-
Notifications
You must be signed in to change notification settings - Fork 2
Expand file tree
/
Copy pathgen_fix
More file actions
169 lines (148 loc) · 3.21 KB
/
gen_fix
File metadata and controls
169 lines (148 loc) · 3.21 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
#
# gen_fix
#
# An awk program to generate fixes (e.g. shell commands) for the
# warning messages that cops outputs. Code structure stolen liberally
# from the carp.anlz program (heck, I wrote that too -- I can do that :-))
#
#
# IMPORTANT - exception list!
#
# Be very careful of regular expressions and other awk stuff...
# ()'s, *'s, ?'s, /'s, etc. are all trouble. Backquote if in doubt.
#
# Sample:
# (Brave... or stupid?)
# /_World_ writable!/ {next}
#
# Hassled by mail warning?
/Warning! \/usr\/spool\/mail is _World_ writable!/ {next}
# Kill off password, YP, etc. messages... face it, nothing can be done
# with this stuff safely in a stupid shell script:
/Password file/ {next}
/Group file/ {next}
#
# START THE CHECKING/FIXING
#
# do the weird writable/readable things first:
/Directory.*_World_ writable/ {
print "chmod o-w " $3
next
}
/Root executed File/ {
print "chmod o-w " $5
next
}
/File.*_World_ writable/ {
print "chmod o-w " $3
next
}
/_World_ writable/ {
print "chmod o-w " $2
next
}
/group writable/ {
print "chmod g-w " $2
next
}
/_World_ readable/ {
print "chmod o-r " $2
next
}
/group readable/ {
print "chmod g-r " $2
next
}
/is SUID!/ {
print "chmod o-s " $2
next
}
/is SGID!/ {
print "chmod g-s " $2
next
}
/A "+" entry in/ {
# Lots of different approaches to use. I'll just Nuke it.
print "# Nuke the hosts.equiv file:"
print "mv /etc/hosts.equiv /etc/hosts.equiv.old"
print ""
next
}
# /tftp is enabled on/ { next }
# /rexd is enabled in/ {
/XXXXXXXXX/ {
# better ideas? I'll sed it out, then echo that you should
# restart inetd.
inetd=$NF
new_inetd = "/usr/tmp/inetd.conf"
print "# can we modify inetd.conf?"
print "sed '/^rexd/d'", inetd " > ", new_inetd
# has anything changed? If so, change; if not, leave quietly.
print "if test -s", new_inetd " -a -n `/bin/cmp " inetd, new_inetd "` ; then"
print "\t/bin/mv " inetd, inetd ".old"
print "\t/bin/mv " new_inetd, inetd
print "\tfi"
print "echo Restart inetd with the new configuration file"
print ""
next
}
/User.*home directory.*is mode/ {
print "# User's home dirs should be mode 711:"
print "chmod 711 " $6
print ""
next
}
/User.*:.*is mode/ {
print "# User's dot files should be mode 600:"
print "chmod 600 " $4
print ""
next
}
/should be mode 555/ {
print "# ftp's home dir should be 555"
print "chmod " $2 " 555"
print ""
next
}
/should be be empty/ {
print "# nuke ftp's rhosts file:"
print "mv " $2, $2 ".old"
print ""
next
}
/should be in/ {
print "# add " $2 " to /etc/ftpusers"
print "echo " $2 " >> /etc/ftpusers"
print ""
next
}
/should exist/ {
print "# create an ftpusers file:"
print "touch /etc/ftpusers"
print ""
next
}
/should be owned by.*or/ {
print "# " $2 " should be owned by " $7
print "chown " $7, $2
print ""
next
}
/Incorrect permissions on "ls" in/ {
print "# ls should be 111"
print "chmod " substr($NF,1,length($NF)-1) "/ls 111"
print ""
next
}
/Incorrect permissions on "passwd" in/ {
print "# passwd should be 444"
print "chmod " substr($NF,1,length($NF)-1) "/passwd 444"
print ""
next
}
/Incorrect permissions on "group" in/ {
print "# group should be 444"
print "chmod " substr($NF,1,length($NF)-1) "/group 444"
print ""
next
}