/usr/lib/tiger/scripts/check_sendmail is in tiger 1:3.2.3-10.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 | #!/bin/sh
#
# tiger - A UN*X security checking system
# Copyright (C) 1993 Douglas Lee Schales, David K. Hess, David R. Safford
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# Please see the file `COPYING' for the complete copyright notice.
#
# check_sendmail - 06/14/93
#
# 05/18/2002 jfs Added check on banner (based on Titan's modules/smtpbanner.sh)
# 05/01/2003 jfs Added notes on behaviour, this check will only run if
# SENDMAILCF exists (after all, it's a sendmail-only check).
# Fixed dependancies.
# 11/18/2003 jfs Fixed sintax problem which AIX choked on.
# Noticed by Dale Martin.
#
#-----------------------------------------------------------------------------
#
TigerInstallDir="/usr/lib/tiger"
#
# Set default base directory.
# Order or preference:
# -B option
# TIGERHOMEDIR environment variable
# TigerInstallDir installed location
#
basedir=${TIGERHOMEDIR:=$TigerInstallDir}
for parm
do
case $parm in
-B) basedir=$2; break;;
esac
done
#
# Verify that a config file exists there, and if it does
# source it.
#
[ ! -r $basedir/config ] && {
echo "--ERROR-- [init002e] No 'config' file in \`$basedir'."
exit 1
}
. $basedir/config
. $BASEDIR/initdefs
#
# If run in test mode (-t) this will verify that all required
# elements are set.
#
[ "$Tiger_TESTMODE" = 'Y' ] && {
haveallcmds SENDMAILS AWK LS SED STRINGS || exit 1
haveallfiles SENDMAILCF BASEDIR WORKDIR || exit 1
haveallvars TESTLINK HOSTNAME || exit 1
echo "--CONFIG-- [init003c] $0: Configuration ok..."
exit 0
}
#------------------------------------------------------------------------
echo
echo "# Checking sendmail..."
haveallcmds STRINGS GREP SED AWK SORT LS || exit 1
haveallfiles SENDMAILCF BASEDIR WORKDIR || exit 1
check_date()
{
mailer="$1"
# TODO: Doing 'strings' on the mailer will not work as advertised
# and might return false positives/negatives. Also, many mailers
# might provide a /usr/sbin/sendmail which contains that string
# (exim, for example, does).
if [ -r "$mailer" ]; then
$STRINGS $mailer |
$GREP '[0-9][0-9]/[0-9][0-9]/[0-9][0-9]' |
$SED -e 's%^.* *\([0-9][0-9]*/[0-9][0-9]*/[0-9][0-9]*\).*$%\1%' |
$AWK -F/ '{
month=$1;
day=$2;
year=$3;
if(month > 12){
year=$1;
month=$2;
day=$3;
}
if(year<100)
year += 1900;
if(year<10)
year += 2000;
printf("%04d %02d %02d\n", year, month, day);
}' |
$SORT -r |
$SED -e 1q | {
read year month day
if [ ! -z $year ]
then
[ "$year" -lt 1993 -o \( "$year" -eq 1993 -a "$month" -lt 10 \) ] && {
message WARN misc010w "" "$mailer appears to be older than November 1993 (apparent date $month/$day/$year), and may contain a security vulnerability."
}
fi
}
else
message ERROR misc012e "" "Can not read $mailer. Test skipped."
fi
}
{
if [ -r "$SENDMAILCF" ]; then
$GREP '^Mprog' $SENDMAILCF |
$SED -e 's/^.*P=\([^, ]*\).*$/\1/'
else
echo "/bin/sh"
fi
} |
{
read progmailer
usingsmrsh=0
case "$progmailer" in
*/smrsh) usingsmrsh=1;;
esac
if [ "$usingsmrsh" = 0 ]; then
for mailer in $SENDMAILS
do
[ -f "$mailer" ] && check_date "$mailer"
done
else
$STRINGS $progmailer |
$GREP '/[-a-zA-Z0-9_.][-a-zA-Z0-9_./]*' |
$GREP -v '/.*:/.*' |
$SED -e 's/[^-a-zA-Z0-9_./]/ /g' |
$AWK '{
for(i=1;i<=NF;i++)
if(substr($i,1,1) == "/")
print $i;
}' |
$GREP '^/[-/a-zA-Z0-9_.]*$' |
$GREP -v /bin/sh |
while read path
do
[ -d "$path" ] && {
$LS "$path" |
while read file
do
case "$file" in
sh|csh|perl|uudecode|sed|grep|awk|cat|ksh|bash|tcsh) {
message WARN misc011w "" "Executable \`$file' in 'smrsh' directory \`$path' may create a vulnerability"
}
;;
esac
done
}
done
fi
}
if [ -r "$SENDMAILCF" ]; then
version="`$GREP \"^O\ SmtpGreetingMessage=\$j\ Sendmail\ \$v\/\$Z\;\ \$b\" $SENDMAILCF`"
[ -n "$version" ] &&
message WARN netw019w "" "Sendmail avertises its version in $SENDMAILCF, current line: $version"
fi
exit 0
|