unix-privesc-check

#!/bin/sh
# unix-privesc-check - Checks Unix system for simple privilege escalations
# Copyright (C) 2008 pentestmonkey@pentestmonkey.net
#
#
# License
# -------
# This tool may be used for legal purposes only.  Users take full responsibility
# for any actions performed using this tool.  The author accepts no liability
# for damage caused by this tool.  If you do not accept these condition then
# you are prohibited from using this tool.
#
# In all other respects the GPL version 2 applies:
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# You are encouraged to send comments, improvements or suggestions to
# me at pentestmonkey@pentestmonkey.net
#
#
# Description
# -----------
# Auditing tool to check for weak file permissions and other problems that
# may allow local attackers to escalate privileges.
# 
# It is intended to be run by security auditors and pentetration testers 
# against systems they have been engaged to assess, and also by system 
# admnisitrators who want to check for "obvious" misconfigurations.  It 
# can even be run as a cron job so you can check regularly for misconfigurations 
# that might be introduced.
#
# Ensure that you have the appropriate legal permission before running it
# someone else's system.
#
# TODO List
# ---------
# There's still plenty that this script doesn't do...
# - Doesn't work for shell scripts!  These appear as "/bin/sh my.sh" in the process listing. 
#   This script only checks the perms of /bin/sh.  Not what we're after.  :-(
# - Similarly for perl scripts.  Probably python, etc. too.
# - Check /proc/pid/cmdline for absolute path names.  Check security of these (e.g. /etc/snmp/snmpd.conf)
# - Check everything in root's path - how to find root's path?
# - /proc/pid/maps, smaps are readable and lists some shared objects.  We should check these.
# - /proc/pid/fd contain symlinks to all open files (but you can't see other people FDs)
# - check for trust relationships in /etc/hosts.equiv
# - NFS imports / exports / automounter
# - Insecure stuff in /etc/fstab (e.g. allowing users to mount file systems)
# - Inspecting people's PATH.  tricky.  maybe read from /proc/pid/environ, .bashrc, /etc/profile, .bash_profile
# - Check if /etc/init.d/* scripts are readable.  Advise user to audit them if they are.
# - .exrc?
# - X11 trusts, apache passwd files, mysql trusts?
# - Daemons configured in an insecure way: tftpd, sadmind, rexd
# - World writable dirs aren't as bad if the sticky bit is set.  Check for this before reporting vulns.
# - Maybe do a strings of binaries (and their .so's?)
# - Do a better job of parsing cron lines - search for full paths
# - Maybe LDPATHs from /etc/env.d
# - Check if ldd, ld.so.conf changes have broken this script on non-linux systems.
# - Avoid check certain paths e.g. /-/_ clearly isn't a real directory.
# - create some sort of readable report
# - indicate when it's likely a result is a false positive and when it's not.
# - Skip pseudo processes e.g. [usb-storage]
# - File permission on kernel modules
# - Replace calls to echo with a my_echo func.  Should be passed a string and an "importance" value:
#   - my_echo 1 "This is important and should always be printed out"
#   - my_echo 2 "This is less important and should only be printed in verbose mode"
# - We check some files / dirs multiple times.  Slow.  Can we implement a cache?
# - grep for PRIVATE KEY to find private ssh and ssl keys.  Where to grep?
# - check SGID programs

VERSION="1.4"
HOME_DIR_FILES=".netrc .ssh/id_rsa .ssh/id_dsa .rhosts .shosts .my.cnf .ssh/authorized_keys .bash_history .sh_history .forward"
CONFIG_FILES="/etc/passwd /etc/group /etc/master.passwd /etc/inittab /etc/inetd.conf /etc/xinetd.con /etc/xinetd.d/* /etc/contab /etc/fstab /etc/profile /etc/sudoers"
PGDIRS="/usr/local/pgsql/data ~postgres/postgresql/data ~postgres/data ~pgsql/data ~pgsql/pgsql/data /var/lib/postgresql/data /etc/postgresql/8.2/main /var/lib/pgsql/data"

get_owner () {
	GET_OWNER_FILE=$1
	GET_OWNER_RETURN=`ls -lLd "$GET_OWNER_FILE" | awk '{print $3}'`
}

get_group () {
	GET_GROUP_FILE=$1
	GET_GROUP_RETURN=`ls -lLd "$GET_GROUP_FILE" | awk '{print $4}'`
}

usage () {
	echo "unix-privesc-check v$VERSION ( http://pentestmonkey.net/tools/unix-privesc-check )"
	echo
	echo "Usage: unix-privesc-check { standard | detailed }"
	echo
	echo '"standard" mode: Speed-optimised check of lots of security settings.'
	echo 
	echo '"detailed" mode: Same as standard mode, but also checks perms of open file'
	echo '                 handles and called files (e.g. parsed from shell scripts,'
	echo '                 linked .so files).  This mode is slow and prone to false '
	echo '                 positives but might help you find more subtle flaws in 3rd'
	echo '                 party programs.'
	echo
	echo "This script checks file permissions and other settings that could allow"
	echo "local users to escalate privileges."
	echo 
	echo "Use of this script is only permitted on systems which you have been granted" 
	echo "legal permission to perform a security assessment of.  Apart from this "
	echo "condition the GPL v2 applies."
	echo
	echo "Search the output for the word 'WARNING'.  If you don't see it then this"
	echo "script didn't find any problems."
	echo 
}

banner () {
	echo "Starting unix-privesc-check v$VERSION ( http://pentestmonkey.net/tools/unix-privesc-check )"
	echo
	echo "This script checks file permissions and other settings that could allow"
	echo "local users to escalate privileges."
	echo 
	echo "Use of this script is only permitted on systems which you have been granted" 
	echo "legal permission to perform a security assessment of.  Apart from this "
	echo "condition the GPL v2 applies."
	echo
	echo "Search the output below for the word 'WARNING'.  If you don't see it then"
	echo "this script didn't find any problems."
	echo 
}

MODE=$1

if [ ! "$MODE" = "standard" ] && [ ! "$MODE" = "detailed" ]; then
	usage
	exit 0
fi

# Parse any full paths from $1 (config files, progs, dirs).
# Check the permissions on each of these.
check_called_programs () {
	CCP_MESSAGE_STACK=$1
	CCP_FILE=$2
	CCP_USER=$3
	CCP_PATH=$4 # optional

	# Check the perms of the supplied file regardless
	# The caller doesn't want to have to call check_perms as well as check_called_programs
	check_perms "$CCP_MESSAGE_STACK" "$CCP_FILE" "$CCP_USER" "$CCP_PATH"

	# Skip the slow check if we're in quick mode
	if [ "$MODE" = "standard" ]; then
		return 0;
	fi

	# Check if file is text or not
	IS_TEXT=`file "$CCP_FILE" | grep -i text`
	IS_DYNBIN=`file "$CCP_FILE" | grep -i 'dynamically linked'`

	# Process shell scripts (would also work on config files that reference other files)
	if [ ! -z "$IS_TEXT" ]; then
		# Parse full paths from file - ignoring commented lines
		CALLED_FILES=`grep -v '^#' "$CCP_FILE" | sed -e 's/^[^\/]*//' -e 's/["'\'':}$]/\x0a/g' | grep '/' | sed -e 's/[ \*].*//' | grep '^/[a-zA-Z0-9_/-]*$' | sort -u`
		for CALLED_FILE in $CALLED_FILES; do
			# echo "$CCP_FILE contains a reference to $CALLED_FILE.  Checking perms."
			check_perms "$CCP_MESSAGE_STACK $CCP_FILE contains the string $CALLED_FILE." "$CALLED_FILE" "$CCP_USER" "$CCP_PATH"
		done
	else
		# Process dynamically linked binaries
		if [ ! -z "$IS_DYNBIN" ]; then
		
			CALLED_FILES=`ldd "$CCP_FILE" 2>/dev/null | grep '/' | sed 's/[^\/]*\//\//' | cut -f 1 -d ' '`
			for CALLED_FILE in $CALLED_FILES; do
				check_perms "$CCP_MESSAGE_STACK $CCP_FILE uses the library $CALLED_FILE." "$CALLED_FILE" "$CCP_USER" "$CCP_PATH"
			done
	
			# Strings binary to look for hard-coded config files 
			# or other programs that might be called.
			for CALLED_FILE in `strings "$CCP_FILE" | sed -e 's/^[^\/]*//' -e 's/["'\'':}$]/\x0a/g' | grep '/' | sed -e 's/[ \*].*//' | grep '^/[a-zA-Z0-9_/-]*$' | sort -u`; do
				check_perms "$CCP_MESSAGE_STACK $CCP_FILE contains the string $CALLED_FILE." "$CALLED_FILE" "$CCP_USER" "$CCP_PATH"
			done
		fi
	fi
}

# Parse any full paths from $1 (config files, progs, dirs).
# Check the permissions on each of these.
check_called_programs_suid () {
	CCP_FILE=$1
	CCP_PATH=$2 # optional

	get_owner $CCP_FILE; CCP_USER=$GET_OWNER_RETURN
	CCP_MESSAGE_STACK="$CCP_FILE is SUID $CCP_USER."
	LS=`ls -l $CCP_FILE`
	echo "Checking SUID-$CCP_USER program $CCP_FILE: $LS"

	# Don't check perms of executable itself
	# check_perms "$CCP_MESSAGE_STACK" "$CCP_FILE" "$CCP_USER" "$CCP_PATH"

	# Check if file is text or not
	IS_TEXT=`file "$CCP_FILE" | grep -i text`
	IS_DYNBIN=`file "$CCP_FILE" | grep -i 'dynamically linked'`

	# Process shell scripts (would also work on config files that reference other files)
	if [ ! -z "$IS_TEXT" ]; then
		# Skip the slow check if we're in quick mode
		if [ "$MODE" = "standard" ]; then
			return 0;
		fi

		# Parse full paths from file - ignoring commented lines
		CALLED_FILES=`grep -v '^#' "$CCP_FILE" | sed -e 's/^[^\/]*//' -e 's/["'\'':}$]/\x0a/g' | grep '/' | sed -e 's/[ \*].*//' | grep '^/[a-zA-Z0-9_/-]*$' | sort -u`
		for CALLED_FILE in $CALLED_FILES; do
			# echo "$CCP_FILE contains a reference to $CALLED_FILE.  Checking perms."
			check_perms "$CCP_MESSAGE_STACK $CCP_FILE contains the string $CALLED_FILE." "$CALLED_FILE" "$CCP_USER" "$CCP_PATH"
		done
	else
		# Process dynamically linked binaries
		if [ ! -z "$IS_DYNBIN" ]; then
		
			CALLED_FILES=`ldd "$CCP_FILE" 2>/dev/null | grep '/' | sed 's/[^\/]*\//\//' | cut -f 1 -d ' '`
			for CALLED_FILE in $CALLED_FILES; do
				check_perms "$CCP_MESSAGE_STACK $CCP_FILE uses the library $CALLED_FILE." "$CALLED_FILE" "$CCP_USER" "$CCP_PATH"
			done
	
			# Skip the slow check if we're in quick mode
			if [ "$MODE" = "standard" ]; then
				return 0;
			fi

			# Strings binary to look for hard-coded config files 
			# or other programs that might be called.
			for CALLED_FILE in `strings "$CCP_FILE" | sed -e 's/^[^\/]*//' -e 's/["'\'':}$]/\x0a/g' | grep '/' | sed -e 's/[ \*].*//' | grep '^/[a-zA-Z0-9_/-]*$' | sort -u`; do
				check_perms "$CCP_MESSAGE_STACK $CCP_FILE contains the string $CALLED_FILE." "$CALLED_FILE" "$CCP_USER" "$CCP_PATH"
			done
		fi
	fi
}

# Check if $1 can be changed by users who are not $2
check_perms () {
	CP_MESSAGE_STACK=$1
	CHECK_PERMS_FILE=$2
	CHECK_PERMS_USER=$3
	CHECK_PERMS_PATH=$4 # optional

	if [ ! -f "$CHECK_PERMS_FILE" ] && [ ! -d "$CHECK_PERMS_FILE" ] && [ ! -b "$CHECK_PERMS_FILE" ]; then
		CHECK_PERMS_FOUND=0
		if [ ! -z "$CHECK_PERMS_PATH" ]; then 
			# Look for it in the supplied path
			for DIR in `echo "$CHECK_PERMS_PATH" | sed 's/:/ /g'`; do
				if [ -f "$DIR/$CHECK_PERMS_FILE" ]; then
					CHECK_PERMS_FOUND=1
					CHECK_PERMS_FILE="$DIR/$CHECK_PERMS_FILE"
					break
				fi
			done
		fi
	
		#if [ "$CHECK_PERMS_FOUND" = "0" ]; then
		#	echo "ERROR: File $CHECK_PERMS_FILE doesn't exist.  Checking parent path anyway."
		#	# return 0
		# fi
	fi

	C=`echo "$CHECK_PERMS_FILE" | cut -c 1`
	if [ ! "$C" = "/" ]; then
		echo "ERROR: Can't find absolute path for $CHECK_PERMS_FILE.  Skipping."
		return 0
	fi

	echo "    Checking if anyone except $CHECK_PERMS_USER can change $CHECK_PERMS_FILE"

	while [ -n "$CHECK_PERMS_FILE" ]; do
		perms_secure "$CP_MESSAGE_STACK" $CHECK_PERMS_FILE $CHECK_PERMS_USER
		CHECK_PERMS_FILE=`echo $CHECK_PERMS_FILE | sed 's/\/[^\/]*$//'`
	done
}

# Check if $1 can be read by users who are not $2
check_read_perms () {
	CP_MESSAGE_STACK=$1
	CHECK_PERMS_FILE=$2
	CHECK_PERMS_USER=$3

	if [ ! -f "$CHECK_PERMS_FILE" ] && [ ! -b "$CHECK_PERMS_FILE" ]; then
		echo "ERROR: File $CHECK_PERMS_FILE doesn't exist"
		return 0
	fi

	echo "    Checking if anyone except $CHECK_PERMS_USER can read file $CHECK_PERMS_FILE"

	perms_secure_read "$CP_MESSAGE_STACK" "$CHECK_PERMS_FILE" "$CHECK_PERMS_USER"
}

perms_secure_read () {
	PS_MESSAGE_STACK=$1
	PERMS_SECURE_FILE=$2
	PERMS_SECURE_USER=$3

	if [ ! -b "$PERMS_SECURE_FILE" ] && [ ! -f "$PERMS_SECURE_FILE" ] && [ ! -d "$PERMS_SECURE_FILE" ]; then
		echo "ERROR: No such file or directory: $PERMS_SECURE_FILE.  Skipping."
		return 0
	fi

	# Check if owner is different (but ignore root ownership, that's OK)
	only_user_can_read "$PS_MESSAGE_STACK" $PERMS_SECURE_FILE $PERMS_SECURE_USER
	
	# Check group read perm (but ignore root group, that's OK)
	group_can_read "$PS_MESSAGE_STACK" $PERMS_SECURE_FILE $PERMS_SECURE_USER

	# Check world read perm 
	world_can_read "$PS_MESSAGE_STACK" $PERMS_SECURE_FILE
}

perms_secure () {
	PS_MESSAGE_STACK=$1
	PERMS_SECURE_FILE=$2
	PERMS_SECURE_USER=$3

	if [ ! -d "$PERMS_SECURE_FILE" ] && [ ! -f "$PERMS_SECURE_FILE" ] && [ ! -b "$PERMS_SECURE_FILE" ]; then
		# echo "ERROR: No such file or directory: $PERMS_SECURE_FILE.  Skipping."
		return 0
	fi

	# Check if owner is different (but ignore root ownership, that's OK)
	only_user_can_write "$PS_MESSAGE_STACK" $PERMS_SECURE_FILE $PERMS_SECURE_USER
	
	# Check group write perm (but ignore root group, that's OK)
	group_can_write "$PS_MESSAGE_STACK" $PERMS_SECURE_FILE $PERMS_SECURE_USER

	# Check world write perm 
	world_can_write "$PS_MESSAGE_STACK" $PERMS_SECURE_FILE
}

only_user_can_write () {
	O_MESSAGE_STACK=$1
	O_FILE=$2
	O_USER=$3

	# We just need to check the owner really as the owner
	# can always grant themselves write access
	get_owner $O_FILE; O_FILE_USER=$GET_OWNER_RETURN
	if [ ! "$O_USER" = "$O_FILE_USER" ] && [ ! "$O_FILE_USER" = "root" ]; then
		echo "WARNING: $O_MESSAGE_STACK The user $O_FILE_USER can write to $O_FILE"
	fi
}

group_can_write () {
	O_MESSAGE_STACK=$1
	O_FILE=$2
	O_USER=$3 # ignore group write access $3 is only member of group

	get_group $O_FILE; O_FILE_GROUP=$GET_GROUP_RETURN
	P=`ls -lLd $O_FILE | cut -c 6`
	if [ "$P" = "w" ] && [ ! "$O_GROUP" = "root" ]; then
		# check the group actually has some members other than $O_USER
		group_has_other_members "$O_FILE_GROUP" "$O_USER"; # sets OTHER_MEMBERS to 1 or 0
		if [ "$OTHER_MEMBERS" = "1" ]; then
			echo "WARNING: $O_MESSAGE_STACK The group $O_FILE_GROUP can write to $O_FILE"
		fi
	fi
}

group_has_other_members () {
	G_GROUP=$1
	G_USER=$2

	# If LDAP/NIS is being used this script can't check group memberships
	# we therefore assume the worst.
	if [ "$EXT_AUTH" = 1 ]; then
		OTHER_MEMBERS=1
		return 1
	fi

	GROUP_LINE=`grep "^$G_GROUP:" /etc/group`
	MEMBERS=`echo "$GROUP_LINE" | cut -f 4 -d : | sed 's/,/ /g'`

	GID=`echo "$GROUP_LINE" | cut -f 3 -d :`
	EXTRA_MEMBERS=`grep "^[^:]*:[^:]*:[0-9]*:$GID:" /etc/passwd | cut -f 1 -d : | xargs echo`

	for M in $MEMBERS; do
		if [ ! "$M" = "$G_USER" ] && [ ! "$M" = "root" ]; then
			OTHER_MEMBERS=1
			return 1
		fi
	done

	for M in $EXTRA_MEMBERS; do
		if [ ! "$M" = "$G_USER" ] && [ ! "$M" = "root" ]; then
			OTHER_MEMBERS=1
			return 1
		fi
	done

	OTHER_MEMBERS=0
	return 0
}

world_can_write () {
	O_MESSAGE_STACK=$1
	O_FILE=$2

	P=`ls -lLd $O_FILE | cut -c 9`
	S=`ls -lLd $O_FILE | cut -c 10`

	if [ "$P" = "w" ]; then
		if [ "$S" = "t" ]; then
			echo "WARNING: $O_MESSAGE_STACK World write is set for $O_FILE (but sticky bit set)"
		else
			echo "WARNING: $O_MESSAGE_STACK World write is set for $O_FILE"
		fi
	fi
}

only_user_can_read () {
	O_MESSAGE_STACK=$1
	O_FILE=$2
	O_USER=$3

	# We just need to check the owner really as the owner
	# can always grant themselves read access
	get_owner $O_FILE; O_FILE_USER=$GET_OWNER_RETURN
	if [ ! "$O_USER" = "$O_FILE_USER" ] && [ ! "$O_FILE_USER" = "root" ]; then
		echo "WARNING: $O_MESSAGE_STACK The user $O_FILE_USER can read $O_FILE"
	fi
}

group_can_read () {
	O_MESSAGE_STACK=$1
	O_FILE=$2
	O_USER=$3

	get_group $O_FILE; O_FILE_GROUP=$GET_GROUP_RETURN
	P=`ls -lLd $O_FILE | cut -c 5`
	if [ "$P" = "r" ] && [ ! "$O_GROUP" = "root" ]; then
		# check the group actually has some members other than $O_USER
		group_has_other_members "$O_FILE_GROUP" "$O_USER"; # sets OTHER_MEMBERS to 1 or 0
		if [ "$OTHER_MEMBERS" = "1" ]; then
			echo "WARNING: $O_MESSAGE_STACK The group $O_FILE_GROUP can read $O_FILE"
		fi
	fi
}

world_can_read () {
	O_MESSAGE_STACK=$1
	O_FILE=$2

	P=`ls -lLd $O_FILE | cut -c 8`

	if [ "$P" = "w" ]; then
		echo "WARNING: $O_MESSAGE_STACK World read is set for $O_FILE"
	fi
}

section () {
	echo
	echo '############################################'
	echo $1
	echo '############################################'
}

# Guess OS
if [ -x /usr/bin/showrev ]; then
	OS="solaris"
	SHADOW="/etc/shadow"
elif [ -x /usr/sbin/sam -o -x /usr/bin/sam ]; then
	OS="hpux"
	SHADOW="/etc/shadow"
elif [ -f /etc/master.passwd ]; then
	OS="bsd"
	SHADOW="/etc/master.passwd"
else
	OS="linux"
	SHADOW="/etc/shadow"
fi
echo "Assuming the OS is: $OS"
CONFIG_FILES="$CONFIG_FILES $SHADOW"

# Set path so we can access usual directories.  HPUX and some linuxes don't have sbin in the path.
PATH=$PATH:/usr/bin:/bin:/sbin:/usr/sbin; export PATH

# Check dependent programs are installed
# Assume "which" is installed!
PROGS="ls awk grep cat mount xargs file ldd strings"
for PROG in $PROGS; do
	which $PROG 2>&1 > /dev/null
	if [ ! $? = "0" ]; then
		echo "ERROR: Dependend program '$PROG' is mising.  Can't run.  Sorry!"
		exit 1
	fi
done

banner

section "Recording hostname"
hostname

section "Recording uname"
uname -a

section "Recording Interface IP addresses"
if [ $OS = 'hpux' ]; then
	for IFACE in `lanscan | grep x | awk '{print $5}' 2>/dev/null`; do
		ifconfig $IFACE 2>/dev/null
	done
else
	ifconfig -a
fi

section "Checking if external authentication is allowed in /etc/passwd"
FLAG=`grep '^+:' /etc/passwd`
if [ -n "$FLAG" ]; then
	echo "WARNING: /etc/passwd allows external authentcation:"
	grep '^+:' /etc/passwd
	EXT_AUTH=1
else
	echo "No +:... line found in /etc/passwd"
fi

section "Checking nsswitch.conf for addition authentication methods"
if [ -r "/etc/nsswitch.conf" ]; then
	NIS=`grep '^passwd' /etc/nsswitch.conf  | grep 'nis'`
	if [ -n "$NIS" ]; then
		echo "WARNING: NIS is used for authentication on this system"
		EXT_AUTH=1
	fi
	LDAP=`grep '^passwd' /etc/nsswitch.conf  | grep 'ldap'`
	if [ -n "$LDAP" ]; then
		echo "WARNING: LDAP is used for authentication on this system"
		EXT_AUTH=1
	fi

	if [ -z "$NIS" ] && [ -z "$LDAP" ]; then
		echo "Neither LDAP nor NIS are used for authentication"
	fi
else
	echo "ERROR: File /etc/nsswitch.conf isn't readable.  Skipping checks."
fi

# Check important config files aren't writable
section "Checking for writable config files"
for FILE in $CONFIG_FILES; do
	if [ -f "$FILE" ]; then
		check_perms "$FILE is a critical config file." "$FILE" root
	fi
done

section "Checking if $SHADOW is readable"
check_read_perms "/etc/shadow holds authentication data" $SHADOW root

section "Checking for password hashes in /etc/passwd"
FLAG=`grep -v '^[^:]*:[x\*]*:' /etc/passwd | grep -v '^#'`
if [ -n "$FLAG" ]; then
	echo "WARNING: There seem to be some password hashes in /etc/passwd"
	grep -v '^[^:]*:[x\*]*:' /etc/passwd | grep -v '^#'
	EXT_AUTH=1
else
	echo "No password hashes found in /etc/passwd"
fi

section "Checking account settings"
# Check for something nasty like r00t::0:0::/:/bin/sh in /etc/passwd
# We only need read access to /etc/passwd to be able to check this.
if [ -r "/etc/passwd" ]; then
	OPEN=`grep "^[^:][^:]*::" /etc/passwd | cut -f 1 -d ":"`
	if [ -n "$OPEN" ]; then
		echo "WARNING: The following accounts have no password:"
		grep "^[^:][^:]*::" /etc/passwd | cut -f 1 -d ":"
	fi
fi
if [ -r "$SHADOW" ]; then
	echo "Checking for accounts with no passwords"
	if [ "$OS" = "linux" ]; then
		passwd -S -a | while read LINE
		do
			USER=`echo "$LINE" | awk '{print $1}'`
			STATUS=`echo "$LINE" | awk '{print $2}'`
			if [ "$STATUS" = "NP" ]; then
				echo "WARNING: User $USER doesn't have a password"
			fi
		done
	elif [ "$OS" = "solaris" ]; then
		passwd -s -a | while read LINE
		do
			USER=`echo "$LINE" | awk '{print $1}'`
			STATUS=`echo "$LINE" | awk '{print $2}'`
			if [ "$STATUS" = "NP" ]; then
				echo "WARNING: User $USER doesn't have a password"
			fi
		done
	fi
else
	echo "File $SHADOW isn't readable.  Skipping some checks."
fi

section "Checking library directories from /etc/ld.so.conf"
if [ -f "/etc/ld.so.conf" ] && [ -r "/etc/ld.so.conf" ]; then
	for DIR in `grep '^/' /etc/ld.so.conf`; do
		check_perms "$DIR is in /etc/ld.so.conf." $DIR root
	done

	#FILES=`grep '^include' /etc/ld.so.conf | sed 's/^include *//'`
	#if [ ! -z "$FILES" ]; then
	#	for DIR in `echo $FILES | xargs cat | sort -u`; do
	#	done
	#fi
else
	echo "File /etc/ld.so.conf not present.  Skipping checks."
fi

# Check sudoers if we have permission - needs root normally
section "Checking sudo configuration"
if [ -f "/etc/sudoers" ] && [ -r "/etc/sudoers" ]; then
	echo -----------------
	echo "Checking if sudo is configured"
	SUDO_USERS=`grep -v '^#' /etc/sudoers | grep -v '^[ \t]*$' | grep -v '^[ \t]*Default' | grep =`
	if [ ! -z "$SUDO_USERS" ]; then
		echo "WARNING: Sudo is configured.  Manually check nothing unsafe is allowed:"
		grep -v '^#' /etc/sudoers | grep -v '^[ \t]*$' | grep = | grep -v '^[ \t]*Default'
	fi

	echo -----------------
	echo "Checking sudo users need a password"
	SUDO_NOPASSWD=`grep -v '^#' /etc/sudoers | grep -v '^[ \t]*$' | grep NOPASSWD`
	if [ ! -z "$SUDO_NOPASSWD" ]; then
		echo "WARNING: Some users can use sudo without a password:"
		grep -v '^#' /etc/sudoers | grep -v '^[ \t]*$' | grep NOPASSWD
	fi
else
	echo "File /etc/sudoers not present.  Skipping checks."
fi

section "Checking permissions on swap file(s)"
for SWAP in `swapon -s | grep -v '^Filename' | cut -f 1 -d ' '`; do
	check_perms "$SWAP is used for swap space." $SWAP root	
	check_read_perms "$SWAP is used for swap space." $SWAP root	
done

section "Checking programs run from inittab"
if [ -f "/etc/inittab" ] && [ -r "/etc/inittab" ]; then
	for FILE in `cat /etc/inittab | grep : | grep -v '^#' | cut -f 4 -d : | grep '/' | cut -f 1 -d ' ' | sort -u`; do
		check_called_programs "$FILE is run from /etc/inittab as root." $FILE root
	done
else
	echo "File /etc/inittab not present.  Skipping checks."
fi

section "Checking postgres trust relationships"
for DIR in $PGDIRS; do
	if [ -d "$DIR" ] && [ -r "$DIR/pg_hba.conf" ]; then
		grep -v '^#' "$DIR/pg_hba.conf" | grep -v '^[ \t]*$' | while read LINE
		do
			AUTH=`echo "$LINE" | awk '{print $NF}'`
			if [ "$AUTH" = "trust" ]; then
				PGTRUST=1
				echo "WARNING: Postgres trust configured in $DIR/pg_hba.conf: $LINE"
			fi
		done
	fi
done

PGVER1=`psql -U postgres template1 -c 'select version()' 2>/dev/null | grep version`

if [ -n "$PGVER1" ]; then 
	PGTRUST=1
	echo "WARNING: Can connect to local postgres database as \"postgres\" without a password"
fi

PGVER2=`psql -U pgsql template1 -c 'select version()' 2>/dev/null | grep version`

if [ -n "$PGVER2" ]; then 
	PGTRUST=1
	echo "WARNING: Can connect to local postgres database as \"pgsql\" without a password"
fi

if [ -z "$PGTRUST" ]; then
	echo "No postgres trusts detected"
fi

# Check device files for mounted file systems are secure
# cat /proc/mounts | while read LINE # Doesn't work so well when LVM is used - need to be root
section "Checking permissions on device files for mounted partitions"
if [ "$OS" = "linux" ]; then
	mount | while read LINE
	do
		DEVICE=`echo "$LINE" | awk '{print $1}'`
		FS=`echo "$LINE" | awk '{print $5}'`
		if [ "$FS" = "ext2" ] || [ "$FS" = "ext3" ] ||[  "$FS" = "reiserfs" ]; then
			echo "Checking device $DEVICE"
			check_perms "$DEVICE is a mounted file system." $DEVICE root
		fi
	done
elif [ "$OS" = "bsd" ]; then
	mount | grep ufs | while read LINE
	do
		DEVICE=`echo "$LINE" | awk '{print $1}'`
		echo "Checking device $DEVICE"
		check_perms "$DEVICE is a mounted file system." $DEVICE root
	done
elif [ "$OS" = "solaris" ]; then
	mount | grep xattr | while read LINE
	do
		DEVICE=`echo "$LINE" | awk '{print $3}'`
		if [ ! "$DEVICE" = "swap" ]; then
			echo "Checking device $DEVICE"
			check_perms "$DEVICE is a mounted file system." $DEVICE root
		fi
	done
elif [ "$OS" = "hpux" ]; then
	mount | while read LINE
	do
		DEVICE=`echo "$LINE" | awk '{print $3}'`
		C=`echo $DEVICE | cut -c 1`
		if [ "$C" = "/" ]; then
			echo "Checking device $DEVICE"
			check_perms "$DEVICE is a mounted file system." $DEVICE root
		fi
	done

	NFS=`mount | grep NFS`
	if [ -n "$NFS" ]; then
		echo "WARNING: This system is an NFS client.  Check for nosuid and nodev options."
		mount | grep NFS
	fi
fi

# Check cron jobs if they're readable
# TODO check that cron is actually running
section "Checking cron job programs aren't writable (/etc/crontab)"
CRONDIRS=""
if [ -f "/etc/crontab" ] && [ -r "/etc/crontab" ]; then
	MYPATH=`grep '^PATH=' /etc/crontab | cut -f 2 -d = `
	echo Crontab path is $MYPATH

	# Check if /etc/cron.(hourly|daily|weekly|monthly) are being used
	CRONDIRS=`grep -v '^#' /etc/crontab | grep -v '^[ \t]*$' | grep '[ \t][^ \t][^ \t]*[ \t][ \t]*' | grep run-crons`

	# Process run-parts
	grep -v '^#' /etc/crontab | grep -v '^[ \t]*$' | grep '[ \t][^ \t][^ \t]*[ \t][ \t]*' | grep run-parts | while read LINE
	do
		echo "Processing crontab run-parts entry: $LINE"
		USER=`echo "$LINE" | awk '{print $6}'`
		DIR=`echo "$LINE" | sed 's/.*run-parts[^()&|;\/]*\(\/[^ ]*\).*/\1/'`
		check_perms "$DIR holds cron jobs which are run as $USER." "$DIR" "$USER"
		if [ -d "$DIR" ]; then
			echo "    Checking directory: $DIR"
			for FILE in $DIR/*; do
				FILENAME=`echo "$FILE" | sed 's/.*\///'`
				if [ "$FILENAME" = "*" ]; then 
					echo "    No files in this directory."
					continue
				fi
				check_called_programs "$FILE is run by cron as $USER." "$FILE" "$USER"
			done
		fi
	done

	# TODO bsd'd periodic:
	# 1       3       *       *       *       root    periodic daily
	# 15      4       *       *       6       root    periodic weekly
	# 30      5       1       *       *       root    periodic monthly

	grep -v '^#' /etc/crontab | grep -v '^[ 	]*$' | grep '[ 	][^ 	][^ 	]*[ 	][ 	]*' | while read LINE
	do 
		echo "Processing crontab entry: $LINE"
		USER=`echo "$LINE" | awk '{print $6}'`
		PROG=`echo "$LINE" | awk '{print $7}'`
		check_called_programs "$PROG is run from crontab as $USER." $PROG $USER $MYPATH
	done
else
	echo "File /etc/crontab not present.  Skipping checks."
fi

# Do this if run-crons is run from /etc/crontab
if [ -n "$CRONDIRS" ]; then
	USER=`echo "$CRONDIRS" | awk '{print $6}'`
	section "Checking /etc/cron.(hourly|daily|weekly|monthly)"
	for DIR in hourly daily weekly monthly; do
		if [ -d "/etc/cron.$DIR" ]; then
			echo "    Checking directory: /etc/cron.$DIR"
			for FILE in /etc/cron.$DIR/*; do
				FILENAME=`echo "$FILE" | sed 's/.*\///'`
				if [ "$FILENAME" = "*" ]; then 
					echo "No files in this directory."
					continue
				fi
				check_called_programs "$FILE is run via cron as $USER." "$FILE" $USER
			done
		fi
	done
fi

section "Checking cron job programs aren't writable (/var/spool/cron/crontabs)"
if [ -d "/var/spool/cron/crontabs" ]; then
	for FILE in /var/spool/cron/crontabs/*; do 
		USER=`echo "$FILE" | sed 's/^.*\///'`
		if [ "$USER" = "*" ]; then
			echo "No user crontabs found in /var/spool/cron/crontabs.  Skipping checks."
			continue
		fi
		echo "Processing crontab for $USER: $FILE"
		if [ -r "$FILE" ]; then
			MYPATH=`grep '^PATH=' "$FILE" | cut -f 2 -d = `
			if [ -n "$MYPATH" ]; then
				echo Crontab path is $MYPATH
			fi
			grep -v '^#' "$FILE" | grep -v '^[ \t]*$' | grep '[ \t][^ \t][^ \t]*[ \t][ \t]*' | while read LINE
			do 
				echo "Processing crontab entry: $LINE"
				PROG=`echo "$LINE" | awk '{print $6}'`
				check_called_programs "$PROG is run via cron as $USER." "$PROG" $USER
			done
		else
			echo "ERROR: Can't read file $FILE"
		fi
	done
else
	echo "Directory /var/spool/cron/crontabs is not present.  Skipping checks."
fi

section "Checking cron job programs aren't writable (/var/spool/cron/tabs)"
if [ -d "/var/spool/cron/tabs" ]; then
	for FILE in /var/spool/cron/tabs/*; do 
		USER=`echo "$FILE" | sed 's/^.*\///'`
		if [ "$USER" = "*" ]; then
			echo "No user crontabs found in /var/spool/cron/crontabs.  Skipping checks."
			continue
		fi
		echo "Processing crontab for $USER: $FILE"
		if [ -r "$FILE" ]; then
			MYPATH=`grep '^PATH=' "$FILE" | cut -f 2 -d = `
			if [ -n "$MYPATH" ]; then
				echo Crontab path is $MYPATH
			fi
			grep -v '^#' "$FILE" | grep -v '^[ \t]*$' | grep '[ \t][^ \t][^ \t]*[ \t][ \t]*' | while read LINE
			do 
				echo "Processing crontab entry: $LINE"
				PROG=`echo "$LINE" | awk '{print $6}'`
				check_called_programs "$PROG is run from cron as $USER." $PROG $USER $MYPATH
			done
		else
			echo "ERROR: Can't read file $FILE"
		fi
	done
else
	echo "Directory /var/spool/cron/tabs is not present.  Skipping checks."
fi

# Check programs run from /etc/inetd.conf have secure permissions
# TODO: check inetd is actually running
section "Checking inetd programs aren't writable"
if [ -f /etc/inetd.conf ] && [ -r /etc/inetd.conf ]; then
	grep -v '^#' /etc/inetd.conf | grep -v '^[ \t]*$' | while read LINE
	do 
		USER=`echo $LINE | awk '{print $5}'`
		PROG=`echo $LINE | awk '{print $6}'`  # could be tcpwappers ...
		PROG2=`echo $LINE | awk '{print $7}'` # ... and this is the real prog
		if [ -z "$PROG" ] || [ "$PROG" = "internal" ]; then
			# Not calling an external program
			continue
		fi
		echo Processing inetd line: $LINE
		if [ -f "$PROG" ]; then
			check_called_programs "$PROG is run from inetd as $USER." $PROG $USER
		fi
		if [ -f "$PROG2" ]; then
			check_called_programs "$PROG is run from inetd as $USER." $PROG2 $USER
		fi
	done
else
	echo "File /etc/inetd.conf not present.  Skipping checks."
fi

# Check programs run from /etc/xinetd.d/*
# TODO: check xinetd is actually running
section "Checking xinetd programs aren't writeable"
if [ -d /etc/xinetd.d ]; then
	for FILE in `grep 'disable[ \t]*=[ \t]*no' /etc/xinetd.d/* | cut -f 1 -d :`; do
		echo Processing xinetd service file: $FILE
		PROG=`grep '^[ \t]*server[ \t]*=[ \t]*' $FILE | sed 's/.*server.*=[ \t]*//'`
		USER=`grep '^[ \t]*user[ \t]*=[ \t]*' $FILE | sed 's/.*user.*=[ \t]*//'`
		check_called_programs "$PROG is run from xinetd as $USER." $PROG $USER
	done
else
	echo "Directory /etc/xinetd.d not present.  Skipping checks."
fi

# Check for writable home directories
section "Checking home directories aren't writable"
cat /etc/passwd | grep -v '^#' | while read LINE
do
	echo Processing /etc/passwd line: $LINE
	USER=`echo $LINE | cut -f 1 -d :`
	DIR=`echo $LINE | cut -f 6 -d :`
	SHELL=`echo $LINE | cut -f 7 -d :`
	if [ "$SHELL" = "/sbin/nologin" ] || [ "$SHELL" = "/bin/false" ]; then
		echo "    Skipping user $USER.  They don't have a shell."
	else
		if [ "$DIR" = "/dev/null" ]; then
			echo "    Skipping /dev/null home directory"
		else
			check_perms "$DIR is the home directory of $USER." $DIR $USER
		fi
	fi
done

# Check for readable files in home directories
section "Checking for readable sensitive files in home directories"
cat /etc/passwd | while read LINE
do
	USER=`echo $LINE | cut -f 1 -d :`
	DIR=`echo $LINE | cut -f 6 -d :`
	SHELL=`echo $LINE | cut -f 7 -d :`
	for FILE in $HOME_DIR_FILES; do
		if [ -f "$DIR/$FILE" ]; then
			check_read_perms "$DIR/$FILE is in the home directory of $USER." "$DIR/$FILE" $USER 
		fi
	done
done

section "Checking SUID programs"
if [ "$MODE" = "detailed" ]; then
	for FILE in `find / -type f -perm -04000 2>/dev/null`; do
		check_called_programs_suid $FILE 
	done
else
	echo "Skipping checks of SUID programs (it's slow!).  Run again in 'detailed' mode."
fi

# Check for private SSH keys in home directories
section "Checking for Private SSH Keys home directories"
for HOMEDIR in `cut -f 6 -d : /etc/passwd`; do 
	if [ -d "$HOMEDIR/.ssh" ]; then 
		PRIV_KEYS=`grep -l 'BEGIN [RD]SA PRIVATE KEY' $HOMEDIR/.ssh/* 2>/dev/null`
		if [ -n "$PRIV_KEYS" ]; then 
			for KEY in $PRIV_KEYS; do
				ENC_KEY=`grep -l 'ENCRYPTED' "$KEY" 2>/dev/null`
				if [ -n "$ENC_KEY" ]; then
					echo "WARNING: Encrypted Private SSH Key Found in $KEY"
				else
					echo "WARNING: Unencrypted Private SSH Key Found in $KEY"
				fi
			done
		fi
	fi  
done

# Check for public SSH keys in home directories
section "Checking for Public SSH Keys home directories"
for HOMEDIR in `cut -f 6 -d : /etc/passwd`; do 
	if [ -r "$HOMEDIR/.ssh/authorized_keys" ]; then 
		KEYS=`grep '^ssh-' $HOMEDIR/.ssh/authorized_keys 2>/dev/null`
		if [ -n "$KEYS" ]; then 
			echo "WARNING: Public SSH Key Found in $HOMEDIR/.ssh/authorized_keys"
		fi
	fi  
done

# Check for any SSH agents running on the box
section "Checking for SSH agents"
AGENTS=`ps -ef | grep ssh-agent | grep -v grep`
if [ -n "$AGENTS" ]; then
	echo "WARNING: There are SSH agents running on this system:"
	ps -ef | grep ssh-agent | grep -v grep
	# for PID in `ps aux | grep ssh-agent | grep -v grep | awk '{print $2}'`; do
	for SOCK in `ls /tmp/ssh-*/agent.* 2>/dev/null`; do
		SSH_AUTH_SOCK=$SOCK; export SSH_AUTH_SOCK
		AGENT_KEYS=`ssh-add -l | grep -v 'agent has no identities.' 2>/dev/null`
		if [ -n "$AGENT_KEYS" ]; then
			echo "WARNING: SSH Agent has keys loaded [SSH_AUTH_SOCK=$SSH_AUTH_SOCK]"
			ssh-add -l
		fi
	done
else
	echo "No SSH agents found"
fi

# Check for any GPG agents running on the box
section "Checking for GPG agents"
AGENTS=`ps -ef | grep gpg-agent | grep -v grep`
if [ -n "$AGENTS" ]; then
	echo "WARNING: There are GPG agents running on this system:"
	ps aux | grep gpg-agent | grep -v grep
else
	echo "No GPG agents found"
fi

# Check files in /etc/init.d/* can't be modified by non-root users
section "Checking startup files (init.d / rc.d) aren't writable"
for DIR in /etc/init.d /etc/rc.d /usr/local/etc/rc.d; do
	if [ -d "$DIR" ]; then
		for FILE in $DIR/*; do
	                F=`echo "$FILE" | sed 's/^.*\///'`
	                if [ "$F" = "*" ]; then
	                        echo "No user startup script found in $DIR.  Skipping checks."
	                        continue
	                fi
			echo Processing startup script $FILE
			check_called_programs "$FILE is run by root at startup." $FILE root
		done
	fi
done

section "Checking if running programs are writable"
if [ $OS = "solaris" ]; then
	# use the output of ps command
	ps -ef -o user,comm | while read LINE
	do
		USER=`echo "$LINE" | awk '{print $1}'`
		PROG=`echo "$LINE" | awk '{print $2}'`
		check_called_programs "$PROG is currently running as $USER." "$PROG" "$USER"
	done
elif [ $OS = "bsd" ]; then
	# use the output of ps command
	ps aux | while read LINE
	do
		USER=`echo "$LINE" | awk '{print $1}'`
		PROG=`echo "$LINE" | awk '{print $11}'`
		check_called_programs "$PROG is currently running as $USER." "$PROG" "$USER"
	done
elif [ $OS = "hpux" ]; then
	# use the output of ps command
	ps -ef | while read LINE
	do
		USER=`echo "$LINE" | awk '{print $1}'`
		PROG1=`echo "$LINE" | awk '{print $8}'`
		PROG2=`echo "$LINE" | awk '{print $9}'`
		if [ -f "$PROG1" ]; then
			check_called_programs "$PROG is currently running as $USER." "$PROG1" "$USER"
		fi
		if [ -f "$PROG2" ]; then
			check_called_programs "$PROG is currently running as $USER." "$PROG2" "$USER"
		fi
	done
elif [ $OS = "linux" ]; then
	# use the /proc file system
	for PROCDIR in /proc/[0-9]*; do 
		unset PROGPATH
		PID=`echo $PROCDIR | cut -f 3 -d /`
		echo ------------------------
		echo "PID:           $PID"
		if [ -d "$PROCDIR" ]; then
			if [ -r "$PROCDIR/exe" ]; then
				PROGPATH=`ls -l "$PROCDIR/exe" 2>&1 | sed 's/ (deleted)//' | awk '{print $NF}'`
			else
				if [ -r "$PROCDIR/cmdline" ]; then
					P=`cat $PROCDIR/cmdline | tr "\0" = | cut -f 1 -d = | grep '^/'`
					if [ -z "$P" ]; then
						echo "ERROR: Can't find full path of running program: "`cat $PROCDIR/cmdline`
					else
						PROGPATH=$P
					fi
				else
					echo "ERROR: Can't find full path of running program: "`cat $PROCDIR/cmdline`
					continue
				fi
			fi
			get_owner $PROCDIR; OWNER=$GET_OWNER_RETURN
			echo "Owner:         $OWNER"
		else
			echo "ERROR: Can't find OWNER.  Process has gone."
			continue
		fi
	
		if [ -n "$PROGPATH" ]; then
			get_owner $PROGPATH; PROGOWNER=$GET_OWNER_RETURN
			echo "Program path:  $PROGPATH"
			check_called_programs "$PROGPATH is currently running as $OWNER." $PROGPATH $OWNER
		fi

		if [ "$MODE" == "detailed" ]; then
			for FILE in $PROCDIR/fd/*; do
		                F=`echo "$FILE" | sed 's/^.*\///'`
		                if [ "$F" = "*" ]; then
		                        continue
		                fi
				check_perms "$FILE is an open file descriptor for process $PID running as $OWNER." $FILE $OWNER
			done
		fi
	done
fi