# check_security - read-only audit of a few classic account/host-trust
# weaknesses. Every finding is printed with echo; nothing is changed.
# NOTE(review): this listing is fragmentary. The then/fi/do/done keywords,
# the assignment of WHOAMI, the IFS setting for the passwd read and the
# close of the USAGE string are not visible here, and the number at the
# start of each line looks like a gutter line number from the original
# listing rather than script text. The comments below apply to the
# statement they precede.
2 USAGE='USAGE: check_security
4 This script checks for some security problems. It does
5 not fix anything. It only prints messages about possible
8 Author: Michael Coulter
# Account database to audit. Each line is colon-separated, so the read
# below needs IFS set to ':' - that assignment is not in the visible lines;
# confirm it exists, otherwise every field lands in USER.
13 PASSWD_FILE=/etc/passwd
15 # Check for execution by root
# WHOAMI is not assigned in the visible lines (presumably whoami/id -
# verify). This is only a warning: no exit is visible, so the script goes
# on. Without root the -f tests on other users' files below may simply
# return false (unreadable directories), so findings can be missed silently.
18 if [ "$WHOAMI" != "root" ]
20 echo "It is recommended that you run this script as root"
23 # Parse all the lines in $PASSWD_FILE
# One iteration per passwd entry; REST absorbs any trailing fields.
# NOTE(review): read without -r interprets backslashes, and under bash
# UID is a read-only shell variable so this read would fail - the script
# appears to target a Bourne/Korn sh; confirm the shebang (not visible).
# The pipeline also runs the loop in a subshell, which is harmless here
# because the body only echoes.
27 cat "$PASSWD_FILE" | while read USER PASSWORD UID GID COMMENT HOME SHELL REST
29 # Checks for users who shouldn't log-in, i.e. PASSWORD is "*"
# NOTE(review): on a system with shadow passwords this field is 'x' for
# every account, so neither this check nor the NULL-password check below
# can ever fire - confirm how the target system stores passwords.
31 if [ "$PASSWORD" = '*' ]
33 # If the PASSWORD is "*", there should not be a .rhosts or hosts.equiv
34 # in the home directory or .forward
# A locked account should carry no per-user trust file (.rhosts) or mail
# redirection (.forward). -f is silently false when the directory is
# unreadable, and an empty HOME field makes this test /.rhosts - TODO
# confirm entries without a home directory are handled.
35 if [ -f "${HOME}/.rhosts" ]
37 echo "$USER has a .rhosts file in $HOME"
39 if [ -f "${HOME}/.forward" ]
41 echo "$USER has a .forward file in $HOME"
46 # There should not be a crontab or atjob for the user
# Spool paths are the traditional /usr/spool ones; newer systems keep them
# under /var/spool - confirm for the target OS or these checks never match.
48 if [ -f "/usr/spool/cron/crontabs/${USER}" ]
50 echo "$USER has a crontab file in /usr/spool/cron/crontabs"
52 if [ -f "/usr/spool/cron/atjobs/${USER}" ]
# NOTE: the message says "crontab" although this is the at-jobs spool.
54 echo "$USER has a crontab file in /usr/spool/cron/atjobs"
57 fi # End of * password checks
# An empty password field means login without any password.
59 if [ "$PASSWORD" = "" ]
61 echo "$USER has a NULL password."
64 # No wildcards in $HOME/.rhosts or /etc/host.equiv
# Counts non-comment lines of the user's .rhosts that contain a '+'
# (a wildcard entry). Two caveats: $HOME/.rhosts is unquoted here (unlike
# the -f test above), so a home path with whitespace or glob characters
# splits; and the 2>/dev/null is attached to grep, not sed, so a missing
# .rhosts still prints a sed error on stderr. The test on LINES that
# follows is not in the visible lines.
65 LINES="$(sed -e "/^#/d" $HOME/.rhosts | grep "+" 2> /dev/null | wc -l)"
68 echo "$USER has + in $HOME/.rhosts"
72 # read USER PASSWORD UID GID COMMENT HOME SHELL REST
74 # Checks that are only done once
76 # Check no wildcards in /etc/host.equiv
# NOTE(review): this path is spelled without the 's' that the existence
# check further down uses (/etc/hosts.equiv). If hosts.equiv is the real
# file, this wildcard check never matches and the discarded stderr hides
# that - confirm which spelling is intended.
78 LINES="$(grep -- "+" /etc/host.equiv 2> /dev/null | wc -l)"
81 echo "System has + in /etc/host.equiv"
# Absence of inetd.sec is reported; the path is system-specific
# (presumably the inetd access-control file on the targeted OS - verify).
84 if [ ! -f "/usr/adm/inetd.sec" ]
86 echo "No /usr/adm/inetd.sec file. "
# The mere presence of hosts.equiv is reported; its contents are not
# inspected here (the '+' check above reads /etc/host.equiv instead).
89 if [ -f "/etc/hosts.equiv" ]
91 echo "System has a /etc/hosts.equiv file"