#!/bin/sh -- # Really perl
eval 'exec perl -S $0 ${1+"$@"} 2>/dev/null'
if 0;
# Program: NCR-MP-RAS-check.pl
# Description: Basic Operations Acceptance Testing for NCR MP-RAS servers
# Results are displayed on stdout or redirected to a file
# Usage: NCR-MP-RAS-check.pl [-h]
#
# -h Print this help message
#
# Version: 2007061701
# Last Update: 29 May 2006
# Designed by: Dusan U. Baljevic (dusan.baljevic@ieee.org)
# Coded by: Dusan U. Baljevic (dusan.baljevic@ieee.org)
#
# Copyright 2007-2015 Dusan Baljevic
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# Perl script NCR-MP-RAS-check.pl is a modest attempt to automate basic
# tasks when running Operations Acceptance Testing (OAT) for a server
# that is about to be commissioned or checked.
#
# The script tries to capture most critical information about an NCR MP-RAS
# server and highlights potential configuration or system problems.
#
# The script has been developed over several hectic days, so errors
# (although not planned) might exist. Please use with care.
#
# My goals were:
#
# A) Simplicity to do basic checks on NCR MP-RAS servers;
# B) Portability;
# C) Standard Perl interpreter (very few modules - optional);
# D) Many new features;
# F) No temporary files;
# G) No repeated runs of similar commands;
# H) Not to replace more comprehensive debugging tools but
# provide a quick summary of server status;
# I) Usefulness of results, not their formatting on the screen;
#
# Like all scripts and programs, this one will continue to
# change as our needs change.
#
# Define important environment variables
#
# The search path is assembled in one step. System directories come first,
# so a same-named program in a later, site-local directory cannot shadow a
# system command.
# NOTE(review): the checks are designed to run with root privileges, so
# every directory listed here should be writable by root only - confirm
# for the /usr/local, /applic, /opt and /basedir entries on the target host.
$ENV{'PATH'} = join(
    ':', qw(
      /bin /sbin /usr/sbin /usr/bin /usr/ccs/bin /usr/lbin
      /etc /usr/local/bin /usr/local/sbin /usr/ucblib
      /etc/fidl/sbin /etc/fidl /etc/fidl/bin
      /var/opt/ncrcm/bin /opt/VRTS/bin /etc/vx/bin
      /applic/samba/bin /opt/adept/bin /opt/samba/bin
      /opt/shc /opt/hwmgr/bin /usr/ucb /opt/ncrhttp/bin
      /opt/omni/bin /opt/lprng/sbin /opt/plc/bin
      /usr/bin/motif /basedir/bin
      )
);
#
# Make the script safer: pin the shell and neutralise the field separator,
# but only when the caller's environment carries a non-empty value.
#
if ( $ENV{'SHELL'} ne '' ) {
    $ENV{'SHELL'} = '/bin/sh';
}
if ( $ENV{'IFS'} ne '' ) {
    $ENV{'IFS'} = '';
}
#
# Global variables
#
my @Passnumarr = ();
my @Grnumarr = ();
my $MSGFILE = '/var/adm/messages';
my $CRFILE = '/var/spool/cron/crontabs/root';
my $WARNSTR = 'WARN';
my $ERRSTR = 'FAIL';
my $NOTESTR = 'NOTE';
my $INFOSTR = 'INFO';
my $PASSSTR = 'PASS';
my $Secure_SYSLOGD = 0;
my $VXFS_FLAG = 0;
my $fidl = 0;
my $OMNI_FLAG = 0;
my $ncrcm = 0;
my $mifno = 0;
my $CSTM_FLAG = 0;
my @SWAPARRAY = ();
my $FSTAB = '/etc/vfstab';
my $DEVICETAB = '/etc/device.tab';
my $MNTTAB = '/etc/mnttab';
my $rawrootdev = '/dev/rroot';
#
my $tswapall = 0;
my $CPU_IDLE_THRESHOLD = 15;
#
my $SAVECRASH = '/etc/default/dump';
my $dumpnodes = '/etc/dumpnodes';
my $dumpmem = 0;
#
# VXVM
my $VXCONF = '/sbin/init.d/vxvm-sysboot';
my $VXCONFIG = 0;
#
# SNMP configs
my $SNMPAconf = '/etc/inet/snmpd.conf';
my $SNMPpeers = '/etc/inet/snmpd.peers';
my $SNMPcomm = '/etc/inet/snmpd.comm';
my $SNMPtrap = '/etc/inet/snmpd.trap';
my $SNMP_FLAG = 0;
#
# HIDS configs
my $aide_conf1 = "/usr/local/etc/aide.conf";
my $aide_conf2 = "/opt/local/etc/aide.conf";
my $aide_conf3 = "/etc/aide.conf";
#
# Check directories sticky-bit
my @Stickyarr = ( "/tmp", "/var/tmp" );
my $MinBootSize = 18; # Boot disks should be 18 GB minimum
my $bings = 0;
my $Seen = q{};
my @bootara = ();
my $standboot = '/stand/boot';
#
# Password checks
my $uidno = 0;
my $Shadow = '/etc/shadow';
#
# Login messages
my $ISSUE = '/etc/issue';
my $MOTD = '/etc/motd';
#
# Inetd configs
my $INETD = "/etc/inetd.conf";
my $hostequiv = "/etc/hosts.equiv";
my $Shells = "/etc/shells";
#
# Network
my $NDDCONF = "/etc/default/sdf";
my @NDset = ();
#
my $NAMED = '/etc/resolv.conf';
my $DNSCONF = '/etc/named.conf';
my $SVCCONF = '/usr/ucblib/service.switch';
my $HOSTS = '/etc/hosts';
#
my $FTP_FLAG = 0;
my $ftpacc = '/etc/inet/ftpaccess';
my $ftpusers = '/etc/inet/ftpusers';
my $ftphosts = '/etc/inet/ftphosts';
my $rv = 0;
my $FOREGROUND_FLAG = 0;
my @LANarray = ();
my @Alllanscan = ();
my $ESMD_FLAG = 0;
my @NFSarr = ();
#
# Where to start SUID/SGID file search
#
my @directories_to_search = ("/");
#
my $VM_FLAG = 0;
my $shealth = 0;
my $cpucount = 0;
my $passno = 0;
my $SECPATCH_FLAG = 0;
my $STAND_FLAG = 0;
my $NTP_REST_FLAG = 0;
my $IDS_FLAG = 0;
my $LICENSE = 0;
my @licdaemon = ();
my $NISPLUS_FLAG = 0;
my $THRESHOLD_MAXUPRC_FLAG = 256;
my $LPSCHED = 0;
my $NSADMIN = 0;
my $LPSTAND = 0;
my $LOCALHOST_FLAG = 0;
my $MNT_FLAG = 0;
my $swapdeviceno = 0;
my $Minswapdevno = 1;
my $SECPATHAG = 0;
my $warnings = 0;
my @FCarray = ();
my @klu = ();
my @unc = ();
my @DNSRUN = ();
my @allprocesses = ();
my @ntpdaemon = ();
my @nfsdaemon = ();
my $securepath = 0;
my $secureshell = 0;
my $autopath = 0;
my $apacount = 0;
my $parset = 0;
my $PASSFILE = '/etc/passwd';
my $DefMTU = 1500;
my $OS_Standard = 'GDIS South Pacific Standard Unix Build';
#
# In Australia, Daylight Savings Time normally changes
# between 0200 and 0300 hours respectively
#
my $DSTbegin = 2;
my $DSTend = 3;
#
# Array of accounts that should be disabled for FTP access
#
my @FTPdisable = ( "root", "adm", "sys", "daemon" );
#
# Bundles that are most critical
#
my @SWmust = (
"NetBackup", "PerfView",
"SSH", "System Support Features",
"adpxspt", "RAID Manager",
"Disk Array Extentions", "System Health Check",
"System Diagnostics", "UNIX System",
"fidl", "dtc",
"vxfs", "ncrcm",
"Data Protector", "OmniBack",
"Adaptive Disk Error Prediction",
"Package Plus", "VxFS Advanced",
);
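sub Usage {
    # Store the script's own name in the global $CMD, then print the help
    # text through Prusage().
    #
    # The name is derived inside Perl. Running `basename $0` handed the
    # script path to /bin/sh, where a path containing spaces or shell
    # metacharacters would be split or interpreted by the shell.
    ( $CMD = $0 ) =~ s{^.*/}{};
    Prusage();
}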
sub Prusage {
print </dev/null`;
$fqdn =~ s/Name:\s+//g;
$fqdn =~ s/^\s+//g;
}
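# Fall back to uname(1) when no host name has been established yet and
# split its output into the system, host, release and hardware fields.
if ( !"$Hostname" ) {
    $VH = `uname -a 2>&1`;
    ( $System, $Hostname, $Maj, undef, $Hardware, undef ) =
      split( /\s+/, $VH );
    $Version = $Maj;
    ( $Major, $Minor, $Patch ) = split( /\./, $Maj );
}
# Test the variable, not the literal string "fqdn": a constant string is
# always true, so the "N/A" fallback below could never be reached.
if ("$fqdn") {
    chomp($fqdn);
    $fqdn =~ s/^\s+//g;
}
else {
    $fqdn = "N/A";
}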
#
# Do not allow to run as unprivileged user
#
#if ( $> != 0 ) {
# print "\t$ERRSTR The OAT should be run with root privileges\n";
# exit(1);
#}
#
# Get current local time
#
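(
    $Sec,  $Min,       $Hour,      $DayOfMonth, $Month,
    $Year, $DayOfWeek, $DayofYear, $IsDST
) = localtime;
my $EPOCHTIME = timelocal( $Sec, $Min, $Hour, $DayOfMonth, $Month, $Year );
#
# Localtime returns January..December as 0..11, which is already the
# right index for the name list. Looking the name up after the decrement
# below selected the previous month (and "Dec" in January).
#
$Realmonth =
  (qw(Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec))[$Month];
# NOTE(review): the decrement is kept because code outside this section may
# read $Month; confirm which numbering those readers expect.
$Month--;
$Year    = $Year + 1900;
$Weekday = (qw(Sun Mon Tue Wed Thu Fri Sat))[$DayOfWeek];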
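# Collect the output of machinetype(1) in @Model and pick the boot policy
# ("Boot:" line) out of it for the later boot-device check.
if ( open( MATT, "machinetype |" ) ) {
    # The read loop names its handle; with an empty condition nothing was
    # ever read from the pipe.
    while (<MATT>) {
        next if /^#/;
        next if /^$/;
        if (/Boot:/) {
            ( undef, $Bootvalue ) = split( /:/, $_ );
            $Bootvalue =~ s/^\s+//g;
            chomp($Bootvalue);
        }
        push( @Model, $_ );
    }
    close(MATT);
}
else {
    # The failing command is machinetype, so the message names it instead
    # of the unrelated boot configuration file.
    print "\t$ERRSTR Cannot run machinetype\n";
    @Model = "N/A";
    $warnings++;
}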
rawpscheck();
# Current run level, third field of the "run-level" line of who -r.
chomp( $runlevel = `who -r | awk '/run-level/ {print \$3}' 2>&1` );
# uptime(1) output with the leading blanks removed.
( $uptime = `uptime` ) =~ s/^\s+//g;
chomp($uptime);
my $wtmpfile = '/var/adm/wtmp';
my $etcutmp  = '/etc/utmp';
# An empty answer from uptime is reported as a possibly damaged accounting
# file and replaced by a placeholder for the summary.
unless ("$uptime") {
    print "\t$WARNSTR $wtmpfile or $etcutmp possibly corrupted\n";
    $warnings++;
    $uptime = "Unknown (check manually)";
}
#
# Get system's volume manager details
#
$vxcheck = `vxinfo 2>&1 | egrep "ERROR|not found"`;
# Start from "no volume manager" and override only when vxinfo produced no
# error text and $VM_FLAG is set.
# NOTE(review): a host where vxinfo works but $VM_FLAG is 0 is still
# reported as "N/A" - confirm that this is intended.
( $Diskmgr, $Diskmgrcnt, $Diskmgrno ) = ( "N/A", "Zero", 0 );
if ( !"$vxcheck" && "$VM_FLAG" > 0 ) {
    $Diskmgr =
      "Veritas Volume Manager (VxVM) and Logical Volume Manager (LVM)";
    $Diskmgrcnt = "DUAL Volume Manager Environment";
    $Diskmgrno  = 2;
}
sub print_header {
    # Print a section title preceded by two blank lines and underlined
    # with one underscore per title character. The title length is also
    # left in the global $len_lline.
    my $lline = shift;
    $len_lline = length($lline);
    print "\n\n$lline\n", "_" x $len_lline, "\n";
}
# Describe the kernel image with file(1); the third word of the trimmed
# description is kept as the kernel mode.
$Stand = "/stand/unix";
if ("$Stand") {
    chomp( $ARCH = `file $Stand | sed -e 's/^.* - //g'` );
    ( undef, undef, $KERNEL_BITS, undef ) = split( /\s+/, $ARCH );
}
$ARCH = "Unknown" if !"$ARCH";
sub SYS_INFO {
# Print the host summary: one "LABEL value" line per item, built from the
# globals filled in by the top-level code (host name, FQDN, machine model,
# uname fields, architecture, run level, kernel mode, volume manager and
# uptime). The whole report is a single multi-line string literal, so the
# line breaks inside the quotes are part of the output.
print "HOSTNAME $Hostname
FQDN $fqdn
MODEL @Model
UNAME -A $System $Hostname $Maj $Version $Hardware
ARCH $ARCH
RUN LEVEL $runlevel
KERNEL MODE $KERNEL_BITS
VOLUME MANAGER COUNT $Diskmgrcnt
VOLUME MANAGER $Diskmgr
UPTIME $uptime\n";
}
#
# Subroutine to test open TCP ports
#
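sub openport {
    # Connect to a TCP port, print the first line the service sends, then
    # send "quit" and close the connection.
    #
    # Arguments: $_[0] address as handed to pack() with the "a4" template
    #            (presumably a packed 4-byte IPv4 address - confirm with
    #            the callers), $_[1] port number or service name.
    # Globals:   $REMOTE receives the address, $sockaddr the pack template.
    #
    # NOTE(review): the banner read has no timeout, so a service that
    # accepts the connection but stays silent blocks the whole run.
    my $addr = $REMOTE = $_[0];
    my $port = $_[1];
    $port = getservbyname( $port, 'tcp' ) if $port =~ /\D/;
    my $proto = getprotobyname('tcp');
    if ( socket( S, PF_INET, SOCK_STREAM, $proto ) ) {
        $sockaddr = 'S n a4 x8';
        if ( connect( S, pack( $sockaddr, AF_INET, $port, $addr ) ) ) {
            # Unbuffer the socket, then restore STDOUT as default handle.
            select(S);
            $| = 1;
            select(STDOUT);
            my $banner = <S>;
            print $banner if defined $banner;
            print S "quit";
        }
        else {
            # The failure text used to be a bare string in void context and
            # was never printed.
            print "\t$INFOSTR Unable to connect: $!\n";
        }
        # Closed on both paths so that a refused connection does not leave
        # the socket open.
        close(S);
    }
    else {
        print "\t$INFOSTR Cannot open socket $port @ $addr\n";
    }
}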
#
# Subroutine to test open UDP ports
#
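sub openudpport {
    # Send "quit" to a UDP port and print a reply if one arrives within
    # five seconds.
    #
    # Arguments: $_[0] address as handed to pack() with the "a4" template
    #            (presumably a packed 4-byte IPv4 address - confirm with
    #            the callers), $_[1] port number or service name.
    # Globals:   $REMOTE receives the address, $sockaddr the pack template.
    #
    # The socket type is SOCK_DGRAM: asking for a stream socket together
    # with the UDP protocol makes socket() fail, so the probe never ran.
    # UDP has no connection set-up and services do not speak first, hence
    # the datagram is sent before the bounded wait for an answer. Silence
    # is therefore not proof that the port is closed.
    my $addr = $REMOTE = $_[0];
    my $port = $_[1];
    $port = getservbyname( $port, 'udp' ) if $port =~ /\D/;
    my $proto = getprotobyname('udp');
    if ( socket( S, PF_INET, SOCK_DGRAM, $proto ) ) {
        $sockaddr = 'S n a4 x8';
        if ( connect( S, pack( $sockaddr, AF_INET, $port, $addr ) ) ) {
            select(S);
            $| = 1;
            select(STDOUT);
            print S "quit";
            my $rin = '';
            vec( $rin, fileno(S), 1 ) = 1;
            # Bounded wait so that a silent port cannot stall the run.
            if ( select( my $rout = $rin, undef, undef, 5 ) > 0 ) {
                my $reply = '';
                print $reply if defined recv( S, $reply, 1024, 0 );
            }
        }
        else {
            # The failure text used to be a bare string in void context and
            # was never printed.
            print "\t$INFOSTR Unable to connect: $!\n";
        }
        close(S);
    }
    else {
        print "\t$INFOSTR Cannot open socket $port @ $addr\n";
    }
}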
#
# Subroutine to check boot devices
#
sub bootdev {
    # Report the load configuration file, the kernel image and, when the
    # boot policy in $Bootvalue is restricted, the primary and alternate
    # boot devices listed by setboot. Each problem bumps $warnings.
    print_header("CHECKING CURRENT BOOT DEVICE");
    $loadcfg = '/stand/loadconfig';
    if ( -s "$loadcfg" ) {
        print "\t$PASSSTR Load configuration file $loadcfg\n";
        @loadconfig = `awk '! /^#/ {print}' $loadcfg`;
        print @loadconfig;
    }
    else {
        print
          "\t$WARNSTR Load configuration file $loadcfg empty or missing\n";
        $warnings++;
    }
    $unixk = '/stand/unix';
    if ( -s "$unixk" ) {
        print "\n\t$PASSSTR Unix kernel $unixk exists\n";
    }
    else {
        print "\n\t$WARNSTR Unix kernel $unixk empty or missing\n";
        $warnings++;
    }
    if ( "$Bootvalue" eq "N/A" ) {
        print "\n\t$INFOSTR Boot disk setup not applicable for this hardware\n";
    }
    elsif ( "$Bootvalue" eq "Any" ) {
        print "\n\t$INFOSTR Unrestricted boot disk setup (any disk)\n";
    }
    else {
        print "\n\t$INFOSTR Restricted boot disk setup (fixed disk)\n";
        # Both queries run before anything is printed.
        @setbootprim = `setboot -p -l $rawrootdev`;
        @setbootsec  = `setboot -s -l $rawrootdev`;
        my @reports = (
            [ 'Primary',   'primary',   \@setbootprim ],
            [ 'Alternate', 'alternate', \@setbootsec ],
        );
        foreach my $report (@reports) {
            my ( $title, $lower, $lines ) = @$report;
            if ("@$lines") {
                print "\t$PASSSTR $title boot device\n";
                print "@$lines";
            }
            else {
                print "\t$WARNSTR Cannot list $lower boot device\n";
                $warnings++;
            }
        }
    }
}
#
# Subroutine to check boot volumes
#
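sub bootcheck {
    # Print the boot configuration file, then the fidl status of every
    # disk under /dev/rdsk (only when the fidl package was detected) and
    # the hardware status of every tape drive under /dev/rmt.
    print_header("CHECKING DISKS");
    # The file is read directly. A pipe from awk "opens" successfully even
    # when the file is missing, so the error branch could never run, and
    # the old filter also hid every line that mentions "awk".
    if ( open( FF, "< $standboot" ) ) {
        print "\t$INFOSTR Configuration file $standboot\n";
        while (<FF>) {
            next if /^#/;
            print $_;
        }
        close(FF);
    }
    else {
        print "\t$ERRSTR Cannot open $standboot\n";
        $warnings++;
    }
    @diskls = `ls /dev/rdsk/*s0 2>/dev/null`;
    chomp(@diskls);
    foreach $fix (@diskls) {
        next unless "$fidl" > 0;
        @fidlls = `fidl -q -d $fix 2>/dev/null`;
        if ("@fidlls") {
            print "\n\t$INFOSTR Disk $fix\n";
            print @fidlls;
        }
        else {
            print "\n\t$INFOSTR Disk $fix not active\n";
        }
    }
    # Same error suppression as the disk listing, so a host without tape
    # devices does not leak an ls error into the report.
    @tapels = `ls /dev/rmt/*s0 2>/dev/null`;
    chomp(@tapels);
    foreach $tix ( sort @tapels ) {
        @tapehw = `hwdcstat -d $tix 2>/dev/null`;
        @tcm    = `tcm -d $tix -i 2>/dev/null`;
        if ("@tapehw") {
            print "\n\t$INFOSTR Tape drive $tix\n";
            print @tapehw;
            print "\n";
            print @tcm;
        }
        else {
            print "\n\t$INFOSTR Tape drive $tix not active\n";
        }
    }
}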
#
# Subroutine to check crash
#
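sub crashcheck {
    # Print the crash-dump configuration files, the verdict of
    # "dumpconfig -m" and the fdump listing.
    print_header("CHECKING CRASH CONFIGURATION AND POWERFAIL STRATEGY");
    my $separator = '';
    foreach my $conf ( $SAVECRASH, $dumpnodes ) {
        print $separator;
        # Direct read: a pipe from cat succeeds even for a missing file, so
        # the "Cannot open" branch was unreachable.
        if ( open( CRASHCONF, "< $conf" ) ) {
            print "\t$INFOSTR Configuration file $conf\n";
            while (<CRASHCONF>) {
                next if /^#/;
                next if /^$/;
                print $_;
            }
            close(CRASHCONF);
        }
        else {
            print "\t$WARNSTR Cannot open $conf\n";
            $warnings++;
        }
        $separator = "\n";
    }
    $dumpconfig = `dumpconfig -m`;
    if ( $dumpconfig !~ /^\s*\d+\s*$/ ) {
        # Empty or non-numeric output compares equal to 0, which used to
        # be reported as a sufficient configuration.
        print "\n\t$WARNSTR Cannot determine dump configuration\n";
        $warnings++;
    }
    elsif ( $dumpconfig == 0 ) {
        print "\n\t$INFOSTR Dump configuration is sufficient\n";
    }
    else {
        print "\n\t$WARNSTR Dump configuration is not sufficient\n";
    }
    print "\n";
    if ( open( FROM, "fdump -l |" ) ) {
        print "\t$INFOSTR Fdump status\n";
        while (<FROM>) {
            print $_;
        }
        close(FROM);
    }
    else {
        print "\t$WARNSTR Cannot run fdump\n";
        $warnings++;
    }
}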
#
# Subroutine to check file system free disk space and inodes
#
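sub space {
    # For every file system listed by "df -kt": check lost+found, compare
    # the allocated size with the build-standard minimum, and warn when
    # used space or used inodes exceed $THRESHOLD percent. Finally report
    # standard file systems that are not present at all.
    # Globals written include @MAU (mount points seen), $STAND_FLAG,
    # $fs_crash and $warnings.
    print_header("CHECKING FILE SYSTEMS SPACE AND INODES MINIMUM 10% FREE");
    $THRESHOLD = 90;
    $mingood   = 100 - $THRESHOLD;
    @dfspace   = `dfspace 2>/dev/null`;
    # Test the array itself; the escaped form "\@dfspace" is a constant,
    # always-true string.
    if (@dfspace) {
        print "\t$INFOSTR File system usage\n";
        print @dfspace;
    }
    if ("$MEM_MBYTE") {
        $fs_crash = $MEM_MBYTE / 2;
    }
    else {
        $fs_crash = 4000;
    }
    print "\n";
    #
    # Associative array of minimum file system sizing in MBytes
    # (as set in the GDIS South Pacific Unix Standard Build)
    #
    %OSARRAY = (
        "/",        "400", "/stand", "400",  "/tmp", "1000",
        "/home",    "500", "/usr",   "1200", "/var", "1000",
        "/var/tmp", "400", "/opt",   "1500"
    );
    # Pseudo file systems that carry no lost+found directory.
    @Nonfsarr = ( '/proc', '/stats', '/dev/fd' );
    $lfdir    = "lost+found";
    open( CC, "df -kt |" ) || die "Cannot run df\n";
    while (<CC>) {
        chomp;
        next if /^$/;
        next if /mounted on/;
        @ckarr = split( /\s+/, $_ );
        $zzz   = scalar @ckarr;
        next if ( $zzz == 1 );
        ( $fs, $allocated, $used, $avail, $pcused, $ffs ) = @ckarr;
        push( @MAU, $ffs );
        if ( "$ffs" eq "/stand" ) {
            $STAND_FLAG++;
        }
        #
        # Check each file system for lost+found. Exact comparison: the
        # former substring match let "/" match "/proc", so the root file
        # system was never checked.
        #
        if ( !grep { $_ eq $ffs } @Nonfsarr ) {
            if ( !-d "$ffs/$lfdir" ) {
                print
                  "\t$WARNSTR File system missing or corrupt $ffs/$lfdir\n";
                $warnings++;
            }
            else {
                print "\t$PASSSTR File system has valid $ffs/$lfdir\n";
            }
        }
        # Plain hash element access; %OSARRAY->{...} is rejected by
        # current Perl releases.
        if ( $OSARRAY{$ffs} ) {
            $deffs_size = $OSARRAY{$ffs};
            $allocMB    = int( $allocated / 1024 );
            if ( "$allocMB" < "$deffs_size" ) {
                print "\t$WARNSTR F/S size for $ffs is less than ";
                print "recommended in $OS_Standard\n";
                print "\t($allocMB MB while minimum is $deffs_size MB)\n";
                $warnings++;
            }
            else {
                print "\t$PASSSTR F/S size for $ffs as ";
                print "recommended in $OS_Standard\n";
                print "\t($allocMB MB while minimum is $deffs_size MB)\n";
            }
        }
        # The mount point comes from command output and is handed to the
        # shell, so it is single-quoted first.
        ( my $quoted = $ffs ) =~ s/'/'\\''/g;
        if ( open( CCT, "/usr/ucb/df -i '$quoted' |" ) ) {
            while (<CCT>) {
                chomp;
                next if /^$/;
                next if /Mounted on/;
                # Only the inode columns are kept; $ffs must survive for
                # the messages below.
                ( undef, $iused, $iavail, $inodepcused, undef ) =
                  split( /\s+/, $_ );
            }
            close(CCT);
        }
        $pcused      =~ s/%//g;
        $inodepcused =~ s/%//g;
        if ( $pcused > $THRESHOLD ) {
            print "\t$WARNSTR File system $ffs has less than $mingood% ";
            print "free disk space ($pcused% used)\n";
            $warnings++;
        }
        else {
            print "\t$PASSSTR File system $ffs has more than $mingood% ";
            print "free disk space ($pcused% used)\n";
        }
        if ( $inodepcused > $THRESHOLD ) {
            print "\t$WARNSTR File system $ffs has less than $mingood% ";
            print "free inodes ($inodepcused% used)\n\n";
            $warnings++;
        }
        else {
            print "\t$PASSSTR File system $ffs has more than $mingood% ";
            print "free inodes ($inodepcused% used)\n\n";
        }
    }
    close(CC);
    print_header("CHECKING FILE SYSTEMS NAMING STRUCTURE AS PER STANDARDS");
    @VVM = keys(%OSARRAY);
    my $missing = 0;
    foreach $i ( sort @VVM ) {
        unless ( grep { $_ eq $i } @MAU ) {
            print
              "\t$WARNSTR File system $i does not exist as per $OS_Standard\n";
            $warnings++;
            $missing++;
        }
    }
    # The PASS line used to sit in a branch taken only for an empty
    # standard list, so it was never printed.
    if ( $missing == 0 ) {
        print "\t$PASSSTR All O/S file system defined as per $OS_Standard\n";
    }
}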
#
# Subroutine to check LAN cards
#
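sub lan {
    # Print the interface list from ifconfig and the adapter information
    # from ildconfig.
    # NOTE(review): a pipe open fails only when the fork fails, so a
    # missing command does not reach the "Cannot run" branches.
    print_header("CHECKING LAN CARD STATUS");
    if ( open( CC, "ifconfig -a |" ) ) {
        print "\t$INFOSTR Network interfaces\n";
        # The read loops name their handle; with an empty condition
        # nothing was read from the pipe.
        while (<CC>) {
            print $_;
        }
        close(CC);
    }
    else {
        print "\t$WARNSTR Cannot run ifconfig\n";
        $warnings++;
    }
    if ( open( CC, "ildconfig -a |" ) ) {
        print "\n\t$INFOSTR ILD adapter information\n";
        while (<CC>) {
            print $_;
        }
        close(CC);
    }
    else {
        print "\n\t$WARNSTR Cannot run ildconfig\n";
        $warnings++;
    }
}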
#
# Subroutine to check installed software bundles
#
sub swcheck {
    # Print the pkginfo listing, check it for every entry of @SWmust and
    # raise the feature flags later checks depend on ($secureshell,
    # $OMNI_FLAG, $fidl, $ncrcm, $shealth, $VXFS_FLAG). Also prints the
    # versions of the C compiler and of Perl.
    print_header("CHECKING INSTALLED SOFTWARE PACKAGES");
    print "\t$NOTESTR Some applications might be installed without packages\n";
    print "\t$NOTESTR Please check them manually\n\n";
    @SWarray = `pkginfo`;
    if ("@SWarray") {
        print @SWarray;
    }
    else {
        print "\t$ERRSTR Package listing is empty or corrupt\n";
        $warnings++;
    }
    print "\n";
    foreach my $pkg (@SWmust) {
        my $is_ssh = ( $pkg eq "SSH" ) || ( $pkg eq "Secure Shell" );
        if ( grep( /$pkg/i, @SWarray ) ) {
            print "\t$PASSSTR $pkg installed\n";
            if ($is_ssh) {
                $secureshell++;
            }
            elsif ( $pkg eq "OmniBack" || $pkg eq "Data Protector" ) {
                $OMNI_FLAG = 1;
            }
            elsif ( $pkg eq "fidl" ) {
                $fidl++;
            }
            elsif ( $pkg eq "ncrcm" ) {
                $ncrcm++;
            }
            elsif ( $pkg eq "System Health Check" ) {
                $shealth++;
            }
            elsif ( $pkg eq "vxfs" ) {
                $VXFS_FLAG++;
            }
            next;
        }
        # Not installed. SSH is counted here and reported once after the
        # loop; two packages are reported under their product name.
        if ( !$is_ssh ) {
            my $label =
                $pkg eq "ncrcm" ? "NCR Cluster"
              : $pkg eq "vxfs"  ? "OnlineJFS"
              :                   $pkg;
            print "\t$WARNSTR $label not installed\n";
        }
        $warnings++;
    }
    if ( "$secureshell" == 0 ) {
        print "\t$ERRSTR Secure Shell (SSH) not installed\n";
    }
    print_header("CHECKING INSTALLED COMPILERS");
    @CCcomp = `cc -V 2>&1`;
    print @CCcomp if "@CCcomp";
    print "\n";
    @Perlcomp = `perl -v`;
    print @Perlcomp if "@Perlcomp";
}
#
# Subroutine to check installed patch bundles
#
sub patch {
    # Print the long package listing (pkginfo -l), which carries the
    # patch level of each package; nothing is printed when it is empty.
    print_header("CHECKING INSTALLED PATCHES");
    @lsbundle = `pkginfo -l`;
    print @lsbundle if "@lsbundle";
}
#
# Subroutine to check privileged account
#
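sub rootacc {
    # Audit the root account: umask, home directory and its permissions,
    # a .rhosts file, the console restriction in /etc/default/login and
    # the root entries of the su log.
    print_header("CHECKING PRIVILEGED ACCOUNT");
    $umsk    = sprintf "%lo", umask;
    $Rootdir = "/root";
    if ( $umsk == "022" ) {
        print "\t$PASSSTR Umask for root set to 022\n";
    }
    else {
        print "\t$INFOSTR Umask set to $umsk (minimum recommended is 022)\n";
        $warnings++;
    }
    $roothome = `awk -F: '/^root:/ && ! /awk/ {print \$6}' $PASSFILE`;
    chomp($roothome);
    if ( "$roothome" ne "$Rootdir" ) {
        print "\t$WARNSTR Root home directory $roothome, not $Rootdir\n";
        $warnings++;
    }
    else {
        print "\t$PASSSTR Root home directory correct ($Rootdir)\n";
    }
    if ( !stat $Rootdir || !-d $Rootdir ) {
        print "\t$WARNSTR $Rootdir directory not valid\n";
        $warnings++;
    }
    $file_perms = ( stat $roothome )[2] & 0777;
    $oct_perms  = sprintf "%lo", $file_perms;
    if ( $oct_perms != "700" ) {
        print
          "\t$WARNSTR Root home directory permissions not 700 ($oct_perms)\n";
        $warnings++;
    }
    else {
        print
          "\t$PASSSTR Root home directory permissions correct ($oct_perms)\n";
    }
    $rho = "$roothome/.rhosts";
    if ( -s "$rho" ) {
        print "\n\t$WARNSTR File $rho exists\n";
        # Read in Perl: the path is built from a passwd field and should
        # not pass through a shell command line.
        @rhosts = ();
        if ( open( RHOSTS, "< $rho" ) ) {
            @rhosts = <RHOSTS>;
            close(RHOSTS);
        }
        print @rhosts;
    }
    $sectty = "/etc/default/login";
    my $console_set = 0;
    if ( -f "$sectty" && -s "$sectty" ) {
        print "\n\t$PASSSTR $sectty exists\n";
        # Direct read, so an unreadable file reaches the error branch and
        # lines mentioning "awk" are no longer hidden from the report.
        if ( open( CC, "< $sectty" ) ) {
            while (<CC>) {
                next if /^#/;
                next if /^$/;
                print $_;
                $CONSOLE_FLAG++;
                # Remember the CONSOLE setting while the line is at hand;
                # after the loop $_ no longer holds a line of the file.
                $console_set = 1 if /^CONSOLE/;
            }
            close(CC);
        }
        else {
            print "\t$ERRSTR Cannot open $sectty\n";
            $warnings++;
        }
    }
    else {
        print "\n\t$WARNSTR $sectty not installed\n";
        $warnings++;
    }
    print "\n";
    if ( $CONSOLE_FLAG > 0 ) {
        if ($console_set) {
            print "\t$PASSSTR Root access configured in $sectty\n";
        }
        else {
            print "\t$ERRSTR Root access not configured in $sectty\n";
            $warnings++;
        }
    }
    $sulog = "/var/adm/sulog";
    if ( -s "$sulog" ) {
        @SUent = `egrep -i root $sulog`;
        if ("@SUent") {
            print "\n\t$INFOSTR Recent su(1) entries in $sulog\n";
            print @SUent;
        }
    }
}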
#
# Subroutine to check NTP
#
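sub ntp_check {
    # When an NTP daemon was found in the process list (@ntpdaemon),
    # report the reach status of every peer and check that ntp.conf
    # carries at least one "restrict" line.
    print_header("CHECKING NTP SERVICES");
    if ("@ntpdaemon") {
        print "\t$PASSSTR Network Time Protocol daemon running\n";
        open( CC, "ntpq -n -c peers |" ) || die "Cannot run ntpq";
        # The read loops name their handle; with an empty condition
        # nothing was read from the pipe.
        while (<CC>) {
            next if /^$/;
            next if /offset/;
            next if /===/;
            $_ =~ s/^\s+//g;
            # A whitespace-only line is empty now and carries no peer.
            next if $_ eq '';
            (
                $remote, $refid, $st,    $tm,     $when,
                $poll,   $reach, $delay, $offset, $displ
            ) = split( /\s+/, $_ );
            $reach  =~ s/^\s+//g;
            # Drop the peer selection marks in front of the address.
            $remote =~ s/\*//g;
            $remote =~ s/\+//g;
            if ( $reach == 0 ) {
                print "\t$ERRSTR NTP server $remote not reachable\n";
            }
            elsif ( $reach == 377 ) {
                print
                  "\t$PASSSTR NTP server $remote reachable and synchronised ";
                print "(stratum $st, status $reach)\n";
            }
            else {
                print
                  "\t$PASSSTR NTP server $remote reachable but not fully ";
                print "synchronised (stratum $st, status $reach)\n";
            }
        }
        close(CC);
        $ntpconf = "/etc/inet/ntp.conf";
        if ( -s "$ntpconf" ) {
            print "\n\t$PASSSTR $ntpconf exists\n";
            # Direct read; the former awk filter also hid every line that
            # mentions "awk".
            if ( open( NTPC, "< $ntpconf" ) ) {
                while (<NTPC>) {
                    next if /^#/;
                    $_ =~ s/^\s+//g;
                    print $_;
                    $NTP_REST_FLAG++ if /restrict/;
                }
                close(NTPC);
            }
            if ( $NTP_REST_FLAG == 0 ) {
                print
                  "\n\t$WARNSTR Network Time Protocol not restricted in $ntpconf\n";
                $warnings++;
            }
            else {
                print
                  "\n\t$PASSSTR Network Time Protocol restricted in $ntpconf\n";
            }
        }
        else {
            print "\n\t$ERRSTR Cannot open $ntpconf\n";
            $warnings++;
        }
    }
    else {
        print "\t$ERRSTR Network Time Protocol not running\n";
        $warnings++;
    }
}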
#
# Subroutine to check NFS
#
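sub nfs_check {
    # Count the NFS mounts (kept in @NFSarr), then print the export
    # table and the list of local and remote shares.
    print_header("CHECKING NETWORK FILE SYSTEM (NFS)");
    $nfscount = 0;
    if ("@nfsdaemon") {
        if ( "$MNT_FLAG" == 0 ) {
            if ( open( CC, "mount | egrep -i nfs |" ) ) {
                # The read loop names its handle; with an empty condition
                # nothing was read from the pipe.
                while (<CC>) {
                    next if /^$/;
                    ( $lfs, undef, $remfs, $state, undef ) =
                      split( /\s+/, $_ );
                    chomp($lfs);
                    push( @NFSarr, $lfs );
                    $nfscount++;
                    # NOTE(review): the warning says "not soft mounted" but
                    # fires when the option field contains "soft"; confirm
                    # which of the two is intended.
                    if ( $state =~ /soft/ ) {
                        print
                          "$WARNSTR There are NFS mounts that are not soft mounted\n";
                        print "\t\t$_\n";
                    }
                }
                # Closed only when the open succeeded.
                close(CC);
            }
            else {
                print "$WARNSTR Cannot run mount command\n";
                $warnings++;
            }
        }
    }
    if ( $nfscount > 0 ) {
        print "\t$WARNSTR There are NFS mounts\n";
    }
    else {
        print "\t$PASSSTR There are no NFS mounts\n";
    }
    $exportfs = "/etc/dfs/dfstab";
    if ( -s "$exportfs" ) {
        print "\n\t$NOTESTR $exportfs exists\n";
        @efs = `awk '! /^#/ {print}' $exportfs | nawk NF`;
        if ("@efs") {
            print "\t$NOTESTR $exportfs status\n";
            print @efs;
        }
        else {
            print "\n\t$NOTESTR $exportfs empty\n";
        }
    }
    else {
        print "\n\t$NOTESTR $exportfs not set up\n";
    }
    @dfshares = `dfshares`;
    if ("@dfshares") {
        print "\n\t$INFOSTR Local and remote shares\n";
        print @dfshares;
    }
}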
#
# Subroutine to check mounted file systems
#
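sub CHECK_MOUNTED_FILESYSTEMS {
    # Print /etc/inittab, then cross-check the mounted file systems
    # against the file system table: every table entry must be mounted,
    # every mount should be listed, /tmp should use "nolog", the fsck pass
    # number must not be zero and everything except /stand should be VxFS.
    # Globals written include @initarr, @Mounted, @fss, @Fstabed,
    # $swapdeviceno, $vxfscount, $MNT_FLAG and $warnings.
    $initt = "/etc/inittab";
    if ( open( ZK, "< $initt" ) ) {
        while (<ZK>) {
            next if /^\s*$/;
            next if /^#/;
            $_ =~ s/#.*$//g;
            $_ =~ s/^\s+//g;
            if (/vxenablef/) {
                ( undef, undef, undef, $vxe ) = split( /:/, $_ );
                if ("$vxe") {
                    chomp($vxe);
                    $vxe =~ s/^\s+//g;
                    ( $vxcom, undef ) = split( /\s+/, $vxe );
                    # The command is taken from a configuration file and
                    # run with the privileges of this script, so only a
                    # plain absolute path to an executable is accepted.
                    if ( $vxcom =~ m{^/[\w./+-]+$} && -x $vxcom ) {
                        @vxl = `$vxcom`;
                    }
                }
            }
            push( @initarr, $_ );
        }
        close(ZK);
    }
    else {
        print "\t$WARNSTR Cannot open $initt\n";
        $warnings++;
    }
    if ("@initarr") {
        print_header("CHECKING INITTAB");
        print @initarr;
    }
    print_header("CHECKING ALL FSTAB FILE SYSTEMS MOUNTED AND VALID");
    my $fswarnings = 0;
    if ( !-s "$MNTTAB" ) {
        print "\t$ERRSTR File $MNTTAB empty\n";
        $MNT_FLAG = 1;
        $warnings++;
    }
    else {
        # "\$1" keeps the awk field reference out of Perl's hands; the
        # unescaped form was replaced by Perl's own $1 before awk ran.
        if ( open( MM, "mount | awk '{print \$1}' | sort |" ) ) {
            while (<MM>) {
                next if /^$/;
                ( $fsreal, undef ) = split( /\s+/, $_ );
                push( @Mounted, $_ );
                push( @fss,     $fsreal );
            }
            close(MM);
        }
        else {
            print "\t$ERRSTR Cannot run mount command\n";
            $warnings++;
        }
    }
    print "\n\t$NOTESTR $FSTAB contents\n";
    open( VV, "awk '! /awk/ && ! /^#/ {print}' $FSTAB | sort |" )
      || die "Cannot check $FSTAB\n";
    while (<VV>) {
        next if /^$/;
        print $_;
        if (/swap/) {
            print "\n";
            $swapdeviceno++;
            next;
        }
        next if /nfs/;
        ( $v0, $v1, $v2, $v3, $passnofs, $v4, $v5 ) = split( /\s+/, $_ );
        # Exact comparison of mount points. As a pattern, "/" matched
        # every mount line and "/usr" also matched "/usr/local", so an
        # unmounted file system could go unnoticed.
        if ( !grep { $_ eq $v2 } @fss ) {
            print
              "\t$WARNSTR File system $v2 listed in $FSTAB but not mounted\n";
            $warnings++;
            $fswarnings++;
        }
        if ( "$v2" eq "/tmp" ) {
            if ( $v5 =~ /nolog/ ) {
                print
                  "\t$PASSSTR File system $v2 mounted with \"nolog\" mount logging\n";
            }
            else {
                print
                  "\t$WARNSTR File system $v2 not mounted with \"nolog\" mount logging\n";
                $warnings++;
            }
        }
        if ( "$passnofs" == 0 ) {
            print "\t$ERRSTR File system $v2 check pass number set to zero\n";
            $warnings++;
        }
        else {
            print
              "\t$PASSSTR File system $v2 check pass number not set to zero\n";
        }
        push( @Fstabed, $v2 );
        if ( $v3 ne "vxfs" ) {
            print "\t$INFOSTR File system $v2 not VxFS\n\n";
            # /stand is exempt from the VxFS requirement.
            next if ( $v2 =~ /\/stand/ );
            $warnings++;
            $vxfscount++;
        }
        else {
            if ( $VXFS_FLAG > 0 ) {
                print
                  "\t$INFOSTR Checking defragmentation of file system $v2\n";
                @defrag = `fsadm -F vxfs -D $v2 2>/dev/null | nawk NF`;
                if ("@defrag") {
                    print "@defrag\n";
                }
            }
        }
    }
    close(VV);
    if ( $swapdeviceno < $Minswapdevno ) {
        print
          "\t$INFOSTR Less than recommended number of swap devices (minimum $Minswapdevno)\n";
    }
    else {
        print
          "\t$PASSSTR Recommended number of swap devices (minimum $Minswapdevno)\n";
    }
    foreach $c (@fss) {
        if ( !grep { $_ eq $c } @Fstabed ) {
            print
              "\n\t$WARNSTR File system $c mounted but not listed in $FSTAB\n";
            $warnings++;
            $fswarnings++;
        }
    }
    if ( "$fswarnings" > 0 ) {
        print "\n\t$WARNSTR Some file systems not mounted correctly\n";
    }
    else {
        print "\n\t$PASSSTR All file systems mounted correctly\n";
    }
    print_header("CHECKING NON VXFS FILE SYSTEMS");
    if ( "$vxfscount" > 0 ) {
        print "\t$WARNSTR Some file systems not vxfs (/stand not checked)\n";
    }
    else {
        print "\t$PASSSTR All file systems vxfs (/stand not checked)\n";
    }
    print "\t$NOTESTR Non fstab mounts may be cluster/automount related\n";
}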
#
# Subroutine to check system auditing
#
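sub audsys {
    # Run audsys and report whether system auditing is configured; any
    # other output line is passed through unchanged.
    print_header("CHECKING SYSTEM AUDITING (AUDSYS)");
    open( FROM, "audsys 2>&1 |" ) || die "Cannot run audsys";
    # The read loop names its handle; with an empty condition nothing was
    # read from the pipe.
    while (<FROM>) {
        next if /^$/;
        $_ =~ s/^\s+//g;
        if ( /currently off/ || /cannot open and lock/ ) {
            print "\t$WARNSTR System auditing not configured\n";
            $warnings++;
        }
        else {
            print $_;
        }
    }
    close(FROM);
}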
#
# Is /dev/null a special device?
#
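sub checknull {
    # Verify that the basic device nodes exist as character devices.
    # Only the file type is tested; ownership and access modes of
    # /dev/mem and /dev/kmem are not examined here.
    #
    # The header no longer interpolates $confdev, a variable that is
    # never set, which left the title ending in a blank.
    print_header("CHECKING DEVICE FILES");
    @Confarray = ( '/dev/null', '/dev/zero', '/dev/mem', '/dev/kmem' );
    foreach $Confdev (@Confarray) {
        if ( -c "$Confdev" ) {
            print "\t$PASSSTR $Confdev is character device file\n";
        }
        else {
            print
              "\t$ERRSTR $Confdev is not character device or does not exist\n";
            $warnings++;
        }
    }
}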
#
# Subroutine to check kernel parameters
#
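sub checkkernel {
    # Print the kernel view of the system: sysdef output, the quicktune
    # configuration file, getconf values and the loaded modules.
    print_header("CHECKING KERNEL PARAMETERS");
    open( FROM, "sysdef |" ) || die "Cannot run sysdef\n";
    print "\n\t$INFOSTR Sysdef status\n";
    # The read loop names its handle; with an empty condition nothing was
    # read from the pipe.
    while (<FROM>) {
        $_ =~ s/^\s+//g;
        print $_;
    }
    close(FROM);
    $quicktune = '/etc/conf/cf.d/quicktune.cfg';
    if ( -s $quicktune ) {
        @qck = `nawk NF $quicktune`;
        if ("@qck") {
            print "\n\t$INFOSTR Configuration file $quicktune\n";
            print @qck;
        }
        else {
            print "\n\t$WARNSTR Confguration file $quicktune not used\n";
        }
    }
    @kcmod = `getconf`;
    if ("@kcmod") {
        print "\n\t$INFOSTR Kernel configuration\n";
        print @kcmod;
    }
    else {
        print "\n\t$WARNSTR Kernel configuration cannot be listed\n";
    }
    @modadm = `modadmin -S`;
    if ("@modadm") {
        print "\n\t$INFOSTR Loaded modules\n";
        print @modadm;
    }
    else {
        print "\n\t$WARNSTR Loaded modules cannot be listed\n";
    }
}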
#
# Subroutine to check various daemons
#
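sub basic_daemons {
    # Compare the process list (@allprocesses) with two lists: daemons
    # that should not run (@Nott) and daemons that must run (@Dmust, plus
    # the VxVM daemons when $Diskmgr mentions VxVM). For syslogd the
    # defaults file and the -y flag are checked as well.
    print_header("CHECKING CRITICAL DAEMONS");
    @Dmust = ( "inetd", "sshd", "syslogd", "cron" );
    if ( grep( /VxVM/, "$Diskmgr" ) ) {
        push( @Dmust, "vxconfigd", "vxfsd", "vxiod", "vxnotify" );
    }
    @Nott = (
        "automount",  "in.snmpd", "routed",      "gated",
        "dtlogin",    "ypserv",   "ypbind",      "dtrc",
        "xdm",        "xinit",    "mifsmuxd",    "rpc.rwalld",
        "rpc.sprayd", "sendmail", "rpc.rusersd", "xdaemon",
        "X386",
    );
    $ssd  = "/etc/default/syslogd";
    $netd = "/etc/netconfig";
    foreach $x (@Nott) {
        # \Q..\E: names such as "rpc.rwalld" contain a dot, which would
        # otherwise match any character.
        $ckd = grep( /\b\Q$x\E\b/i, @allprocesses );
        if ("$ckd") {
            print "\t$WARNSTR Daemon $x running (recommendation is to ";
            print "disable it)\n";
            $warnings++;
        }
        else {
            print "\t$PASSSTR Daemon $x not running\n";
        }
    }
    foreach my $daemon (@Dmust) {
        @cky = grep( /\Q$daemon\E/, @allprocesses );
        if ("@cky") {
            print "\t$PASSSTR Daemon $daemon running\n";
            if ( $daemon eq "syslogd" ) {
                # Direct read, so a missing file reaches the error branch.
                # The verdict is given once for the file; it used to be
                # printed, and counted, for every line of it.
                # NOTE(review): only the presence of SYSLOGDOPTS= is
                # tested; its value is not inspected for -N.
                if ( open( FROM, "< $ssd" ) ) {
                    my $opts_seen = 0;
                    while (<FROM>) {
                        chomp;
                        next if /^#/;
                        next if /^$/;
                        $opts_seen = 1 if /SYSLOGDOPTS=/;
                    }
                    close(FROM);
                    if ($opts_seen) {
                        print "\t$PASSSTR Daemon flags for $daemon set up ";
                        print "correctly in $ssd (flag -N)\n";
                        $Secure_SYSLOGD = 1;
                    }
                    else {
                        print
                          "\t$WARNSTR Daemon flags for $daemon not set up ";
                        print "correctly in $ssd (flag -N)\n";
                        $warnings++;
                    }
                }
                else {
                    print "\t$WARNSTR Configuration file missing ($ssd)\n";
                }
                # The two branches were swapped: the "flag -y not defined"
                # warning was printed when -y was present.
                if ( grep( /\-y/, @cky ) ) {
                    print
                      "\t$PASSSTR Daemon $daemon running with year logging ";
                    print "(flag -y defined)\n";
                }
                else {
                    print
                      "\t$WARNSTR Daemon $daemon running without year logging ";
                    print "(flag -y not defined)\n";
                    $warnings++;
                }
            }
            # NOTE(review): "netd" is not in @Dmust, so this branch is
            # never taken - confirm whether "inetd" was meant.
            if ( $daemon eq "netd" ) {
                open( FROM, "awk '! /^#/ && ! /awk/ {print}' $netd |" )
                  || die "Cannot open $netd\n";
                print "\t$INFOSTR Network configuration file $netd\n";
                while (<FROM>) {
                    next if /^$/;
                    print $_;
                }
                close(FROM);
            }
        }
        else {
            print "\t$WARNSTR Daemon $daemon not running\n";
            $warnings++;
        }
    }
}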
#
# Subroutine to check root's crontab
#
sub ROOT_CRON {
    # Print root's crontab and point out every entry whose hour field is
    # "*", lists one of the DST change hours, or spans both of them as a
    # range ($DSTbegin, $DSTend).
    print_header("CHECKING ROOT CRON TASKS");
    @CRarr = `nawk NF $CRFILE | awk '! /^#/ {print}'`;
    if ("@CRarr") {
        print "\t$PASSSTR Crontab for root exists\n";
        print @CRarr;
    }
    else {
        print "\t$INFOSTR Crontab for root does not exist\n";
    }
    print "\n\t$INFOSTR In Australia, Daylight Savings Time normally changes ";
    print "at 0200 and 0300 hours respectively\n";
    print "\t$INFOSTR Change variables \$DSTbegin and \$DSTend for other regions\n";
    my $dst_notice =
      "\n\t$INFOSTR Following task might be affected by Daylight Savings Time changes\n";
    foreach $cronjob (@CRarr) {
        # The hour is the second whitespace-separated crontab field.
        ( undef, $hourrun, undef ) = split( /\s+/, $cronjob );
        if ( $hourrun eq "*" ) {
            print $dst_notice;
            print $cronjob;
        }
        if ( $hourrun =~ /,/ ) {
            @hourarr = split( /,/, $hourrun );
            foreach $finhour (@hourarr) {
                my $hour = int($finhour);
                if ( $hour == $DSTbegin || $hour == $DSTend ) {
                    print $dst_notice;
                    print $cronjob;
                }
            }
        }
        if ( $hourrun =~ /-/ ) {
            ( $fromhour, $tohour ) = split( /-/, $hourrun );
            if ( int($fromhour) <= $DSTbegin && int($tohour) >= $DSTend ) {
                print $dst_notice;
                print $cronjob;
            }
        }
    }
}
#
# Subroutine to check cron ACLs
#
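sub cron_access {
    # Print the allow and deny lists of cron and at, without comments and
    # empty lines. A list that cannot be opened is reported and counted
    # in $warnings.
    print_header("CHECKING CRON ACCESS LIST");
    $CRON_DENY  = "/etc/cron.d/cron.deny";
    $CRON_ALLOW = "/etc/cron.d/cron.allow";
    $AT_DENY    = "/etc/cron.d/at.deny";
    $AT_ALLOW   = "/etc/cron.d/at.allow";
    # Every section after the first is separated by an empty line.
    my $lead = '';
    foreach my $acl ( $CRON_DENY, $CRON_ALLOW, $AT_DENY, $AT_ALLOW ) {
        # Direct read: a pipe from cat succeeds even for a missing file,
        # so the "Cannot open" branch was unreachable and an absent list
        # looked like an empty one.
        if ( open( ACL, "< $acl" ) ) {
            print "$lead\t$INFOSTR $acl:\n";
            while (<ACL>) {
                next if /^#/;
                next if /^$/;
                $_ =~ s/^\s+//g;
                print $_;
            }
            close(ACL);
        }
        else {
            print "$lead\t$ERRSTR Cannot open $acl\n";
            $warnings++;
        }
        $lead = "\n";
    }
}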
#
# Subroutine to check device configuration
#
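sub DEVSTAT {
    # Print the device inventory (devstat, DMI listing, SCSI driver
    # table, bus type) and, when the cluster package was detected
    # ($ncrcm), the cluster configuration files.
    print_header("CHECKING DEVICE STATUS");
    if ( open( IS, "devstat -F -i |" ) ) {
        # The read loop names its handle; with an empty condition nothing
        # was read from the pipe.
        while (<IS>) {
            push( @Alldevs, $_ );
        }
        close(IS);
    }
    if ("@Alldevs") {
        print @Alldevs;
    }
    else {
        print "\t$ERRSTR Hardware scan failed\n";
        $warnings++;
    }
    @dmicmd = `dmicmd listall`;
    if ("@dmicmd") {
        print "\n\t$INFOSTR DMI service layer listing\n";
        print @dmicmd;
    }
    # The closing quote ends the awk program before the file name; with
    # the file name inside the quotes awk was given no input file.
    @scsidrv = `awk '! /^#/ {print}' /etc/conf/sdevice.d/SCSI`;
    if ("@scsidrv") {
        print "\n\t$INFOSTR SCSI driver listing\n";
        print @scsidrv;
    }
    $bustype = `bustype`;
    print "\n\t$INFOSTR Bus type\n";
    print $bustype;
    print_header("CHECKING CLUSTERING");
    if ( "$ncrcm" > 0 ) {
        $ncrcf1 = '/var/opt/ncrdlm/lkmgr.conf';
        @ncrpr1 = `cat $ncrcf1`;
        if ("@ncrpr1") {
            print "\n\t$INFOSTR Cluster configuration file $ncrcf1\n";
            print @ncrpr1;
        }
        @NCRfarr = ( '/var/opt/ncrcm/.rhosts', '/var/opt/ncrcm/.profile' );
        foreach $ncrfy (@NCRfarr) {
            if ( -s "$ncrfy" ) {
                @ncrly = `nawk NF $ncrfy`;
                if ("@ncrly") {
                    print "\n\t$INFOSTR Cluster configuration file $ncrfy\n";
                    print @ncrly;
                }
                else {
                    print
                      "\t$INFOSTR Cluster configuration file $ncrfy not in use\n";
                }
            }
        }
    }
    else {
        print "\n\t$INFOSTR Clustering not configured\n";
    }
}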
#
# Subroutine to check basic performance
#
sub PERFORMANCE_BASICS {

    # Print the complete "sar -A" report and then the output of
    # "dispadmin -l", each only when the command returned something.
    print_header("CHECKING BASIC PERFORMANCE");

    @USED = `sar -A`;
    print @USED if ("@USED");

    @dispclass = `dispadmin -l | nawk NF`;
    unless ( !"@dispclass" ) {
        print "\n\t$INFOSTR Defined classes\n", @dispclass;
    }
}
#
# Subroutine to check syslog
#
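sub SYSLOG_LOGGING {

    # Show the active lines of syslog.conf, send a tagged test message with
    # logger and look for it in the file named on the "debug" line of
    # syslog.conf. Afterwards print errpt output and, when /var/adm/btmp is
    # non-empty, the failed logins reported by lastb.
    print_header("CHECKING SYSLOG OPERATIONAL");

    # The random number only makes this run's message distinguishable from
    # earlier runs; it is not used as a secret.
    $DDate       = rand();
    $LOGSTR      = "AUTOMATED TEST MESSAGE $DDate FOR OAT. PLEASE IGNORE";
    $syslog_conf = "/etc/syslog.conf";
    if ( -s "$syslog_conf" ) {
        if ( open( my $conffh, '<', $syslog_conf ) ) {
            print "\t$INFOSTR File $syslog_conf\n";

            # Read from the handle; a bare "while ()" never reads anything.
            while ( my $confline = <$conffh> ) {
                next if ( $confline =~ /^#/ );
                next if ( $confline =~ /^$/ );
                if ( $confline =~ /debug/ ) {

                    # The second whitespace-separated field is taken as the
                    # destination of the messages.
                    ( undef, $RSYSLOG ) = split( /\s+/, $confline );
                    chomp($RSYSLOG) if ( defined($RSYSLOG) );
                }
                print $confline;
            }
            close($conffh);
        }
        else {
            print "\n\t$WARNSTR Cannot open $syslog_conf\n";
            $warnings++;
        }
    }

    # List form: the message is handed to logger as one argument and no
    # shell is involved.
    system( "logger", $LOGSTR );
    if ( -s "$RSYSLOG" ) {
        $SYSLOG = $RSYSLOG;
        print "\n\t$INFOSTR Expected logging in $SYSLOG\n";

        # $SYSLOG was parsed out of syslog.conf, so the file is searched in
        # Perl instead of being interpolated into an egrep command line. The
        # match is literal, not a regular expression.
        $See = "";
        if ( open( my $logfh, '<', $SYSLOG ) ) {
            while ( my $logline = <$logfh> ) {
                $See .= $logline if ( index( $logline, $LOGSTR ) >= 0 );
            }
            close($logfh);
        }
        if ("$See") {
            print "\n\t$PASSSTR System logger messages successful\n";
        }
        else {
            print "\n\t$ERRSTR System logger messages failed\n";
            $warnings++;
        }
    }
    @logfind = `errpt`;
    if (@logfind) {
        print "\n\t$INFOSTR Recent syslog entries of interest\n";
        print @logfind;
    }

    # An empty or missing btmp is reported as "bad logins not logged".
    $btmplog = "/var/adm/btmp";
    if ( -s "$btmplog" ) {
        @btmp = `lastb 2>/dev/null | nawk NF`;
        if (@btmp) {
            print "\n\t$INFOSTR Recent unsuccessful login attempts\n";
            print @btmp;
        }
    }
    else {
        print "\n\t$WARNSTR Bad login attempts not logged in $btmplog\n";
        $warnings++;
    }
}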
#
# Subroutine to check Unix password and group databases
#
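sub pwdbcheck {

    # Check ownership, mode and link count of the password file, report
    # whether a shadow database is in use, run pwck/grpck/logins/passwd
    # consistency commands, list all passwd and group entries and finally
    # print the default privileges file.
    print_header("CHECKING UNIX PASSWORD AND GROUP DATABASES");
    (
        $pdev,  $pino,     $pmode, $pnlink, $puid,
        $pgid,  $prdev,    $psize, $patime, $pmtime,
        $pctime, $pblksize, $pblocks
    )
      = stat($PASSFILE);

    # More than one hard link means the file is reachable under another name.
    if ( "$pnlink" > 1 ) {
        print "\t$WARNSTR $PASSFILE has $pnlink hard links\n";
        $warnings++;
    }
    else {
        print "\t$PASSSTR $PASSFILE has one hard link only\n";
    }

    # Keep only the permission bits and render them in octal.
    $pfile_perms = $pmode & 0777;
    $poct_perms  = sprintf "%lo", $pfile_perms;
    if ( "$pblocks" == 0 ) {
        print "\n\t$WARNSTR $PASSFILE empty\n";
        $warnings++;
    }
    else {
        print "\n\t$PASSSTR $PASSFILE not empty\n";
    }
    if ( "$puid" == 0 ) {
        print "\n\t$PASSSTR $PASSFILE owned by UID $puid\n";
    }
    else {
        print "\n\t$WARNSTR $PASSFILE not owned by UID 0 ($puid)\n";
        $warnings++;
    }
    if ( "$pgid" == 3 ) {
        print "\n\t$PASSSTR $PASSFILE owned by GID $pgid\n";
    }
    else {
        print "\n\t$WARNSTR $PASSFILE not owned by GID 3 ($pgid)\n";
        $warnings++;
    }

    # $poct_perms holds the octal digits as text; the comparison is numeric
    # on those digits.
    if ( $poct_perms != "444" ) {
        print "\n\t$WARNSTR $PASSFILE permissions not 444 ($poct_perms)\n";
        $warnings++;
    }
    else {
        print "\n\t$PASSSTR $PASSFILE permissions correct ($poct_perms)\n";
    }
    if ( -T "$PASSFILE" ) {
        print "\n\t$PASSSTR $PASSFILE is plain ASCII file\n";
    }
    else {
        print "\n\t$WARNSTR $PASSFILE not plain ASCII file\n";
        $warnings++;
    }
    if ( !-s "$Shadow" ) {
        print "\n\t$ERRSTR Shadow password database not used\n";
        $warnings++;
        print "\n\t$WARNSTR Standard password database used\n\n";
    }
    else {
        print "\n\t$PASSSTR Shadow password database used\n";
        print "\t$PASSSTR Enhanced password database used\n\n";

        # Opened directly so that the "Cannot open" branch is reachable; the
        # former "cat FILE |" pipe succeeded whenever the shell started.
        if ( open( my $shadfh, '<', $Shadow ) ) {
            print "\t$INFOSTR File $Shadow\n";
            while ( my $shadline = <$shadfh> ) {

                # The report goes to stdout or to a file, so password hashes
                # are kept out of it. A traditional crypt(3) hash is 13
                # characters and newer formats are longer; shorter values
                # (empty, NP, *LK* and similar markers) are status
                # information and are printed unchanged.
                my @shadfield = split( /:/, $shadline, -1 );
                if ( @shadfield > 1 && length( $shadfield[1] ) >= 13 ) {
                    $shadfield[1] = "<redacted>";
                    $shadline = join( ":", @shadfield );
                }
                print $shadline;
            }
            close($shadfh);
        }
        else {
            print "\t$WARNSTR Cannot open $Shadow\n";
            $warnings++;
        }
    }
    @passck   = `pwck 2>&1 | nawk NF`;
    @grpck    = `grpck 2>&1 | nawk NF`;
    @loginsnp = `logins -p 2>&1 | nawk NF`;
    @passsa   = `passwd -sa | nawk NF`;
    $defp     = '/etc/default/passwd';
    @defpasscfg = `awk '! /^#/ {print}' $defp`;
    if (@defpasscfg) {
        print "\n\t$INFOSTR Default password configuration file $defp\n";
        print @defpasscfg;
    }
    if (@passsa) {
        print "\n\t$INFOSTR Password file status\n";
        print @passsa;
    }
    print "\n\t$INFOSTR Pwck(1) verification\n";
    if (@passck) {
        print @passck;
    }
    else {
        print "\t$PASSSTR Pwck clean\n\n";
    }
    print "\n\t$INFOSTR Grpck(1) verification\n";
    if (@grpck) {
        print @grpck;
    }
    else {
        print "\t$PASSSTR Grpck clean\n\n";
    }
    if (@loginsnp) {
        print "\n\t$INFOSTR Logins with empty passwords\n";
        print @loginsnp;
    }
    else {
        print "\n\t$PASSSTR No logins with empty passwords\n\n";
    }
    $nisflag      = 0;
    $lastlogindir = '/var/adm/lastlogin';

    # NOTE(review): $entry[1] is the password field returned by getpwent and
    # is stored and printed with the rest of the entry. Confirm that it never
    # carries a hash on this platform when the script runs as root.
    while ( @entry = getpwent ) {
        $passno++;
        push( @Passnumarr, $entry[2] );
        if ( $entry[2] == 0 ) {
            print "\t$INFOSTR Username $entry[0] has UID 0\n\n";
            $uidno++;
        }
        if ( !-f "$lastlogindir/$entry[0]" ) {
            print
              "\t$WARNSTR Username $entry[0] without lastlogin logging\n\n";
            $warnings++;
        }

        # A field starting with "+" is counted as a NIS compatibility entry.
        if ( grep( /^\+/, @entry ) ) {
            $nisflag++;
        }
        push( @PassWdarr, "@entry\n" );
    }
    while ( @grentry = getgrent ) {
        push( @Grarr,    "@grentry\n" );
        push( @Grnumarr, $grentry[2] );
    }
    if ( $nisflag > 0 ) {
        print "\t$WARNSTR There are \"+:\" entries in password file\n\n";
        $warnings++;
    }
    else {
        print "\t$PASSSTR No \"+:\" entries in password file\n\n";
    }
    if ( $uidno > 1 ) {
        print "\t$WARNSTR Multiple usernames with UID 0\n\n";
        $warnings++;
    }
    else {
        print "\t$PASSSTR No multiple usernames with UID 0\n\n";
    }
    if ("@PassWdarr") {
        print "\t$INFOSTR Entries in Unix password file\n";
        print @PassWdarr;
    }
    if ("@Grarr") {
        print "\n\t$INFOSTR Entries in Unix group file\n";
        print @Grarr;
    }
    print_header("CHECKING DEFAULT PRIVILEGES");
    $privdef = '/etc/security/tcb/privs';
    if ( -s "$privdef" ) {
        @privcat = `cat $privdef`;
        print @privcat;
    }
    else {
        print "\n\t$INFOSTR Privileges file $privdef empty or non-existent\n";
        $warnings++;
    }
}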
#
# Subroutine to check superdaemon inetd setup
#
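sub inetdchk {

    # List the active inetd services. When an ftp service is enabled, also
    # check the FTP deny list and the ftpaccess/ftphosts files. Finally
    # report hosts.equiv entries and the list of valid shells.
    #
    # Configuration files are opened directly: the former "awk ... FILE |"
    # pipes succeeded whenever the shell started, so unreadable files were
    # never reported, and two of the awk command lines had unbalanced
    # quotes.
    print_header("CHECKING INTERNET SERVICES");
    if ( -s "$INETD" && open( my $inetdfh, '<', $INETD ) ) {
        print "\t$INFOSTR Active services in $INETD\n";
        while ( my $svcline = <$inetdfh> ) {
            next if ( $svcline =~ /^#/ );
            next if ( $svcline =~ /^$/ );
            print $svcline;
            chomp($svcline);
            if ( $svcline =~ /^ftp/ ) {
                $FTP_FLAG++;
            }
        }
        close($inetdfh);
        print "\n";
        if ( $FTP_FLAG > 0 ) {
            if ( !-s "$ftpusers" ) {
                print
                  "\n\t$ERRSTR FTP configuration file $ftpusers missing\n";
                $warnings++;
            }
            elsif ( open( my $ftpufh, '<', $ftpusers ) ) {
                print "\t$INFOSTR Users in $ftpusers\n";
                while ( my $denied = <$ftpufh> ) {
                    next if ( $denied =~ /^#/ );
                    next if ( $denied =~ /^$/ );
                    print $denied;
                    push( @ftpDisArr, $denied );
                }
                close($ftpufh);
                print "\n";

                # Every account in @FTPdisable is expected to be listed in
                # the deny file. \Q...\E keeps the account name literal.
                foreach $ftpusr (@FTPdisable) {
                    if ( grep( /\b\Q$ftpusr\E\b/, @ftpDisArr ) ) {
                        print
"\t$PASSSTR FTP access disabled for $ftpusr in $ftpusers\n";
                    }
                    else {
                        print
"\t$ERRSTR FTP access allowed for $ftpusr in $ftpusers\n";
                        $warnings++;
                    }
                }
            }
            else {
                print "\t$ERRSTR Cannot open $ftpusers\n";
                $warnings++;
            }
            if ( !-s "$ftpacc" ) {
                print "\n\t$ERRSTR FTP configuration file $ftpacc missing\n";
                $warnings++;
            }
            elsif ( open( my $ftpafh, '<', $ftpacc ) ) {
                print "\n\t$INFOSTR Configuration file $ftpacc\n";
                while ( my $accline = <$ftpafh> ) {
                    next if ( $accline =~ /^#/ );
                    next if ( $accline =~ /^$/ );
                    print $accline;
                }
                close($ftpafh);
            }
            else {
                print "\n\t$WARNSTR Cannot open $ftpacc\n";
                $warnings++;
            }
            if ( !-s "$ftphosts" ) {
                print
                  "\n\t$ERRSTR FTP configuration file $ftphosts missing\n";
                $warnings++;
            }
            elsif ( open( my $ftphfh, '<', $ftphosts ) ) {
                print "\n\t$INFOSTR Configuration file $ftphosts\n";
                while ( my $hostline = <$ftphfh> ) {
                    next if ( $hostline =~ /^#/ );
                    next if ( $hostline =~ /^$/ );
                    print $hostline;
                }
                close($ftphfh);
            }
            else {
                print "\n\t$WARNSTR Cannot open $ftphosts\n";
                $warnings++;
            }
        }
    }
    else {
        print "\t$ERRSTR Cannot open $INETD\n";
        $warnings++;
    }

    # Any active line in hosts.equiv is reported with the warning marker.
    if ( -s "$hostequiv" ) {
        @heq = `awk '! /^#/ {print}' $hostequiv | nawk NF 2>/dev/null`;
        if ("@heq") {
            print "\n\t$WARNSTR $hostequiv enabled\n";
            print @heq;
        }
        else {
            print "\n\t$PASSSTR $hostequiv disabled\n";
        }
    }
    else {
        print "\n\t$PASSSTR $hostequiv does not exist or is empty\n";
    }
    if ( -s "$Shells" ) {
        if ( open( my $shellfh, '<', $Shells ) ) {
            print "\n\t$INFOSTR Active Shells in $Shells\n";
            while ( my $shell = <$shellfh> ) {
                next if ( $shell =~ /^#/ );
                next if ( $shell =~ /^$/ );
                $shell =~ s/^\s+//;
                print $shell;
            }
            close($shellfh);
        }
        else {
            print "\n\t$INFOSTR $Shells not in use\n";
            $warnings++;
        }
    }
}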
#
# Subroutine to check defined protocols and services
#
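sub protchk {

    # Print the non-comment, non-blank lines of /etc/services,
    # /etc/protocols and /etc/ethers, or say that the file is missing.
    #
    # The files are opened directly; the former "cat FILE |" pipes succeeded
    # whenever the shell started, and the read loops had lost their file
    # handle.
    print_header("CHECKING DEFINED SERVICES AND PROTOCOLS");
    $SERVICES  = "/etc/services";
    $PROTOCOLS = "/etc/protocols";
    $ETHERS    = "/etc/ethers";
    if ( -s "$SERVICES" ) {
        if ( open( my $svcfh, '<', $SERVICES ) ) {
            print "\t$INFOSTR Active services in $SERVICES\n";
            while ( my $svc = <$svcfh> ) {
                next if ( $svc =~ /^#/ );
                next if ( $svc =~ /^$/ );
                $svc =~ s/^\s+//;
                print $svc;
            }
            close($svcfh);
        }
        else {
            print "\t$ERRSTR Cannot open $SERVICES\n";
            $warnings++;
        }
    }
    else {
        print "\t$INFOSTR File $SERVICES missing\n";
    }
    if ( -s "$PROTOCOLS" ) {
        if ( open( my $protofh, '<', $PROTOCOLS ) ) {
            print "\n\t$INFOSTR Active services in $PROTOCOLS\n";
            while ( my $proto = <$protofh> ) {
                next if ( $proto =~ /^$/ );
                next if ( $proto =~ /^#/ );
                $proto =~ s/^\s+//;
                print $proto;
            }
            close($protofh);
        }
        else {
            print "\n\t$ERRSTR Cannot open $PROTOCOLS\n";
            $warnings++;
        }
    }
    else {
        print "\n\t$INFOSTR File $PROTOCOLS missing\n";
    }

    # An unreadable ethers file is reported as informational only.
    if ( -s "$ETHERS" ) {
        if ( open( my $etherfh, '<', $ETHERS ) ) {
            print "\n\t$INFOSTR Active hosts in $ETHERS\n";
            while ( my $ether = <$etherfh> ) {
                next if ( $ether =~ /^$/ );
                next if ( $ether =~ /^#/ );
                $ether =~ s/^\s+//;
                print $ether;
            }
            close($etherfh);
        }
        else {
            print "\n\t$INFOSTR $ETHERS not in use\n";
        }
    }
    else {
        print "\n\t$INFOSTR File $ETHERS missing\n";
    }
}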
#
# Subroutine to check SMTP setup
#
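sub smtpchk {

    # Print the active sendmail.cf lines, check the smart host (DS) and
    # PrivacyOptions settings, show the mail queue and mail statistics, and
    # list both alias files.
    #
    # Files are opened directly; the former "cat FILE |" pipes succeeded
    # whenever the shell started, and the read loops had lost their file
    # handle.
    print_header("CHECKING EMAIL SERVICES");
    $SMTPD = "/usr/ucblib/sendmail.cf";
    if ( -s "$SMTPD" ) {
        if ( open( my $cffh, '<', $SMTPD ) ) {
            print "\t$INFOSTR Sendmail configuration file $SMTPD\n";
            while ( my $cfline = <$cffh> ) {
                next if ( $cfline =~ /^#/ );
                next if ( $cfline =~ /^$/ );
                print $cfline;
            }
            close($cffh);
        }
        $RELAY = `awk '/^DS/ && ! /awk/ {print}' $SMTPD 2>&1`;
        chomp($RELAY);
        $RELAY =~ s/^DS//g;
        $RELAY =~ s/DS//g;
        @PRIVACY = `awk '/PrivacyOptions/ && ! /awk/ {print}' $SMTPD 2>&1`;
    }

    # Both noexpn and novrfy have to appear for the options to count as
    # defined.
    if ("@PRIVACY") {
        if (   ( grep( /noexpn/, @PRIVACY ) )
            && ( grep( /novrfy/, @PRIVACY ) ) )
        {
            print "\n\t$INFOSTR Sendmail privacy options defined\n";
        }
        else {
            print "\n\t$WARNSTR Sendmail privacy options not defined\n";
        }
        print @PRIVACY;
    }
    if ("$RELAY") {
        print "\t$PASSSTR SMTP Smart Host defined\n";
        print "\t$RELAY\n";
    }
    else {
        print "\t$ERRSTR SMTP Smart Host not defined\n";
        $warnings++;
    }
    @mailqcheck = `sendmail -bp | egrep -vi empty`;
    if ("@mailqcheck") {
        print "\n\t$WARNSTR Mail queue not empty\n";
        print "\t$INFOSTR Mail queue status\n";
        print @mailqcheck;
    }
    else {
        print "\n\t$PASSSTR Mail queue empty\n";
    }
    @mailstat = `/usr/ucb/mailstats 2>&1`;
    if ( grep( /No such/, @mailstat ) ) {
        print "\n\t$WARNSTR Sendmail statistics not defined\n";
        print @mailstat;
        $warnings++;
    }
    else {
        print "\n\t$INFOSTR Sendmail statistics\n";
        print @mailstat;
    }
    @mailstat = `mailstats 2>&1`;
    if ( grep( /No such/, @mailstat ) ) {
        print "\n\t$WARNSTR SVR4 email statistics not defined\n";
        print @mailstat;
        $warnings++;
    }
    else {
        print "\n\t$INFOSTR SVR4 email statistics\n";
        print @mailstat;
    }
    $alin = "/etc/mail/names";
    if ( open( my $namesfh, '<', $alin ) ) {
        print "\n\t$INFOSTR SVR4 email aliases in $alin\n";
        while ( my $alias = <$namesfh> ) {
            next if ( $alias =~ /^#/ );
            next if ( $alias =~ /^$/ );
            $alias =~ s/^\s+//;
            print $alias;
        }
        close($namesfh);
    }
    else {
        print "\n\t$ERRSTR Cannot open SVR4 email aliases $alin\n";
        $warnings++;
    }
    $alis = "/usr/ucblib/aliases";
    if ( open( my $aliasfh, '<', $alis ) ) {
        print "\n\t$INFOSTR Sendmail email aliases in $alis\n";
        while ( my $alias = <$aliasfh> ) {
            next if ( $alias =~ /^#/ );
            next if ( $alias =~ /^$/ );
            $alias =~ s/^\s+//;
            print $alias;
        }
        close($aliasfh);
    }
    else {
        print "\n\t$ERRSTR Cannot open Sendmail email aliases $alis\n";
        $warnings++;
    }

    # Set for use outside this subroutine; nothing here reads it.
    @mailboxsearch = ("/var/mail");
}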
#
# Subroutine to check RPC
#
sub rpcchk {

    # Print the RPC program table from "rpcinfo -p", or note that nothing
    # was returned.
    print_header("CHECKING REMOTE PROCEDURE CALLS");
    my @rpcinfo = `rpcinfo -p 2>/dev/null`;
    unless ("@rpcinfo") {
        print "\t$INFOSTR RPC seemingly not used\n";
        return;
    }
    print "\t$INFOSTR RPC status\n";
    print @rpcinfo;
}
#
# Subroutine to check DNS
#
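sub dnschk {

    # Print the name server configuration when named is running, then the
    # name service switch, the resolver configuration and the hosts file,
    # and check that the hosts file has an entry for 127.0.0.1.
    #
    # Files are opened directly; the former "awk ... FILE | nawk NF |" pipes
    # succeeded whenever the shell started, and the read loops had lost
    # their file handle.
    print_header("CHECKING DOMAIN NAME SERVICES");

    # Prints every line that is not a comment and is not blank.
    my $print_active = sub {
        my ($fh) = @_;
        while ( my $line = <$fh> ) {
            next if ( $line =~ /^#/ );
            next unless ( $line =~ /\S/ );
            print $line;
        }
    };
    if ( !"@DNSRUN" ) {
        print "\t$INFOSTR DNS server (named) not running\n";
    }
    else {
        print "\t$INFOSTR DNS server (named) running\n";
        print "\n\t$INFOSTR Checking $DNSCONF\n";

        # Reported as a warning: aborting here would drop every check that
        # follows, and the old pipe open did not fail for a missing file.
        if ( open( my $namedfh, '<', $DNSCONF ) ) {
            $print_active->($namedfh);
            close($namedfh);
        }
        else {
            print "\t$WARNSTR Cannot open $DNSCONF\n";
        }
    }
    print "\n\t$INFOSTR Hostname resolve configuration\n";
    if ( open( my $svcfh, '<', $SVCCONF ) ) {
        $print_active->($svcfh);
        close($svcfh);
    }
    else {
        print "\t$WARNSTR Cannot open $SVCCONF\n";
    }
    print "\n\t$INFOSTR DNS resolver configuration ($NAMED):\n";
    if ( open( my $resfh, '<', $NAMED ) ) {
        $print_active->($resfh);
        close($resfh);
    }
    else {
        print "\t$WARNSTR Cannot open $NAMED\n";
    }
    $lhentry = "127.0.0.1";
    if ( -s "$HOSTS" ) {
        print "\n\t$INFOSTR Configuration file $HOSTS exists\n";
        if ( open( my $hostsfh, '<', $HOSTS ) ) {
            while ( my $hostline = <$hostsfh> ) {
                next if ( $hostline =~ /^#/ );
                next unless ( $hostline =~ /\S/ );
                print $hostline;

                # The old pattern /\$lhentry/ looked for the literal text
                # "$lhentry" and so never matched. Match the address itself
                # at the start of the line, followed by whitespace.
                if ( $hostline =~ /^\s*\Q$lhentry\E\s/ ) {
                    $LOCALHOST_FLAG++;
                }
            }
            close($hostsfh);
        }
        else {

            # The message used to be a bare string that was never printed.
            print "\n\t$ERRSTR Cannot open $HOSTS\n";
        }
    }
    else {
        print "\n\t$ERRSTR Configuration file $HOSTS does not exist\n";
        $warnings++;
    }

    # The test used to be inverted (PASS when the counter was zero), which
    # together with the never-matching pattern reported PASS every time.
    if ( $LOCALHOST_FLAG > 0 ) {
        print "\n\t$PASSSTR Valid entry for localhost ($lhentry) in $HOSTS\n";
    }
    else {
        print "\n\t$ERRSTR No entry for localhost ($lhentry) in $HOSTS\n";
        $warnings++;
    }
}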
#
# Subroutine to check NIS/YP
#
sub nischk {

    # Report the NIS domain and binding, then the contents of the
    # securenets and secureservers files. A missing or empty file of either
    # kind is counted as a warning.
    print_header("CHECKING NETWORK INFORMATION SERVICES (NIS/YP)");
    $domname = `domainname | nawk NF`;
    unless ("$domname") {
        print "\t$INFOSTR NIS not set\n";
        return;
    }
    @ypwhich = `ypwhich 2>/dev/null`;
    unless ("@ypwhich") {
        print "\t$INFOSTR NIS not active\n";
        return;
    }
    print "\t$INFOSTR NIS domain $domname (bound to @ypwhich)";
    $secnets    = "/var/yp/securenets";
    $secservers = "/var/yp/secureservers";

    # Each access file is paired with the global array that receives its
    # active lines.
    foreach my $pair ( [ $secnets, \@sn ], [ $secservers, \@sn1 ] ) {
        my ( $aclfile, $active ) = @{$pair};
        if ( !-s "$aclfile" ) {
            print "\t$INFOSTR File $aclfile does not exist";
            $warnings++;
            next;
        }
        @{$active} = `awk '! /^#/ {print}' $aclfile 2>/dev/null`;
        if ("@{$active}") {
            print "\t$INFOSTR File $aclfile";
            print @{$active};
        }
        else {
            print "\t$INFOSTR File $aclfile not set";
            $warnings++;
        }
    }
}
#
# Subroutine to check RAM and swap
#
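sub swapcheck {

    # Work out the memory size in MB from /etc/.osm or memsize, add up the
    # swap devices listed by "swap -l" and compare the total with a fixed
    # minimum and with the memory size.
    print_header("CHECKING MEMORY AND SWAP");
    $MEM1 = `awk -F= '/^total real memory/ {print \$2}' /etc/.osm`;
    chomp($MEM1);
    $MEM1 =~ s/^\s+//g;
    if ("$MEM1") {
        $MEM_BYTE1 = int( $MEM1 / ( 1024 * 1024 ) );
    }
    $MEMSIZE = `memsize 2>/dev/null`;
    chomp($MEMSIZE);
    if ("$MEMSIZE") {
        $MEM_BYTE2 = int( $MEMSIZE / ( 1024 * 1024 ) );
    }
    my $MEM_MBYTE = $MEM_BYTE1 || $MEM_BYTE2 || "";
    if ("$MEM_MBYTE") {
        print "\t$INFOSTR Memory size is $MEM_MBYTE MB\n";
    }
    else {
        print "\t$INFOSTR Cannot calculate memory size\n";
    }
    open( MX, "swap -l |" )
      || die "Cannot run swap\n";

    # Read from the swap pipe; a bare "while ()" never reads the handle and
    # never terminates.
    while (<MX>) {
        print $_;
        $swapdeviceno++;
        next if ( grep( /blocks/, $_ ) );
        if ( grep( /^\/dev/, $_ ) ) {
            chomp;
            ( $swappath, $swapdev, $swaplow, $tswapdef, $tswapfree ) =
              split( /\s+/, $_ );
            $tswap1 += $tswapdef;
        }
    }
    close(MX);

    # NOTE(review): dividing by 2 * 1024 presumes the size column is in
    # 512-byte blocks - confirm against swap(1M) on the target system.
    $tswap = int( $tswap1 / ( 2 * 1024 ) );

    #
    # Minimum swap size (as per Unix Standard Build)
    #
    $minswap = 2048;
    if ( $tswap < $minswap ) {
        print "\n\t$WARNSTR Swap space is less than minimum ";
        print "(Swap=$tswap MB, minumum=$minswap MB)\n";
        $warnings++;
    }

    # Without a memory size the comparison below would be against zero and
    # would always report a pass, so it is skipped.
    if ( !"$MEM_MBYTE" ) {
        return;
    }
    if ( $MEM_MBYTE >= 4096 ) {
        if ( $tswap < ($MEM_MBYTE) ) {
            $warnings++;
            print "\n\t$WARNSTR Swap space is less than RAM ";
        }
        else {
            print "\n\t$PASSSTR Swap space is at least RAM ";
        }
        print "(Memory=$MEM_MBYTE MB, Swap=$tswap MB)\n";
    }
    else {
        if ( $tswap < ( 2 * $MEM_MBYTE ) ) {
            $warnings++;
            print "\n\t$WARNSTR Swap space is less than DOUBLE RAM ";
        }
        else {
            print "\n\t$PASSSTR Swap space is at least DOUBLE RAM ";
        }
        print "(Memory=$MEM_MBYTE MB, Swap=$tswap MB)\n";
    }
}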
#
# Subroutine to check login banners
#
sub motd {

    # Check that the two login banner files ($ISSUE and $MOTD) exist and are
    # non-empty, and warn when either still contains "Release" or "HP",
    # which is taken as a sign that the banner was not customised.
    print_header("CHECKING LOGIN BANNERS");
    if ( !-s "$ISSUE" ) {
        print "\t$WARNSTR Login banner $ISSUE does not exist\n";
        $warnings++;
    }
    else {
        print "\t$PASSSTR Login banner $ISSUE exists\n";
        $sst = `egrep "Release|HP" $ISSUE`;
        if ("$sst") {
            print "\t$WARNSTR Login banner $ISSUE possibly not customised "
              . "(please check it)\n";
            $warnings++;
        }
    }
    if ( !-s "$MOTD" ) {
        print "\n\t$WARNSTR Login banner $MOTD does not exist\n";
        $warnings++;
    }
    else {
        print "\n\t$PASSSTR Login banner $MOTD exists\n";
        $ssm = `egrep "Release|HP" $MOTD`;
        if ("$ssm") {
            print "\n\t$WARNSTR Login banner $MOTD possibly not customised "
              . "(please check it)\n";
            $warnings++;
        }
    }
}
#
# Subroutine to check SAN configuration
#
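sub SANchk {

    # Run the vendor storage utilities (lad, spmgr, xpinfo, arraydsp,
    # syminq, irconcheck, armdsp, fcmsutil, autopath) and print whatever
    # they return. $ARRFLAG counts the array families that answered.
    print_header("CHECKING SAN CONFIGURATION (IF APPLICABLE)");

    # Wraps a value in single quotes for the shell. The alias and the device
    # path used below are parsed from command output, so they are quoted
    # before they go onto a command line.
    my $shell_quote = sub {
        my ($word) = @_;
        $word =~ s/'/'\\''/g;
        return "'$word'";
    };
    @LAD = `lad 2>/dev/null`;
    if ("@LAD") {
        print "\t$INFOSTR Disk array logical units\n";
        print @LAD;
    }
    else {
        print "\t$INFOSTR No disk array logical units detected\n";
    }
    @SPMGR    = `spmgr display 2>/dev/null`;
    @XPINFO   = `xpinfo 2>/dev/null| egrep -v "Scanning|No disk"| nawk NF`;
    @ARRAYDSP = `arraydsp -i 2>/dev/null`;
    @EMC      = `syminq 2>/dev/null`;
    @INTRAID =
      `irconcheck 2>/dev/null | egrep -vi "No Internal RAID adapters found"`;
    @ARMDSP  = `armdsp -i 2>/dev/null | nawk NF`;
    $ARRFLAG = 0;
    if ("@SPMGR") {
        print "\n\t$INFOSTR EVA SAN seemingly connected\n";
        print @SPMGR;
        $ARRFLAG++;
    }
    if ("@XPINFO") {
        print "\n\t$INFOSTR XP SAN seemingly connected\n";
        print @XPINFO;
        $ARRFLAG++;
    }
    if ("@ARRAYDSP") {
        print "\n\t$INFOSTR AutoRAID seemingly connected\n";
        print @ARRAYDSP;
        $ARRFLAG++;
    }
    if ("@EMC") {
        print "\n\t$INFOSTR EMC Symmetrix seemingly connected\n";
        print @EMC;
        $ARRFLAG++;
    }

    # NOTE(review): neither this branch nor the Virtual Array branch below
    # increments $ARRFLAG - confirm that this is intended.
    if ("@INTRAID") {
        print "\n\t$INFOSTR Internal RAID adapters seemingly connected\n";
        print @INTRAID;
    }
    if ("@ARMDSP") {
        print "\n\n\t$INFOSTR Virtual Array seemingly connected\n";
        print @ARMDSP;
        foreach $armline (@ARMDSP) {
            chomp($armline);
            if ( grep( /Alias Name:/, $armline ) ) {
                ( undef, $ARMALIAS ) = split( /:/, $armline );
                if ("$ARMALIAS") {

                    # Trim the blank left over from "Alias Name: x" and skip
                    # the query when nothing remains.
                    my $alias = $ARMALIAS;
                    $alias =~ s/^\s+//;
                    $alias =~ s/\s+$//;
                    next if ( $alias eq "" );
                    my $alias_arg = $shell_quote->($alias);
                    @FULLARM = `armdsp -L $alias_arg 2>/dev/null`;
                    if ("@FULLARM") {
                        print "\t$INFOSTR Virtual Array configuration\n";
                        print @FULLARM;
                    }
                }
            }
        }
    }
    if ( $ARRFLAG == 0 ) {
        print
"\t$INFOSTR It seems no SAN connected or their support toolkits not installed correctly\n";
    }
    if ("@FCarray") {
        print "\n\t$INFOSTR Fcmsutil status\n";
        foreach $fa (@FCarray) {
            chomp($fa);
            $fa =~ s/^\s+//g;
            $fa =~ s/CLAIMED.*//g;
            $fa =~ s/\s+$//g;
            ( undef, $instance, $fcpath, $ddriv, undef ) =
              split( /\s+/, $fa );

            # Device path is assembled from the driver name and instance
            # number found in the @FCarray line.
            $fulfcpath = "/dev/${ddriv}${instance}";
            print "\t$INFOSTR fcmsutil $fulfcpath\n";
            my $fcpath_arg = $shell_quote->($fulfcpath);
            @printfc = `fcmsutil $fcpath_arg 2>&1`;
            print "@printfc";
        }
    }
    if ( "$autopath" == 1 ) {
        print "\n\t$INFOSTR AutoPath seemingly installed\n";
        @autop = `autopath display all | nawk NF`;
        print @autop;
    }
}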
#
# Subroutine to check VxVM
#
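sub VXVM_CHECK {

    # Report the VxVM logging options from $VXCONF and the output of
    # "vxdisk list", "vxdg free", "vxprint -htvq" and "vxtask list".
    #
    # The read loops had lost their file handle ("while ()"); each one now
    # reads from the handle opened just before it.
    print_header("CHECKING VXVM STATUS");
    if ( -s "$VXCONF" ) {

        # Opened directly so that the "Cannot open" branch is reachable; the
        # former awk pipe succeeded whenever the shell started.
        if ( open( my $vxconffh, '<', $VXCONF ) ) {
            while ( my $optline = <$vxconffh> ) {
                next unless ( $optline =~ /^opts=/ );

                # Drop a trailing comment, then keep the text after "=".
                $optline =~ s/#.*$//g;
                ( undef, $Vxopts ) = split( /=/, $optline );
                $Vxopts =~ s/\"//g;
            }
            close($vxconffh);
            if ("$Vxopts") {
                print "\t$PASSSTR VxVM logging defined in $VXCONF\n";
                print "\t$Vxopts\n";
            }
            else {
                print "\t$WARNSTR VxVM logging not defined in $VXCONF\n";
                $warnings++;
            }
        }
        else {
            print "\t$WARNSTR Cannot open $VXCONF\n";
            $warnings++;
        }
    }
    else {
        print "\t$WARNSTR Cannot open $VXCONF\n";
        $warnings++;
    }
    open( VXD, "vxdisk list |" ) || die "Cannot run vxdisk\n";
    print "\t$INFOSTR Vxdisk:\n";
    while (<VXD>) {
        next if ( grep( /^$/, $_ ) );

        # Any line without "online" is labelled as a non-VxVM disk.
        if ( grep( /online/, $_ ) ) {
            print "\t$INFOSTR Disk under VxVM management\n";
            print $_;
        }
        else {
            print "\t$WARNSTR Non-VxVM disk\n";
            print $_;
        }
    }
    close(VXD);
    if ( open( DUB, "vxdg free |" ) ) {
        print "\t$INFOSTR Vxdg free:\n";
        while (<DUB>) {
            next if ( grep( /^$/, $_ ) );
            print $_;
        }
        close(DUB);
    }
    else {
        print "\t$WARNSTR Cannot run vxdg\n";
        $warnings++;
    }
    if ( open( MP, "vxprint -htvq |" ) ) {
        print "\t$INFOSTR vxprint:\n";
        while (<MP>) {
            next if ( grep( /^$/, $_ ) );

            # MAINT, ERR or OFF anywhere on the line, in any letter case,
            # counts as a warning.
            if ( grep( /MAINT|ERR|OFF/i, $_ ) ) {
                print "\t$WARNSTR Check VxVM error\n";
                $warnings++;
            }
            print $_;
        }
        close(MP);
    }
    else {
        print "\t$WARNSTR Cannot run vxprint\n";
        $warnings++;
    }
    @vxtask = `vxtask list`;
    if ("@vxtask") {
        print "\t$INFOSTR VxVM task status\n";
        print @vxtask;
    }
}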
#
# Subroutine to check LAN
#
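sub lancheck {

    # Print the configured LAN devices, the routing table (checking for a
    # default route), customised parameters from /etc/inet/sdf, the active
    # connections and per-interface error and collision counters.
    #
    # The read loops had lost their file handle ("while ()"); each one now
    # reads from the handle opened just before it.
    print_header("CHECKING NETWORK SETUP");
    if ("@LANarray") {
        print "\t$INFOSTR LAN devices configured\n";
        print @LANarray;
    }
    print "\n";
    $lanok = 0;
    open( LAN, "netstat -rn |" ) || die "Cannot run netstat";
    while (<LAN>) {
        $_ =~ s/^\s+//g;
        if ( grep( /default/i, $_ ) ) {
            print "\n\t$PASSSTR Default static route defined\n";

            # Second column of the route line is kept as the gateway.
            ( undef, $gwip, undef, undef, undef, undef ) = split( /\s+/, $_ );
            chomp($gwip);
            $lanok++;
        }
        print $_;
    }

    # The handle used to be left open.
    close(LAN);
    if ( $lanok == 0 ) {
        print "\n\t$WARNSTR Default static route missing\n";
        $warnings++;
    }
    $SDFCONF = '/etc/inet/sdf';
    if ( -s "$SDFCONF" ) {

        # Opened directly so that the "Cannot open" branch is reachable; the
        # former "cat FILE |" pipe succeeded whenever the shell started.
        if ( open( my $sdffh, '<', $SDFCONF ) ) {
            while ( my $sdfline = <$sdffh> ) {
                next if ( $sdfline =~ /^#/ );
                next if ( $sdfline =~ /^$/ );
                push( @NDset, $sdfline );
            }
            close($sdffh);
            if ("@NDset") {

                # This message used to name $NDDCONF, which this subroutine
                # never sets; the file that was read is $SDFCONF.
                print
                  "\n\t$INFOSTR Customised network parameters in $SDFCONF\n";
                print @NDset;
            }
            else {
                print
"\n\t$INFOSTR No customised network parameters in $SDFCONF\n";
            }
        }
        else {
            print "\n\t$WARNSTR Cannot open $SDFCONF\n";
        }
    }
    else {
        print "\t$INFOSTR $SDFCONF empty\n";
    }
    @neti = `netstat -a`;
    if ("@neti") {
        print "\n\t$INFOSTR Active connections\n";
        print @neti;
    }
    if ( open( NETN, "netstat -in |" ) ) {
        print "\n\t$INFOSTR Network errors and collisions\n";
        while (<NETN>) {
            $_ =~ s/^\s+//g;
            print $_;

            # The header line is printed but not evaluated.
            next if ( grep( /Mtu/, $_ ) );
            (
                $Lname, $Lmtu,  $Lnet,  $Laddr, $Lipkt,
                $Lierr, $Lopkt, $Loerr, $Lcoll
            )
              = split( /\s+/, $_ );
            if ( grep( /lan/, $Lname ) ) {
                if ( "$Lmtu" == $DefMTU ) {
                    print
"\t$PASSSTR Interface $Lname has default MTU ($DefMTU)\n";
                }
                else {
                    print
"\t$WARNSTR Interface $Lname has non-default MTU ($Lmtu instead of $DefMTU)\n";
                    $warnings++;
                }
            }
            if ( "$Lcoll" > 0 ) {
                print "\t$WARNSTR Collisions on interface $Lname\n";
                $warnings++;
            }
            else {
                print "\t$PASSSTR No collisions on interface $Lname\n";
            }
            if ( "$Lierr" > 0 ) {
                print "\t$WARNSTR Input errors on interface $Lname\n";
                $warnings++;
            }
            else {
                print "\t$PASSSTR No input errors on interface $Lname\n";
            }
            if ( "$Loerr" > 0 ) {
                print "\t$WARNSTR Output errors on interface $Lname\n\n";
                $warnings++;
            }
            else {
                print "\t$PASSSTR No output errors on interface $Lname\n\n";
            }
        }
        close(NETN);
    }
}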
#
# Subroutine to check Unix systems accounting
#
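sub sachk {

    # Check that the system accounting directory exists and holds files,
    # that the most recently written file is no older than $DAYCK days, and
    # that the holidays file has an entry for the current year.
    print_header("CHECKING UNIX SYSTEM ACCOUNTING");
    $accholidays = "/etc/acct/holidays";
    $UXSA        = "/var/adm/sa";
    $accnomb     = 0;
    my $newest_name;
    my $newest_mtime = 0;
    if ( !-d "$UXSA" ) {
        print "\t$WARNSTR System accounting directory $UXSA missing\n";
        $warnings++;
    }
    else {
        print "\t$PASSSTR System accounting directory $UXSA exists\n";
        opendir( SSDIR, "$UXSA" ) || die "Cannot open directory $UXSA\n";

        # defined() keeps an entry named "0" from ending the loop early.
        while ( defined( $fileux = readdir(SSDIR) ) ) {
            next if ( $fileux eq ".." || $fileux eq "." );
            $accnomb++;

            # readdir returns bare names, so the directory is prepended; the
            # old stat($fileux) looked in the current directory.
            my @entry_stat = stat("$UXSA/$fileux");
            next unless (@entry_stat);
            if ( $entry_stat[9] > $newest_mtime ) {
                $newest_mtime = $entry_stat[9];
                $newest_name  = $fileux;
            }
        }
        closedir(SSDIR);
    }
    if ( $accnomb == 0 ) {
        print "\t$WARNSTR System accounting not running\n";
        $warnings++;
    }
    else {
        print "\t$PASSSTR System accounting seemingly running\n";

        # Age is judged on the newest file. The previous code used whichever
        # entry readdir returned last, and readdir order is not by time.
        if ( defined($newest_name) ) {
            $finalsa = $newest_name;
            (
                $dev,   $ino,     $mode, $nlink, $uid,
                $gid,   $rdev,    $size, $atime, $mtime,
                $ctime, $blksize, $blocks
            )
              = stat("$UXSA/$finalsa");
        }
        $DAYCK  = 7;
        $HOWOLD = 24 * 3600 * $DAYCK;    # 24 hours x 3600 seconds x 7 days
        if ( ( $EPOCHTIME - $newest_mtime ) > $HOWOLD ) {
            print "\t$WARNSTR System accounting last ran more than $DAYCK ";
            print "days ago\n";
            $warnings++;
        }

        # Lines starting with "*" are skipped; the rest are searched for the
        # current year.
        $holflag = `awk ' ! /^\\*/ && /$Year/ {print}' $accholidays`;
        if ("$holflag") {
            print "\t$PASSSTR File $accholidays defined for year $Year\n";
        }
        else {
            print "\t$WARNSTR File $accholidays not defined for year $Year\n";
        }
    }
}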
#
# Subroutine to check timezone
#
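sub timezone_info {

    # Report the daylight saving flag $IsDST, the TZ environment variable
    # and the active lines of /etc/TIMEZONE.
    print_header("CHECKING TIMEZONE");
    if ( "$IsDST" == 1 ) {
        print
"\t$INFOSTR Daylight Savings Time set to $IsDST (currently active)\n";
    }
    elsif ( "$IsDST" == 0 ) {
        print
"\t$INFOSTR Daylight Savings Time set to $IsDST (currently not active)\n";
    }
    else {
        print "\t$INFOSTR Daylight Savings Time undefined\n";
    }
    $tzcur  = $ENV{'TZ'};
    $tzfile = "/etc/TIMEZONE";
    if ("$tzcur") {
        print "\t$INFOSTR Server is in timezone $tzcur\n";
    }
    if ( -s "$tzfile" ) {

        # Read the file directly. The loop used to be a bare "while ()",
        # which never reads the handle and never terminates.
        if ( open( my $tzfh, '<', $tzfile ) ) {
            print "\n\t$INFOSTR Timezone configuration file $tzfile\n";
            while ( my $tzline = <$tzfh> ) {
                next unless ( $tzline =~ /\S/ );
                next if ( $tzline =~ /^#/ );
                print $tzline;
            }
            close($tzfh);
        }
    }
}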
#
# Subroutine to check Samba
#
sub samba_info {

    # Print smbstatus output and, when there is any, the configuration
    # dumped by "testparm -s". Lines containing "not found" are filtered
    # out of both.
    print_header("CHECKING SAMBA");
    @SAMBAarr =
      `smbstatus 2>/dev/null | awk '! /not found/ {print}' | nawk NF`;
    unless ("@SAMBAarr") {
        print "\t$INFOSTR Samba seemingly not active\n";
        return;
    }
    print "\t$INFOSTR Samba seemingly installed\n";
    print @SAMBAarr;
    @SAMBAconf =
      `testparm -s 2>/dev/null | awk '! /not found/ {print}' | nawk NF`;
    print @SAMBAconf if ("@SAMBAconf");
}
#
# Subroutine to check standard Unix printing
#
sub lp_info {

    # Work out which print system answers (CUPS via lpinfo, LPRng via
    # checkpc, otherwise standard LP) and, when $LPSCHED is greater than
    # zero, list the printers and the queued jobs.
    print_header("CHECKING STANDARD UNIX PRINTING");
    @CUPSlp  = `lpinfo -v 2>/dev/null | nawk '! /not found/ {print}'`;
    @LPRnglp = `checkpc -V 2>/dev/null | nawk '! /not found/ {print}'`;
    if ("@CUPSlp") {
        print "\t$INFOSTR CUPS printing seemingly installed\n";
        print @CUPSlp;
        $LPSTAND++;
    }
    if ("@LPRnglp") {
        print "\t$INFOSTR LPRng printing seemingly installed\n";
        print @LPRnglp;
        $LPSTAND++;
    }
    print "\t$INFOSTR Standard LP printing seemingly installed\n"
      if ( "$LPSTAND" == 0 );

    unless ( "$LPSCHED" > 0 ) {
        print "\t$INFOSTR Printing seemingly not active\n";
        return;
    }
    @LParr = `lpstat -a`;
    unless ("@LParr") {
        print "\t$INFOSTR Printing enabled but queues not defined\n";
        return;
    }
    print "\t$INFOSTR Printing seemingly active\n";
    print @LParr;
    @LPque = `lpstat -o`;
    if ("@LPque") {
        print "\t$INFOSTR Printing queues\n";
        print @LPque;
    }
}
#
# Subroutine to check cleanup of /tmp at boot
#
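sub tmpcleanupcheck {

    # Report whether the boot script that cleans /tmp is present and print
    # its non-comment, non-blank lines.
    print_header("CHECKING /tmp CLEANUP AT BOOT");
    $TMPCLEAN = '/etc/init.d/RMTMPFILES';

    # Open the script itself. The former "cat FILE |" pipe succeeded
    # whenever the shell started, so cleanup was reported as configured even
    # when the script was missing; the read loop had also lost its handle.
    if ( open( my $cleanfh, '<', $TMPCLEAN ) ) {
        print "\t$INFOSTR File system /tmp cleaned up at boot\n";
        while ( my $cleanline = <$cleanfh> ) {
            next if ( $cleanline =~ /^#/ );
            next if ( $cleanline =~ /^$/ );
            print $cleanline;
        }
        close($cleanfh);
    }
    else {
        print
"\t$WARNSTR Cannot open $TMPCLEAN (File system /tmp cleaning not specified at boot)\n";
    }
}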
#
# Subroutine to check vendor backup configuration
#
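sub vendorbck {

    # Print the backup-related configuration files (/etc/default/mvfs,
    # /etc/Backup, /etc/Ignore), then look for NetBackup under /usr/openv or
    # /opt/openv and, when $OMNI_FLAG is 1, for Data Protector.
    #
    # The read loops had lost their file handle ("while ()"); each one now
    # reads from the handle opened just before it and closes it only when
    # the open succeeded.
    print_header("CHECKING BACKUPS (IF APPLICABLE)");
    $mvfs    = '/etc/default/mvfs';
    @defmvfs = `nawk NF $mvfs | awk '! /^#/ {print}'`;
    if ("@defmvfs") {
        print "\t$INFOSTR Default $mvfs configuration\n";
        print @defmvfs;
    }
    else {
        print "\t$INFOSTR Configuration file $mvfs empty or non-existent\n";
    }
    $Backupfs = '/etc/Backup';
    @bckfs    = `nawk NF $Backupfs`;
    if ("@bckfs") {
        print "\n\t$INFOSTR Default $Backupfs configuration\n";
        print @bckfs;
    }
    else {
        print
          "\n\t$INFOSTR Configuration file $Backupfs empty or non-existent\n";
    }
    $Ignorefs = '/etc/Ignore';
    @ignorefs = `nawk NF $Ignorefs`;
    if ("@ignorefs") {
        print "\n\t$INFOSTR Default $Ignorefs configuration\n";
        print @ignorefs;
    }
    else {
        print
          "\n\t$INFOSTR Configuration file $Ignorefs empty or non-existent\n";
    }
    print "\n";

    # The first of the two installation directories that exists is used.
    $NETBCKDIR  = q{};
    $NETBCKDIR1 = "/usr/openv";
    $NETBCKDIR2 = "/opt/openv";
    if ( -d "$NETBCKDIR1" ) {
        $NETBCKDIR = $NETBCKDIR1;
    }
    elsif ( -d "$NETBCKDIR2" ) {
        $NETBCKDIR = $NETBCKDIR2;
    }
    else {
        print "\t$INFOSTR NetBackup seemingly not installed\n";
    }
    if ("$NETBCKDIR") {
        $NETBCKVER  = "$NETBCKDIR/netbackup/version";
        $NETBCKCONF = "$NETBCKDIR/netbackup/bp.conf";
        if ( -s "$NETBCKCONF" ) {
            if ( open( CRM, "awk NF $NETBCKCONF |" ) ) {
                print "\t$INFOSTR NetBackup seemingly installed\n";
                print "\t$INFOSTR NetBackup configuration file $NETBCKCONF\n";
                while (<CRM>) {
                    next if ( grep( /^$/, $_ ) );
                    next if ( grep( /^#/, $_ ) );
                    print $_;
                }
                close(CRM);
            }
        }
        if ( -s "$NETBCKVER" ) {
            if ( open( BRM, "awk NF $NETBCKVER |" ) ) {
                print "\t$INFOSTR NetBackup version\n";
                while (<BRM>) {
                    next if ( grep( /^$/, $_ ) );
                    next if ( grep( /^#/, $_ ) );
                    print $_;
                }
                close(BRM);
            }
        }
        else {

            # NOTE(review): the server and consistency checks run only when
            # the version file is missing or empty. That looks like a
            # misplaced brace - confirm the intended nesting.
            $NETBCKVM = "$NETBCKDIR/volmgr/bin/vmoprcmd";
            if ( -x "$NETBCKVM" ) {
                if ( open( XV, "$NETBCKVM |" ) ) {
                    print "\n\t$INFOSTR NetBackup Server seemingly running\n";
                    while (<XV>) {
                        next if ( grep( /^$/, $_ ) );
                        print $_;
                    }
                    close(XV);
                }
            }
            else {
                print "\n\t$INFOSTR NetBackup Server seemingly not running\n";
            }
            $NETBCKMM = "$NETBCKDIR/volmgr/bin/mmcrawl";
            if ( -x "$NETBCKMM" ) {
                @mmck = `$NETBCKMM 2>&1 | nawk NF`;
                if (@mmck) {
                    print "\n\t$INFOSTR NetBackup consistency check\n";
                    print @mmck;
                }
            }
        }
    }
    if ( $OMNI_FLAG == 1 ) {
        print "\n\t$INFOSTR Data Protector seemingly installed\n";
        $OMNICC = "/opt/omni/bin/omnicellinfo";
        if ( -x "$OMNICC" ) {
            @dpck = `$OMNICC -cell 2>&1 | nawk NF`;
            if (@dpck) {
                print "\n\t$INFOSTR Data Protector configuration status\n";
                print @dpck;
            }
        }
        $OMNICC1 = "/opt/omni/bin/omnicc";
        if ( -x "$OMNICC1" ) {
            @dpck1 = `$OMNICC1 2>&1 | nawk NF`;
            if (@dpck1) {
                print
"\n\t$INFOSTR Data Protector client configuration status\n";
                print @dpck1;
            }
        }
    }
    else {
        print "\n\t$INFOSTR Data Protector seemingly not installed\n";
    }
}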
#
# Subroutine to check global PATH
#
sub pathcheck {

    # Print the lines of /etc/profile that do not start with "#", or note
    # that the file is missing or empty.
    print_header("CHECKING GLOBAL ENVIRONMENT VARIABLES");
    $pathf = "/etc/profile";
    unless ( -s "$pathf" ) {
        print "\t$INFOSTR Global $pathf seemingly not installed\n";
        return;
    }
    @listpath = `cat $pathf | nawk '! /^#/ {print}'`;
    if ("@listpath") {
        print "\t$INFOSTR Configuration file $pathf\n";
        print @listpath;
    }
}
#
# Subroutine to check LOCALE
#
sub localecheck {

    # Print the list of available locales and the current locale settings,
    # each only when the locale command returned something.
    print_header("CHECKING LOCALES");

    @alllocales = `locale -a`;
    unless ( !"@alllocales" ) {
        print "\t$INFOSTR Available locales\n";
        print @alllocales;
    }

    @loccur = `locale`;
    unless ( !"@loccur" ) {
        print "\n\t$INFOSTR Current system-wide LOCALE\n";
        print @loccur;
    }
}
# Is the IP address valid
# For example, 300.201.33.12 is INVALID
#
sub CheckIP {

    # Return true when $ip survives a round trip through inet_aton and
    # inet_ntoa unchanged, i.e. it is already in canonical dotted-quad form.
    my $ip = shift;
    my $packed     = inet_aton($ip);
    my $round_trip = $packed ? inet_ntoa($packed) : undef;
    return ( defined($packed) and defined($round_trip) and $ip eq $round_trip );
}
#
# Subroutine to check drivers
#
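sub lsdevcheck {

    # Print the hardware configuration (prtconf) and a series of device,
    # terminal and dial-up configuration files, the component MIF files and
    # the UUCP status.
    print_header("CHECKING HARDWARE CONFIGURATION");
    my @lsdevls = `prtconf`;
    if ("@lsdevls") {
        print @lsdevls;
    }
    else {
        print "\t$ERRSTR Prtconf failed\n";
    }
    $dktab = '/etc/dktab';
    if ( -s "$dktab" ) {
        my @dktb = `cat $dktab`;
        if ("@dktb") {
            print "\n\t$INFOSTR Virtual disk configuration file $dktab\n";
            print @dktb;
        }
    }
    else {
        print "\n\t$INFOSTR Virtual disk configuration seemingly not in use\n";
    }
    $rsmtab = '/etc/rsmtab';
    if ( -s "$rsmtab" ) {
        my @rstb = `cat $rsmtab`;
        if ("@rstb") {
            print
"\n\t$INFOSTR Replicated Storage Manager configuration file $rsmtab\n";
            print @rstb;
        }
    }
    else {
        print "\n\t$INFOSTR Replicated Storage Manager seemingly not in use\n";
    }
    my @osm = `cat /etc/.osm`;
    if ("@osm") {
        print "\n\t$INFOSTR Configuration file /etc/.osm\n";
        print @osm;
    }
    $ttymon = '/etc/default/ttymon';
    my @ttm = `awk '! /^#/ {print}' $ttymon`;
    if ("@ttm") {
        print "\n\t$INFOSTR Configuration file $ttymon\n";
        print @ttm;
    }
    else {
        print "\n\t$INFOSTR Configuration file $ttymon not in use\n";
    }
    $compmifdir = '/etc/smi/mif';
    if ( opendir( MIFDIR, "$compmifdir" ) ) {

        # defined() keeps an entry named "0" from ending the loop early.
        while ( defined( $fileuxm = readdir(MIFDIR) ) ) {
            next if ( $fileuxm eq ".." || $fileuxm eq "." );
            $mifno++;

            # readdir returns bare names: the old code tested and read the
            # name relative to the current directory, and passed it to
            # "cat" through the shell. Use the full path and read the file
            # in Perl so the name never reaches a command line.
            my $mifpath = "$compmifdir/$fileuxm";
            if ( -f $mifpath && -s $mifpath ) {
                if ( open( my $miffh, '<', $mifpath ) ) {
                    my @prmif = <$miffh>;
                    close($miffh);
                    print "\n\t$INFOSTR Component MIF file $fileuxm\n";
                    print @prmif;
                }
            }
        }
        closedir(MIFDIR);
    }
    if ( $mifno == 0 ) {
        print "\n\t$INFOSTR Component MIF not in use\n";
    }
    $adept = '/etc/default/adept';
    my @adpt = `awk '! /^#/ {print}' $adept`;
    if ("@adpt") {
        print
"\n\t$INFOSTR Adaptive Disk Error Prediction configuration file $adept\n";
        print @adpt;
        my @adptsumm = `showData`;
        if ("@adptsumm") {
            print "\n\t$INFOSTR Adaptive Disk Error Prediction showData\n";
            print @adptsumm;
        }
    }
    else {
        print
"\n\t$INFOSTR Adaptive Disk Error Prediction configuration file $adept not in use\n";
    }
    $sactab = '/etc/saf/_sactab';
    my @sftab = `awk '! /^#/ {print}' $sactab`;
    if ("@sftab") {
        print "\n\t$INFOSTR Configuration file $sactab\n";
        print @sftab;
    }
    else {
        print "\n\t$INFOSTR Configuration file $sactab not in use\n";
    }
    $pmtab = '/etc/saf/pmtag/_pmtab';
    my @pmt = `awk '! /^#/ {print}' $pmtab`;
    if ("@pmt") {
        print "\n\t$INFOSTR Configuration file $pmtab\n";
        print @pmt;
    }
    else {
        print "\n\t$INFOSTR Configuration file $pmtab not in use\n";
    }
    $ttydefs = '/etc/ttydefs';
    my @ttdef = `awk '! /^#/ {print}' $ttydefs | nawk NF`;
    if ("@ttdef") {
        print "\n\t$INFOSTR Configuration file $ttydefs\n";
        print @ttdef;
    }
    else {
        print "\n\t$INFOSTR Configuration file $ttydefs not in use\n";
    }
    $ttytype = '/etc/ttytype';
    my @ttyd = `awk '! /^#/ {print}' $ttytype | nawk NF`;
    if ("@ttyd") {
        print "\n\t$INFOSTR Configuration file $ttytype\n";
        print @ttyd;
    }
    else {
        print "\n\t$INFOSTR Configuration file $ttytype not in use\n";
    }
    $dialups = '/etc/dialups';
    my @dialdef = `awk '! /^#/ {print}' $dialups | nawk NF`;
    if ("@dialdef") {
        print "\n\t$INFOSTR Configuration file $dialups\n";
        print @dialdef;

        # NOTE(review): the dial-up password file is printed in full. If it
        # holds password hashes on this platform they end up in the report;
        # consider masking that field.
        $dpass = '/etc/d_passwd';
        my @dpss = `awk '! /^#/ {print}' $dpass | nawk NF`;
        if ("@dpss") {
            print "\n\t$INFOSTR Dial-up password file $dpass\n";
            print @dpss;
        }
    }
    else {
        print "\n\t$INFOSTR Configuration file $dialups not in use\n";
    }
    @uustat = `uustat`;
    if ("@uustat") {
        print "\n\t$INFOSTR UUCP statistics\n";
        print @uustat;
    }
    else {
        print "\n\t$INFOSTR UUCP disabled\n";
    }
}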
#
# Subroutine to check shared memory and semaphores
#
sub IPCScheck {
    # Report System V IPC objects (ipcs -a) and processor bindings
    # (pbind -q). Each section header is printed only when its command
    # produced output; nothing is counted as a warning here.
    #
    # The output is printed verbatim and is not evaluated by this
    # subroutine, so owners and access modes of shared memory segments,
    # semaphores and message queues have to be reviewed by the reader.
    @ipcsstat = `ipcs -a 2>/dev/null`;
    my $ipcs_text = "@ipcsstat";
    if ($ipcs_text) {
        print_header("CHECKING INTERPROCESS COMMUNICATION FACILITIES");
        print @ipcsstat;
    }

    @pbind = `pbind -q`;
    my $pbind_text = "@pbind";
    if ($pbind_text) {
        print_header("CHECKING PROCESS BINDINGS");
        print @pbind;
    }
}
#
# Subroutine to check disk quotas
#
sub QUOTAcheck {
    # Report whether file system quotas look active, judged only by
    # whether "quotacheck -a" prints anything other than its
    # "no quotas" / "Permission den..." lines.
    #
    # NOTE(review): quotacheck is normally a consistency checker that
    # can rewrite quota files and scan whole file systems - confirm
    # that running it is acceptable for a read-only acceptance test.
    print_header("CHECKING FILE SYSTEM QUOTAS");

    @quotastat =
`quotacheck -a 2>/dev/null | nawk '! /no quotas|Permission den/ {print}'`;

    my $quota_text = "@quotastat";
    if ( not $quota_text ) {
        print "\t$INFOSTR Quotas not active\n";
    }
    else {
        print "\t$INFOSTR Quotas seemingly active\n";
        print @quotastat;
    }
}
#
# Subroutine to check ulimits
#
sub ULIMITcheck {
    # Print the resource limits reported by "ulimit -a".
    #
    # ulimit is a shell builtin; the redirection in the command makes
    # Perl run it through the shell, so the values shown are the limits
    # inherited by this script's own session. They say nothing about
    # the limits applied to other accounts or to running services.
    print_header("CHECKING ULIMIT");

    @ulimitstat = `ulimit -a 2>/dev/null`;

    my $ulimit_text = "@ulimitstat";
    if ( not $ulimit_text ) {
        print "\t$INFOSTR Cannot check ulimits\n";
    }
    else {
        print @ulimitstat;
    }
}
#
# Get system's CPU number
#
sub CPUcheck {
    # Print processor information as reported by "pinfo -v".
    # stderr is merged into the captured output (2>&1), so an error
    # message from pinfo ends up in the report as well.
    print_header("CHECKING CPU STATUS");

    @CPU_no = `pinfo -v 2>&1`;

    # The array is interpolated into a string on purpose: the lines are
    # joined with the list separator, exactly as the report always was.
    my $cpu_report = "@CPU_no";
    print $cpu_report;
}
#
# System's healthcheck bundle
#
sub HEALTHcheck {
    # Run the "shc" health-check command and print its summary.
    # The whole section, header included, is skipped unless the global
    # $shealth is greater than zero (it is set outside this subroutine).
    if ( $shealth > 0 ) {
        print_header("CHECKING HEALTH STATUS");

        @SHC = `shc`;

        # Interpolated once: the same joined text serves as the
        # "any output?" test and as what gets printed.
        my $shc_report = "@SHC";
        if ($shc_report) {
            print "\t$INFOSTR SHC summary\n";
            print $shc_report;
        }
    }
}
#
# Check sticky bit on common directories
#
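sub STICKYcheck {
    # Check that every directory listed in @Stickyarr exists and has
    # the sticky bit set.
    #
    # On a shared, writable directory the sticky bit stops one user
    # from removing or renaming another user's files, so a missing bit
    # is reported with $WARNSTR and counted in $warnings. A missing
    # directory is reported with $ERRSTR and counted as well.
    #
    # Only the sticky bit is tested. Ownership and the remaining mode
    # bits of the directory are not examined here, and -d / -k follow
    # symbolic links, so a link is judged by its target.
    print_header("CHECKING STICKY BIT ON SHARED DIRECTORIES");

    foreach my $commdir (@Stickyarr) {
        if ( !-d "$commdir" ) {
            print "\t$ERRSTR Directory $commdir does not exist\n";
            $warnings++;
            if ( "$commdir" eq "/var/tmp" ) {
                print
"\t$WARNSTR Without $commdir, tools like vi(1) and swinstall(1) will fail\n";
            }
        }
        elsif ( -k $commdir ) {
            print "\t$PASSSTR Directory $commdir has sticky bit\n";
        }
        else {
            print
              "\t$WARNSTR Directory $commdir does not have sticky bit\n";
            $warnings++;
        }
    }
}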
#
# Subroutine to check Host Intrusion Detection System (HIDS)
#
sub HIDScheck {
    # Report whether AIDE and Tripwire appear to be configured.
    #
    # "Seemingly configured" means only that a non-empty AIDE
    # configuration file was found, or that twadmin printed a
    # configuration. Nothing here verifies that a baseline database
    # exists, that integrity checks are scheduled, or that their
    # results are reviewed.
    #
    # Both configurations are printed in full, so the report shows
    # which paths are monitored and which are not; handle the report
    # accordingly.
    print_header("CHECKING HOST INTRUSION DETECTION SYSTEM");

    # The first candidate that exists with non-zero size wins.
    $aide_conf = "";
    foreach my $candidate ( $aide_conf1, $aide_conf2, $aide_conf3 ) {
        if ( -s "$candidate" ) {
            $aide_conf = $candidate;
            last;
        }
    }

    if ( not -s "$aide_conf" ) {
        print "\t$INFOSTR AIDE seemingly not configured\n";
    }
    else {
        # Strip comment lines and blank lines from the configuration.
        @aidecheck = `awk '! /^#/ {print}' $aide_conf | nawk NF`;
        if ("@aidecheck") {
            print "\t$INFOSTR AIDE seemingly configured\n";
            print @aidecheck;

            # Version banner; the shell's "command not found" line is
            # filtered out so a missing binary prints nothing.
            @aidev = `aide -v 2>&1 | egrep -v "command not found"`;
            if ("@aidev") {
                print "\t$INFOSTR AIDE seemingly configured\n";
                print @aidev;
            }
        }
    }

    @twcheck = `twadmin --print-cfgfile 2>/dev/null`;
    my $tripwire_state =
      "@twcheck" ? "configured" : "not configured";
    if ( $tripwire_state eq "configured" ) {
        print "\n\t$INFOSTR Tripwire seemingly configured\n";
        print @twcheck;
    }
    else {
        print "\n\t$INFOSTR Tripwire seemingly not configured\n";
    }
}
#
# Subroutine to collect the process list (ps -ef) and tally known daemons
#
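sub rawpscheck {
    # Read "ps -ef" once and sort its lines into the global counters
    # and arrays used by this script. Every line, matched or not, is
    # also appended to @allprocesses.
    #
    # Fix: the loop now reads from the KM pipe. As it stood, "while ()"
    # never read the ps output and never terminated.
    #
    # Matching is a plain substring test against the whole ps line
    # (user, arguments and all), and only the first matching branch
    # applies. A hit therefore shows that the text occurs somewhere on
    # the line, not that the named daemon is really the running
    # program; treat the counters as hints.
    if ( open( KM, "ps -ef |" ) ) {
        while (<KM>) {
            if (/ldapclientd/) {
                $LDAPCLIENT++;
            }
            elsif (/ncrcm/) {
                $ncrcm++;
            }
            elsif (/ns-slapd/) {
                $LDAPSERVER++;
                push( @ldapdaemon, $_ );
            }
            elsif (/ns-admin/) {
                $NSADMIN++;
                push( @ldapdaemon, $_ );
            }
            elsif (/lmgrd|netlsd|i4lmd/) {
                $LICENSE++;
                push( @licdaemon, $_ );
            }
            elsif (/spagent/) {
                $SECPATHAG++;
            }
            elsif (/lpsched/) {
                $LPSCHED++;
            }
            elsif (/named/) {
                push( @DNSRUN, $_ );
            }
            elsif (/ntpd/) {
                push( @ntpdaemon, $_ );
            }
            elsif (/nfsd/) {
                push( @nfsdaemon, $_ );
            }
            push( @allprocesses, $_ );
        }

        # Close only a handle that was actually opened.
        close(KM);
    }
    else {
        print "\t$ERRSTR Cannot run ps (process list)\n";
    }
}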
#
# Subroutine to print the collected list of active processes
#
sub pscheck {
    # Print the process list held in @allprocesses (filled by
    # rawpscheck). The header is always printed; the list itself is
    # printed only when the array holds something, so an empty section
    # means no process list was collected before this call.
    print_header("CHECKING ACTIVE UNIX PROCESSES");
    print @allprocesses if "@allprocesses";
}
#
# Subroutine to list RC scripts
#
sub RCcheck {
    # List the contents of the rc directories named in @RCarray.
    # A missing directory is reported with $WARNSTR and counted in
    # $warnings; an existing one is listed with "ls -1" or reported as
    # empty. A blank line follows every directory.
    #
    # Only the names are listed. Ownership and permissions of the
    # start-up scripts are not shown by this subroutine.
    print_header("CHECKING RC SCRIPTS");

    @RCarray = ( '/etc/rc.d', '/etc/rc1.d', '/etc/rc2.d', '/etc/rc3.d' );

    foreach my $rc_dir (@RCarray) {
        if ( not -d "$rc_dir" ) {
            print "\t$WARNSTR Directory $rc_dir does not exist\n";
            $warnings++;
        }
        else {
            @RClist = `ls -1 $rc_dir`;
            if ( not "@RClist" ) {
                print "\t$INFOSTR $rc_dir empty\n";
            }
            else {
                print "\t$INFOSTR $rc_dir listing\n";
                print @RClist;
            }
        }
        print "\n";
    }
}
#
# Subroutine to check SNMP
#
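sub SNMPcheck {
    # Report SNMP statistics (snmpstat) and print the active lines of
    # the four SNMP files named by the globals $SNMPAconf, $SNMPcomm,
    # $SNMPtrap and $SNMPpeers.
    #
    # Fix: the four read loops were written as "while ()", which reads
    # nothing and never terminates. They now read from the SN pipe, in
    # one shared helper.
    #
    # NOTE(review): $SNMPcomm is presumably the community-string file.
    # Its active lines are copied into the report unmasked, so the
    # report has to be stored and shared like a credential.
    print_header("CHECKING SNMP");

    @Slist = `snmpstat`;
    if ("@Slist") {
        print "\t$INFOSTR SNMP statistics\n";
        print @Slist;
    }
    else {
        print "\t$INFOSTR SNMP disabled\n";
    }

    _snmp_print_active( $SNMPAconf, "SNMP file",       "SNMP Agent file" );
    _snmp_print_active( $SNMPcomm,  "SNMP comm file",  "SNMP comm file" );
    _snmp_print_active( $SNMPtrap,  "SNMP trap file",  "SNMP trap file" );
    _snmp_print_active( $SNMPpeers, "SNMP peers file", "SNMP peers file" );
}

# Print the non-comment, non-blank lines of one SNMP file, or say that
# the file is not defined when it is missing or empty.
sub _snmp_print_active {
    my ( $snmp_file, $found_label, $missing_label ) = @_;

    if ( -s "$snmp_file" ) {

        # The path is interpolated into a shell command line, so it
        # must stay a value set by the script itself and never come
        # from user input.
        if ( open( SN, "cat $snmp_file |" ) ) {
            print
              "\n\t$INFOSTR Active services in $found_label $snmp_file\n";
            while (<SN>) {
                next if (/^#/);
                next if (/^$/);
                print $_;
            }
            close(SN);
        }
    }
    else {
        print "\n\t$INFOSTR $missing_label $snmp_file not defined\n";
    }
}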
sub LIC_CHECK {
    # Report whether the node-lock licensing file exists with non-zero
    # size and, if so, print its contents.
    #
    # NOTE(review): the file is dumped verbatim; presumably it holds
    # license keys, which then become part of the report.
    print_header("CHECKING LICENSING");

    $licfile = '/var/netls/nodelock';

    if ( not -s "$licfile" ) {
        print "\t$WARNSTR Licensing file $licfile does not exist\n";
    }
    else {
        print "\t$INFOSTR Licensing file $licfile exist\n";
        @GCW = `cat $licfile`;
        print @GCW;
    }
}
# Start of the main program: run the SYS_INFO subroutine first.
SYS_INFO();

# Report an inherited DISPLAY setting. With DISPLAY set, X11 programs
# started from this session would connect to that display, which is
# worth knowing when the session is a privileged one.
unless ( "$ENV{'DISPLAY'}" eq '' ) {
    print "\n\t$INFOSTR Environment variable DISPLAY set\n";
    print "$ENV{'DISPLAY'}\n";
}
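sub devtabcheck {
    # Print the non-blank, non-comment lines of the device table named
    # by the global $DEVICETAB.
    #
    # Fix: the loop now reads from the DVV pipe. As it stood,
    # "while ()" read nothing and never terminated.
    #
    # NOTE(review): the file is read through "cat ... |". Opening such
    # a pipe presumably succeeds even when the file is missing, so the
    # "Cannot open" branch is unlikely to report an absent file; an
    # empty section after the header is the more likely symptom.
    if ( open( DVV, "cat $DEVICETAB |" ) ) {
        print_header("CHECKING $DEVICETAB");
        while (<DVV>) {
            next if (/^$/);
            next if (/^#/);
            print $_;
        }
        close(DVV);
    }
    else {
        print "\t$INFOSTR Cannot open $DEVICETAB\n";
    }
}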
# Main sequence: every check runs once, in this order, and the order is
# the order of the sections in the report. Entries that are commented
# out are checks that stay disabled.
my @oat_checks = (
    \&crashcheck,
    \&DEVSTAT,
    \&swcheck,
    \&pscheck,
    \&LIC_CHECK,
    \&bootcheck,
    \&pathcheck,
    \&rootacc,
    \&basic_daemons,
    \&swapcheck,
    \&patch,
    \&space,

    #\&VXVM_CHECK,
    \&bootdev,
    \&lancheck,

    #\&audsys,
    \&lan,
    \&pwdbcheck,
    \&nfs_check,
    \&ntp_check,
    \&dnschk,
    \&STICKYcheck,
    \&checknull,
    \&smtpchk,
    \&ROOT_CRON,
    \&CPUcheck,
    \&inetdchk,
    \&rpcchk,
    \&motd,
    \&RCcheck,
    \&nischk,
    \&timezone_info,
    \&sachk,
    \&lp_info,
    \&CHECK_MOUNTED_FILESYSTEMS,
    \&protchk,
    \&vendorbck,
    \&samba_info,
    \&SYSLOG_LOGGING,
    \&PERFORMANCE_BASICS,
    \&ULIMITcheck,
    \&localecheck,
    \&lsdevcheck,
    \&QUOTAcheck,
    \&IPCScheck,
    \&HIDScheck,
    \&HEALTHcheck,
    \&checkkernel,
    \&SNMPcheck,
    \&cron_access,
    \&SANchk,
    \&tmpcleanupcheck,
    \&devtabcheck,
);

foreach my $oat_check (@oat_checks) {
    $oat_check->();
}

# Closing summary. The exit status is 0 whatever the warning count is,
# so anything that runs this script unattended has to read the report
# (or the count printed here) instead of testing the exit code.
print "\n\nSUMMARY:\n"
  . "The Operations Acceptance Testing (OAT) assessment\n"
  . "reported $warnings warnings.\n"
  . "It is strongly recommended to go through them and\n"
  . "evaluate the need to address them.\n";
exit(0);