#!/bin/sh
#
#     tiger - A UN*X security checking system
#     Copyright (C) 1993 Douglas Lee Schales, David K. Hess, David R. Safford
#
#     Please see the file `COPYING' for the complete copyright notice.
#
# check_known - 06/14/93
#
# 04/27/93 dls "1's complement" check of /bin/login added
# 06/06/93 dls Moved 1's complement check to SunOS 4.x specific
#
#-----------------------------------------------------------------------------
#
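# NOTE(review): this assignment looks like an install-time placeholder
# ('.' = run from the source tree) — keep the line shape intact so an
# installer rewriting it still matches it.  TODO confirm against the
# install procedure.
TigerInstallDir='.'

#
# Set default base directory.
# Order of preference:
#      -B option
#      TIGERHOMEDIR environment variable
#      TigerInstallDir installed location
#
# Whatever ends up in $basedir is later sourced as $basedir/config, so
# this value decides which code the checker executes; only a trusted
# install tree should ever be given here.
#
basedir=${TIGERHOMEDIR:=$TigerInstallDir}

# -B takes the argument that follows it, wherever it appears on the
# command line.  (The old code read $2 unconditionally, which is only
# right when -B is the first argument.)  A trailing -B with no value
# leaves $basedir at its default.
next_is_basedir=''
for parm
do
   if [ -n "$next_is_basedir" ]; then
     basedir=$parm
     break
   fi
   case $parm in
   -B) next_is_basedir='Y';;
   esac
done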

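#
# Verify that a config file exists there, and if it does
# source it.
#
# Both '.' lines below execute whatever is found at those paths with
# this script's privileges, so $basedir must point at the trusted
# install tree only.  Expansions are quoted so a base directory with
# blanks or glob characters is handled as one path.
#
[ ! -r "$basedir/config" ] && {
  echo "--ERROR-- [init002e] No 'config' file in \`$basedir'."
  exit 1
}

. "$basedir/config"

# BASEDIR is expected to be set by config.  The helpers used further
# down (haveallcmds, haveallfiles, haveallvars, message, delete) are not
# defined in this file; presumably they come from initdefs — confirm.
# '.' on a missing file terminates a non-interactive sh, so no separate
# readability check is done here.
. "$BASEDIR/initdefs"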

#
# If run in test mode (-t) this will verify that all required
# elements are set.
#
# CC and RM are demanded here but never referenced in the body of this
# script (the history above says the 1's complement check moved out);
# TAIL, MAILSPOOL, TESTSUID and TESTEXEC are used below but probed
# per check rather than required here.
#
if [ "$Tiger_TESTMODE" = 'Y' ]; then
  haveallcmds AWK CAT CC EGREP FIND GET_MOUNTS LS RM SED SGREP STRINGS TR || exit 1
  haveallfiles BASEDIR WORKDIR || exit 1
  # Unlike the two checks above, a missing variable is not fatal to
  # the configuration test.
  haveallvars TESTLINK HOSTNAME

  echo "--CONFIG-- [init003c] $0: Configuration ok..."
  exit 0
fi

#------------------------------------------------------------------------
printf '\n# Checking for known intrusion signs...\n'

# Hard requirements of the checks below.  Optional tools are probed per
# check with haveallcmds further down, so a missing one only skips that
# single check instead of aborting the whole script.
{ haveallcmds LS CAT && haveallfiles BASEDIR WORKDIR; } || exit 1

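{
  # Marker files and directories that historic intrusion kits left behind.
  # Entries such as /var/crash/... and /usr/kvm/... are literal names.
  file_list="/usr/spool/uucppublic/.hushlogin /usr/spool/secretmail/.l /tmp/a
/usr/spool/secretmail/.log /usr/spool/secretmail/.tty
/usr/spool/secretmail/.lock /usr/tmp/.log /usr/spool/uucp/.sys
/usr/uucp/.sys /var/crash/... /usr/etc/.getwd /var/crash/.getwd /usr/kvm/... /dev/.tty /dev/.test"

  # Word-splitting of $file_list is intentional (whitespace separated
  # fixed paths).  This loop used to read $file_LIST, a variable that is
  # never set, so the whole marker-file check was silently skipped.
  # '-s' means a zero-length marker is deliberately not reported; the
  # kis002a text ("not zero-length") documents that choice.
  for file in $file_list
  do
    [ -s "$file" ] || continue
    if [ -d "$file" ]; then
      message ALERT kis001a "" "$file is a directory."
      $LS -AlR "$file"
      echo
    else
      # The file's contents are copied verbatim into the report.
      message ALERT kis002a "" "$file is not zero-length."
      $CAT "$file"
      echo
    fi
  done

  # Window-server socket directories should hold nothing but sockets
  # (and pipes); anything else is reported with a full listing.
  haveallcmds EGREP FIND && {
    for serverdir in /tmp/.X11-unix /tmp/.NeWS-unix
    do
      [ -d "$serverdir" ] || continue
      # The egrep drops the directory entry itself from find's output.
      nonsocket=`$FIND "$serverdir/" ! -type s -a ! -type p -print |
      $EGREP -v '^'"$serverdir"'/$'`
      [ -n "$nonsocket" ] && {
        message ALERT kis003a "" "$serverdir contains files other than window server sockets:"
        $LS -alR "$serverdir"
        echo
      }
    done
  }

  # lost+found on every local file system should be empty apart from
  # the '#NNNN' entries fsck creates.
  haveallcmds GET_MOUNTS AWK FIND SED TR && {
    $GET_MOUNTS local |
    $AWK '{
      if($1 == "/")
        print "/lost+found";
      else
        print $1 "/lost+found";
    }' |
    while read -r dir
    do
      if [ -d "$dir" ]; then
        # This loop runs in the pipeline's subshell, so the cd does not
        # leak out.  A failed cd must skip the directory: $FIND . would
        # otherwise scan whatever directory the previous iteration left
        # and attribute its contents to $dir.
        cd "$dir" || continue
        files=`$FIND . -print | $SED -e 's%^./%%' -e '/^.$/d' -e '/^..$/d'`
        # Strip the fsck-style '#NNNN' names; whatever remains was not
        # put there by fsck.
        alertfiles=`echo "$files" |
                    $TR ' ' '\012' |
                    $SED -e 's%^#\{1\}[0-9][0-9.]*$%%g'`
        if [ -n "$alertfiles" ]; then
          # Unquoted on purpose: one newline-separated name per argument.
          message WARN kis004w "" "$dir contains possible non-fsck files:"
          $LS -alR $alertfiles
          echo
        elif [ -n "$files" ]; then
          # $alertfiles is empty in this branch, so list $files (the old
          # code printed an empty "Files:" detail here).
          message WARN kis004w "Files: $files" "$dir is not empty:"
        fi
      fi
    done
  }

  # Crude signature scan of the login binary: printable strings
  # containing 'back' or 'BACK' are treated as a possible trojaned
  # login.  The scratch file lives under WORKDIR, which should not be a
  # shared, world-writable directory.
  haveallcmds STRINGS SGREP && {
    $STRINGS - /bin/login > "$WORKDIR/login.str.$$"
    for pattern in back BACK
    do
      $SGREP "$pattern" "$WORKDIR/login.str.$$" && {
        message ALERT kis005a "" "/bin/login may contain backdoor login"
      }
    done
    delete "$WORKDIR/login.str.$$"
  }

  # TESTSUID is an external program that exercises setuid(2); it is run
  # only when configured.  TESTEXEC is presumably a test(1) file
  # operator (left unquoted on purpose) — TODO confirm in config.
  [ -n "$TESTSUID" ] && [ $TESTEXEC "$TESTSUID" ] && {
    $TESTSUID ||
    message ALERT kis007a "" "The setuid(2) system call is compromised."
  }

  # Every file in the mail spool is expected to be named after its
  # owner; a mismatch is reported.
  haveallcmds AWK LS TAIL &&
  haveallfiles BASEDIR MAILSPOOL WORKDIR && (
    echo
    echo "# Performing check of files in system mail spool..."

    # Subshell: the cd is confined here.  Bail out rather than listing
    # whatever the current directory happens to be.
    cd "$MAILSPOOL" || exit 1

    # $3 is the owner column of 'ls -al'; $NF only sees the last
    # whitespace-separated word, so a name containing blanks is
    # compared (and reported) truncated.
    $LS -al |
    $TAIL +2 |
    $AWK '{print $3, $NF}' |
    while read -r owner file
    do
      [ "$file" != '.' ] && [ "$file" != '..' ] && [ "$file" != ':saved' ] &&
      [ "$owner" != "$file" ] &&
      message WARN kis008w "" "File \"$file\" in the mail spool, owned by \`$owner'."
    done
  )
} |
$OUTPUTMETHOD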
#
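# Findings are reported through message/$OUTPUTMETHOD above; reaching
# this point always exits 0 (the duplicate, unreachable exits that
# followed have been dropped).
exit 0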
