/usr/lib/tiger/systems/Linux/2/check_inittab is in tiger 1:3.2.3-10.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 | #!/bin/sh
#
# tiger - A UN*X security checking system
# Copyright (C) 1993 Douglas Lee Schales, David K. Hess, David R. Safford
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# Please see the file `COPYING' for the complete copyright notice.
#
# check_ctrlaltdel: looks for 'ctraltdel' line in /etc/inittab which would
# indicate that users can reboot the system
# 04.25.2001
# Javier Fernandez-Sanguino <jfs@computer.org>
#
# 12/08/2003 - jfs - Improved the check so that it takes into account
# the availability of /etc/shutdown.allow
# (Debian Bug #603199)
# 10/19/2003 - jfs - Fixed check to avoid false positives (Debian Bug #215872)
# 08/09/2003 - jfs - Improved checked (might give false positives if comments
# where used)
# 07/25/2002 - jfs - Changed TigerInstallDir to .
#
#-----------------------------------------------------------------------------
#
TigerInstallDir="/usr/lib/tiger"
#
# Set default base directory.
# Order or preference:
# -B option
# TIGERHOMEDIR environment variable
# TigerInstallDir installed location
#
basedir=${TIGERHOMEDIR:=$TigerInstallDir}
for parm
do
case $parm in
-B) basedir=$2; break;;
esac
done
#
# Verify that a config file exists there, and if it does
# source it.
#
[ ! -r $basedir/config ] && {
echo "--ERROR-- [init002e] No 'config' file in \`$basedir'."
exit 1
}
. $basedir/config
. $BASEDIR/initdefs
#
# If run in test mode (-t) this will verify that all required
# elements are set.
#
[ "$Tiger_TESTMODE" = 'Y' ] && {
haveallcmds AWK GREP || exit 1
haveallfiles BASEDIR WORKDIR || exit 1
echo "--CONFIG-- [init003c] $0: Configuration ok..."
exit 0
}
#------------------------------------------------------------------------
echo
echo "# Checking for vulnerabilities in inittab configuration..."
haveallcmds AWK GREP || exit 1
haveallfiles BASEDIR WORKDIR || exit 1
if [ -r /etc/inittab ] ; then
$GREP shutdown /etc/inittab | $GREP -v ^# | $AWK -F : '{ print $2, $3, $4'} |
while read runlevels key command
# Inittab is made up of four fields: name, runlevels, key and command
do
if [ $key = "ctrlaltdel" -a -n "`echo $command |$GREP shutdown`" ]
then
restricted="no"
# The command has to use '-a' and /etc/shutdown.allow has
# to exist and contain something to consider this feature
# 'restricted'
[ -n "`echo $command | $GREP -- '-a'`" ] && [ -s "/etc/shutdown.allow" ] && restricted="yes"
if [ "$restricted" = "no" ]; then
message FAIL lin007w "" "Normal users can reboot the system through ctrl+alt+del in runlevels $runlevels"
else
users="`cat /etc/shutdown.allow | $GREP -v ^# | $GREP -v ^$ `"
if [ -n "$users" ] ; then
message INFO lin007w "" "The following users (listed in /etc/shutdown.allow) can reboot the system through ctrl+alt+del in runlevels $runlevels: '$users'"
else
message INFO lin007w "" "Only the root user can reboot the system through ctrl+alt+del in runlevels $runlevels (/etc/shutdown.allow is present but it does not include any user)"
fi
fi
fi
done
fi
|