Internal Production: Last Updated 2007-11-19
Overview of permchk and process-setuid
Describe monitoring and management of suid and sguid binaries.
General security guidelines require identifying all suid and sgid binaries on a system
and ensuring the integrity of those files.
Typically platform IAOs will review any vendor-supplied sguid binary for need and reduce permissions if appropriate.
These programs are intended to run on "system" filesystems, which may be mounted to allow suid|sgid execution.
User filesystems (home, wrkdir, archive) are typically mounted 'nosuid' and, due to their potential size,
should be monitored via other tools that walk inodes for multiple purposes (such as finding world-writable files).
Note, files with ACLs are also reported since ACLs can conceal access not shown via mode.
Document Index / Related Documentation
The following scripts and files under /usr/local/adm [pkg/permchk] are used:
File Function
---- --------
bin/permchk platform independent driver/reporting script
bin/permchk_os platform configuration script
bin/process-setuid platform independent validation script
bin/process-setuid_os platform configuration script
etc/sguid.list registered suid|sgid binaries
The process-setuid script runs on a node and can:
- Compare current sguid binaries against a registered sguid.list.
- Update registered list with current mode and ownership of sguid binaries.
- Swap file mode and ownership to vendor default (old) in registered sguid.list.
- Swap file mode and ownership to ARSC values (new) in registered sguid.list.
While process-setuid is intended to detect new sguid binaries and
validate registered ones, the sguid.list file can also contain
other files where mode, ownership, and checksum must be monitored.
The permchk script is a driver script launching 'process-setuid compare new'
on a collection of managed systems using push, dsh, or pdsh and
emailing a report of anomalies.
Typically permchk entries are added to crontab/sysmon on either
admin1 or the platform management server (csmberg, csmflyer, mn1sm, ...).
The sguid.list file has the following format:
#OS ARCH OldMode OldOwn OldGrp NewMode NewOwn NewGrp Size Sum-r FILENAME [#Comment]
#-- ---- ------- ------ ------ ------- ------ ------ ---- ----- --------
sys web7 . . . 4755 root sys 13728 20626 /usr/bin/atq
5.8 Sun . . . 4755 root sys 13728 32898 /usr/bin/atq
5.10 Sun . . . 4755 root sys 19108 31463 /usr/bin/atq
msk h.* . . . 4755 root root 14123 17208 /bin/atq
Where columns are:
- OS: either operating system version or "sys" for a host specific entry
- ARCH: either platform architecture or a hostname if OS is "sys"
- OldMode: octal mode of file as shipped or "." if unchanged by ARSC
- OldOwn: username of file as shipped or "." if unchanged by ARSC
- OldGrp: group of file as shipped or "." if unchanged by ARSC
- NewMode: ARSC registered octal mode of file
- NewOwn: ARSC registered username of file
- NewGrp: ARSC registered group of files
- Size: size in bytes of file, or:
- "+" to indicate size and sum can be ignored
- "-" to indicate file does not exist (use for "sys" entries)
- "." to accept current size when "update new" specified
- "!" to indicate file is a regular expression
- Sum-r: the "sum -r" (uals -yr) of the file or "+", "-", or "."
- FILENAME: full path of the binary or file
- #Comment: optional comment
Note:
- Only the first applicable configuration line per file is used; e.g.,
always specify "sys" entries above platform generic entries.
- The OS and ARCH fields are determined within the process-setuid_os script based on
'uname -rsn' values.
For Linux, typically:
- the first three fields of 'uname -r' will identify OS
- either hostname or a sub-field of 'uname -r' determines ARCH
- RHEL systems tend to be identified as ARCH "ELsmp"
- SuSE/SLES systems tend to be identified as ARCH "smp"
- Fedora systems tend to be identified as ARCH "FC#smp"
- Special systems, such as nelchina require explicit recognition in process-setuid_os
- Lines beginning with "#" are comments and blank lines are ignored.
The process-setuid script maintains information about suid and sgid files:
admin1: process-setuid --help
Usage: process-setuid_os [-options] command setting
command:
compare # compares current with old or new settings
update # records current as old or new settings (to stdout)
convert # converts file from size only to size and checksum
swap # swaps current settings with old or new (requires sudo)
setting:
new # site-defined settings
old # original (vendor-defined) settings
Options:
-l list # specify sguid.list, current: /usr/local/adm/etc/sguid.list
-v # verbose ('set -x')
-h # this information
Note:
- The compare option is used for routine (daily|weekly) checks to identify new files or
incorrect mode|owner|sum of registered files.
- The update option is used to rebuild the registered list (after review) following upgrades or application of patch sets.
- The convert option is for special purposes only and is rewritten whenever the
sguid.list syntax changes.
- The swap option can be used to regress mode|ownership to vendor-shipped
values prior to an upgrade, then reset them to ARSC registered values afterward.
This process should be followed so that any suid changes shipped by the vendor with the upgrade are identified for review.
- Details:
- Comparison results are reported to STDERR.
- Comparisons are always done no matter which command is used.
- Comparisons with swap are against the OPPOSITE old/new value
since it is assumed swapping occurs from-old-to-new or new-to-old.
- An updated sguid.list is written to STDOUT with update|convert.
- With swap, files have their mode/owner/group changed; this requires sudo and can be dangerous.
- Directories with suid|sgid bits are NOT reported.
- New files with suid|sgid and no execute mode bit are reported as 'info:'.
- Other new suid|sgid files with execute mode (user|group|other) are reported (STDERR)
and written to STDOUT with update.
- Duplicate configuration file entries are reported as 'warn:'.
- Program Flow:
- Invoke process-setuid_os for platform specific settings
- Generate current settings of all registered files by piping sguid.list filenames into:
'sudo uals --input -Ud --fields tmogsr'
- Generate list of all suid|sgid|acl files in registered filesystems via:
'sudo uals --type f -URA --or --acl --mode 7000 --fields tf --mount'
- Read configuration file line-by-line:
- parse line and verify data on line
- if comment or not applicable for this system:
- update: output line
- next line
- if line is a duplicate: warn and go to next line
- if registered file:
- if found mark so not reported as new
- if not found issue warning about missing file
- if size|sum registered as "." accept current size|sum
- if size registered as "+" ignore size|sum else validate size and sum
- validate mode and ownership
- update: output settings
- swap: change file settings
- update: output any new files
- if no differences exit(0) else exit(#differences)
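To make the sguid.list format and the compare pass above concrete, here is an added Python emulation of 'process-setuid compare new'; it is not part of the permchk package. The sguid.list fragment, the current-file table standing in for the 'uals --fields tmogsr' output, the suid|sgid file walk, and the host/OS/ARCH values (admin1, 5.10, Sun) are all constructed for the example.

```python
import re

# Constructed sguid.list fragment (not the site's list). Field order per line:
# OS ARCH OldMode OldOwn OldGrp NewMode NewOwn NewGrp Size Sum-r FILENAME [#Comment]
SGUID_LIST = """\
sys  admin1 . . . 4755 root sys 13728 20626 /usr/bin/atq       # host entry, listed first
5.10 Sun    . . . 4511 root lp  +     +     /usr/bin/lpstat     # "+": size and sum ignored
5.10 Sun    . . . 0755 root bin -     -     /etc/init.d/web     # "-": registered as absent
5.10 Sun    . . . 4511 root lp  +     +     /usr/bin/lpstat     # duplicate -> Warn
5.10 Sun    . . . 0755 root bin +     +     /export/software/adm/pkg/ftptools/CheckFTP
"""
# Constructed stand-in for 'uals --fields tmogsr' output: mode, owner, group, size, sum -r.
CURRENT = {
    '/usr/bin/atq':        ('4755', 'root', 'sys', 13728, 20626),
    '/usr/bin/lpstat':     ('0755', 'root', 'lp',  27504, 57968),
    '/usr/bin/lpstat.bak': ('4511', 'root', 'lp',  27504, 57968),
}
# Constructed stand-in for the suid|sgid walk of the registered filesystems.
SGUID_FOUND = {'/usr/bin/atq', '/usr/bin/lpstat.bak'}

def compare_new(list_text, current, sguid_found, os_ver, arch, hostname):
    """Emulate 'process-setuid compare new': return (messages, number of differences).
    Simplified: "!" regex FILENAME entries are not handled; later lines for a seen file are duplicates."""
    msgs, seen, diffs, unregistered = [], set(), 0, set(sguid_found)
    for raw in list_text.splitlines():
        f = raw.split('#', 1)[0].split()            # drop comments and blank lines
        if not f: continue
        os_, arch_pat, mode, own, grp, size, sum_r, fname = (f[i] for i in (0, 1, 5, 6, 7, 8, 9, 10))
        # "sys" lines match on hostname; generic lines on OS and ARCH (ARCH may be a regex)
        if os_ == 'sys':
            if arch_pat != hostname: continue
        elif os_ != os_ver or not re.fullmatch(arch_pat, arch): continue
        if fname in seen:                            # only the first applicable line counts
            msgs.append(f'Warn: Skipping duplicate entry found for: {fname}'); continue
        seen.add(fname)
        unregistered.discard(fname)                  # registered files are not "new"
        if size == '-': continue                     # registered as absent on this system
        if fname not in current:                     # missing: Warn, or info when size is "+"
            msgs.append(f'{"info: Skipping variable size missing" if size == "+" else "Warn: Missing"} file: {fname}'); continue
        cmode, cown, cgrp, csize, csum = current[fname]
        if size not in ('+', '.') and (csize, csum) != (int(size), int(sum_r)):
            msgs.append(f'current size: {csize} {csum} is not new {size} {sum_r}: {fname}'); diffs += 1
        for label, cur, reg in (('mode', cmode, mode), ('owner', cown, own), ('group', cgrp, grp)):
            if (int(cur, 8) != int(reg, 8)) if label == 'mode' else (cur != reg):
                msgs.append(f'current {label}: {cur} is not new {reg} for: {fname}'); diffs += 1
    for fname in sorted(unregistered):               # suid|sgid files not in the list
        cmode, cown, cgrp, csize, csum = current[fname]
        msgs.append(f'New file: {cmode} {cown} {cgrp} {csize} {csum} {fname}'); diffs += 1
    return msgs, diffs
```

Running compare_new(SGUID_LIST, CURRENT, SGUID_FOUND, '5.10', 'Sun', 'admin1') yields one mode anomaly, one duplicate warning, one 'info:' for the variable-size missing file and one 'New file:' line, with exit status 2.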
The permchk reports sguid anomalies on a collection of systems:
admin1: permchk --help
Usage: permchk_os [-options] platform
Options:
-a address # email address, current:
-p select # push|dsh selection, current:
-d date # results re-report, current:
-b bindir # binary directory, current: /usr/local/adm/bin
-l list # sguid.list file, current: /usr/local/adm/etc/sguid.list
-r # sort by node not error
-s # squash whitespace in report
-v # verbose ('set -x')
-h # this information
The platform may be:
sun, ibm, iceberg, iceflyer, midnight, nelchina,
lnxwkst, lnxmisc, or linux
Note:
- Generally added to sysmon crontab on management systems, can be manually invoked.
- Sends email as defined in permchk_os or as specified with '-a'.
- Logs to /var/local/output/permchk:
- platform.errlog.YYYYmmdd.HHMMSS - unexpected script errors
- platform.output.YYYYmmdd.HHMMSS - formatted output for email
- platform.result.YYYYmmdd.HHMMSS - collected results from process-setuid
- Program Flow:
- Invoke permchk_os for platform specific settings
- Delete any logs older than 30 days
- Issue push|dsh|pdsh to execute process-setuid writing to *.result.*
- Sort *.result.* (default by filename and anomaly)
- Filter out information to ignore as defined by $FLTE|$FLTO from permchk_os (such as 'info:' lines)
- Report up to 3 hosts with the same anomaly on the same file, then display a count
- Summarize anomalies and send email to address from permchk_os
admin1: process-setuid compare new
# Find: / /usr /var /export/home /export/software /tmp
current mode: 0755 is not new 4511 for: /usr/bin/lpstat
info: Skipping variable size missing file: /etc/init.d/web
info: Using 'admin1' not '5.10 Sun' for: /opt/SUNWsamfs/bin/archive
info: Using 'admin1' not '5.10 Sun' for: /usr/bin/showrev
info: Skipping variable size missing file: /export/software/adm/pkg/ftptools/CheckFTP
Warn: Missing file: /var/local/CF/linux/usr/sbin/sendmail.sendmail/sendmail.sendmail.template
New file: 4511 root root 27728 31031 /var/local/CF/linux/usr/bin/passwd/passwd.balboa
New file: 4511 root root 27728 12646 /var/local/CF/linux/usr/bin/passwd/passwd.cortez
New file: 4511 root lp 27504 57968 /usr/bin/lpstat.bak
Message types:
admin1: grep STDERR process-setuid | sed -e 's/^[ { ]*printf(STDERR[ ]*//'
"Warn: Skipping duplicate entry found for: $FILENAME\n");
"Warn: Skipping '%s' after os entry '%s': $FILENAME\n",
"info: Using '%s' not '%s %s' for: $FILENAME\n",
"Warn: Missing file: $FILENAME\n");
"info: Skipping variable size missing file: $FILENAME\n");
"current sum-r: %8s %5s is not $SETTING %8s %5s: $FILENAME\n",
"current size: %8s %5s is not $SETTING %8s %5s: $FILENAME\n",
"current mode: %8s is not $SETTING %8s for: $FILENAME\n", $CURRENT_MODE, $OLD_MODE);
"current owner: %-8s is not $SETTING %-8s for: $FILENAME\n", $CURRENTOWNER, $OLDOWNER);
"current group: %-8s is not $SETTING %-8s for: $FILENAME\n", $CURRENTGROUP, $OLDGROUP);
"current mode: %8s is not $SETTING %8s for: $FILENAME\n", $CURRENT_MODE, $NEW_MODE);
"current owner: %-8s is not $SETTING %-8s for: $FILENAME\n", $CURRENTOWNER, $NEWOWNER);
"current group: %-8s is not $SETTING %-8s for: $FILENAME\n", $CURRENTGROUP, $NEWGROUP);
"Warn: Missing file: $SGUIDFILENAME\n");
"New file: %-5s %-8s %-8s %8d %6d %s\n",
"info: non-executable: %-5s %-8s %-8s %8d %6d %s\n",