forked from vpereira/seccheck
-
Notifications
You must be signed in to change notification settings - Fork 0
/
security-daily.sh
executable file
·103 lines (78 loc) · 2.19 KB
/
security-daily.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
#!/bin/sh
####
#
# SuSE daily security check v2.0 by Marc Heuse <marc@suse.de>
#
# most code was ripped from the OpenBSD /etc/security script ;-)
#
####
#
# TODO: maybe directory writable checks for jobs run in crontab
#
MY_DIR=$(dirname $(readlink -f $0))
. $MY_DIR/basic.inc
. $MY_DIR/helper.inc
. $MY_DIR/security_daily_helper.inc
. $MY_DIR/user_group_password_helper.inc
set_tmpdir "security-daily.sh"
trap 'rm -rf $TMPDIR; exit 1' 0 1 2 3 13 15
LOG="$TMPDIR/security.log"
ERR="$TMPDIR/security.err"
OUT="$TMPDIR/security.out"
TMP1="$TMPDIR/security.tmp1"
TMP2="$TMPDIR/security.tmp2"
# /etc/passwd check
check_passwd
# /etc/shadow check
check_shadow
# /etc/group checking
check_group
# checking root's login scrips for secure path and umask
check_root_login_scripts
# Misc. file checks
# root/uucp/bin/daemon etc. should be in /etc/ftpusers.
check_ftpusers
# executables should not be in the /etc/aliases file.
no_exec_in_etcaliases
# Files that should not have + signs.
check_no_plus
# .rhosts check
check_rhosts
# Check home directories. Directories should not be owned by someone else
# or writeable.
check_home_directories_owners
# Files that should not be owned by someone else or writeable.
check_special_files_owner
# Mailboxes should be owned by user and unreadable.
check_mailboxes_owned_by_user_and_unreadable
# File systems should not be globally exported.
check_for_globally_exported_fs
# check remote and local devices
check_promisc
# list loaded modules
list_loaded_kernel_modules
# nfs mounts with missing nosuid
nfs_mounted_with_missing_nosuid
# display programs with bound sockets
display_programs_with_bound_sockets
# ASLR should be enabled per default. it randomizes the heap, stack and load addresses of dynamically linked
#libraries.
check_ASLR_enabled
# to avoid kernel internal address to be leaked via log files
# kernel internal address are useful for exploit writers
check_leak_kernel_internal_addresses
# check xinetd running services
check_xinetd_services
# check systemd running services
check_systemd_services
# check changes on sysctl
check_sysctl
# check if sysctl security options are set
check_specifics_sysctl
####
#
# Cleaning up
#
rm -rf "$TMPDIR"
exit 0
# END OF SCRIPT