#!/bin/sh
#
# Copyright 1990, 1991 Sun Microsystems, Inc.  All Rights Reserved.
#
#
#ident	"@(#)tune.sh	1.3	94/11/18 SMI"

#
#   Tune attributes on system objects
#
#   This script is intended to set system object attributes
#   to values more appropriate for security-conscious environments.
#
#   -p : preview flag

# Archive of the attributes this run changes, named after the level being
# left; it is only written when the security level actually changes.
archive="${ASETDIR}/archives/tune.arch.${PREV_ASETSECLEVEL}"

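#######################################
# Apply a numeric mode to one object, refusing the combination this task
# treats as unsafe.
# Arguments: $1 - mode as printed by $MINMODE (expected to be one numeric
#                 word, e.g. 2755 or 755)
#            $2 - path of the file or directory
# Globals:   CHMOD (read) - the chmod command; in preview mode it is
#            "echo chmod", so it is deliberately left unquoted below.
# Returns:   0 if the mode was applied (or previewed),
#            1 if the mode asks for set-uid AND set-gid at once - refused,
#              nothing is changed.
# Notes:     for a directory an explicit "g+s" is issued after the numeric
#            chmod so the set-gid bit takes effect where a numeric mode alone
#            does not set it on a directory.
#######################################
mychmod()
{
   tmode=$1
   file=$2
   # Fourth digit from the right: the special-bits digit of a 4-digit mode.
   # Empty for a 3-digit mode, i.e. no special bits requested.
   sbits=`expr "$tmode" : '.*\(.\)...'`
   sgbit=0
   if [ "$sbits" != "" ]
   then
      # Decompose the digit: 1 = sticky, 2 = set-gid, 4 = set-uid.
      sgbit=`expr \( "$sbits" / 2 \) % 2`
      subit=`expr "$sbits" / 4`
      if [ "$sgbit" -eq 1 ] && [ "$subit" -eq 1 ]
      then
         # Never create an object that is both set-uid and set-gid.
         return 1
      fi
   fi
   # $CHMOD unquoted on purpose: "echo chmod" must split into two words.
   $CHMOD "$tmode" "$file"
   if [ -d "$file" ] && [ "$sgbit" -eq 1 ]
   then
      $CHMOD g+s "$file"
   fi
   return 0
}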

echo
echo "*** Begin Tune Task ***"

# Only root may change object attributes.  $UID is not set by this script;
# it is expected from the calling environment.  NOTE(review): if it were
# unset the test below is malformed and simply fails, which falls through
# to the task instead of skipping it - confirm the ASET driver always
# exports UID.
if [ $UID -ne 0 ]
then
   echo
   echo "You are not authorized to change system object attributes."
   echo "Task Skipped!"
   exit
fi

# -p: preview.  The modifying commands become "echo ..." so each change is
# printed instead of applied; the attribute readers ($FILE_ATTR, $MINMODE)
# still run.  Without -p, CHMOD/CHOWN/CHGRP are taken from the environment
# (nothing in this file sets them).
if [ $# -gt 0 -a "$1" = "-p" ]
then
   echo
   echo "... just previewing - objects attributes not changed"
   echo
   CHMOD="echo chmod"
   CHOWN="echo chown"
   CHGRP="echo chgrp"
fi

# Downgrade: first put back the attributes recorded by the earlier
# upgrade(s), then carry on and apply this level's master file as well.
# The exit after the restore is commented out, apparently on purpose.
if [ "$DOWNGRADE" = "true" ]
then
   $ASETDIR/tasks/tune.restore
#   exit $?
fi

echo
echo "... setting attributes on the system objects defined in"
echo "    ${ASETDIR}/masters/tune.${ASETSECLEVEL}"    

# When the level changed, start a fresh archive of the attributes this run
# is about to change (">" truncates any earlier archive for that level).
if [ "$PREV_ASETSECLEVEL" != "$ASETSECLEVEL" ]
then
   # we know we are not downgrading, so we must be upgrading.
   # NOTE(review): with the exit above commented out, this branch also
   # runs on a downgrade, overwriting tune.arch.<previous level> right
   # after tune.restore has read it - confirm that is intended.
   need_archive="true"
   echo "# This file contains original settings of files or" > $archive
   echo "# directories that have been changed by ASET." >> $archive
   echo >> $archive
else
   need_archive="false"
fi

# Nothing to do without a non-empty master file for this level.  Like the
# authorization check above this exits with status 0.
if [ ! -s ${ASETDIR}/masters/tune.${ASETSECLEVEL} ]
then
   echo
   echo "tune.task: master file not found: \c"
   echo "${ASETDIR}/masters/tune.${ASETSECLEVEL}"
   exit
fi

# Apply the master file for the current level, one entry per line:
#    path mode user group type
# "path" may be a shell pattern (it is expanded unquoted below); mode, user
# and group may each be "?" to leave that attribute alone.
while read path mode user group type junk
do
   #   Skip comments and white lines
   #   (a comment is only recognised when "#" is a word of its own)
   if [ "$path" = "#" ]
   then
      continue;
   elif [ "$path" = "" ]
   then
      continue;
   fi

   # Warn and skip lines without all the required fields
   if [ "$type" = "" ]
   then
      echo
      echo "Warning: bad entry:"
      echo "$path $mode $user $group $type"
      continue;
   fi

   # Warn and skip lines with too many fields
   if [ "$junk" != "" ]
   then
      echo
      echo "Warning: bad entry:"
      echo "$path $mode $user $group $type $junk"
      continue;
   fi

   # $path is deliberately unquoted so that a master entry can be a glob
   # pattern (it also word-splits, so entries cannot contain blanks).
   for file in $path
   do
      #
      #   If the object does not exist on this system then skip it.
      #   (-d/-f follow symbolic links: a dangling link is skipped, a
      #   live one is examined as its target.)
      #
      if [ ! -d "$file" -a ! -f "$file" ]
      then
         continue;
      fi

      #   If a "?" is found in the mode, user, group field, that
      #   field is treated as a don't-care and ignored.
      #
      #   If the object is a symbolic link then do not chmod(1) it.
      #
      # Current attributes as printed by $FILE_ATTR; fields 3 and 4 are
      # read back below as owner and group.
      old_attr=`$FILE_ATTR $file`
      changed=false
      if [ "$type" != "symlink" -a "$mode" != "?" ]
      then
         # $MINMODE is given the object and the master's mode and prints
         # the mode to apply (its policy is not visible here); its exit
         # status gates the chmod.  mychmod returns 1 - and the object is
         # recorded as unchanged - for a mode that is set-uid and set-gid.
         newmode=`$MINMODE $file $mode`
         if [ $? -eq 0 ]
         then
            if mychmod "$newmode" "$file"
	    then
	       changed=true
	    fi
	 fi
      fi
      # Owner/group are changed whenever they differ from the recorded
      # ones.  Unlike the chmod above this is not skipped for "symlink"
      # entries, and chown/chgrp run without -h, so wherever they follow
      # links it is the link's target that is re-owned.
      if [ "$user" != "?" -a \
           "$user" != `echo $old_attr | $AWK '{print $3}'` ]
      then
         $CHOWN "$user" "$file"
	 changed=true
      fi
      if [ "$group" != "?" -a \
	   "$group" != `echo $old_attr | $AWK '{print $4}'` ]
      then
         $CHGRP "$group" "$file"
	 changed=true
      fi
      # Record the pre-change attributes so tune.restore can put them back.
      if [ "$need_archive" = "true" -a "$changed" = "true" ]
      then
	 echo $file $old_attr >> $archive
      fi
   done # for loop
done < ${ASETDIR}/masters/tune.${ASETSECLEVEL} # while loop

echo
echo "*** End Tune Task ***"
                                                                                                                                                                                                                                                                                                                                                                                                                      aset/tasks/tune.restore                                                                             0100700 0000000 0000002 00000007376 06363046170 0015333 0                                                                                                    ustar 00root                            bin                             0000040 0000016                                                                                                                                                                        #!/bin/sh
#
#
# Copyright 1990, 1991 Sun Microsystems, Inc.  All Rights Reserved.
#
#
#ident	"@(#)tune.restore.sh	1.5	94/12/07 SMI"

# This script reverts the file attributes changed by tune.task to their
# previous values, as recorded in the archive file.

# Helper programs: taken from the ASET tree or fixed absolute paths, so the
# caller's PATH is never consulted.  All are exported for the helpers' use.
AWK=/bin/awk;                              export AWK
LS=/bin/ls;                                export LS
FILE_ATTR="${ASETDIR}/util/file_attr";     export FILE_ATTR
STR_TO_MODE="${ASETDIR}/util/str_to_mode"; export STR_TO_MODE

# Basename of this script, for messages.  The "\| $0" alternative makes
# expr fall back to the whole of $0 when it contains no slash.
myname=`expr "$0" : '.*/\(.*\)' \| "$0"`

# Only option: -p previews the changes without applying them.
usage="$myname [-p]"

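#######################################
# Report a fatal error and stop.
# Globals:   myname (read)
# Arguments: the message words to print
# Outputs:   a blank line, "<myname> failed:" and the message, on stdout
#            (kept on stdout as before, so callers capturing output still
#            see it)
# Returns:   does not return; exits 1
#######################################
fail()
{
   echo
   echo "$myname failed:"
   # Quote the message so it is neither re-split nor glob-expanded.
   echo "$*"
   exit 1
}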

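not_lower()
# usage: not_lower level1 level2
# return: 0 if level1 is not lower than level2 (higher or equal)
#         1 if lower, or if level1 is not one of null/low/med/high
# Levels, highest first: high med low null.  A level2 that is not a known
# name compares as in the original table: only med and high are "not
# lower" than it.
{
   level1=$1
   level2=$2
   case "$level1" in
   null)
      [ "$level2" = "null" ] && return 0 ;;
   low)
      case "$level2" in
      null|low) return 0 ;;
      esac ;;
   med)
      [ "$level2" != "high" ] && return 0 ;;
   high)
      return 0 ;;
   esac
   return 1
}

between_levels()
# usage: between_levels level1 level2
# prints all the levels in between (inclusively) level1 and level2
# from the highest down, blank separated on one line (Solaris echo "\c").
# level1 is assumed to be not lower than level2; prints nothing otherwise.
# If level2 is not a known level name the walk stops after "null" instead
# of looping forever.
{
   level1=$1
   level2=$2
   if not_lower "$level1" "$level2"
   then
      l=$level1
      echo "$l \c"
      while [ "$l" != "$level2" ]
      do
         case "$l" in
         high)   l=med;;
         med)    l=low;;
         low)    l=null;;
         *)      break;;   # "null" has nothing below it: stop
         esac
         echo "$l \c"
      done
      echo
   fi
}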

# Fixed absolute paths: never resolved through the caller's PATH.
CHOWN=/usr/bin/chown
CHMOD=/bin/chmod
CHGRP=/bin/chgrp

echo
echo "Beginning $myname..."
echo "(This may take a while.)"

# ASETDIR locates the helper programs above and the archives read below.
if [ "$ASETDIR" = "" ]
then
   fail "ASETDIR variable undefined."
fi  
    
# $UID is expected from the calling environment (this script does not set
# it).  NOTE(review): if it were unset the test is malformed and simply
# fails, so the script would carry on as if authorized - confirm the ASET
# driver always exports UID.
if [ $UID -ne 0 ]
then
   fail "Permission denied."
fi

# Only -p (preview) is accepted: the modifying commands then just print
# what they would do.  Any other argument prints the usage and exits 1.
if [ $# -gt 0 ]
then
   if [ "$1" = "-p" ]
   then
      echo
      echo "Performing preview only ..."
      CHOWN="echo chown "
      CHMOD="echo chmod "
      CHGRP="echo chgrp "
   else
      echo $usage
      exit 1
   fi
fi

export CHOWN CHMOD CHGRP

# Levels from the previous one down to the current one, highest first.
# Empty unless the previous level is not lower than the current one, so
# nothing is restored on an upgrade.
LEVELS=`between_levels $PREV_ASETSECLEVEL $ASETSECLEVEL`
export LEVELS

# One archive per level, sorted by modification time, newest first
# (/bin/ls is called directly here rather than via $LS; missing archives
# are dropped silently by the 2>/dev/null).  The loop below therefore
# applies the newest archive first and the oldest last, so for an object
# recorded in several archives the oldest attributes end up in place.
arch_files=""
for i in $LEVELS
do
   arch_files="$ASETDIR/archives/tune.arch.$i $arch_files"
done
if [ "$arch_files" != "" ]
then
   arch_files=`/bin/ls -t $arch_files 2> /dev/null`
fi
# Each archive line was written by tune.task as "<path> <file_attr output>";
# the file_attr output apparently begins with the path again, hence the
# ignored junkpath field.  Layout read here:
#    path junkpath mode user group type
for arch in $arch_files
do
   while read path junkpath mode user group type junk
   do
      # Skip comments and white lines
      if [ "$path" = "#" ]
      then
         continue;
      elif [ "$path" = "" ]
      then
         continue;
      fi
   
      # Warn and skip lines without all the required fields
      if [ "$type" = "" ]
      then
         echo
         echo "Warning: bad entry:"
         echo "$path $mode $user $group $type"
         continue;
      fi
   
      # Warn and skip lines with too many fields
      if [ "$junk" != "" ]
      then
         echo
         echo "Warning: bad entry:"
         echo "$path $mode $user $group $type $junk"
         continue;
      fi
   
      #
      #   If the object does not exist on this system then skip it.
      #   (-d/-f follow symbolic links.)
      #
      if [ ! -d "$path" -a ! -f "$path" ]
      then
	 echo
	 echo "Warning! $path does not exist - skipped."
         continue;
      fi

      # Current attributes from $FILE_ATTR: field 2 mode, 3 owner, 4 group.
      old_attr=`$FILE_ATTR $path`

      # Put the recorded mode back, never on a "symlink" entry.  Directories
      # get g-s first: with some chmod implementations a numeric mode sets
      # but does not clear set-gid on a directory, so it is cleared
      # explicitly before the archived mode is applied.
      if [ "$type" != "symlink" -a \
	   "$mode" != `echo $old_attr | $AWK '{print $2}'` ]
      then
         if [ "$type" = "directory" ]
         then
            $CHMOD g-s "$path"
         fi
         $CHMOD "$mode" "$path"
      fi

      # Owner and group are restored for every entry type, "symlink"
      # included; chown/chgrp run without -h, so wherever they follow links
      # it is the link's target that is changed.
      if [ "$user" != `echo $old_attr | $AWK '{print $3}'` ]
      then
         $CHOWN "$user" "$path"
      fi

      if [ "$group" != `echo $old_attr | $AWK '{print $4}'` ]
      then
         $CHGRP "$group" "$path"
      fi
   done < $arch # while loop
done # for loop

echo
echo "$myname completed."
                                                                                                                                                                                                                                                                  aset/tasks/usrgrp                                                                                   0100700 0000000 0000002 00000020354 06363046165 0014213 0                                                                                                    ustar 00root                            bin                             0000040 0000016                                                                                                                                                                        #!/bin/sh
#
# Copyright 1990, 1991 Sun Microsystems, Inc.  All Rights Reserved.
#
#
#ident	"@(#)usrgrp.sh	1.3	94/11/22 SMI"

# This script performs checking on password and group files and
# reports anything that can be a problem in terms of integrity
# and security.

# Account databases checked by this task.
etc_passwd=/etc/passwd
etc_shadow=/etc/shadow
etc_group=/etc/group

# Per-run scratch copies ($$) under $TMP, which comes from the environment.
yp_passwdbuf="${TMP}/yp_passwd.$$"
passwdbuf="${TMP}/passwdbuf.$$"
yp_groupbuf="${TMP}/yp_group.$$"
groupbuf="${TMP}/groupbuf.$$"

########## FUNCTIONS ##########

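#######################################
# Archive the account databases before this task changes them.
# Globals:   ASETDIR, PREV_ASETSECLEVEL, CP (read)
#            etc_passwd, etc_group, etc_shadow (read)
# Outputs:   a warning on stdout for the first copy that fails
# Returns:   0 if all three files were archived, 1 on the first failure
#            (the remaining files are not copied)
#######################################
archive()
{
   passwd_arch=${ASETDIR}/archives/passwd.arch.$PREV_ASETSECLEVEL
   group_arch=${ASETDIR}/archives/group.arch.$PREV_ASETSECLEVEL
   shadow_arch=${ASETDIR}/archives/shadow.arch.$PREV_ASETSECLEVEL

   $CP "$etc_passwd" "$passwd_arch"
   if [ $? -ne 0 ]
   then
      echo
      echo "Warning! Could not archive $etc_passwd to $passwd_arch."
      return 1
   fi

   $CP "$etc_group" "$group_arch"
   if [ $? -ne 0 ]
   then
      echo
      echo "Warning! Could not archive $etc_group to $group_arch."
      return 1
   fi

   # The shadow copy holds password hashes: create it under a restrictive
   # umask so an inherited permissive umask cannot leave a new copy
   # world-readable.  (cp keeps the mode of an already existing target.)
   (umask 077; $CP "$etc_shadow" "$shadow_arch")
   if [ $? -ne 0 ]
   then
      echo
      echo "Warning! Could not archive $etc_shadow to $shadow_arch."
      return 1
   fi

   return 0
}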

check_dup_id()
# check duplicate user id's in password file;
# report them unless allowed by UID_ALIASES file.
# usage: check_dup_id passwd_file
# Globals read: UID_ALIASES, TMP, AWK, SORT, UNIQ, RM.
# Scratch files: ${TMP}/pwsort.$$ and ${TMP}/dupuids.$$, removed at the end.
# NOTE(review): the scratch names are predictable ($$ only); if $TMP is a
# shared, world-writable directory this is a symlink-race surface for a
# root-run task - confirm the driver points TMP at a private directory.
{
   nouidalias=false
   if [ "$UID_ALIASES" = "" ]
   then
      nouidalias=true
   elif [ ! -s $UID_ALIASES ]
   then
      nouidalias=true
   fi

   # "uid name" pairs sorted (lexically) by uid, then the uids seen more
   # than once.
   $AWK -F: '{print $3, $1}' $1 | $SORT > ${TMP}/pwsort.$$
   $AWK '{print $1}' ${TMP}/pwsort.$$ | $UNIQ -d > ${TMP}/dupuids.$$

   while read uid uname
   do
      # Whole-line fixed-string match against the duplicate list.  Note
      # fgrep is found via PATH here, unlike the $AWK/$SORT/$UNIQ helpers.
      if fgrep -x -e $uid ${TMP}/dupuids.$$ > /dev/null
      then
	 if [ "$nouidalias" = "true" ]
	 then
	    echo
	    echo "Warning! Duplicate uid: $uid $uname"
	 else
            # The alias file is split on "=": field 1 is a uid, fields 2..NF
            # the names allowed to share it (apparently lines of the form
            # uid=name=name...).  Prints the name only if it is listed.
            result=`$AWK -F= '($1==uid) { \
	       for (i=2; i<=NF; i++) { \
		    if ($i==uname) { \
		       print uname; \
                       break; \
		    } \
	       } \
	    }' uid=$uid uname=$uname $UID_ALIASES`
            if [ "$result" = "" ]
            then
	       echo
	       echo "Warning! Duplicate uid: $uid $uname"
            fi
	 fi
      fi
   done < ${TMP}/pwsort.$$
   $RM -f ${TMP}/pwsort.$$ ${TMP}/dupuids.$$
}

do_passwd()
# Check on the password file passed in.
# -f flag: fix where possible.
# Usage: do_passwd [-f] passwd_file
{
   if [ "$1" = "-f" ]
   then
      should_fix=true
      passwd_file=$2
   else
      should_fix=false
      passwd_file=$1
   fi

   echo
   echo "Checking $passwd_file ..."

   # check duplicate user names
   result=`$AWK -F: '{print $1}' $passwd_file | $SORT | $UNIQ -d`
   if [ "$result" ]
   then
      echo
      echo "Warning!  Duplicate user name(s) found in $passwd_file:"
      echo "\t$result"
   fi

   # check duplicate user ids
   check_dup_id $passwd_file

   # other format checks
   $AWK -f ${ASETDIR}/tasks/pwchk.awk $passwd_file

   # check nobody entry
   if $GREP -s '^nobody:.*:-2' $passwd_file
   then
      echo
      echo "Bad entry for user nobody in $passwd_f