To help us administer our systems, we have written a few short scripts (which can go in our standard toolset). The first searches for root-owned files with ACLs and reports the filename along with the actual ACL to a log file. If we run this script from cron regularly and examine the log file, we can be sure that no one can quietly hide an extra access grant in a file's ACL. The script is cumbersome in the way it finds the ACLs (it runs ls -ld on every root-owned file), so it is advisable to run it during a quiet time. The script is as follows:
#!/bin/ksh
# shell script called from the root crontab to
# search for files owned by root, but with ACLs set
# and report them to a log
#
date=$(date +%d%m%y)
aclLog=/usr/local/utils/logs/acl_${date}.log
prog=$(basename $0)
# for each file with ACLs set write the filename and the
# ACL to the log file
# (ls -ld marks an ACL with a '+' in the 11th column; sed keeps only
# the last field, the filename)
for file in $(find / -user root -exec ls -ld {} \; | grep '^..........+' | sed 's/^.* //')
do
    echo "$file has the following ACL set:"
    getfacl "$file"
    echo "==================================="
done > $aclLog
The above script will only report ACLs on files and directories that belong to root. The sort of thing we would need to look out for is a file whose standard permissions only allow root to update it, but whose ACL also allows some other user to update it. The script could be improved by making it report only the files that are a potential threat (to save us from having to search through the log for them).
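The improvement suggested above, written here as an added example rather than the book's own script: a filter that reads getfacl output (one or more files, as produced by the loop in the script) and prints only the named user or group entries that grant write access. The mask is taken into account, because a named entry's write bit is only effective when the mask carries it too. The getfacl text at the bottom is constructed for the example; the file names and users in it are not real.

```shell
#!/bin/sh
# risky_acl_entries: read getfacl(1)-style output on stdin and print
# "<file> <acl entry>" for every named user/group entry with an effective
# write permission. Added example, not the original script.
risky_acl_entries() {
    awk '
    function flush(   i, f) {
        for (i = 1; i <= n; i++) {
            split(entries[i], f, ":")     # f[1]=type  f[2]=name  f[3]=perms
            # named entries are filtered by the mask: write is only effective
            # when both the entry and the mask carry w
            if (index(f[3], "w") > 0 && index(mask, "w") > 0)
                print file " " entries[i]
        }
        n = 0
    }
    BEGIN { n = 0; mask = "rwx" }
    /^# file:/ { flush(); file = $3; mask = "rwx"; next }   # next file block
    /^#/       { next }                                      # other getfacl comments
    { sub(/[ \t]+#.*$/, "") }                  # drop "#effective:" annotations
    /^mask::/  { split($0, m, ":"); mask = m[3]; next }
    /^(user|group):[^:]+:/ { entries[++n] = $0; next }      # named user or group
    END { flush() }
    '
}

# Constructed getfacl output for two imaginary files: the first grants alice
# write access through a named entry, the second has a named entry for bob
# whose write bit is cancelled by the mask.
SAMPLE_ACLS='# file: /etc/secret
# owner: root
# group: root
user::rw-
user:alice:rw-
group::r--
group:wheel:r-x
mask::rw-
other::r--
# file: /etc/masked
# owner: root
# group: root
user::rw-
user:bob:rw-
group::r--
mask::r--
other::r--'

# In the cron script the real call would be:
#   getfacl "$file" | risky_acl_entries >> $aclLog
printf '%s\n' "$SAMPLE_ACLS" | risky_acl_entries
```

Only /etc/secret is reported, because bob's entry on /etc/masked is masked down to read-only and the owner's own user:: entry is never a threat. The root-owned find loop of the original script stays as it is; its getfacl output is simply piped through this filter instead of straight into the log.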
The second script is based on the examples we saw earlier of using find to report setuid files, but this time we have taken the work away from the administrator. The script looks for setuid files owned by root that are writeable by group or others. If any are found, an email is sent to the root user so the administrator does not need to examine any logs:
#!/bin/ksh
# shell script called from the root crontab to
# search for setuid files owned by root that are writeable
# by group or other
# Alert the system administrator of any found by email
# (in ls -ld output column 6 is the group write bit and
# column 9 the other write bit; sed keeps only the filename)
grpw=$(find / -user root -perm -4000 -type f -exec ls -ld {} \; | grep '^.....w' | sed 's/.* //')
othw=$(find / -user root -perm -4000 -type f -exec ls -ld {} \; | grep '^........w' | sed 's/.* //')
if [[ ! -z ${grpw} ]]
then
    echo "WARNING - The following files are setuid root and writable by group $grpw" | mail root
fi
if [[ ! -z ${othw} ]]
then
    echo "WARNING - The following files are setuid root and writable by anyone $othw" | mail root
fi
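The same check can be handed entirely to find, which avoids walking the filesystem twice and avoids the ls/grep/sed pipeline that breaks on filenames containing spaces. The function below is an added example, not the book's script; the directory and owner are parameters so that it can be demonstrated on a constructed temporary directory owned by the current user (the cron job would call it as writable_setuid_files / root and pipe the result to mail root).

```shell
#!/bin/sh
# writable_setuid_files DIR OWNER: print regular files under DIR owned by
# OWNER that are setuid and writable by group or other, one per line.
# find applies the permission tests itself (-perm -4000 = setuid,
# -perm -020 = group write, -perm -002 = other write). Added example.
writable_setuid_files() {
    dir=$1
    owner=$2
    find "$dir" -user "$owner" -type f -perm -4000 \
        \( -perm -020 -o -perm -002 \) -print 2>/dev/null
}

# Demonstration on a constructed tree in a temporary directory: two setuid
# files, one writable by owner only and one group-writable. Prints the base
# names of the files reported (only "bad" is expected).
demo() {
    d=$(mktemp -d) || return 1
    touch "$d/ok" "$d/bad"
    chmod 4755 "$d/ok"      # setuid, owner-writable only: not reported
    chmod 4775 "$d/bad"     # setuid and group-writable: reported
    writable_setuid_files "$d" "$(id -un)" | sed 's#.*/##'
    rm -r "$d"
}

# Cron usage would be, for example:
#   found=$(writable_setuid_files / root)
#   [ -n "$found" ] && printf 'WARNING - setuid root and writable:\n%s\n' "$found" | mail root
demo
```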