riddle@ut-sally.UUCP (Prentiss Riddle) (01/16/85)
: This is a shar archive.  Extract with sh, not csh.
echo x - README
sed -e 's/^X//' > README << '!RoNnIe!RaYgUn!'
XFindsuid is a little utility we dreamt up to watch for potential Trojan horse
Xprograms by keeping an eye on our suid and sgid files and telling us when
Xthey change unexpectedly.
X
XWe run it using the following line in crontab:
X
X	40 3 * * * /etc/findsuid/findsuid >/etc/findsuid/fserror 2>&1
X
XIncluded here is the findsuid shell script, a man page, a makefile, and a
Xsample "stop" file.
X
X--- Prentiss Riddle ("Aprendiz de todo, maestro de nada.")
X--- {ihnp4,harvard,seismo,gatech,ctvax}!ut-sally!riddle
!RoNnIe!RaYgUn!
echo x - Makefile
sed -e 's/^X//' > Makefile << '!RoNnIe!RaYgUn!'
XFSLIB=/etc/findsuid
X
Xall:
X# Do nothing.
X
Xinstall:
X	cp findsuid.sh ${FSLIB}/findsuid
X	chmod 740 ${FSLIB}/findsuid
X
Xclean:
X# Do nothing.
!RoNnIe!RaYgUn!
echo x - findsuid.8
sed -e 's/^X//' > findsuid.8 << '!RoNnIe!RaYgUn!'
X.TH FINDSUID 8L "18 October 1984"
X.UC
X.SH NAME
Xfindsuid \- find changes in setuid and setgid files
X.SH SYNOPSIS
X.B findsuid
X.SH DESCRIPTION
X.I Findsuid
Xis a
Xshell script intended to be run periodically by
X.IR cron (8)
Xin order
Xto spot changes in files with the suid or sgid bits set.
X.PP
X.I Findsuid
Xuses
X.IR find (1)
Xto search system directories for all files with the 4000 or 2000 permission
Xbits set.  It then compares these files with the contents of a ``stop file''
Xcontaining
X.B "ls -lga"
Xoutput for known setuid or setgid programs.
XAny additions or changes to this list represent potential security
Xproblems, so they are reported by mail to system administrators for further
Xinvestigation.
X.SH FILES
X.nf
X/etc/findsuid/stop	the ``stop file''
X.fi
X.SH "SEE ALSO"
Xfind(1), chmod(1), cron(8)
X.SH BUGS
XThe location of the stop file, the directories to be searched and the
Xnames of users to be informed of changes are all defined by shell variables
Xin the source.
X.PP
XKeeping the stop files up to date with changes to all
Xthe suid files on more than a couple of hosts is a royal pain!
!RoNnIe!RaYgUn!
echo x - findsuid.sh
sed -e 's/^X//' > findsuid.sh << '!RoNnIe!RaYgUn!'
X#! /bin/sh
X#
X# findsuid 840919 Prentiss Riddle
X#
X# Shell script intended to be run periodically by cron in order
X# to spot changes in files with the suid or sgid bits set.
X#
X# Findsuid uses find(1) to search the directories in $SEARCH for all
X# files with the 4000 or 2000 permission bits set.  $STOP is a file
X# containing "ls -lga" output for known setuid or setgid programs.
X# Any additions or changes to this list represent potential security
X# problems, so they are reported to the users named in $INFORM.
X#
XINFORM="findsuid"
XSEARCH="/"
XSTOP=/etc/findsuid/stop
XTEMPOLD=/tmp/fsold$$
XTEMPCUR=/tmp/fscur$$
XTEMPNEW=/tmp/fsnew$$
XTEMPM=/tmp/fsm$$
X
Xumask 077
X# find the setuid programs and sort
Xfind $SEARCH \( -perm -4000 -o -perm -2000 \) -exec ls -lga {} \; | \
X	sort > $TEMPCUR
X# compare with the sorted stop list
Xsort <$STOP >$TEMPOLD
Xcomm -13 $TEMPOLD $TEMPCUR | sort +8 >$TEMPNEW
X# report changes
Xif test -s $TEMPNEW; then
X	echo 'Subject: New setuid or setgid files found on '`hostname`'.' >$TEMPM
X	echo '' >>$TEMPM
X	echo 'The following files have their setuid or setgid bits' >>$TEMPM
X	echo 'set and are not listed in '$STOP >>$TEMPM
X	echo 'or have changed:' >>$TEMPM
X	echo '' >>$TEMPM
X	cat $TEMPNEW >>$TEMPM
X	/bin/mail $INFORM <$TEMPM
X	/bin/rm $TEMPM
Xfi
X/bin/rm $TEMPOLD $TEMPCUR $TEMPNEW
!RoNnIe!RaYgUn!
echo x - stop.sample
sed -e 's/^X//' > stop.sample << '!RoNnIe!RaYgUn!'
X-rwsr-xr-x 1 root bin 10240 Jun 13 13:13 /bin/chgrp
X-rwsr-xr-x 1 root bin 12288 Jun 13 13:13 /bin/df
X-rws--s--- 1 root term 22528 Aug 13 13:13 /bin/login
X-rws------ 1 root bin 21504 Jun 13 13:13 /bin/login.old
X-rwsr-xr-x 1 root bin 22528 Jun 13 13:13 /bin/mail
X-rwsr-xr-x 1 root bin 14336 Jun 13 13:13 /bin/passwd
X-rwxr-sr-x 1 root MEM 22528 Jun 13 13:13 /bin/ps
X-rwsr-xr-x 1 root bin 16384 Jun 13 13:13 /bin/su
X-rwxr-sr-x 1 root MEM 14336 Jun 13 13:13 /etc/dmesg
X-rwsr-x--- 1 root operator 29696 Jun 13 13:13 /etc/dump
!RoNnIe!RaYgUn!
exit
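The scan-then-compare step that findsuid performs, written out as an added example (not part of Prentiss Riddle's posting) so it can be run on constructed listings. The function names scan_suid, new_suid and demo and the sample stop/current lines are assumptions of this example; the listing format (one "ls -l"-style line per file, path in the ninth field) is the one the stop file uses.

```shell
#!/bin/sh
# Added example, not from the original posting: the findsuid comparison
# step as reusable functions, exercised here on constructed listings.
# Assumed format: one "ls -l"-style line per setuid/setgid file, path in
# field 9, in both the baseline ("stop file") and the current scan.

# scan_suid DIR...: current listing of setuid/setgid regular files, in the
# same shape as the stop file (the same find(1) test findsuid itself uses).
scan_suid() {
    find "$@" \( -perm -4000 -o -perm -2000 \) -type f -exec ls -l {} \;
}

# new_suid STOPFILE CURRENT: lines of CURRENT that do not appear in STOPFILE
# byte for byte, i.e. files that are new or whose mode, owner, group, size
# or mtime changed; sorted by path like "sort +8" in findsuid.
# mktemp replaces the predictable /tmp/fs*$$ names of the original script.
new_suid() {
    _b=$(mktemp) || return 1
    _c=$(mktemp) || { rm -f "$_b"; return 1; }
    sort "$1" >"$_b"
    sort "$2" >"$_c"
    comm -13 "$_b" "$_c" | sort -k 9
    rm -f "$_b" "$_c"
}

# demo: constructed baseline and "current" listings. /bin/su keeps its mode
# but shows a new size and mtime, and one unexpected setuid binary appears;
# both are reported, while /bin/passwd and /bin/ps (unchanged) are not.
demo() {
    _d=$(mktemp -d) || return 1
    cat >"$_d/stop" <<'EOF'
-rwsr-xr-x 1 root bin 14336 Jun 13 13:13 /bin/passwd
-rwxr-sr-x 1 root MEM 22528 Jun 13 13:13 /bin/ps
-rwsr-xr-x 1 root bin 16384 Jun 13 13:13 /bin/su
EOF
    cat >"$_d/cur" <<'EOF'
-rwsr-xr-x 1 root bin 14336 Jun 13 13:13 /bin/passwd
-rwxr-sr-x 1 root MEM 22528 Jun 13 13:13 /bin/ps
-rwsr-xr-x 1 root bin 20480 Jun 14 02:10 /bin/su
-rwsr-xr-x 1 root bin 8192 Jun 14 02:11 /usr/local/bin/newtool
EOF
    new_suid "$_d/stop" "$_d/cur"
    rm -rf "$_d"
}

demo
```

Because the comparison is byte-for-byte, a changed mtime or size on a known binary is reported exactly like a brand-new setuid file, which is the behaviour the man page's "additions or changes" describes.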