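#!/bin/csh -f
#
# Nigel, the Night Watchman
#
# This script performs nightly security checks.  You should run it before
# any cleanup or log rotation scripts, or else they might destroy
# some evidence of a problem.
#
# If run with the -reset argument, the database is reset to reflect
# the current state of the system, but only *after* performing the
# initial check.
#
# Options:   -reset | -initialize  re-initialize the tripwire database after
#                                  the comparison run has been reported
#            -q | -quiet           drop the tripwire output from the report
#                                  (the account and log checks still report)
# Reads:     /etc/passwd, /etc/shadow (when present), the system log files
#            found below, and the tripwire database for this host
# Outputs:   a report is mailed to root only when some check found
#            something; a clean run mails nothing
# Exit:      5 on an unknown argument, 1 if no scratch file could be made,
#            0 otherwise (a finding does not change the exit status)
#
# Eric Myers - 20 May 1998
# Department of Physics, University of Michigan, Ann Arbor
# Copyright (C) 1998,1999 by Eric Myers, all rights reserved.
# @(#) $Id: Nigel,v 2.29 2005/06/21 18:01:33 myers Exp myers $
#######################################################################

# Set the path just to what is needed nothing else.
set path=( /usr/local/adm /usr/local/bin /usr/local/gnu/bin /usr/bin /bin )
set path=( $path /usr/bsd )
umask 037

# Initialize: TMP is a scratch file reused by each check, LOG is the report.
# Create them with mktemp where it exists: this script runs as root, and a
# fixed name like /tmp/Nigel.<pid> or /tmp/Nigel.out can be pre-planted
# (for example as a symlink) by any local user before root writes to it.
if ( -x /bin/mktemp || -x /usr/bin/mktemp ) then
  set TMP=`mktemp /tmp/Nigel.XXXXXX`
  set LOG=`mktemp /tmp/Nigel.out.XXXXXX`
  if ( "$TMP" == "" || "$LOG" == "" ) then
    echo "${0}: cannot create scratch files in /tmp."
    exit 1
  endif
else
  # No mktemp on this system: fall back to the historical fixed names.
  set TMP=/tmp/Nigel.$$
  set LOG=/tmp/Nigel.out
  /bin/rm -f ${LOG} >/dev/null
endif

set RCSVERS = \
  `echo '$Revision: 2.29 $' | sed -e 's/Revision: //' -e 's/$\(.*\) \$/\1/'`
set HOSTNAME = `hostname`
set INDENT="pr -o 8 -t "     # indents its input by 8 columns for the report

#######
# MAILX is mail/mailx or mush, with -s for subject
#
set MAILX="mail -s "         # NeXT/Linux/Sun
if ( -x /usr/bin/mailx ) then
  # HP-UX uses mailx
  set MAILX="mailx -s "
endif
if ( -x /usr/local/bin/mush ) then
  # mush is prefered
  set MAILX="mush -s "
endif

#######
# Find system log files: check for Linux, SunOS, HP-UX, NeXT, etc...
# SYSLOGS ends up as the list of those candidates that actually exist.
set SYSLOGS=""
foreach LOGFILE ( /usr/adm/messages /var/log/messages /var/log/syslog \
                  /var/adm/syslog/syslog.log )
  if ( -f $LOGFILE ) set SYSLOGS=( $SYSLOGS $LOGFILE )
end

##################################################
## Command line options:

set RESET=""
set QUIET=""

while ( $#argv > 0 )
  switch ( $1 )
    case -reset:               # Reset the database
    case -initialize:
      set RESET="-initialize"
      breaksw
    case -q:
    case -quiet:
      set QUIET="Y"
      breaksw
    default:
      echo "Unknown argument: $1"
      echo "Usage: $0:t [-reset]"
      exit 5
  endsw
  shift
end

##################################################
## @(#)* Run tripwire to check for changes to important system files
## (such as back-doors to login and such)

# Please use full path names for configuration files names
set TWDIR=/usr/local/adm
set TWEXE=/usr/local/bin/tripwire
set TWCFG=/usr/local/adm/tw.config
set TWDBF=/usr/local/adm/databases/tw.db_${HOSTNAME}

# Make sure the directory and the executable are usable; if not, skip the
# whole tripwire section (the remaining checks still run).
if ( ! -d $TWDIR ) then
  echo "${0}: No such directory $TWDIR."
  goto endtw
endif
if ( ! -x $TWEXE ) then
  echo "${0}: No executable $TWEXE."
  goto endtw
endif

# Run the tripwire test
cd $TWDIR                    # go there
cp /dev/null $TMP            # start a log
set TWSTART=`date`
$TWEXE -q -c $TWCFG -d $TWDBF >&$TMP
set TWEND=`date`

# If the output is non-zero, add it to the log
if ( ! -z $TMP ) then
  echo " " >>${LOG}
  echo "### Tripwire report:" >>${LOG}
  echo " " >>${LOG}
  echo "START: $TWSTART" >>${LOG}
  cat $TMP >>${LOG}
  echo "ENDED: $TWEND" >>${LOG}
  echo " " >>${LOG}
endif
rm -f $TMP

##################################################
## @(#)* If requested, then reset the database
## (but only after finding any differences)

if ( "$RESET" != "" ) then
  cd $TWDIR                  # go there
  cp /dev/null $TMP          # start a log
  set TWSTART=`date`
  # NOTE(review): no -d here, so the new database presumably lands under
  # ./databases relative to TWDIR, which is where TWDBF points -- confirm.
  $TWEXE -initialize -c $TWCFG >&$TMP
  set TWEND=`date`
  cat <<EOT >>$LOG

### Tripwire database now being reset:

EOT
  if ( ! -z $TMP ) then
    echo "START: $TWSTART" >>${LOG}
    # The "No such file ... expects to find it" lines are routine noise
    # from -initialize and are filtered out of the report.
    grep -vi "No such file" < $TMP | grep -iv "expects to find it" >>${LOG}
    echo "ENDED: $TWEND" >>${LOG}
    echo " " >>${LOG}
  endif
  rm -f $TMP
endif

# If the -quiet flag was given then no need to report tw logs
if ( "$QUIET" != "" ) cp /dev/null $LOG

endtw:

##################################################
## @(#)* Look for UID 0 accounts that are not "root" (or "+")

awk -F: '$3 == 0 {print $1}' /etc/passwd |\
  egrep -v '^root$' | egrep -v '^\+$' >$TMP
if ( ! -z $TMP ) then
  cat <<EOT >>$LOG

### Possible Linux break-in:

There is an account on this system with UserID number (UID) zero,
but it does not have the name "root".  This is often a sign that
someone has broken into the system to install such an account.
The account name is:

EOT
  # Feed the offending names from the scratch file through the indenter.
  $INDENT < $TMP >>$LOG
  echo " " >>$LOG
endif
/bin/rm -f $TMP

##################################################
## @(#)* Check that root account has UID 0

set ROOTID=`awk -F: '$1 ~ /^root$/ {print $3}' /etc/passwd `

# Check for root UID != 0 too.  ROOTID is quoted because it may be empty
# (no root line at all), which would otherwise be a csh expression error.
if ( "$ROOTID" != "0" ) then
  cat <<EOT >>$LOG

### Root accound is not UID 0

It appears that the "root" account does not have UID zero.  Some
system administrators do this to try to hide the root account, but
it's really not very useful -- the Bad Guys will figure it out anyway,
and it can actually break some software.  Please change it back!

EOT
endif
/bin/rm -f $TMP

##################################################
## @(#)* Look for evidence of common root compromises
#
# References: CERT IN-99-05

cp /dev/null $TMP

# Look for telling messages.  Only grep when a log file was found;
# with an empty list grep would read its standard input instead.
if ( "$SYSLOGS" != "" ) then
  grep -i "unable to glue" ${SYSLOGS} >>$TMP
  grep -i "cannot glue" ${SYSLOGS} >>$TMP
  # Look for references to moof
  grep moof $SYSLOGS >>$TMP
endif

# Look for new user accounts
egrep "^moof:|^foom:|^bionic:|^Malk|^doomed|^floryn:" /etc/passwd* >>$TMP
if ( -f /etc/shadow ) then
  egrep "^moof:|^foom:|^bionic:|^Malk|^doomed|^floryn:" /etc/shadow* >>$TMP
endif

# Look for certain files or directories commonly installed.
# Every entry must be an absolute path: the cwd may still be TWDIR here.
set WATCHLIST=( /tmp/bob /dev/bp /dev/sda69 /var/named/AMDROCKS /var/named/O )
set WATCHLIST=($WATCHLIST /var/log/lpd/.stel /bin/prick /tmp/m /tmp/ramen.tgz )
set WATCHLIST=($WATCHLIST /usr/src/.poop /sbin/asp /usr/sbin/asp )
set WATCHLIST=($WATCHLIST /usr/man/man1/man1/lib/.lib/.x /dev/pts/01 )
set WATCHLIST=($WATCHLIST /dev/.lib /usr/src/.put /usr/info/.torn )
set WATCHLIST=($WATCHLIST /var/tmp/.r /var/lib/zlib.pl1 /usr/lib/linux.pid )
set WATCHLIST=($WATCHLIST /var/tmp/sir /dev/pd )
set WATCHLIST=($WATCHLIST /usr/bin/kswaps /usr/bin/scats /usr/man/man8/tty )
foreach FILE ( $WATCHLIST )
  if ( -e $FILE ) ls -latR $FILE >>$TMP
end

if ( ! -z $TMP ) then
  cat <<EOT >>$LOG

### Possible Linux break-in:

I have found evidence of a possible break-in, probably using a
buffer overflow in the Linux sysklogd or amd.  Here is what was found:

EOT
  cat $TMP >>$LOG
  cat <<EOT >>$LOG

You should investigate further to see if there is other evidence
of intrusion.  For help, see
ftp://ftp.cert.org/pub/tech_tips/intruder_detection_checklist

EOT
endif
/bin/rm -f $TMP

##################################################
## @(#)* Mail any results to root

if ( -f $LOG && ! -z $LOG ) then
  (echo "#### Security report for $HOSTNAME from Nigel $RCSVERS"; \
   cat $LOG ) | $MAILX "Nightly Security Report for ${HOSTNAME}" root
endif

##################################################
## Clean up

/bin/rm -f ${LOG} >&/dev/null
/bin/rm -f ${TMP} >&/dev/null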