sec_task.ksh

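#!/bin/ksh

# sec_task.ksh
#
# Reports on possible security problems on an AIX system.  All output
# goes to stdout so the run can be redirected into a report file; most
# of the checks read files and run commands that need root privileges.
# The only thing the script writes is a private work directory under
# /tmp (see WORK below); nothing on the system is modified.
#
# - Jim

# Use a fixed, trusted PATH: the script is normally run as root and
# runs many external commands (find, ls, lsuser, ...).
PATH=/usr/bin:/usr/sbin:/bin:/sbin:/etc
export PATH

# Scratch lists and the two permission reports live in a private
# (mode 0700) work directory rather than under fixed names in /tmp.
# A fixed /tmp name can be pre-created or symlinked by any local user,
# and "> /tmp/name" run as root would then follow the link.  mkdir is
# the fallback when mktemp is unavailable: it is atomic and fails
# instead of following an existing entry.
WORK=$(mktemp -d /tmp/sec_task.XXXXXX 2>/dev/null) ||
  { WORK=/tmp/sec_task.$$; mkdir -m 700 "$WORK"; } ||
  { print -u2 "sec_task.ksh: cannot create a work directory under /tmp"; exit 1; }

USERS_LIST=$WORK/Users.txt
USERIDS_LIST=$WORK/UserIDs.txt
GROUP_MEMBERS=$WORK/UsersInGroup.txt

# The scratch lists are removed on exit; the reports written in
# section 16 are left in $WORK for the reviewer.
trap 'rm -f "$USERS_LIST" "$USERIDS_LIST" "$GROUP_MEMBERS"' EXIT

# All user names, one per line, sorted:
cut -d: -f1 /etc/passwd | sort > "$USERS_LIST"

# All numeric user IDs, sorted numerically (used for the duplicate check):
cut -d: -f3 /etc/passwd | sort -n > "$USERIDS_LIST"

# Every name that appears as a supplementary member of some group.
# Field 4 of /etc/group is a comma-separated list, so it is split into
# one name per line before de-duplication.
cut -d: -f4 /etc/group | tr ',' '\n' | grep -v '^$' | sort -u > "$GROUP_MEMBERS"

print
print "CREATING A REPORT OF THE CURRENT SECURITY ON "
print "SYSTEM: $(hostname)"
print "DATE: $(date "+%A, %B %e, %Y at %T %Z")"
print

# 1. All users own their home directories:

print
print "LISTING ALL HOME DIRECTORIES IN /home:"

ls -l /home

print
print "LISTING ALL HOME DIRECTORIES IN /fmd/homedir:"

ls -l /fmd/homedir


# 2. All users' home directories exist:

print
print "THE FOLLOWING IS A LIST OF USERS' HOME DIRECTORIES:"

while read -r user; do
  print "User: \"$user\" has a home directory of:"
  # Exact match on the name field; the first entry wins if the name
  # is duplicated (duplicates are reported in section 5).
  home=$(awk -F: -v u="$user" '$1 == u { print $6; exit }' /etc/passwd)
  if [ -n "$home" ]; then
    ls -ld "$home"
  else
    print "  (no home directory field in /etc/passwd)"
  fi
  print
done < "$USERS_LIST"


# 3. Listing all shells used by users.

print
print
print "ALL THE SHELLS LISTED IN /etc/passwd"
print
cut -d: -f7 /etc/passwd | sort -u


# 4. All users belong to a valid group.

# Find any users who are not in a group.
# Only supplementary membership (field 4 of /etc/group) is checked;
# the primary group in /etc/passwd is not considered.

print
print "PRINTING ANY USERS WHO ARE NOT IN A GROUP."
while read -r user; do
  # -x matches the whole line, so "bob" is no longer counted as a
  # member just because "bobby" is.
  grep -qx "$user" "$GROUP_MEMBERS" || echo "$user"
done < "$USERS_LIST"

# 4A. Showing who belongs to each group.

print
print "PRINTING A LIST OF EACH GROUP AND WHO IS IN IT."
print 
cut -d: -f1,4 /etc/group | awk -F: '{ print "Group: " $1 "\t\tMembers: " $2 }'
print

# 5. Each user has a unique name and id number.

print
print "SORTED USER ID NUMBERS.  ARE THERE REPEATS?"

# Name and UID from /etc/passwd, ordered numerically by UID
# (-k2,2n is the POSIX spelling of the old "+1 -n" sort key).
cut -d: -f1,3 /etc/passwd | sort -t: -k2,2n | awk -F: '{ print "id: "$2 "      name: "$1 }'

print
print "DUPLICATE USER ID NUMBERS (NOTHING BELOW MEANS NONE):"
uniq -d "$USERIDS_LIST"

print
print "SORTED USER ID NAMES.  ARE THERE REPEATS?"
cat "$USERS_LIST"

print
print "DUPLICATE USER NAMES (NOTHING BELOW MEANS NONE):"
uniq -d "$USERS_LIST"

# 6. Users' path statements can't be verified.

# 7. root login is restricted to system console.

print
print "DISPLAYING ROOT'S LOGIN CHARACTERISTICS:"

lsuser -f root

# 8. Old accounts are disabled?
# "maher" is a hard-coded example account; adjust to the account
# being audited.

print
print "DISPLAYING MAHER'S LOGIN CHARACTERISTICS:"

lsuser -f maher

# 9. Time out for root user.  See #7 .

# 10. List permissions on /etc/security/passwd and /etc/security/group

print
print "LISTING PERMISSIONS ON SHADOW PASSWORD AND GROUP"
ls -l /etc/security/passwd
ls -l /etc/security/group

# 11. All password policies in the information security policy are being followed.
# Please see #7 and #8 above for information on how user accounts are set up.

# 12. Check to see if PAM is using a configuration file.
# If PAM is in use, there will be an entry for it in
# /usr/lib/security/methods.cfg

echo
echo "IF \"PAM\" IS CONFIGURED, THEN IT WILL HAVE AN ENTRY IN"
echo "/USR/LIB/SECURITY/METHODS.CFG"
echo "DISPLAYING ANY REFERENCE TO PAM IN METHODS.CFG"

grep -i pam /usr/lib/security/methods.cfg

# 13. Displaying the permissions on /etc/sudoers file.

echo
echo "DISPLAYING THE PERMISSION ON THE /etc/sudoers FILE."
ls -l /etc/sudoers
echo


# 14. Displaying the contents of /etc/sudoers file.
echo
echo "DISPLAYING THE CONTENTS OF THE /etc/sudoers FILE."
echo
cat /etc/sudoers
echo
echo "END OF DISPLAYING /etc/sudoers FILE."
echo

# 15. Listing the .forward, .netrc, and .rhosts files
# (the rhosts file is named ".rhosts"; searching for ".rhost" finds nothing).

print
print "LISTING ALL .forward files."
find / -name .forward -exec ls -l {} \;

print
print "LISTING ALL .netrc files."
find / -name .netrc -exec ls -l {} \;

print
print "LISTING ALL .rhosts files."
find / -name .rhosts -exec ls -l {} \;

# 16. Checking Home Directories:

# "find -ls" prints the mode string in field 3 and the path from field
# 11 on; the loop keeps paths that contain spaces intact.  World
# write/execute is tested with -perm instead of pattern-matching the
# mode string, and symbolic links are skipped with "! -type l".
MODE_AND_PATH='{ printf "%s", $3; for (i = 11; i <= NF; i++) printf " %s", $i; printf "\n" }'
WW_OUT=$WORK/WWPerm.txt
WX_OUT=$WORK/WXPerm.txt

print
print "LISTING ALL FILES/DIRECTORIES WITH WORLD WRITE PERMISSIONS."
print "SENDING THE OUTPUT TO $WW_OUT"
find / ! -type l -perm -0002 -ls | awk "$MODE_AND_PATH" > "$WW_OUT"

print
print "LISTING ALL FILES/DIRECTORIES WITH WORLD EXECUTE PERMISSIONS."
print "SENDING THE OUTPUT TO $WX_OUT"
find / ! -type l -perm -0001 -ls | awk "$MODE_AND_PATH" > "$WX_OUT"

print
print "LISTING ALL FILES/DIRECTORIES WITH WORLD WRITE PERMISSIONS"
print "IN /home AND /fmd/homedir."
print
find /home ! -type l -perm -0002 -ls | awk "$MODE_AND_PATH"
find /fmd/homedir ! -type l -perm -0002 -ls | awk "$MODE_AND_PATH"

print
print "LISTING ALL FILES/DIRECTORIES WITH WORLD EXECUTE PERMISSIONS"
print "IN /home AND /fmd/homedir."
print
find /home ! -type l -perm -0001 -ls | awk "$MODE_AND_PATH"
find /fmd/homedir ! -type l -perm -0001 -ls | awk "$MODE_AND_PATH"

# Where are the home directories located?
# Listing all home directories.

print
print "LISTING ALL HOME DIRECTORIES."

sort /etc/passwd | awk -F: '{print $1 "           HOME DIRECTORY:" $6}'

# 17. Displaying umask (default and root).

print
print "DISPLAYING HOW UMASK IS SET BY THE FILES IN /ETC"
# /etc/* includes directories; their "Is a directory" diagnostics are
# noise in the report, so stderr is dropped here on purpose.
grep umask /etc/* 2>/dev/null

print
print "DISPLAYING UMASK FOR ROOT"
# This is the umask of the shell running the report, i.e. root's
# only when the script is run as root.
umask

# 18. Checking Key System files:
# This section is not completed at this time.

# "ls -lR" output is reduced to "mode owner group size ..." (the link
# count is dropped by cut), lines owned by root or bin are removed,
# and AIX "grep -p" (paragraph mode) then prints only the directory
# headers that still have at least one file under them.  Without the
# grep -p, every directory name would be printed whether or not it
# contains a file owned by someone else.

echo
echo "LISTING ALL FILES IN /ETC THAT ARE NOT OWNED BY ROOT NOR BIN."
ls -lR /etc | tr -s ' ' | cut -d" " -f1,3- | grep -E -v '(^total|^...........root|^...........bin)' | grep -p " "

echo
echo "LISTING ALL FILES IN /VAR THAT ARE NOT OWNED BY ROOT NOR BIN."
ls -lR /var | tr -s ' ' | cut -d" " -f1,3- | grep -E -v '(^total|^...........root|^...........bin)' | grep -p " "

echo
echo "LISTING ALL FILES IN /USR THAT ARE NOT OWNED BY ROOT NOR BIN."
ls -lR /usr | tr -s ' ' | cut -d" " -f1,3- | grep -E -v '(^total|^...........root|^...........bin)' | grep -p " "

echo
echo "LISTING ALL FILES IN /SBIN THAT ARE NOT OWNED BY ROOT NOR BIN."
ls -lR /sbin | tr -s ' ' | cut -d" " -f1,3- | grep -E -v '(^total|^...........root|^...........bin)' | grep -p " "

echo
echo "LISTING ALL FILES IN /U01/APP/ORACLE NOT OWNED BY ORACLE."
ls -lR /u01/app/oracle | tr -s ' ' | cut -d" " -f1,3- | grep -E -v '(^total|^...........oracle)' | grep -p " "


# Device files outside /dev are the interesting ones.  Paths are passed
# to ls as arguments rather than being pasted into a command line that
# is piped to ksh, so a file name containing shell metacharacters
# cannot run anything as root.
echo
echo "LISTING ALL CHARACTER DEVICE FILES:"
find / -type c -print | grep -v '^/dev/' | while read -r dev; do ls -l "$dev"; done

echo
echo "LISTING ALL BLOCK DEVICE FILES:"
find / -type b -print | grep -v '^/dev/' | while read -r dev; do ls -l "$dev"; done

# 19. Is sticky bit set for /tmp:

print 
print "CHECKING TO SEE IF STICKY BIT IS SET /tmp and /var/adm:"
ls -ld /tmp /var/adm

# 20. User-created SUID and SGID files are not used.
# -perm -004000 is the setuid bit, -perm -002000 the setgid bit.

echo
echo "PRINTING ALL FILES WITH THE SETUID BIT SET."
echo
find / -perm -004000 -type f -exec ls -l {} \;

echo
echo
echo "PRINTING ALL FILES WITH THE SETGID BIT SET."
echo
find / -perm -002000 -type f -exec ls -l {} \;

# 21. Have uucp and nuucp accounts been disabled?
# Are their shells set to /bin/false.sh

# -F: in the awk statement means that the field separator is a ":".
# Only the user-name field is matched, so an unrelated account whose
# home directory mentions uucp is not listed.

echo
echo
echo " IS THE SHELL FOR UUCP AND NUUCP SET TO FALSE?"
echo
awk -F: '$1 ~ /uucp/ {print $1 "                SHELL: "$7}' /etc/passwd
echo
echo

# 22. Start up scripts do not reference a world-writeable program or
#    configuration file.
#    We are handling this situation by not allowing any world-
#    writeable files.


# 23. List permissions for all .profile, .cshrc, .login, and .exrc files.

echo "LISTING PERMISSIONS FOR ALL .profile: "
echo
find / -name .profile -exec ls -l {} \;
echo
echo

echo "LISTING PERMISSIONS FOR ALL .cshrc: "
echo
find / -name .cshrc -exec ls -l {} \;
echo
echo

echo "LISTING PERMISSIONS FOR ALL .login: "
echo
find / -name .login -exec ls -l {} \;
echo
echo

echo "LISTING PERMISSIONS FOR ALL .exrc: "
echo
find / -name .exrc -exec ls -l {} \;
echo
echo

echo "LISTING PERMISSIONS FOR ALL .bashrc: "
echo
find / -name .bashrc -exec ls -l {} \;
echo
echo

### To be done by security team.

# 24. Non-essential services:
# Make sure that rlogin, ftp, and telnet are
# disabled.

echo
echo "THE LINES IN /ETC/INETD.CONF PERTAINING TO STARTING"
echo "RLOGIN, FTP, AND TELNET SHOULD BE COMMENNTED OUT."
echo "BELOW IS THE RESULT OF A GREP OF THE FILE.  ARE THE"
echo "VALUES COMMENTED OUT?"
grep rlogin /etc/inetd.conf
grep ftp /etc/inetd.conf
grep telnet /etc/inetd.conf

# Is ssh daemon running?
# The "grep -v grep" after each "ps | grep" below removes the grep
# command itself, which would otherwise always match and make it look
# as if the daemon were running.

echo
echo "PERFORMING PS TO SEE IS SSH DAEMON IS RUNNING."
echo "DO YOU SEE A sshd PROCESS LISTED?"	
ps -ef | grep -i /usr/sbin/sshd | grep -v grep

# Looking for /etc/hosts.equiv.

echo
echo "LOOKING FOR /ETC/HOSTS.EQUIV"
echo "VIA 'ls -l /etc/hosts*'"
ls -l /etc/hosts*

# DISPLAYING THE EXPORTED FILESYSTEMS: "
echo
echo
echo "DISPLAYING EXPORTED FILESYSTEMS: "
exportfs

echo 
echo "DISPLAYING THE CONTENTS OF /ETC/EXPORTS"
cat /etc/exports

echo
echo "DO NOT ALLOW ANONYMOUS ACCESS VIA FTP."
echo "CONFIRMATION OF FTP BEING DISABLED IS TESTED ABOVE."

# Is NIS running?

echo
echo "CHECKING TO SEE IF NIS IS RUNNING."
echo "IF IT IS, THEN YOU WILL SEE OUTPUT BELOW FROM A PS."
ps -ef | grep -i yp | grep -v grep

# 25. Direct modem access has been disabled.
# The modem will use uucp.  Checking netstat
# for a uucp connection.

echo
echo "IS A MODEM CONNECTED TO THE SYSTEM?"
echo "IF SO, NETSTAT WILL REPORT AN UUCP CONNECTION."
echo "GREPPING NETSTAT.  DO YOU SEE ANY UUCP CONNECTIONS?"
netstat -a | grep -i uucp

# 26. Checking for FTP being disabled.

echo
echo "CHECKING THAT FTP IS DISABLED WAS PERFORMED ABOVE."

# 27. Status of sendmail.
# Listing the privacy level of sendmail:

echo
echo "LISTING THE PRIVACY LEVEL OF SENDMAIL."
echo "IN /etc/sendmail.cf, THE \"PrivacyOptions\" ARE SET"
echo "TO: $(grep -i PrivacyOptions /etc/sendmail.cf)."

# 28. Checking to see which files are accessed by cron:
echo 
CRON_SCRIPT=/fmd/homedir/scripts/ListingFilesUsedByCron.ksh
if [ -x "$CRON_SCRIPT" ]; then
  "$CRON_SCRIPT"
else
  echo "$CRON_SCRIPT IS MISSING OR NOT EXECUTABLE; CRON FILE CHECK SKIPPED."
fi

# 29. Listing all users' at files:
# The directory is globbed directly instead of "cd"-ing into it, so a
# failed cd can no longer make the loop cat every file in the current
# directory instead.

echo "LISTING ALL OF THE USERS' AT FILES."

AT_DIR=/var/spool/cron/atjobs
if [ -d "$AT_DIR" ]; then
  for at_file in "$AT_DIR"/*; do
    [ -f "$at_file" ] || continue
    echo "${at_file##*/} contains: "
    cat "$at_file"
  done
else
  echo "$AT_DIR DOES NOT EXIST; NO AT FILES TO LIST."
fi

# 30. Showing the contents of /var/adm/cron

echo 
echo "CONTENTS OF /VAR/ADM/CRON"
ls -l /var/adm/cron

# 31. Routed daemon has been disabled.

echo
echo "ROUTED DAEMON SHOULD NOT BE RUNNING."
echo "PERFOMRING ps -ef | grep -i routed"
ps -ef | grep -i routed | grep -v grep


# 32. SNMP has been removed.

echo
echo "SHOWING IF SNMP PROCESSES ARE RUNNING VIA \"ps -ef | grep -i
snmp\"."
ps -ef | grep -i snmp | grep -v grep

# 33. Where possible, obscure the operating system information.

echo
echo "FTP AND TELNET SHOULD BE DISALBED.  THEREFORE,"
echo "NO OPERATING SYSTEM INFORMATION IS VISIBLE VIA THOSE"
echo "METHODS."
echo "SEE ABOVE TO CONFIRM THAT TELNET AND FTP ARE DISABLED."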