sysconf.sh revision 7c478bd95313f5f23a4c958a745db2134aa03244
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License, Version 1.0 only
# (the "License"). You may not use this file except in compliance
# with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
# Copyright 1990-2002 Sun Microsystems, Inc. All Rights Reserved.
#
#
#ident "%Z%%M% %I% %E% SMI"
# sysconf - performs checks (and fixes) on various system configuration
# files (tables). See the ### MAIN ### section (at the end of
# this file) for a list of the system files examined.
SU=false
then
SU=true
fi
########## FUNCTIONS ##########
archive()
# usage: archive [-perm] pathname_to_be_archived
# if -perm, saves the permission instead of the content of file
{
then
return # no op
fi
if [ "$1" = "-perm" ]
then
change_perm=true
shift
fi
pathname=$1
if [ ! -s $pathname ]
then
# no file to archive
return
fi
then
else
fi
if [ $? -ne 0 ]
then
echo;echo "Cannot archive $pathname. Task skipped!"
exit 1
fi
}
{
then
return
fi
if [ $? -ne 0 ]
then
echo "Warning! Root login allowed at any terminal."
then
echo "Ask an authorized administrator to fix this."
else
echo "Changing $etc_default_login to allow root login \c"
echo "only at the console terminal."
$ED - $etc_default_login <<- !
a
.
w
q
!
fi
fi
}
{
if [ ! -s $etc_hosts_equiv ]
then
return
fi
if [ $? -ne 0 ]
then
return
fi
echo
echo "Warning! $etc_hosts_equiv constains a line with a single +"
echo "This makes every known host a trusted host, and is therefore"
echo "not recommended for system security."
then
# good enough
return
fi
then
echo
echo "Ask an authorized administrator to fix this problem."
return
fi
$ED - $etc_hosts_equiv <<- !
g/^+$/d
w
q
!
echo
echo "Deleted that entry in $etc_hosts_equiv."
return
}
# fix entry in /etc/inetd.conf
{
ENTRY=$1
if [ $? -ne 0 ]
then
return
fi
if [ "$2" = "SECURE" ]
then
then
return
fi
fi
then
echo
echo "Warning! in.tftpd is not started securely in /etc/inetd.conf."
echo
then
echo "Ask an authorized administrator to fix this."
return
fi
$ED - /etc/inetd.conf <<- !
w
q
!
echo "Entry fixed: in.tftpd started with -s option in /tftpboot home directory"
return
fi
echo
echo "Warning! ${ENTRY} has poor authentication mechanism"
echo "not recommended on a secure system. ($inetd_conf)"
echo
then
echo "Ask an authorized administrator to fix this."
return
fi
$ED - /etc/inetd.conf <<- !
g/^${ENTRY}/s/^/#/
w
q
!
# end ED
echo "Entry fixed. ${ENTRY} entry is commented out."
}
{
if [ "${ASETSECLEVEL}" = "high" ]
then
fi
}
{
if [ $? -ne 0 ]
then
return
fi
if [ $? -ne 0 ]
then
return
fi
echo
echo "Warning! The uucp decode alias in $etc_aliases is not\c"
echo " recommended for system security."
then
return
fi
then
echo
echo "Ask an authorized administrator to fix this."
return
fi
$ED - $etc_aliases <<- !
w
q
!
# end ED
echo
echo "Decode alias has been commented out."
}
fix_utmp()
{
if [ $? -eq 0 ]
then
echo
echo "recommended for system security."
fi
if [ $? -eq 0 ]
then
echo
echo "recommended for system security."
fi
then
return
fi
then
echo
echo "Ask an authorized administrator to fix this."
return
fi
echo
}
{
if [ -s /.rhosts ]
then
echo
echo "Warning! The use of /.rhosts file is not recommended for\c"
echo " system security."
then
then
echo
echo "Ask an authorized administrator to fix this."
return
fi
echo
echo "Moved aside to /.rhosts.asetbak."
fi
fi
}
# Check world-readable/writable devices in vfstab.
{
{print $1}' $vfstab`
do
if $IS_READABLE $dev
then
echo
echo "Warning! $dev is readable by world."
then
then
if [ $? -ne 0 ]
then
echo
echo "Had problem fixing $dev"
else
echo
echo "World readability has been removed from $dev."
fi
else
echo
echo "Ask an authorized administrator to fix this."
fi
fi
fi
if $IS_WRITABLE $dev
then
echo
echo "Warning! $dev is writable by world."
then
then
if [ $? -ne 0 ]
then
echo
echo "Had problem fixing $dev"
else
echo
echo "World writability has been removed from $dev."
fi
else
echo
echo "Ask an authorized administrator to fix this."
fi
fi
fi
done
}
# check unrestricted exportation of file systems.
{
if [ -s $exports ]
then
$AWK '{ \
while(getline >0) \
if ($0 !~ /^#/ && $0 !~ /-o/ && $0 != "") { \
printf("\nWarning! Shared resources file (/etc/dfs/dfstab) , line %d, file system exported with no restrictions:\n\t%s\n", NR, $0) \
} \
}' ${exports}
fi
}
{
then
return
fi
if [ $? -eq 0 ]
then
return
fi
echo
echo "Warning! $ftpusers should contain root at high security level."
then
echo
echo "Root entry has been appended in $ftpusers."
else
echo
echo "Ask an authorized administrator to fix this."
fi
}
########## MAIN ##########
if [ "$DOWNGRADE" = "true" ]
then
fi
echo
echo "*** Begin System Scripts Check ***"
#echo
#echo
#echo "checking hosts.equiv for NIS entry"
#echo
#echo "checking inetd_conf for non-secure mode daemons"
#echo
#echo
#echo
#echo "checking /.rhosts file"
#echo
#echo "checking mounted partitions permissions"
#echo
#echo "checking exported partitions access permissions"
#echo
echo
echo "*** End System Scripts Check ***"