/usr/lib/tiger/scripts/check_passwdformat is in tiger 1:3.2.3-10.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 | #!/bin/sh
#
# tiger - A UN*X security checking system
# Copyright (C) 2002 Javier Fernandez-Sanguino
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# Please see the file `COPYING' for the complete copyright notice.
#
# check_passwdformat - jfs - October 2002
#
# 10/13/2002 - check_passwdformat
# This script checks the format of the /etc/passwd file in order to
# determine inconsistencies which indicate an intrusion
# or misconfiguration.
# This script is based on SuSE's and OpenBSD's daily security check.
# 08/08/2003 - jfs - Improved temporary file creation.
# 10/07/2003 - jfs - Delete temporary files created.
# 10/10/2003 - jfs - Improved message and allowed daemon in uid 1 (for
# debian bug #211328). Also added password content
# check and do not warn on lengths for locked users.
# (fixes debian bug 211327). Finally, added missing
# temporary files to removal and safe_temp calls
# 11/19/2003 - jfs - Removed shadow password check (per patch from Ryan
# Bradetich) and added note for other systems (non
# HPUX or Linux)
# 01/15/2004 - jfs - Fixed password definitions (Debian bug #227596) adding
# the sets 'g-Z' 'A-Z' and '.'
# 06/28/2004 - jfs - Modified to avoid duplicate error messages for the same
# stuff in passwd and shadow files
# 12/27/2004 - jfs - Maximum user and group length set to 32 (Debian bug #283446)
# 07/05/2006 - jfs - Fix deprecated syntax with sort. Thanks to Cyril
# Chaboisseau and Adam James for providing a patch (Debian
# bug: #369501)
#
#-----------------------------------------------------------------------------
#
# This is the directory Tiger is installed on
TigerInstallDir="/usr/lib/tiger"
#
# Set default base directory.
# Order or preference:
# -B option
# TIGERHOMEDIR environment variable
# TigerInstallDir installed location
#
basedir=${TIGERHOMEDIR:=$TigerInstallDir}
for parm
do
case $parm in
-B) basedir=$2; break;;
esac
done
#
# Verify that a config file exists there, and if it does
# source it.
#
[ ! -r $basedir/config ] && {
echo "--ERROR-- [init002e] No 'config' file in \`$basedir'."
exit 1
}
. $basedir/config
. $BASEDIR/initdefs
#
# If run in test mode (-t) this will verify that all required
# elements are set.
#
[ "$Tiger_TESTMODE" = 'Y' ] && {
haveallcmds AWK UNIQ SORT TEE COLUMN GREP CAT JOIN LS RM || exit 1
haveallfiles BASEDIR WORKDIR || exit 1
echo "--CONFIG-- [init003c] $0: Configuration ok..."
exit 0
}
#------------------------------------------------------------------------
echo
echo "# Checking the format of passwd and group files."
# Note /etc/passwd is not checked for since its not on the
# config files.
haveallcmds AWK UNIQ SORT TEE COLUMN GREP CAT JOIN LS RM || exit 1
haveallfiles BASEDIR WORKDIR || exit 1
# message FAIL XXXX0??f "" "MESSAGE TO WRITE IN REPORT"
OUT=$WORKDIR/passwdcheck.$$
USERCHECK=$WORKDIR/usercheck.$$
TMPFILE=$WORKDIR/passwdcheck.tmp.$$
safe_temp $OUT $USERCHECK $TMPFILE ${TMPFILE}-1 ${TMPFILE}-2
trap 'delete $OUT $USERCHECK $TMPFILE ${TMPFILE}-1 ${TMPFILE}-2 ; exit 1' 1 2 3 15
>$USERCHECK
#
# /etc/passwd check
#
PW="/etc/passwd"
[ -r $PW ] && {
$AWK -F: '{
if ($0 ~ /^[ ]*$/) {
printf("Line %d is a blank line.\n", NR);
next;
}
if (NF != 7)
printf("Line %d has the wrong number of fields.\n", NR);
if ($1 ~ /^[+-]$/)
next;
if ($1 == "")
printf("Line %d has an empty login field.\n", NR);
else if ($1 !~ /^[A-Za-z0-9][A-Za-z0-9_\.-]*$/)
printf("Login %s has non-alphanumeric characters.\n", $1);
# Consider removing this since many recent OS will not have any problems
# with this
if (length($1) > 32)
printf("Login %s has more than 32 characters.\n", $1);
if ($2 == "")
printf("Login %s has no password.\n", $1);
#if ($2 != "" && length($2) != 13 && ($10 ~ /.*sh$/ || $10 == "") &&
# ($2 !~ /^\$[0-9a-f]+\$/)) {
# if (system("test -d "$9" -a ! -r "$9"") == 0)
# printf("Login %s if off but still has valid shell and home directory is unreadable\n\t by root; cannot check for existance of alternate access files.\n", $1);
# else if (system("for file in .ssh .rhosts .shosts .klogin;
# do if test -e "$9"/$file; then if ((ls -ld "$9"/$file | cut -b 2-10 | grep -q r) && (test ! -O "$9"/$file)) ; then exit 1; fi; fi; done"))
# printf("Login %s is off but still has a valid shell and alternate access files in\n\t home directory are still readable.\n",$1);
#}
if ($3 == 0 && $1 != "root")
printf("Login %s has a user id of 0 which should be reserved for root\n", $1);
if ($3 == 1 && $1 != "bin" && $1 != "daemon" )
printf("Login %s has a user id of 1 which should be reserved for bin or daemon\n", $1);
if ($3 < 0)
printf("Login %s has a negative user id.\n", $1);
if ($4 < 0)
printf("Login %s has a negative group id.\n", $1);
if ($4 == 0 && $1 != "root")
printf("Login %s has a group id of 0 which should be reserved for root\n", $1);
if ($4 == 1 && $1 != "bin" && $1 != "daemon" )
printf("Login %s has a group id of 1 which should be reserved for bin or daemon.\n", $1);
}' < $PW >>$USERCHECK
$AWK -F: '{ print $1 }' $PW | $SORT | $UNIQ -d > $OUT
if [ -s "$OUT" ] ; then
message WARN pass001w "" "File $PW has duplicate user names"
$COLUMN "$OUT"
fi
$AWK -F: '{ print $1 " " $3 }' $PW | $SORT -n -k 2 | $TEE ${TMPFILE}-1 |
$UNIQ -d -f 1 | $AWK '{ print $2 }' > ${TMPFILE}-2
if [ -s "${TMPFILE}-2" ] ; then
message WARN pass002w "" "File $PW has duplicate user ids:"
while read uid; do
$GREP -w $uid ${TMPFILE}-1
done < ${TMPFILE}-2 | $COLUMN
fi
}
#
# /etc/shadow check
#
# TODO: Since the shadow password check has been moved to %pass20w
# systems need to be updated to make this check in other scripts
# (in HPUX and Linux it's check_passwdspec)
PW="/etc/shadow"
[ -r $PW ] && {
$AWK -F: '{
if ($0 ~ /^[ ]*$/) {
printf("Line %d is a blank line.\n", NR);
next;
}
if (NF != 9)
printf("Line %d has the wrong number of fields.\n", NR);
if ($1 ~ /^[+-]$/)
next;
if ($1 == "")
printf("Line %d has an empty login field.\n", NR);
else if ($1 !~ /^[A-Za-z0-9][A-Za-z0-9_-]*$/)
printf("Login %s has non-alphanumeric characters.\n", $1);
if (length($1) > 32)
printf("Login %s has more than 32 characters.\n", $1);
if ($2 == "")
printf("Login %s has no password.\n", $1);
if ($2 != "" && length($2) != 13 && length($2) != 34 &&
length($2) != 1 && $2 !~ /^\$[0-9a-zA-Z\.]+\$/ && $2 !~ /^!/ )
printf("Login %s has an unusual password field length.\n", $1);
if ($2 != "" && $2 !~ /^\$[0-9a-f]+\$/ && $2 !~ /^[!*]/ )
printf("Login %s has an unusual password content.\n", $1);
}' < $PW >> "$USERCHECK"
# NOTE: I've found some passwords with '/'. Is this common?
$AWK -F: '{ print $1 }' $PW | $SORT | $UNIQ -d > $OUT
if [ -s "$OUT" ] ; then
message WARN pass001w "" "File $PW has duplicate user names:"
$COLUMN "$OUT"
fi
}
#
# /etc/group checking
#
GRP=/etc/group
[ -r $GRP ] && {
$AWK -F: '{
if ($0 ~ /^[ ]*$/) {
printf("Line %d is a blank line.\n", NR);
next;
}
if ($1 ~ /^[+-]$/)
next;
if (NF != 4)
printf("Line %d has the wrong number of fields.\n", NR);
if ($1 !~ /^[A-za-z0-9][A-za-z0-9_-]*$/)
printf("Group %s has non-alphanumeric characters.\n", $1);
if (length($1) > 32)
printf("Group %s has more than 32 characters.\n", $1);
if ($3 !~ /[0-9]*/)
printf("Login %s has a negative group id.\n", $1);
if (length($4) > 0 && $3 < 3)
printf("Group %s(%s) has got the following members: %s\n", $1, $3, $4);
}' < $GRP > $OUT
if [ -s "$OUT" ] ; then
$CAT "$OUT" |
while read message; do
message FAIL pass009f "" "$message"
done
fi
$AWK -F: '{ print $1 }' $GRP | $SORT | $UNIQ -d > $OUT
if [ -s "$OUT" ] ; then
message WARN pass010w "" "File $GRP has duplicate group ids:"
$COLUMN "$OUT"
fi
}
# Now output the results of the usercheck
# (removing duplicates)
if [ -s "$USERCHECK" ] ; then
$CAT "$USERCHECK" | $SORT | $UNIQ |
while read message; do
message FAIL pass009f "" "$message"
done
fi
delete $OUT $USERCHECK $TMPFILE ${TMPFILE}-1 ${TMPFILE}-2
exit 0
|