf file
- get_file ${BIND_CONF}
- # grab named version header
- ${ECHO} "NAMED Version...." >> ${OUTFILE}
- ${ECHO} "<BIND_VER>" >>${TAGS_OUT}
- ${NAMED_LOCATION} -v |${TEE} ${TAGS_OUT} >> ${OUTFILE}
- print_separator outfile
- ${ECHO} "</BIND_VER>" >>${TAGS_OUT}
- # now get zone files
- [ -d ${BIND_ZONEFILES_DIR} ] && {
- for zone in `ls ${BIND_ZONEFILES_DIR}`
- do
- get_file ${BIND_ZONEFILES_DIR}/${zone}
- done
- }
- }
- ${ECHO} "</BIND>" >>${TAGS_OUT}
- }
- ###################################################################
- # function to do ssh checks, called from do_net_checks
- ###################################################################
- do_sshchecks () {
- # ssh config checks
- ${ECHO} "Looking for global ssh configs..."
- ${ECHO} "<SSHVERSION>" >>${TAGS_OUT}
- print_separator outfile
- ${ECHO} "Looking for global ssh configs..." >> ${OUTFILE}
- ${ECHO} "Checking ssh version..."
- ${SSHBIN} -V |${TEE} ${TAGS_OUT} >> ${OUTFILE} 2>>${OUTFILE}
- print_separator outfile
- ${ECHO} "</SSHVERSION>" >>${TAGS_OUT}
- ${ECHO} '' >> ${OUTFILE}
- if [ -d ${SSHDIR} ]; then
- case ${SSH_VERSION} in
- '1') LIST=${GLOBAL_SSH_FILES_V1}
- ;;
- '2') LIST=${GLOBAL_SSH_FILES_V2}
- ;;
- *)
- ${ECHO} 'No ssh version specified' >> ${ERRFILE}
- ;;
- esac
- for conf in ${LIST}
- do
- if ( ${TEST} -f ${conf} ) then
- get_file ${conf}
- fi
- done
- else
- ${ECHO} "${SSHDIR} does not exist. Please edit ${GLOBALCONF}."
- ${ECHO} "${SSHDIR} does not exist. Please edit ${GLOBALCONF}." >> ${OUTFILE}
- fi
- }
- ###################################################################
- # function to do all networking checks, called from main script
- #
- # also checks several flags:
- # 1) DO_IFCONFIG
- # 2) DO_NETSTAT_NR
- # 3) DO_ARP
- # 4) DO_NETSTAT_A
- # 5) DO_RPCINFO
- # 6) DO_GET_NET_CONFIGS
- # 7) DO_XCHECKS
- # 8) DO_FTP
- # 9) DO_NFS
- # 10) DO_BIND
- # 11) DO_SSH
- # 12) DO_SENDMAIL
- ###################################################################
- do_net_checks () {
- # Network configuration
- ${ECHO} "Checking network configuration settings..."
- ${ECHO} "<NETCHECKS>" >>${TAGS_OUT}
- print_separator stdout
- ### Ifconfig checks #####
- ${ECHO} "<IFCONFIG>" >>${TAGS_OUT}
- if [ "${DO_IFCONFIG}" != "0" ]; then
- print_flag_header outfile main BEGIN DO_IFCONFIG
- case "${OS}" in
- 'HP-UX')
- ${ECHO} '' >> ${OUTFILE}
- ${ECHO} "Running LANSCAN then IFCONFIG on each int" >> ${OUTFILE}
- for i in `${LANSCAN}|${GREP} lan|${AWK} '{print $5}'`
- do
- ${IFCONFIG} $i |${TEE} ${TAGS_OUT} >>${OUTFILE}
- done
- ;;
- *)
- ${ECHO} '' >> ${OUTFILE}
- ${ECHO} "Using ${IFCONFIG} -a" >> ${OUTFILE}
- ${ECHO} '' >> ${OUTFILE}
- ${IFCONFIG} -a |${TEE} ${TAGS_OUT} >> ${OUTFILE} 2>>${ERRFILE}
- ;;
- esac
- print_flag_header outfile main END DO_IFCONFIG
- elif [ "${DEBUG}" != "0" ]; then
- print_flag_header stdout SKIP DO_IFCONFIG
- ${ECHO} "skipped" >>${TAGS_OUT}
- fi
- ${ECHO} "</IFCONFIG>" >>${TAGS_OUT}
- #### Routing Table and Interfaces #####
- ${ECHO} "<NETSTAT_NR>" >>${TAGS_OUT}
- if [ "${DO_NETSTAT_NR}" != "0" ]; then
- print_flag_header outfile main BEGIN DO_NETSTAT_NR
- ${ECHO} '' >> ${OUTFILE}
- ${ECHO} "Command: ${NETSTAT} -rn" >> ${OUTFILE}
- ${ECHO} '' >> ${OUTFILE}
- ${NETSTAT} -rn |${TEE} ${TAGS_OUT} >> ${OUTFILE} 2>>${ERRFILE}
- ${ECHO} '' >> ${OUTFILE}
- print_flag_header outfile main END DO_NETSTAT_NR
- elif [ "${DEBUG}" != "0" ]; then
- print_flag_header stdout SKIP DO_NETSTAT_NR
- ${ECHO} "skipped" >>${TAGS_OUT}
- fi
- ${ECHO} "</NETSTAT_NR>" >>${TAGS_OUT}
- #ARP Table
- ${ECHO} "<ARP_TABLE>" >>${TAGS_OUT}
- if [ "${DO_ARP}" != "0" ]; then
- ${ECHO} "Listing arp Table..."
- print_flag_header outfile main BEGIN DO_ARP
- ${ECHO} '' >> ${OUTFILE}
- ${ECHO} "Command: ${ARP} -a" >> ${OUTFILE}
- ${ECHO} '' >> ${OUTFILE}
- ${ARP} -a |${TEE} ${TAGS_OUT} >> ${OUTFILE} 2>>${ERRFILE}
- ${ECHO} '' >> ${OUTFILE}
- print_flag_header outfile main END DO_ARP
- elif [ "${DEBUG}" != "0" ]; then
- print_flag_header stdout SKIP DO_ARP
- ${ECHO} "skipped" >>${TAGS_OUT}
- fi
- ${ECHO} "</ARP_TABLE>" >>${TAGS_OUT}
- # Active Services
- ${ECHO} "<NETSTAT_A>" >>${TAGS_OUT}
- if [ "${DO_NETSTAT_A}" != "0" ]; then
- ${ECHO} "Determining active services..."
- print_flag_header outfile main BEGIN DO_NETSTAT_A
- ${ECHO} '' >> ${OUTFILE}
- ${ECHO} "Command: ${NETSTAT} -a | ${GREP} LISTEN" >> ${OUTFILE}
- ${ECHO} '' >> ${OUTFILE}
- ${NETSTAT} -a | ${GREP} LISTEN |${TEE} ${TAGS_OUT} >> ${OUTFILE} 2>>${ERRFILE}
- ${ECHO} '' >> ${OUTFILE}
- print_flag_header outfile main END DO_NETSTAT_A
- elif [ "${DEBUG}" != "0" ]; then
- print_flag_header stdout SKIP DO_NETSTAT_A
- ${ECHO} "skipped" >>${TAGS_OUT}
- fi
- ${ECHO} "</NETSTAT_A>" >>${TAGS_OUT}
- #rpcinfo
- ${ECHO} "<RPCINFO>" >>${TAGS_OUT}
- if [ "${DO_RPCINFO}" != "0" ]; then
- ${ECHO} "Listing rpcinfo..."
- print_flag_header outfile main BEGIN DO_RPCINFO
- ${ECHO} '' >> ${OUTFILE}
- ${ECHO} "Command: ${RPCINFO} -p" >> ${OUTFILE}
- ${ECHO} '' >> ${OUTFILE}
- ${RPCINFO} -p |${TEE} ${TAGS_OUT} >> ${OUTFILE} 2>>${ERRFILE}
- ${ECHO} '' >> ${OUTFILE}
- print_flag_header outfile main END DO_RPCINFO
- elif [ "${DEBUG}" != "0" ]; then
- print_flag_header stdout SKIP DO_RPCINFO
- ${ECHO} "skipped" >>${TAGS_OUT}
- fi
- ${ECHO} "</RPCINFO>" >>${TAGS_OUT}
- # Get Basic Files
- if [ "${DO_GET_NET_CONFIGS}" != "0" ]; then
- print_flag_header outfile main BEGIN DO_GET_NET_CONFIGS
- ${ECHO} "Getting basic networking files.."
- ${ECHO} "Getting basic networking files.." >>${OUTFILE}
- print_separator outfile
- # get the rest
- for i in ${NET_CONFIGS}
- do
- get_file $i
- done
- print_flag_header outfile main END DO_GET_NET_CONFIGS
- elif [ "${DEBUG}" != "0" ]; then
- print_flag_header stdout SKIP DO_GET_NET_CONFIGS
- fi
- # Do XCHECKS
- if [ "${DO_XCHECKS}" != "0" ]; then
- print_flag_header outfile main BEGIN DO_XCHECKS
- do_xchecks
- print_flag_header outfile main END DO_XCHECKS
- elif [ "${DEBUG}" != "0" ]; then
- print_flag_header stdout SKIP DO_XCHECKS
- fi
- # DO FTP
- if [ "${DO_FTP}" != "0" ]; then
- print_flag_header outfile main BEGIN DO_FTP
- do_ftpchecks
- print_flag_header outfile main END DO_FTP
- elif [ "${DEBUG}" != "0" ]; then
- print_flag_header stdout SKIP DO_FTP
- ${ECHO} "skipped" >>${TAGS_OUT}
- fi
- # DO NFS CHECKS
- if [ "${DO_NFS}" != "0" ]; then
- print_flag_header outfile main BEGIN DO_NFS
- do_nfschecks
- print_flag_header outfile main END DO_NFS
- elif [ "${DEBUG}" != "0" ]; then
- print_flag_header stdout SKIP DO_NFS
- ${ECHO} "skipped" >>${TAGS_OUT}
- fi
- # DO BIND CHECKS
- if [ "${DO_BIND}" != "0" ]; then
- print_flag_header outfile main BEGIN DO_BIND
- do_bindchecks
- print_flag_header outfile main END DO_BIND
- elif [ "${DEBUG}" != "0" ]; then
- print_flag_header stdout SKIP DO_BIND
- ${ECHO} "skipped" >>${TAGS_OUT}
- fi
- # DO_SSH
- if [ "${DO_SSH}" != "0" ]; then
- print_flag_header outfile main BEGIN DO_SSH
- do_sshchecks
- print_flag_header outfile main END DO_SSH
- elif [ "${DEBUG}" != "0" ]; then
- print_flag_header stdout SKIP DO_SSH
- ${ECHO} "skipped" >>${TAGS_OUT}
- fi
- # DO Sendmail Checks
- if [ "${DO_SENDMAIL}" != "0" ]; then
- print_flag_header outfile main BEGIN DO_SENDMAIL
- do_sendmailchecks
- print_flag_header outfile main END DO_SENDMAIL
- elif [ "${DEBUG}" != "0" ]; then
- print_flag_header stdout SKIP DO_SENDMAIL
- ${ECHO} "skipped" >>${TAGS_OUT}
- fi
- print_separator stdout
- ${ECHO} "</NETCHECKS>" >>${TAGS_OUT}
- }
- ###################################################################
- # function to do uname -a, called from do_general_checks
- ###################################################################
- do_uname () {
- # do generic ident of OS
- ${ECHO} "Identify vendor and version of OS..."
- print_separator stdout
- ${UNAME} -a
- print_separator stdout
- print_separator outfile
- ${ECHO} "Identify vendor and version of OS..." >> ${OUTFILE}
- ${ECHO} "<UNAME>" >>${TAGS_OUT}
- ${ECHO} "Command: ${UNAME} -a" >> ${OUTFILE}
- print_separator outfile
- ${UNAME} -a |${TEE} ${TAGS_OUT} >> ${OUTFILE} 2>>${ERRFILE}
- print_separator outfile
- ${ECHO} "</UNAME>" >>${TAGS_OUT}
- }
- ####################################################################
- # function to check for accounts with no password, called from do_
- # general_checks
- ####################################################################
- do_accts_no_pass () {
- ${ECHO} "Checking for accounts with no password."
- ${ECHO} "<ACCTS_NO_PASS>" >> ${TAGS_OUT}
- if [ "${OS}" != "AIX" ]; then
- if ( ${TEST} -f ${SHADOWFILE} ) then
- ${AWK} -- 'BEGIN { FS = ":" } ($2 == "") {print}' ${SHADOWFILE} |${TEE} ${TAGS_OUT} >> ${OUTFILE} 2>>${ERRFILE}
- else
- ${AWK} -- 'BEGIN { FS = ":" } ($2 == "") {print}' /etc/passwd |${TEE} ${TAGS_OUT} >> ${OUTFILE} 2>>${ERRFILE}
- fi
- else
- # Added ver 2.0 for AIX check, Troy Frost contributed
- # TROY AIX
- ${ECHO} "This is AIX, running custom AIX check looking for blank passwords"
- ${AWK} -- '{
- if (/:/) {
- act=substr($1,0,(length $1) -1);
- getline;
- if((!/password/) || (!$3)) {
- print act " has a blank password";
- }
- }
- }' /etc/security/passwd |${TEE} ${TAGS_OUT} >> ${OUTFILE} 2>>${ERRFILE}
- fi
- ${ECHO} '' >> ${OUTFILE}
- ${ECHO} "</ACCTS_NO_PASS>" >> ${TAGS_OUT}
- }
- ###################################################################
- # function to check for UID 0 accounts, called from do_general_checks
- ####################################################################
- do_uid_zero () {
- ${ECHO} "Checking for UID 0 accounts..."
- ${ECHO} "<UID0>" >> ${TAGS_OUT}
- if [ "${OS}" != "AIX" ]; then
- #Use awk to find users with third field in password file equal to 0
- ${AWK} -- 'BEGIN { FS = ":" } ($3 == 0) {print}' /etc/passwd |${TEE} ${TAGS_OUT} >> ${OUTFILE} 2>>${ERRFILE}
- else
- #Use awk on AIX to find users with third field in password file equal to 0
- ${AWK} -- 'BEGIN { FS = ":" } ($3 == 0) {print}' /etc/passwd |${TEE} ${TAGS_OUT} >> ${OUTFILE} 2>>${ERRFILE}
- fi
- #${ECHO} '' >> ${OUTFILE}
- ${ECHO} "</UID0>" >> ${TAGS_OUT}
- }
- ###################################################################
- # function to do basic filesystem checks, called from do_general_checks
- ####################################################################
- do_fs_checks () {
- ${ECHO} "Gathering information on the filesystem..."
- #print_separator outfile
- #${ECHO} "Gathering information on the filesystem..." >> ${OUTFILE}
- #print_separator outfile
- ${ECHO} '' >> ${OUTFILE}
- ${ECHO} "Using '${DF}':" >> ${OUTFILE}
- ${ECHO} "<DF>" >> ${TAGS_OUT}
- ${DF} |${TEE} ${TAGS_OUT} >> ${OUTFILE} 2>>${ERRFILE}
- ${ECHO} "</DF>" >> ${TAGS_OUT}
- ${ECHO} '' >> ${OUTFILE}
- ${ECHO} "Using '${SHOWMOUNT} -a':" >> ${OUTFILE}
- ${ECHO} "<SHOWMOUNT>" >> ${TAGS_OUT}
- ${SHOWMOUNT} -a |${TEE} ${TAGS_OUT} >> ${OUTFILE} 2>>${ERRFILE}
- ${ECHO} '' >> ${OUTFILE}
- ${ECHO} "</SHOWMOUNT>" >> ${TAGS_OUT}
- ${ECHO} "Using '${MOUNT}':" >> ${OUTFILE}
- ${ECHO} "<MOUNT>" >> ${TAGS_OUT}
- ${MOUNT} |${TEE} ${TAGS_OUT} >> ${OUTFILE} 2>>${ERRFILE}
- ${ECHO} '' >> ${OUTFILE}
- ${ECHO} "</MOUNT>" >> ${TAGS_OUT}
- }
- ###################################################################
- # function to check crontabs, called from do_general_checks
- ###################################################################
- do_cron_checks () {
- #Check crontab files
- ${ECHO} "Checking crontab files..."
- ${ECHO} "<CRONTAB>" >> ${TAGS_OUT}
- # get the cron files
- for i in ${CRON_FILES}
- do
- get_file $i
- done
- ${ECHO} '' >> ${OUTFILE}
- ${ECHO} "</CRONTAB>" >> ${TAGS_OUT}
- ${ECHO} "Checking permissions on ${CRONDIR}" >>${OUTFILE}
- ${ECHO} "<CRONPERMS>" >>${TAGS_OUT}
- [ -d ${CRONDIR} ] && {
- DIRS=${CRONDIR}
- for dname in ${DIRS}
- do
- ${LS} -lLd ${dname} |${TEE} ${TAGS_OUT} >> ${OUTFILE} 2>>${ERRFILE}
- ${ECHO} '' |${TEE} ${TAGS_OUT} >> ${OUTFILE}
- for fname in `${LS} ${dname}`
- do
- if ( ${TEST} -f ${dname}/${fname} ) then
- ${LS} -l ${dname}/${fname} |${TEE} ${TAGS_OUT} >> ${OUTFILE} 2>>${ERRFILE}
- ${ECHO} '' |${TEE} ${TAGS_OUT} >> ${OUTFILE}
- get_file ${dname}/${fname}
- ${ECHO} '' |${TEE} ${TAGS_OUT} >> ${OUTFILE}
- fi #End test
- done #End for fname
- done #End for dname
- }
- ${ECHO} '' |${TEE} ${TAGS_OUT} >> ${OUTFILE}
- ${ECHO} "</CRONPERMS>" >>${TAGS_OUT}
- }
- ###################################################################
- # function to get last 50 lines in logfile, called from do_general_checks
- ###################################################################
- do_log_checks () {
- # Log information
- ${ECHO} "Displaying log information..."
- ${ECHO} '' >> ${LOG_FILE_OUT}
- # grab log info
- for log in ${LOG_FILES}
- do
- if ( ${TEST} -f ${log} ) then
- [ "${DEBUG}" != "0" ] && {
- ${ECHO} "DEBUG: Checking ${log}"
- }
- print_separator outfile logs
- ${ECHO} "<LOG=\"${log}\" LS=\"" >> ${TAGS_OUT}
- ${ECHO} "[FILE]: ${log}" >> ${LOG_FILE_OUT}
- ${LS} -l ${log} |${TEE} ${TAGS_OUT} >> ${LOG_FILE_OUT} 2>>${ERRFILE}
- ${ECHO} "\">" >> ${TAGS_OUT}
- # if its a symlink, deref the symlink too
- if ( ${TEST} -L ${log} ) then
- ${LS} -lL ${log} |${TEE} ${TAGS_OUT} >> ${LOG_FILE_OUT} 2>>${ERRFILE}
- fi
- print_separator outfile logs
- ${TAIL} -100 ${log} |${TEE} ${TAGS_OUT} >> ${LOG_FILE_OUT} 2>>${ERRFILE}
- print_separator outfile logs
- ${ECHO} "</LOG>" >> ${TAGS_OUT}
- fi
- done
- ${ECHO} '' >> ${LOG_FILE_OUT}
- # Review the last login time of each user
- ${ECHO} "Checking the last login time of each user..."
- print_separator outfile logs
- ${ECHO} "Checking the last login time of each user..." >> ${LOG_FILE_OUT}
- print_separator outfile logs
- ${ECHO} '' >> ${LOG_FILE_OUT}
- ${ECHO} "<LASTLOGIN>" >> ${TAGS_OUT}
- ${ECHO} "Using: ${CUT} -d: -f1 /etc/passwd | ${XARGS} ${FINGER} -m" >> ${LOG_FILE_OUT}
- print_flag_header outfile logs BEGIN DO_FINGER
- ${CUT} -d: -f1 /etc/passwd | ${XARGS} ${FINGER} -m |${TEE} ${TAGS_OUT} >> ${LOG_FILE_OUT} 2>>${ERRFILE}
- ${ECHO} "</LASTLOGIN>" >> ${TAGS_OUT}
- print_flag_header outfile logs END DO_FINGER
- ${ECHO} '' >> ${LOG_FILE_OUT}
- ${ECHO} "Displaying last 100 logins..." >> ${LOG_FILE_OUT}
- ${ECHO} '' >> ${LOG_FILE_OUT}
- ${ECHO} "<LAST100-LOGINS>" >> ${TAGS_OUT}
- ${ECHO} "Using: ${LAST} -100" >> ${LOG_FILE_OUT}
- print_flag_header outfile logs BEGIN DO_LAST
- if (${TEST} ${OS} = 'SCO_SV') then
- ${LAST} -n 100 |${TEE} ${TAGS_OUT} >> ${LOG_FILE_OUT} 2>>${ERRFILE}
- else
- ${LAST} -100 |${TEE} ${TAGS_OUT} >> ${LOG_FILE_OUT} 2>>${ERRFILE}
- fi
- print_flag_header outfile logs END DO_LAST
- ${ECHO} '' >> ${LOG_FILE_OUT}
- ${ECHO} "</LAST100-LOGINS>" >> ${TAGS_OUT}
- }
- ###################################################################
- # function to get files from user home directories
- # such as .rhosts, .netrc, etc, called from do_general_checks
- ###################################################################
- do_users_files_check () {
- #Find user's .netrc, .rhosts, .profile, and other configuration files
- print_separator stdout
- ${ECHO} "Finding user configuration files such as .rhosts, .netrc, etc..."
- print_separator stdout
- print_separator outfile userfiles
- ${ECHO} "Finding user configuration files such as .rhosts, .netrc, etc..." >> ${USER_FILE_OUT}
- ${ECHO} "Finding user configuration files such as .rhosts, .netrc, etc..." >> ${OUTFILE}
- ${ECHO} "Please see ${USER_FILE_OUT} for detailed output." >> ${OUTFILE}
- print_separator outfile userfiles
- ${ECHO} '' >> ${USER_FILE_OUT}
- # process ssh options, set up list of files to look at
- if ( ${TEST} "${DO_SSH}" = "1" ) then
- if ( ${TEST} "${SSH_VERSION}" = "1" ) then
- LIST="${USER_FILES} ${USER_SSH_FILES_V1}"
- elif ( ${TEST} "${SSH_VERSION}" = "2" ) then
- LIST="${USER_FILES} ${USER_SSH_FILES_V2}"
- fi
- else
- LIST="${USER_FILES}"
- fi
- # figure out whether to search user directories only
- # or just root directories
- if ( ${TEST} "${DO_SEARCH_ROOTONLY}" = "1" ) then
- DIRS="/ /root"
- else
- DIRS="`${AWK} -F\: '{print $6}' /etc/passwd|${SORT}|${UNIQ}`"
- # if NIS search users check is enabled, traverse all user directories
- # in NIS passwd map as well.
- if ( ( ${TEST} "${DO_NIS_SEARCH_USERS}" = "1" ) &&
- ( ${TEST} "${DO_NIS}" = "1" ) ) then
- NISDIRS="`${YPCAT} passwd|${AWK} -F\: '{print $6}' |${SORT}|${UNIQ}`"
- DIRS="${DIRS} ${NISDIRS}"
- # if NISPLUS search users check is enabled, traverse all user directories
- # in NISPLUS passwd map as well. Not sure if this works.
- elif ( ( ${TEST} "DO_NISPLUS_SEARCH_USERS" = "1" ) &&
- ( ${TEST} "DO_NISPLUS" = "1" ) ) then
- NISPLUSDIRS="`${NISCAT} passwd.org_dir|${AWK} -F\: '{print $6}' |${SORT}|${UNIQ}`"
- DIRS="${DIRS} ${NISPLUSDIRS}"
- fi
- fi
- [ "${DEBUG}" != "0" ] && {
- ${ECHO} "DEBUG: Searching these dirs:"
- ${ECHO} "DEBUG: ${DIRS}"
- ${ECHO} "DEBUG: Searching for these files:"
- ${ECHO} "DEBUG: ${LIST}"
- }
- for dname in ${DIRS}
- do
- ${ECHO} '' >> ${USER_FILE_OUT}
- ${LS} -lLd ${dname} >> ${USER_FILE_OUT} 2>>${ERRFILE}
- for fname in ${LIST}
- do
- if [ -f "${dname}/${fname}" ]; then
- ${ECHO} '' >> ${USER_FILE_OUT}
- get_file ${dname}/${fname} userfiles
- ${ECHO} '' >> ${USER_FILE_OUT}
- else
- ${ECHO} "${dname}/${fname} <NOT FOUND>" >>${USER_FILE_OUT}
- fi #End test
- done #End for fname
- done #End for dname
- }
- ###################################################################
- # function to do dmesg, special check for DMESG_FILE
- ###################################################################
- do_dmesg () {
- ${ECHO} "Displaying dmesg..."
- ${ECHO} "<DMESG>" >>${TAGS_OUT}
- #print_separator outfile
- #${ECHO} "Displaying dmesg..." >> ${OUTFILE}
- #${ECHO} "Command: ${DMESG}" >> ${OUTFILE}
- #print_separator outfile
- ${ECHO} '' >> ${OUTFILE}
- ${DMESG} |${TEE} ${TAGS_OUT} >> ${OUTFILE} 2>>${ERRFILE}
- ${ECHO} '' >> ${OUTFILE}
- # now get DMESG_FILE if it exists, mostly bsd-ism
- if [ "x${DMESG_FILE}" != "x" ]; then
- get_file ${DMESG_FILE}
- fi
- ${ECHO} "</DMESG>" >>${TAGS_OUT}
- }
- ###################################################################
- # function do_general_checks, called from main script
- #
- # This function does many generic checks, it checks the
- # flags for each of the options, and run the
- # appropriate routine , some have subflags
- #
- # 1) DO_GET_GEN_CONFIGS
- # 2) DO_ACCTSNOPASS
- # 3) DO_UIDZERO
- # 4) DO_UMASK
- # 5) DO_UPTIME
- # 6) DO_PS
- # 7) DO_WHO
- # 8) DO_FS_CHECKS
- # 9) DO_CRON
- # 10) DO_LOG
- # 11) DO_DMESG
- ###################################################################
- do_general_checks () {
- ${ECHO} "Running through general checks."
- print_separator stdout
- if [ "${DO_GET_GEN_CONFIGS}" != "0" ]; then
- ${ECHO} "Grabbing general configuration files..."
- print_flag_header outfile main BEGIN DO_GET_GEN_CONFIGS
- # if -noshadow on command line,
- # don't grab the shadow file
- if [ "${DO_GET_SHADOWFILE}" != "0" ]; then
- # first get shadowfile
- get_file ${SHADOWFILE}
- elif [ "${DO_GET_SHADOWFILE}" = "0" ]; then
- # Let us record if client disable shadow checks
- ${ECHO} "<SHADOW>Check was manually disabled</SHADOW>" >>${TAGS_OUT}
- elif [ "${DEBUG}" != "0" ]; then
- ${ECHO} "DEBUG: Skipping shadow file: ${SHADOWFILE}"
- ${ECHO} "<SHADOW>Check was manually disabled</SHADOW>" >>${TAGS_OUT}
- fi
- # get the rest
- for i in ${GEN_CONFIGS}
- do
- get_file $i
- done
- elif [ "${DEBUG}" != "0" ]; then
- print_flag_header stdout SKIP DO_GET_GEN_CONFIGS
- fi # end do_get_gen_configs
- print_flag_header outfile main END DO_GET_GEN_CONFIGS
- # check for accounts with no password
- if [ "${DO_ACCTSNOPASS}" != "0" ]; then
- print_flag_header outfile main BEGIN DO_ACCTSNOPASS
- do_accts_no_pass
- print_flag_header outfile main END DO_ACCTSNOPASS
- elif [ "${DEBUG}" != "0" ]; then
- print_flag_header stdout SKIP DO_ACCTSNOPASS
- fi
- # check for uid zero accounts
- if [ "${DO_UIDZERO}" != "0" ]; then
- print_flag_header outfile main BEGIN DO_UIDZERO
- do_uid_zero
- print_flag_header outfile main END DO_UIDZERO
- elif [ "${DEBUG}" != "0" ]; then
- print_flag_header stdout SKIP DO_UIDZERO
- fi
- # umask information
- #umask is a built-in shell command so no path is required
- if [ "${DO_UMASK}" != "0" ]; then
- ${ECHO} "Root's umask information..."
- print_flag_header outfile main BEGIN DO_UMASK
- ${ECHO} "<UMASK>" >>${TAGS_OUT}
- umask |${TEE} ${TAGS_OUT} >> ${OUTFILE} 2>>${ERRFILE}
- ${ECHO} "</UMASK>" >>${TAGS_OUT}
- print_flag_header outfile main END DO_UMASK
- elif [ "${DEBUG}" != "0" ]; then
- print_flag_header stdout SKIP DO_UMASK
- ${ECHO} "<UMASK>Manually Disabled</UMASK>" >>${TAGS_OUT}
- fi
- # uptime
- if [ "${DO_UPTIME}" != "0" ]; then
- ${ECHO} "Getting uptime..."
- print_flag_header outfile main BEGIN DO_UPTIME
- ${ECHO} "<UPTIME>" >>${TAGS_OUT}
- ${UPTIME} |${TEE} ${TAGS_OUT} >> ${OUTFILE} 2>>${ERRFILE}
- ${ECHO} "</UPTIME>" >>${TAGS_OUT}
- print_flag_header outfile main END DO_UPTIME
- elif [ "${DEBUG}" != "0" ]; then
- print_flag_header stdout SKIP DO_UPTIME
- ${ECHO} "<UPTIME>Manually Disabled</UPTIME>" >>${TAGS_OUT}
- fi
- # display running processes
- if [ "${DO_PS}" != "0" ]; then
- ${ECHO} "Listing currently running processes..."
- print_flag_header outfile main BEGIN DO_PS
- ${ECHO} "<PS>" >>${TAGS_OUT}
- ${PS} |${TEE} ${TAGS_OUT} >> ${OUTFILE} 2>>${ERRFILE}
- ${ECHO} "</PS>" >>${TAGS_OUT}
- print_flag_header outfile main END DO_PS
- elif [ "${DEBUG}" != "0" ]; then
- print_flag_header stdout SKIP DO_PS
- ${ECHO} "<PS>Manually Disabled</PS>" >>${TAGS_OUT}
- fi
- # List users who are currently online
- if [ "${DO_WHO}" != "0" ]; then
- ${ECHO} "Listing users who are currently online..."
- print_flag_header outfile main BEGIN DO_WHO
- ${ECHO} "<WHO>" >>${TAGS_OUT}
- $W |${TEE} ${TAGS_OUT} >> ${OUTFILE} 2>>${ERRFILE}
- ${ECHO} '' |${TEE} ${TAGS_OUT} >> ${OUTFILE}
- ${WHO} |${TEE} ${TAGS_OUT} >> ${OUTFILE} 2>>${ERRFILE}
- ${ECHO} "</WHO>" >>${TAGS_OUT}
- print_flag_header outfile main END DO_WHO
- elif [ "${DEBUG}" != "0" ]; then
- print_flag_header stdout SKIP DO_WHO
- ${ECHO} "<WHO>Manually Disabled</WHO>" >>${TAGS_OUT}
- fi
- # do fs checks
- if [ "${DO_FS_CHECKS}" != "0" ]; then
- print_flag_header outfile main BEGIN DO_FS_CHECKS
- do_fs_checks
- print_flag_header outfile main END DO_FS_CHECKS
- elif [ "${DEBUG}" != "0" ]; then
- print_flag_header stdout SKIP DO_FS_CHECKS
- ${ECHO} "<FS_CHECKS>Manually Disabled</FS_CHECKS>" >>${TAGS_OUT}
- fi
- # do cron checks
- if [ "${DO_CRON}" != "0" ]; then
- print_flag_header outfile main BEGIN DO_CRON
- do_cron_checks
- print_flag_header outfile main END DO_CRON
- elif [ "${DEBUG}" != "0" ]; then
- print_flag_header stdout SKIP DO_CRON
- ${ECHO} "<CRON_CHECKS>Manually Disabled</CRON_CHECKS>" >>${TAGS_OUT}
- fi
- # do log checks
- if [ "${DO_LOG}" != "0" ]; then
- print_flag_header outfile logs BEGIN DO_LOG
- do_log_checks
- print_flag_header outfile logs END DO_LOG
- elif [ "${DEBUG}" != "0" ]; then
- print_flag_header stdout SKIP DO_LOG
- ${ECHO} "<DO_LOG>Manually Disabled</DO_LOG>" >>${TAGS_OUT}
- fi
- if [ "${DO_DMESG}" != "0" ]; then
- print_flag_header outfile main BEGIN DO_DMESG
- do_dmesg
- print_flag_header outfile main END DO_DMESG
- elif [ "${DEBUG}" != "0" ]; then
- print_flag_header stdout SKIP DO_DMESG
- ${ECHO} "<DMESG>Manually Disabled</DMESG>" >>${TAGS_OUT}
- fi
- print_separator stdout
- }
- ###################################################################
- # function to do basic nis checks, called from main script
- ###################################################################
- do_nis_check () {
- print_separator stdout
- ${ECHO} "NIS Checks..."
- ${ECHO} "<NIS_CHECK>" >>${TAGS_OUT}
- print_separator stdout
- #${ECHO} "Command: ${YPWHICH} and others" >> ${OUTFILE}
- NISMASTER=`${YPWHICH} 2>>${ERRFILE}`
- if (${TEST} x${NISMASTER} = x) then
- # Not using NIS
- ${ECHO} "This host does not appear to be running NIS."
- print_separator stdout
- ${ECHO} "This host does not appear to be running NIS" |${TEE} ${TAGS_OUT} >> ${OUTFILE}
- else
- # Perform NIS tests
- print_separator outfile
- ${ECHO} "<NIS_MASTER>" >>${TAGS_OUT}
- ${ECHO} "NIS Master is ${NISMASTER}" |${TEE} ${TAGS_OUT} >> ${OUTFILE}
- ${ECHO} "</NIS_MASTER>" >>${TAGS_OUT}
- print_separator outfile
- ${ECHO} "<NIS_DOMAIN>" >>${TAGS_OUT}
- ${ECHO} "Checking NIS domainname" >> ${OUTFILE}
- ${ECHO} '' >> ${OUTFILE}
- ${DOMAINNAME} |${TEE} ${TAGS_OUT} >> ${OUTFILE} 2>>${ERRFILE}
- print_separator outfile
- ${ECHO} "</NIS_DOMAIN>" >>${TAGS_OUT}
- ${ECHO} "Executing ${YPCAT} on NIS passwd file." >> ${OUTFILE}
- ${ECHO} '' >> ${OUTFILE}
- # We can't tar it out, so we have to put it in the output file
- # Sort it so we can look for duplicate UIDs
- ${ECHO} "<NIS_PASSWD>" >>${TAGS_OUT}
- ${YPCAT} ${NIS_PASSWD} | ${SORT} -n -t: +2 - |${TEE} ${TAGS_OUT} >> ${OUTFILE} 2>>${ERRFILE}
- ${ECHO} '' >> ${OUTFILE}
- ${ECHO} "</NIS_PASSWD>" >>${TAGS_OUT}
- ${ECHO} "Listing all NIS accounts with a possible empty password." >> ${OUTFILE}
- print_separator outfile
- ${ECHO} '' >> ${OUTFILE}
- ${ECHO} "<NIS_PASSWD_NOPASS>" >>${TAGS_OUT}
- ${YPCAT} ${NIS_PASSWD} | ${AWK} -- 'BEGIN { FS = ":" } ($2 == "") {print}' |${TEE} ${TAGS_OUT} >> ${OUTFILE} 2>>${ERRFILE}
- ${ECHO} '' >> ${OUTFILE}
- ${ECHO} "</NIS_PASSWD_NOPASS>" >>${TAGS_OUT}
- ${ECHO} "Listing all NIS accounts with possible root access." >> ${OUTFILE}
- print_separator outfile
- ${ECHO} '' >> ${OUTFILE}
- ${ECHO} "<NIS_PASSWD_UID0>" >>${TAGS_OUT}
- ${YPCAT} ${NIS_PASSWD} | ${AWK} -- 'BEGIN { FS = ":" } ($3 == 0) {print}' |${TEE} ${TAGS_OUT} >> ${OUTFILE} 2>>${ERRFILE}
- ${ECHO} '' >> ${OUTFILE}
- ${ECHO} "</NIS_PASSWD_UID0>" >>${TAGS_OUT}
- # get all possible map names
- ${ECHO} "<NIS_MAPS_NUM>" >>${TAGS_OUT}
- NIS_MAPS=`${YPWHICH} -m |${AWK} '{print $1}'|${SORT}|${UNIQ}`
- TOTAL_NIS_MAPS=`${YPWHICH} -m |${AWK} '{print $1}'|${SORT}|${UNIQ}|${WC} -l`
- print_separator outfile
- echo "Number of NIS maps found: ${TOTAL_NIS_MAPS}" |${TEE} ${TAGS_OUT} >>${OUTFILE} 2>>${ERRFILE}
- print_separator outfile
- ${ECHO} "</NIS_MAPS_NUM>" >>${TAGS_OUT}
- echo "Number of NIS maps found: ${TOTAL_NIS_MAPS}"
- print_separator stdout
- # grab all NIS maps
- for map in ${NIS_MAPS}
- do
- ${ECHO} "<NIS_MAP_${map}>" >>${TAGS_OUT}
- ${ECHO} "==> Executing ${YPCAT} on NIS map: ${map}" >> ${OUTFILE}
- ${ECHO} "==> Grabbing NIS map: ${map}"
- ${ECHO} '' >> ${OUTFILE}
- ${YPCAT} ${map} |${TEE} ${TAGS_OUT} >> ${OUTFILE} 2>>${ERRFILE}
- ${ECHO} '' >> ${OUTFILE}
- ${ECHO} "</NIS_MAP_${map}>" >>${TAGS_OUT}
- done
- fi
- ${ECHO} '' >> ${OUTFILE}
- ${ECHO} "</NIS_CHECK>" >>${TAGS_OUT}
- }
- ###################################################################
- # functions to do nis plus checks, called from main script
- ###################################################################
- do_nisplus_check () {
- print_separator stdout
- ${ECHO} "NIS+ Checks..."
- ${ECHO} "<NIS_PLUS_CHECK>" >>${TAGS_OUT}
- print_separator stdout
- print_separator outfile
- ${ECHO} "NIS+ Checks..." >> ${OUTFILE}
- ${ECHO} "Command: ${NISDEFAULTS} and others" >> ${OUTFILE}
- print_separator outfile
- ${ECHO} '' >> ${OUTFILE}
- #TODO: Find better check - There is probably a better NIS+ check.
- NISDOMAIN=`${NISDEFAULTS} -d 2>>${ERRFILE}`
- if (${TEST} x${NISDOMAIN} = x) then
- # Not using NIS+
- ${ECHO} "This host does not appear to be running NIS+"
- print_separator stdout
- ${ECHO} "This host does not appear to be running NIS+" |${TEE} ${TAGS_OUT} >> ${OUTFILE}
- else
- # Perform NIS+ tests
- ${ECHO} "NIS+ Domain is ${NISDOMAIN}" |${TEE} ${TAGS_OUT} >> ${OUTFILE}
- ${ECHO} '' >> ${OUTFILE}
- ${ECHO} "Executing ${NISCAT} on NIS+ passwd file." >> ${OUTFILE}
- ${ECHO} '' >> ${OUTFILE}
- # We can't tar it out, so we have to put it in the output file
- # Sort it so we can look for duplicate UIDs
- ${NISCAT} passwd.org_dir | ${SORT} -n -t: +2 - |${TEE} ${TAGS_OUT} >> ${OUTFILE} 2>>${ERRFILE}
- ${ECHO} '' >> ${OUTFILE}
- #TODO: Put in password checks for NIS+
- ${ECHO} "Executing ${NISCAT} on NIS+ hosts file." >> ${OUTFILE}
- ${ECHO} '' >> ${OUTFILE}
- ${NISCAT} hosts.org_dir |${TEE} ${TAGS_OUT} >> ${OUTFILE} 2>>${ERRFILE}
- ${ECHO} '' >> ${OUTFILE}
- #TODO: Verfity if it is group or groups
- ${ECHO} "Executing ${NISCAT} on NIS+ group file." >> ${OUTFILE}
- ${ECHO} '' >> ${OUTFILE}
- ${NISCAT} group.org_dir |${TEE} ${TAGS_OUT} >> ${OUTFILE} 2>>${ERRFILE}
- fi
- ${ECHO} '' >> ${OUTFILE}
- ${ECHO} "</NIS_PLUS_CHECK>" >>${TAGS_OUT}
- }
- ###################################################################
- # function to do listing of permissions on key directories
- ###################################################################
- do_key_dirs_listing () {
- #Find permissions on a bunch of directories
- print_separator stdout
- ${ECHO} "Listing permissions on key directories..."
- print_separator stdout
- ${ECHO} "Listing permissions on key directories..." >> ${OUTFILE}
- ${ECHO} "Please see ${KEYDIRS_OUT} for detailed output." >> ${OUTFILE}
- ${ECHO} '' >> ${KEYDIRS_OUT}
- ${ECHO} "<KEYDIRS>" >>${TAGS_OUT}
- if [ "${DO_KEY_DIRS_ETCONLY}" = "0" ]; then
- [ "${DEBUG}" != "0" ] && {
- ${ECHO} "DEBUG: Directories to be examined are:"
- ${ECHO} "DEBUG: ${KEY_DIRS}"
- }
- for dname in ${KEY_DIRS}
- do
- [ -d ${dname} ] && {
- print_separator outfile keydirs
- ${ECHO} "<KEYDIRS-${dname}>" >>${TAGS_OUT}
- ${ECHO} "${dname}:" |${TEE} ${TAGS_OUT} >> ${KEYDIRS_OUT}
- if (${TEST} ${dname} = "/etc") then
- ${LS} -alR /etc |${TEE} ${TAGS_OUT} >> ${KEYDIRS_OUT} 2>>${ERRFILE}
- else
- ${LS} -al ${dname} |${TEE} ${TAGS_OUT} >> ${KEYDIRS_OUT} 2>>${ERRFILE}
- ${ECHO} '' >> ${KEYDIRS_OUT}
- fi
- ${ECHO} "</KEYDIRS-${dname}>" >>${TAGS_OUT}
- }
- done
- else
- [ "${DEBUG}" != "0" ] && {
- ${ECHO} "DEBUG: Directories to be examined are:"
- ${ECHO} "DEBUG: /etc"
- }
- print_separator outfile keydirs
- ${ECHO} "/etc:" >> ${KEYDIRS_OUT}
- ${LS} -alR /etc >> ${KEYDIRS_OUT} 2>>${ERRFILE}
- ${ECHO} '' >> ${KEYDIRS_OUT}
- ${ECHO} "</KEYDIRS>" >>${TAGS_OUT}
- fi
- }
- ####################################################################
- # function to do finds for setuid, setgid, and ww
- ####################################################################
- do_finds () {
- case "$1" in
- 'setuid')
- FINDOUTFILE=${SETUID_OUT}
- FINDOPTS=${FINDOPTSUID}
- ;;
- 'setgid')
- FINDOUTFILE=${SETGID_OUT}
- FINDOPTS=${FINDOPTSGID}
- ;;
- 'ww')
- FINDOUTFILE=${WW_OUT}
- FINDOPTS=${FINDOPTSWW}
- ;;
- *)
- ${ECHO} "supply an argument of setuid, setgid or www."
- exit 1;
- ;;
- esac
- # touch output file
- ${TOUCH} ${FINDOUTFILE}
- if [ "x${FINDOPTS}" = "x" ]; then
- ${ECHO} "Critical Error. FINDOPTS is not defined for this OS."
- ${ECHO} "Please define FINDOPTSUID, FINDOPTSGID, and FINDOPTSWW"
- ${ECHO} "in ${OS_CONF} and re-run the script."
- exit 1;
- fi
- ${ECHO} "Looking for $1 files... (Please be patient)"
- ${ECHO} "<FIND_$1>" >> ${TAGS_OUT}
- print_separator stdout
- ${ECHO} "Looking for $1 files..." >> ${OUTFILE}
- print_separator outfile
- # if FSTAB is defined, then lets parse it and loop
- # through the filesystems, makes our file easier.
- if [ "x${FSTAB}" != "x" ]; then
- [ "${DEBUG}" != "0" ] && {
- ${ECHO} "FSTAB is defined: ${FSTAB}"
- }
- # unfortunately for us, a few OS put the mount
- # point someplace other than $2, notably solaris.
- case "${OS}" in
- 'Solaris')
- for fs in `${AWK} '! /(nfs|proc|swap)/ && ! /^#/ {print $3}' ${FSTAB}`
- do
- [ "${DEBUG}" != "0" ] && {
- ${ECHO} "DEBUG: Running find command on ${fs}"
- ${ECHO} "DEBUG: ${FINDOPTS} \\;"
- }
- ${FIND} ${fs} ${FINDOPTS} \; |${TEE} ${TAGS_OUT} >>${FINDOUTFILE} 2>>${ERRFILE}
- done
- ;;
- 'Sol10')
- for fs in `${AWK} '! /(nfs|proc|swap)/ && ! /^#/ {print $3}' ${FSTAB}`
- do
- [ "${DEBUG}" != "0" ] && {
- ${ECHO} "DEBUG: Running find command on ${fs}"
- ${ECHO} "DEBUG: ${FINDOPTS} \\;"
- }
- ${FIND} ${fs} ${FINDOPTS} \; |${TEE} ${TAGS_OUT} >>${FINDOUTFILE} 2>>${ERRFILE}
- done
- ;;
- 'Sol9')
- for fs in `${AWK} '! /(nfs|proc|swap)/ && ! /^#/ {print $3}' ${FSTAB}`
- do
- [ "${DEBUG}" != "0" ] && {
- ${ECHO} "DEBUG: Running find command on ${fs}"
- ${ECHO} "DEBUG: ${FINDOPTS} \\;"
- }
- ${FIND} ${fs} ${FINDOPTS} \; |${TEE} ${TAGS_OUT} >>${FINDOUTFILE} 2>>${ERRFILE}
- done
- ;;
- *)
- for fs in `${AWK} '! /(nfs|proc|swap)/ && ! /^#/ {print $2}' ${FSTAB}`
- do
- [ "${DEBUG}" != "0" ] && {
- ${ECHO} "DEBUG: Running find command on ${fs}"
- ${ECHO} "DEBUG: ${FINDOPTS} \\;"
- }
- ${FIND} ${fs} ${FINDOPTS} \; |${TEE} ${TAGS_OUT} >>${FINDOUTFILE} 2>>${ERRFILE}
- done
- ;;
- esac
- else
- # fstab is not defined, for AIX/SCO_SV we parse output
- # of df -k command to find the filesystems to do our finds
- # on. Otherwise we just do a brute force find on /.
- [ "${DEBUG}" != "0" ] && {
- ${ECHO} "DEBUG: FSTAB is NOT DEFINED for this OS."
- ${ECHO} "DEBUG: FSTAB is NOT DEFINED for this OS." >>${OUTFILE}
- }
- case "${OS}" in
- 'AIX')
- for fs in `${DF} -k |${AWK} '! /(nfs|proc|swap)/ {print $7}'|${GREP} -v Mounted`
- do
- [ "${DEBUG}" != "0" ] && {
- ${ECHO} "DEBUG: Running find command on ${fs}"
- ${ECHO} "DEBUG: ${FINDOPTS} \\;"
- }
- ${FIND} ${fs} ${FINDOPTS} \; |${TEE} ${TAGS_OUT} >>${FINDOUTFILE} 2>>${ERRFILE}
- done
- ;;
- 'SCO_SV')
- for fs in `${DF} -k |${AWK} '! /(nfs|proc|swap)/ {print $1}'`
- do
- [ "${DEBUG}" != "0" ] && {
- ${ECHO} "DEBUG: Running find command on ${fs}"
- ${ECHO} "DEBUG: ${FINDOPTS} \\;"
- }
- ${FIND} ${fs} ${FINDOPTS} \; |${TEE} ${TAGS_OUT} >>${FINDOUTFILE} 2>>${ERRFILE}
- done
- ;;
- *)
- # run the brute force find
- [ "${DEBUG}" != "0" ] && {
- ${ECHO} "DEBUG: FSTAB is NOT DEFINED for this OS."
- ${ECHO} "DEBUG: Output file: ${FINDOUTFILE}"
- ${ECHO} "DEBUG: Running find command with these arguments:"
- ${ECHO} "DEBUG: ${FINDOPTS} \\;"
- }
- ${FIND} / ${FINDOPTS} \; |${TEE} ${TAGS_OUT} >>${FINDOUTFILE} 2>>${ERRFILE}
- esac
- fi
- ${ECHO} "</FIND_$1>" >> ${TAGS_OUT}
- # get number of setuid/setgid/ww files, send to logfile
- ${ECHO} "<FIND_$1_NUM>" >> ${TAGS_OUT}
- ${ECHO} "`${WC} -l ${FINDOUTFILE} | ${AWK} '{print $1}'` $1 files found." |${TEE} ${TAGS_OUT} >> ${OUTFILE} 2>>${ERRFILE}
- ${ECHO} "</FIND_$1_NUM>" >> ${TAGS_OUT}
- ${ECHO} "Please see ${FINDOUTFILE} for detailed output." >> ${OUTFILE}
- print_separator outfile
- return;
- }
- ###################################################################
- # function to do listing of permissions on custom defined directories
- # really only used for those special occasions.
- # Dirs are defined in /etc/global.rc (Look for CUSTOM_DIRS"
- # Also, you will need to turn this on with the -custom switch
- ###################################################################
- do_custom_dir () {
- #Find permissions on a bunch of directories
- print_separator stdout
- ${ECHO} "Listing permissions on custom directories..."
- ${ECHO} "<CUSTOM_DIRS>" >> ${TAGS_OUT}
- print_separator stdout
- ${ECHO} "Listing permissions on custom directories..." >> ${OUTFILE}
- ${ECHO} "Please see ${CUSTDIRS_OUT} for detailed output." >> ${OUTFILE}
- ${ECHO} '' >> ${CUSTDIRS_OUT}
- [ "${DEBUG}" != "0" ] && {
- ${ECHO} "DEBUG: Directories to be examined are:"
- ${ECHO} "DEBUG: ${CUSTOM_DIRS}"
- }
- print_separator outfile custdirs
- ${LS} -alR ${CUSTOM_DIRS} |${TEE} ${TAGS_OUT} >> ${CUSTDIRS_OUT} 2>>${ERRFILE}
- ${ECHO} '' >> ${CUSTDIRS_OUT}
- ${ECHO} "</CUSTOM_DIRS>" >> ${TAGS_OUT}
- }
- ###################################################################
- # function to do OS specific stuff, called from main script
- ###################################################################
- do_os_modules () {
- # get all the MODULES
- print_separator stdout
- ${ECHO} "Running OS-specific checks for ${OS}"
- ${ECHO} "<OS_MODULES>" >> ${TAGS_OUT}
- print_separator stdout
- # find number of modules
- NUMMODS=`${LS} ${MODULES} |${GREP} -v CVS|${WC} -l`
- print_separator outfile
- ${ECHO} "${NUMMODS} registered modules for ${OS}" >>${OUTFILE}
- print_separator outfile
- ${ECHO} "Please see ${MODS_OUT} for detailed output." >>${OUTFILE}
- if [ -d ${MODULES} ]; then
- if [ "${NUMMODS}" != "0" ]; then
- for mod in `${LS} ${MODULES} |${GREP} -v CVS`
- do
- print_flag_header outfile mods BEGIN ${mod}
- . ${MODULES}/${mod}
- print_flag_header outfile mods END ${mod}
- done
- else
- ${ECHO} "No modules registered for this OS! Skipping OS-specific checks."
- ${ECHO} "No modules registered for this OS! Skipping OS-specific checks." >>${MODS_OUT}
- fi
- else
- ${ECHO} "${MODULES} directory not found. Skipping OS-specific checks."
- ${ECHO} "${MODULES} directory not found. Skipping OS-specific checks." >>${MODS_OUT}
- fi
- ${ECHO} "</OS_MODULES>" >> ${TAGS_OUT}
- }
- ###################################################################
- #
- # main script
- #
- ####################################################################
- # location of conf directory
- CONFDIR=etc
- GLOBALCONF=${CONFDIR}/global.rc
- # read global configuration file
- if [ -f ${GLOBALCONF} ]; then
- . ${GLOBALCONF}
- else
- echo "Cannot find global config file ${GLOBALCONF}. Quitting."
- exit 1
- fi
- # first get the OS version and source the appropriate config file
- check_os
- # process command line arguments
- while ${TEST} $# != 0
- do
- case "$1" in
- -debug) DEBUG=1 ;;
- -nodebug) DEBUG=0 ;;
- -tar) DO_TAR=1 ;;
- -notar) DO_TAR=0 ;;
- -bind) DO_BIND=1 ;;
- -conftar) DO_CONFIGTAR=1 ;;
- -noconftar) DO_CONFIGTAR=0 ;;
- -noshadow) DO_GET_SHADOWFILE=0 ;;
- -users) DO_SEARCH_USERS=1 ;;
- -nousers) DO_SEARCH_USERS=0
- DO_NIS_SEARCH_USERS=0
- DO_NISPLUS_SEARCH_USERS=0
- ;;
- -nis) DO_NIS=1 ;;
- -nisusers) DO_NIS_SEARCH_USERS=1 ;;
- -nonis) DO_NIS=0
- DO_NIS_SEARCH_USERS=0
- ;;
- -nisplus) DO_NISPLUS=1 ;;
- -nisplususers) DO_NISPLUS_SEARCH_USERS=1 ;;
- -nonisplus) DO_NISPLUS=0
- DO_NISPLUS_SEARCH_USERS=0
- ;;
- -finds) DO_ALLFINDS=1 ;;
- -nofinds) DO_ALLFINDS=0 ;;
- -keydirs) DO_KEY_DIRS_LISTING=1 ;;
- -nokeydirs) DO_KEY_DIRS_LISTING=0 ;;
- -osmods) DO_OS_MODULES=1 ;;
- -noosmods) DO_OS_MODULES=0 ;;
- -custom) DO_CUSTOM_DIRS=1 ;;
- -v|-version) print_version ; exit 1 ;;
- -h|-help) usage ; exit 1 ;;
- *) usage ; exit 1 ;;
- esac
- shift
- done
- # setup the output filenames
- do_setup_output_files
- # do file cleanup if script has been run before on this host
- do_file_cleanup
- # begin
- do_intro
- # moved uname check here from do_gen_checks because it is
- # mandatory
- do_uname
- if [ "${DEBUG}" != "0" ]; then
- dump_global_opts
- fi
- ################################
- # This is the generic section for all OSes
- # More flags are tested in do_general_checks
- # and do_net_checks
- ################################
- if [ "${DO_GEN_CHECKS}" != "0" ]; then
- print_flag_header outfile main BEGIN DO_GEN_CHECKS
- do_general_checks
- print_flag_header outfile main END DO_GEN_CHECKS
- elif [ "${DEBUG}" != "0" ]; then
- print_flag_header stdout SKIP DO_GEN_CHECKS
- fi
- # do user files check, can be time consuming if you have a lot
- # of users, esp automounted ones
- if [ "${DO_SEARCH_USERS}" != "0" ]; then
- print_flag_header outfile main BEGIN DO_SEARCH_USERS
- print_flag_header outfile userfiles BEGIN DO_SEARCH_USERS
- do_users_files_check
- print_flag_header outfile userfiles END DO_SEARCH_USERS
- print_flag_header outfile main END DO_SEARCH_USERS
- elif [ "${DEBUG}" != "0" ]; then
- print_flag_header stdout SKIP DO_SEARCH_USERS
- fi
- # listing on key dirs
- if [ "${DO_KEY_DIRS_LISTING}" != "0" ]; then
- print_flag_header outfile main BEGIN DO_KEY_DIRS_LISTING
- print_flag_header outfile keydirs BEGIN DO_KEY_DIRS_LISTING
- do_key_dirs_listing
- print_flag_header outfile keydirs END DO_KEY_DIRS_LISTING
- print_flag_header outfile main END DO_KEY_DIRS_LISTING
- elif [ "${DEBUG}" != "0" ]; then
- print_flag_header stdout SKIP DO_KEY_DIRS_LISTING
- fi
- # do net checks
- if [ "${DO_NET_CHECKS}" != "0" ]; then
- print_flag_header outfile main BEGIN DO_NET_CHECKS
- do_net_checks
- print_flag_header outfile main END DO_NET_CHECKS
- elif [ "${DEBUG}" != "0" ]; then
- print_flag_header stdout SKIP DO_NET_CHECKS
- fi
- # do nis check
- if [ "${DO_NIS}" != "0" ]; then
- print_flag_header outfile main BEGIN DO_NIS
- do_nis_check
- print_flag_header outfile main END DO_NIS
- elif [ "${DEBUG}" != "0" ]; then
- print_flag_header stdout SKIP DO_NIS
- fi
- # do nis+ check
- if [ "${DO_NISPLUS}" != "0" ]; then
- print_flag_header outfile main BEGIN DO_NISPLUS
- do_nisplus_check
- print_flag_header outfile main END DO_NISPLUS
- elif [ "${DEBUG}" != "0" ]; then
- print_flag_header stdout SKIP DO_NISPLUS
- fi
- # do finds, check flags
- if [ "${DO_ALLFINDS}" != "0" ]; then
- if [ "${DO_SETUID}" != "0" ]; then
- do_finds setuid
- fi
- if [ "${DO_SETGID}" != "0" ]; then
- do_finds setgid
- fi
- if [ "${DO_WW}" != "0" ]; then
- do_finds ww
- fi
- elif [ "${DEBUG}" != "0" ]; then
- print_flag_header stdout SKIP DO_ALLFINDS
- fi
- # do custom dirs listings - not for the faint of heart
- if [ "${DO_CUSTOM_DIRS}" != "0" ]; then
- print_flag_header outfile main BEGIN DO_CUSTOM_DIRS_LISTING
- print_flag_header outfile custdirs BEGIN DO_CUSTOM_DIRS
- do_custom_dir
- print_flag_header outfile custdirs END DO_CUST_DIRS
- print_flag_header outfile main END DO_CUSTOM_DIRS
- elif [ "${DEBUG}" != "0" ]; then
- print_flag_header stdout SKIP DO_CUSTOM_DIRS
- fi
- # do os-specific checks
- if [ "${DO_OS_MODULES}" != "0" ]; then
- print_flag_header outfile main BEGIN DO_OS_MODULES
- do_os_modules
- print_flag_header outfile main END DO_OS_MODULES
- elif [ "${DEBUG}" != "0" ]; then
- print_flag_header stdout SKIP DO_OS_MODULES
- fi
- # secure output files, just in case UMASK permissions are insecure
- do_chmod
- # wrap up
- do_outro
- # tar up all output files if they want
- if [ "${DO_TAR}" != "0" ]; then
- do_tar
- fi
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement