/usr/lib/tiger/systems/Linux/2/check_lilo is in tiger 1:3.2.3-10.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
#!/bin/sh
#
# tiger - A UN*X security checking system
# Copyright (C) 1993 Douglas Lee Schales, David K. Hess, David R. Safford
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# Please see the file `COPYING' for the complete copyright notice.
#
# check_lilo: checks permissions on boot loader config files
# grub.conf and lilo.conf
# 10.26.2001
# Paul Telford <paul_telford@hp.com>
# 04.25.2002 Javier Fernandez-Sanguino <jfs@computer.org>
# Expanded to check also if there are passwords in the boot loader
# 07/25/2002 jfs
# Changed TigerInstallDir to .
# Changed -e to -r and 'find' to 'access' in the error msg.
# 10/19/2003 jfs - Applied patch from Ryan Bradetich to work in SuSE systems.
# 11/18/2003 jfs - Fixed typo (Debian bug #221470)
# 01/15/2004 jfs - Fixed dependancies
# 12/27/2004 jfs - Fixed grub.conf naming (Debian bug #286641)
# 03/21/2005 jfs Only run if running on the x86 architecture
# (Debian bug #288737)
# 06/22/2007 jfs Run if on amd64 (Debian bug #412669)
#
#-----------------------------------------------------------------------------
#
# Installed location of tiger; used when nothing else selects a directory.
TigerInstallDir="/usr/lib/tiger"

#
# Select the base directory.
# Order of preference:
#   1. -B option
#   2. TIGERHOMEDIR environment variable
#   3. TigerInstallDir installed location
#
# ${TIGERHOMEDIR:=...} also assigns TIGERHOMEDIR itself when it is unset or
# empty.  The directory chosen here is the one whose 'config' file is sourced
# further down, so it decides which shell code this check executes.
#
basedir=${TIGERHOMEDIR:=$TigerInstallDir}
for parm
do
  # NOTE(review): $2 is the argument of -B only when -B is the first
  # parameter; if -B appears later, basedir receives an unrelated word.
  # Confirm that callers always pass -B first.
  if [ "$parm" = "-B" ]
  then
    basedir=$2
    break
  fi
done
#
# Verify that a config file exists there, and if it does
# source it.
#
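# Both files below are sourced, i.e. executed inside this shell with the
# privileges of whoever runs the check.  The directory named by -B or
# TIGERHOMEDIR must therefore be writable only by trusted users.
# The expansions are quoted so that a base directory containing whitespace
# or glob characters is tested and sourced as a single path instead of being
# split into several words.
if [ ! -r "$basedir/config" ]
then
  echo "--ERROR-- [init002e] No 'config' file in \`$basedir'."
  exit 1
fi
. "$basedir/config"
# BASEDIR is not assigned anywhere in this script; presumably 'config'
# sets it -- confirm.
. "$BASEDIR/initdefs"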
#
# If run in test mode (-t) this will verify that all required
# elements are set.
#
# Test mode: report whether every command and directory this check relies on
# is configured, then stop before any boot loader file is inspected.
if [ "$Tiger_TESTMODE" = 'Y' ]
then
  haveallcmds GREP RM UNAME EGREP || exit 1
  haveallfiles BASEDIR WORKDIR || exit 1
  echo "--CONFIG-- [init003c] $0: Configuration ok..."
  exit 0
fi
#------------------------------------------------------------------------
# Stop with an error unless the required commands and directories are
# configured (haveallcmds / haveallfiles are not defined in this script;
# presumably they come from the sourced initdefs -- confirm).
haveallcmds GREP RM UNAME EGREP || exit 1
haveallfiles BASEDIR WORKDIR || exit 1

# Only applies to the x86 or amd64 architectures: on any other machine type
# the check exits successfully without printing anything.
machine=$($UNAME -m)
arch_match=$(echo $machine | $EGREP 'i.86$|^x86_64$')
if [ -z "$arch_match" ]
then
  exit 0
fi
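echo
echo "# Checking boot loader file permissions..."

# Becomes "Y" as soon as one readable boot loader configuration is seen.
found="N"

#
# LILO.  lilo.conf stores the boot password in clear text, so any group or
# other permission bit on the file is reported.
#
file=/etc/lilo.conf
if [ -r "$file" ]
then
  found="Y"
  # getpermit and message are not defined in this script (presumably provided
  # by the sourced initdefs -- confirm).  The field order below is taken from
  # the original read: name, owner, group, then one 0/1 flag per permission
  # bit for user, group and other, followed by setuid, setgid and sticky.
  getpermit "$file" |
  while read -r filename rowner rgroup rur ruw rux rgr rgw rgx ror row rox rsuid rsgid rstk
  do
    if [ "$rgr" -eq 1 ] || [ "$rgw" -eq 1 ] || [ "$rgx" -eq 1 ]
    then
      message WARN boot01 "" "The configuration file lilo.conf has group permissions"
    fi
    if [ "$ror" -eq 1 ] || [ "$row" -eq 1 ] || [ "$rox" -eq 1 ]
    then
      message FAIL boot01 "" "The configuration file lilo.conf has other permissions"
    fi
  done

  # Lilo password checks.
  # The decision is driven by the presence of a password line.  A password
  # without 'restricted' makes LILO ask for it on every boot, so that
  # configuration is not reported; previously it was flagged as having no
  # password.  'restricted' without a password protects nothing.
  # Only directives starting in column 0 are matched; indented per-image
  # entries are not seen by these patterns.
  if [ -z "$($GREP '^password' "$file")" ]
  then
    if [ -n "$($GREP '^restricted' "$file")" ]
    then
      message WARN boot05 "" "The bootloader is restricted but does not seem to have a password configured."
    else
      message WARN boot04 "" "The bootloader lilo is not configured with a password"
    fi
  fi
fi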
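#
# GRUB.  Use the first readable candidate:
#   /etc/grub.conf         (SuSE)
#   /boot/grub/menu.lst    (Debian)
#   /boot/grub/grub.conf   (other Linux systems; also the fallback)
# Only these three locations are probed.  /boot/grub/grub.cfg is not among
# them, so a system that keeps its GRUB configuration there is not covered
# by this check.
#
file=/boot/grub/grub.conf
for candidate in /etc/grub.conf /boot/grub/menu.lst
do
  if [ -r "$candidate" ]
  then
    file=$candidate
    break
  fi
done

if [ -r "$file" ]
then
  found="Y"
  # The file can hold the boot password, hence the 0600 expectation in the
  # messages below.  Expansions are quoted and the deprecated -o operator of
  # test is replaced by || so that a missing field cannot change how the
  # expression is parsed.
  getpermit "$file" |
  while read -r filename rowner rgroup rur ruw rux rgr rgw rgx ror row rox rsuid rsgid rstk
  do
    if [ "$rgr" -eq 1 ] || [ "$rgw" -eq 1 ] || [ "$rgx" -eq 1 ]
    then
      message WARN boot02 "" "The configuration file $file has group permissions. Should be 0600"
    fi
    if [ "$ror" -eq 1 ] || [ "$row" -eq 1 ] || [ "$rox" -eq 1 ]
    then
      message FAIL boot02 "" "The configuration file $file has world permissions. Should be 0600"
    fi
  done

  # GRUB password checks: warn when no line starts with 'password'.
  if [ -z "$($GREP '^password' "$file")" ]
  then
    message WARN boot06 "" "The Grub bootloader does not have a password configured."
  fi
fi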
# Neither a LILO nor a GRUB configuration file was readable, so nothing was
# verified; say so rather than finishing silently.
if [ "$found" != 'Y' ]
then
  message WARN boot03w "" "Could not access LILO's or Grub's configuration file"
fi

# The exit status is always 0 here; findings are conveyed only through the
# messages emitted above.
exit 0