diff options
Diffstat (limited to 'meta-security/recipes-security/redhat-security')
14 files changed, 1211 insertions, 0 deletions
diff --git a/meta-security/recipes-security/redhat-security/files/find-chroot-py.sh b/meta-security/recipes-security/redhat-security/files/find-chroot-py.sh new file mode 100644 index 000000000..9996e087c --- /dev/null +++ b/meta-security/recipes-security/redhat-security/files/find-chroot-py.sh @@ -0,0 +1,96 @@ +#!/bin/sh +# +# find-chroot-py utility +# Copyright (c) 2011 Steve Grubb. ALL RIGHTS RESERVED. +# sgrubb@redhat.com +# +# This software may be freely redistributed under the terms of the GNU +# public license. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +# +# This program looks for python apps that use chroot(2) without using chdir(2) +# +# To save to file: ./find-chroot | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | tee findings.txt + +libdirs="/lib /lib64 /usr/lib /usr/lib64" +progdirs="/bin /sbin /usr/bin /usr/sbin /usr/libexec" +FOUND=0 + +# First param is which list to use, second is search pattern +scan () { +if [ "$1" = "1" ] ; then + dirs=$libdirs +elif [ "$1" = "2" ] ; then + dirs=$progdirs +elif [ "$1" = "3" ] ; then + dirs=$3 +fi + +for d in $dirs ; do + if [ ! -d $d ] ; then + continue + fi + files=`/usr/bin/find $d -name "$2" -type f 2>/dev/null` + for f in $files + do + if [ "$1" = "2" ] ; then + testf=`/usr/bin/file $f | egrep 'ython'` + if [ x"$testf" = "x" ] ; then + continue + fi + fi + syms=`egrep ' os.chroot' $f` + if [ x"$syms" != "x" ] ; then + syms=`egrep ' os.chdir' $f` + if [ x"$syms" = "x" ] ; then + if [ $FOUND = 0 ] ; then + printf "%-44s%s\n" "FILE" " PACKAGE" + FOUND=1 + fi + # Red + printf "\033[31m%-44s\033[m" $f + #rpm -qf --queryformat "%{NAME}-%{VERSION}" $f + rpm -qf --queryformat " %{SOURCERPM}" $f + echo + else + # One last test to see if chdir is within 4 + # lines of chroot + syms=`cat $f | egrep ' os.chroot' -A3 | egrep ' os.chdir'` + if [ x"$syms" = "x" ] ; then + if [ $FOUND = 0 ] ; then + printf "%-44s%s\n" "FILE" " PACKAGE" + FOUND=1 + fi + printf "\033[31m%-44s\033[m" $f + rpm -qf --queryformat " %{SOURCERPM}" $f + echo + fi + fi + fi + done +done +} + +if [ $# -eq 1 ] ; then + if [ -d $1 ] ; then + scan 3 '*' $1 + else + echo "Input is not a directory" + exit 1 + fi +else + scan 2 '*' + scan 1 '*.py' +fi + +if [ $FOUND -eq 0 ] ; then + # Nothing to report, just exit + echo "No problems found" 1>&2 + exit 0 +fi +exit 1 + + diff --git a/meta-security/recipes-security/redhat-security/files/find-chroot.sh b/meta-security/recipes-security/redhat-security/files/find-chroot.sh new file mode 100644 index 000000000..adce7fc8e --- /dev/null +++ b/meta-security/recipes-security/redhat-security/files/find-chroot.sh @@ -0,0 +1,93 @@ +#!/bin/sh +# +# find-chroot utility +# Copyright (c) 2011 Steve Grubb. ALL RIGHTS RESERVED. +# sgrubb@redhat.com +# +# This software may be freely redistributed under the terms of the GNU +# public license. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +# +# This program looks for apps that use chroot(2) without using chdir(2) +# +# To save to file: ./find-chroot | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | tee findings.txt + +libdirs="/lib /lib64 /usr/lib /usr/lib64" +progdirs="/bin /sbin /usr/bin /usr/sbin /usr/libexec" +FOUND=0 + +# First param is which list to use, second is search pattern +scan () { +if [ "$1" = "1" ] ; then + dirs=$libdirs +elif [ "$1" = "2" ] ; then + dirs=$progdirs +elif [ "$1" = "3" ] ; then + dirs=$3 +fi + +for d in $dirs ; do + if [ ! -d $d ] ; then + continue + fi + files=`/usr/bin/find $d -name "$2" -type f 2>/dev/null` + for f in $files + do + syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' chroot@.*GLIBC'` + if [ x"$syms" != "x" ] ; then + syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' chdir@.*GLIBC'` + if [ x"$syms" = "x" ] ; then + if [ $FOUND = 0 ] ; then + printf "%-44s%s\n" "FILE" " PACKAGE" + FOUND=1 + fi + # Red + printf "\033[31m%-44s\033[m" $f + #rpm -qf --queryformat "%{NAME}-%{VERSION}" $f + rpm -qf --queryformat " %{SOURCERPM}" $f + echo + else + # One last test to see if chdir is within 3 + # lines of chroot + syms=`objdump -d $f | egrep callq | egrep 'chroot@plt' -A2 | egrep 'chroot|chdir'` + if [ x"$syms" = "x" ] ; then + syms=`echo $f | egrep -v 'libc-2|libc.so'` + if [ x"$syms" != "x" ] ; then + if [ $FOUND = 0 ] ; then + printf "%-44s%s\n" "FILE" "PACKAGE" + FOUND=1 + fi + printf "\033[31m%-44s\033[m" $f + rpm -qf --queryformat " %{SOURCERPM}" $f + echo + fi + fi + fi + fi + done +done +} + +if [ $# -eq 1 ] ; then + if [ -d $1 ] ; then + scan 3 '*' $1 + else + echo "Input is not a directory" + exit 1 + fi +else + scan 2 '*' + scan 1 '*.so' +fi + +if [ $FOUND -eq 0 ] ; then + # Nothing to report, just exit + echo "No problems found" 1>&2 + exit 0 +fi +exit 1 + + diff --git a/meta-security/recipes-security/redhat-security/files/find-elf4tmp.sh b/meta-security/recipes-security/redhat-security/files/find-elf4tmp.sh new file mode 100644 index 000000000..3118a70ec --- /dev/null +++ b/meta-security/recipes-security/redhat-security/files/find-elf4tmp.sh @@ -0,0 +1,84 @@ +#!/bin/sh +# find_elf4tmp utility +# Copyright (c) 2010-12 Steve Grubb. ALL RIGHTS RESERVED. +# sgrubb@redhat.com +# +# This software may be freely redistributed under the terms of the GNU +# public license. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + +# This script will search a directory and its subdirectories for all elf +# executables. It will then search for the use of the tmp directory. If it finds +# this is true, it will then check to see if XXX is being used which would +# indicate that the path is going to be randomized. + +if [ $# -ge 2 ] ; then + echo "Usage: find_elf4tmp [directory]" 1>&2 + exit 1 +fi +if [ ! -x /usr/bin/strings ] ; then + echo "Skipping due to missing /usr/bin/eu-strings utility" + exit 1 +fi +if [ -h /bin ] ; then + DIRS="/usr/bin /usr/sbin /usr/libexec /usr/kerberos /usr/games /usr/lib /usr/lib64 /usr/local" +else + DIRS="/bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/kerberos /usr/games /lib /lib64 /usr/lib /usr/lib64 /usr/local" +fi +if [ $# -eq 1 ] ; then + if [ -d "$1" ] ; then + DIRS="$1" + else + echo "Option passed in was not a directory" 1>&2 + exit 1 + fi +fi + +FOUND=0 +for d in $DIRS +do + if [ ! -d $d ] ; then + continue + fi +# echo "Scanning files in $d..." + for f in `/usr/bin/find $d -type f 2>/dev/null` + do + # Get just the elf executables + testf=`echo $f | /usr/bin/file -n -f - 2>/dev/null | grep ELF` + if [ x"$testf" != "x" ] ; then + test_res=`/usr/bin/strings $f | /bin/grep '/tmp/' | /bin/egrep -v 'XX|/tmp/$|[ .,:]/tmp/'` + if [ x"$test_res" = "x" ] ; then + continue + fi + + # Do further examination... + syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' mkstemp@.*GLIBC| tempnam@.*GLIBC| tmpfile@.*GLIBC'` + if [ x"$syms" != "x" ] ; then + continue + fi + + # Well its a bad one...out with it + FOUND=1 + + # Get the package + RPM=`/bin/rpm -qf --queryformat "%{NAME}-%{VERSION}" $f 2>/dev/null | /bin/grep -v 'not owned' | /usr/bin/sort | /usr/bin/uniq` + if [ x"$RPM" = "x" ] ; then + RPM="<unowned>" + fi + + # For each tmp string, output the line + echo $test_res | /usr/bin/tr '\b' '\n' | /usr/bin/awk 'NF >= 1 { printf "%-46s\t%-30s\t%s\n", f, r, $1 }' r=$RPM f=$f + fi + done +done +if [ $FOUND -eq 0 ] ; then + # Nothing to report, just exit + echo "No problems found" 1>&2 + exit 0 +fi +exit 1 + + diff --git a/meta-security/recipes-security/redhat-security/files/find-execstack.sh b/meta-security/recipes-security/redhat-security/files/find-execstack.sh new file mode 100644 index 000000000..85f16de6d --- /dev/null +++ b/meta-security/recipes-security/redhat-security/files/find-execstack.sh @@ -0,0 +1,72 @@ +#!/bin/sh +# +# find-execstack utility +# Copyright (c) 2007 Steve Grubb. ALL RIGHTS RESERVED. +# sgrubb@redhat.com +# +# This software may be freely redistributed under the terms of the GNU +# public license. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +# +# This program looks for executable stacks +# + +libdirs="/lib /lib64 /usr/lib /usr/lib64" +progdirs="/bin /sbin /usr/bin /usr/sbin /usr/libexec" +FOUND=0 + +# First param is which list to use, second is search pattern +scan () { +if [ "$1" = "1" ] ; then + dirs=$libdirs +elif [ "$1" = "2" ] ; then + dirs=$progdirs +fi + +for d in $dirs ; do + if [ ! -d $d ] ; then + continue + fi + files=`/usr/bin/find $d -name "$2" -type f 2>/dev/null` + for f in $files + do + FOUND_ONE=0 + stacks=`/usr/bin/eu-readelf -l $f 2>/dev/null | grep STACK` + if [ x"$stacks" != "x" ] ; then + perms=`echo $stacks | /bin/awk '{ print $7 }'` + if [ x"$perms" != x -a "$perms" != "RW" ] ; then + FOUND_ONE=1 + fi + fi + old_stacks=`echo $stacks | /bin/grep -v GNU_STACK` + if [ x"$old_stacks" != "x" ] ; then + FOUND_ONE=1 + fi + heaps=`/usr/bin/eu-readelf -l $f 2>/dev/null | grep GNU_HEAP` + if [ x"$heaps" != "x" ] ; then + FOUND_ONE=1 + fi + if [ $FOUND_ONE = 1 ] ; then + printf "%-42s" $f + rpm -qf --queryformat "%{SOURCERPM}" $f + echo + FOUND=1 + fi + done +done +} + +scan 1 '*.so' +scan 2 '*' + +if [ $FOUND -eq 0 ] ; then + # Nothing to report, just exit + echo "No problems found" 1>&2 + exit 0 +fi +exit 1 + + diff --git a/meta-security/recipes-security/redhat-security/files/find-hidden-exec.sh b/meta-security/recipes-security/redhat-security/files/find-hidden-exec.sh new file mode 100644 index 000000000..f799fca8f --- /dev/null +++ b/meta-security/recipes-security/redhat-security/files/find-hidden-exec.sh @@ -0,0 +1,21 @@ +#!/bin/sh +# +# +# This software may be freely redistributed under the terms of the GNU +# public license. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +# +# This program looks for hidden executables + +find / -name '.*' -type f -perm /00111 2>/dev/null + +# Also need to find hidden dirs and see if anything below it is hidden +hidden_dirs=`find / -name '.*' -type d 2>/dev/null` +for d in $hidden_dirs +do + find $d -name '.*' -type f -perm /00111 2>/dev/null +done + diff --git a/meta-security/recipes-security/redhat-security/files/find-nodrop-groups.sh b/meta-security/recipes-security/redhat-security/files/find-nodrop-groups.sh new file mode 100644 index 000000000..249eacd2f --- /dev/null +++ b/meta-security/recipes-security/redhat-security/files/find-nodrop-groups.sh @@ -0,0 +1,85 @@ +#!/bin/sh +# +# find-nodrop-groups utility +# Copyright (c) 2011 Steve Grubb. ALL RIGHTS RESERVED. +# sgrubb@redhat.com +# +# This software may be freely redistributed under the terms of the GNU +# public license. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +# +# This program looks for apps that use setgid(2) without using initgroups(3) +# or setgroups(2). +# +# To save to file: ./find-nodrop-groups | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | tee findings.txt + +libdirs="/lib /lib64 /usr/lib /usr/lib64" +progdirs="/bin /sbin /usr/bin /usr/sbin /usr/libexec" +FOUND=0 + +# First param is which list to use, second is search pattern +scan () { +if [ "$1" = "1" ] ; then + dirs=$libdirs +elif [ "$1" = "2" ] ; then + dirs=$progdirs +elif [ "$1" = "3" ] ; then + dirs=$3 +fi + +for d in $dirs ; do + if [ ! -d $d ] ; then + continue + fi + files=`/usr/bin/find $d -name "$2" -type f 2>/dev/null` + for f in $files + do + syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setgid@.*GLIBC| setegid@.*GLIBC| setresgid@.*GLIBC'` + if [ x"$syms" != "x" ] ; then + syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setuid@.*GLIBC| seteuid@.*GLIBC| setresuid@.*GLIBC'` + if [ x"$syms" != "x" ] ; then + syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setgroups@.*GLIBC| initgroups@.*GLIBC'` + if [ x"$syms" = "x" ] ; then + if [ $FOUND = 0 ] ; then + printf "%-44s%s\n" "FILE" "PACKAGE" + fi + syms=`find $f \( -perm -004000 -o -perm -002000 \) -type f -print` + if [ x"$syms" = "x" ] ; then + printf "\033[31m%-44s\033[m" $f + rpm -qf --queryformat "%{SOURCERPM}" $f + echo + FOUND=1 +# else +# printf "\033[33m%-44s\033[m" $f + fi + #rpm -qf --queryformat "%{NAME}-%{VERSION}" $f + fi + fi + fi + done +done +} + +if [ $# -eq 1 ] ; then + if [ -d $1 ] ; then + scan 3 '*' $1 + else + echo "Input is not a directory" + exit 1 + fi +else + scan 1 '*.so' + scan 2 '*' +fi + +if [ $FOUND -eq 0 ] ; then + # Nothing to report, just exit + echo "No problems found" 1>&2 + exit 0 +fi +exit 1 + + diff --git a/meta-security/recipes-security/redhat-security/files/find-sh4errors.sh b/meta-security/recipes-security/redhat-security/files/find-sh4errors.sh new file mode 100644 index 000000000..0054a6a75 --- /dev/null +++ b/meta-security/recipes-security/redhat-security/files/find-sh4errors.sh @@ -0,0 +1,132 @@ +#!/bin/sh +# find_sh4errors utility +# Copyright (c) 2004 Steve Grubb. ALL RIGHTS RESERVED. +# sgrubb@redhat.com +# +# This software may be freely redistributed under the terms of the GNU +# public license. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + +# This script will search a directory and its subdirectories for every shell +# script. It then runs sh -n to see if bash can determine if there are obvious +# parsing errors. It does have a bug in that bash -n does not take into +# account someone may program an unconditional exit and then include man page +# generation information. It also fails to notice the exec command. When you +# run across files that do either of the above, add it to the KNOWN_BAD list. + +if [ $# -ge 2 ] ; then + echo "Usage: find_sh4errors [directory]" 1>&2 + exit 1 +fi +INTERPRETERS="wish wishx tclsh guile rep itkwish expect /etc/kde/kdm/Xsession /etc/X11/xdm/Xsession /usr/bin/festival perl hfssh" +SKIP_DIRS="/opt /home /root" +KNOWN_BAD="/usr/bin/kde-build /usr/bin/cvsversion samples/copifuncs/copi.sendifm1 bashdb bash_completion_test" +DIR="/" +if [ $# -eq 1 ] ; then + if [ -d "$1" ] ; then + DIR="$1" + else + echo "Option passed in was not a directory" 1>&2 + exit 1 + fi +fi +tempfile=`mktemp /tmp/sh4.XXXXXX` +tempfile2=`mktemp /tmp/sh4.XXXXXX` +if [ -z "$tempfile" -o -z "$tempfile2" ] ; then + echo ; echo "Unable to create tempfiles...aborting." 1>&2 ; echo + exit 1 +fi +trap "rm -f $tempfile; rm -f $tempfile2; exit 2" 1 2 3 5 15 + +# Get executable files +#echo "Locating executables..." +/usr/bin/find $DIR -type f -perm /0111 -print >> $tempfile 2>/dev/null +FOUND=0 +#echo "Refining list to shell scripts..." +while read f +do + # Get just the shell scripts + testf=`echo $f | /usr/bin/file -n -f - | egrep 'ourne|POSIX shell'` + if [ x"$testf" != x ] ; then + echo $f >> $tempfile2 + FOUND=1 + fi +done < $tempfile +/bin/rm -f $tempfile +if [ $FOUND -eq 0 ] ; then + # Nothing to report, just exit +# echo "Examining shell scripts in $DIR" +# echo "No problems found" + /bin/rm -f $tempfile2 + exit 0 +fi +#echo "Examining shell scripts in $DIR" +FOUND=0 +while read i +do + # First see if the script calls an interpreter + SKIP=0 + for lang in $INTERPRETERS + do + if `/bin/cat "$i" 2>/dev/null | \ + grep "exec[ \t].*$lang" >/dev/null` ; then + SKIP=1 + break + fi + done + + if [ $SKIP -eq 1 ] ; then + continue + fi + + # See if this is in a dir we want to ignore + for d in $SKIP_DIRS + do + if `echo "$i" | /bin/grep "^\$d" >/dev/null`; then + SKIP=1 + break + fi + done + + if [ $SKIP -eq 1 ] ; then + continue + fi + + # Don't do the known naughty files + for bad in $KNOWN_BAD + do + if `echo "$i" | /bin/grep "$bad" >/dev/null`; then + SKIP=1 + break + fi + done + + if [ $SKIP -eq 1 ] ; then + continue + fi + + # Now examine them for correctness + interp=`/usr/bin/head -n 1 "$i" | /bin/awk '{ print $1 }' | \ + /usr/bin/tr -d '#!'` + if [ x"$interp" = "x" -o ! -x "$interp" ] ; then + interp="/bin/sh" + fi + $interp -n "$i" 2>/dev/null + if [ $? -ne 0 ] ; then + printf "%-44s" "$i" + rpm -qf --queryformat "%{NAME}-%{VERSION}" $i + echo + FOUND=1 + fi +done < $tempfile2 +/bin/rm -f $tempfile2 +if [ $FOUND -eq 0 ] ; then + # Nothing to report, just exit +# echo "No problems found" + exit 0 +fi +exit 1 + diff --git a/meta-security/recipes-security/redhat-security/files/find-sh4tmp.sh b/meta-security/recipes-security/redhat-security/files/find-sh4tmp.sh new file mode 100644 index 000000000..7fd1af715 --- /dev/null +++ b/meta-security/recipes-security/redhat-security/files/find-sh4tmp.sh @@ -0,0 +1,116 @@ +#!/bin/sh +# find_sh4tmp utility +# Copyright (c) 2005 Steve Grubb. ALL RIGHTS RESERVED. +# sgrubb@redhat.com +# +# This software may be freely redistributed under the terms of the GNU +# public license. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + +# This script will search a directory and its subdirectories for all shell +# scripts. It will then search for the use of the tmp directory. If it finds +# this is true, it will then try to determine if mktemp or something +# reasonable was used and exclude it. It has a bug in that it does not handle +# rm -f /tmp/ or mkdir /tmp/ correctly. If you run across files that do that, +# add them to the KNOWN_BAD list to ignore them. + +if [ $# -ge 2 ] ; then + echo "Usage: find_sh4tmp [directory]" 1>&2 + exit 1 +fi +INTERPRETERS="wish wishx tclsh guile rep itkwish expect /etc/kde/kdm/Xsession /etc/X11/xdm/Xsession /usr/bin/festival perl hfssh" +SKIP_DIRS="/opt /home /root /mnt /media /dev /proc /selinux /sys /usr/share/doc" +KNOWN_BAD="kopete_latexconvert.sh cvs2dist fixfiles mysqlbug build/scripts/package/mkspec py-compile rc.sysinit init.d/xfs diff-jars grub-install mailshar vncserver Xsession sysreport cross-build vpkg rcs-to-cvs debug_check_log cvs2vendor tmpwatch ps2epsi mkdumprd xdg-open xdg-mime xdg-email gzexe" +DIR="/" +if [ $# -eq 1 ] ; then + if [ -d "$1" ] ; then + DIR="$1" + else + echo "Option passed in was not a directory" 1>&2 + exit 1 + fi +fi +tempfile=`mktemp /tmp/sh4.XXXXXX` +tempfile2=`mktemp /tmp/sh4.XXXXXX` +if [ -z "$tempfile" -o -z "$tempfile2" ] ; then + echo ; echo "Unable to create tempfiles...aborting." 1>&2 ; echo + exit 1 +fi +trap "rm -f $tempfile; rm -f $tempfile2; exit 2" 1 2 3 5 15 + +# Get executable files +#echo "Scanning shell scripts in $DIR..." +find $DIR -type f -perm /0111 -print >> $tempfile 2>/dev/null +FOUND=0 +while read f +do + # Get just the shell scripts + testf=`echo $f | file -n -f - | egrep 'ourne|POSIX shell'` + if [ x"$testf" != x ] ; then +# FIXME: need to do something to get rid of echo, rm, or mkdir "/tmp/" + test_res=`cat $f 2>/dev/null | grep '\/tmp\/' | grep -v 'mktemp' | grep -v '^#'` + if [ x"$test_res" = x ] ; then + continue + fi + + # Do further examination... + # First see if the script calls an interpreter + SKIP=0 + for lang in $INTERPRETERS + do + if `cat "$f" | grep "exec[ \t].*$lang" >/dev/null` ; then + SKIP=1 + break + fi + done + + if [ $SKIP -eq 1 ] ; then + continue + fi + + # See if this is in a dir we want to ignore + for d in $SKIP_DIRS + do + if `echo "$f" | grep "^\$d" >/dev/null`; then + SKIP=1 + break + fi + done + + if [ $SKIP -eq 1 ] ; then + continue + fi + + # Don't do the known naughty files + for bad in $KNOWN_BAD + do + if `echo "$f" | grep "$bad" >/dev/null`; then + SKIP=1 + break + fi + done + + if [ $SKIP -eq 1 ] ; then + continue + fi + + # Well its a bad one...out with it + printf "%-44s" $f + rpm -qf --queryformat "%{NAME}-%{VERSION}" $f + echo + FOUND=1 + fi +done < $tempfile +rm -f $tempfile +if [ $FOUND -eq 0 ] ; then + # Nothing to report, just exit +# echo "No problems found" + rm -f $tempfile2 + exit 0 +fi +exit 1 + + diff --git a/meta-security/recipes-security/redhat-security/files/lib-bin-check.sh b/meta-security/recipes-security/redhat-security/files/lib-bin-check.sh new file mode 100644 index 000000000..1e2d930b4 --- /dev/null +++ b/meta-security/recipes-security/redhat-security/files/lib-bin-check.sh @@ -0,0 +1,31 @@ +#!/bin/sh + +# This software may be freely redistributed under the terms of the GNU +# public license. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + +found=0 +list=`rpm -qa --queryformat "%{NAME}-%{VERSION}.%{ARCH}\n" | grep '^lib' | egrep -v '\-utils\-|\-bin\-|\-tools\-|\-client\-|libreoffice|\-plugin\-'` +for p in $list +do + bin=`rpm -ql $p | egrep '^/bin|^/sbin|^/usr/bin|^/usr/sbin' | grep -v '\-config'` + if [ "x$bin" != "x" ]; then + testf=`echo $bin | /usr/bin/file -n -f - 2>/dev/null | grep ELF` + if [ x"$testf" != "x" ] ; then + found=1 + echo "$p could be split into a utils package" + fi + fi +done + +if [ $found = 0 ]; then + echo "No problems found" + exit 0 +fi + +exit 1 + + diff --git a/meta-security/recipes-security/redhat-security/files/rpm-chksec.sh b/meta-security/recipes-security/redhat-security/files/rpm-chksec.sh new file mode 100644 index 000000000..a0e8bb1a5 --- /dev/null +++ b/meta-security/recipes-security/redhat-security/files/rpm-chksec.sh @@ -0,0 +1,279 @@ +#!/bin/sh +# rpm-chksec +# +# Copyright (c) 2011-2013 Steve Grubb. ALL RIGHTS RESERVED. +# sgrubb@redhat.com +# +# This software may be freely redistributed under the terms of the GNU +# public license. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +# +# Given an rpm, it will look at each file to check that its compiled with +# the intended flags to make it more secure. Things that are green are OK. +# Anything in yellow could be better but is passable. Anything in red needs +# attention. +# +# If the --all option is given, it will generate a list of rpms and then +# summarize the rpm's state. For yes, then all files are in the expected +# state. Just one file not compiled with the right flags can turn the +# answer to no. Re-run passing that package (instead of --all) for the details. +# +# To save to file: ./rpm-chksec | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | tee output.txt + +VERSION="0.5.2" + +usage () { + echo "rpm-chksec [--version|--all|<rpmname>...]" + if [ ! -x /usr/bin/filecap ] ; then + echo "You need to install libcap-ng-utils to test capabilities" + fi + if [ $EUID != 0 ] ; then + echo "You might need to be root to read some files" + fi + exit 0 +} + +if [ "$1" = "--help" -o $# -eq 0 ] ; then + usage +fi +if [ "$1" = "--version" ] ; then + echo "rpm-chksec $VERSION" + exit 0 +fi +if [ "$1" = "--all" ] ; then + MODE="all" +else + MODE="single" +fi + +do_one () { +if ! rpm -q $1 >/dev/null 2>&1 ; then + if [ "$MODE" = "single" ] ; then + echo "$1 is not installed" + exit 1 + else + echo "not installed" + return + fi +fi +files=`rpm -ql $1` + +# Look for daemons, need this for later... +DAEMON="" +for f in $files +do + if [ ! -f "$f" ] ; then + continue + fi + if [ `echo "$f" | grep '\/etc\/rc.d\/init.d'` ] ; then + n=`basename "$f"` + t=`which "$n" 2>/dev/null` + if [ x"$t" != "x" ] ; then + DAEMON="$DAEMON $t" + continue + fi + t=`which "$n"d 2>/dev/null` + if [ x"$t" != "x" ] ; then + DAEMON="$DAEMON $t" + continue + fi + t=`cat "$f" 2>/dev/null | grep 'bin' | grep 'exit 5' | grep -v '\$'` + if [ x"$t" != "x" ] ; then + DAEMON="$DAEMON $t" + continue + fi + if [ "$MODE" = "single" ] ; then + echo "Can't find the executable in $f but daemon rules would apply" + fi + elif [ `echo "$f" | grep '\/lib\/systemd\/'` ] ; then + t=`cat "$f" | grep -i '^ExecStart=' | tr '=' ' ' | awk '{ print $2 }'` + if [ x"$t" != "x" ] ; then + DAEMON="$DAEMON $t" + continue + fi + fi +done + +# Prevent garbled output when doing --all. +skip_current=0 + +for f in $files +do + if [ ! -f "$f" ] ; then + continue + fi + # Some packages have files with ~ in them. This avoids it. + if ! echo "$f" | grep '^/' >/dev/null ; then + continue + fi + if [ ! -r "$f" ] && [ $EUID != 0 ] ; then + if [ $MODE = "single" ] ; then + echo "Please re-test $f as the root user" + else + # Don't print results. + skip_current=1 + echo "Please re-test $1 as the root user" + fi + continue + fi + if ! file "$f" | grep -qw 'ELF'; then + continue + fi + RELRO="no" + if readelf -l "$f" 2>/dev/null | grep -q 'GNU_RELRO'; then + RELRO="partial" + fi + if readelf -d "$f" 2>/dev/null | grep -q 'BIND_NOW'; then + RELRO="full" + fi + PIE="no" + if readelf -h "$f" 2>/dev/null | grep -q 'Type:[[:space:]]*DYN'; then + PIE="DSO" + if readelf -d "$f" 2>/dev/null | grep -q '(DEBUG)'; then + PIE="yes" + fi + fi + APP="" + if [ x"$DAEMON" != "x" ] ; then + for d in $DAEMON + do + if [ "$f" = "$d" ] ; then + APP="daemon" + break + fi + done + fi + if [ x"$APP" = "x" ] ; then + # See if this is a library or a setuid app + if [ `echo "$f" | grep '\/lib' | grep '\.so'` ] ; then + APP="library" + elif [ `find "$f" -perm -004000 -type f -print` ] ; then + APP="setuid" + elif [ `find "$f" -perm -002000 -type f -print` ] ; then + APP="setgid" + elif [ -x /usr/bin/filecap ] && [ `filecap "$f" 2> /dev/null | wc -w` -gt 0 ] ; then + APP="setcap" + else + syms1=`/usr/bin/readelf -s "$f" 2>/dev/null | egrep ' connect@.*GLIBC| listen@.*GLIBC| accept@.*GLIBC|accept4@.*GLIBC'` + syms2=`/usr/bin/readelf -s "$f" 2>/dev/null | egrep ' getaddrinfo@.*GLIBC| getnameinfo@.*GLIBC| getservent@.*GLIBC| getservbyname@.*GLIBC| getservbyport@.*GLIBC|gethostbyname@.*GLIBC| gethostbyname2@.*GLIBC| gethostbyaddr@.*GLIBC| gethostbyaddr2@.*GLIBC'` + if [ x"$syms1" != "x" ] ; then + if [ x"$syms2" != "x" ] ; then + APP="network-ip" + else + APP="network-local" + fi + fi + fi + fi + if [ x"$APP" = "x" ] ; then + APP="exec" + fi + + # OK, ready for the output + if [ "$MODE" = "single" ] ; then + printf "%-56s %-10s " "$f" $APP + if [ "$APP" = "daemon" -o "$APP" = "setuid" -o "$APP" = "setgid" -o "$APP" = "setcap" -o "$APP" = "network-ip" -o "$APP" = "network-local" ] ; then + if [ "$RELRO" = "full" ] ; then + printf "\033[32m%-7s\033[m " $RELRO + elif [ "$RELRO" = "partial" ] ; then + printf "\033[33m%-7s\033[m " $RELRO + else + printf "\033[31m%-7s\033[m " $RELRO + fi + if [ "$PIE" = "yes" ] ; then + printf "\033[32m%-4s\033[m" $PIE + else + printf "\033[31m%-4s\033[m" $PIE + fi + elif [ "$APP" = "library" ] ; then + if [ "$RELRO" = "full" -o "$RELRO" = "partial" ] ; then + printf "\033[32m%-7s\033[m " $RELRO + else + printf "\033[31m%-7s\033[m " $RELRO + fi + printf "\033[32m%-4s\033[m" $PIE + else + # $APP = exec - we want partial relro + if [ "$RELRO" = "no" ] ; then + printf "\033[31m%-7s\033[m " $RELRO + else + printf "\033[32m%-7s\033[m " $RELRO + fi + printf "\033[32m%-4s\033[m" $PIE + fi + echo + else + if [ "$APP" = "daemon" -o "$APP" = "setuid" -o "$APP" = "setgid" -o "$APP" = "setcap" -o "$APP" = "network-ip" -o "$APP" = "network-local" ] ; then + if [ "$RELRO" = "no" ] ; then + RELRO_SUM="no" + APP_SUM="$APP" + fi + if [ "$PIE" = "no" ] ; then + PIE_SUM="no" + APP_SUM="$APP" + fi + elif [ "$APP" = "library" ] ; then + if [ "$RELRO" = "no" ] ; then + RELRO_SUM="no" + APP_SUM="$APP" + fi + # $APP = exec - must have partial or full relro + elif [ "$RELRO" = "no" ] ; then + RELRO_SUM="no" + APP_SUM="$APP" + fi + fi +done +} + +if [ "$MODE" = "single" ] ; then + printf "%-56s %-10s %-7s %-4s" "FILE" "TYPE" "RELRO" "PIE" + echo + for i; do + f=$(basename $1) + # Strip the .rpm extension, if present. + do_one ${f%%.rpm} + shift + done + exit 0 +fi + +# Skip the kernel as its special +packages=`rpm -qa | egrep -v 'kernel.|debuginfo.|.noarch|gpg-pubkey' | sort` +printf "%-50s %-5s %-4s %-14s" "PACKAGE" "RELRO" "PIE" "CLASS" +echo +for p in $packages +do + RELRO_SUM="yes" + PIE_SUM="yes" + APP_SUM="" + printf "%-50s " $p + do_one $p + if [[ $skip_current -eq 1 ]] ; then + continue + fi + if [ "$RELRO_SUM" = "yes" ] ; then + printf "\033[32m%-5s\033[m " "$RELRO_SUM" + else + printf "\033[31m%-5s\033[m " "$RELRO_SUM" + fi + if [ "$PIE_SUM" = "yes" ] ; then + printf "\033[32m%-4s\033[m" "$PIE_SUM" + if [ "$RELRO_SUM" = "no" ] ; then + printf " %-14s" "$APP_SUM" + fi + else + if [ "$APP_SUM" = "network-local" ] ; then + printf "\033[33m%-4s\033[m %-14s" "$PIE_SUM" "$APP_SUM" + else + printf "\033[31m%-4s\033[m %-14s" "$PIE_SUM" "$APP_SUM" + fi + fi + echo +done +exit 0 + + diff --git a/meta-security/recipes-security/redhat-security/files/rpm-drop-groups.sh b/meta-security/recipes-security/redhat-security/files/rpm-drop-groups.sh new file mode 100644 index 000000000..8c757834b --- /dev/null +++ b/meta-security/recipes-security/redhat-security/files/rpm-drop-groups.sh @@ -0,0 +1,131 @@ +#!/bin/sh +# rpm-drop-groups +# +# Copyright (c) 2011 Steve Grubb. ALL RIGHTS RESERVED. +# sgrubb@redhat.com +# +# This software may be freely redistributed under the terms of the GNU +# public license. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +# +# Given an rpm, it will look at each file to check if it tries to change +# group and user credentials. If so, it further tries to determine if +# it also calls setgroups or initgroups. To correctly change groups, the +# program must drop supplemntal groups. Programs are classified into: n/a +# meaning no group dropping occurs, yes its done correctly, and no meaning +# there seems to be a problem. +# +# If the --all option is given, it will generate a list of rpms and then +# summarize the rpm's state. For yes, then all files are in the expected +# state. Just one program failing can turn the package's summary to no. +# Re-run passing that package (instead of --all) for the details. +# +# To save to file: ./rpm-drop-groups | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | tee output.txt + +VERSION="0.1" + +usage () { + echo "rpm-drop-groups [--all|<rpmname>|--version]" + exit 0 +} + +if [ "$1" = "--help" -o $# -eq 0 ] ; then + usage +fi +if [ "$1" = "--version" ] ; then + echo "rpm-drop-groups $VERSION" + exit 0 +fi +if [ "$1" = "--all" ] ; then + MODE="all" +else + MODE="single" +fi + +do_one () { +if ! rpm -q $1 >/dev/null 2>&1 ; then + if [ "$MODE" = "single" ] ; then + echo "$1 is not installed" + exit 1 + else + echo "not installed" + return + fi +fi +files=`rpm -ql $1` + +for f in $files +do + if [ ! -f $f ] ; then + continue + fi + if ! file $f | grep -q 'ELF'; then + continue + fi + + CORRECT="n/a" + syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setgid@.*GLIBC| setegid@.*GLIBC| setresgid@.*GLIBC'` + if [ x"$syms" != "x" ] ; then + CORRECT="yes" + syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setuid@.*GLIBC| seteuid@.*GLIBC| setresuid@.*GLIBC'` + if [ x"$syms" != "x" ] ; then + syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setgroups@.*GLIBC| initgroups@.*GLIBC'` + if [ x"$syms" = "x" ] ; then + syms=`find $f \( -perm -004000 -o -perm -002000 \) -type f -print` + if [ x"$syms" = "x" ] ; then + CORRECT="no" + fi + fi + fi + fi + + # OK, ready for the output + if [ "$MODE" = "single" ] ; then + printf "%-60s " $f + if [ "$CORRECT" = "yes" ] ; then + printf "\033[32m%-7s\033[m " $CORRECT + elif [ "$CORRECT" = "no" ] ; then + printf "\033[31m%-7s\033[m " $CORRECT + else + printf "\033[33m%-7s\033[m " $CORRECT + fi + echo + else + if [ "$CORRECT" = "no" ] ; then + CORRECT_SUM="no" + fi + fi +done +} + +if [ "$MODE" = "single" ] ; then + printf "%-60s%-7s" "FILE" "CORRECT" + echo + for i; do + do_one $1 + shift + done + exit 0 +fi + +packages=`rpm -qa --queryformat "%{NAME}.%{ARCH}\n" | sort` +printf "%-50s %-7s" "PACKAGE" "CORRECT" +echo +for p in $packages +do + CORRECT_SUM="yes" + printf "%-50s " $p + do_one $p + if [ "$CORRECT_SUM" = "yes" ] ; then + printf "\033[32m%-7s\033[m " $CORRECT_SUM + else + printf "\033[31m%-7s\033[m " $CORRECT_SUM + fi + echo +done +exit 0 + + diff --git a/meta-security/recipes-security/redhat-security/files/selinux-check-devices.sh b/meta-security/recipes-security/redhat-security/files/selinux-check-devices.sh new file mode 100644 index 000000000..ef996d787 --- /dev/null +++ b/meta-security/recipes-security/redhat-security/files/selinux-check-devices.sh @@ -0,0 +1,12 @@ +#!/bin/sh + +# This software may be freely redistributed under the terms of the GNU +# public license. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + +find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n" + + diff --git a/meta-security/recipes-security/redhat-security/files/selinux-ls-unconfined.sh b/meta-security/recipes-security/redhat-security/files/selinux-ls-unconfined.sh new file mode 100644 index 000000000..68684133c --- /dev/null +++ b/meta-security/recipes-security/redhat-security/files/selinux-ls-unconfined.sh @@ -0,0 +1,19 @@ +#!/bin/sh + +# This software may be freely redistributed under the terms of the GNU +# public license. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + +# This checks for unconfined apps running, initrc and inetd are signs +# of missing transitions. + +pidof xinetd >/dev/null +if [ $? -eq 0 ] ; then +ps -eZ | egrep "initrc|inetd" | egrep -v `pidof xinetd` | tr ':' ' ' | awk '{ printf "%s %s\n", $3, $NF }' +else +ps -eZ | egrep "initrc" | tr ':' ' ' | awk '{ printf "%s %s\n", $3, $NF }' +fi + diff --git a/meta-security/recipes-security/redhat-security/redhat-security_1.0.bb b/meta-security/recipes-security/redhat-security/redhat-security_1.0.bb new file mode 100644 index 000000000..56f734cb3 --- /dev/null +++ b/meta-security/recipes-security/redhat-security/redhat-security_1.0.bb @@ -0,0 +1,40 @@ +SUMMARY = "redhat security tools" +DESCRIPTION = "Tools used by redhat linux distribution for security checks" +SECTION = "security" +LICENSE = "GPLv2" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6" + +SRC_URI = "file://find-chroot-py.sh \ + file://find-chroot.sh \ + file://find-elf4tmp.sh \ + file://find-execstack.sh \ + file://find-hidden-exec.sh \ + file://find-nodrop-groups.sh \ + file://find-sh4errors.sh \ + file://find-sh4tmp.sh \ + file://lib-bin-check.sh \ + file://rpm-chksec.sh \ + file://rpm-drop-groups.sh \ + file://selinux-check-devices.sh \ + file://selinux-ls-unconfined.sh" + +S = "${WORKDIR}" + +do_install() { + install -d ${D}${bindir} + install -m 0755 ${WORKDIR}/find-chroot-py.sh ${D}${bindir} + install -m 0755 ${WORKDIR}/find-chroot.sh ${D}${bindir} + install -m 0755 ${WORKDIR}/find-elf4tmp.sh ${D}${bindir} + install -m 0755 ${WORKDIR}/find-execstack.sh ${D}${bindir} + install -m 0755 ${WORKDIR}/find-hidden-exec.sh ${D}${bindir} + install -m 0755 ${WORKDIR}/find-nodrop-groups.sh ${D}${bindir} + install -m 0755 ${WORKDIR}/find-sh4errors.sh ${D}${bindir} + install -m 0755 ${WORKDIR}/find-sh4tmp.sh ${D}${bindir} + install -m 0755 ${WORKDIR}/lib-bin-check.sh ${D}${bindir} + install -m 0755 ${WORKDIR}/rpm-chksec.sh ${D}${bindir} + install -m 0755 ${WORKDIR}/rpm-drop-groups.sh ${D}${bindir} + install -m 0755 ${WORKDIR}/selinux-check-devices.sh ${D}${bindir} + install -m 0755 ${WORKDIR}/selinux-ls-unconfined.sh ${D}${bindir} +} + +RDEPENDS_${PN} = "file libcap-ng procps findutils" |