From owner-freebsd-current Sat Oct 28 11:19:14 2000 Delivered-To: freebsd-current@freebsd.org Received: from charles.intelos.net (phalliday.lyn.mvl.intelos.net [216.12.74.29]) by hub.freebsd.org (Postfix) with ESMTP id ABFA637B479 for ; Sat, 28 Oct 2000 11:19:05 -0700 (PDT) Received: from wslogic.com (IDENT:pjh@charles.intelos.net [216.12.74.29]) by charles.intelos.net (8.9.3/8.9.3) with ESMTP id OAA23064 for ; Sat, 28 Oct 2000 14:20:45 -0400 Message-ID: <39FB18FD.C689EC8E@wslogic.com> Date: Sat, 28 Oct 2000 14:20:45 -0400 From: Peter Halliday X-Mailer: Mozilla 4.72 [en] (X11; U; Linux 2.2.16-3 i686) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-current@freebsd.org Subject: /etc/security suggestions Content-Type: multipart/mixed; boundary="------------1A445F45C3701398F76F6B71" Sender: owner-freebsd-current@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG This is a multi-part message in MIME format. --------------1A445F45C3701398F76F6B71 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit I have ported the /etc/security script to Linux, and wanted to mention some of the changes that I made. Maybe they will help you in developing /etc/security. -- Peter Halliday Online Application Developer Whetstone Logic, Inc. http://www.whetstonelogic.com icq#75769411 AIM screen name: hoaggelos --------------1A445F45C3701398F76F6B71 Content-Type: text/plain; charset=us-ascii; name="diffs" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="diffs" @@ -1,14 +1,19 @@ # # @(#)security 5.3 (Berkeley) 5/28/91 # $FreeBSD: src/etc/security,v 1.36.2.6 2000/09/20 20:16:19 brian Exp $ # -PATH=/sbin:/bin:/usr/bin +# THIS PRODUCT COMES WITH NO EXPLICIT OR IMPLICIT WARRANTEES OR +# GUARANTEES. THE AUTHOR IS NOT RESPONSIBLE FOR ANY DAMAGE THAT MAY +# OCCUR +VERSION=0.1.0 +PATH=/bin;/usr/bin;/sbin;/usr/sbin LC_ALL=C; export LC_ALL rc=0 LOG=/var/log -TMP=/var/run/_secure.$$ +IFS=' +' +TMP=`/bin/mktemp /var/run/_secure.XXXXXX` separator () { echo '' @@ -16,8 +21,7 @@ } catmsgs() { - [ -f $LOG/messages.0.gz ] && zcat $LOG/messages.0.gz - [ -f $LOG/messages.0 ] && cat $LOG/messages.0 + [ -f $LOG/messages.1 ] && cat $LOG/messages.1 [ -f $LOG/messages ] && cat $LOG/messages } @@ -31,130 +35,165 @@ esac done -yesterday=`date -v-1d "+%b %e "` +#yesterday=`date -v-1d "+%b %e "` host=`hostname` -[ $sflag = FALSE ] && echo "Subject: ${host} security check output" -umask 027 +separator +echo "security-script $VERSION" +echo +echo "THIS PRODUCT COMES WITH NO EXPLICIT OR IMPLICIT WARRANTEES OR GUARANTEES. THE AUTHOR IS NOT RESPONSIBLE FOR ANY DAMAGE THAT MAY OCCUR." + + +#check roots umask +if [ "`umask`" != "177" ] ; then + separator + echo "Root's umask is insecure. Please change it to 177" +fi +umask 177 + -echo "checking setuid files and devices:" # Don't have ncheck, but this does the equivalent of the commented out block. # Note that one of the original problems, the possibility of overrunning # the args to ls, is still here... # -MP=`mount -t ufs | grep -v " nosuid" | awk '{ print $3 }' | sort` +MP=`mount -t ext2,reiserfs,ufs 2>/dev/null | grep -v " nosuid" | awk '{ print $3 }' | sort` set ${MP} while [ $# -ge 1 ]; do mount=$1 shift find $mount -xdev -type f \ \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \ - \( -perm -u+s -or -perm -g+s \) -print0 -done | xargs -0 -n 20 ls -liTd | sort +10 > ${TMP} + \( -perm -u+s -or -perm -g+s \) -print0 2>/dev/null +done | xargs -0 -n 20 /bin/ls -lid | sort +10 > ${TMP} if [ ! -f ${LOG}/setuid.today ]; then [ $rc -lt 1 ] && rc=1 - separator + separator + echo "checking setuid files and devices:" echo "no ${LOG}/setuid.today" - cp ${TMP} ${LOG}/setuid.today || rc=3 + cp -f ${TMP} ${LOG}/setuid.today || rc=3 fi if ! cmp ${LOG}/setuid.today ${TMP} >/dev/null; then [ $rc -lt 1 ] && rc=1 - separator + separator + echo "checking setuid files and devices:" echo "${host} setuid diffs:" diff -w ${LOG}/setuid.today ${TMP} - mv ${LOG}/setuid.today ${LOG}/setuid.yesterday || rc=3 - mv ${TMP} ${LOG}/setuid.today || rc=3 + mv -f ${LOG}/setuid.today ${LOG}/setuid.yesterday || rc=3 + mv -f ${TMP} ${LOG}/setuid.today || rc=3 +fi + + + + +# Don't have ncheck, but this does the equivalent of the commented out block. +# Note that one of the original problems, the possibility of overrunning +# the args to ls, is still here... +# +RK=`mount -t ext2,reiserfs,ufs 2>/dev/null | grep -v " nosuid" | awk '{ print $3 }' | sort` +set ${RK} +while [ $# -ge 1 ]; do + mount=$1 + shift + find $mount -name ".*" 2>/dev/null +done | sort +10 > ${TMP} + + +if [ ! -f ${LOG}/rootkit.today ]; then + [ $rc -lt 1 ] && rc=1 + separator + echo "checking for possible rootkits:" + echo "no ${LOG}/rootkit.today" + cp -f ${TMP} ${LOG}/rootkit.today || rc=3 +fi + +if ! cmp ${LOG}/rootkit.today ${TMP} >/dev/null; then + [ $rc -lt 1 ] && rc=1 + separator + echo "checking for possible rootkits:" + echo "${host} rootkit diffs:" + diff -w ${LOG}/rootkit.today ${TMP} + mv -f ${LOG}/rootkit.today ${LOG}/rootkit.yesterday || rc=3 + mv -f ${TMP} ${LOG}/rootkit.today || rc=3 fi + + # Show changes in the way filesystems are mounted # [ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat -if mount -p | $cmd > $TMP; then +if mount | $cmd > $TMP; then if [ ! -f $LOG/mount.today ]; then [ $rc -lt 1 ] && rc=1 - separator + separator + echo "Checking diffs in mounting of filesystems:" echo "no $LOG/mount.today" - cp $TMP $LOG/mount.today || rc=3 + cp -f $TMP $LOG/mount.today || rc=3 fi if ! cmp $LOG/mount.today $TMP >/dev/null 2>&1; then [ $rc -lt 1 ] && rc=1 - separator + separator + echo "Checking diffs in mounting of filesystems:" echo "$host changes in mounted filesystems:" diff -b $LOG/mount.today $TMP - mv $LOG/mount.today $LOG/mount.yesterday || rc=3 - mv $TMP $LOG/mount.today || rc=3 + mv -f $LOG/mount.today $LOG/mount.yesterday || rc=3 + mv -f $TMP $LOG/mount.today || rc=3 fi fi separator echo "checking for uids of 0:" -n=$(awk -F: '$3==0 {print $1,$3}' /etc/master.passwd | - tee /dev/stderr | - sed -e '/^root 0$/d' -e '/^toor 0$/d' | - wc -l) -[ $n -gt 0 -a $rc -lt 1 ] && rc=1 - +awk -F: '$3==0 {print $1,$3}' /etc/passwd + separator echo "checking for passwordless accounts:" -n=$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/master.passwd | - tee /dev/stderr | wc -l) -[ $n -gt 0 -a $rc -lt 1 ] && rc=1 - +awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/passwd + # Show denied packets # -if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then - if [ ! -f ${LOG}/ipfw.today ]; then +if /sbin/ipchains -L -v --line-numbers 2>/dev/null | egrep "DENY|REJECT" > ${TMP}; then + if [ ! -f ${LOG}/ipchains.today ]; then [ $rc -lt 1 ] && rc=1 - separator - echo "no ${LOG}/ipfw.today" - cp ${TMP} ${LOG}/ipfw.today || rc=3 + separator + echo "Checking fire wall rule count:" + echo "no ${LOG}/ipchains.today" + cp -f ${TMP} ${LOG}/ipchains.today || rc=3 fi - if ! cmp ${LOG}/ipfw.today ${TMP} >/dev/null; then + if ! cmp ${LOG}/ipchains.today ${TMP} >/dev/null; then [ $rc -lt 1 ] && rc=1 - separator - echo "${host} denied packets:" - diff -b ${LOG}/ipfw.today ${TMP} | egrep "^>" - mv ${LOG}/ipfw.today ${LOG}/ipfw.yesterday || rc=3 - mv ${TMP} ${LOG}/ipfw.today || rc=3 + separator + echo "Checking fire wall rule count:" + echo "${host} denied or rejected packets:" + diff -b ${LOG}/ipchains.today ${TMP} | egrep "^>" + mv -f ${LOG}/ipchains.today ${LOG}/ipchains.yesterday || rc=3 + mv -f ${TMP} ${LOG}/ipchains.today || rc=3 fi fi -# Show ipfw rules which have reached the log limit -# -IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null` -if [ $? -eq 0 -a "${IPFW_LOG_LIMIT}" -ne 0 ]; then - ipfw -a l | grep " log " | perl -n -e \ - '/^\d+\s+(\d+)/; print if ($1 >= '$IPFW_LOG_LIMIT')' > ${TMP} - if [ -s "${TMP}" ]; then - [ $rc -lt 1 ] && rc=1 - separator - echo "ipfw log limit reached:" - cat ${TMP} - fi -fi # Show kernel log messages # -if dmesg 2>/dev/null > ${TMP}; then +if /bin/dmesg 2>/dev/null > ${TMP}; then if [ ! -f ${LOG}/dmesg.today ]; then [ $rc -lt 1 ] && rc=1 - separator + separator + echo "Checking kernal message:" echo "no ${LOG}/dmesg.today" - cp ${TMP} ${LOG}/dmesg.today || rc=3 + cp -f ${TMP} ${LOG}/dmesg.today || rc=3 fi if ! cmp ${LOG}/dmesg.today ${TMP} >/dev/null 2>&1; then [ $rc -lt 1 ] && rc=1 - separator + separator + echo "Checking kernal message:" echo "${host} kernel log messages:" diff -b ${LOG}/dmesg.today ${TMP} | egrep "^>" - mv ${LOG}/dmesg.today ${LOG}/dmesg.yesterday || rc=3 - mv ${TMP} ${LOG}/dmesg.today || rc=3 + mv -f ${LOG}/dmesg.today ${LOG}/dmesg.yesterday || rc=3 + mv -f ${TMP} ${LOG}/dmesg.today || rc=3 fi fi @@ -162,17 +201,85 @@ # separator echo "${host} login failures:" -n=$(catmsgs | grep -i "^$yesterday.*login failure" | tee /dev/stderr | wc -l) -[ $n -gt 0 -a $rc -lt 1 ] && rc=1 - +catmsgs | grep -i "failed login" | /usr/bin/tee /dev/stderr + # Show tcp_wrapper warning messages # separator echo "${host} refused connections:" -n=$(catmsgs | grep -i "^$yesterday.*refused connect" | tee /dev/stderr | wc -l) -[ $n -gt 0 -a $rc -lt 1 ] && rc=1 +catmsgs | grep -i "refused connect" | /usr/bin/tee /dev/stderr -rm -f ${TMP} +# Show authentication failures +# +separator +echo "${host} authentication failures:" +catmsgs | grep -i "authentication failure" | /usr/bin/tee /dev/stderr -exit $rc +# check for any interfaces in promiscuous mode +separator +echo "${host} interfaces in promiscuous mode:" +catmsgs | grep -i "entered promiscuous mode" | /usr/bin/tee /dev/stderr + +# check for sticky-bit on /tmp and exit if not found +if [ `/bin/ls -ld /tmp | cut -c10` != "t" ] ; then + echo "/tmp does not have sticky-bit turned on. Please 'chmod +t /tmp'" + exit 1 +fi + + + +# check for incorrect perm on /etc/cron.d if it exists +if [ -d /etc/cron.d ] ; then + if [ "`/bin/ls -ld /etc/cron.d | cut -c1-10`" != "drwxr-x---" ] ; then + separator + echo "Permissions too lax on /etc/cron.d. Please 'chmod -R 750 /etc/cron.d" + fi +fi + +# check for incorrect perms on /etc/crontab if it exists +if [ -f /etc/crontab ] ; then + if [ "`/bin/ls -l /etc/crontab | cut -c1-10`" != "-rw-r-----" ] ; then + separator + echo "Permissions too lax on /etc/crontab. Please 'chmod 640 /etc/crontab'" + fi +fi +# check for incorrect perms on /etc/syslog.conf if it exists +if [ -f /etc/syslog.conf ] ; then + if [ "`/bin/ls -l /etc/syslog.conf | cut -c1-10`" != "-rw-------" ] ; then + separator + echo "Permission too lax on /etc/syslog.conf. Please 'chmod 600 /etc/syslog.conf'" + fi +fi + +# check for incorrect perms on /var/log and it's subdirs +separator +echo "Please 'chmod 700' the following directories" +find /var/log -type d ! -perm 0700 + +# check for incorrect perms on logfiles +separator +echo "Please 'chmod 600' the following files" +find /var/log -type d ! -perm 0600 + +# check for incorrect perms on /etc/lilo.conf +if [ -f /etc/lilo.conf ] ; then + if [ "`/bin/ls -l /etc/lilo.conf`" != "-rw-------" ] ; then + separator + echo "Please 'chmod 600 /etc/lilo.conf'" + fi +fi + +# check for .rhosts files +separator +echo "Checking for .rhosts files" +find / -name '.rhosts' -print + +# check for readable .netrc files +separator +echo "Checking for readable .netrc files (chmod 600 to correct)" +find / -name '.netrc' ! -perm 0600 -print + + +rm -f ${TMP} +exit $rc --------------1A445F45C3701398F76F6B71-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message