Index: scripts/check_xinetd
===================================================================
RCS file: /usr/local/taracvs/tiger-3.2/scripts/check_xinetd,v
retrieving revision 1.3
diff -u -p -r1.3 check_xinetd
--- scripts/check_xinetd 21 Oct 2003 16:45:45 -0000 1.3
+++ scripts/check_xinetd 23 Oct 2003 07:40:07 -0000
@@ -80,40 +80,132 @@ done
 }
 #------------------------------------------------------------------------
-haveallcmds GREP AWK LS || exit 1
+haveallcmds LS || exit 1
 haveallfiles BASEDIR || exit 1
 echo
 echo "# Performing check of 'xinetd' related services..."
-check_xinetconfig()
+# Set the default location for xinetd.conf if not specified.
+[ -z "$XINETDCONF" ] && XINETDCONF="/etc/xinetd.conf"
+
+check_file_perms()
 {
- xinetd_dir="$1"
- $LS $xinetd_dir |
- while read file
+ getpermit $1 |
+ while read _namefile _owner _group ur uw ux gr gw gx or ow ox suid sgid stk
 do
- if [ "`$GREP -i 'disable' "$xinetd_dir/$file" | $AWK '{print $NF}'`" = "no" ] ;
- then
- service=`$GREP -w 'server' $file | $GREP '=' | $AWK '{print $NF}'`
- message INFO xnet002i "Service $file is enabled using: $service."
- else
- message INFO xnet002i "Service $file is disabled."
- fi
+ eval "case $_owner in
+ $Tiger_ROOT_PATH_OK_Owners)
+ ;;
+ *)
+ message FAIL inet020f \"\" \"$_namefile does not have proper ownership (owned by $_owner).\"
+ ;;
+ esac"
+
+ [ "$ur$uw$ux$gr$gw$gx$or$ow$ox" != '110000000' ] && \
+ message WARN inet017w "" "$_namefile permissions are not 600."
+
+ eval "case $_group in
+ $Tiger_ROOT_PATH_OK_Group_Write)
+ gw=0
+ esac"
+
+ [ "$gw" != '0' ] && \
+ message WARN inet018w "" "$_namefile has non-administrative group ($_group) write access."
+
+ [ "$ow" != '0' ] && \
+ message ALERT inet019a "" "$_namefile public write access."
 done
 }
-[ -z "$XINETDCONF" ] && XINETDCONF="/etc/xinetd.conf"
+parse_service_block()
+{
+ service=$1
+ enabled='Y'
+ proto='all'
+
+ while read line
+ do
+ [[ $line = flags* ]] && {
+ [[ $line = *DISABLE* ]] && enabled='N'
+ continue
+ }
+
+ [[ $line = disable* ]] && {
+ [ ${line#* } = 'yes' ] && enabled='N'
+ continue
+ }
+
+ [[ $line = protocol* ]] && {
+ proto=`echo ${line#*=}`
+ }
+
+ [[ $line = *} ]] && break
+ done
+
+ if [ "$service" = 'rexd' -a $enabled = 'Y' ]; then
+ message FAIL inet006f "" "'rexd' service is enabled, consider disabling it."
+ elif [ "$service" = 'exec' -a $enabled = 'Y' ]; then
+ message FAIL inet006f "" "'$service' service is enabled, consider disabling it."
+ elif [ "$service" = 'sysstat' -a $enabled = 'Y' ]; then
+ message WARN inet012w "" "'sysstat' service is enabled, consider disabling it."
+ elif [ "$service" = 'netstat' -a $enabled = 'Y' ]; then
+ message WARN inet013w "" "'netstat' service is enabled, consider disabling it."
+ elif [ "$service" = 'telnet' -a $enabled = 'Y' ]; then
+ message WARN inet098w "" "The 'telnet' server is enabled, consider using ssh instead."
+ elif [ "$service" = 'ftp' -a $enabled = 'Y' ]; then
+ message WARN inet098w "" "The 'ftp' server is enabled, consider using ssh/sftp instead."
+ elif [ "$service" = 'login' -a $enabled = 'Y' ]; then
+ message WARN inet098w "" "The 'login' server is enabled, consider using ssh/sftp instead."
+ elif [ "$service" = 'shell' -a $enabled = 'Y' ]; then
+ message WARN inet098w "" "The 'rsh' server is enabled, consider using ssh/sftp instead."
+ elif [ "$service" = 'tftp' -a $enabled = 'Y' ]; then
+ message WARN inet022w "" "The 'tftpd' server is enabled, consider disabling it"
+ elif [ "$service" = 'finger' -a $enabled = 'Y' ]; then
+ message WARN inet023w "" "The 'finger' server is enabled, consider disabling it"
+ elif [ "$service" = 'rusers' -a $enabled = 'Y' ]; then
+ message WARN inet024w "" "The 'rusers' server is enabled, consider disabling it"
+ elif [ "$service" = 'echo' -a $proto = 'udp' -a $enabled = 'Y' ]; then
+ message WARN inet025w "" "The 'echo' udp server is enabled, consider disabling it"
+ elif [ "$service" = 'chargen' -a $proto = 'udp' -a $enabled = 'Y' ]; then
+ message WARN inet025w "" "The 'chargen' udp server is enabled, consider disabling it"
+ fi
+}
+
+parse_file()
+{
+ while read line
+ do
+ [[ $line = \#* || _$line = _ ]] && continue
+ [[ $line = includedir* ]] && [ $1 = $XINETDCONF ] && {
+ dirs="$dirs ${line#* }"
+ continue
+ }
+
+ [[ $line = service* ]] && {
+ parse_service_block ${line#* }
+ continue
+ }
+ done < $1
+}
+
+# Does the XINETDCONF file exist?
+[ ! -r "$XINETDCONF" ] && exit 0
+
+check_file_perms $XINETDCONF
+parse_file $XINETDCONF
-if [ -r "$XINETDCONF" ] ;
-then
- $GREP 'includedir' $XINETDCONF | $AWK '{print $NF}' |
- while read xinetd_directory
+for dir in $dirs
+do
+ [ ! -d "$dir/" ] && {
+ message FAIL xnet002f "The directory ($dir) included by $XINETDCONF is not a directory."
+ continue
+ }
+
+ $LS $dir/ |
+ while read path
 do
- if [ -d "$xinetd_directory" ]
- then
- check_xinetconfig $xinetd_directory
- else
- message FAIL xnet002f "The location included in $XINETDCONF is not a directory"
- fi
+ check_file_perms $dir/$path
+ parse_file $dir/$path
 done
-fi
+done
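Review bot: In check_file_perms the owner check emits `message FAIL inet020f ...` from inside the `eval`'d string, so `$_namefile` (getpermit's first field for `$dir/$path`, i.e. a name listed by `$LS`) and `$_owner` are expanded first and then re-parsed by the shell; a file name in an included directory that contains quotes or `$` would be executed as shell syntax instead of being reported, which is exactly the kind of file this check exists to flag. The group check a few lines below already uses the safe shape (the eval only assigns `gw=0`), so mirror it: `eval "case $_owner in $Tiger_ROOT_PATH_OK_Owners) owner_ok=1 ;; *) owner_ok=0 ;; esac"` followed by `[ "$owner_ok" != '1' ] && message FAIL inet020f "" "$_namefile does not have proper ownership (owned by $_owner)."`. Separately, in parse_service_block the test `[ ${line#* } = 'yes' ] && enabled='N'` only works when the keyword is followed by a tab; with the common `disable = yes` spelling `${line#* }` leaves `= yes`, the test is malformed, and the service is still reported as enabled, so use the same extraction as the protocol line: `[ "\`echo ${line#*=}\`" = 'yes' ] && enabled='N'`. The `[[ ... ]]` tests and the unquoted `[ $1 = $XINETDCONF ]` also assume bash and space-free paths, which is worth confirming against the script's interpreter line (outside this hunk).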