#!/bin/sh
#SYSTEMS: Solaris
#Banner that heads every finding from this script, and the kernel name that
#selects which checks below run.  Backticks (not $(...)) on purpose: the
#legacy Solaris /bin/sh this script targets does not parse $(...).
MSG='# Checking cron security...'
SYSTEM=`uname -s`
######Solaris######
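#cron_limit_ok FILE
#Returns 0 when FILE (the logchecker script) sets LIMIT to 1024, 2048 or
#4096 -- the three values this check has always accepted, described below as
#0.5, 1 and 2MB (so presumably 512-byte blocks; confirm against logchecker).
#The assignment is matched as a whole, anchored line: a bare `grep LIMIT=4096`
#also accepted LIMIT=40960 and a commented-out "#LIMIT=4096", either of which
#silenced this finding on a misconfigured host.  egrep is used because the
#legacy Solaris /usr/bin/grep has neither -E nor -q; output is discarded.
cron_limit_ok() {
  egrep '^LIMIT=(1024|2048|4096)([^0-9].*)?$' "$1" >/dev/null 2>&1
}

if [ "$SYSTEM" = "SunOS" ]; then
  echo ""; echo "$MSG"
  #This script:
  #checks for CRONLOG=YES in /etc/default/cron
  #checks that the /var/cron directory group and other mode bits are off.
  #checks that /etc/cron.d/logchecker is rotating the log files at 0.5, 1 or 2MB file size.
  #checks cron.allow, cron.deny, at.allow and at.deny for proper settings
  #
  CRONLOGDIR="/var/cron"
  CRONDFILE="/etc/default/cron"
  CRONLCHK="/etc/cron.d/logchecker"
  #
  #Check whether cron logging is enabled. Take no chances, there
  #must be exactly ONE CRONLOG= line which must be CRONLOG=YES.
  #The second count covers every uncommented CRONLOG= line, so a
  #CRONLOG=NO placed after a CRONLOG=YES is still reported.
  #(":" is the no-op here; echo "\c" only suppresses a newline under the
  #Solaris sh and prints a literal \c under other shells.)
  if [ -r "$CRONDFILE" ] && \
     [ "`grep -cs '^CRONLOG=YES' $CRONDFILE`" -eq 1 ] && \
     [ "`grep -cs '^[^#]*CRONLOG=' $CRONDFILE`" -eq 1 ]; then
    :
  else
    echo "--INFO-- [CRON001i] CRONLOG entry not found or misconfigured in $CRONDFILE."
  fi

  #Check the perms of the cron log dir: columns 5-10 of the ls mode field are
  #the group and other bits, and all six must be '-'.
  #NOTE(review): an ACL on the directory (Solaris ls marks one with a trailing
  #'+', outside the columns inspected) could grant access this check does not
  #see -- confirm whether that matters for the hosts audited.
  if [ -d "$CRONLOGDIR" ] && \
    ls -dl $CRONLOGDIR | awk '{print $1}' | cut -c5-10 | grep '\-\-\-\-\-\-' > /dev/null 2>&1
  then
    :
  else
    echo "--WARN-- [CRON002w] $CRONLOGDIR permissions are not secure."
  fi

  #Check whether the cron log files will be rotated when exceeding 0.5, 1 or 2MB
  #one can find sometime sites with log files > 100MB
  if [ -r "$CRONLCHK" ]; then
    cron_limit_ok "$CRONLCHK" || \
      echo "--INFO-- [CRON003i] $CRONLCHK LIMIT parameter not at a reasonable level."
  fi
fi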
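######Common######
#check_sched_acl ALLOWFILE DENYFILE CODE NAME
#Report on one scheduler's access lists.  ALLOWFILE/DENYFILE are the full
#paths, CODE the message identifier (CRON004w/CRON005w) and NAME the facility
#("cron" or "at") used in the message text.
#  - a deny file means a blacklist policy (anyone not listed may schedule
#    jobs), which is reported whether or not an allow file also exists;
#  - an allow file on its own must list root, and any other account listed
#    is reported.
#Root is matched as a whole line (^root$): the earlier `grep root` accepted
#"groot" or "rootkit" as root and at the same time hid those accounts from
#the "other users" check, and its `USER=` assignment overwrote the caller's
#USER environment variable for the rest of the run.  An empty allow file
#(which locks every account out, root included) is now reported for cron as
#it already was for at.
#NOTE(review): on Linux (Vixie cron / cronie) root is reportedly exempt from
#cron.allow, so the root findings there concern explicit policy rather than
#lost access -- confirm against the cron shipped on the audited hosts.
check_sched_acl() {
  if [ -f "$2" ]; then
    if [ -f "$1" ]; then
      echo "--WARN-- [$3] The $4.deny AND $4.allow files exist."
    else
      echo "--WARN-- [$3] The $4.deny file exists but no $4.allow file exists."
    fi
  elif [ -f "$1" ]; then
    if grep '^root$' "$1" >/dev/null 2>&1; then
      :
    else
      echo "--WARN-- [$3] A $4.allow file exists and does not contain root."
    fi
    #Any non-empty line other than "root" is another account.
    if grep -v '^root$' "$1" 2>/dev/null | grep . >/dev/null 2>&1; then
      echo "--WARN-- [$3] A $4.allow file exists and contains users other than root."
    fi
  fi
}

if [ "$SYSTEM" = "SunOS" -o "$SYSTEM" = "Linux" ]; then
  #Solaris keeps the access lists under /etc/cron.d, Linux directly in /etc.
  if [ "$SYSTEM" = "SunOS" ]; then
    CRONALLOW=/etc/cron.d/cron.allow
    CRONDENY=/etc/cron.d/cron.deny
    ATALLOW=/etc/cron.d/at.allow
    ATDENY=/etc/cron.d/at.deny
  fi
  if [ "$SYSTEM" = "Linux" ]; then
    echo ""; echo "$MSG"   #(the Solaris section prints the banner earlier)
    CRONALLOW=/etc/cron.allow
    CRONDENY=/etc/cron.deny
    ATALLOW=/etc/at.allow
    ATDENY=/etc/at.deny
  fi
  #
  check_sched_acl "$CRONALLOW" "$CRONDENY" CRON004w cron
  check_sched_acl "$ATALLOW"   "$ATDENY"   CRON005w at
  #Solaris 8 and 9 (SunOS 5.8/5.9) only: insist that an explicit policy file
  #exists for each scheduler (presumably because those releases ship with
  #neither file -- confirm).
  if [ "$SYSTEM" = "SunOS" ]; then
    case "`uname -r`" in
      5.[89]*)
        if [ ! -f $CRONALLOW -a ! -f $CRONDENY ]; then
          echo "--WARN-- [CRON006w] Neither cron.allow nor cron.deny exists."
        fi
        if [ ! -f $ATALLOW -a ! -f $ATDENY ]; then
          echo "--WARN-- [CRON006w] Neither at.allow nor at.deny exists."
        fi;;
    esac
  fi
fi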
