+#! /bin/ksh
+USAGE='USAGE: check_security
+
+ This script checks for some security problems. It does
+ not fix anything. It only prints messages about possible
+ problems.
+
+ Author: Michael Coulter
+'
+
+# Set parameters
+
+ PASSWD_FILE=/etc/passwd
+
+# Check for execution by root
+
+ WHOAMI=$(whoami)
+ if [ "$WHOAMI" != "root" ]
+ then
+ echo "It is recommended that you run this script as root"
+ fi
+
+# Parse all the lines in $PASSWD_FILE
+
+ OLD_IFS="$IFS"
+ IFS=":"
+ cat "$PASSWD_FILE" | while read USER PASSWORD UID GID COMMENT HOME SHELL REST
+ do
+ # Checks for users who shouldn't log-in, i.e. PASSWORD is "*"
+
+ if [ "$PASSWORD" = '*' ]
+ then
+ # If the PASSWORD is "*", there should not be a .rhosts or hosts.equiv
+ # in the home directory or .forward
+ if [ -f "${HOME}/.rhosts" ]
+ then
+ echo "$USER has a .rhosts file in $HOME"
+ fi
+ if [ -f "${HOME}/.forward" ]
+ then
+ echo "$USER has a .forward file in $HOME"
+ fi
+
+
+
+ # There should not be a crontab or atjob for the user
+
+ if [ -f "/usr/spool/cron/crontabs/${USER}" ]
+ then
+ echo "$USER has a crontab file in /usr/spool/cron/crontabs"
+ fi
+ if [ -f "/usr/spool/cron/atjobs/${USER}" ]
+ then
+ echo "$USER has a crontab file in /usr/spool/cron/atjobs"
+ fi
+
+ fi # End of * password checks
+
+ if [ "$PASSWORD" = "" ]
+ then
+ echo "$USER has a NULL password."
+ fi
+
+ # No wildcards in $HOME/.rhosts or /etc/host.equiv
+ LINES="$(sed -e "/^#/d" $HOME/.rhosts | grep "+" 2> /dev/null | wc -l)"
+ if [ "$LINES" -ne 0 ]
+ then
+ echo "$USER has + in $HOME/.rhosts"
+ fi
+
+ done
+ # read USER PASSWORD UID GID COMMENT HOME SHELL REST
+
+# Checks that are only done once
+
+# Check no wildcards in /etc/host.equiv
+
+ LINES="$(grep -- "+" /etc/host.equiv 2> /dev/null | wc -l)"
+ if [ "$LINES" -ne 0 ]
+ then
+ echo "System has + in /etc/host.equiv"
+ fi
+
+ if [ ! -f "/usr/adm/inetd.sec" ]
+ then
+ echo "No /usr/adm/inetd.sec file. "
+ fi
+
+ if [ -f "/etc/hosts.equiv" ]
+ then
+ echo "System has a /etc/hosts.equiv file"
+ fi
+