tiger 1:3.2.3-10 / usr / lib / tiger / scripts / check_finddeleted

This file is indexed.

/usr/lib/tiger/scripts/check_finddeleted is in tiger 1:3.2.3-10.

This file is owned by root:root, with mode 0o755.

The actual contents of the file can be viewed below. 

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
#!/bin/sh
#
#     tiger - A UN*X security checking system
#     Copyright (C) 2002 Javier Fernandez-Sanguino
#
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 2, or (at your option)
#    any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#     Please see the file `COPYING' for the complete copyright notice.
#
# check_findeleted - 16 April 2003
#
# This script will check if deleted files are being used by any process
# in the current system. This is somewhat usual behaviour for some applications
# but it might also be an indication of:
#  a) an intruder launching processes and then deleting its files so that
#     the admin does not notice it.
#  b) servers which have been patched after an updated but have not been
#     restarted and are, thus, using removed library files and are still
#     vulnerable.
#
# DATE 	NAME 	DESCRIPTION_OF_CHANGES
# 03/01/2004 - jfs - Fix error in lsof temporary file creation
#              (Debian bug #235951)
# 02/25/2004 - jfs - Fix error in safe_temp call
# 02/24/2004 - jfs - Do not operate over 'CHR' file types to avoid false
#              positives (Closes Debian bug #232704). 
#              Reduce verbosity by joining multiple messages into a
#              single one (Closes Debian Bug #231148)
#              Also simplify calls to improve performance.
# 09/13/2003 - jfs - Applied patch from Nicholas François to fix an error
#              which might allow some rogue processes to slip by
# 08/08/2003 - jfs - Avoided race conditions.
# 04/16/2002 - jfs - First version based on Brian Hatch's articles
#              (http://www.hackinglinuxexposed.com/articles/20020507.html)
# 04/17/2002 - jfs - Use safe delete() instead of $RM
#
#-----------------------------------------------------------------------------
#
# TODO:
# - Consider generating one message per command instead of per file
#   (better for reporting but worst for the .ignore mechanism)
#
# NOTES:
#
# A generic way to remove these messages for a given directory 
# DIR of PROGRAM would be:
#
# Program PROGRAM .* is using a deleted file: .*DIR.*
#
# Add that line to your configuration's tiger.ignore file and the
# messages will not appear in the reports.
# 
# Just for reference, there are a number of services that run with deleted
# files frequently, this includes (in Linux) things like gconfd-2,
# MozillaFirebird (stuff under  the user's .phoenix dir) and
# some applications that make use of /dev/null or /dev/console
# (I don't know why lsof flags those as "deleted", but they have been removed
# from the script)
#
#-----------------------------------------------------------------------------
#
# This is the directory Tiger is installed on
TigerInstallDir="/usr/lib/tiger"

#
# Set default base directory.
# Order or preference:
#      -B option
#      TIGERHOMEDIR environment variable
#      TigerInstallDir installed location
#
basedir=${TIGERHOMEDIR:=$TigerInstallDir}

for parm
do
   case $parm in
   -B) basedir=$2; break;;
   esac
done

#
# Verify that a config file exists there, and if it does
# source it.
#
[ ! -r $basedir/config ] && {
  echo "--ERROR-- [init002e] No 'config' file in \`$basedir'."
  exit 1
}

. $basedir/config

. $BASEDIR/initdefs
#
# If run in test mode (-t) this will verify that all required
# elements are set.
#
[ "$Tiger_TESTMODE" = 'Y' ] && {
  haveallcmds GREP CAT LSOF PS CUT SORT AWK || exit 1
  haveallfiles BASEDIR WORKDIR || exit 1
  haveallvars TESTLINK HOSTNAME || exit 1
  
  echo "--CONFIG-- [init003c] $0: Configuration ok..."
  exit 0
}

#------------------------------------------------------------------------
echo
echo "# Performing check of deleted files used by processes..."

haveallcmds GREP CAT LSOF PS CUT SORT AWK || exit 1
haveallfiles BASEDIR WORKDIR || exit 1


safe_temp "$WORKDIR/deleted.$$" "$WORKDIR/lsof.$$"
trap 'delete $WORKDIR/deleted.$$ $WORKDIR/lsof.$$ ; exit 1' 1 2 3 15

# TODO: Use Lsof's -f option to only recover the data
# we need and also to provide some more data useful for us
# (such as PPID)
$LSOF -n  >>$WORKDIR/lsof.$$
# It can be deleted if name includes (deleted) or
# TYPE = DEL
$CAT $WORKDIR/lsof.$$ | $GREP "(deleted)" >>$WORKDIR/deleted.$$
$CAT $WORKDIR/lsof.$$ | $GREP "DEL" >>$WORKDIR/deleted.$$
delete $WORKDIR/lsof.$$

$CAT $WORKDIR/deleted.$$ | $SORT -u |
while read command npid user fd type device node name
# Note: Remove CHR file types also since this leads to false positives
# (i.e. /dev/null)
do
# It can be deleted if name includes (deleted) or
# TYPE = DEL, but SYSV or CHR 'files' are not considered
	if [ -n "`echo $name | $GREP \"(deleted)\"`" -a "$type" != "CHR" ] || [ -z "`echo $name | $GREP SYSV`" -a "$type" = "DEL" ] ; then
		 ppid=`$PS -p $npid -o pid,ppid | $GREP -v PID |$AWK '{print $2}'`
		 if [ -n "$ppid" ] ; then
			 pname=`$PS -p $ppid -o pid,cmd | $GREP -v PID | $AWK '{print $2}'`
		 fi
		 mtype="WARN"
		 mval="kis012w"
		 pmessage="Program $command (pid $npid, parent $ppid) is using a deleted file: '$name'"
		# TODO: This lsof calls should probably be possible
		# using the lsof file created previously, doing so
		# might avoid false positives or errors
		# (if proceses disappear)
		listenport=`$LSOF -np $npid | $GREP \(LISTEN\) |  $SORT -u | $CUT -d : -f 2 | $AWK '{printf "%s ", $1}'`
		if [ -n "$ppid" ] ; then
			listenpport=`$LSOF -np $ppid | $GREP \(LISTEN\) |  $SORT -u | $CUT -d : -f 2 | $AWK '{printf "%s, ", $1}'`
		fi
		# TODO:
		# There can be servers either in the same process or
		# its children. This code has to be improved in
		# order to make it possible to better report that fact.
		# It currently does _not_ check children processes properly
		if [ -n "$listenport" ]; then
			mtype="FAIL"
			mval="kis011f"
			pmessage="$pmessage and is a a server listening on port(s) $listenport"
		fi 
		if [ -n "$listenpport" ]; then
			mtype="FAIL"
			mval="kis011f"
			pmessage="$pmessage and its parent process $pname is a server listening on port(s) $listenpport"
		fi
		 message $mtype $mval "" "$pmessage."
	fi
done

delete $WORKDIR/deleted.$$


exit 0

APT Browse - Built by Thomas Orozco.