author | Dave Cobbley <david.j.cobbley@linux.intel.com> | 2018-08-14 20:05:37 +0300 |
committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2018-08-23 04:26:31 +0300 |
commit | eb8dc40360f0cfef56fb6947cc817a547d6d9bc6 (patch) | |
tree | de291a73dc37168da6370e2cf16c347d1eba9df8 /import-layers/meta-security/recipes-security/redhat-security/files | |
parent | 9c3cf826d853102535ead04cebc2d6023eff3032 (diff) | |
download | openbmc-eb8dc40360f0cfef56fb6947cc817a547d6d9bc6.tar.xz |
[Subtree] Removing import-layers directory
As part of the move to subtrees, the content of all the import layers
needs to be brought to the top level.
Change-Id: I4a163d10898cbc6e11c27f776f60e1a470049d8f
Signed-off-by: Dave Cobbley <david.j.cobbley@linux.intel.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Diffstat (limited to 'import-layers/meta-security/recipes-security/redhat-security/files')
13 files changed, 0 insertions, 1171 deletions
diff --git a/import-layers/meta-security/recipes-security/redhat-security/files/find-chroot-py.sh b/import-layers/meta-security/recipes-security/redhat-security/files/find-chroot-py.sh
deleted file mode 100644
index 9996e087c..000000000
--- a/import-layers/meta-security/recipes-security/redhat-security/files/find-chroot-py.sh
+++ /dev/null
@@ -1,96 +0,0 @@ -#!/bin/sh -# -# find-chroot-py utility -# Copyright (c) 2011 Steve Grubb. ALL RIGHTS RESERVED. -# sgrubb@redhat.com -# -# This software may be freely redistributed under the terms of the GNU -# public license. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -# -# This program looks for python apps that use chroot(2) without using chdir(2) -# -# To save to file: ./find-chroot | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | tee findings.txt - -libdirs="/lib /lib64 /usr/lib /usr/lib64" -progdirs="/bin /sbin /usr/bin /usr/sbin /usr/libexec" -FOUND=0 - -# First param is which list to use, second is search pattern -scan () { -if [ "$1" = "1" ] ; then - dirs=$libdirs -elif [ "$1" = "2" ] ; then - dirs=$progdirs -elif [ "$1" = "3" ] ; then - dirs=$3 -fi - -for d in $dirs ; do - if [ ! -d $d ] ; then - continue - fi - files=`/usr/bin/find $d -name "$2" -type f 2>/dev/null` - for f in $files - do - if [ "$1" = "2" ] ; then - testf=`/usr/bin/file $f | egrep 'ython'` - if [ x"$testf" = "x" ] ; then - continue - fi - fi - syms=`egrep ' os.chroot' $f` - if [ x"$syms" != "x" ] ; then - syms=`egrep ' os.chdir' $f` - if [ x"$syms" = "x" ] ; then - if [ $FOUND = 0 ] ; then - printf "%-44s%s\n" "FILE" " PACKAGE" - FOUND=1 - fi - # Red - printf "\033[31m%-44s\033[m" $f - #rpm -qf --queryformat "%{NAME}-%{VERSION}" $f - rpm -qf --queryformat " %{SOURCERPM}" $f - echo - else - # One last test to see if chdir is within 4 - # lines of chroot - syms=`cat $f | egrep ' os.chroot' -A3 | egrep ' os.chdir'` - if [ x"$syms" = "x" ] ; then - if [ $FOUND = 0 ] ; then - printf "%-44s%s\n" "FILE" " PACKAGE" - FOUND=1 - fi - printf "\033[31m%-44s\033[m" $f - rpm -qf --queryformat " %{SOURCERPM}" $f - echo - fi - fi - fi - done -done -} - -if [ $# -eq 1 ] ; then - if [ -d $1 ] ; then - scan 3 '*' $1 - else - echo "Input is not a 
directory" - exit 1 - fi -else - scan 2 '*' - scan 1 '*.py' -fi - -if [ $FOUND -eq 0 ] ; then - # Nothing to report, just exit - echo "No problems found" 1>&2 - exit 0 -fi -exit 1 - - diff --git a/import-layers/meta-security/recipes-security/redhat-security/files/find-chroot.sh b/import-layers/meta-security/recipes-security/redhat-security/files/find-chroot.sh deleted file mode 100644 index adce7fc8e..000000000 --- a/import-layers/meta-security/recipes-security/redhat-security/files/find-chroot.sh +++ /dev/null 
@@ -1,93 +0,0 @@ -#!/bin/sh -# -# find-chroot utility -# Copyright (c) 2011 Steve Grubb. ALL RIGHTS RESERVED. -# sgrubb@redhat.com -# -# This software may be freely redistributed under the terms of the GNU -# public license. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -# -# This program looks for apps that use chroot(2) without using chdir(2) -# -# To save to file: ./find-chroot | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | tee findings.txt - -libdirs="/lib /lib64 /usr/lib /usr/lib64" -progdirs="/bin /sbin /usr/bin /usr/sbin /usr/libexec" -FOUND=0 - -# First param is which list to use, second is search pattern -scan () { -if [ "$1" = "1" ] ; then - dirs=$libdirs -elif [ "$1" = "2" ] ; then - dirs=$progdirs -elif [ "$1" = "3" ] ; then - dirs=$3 -fi - -for d in $dirs ; do - if [ ! -d $d ] ; then - continue - fi - files=`/usr/bin/find $d -name "$2" -type f 2>/dev/null` - for f in $files - do - syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' chroot@.*GLIBC'` - if [ x"$syms" != "x" ] ; then - syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' chdir@.*GLIBC'` - if [ x"$syms" = "x" ] ; then - if [ $FOUND = 0 ] ; then - printf "%-44s%s\n" "FILE" " PACKAGE" - FOUND=1 - fi - # Red - printf "\033[31m%-44s\033[m" $f - #rpm -qf --queryformat "%{NAME}-%{VERSION}" $f - rpm -qf --queryformat " %{SOURCERPM}" $f - echo - else - # One last test to see if chdir is within 3 - # lines of chroot - syms=`objdump -d $f | egrep callq | egrep 'chroot@plt' -A2 | egrep 'chroot|chdir'` - if [ x"$syms" = "x" ] ; then - syms=`echo $f | egrep -v 'libc-2|libc.so'` - if [ x"$syms" != "x" ] ; then - if [ $FOUND = 0 ] ; then - printf "%-44s%s\n" "FILE" "PACKAGE" - FOUND=1 - fi - printf "\033[31m%-44s\033[m" $f - rpm -qf --queryformat " %{SOURCERPM}" $f - echo - fi - fi - fi - fi - done -done -} - -if [ $# -eq 1 ] ; then - if [ -d $1 ] ; 
then - scan 3 '*' $1 - else - echo "Input is not a directory" - exit 1 - fi -else - scan 2 '*' - scan 1 '*.so' -fi - -if [ $FOUND -eq 0 ] ; then - # Nothing to report, just exit - echo "No problems found" 1>&2 - exit 0 -fi -exit 1 - - diff --git a/import-layers/meta-security/recipes-security/redhat-security/files/find-elf4tmp.sh b/import-layers/meta-security/recipes-security/redhat-security/files/find-elf4tmp.sh deleted file mode 100644 index 3118a70ec..000000000 --- a/import-layers/meta-security/recipes-security/redhat-security/files/find-elf4tmp.sh +++ /dev/null 
@@ -1,84 +0,0 @@
-#!/bin/sh
-# find_elf4tmp utility
-# Copyright (c) 2010-12 Steve Grubb. ALL RIGHTS RESERVED.
-# sgrubb@redhat.com
-#
-# This software may be freely redistributed under the terms of the GNU
-# public license.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-
-# This script will search a directory and its subdirectories for all elf
-# executables. It will then search for the use of the tmp directory. If it finds
-# this is true, it will then check to see if XXX is being used which would
-# indicate that the path is going to be randomized.
-
-if [ $# -ge 2 ] ; then
- echo "Usage: find_elf4tmp [directory]" 1>&2
- exit 1
-fi
-if [ ! -x /usr/bin/strings ] ; then
- echo "Skipping due to missing /usr/bin/eu-strings utility"
- exit 1
-fi
-if [ -h /bin ] ; then
- DIRS="/usr/bin /usr/sbin /usr/libexec /usr/kerberos /usr/games /usr/lib /usr/lib64 /usr/local"
-else
- DIRS="/bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/kerberos /usr/games /lib /lib64 /usr/lib /usr/lib64 /usr/local"
-fi
-if [ $# -eq 1 ] ; then
- if [ -d "$1" ] ; then
- DIRS="$1"
- else
- echo "Option passed in was not a directory" 1>&2
- exit 1
- fi
-fi
-
-FOUND=0
-for d in $DIRS
-do
- if [ ! -d $d ] ; then
- continue
- fi
-# echo "Scanning files in $d..."
- for f in `/usr/bin/find $d -type f 2>/dev/null`
- do
- # Get just the elf executables
- testf=`echo $f | /usr/bin/file -n -f - 2>/dev/null | grep ELF`
- if [ x"$testf" != "x" ] ; then
- test_res=`/usr/bin/strings $f | /bin/grep '/tmp/' | /bin/egrep -v 'XX|/tmp/$|[ .,:]/tmp/'`
- if [ x"$test_res" = "x" ] ; then
- continue
- fi
-
- # Do further examination...
- syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' mkstemp@.*GLIBC| tempnam@.*GLIBC| tmpfile@.*GLIBC'`
- if [ x"$syms" != "x" ] ; then
- continue
- fi
-
- # Well its a bad one...out with it
- FOUND=1
-
- # Get the package
- RPM=`/bin/rpm -qf --queryformat "%{NAME}-%{VERSION}" $f 2>/dev/null | /bin/grep -v 'not owned' | /usr/bin/sort | /usr/bin/uniq`
- if [ x"$RPM" = "x" ] ; then
- RPM="<unowned>"
- fi
-
- # For each tmp string, output the line
- echo $test_res | /usr/bin/tr '\b' '\n' | /usr/bin/awk 'NF >= 1 { printf "%-46s\t%-30s\t%s\n", f, r, $1 }' r=$RPM f=$f
- fi
- done
-done
-if [ $FOUND -eq 0 ] ; then
- # Nothing to report, just exit
- echo "No problems found" 1>&2
- exit 0
-fi
-exit 1
-
-
diff --git a/import-layers/meta-security/recipes-security/redhat-security/files/find-execstack.sh b/import-layers/meta-security/recipes-security/redhat-security/files/find-execstack.sh
deleted file mode 100644
index 85f16de6d..000000000
--- a/import-layers/meta-security/recipes-security/redhat-security/files/find-execstack.sh
+++ /dev/null
@@ -1,72 +0,0 @@
-#!/bin/sh
-#
-# find-execstack utility
-# Copyright (c) 2007 Steve Grubb. ALL RIGHTS RESERVED.
-# sgrubb@redhat.com
-#
-# This software may be freely redistributed under the terms of the GNU
-# public license.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-#
-# This program looks for executable stacks
-#
-
-libdirs="/lib /lib64 /usr/lib /usr/lib64"
-progdirs="/bin /sbin /usr/bin /usr/sbin /usr/libexec"
-FOUND=0
-
-# First param is which list to use, second is search pattern
-scan () {
-if [ "$1" = "1" ] ; then
- dirs=$libdirs
-elif [ "$1" = "2" ] ; then
- dirs=$progdirs
-fi
-
-for d in $dirs ; do
- if [ ! -d $d ] ; then
- continue
- fi
- files=`/usr/bin/find $d -name "$2" -type f 2>/dev/null`
- for f in $files
- do
- FOUND_ONE=0
- stacks=`/usr/bin/eu-readelf -l $f 2>/dev/null | grep STACK`
- if [ x"$stacks" != "x" ] ; then
- perms=`echo $stacks | /bin/awk '{ print $7 }'`
- if [ x"$perms" != x -a "$perms" != "RW" ] ; then
- FOUND_ONE=1
- fi
- fi
- old_stacks=`echo $stacks | /bin/grep -v GNU_STACK`
- if [ x"$old_stacks" != "x" ] ; then
- FOUND_ONE=1
- fi
- heaps=`/usr/bin/eu-readelf -l $f 2>/dev/null | grep GNU_HEAP`
- if [ x"$heaps" != "x" ] ; then
- FOUND_ONE=1
- fi
- if [ $FOUND_ONE = 1 ] ; then
- printf "%-42s" $f
- rpm -qf --queryformat "%{SOURCERPM}" $f
- echo
- FOUND=1
- fi
- done
-done
-}
-
-scan 1 '*.so'
-scan 2 '*'
-
-if [ $FOUND -eq 0 ] ; then
- # Nothing to report, just exit
- echo "No problems found" 1>&2
- exit 0
-fi
-exit 1
-
-
diff --git a/import-layers/meta-security/recipes-security/redhat-security/files/find-hidden-exec.sh b/import-layers/meta-security/recipes-security/redhat-security/files/find-hidden-exec.sh
deleted file mode 100644
index f799fca8f..000000000
--- a/import-layers/meta-security/recipes-security/redhat-security/files/find-hidden-exec.sh
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/sh
-#
-#
-# This software may be freely redistributed under the terms of the GNU
-# public license.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-#
-# This program looks for hidden executables
-
-find / -name '.*' -type f -perm /00111 2>/dev/null
-
-# Also need to find hidden dirs and see if anything below it is hidden
-hidden_dirs=`find / -name '.*' -type d 2>/dev/null`
-for d in $hidden_dirs
-do
- find $d -name '.*' -type f -perm /00111 2>/dev/null
-done
-
diff --git a/import-layers/meta-security/recipes-security/redhat-security/files/find-nodrop-groups.sh b/import-layers/meta-security/recipes-security/redhat-security/files/find-nodrop-groups.sh
deleted file mode 100644
index 249eacd2f..000000000
--- a/import-layers/meta-security/recipes-security/redhat-security/files/find-nodrop-groups.sh
+++ /dev/null
@@ -1,85 +0,0 @@
-#!/bin/sh
-#
-# find-nodrop-groups utility
-# Copyright (c) 2011 Steve Grubb. ALL RIGHTS RESERVED.
-# sgrubb@redhat.com
-#
-# This software may be freely redistributed under the terms of the GNU
-# public license.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-#
-# This program looks for apps that use setgid(2) without using initgroups(3)
-# or setgroups(2).
-#
-# To save to file: ./find-nodrop-groups | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | tee findings.txt
-
-libdirs="/lib /lib64 /usr/lib /usr/lib64"
-progdirs="/bin /sbin /usr/bin /usr/sbin /usr/libexec"
-FOUND=0
-
-# First param is which list to use, second is search pattern
-scan () {
-if [ "$1" = "1" ] ; then
- dirs=$libdirs
-elif [ "$1" = "2" ] ; then
- dirs=$progdirs
-elif [ "$1" = "3" ] ; then
- dirs=$3
-fi
-
-for d in $dirs ; do
- if [ ! -d $d ] ; then
- continue
- fi
- files=`/usr/bin/find $d -name "$2" -type f 2>/dev/null`
- for f in $files
- do
- syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setgid@.*GLIBC| setegid@.*GLIBC| setresgid@.*GLIBC'`
- if [ x"$syms" != "x" ] ; then
- syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setuid@.*GLIBC| seteuid@.*GLIBC| setresuid@.*GLIBC'`
- if [ x"$syms" != "x" ] ; then
- syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setgroups@.*GLIBC| initgroups@.*GLIBC'`
- if [ x"$syms" = "x" ] ; then
- if [ $FOUND = 0 ] ; then
- printf "%-44s%s\n" "FILE" "PACKAGE"
- fi
- syms=`find $f \( -perm -004000 -o -perm -002000 \) -type f -print`
- if [ x"$syms" = "x" ] ; then
- printf "\033[31m%-44s\033[m" $f
- rpm -qf --queryformat "%{SOURCERPM}" $f
- echo
- FOUND=1
-# else
-# printf "\033[33m%-44s\033[m" $f
- fi
- #rpm -qf --queryformat "%{NAME}-%{VERSION}" $f
- fi
- fi
- fi
- done
-done
-}
-
-if [ $# -eq 1 ] ; then
- if [ -d $1 ] ; then
- scan 3 '*' $1
- else
- echo "Input is not a directory"
- exit 1
- fi
-else
- scan 1 '*.so'
- scan 2 '*'
-fi
-
-if [ $FOUND -eq 0 ] ; then
- # Nothing to report, just exit
- echo "No problems found" 1>&2
- exit 0
-fi
-exit 1
-
-
diff --git a/import-layers/meta-security/recipes-security/redhat-security/files/find-sh4errors.sh b/import-layers/meta-security/recipes-security/redhat-security/files/find-sh4errors.sh
deleted file mode 100644
index 0054a6a75..000000000
--- a/import-layers/meta-security/recipes-security/redhat-security/files/find-sh4errors.sh
+++ /dev/null
@@ -1,132 +0,0 @@
-#!/bin/sh
-# find_sh4errors utility
-# Copyright (c) 2004 Steve Grubb. ALL RIGHTS RESERVED.
-# sgrubb@redhat.com
-#
-# This software may be freely redistributed under the terms of the GNU
-# public license.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-
-# This script will search a directory and its subdirectories for every shell
-# script. It then runs sh -n to see if bash can determine if there are obvious
-# parsing errors. It does have a bug in that bash -n does not take into
-# account someone may program an unconditional exit and then include man page
-# generation information. It also fails to notice the exec command. When you
-# run across files that do either of the above, add it to the KNOWN_BAD list.
-
-if [ $# -ge 2 ] ; then
- echo "Usage: find_sh4errors [directory]" 1>&2
- exit 1
-fi
-INTERPRETERS="wish wishx tclsh guile rep itkwish expect /etc/kde/kdm/Xsession /etc/X11/xdm/Xsession /usr/bin/festival perl hfssh"
-SKIP_DIRS="/opt /home /root"
-KNOWN_BAD="/usr/bin/kde-build /usr/bin/cvsversion samples/copifuncs/copi.sendifm1 bashdb bash_completion_test"
-DIR="/"
-if [ $# -eq 1 ] ; then
- if [ -d "$1" ] ; then
- DIR="$1"
- else
- echo "Option passed in was not a directory" 1>&2
- exit 1
- fi
-fi
-tempfile=`mktemp /tmp/sh4.XXXXXX`
-tempfile2=`mktemp /tmp/sh4.XXXXXX`
-if [ -z "$tempfile" -o -z "$tempfile2" ] ; then
- echo ; echo "Unable to create tempfiles...aborting." 1>&2 ; echo
- exit 1
-fi
-trap "rm -f $tempfile; rm -f $tempfile2; exit 2" 1 2 3 5 15
-
-# Get executable files
-#echo "Locating executables..."
-/usr/bin/find $DIR -type f -perm /0111 -print >> $tempfile 2>/dev/null
-FOUND=0
-#echo "Refining list to shell scripts..."
-while read f
-do
- # Get just the shell scripts
- testf=`echo $f | /usr/bin/file -n -f - | egrep 'ourne|POSIX shell'`
- if [ x"$testf" != x ] ; then
- echo $f >> $tempfile2
- FOUND=1
- fi
-done < $tempfile
-/bin/rm -f $tempfile
-if [ $FOUND -eq 0 ] ; then
- # Nothing to report, just exit
-# echo "Examining shell scripts in $DIR"
-# echo "No problems found"
- /bin/rm -f $tempfile2
- exit 0
-fi
-#echo "Examining shell scripts in $DIR"
-FOUND=0
-while read i
-do
- # First see if the script calls an interpreter
- SKIP=0
- for lang in $INTERPRETERS
- do
- if `/bin/cat "$i" 2>/dev/null | \
- grep "exec[ \t].*$lang" >/dev/null` ; then
- SKIP=1
- break
- fi
- done
-
- if [ $SKIP -eq 1 ] ; then
- continue
- fi
-
- # See if this is in a dir we want to ignore
- for d in $SKIP_DIRS
- do
- if `echo "$i" | /bin/grep "^\$d" >/dev/null`; then
- SKIP=1
- break
- fi
- done
-
- if [ $SKIP -eq 1 ] ; then
- continue
- fi
-
- # Don't do the known naughty files
- for bad in $KNOWN_BAD
- do
- if `echo "$i" | /bin/grep "$bad" >/dev/null`; then
- SKIP=1
- break
- fi
- done
-
- if [ $SKIP -eq 1 ] ; then
- continue
- fi
-
- # Now examine them for correctness
- interp=`/usr/bin/head -n 1 "$i" | /bin/awk '{ print $1 }' | \
- /usr/bin/tr -d '#!'`
- if [ x"$interp" = "x" -o ! -x "$interp" ] ; then
- interp="/bin/sh"
- fi
- $interp -n "$i" 2>/dev/null
- if [ $? -ne 0 ] ; then
- printf "%-44s" "$i"
- rpm -qf --queryformat "%{NAME}-%{VERSION}" $i
- echo
- FOUND=1
- fi
-done < $tempfile2
-/bin/rm -f $tempfile2
-if [ $FOUND -eq 0 ] ; then
- # Nothing to report, just exit
-# echo "No problems found"
- exit 0
-fi
-exit 1
-
diff --git a/import-layers/meta-security/recipes-security/redhat-security/files/find-sh4tmp.sh b/import-layers/meta-security/recipes-security/redhat-security/files/find-sh4tmp.sh
deleted file mode 100644
index 7fd1af715..000000000
--- a/import-layers/meta-security/recipes-security/redhat-security/files/find-sh4tmp.sh
+++ /dev/null
@@ -1,116 +0,0 @@
-#!/bin/sh
-# find_sh4tmp utility
-# Copyright (c) 2005 Steve Grubb. ALL RIGHTS RESERVED.
-# sgrubb@redhat.com
-#
-# This software may be freely redistributed under the terms of the GNU
-# public license.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-
-# This script will search a directory and its subdirectories for all shell
-# scripts. It will then search for the use of the tmp directory. If it finds
-# this is true, it will then try to determine if mktemp or something
-# reasonable was used and exclude it. It has a bug in that it does not handle
-# rm -f /tmp/ or mkdir /tmp/ correctly. If you run across files that do that,
-# add them to the KNOWN_BAD list to ignore them.
-
-if [ $# -ge 2 ] ; then
- echo "Usage: find_sh4tmp [directory]" 1>&2
- exit 1
-fi
-INTERPRETERS="wish wishx tclsh guile rep itkwish expect /etc/kde/kdm/Xsession /etc/X11/xdm/Xsession /usr/bin/festival perl hfssh"
-SKIP_DIRS="/opt /home /root /mnt /media /dev /proc /selinux /sys /usr/share/doc"
-KNOWN_BAD="kopete_latexconvert.sh cvs2dist fixfiles mysqlbug build/scripts/package/mkspec py-compile rc.sysinit init.d/xfs diff-jars grub-install mailshar vncserver Xsession sysreport cross-build vpkg rcs-to-cvs debug_check_log cvs2vendor tmpwatch ps2epsi mkdumprd xdg-open xdg-mime xdg-email gzexe"
-DIR="/"
-if [ $# -eq 1 ] ; then
- if [ -d "$1" ] ; then
- DIR="$1"
- else
- echo "Option passed in was not a directory" 1>&2
- exit 1
- fi
-fi
-tempfile=`mktemp /tmp/sh4.XXXXXX`
-tempfile2=`mktemp /tmp/sh4.XXXXXX`
-if [ -z "$tempfile" -o -z "$tempfile2" ] ; then
- echo ; echo "Unable to create tempfiles...aborting." 1>&2 ; echo
- exit 1
-fi
-trap "rm -f $tempfile; rm -f $tempfile2; exit 2" 1 2 3 5 15
-
-# Get executable files
-#echo "Scanning shell scripts in $DIR..."
-find $DIR -type f -perm /0111 -print >> $tempfile 2>/dev/null
-FOUND=0
-while read f
-do
- # Get just the shell scripts
- testf=`echo $f | file -n -f - | egrep 'ourne|POSIX shell'`
- if [ x"$testf" != x ] ; then
-# FIXME: need to do something to get rid of echo, rm, or mkdir "/tmp/"
- test_res=`cat $f 2>/dev/null | grep '\/tmp\/' | grep -v 'mktemp' | grep -v '^#'`
- if [ x"$test_res" = x ] ; then
- continue
- fi
-
- # Do further examination...
- # First see if the script calls an interpreter
- SKIP=0
- for lang in $INTERPRETERS
- do
- if `cat "$f" | grep "exec[ \t].*$lang" >/dev/null` ; then
- SKIP=1
- break
- fi
- done
-
- if [ $SKIP -eq 1 ] ; then
- continue
- fi
-
- # See if this is in a dir we want to ignore
- for d in $SKIP_DIRS
- do
- if `echo "$f" | grep "^\$d" >/dev/null`; then
- SKIP=1
- break
- fi
- done
-
- if [ $SKIP -eq 1 ] ; then
- continue
- fi
-
- # Don't do the known naughty files
- for bad in $KNOWN_BAD
- do
- if `echo "$f" | grep "$bad" >/dev/null`; then
- SKIP=1
- break
- fi
- done
-
- if [ $SKIP -eq 1 ] ; then
- continue
- fi
-
- # Well its a bad one...out with it
- printf "%-44s" $f
- rpm -qf --queryformat "%{NAME}-%{VERSION}" $f
- echo
- FOUND=1
- fi
-done < $tempfile
-rm -f $tempfile
-if [ $FOUND -eq 0 ] ; then
- # Nothing to report, just exit
-# echo "No problems found"
- rm -f $tempfile2
- exit 0
-fi
-exit 1
-
-
diff --git a/import-layers/meta-security/recipes-security/redhat-security/files/lib-bin-check.sh b/import-layers/meta-security/recipes-security/redhat-security/files/lib-bin-check.sh
deleted file mode 100644
index 1e2d930b4..000000000
--- a/import-layers/meta-security/recipes-security/redhat-security/files/lib-bin-check.sh
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/bin/sh
-
-# This software may be freely redistributed under the terms of the GNU
-# public license.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-
-found=0
-list=`rpm -qa --queryformat "%{NAME}-%{VERSION}.%{ARCH}\n" | grep '^lib' | egrep -v '\-utils\-|\-bin\-|\-tools\-|\-client\-|libreoffice|\-plugin\-'`
-for p in $list
-do
- bin=`rpm -ql $p | egrep '^/bin|^/sbin|^/usr/bin|^/usr/sbin' | grep -v '\-config'`
- if [ "x$bin" != "x" ]; then
- testf=`echo $bin | /usr/bin/file -n -f - 2>/dev/null | grep ELF`
- if [ x"$testf" != "x" ] ; then
- found=1
- echo "$p could be split into a utils package"
- fi
- fi
-done
-
-if [ $found = 0 ]; then
- echo "No problems found"
- exit 0
-fi
-
-exit 1
-
-
diff --git a/import-layers/meta-security/recipes-security/redhat-security/files/rpm-chksec.sh b/import-layers/meta-security/recipes-security/redhat-security/files/rpm-chksec.sh
deleted file mode 100644
index a0e8bb1a5..000000000
--- a/import-layers/meta-security/recipes-security/redhat-security/files/rpm-chksec.sh
+++ /dev/null
@@ -1,279 +0,0 @@ -#!/bin/sh -# rpm-chksec -# -# Copyright (c) 2011-2013 Steve Grubb. ALL RIGHTS RESERVED. -# sgrubb@redhat.com -# -# This software may be freely redistributed under the terms of the GNU -# public license. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -# -# Given an rpm, it will look at each file to check that its compiled with -# the intended flags to make it more secure. Things that are green are OK. -# Anything in yellow could be better but is passable. Anything in red needs -# attention. -# -# If the --all option is given, it will generate a list of rpms and then -# summarize the rpm's state. For yes, then all files are in the expected -# state. Just one file not compiled with the right flags can turn the -# answer to no. Re-run passing that package (instead of --all) for the details. -# -# To save to file: ./rpm-chksec | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | tee output.txt - -VERSION="0.5.2" - -usage () { - echo "rpm-chksec [--version|--all|<rpmname>...]" - if [ ! -x /usr/bin/filecap ] ; then - echo "You need to install libcap-ng-utils to test capabilities" - fi - if [ $EUID != 0 ] ; then - echo "You might need to be root to read some files" - fi - exit 0 -} - -if [ "$1" = "--help" -o $# -eq 0 ] ; then - usage -fi -if [ "$1" = "--version" ] ; then - echo "rpm-chksec $VERSION" - exit 0 -fi -if [ "$1" = "--all" ] ; then - MODE="all" -else - MODE="single" -fi - -do_one () { -if ! rpm -q $1 >/dev/null 2>&1 ; then - if [ "$MODE" = "single" ] ; then - echo "$1 is not installed" - exit 1 - else - echo "not installed" - return - fi -fi -files=`rpm -ql $1` - -# Look for daemons, need this for later... -DAEMON="" -for f in $files -do - if [ ! 
-f "$f" ] ; then - continue - fi - if [ `echo "$f" | grep '\/etc\/rc.d\/init.d'` ] ; then - n=`basename "$f"` - t=`which "$n" 2>/dev/null` - if [ x"$t" != "x" ] ; then - DAEMON="$DAEMON $t" - continue - fi - t=`which "$n"d 2>/dev/null` - if [ x"$t" != "x" ] ; then - DAEMON="$DAEMON $t" - continue - fi - t=`cat "$f" 2>/dev/null | grep 'bin' | grep 'exit 5' | grep -v '\$'` - if [ x"$t" != "x" ] ; then - DAEMON="$DAEMON $t" - continue - fi - if [ "$MODE" = "single" ] ; then - echo "Can't find the executable in $f but daemon rules would apply" - fi - elif [ `echo "$f" | grep '\/lib\/systemd\/'` ] ; then - t=`cat "$f" | grep -i '^ExecStart=' | tr '=' ' ' | awk '{ print $2 }'` - if [ x"$t" != "x" ] ; then - DAEMON="$DAEMON $t" - continue - fi - fi -done - -# Prevent garbled output when doing --all. -skip_current=0 - -for f in $files -do - if [ ! -f "$f" ] ; then - continue - fi - # Some packages have files with ~ in them. This avoids it. - if ! echo "$f" | grep '^/' >/dev/null ; then - continue - fi - if [ ! -r "$f" ] && [ $EUID != 0 ] ; then - if [ $MODE = "single" ] ; then - echo "Please re-test $f as the root user" - else - # Don't print results. - skip_current=1 - echo "Please re-test $1 as the root user" - fi - continue - fi - if ! 
file "$f" | grep -qw 'ELF'; then - continue - fi - RELRO="no" - if readelf -l "$f" 2>/dev/null | grep -q 'GNU_RELRO'; then - RELRO="partial" - fi - if readelf -d "$f" 2>/dev/null | grep -q 'BIND_NOW'; then - RELRO="full" - fi - PIE="no" - if readelf -h "$f" 2>/dev/null | grep -q 'Type:[[:space:]]*DYN'; then - PIE="DSO" - if readelf -d "$f" 2>/dev/null | grep -q '(DEBUG)'; then - PIE="yes" - fi - fi - APP="" - if [ x"$DAEMON" != "x" ] ; then - for d in $DAEMON - do - if [ "$f" = "$d" ] ; then - APP="daemon" - break - fi - done - fi - if [ x"$APP" = "x" ] ; then - # See if this is a library or a setuid app - if [ `echo "$f" | grep '\/lib' | grep '\.so'` ] ; then - APP="library" - elif [ `find "$f" -perm -004000 -type f -print` ] ; then - APP="setuid" - elif [ `find "$f" -perm -002000 -type f -print` ] ; then - APP="setgid" - elif [ -x /usr/bin/filecap ] && [ `filecap "$f" 2> /dev/null | wc -w` -gt 0 ] ; then - APP="setcap" - else - syms1=`/usr/bin/readelf -s "$f" 2>/dev/null | egrep ' connect@.*GLIBC| listen@.*GLIBC| accept@.*GLIBC|accept4@.*GLIBC'` - syms2=`/usr/bin/readelf -s "$f" 2>/dev/null | egrep ' getaddrinfo@.*GLIBC| getnameinfo@.*GLIBC| getservent@.*GLIBC| getservbyname@.*GLIBC| getservbyport@.*GLIBC|gethostbyname@.*GLIBC| gethostbyname2@.*GLIBC| gethostbyaddr@.*GLIBC| gethostbyaddr2@.*GLIBC'` - if [ x"$syms1" != "x" ] ; then - if [ x"$syms2" != "x" ] ; then - APP="network-ip" - else - APP="network-local" - fi - fi - fi - fi - if [ x"$APP" = "x" ] ; then - APP="exec" - fi - - # OK, ready for the output - if [ "$MODE" = "single" ] ; then - printf "%-56s %-10s " "$f" $APP - if [ "$APP" = "daemon" -o "$APP" = "setuid" -o "$APP" = "setgid" -o "$APP" = "setcap" -o "$APP" = "network-ip" -o "$APP" = "network-local" ] ; then - if [ "$RELRO" = "full" ] ; then - printf "\033[32m%-7s\033[m " $RELRO - elif [ "$RELRO" = "partial" ] ; then - printf "\033[33m%-7s\033[m " $RELRO - else - printf "\033[31m%-7s\033[m " $RELRO - fi - if [ "$PIE" = "yes" ] ; then - printf 
"\033[32m%-4s\033[m" $PIE - else - printf "\033[31m%-4s\033[m" $PIE - fi - elif [ "$APP" = "library" ] ; then - if [ "$RELRO" = "full" -o "$RELRO" = "partial" ] ; then - printf "\033[32m%-7s\033[m " $RELRO - else - printf "\033[31m%-7s\033[m " $RELRO - fi - printf "\033[32m%-4s\033[m" $PIE - else - # $APP = exec - we want partial relro - if [ "$RELRO" = "no" ] ; then - printf "\033[31m%-7s\033[m " $RELRO - else - printf "\033[32m%-7s\033[m " $RELRO - fi - printf "\033[32m%-4s\033[m" $PIE - fi - echo - else - if [ "$APP" = "daemon" -o "$APP" = "setuid" -o "$APP" = "setgid" -o "$APP" = "setcap" -o "$APP" = "network-ip" -o "$APP" = "network-local" ] ; then - if [ "$RELRO" = "no" ] ; then - RELRO_SUM="no" - APP_SUM="$APP" - fi - if [ "$PIE" = "no" ] ; then - PIE_SUM="no" - APP_SUM="$APP" - fi - elif [ "$APP" = "library" ] ; then - if [ "$RELRO" = "no" ] ; then - RELRO_SUM="no" - APP_SUM="$APP" - fi - # $APP = exec - must have partial or full relro - elif [ "$RELRO" = "no" ] ; then - RELRO_SUM="no" - APP_SUM="$APP" - fi - fi -done -} - -if [ "$MODE" = "single" ] ; then - printf "%-56s %-10s %-7s %-4s" "FILE" "TYPE" "RELRO" "PIE" - echo - for i; do - f=$(basename $1) - # Strip the .rpm extension, if present. 
- do_one ${f%%.rpm} - shift - done - exit 0 -fi - -# Skip the kernel as its special -packages=`rpm -qa | egrep -v 'kernel.|debuginfo.|.noarch|gpg-pubkey' | sort` -printf "%-50s %-5s %-4s %-14s" "PACKAGE" "RELRO" "PIE" "CLASS" -echo -for p in $packages -do - RELRO_SUM="yes" - PIE_SUM="yes" - APP_SUM="" - printf "%-50s " $p - do_one $p - if [[ $skip_current -eq 1 ]] ; then - continue - fi - if [ "$RELRO_SUM" = "yes" ] ; then - printf "\033[32m%-5s\033[m " "$RELRO_SUM" - else - printf "\033[31m%-5s\033[m " "$RELRO_SUM" - fi - if [ "$PIE_SUM" = "yes" ] ; then - printf "\033[32m%-4s\033[m" "$PIE_SUM" - if [ "$RELRO_SUM" = "no" ] ; then - printf " %-14s" "$APP_SUM" - fi - else - if [ "$APP_SUM" = "network-local" ] ; then - printf "\033[33m%-4s\033[m %-14s" "$PIE_SUM" "$APP_SUM" - else - printf "\033[31m%-4s\033[m %-14s" "$PIE_SUM" "$APP_SUM" - fi - fi - echo -done -exit 0 - - diff --git a/import-layers/meta-security/recipes-security/redhat-security/files/rpm-drop-groups.sh b/import-layers/meta-security/recipes-security/redhat-security/files/rpm-drop-groups.sh deleted file mode 100644 index 8c757834b..000000000 --- a/import-layers/meta-security/recipes-security/redhat-security/files/rpm-drop-groups.sh +++ /dev/null 
@@ -1,131 +0,0 @@ -#!/bin/sh -# rpm-drop-groups -# -# Copyright (c) 2011 Steve Grubb. ALL RIGHTS RESERVED. -# sgrubb@redhat.com -# -# This software may be freely redistributed under the terms of the GNU -# public license. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -# -# Given an rpm, it will look at each file to check if it tries to change -# group and user credentials. If so, it further tries to determine if -# it also calls setgroups or initgroups. To correctly change groups, the -# program must drop supplemntal groups. Programs are classified into: n/a -# meaning no group dropping occurs, yes its done correctly, and no meaning -# there seems to be a problem. -# -# If the --all option is given, it will generate a list of rpms and then -# summarize the rpm's state. For yes, then all files are in the expected -# state. Just one program failing can turn the package's summary to no. -# Re-run passing that package (instead of --all) for the details. -# -# To save to file: ./rpm-drop-groups | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | tee output.txt - -VERSION="0.1" - -usage () { - echo "rpm-drop-groups [--all|<rpmname>|--version]" - exit 0 -} - -if [ "$1" = "--help" -o $# -eq 0 ] ; then - usage -fi -if [ "$1" = "--version" ] ; then - echo "rpm-drop-groups $VERSION" - exit 0 -fi -if [ "$1" = "--all" ] ; then - MODE="all" -else - MODE="single" -fi - -do_one () { -if ! rpm -q $1 >/dev/null 2>&1 ; then - if [ "$MODE" = "single" ] ; then - echo "$1 is not installed" - exit 1 - else - echo "not installed" - return - fi -fi -files=`rpm -ql $1` - -for f in $files -do - if [ ! -f $f ] ; then - continue - fi - if ! 
file $f | grep -q 'ELF'; then - continue - fi - - CORRECT="n/a" - syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setgid@.*GLIBC| setegid@.*GLIBC| setresgid@.*GLIBC'` - if [ x"$syms" != "x" ] ; then - CORRECT="yes" - syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setuid@.*GLIBC| seteuid@.*GLIBC| setresuid@.*GLIBC'` - if [ x"$syms" != "x" ] ; then - syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setgroups@.*GLIBC| initgroups@.*GLIBC'` - if [ x"$syms" = "x" ] ; then - syms=`find $f \( -perm -004000 -o -perm -002000 \) -type f -print` - if [ x"$syms" = "x" ] ; then - CORRECT="no" - fi - fi - fi - fi - - # OK, ready for the output - if [ "$MODE" = "single" ] ; then - printf "%-60s " $f - if [ "$CORRECT" = "yes" ] ; then - printf "\033[32m%-7s\033[m " $CORRECT - elif [ "$CORRECT" = "no" ] ; then - printf "\033[31m%-7s\033[m " $CORRECT - else - printf "\033[33m%-7s\033[m " $CORRECT - fi - echo - else - if [ "$CORRECT" = "no" ] ; then - CORRECT_SUM="no" - fi - fi -done -} - -if [ "$MODE" = "single" ] ; then - printf "%-60s%-7s" "FILE" "CORRECT" - echo - for i; do - do_one $1 - shift - done - exit 0 -fi - -packages=`rpm -qa --queryformat "%{NAME}.%{ARCH}\n" | sort` -printf "%-50s %-7s" "PACKAGE" "CORRECT" -echo -for p in $packages -do - CORRECT_SUM="yes" - printf "%-50s " $p - do_one $p - if [ "$CORRECT_SUM" = "yes" ] ; then - printf "\033[32m%-7s\033[m " $CORRECT_SUM - else - printf "\033[31m%-7s\033[m " $CORRECT_SUM - fi - echo -done -exit 0 - - diff --git a/import-layers/meta-security/recipes-security/redhat-security/files/selinux-check-devices.sh b/import-layers/meta-security/recipes-security/redhat-security/files/selinux-check-devices.sh deleted file mode 100644 index ef996d787..000000000 --- a/import-layers/meta-security/recipes-security/redhat-security/files/selinux-check-devices.sh +++ /dev/null 
@@ -1,12 +0,0 @@
-#!/bin/sh
-
-# This software may be freely redistributed under the terms of the GNU
-# public license.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-
-find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"
-
-
diff --git a/import-layers/meta-security/recipes-security/redhat-security/files/selinux-ls-unconfined.sh b/import-layers/meta-security/recipes-security/redhat-security/files/selinux-ls-unconfined.sh
deleted file mode 100644
index 68684133c..000000000
--- a/import-layers/meta-security/recipes-security/redhat-security/files/selinux-ls-unconfined.sh
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/bin/sh
-
-# This software may be freely redistributed under the terms of the GNU
-# public license.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-
-# This checks for unconfined apps running, initrc and inetd are signs
-# of missing transitions.
-
-pidof xinetd >/dev/null
-if [ $? -eq 0 ] ; then
-ps -eZ | egrep "initrc|inetd" | egrep -v `pidof xinetd` | tr ':' ' ' | awk '{ printf "%s %s\n", $3, $NF }'
-else
-ps -eZ | egrep "initrc" | tr ':' ' ' | awk '{ printf "%s %s\n", $3, $NF }'
-fi
-
|