author | Andrei Dinu <andrei.adrianx.dinu@intel.com> | 2013-06-17 17:24:38 +0300 |
committer | Andrei Dinu <andrei.adrianx.dinu@intel.com> | 2013-06-17 17:24:38 +0300 |
commit | 60d90b25631471e8193b3069c6a520ccf7c82008 (patch) | |
tree | e413ea3904059ff52a4539aeff358518fa0ae327 /recipes-security/redhat-security | |
download | meta-security-60d90b25631471e8193b3069c6a520ccf7c82008.tar.gz |
meta-security : initial commit
Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
Diffstat (limited to 'recipes-security/redhat-security')
14 files changed, 1209 insertions, 0 deletions
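diff --git a/recipes-security/redhat-security/files/find-chroot-py.sh b/recipes-security/redhat-security/files/find-chroot-py.sh
new file mode 100644
index 0000000..9996e08
--- /dev/null
+++ b/recipes-security/redhat-security/files/find-chroot-py.sh
@@ -0,0 +1,96 @@
+#!/bin/sh
+#
+# find-chroot-py utility
+# Copyright (c) 2011 Steve Grubb. ALL RIGHTS RESERVED.
+# sgrubb@redhat.com
+#
+# This software may be freely redistributed under the terms of the GNU
+# public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+# This program looks for python apps that use chroot(2) without using chdir(2)
+#
+# To save to file: ./find-chroot | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | tee findings.txt
+
+libdirs="/lib /lib64 /usr/lib /usr/lib64"
+progdirs="/bin /sbin /usr/bin /usr/sbin /usr/libexec"
+FOUND=0
+
+# First param is which list to use, second is search pattern
+scan () {
+if [ "$1" = "1" ] ; then
+dirs=$libdirs
+elif [ "$1" = "2" ] ; then
+dirs=$progdirs
+elif [ "$1" = "3" ] ; then
+dirs=$3
+fi
+
+for d in $dirs ; do
+if [ ! -d $d ] ; then
+continue
+fi
+files=`/usr/bin/find $d -name "$2" -type f 2>/dev/null`
+for f in $files
+do
+if [ "$1" = "2" ] ; then
+testf=`/usr/bin/file $f | egrep 'ython'`
+if [ x"$testf" = "x" ] ; then
+continue
+fi
+fi
+syms=`egrep ' os.chroot' $f`
+if [ x"$syms" != "x" ] ; then
+syms=`egrep ' os.chdir' $f`
+if [ x"$syms" = "x" ] ; then
+if [ $FOUND = 0 ] ; then
+printf "%-44s%s\n" "FILE" " PACKAGE"
+FOUND=1
+fi
+# Red
+printf "\033[31m%-44s\033[m" $f
+#rpm -qf --queryformat "%{NAME}-%{VERSION}" $f
+rpm -qf --queryformat " %{SOURCERPM}" $f
+echo
+else
+# One last test to see if chdir is within 4
+# lines of chroot
+syms=`cat $f | egrep ' os.chroot' -A3 | egrep ' os.chdir'`
+if [ x"$syms" = "x" ] ; then
+if [ $FOUND = 0 ] ; then
+printf "%-44s%s\n" "FILE" " PACKAGE"
+FOUND=1
+fi
+printf "\033[31m%-44s\033[m" $f
+rpm -qf --queryformat " %{SOURCERPM}" $f
+echo
+fi
+fi
+fi
+done
+done
+}
+
+if [ $# -eq 1 ] ; then
+if [ -d $1 ] ; then
+scan 3 '*' $1
+else
+echo "Input is not a directory"
+exit 1
+fi
+else
+scan 2 '*'
+scan 1 '*.py'
+fi
+
+if [ $FOUND -eq 0 ] ; then
+# Nothing to report, just exit
+echo "No problems found" 1>&2
+exit 0
+fi
+exit 1
+
+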
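Review bot: The user-supplied directory and every path returned by find are expanded unquoted (`scan 3 '*' $1` at script line 79, `for f in $files` at line 37, `egrep ' os.chroot' $f`, `printf "\033[31m%-44s\033[m" $f`), so a path containing whitespace is split into several words and one beginning with `-` is read as an option by egrep, file and rpm; for an auditing script that walks arbitrary directories this means files are silently skipped or mis-scanned rather than reported. At minimum quote the expansions and end option parsing before the operand: `scan 3 '*' "$1"`, `egrep -- ' os.chroot' "$f"`, `printf "\033[31m%-44s\033[m" "$f"`; handling whitespace fully needs the inner loop rewritten around `find ... -exec` or a `while read -r` over find's output instead of word-splitting `$files`. The same pattern appears in find-chroot.sh, find-elf4tmp.sh, find-execstack.sh, find-hidden-exec.sh, find-nodrop-groups.sh, find-sh4tmp.sh and lib-bin-check.sh.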
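diff --git a/recipes-security/redhat-security/files/find-chroot.sh b/recipes-security/redhat-security/files/find-chroot.sh
new file mode 100644
index 0000000..adce7fc
--- /dev/null
+++ b/recipes-security/redhat-security/files/find-chroot.sh
@@ -0,0 +1,93 @@
+#!/bin/sh
+#
+# find-chroot utility
+# Copyright (c) 2011 Steve Grubb. ALL RIGHTS RESERVED.
+# sgrubb@redhat.com
+#
+# This software may be freely redistributed under the terms of the GNU
+# public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+# This program looks for apps that use chroot(2) without using chdir(2)
+#
+# To save to file: ./find-chroot | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | tee findings.txt
+
+libdirs="/lib /lib64 /usr/lib /usr/lib64"
+progdirs="/bin /sbin /usr/bin /usr/sbin /usr/libexec"
+FOUND=0
+
+# First param is which list to use, second is search pattern
+scan () {
+if [ "$1" = "1" ] ; then
+dirs=$libdirs
+elif [ "$1" = "2" ] ; then
+dirs=$progdirs
+elif [ "$1" = "3" ] ; then
+dirs=$3
+fi
+
+for d in $dirs ; do
+if [ ! -d $d ] ; then
+continue
+fi
+files=`/usr/bin/find $d -name "$2" -type f 2>/dev/null`
+for f in $files
+do
+syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' chroot@.*GLIBC'`
+if [ x"$syms" != "x" ] ; then
+syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' chdir@.*GLIBC'`
+if [ x"$syms" = "x" ] ; then
+if [ $FOUND = 0 ] ; then
+printf "%-44s%s\n" "FILE" " PACKAGE"
+FOUND=1
+fi
+# Red
+printf "\033[31m%-44s\033[m" $f
+#rpm -qf --queryformat "%{NAME}-%{VERSION}" $f
+rpm -qf --queryformat " %{SOURCERPM}" $f
+echo
+else
+# One last test to see if chdir is within 3
+# lines of chroot
+syms=`objdump -d $f | egrep callq | egrep 'chroot@plt' -A2 | egrep 'chroot|chdir'`
+if [ x"$syms" = "x" ] ; then
+syms=`echo $f | egrep -v 'libc-2|libc.so'`
+if [ x"$syms" != "x" ] ; then
+if [ $FOUND = 0 ] ; then
+printf "%-44s%s\n" "FILE" "PACKAGE"
+FOUND=1
+fi
+printf "\033[31m%-44s\033[m" $f
+rpm -qf --queryformat " %{SOURCERPM}" $f
+echo
+fi
+fi
+fi
+fi
+done
+done
+}
+
+if [ $# -eq 1 ] ; then
+if [ -d $1 ] ; then
+scan 3 '*' $1
+else
+echo "Input is not a directory"
+exit 1
+fi
+else
+scan 2 '*'
+scan 1 '*.so'
+fi
+
+if [ $FOUND -eq 0 ] ; then
+# Nothing to report, just exit
+echo "No problems found" 1>&2
+exit 0
+fi
+exit 1
+
+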
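Review bot: The "chdir within 3 lines" fallback at script line 55 filters the disassembly through `egrep callq`, an x86-64 AT&T mnemonic, so on any other target architecture (likely for a Yocto layer) and with newer binutils that print `call` rather than `callq`, that pipeline is always empty, the `x"$syms" = "x"` branch is taken, and every non-libc binary that references both chroot and chdir is reported as a finding. A filter that does not depend on the mnemonic spelling is more portable: drop the `egrep callq` stage and anchor on the PLT symbol alone, `syms=\`objdump -d $f 2>/dev/null | egrep 'chroot@plt' -A2 | egrep 'chroot|chdir'\``, accepting that non-call references to the PLT entry would then also match. The added `2>/dev/null` matters because this is the one tool call in the loop without it, and `scan 2 '*'` feeds objdump every non-ELF file under the bin directories. The header at script line 60 prints `"FILE" "PACKAGE"` while line 44 prints `"FILE" " PACKAGE"`; presumably one of them is a typo.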
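diff --git a/recipes-security/redhat-security/files/find-elf4tmp.sh b/recipes-security/redhat-security/files/find-elf4tmp.sh
new file mode 100644
index 0000000..8f39baa
--- /dev/null
+++ b/recipes-security/redhat-security/files/find-elf4tmp.sh
@@ -0,0 +1,84 @@
+#!/bin/sh
+# find_elf4tmp utility
+# Copyright (c) 2010-12 Steve Grubb. ALL RIGHTS RESERVED.
+# sgrubb@redhat.com
+#
+# This software may be freely redistributed under the terms of the GNU
+# public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+# This script will search a directory and its subdirectories for all elf
+# executables. It will then search for the use of the tmp directory. If it finds
+# this is true, it will then check to see if XXX is being used which would
+# indicate that the path is going to be randomized.
+
+if [ $# -ge 2 ] ; then
+echo "Usage: find_elf4tmp [directory]" 1>&2
+exit 1
+fi
+if [ ! -x /usr/bin/eu-strings ] ; then
+echo "Skipping due to missing /usr/bin/eu-strings utility"
+exit 1
+fi
+if [ -h /bin ] ; then
+DIRS="/usr/bin /usr/sbin /usr/libexec /usr/kerberos /usr/games /usr/lib /usr/lib64 /usr/local"
+else
+DIRS="/bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/kerberos /usr/games /lib /lib64 /usr/lib /usr/lib64 /usr/local"
+fi
+if [ $# -eq 1 ] ; then
+if [ -d "$1" ] ; then
+DIRS="$1"
+else
+echo "Option passed in was not a directory" 1>&2
+exit 1
+fi
+fi
+
+FOUND=0
+for d in $DIRS
+do
+if [ ! -d $d ] ; then
+continue
+fi
+# echo "Scanning files in $d..."
+for f in `/usr/bin/find $d -type f 2>/dev/null`
+do
+# Get just the elf executables
+testf=`echo $f | /usr/bin/file -n -f - 2>/dev/null | grep ELF`
+if [ x"$testf" != "x" ] ; then
+test_res=`/usr/bin/eu-strings $f | /bin/grep '/tmp/' | /bin/egrep -v 'XX|/tmp/$|[ .,:]/tmp/'`
+if [ x"$test_res" = "x" ] ; then
+continue
+fi
+
+# Do further examination...
+syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' mkstemp@.*GLIBC| tempnam@.*GLIBC| tmpfile@.*GLIBC'`
+if [ x"$syms" != "x" ] ; then
+continue
+fi
+
+# Well its a bad one...out with it
+FOUND=1
+
+# Get the package
+RPM=`/bin/rpm -qf --queryformat "%{NAME}-%{VERSION}" $f 2>/dev/null | /bin/grep -v 'not owned' | /bin/sort | /usr/bin/uniq`
+if [ x"$RPM" = "x" ] ; then
+RPM="<unowned>"
+fi
+
+# For each tmp string, output the line
+echo $test_res | /usr/bin/tr '\b' '\n' | /bin/awk 'NF >= 1 { printf "%-46s\t%-30s\t%s\n", f, r, $1 }' r=$RPM f=$f
+fi
+done
+done
+if [ $FOUND -eq 0 ] ; then
+# Nothing to report, just exit
+echo "No problems found" 1>&2
+exit 0
+fi
+exit 1
+
+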
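Review bot: The output step at script line 73 does not print one line per /tmp string as its comment promises: `echo $test_res` is unquoted, so the multi-line grep result is joined into a single space-separated line, the `tr '\b' '\n'` stage appears to have nothing to translate, and awk then prints `$1` — the first token of the first match — exactly once per file, hiding every further string in the same binary. Keep the lines apart by passing the result quoted, `printf '%s\n' "$test_res" | /usr/bin/tr '\b' '\n' | /bin/awk 'NF >= 1 { printf "%-46s\t%-30s\t%s\n", f, r, $1 }' r="$RPM" f="$f"`; quoting `f="$f"` also stops awk from treating a path containing a space as an input file. Note that `$1` still truncates each reported string at its first blank; if the whole string is wanted, `$0` is the field to print.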
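diff --git a/recipes-security/redhat-security/files/find-execstack.sh b/recipes-security/redhat-security/files/find-execstack.sh
new file mode 100644
index 0000000..85f16de
--- /dev/null
+++ b/recipes-security/redhat-security/files/find-execstack.sh
@@ -0,0 +1,72 @@
+#!/bin/sh
+#
+# find-execstack utility
+# Copyright (c) 2007 Steve Grubb. ALL RIGHTS RESERVED.
+# sgrubb@redhat.com
+#
+# This software may be freely redistributed under the terms of the GNU
+# public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+# This program looks for executable stacks
+#
+
+libdirs="/lib /lib64 /usr/lib /usr/lib64"
+progdirs="/bin /sbin /usr/bin /usr/sbin /usr/libexec"
+FOUND=0
+
+# First param is which list to use, second is search pattern
+scan () {
+if [ "$1" = "1" ] ; then
+dirs=$libdirs
+elif [ "$1" = "2" ] ; then
+dirs=$progdirs
+fi
+
+for d in $dirs ; do
+if [ ! -d $d ] ; then
+continue
+fi
+files=`/usr/bin/find $d -name "$2" -type f 2>/dev/null`
+for f in $files
+do
+FOUND_ONE=0
+stacks=`/usr/bin/eu-readelf -l $f 2>/dev/null | grep STACK`
+if [ x"$stacks" != "x" ] ; then
+perms=`echo $stacks | /bin/awk '{ print $7 }'`
+if [ x"$perms" != x -a "$perms" != "RW" ] ; then
+FOUND_ONE=1
+fi
+fi
+old_stacks=`echo $stacks | /bin/grep -v GNU_STACK`
+if [ x"$old_stacks" != "x" ] ; then
+FOUND_ONE=1
+fi
+heaps=`/usr/bin/eu-readelf -l $f 2>/dev/null | grep GNU_HEAP`
+if [ x"$heaps" != "x" ] ; then
+FOUND_ONE=1
+fi
+if [ $FOUND_ONE = 1 ] ; then
+printf "%-42s" $f
+rpm -qf --queryformat "%{SOURCERPM}" $f
+echo
+FOUND=1
+fi
+done
+done
+}
+
+scan 1 '*.so'
+scan 2 '*'
+
+if [ $FOUND -eq 0 ] ; then
+# Nothing to report, just exit
+echo "No problems found" 1>&2
+exit 0
+fi
+exit 1
+
+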
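Review bot: An ELF file that carries no GNU_STACK program header at all is never reported: `$stacks` is empty at script line 37, so the permission test and the `grep -v GNU_STACK` test are both skipped and FOUND_ONE stays 0. On x86 and historically on several other Linux architectures a missing PT_GNU_STACK header makes the kernel fall back to an executable stack, so this is arguably the case most worth flagging rather than the one that passes silently. Because `eu-readelf -l` is also empty for the scripts and other non-ELF files that `scan 2 '*'` walks, the extra check needs an ELF test first — the `/usr/bin/file -n -f - | grep ELF` filter find-elf4tmp.sh uses would do — followed by `if [ x"$stacks" = "x" ] ; then FOUND_ONE=1 ; fi`. Separately, `[ x"$perms" != x -a "$perms" != "RW" ]` at line 40 uses the obsolescent `-a`; `[ -n "$perms" ] && [ "$perms" != "RW" ]` is the portable form, and the `$7` column index is an assumption about eu-readelf's output layout that deserves a comment.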
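diff --git a/recipes-security/redhat-security/files/find-hidden-exec.sh b/recipes-security/redhat-security/files/find-hidden-exec.sh
new file mode 100644
index 0000000..f799fca
--- /dev/null
+++ b/recipes-security/redhat-security/files/find-hidden-exec.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+#
+#
+# This software may be freely redistributed under the terms of the GNU
+# public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+# This program looks for hidden executables
+
+find / -name '.*' -type f -perm /00111 2>/dev/null
+
+# Also need to find hidden dirs and see if anything below it is hidden
+hidden_dirs=`find / -name '.*' -type d 2>/dev/null`
+for d in $hidden_dirs
+do
+find $d -name '.*' -type f -perm /00111 2>/dev/null
+done
+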
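Review bot: The second pass at script lines 16-20 is a strict subset of the first: any file it can match (`-name '.*' -type f -perm /00111` below a hidden directory) was already printed by the `find /` on line 13, so the loop only duplicates output, once more for each enclosing hidden directory. The comment says the goal is to see whether anything below a hidden directory is executable, which needs the name filter removed from the inner find: `find "$d" -type f -perm /00111 2>/dev/null`. Unlike the sibling scripts this one keeps no FOUND state and always exits 0, so a caller cannot tell findings from a clean run by exit status; mirroring their `exit 1` on output would make the set consistent.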
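diff --git a/recipes-security/redhat-security/files/find-nodrop-groups.sh b/recipes-security/redhat-security/files/find-nodrop-groups.sh
new file mode 100644
index 0000000..249eacd
--- /dev/null
+++ b/recipes-security/redhat-security/files/find-nodrop-groups.sh
@@ -0,0 +1,85 @@
+#!/bin/sh
+#
+# find-nodrop-groups utility
+# Copyright (c) 2011 Steve Grubb. ALL RIGHTS RESERVED.
+# sgrubb@redhat.com
+#
+# This software may be freely redistributed under the terms of the GNU
+# public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+# This program looks for apps that use setgid(2) without using initgroups(3)
+# or setgroups(2).
+#
+# To save to file: ./find-nodrop-groups | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | tee findings.txt
+
+libdirs="/lib /lib64 /usr/lib /usr/lib64"
+progdirs="/bin /sbin /usr/bin /usr/sbin /usr/libexec"
+FOUND=0
+
+# First param is which list to use, second is search pattern
+scan () {
+if [ "$1" = "1" ] ; then
+dirs=$libdirs
+elif [ "$1" = "2" ] ; then
+dirs=$progdirs
+elif [ "$1" = "3" ] ; then
+dirs=$3
+fi
+
+for d in $dirs ; do
+if [ ! -d $d ] ; then
+continue
+fi
+files=`/usr/bin/find $d -name "$2" -type f 2>/dev/null`
+for f in $files
+do
+syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setgid@.*GLIBC| setegid@.*GLIBC| setresgid@.*GLIBC'`
+if [ x"$syms" != "x" ] ; then
+syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setuid@.*GLIBC| seteuid@.*GLIBC| setresuid@.*GLIBC'`
+if [ x"$syms" != "x" ] ; then
+syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setgroups@.*GLIBC| initgroups@.*GLIBC'`
+if [ x"$syms" = "x" ] ; then
+if [ $FOUND = 0 ] ; then
+printf "%-44s%s\n" "FILE" "PACKAGE"
+fi
+syms=`find $f \( -perm -004000 -o -perm -002000 \) -type f -print`
+if [ x"$syms" = "x" ] ; then
+printf "\033[31m%-44s\033[m" $f
+rpm -qf --queryformat "%{SOURCERPM}" $f
+echo
+FOUND=1
+# else
+# printf "\033[33m%-44s\033[m" $f
+fi
+#rpm -qf --queryformat "%{NAME}-%{VERSION}" $f
+fi
+fi
+fi
+done
+done
+}
+
+if [ $# -eq 1 ] ; then
+if [ -d $1 ] ; then
+scan 3 '*' $1
+else
+echo "Input is not a directory"
+exit 1
+fi
+else
+scan 1 '*.so'
+scan 2 '*'
+fi
+
+if [ $FOUND -eq 0 ] ; then
+# Nothing to report, just exit
+echo "No problems found" 1>&2
+exit 0
+fi
+exit 1
+
+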
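Review bot: The FILE/PACKAGE header at script line 47 is printed whenever `$FOUND` is still 0, but FOUND only becomes 1 at line 54 inside the "not setuid/setgid" branch, so every candidate that turns out to be setuid or setgid (and is therefore not reported) leaves FOUND at 0 and the header is printed again for the next candidate — several headers with no rows under them, and on an otherwise clean run a stray header followed by "No problems found". Move the header under the inner test, as find-chroot.sh does, so it appears only before the first reported row: `if [ x"$syms" = "x" ] ; then` / `if [ $FOUND = 0 ] ; then printf "%-44s%s\n" "FILE" "PACKAGE" ; fi` / `printf "\033[31m%-44s\033[m" $f`. The commented-out yellow branch suggests setuid/setgid binaries were meant to be shown in a second colour; as committed they are dropped without any output, which may or may not be intended and deserves a comment either way.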
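diff --git a/recipes-security/redhat-security/files/find-sh4errors.sh b/recipes-security/redhat-security/files/find-sh4errors.sh
new file mode 100644
index 0000000..0054a6a
--- /dev/null
+++ b/recipes-security/redhat-security/files/find-sh4errors.sh
@@ -0,0 +1,132 @@
+#!/bin/sh
+# find_sh4errors utility
+# Copyright (c) 2004 Steve Grubb. ALL RIGHTS RESERVED.
+# sgrubb@redhat.com
+#
+# This software may be freely redistributed under the terms of the GNU
+# public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+# This script will search a directory and its subdirectories for every shell
+# script. It then runs sh -n to see if bash can determine if there are obvious
+# parsing errors. It does have a bug in that bash -n does not take into
+# account someone may program an unconditional exit and then include man page
+# generation information. It also fails to notice the exec command. When you
+# run across files that do either of the above, add it to the KNOWN_BAD list.
+
+if [ $# -ge 2 ] ; then
+echo "Usage: find_sh4errors [directory]" 1>&2
+exit 1
+fi
+INTERPRETERS="wish wishx tclsh guile rep itkwish expect /etc/kde/kdm/Xsession /etc/X11/xdm/Xsession /usr/bin/festival perl hfssh"
+SKIP_DIRS="/opt /home /root"
+KNOWN_BAD="/usr/bin/kde-build /usr/bin/cvsversion samples/copifuncs/copi.sendifm1 bashdb bash_completion_test"
+DIR="/"
+if [ $# -eq 1 ] ; then
+if [ -d "$1" ] ; then
+DIR="$1"
+else
+echo "Option passed in was not a directory" 1>&2
+exit 1
+fi
+fi
+tempfile=`mktemp /tmp/sh4.XXXXXX`
+tempfile2=`mktemp /tmp/sh4.XXXXXX`
+if [ -z "$tempfile" -o -z "$tempfile2" ] ; then
+echo ; echo "Unable to create tempfiles...aborting." 1>&2 ; echo
+exit 1
+fi
+trap "rm -f $tempfile; rm -f $tempfile2; exit 2" 1 2 3 5 15
+
+# Get executable files
+#echo "Locating executables..."
+/usr/bin/find $DIR -type f -perm /0111 -print >> $tempfile 2>/dev/null
+FOUND=0
+#echo "Refining list to shell scripts..."
+while read f
+do
+# Get just the shell scripts
+testf=`echo $f | /usr/bin/file -n -f - | egrep 'ourne|POSIX shell'`
+if [ x"$testf" != x ] ; then
+echo $f >> $tempfile2
+FOUND=1
+fi
+done < $tempfile
+/bin/rm -f $tempfile
+if [ $FOUND -eq 0 ] ; then
+# Nothing to report, just exit
+# echo "Examining shell scripts in $DIR"
+# echo "No problems found"
+/bin/rm -f $tempfile2
+exit 0
+fi
+#echo "Examining shell scripts in $DIR"
+FOUND=0
+while read i
+do
+# First see if the script calls an interpreter
+SKIP=0
+for lang in $INTERPRETERS
+do
+if `/bin/cat "$i" 2>/dev/null | \
+grep "exec[ \t].*$lang" >/dev/null` ; then
+SKIP=1
+break
+fi
+done
+
+if [ $SKIP -eq 1 ] ; then
+continue
+fi
+
+# See if this is in a dir we want to ignore
+for d in $SKIP_DIRS
+do
+if `echo "$i" | /bin/grep "^\$d" >/dev/null`; then
+SKIP=1
+break
+fi
+done
+
+if [ $SKIP -eq 1 ] ; then
+continue
+fi
+
+# Don't do the known naughty files
+for bad in $KNOWN_BAD
+do
+if `echo "$i" | /bin/grep "$bad" >/dev/null`; then
+SKIP=1
+break
+fi
+done
+
+if [ $SKIP -eq 1 ] ; then
+continue
+fi
+
+# Now examine them for correctness
+interp=`/usr/bin/head -n 1 "$i" | /bin/awk '{ print $1 }' | \
+/usr/bin/tr -d '#!'`
+if [ x"$interp" = "x" -o ! -x "$interp" ] ; then
+interp="/bin/sh"
+fi
+$interp -n "$i" 2>/dev/null
+if [ $? -ne 0 ] ; then
+printf "%-44s" "$i"
+rpm -qf --queryformat "%{NAME}-%{VERSION}" $i
+echo
+FOUND=1
+fi
+done < $tempfile2
+/bin/rm -f $tempfile2
+if [ $FOUND -eq 0 ] ; then
+# Nothing to report, just exit
+# echo "No problems found"
+exit 0
+fi
+exit 1
+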
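Review bot: The syntax check at script lines 112-117 executes whatever program the scanned file's own `#!` line names, with `-n` as the sole argument; DIR defaults to `/` and the script presumably runs as root to read everything, so the choice of what to execute should not come from the file under examination — `-n` is only a syntax check for the Bourne-family shells, not for arbitrary executables. It also produces false positives: a script starting `#!/usr/bin/env bash` is reported by `file` as a Bourne-Again shell script and passes the filter at line 52, `$interp` becomes `/usr/bin/env`, and `env -n` is rejected rather than parsed, so the file is listed as broken. Restricting the interpreter to a short allowlist of shells by basename, with `/bin/sh` as the fallback, closes both; the `-x "$interp"` test afterwards stays as it is.
```shell
interp=`/usr/bin/head -n 1 "$i" | /bin/awk '{ print $1 }' | \
/usr/bin/tr -d '#!'`
# Only ever run a known shell in -n mode, never whatever program a scanned file names.
case "${interp##*/}" in
sh|bash|dash|ash|ksh|mksh) ;;
*) interp="/bin/sh" ;;
esac
if [ x"$interp" = "x" -o ! -x "$interp" ] ; then
interp="/bin/sh"
fi
# … unchanged: $interp -n "$i" and the reporting that follows …
```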
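diff --git a/recipes-security/redhat-security/files/find-sh4tmp.sh b/recipes-security/redhat-security/files/find-sh4tmp.sh
new file mode 100644
index 0000000..7fd1af7
--- /dev/null
+++ b/recipes-security/redhat-security/files/find-sh4tmp.sh
@@ -0,0 +1,116 @@
+#!/bin/sh
+# find_sh4tmp utility
+# Copyright (c) 2005 Steve Grubb. ALL RIGHTS RESERVED.
+# sgrubb@redhat.com
+#
+# This software may be freely redistributed under the terms of the GNU
+# public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+# This script will search a directory and its subdirectories for all shell
+# scripts. It will then search for the use of the tmp directory. If it finds
+# this is true, it will then try to determine if mktemp or something
+# reasonable was used and exclude it. It has a bug in that it does not handle
+# rm -f /tmp/ or mkdir /tmp/ correctly. If you run across files that do that,
+# add them to the KNOWN_BAD list to ignore them.
+
+if [ $# -ge 2 ] ; then
+echo "Usage: find_sh4tmp [directory]" 1>&2
+exit 1
+fi
+INTERPRETERS="wish wishx tclsh guile rep itkwish expect /etc/kde/kdm/Xsession /etc/X11/xdm/Xsession /usr/bin/festival perl hfssh"
+SKIP_DIRS="/opt /home /root /mnt /media /dev /proc /selinux /sys /usr/share/doc"
+KNOWN_BAD="kopete_latexconvert.sh cvs2dist fixfiles mysqlbug build/scripts/package/mkspec py-compile rc.sysinit init.d/xfs diff-jars grub-install mailshar vncserver Xsession sysreport cross-build vpkg rcs-to-cvs debug_check_log cvs2vendor tmpwatch ps2epsi mkdumprd xdg-open xdg-mime xdg-email gzexe"
+DIR="/"
+if [ $# -eq 1 ] ; then
+if [ -d "$1" ] ; then
+DIR="$1"
+else
+echo "Option passed in was not a directory" 1>&2
+exit 1
+fi
+fi
+tempfile=`mktemp /tmp/sh4.XXXXXX`
+tempfile2=`mktemp /tmp/sh4.XXXXXX`
+if [ -z "$tempfile" -o -z "$tempfile2" ] ; then
+echo ; echo "Unable to create tempfiles...aborting." 1>&2 ; echo
+exit 1
+fi
+trap "rm -f $tempfile; rm -f $tempfile2; exit 2" 1 2 3 5 15
+
+# Get executable files
+#echo "Scanning shell scripts in $DIR..."
+find $DIR -type f -perm /0111 -print >> $tempfile 2>/dev/null
+FOUND=0
+while read f
+do
+# Get just the shell scripts
+testf=`echo $f | file -n -f - | egrep 'ourne|POSIX shell'`
+if [ x"$testf" != x ] ; then
+# FIXME: need to do something to get rid of echo, rm, or mkdir "/tmp/"
+test_res=`cat $f 2>/dev/null | grep '\/tmp\/' | grep -v 'mktemp' | grep -v '^#'`
+if [ x"$test_res" = x ] ; then
+continue
+fi
+
+# Do further examination...
+# First see if the script calls an interpreter
+SKIP=0
+for lang in $INTERPRETERS
+do
+if `cat "$f" | grep "exec[ \t].*$lang" >/dev/null` ; then
+SKIP=1
+break
+fi
+done
+
+if [ $SKIP -eq 1 ] ; then
+continue
+fi
+
+# See if this is in a dir we want to ignore
+for d in $SKIP_DIRS
+do
+if `echo "$f" | grep "^\$d" >/dev/null`; then
+SKIP=1
+break
+fi
+done
+
+if [ $SKIP -eq 1 ] ; then
+continue
+fi
+
+# Don't do the known naughty files
+for bad in $KNOWN_BAD
+do
+if `echo "$f" | grep "$bad" >/dev/null`; then
+SKIP=1
+break
+fi
+done
+
+if [ $SKIP -eq 1 ] ; then
+continue
+fi
+
+# Well its a bad one...out with it
+printf "%-44s" $f
+rpm -qf --queryformat "%{NAME}-%{VERSION}" $f
+echo
+FOUND=1
+fi
+done < $tempfile
+rm -f $tempfile
+if [ $FOUND -eq 0 ] ; then
+# Nothing to report, just exit
+# echo "No problems found"
+rm -f $tempfile2
+exit 0
+fi
+exit 1
+
+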
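Review bot: `$tempfile2` is created at script line 37 but never written to or read, and it is removed only on the no-findings path at line 111; every run that reports something exits at line 114 with `$tempfile2` left behind in /tmp, and the signal trap on line 42 does not fire on a normal exit either. Either drop the second mktemp together with the `-z "$tempfile2"` test, or remove both files in one place next to the existing cleanup: `rm -f $tempfile $tempfile2` at line 107. find-sh4errors.sh has the same two-tempfile setup but does use and remove both, so the asymmetry looks like a leftover rather than a design choice.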
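diff --git a/recipes-security/redhat-security/files/lib-bin-check.sh b/recipes-security/redhat-security/files/lib-bin-check.sh
new file mode 100644
index 0000000..1e2d930
--- /dev/null
+++ b/recipes-security/redhat-security/files/lib-bin-check.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# This software may be freely redistributed under the terms of the GNU
+# public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+found=0
+list=`rpm -qa --queryformat "%{NAME}-%{VERSION}.%{ARCH}\n" | grep '^lib' | egrep -v '\-utils\-|\-bin\-|\-tools\-|\-client\-|libreoffice|\-plugin\-'`
+for p in $list
+do
+bin=`rpm -ql $p | egrep '^/bin|^/sbin|^/usr/bin|^/usr/sbin' | grep -v '\-config'`
+if [ "x$bin" != "x" ]; then
+testf=`echo $bin | /usr/bin/file -n -f - 2>/dev/null | grep ELF`
+if [ x"$testf" != "x" ] ; then
+found=1
+echo "$p could be split into a utils package"
+fi
+fi
+done
+
+if [ $found = 0 ]; then
+echo "No problems found"
+exit 0
+fi
+
+exit 1
+
+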
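Review bot: The ELF test at script line 16 stops working as soon as a package owns more than one file under the bin directories: `$bin` holds one path per line, but `echo $bin` is unquoted, so the lines are joined into a single space-separated word that `file -n -f -` reads as one non-existent filename; `grep ELF` then matches nothing and the package is silently not reported — the opposite of what the check is for. Feed the list one path per line instead: `testf=\`printf '%s\n' "$bin" | /usr/bin/file -n -f - 2>/dev/null | grep ELF\``. The same `echo $var | file -f -` idiom in find-elf4tmp.sh and find-sh4errors.sh is safe only because there `$f` is a single path.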
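diff --git a/recipes-security/redhat-security/files/rpm-chksec.sh b/recipes-security/redhat-security/files/rpm-chksec.sh
new file mode 100644
index 0000000..983c218
--- /dev/null
+++ b/recipes-security/redhat-security/files/rpm-chksec.sh
@@ -0,0 +1,279 @@
+#!/bin/sh
+# rpm-chksec
+#
+# Copyright (c) 2011-2013 Steve Grubb. ALL RIGHTS RESERVED.
+# sgrubb@redhat.com
+#
+# This software may be freely redistributed under the terms of the GNU
+# public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+# Given an rpm, it will look at each file to check that its compiled with
+# the intended flags to make it more secure. Things that are green are OK.
+# Anything in yellow could be better but is passable. Anything in red needs
+# attention.
+#
+# If the --all option is given, it will generate a list of rpms and then
+# summarize the rpm's state. For yes, then all files are in the expected
+# state. Just one file not compiled with the right flags can turn the
+# answer to no. Re-run passing that package (instead of --all) for the details.
+#
+# To save to file: ./rpm-chksec | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | tee output.txt
+
+VERSION="0.5.2"
+
+usage () {
+echo "rpm-chksec [--version|--all|<rpmname>...]"
+if [ ! -x /usr/bin/filecap ] ; then
+echo "You need to install libcap-ng-utils to test capabilities"
+fi
+if [ $EUID != 0 ] ; then
+echo "You might need to be root to read some files"
+fi
+exit 0
+}
+
+if [ "$1" = "--help" -o $# -eq 0 ] ; then
+usage
+fi
+if [ "$1" = "--version" ] ; then
+echo "rpm-chksec $VERSION"
+exit 0
+fi
+if [ "$1" = "--all" ] ; then
+MODE="all"
+else
+MODE="single"
+fi
+
+do_one () {
+if ! rpm -q $1 >/dev/null 2>&1 ; then
+if [ "$MODE" = "single" ] ; then
+echo "$1 is not installed"
+exit 1
+else
+echo "not installed"
+return
+fi
+fi
+files=`rpm -ql $1`
+
+# Look for daemons, need this for later...
+DAEMON=""
+for f in $files
+do
+if [ ! -f "$f" ] ; then
+continue
+fi
+if [ `echo "$f" | grep '\/etc\/rc.d\/init.d'` ] ; then
+n=`basename "$f"`
+t=`which "$n" 2>/dev/null`
+if [ x"$t" != "x" ] ; then
+DAEMON="$DAEMON $t"
+continue
+fi
+t=`which "$n"d 2>/dev/null`
+if [ x"$t" != "x" ] ; then
+DAEMON="$DAEMON $t"
+continue
+fi
+t=`cat "$f" 2>/dev/null | grep 'bin' | grep 'exit 5' | grep -v '\$'`
+if [ x"$t" != "x" ] ; then
+DAEMON="$DAEMON $t"
+continue
+fi
+if [ "$MODE" = "single" ] ; then
+echo "Can't find the executable in $f but daemon rules would apply"
+fi
+elif [ `echo "$f" | grep '\/lib\/systemd\/'` ] ; then
+t=`cat "$f" | grep -i '^ExecStart=' | tr '=' ' ' | awk '{ print $2 }'`
+if [ x"$t" != "x" ] ; then
+DAEMON="$DAEMON $t"
+continue
+fi
+fi
+done
+
+# Prevent garbled output when doing --all.
+skip_current=0
+
+for f in $files
+do
+if [ ! -f "$f" ] ; then
+continue
+fi
+# Some packages have files with ~ in them. This avoids it.
+if ! echo "$f" | grep '^/' >/dev/null ; then
+continue
+fi
+if [ ! -r "$f" ] && [ $EUID != 0 ] ; then
+if [ $MODE = "single" ] ; then
+echo "Please re-test $f as the root user"
+else
+# Don't print results.
+skip_current=1
+echo "Please re-test $1 as the root user"
+fi
+continue
+fi
+if ! file "$f" | grep -qw 'ELF'; then
+continue
+fi
+RELRO="no"
+if readelf -l "$f" 2>/dev/null | grep -q 'GNU_RELRO'; then
+RELRO="partial"
+fi
+if readelf -d "$f" 2>/dev/null | grep -q 'BIND_NOW'; then
+RELRO="full"
+fi
+PIE="no"
+if readelf -h "$f" 2>/dev/null | grep -q 'Type:[[:space:]]*DYN'; then
+PIE="DSO"
+if readelf -d "$f" 2>/dev/null | grep -q '(DEBUG)'; then
+PIE="yes"
+fi
+fi
+APP=""
+if [ x"$DAEMON" != "x" ] ; then
+for d in $DAEMON
+do
+if [ "$f" = "$d" ] ; then
+APP="daemon"
+break
+fi
+done
+fi
+if [ x"$APP" = "x" ] ; then
+# See if this is a library or a setuid app
+if [ `echo "$f" | grep '\/lib' | grep '\.so'` ] ; then
+APP="library"
+elif [ `find "$f" -perm -004000 -type f -print` ] ; then
+APP="setuid"
+elif [ `find "$f" -perm -002000 -type f -print` ] ; then
+APP="setgid"
+elif [ -x /usr/bin/filecap ] && [ `filecap "$f" 2> /dev/null | wc -w` -gt 0 ] ; then
+APP="setcap"
+else
+syms1=`/usr/bin/readelf -s "$f" 2>/dev/null | egrep ' connect@.*GLIBC| listen@.*GLIBC| accept@.*GLIBC|accept4@.*GLIBC'`
+syms2=`/usr/bin/readelf -s "$f" 2>/dev/null | egrep ' getaddrinfo@.*GLIBC| getnameinfo@.*GLIBC| getservent@.*GLIBC| getservbyname@.*GLIBC| getservbyport@.*GLIBC|gethostbyname@.*GLIBC| gethostbyname2@.*GLIBC| gethostbyaddr@.*GLIBC| gethostbyaddr2@.*GLIBC'`
+if [ x"$syms1" != "x" ] ; then
+if [ x"$syms2" != "x" ] ; then
+APP="network-ip"
+else
+APP="network-local"
+fi
+fi
+fi
+fi
+if [ x"$APP" = "x" ] ; then
+APP="exec"
+fi
+
+# OK, ready for the output
+if [ "$MODE" = "single" ] ; then
+printf "%-56s %-10s " "$f" $APP
+if [ "$APP" = "daemon" -o "$APP" = "setuid" -o "$APP" = "setgid" -o "$APP" = "setcap" -o "$APP" = "network-ip" -o "$APP" = "network-local" ] ; then
+if [ "$RELRO" = "full" ] ; then
+printf "\033[32m%-7s\033[m " $RELRO
+elif [ "$RELRO" = "partial" ] ; then
+printf "\033[33m%-7s\033[m " $RELRO
+else
+printf "\033[31m%-7s\033[m " $RELRO
+fi
+if [ "$PIE" = "yes" ] ; then
+printf "\033[32m%-4s\033[m" $PIE
+else
+printf "\033[31m%-4s\033[m" $PIE
+fi
+elif [ "$APP" = "library" ] ; then
+if [ "$RELRO" = "full" -o "$RELRO" = "partial" ] ; then
+printf "\033[32m%-7s\033[m " $RELRO
+else
+printf "\033[31m%-7s\033[m " $RELRO
+fi
+printf "\033[32m%-4s\033[m" $PIE
+else
+# $APP = exec - we want partial relro
+if [ "$RELRO" = "no" ] ; then
+printf "\033[31m%-7s\033[m " $RELRO
+else
+printf "\033[32m%-7s\033[m " $RELRO
+fi
+printf "\033[32m%-4s\033[m" $PIE
+fi
+echo
+else
+if [ "$APP" = "daemon" -o "$APP" = "setuid" -o "$APP" = "setgid" -o "$APP" = "setcap" -o "$APP" = "network-ip" -o "$APP" = "network-local" ] ; then
+if [ "$RELRO" = "no" ] ; then
+RELRO_SUM="no"
+APP_SUM="$APP"
+fi
+if [ "$PIE" = "no" ] ; then
+PIE_SUM="no"
+APP_SUM="$APP"
+fi
+elif [ "$APP" = "library" ] ; then
+if [ "$RELRO" = "no" ] ; then
+RELRO_SUM="no"
+APP_SUM="$APP"
+fi
+# $APP = exec - must have partial or full relro
+elif [ "$RELRO" = "no" ] ; then
+RELRO_SUM="no"
+APP_SUM="$APP"
+fi
+fi
+done
+}
+
+if [ "$MODE" = "single" ] ; then
+printf "%-56s %-10s %-7s %-4s" "FILE" "TYPE" "RELRO" "PIE"
+echo
+for i; do
+f=$(basename $1)
+# Strip the .rpm extension, if present.
+do_one ${f%%.rpm}
+shift
+done
+exit 0
+fi
+
+# Skip the kernel as its special
+packages=`rpm -qa --queryformat "%{NAME}.%{ARCH}\n" | egrep -v 'kernel.|debuginfo.|.noarch|gpg-pubkey' | sort`
+printf "%-50s %-5s %-4s %-14s" "PACKAGE" "RELRO" "PIE" "CLASS"
+echo
+for p in $packages
+do
+RELRO_SUM="yes"
+PIE_SUM="yes"
+APP_SUM=""
+printf "%-50s " $p
+do_one $p
+if [[ $skip_current -eq 1 ]] ; then
+continue
+fi
+if [ "$RELRO_SUM" = "yes" ] ; then
+printf "\033[32m%-5s\033[m " "$RELRO_SUM"
+else
+printf "\033[31m%-5s\033[m " "$RELRO_SUM"
+fi
+if [ "$PIE_SUM" = "yes" ] ; then
+printf "\033[32m%-4s\033[m" "$PIE_SUM"
+if [ "$RELRO_SUM" = "no" ] ; then
+printf " %-14s" "$APP_SUM"
+fi
+else
+if [ "$APP_SUM" = "network-local" ] ; then
+printf "\033[33m%-4s\033[m %-14s" "$PIE_SUM" "$APP_SUM"
+else
+printf "\033[31m%-4s\033[m %-14s" "$PIE_SUM" "$APP_SUM"
+fi
+fi
+echo
+done
+exit 0
+
+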
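Review bot: `if [[ $skip_current -eq 1 ]]` on line 255 and the `$EUID` comparisons on lines 33 and 112 are bash-only, yet the script declares `#!/bin/sh`; on a target whose /bin/sh is dash or busybox ash (the usual case for an embedded image) `[[` is "command not found" and `$EUID` expands to nothing, so `[ != 0 ]` errors out and the "re-test as root" guard on line 112 never fires, silently reporting unreadable files as skipped ELF checks. Either switch the shebang to `#!/bin/bash` or make the three tests POSIX: `if [ "$skip_current" -eq 1 ] ; then` and `if [ "$(id -u)" != 0 ] ; then`. A smaller point in the same function: `skip_current=0` on line 101 is set only after the `rpm -q` check, so in --all mode a "not installed" package inherits the previous package's value and may have its summary line suppressed; initialising it next to `RELRO_SUM`/`PIE_SUM` on lines 250-252 avoids that.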
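diff --git a/recipes-security/redhat-security/files/rpm-drop-groups.sh b/recipes-security/redhat-security/files/rpm-drop-groups.sh
new file mode 100644
index 0000000..8c75783
--- /dev/null
+++ b/recipes-security/redhat-security/files/rpm-drop-groups.sh
@@ -0,0 +1,131 @@
+#!/bin/sh
+# rpm-drop-groups
+#
+# Copyright (c) 2011 Steve Grubb. ALL RIGHTS RESERVED.
+# sgrubb@redhat.com
+#
+# This software may be freely redistributed under the terms of the GNU
+# public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+# Given an rpm, it will look at each file to check if it tries to change
+# group and user credentials. If so, it further tries to determine if
+# it also calls setgroups or initgroups. To correctly change groups, the
+# program must drop supplemntal groups. Programs are classified into: n/a
+# meaning no group dropping occurs, yes its done correctly, and no meaning
+# there seems to be a problem.
+#
+# If the --all option is given, it will generate a list of rpms and then
+# summarize the rpm's state. For yes, then all files are in the expected
+# state. Just one program failing can turn the package's summary to no.
+# Re-run passing that package (instead of --all) for the details.
+#
+# To save to file: ./rpm-drop-groups | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | tee output.txt
+
+VERSION="0.1"
+
+usage () {
+echo "rpm-drop-groups [--all|<rpmname>|--version]"
+exit 0
+}
+
+if [ "$1" = "--help" -o $# -eq 0 ] ; then
+usage
+fi
+if [ "$1" = "--version" ] ; then
+echo "rpm-drop-groups $VERSION"
+exit 0
+fi
+if [ "$1" = "--all" ] ; then
+MODE="all"
+else
+MODE="single"
+fi
+
+do_one () {
+if ! rpm -q $1 >/dev/null 2>&1 ; then
+if [ "$MODE" = "single" ] ; then
+echo "$1 is not installed"
+exit 1
+else
+echo "not installed"
+return
+fi
+fi
+files=`rpm -ql $1`
+
+for f in $files
+do
+if [ ! -f $f ] ; then
+continue
+fi
+if ! file $f | grep -q 'ELF'; then
+continue
+fi
+
+CORRECT="n/a"
+syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setgid@.*GLIBC| setegid@.*GLIBC| setresgid@.*GLIBC'`
+if [ x"$syms" != "x" ] ; then
+CORRECT="yes"
+syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setuid@.*GLIBC| seteuid@.*GLIBC| setresuid@.*GLIBC'`
+if [ x"$syms" != "x" ] ; then
+syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setgroups@.*GLIBC| initgroups@.*GLIBC'`
+if [ x"$syms" = "x" ] ; then
+syms=`find $f \( -perm -004000 -o -perm -002000 \) -type f -print`
+if [ x"$syms" = "x" ] ; then
+CORRECT="no"
+fi
+fi
+fi
+fi
+
+# OK, ready for the output
+if [ "$MODE" = "single" ] ; then
+printf "%-60s " $f
+if [ "$CORRECT" = "yes" ] ; then
+printf "\033[32m%-7s\033[m " $CORRECT
+elif [ "$CORRECT" = "no" ] ; then
+printf "\033[31m%-7s\033[m " $CORRECT
+else
+printf "\033[33m%-7s\033[m " $CORRECT
+fi
+echo
+else
+if [ "$CORRECT" = "no" ] ; then
+CORRECT_SUM="no"
+fi
+fi
+done
+}
+
+if [ "$MODE" = "single" ] ; then
+printf "%-60s%-7s" "FILE" "CORRECT"
+echo
+for i; do
+do_one $1
+shift
+done
+exit 0
+fi
+
+packages=`rpm -qa --queryformat "%{NAME}.%{ARCH}\n" | sort`
+printf "%-50s %-7s" "PACKAGE" "CORRECT"
+echo
+for p in $packages
+do
+CORRECT_SUM="yes"
+printf "%-50s " $p
+do_one $p
+if [ "$CORRECT_SUM" = "yes" ] ; then
+printf "\033[32m%-7s\033[m " $CORRECT_SUM
+else
+printf "\033[31m%-7s\033[m " $CORRECT_SUM
+fi
+echo
+done
+exit 0
+
+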
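Review bot: `$f` is unquoted in every test and command of the per-file loop — `[ ! -f $f ]`, `file $f`, the three `readelf -s $f` calls, `find $f ...` and `printf "%-60s " $f` on lines 62-77 and 87 — so a path containing a glob character or leading `-` is mangled before `readelf` ever sees it, and `[ ! -f ]` with an empty expansion is true, which quietly skips the file instead of reporting it; the sibling rpm-chksec.sh in this commit quotes the same variable throughout, so the two should agree. Quoting is the minimum change, e.g. `if [ ! -f "$f" ] ; then` and `syms=`/usr/bin/readelf -s "$f" 2>/dev/null | egrep ...``; note that `for f in $files` on line 60 already splits on whitespace, so handling paths with spaces would additionally need `rpm -ql "$1" | while IFS= read -r f` in place of the `for`. The header comment (lines 14-19) should also state that a setuid/setgid file without setgroups/initgroups is reported as "yes" (line 77-78), since a reader of the summary would otherwise expect "no" there.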
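diff --git a/recipes-security/redhat-security/files/selinux-check-devices.sh b/recipes-security/redhat-security/files/selinux-check-devices.sh
new file mode 100644
index 0000000..ef996d7
--- /dev/null
+++ b/recipes-security/redhat-security/files/selinux-check-devices.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+# This software may be freely redistributed under the terms of the GNU
+# public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"
+
+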
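Review bot: the `-context` argument `*:device_t:*` on line 10 is an unquoted glob, so the shell expands it against the current directory before `find` runs; if any file name there happens to match, `find` receives a different pattern (or several) and the check reports something other than what was intended. Quote it: `find /dev -context '*:device_t:*' \( -type c -o -type b \) -printf "%p %Z\n"`. A header comment saying what the script is for would also help, e.g. `# List character/block devices in /dev still labelled with the generic device_t type, i.e. missing a specific SELinux device label.`; `-context` and `%Z` presumably need GNU findutils built with SELinux support, which is worth stating there too.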
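diff --git a/recipes-security/redhat-security/files/selinux-ls-unconfined.sh b/recipes-security/redhat-security/files/selinux-ls-unconfined.sh
new file mode 100644
index 0000000..6868413
--- /dev/null
+++ b/recipes-security/redhat-security/files/selinux-ls-unconfined.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# This software may be freely redistributed under the terms of the GNU
+# public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+# This checks for unconfined apps running, initrc and inetd are signs
+# of missing transitions.
+
+pidof xinetd >/dev/null
+if [ $? -eq 0 ] ; then
+ps -eZ | egrep "initrc|inetd" | egrep -v `pidof xinetd` | tr ':' ' ' | awk '{ printf "%s %s\n", $3, $NF }'
+else
+ps -eZ | egrep "initrc" | tr ':' ' ' | awk '{ printf "%s %s\n", $3, $NF }'
+fi
+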
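Review bot: `egrep -v `pidof xinetd`` on line 15 is wrong whenever more than one xinetd process exists — `pidof` prints all PIDs space-separated, so the first becomes the pattern and the rest are taken as file names, and `egrep` stops reading the pipe; even with a single PID a bare number like `12` also excludes unrelated processes whose PID, time or command merely contains `12`. Build one anchored alternation instead: `xpids=$(pidof xinetd | tr ' ' '|')` and then `egrep -v "[[:space:]](${xpids})[[:space:]]"` in the pipeline, which matches only the PID column. The `pidof ...; if [ $? -eq 0 ]` pair on lines 13-14 can simply be `if pidof xinetd >/dev/null ; then`.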
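diff --git a/recipes-security/redhat-security/redhat-security_1.0.bb b/recipes-security/redhat-security/redhat-security_1.0.bb
new file mode 100644
index 0000000..edab390
--- /dev/null
+++ b/recipes-security/redhat-security/redhat-security_1.0.bb
@@ -0,0 +1,38 @@
+DESCRIPTION = "Tools used by redhat linux distribution for security checks"
+SECTION = "security"
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
+PR = "r0"
+
+SRC_URI = "file://find-chroot-py.sh \
+file://find-chroot.sh \
+file://find-elf4tmp.sh \
+file://find-execstack.sh \
+file://find-hidden-exec.sh \
+file://find-nodrop-groups.sh \
+file://find-sh4errors.sh \
+file://find-sh4tmp.sh \
+file://lib-bin-check.sh \
+file://rpm-chksec.sh \
+file://rpm-drop-groups.sh \
+file://selinux-check-devices.sh \
+file://selinux-ls-unconfined.sh"
+
+S = "${WORKDIR}"
+
+do_install() {
+install -d ${D}${bindir}
+install -m 0755 ${WORKDIR}/find-chroot-py.sh ${D}${bindir}
+install -m 0755 ${WORKDIR}/find-chroot.sh ${D}${bindir}
+install -m 0755 ${WORKDIR}/find-elf4tmp.sh ${D}${bindir}
+install -m 0755 ${WORKDIR}/find-execstack.sh ${D}${bindir}
+install -m 0755 ${WORKDIR}/find-hidden-exec.sh ${D}${bindir}
+install -m 0755 ${WORKDIR}/find-nodrop-groups.sh ${D}${bindir}
+install -m 0755 ${WORKDIR}/find-sh4errors.sh ${D}${bindir}
+install -m 0755 ${WORKDIR}/find-sh4tmp.sh ${D}${bindir}
+install -m 0755 ${WORKDIR}/lib-bin-check.sh ${D}${bindir}
+install -m 0755 ${WORKDIR}/rpm-chksec.sh ${D}${bindir}
+install -m 0755 ${WORKDIR}/rpm-drop-groups.sh ${D}${bindir}
+install -m 0755 ${WORKDIR}/selinux-check-devices.sh ${D}${bindir}
+install -m 0755 ${WORKDIR}/selinux-ls-unconfined.sh ${D}${bindir}
+}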
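Review bot: the recipe declares no runtime dependencies, yet every installed script shells out to tools that a minimal image will not have — `rpm`, `readelf` (binutils), `file`, `find -context`, `ps -eZ`, and rpm-chksec.sh uses `[[` and `$EUID` despite its `#!/bin/sh` line — so the checks fail at first use on the target rather than at build time. Add something like `RDEPENDS_${PN} += "bash rpm binutils file findutils procps"` (exact package names depend on the layers in use; `findutils`/`procps` need SELinux support enabled for `-context` and `-Z`). `LICENSE = "GPLv2"` is also more specific than the scripts' own headers, which only say "GNU public license"; confirming the intended version with upstream before pinning the checksum avoids a later license-audit question.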