diff options
| author | Andrei Dinu <andrei.adrianx.dinu@intel.com> | 2013-06-17 17:24:38 +0300 |
|---|---|---|
| committer | Andrei Dinu <andrei.adrianx.dinu@intel.com> | 2013-06-17 17:24:38 +0300 |
| commit | 60d90b25631471e8193b3069c6a520ccf7c82008 (patch) | |
| tree | e413ea3904059ff52a4539aeff358518fa0ae327 /recipes-security/redhat-security | |
| download | meta-security-60d90b25631471e8193b3069c6a520ccf7c82008.tar.gz | |
meta-security : initial commit
Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
Diffstat (limited to 'recipes-security/redhat-security')
14 files changed, 1209 insertions, 0 deletions
diff --git a/recipes-security/redhat-security/files/find-chroot-py.sh b/recipes-security/redhat-security/files/find-chroot-py.sh new file mode 100644 index 0000000..9996e08 --- /dev/null +++ b/recipes-security/redhat-security/files/find-chroot-py.sh | |||
| @@ -0,0 +1,96 @@ | |||
| 1 | #!/bin/sh | ||
| 2 | # | ||
| 3 | # find-chroot-py utility | ||
| 4 | # Copyright (c) 2011 Steve Grubb. ALL RIGHTS RESERVED. | ||
| 5 | # sgrubb@redhat.com | ||
| 6 | # | ||
| 7 | # This software may be freely redistributed under the terms of the GNU | ||
| 8 | # public license. | ||
| 9 | # | ||
| 10 | # You should have received a copy of the GNU General Public License | ||
| 11 | # along with this program; if not, write to the Free Software | ||
| 12 | # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. | ||
| 13 | # | ||
| 14 | # This program looks for python apps that use chroot(2) without using chdir(2) | ||
| 15 | # | ||
| 16 | # To save to file: ./find-chroot | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | tee findings.txt | ||
| 17 | |||
| 18 | libdirs="/lib /lib64 /usr/lib /usr/lib64" | ||
| 19 | progdirs="/bin /sbin /usr/bin /usr/sbin /usr/libexec" | ||
| 20 | FOUND=0 | ||
| 21 | |||
| 22 | # First param is which list to use, second is search pattern | ||
| 23 | scan () { | ||
| 24 | if [ "$1" = "1" ] ; then | ||
| 25 | dirs=$libdirs | ||
| 26 | elif [ "$1" = "2" ] ; then | ||
| 27 | dirs=$progdirs | ||
| 28 | elif [ "$1" = "3" ] ; then | ||
| 29 | dirs=$3 | ||
| 30 | fi | ||
| 31 | |||
| 32 | for d in $dirs ; do | ||
| 33 | if [ ! -d $d ] ; then | ||
| 34 | continue | ||
| 35 | fi | ||
| 36 | files=`/usr/bin/find $d -name "$2" -type f 2>/dev/null` | ||
| 37 | for f in $files | ||
| 38 | do | ||
| 39 | if [ "$1" = "2" ] ; then | ||
| 40 | testf=`/usr/bin/file $f | egrep 'ython'` | ||
| 41 | if [ x"$testf" = "x" ] ; then | ||
| 42 | continue | ||
| 43 | fi | ||
| 44 | fi | ||
| 45 | syms=`egrep ' os.chroot' $f` | ||
| 46 | if [ x"$syms" != "x" ] ; then | ||
| 47 | syms=`egrep ' os.chdir' $f` | ||
| 48 | if [ x"$syms" = "x" ] ; then | ||
| 49 | if [ $FOUND = 0 ] ; then | ||
| 50 | printf "%-44s%s\n" "FILE" " PACKAGE" | ||
| 51 | FOUND=1 | ||
| 52 | fi | ||
| 53 | # Red | ||
| 54 | printf "\033[31m%-44s\033[m" $f | ||
| 55 | #rpm -qf --queryformat "%{NAME}-%{VERSION}" $f | ||
| 56 | rpm -qf --queryformat " %{SOURCERPM}" $f | ||
| 57 | echo | ||
| 58 | else | ||
| 59 | # One last test to see if chdir is within 4 | ||
| 60 | # lines of chroot | ||
| 61 | syms=`cat $f | egrep ' os.chroot' -A3 | egrep ' os.chdir'` | ||
| 62 | if [ x"$syms" = "x" ] ; then | ||
| 63 | if [ $FOUND = 0 ] ; then | ||
| 64 | printf "%-44s%s\n" "FILE" " PACKAGE" | ||
| 65 | FOUND=1 | ||
| 66 | fi | ||
| 67 | printf "\033[31m%-44s\033[m" $f | ||
| 68 | rpm -qf --queryformat " %{SOURCERPM}" $f | ||
| 69 | echo | ||
| 70 | fi | ||
| 71 | fi | ||
| 72 | fi | ||
| 73 | done | ||
| 74 | done | ||
| 75 | } | ||
| 76 | |||
| 77 | if [ $# -eq 1 ] ; then | ||
| 78 | if [ -d $1 ] ; then | ||
| 79 | scan 3 '*' $1 | ||
| 80 | else | ||
| 81 | echo "Input is not a directory" | ||
| 82 | exit 1 | ||
| 83 | fi | ||
| 84 | else | ||
| 85 | scan 2 '*' | ||
| 86 | scan 1 '*.py' | ||
| 87 | fi | ||
| 88 | |||
| 89 | if [ $FOUND -eq 0 ] ; then | ||
| 90 | # Nothing to report, just exit | ||
| 91 | echo "No problems found" 1>&2 | ||
| 92 | exit 0 | ||
| 93 | fi | ||
| 94 | exit 1 | ||
| 95 | |||
| 96 | |||
diff --git a/recipes-security/redhat-security/files/find-chroot.sh b/recipes-security/redhat-security/files/find-chroot.sh new file mode 100644 index 0000000..adce7fc --- /dev/null +++ b/recipes-security/redhat-security/files/find-chroot.sh | |||
| @@ -0,0 +1,93 @@ | |||
| 1 | #!/bin/sh | ||
| 2 | # | ||
| 3 | # find-chroot utility | ||
| 4 | # Copyright (c) 2011 Steve Grubb. ALL RIGHTS RESERVED. | ||
| 5 | # sgrubb@redhat.com | ||
| 6 | # | ||
| 7 | # This software may be freely redistributed under the terms of the GNU | ||
| 8 | # public license. | ||
| 9 | # | ||
| 10 | # You should have received a copy of the GNU General Public License | ||
| 11 | # along with this program; if not, write to the Free Software | ||
| 12 | # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. | ||
| 13 | # | ||
| 14 | # This program looks for apps that use chroot(2) without using chdir(2) | ||
| 15 | # | ||
| 16 | # To save to file: ./find-chroot | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | tee findings.txt | ||
| 17 | |||
| 18 | libdirs="/lib /lib64 /usr/lib /usr/lib64" | ||
| 19 | progdirs="/bin /sbin /usr/bin /usr/sbin /usr/libexec" | ||
| 20 | FOUND=0 | ||
| 21 | |||
| 22 | # First param is which list to use, second is search pattern | ||
| 23 | scan () { | ||
| 24 | if [ "$1" = "1" ] ; then | ||
| 25 | dirs=$libdirs | ||
| 26 | elif [ "$1" = "2" ] ; then | ||
| 27 | dirs=$progdirs | ||
| 28 | elif [ "$1" = "3" ] ; then | ||
| 29 | dirs=$3 | ||
| 30 | fi | ||
| 31 | |||
| 32 | for d in $dirs ; do | ||
| 33 | if [ ! -d $d ] ; then | ||
| 34 | continue | ||
| 35 | fi | ||
| 36 | files=`/usr/bin/find $d -name "$2" -type f 2>/dev/null` | ||
| 37 | for f in $files | ||
| 38 | do | ||
| 39 | syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' chroot@.*GLIBC'` | ||
| 40 | if [ x"$syms" != "x" ] ; then | ||
| 41 | syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' chdir@.*GLIBC'` | ||
| 42 | if [ x"$syms" = "x" ] ; then | ||
| 43 | if [ $FOUND = 0 ] ; then | ||
| 44 | printf "%-44s%s\n" "FILE" " PACKAGE" | ||
| 45 | FOUND=1 | ||
| 46 | fi | ||
| 47 | # Red | ||
| 48 | printf "\033[31m%-44s\033[m" $f | ||
| 49 | #rpm -qf --queryformat "%{NAME}-%{VERSION}" $f | ||
| 50 | rpm -qf --queryformat " %{SOURCERPM}" $f | ||
| 51 | echo | ||
| 52 | else | ||
| 53 | # One last test to see if chdir is within 3 | ||
| 54 | # lines of chroot | ||
| 55 | syms=`objdump -d $f | egrep callq | egrep 'chroot@plt' -A2 | egrep 'chroot|chdir'` | ||
| 56 | if [ x"$syms" = "x" ] ; then | ||
| 57 | syms=`echo $f | egrep -v 'libc-2|libc.so'` | ||
| 58 | if [ x"$syms" != "x" ] ; then | ||
| 59 | if [ $FOUND = 0 ] ; then | ||
| 60 | printf "%-44s%s\n" "FILE" "PACKAGE" | ||
| 61 | FOUND=1 | ||
| 62 | fi | ||
| 63 | printf "\033[31m%-44s\033[m" $f | ||
| 64 | rpm -qf --queryformat " %{SOURCERPM}" $f | ||
| 65 | echo | ||
| 66 | fi | ||
| 67 | fi | ||
| 68 | fi | ||
| 69 | fi | ||
| 70 | done | ||
| 71 | done | ||
| 72 | } | ||
| 73 | |||
| 74 | if [ $# -eq 1 ] ; then | ||
| 75 | if [ -d $1 ] ; then | ||
| 76 | scan 3 '*' $1 | ||
| 77 | else | ||
| 78 | echo "Input is not a directory" | ||
| 79 | exit 1 | ||
| 80 | fi | ||
| 81 | else | ||
| 82 | scan 2 '*' | ||
| 83 | scan 1 '*.so' | ||
| 84 | fi | ||
| 85 | |||
| 86 | if [ $FOUND -eq 0 ] ; then | ||
| 87 | # Nothing to report, just exit | ||
| 88 | echo "No problems found" 1>&2 | ||
| 89 | exit 0 | ||
| 90 | fi | ||
| 91 | exit 1 | ||
| 92 | |||
| 93 | |||
diff --git a/recipes-security/redhat-security/files/find-elf4tmp.sh b/recipes-security/redhat-security/files/find-elf4tmp.sh new file mode 100644 index 0000000..8f39baa --- /dev/null +++ b/recipes-security/redhat-security/files/find-elf4tmp.sh | |||
| @@ -0,0 +1,84 @@ | |||
| 1 | #!/bin/sh | ||
| 2 | # find_elf4tmp utility | ||
| 3 | # Copyright (c) 2010-12 Steve Grubb. ALL RIGHTS RESERVED. | ||
| 4 | # sgrubb@redhat.com | ||
| 5 | # | ||
| 6 | # This software may be freely redistributed under the terms of the GNU | ||
| 7 | # public license. | ||
| 8 | # | ||
| 9 | # You should have received a copy of the GNU General Public License | ||
| 10 | # along with this program; if not, write to the Free Software | ||
| 11 | # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. | ||
| 12 | |||
| 13 | # This script will search a directory and its subdirectories for all elf | ||
| 14 | # executables. It will then search for the use of the tmp directory. If it finds | ||
| 15 | # this is true, it will then check to see if XXX is being used which would | ||
| 16 | # indicate that the path is going to be randomized. | ||
| 17 | |||
| 18 | if [ $# -ge 2 ] ; then | ||
| 19 | echo "Usage: find_elf4tmp [directory]" 1>&2 | ||
| 20 | exit 1 | ||
| 21 | fi | ||
| 22 | if [ ! -x /usr/bin/eu-strings ] ; then | ||
| 23 | echo "Skipping due to missing /usr/bin/eu-strings utility" | ||
| 24 | exit 1 | ||
| 25 | fi | ||
| 26 | if [ -h /bin ] ; then | ||
| 27 | DIRS="/usr/bin /usr/sbin /usr/libexec /usr/kerberos /usr/games /usr/lib /usr/lib64 /usr/local" | ||
| 28 | else | ||
| 29 | DIRS="/bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/kerberos /usr/games /lib /lib64 /usr/lib /usr/lib64 /usr/local" | ||
| 30 | fi | ||
| 31 | if [ $# -eq 1 ] ; then | ||
| 32 | if [ -d "$1" ] ; then | ||
| 33 | DIRS="$1" | ||
| 34 | else | ||
| 35 | echo "Option passed in was not a directory" 1>&2 | ||
| 36 | exit 1 | ||
| 37 | fi | ||
| 38 | fi | ||
| 39 | |||
| 40 | FOUND=0 | ||
| 41 | for d in $DIRS | ||
| 42 | do | ||
| 43 | if [ ! -d $d ] ; then | ||
| 44 | continue | ||
| 45 | fi | ||
| 46 | # echo "Scanning files in $d..." | ||
| 47 | for f in `/usr/bin/find $d -type f 2>/dev/null` | ||
| 48 | do | ||
| 49 | # Get just the elf executables | ||
| 50 | testf=`echo $f | /usr/bin/file -n -f - 2>/dev/null | grep ELF` | ||
| 51 | if [ x"$testf" != "x" ] ; then | ||
| 52 | test_res=`/usr/bin/eu-strings $f | /bin/grep '/tmp/' | /bin/egrep -v 'XX|/tmp/$|[ .,:]/tmp/'` | ||
| 53 | if [ x"$test_res" = "x" ] ; then | ||
| 54 | continue | ||
| 55 | fi | ||
| 56 | |||
| 57 | # Do further examination... | ||
| 58 | syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' mkstemp@.*GLIBC| tempnam@.*GLIBC| tmpfile@.*GLIBC'` | ||
| 59 | if [ x"$syms" != "x" ] ; then | ||
| 60 | continue | ||
| 61 | fi | ||
| 62 | |||
| 63 | # Well its a bad one...out with it | ||
| 64 | FOUND=1 | ||
| 65 | |||
| 66 | # Get the package | ||
| 67 | RPM=`/bin/rpm -qf --queryformat "%{NAME}-%{VERSION}" $f 2>/dev/null | /bin/grep -v 'not owned' | /bin/sort | /usr/bin/uniq` | ||
| 68 | if [ x"$RPM" = "x" ] ; then | ||
| 69 | RPM="<unowned>" | ||
| 70 | fi | ||
| 71 | |||
| 72 | # For each tmp string, output the line | ||
| 73 | echo $test_res | /usr/bin/tr '\b' '\n' | /bin/awk 'NF >= 1 { printf "%-46s\t%-30s\t%s\n", f, r, $1 }' r=$RPM f=$f | ||
| 74 | fi | ||
| 75 | done | ||
| 76 | done | ||
| 77 | if [ $FOUND -eq 0 ] ; then | ||
| 78 | # Nothing to report, just exit | ||
| 79 | echo "No problems found" 1>&2 | ||
| 80 | exit 0 | ||
| 81 | fi | ||
| 82 | exit 1 | ||
| 83 | |||
| 84 | |||
diff --git a/recipes-security/redhat-security/files/find-execstack.sh b/recipes-security/redhat-security/files/find-execstack.sh new file mode 100644 index 0000000..85f16de --- /dev/null +++ b/recipes-security/redhat-security/files/find-execstack.sh | |||
| @@ -0,0 +1,72 @@ | |||
| 1 | #!/bin/sh | ||
| 2 | # | ||
| 3 | # find-execstack utility | ||
| 4 | # Copyright (c) 2007 Steve Grubb. ALL RIGHTS RESERVED. | ||
| 5 | # sgrubb@redhat.com | ||
| 6 | # | ||
| 7 | # This software may be freely redistributed under the terms of the GNU | ||
| 8 | # public license. | ||
| 9 | # | ||
| 10 | # You should have received a copy of the GNU General Public License | ||
| 11 | # along with this program; if not, write to the Free Software | ||
| 12 | # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. | ||
| 13 | # | ||
| 14 | # This program looks for executable stacks | ||
| 15 | # | ||
| 16 | |||
| 17 | libdirs="/lib /lib64 /usr/lib /usr/lib64" | ||
| 18 | progdirs="/bin /sbin /usr/bin /usr/sbin /usr/libexec" | ||
| 19 | FOUND=0 | ||
| 20 | |||
| 21 | # First param is which list to use, second is search pattern | ||
| 22 | scan () { | ||
| 23 | if [ "$1" = "1" ] ; then | ||
| 24 | dirs=$libdirs | ||
| 25 | elif [ "$1" = "2" ] ; then | ||
| 26 | dirs=$progdirs | ||
| 27 | fi | ||
| 28 | |||
| 29 | for d in $dirs ; do | ||
| 30 | if [ ! -d $d ] ; then | ||
| 31 | continue | ||
| 32 | fi | ||
| 33 | files=`/usr/bin/find $d -name "$2" -type f 2>/dev/null` | ||
| 34 | for f in $files | ||
| 35 | do | ||
| 36 | FOUND_ONE=0 | ||
| 37 | stacks=`/usr/bin/eu-readelf -l $f 2>/dev/null | grep STACK` | ||
| 38 | if [ x"$stacks" != "x" ] ; then | ||
| 39 | perms=`echo $stacks | /bin/awk '{ print $7 }'` | ||
| 40 | if [ x"$perms" != x -a "$perms" != "RW" ] ; then | ||
| 41 | FOUND_ONE=1 | ||
| 42 | fi | ||
| 43 | fi | ||
| 44 | old_stacks=`echo $stacks | /bin/grep -v GNU_STACK` | ||
| 45 | if [ x"$old_stacks" != "x" ] ; then | ||
| 46 | FOUND_ONE=1 | ||
| 47 | fi | ||
| 48 | heaps=`/usr/bin/eu-readelf -l $f 2>/dev/null | grep GNU_HEAP` | ||
| 49 | if [ x"$heaps" != "x" ] ; then | ||
| 50 | FOUND_ONE=1 | ||
| 51 | fi | ||
| 52 | if [ $FOUND_ONE = 1 ] ; then | ||
| 53 | printf "%-42s" $f | ||
| 54 | rpm -qf --queryformat "%{SOURCERPM}" $f | ||
| 55 | echo | ||
| 56 | FOUND=1 | ||
| 57 | fi | ||
| 58 | done | ||
| 59 | done | ||
| 60 | } | ||
| 61 | |||
| 62 | scan 1 '*.so' | ||
| 63 | scan 2 '*' | ||
| 64 | |||
| 65 | if [ $FOUND -eq 0 ] ; then | ||
| 66 | # Nothing to report, just exit | ||
| 67 | echo "No problems found" 1>&2 | ||
| 68 | exit 0 | ||
| 69 | fi | ||
| 70 | exit 1 | ||
| 71 | |||
| 72 | |||
diff --git a/recipes-security/redhat-security/files/find-hidden-exec.sh b/recipes-security/redhat-security/files/find-hidden-exec.sh new file mode 100644 index 0000000..f799fca --- /dev/null +++ b/recipes-security/redhat-security/files/find-hidden-exec.sh | |||
| @@ -0,0 +1,21 @@ | |||
| 1 | #!/bin/sh | ||
| 2 | # | ||
| 3 | # | ||
| 4 | # This software may be freely redistributed under the terms of the GNU | ||
| 5 | # public license. | ||
| 6 | # | ||
| 7 | # You should have received a copy of the GNU General Public License | ||
| 8 | # along with this program; if not, write to the Free Software | ||
| 9 | # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. | ||
| 10 | # | ||
| 11 | # This program looks for hidden executables | ||
| 12 | |||
| 13 | find / -name '.*' -type f -perm /00111 2>/dev/null | ||
| 14 | |||
| 15 | # Also need to find hidden dirs and see if anything below it is hidden | ||
| 16 | hidden_dirs=`find / -name '.*' -type d 2>/dev/null` | ||
| 17 | for d in $hidden_dirs | ||
| 18 | do | ||
| 19 | find $d -name '.*' -type f -perm /00111 2>/dev/null | ||
| 20 | done | ||
| 21 | |||
diff --git a/recipes-security/redhat-security/files/find-nodrop-groups.sh b/recipes-security/redhat-security/files/find-nodrop-groups.sh new file mode 100644 index 0000000..249eacd --- /dev/null +++ b/recipes-security/redhat-security/files/find-nodrop-groups.sh | |||
| @@ -0,0 +1,85 @@ | |||
| 1 | #!/bin/sh | ||
| 2 | # | ||
| 3 | # find-nodrop-groups utility | ||
| 4 | # Copyright (c) 2011 Steve Grubb. ALL RIGHTS RESERVED. | ||
| 5 | # sgrubb@redhat.com | ||
| 6 | # | ||
| 7 | # This software may be freely redistributed under the terms of the GNU | ||
| 8 | # public license. | ||
| 9 | # | ||
| 10 | # You should have received a copy of the GNU General Public License | ||
| 11 | # along with this program; if not, write to the Free Software | ||
| 12 | # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. | ||
| 13 | # | ||
| 14 | # This program looks for apps that use setgid(2) without using initgroups(3) | ||
| 15 | # or setgroups(2). | ||
| 16 | # | ||
| 17 | # To save to file: ./find-nodrop-groups | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | tee findings.txt | ||
| 18 | |||
| 19 | libdirs="/lib /lib64 /usr/lib /usr/lib64" | ||
| 20 | progdirs="/bin /sbin /usr/bin /usr/sbin /usr/libexec" | ||
| 21 | FOUND=0 | ||
| 22 | |||
| 23 | # First param is which list to use, second is search pattern | ||
| 24 | scan () { | ||
| 25 | if [ "$1" = "1" ] ; then | ||
| 26 | dirs=$libdirs | ||
| 27 | elif [ "$1" = "2" ] ; then | ||
| 28 | dirs=$progdirs | ||
| 29 | elif [ "$1" = "3" ] ; then | ||
| 30 | dirs=$3 | ||
| 31 | fi | ||
| 32 | |||
| 33 | for d in $dirs ; do | ||
| 34 | if [ ! -d $d ] ; then | ||
| 35 | continue | ||
| 36 | fi | ||
| 37 | files=`/usr/bin/find $d -name "$2" -type f 2>/dev/null` | ||
| 38 | for f in $files | ||
| 39 | do | ||
| 40 | syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setgid@.*GLIBC| setegid@.*GLIBC| setresgid@.*GLIBC'` | ||
| 41 | if [ x"$syms" != "x" ] ; then | ||
| 42 | syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setuid@.*GLIBC| seteuid@.*GLIBC| setresuid@.*GLIBC'` | ||
| 43 | if [ x"$syms" != "x" ] ; then | ||
| 44 | syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setgroups@.*GLIBC| initgroups@.*GLIBC'` | ||
| 45 | if [ x"$syms" = "x" ] ; then | ||
| 46 | if [ $FOUND = 0 ] ; then | ||
| 47 | printf "%-44s%s\n" "FILE" "PACKAGE" | ||
| 48 | fi | ||
| 49 | syms=`find $f \( -perm -004000 -o -perm -002000 \) -type f -print` | ||
| 50 | if [ x"$syms" = "x" ] ; then | ||
| 51 | printf "\033[31m%-44s\033[m" $f | ||
| 52 | rpm -qf --queryformat "%{SOURCERPM}" $f | ||
| 53 | echo | ||
| 54 | FOUND=1 | ||
| 55 | # else | ||
| 56 | # printf "\033[33m%-44s\033[m" $f | ||
| 57 | fi | ||
| 58 | #rpm -qf --queryformat "%{NAME}-%{VERSION}" $f | ||
| 59 | fi | ||
| 60 | fi | ||
| 61 | fi | ||
| 62 | done | ||
| 63 | done | ||
| 64 | } | ||
| 65 | |||
| 66 | if [ $# -eq 1 ] ; then | ||
| 67 | if [ -d $1 ] ; then | ||
| 68 | scan 3 '*' $1 | ||
| 69 | else | ||
| 70 | echo "Input is not a directory" | ||
| 71 | exit 1 | ||
| 72 | fi | ||
| 73 | else | ||
| 74 | scan 1 '*.so' | ||
| 75 | scan 2 '*' | ||
| 76 | fi | ||
| 77 | |||
| 78 | if [ $FOUND -eq 0 ] ; then | ||
| 79 | # Nothing to report, just exit | ||
| 80 | echo "No problems found" 1>&2 | ||
| 81 | exit 0 | ||
| 82 | fi | ||
| 83 | exit 1 | ||
| 84 | |||
| 85 | |||
diff --git a/recipes-security/redhat-security/files/find-sh4errors.sh b/recipes-security/redhat-security/files/find-sh4errors.sh new file mode 100644 index 0000000..0054a6a --- /dev/null +++ b/recipes-security/redhat-security/files/find-sh4errors.sh | |||
| @@ -0,0 +1,132 @@ | |||
| 1 | #!/bin/sh | ||
| 2 | # find_sh4errors utility | ||
| 3 | # Copyright (c) 2004 Steve Grubb. ALL RIGHTS RESERVED. | ||
| 4 | # sgrubb@redhat.com | ||
| 5 | # | ||
| 6 | # This software may be freely redistributed under the terms of the GNU | ||
| 7 | # public license. | ||
| 8 | # | ||
| 9 | # You should have received a copy of the GNU General Public License | ||
| 10 | # along with this program; if not, write to the Free Software | ||
| 11 | # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. | ||
| 12 | |||
| 13 | # This script will search a directory and its subdirectories for every shell | ||
| 14 | # script. It then runs sh -n to see if bash can determine if there are obvious | ||
| 15 | # parsing errors. It does have a bug in that bash -n does not take into | ||
| 16 | # account someone may program an unconditional exit and then include man page | ||
| 17 | # generation information. It also fails to notice the exec command. When you | ||
| 18 | # run across files that do either of the above, add it to the KNOWN_BAD list. | ||
| 19 | |||
| 20 | if [ $# -ge 2 ] ; then | ||
| 21 | echo "Usage: find_sh4errors [directory]" 1>&2 | ||
| 22 | exit 1 | ||
| 23 | fi | ||
| 24 | INTERPRETERS="wish wishx tclsh guile rep itkwish expect /etc/kde/kdm/Xsession /etc/X11/xdm/Xsession /usr/bin/festival perl hfssh" | ||
| 25 | SKIP_DIRS="/opt /home /root" | ||
| 26 | KNOWN_BAD="/usr/bin/kde-build /usr/bin/cvsversion samples/copifuncs/copi.sendifm1 bashdb bash_completion_test" | ||
| 27 | DIR="/" | ||
| 28 | if [ $# -eq 1 ] ; then | ||
| 29 | if [ -d "$1" ] ; then | ||
| 30 | DIR="$1" | ||
| 31 | else | ||
| 32 | echo "Option passed in was not a directory" 1>&2 | ||
| 33 | exit 1 | ||
| 34 | fi | ||
| 35 | fi | ||
| 36 | tempfile=`mktemp /tmp/sh4.XXXXXX` | ||
| 37 | tempfile2=`mktemp /tmp/sh4.XXXXXX` | ||
| 38 | if [ -z "$tempfile" -o -z "$tempfile2" ] ; then | ||
| 39 | echo ; echo "Unable to create tempfiles...aborting." 1>&2 ; echo | ||
| 40 | exit 1 | ||
| 41 | fi | ||
| 42 | trap "rm -f $tempfile; rm -f $tempfile2; exit 2" 1 2 3 5 15 | ||
| 43 | |||
| 44 | # Get executable files | ||
| 45 | #echo "Locating executables..." | ||
| 46 | /usr/bin/find $DIR -type f -perm /0111 -print >> $tempfile 2>/dev/null | ||
| 47 | FOUND=0 | ||
| 48 | #echo "Refining list to shell scripts..." | ||
| 49 | while read f | ||
| 50 | do | ||
| 51 | # Get just the shell scripts | ||
| 52 | testf=`echo $f | /usr/bin/file -n -f - | egrep 'ourne|POSIX shell'` | ||
| 53 | if [ x"$testf" != x ] ; then | ||
| 54 | echo $f >> $tempfile2 | ||
| 55 | FOUND=1 | ||
| 56 | fi | ||
| 57 | done < $tempfile | ||
| 58 | /bin/rm -f $tempfile | ||
| 59 | if [ $FOUND -eq 0 ] ; then | ||
| 60 | # Nothing to report, just exit | ||
| 61 | # echo "Examining shell scripts in $DIR" | ||
| 62 | # echo "No problems found" | ||
| 63 | /bin/rm -f $tempfile2 | ||
| 64 | exit 0 | ||
| 65 | fi | ||
| 66 | #echo "Examining shell scripts in $DIR" | ||
| 67 | FOUND=0 | ||
| 68 | while read i | ||
| 69 | do | ||
| 70 | # First see if the script calls an interpreter | ||
| 71 | SKIP=0 | ||
| 72 | for lang in $INTERPRETERS | ||
| 73 | do | ||
| 74 | if `/bin/cat "$i" 2>/dev/null | \ | ||
| 75 | grep "exec[ \t].*$lang" >/dev/null` ; then | ||
| 76 | SKIP=1 | ||
| 77 | break | ||
| 78 | fi | ||
| 79 | done | ||
| 80 | |||
| 81 | if [ $SKIP -eq 1 ] ; then | ||
| 82 | continue | ||
| 83 | fi | ||
| 84 | |||
| 85 | # See if this is in a dir we want to ignore | ||
| 86 | for d in $SKIP_DIRS | ||
| 87 | do | ||
| 88 | if `echo "$i" | /bin/grep "^\$d" >/dev/null`; then | ||
| 89 | SKIP=1 | ||
| 90 | break | ||
| 91 | fi | ||
| 92 | done | ||
| 93 | |||
| 94 | if [ $SKIP -eq 1 ] ; then | ||
| 95 | continue | ||
| 96 | fi | ||
| 97 | |||
| 98 | # Don't do the known naughty files | ||
| 99 | for bad in $KNOWN_BAD | ||
| 100 | do | ||
| 101 | if `echo "$i" | /bin/grep "$bad" >/dev/null`; then | ||
| 102 | SKIP=1 | ||
| 103 | break | ||
| 104 | fi | ||
| 105 | done | ||
| 106 | |||
| 107 | if [ $SKIP -eq 1 ] ; then | ||
| 108 | continue | ||
| 109 | fi | ||
| 110 | |||
| 111 | # Now examine them for correctness | ||
| 112 | interp=`/usr/bin/head -n 1 "$i" | /bin/awk '{ print $1 }' | \ | ||
| 113 | /usr/bin/tr -d '#!'` | ||
| 114 | if [ x"$interp" = "x" -o ! -x "$interp" ] ; then | ||
| 115 | interp="/bin/sh" | ||
| 116 | fi | ||
| 117 | $interp -n "$i" 2>/dev/null | ||
| 118 | if [ $? -ne 0 ] ; then | ||
| 119 | printf "%-44s" "$i" | ||
| 120 | rpm -qf --queryformat "%{NAME}-%{VERSION}" $i | ||
| 121 | echo | ||
| 122 | FOUND=1 | ||
| 123 | fi | ||
| 124 | done < $tempfile2 | ||
| 125 | /bin/rm -f $tempfile2 | ||
| 126 | if [ $FOUND -eq 0 ] ; then | ||
| 127 | # Nothing to report, just exit | ||
| 128 | # echo "No problems found" | ||
| 129 | exit 0 | ||
| 130 | fi | ||
| 131 | exit 1 | ||
| 132 | |||
diff --git a/recipes-security/redhat-security/files/find-sh4tmp.sh b/recipes-security/redhat-security/files/find-sh4tmp.sh new file mode 100644 index 0000000..7fd1af7 --- /dev/null +++ b/recipes-security/redhat-security/files/find-sh4tmp.sh | |||
| @@ -0,0 +1,116 @@ | |||
| 1 | #!/bin/sh | ||
| 2 | # find_sh4tmp utility | ||
| 3 | # Copyright (c) 2005 Steve Grubb. ALL RIGHTS RESERVED. | ||
| 4 | # sgrubb@redhat.com | ||
| 5 | # | ||
| 6 | # This software may be freely redistributed under the terms of the GNU | ||
| 7 | # public license. | ||
| 8 | # | ||
| 9 | # You should have received a copy of the GNU General Public License | ||
| 10 | # along with this program; if not, write to the Free Software | ||
| 11 | # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. | ||
| 12 | |||
| 13 | # This script will search a directory and its subdirectories for all shell | ||
| 14 | # scripts. It will then search for the use of the tmp directory. If it finds | ||
| 15 | # this is true, it will then try to determine if mktemp or something | ||
| 16 | # reasonable was used and exclude it. It has a bug in that it does not handle | ||
| 17 | # rm -f /tmp/ or mkdir /tmp/ correctly. If you run across files that do that, | ||
| 18 | # add them to the KNOWN_BAD list to ignore them. | ||
| 19 | |||
| 20 | if [ $# -ge 2 ] ; then | ||
| 21 | echo "Usage: find_sh4tmp [directory]" 1>&2 | ||
| 22 | exit 1 | ||
| 23 | fi | ||
| 24 | INTERPRETERS="wish wishx tclsh guile rep itkwish expect /etc/kde/kdm/Xsession /etc/X11/xdm/Xsession /usr/bin/festival perl hfssh" | ||
| 25 | SKIP_DIRS="/opt /home /root /mnt /media /dev /proc /selinux /sys /usr/share/doc" | ||
| 26 | KNOWN_BAD="kopete_latexconvert.sh cvs2dist fixfiles mysqlbug build/scripts/package/mkspec py-compile rc.sysinit init.d/xfs diff-jars grub-install mailshar vncserver Xsession sysreport cross-build vpkg rcs-to-cvs debug_check_log cvs2vendor tmpwatch ps2epsi mkdumprd xdg-open xdg-mime xdg-email gzexe" | ||
| 27 | DIR="/" | ||
| 28 | if [ $# -eq 1 ] ; then | ||
| 29 | if [ -d "$1" ] ; then | ||
| 30 | DIR="$1" | ||
| 31 | else | ||
| 32 | echo "Option passed in was not a directory" 1>&2 | ||
| 33 | exit 1 | ||
| 34 | fi | ||
| 35 | fi | ||
| 36 | tempfile=`mktemp /tmp/sh4.XXXXXX` | ||
| 37 | tempfile2=`mktemp /tmp/sh4.XXXXXX` | ||
| 38 | if [ -z "$tempfile" -o -z "$tempfile2" ] ; then | ||
| 39 | echo ; echo "Unable to create tempfiles...aborting." 1>&2 ; echo | ||
| 40 | exit 1 | ||
| 41 | fi | ||
| 42 | trap "rm -f $tempfile; rm -f $tempfile2; exit 2" 1 2 3 5 15 | ||
| 43 | |||
| 44 | # Get executable files | ||
| 45 | #echo "Scanning shell scripts in $DIR..." | ||
| 46 | find $DIR -type f -perm /0111 -print >> $tempfile 2>/dev/null | ||
| 47 | FOUND=0 | ||
| 48 | while read f | ||
| 49 | do | ||
| 50 | # Get just the shell scripts | ||
| 51 | testf=`echo $f | file -n -f - | egrep 'ourne|POSIX shell'` | ||
| 52 | if [ x"$testf" != x ] ; then | ||
| 53 | # FIXME: need to do something to get rid of echo, rm, or mkdir "/tmp/" | ||
| 54 | test_res=`cat $f 2>/dev/null | grep '\/tmp\/' | grep -v 'mktemp' | grep -v '^#'` | ||
| 55 | if [ x"$test_res" = x ] ; then | ||
| 56 | continue | ||
| 57 | fi | ||
| 58 | |||
| 59 | # Do further examination... | ||
| 60 | # First see if the script calls an interpreter | ||
| 61 | SKIP=0 | ||
| 62 | for lang in $INTERPRETERS | ||
| 63 | do | ||
| 64 | if `cat "$f" | grep "exec[ \t].*$lang" >/dev/null` ; then | ||
| 65 | SKIP=1 | ||
| 66 | break | ||
| 67 | fi | ||
| 68 | done | ||
| 69 | |||
| 70 | if [ $SKIP -eq 1 ] ; then | ||
| 71 | continue | ||
| 72 | fi | ||
| 73 | |||
| 74 | # See if this is in a dir we want to ignore | ||
| 75 | for d in $SKIP_DIRS | ||
| 76 | do | ||
| 77 | if `echo "$f" | grep "^\$d" >/dev/null`; then | ||
| 78 | SKIP=1 | ||
| 79 | break | ||
| 80 | fi | ||
| 81 | done | ||
| 82 | |||
| 83 | if [ $SKIP -eq 1 ] ; then | ||
| 84 | continue | ||
| 85 | fi | ||
| 86 | |||
| 87 | # Don't do the known naughty files | ||
| 88 | for bad in $KNOWN_BAD | ||
| 89 | do | ||
| 90 | if `echo "$f" | grep "$bad" >/dev/null`; then | ||
| 91 | SKIP=1 | ||
| 92 | break | ||
| 93 | fi | ||
| 94 | done | ||
| 95 | |||
| 96 | if [ $SKIP -eq 1 ] ; then | ||
| 97 | continue | ||
| 98 | fi | ||
| 99 | |||
| 100 | # Well its a bad one...out with it | ||
| 101 | printf "%-44s" $f | ||
| 102 | rpm -qf --queryformat "%{NAME}-%{VERSION}" $f | ||
| 103 | echo | ||
| 104 | FOUND=1 | ||
| 105 | fi | ||
| 106 | done < $tempfile | ||
| 107 | rm -f $tempfile | ||
| 108 | if [ $FOUND -eq 0 ] ; then | ||
| 109 | # Nothing to report, just exit | ||
| 110 | # echo "No problems found" | ||
| 111 | rm -f $tempfile2 | ||
| 112 | exit 0 | ||
| 113 | fi | ||
| 114 | exit 1 | ||
| 115 | |||
| 116 | |||
diff --git a/recipes-security/redhat-security/files/lib-bin-check.sh b/recipes-security/redhat-security/files/lib-bin-check.sh new file mode 100644 index 0000000..1e2d930 --- /dev/null +++ b/recipes-security/redhat-security/files/lib-bin-check.sh | |||
| @@ -0,0 +1,31 @@ | |||
| 1 | #!/bin/sh | ||
| 2 | |||
| 3 | # This software may be freely redistributed under the terms of the GNU | ||
| 4 | # public license. | ||
| 5 | # | ||
| 6 | # You should have received a copy of the GNU General Public License | ||
| 7 | # along with this program; if not, write to the Free Software | ||
| 8 | # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. | ||
| 9 | |||
| 10 | found=0 | ||
| 11 | list=`rpm -qa --queryformat "%{NAME}-%{VERSION}.%{ARCH}\n" | grep '^lib' | egrep -v '\-utils\-|\-bin\-|\-tools\-|\-client\-|libreoffice|\-plugin\-'` | ||
| 12 | for p in $list | ||
| 13 | do | ||
| 14 | bin=`rpm -ql $p | egrep '^/bin|^/sbin|^/usr/bin|^/usr/sbin' | grep -v '\-config'` | ||
| 15 | if [ "x$bin" != "x" ]; then | ||
| 16 | testf=`echo $bin | /usr/bin/file -n -f - 2>/dev/null | grep ELF` | ||
| 17 | if [ x"$testf" != "x" ] ; then | ||
| 18 | found=1 | ||
| 19 | echo "$p could be split into a utils package" | ||
| 20 | fi | ||
| 21 | fi | ||
| 22 | done | ||
| 23 | |||
| 24 | if [ $found = 0 ]; then | ||
| 25 | echo "No problems found" | ||
| 26 | exit 0 | ||
| 27 | fi | ||
| 28 | |||
| 29 | exit 1 | ||
| 30 | |||
| 31 | |||
diff --git a/recipes-security/redhat-security/files/rpm-chksec.sh b/recipes-security/redhat-security/files/rpm-chksec.sh new file mode 100644 index 0000000..983c218 --- /dev/null +++ b/recipes-security/redhat-security/files/rpm-chksec.sh | |||
| @@ -0,0 +1,279 @@ | |||
| 1 | #!/bin/sh | ||
| 2 | # rpm-chksec | ||
| 3 | # | ||
| 4 | # Copyright (c) 2011-2013 Steve Grubb. ALL RIGHTS RESERVED. | ||
| 5 | # sgrubb@redhat.com | ||
| 6 | # | ||
| 7 | # This software may be freely redistributed under the terms of the GNU | ||
| 8 | # public license. | ||
| 9 | # | ||
| 10 | # You should have received a copy of the GNU General Public License | ||
| 11 | # along with this program; if not, write to the Free Software | ||
| 12 | # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. | ||
| 13 | # | ||
| 14 | # Given an rpm, it will look at each file to check that its compiled with | ||
| 15 | # the intended flags to make it more secure. Things that are green are OK. | ||
| 16 | # Anything in yellow could be better but is passable. Anything in red needs | ||
| 17 | # attention. | ||
| 18 | # | ||
| 19 | # If the --all option is given, it will generate a list of rpms and then | ||
| 20 | # summarize the rpm's state. For yes, then all files are in the expected | ||
| 21 | # state. Just one file not compiled with the right flags can turn the | ||
| 22 | # answer to no. Re-run passing that package (instead of --all) for the details. | ||
| 23 | # | ||
| 24 | # To save to file: ./rpm-chksec | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | tee output.txt | ||
| 25 | |||
| 26 | VERSION="0.5.2" | ||
| 27 | |||
| 28 | usage () { | ||
| 29 | echo "rpm-chksec [--version|--all|<rpmname>...]" | ||
| 30 | if [ ! -x /usr/bin/filecap ] ; then | ||
| 31 | echo "You need to install libcap-ng-utils to test capabilities" | ||
| 32 | fi | ||
| 33 | if [ $EUID != 0 ] ; then | ||
| 34 | echo "You might need to be root to read some files" | ||
| 35 | fi | ||
| 36 | exit 0 | ||
| 37 | } | ||
| 38 | |||
| 39 | if [ "$1" = "--help" -o $# -eq 0 ] ; then | ||
| 40 | usage | ||
| 41 | fi | ||
| 42 | if [ "$1" = "--version" ] ; then | ||
| 43 | echo "rpm-chksec $VERSION" | ||
| 44 | exit 0 | ||
| 45 | fi | ||
| 46 | if [ "$1" = "--all" ] ; then | ||
| 47 | MODE="all" | ||
| 48 | else | ||
| 49 | MODE="single" | ||
| 50 | fi | ||
| 51 | |||
| 52 | do_one () { | ||
| 53 | if ! rpm -q $1 >/dev/null 2>&1 ; then | ||
| 54 | if [ "$MODE" = "single" ] ; then | ||
| 55 | echo "$1 is not installed" | ||
| 56 | exit 1 | ||
| 57 | else | ||
| 58 | echo "not installed" | ||
| 59 | return | ||
| 60 | fi | ||
| 61 | fi | ||
| 62 | files=`rpm -ql $1` | ||
| 63 | |||
| 64 | # Look for daemons, need this for later... | ||
| 65 | DAEMON="" | ||
| 66 | for f in $files | ||
| 67 | do | ||
| 68 | if [ ! -f "$f" ] ; then | ||
| 69 | continue | ||
| 70 | fi | ||
| 71 | if [ `echo "$f" | grep '\/etc\/rc.d\/init.d'` ] ; then | ||
| 72 | n=`basename "$f"` | ||
| 73 | t=`which "$n" 2>/dev/null` | ||
| 74 | if [ x"$t" != "x" ] ; then | ||
| 75 | DAEMON="$DAEMON $t" | ||
| 76 | continue | ||
| 77 | fi | ||
| 78 | t=`which "$n"d 2>/dev/null` | ||
| 79 | if [ x"$t" != "x" ] ; then | ||
| 80 | DAEMON="$DAEMON $t" | ||
| 81 | continue | ||
| 82 | fi | ||
| 83 | t=`cat "$f" 2>/dev/null | grep 'bin' | grep 'exit 5' | grep -v '\$'` | ||
| 84 | if [ x"$t" != "x" ] ; then | ||
| 85 | DAEMON="$DAEMON $t" | ||
| 86 | continue | ||
| 87 | fi | ||
| 88 | if [ "$MODE" = "single" ] ; then | ||
| 89 | echo "Can't find the executable in $f but daemon rules would apply" | ||
| 90 | fi | ||
| 91 | elif [ `echo "$f" | grep '\/lib\/systemd\/'` ] ; then | ||
| 92 | t=`cat "$f" | grep -i '^ExecStart=' | tr '=' ' ' | awk '{ print $2 }'` | ||
| 93 | if [ x"$t" != "x" ] ; then | ||
| 94 | DAEMON="$DAEMON $t" | ||
| 95 | continue | ||
| 96 | fi | ||
| 97 | fi | ||
| 98 | done | ||
| 99 | |||
| 100 | # Prevent garbled output when doing --all. | ||
| 101 | skip_current=0 | ||
| 102 | |||
| 103 | for f in $files | ||
| 104 | do | ||
| 105 | if [ ! -f "$f" ] ; then | ||
| 106 | continue | ||
| 107 | fi | ||
| 108 | # Some packages have files with ~ in them. This avoids it. | ||
| 109 | if ! echo "$f" | grep '^/' >/dev/null ; then | ||
| 110 | continue | ||
| 111 | fi | ||
| 112 | if [ ! -r "$f" ] && [ $EUID != 0 ] ; then | ||
| 113 | if [ $MODE = "single" ] ; then | ||
| 114 | echo "Please re-test $f as the root user" | ||
| 115 | else | ||
| 116 | # Don't print results. | ||
| 117 | skip_current=1 | ||
| 118 | echo "Please re-test $1 as the root user" | ||
| 119 | fi | ||
| 120 | continue | ||
| 121 | fi | ||
| 122 | if ! file "$f" | grep -qw 'ELF'; then | ||
| 123 | continue | ||
| 124 | fi | ||
| 125 | RELRO="no" | ||
| 126 | if readelf -l "$f" 2>/dev/null | grep -q 'GNU_RELRO'; then | ||
| 127 | RELRO="partial" | ||
| 128 | fi | ||
| 129 | if readelf -d "$f" 2>/dev/null | grep -q 'BIND_NOW'; then | ||
| 130 | RELRO="full" | ||
| 131 | fi | ||
| 132 | PIE="no" | ||
| 133 | if readelf -h "$f" 2>/dev/null | grep -q 'Type:[[:space:]]*DYN'; then | ||
| 134 | PIE="DSO" | ||
| 135 | if readelf -d "$f" 2>/dev/null | grep -q '(DEBUG)'; then | ||
| 136 | PIE="yes" | ||
| 137 | fi | ||
| 138 | fi | ||
| 139 | APP="" | ||
| 140 | if [ x"$DAEMON" != "x" ] ; then | ||
| 141 | for d in $DAEMON | ||
| 142 | do | ||
| 143 | if [ "$f" = "$d" ] ; then | ||
| 144 | APP="daemon" | ||
| 145 | break | ||
| 146 | fi | ||
| 147 | done | ||
| 148 | fi | ||
| 149 | if [ x"$APP" = "x" ] ; then | ||
| 150 | # See if this is a library or a setuid app | ||
| 151 | if [ `echo "$f" | grep '\/lib' | grep '\.so'` ] ; then | ||
| 152 | APP="library" | ||
| 153 | elif [ `find "$f" -perm -004000 -type f -print` ] ; then | ||
| 154 | APP="setuid" | ||
| 155 | elif [ `find "$f" -perm -002000 -type f -print` ] ; then | ||
| 156 | APP="setgid" | ||
| 157 | elif [ -x /usr/bin/filecap ] && [ `filecap "$f" 2> /dev/null | wc -w` -gt 0 ] ; then | ||
| 158 | APP="setcap" | ||
| 159 | else | ||
| 160 | syms1=`/usr/bin/readelf -s "$f" 2>/dev/null | egrep ' connect@.*GLIBC| listen@.*GLIBC| accept@.*GLIBC|accept4@.*GLIBC'` | ||
| 161 | syms2=`/usr/bin/readelf -s "$f" 2>/dev/null | egrep ' getaddrinfo@.*GLIBC| getnameinfo@.*GLIBC| getservent@.*GLIBC| getservbyname@.*GLIBC| getservbyport@.*GLIBC|gethostbyname@.*GLIBC| gethostbyname2@.*GLIBC| gethostbyaddr@.*GLIBC| gethostbyaddr2@.*GLIBC'` | ||
| 162 | if [ x"$syms1" != "x" ] ; then | ||
| 163 | if [ x"$syms2" != "x" ] ; then | ||
| 164 | APP="network-ip" | ||
| 165 | else | ||
| 166 | APP="network-local" | ||
| 167 | fi | ||
| 168 | fi | ||
| 169 | fi | ||
| 170 | fi | ||
| 171 | if [ x"$APP" = "x" ] ; then | ||
| 172 | APP="exec" | ||
| 173 | fi | ||
| 174 | |||
| 175 | # OK, ready for the output | ||
| 176 | if [ "$MODE" = "single" ] ; then | ||
| 177 | printf "%-56s %-10s " "$f" $APP | ||
| 178 | if [ "$APP" = "daemon" -o "$APP" = "setuid" -o "$APP" = "setgid" -o "$APP" = "setcap" -o "$APP" = "network-ip" -o "$APP" = "network-local" ] ; then | ||
| 179 | if [ "$RELRO" = "full" ] ; then | ||
| 180 | printf "\033[32m%-7s\033[m " $RELRO | ||
| 181 | elif [ "$RELRO" = "partial" ] ; then | ||
| 182 | printf "\033[33m%-7s\033[m " $RELRO | ||
| 183 | else | ||
| 184 | printf "\033[31m%-7s\033[m " $RELRO | ||
| 185 | fi | ||
| 186 | if [ "$PIE" = "yes" ] ; then | ||
| 187 | printf "\033[32m%-4s\033[m" $PIE | ||
| 188 | else | ||
| 189 | printf "\033[31m%-4s\033[m" $PIE | ||
| 190 | fi | ||
| 191 | elif [ "$APP" = "library" ] ; then | ||
| 192 | if [ "$RELRO" = "full" -o "$RELRO" = "partial" ] ; then | ||
| 193 | printf "\033[32m%-7s\033[m " $RELRO | ||
| 194 | else | ||
| 195 | printf "\033[31m%-7s\033[m " $RELRO | ||
| 196 | fi | ||
| 197 | printf "\033[32m%-4s\033[m" $PIE | ||
| 198 | else | ||
| 199 | # $APP = exec - we want partial relro | ||
| 200 | if [ "$RELRO" = "no" ] ; then | ||
| 201 | printf "\033[31m%-7s\033[m " $RELRO | ||
| 202 | else | ||
| 203 | printf "\033[32m%-7s\033[m " $RELRO | ||
| 204 | fi | ||
| 205 | printf "\033[32m%-4s\033[m" $PIE | ||
| 206 | fi | ||
| 207 | echo | ||
| 208 | else | ||
| 209 | if [ "$APP" = "daemon" -o "$APP" = "setuid" -o "$APP" = "setgid" -o "$APP" = "setcap" -o "$APP" = "network-ip" -o "$APP" = "network-local" ] ; then | ||
| 210 | if [ "$RELRO" = "no" ] ; then | ||
| 211 | RELRO_SUM="no" | ||
| 212 | APP_SUM="$APP" | ||
| 213 | fi | ||
| 214 | if [ "$PIE" = "no" ] ; then | ||
| 215 | PIE_SUM="no" | ||
| 216 | APP_SUM="$APP" | ||
| 217 | fi | ||
| 218 | elif [ "$APP" = "library" ] ; then | ||
| 219 | if [ "$RELRO" = "no" ] ; then | ||
| 220 | RELRO_SUM="no" | ||
| 221 | APP_SUM="$APP" | ||
| 222 | fi | ||
| 223 | # $APP = exec - must have partial or full relro | ||
| 224 | elif [ "$RELRO" = "no" ] ; then | ||
| 225 | RELRO_SUM="no" | ||
| 226 | APP_SUM="$APP" | ||
| 227 | fi | ||
| 228 | fi | ||
| 229 | done | ||
| 230 | } | ||
| 231 | |||
| 232 | if [ "$MODE" = "single" ] ; then | ||
| 233 | printf "%-56s %-10s %-7s %-4s" "FILE" "TYPE" "RELRO" "PIE" | ||
| 234 | echo | ||
| 235 | for i; do | ||
| 236 | f=$(basename $1) | ||
| 237 | # Strip the .rpm extension, if present. | ||
| 238 | do_one ${f%%.rpm} | ||
| 239 | shift | ||
| 240 | done | ||
| 241 | exit 0 | ||
| 242 | fi | ||
| 243 | |||
| 244 | # Skip the kernel as its special | ||
| 245 | packages=`rpm -qa --queryformat "%{NAME}.%{ARCH}\n" | egrep -v 'kernel.|debuginfo.|.noarch|gpg-pubkey' | sort` | ||
| 246 | printf "%-50s %-5s %-4s %-14s" "PACKAGE" "RELRO" "PIE" "CLASS" | ||
| 247 | echo | ||
| 248 | for p in $packages | ||
| 249 | do | ||
| 250 | RELRO_SUM="yes" | ||
| 251 | PIE_SUM="yes" | ||
| 252 | APP_SUM="" | ||
| 253 | printf "%-50s " $p | ||
| 254 | do_one $p | ||
| 255 | if [[ $skip_current -eq 1 ]] ; then | ||
| 256 | continue | ||
| 257 | fi | ||
| 258 | if [ "$RELRO_SUM" = "yes" ] ; then | ||
| 259 | printf "\033[32m%-5s\033[m " "$RELRO_SUM" | ||
| 260 | else | ||
| 261 | printf "\033[31m%-5s\033[m " "$RELRO_SUM" | ||
| 262 | fi | ||
| 263 | if [ "$PIE_SUM" = "yes" ] ; then | ||
| 264 | printf "\033[32m%-4s\033[m" "$PIE_SUM" | ||
| 265 | if [ "$RELRO_SUM" = "no" ] ; then | ||
| 266 | printf " %-14s" "$APP_SUM" | ||
| 267 | fi | ||
| 268 | else | ||
| 269 | if [ "$APP_SUM" = "network-local" ] ; then | ||
| 270 | printf "\033[33m%-4s\033[m %-14s" "$PIE_SUM" "$APP_SUM" | ||
| 271 | else | ||
| 272 | printf "\033[31m%-4s\033[m %-14s" "$PIE_SUM" "$APP_SUM" | ||
| 273 | fi | ||
| 274 | fi | ||
| 275 | echo | ||
| 276 | done | ||
| 277 | exit 0 | ||
| 278 | |||
| 279 | |||
diff --git a/recipes-security/redhat-security/files/rpm-drop-groups.sh b/recipes-security/redhat-security/files/rpm-drop-groups.sh new file mode 100644 index 0000000..8c75783 --- /dev/null +++ b/recipes-security/redhat-security/files/rpm-drop-groups.sh | |||
| @@ -0,0 +1,131 @@ | |||
| 1 | #!/bin/sh | ||
| 2 | # rpm-drop-groups | ||
| 3 | # | ||
| 4 | # Copyright (c) 2011 Steve Grubb. ALL RIGHTS RESERVED. | ||
| 5 | # sgrubb@redhat.com | ||
| 6 | # | ||
| 7 | # This software may be freely redistributed under the terms of the GNU | ||
| 8 | # public license. | ||
| 9 | # | ||
| 10 | # You should have received a copy of the GNU General Public License | ||
| 11 | # along with this program; if not, write to the Free Software | ||
| 12 | # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. | ||
| 13 | # | ||
| 14 | # Given an rpm, it will look at each file to check if it tries to change | ||
| 15 | # group and user credentials. If so, it further tries to determine if | ||
| 16 | # it also calls setgroups or initgroups. To correctly change groups, the | ||
| 17 | # program must drop supplemntal groups. Programs are classified into: n/a | ||
| 18 | # meaning no group dropping occurs, yes its done correctly, and no meaning | ||
| 19 | # there seems to be a problem. | ||
| 20 | # | ||
| 21 | # If the --all option is given, it will generate a list of rpms and then | ||
| 22 | # summarize the rpm's state. For yes, then all files are in the expected | ||
| 23 | # state. Just one program failing can turn the package's summary to no. | ||
| 24 | # Re-run passing that package (instead of --all) for the details. | ||
| 25 | # | ||
| 26 | # To save to file: ./rpm-drop-groups | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | tee output.txt | ||
| 27 | |||
| 28 | VERSION="0.1" | ||
| 29 | |||
| 30 | usage () { | ||
| 31 | echo "rpm-drop-groups [--all|<rpmname>|--version]" | ||
| 32 | exit 0 | ||
| 33 | } | ||
| 34 | |||
| 35 | if [ "$1" = "--help" -o $# -eq 0 ] ; then | ||
| 36 | usage | ||
| 37 | fi | ||
| 38 | if [ "$1" = "--version" ] ; then | ||
| 39 | echo "rpm-drop-groups $VERSION" | ||
| 40 | exit 0 | ||
| 41 | fi | ||
| 42 | if [ "$1" = "--all" ] ; then | ||
| 43 | MODE="all" | ||
| 44 | else | ||
| 45 | MODE="single" | ||
| 46 | fi | ||
| 47 | |||
| 48 | do_one () { | ||
| 49 | if ! rpm -q $1 >/dev/null 2>&1 ; then | ||
| 50 | if [ "$MODE" = "single" ] ; then | ||
| 51 | echo "$1 is not installed" | ||
| 52 | exit 1 | ||
| 53 | else | ||
| 54 | echo "not installed" | ||
| 55 | return | ||
| 56 | fi | ||
| 57 | fi | ||
| 58 | files=`rpm -ql $1` | ||
| 59 | |||
| 60 | for f in $files | ||
| 61 | do | ||
| 62 | if [ ! -f $f ] ; then | ||
| 63 | continue | ||
| 64 | fi | ||
| 65 | if ! file $f | grep -q 'ELF'; then | ||
| 66 | continue | ||
| 67 | fi | ||
| 68 | |||
| 69 | CORRECT="n/a" | ||
| 70 | syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setgid@.*GLIBC| setegid@.*GLIBC| setresgid@.*GLIBC'` | ||
| 71 | if [ x"$syms" != "x" ] ; then | ||
| 72 | CORRECT="yes" | ||
| 73 | syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setuid@.*GLIBC| seteuid@.*GLIBC| setresuid@.*GLIBC'` | ||
| 74 | if [ x"$syms" != "x" ] ; then | ||
| 75 | syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setgroups@.*GLIBC| initgroups@.*GLIBC'` | ||
| 76 | if [ x"$syms" = "x" ] ; then | ||
| 77 | syms=`find $f \( -perm -004000 -o -perm -002000 \) -type f -print` | ||
| 78 | if [ x"$syms" = "x" ] ; then | ||
| 79 | CORRECT="no" | ||
| 80 | fi | ||
| 81 | fi | ||
| 82 | fi | ||
| 83 | fi | ||
| 84 | |||
| 85 | # OK, ready for the output | ||
| 86 | if [ "$MODE" = "single" ] ; then | ||
| 87 | printf "%-60s " $f | ||
| 88 | if [ "$CORRECT" = "yes" ] ; then | ||
| 89 | printf "\033[32m%-7s\033[m " $CORRECT | ||
| 90 | elif [ "$CORRECT" = "no" ] ; then | ||
| 91 | printf "\033[31m%-7s\033[m " $CORRECT | ||
| 92 | else | ||
| 93 | printf "\033[33m%-7s\033[m " $CORRECT | ||
| 94 | fi | ||
| 95 | echo | ||
| 96 | else | ||
| 97 | if [ "$CORRECT" = "no" ] ; then | ||
| 98 | CORRECT_SUM="no" | ||
| 99 | fi | ||
| 100 | fi | ||
| 101 | done | ||
| 102 | } | ||
| 103 | |||
| 104 | if [ "$MODE" = "single" ] ; then | ||
| 105 | printf "%-60s%-7s" "FILE" "CORRECT" | ||
| 106 | echo | ||
| 107 | for i; do | ||
| 108 | do_one $1 | ||
| 109 | shift | ||
| 110 | done | ||
| 111 | exit 0 | ||
| 112 | fi | ||
| 113 | |||
| 114 | packages=`rpm -qa --queryformat "%{NAME}.%{ARCH}\n" | sort` | ||
| 115 | printf "%-50s %-7s" "PACKAGE" "CORRECT" | ||
| 116 | echo | ||
| 117 | for p in $packages | ||
| 118 | do | ||
| 119 | CORRECT_SUM="yes" | ||
| 120 | printf "%-50s " $p | ||
| 121 | do_one $p | ||
| 122 | if [ "$CORRECT_SUM" = "yes" ] ; then | ||
| 123 | printf "\033[32m%-7s\033[m " $CORRECT_SUM | ||
| 124 | else | ||
| 125 | printf "\033[31m%-7s\033[m " $CORRECT_SUM | ||
| 126 | fi | ||
| 127 | echo | ||
| 128 | done | ||
| 129 | exit 0 | ||
| 130 | |||
| 131 | |||
diff --git a/recipes-security/redhat-security/files/selinux-check-devices.sh b/recipes-security/redhat-security/files/selinux-check-devices.sh new file mode 100644 index 0000000..ef996d7 --- /dev/null +++ b/recipes-security/redhat-security/files/selinux-check-devices.sh | |||
| @@ -0,0 +1,12 @@ | |||
| 1 | #!/bin/sh | ||
| 2 | |||
| 3 | # This software may be freely redistributed under the terms of the GNU | ||
| 4 | # public license. | ||
| 5 | # | ||
| 6 | # You should have received a copy of the GNU General Public License | ||
| 7 | # along with this program; if not, write to the Free Software | ||
| 8 | # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. | ||
| 9 | |||
| 10 | find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n" | ||
| 11 | |||
| 12 | |||
diff --git a/recipes-security/redhat-security/files/selinux-ls-unconfined.sh b/recipes-security/redhat-security/files/selinux-ls-unconfined.sh new file mode 100644 index 0000000..6868413 --- /dev/null +++ b/recipes-security/redhat-security/files/selinux-ls-unconfined.sh | |||
| @@ -0,0 +1,19 @@ | |||
| 1 | #!/bin/sh | ||
| 2 | |||
| 3 | # This software may be freely redistributed under the terms of the GNU | ||
| 4 | # public license. | ||
| 5 | # | ||
| 6 | # You should have received a copy of the GNU General Public License | ||
| 7 | # along with this program; if not, write to the Free Software | ||
| 8 | # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. | ||
| 9 | |||
| 10 | # This checks for unconfined apps running, initrc and inetd are signs | ||
| 11 | # of missing transitions. | ||
| 12 | |||
| 13 | pidof xinetd >/dev/null | ||
| 14 | if [ $? -eq 0 ] ; then | ||
| 15 | ps -eZ | egrep "initrc|inetd" | egrep -v `pidof xinetd` | tr ':' ' ' | awk '{ printf "%s %s\n", $3, $NF }' | ||
| 16 | else | ||
| 17 | ps -eZ | egrep "initrc" | tr ':' ' ' | awk '{ printf "%s %s\n", $3, $NF }' | ||
| 18 | fi | ||
| 19 | |||
diff --git a/recipes-security/redhat-security/redhat-security_1.0.bb b/recipes-security/redhat-security/redhat-security_1.0.bb new file mode 100644 index 0000000..edab390 --- /dev/null +++ b/recipes-security/redhat-security/redhat-security_1.0.bb | |||
| @@ -0,0 +1,38 @@ | |||
| 1 | DESCRIPTION = "Tools used by redhat linux distribution for security checks" | ||
| 2 | SECTION = "security" | ||
| 3 | LICENSE = "GPLv2" | ||
| 4 | LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6" | ||
| 5 | PR = "r0" | ||
| 6 | |||
| 7 | SRC_URI = "file://find-chroot-py.sh \ | ||
| 8 | file://find-chroot.sh \ | ||
| 9 | file://find-elf4tmp.sh \ | ||
| 10 | file://find-execstack.sh \ | ||
| 11 | file://find-hidden-exec.sh \ | ||
| 12 | file://find-nodrop-groups.sh \ | ||
| 13 | file://find-sh4errors.sh \ | ||
| 14 | file://find-sh4tmp.sh \ | ||
| 15 | file://lib-bin-check.sh \ | ||
| 16 | file://rpm-chksec.sh \ | ||
| 17 | file://rpm-drop-groups.sh \ | ||
| 18 | file://selinux-check-devices.sh \ | ||
| 19 | file://selinux-ls-unconfined.sh" | ||
| 20 | |||
| 21 | S = "${WORKDIR}" | ||
| 22 | |||
| 23 | do_install() { | ||
| 24 | install -d ${D}${bindir} | ||
| 25 | install -m 0755 ${WORKDIR}/find-chroot-py.sh ${D}${bindir} | ||
| 26 | install -m 0755 ${WORKDIR}/find-chroot.sh ${D}${bindir} | ||
| 27 | install -m 0755 ${WORKDIR}/find-elf4tmp.sh ${D}${bindir} | ||
| 28 | install -m 0755 ${WORKDIR}/find-execstack.sh ${D}${bindir} | ||
| 29 | install -m 0755 ${WORKDIR}/find-hidden-exec.sh ${D}${bindir} | ||
| 30 | install -m 0755 ${WORKDIR}/find-nodrop-groups.sh ${D}${bindir} | ||
| 31 | install -m 0755 ${WORKDIR}/find-sh4errors.sh ${D}${bindir} | ||
| 32 | install -m 0755 ${WORKDIR}/find-sh4tmp.sh ${D}${bindir} | ||
| 33 | install -m 0755 ${WORKDIR}/lib-bin-check.sh ${D}${bindir} | ||
| 34 | install -m 0755 ${WORKDIR}/rpm-chksec.sh ${D}${bindir} | ||
| 35 | install -m 0755 ${WORKDIR}/rpm-drop-groups.sh ${D}${bindir} | ||
| 36 | install -m 0755 ${WORKDIR}/selinux-check-devices.sh ${D}${bindir} | ||
| 37 | install -m 0755 ${WORKDIR}/selinux-ls-unconfined.sh ${D}${bindir} | ||
| 38 | } | ||
