2 ################################################################################
5 # Description: Security audit
6 # Author: Andrew DeFaria (defaria@cup.hp.com)
8 # Modifications: Combined security checking scripts from Chip Chapin
9 # (chip@cup.hp.com) and Michael Coulter (coulter@cup.hp.com).
11 # (c) Copyright 1991, Hewlett-Packard Company, all rights reserved.
13 ################################################################################
14 # First source the appserver script
if [ -x /app/appserver ]; then
# (what is sourced here and the closing fi are on lines not visible in this
# extract)
# Cron and at spool directories; the case arms that pick one pair per OS
# release are not visible here.  /usr/spool is presumably the older layout
# and /var/spool the newer one.
crondir=/usr/spool/cron/crontabs
atdir=/usr/spool/cron/atjobs
crondir=/var/spool/cron/crontabs
atdir=/var/spool/cron/atjobs
# OS release not recognised: -u2 sends the message to stderr.  What follows
# (an exit, presumably, since the spool paths would be unset) is not visible.
print -u2 "$me: Error: Unknown OS version: $OS"
# Determines if $user has a home directory local to this machine
# NOTE(review): presumably the body of the local_user function that
# check_users calls; its header, the lines that set $local, and the closing
# else/fi are not in this extract.  It reads the global $home directly;
# whether the missing lines copy the call's arguments into it cannot be seen.
# A home of the form /nfs/<machine>/... or /net/<machine>/... counts as
# local only when <machine> is this host's name.
# $home is unquoted in the two pipelines below, so a value containing
# whitespace or glob characters would be split/expanded before cut sees it.
first_component=$(print $home | cut -f2 -d/)
machine_component=$(print $home | cut -f3 -d/)
this_machine=$(uname -n)
if [ "$first_component" = "nfs" -o "$first_component" = "net" ]; then
# NOTE(review): both operands are unquoted here; with an empty third path
# component (e.g. "/nfs/") the test becomes "[ = host ]", a syntax error,
# rather than a clean "not local".
if [ $machine_component = $this_machine ]; then
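#######################################
# Warn about a non-standard account whose password field is "*" (login
# disabled) and report leftovers that would still let the account act:
# a .rhosts or .forward in its home directory, and a crontab or at job in
# the spool directories.
# Globals:   me (read) - script name used as the message prefix
#            user (read) - login name from the password file entry
#            home (read) - home directory from the password file entry
#            crondir, atdir (read) - per-OS cron/at spool directories
# Arguments: none
# Outputs:   warnings on stdout; ksh print expands the trailing \n in each
#            message into a blank separator line
# Returns:   status of the last test run; nothing visible relies on it
#######################################
function starred_out_checks {
  print "$me: Warning: Non standard user \"$user\" has \"*\" out password!\n"
  print "If this user no longer works here you should assign ownership of their"
  print "files to somebody else then have this user's password entry removed.\n"

  # A disabled account should not keep remote-login trust (.rhosts) or mail
  # forwarding (.forward) in its home directory.  Only look when the home
  # directory exists on this machine.
  if [ -d "$home" ]; then
    if [ -f "$home/.rhosts" ]; then
      print "$me: Warning: User: $user has a .rhosts file in $home\n"
      print "You should remove this user's ~/.rhosts file.\n"
    fi
    if [ -f "$home/.forward" ]; then
      print "$me: Warning: User: $user has a .forward file in $home\n"
      print "You should remove this user's ~/.forward file.\n"
    fi
  fi # home directory exists

  # Nor should it have scheduled jobs.  The spool paths are quoted so that
  # unusual spool locations or login names cannot be word-split or
  # glob-expanded inside the test.
  if [ -f "$crondir/$user" ]; then
    print "$me: Warning: User: $user has a crontab file in $crondir/$user\n"
    print "You should remove this user's crontab file.\n"
  fi
  if [ -f "$atdir/$user" ]; then
    print "$me: Warning: User: $user has a at file in $atdir/$user\n"
    print "You should remove this user's at file.\n"
  fi
} # starred_out_checks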
function check_users {
# This function checks users in the password file.
# NOTE(review): the loop's closing done/redirection, the function's closing
# brace, the else branch of the starred-out test and several fi lines are on
# lines not visible in this extract.
# Parse all the lines in /etc/passwd
# NOTE(review): read splits on IFS (whitespace by default); splitting the
# entry on ':' has to be arranged where this loop is fed, which is not
# visible here - confirm.
while read user password uid gid comment home shell rest; do
# Check if the user has a local home directory
# Both arguments are unquoted: a home directory containing whitespace or
# glob characters would be split/expanded before local_user sees it.
local_user $user $home
# Checks for users who shouldn't log-in, i.e. password is "*"
# $local is expected to be set by local_user (1 = home directory is on this
# machine); that assignment is not in this extract.  It is unquoted, so an
# unset value would make the test a syntax error rather than "not local".
if [ $local -eq 1 ]; then # Only check local users
if [ "$password" = '*' ]; then
# System accounts that are expected to be locked out.  Some entries of this
# list are on lines not visible here; any other starred-out account falls
# to the else branch (also not visible, presumably starred_out_checks).
if [ "$user" = "adm" -o \
"$user" = "daemon" -o \
"$user" = "nuucp" -o \
"$user" = "root" -o \
"$user" = "sync" -o \
"$user" = "tftp" -o \
"$user" = "uucp" -o \
"$user" = "who" ]; then
: # Skip some users who should be starred out
# An empty password field lets anyone log in as this user with no password.
# NOTE(review): this is the field from the password file; if hashes are
# held elsewhere on this platform the field will not show that - confirm.
if [ "$password" = "" ]; then
print "$me: Warning: User: $user has a NULL password\n"
print "You must assign a proper password to this user.\n"
# No wildcards in ~/.rhosts or /etc/host.equiv
# NOTE(review): "~" is $HOME of the process running the audit (root, per
# miscellaneous_checks, unless $HOME is reassigned on lines not visible),
# not $home of the account being checked, so this test and the sed below
# read the same file for every user while the warning names $home/.rhosts.
# "$home/.rhosts" looks intended - confirm before changing.  grep -e '+'
# also counts any non-comment line containing a "+", not only a bare
# wildcard entry, and the 2>/dev/null applies to grep only.
if [ -f ~/.rhosts -a $local -eq 1 ]; then
LINES="$(sed -e '/^#/d' ~/.rhosts | grep -e '+' 2> /dev/null | wc -l)"
if [ "$LINES" -ne 0 ]; then
print "$me: Warning: User: $user has \"+\" in $home/.rhosts\n"
print "This can be fixed by logging on as $user and running:"
print "/app/admin/bin/fixrhosts\n"
function miscellaneous_checks {
# Check for execution by root
# Only root may run the audit.  The line(s) that end this branch (an exit,
# presumably) and its closing fi are not visible in this extract.
if [ "$(whoami)" != "root" ]; then
print -u2 "$me: Error: This script must be run by root".
# Checks that are only done once
# Check no wildcards in /etc/host.equiv
# NOTE(review): the file tested is /etc/hosts.equiv but both warnings name
# /etc/host.equiv; the messages look like the typo.
# grep -e '+' counts every non-comment line containing a "+" anywhere, not
# only a bare wildcard entry, and the 2>/dev/null applies to grep only.
if [ -f /etc/hosts.equiv ]; then
lines="$(sed '/^#/d' /etc/hosts.equiv | grep -e '+' 2> /dev/null | wc -l)"
if [ "$lines" -ne 0 ]; then
print "$me: Warning: System has \"+\" in /etc/host.equiv\n"
print "You should remove this \"+\" from /etc/host.equiv\n"
# (the two closing fi lines are not visible in this extract)
} # miscellaneous_checks
# Final step: invoke the admin daemon, which from its options appears to
# mail its report to root (-mailto root).  What -clear and -secu do is not
# documented in this extract, and the lines that call the check functions
# before this point are not visible here.
/usr/local/etc/admdaemon.dy -clear -secu -mailto root