summaryrefslogtreecommitdiff
path: root/meta-security/recipes-security/redhat-security/files
diff options
context:
space:
mode:
Diffstat (limited to 'meta-security/recipes-security/redhat-security/files')
-rw-r--r--meta-security/recipes-security/redhat-security/files/find-chroot-py.sh96
-rw-r--r--meta-security/recipes-security/redhat-security/files/find-chroot.sh93
-rw-r--r--meta-security/recipes-security/redhat-security/files/find-elf4tmp.sh84
-rw-r--r--meta-security/recipes-security/redhat-security/files/find-execstack.sh72
-rw-r--r--meta-security/recipes-security/redhat-security/files/find-hidden-exec.sh21
-rw-r--r--meta-security/recipes-security/redhat-security/files/find-nodrop-groups.sh85
-rw-r--r--meta-security/recipes-security/redhat-security/files/find-sh4errors.sh132
-rw-r--r--meta-security/recipes-security/redhat-security/files/find-sh4tmp.sh116
-rw-r--r--meta-security/recipes-security/redhat-security/files/lib-bin-check.sh31
-rw-r--r--meta-security/recipes-security/redhat-security/files/rpm-chksec.sh279
-rw-r--r--meta-security/recipes-security/redhat-security/files/rpm-drop-groups.sh131
-rw-r--r--meta-security/recipes-security/redhat-security/files/selinux-check-devices.sh12
-rw-r--r--meta-security/recipes-security/redhat-security/files/selinux-ls-unconfined.sh19
13 files changed, 1171 insertions, 0 deletions
diff --git a/meta-security/recipes-security/redhat-security/files/find-chroot-py.sh b/meta-security/recipes-security/redhat-security/files/find-chroot-py.sh
new file mode 100644
index 000000000..9996e087c
--- /dev/null
+++ b/meta-security/recipes-security/redhat-security/files/find-chroot-py.sh
@@ -0,0 +1,96 @@
+#!/bin/sh
+#
+# find-chroot-py utility
+# Copyright (c) 2011 Steve Grubb. ALL RIGHTS RESERVED.
+# sgrubb@redhat.com
+#
+# This software may be freely redistributed under the terms of the GNU
+# public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+# This program looks for python apps that use chroot(2) without using chdir(2)
+#
+# To save to file: ./find-chroot | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | tee findings.txt
+
+libdirs="/lib /lib64 /usr/lib /usr/lib64"
+progdirs="/bin /sbin /usr/bin /usr/sbin /usr/libexec"
+FOUND=0
+
+# First param is which list to use, second is search pattern
+scan () {
+if [ "$1" = "1" ] ; then
+ dirs=$libdirs
+elif [ "$1" = "2" ] ; then
+ dirs=$progdirs
+elif [ "$1" = "3" ] ; then
+ dirs=$3
+fi
+
+for d in $dirs ; do
+ if [ ! -d $d ] ; then
+ continue
+ fi
+ files=`/usr/bin/find $d -name "$2" -type f 2>/dev/null`
+ for f in $files
+ do
+ if [ "$1" = "2" ] ; then
+ testf=`/usr/bin/file $f | egrep 'ython'`
+ if [ x"$testf" = "x" ] ; then
+ continue
+ fi
+ fi
+ syms=`egrep ' os.chroot' $f`
+ if [ x"$syms" != "x" ] ; then
+ syms=`egrep ' os.chdir' $f`
+ if [ x"$syms" = "x" ] ; then
+ if [ $FOUND = 0 ] ; then
+ printf "%-44s%s\n" "FILE" " PACKAGE"
+ FOUND=1
+ fi
+ # Red
+ printf "\033[31m%-44s\033[m" $f
+ #rpm -qf --queryformat "%{NAME}-%{VERSION}" $f
+ rpm -qf --queryformat " %{SOURCERPM}" $f
+ echo
+ else
+ # One last test to see if chdir is within 4
+ # lines of chroot
+ syms=`cat $f | egrep ' os.chroot' -A3 | egrep ' os.chdir'`
+ if [ x"$syms" = "x" ] ; then
+ if [ $FOUND = 0 ] ; then
+ printf "%-44s%s\n" "FILE" " PACKAGE"
+ FOUND=1
+ fi
+ printf "\033[31m%-44s\033[m" $f
+ rpm -qf --queryformat " %{SOURCERPM}" $f
+ echo
+ fi
+ fi
+ fi
+ done
+done
+}
+
+if [ $# -eq 1 ] ; then
+ if [ -d $1 ] ; then
+ scan 3 '*' $1
+ else
+ echo "Input is not a directory"
+ exit 1
+ fi
+else
+ scan 2 '*'
+ scan 1 '*.py'
+fi
+
+if [ $FOUND -eq 0 ] ; then
+ # Nothing to report, just exit
+ echo "No problems found" 1>&2
+ exit 0
+fi
+exit 1
+
+
diff --git a/meta-security/recipes-security/redhat-security/files/find-chroot.sh b/meta-security/recipes-security/redhat-security/files/find-chroot.sh
new file mode 100644
index 000000000..adce7fc8e
--- /dev/null
+++ b/meta-security/recipes-security/redhat-security/files/find-chroot.sh
@@ -0,0 +1,93 @@
+#!/bin/sh
+#
+# find-chroot utility
+# Copyright (c) 2011 Steve Grubb. ALL RIGHTS RESERVED.
+# sgrubb@redhat.com
+#
+# This software may be freely redistributed under the terms of the GNU
+# public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+# This program looks for apps that use chroot(2) without using chdir(2)
+#
+# To save to file: ./find-chroot | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | tee findings.txt
+
+libdirs="/lib /lib64 /usr/lib /usr/lib64"
+progdirs="/bin /sbin /usr/bin /usr/sbin /usr/libexec"
+FOUND=0
+
+# First param is which list to use, second is search pattern
+scan () {
+if [ "$1" = "1" ] ; then
+ dirs=$libdirs
+elif [ "$1" = "2" ] ; then
+ dirs=$progdirs
+elif [ "$1" = "3" ] ; then
+ dirs=$3
+fi
+
+for d in $dirs ; do
+ if [ ! -d $d ] ; then
+ continue
+ fi
+ files=`/usr/bin/find $d -name "$2" -type f 2>/dev/null`
+ for f in $files
+ do
+ syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' chroot@.*GLIBC'`
+ if [ x"$syms" != "x" ] ; then
+ syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' chdir@.*GLIBC'`
+ if [ x"$syms" = "x" ] ; then
+ if [ $FOUND = 0 ] ; then
+ printf "%-44s%s\n" "FILE" " PACKAGE"
+ FOUND=1
+ fi
+ # Red
+ printf "\033[31m%-44s\033[m" $f
+ #rpm -qf --queryformat "%{NAME}-%{VERSION}" $f
+ rpm -qf --queryformat " %{SOURCERPM}" $f
+ echo
+ else
+ # One last test to see if chdir is within 3
+ # lines of chroot
+ syms=`objdump -d $f | egrep callq | egrep 'chroot@plt' -A2 | egrep 'chroot|chdir'`
+ if [ x"$syms" = "x" ] ; then
+ syms=`echo $f | egrep -v 'libc-2|libc.so'`
+ if [ x"$syms" != "x" ] ; then
+ if [ $FOUND = 0 ] ; then
+ printf "%-44s%s\n" "FILE" "PACKAGE"
+ FOUND=1
+ fi
+ printf "\033[31m%-44s\033[m" $f
+ rpm -qf --queryformat " %{SOURCERPM}" $f
+ echo
+ fi
+ fi
+ fi
+ fi
+ done
+done
+}
+
+if [ $# -eq 1 ] ; then
+ if [ -d $1 ] ; then
+ scan 3 '*' $1
+ else
+ echo "Input is not a directory"
+ exit 1
+ fi
+else
+ scan 2 '*'
+ scan 1 '*.so'
+fi
+
+if [ $FOUND -eq 0 ] ; then
+ # Nothing to report, just exit
+ echo "No problems found" 1>&2
+ exit 0
+fi
+exit 1
+
+
diff --git a/meta-security/recipes-security/redhat-security/files/find-elf4tmp.sh b/meta-security/recipes-security/redhat-security/files/find-elf4tmp.sh
new file mode 100644
index 000000000..3118a70ec
--- /dev/null
+++ b/meta-security/recipes-security/redhat-security/files/find-elf4tmp.sh
@@ -0,0 +1,84 @@
+#!/bin/sh
+# find_elf4tmp utility
+# Copyright (c) 2010-12 Steve Grubb. ALL RIGHTS RESERVED.
+# sgrubb@redhat.com
+#
+# This software may be freely redistributed under the terms of the GNU
+# public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+# This script will search a directory and its subdirectories for all elf
+# executables. It will then search for the use of the tmp directory. If it finds
+# this is true, it will then check to see if XXX is being used which would
+# indicate that the path is going to be randomized.
+
+if [ $# -ge 2 ] ; then
+ echo "Usage: find_elf4tmp [directory]" 1>&2
+ exit 1
+fi
+if [ ! -x /usr/bin/strings ] ; then
+ echo "Skipping due to missing /usr/bin/eu-strings utility"
+ exit 1
+fi
+if [ -h /bin ] ; then
+ DIRS="/usr/bin /usr/sbin /usr/libexec /usr/kerberos /usr/games /usr/lib /usr/lib64 /usr/local"
+else
+ DIRS="/bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/kerberos /usr/games /lib /lib64 /usr/lib /usr/lib64 /usr/local"
+fi
+if [ $# -eq 1 ] ; then
+ if [ -d "$1" ] ; then
+ DIRS="$1"
+ else
+ echo "Option passed in was not a directory" 1>&2
+ exit 1
+ fi
+fi
+
+FOUND=0
+for d in $DIRS
+do
+ if [ ! -d $d ] ; then
+ continue
+ fi
+# echo "Scanning files in $d..."
+ for f in `/usr/bin/find $d -type f 2>/dev/null`
+ do
+ # Get just the elf executables
+ testf=`echo $f | /usr/bin/file -n -f - 2>/dev/null | grep ELF`
+ if [ x"$testf" != "x" ] ; then
+ test_res=`/usr/bin/strings $f | /bin/grep '/tmp/' | /bin/egrep -v 'XX|/tmp/$|[ .,:]/tmp/'`
+ if [ x"$test_res" = "x" ] ; then
+ continue
+ fi
+
+ # Do further examination...
+ syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' mkstemp@.*GLIBC| tempnam@.*GLIBC| tmpfile@.*GLIBC'`
+ if [ x"$syms" != "x" ] ; then
+ continue
+ fi
+
+ # Well its a bad one...out with it
+ FOUND=1
+
+ # Get the package
+ RPM=`/bin/rpm -qf --queryformat "%{NAME}-%{VERSION}" $f 2>/dev/null | /bin/grep -v 'not owned' | /usr/bin/sort | /usr/bin/uniq`
+ if [ x"$RPM" = "x" ] ; then
+ RPM="<unowned>"
+ fi
+
+ # For each tmp string, output the line
+ echo $test_res | /usr/bin/tr '\b' '\n' | /usr/bin/awk 'NF >= 1 { printf "%-46s\t%-30s\t%s\n", f, r, $1 }' r=$RPM f=$f
+ fi
+ done
+done
+if [ $FOUND -eq 0 ] ; then
+ # Nothing to report, just exit
+ echo "No problems found" 1>&2
+ exit 0
+fi
+exit 1
+
+
diff --git a/meta-security/recipes-security/redhat-security/files/find-execstack.sh b/meta-security/recipes-security/redhat-security/files/find-execstack.sh
new file mode 100644
index 000000000..85f16de6d
--- /dev/null
+++ b/meta-security/recipes-security/redhat-security/files/find-execstack.sh
@@ -0,0 +1,72 @@
+#!/bin/sh
+#
+# find-execstack utility
+# Copyright (c) 2007 Steve Grubb. ALL RIGHTS RESERVED.
+# sgrubb@redhat.com
+#
+# This software may be freely redistributed under the terms of the GNU
+# public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+# This program looks for executable stacks
+#
+
+libdirs="/lib /lib64 /usr/lib /usr/lib64"
+progdirs="/bin /sbin /usr/bin /usr/sbin /usr/libexec"
+FOUND=0
+
+# First param is which list to use, second is search pattern
+scan () {
+if [ "$1" = "1" ] ; then
+ dirs=$libdirs
+elif [ "$1" = "2" ] ; then
+ dirs=$progdirs
+fi
+
+for d in $dirs ; do
+ if [ ! -d $d ] ; then
+ continue
+ fi
+ files=`/usr/bin/find $d -name "$2" -type f 2>/dev/null`
+ for f in $files
+ do
+ FOUND_ONE=0
+ stacks=`/usr/bin/eu-readelf -l $f 2>/dev/null | grep STACK`
+ if [ x"$stacks" != "x" ] ; then
+ perms=`echo $stacks | /bin/awk '{ print $7 }'`
+ if [ x"$perms" != x -a "$perms" != "RW" ] ; then
+ FOUND_ONE=1
+ fi
+ fi
+ old_stacks=`echo $stacks | /bin/grep -v GNU_STACK`
+ if [ x"$old_stacks" != "x" ] ; then
+ FOUND_ONE=1
+ fi
+ heaps=`/usr/bin/eu-readelf -l $f 2>/dev/null | grep GNU_HEAP`
+ if [ x"$heaps" != "x" ] ; then
+ FOUND_ONE=1
+ fi
+ if [ $FOUND_ONE = 1 ] ; then
+ printf "%-42s" $f
+ rpm -qf --queryformat "%{SOURCERPM}" $f
+ echo
+ FOUND=1
+ fi
+ done
+done
+}
+
+scan 1 '*.so'
+scan 2 '*'
+
+if [ $FOUND -eq 0 ] ; then
+ # Nothing to report, just exit
+ echo "No problems found" 1>&2
+ exit 0
+fi
+exit 1
+
+
diff --git a/meta-security/recipes-security/redhat-security/files/find-hidden-exec.sh b/meta-security/recipes-security/redhat-security/files/find-hidden-exec.sh
new file mode 100644
index 000000000..f799fca8f
--- /dev/null
+++ b/meta-security/recipes-security/redhat-security/files/find-hidden-exec.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+#
+#
+# This software may be freely redistributed under the terms of the GNU
+# public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+# This program looks for hidden executables
+
+find / -name '.*' -type f -perm /00111 2>/dev/null
+
+# Also need to find hidden dirs and see if anything below it is hidden
+hidden_dirs=`find / -name '.*' -type d 2>/dev/null`
+for d in $hidden_dirs
+do
+ find $d -name '.*' -type f -perm /00111 2>/dev/null
+done
+
diff --git a/meta-security/recipes-security/redhat-security/files/find-nodrop-groups.sh b/meta-security/recipes-security/redhat-security/files/find-nodrop-groups.sh
new file mode 100644
index 000000000..249eacd2f
--- /dev/null
+++ b/meta-security/recipes-security/redhat-security/files/find-nodrop-groups.sh
@@ -0,0 +1,85 @@
+#!/bin/sh
+#
+# find-nodrop-groups utility
+# Copyright (c) 2011 Steve Grubb. ALL RIGHTS RESERVED.
+# sgrubb@redhat.com
+#
+# This software may be freely redistributed under the terms of the GNU
+# public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+# This program looks for apps that use setgid(2) without using initgroups(3)
+# or setgroups(2).
+#
+# To save to file: ./find-nodrop-groups | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | tee findings.txt
+
+libdirs="/lib /lib64 /usr/lib /usr/lib64"
+progdirs="/bin /sbin /usr/bin /usr/sbin /usr/libexec"
+FOUND=0
+
+# First param is which list to use, second is search pattern
+scan () {
+if [ "$1" = "1" ] ; then
+ dirs=$libdirs
+elif [ "$1" = "2" ] ; then
+ dirs=$progdirs
+elif [ "$1" = "3" ] ; then
+ dirs=$3
+fi
+
+for d in $dirs ; do
+ if [ ! -d $d ] ; then
+ continue
+ fi
+ files=`/usr/bin/find $d -name "$2" -type f 2>/dev/null`
+ for f in $files
+ do
+ syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setgid@.*GLIBC| setegid@.*GLIBC| setresgid@.*GLIBC'`
+ if [ x"$syms" != "x" ] ; then
+ syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setuid@.*GLIBC| seteuid@.*GLIBC| setresuid@.*GLIBC'`
+ if [ x"$syms" != "x" ] ; then
+ syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setgroups@.*GLIBC| initgroups@.*GLIBC'`
+ if [ x"$syms" = "x" ] ; then
+ if [ $FOUND = 0 ] ; then
+ printf "%-44s%s\n" "FILE" "PACKAGE"
+ fi
+ syms=`find $f \( -perm -004000 -o -perm -002000 \) -type f -print`
+ if [ x"$syms" = "x" ] ; then
+ printf "\033[31m%-44s\033[m" $f
+ rpm -qf --queryformat "%{SOURCERPM}" $f
+ echo
+ FOUND=1
+# else
+# printf "\033[33m%-44s\033[m" $f
+ fi
+ #rpm -qf --queryformat "%{NAME}-%{VERSION}" $f
+ fi
+ fi
+ fi
+ done
+done
+}
+
+if [ $# -eq 1 ] ; then
+ if [ -d $1 ] ; then
+ scan 3 '*' $1
+ else
+ echo "Input is not a directory"
+ exit 1
+ fi
+else
+ scan 1 '*.so'
+ scan 2 '*'
+fi
+
+if [ $FOUND -eq 0 ] ; then
+ # Nothing to report, just exit
+ echo "No problems found" 1>&2
+ exit 0
+fi
+exit 1
+
+
diff --git a/meta-security/recipes-security/redhat-security/files/find-sh4errors.sh b/meta-security/recipes-security/redhat-security/files/find-sh4errors.sh
new file mode 100644
index 000000000..0054a6a75
--- /dev/null
+++ b/meta-security/recipes-security/redhat-security/files/find-sh4errors.sh
@@ -0,0 +1,132 @@
+#!/bin/sh
+# find_sh4errors utility
+# Copyright (c) 2004 Steve Grubb. ALL RIGHTS RESERVED.
+# sgrubb@redhat.com
+#
+# This software may be freely redistributed under the terms of the GNU
+# public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+# This script will search a directory and its subdirectories for every shell
+# script. It then runs sh -n to see if bash can determine if there are obvious
+# parsing errors. It does have a bug in that bash -n does not take into
+# account someone may program an unconditional exit and then include man page
+# generation information. It also fails to notice the exec command. When you
+# run across files that do either of the above, add it to the KNOWN_BAD list.
+
+if [ $# -ge 2 ] ; then
+ echo "Usage: find_sh4errors [directory]" 1>&2
+ exit 1
+fi
+INTERPRETERS="wish wishx tclsh guile rep itkwish expect /etc/kde/kdm/Xsession /etc/X11/xdm/Xsession /usr/bin/festival perl hfssh"
+SKIP_DIRS="/opt /home /root"
+KNOWN_BAD="/usr/bin/kde-build /usr/bin/cvsversion samples/copifuncs/copi.sendifm1 bashdb bash_completion_test"
+DIR="/"
+if [ $# -eq 1 ] ; then
+ if [ -d "$1" ] ; then
+ DIR="$1"
+ else
+ echo "Option passed in was not a directory" 1>&2
+ exit 1
+ fi
+fi
+tempfile=`mktemp /tmp/sh4.XXXXXX`
+tempfile2=`mktemp /tmp/sh4.XXXXXX`
+if [ -z "$tempfile" -o -z "$tempfile2" ] ; then
+ echo ; echo "Unable to create tempfiles...aborting." 1>&2 ; echo
+ exit 1
+fi
+trap "rm -f $tempfile; rm -f $tempfile2; exit 2" 1 2 3 5 15
+
+# Get executable files
+#echo "Locating executables..."
+/usr/bin/find $DIR -type f -perm /0111 -print >> $tempfile 2>/dev/null
+FOUND=0
+#echo "Refining list to shell scripts..."
+while read f
+do
+ # Get just the shell scripts
+ testf=`echo $f | /usr/bin/file -n -f - | egrep 'ourne|POSIX shell'`
+ if [ x"$testf" != x ] ; then
+ echo $f >> $tempfile2
+ FOUND=1
+ fi
+done < $tempfile
+/bin/rm -f $tempfile
+if [ $FOUND -eq 0 ] ; then
+ # Nothing to report, just exit
+# echo "Examining shell scripts in $DIR"
+# echo "No problems found"
+ /bin/rm -f $tempfile2
+ exit 0
+fi
+#echo "Examining shell scripts in $DIR"
+FOUND=0
+while read i
+do
+ # First see if the script calls an interpreter
+ SKIP=0
+ for lang in $INTERPRETERS
+ do
+ if `/bin/cat "$i" 2>/dev/null | \
+ grep "exec[ \t].*$lang" >/dev/null` ; then
+ SKIP=1
+ break
+ fi
+ done
+
+ if [ $SKIP -eq 1 ] ; then
+ continue
+ fi
+
+ # See if this is in a dir we want to ignore
+ for d in $SKIP_DIRS
+ do
+ if `echo "$i" | /bin/grep "^\$d" >/dev/null`; then
+ SKIP=1
+ break
+ fi
+ done
+
+ if [ $SKIP -eq 1 ] ; then
+ continue
+ fi
+
+ # Don't do the known naughty files
+ for bad in $KNOWN_BAD
+ do
+ if `echo "$i" | /bin/grep "$bad" >/dev/null`; then
+ SKIP=1
+ break
+ fi
+ done
+
+ if [ $SKIP -eq 1 ] ; then
+ continue
+ fi
+
+ # Now examine them for correctness
+ interp=`/usr/bin/head -n 1 "$i" | /bin/awk '{ print $1 }' | \
+ /usr/bin/tr -d '#!'`
+ if [ x"$interp" = "x" -o ! -x "$interp" ] ; then
+ interp="/bin/sh"
+ fi
+ $interp -n "$i" 2>/dev/null
+ if [ $? -ne 0 ] ; then
+ printf "%-44s" "$i"
+ rpm -qf --queryformat "%{NAME}-%{VERSION}" $i
+ echo
+ FOUND=1
+ fi
+done < $tempfile2
+/bin/rm -f $tempfile2
+if [ $FOUND -eq 0 ] ; then
+ # Nothing to report, just exit
+# echo "No problems found"
+ exit 0
+fi
+exit 1
+
diff --git a/meta-security/recipes-security/redhat-security/files/find-sh4tmp.sh b/meta-security/recipes-security/redhat-security/files/find-sh4tmp.sh
new file mode 100644
index 000000000..7fd1af715
--- /dev/null
+++ b/meta-security/recipes-security/redhat-security/files/find-sh4tmp.sh
@@ -0,0 +1,116 @@
+#!/bin/sh
+# find_sh4tmp utility
+# Copyright (c) 2005 Steve Grubb. ALL RIGHTS RESERVED.
+# sgrubb@redhat.com
+#
+# This software may be freely redistributed under the terms of the GNU
+# public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+# This script will search a directory and its subdirectories for all shell
+# scripts. It will then search for the use of the tmp directory. If it finds
+# this is true, it will then try to determine if mktemp or something
+# reasonable was used and exclude it. It has a bug in that it does not handle
+# rm -f /tmp/ or mkdir /tmp/ correctly. If you run across files that do that,
+# add them to the KNOWN_BAD list to ignore them.
+
+if [ $# -ge 2 ] ; then
+ echo "Usage: find_sh4tmp [directory]" 1>&2
+ exit 1
+fi
+INTERPRETERS="wish wishx tclsh guile rep itkwish expect /etc/kde/kdm/Xsession /etc/X11/xdm/Xsession /usr/bin/festival perl hfssh"
+SKIP_DIRS="/opt /home /root /mnt /media /dev /proc /selinux /sys /usr/share/doc"
+KNOWN_BAD="kopete_latexconvert.sh cvs2dist fixfiles mysqlbug build/scripts/package/mkspec py-compile rc.sysinit init.d/xfs diff-jars grub-install mailshar vncserver Xsession sysreport cross-build vpkg rcs-to-cvs debug_check_log cvs2vendor tmpwatch ps2epsi mkdumprd xdg-open xdg-mime xdg-email gzexe"
+DIR="/"
+if [ $# -eq 1 ] ; then
+ if [ -d "$1" ] ; then
+ DIR="$1"
+ else
+ echo "Option passed in was not a directory" 1>&2
+ exit 1
+ fi
+fi
+tempfile=`mktemp /tmp/sh4.XXXXXX`
+tempfile2=`mktemp /tmp/sh4.XXXXXX`
+if [ -z "$tempfile" -o -z "$tempfile2" ] ; then
+ echo ; echo "Unable to create tempfiles...aborting." 1>&2 ; echo
+ exit 1
+fi
+trap "rm -f $tempfile; rm -f $tempfile2; exit 2" 1 2 3 5 15
+
+# Get executable files
+#echo "Scanning shell scripts in $DIR..."
+find $DIR -type f -perm /0111 -print >> $tempfile 2>/dev/null
+FOUND=0
+while read f
+do
+ # Get just the shell scripts
+ testf=`echo $f | file -n -f - | egrep 'ourne|POSIX shell'`
+ if [ x"$testf" != x ] ; then
+# FIXME: need to do something to get rid of echo, rm, or mkdir "/tmp/"
+ test_res=`cat $f 2>/dev/null | grep '\/tmp\/' | grep -v 'mktemp' | grep -v '^#'`
+ if [ x"$test_res" = x ] ; then
+ continue
+ fi
+
+ # Do further examination...
+ # First see if the script calls an interpreter
+ SKIP=0
+ for lang in $INTERPRETERS
+ do
+ if `cat "$f" | grep "exec[ \t].*$lang" >/dev/null` ; then
+ SKIP=1
+ break
+ fi
+ done
+
+ if [ $SKIP -eq 1 ] ; then
+ continue
+ fi
+
+ # See if this is in a dir we want to ignore
+ for d in $SKIP_DIRS
+ do
+ if `echo "$f" | grep "^\$d" >/dev/null`; then
+ SKIP=1
+ break
+ fi
+ done
+
+ if [ $SKIP -eq 1 ] ; then
+ continue
+ fi
+
+ # Don't do the known naughty files
+ for bad in $KNOWN_BAD
+ do
+ if `echo "$f" | grep "$bad" >/dev/null`; then
+ SKIP=1
+ break
+ fi
+ done
+
+ if [ $SKIP -eq 1 ] ; then
+ continue
+ fi
+
+ # Well its a bad one...out with it
+ printf "%-44s" $f
+ rpm -qf --queryformat "%{NAME}-%{VERSION}" $f
+ echo
+ FOUND=1
+ fi
+done < $tempfile
+rm -f $tempfile
+if [ $FOUND -eq 0 ] ; then
+ # Nothing to report, just exit
+# echo "No problems found"
+ rm -f $tempfile2
+ exit 0
+fi
+exit 1
+
+
diff --git a/meta-security/recipes-security/redhat-security/files/lib-bin-check.sh b/meta-security/recipes-security/redhat-security/files/lib-bin-check.sh
new file mode 100644
index 000000000..1e2d930b4
--- /dev/null
+++ b/meta-security/recipes-security/redhat-security/files/lib-bin-check.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# This software may be freely redistributed under the terms of the GNU
+# public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+found=0
+list=`rpm -qa --queryformat "%{NAME}-%{VERSION}.%{ARCH}\n" | grep '^lib' | egrep -v '\-utils\-|\-bin\-|\-tools\-|\-client\-|libreoffice|\-plugin\-'`
+for p in $list
+do
+ bin=`rpm -ql $p | egrep '^/bin|^/sbin|^/usr/bin|^/usr/sbin' | grep -v '\-config'`
+ if [ "x$bin" != "x" ]; then
+ testf=`echo $bin | /usr/bin/file -n -f - 2>/dev/null | grep ELF`
+ if [ x"$testf" != "x" ] ; then
+ found=1
+ echo "$p could be split into a utils package"
+ fi
+ fi
+done
+
+if [ $found = 0 ]; then
+ echo "No problems found"
+ exit 0
+fi
+
+exit 1
+
+
diff --git a/meta-security/recipes-security/redhat-security/files/rpm-chksec.sh b/meta-security/recipes-security/redhat-security/files/rpm-chksec.sh
new file mode 100644
index 000000000..a0e8bb1a5
--- /dev/null
+++ b/meta-security/recipes-security/redhat-security/files/rpm-chksec.sh
@@ -0,0 +1,279 @@
+#!/bin/sh
+# rpm-chksec
+#
+# Copyright (c) 2011-2013 Steve Grubb. ALL RIGHTS RESERVED.
+# sgrubb@redhat.com
+#
+# This software may be freely redistributed under the terms of the GNU
+# public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+# Given an rpm, it will look at each file to check that its compiled with
+# the intended flags to make it more secure. Things that are green are OK.
+# Anything in yellow could be better but is passable. Anything in red needs
+# attention.
+#
+# If the --all option is given, it will generate a list of rpms and then
+# summarize the rpm's state. For yes, then all files are in the expected
+# state. Just one file not compiled with the right flags can turn the
+# answer to no. Re-run passing that package (instead of --all) for the details.
+#
+# To save to file: ./rpm-chksec | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | tee output.txt
+
+VERSION="0.5.2"
+
+usage () {
+ echo "rpm-chksec [--version|--all|<rpmname>...]"
+ if [ ! -x /usr/bin/filecap ] ; then
+ echo "You need to install libcap-ng-utils to test capabilities"
+ fi
+ if [ $EUID != 0 ] ; then
+ echo "You might need to be root to read some files"
+ fi
+ exit 0
+}
+
+if [ "$1" = "--help" -o $# -eq 0 ] ; then
+ usage
+fi
+if [ "$1" = "--version" ] ; then
+ echo "rpm-chksec $VERSION"
+ exit 0
+fi
+if [ "$1" = "--all" ] ; then
+ MODE="all"
+else
+ MODE="single"
+fi
+
+do_one () {
+if ! rpm -q $1 >/dev/null 2>&1 ; then
+ if [ "$MODE" = "single" ] ; then
+ echo "$1 is not installed"
+ exit 1
+ else
+ echo "not installed"
+ return
+ fi
+fi
+files=`rpm -ql $1`
+
+# Look for daemons, need this for later...
+DAEMON=""
+for f in $files
+do
+ if [ ! -f "$f" ] ; then
+ continue
+ fi
+ if [ `echo "$f" | grep '\/etc\/rc.d\/init.d'` ] ; then
+ n=`basename "$f"`
+ t=`which "$n" 2>/dev/null`
+ if [ x"$t" != "x" ] ; then
+ DAEMON="$DAEMON $t"
+ continue
+ fi
+ t=`which "$n"d 2>/dev/null`
+ if [ x"$t" != "x" ] ; then
+ DAEMON="$DAEMON $t"
+ continue
+ fi
+ t=`cat "$f" 2>/dev/null | grep 'bin' | grep 'exit 5' | grep -v '\$'`
+ if [ x"$t" != "x" ] ; then
+ DAEMON="$DAEMON $t"
+ continue
+ fi
+ if [ "$MODE" = "single" ] ; then
+ echo "Can't find the executable in $f but daemon rules would apply"
+ fi
+ elif [ `echo "$f" | grep '\/lib\/systemd\/'` ] ; then
+ t=`cat "$f" | grep -i '^ExecStart=' | tr '=' ' ' | awk '{ print $2 }'`
+ if [ x"$t" != "x" ] ; then
+ DAEMON="$DAEMON $t"
+ continue
+ fi
+ fi
+done
+
+# Prevent garbled output when doing --all.
+skip_current=0
+
+for f in $files
+do
+ if [ ! -f "$f" ] ; then
+ continue
+ fi
+ # Some packages have files with ~ in them. This avoids it.
+ if ! echo "$f" | grep '^/' >/dev/null ; then
+ continue
+ fi
+ if [ ! -r "$f" ] && [ $EUID != 0 ] ; then
+ if [ $MODE = "single" ] ; then
+ echo "Please re-test $f as the root user"
+ else
+ # Don't print results.
+ skip_current=1
+ echo "Please re-test $1 as the root user"
+ fi
+ continue
+ fi
+ if ! file "$f" | grep -qw 'ELF'; then
+ continue
+ fi
+ RELRO="no"
+ if readelf -l "$f" 2>/dev/null | grep -q 'GNU_RELRO'; then
+ RELRO="partial"
+ fi
+ if readelf -d "$f" 2>/dev/null | grep -q 'BIND_NOW'; then
+ RELRO="full"
+ fi
+ PIE="no"
+ if readelf -h "$f" 2>/dev/null | grep -q 'Type:[[:space:]]*DYN'; then
+ PIE="DSO"
+ if readelf -d "$f" 2>/dev/null | grep -q '(DEBUG)'; then
+ PIE="yes"
+ fi
+ fi
+ APP=""
+ if [ x"$DAEMON" != "x" ] ; then
+ for d in $DAEMON
+ do
+ if [ "$f" = "$d" ] ; then
+ APP="daemon"
+ break
+ fi
+ done
+ fi
+ if [ x"$APP" = "x" ] ; then
+ # See if this is a library or a setuid app
+ if [ `echo "$f" | grep '\/lib' | grep '\.so'` ] ; then
+ APP="library"
+ elif [ `find "$f" -perm -004000 -type f -print` ] ; then
+ APP="setuid"
+ elif [ `find "$f" -perm -002000 -type f -print` ] ; then
+ APP="setgid"
+ elif [ -x /usr/bin/filecap ] && [ `filecap "$f" 2> /dev/null | wc -w` -gt 0 ] ; then
+ APP="setcap"
+ else
+ syms1=`/usr/bin/readelf -s "$f" 2>/dev/null | egrep ' connect@.*GLIBC| listen@.*GLIBC| accept@.*GLIBC|accept4@.*GLIBC'`
+ syms2=`/usr/bin/readelf -s "$f" 2>/dev/null | egrep ' getaddrinfo@.*GLIBC| getnameinfo@.*GLIBC| getservent@.*GLIBC| getservbyname@.*GLIBC| getservbyport@.*GLIBC|gethostbyname@.*GLIBC| gethostbyname2@.*GLIBC| gethostbyaddr@.*GLIBC| gethostbyaddr2@.*GLIBC'`
+ if [ x"$syms1" != "x" ] ; then
+ if [ x"$syms2" != "x" ] ; then
+ APP="network-ip"
+ else
+ APP="network-local"
+ fi
+ fi
+ fi
+ fi
+ if [ x"$APP" = "x" ] ; then
+ APP="exec"
+ fi
+
+ # OK, ready for the output
+ if [ "$MODE" = "single" ] ; then
+ printf "%-56s %-10s " "$f" $APP
+ if [ "$APP" = "daemon" -o "$APP" = "setuid" -o "$APP" = "setgid" -o "$APP" = "setcap" -o "$APP" = "network-ip" -o "$APP" = "network-local" ] ; then
+ if [ "$RELRO" = "full" ] ; then
+ printf "\033[32m%-7s\033[m " $RELRO
+ elif [ "$RELRO" = "partial" ] ; then
+ printf "\033[33m%-7s\033[m " $RELRO
+ else
+ printf "\033[31m%-7s\033[m " $RELRO
+ fi
+ if [ "$PIE" = "yes" ] ; then
+ printf "\033[32m%-4s\033[m" $PIE
+ else
+ printf "\033[31m%-4s\033[m" $PIE
+ fi
+ elif [ "$APP" = "library" ] ; then
+ if [ "$RELRO" = "full" -o "$RELRO" = "partial" ] ; then
+ printf "\033[32m%-7s\033[m " $RELRO
+ else
+ printf "\033[31m%-7s\033[m " $RELRO
+ fi
+ printf "\033[32m%-4s\033[m" $PIE
+ else
+ # $APP = exec - we want partial relro
+ if [ "$RELRO" = "no" ] ; then
+ printf "\033[31m%-7s\033[m " $RELRO
+ else
+ printf "\033[32m%-7s\033[m " $RELRO
+ fi
+ printf "\033[32m%-4s\033[m" $PIE
+ fi
+ echo
+ else
+ if [ "$APP" = "daemon" -o "$APP" = "setuid" -o "$APP" = "setgid" -o "$APP" = "setcap" -o "$APP" = "network-ip" -o "$APP" = "network-local" ] ; then
+ if [ "$RELRO" = "no" ] ; then
+ RELRO_SUM="no"
+ APP_SUM="$APP"
+ fi
+ if [ "$PIE" = "no" ] ; then
+ PIE_SUM="no"
+ APP_SUM="$APP"
+ fi
+ elif [ "$APP" = "library" ] ; then
+ if [ "$RELRO" = "no" ] ; then
+ RELRO_SUM="no"
+ APP_SUM="$APP"
+ fi
+ # $APP = exec - must have partial or full relro
+ elif [ "$RELRO" = "no" ] ; then
+ RELRO_SUM="no"
+ APP_SUM="$APP"
+ fi
+ fi
+done
+}
+
+if [ "$MODE" = "single" ] ; then
+ printf "%-56s %-10s %-7s %-4s" "FILE" "TYPE" "RELRO" "PIE"
+ echo
+ for i; do
+ f=$(basename $1)
+ # Strip the .rpm extension, if present.
+ do_one ${f%%.rpm}
+ shift
+ done
+ exit 0
+fi
+
+# Skip the kernel as its special
+packages=`rpm -qa | egrep -v 'kernel.|debuginfo.|.noarch|gpg-pubkey' | sort`
+printf "%-50s %-5s %-4s %-14s" "PACKAGE" "RELRO" "PIE" "CLASS"
+echo
+for p in $packages
+do
+ RELRO_SUM="yes"
+ PIE_SUM="yes"
+ APP_SUM=""
+ printf "%-50s " $p
+ do_one $p
+ if [[ $skip_current -eq 1 ]] ; then
+ continue
+ fi
+ if [ "$RELRO_SUM" = "yes" ] ; then
+ printf "\033[32m%-5s\033[m " "$RELRO_SUM"
+ else
+ printf "\033[31m%-5s\033[m " "$RELRO_SUM"
+ fi
+ if [ "$PIE_SUM" = "yes" ] ; then
+ printf "\033[32m%-4s\033[m" "$PIE_SUM"
+ if [ "$RELRO_SUM" = "no" ] ; then
+ printf " %-14s" "$APP_SUM"
+ fi
+ else
+ if [ "$APP_SUM" = "network-local" ] ; then
+ printf "\033[33m%-4s\033[m %-14s" "$PIE_SUM" "$APP_SUM"
+ else
+ printf "\033[31m%-4s\033[m %-14s" "$PIE_SUM" "$APP_SUM"
+ fi
+ fi
+ echo
+done
+exit 0
+
+
diff --git a/meta-security/recipes-security/redhat-security/files/rpm-drop-groups.sh b/meta-security/recipes-security/redhat-security/files/rpm-drop-groups.sh
new file mode 100644
index 000000000..8c757834b
--- /dev/null
+++ b/meta-security/recipes-security/redhat-security/files/rpm-drop-groups.sh
@@ -0,0 +1,131 @@
+#!/bin/sh
+# rpm-drop-groups
+#
+# Copyright (c) 2011 Steve Grubb. ALL RIGHTS RESERVED.
+# sgrubb@redhat.com
+#
+# This software may be freely redistributed under the terms of the GNU
+# public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+# Given an rpm, it will look at each file to check if it tries to change
+# group and user credentials. If so, it further tries to determine if
+# it also calls setgroups or initgroups. To correctly change groups, the
+# program must drop supplemntal groups. Programs are classified into: n/a
+# meaning no group dropping occurs, yes its done correctly, and no meaning
+# there seems to be a problem.
+#
+# If the --all option is given, it will generate a list of rpms and then
+# summarize the rpm's state. For yes, then all files are in the expected
+# state. Just one program failing can turn the package's summary to no.
+# Re-run passing that package (instead of --all) for the details.
+#
+# To save to file: ./rpm-drop-groups | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | tee output.txt
+
+VERSION="0.1"
+
+usage () {
+ echo "rpm-drop-groups [--all|<rpmname>|--version]"
+ exit 0
+}
+
+if [ "$1" = "--help" -o $# -eq 0 ] ; then
+ usage
+fi
+if [ "$1" = "--version" ] ; then
+ echo "rpm-drop-groups $VERSION"
+ exit 0
+fi
+if [ "$1" = "--all" ] ; then
+ MODE="all"
+else
+ MODE="single"
+fi
+
+do_one () {
+if ! rpm -q $1 >/dev/null 2>&1 ; then
+ if [ "$MODE" = "single" ] ; then
+ echo "$1 is not installed"
+ exit 1
+ else
+ echo "not installed"
+ return
+ fi
+fi
+files=`rpm -ql $1`
+
+for f in $files
+do
+ if [ ! -f $f ] ; then
+ continue
+ fi
+ if ! file $f | grep -q 'ELF'; then
+ continue
+ fi
+
+ CORRECT="n/a"
+ syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setgid@.*GLIBC| setegid@.*GLIBC| setresgid@.*GLIBC'`
+ if [ x"$syms" != "x" ] ; then
+ CORRECT="yes"
+ syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setuid@.*GLIBC| seteuid@.*GLIBC| setresuid@.*GLIBC'`
+ if [ x"$syms" != "x" ] ; then
+ syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setgroups@.*GLIBC| initgroups@.*GLIBC'`
+ if [ x"$syms" = "x" ] ; then
+ syms=`find $f \( -perm -004000 -o -perm -002000 \) -type f -print`
+ if [ x"$syms" = "x" ] ; then
+ CORRECT="no"
+ fi
+ fi
+ fi
+ fi
+
+ # OK, ready for the output
+ if [ "$MODE" = "single" ] ; then
+ printf "%-60s " $f
+ if [ "$CORRECT" = "yes" ] ; then
+ printf "\033[32m%-7s\033[m " $CORRECT
+ elif [ "$CORRECT" = "no" ] ; then
+ printf "\033[31m%-7s\033[m " $CORRECT
+ else
+ printf "\033[33m%-7s\033[m " $CORRECT
+ fi
+ echo
+ else
+ if [ "$CORRECT" = "no" ] ; then
+ CORRECT_SUM="no"
+ fi
+ fi
+done
+}
+
+if [ "$MODE" = "single" ] ; then
+ printf "%-60s%-7s" "FILE" "CORRECT"
+ echo
+ for i; do
+ do_one $1
+ shift
+ done
+ exit 0
+fi
+
+packages=`rpm -qa --queryformat "%{NAME}.%{ARCH}\n" | sort`
+printf "%-50s %-7s" "PACKAGE" "CORRECT"
+echo
+for p in $packages
+do
+ CORRECT_SUM="yes"
+ printf "%-50s " $p
+ do_one $p
+ if [ "$CORRECT_SUM" = "yes" ] ; then
+ printf "\033[32m%-7s\033[m " $CORRECT_SUM
+ else
+ printf "\033[31m%-7s\033[m " $CORRECT_SUM
+ fi
+ echo
+done
+exit 0
+
+
diff --git a/meta-security/recipes-security/redhat-security/files/selinux-check-devices.sh b/meta-security/recipes-security/redhat-security/files/selinux-check-devices.sh
new file mode 100644
index 000000000..ef996d787
--- /dev/null
+++ b/meta-security/recipes-security/redhat-security/files/selinux-check-devices.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+# This software may be freely redistributed under the terms of the GNU
+# public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"
+
+
diff --git a/meta-security/recipes-security/redhat-security/files/selinux-ls-unconfined.sh b/meta-security/recipes-security/redhat-security/files/selinux-ls-unconfined.sh
new file mode 100644
index 000000000..68684133c
--- /dev/null
+++ b/meta-security/recipes-security/redhat-security/files/selinux-ls-unconfined.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# This software may be freely redistributed under the terms of the GNU
+# public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+# This checks for unconfined apps running, initrc and inetd are signs
+# of missing transitions.
+
+pidof xinetd >/dev/null
+if [ $? -eq 0 ] ; then
+ps -eZ | egrep "initrc|inetd" | egrep -v `pidof xinetd` | tr ':' ' ' | awk '{ printf "%s %s\n", $3, $NF }'
+else
+ps -eZ | egrep "initrc" | tr ':' ' ' | awk '{ printf "%s %s\n", $3, $NF }'
+fi
+