Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/bin/sh
- # unix-privesc-check - Checks Unix system for simple privilege escalations
- # Copyright (C) 2008 pentestmonkey@pentestmonkey.net
- #
- #
- # License
- # -------
- # This tool may be used for legal purposes only. Users take full responsibility
- # for any actions performed using this tool. The author accepts no liability
- # for damage caused by this tool. If you do not accept these condition then
- # you are prohibited from using this tool.
- #
- # In all other respects the GPL version 2 applies:
- #
- # This program is free software; you can redistribute it and/or modify
- # it under the terms of the GNU General Public License version 2 as
- # published by the Free Software Foundation.
- #
- # This program is distributed in the hope that it will be useful,
- # but WITHOUT ANY WARRANTY; without even the implied warranty of
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- # GNU General Public License for more details.
- #
- # You should have received a copy of the GNU General Public License along
- # with this program; if not, write to the Free Software Foundation, Inc.,
- # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- #
- # You are encouraged to send comments, improvements or suggestions to
- # me at pentestmonkey@pentestmonkey.net
- #
- #
- # Description
- # -----------
- # Auditing tool to check for weak file permissions and other problems that
- # may allow local attackers to escalate privileges.
- #
- # It is intended to be run by security auditors and pentetration testers
- # against systems they have been engaged to assess, and also by system
- # admnisitrators who want to check for "obvious" misconfigurations. It
- # can even be run as a cron job so you can check regularly for misconfigurations
- # that might be introduced.
- #
- # Ensure that you have the appropriate legal permission before running it
- # someone else's system.
- #
- # TODO List
- # ---------
- # There's still plenty that this script doesn't do...
- # - Doesn't work for shell scripts! These appear as "/bin/sh my.sh" in the process listing.
- # This script only checks the perms of /bin/sh. Not what we're after. :-(
- # - Similarly for perl scripts. Probably python, etc. too.
- # - Check /proc/pid/cmdline for absolute path names. Check security of these (e.g. /etc/snmp/snmpd.conf)
- # - Check everything in root's path - how to find root's path?
- # - /proc/pid/maps, smaps are readable and lists some shared objects. We should check these.
- # - /proc/pid/fd contain symlinks to all open files (but you can't see other people FDs)
- # - check for trust relationships in /etc/hosts.equiv
- # - NFS imports / exports / automounter
- # - Insecure stuff in /etc/fstab (e.g. allowing users to mount file systems)
- # - Inspecting people's PATH. tricky. maybe read from /proc/pid/environ, .bashrc, /etc/profile, .bash_profile
- # - Check if /etc/init.d/* scripts are readable. Advise user to audit them if they are.
- # - .exrc?
- # - X11 trusts, apache passwd files, mysql trusts?
- # - Daemons configured in an insecure way: tftpd, sadmind, rexd
- # - World writable dirs aren't as bad if the sticky bit is set. Check for this before reporting vulns.
- # - Maybe do a strings of binaries (and their .so's?)
- # - Do a better job of parsing cron lines - search for full paths
- # - Maybe LDPATHs from /etc/env.d
- # - Check if ldd, ld.so.conf changes have broken this script on non-linux systems.
- # - Avoid check certain paths e.g. /-/_ clearly isn't a real directory.
- # - create some sort of readable report
- # - indicate when it's likely a result is a false positive and when it's not.
- # - Skip pseudo processes e.g. [usb-storage]
- # - File permission on kernel modules
- # - Replace calls to echo with a my_echo func. Should be passed a string and an "importance" value:
- # - my_echo 1 "This is important and should always be printed out"
- # - my_echo 2 "This is less important and should only be printed in verbose mode"
- # - We check some files / dirs multiple times. Slow. Can we implement a cache?
- # - grep for PRIVATE KEY to find private ssh and ssl keys. Where to grep?
- # - check SGID programs
- VERSION="1.4"
- HOME_DIR_FILES=".netrc .ssh/id_rsa .ssh/id_dsa .rhosts .shosts .my.cnf .ssh/authorized_keys .bash_history .sh_history .forward"
- CONFIG_FILES="/etc/passwd /etc/group /etc/master.passwd /etc/inittab /etc/inetd.conf /etc/xinetd.con /etc/xinetd.d/* /etc/contab /etc/fstab /etc/profile /etc/sudoers"
- PGDIRS="/usr/local/pgsql/data ~postgres/postgresql/data ~postgres/data ~pgsql/data ~pgsql/pgsql/data /var/lib/postgresql/data /etc/postgresql/8.2/main /var/lib/pgsql/data"
- get_owner () {
- GET_OWNER_FILE=$1
- GET_OWNER_RETURN=`ls -lLd "$GET_OWNER_FILE" | awk '{print $3}'`
- }
- get_group () {
- GET_GROUP_FILE=$1
- GET_GROUP_RETURN=`ls -lLd "$GET_GROUP_FILE" | awk '{print $4}'`
- }
- usage () {
- echo "unix-privesc-check v$VERSION ( http://pentestmonkey.net/tools/unix-privesc-check )"
- echo
- echo "Usage: unix-privesc-check { standard | detailed }"
- echo
- echo '"standard" mode: Speed-optimised check of lots of security settings.'
- echo
- echo '"detailed" mode: Same as standard mode, but also checks perms of open file'
- echo ' handles and called files (e.g. parsed from shell scripts,'
- echo ' linked .so files). This mode is slow and prone to false '
- echo ' positives but might help you find more subtle flaws in 3rd'
- echo ' party programs.'
- echo
- echo "This script checks file permissions and other settings that could allow"
- echo "local users to escalate privileges."
- echo
- echo "Use of this script is only permitted on systems which you have been granted"
- echo "legal permission to perform a security assessment of. Apart from this "
- echo "condition the GPL v2 applies."
- echo
- echo "Search the output for the word 'WARNING'. If you don't see it then this"
- echo "script didn't find any problems."
- echo
- }
- banner () {
- echo "Starting unix-privesc-check v$VERSION ( http://pentestmonkey.net/tools/unix-privesc-check )"
- echo
- echo "This script checks file permissions and other settings that could allow"
- echo "local users to escalate privileges."
- echo
- echo "Use of this script is only permitted on systems which you have been granted"
- echo "legal permission to perform a security assessment of. Apart from this "
- echo "condition the GPL v2 applies."
- echo
- echo "Search the output below for the word 'WARNING'. If you don't see it then"
- echo "this script didn't find any problems."
- echo
- }
- MODE=$1
- if [ ! "$MODE" = "standard" ] && [ ! "$MODE" = "detailed" ]; then
- usage
- exit 0
- fi
- # Parse any full paths from $1 (config files, progs, dirs).
- # Check the permissions on each of these.
- check_called_programs () {
- CCP_MESSAGE_STACK=$1
- CCP_FILE=$2
- CCP_USER=$3
- CCP_PATH=$4 # optional
- # Check the perms of the supplied file regardless
- # The caller doesn't want to have to call check_perms as well as check_called_programs
- check_perms "$CCP_MESSAGE_STACK" "$CCP_FILE" "$CCP_USER" "$CCP_PATH"
- # Skip the slow check if we're in quick mode
- if [ "$MODE" = "standard" ]; then
- return 0;
- fi
- # Check if file is text or not
- IS_TEXT=`file "$CCP_FILE" | grep -i text`
- IS_DYNBIN=`file "$CCP_FILE" | grep -i 'dynamically linked'`
- # Process shell scripts (would also work on config files that reference other files)
- if [ ! -z "$IS_TEXT" ]; then
- # Parse full paths from file - ignoring commented lines
- CALLED_FILES=`grep -v '^#' "$CCP_FILE" | sed -e 's/^[^\/]*//' -e 's/["'\'':}$]/\x0a/g' | grep '/' | sed -e 's/[ \*].*//' | grep '^/[a-zA-Z0-9_/-]*$' | sort -u`
- for CALLED_FILE in $CALLED_FILES; do
- # echo "$CCP_FILE contains a reference to $CALLED_FILE. Checking perms."
- check_perms "$CCP_MESSAGE_STACK $CCP_FILE contains the string $CALLED_FILE." "$CALLED_FILE" "$CCP_USER" "$CCP_PATH"
- done
- else
- # Process dynamically linked binaries
- if [ ! -z "$IS_DYNBIN" ]; then
- CALLED_FILES=`ldd "$CCP_FILE" 2>/dev/null | grep '/' | sed 's/[^\/]*\//\//' | cut -f 1 -d ' '`
- for CALLED_FILE in $CALLED_FILES; do
- check_perms "$CCP_MESSAGE_STACK $CCP_FILE uses the library $CALLED_FILE." "$CALLED_FILE" "$CCP_USER" "$CCP_PATH"
- done
- # Strings binary to look for hard-coded config files
- # or other programs that might be called.
- for CALLED_FILE in `strings "$CCP_FILE" | sed -e 's/^[^\/]*//' -e 's/["'\'':}$]/\x0a/g' | grep '/' | sed -e 's/[ \*].*//' | grep '^/[a-zA-Z0-9_/-]*$' | sort -u`; do
- check_perms "$CCP_MESSAGE_STACK $CCP_FILE contains the string $CALLED_FILE." "$CALLED_FILE" "$CCP_USER" "$CCP_PATH"
- done
- fi
- fi
- }
- # Parse any full paths from $1 (config files, progs, dirs).
- # Check the permissions on each of these.
- check_called_programs_suid () {
- CCP_FILE=$1
- CCP_PATH=$2 # optional
- get_owner $CCP_FILE; CCP_USER=$GET_OWNER_RETURN
- CCP_MESSAGE_STACK="$CCP_FILE is SUID $CCP_USER."
- LS=`ls -l $CCP_FILE`
- echo "Checking SUID-$CCP_USER program $CCP_FILE: $LS"
- # Don't check perms of executable itself
- # check_perms "$CCP_MESSAGE_STACK" "$CCP_FILE" "$CCP_USER" "$CCP_PATH"
- # Check if file is text or not
- IS_TEXT=`file "$CCP_FILE" | grep -i text`
- IS_DYNBIN=`file "$CCP_FILE" | grep -i 'dynamically linked'`
- # Process shell scripts (would also work on config files that reference other files)
- if [ ! -z "$IS_TEXT" ]; then
- # Skip the slow check if we're in quick mode
- if [ "$MODE" = "standard" ]; then
- return 0;
- fi
- # Parse full paths from file - ignoring commented lines
- CALLED_FILES=`grep -v '^#' "$CCP_FILE" | sed -e 's/^[^\/]*//' -e 's/["'\'':}$]/\x0a/g' | grep '/' | sed -e 's/[ \*].*//' | grep '^/[a-zA-Z0-9_/-]*$' | sort -u`
- for CALLED_FILE in $CALLED_FILES; do
- # echo "$CCP_FILE contains a reference to $CALLED_FILE. Checking perms."
- check_perms "$CCP_MESSAGE_STACK $CCP_FILE contains the string $CALLED_FILE." "$CALLED_FILE" "$CCP_USER" "$CCP_PATH"
- done
- else
- # Process dynamically linked binaries
- if [ ! -z "$IS_DYNBIN" ]; then
- CALLED_FILES=`ldd "$CCP_FILE" 2>/dev/null | grep '/' | sed 's/[^\/]*\//\//' | cut -f 1 -d ' '`
- for CALLED_FILE in $CALLED_FILES; do
- check_perms "$CCP_MESSAGE_STACK $CCP_FILE uses the library $CALLED_FILE." "$CALLED_FILE" "$CCP_USER" "$CCP_PATH"
- done
- # Skip the slow check if we're in quick mode
- if [ "$MODE" = "standard" ]; then
- return 0;
- fi
- # Strings binary to look for hard-coded config files
- # or other programs that might be called.
- for CALLED_FILE in `strings "$CCP_FILE" | sed -e 's/^[^\/]*//' -e 's/["'\'':}$]/\x0a/g' | grep '/' | sed -e 's/[ \*].*//' | grep '^/[a-zA-Z0-9_/-]*$' | sort -u`; do
- check_perms "$CCP_MESSAGE_STACK $CCP_FILE contains the string $CALLED_FILE." "$CALLED_FILE" "$CCP_USER" "$CCP_PATH"
- done
- fi
- fi
- }
- # Check if $1 can be changed by users who are not $2
- check_perms () {
- CP_MESSAGE_STACK=$1
- CHECK_PERMS_FILE=$2
- CHECK_PERMS_USER=$3
- CHECK_PERMS_PATH=$4 # optional
- if [ ! -f "$CHECK_PERMS_FILE" ] && [ ! -d "$CHECK_PERMS_FILE" ] && [ ! -b "$CHECK_PERMS_FILE" ]; then
- CHECK_PERMS_FOUND=0
- if [ ! -z "$CHECK_PERMS_PATH" ]; then
- # Look for it in the supplied path
- for DIR in `echo "$CHECK_PERMS_PATH" | sed 's/:/ /g'`; do
- if [ -f "$DIR/$CHECK_PERMS_FILE" ]; then
- CHECK_PERMS_FOUND=1
- CHECK_PERMS_FILE="$DIR/$CHECK_PERMS_FILE"
- break
- fi
- done
- fi
- #if [ "$CHECK_PERMS_FOUND" = "0" ]; then
- # echo "ERROR: File $CHECK_PERMS_FILE doesn't exist. Checking parent path anyway."
- # # return 0
- # fi
- fi
- C=`echo "$CHECK_PERMS_FILE" | cut -c 1`
- if [ ! "$C" = "/" ]; then
- echo "ERROR: Can't find absolute path for $CHECK_PERMS_FILE. Skipping."
- return 0
- fi
- echo " Checking if anyone except $CHECK_PERMS_USER can change $CHECK_PERMS_FILE"
- while [ -n "$CHECK_PERMS_FILE" ]; do
- perms_secure "$CP_MESSAGE_STACK" $CHECK_PERMS_FILE $CHECK_PERMS_USER
- CHECK_PERMS_FILE=`echo $CHECK_PERMS_FILE | sed 's/\/[^\/]*$//'`
- done
- }
- # Check if $1 can be read by users who are not $2
- check_read_perms () {
- CP_MESSAGE_STACK=$1
- CHECK_PERMS_FILE=$2
- CHECK_PERMS_USER=$3
- if [ ! -f "$CHECK_PERMS_FILE" ] && [ ! -b "$CHECK_PERMS_FILE" ]; then
- echo "ERROR: File $CHECK_PERMS_FILE doesn't exist"
- return 0
- fi
- echo " Checking if anyone except $CHECK_PERMS_USER can read file $CHECK_PERMS_FILE"
- perms_secure_read "$CP_MESSAGE_STACK" "$CHECK_PERMS_FILE" "$CHECK_PERMS_USER"
- }
- perms_secure_read () {
- PS_MESSAGE_STACK=$1
- PERMS_SECURE_FILE=$2
- PERMS_SECURE_USER=$3
- if [ ! -b "$PERMS_SECURE_FILE" ] && [ ! -f "$PERMS_SECURE_FILE" ] && [ ! -d "$PERMS_SECURE_FILE" ]; then
- echo "ERROR: No such file or directory: $PERMS_SECURE_FILE. Skipping."
- return 0
- fi
- # Check if owner is different (but ignore root ownership, that's OK)
- only_user_can_read "$PS_MESSAGE_STACK" $PERMS_SECURE_FILE $PERMS_SECURE_USER
- # Check group read perm (but ignore root group, that's OK)
- group_can_read "$PS_MESSAGE_STACK" $PERMS_SECURE_FILE $PERMS_SECURE_USER
- # Check world read perm
- world_can_read "$PS_MESSAGE_STACK" $PERMS_SECURE_FILE
- }
- perms_secure () {
- PS_MESSAGE_STACK=$1
- PERMS_SECURE_FILE=$2
- PERMS_SECURE_USER=$3
- if [ ! -d "$PERMS_SECURE_FILE" ] && [ ! -f "$PERMS_SECURE_FILE" ] && [ ! -b "$PERMS_SECURE_FILE" ]; then
- # echo "ERROR: No such file or directory: $PERMS_SECURE_FILE. Skipping."
- return 0
- fi
- # Check if owner is different (but ignore root ownership, that's OK)
- only_user_can_write "$PS_MESSAGE_STACK" $PERMS_SECURE_FILE $PERMS_SECURE_USER
- # Check group write perm (but ignore root group, that's OK)
- group_can_write "$PS_MESSAGE_STACK" $PERMS_SECURE_FILE $PERMS_SECURE_USER
- # Check world write perm
- world_can_write "$PS_MESSAGE_STACK" $PERMS_SECURE_FILE
- }
- only_user_can_write () {
- O_MESSAGE_STACK=$1
- O_FILE=$2
- O_USER=$3
- # We just need to check the owner really as the owner
- # can always grant themselves write access
- get_owner $O_FILE; O_FILE_USER=$GET_OWNER_RETURN
- if [ ! "$O_USER" = "$O_FILE_USER" ] && [ ! "$O_FILE_USER" = "root" ]; then
- echo "WARNING: $O_MESSAGE_STACK The user $O_FILE_USER can write to $O_FILE"
- fi
- }
- group_can_write () {
- O_MESSAGE_STACK=$1
- O_FILE=$2
- O_USER=$3 # ignore group write access $3 is only member of group
- get_group $O_FILE; O_FILE_GROUP=$GET_GROUP_RETURN
- P=`ls -lLd $O_FILE | cut -c 6`
- if [ "$P" = "w" ] && [ ! "$O_GROUP" = "root" ]; then
- # check the group actually has some members other than $O_USER
- group_has_other_members "$O_FILE_GROUP" "$O_USER"; # sets OTHER_MEMBERS to 1 or 0
- if [ "$OTHER_MEMBERS" = "1" ]; then
- echo "WARNING: $O_MESSAGE_STACK The group $O_FILE_GROUP can write to $O_FILE"
- fi
- fi
- }
- group_has_other_members () {
- G_GROUP=$1
- G_USER=$2
- # If LDAP/NIS is being used this script can't check group memberships
- # we therefore assume the worst.
- if [ "$EXT_AUTH" = 1 ]; then
- OTHER_MEMBERS=1
- return 1
- fi
- GROUP_LINE=`grep "^$G_GROUP:" /etc/group`
- MEMBERS=`echo "$GROUP_LINE" | cut -f 4 -d : | sed 's/,/ /g'`
- GID=`echo "$GROUP_LINE" | cut -f 3 -d :`
- EXTRA_MEMBERS=`grep "^[^:]*:[^:]*:[0-9]*:$GID:" /etc/passwd | cut -f 1 -d : | xargs echo`
- for M in $MEMBERS; do
- if [ ! "$M" = "$G_USER" ] && [ ! "$M" = "root" ]; then
- OTHER_MEMBERS=1
- return 1
- fi
- done
- for M in $EXTRA_MEMBERS; do
- if [ ! "$M" = "$G_USER" ] && [ ! "$M" = "root" ]; then
- OTHER_MEMBERS=1
- return 1
- fi
- done
- OTHER_MEMBERS=0
- return 0
- }
- world_can_write () {
- O_MESSAGE_STACK=$1
- O_FILE=$2
- P=`ls -lLd $O_FILE | cut -c 9`
- S=`ls -lLd $O_FILE | cut -c 10`
- if [ "$P" = "w" ]; then
- if [ "$S" = "t" ]; then
- echo "WARNING: $O_MESSAGE_STACK World write is set for $O_FILE (but sticky bit set)"
- else
- echo "WARNING: $O_MESSAGE_STACK World write is set for $O_FILE"
- fi
- fi
- }
- only_user_can_read () {
- O_MESSAGE_STACK=$1
- O_FILE=$2
- O_USER=$3
- # We just need to check the owner really as the owner
- # can always grant themselves read access
- get_owner $O_FILE; O_FILE_USER=$GET_OWNER_RETURN
- if [ ! "$O_USER" = "$O_FILE_USER" ] && [ ! "$O_FILE_USER" = "root" ]; then
- echo "WARNING: $O_MESSAGE_STACK The user $O_FILE_USER can read $O_FILE"
- fi
- }
- group_can_read () {
- O_MESSAGE_STACK=$1
- O_FILE=$2
- O_USER=$3
- get_group $O_FILE; O_FILE_GROUP=$GET_GROUP_RETURN
- P=`ls -lLd $O_FILE | cut -c 5`
- if [ "$P" = "r" ] && [ ! "$O_GROUP" = "root" ]; then
- # check the group actually has some members other than $O_USER
- group_has_other_members "$O_FILE_GROUP" "$O_USER"; # sets OTHER_MEMBERS to 1 or 0
- if [ "$OTHER_MEMBERS" = "1" ]; then
- echo "WARNING: $O_MESSAGE_STACK The group $O_FILE_GROUP can read $O_FILE"
- fi
- fi
- }
- world_can_read () {
- O_MESSAGE_STACK=$1
- O_FILE=$2
- P=`ls -lLd $O_FILE | cut -c 8`
- if [ "$P" = "w" ]; then
- echo "WARNING: $O_MESSAGE_STACK World read is set for $O_FILE"
- fi
- }
- section () {
- echo
- echo '############################################'
- echo $1
- echo '############################################'
- }
- # Guess OS
- if [ -x /usr/bin/showrev ]; then
- OS="solaris"
- SHADOW="/etc/shadow"
- elif [ -x /usr/sbin/sam -o -x /usr/bin/sam ]; then
- OS="hpux"
- SHADOW="/etc/shadow"
- elif [ -f /etc/master.passwd ]; then
- OS="bsd"
- SHADOW="/etc/master.passwd"
- else
- OS="linux"
- SHADOW="/etc/shadow"
- fi
- echo "Assuming the OS is: $OS"
- CONFIG_FILES="$CONFIG_FILES $SHADOW"
- # Set path so we can access usual directories. HPUX and some linuxes don't have sbin in the path.
- PATH=$PATH:/usr/bin:/bin:/sbin:/usr/sbin; export PATH
- # Check dependent programs are installed
- # Assume "which" is installed!
- PROGS="ls awk grep cat mount xargs file ldd strings"
- for PROG in $PROGS; do
- which $PROG 2>&1 > /dev/null
- if [ ! $? = "0" ]; then
- echo "ERROR: Dependend program '$PROG' is mising. Can't run. Sorry!"
- exit 1
- fi
- done
- banner
- section "Recording hostname"
- hostname
- section "Recording uname"
- uname -a
- section "Recording Interface IP addresses"
- if [ $OS = 'hpux' ]; then
- for IFACE in `lanscan | grep x | awk '{print $5}' 2>/dev/null`; do
- ifconfig $IFACE 2>/dev/null
- done
- else
- ifconfig -a
- fi
- section "Checking if external authentication is allowed in /etc/passwd"
- FLAG=`grep '^+:' /etc/passwd`
- if [ -n "$FLAG" ]; then
- echo "WARNING: /etc/passwd allows external authentcation:"
- grep '^+:' /etc/passwd
- EXT_AUTH=1
- else
- echo "No +:... line found in /etc/passwd"
- fi
- section "Checking nsswitch.conf for addition authentication methods"
- if [ -r "/etc/nsswitch.conf" ]; then
- NIS=`grep '^passwd' /etc/nsswitch.conf | grep 'nis'`
- if [ -n "$NIS" ]; then
- echo "WARNING: NIS is used for authentication on this system"
- EXT_AUTH=1
- fi
- LDAP=`grep '^passwd' /etc/nsswitch.conf | grep 'ldap'`
- if [ -n "$LDAP" ]; then
- echo "WARNING: LDAP is used for authentication on this system"
- EXT_AUTH=1
- fi
- if [ -z "$NIS" ] && [ -z "$LDAP" ]; then
- echo "Neither LDAP nor NIS are used for authentication"
- fi
- else
- echo "ERROR: File /etc/nsswitch.conf isn't readable. Skipping checks."
- fi
- # Check important config files aren't writable
- section "Checking for writable config files"
- for FILE in $CONFIG_FILES; do
- if [ -f "$FILE" ]; then
- check_perms "$FILE is a critical config file." "$FILE" root
- fi
- done
- section "Checking if $SHADOW is readable"
- check_read_perms "/etc/shadow holds authentication data" $SHADOW root
- section "Checking for password hashes in /etc/passwd"
- FLAG=`grep -v '^[^:]*:[x\*]*:' /etc/passwd | grep -v '^#'`
- if [ -n "$FLAG" ]; then
- echo "WARNING: There seem to be some password hashes in /etc/passwd"
- grep -v '^[^:]*:[x\*]*:' /etc/passwd | grep -v '^#'
- EXT_AUTH=1
- else
- echo "No password hashes found in /etc/passwd"
- fi
- section "Checking account settings"
- # Check for something nasty like r00t::0:0::/:/bin/sh in /etc/passwd
- # We only need read access to /etc/passwd to be able to check this.
- if [ -r "/etc/passwd" ]; then
- OPEN=`grep "^[^:][^:]*::" /etc/passwd | cut -f 1 -d ":"`
- if [ -n "$OPEN" ]; then
- echo "WARNING: The following accounts have no password:"
- grep "^[^:][^:]*::" /etc/passwd | cut -f 1 -d ":"
- fi
- fi
- if [ -r "$SHADOW" ]; then
- echo "Checking for accounts with no passwords"
- if [ "$OS" = "linux" ]; then
- passwd -S -a | while read LINE
- do
- USER=`echo "$LINE" | awk '{print $1}'`
- STATUS=`echo "$LINE" | awk '{print $2}'`
- if [ "$STATUS" = "NP" ]; then
- echo "WARNING: User $USER doesn't have a password"
- fi
- done
- elif [ "$OS" = "solaris" ]; then
- passwd -s -a | while read LINE
- do
- USER=`echo "$LINE" | awk '{print $1}'`
- STATUS=`echo "$LINE" | awk '{print $2}'`
- if [ "$STATUS" = "NP" ]; then
- echo "WARNING: User $USER doesn't have a password"
- fi
- done
- fi
- else
- echo "File $SHADOW isn't readable. Skipping some checks."
- fi
- section "Checking library directories from /etc/ld.so.conf"
- if [ -f "/etc/ld.so.conf" ] && [ -r "/etc/ld.so.conf" ]; then
- for DIR in `grep '^/' /etc/ld.so.conf`; do
- check_perms "$DIR is in /etc/ld.so.conf." $DIR root
- done
- #FILES=`grep '^include' /etc/ld.so.conf | sed 's/^include *//'`
- #if [ ! -z "$FILES" ]; then
- # for DIR in `echo $FILES | xargs cat | sort -u`; do
- # done
- #fi
- else
- echo "File /etc/ld.so.conf not present. Skipping checks."
- fi
- # Check sudoers if we have permission - needs root normally
- section "Checking sudo configuration"
- if [ -f "/etc/sudoers" ] && [ -r "/etc/sudoers" ]; then
- echo -----------------
- echo "Checking if sudo is configured"
- SUDO_USERS=`grep -v '^#' /etc/sudoers | grep -v '^[ \t]*$' | grep -v '^[ \t]*Default' | grep =`
- if [ ! -z "$SUDO_USERS" ]; then
- echo "WARNING: Sudo is configured. Manually check nothing unsafe is allowed:"
- grep -v '^#' /etc/sudoers | grep -v '^[ \t]*$' | grep = | grep -v '^[ \t]*Default'
- fi
- echo -----------------
- echo "Checking sudo users need a password"
- SUDO_NOPASSWD=`grep -v '^#' /etc/sudoers | grep -v '^[ \t]*$' | grep NOPASSWD`
- if [ ! -z "$SUDO_NOPASSWD" ]; then
- echo "WARNING: Some users can use sudo without a password:"
- grep -v '^#' /etc/sudoers | grep -v '^[ \t]*$' | grep NOPASSWD
- fi
- else
- echo "File /etc/sudoers not present. Skipping checks."
- fi
- section "Checking permissions on swap file(s)"
- for SWAP in `swapon -s | grep -v '^Filename' | cut -f 1 -d ' '`; do
- check_perms "$SWAP is used for swap space." $SWAP root
- check_read_perms "$SWAP is used for swap space." $SWAP root
- done
- section "Checking programs run from inittab"
- if [ -f "/etc/inittab" ] && [ -r "/etc/inittab" ]; then
- for FILE in `cat /etc/inittab | grep : | grep -v '^#' | cut -f 4 -d : | grep '/' | cut -f 1 -d ' ' | sort -u`; do
- check_called_programs "$FILE is run from /etc/inittab as root." $FILE root
- done
- else
- echo "File /etc/inittab not present. Skipping checks."
- fi
- section "Checking postgres trust relationships"
- for DIR in $PGDIRS; do
- if [ -d "$DIR" ] && [ -r "$DIR/pg_hba.conf" ]; then
- grep -v '^#' "$DIR/pg_hba.conf" | grep -v '^[ \t]*$' | while read LINE
- do
- AUTH=`echo "$LINE" | awk '{print $NF}'`
- if [ "$AUTH" = "trust" ]; then
- PGTRUST=1
- echo "WARNING: Postgres trust configured in $DIR/pg_hba.conf: $LINE"
- fi
- done
- fi
- done
- PGVER1=`psql -U postgres template1 -c 'select version()' 2>/dev/null | grep version`
- if [ -n "$PGVER1" ]; then
- PGTRUST=1
- echo "WARNING: Can connect to local postgres database as \"postgres\" without a password"
- fi
- PGVER2=`psql -U pgsql template1 -c 'select version()' 2>/dev/null | grep version`
- if [ -n "$PGVER2" ]; then
- PGTRUST=1
- echo "WARNING: Can connect to local postgres database as \"pgsql\" without a password"
- fi
- if [ -z "$PGTRUST" ]; then
- echo "No postgres trusts detected"
- fi
- # Check device files for mounted file systems are secure
- # cat /proc/mounts | while read LINE # Doesn't work so well when LVM is used - need to be root
- section "Checking permissions on device files for mounted partitions"
- if [ "$OS" = "linux" ]; then
- mount | while read LINE
- do
- DEVICE=`echo "$LINE" | awk '{print $1}'`
- FS=`echo "$LINE" | awk '{print $5}'`
- if [ "$FS" = "ext2" ] || [ "$FS" = "ext3" ] ||[ "$FS" = "reiserfs" ]; then
- echo "Checking device $DEVICE"
- check_perms "$DEVICE is a mounted file system." $DEVICE root
- fi
- done
- elif [ "$OS" = "bsd" ]; then
- mount | grep ufs | while read LINE
- do
- DEVICE=`echo "$LINE" | awk '{print $1}'`
- echo "Checking device $DEVICE"
- check_perms "$DEVICE is a mounted file system." $DEVICE root
- done
- elif [ "$OS" = "solaris" ]; then
- mount | grep xattr | while read LINE
- do
- DEVICE=`echo "$LINE" | awk '{print $3}'`
- if [ ! "$DEVICE" = "swap" ]; then
- echo "Checking device $DEVICE"
- check_perms "$DEVICE is a mounted file system." $DEVICE root
- fi
- done
- elif [ "$OS" = "hpux" ]; then
- mount | while read LINE
- do
- DEVICE=`echo "$LINE" | awk '{print $3}'`
- C=`echo $DEVICE | cut -c 1`
- if [ "$C" = "/" ]; then
- echo "Checking device $DEVICE"
- check_perms "$DEVICE is a mounted file system." $DEVICE root
- fi
- done
- NFS=`mount | grep NFS`
- if [ -n "$NFS" ]; then
- echo "WARNING: This system is an NFS client. Check for nosuid and nodev options."
- mount | grep NFS
- fi
- fi
- # Check cron jobs if they're readable
- # TODO check that cron is actually running
- section "Checking cron job programs aren't writable (/etc/crontab)"
- CRONDIRS=""
- if [ -f "/etc/crontab" ] && [ -r "/etc/crontab" ]; then
- MYPATH=`grep '^PATH=' /etc/crontab | cut -f 2 -d = `
- echo Crontab path is $MYPATH
- # Check if /etc/cron.(hourly|daily|weekly|monthly) are being used
- CRONDIRS=`grep -v '^#' /etc/crontab | grep -v '^[ \t]*$' | grep '[ \t][^ \t][^ \t]*[ \t][ \t]*' | grep run-crons`
- # Process run-parts
- grep -v '^#' /etc/crontab | grep -v '^[ \t]*$' | grep '[ \t][^ \t][^ \t]*[ \t][ \t]*' | grep run-parts | while read LINE
- do
- echo "Processing crontab run-parts entry: $LINE"
- USER=`echo "$LINE" | awk '{print $6}'`
- DIR=`echo "$LINE" | sed 's/.*run-parts[^()&|;\/]*\(\/[^ ]*\).*/\1/'`
- check_perms "$DIR holds cron jobs which are run as $USER." "$DIR" "$USER"
- if [ -d "$DIR" ]; then
- echo " Checking directory: $DIR"
- for FILE in $DIR/*; do
- FILENAME=`echo "$FILE" | sed 's/.*\///'`
- if [ "$FILENAME" = "*" ]; then
- echo " No files in this directory."
- continue
- fi
- check_called_programs "$FILE is run by cron as $USER." "$FILE" "$USER"
- done
- fi
- done
- # TODO bsd'd periodic:
- # 1 3 * * * root periodic daily
- # 15 4 * * 6 root periodic weekly
- # 30 5 1 * * root periodic monthly
- grep -v '^#' /etc/crontab | grep -v '^[ ]*$' | grep '[ ][^ ][^ ]*[ ][ ]*' | while read LINE
- do
- echo "Processing crontab entry: $LINE"
- USER=`echo "$LINE" | awk '{print $6}'`
- PROG=`echo "$LINE" | awk '{print $7}'`
- check_called_programs "$PROG is run from crontab as $USER." $PROG $USER $MYPATH
- done
- else
- echo "File /etc/crontab not present. Skipping checks."
- fi
- # Do this if run-crons is run from /etc/crontab
- if [ -n "$CRONDIRS" ]; then
- USER=`echo "$CRONDIRS" | awk '{print $6}'`
- section "Checking /etc/cron.(hourly|daily|weekly|monthly)"
- for DIR in hourly daily weekly monthly; do
- if [ -d "/etc/cron.$DIR" ]; then
- echo " Checking directory: /etc/cron.$DIR"
- for FILE in /etc/cron.$DIR/*; do
- FILENAME=`echo "$FILE" | sed 's/.*\///'`
- if [ "$FILENAME" = "*" ]; then
- echo "No files in this directory."
- continue
- fi
- check_called_programs "$FILE is run via cron as $USER." "$FILE" $USER
- done
- fi
- done
- fi
- section "Checking cron job programs aren't writable (/var/spool/cron/crontabs)"
- if [ -d "/var/spool/cron/crontabs" ]; then
- for FILE in /var/spool/cron/crontabs/*; do
- USER=`echo "$FILE" | sed 's/^.*\///'`
- if [ "$USER" = "*" ]; then
- echo "No user crontabs found in /var/spool/cron/crontabs. Skipping checks."
- continue
- fi
- echo "Processing crontab for $USER: $FILE"
- if [ -r "$FILE" ]; then
- MYPATH=`grep '^PATH=' "$FILE" | cut -f 2 -d = `
- if [ -n "$MYPATH" ]; then
- echo Crontab path is $MYPATH
- fi
- grep -v '^#' "$FILE" | grep -v '^[ \t]*$' | grep '[ \t][^ \t][^ \t]*[ \t][ \t]*' | while read LINE
- do
- echo "Processing crontab entry: $LINE"
- PROG=`echo "$LINE" | awk '{print $6}'`
- check_called_programs "$PROG is run via cron as $USER." "$PROG" $USER
- done
- else
- echo "ERROR: Can't read file $FILE"
- fi
- done
- else
- echo "Directory /var/spool/cron/crontabs is not present. Skipping checks."
- fi
- section "Checking cron job programs aren't writable (/var/spool/cron/tabs)"
- if [ -d "/var/spool/cron/tabs" ]; then
- for FILE in /var/spool/cron/tabs/*; do
- USER=`echo "$FILE" | sed 's/^.*\///'`
- if [ "$USER" = "*" ]; then
- echo "No user crontabs found in /var/spool/cron/crontabs. Skipping checks."
- continue
- fi
- echo "Processing crontab for $USER: $FILE"
- if [ -r "$FILE" ]; then
- MYPATH=`grep '^PATH=' "$FILE" | cut -f 2 -d = `
- if [ -n "$MYPATH" ]; then
- echo Crontab path is $MYPATH
- fi
- grep -v '^#' "$FILE" | grep -v '^[ \t]*$' | grep '[ \t][^ \t][^ \t]*[ \t][ \t]*' | while read LINE
- do
- echo "Processing crontab entry: $LINE"
- PROG=`echo "$LINE" | awk '{print $6}'`
- check_called_programs "$PROG is run from cron as $USER." $PROG $USER $MYPATH
- done
- else
- echo "ERROR: Can't read file $FILE"
- fi
- done
- else
- echo "Directory /var/spool/cron/tabs is not present. Skipping checks."
- fi
- # Check programs run from /etc/inetd.conf have secure permissions
- # TODO: check inetd is actually running
- section "Checking inetd programs aren't writable"
- if [ -f /etc/inetd.conf ] && [ -r /etc/inetd.conf ]; then
- grep -v '^#' /etc/inetd.conf | grep -v '^[ \t]*$' | while read LINE
- do
- USER=`echo $LINE | awk '{print $5}'`
- PROG=`echo $LINE | awk '{print $6}'` # could be tcpwappers ...
- PROG2=`echo $LINE | awk '{print $7}'` # ... and this is the real prog
- if [ -z "$PROG" ] || [ "$PROG" = "internal" ]; then
- # Not calling an external program
- continue
- fi
- echo Processing inetd line: $LINE
- if [ -f "$PROG" ]; then
- check_called_programs "$PROG is run from inetd as $USER." $PROG $USER
- fi
- if [ -f "$PROG2" ]; then
- check_called_programs "$PROG is run from inetd as $USER." $PROG2 $USER
- fi
- done
- else
- echo "File /etc/inetd.conf not present. Skipping checks."
- fi
- # Check programs run from /etc/xinetd.d/*
- # TODO: check xinetd is actually running
- section "Checking xinetd programs aren't writeable"
- if [ -d /etc/xinetd.d ]; then
- for FILE in `grep 'disable[ \t]*=[ \t]*no' /etc/xinetd.d/* | cut -f 1 -d :`; do
- echo Processing xinetd service file: $FILE
- PROG=`grep '^[ \t]*server[ \t]*=[ \t]*' $FILE | sed 's/.*server.*=[ \t]*//'`
- USER=`grep '^[ \t]*user[ \t]*=[ \t]*' $FILE | sed 's/.*user.*=[ \t]*//'`
- check_called_programs "$PROG is run from xinetd as $USER." $PROG $USER
- done
- else
- echo "Directory /etc/xinetd.d not present. Skipping checks."
- fi
- # Check for writable home directories
- section "Checking home directories aren't writable"
- cat /etc/passwd | grep -v '^#' | while read LINE
- do
- echo Processing /etc/passwd line: $LINE
- USER=`echo $LINE | cut -f 1 -d :`
- DIR=`echo $LINE | cut -f 6 -d :`
- SHELL=`echo $LINE | cut -f 7 -d :`
- if [ "$SHELL" = "/sbin/nologin" ] || [ "$SHELL" = "/bin/false" ]; then
- echo " Skipping user $USER. They don't have a shell."
- else
- if [ "$DIR" = "/dev/null" ]; then
- echo " Skipping /dev/null home directory"
- else
- check_perms "$DIR is the home directory of $USER." $DIR $USER
- fi
- fi
- done
- # Check for readable files in home directories
- section "Checking for readable sensitive files in home directories"
- cat /etc/passwd | while read LINE
- do
- USER=`echo $LINE | cut -f 1 -d :`
- DIR=`echo $LINE | cut -f 6 -d :`
- SHELL=`echo $LINE | cut -f 7 -d :`
- for FILE in $HOME_DIR_FILES; do
- if [ -f "$DIR/$FILE" ]; then
- check_read_perms "$DIR/$FILE is in the home directory of $USER." "$DIR/$FILE" $USER
- fi
- done
- done
- section "Checking SUID programs"
- if [ "$MODE" = "detailed" ]; then
- for FILE in `find / -type f -perm -04000 2>/dev/null`; do
- check_called_programs_suid $FILE
- done
- else
- echo "Skipping checks of SUID programs (it's slow!). Run again in 'detailed' mode."
- fi
- # Check for private SSH keys in home directories
- section "Checking for Private SSH Keys home directories"
- for HOMEDIR in `cut -f 6 -d : /etc/passwd`; do
- if [ -d "$HOMEDIR/.ssh" ]; then
- PRIV_KEYS=`grep -l 'BEGIN [RD]SA PRIVATE KEY' $HOMEDIR/.ssh/* 2>/dev/null`
- if [ -n "$PRIV_KEYS" ]; then
- for KEY in $PRIV_KEYS; do
- ENC_KEY=`grep -l 'ENCRYPTED' "$KEY" 2>/dev/null`
- if [ -n "$ENC_KEY" ]; then
- echo "WARNING: Encrypted Private SSH Key Found in $KEY"
- else
- echo "WARNING: Unencrypted Private SSH Key Found in $KEY"
- fi
- done
- fi
- fi
- done
- # Check for public SSH keys in home directories
- section "Checking for Public SSH Keys home directories"
- for HOMEDIR in `cut -f 6 -d : /etc/passwd`; do
- if [ -r "$HOMEDIR/.ssh/authorized_keys" ]; then
- KEYS=`grep '^ssh-' $HOMEDIR/.ssh/authorized_keys 2>/dev/null`
- if [ -n "$KEYS" ]; then
- echo "WARNING: Public SSH Key Found in $HOMEDIR/.ssh/authorized_keys"
- fi
- fi
- done
- # Check for any SSH agents running on the box
- section "Checking for SSH agents"
- AGENTS=`ps -ef | grep ssh-agent | grep -v grep`
- if [ -n "$AGENTS" ]; then
- echo "WARNING: There are SSH agents running on this system:"
- ps -ef | grep ssh-agent | grep -v grep
- # for PID in `ps aux | grep ssh-agent | grep -v grep | awk '{print $2}'`; do
- for SOCK in `ls /tmp/ssh-*/agent.* 2>/dev/null`; do
- SSH_AUTH_SOCK=$SOCK; export SSH_AUTH_SOCK
- AGENT_KEYS=`ssh-add -l | grep -v 'agent has no identities.' 2>/dev/null`
- if [ -n "$AGENT_KEYS" ]; then
- echo "WARNING: SSH Agent has keys loaded [SSH_AUTH_SOCK=$SSH_AUTH_SOCK]"
- ssh-add -l
- fi
- done
- else
- echo "No SSH agents found"
- fi
- # Check for any GPG agents running on the box
- section "Checking for GPG agents"
- AGENTS=`ps -ef | grep gpg-agent | grep -v grep`
- if [ -n "$AGENTS" ]; then
- echo "WARNING: There are GPG agents running on this system:"
- ps aux | grep gpg-agent | grep -v grep
- else
- echo "No GPG agents found"
- fi
- # Check files in /etc/init.d/* can't be modified by non-root users
- section "Checking startup files (init.d / rc.d) aren't writable"
- for DIR in /etc/init.d /etc/rc.d /usr/local/etc/rc.d; do
- if [ -d "$DIR" ]; then
- for FILE in $DIR/*; do
- F=`echo "$FILE" | sed 's/^.*\///'`
- if [ "$F" = "*" ]; then
- echo "No user startup script found in $DIR. Skipping checks."
- continue
- fi
- echo Processing startup script $FILE
- check_called_programs "$FILE is run by root at startup." $FILE root
- done
- fi
- done
- section "Checking if running programs are writable"
- if [ $OS = "solaris" ]; then
- # use the output of ps command
- ps -ef -o user,comm | while read LINE
- do
- USER=`echo "$LINE" | awk '{print $1}'`
- PROG=`echo "$LINE" | awk '{print $2}'`
- check_called_programs "$PROG is currently running as $USER." "$PROG" "$USER"
- done
- elif [ $OS = "bsd" ]; then
- # use the output of ps command
- ps aux | while read LINE
- do
- USER=`echo "$LINE" | awk '{print $1}'`
- PROG=`echo "$LINE" | awk '{print $11}'`
- check_called_programs "$PROG is currently running as $USER." "$PROG" "$USER"
- done
- elif [ $OS = "hpux" ]; then
- # use the output of ps command
- ps -ef | while read LINE
- do
- USER=`echo "$LINE" | awk '{print $1}'`
- PROG1=`echo "$LINE" | awk '{print $8}'`
- PROG2=`echo "$LINE" | awk '{print $9}'`
- if [ -f "$PROG1" ]; then
- check_called_programs "$PROG is currently running as $USER." "$PROG1" "$USER"
- fi
- if [ -f "$PROG2" ]; then
- check_called_programs "$PROG is currently running as $USER." "$PROG2" "$USER"
- fi
- done
- elif [ $OS = "linux" ]; then
- # use the /proc file system
- for PROCDIR in /proc/[0-9]*; do
- unset PROGPATH
- PID=`echo $PROCDIR | cut -f 3 -d /`
- echo ------------------------
- echo "PID: $PID"
- if [ -d "$PROCDIR" ]; then
- if [ -r "$PROCDIR/exe" ]; then
- PROGPATH=`ls -l "$PROCDIR/exe" 2>&1 | sed 's/ (deleted)//' | awk '{print $NF}'`
- else
- if [ -r "$PROCDIR/cmdline" ]; then
- P=`cat $PROCDIR/cmdline | tr "\0" = | cut -f 1 -d = | grep '^/'`
- if [ -z "$P" ]; then
- echo "ERROR: Can't find full path of running program: "`cat $PROCDIR/cmdline`
- else
- PROGPATH=$P
- fi
- else
- echo "ERROR: Can't find full path of running program: "`cat $PROCDIR/cmdline`
- continue
- fi
- fi
- get_owner $PROCDIR; OWNER=$GET_OWNER_RETURN
- echo "Owner: $OWNER"
- else
- echo "ERROR: Can't find OWNER. Process has gone."
- continue
- fi
- if [ -n "$PROGPATH" ]; then
- get_owner $PROGPATH; PROGOWNER=$GET_OWNER_RETURN
- echo "Program path: $PROGPATH"
- check_called_programs "$PROGPATH is currently running as $OWNER." $PROGPATH $OWNER
- fi
- if [ "$MODE" == "detailed" ]; then
- for FILE in $PROCDIR/fd/*; do
- F=`echo "$FILE" | sed 's/^.*\///'`
- if [ "$F" = "*" ]; then
- continue
- fi
- check_perms "$FILE is an open file descriptor for process $PID running as $OWNER." $FILE $OWNER
- done
- fi
- done
- fi
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement