#!/bin/sh
#
#     tiger - A UN*X security checking system
#     Copyright (C) 1993 Douglas Lee Schales, David K. Hess, David R. Safford
#
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 1, or (at your option)
#    any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#     Please see the file `COPYING' for the complete copyright notice.
#
# tiger - 06/14/93
#
# The UN*X security check system. This is the main program that will run
# all the checks configured for your system in the tigerrc configuration 
# file.
#
# 09/03/2003 jfs Included check_ssh to the checks
# 08/19/2003 jfs check_cron is now check_crontabs
# 08/15/2003 jfs Integrated ARSC log to syslog mechanism but modified
#                the check for it (better to use the same mechanism as
#                used by the sendtologger function in order to avoid
#                some issues and prepended it to the use of -E since
#                otherwise a wrong LOGDIR would be used (with \@) for
#                the logfile and expfile)
# 08/14/2003 jfs Commands now run through run_script (except for check_cron
#                since many systems hold a check_cron script)
# 05/09/2003 jfs Fixed missing bracket (syntax error)
# 05/01/2003 jfs Added missing checks
# 04/27/93 dls check_passwd is now check_accounts
# 04/15/2003 jfs Added new year
# 05/26/2002 jfs Added check_tcpd test
# 04/29/93 dls Added support for 'tigerrc' file.
#
#-----------------------------------------------------------------------------
#
echo "Tiger UN*X security checking system"
echo "   Developed by Texas A&M University, 1994"
echo "   Updated by the Advanced Research Corporation, 1999-2002"
echo "   Further updated by Javier Fernandez-Sanguino, 2001-2003"
echo "   Covered by the GNU General Public License (GPL)"
echo
TigerInstallDir="."
#
# Set default base directory.
# Order or preference:
#      -B option
#      TIGERHOMEDIR environment variable
#      TigerInstallDir installed location
#
basedir=${TIGERHOMEDIR:=$TigerInstallDir}

for parm
do
   case $parm in
   -B) basedir=$2; break;;
   esac
done

#
# Verify that a config file exists there, and if it does
# source it.
#
[ ! -r $basedir/config ] && {
  echo "--ERROR-- [init002e] No 'config' file in \`$basedir'."
  exit 1
}

. $basedir/config

. $BASEDIR/initdefs

sendtologger()
{
  file=$1
  if [ -r "$file" ]; then
  	echo "Cannot read report in $file to send to syslog"
	exit 1
  fi
  logger_port="5353"
  logger_name=`echo $LOGDIR | $AWK -F\@ '{print $2}'`
  safe_temp $WORKDIR/logger.$$
  $TigerCleanup="$TigerCleanup $WORKDIR/logger.$$"
  echo "sleep 5; cat $logfile; sleep 5" >$WORKDIR/logger.$$
  sh $WORKDIR/logger.$$ | telnet $logger_name $logger_port
  if [ "$?" -ne 0 ]; then
   echo "TIGER logger server [$logger_name] is not available"
   delete $WORKDIR/logger.$$
   exit 1
  fi
  delete $WORKDIR/logger.$$
  # Do not proceed since the LOGDIR value would be useless for us
  # TODO: Consider use a -s switch to define logging to syslog
  # so that logs are always kept locally too
  exit 0
}

tigercleanup()
{
  [ -n "$fspid" ] && kill -1 $fspid 2>/dev/null
  [ -f "$Tiger_PasswdFiles" ] && {
    while read __file
    do
      delete $__file $__file.src
    done < $Tiger_PasswdFiles
  }
  [ -n "$TigerCheckEmbedded" ] && delete $TigerCheckEmbedded
  delete $WORKDIR/fsscan.log$$ $Tiger_PasswdFiles

  [ -n "$TigerCleanup" ] && {
    delete $TigerCleanup
  }  
}

trap 'tigercleanup; exit 1' 1 2 3 15

#
# If run in test mode (-t) this will verify that all required
# elements are set.
#
[ "$Tiger_TESTMODE" = 'Y' ] && {
  haveallcmds CAT DATE DATECMD GEN_PASSWD_SETS GREP MV RM TIMECMD || exit 1
  haveallfiles BASEDIR SCRIPTDIR WORKDIR CONFIG_DIR LOGDIR || exit 1
  haveallvars HOSTNAME OS REL REV ARCH || exit 1
  
  echo "--CONFIG-- [init003c] $0: Configuration ok..."
  exit 0
}

#------------------------------------------------------------------------

haveallcmds CAT DATE DATECMD GEN_PASSWD_SETS GREP MV RM TIMECMD || exit 1
haveallfiles BASEDIR SCRIPTDIR CONFIG_DIR LOGDIR WORKDIR || exit 1
haveallvars HOSTNAME OS REL REV ARCH || exit 1

version="$TIGERVERSION"

echo "Tiger security scripts *** $version ***"

[ "$Tiger_TESTMODE" != 'Y' ] && {
  datestamp="`$DATECMD`-`$TIMECMD`"

  logtmp="$LOGDIR/security.report.${HOSTNAME}.tmp.$$"
  logfile="$LOGDIR/security.report.${HOSTNAME}.$datestamp"
  expreport="$LOGDIR/explain.report.${HOSTNAME}.$datestamp"
}

> $logtmp

[ "$Tiger_TESTMODE" != 'Y' ] && {

  echo "Security scripts *** $version ***" >> $logtmp
  [ "$HTML" = "Y" ] && {
  	echo '<H2><CENTER>TIGER System Security Scanner</H2></Center>' > $logtmp
  	echo '<PRE>' >> $logtmp
        echo "Tiger security scripts *** $version ***" >> $logtmp
        echo "Output Mode is HTML"
        echo "HTML Generator developed by the Advanced Research Corporation (R)" >> $logtmp
  }
  


  $DATE >> $logtmp
  echo "`$TIMECMD`> Beginning security report for ${HOSTNAME} ($ARCH $OS $REV)." >> $logtmp
  echo "`$TIMECMD`> Beginning security report for ${HOSTNAME}."
}

_TIGER_RUN=Y
export _TIGER_RUN
OUTPUTMETHOD="$CAT"

Tiger_PasswdFiles=$WORKDIR/passwd.list.$$
export Tiger_PasswdFiles

[ "$Tiger_Check_EMBEDDED" != 'N' ] && {
  TigerCheckEmbedded="$WORKDIR/embed.list.$$"
  > $TigerCheckEmbedded
}
export TigerCheckEmbedded

[ "$Tiger_TESTMODE" != 'Y' ] && {
  delete $Tiger_PasswdFiles
  $GEN_PASSWD_SETS $Tiger_PasswdFiles
}

[ "$Tiger_Check_FILESYSTEM" != 'N' ] && {
  if [ "$Tiger_TESTMODE" = 'Y' ]; then
    echo "`$TIMECMD`> Performing file systems scans..."
    run_script find_files >> $logtmp
  else
    echo "`$TIMECMD`> Starting file systems scans in background..."
    $SCRIPTDIR/find_files > $WORKDIR/fsscan.log$$ &
    fspid=$!
  fi
}

crackpid=
[ "$Tiger_Run_CRACK" != 'N' ] && {
  if [ "$Tiger_TESTMODE" = 'Y' ]; then
    echo "`$TIMECMD`> Running Crack (password cracker)..."
    run_script crack_run
  else
    crackout=$WORKDIR/crack.out.$$
    echo "`$TIMECMD`> Running Crack (password cracker) in background..."
    nice -6 $SCRIPTDIR/crack_run > $crackout &
    crackpid=$!
  fi
}

trippid=
[ "$Tiger_Run_TRIPW" != 'N' ] && {
  if [ "$Tiger_TESTMODE" = 'Y' ]; then
    echo "`$TIMECMD`> Running Tripwire..."
    run_script tripwire_run
  else
    tripout=$WORKDIR/tripwire.out.$$
    echo "`$TIMECMD`> Running Tripwire in background..."
    nice -6 $SCRIPTDIR/tripwire_run > $tripout &
    trippid=$!
  fi
}

aidepid=
[ "$Tiger_Run_AIDE" != 'N' ] && {
  if [ "$Tiger_TESTMODE" = 'Y' ]; then
    echo "`$TIMECMD`> Running Aide..."
    run_script aide_run
  else
    export aideout=$WORKDIR/aide.out.$$
    echo "`$TIMECMD`> Running Aide in background..."
    nice -6 $SCRIPTDIR/aide_run > $aideout &
    aidepid=$!
  fi
}


[ "$Tiger_Check_PASSWD" != 'N' ] && {
  echo "`$TIMECMD`> Checking password files..."
  run_script check_passwd >> $logtmp
  echo "`$TIMECMD`> Checking password format..."
  run_script check_passwdformat >> $logtmp
}

[ "$Tiger_Check_PASSWD_NIS" != 'N' ] && {
  echo "`$TIMECMD`> Checking NIS settings..."
  run_script check_nisplus >> $logtmp
}

[ "$Tiger_Check_GROUP" != 'N' ] && {
  echo "`$TIMECMD`> Checking group files..."
  run_script check_group >> $logtmp
}

[ "$Tiger_Check_ACCOUNTS" != 'N' ] && {
  echo "`$TIMECMD`> Checking user accounts..."
  run_script check_accounts >> $logtmp
}

[ "$Tiger_Check_RHOSTS" != 'N' ] && {
  echo "`$TIMECMD`> Checking .rhosts files..."
  run_script check_rhosts >> $logtmp
}

[ "$Tiger_Check_NETRC" != 'N' ] && {
  echo "`$TIMECMD`> Checking .netrc files..."
  run_script check_netrc >> $logtmp
}

# Note: TARA calls this script with Tiger_Check_ROOT so we keep it
# there for compatibility purposes
[ \( "$Tiger_Check_ROOT" != 'N' -a -n "$Tiger_Check_ROOT" \) -o "$Tiger_Check_ROOT_ACCESS" != 'N' ] && {
  echo "`$TIMECMD`> Checking ttytab, securetty, and login configuration files..."
  run_script check_root >> $logtmp
}


[ "$Tiger_Check_PATH" != 'N' ] && {
  echo "`$TIMECMD`> Checking PATH settings..."
  run_script check_path >> $logtmp
}

[ "$Tiger_Check_ANONFTP" != 'N' ] && {
  echo "`$TIMECMD`> Checking anonymous ftp setup..."
  run_script check_anonftp >> $logtmp
}

[ "$Tiger_Check_ALIASES" != 'N' ] && {
  echo "`$TIMECMD`> Checking mail aliases..."
  run_script check_aliases >> $logtmp
}

[ "$Tiger_Check_CRON" != 'N' ] && {
  echo "`$TIMECMD`> Checking cron entries..."
  run_script check_crontabs >> $logtmp
}

[ "$Tiger_Check_INETD" != 'N' ] && {
  echo "`$TIMECMD`> Checking 'inetd' configuration..."
  run_script check_inetd >> $logtmp
  echo "`$TIMECMD`> Checking 'tcpd' configuration..."
  run_script check_tcpd >> $logtmp
}

[ "$Tiger_Check_SERVICES" != 'N' ] && {
  echo "`$TIMECMD`> Checking 'services' configuration..."
  run_script check_services >> $logtmp
}

[ "$Tiger_Check_EXPORTS" != 'N' ] && {
  echo "`$TIMECMD`> Checking NFS export entries..."
  run_script check_exports >> $logtmp
}

[ "$Tiger_Check_PERMS" != 'N' ] && {
  echo "`$TIMECMD`> Checking permissions and ownership of system files..."
  run_script check_perms >> $logtmp
}

[ "$Tiger_Check_SIGNATURES" != 'N' ] && {
  echo "`$TIMECMD`> Checking for altered or out of date binaries..."
  run_script check_signatures >> $logtmp
}

[ "$Tiger_Check_KNOWN" != 'N' ] && {
  echo "`$TIMECMD`> Checking for indications of break-in..."
  run_script check_known >> $logtmp
}

[ "$Tiger_Check_ROOTKIT" != 'N' ] && {
  echo "`$TIMECMD`> Performing rootkit checks..."
  run_script check_rootkit >> $logtmp
}

[ "$Tiger_Check_SYSTEM" != 'N' ] && {
  echo "`$TIMECMD`> Performing system specific checks..."
  run_script check_system >> $logtmp
}


[ "$Tiger_Check_ROOTDIR" != 'N' ] && {
  echo "`$TIMECMD`> Performing root directory checks..."
  run_script check_rootdir >> $logtmp
}

[ "$Tiger_Check_ETCISSUE" != 'N' ] && {
  echo "`$TIMECMD`> Performing /etc/issue login banner checks..."
  run_script check_issue >> $logtmp
}


[ "$Tiger_Check_BACKUPS" != 'N' ] && {
  echo "`$TIMECMD`> Checking for secure backup devices..."
  run_script check_devices >> $logtmp
}


[ "$Tiger_Check_LOGFILES" != 'N' ] && {
  echo "`$TIMECMD`> Checking for the presence of log files..."
  run_script check_logfiles >> $logtmp
}

[ "$Tiger_Check_USERUMASK" != 'N' ] && {
  echo "`$TIMECMD`> Checking for the setting of user's umask..."
  run_script check_umask >> $logtmp
}

#
# The following check has been "promoted" from Linux to
# any system since it is pretty general
#
[ "$Tiger_Check_LISTENING" != 'N' ] && {
  echo "`$TIMECMD`> Checking for listening processes..."
  run_script check_listeningprocs >> $logtmp
}

# A general watchdog for system processes
[ "$Tiger_Check_RUNPROC" != 'N' ] && {
  echo "`$TIMECMD`> Checking for running processes..."
  run_script check_runprocs >> $logtmp
}

[ "$Tiger_Check_DELETED" != 'N' ] && {
  echo "`$TIMECMD`> Checking for processes using deleted files..."
  run_script check_finddeleted >> $logtmp
}

[ "$Tiger_Check_APACHE" != 'N' ] && {
  echo "`$TIMECMD`> Checking Apache's configuration..."
  run_script check_apache >> $logtmp
}

[ "$Tiger_Check_SSH" != 'N' ] && {
  echo "`$TIMECMD`> Checking SSHD's configuration..."
  run_script check_ssh >> $logtmp
}

[ "$Tiger_Check_SENDMAIL" != 'N' ] && {
  echo "`$TIMECMD`> Checking Sendmail's configuration..."
  run_script check_sendmail >> $logtmp
}

[ "$Tiger_Check_PRINTCAP" != 'N' ] && {
  echo "`$TIMECMD`> Checking the printers control file..."
  run_script check_printcap >> $logtmp
}

[ "$Tiger_Check_EXRC" != 'N' ] && {
  echo "`$TIMECMD`> Checking for exrc files..."
  run_script check_exrc >> $logtmp
}

# This test should be changed from Perl to shell script, also there
# is repeated functionality from check_listeningprocs (jfs)
#[ "$Tiger_Check_STRICTNW" != 'N' ] && {
#  echo "`$TIMECMD`> Checking for network configuration..."
#  run_script check_network >> $logtmp
#}

[ "$Tiger_Check_FTPUSERS" != 'N' ] && {
  echo "`$TIMECMD`> Checking ftpusers configuration..."
  run_script check_ftpusers >> $logtmp
}

#
# When not doing checks of all setuid executables, we can do
# embedded checks while the file system scans are running.
#
[ "$Tiger_Check_EMBEDDED" != 'N' -a "x$Tiger_Embed_Check_SUID" != 'xY' ] && {
  echo "`$TIMECMD`> Performing check of embedded pathnames..."
  run_script check_embedded >> $logtmp
}

[ "$Tiger_Check_FILESYSTEM" != 'N' -a "$Tiger_TESTMODE" != 'Y' ] && {
  echo "`$TIMECMD`> Waiting for filesystems scans to complete..."
  wait $fspid
  fspid=
  echo "`$TIMECMD`> Filesystems scans completed..."

  [ -s $WORKDIR/fsscan.log$$ ] && $CAT $WORKDIR/fsscan.log$$ >> $logtmp
  delete $WORKDIR/fsscan.log$$
}
#
# When checking SUID executables, wait until after file system scans
# have completed.
#
[ "$Tiger_Check_EMBEDDED" != 'N' -a "x$Tiger_Embed_Check_SUID" = 'xY' ] && {
  echo "`$TIMECMD`> Performing check of embedded pathnames..."
  run_script check_embedded >> $logtmp
}

[ -n "$crackpid" ] && {
  if /bin/kill -0 $crackpid 2>/dev/null; then
    if [ "$Tiger_Collect_CRACK" = 'Y' ]; then
      wait $crackpid
      $CAT $crackout >> $logtmp
      delete $crackout
    else
      echo "`$TIMECMD`> \`Crack' not finished. Output will be in $crackout."
      echo "# \`Crack' not finished. Output will be in $crackout." >> $logtmp
    fi
  else
    $CAT $crackout >> $logtmp
    delete $crackout
  fi
} 2>/dev/null

[ -n "$trippid" ] && {
    echo "`$TIMECMD`> Waiting for Tripwire to finish..."
    wait $trippid
    $CAT $tripout >> $logtmp
    delete $tripout
} 2>/dev/null

[ -n "$aidepid" ] && {
    echo "`$TIMECMD`> Waiting for Aide to finish..."
    wait $aidepid
    $CAT $tripout >> $logtmp
    delete $tripout
} 2>/dev/null

#echo "`$TIMECMD`> Security report completed for ${HOSTNAME}."

[ "$Tiger_TESTMODE" != 'Y' ] && {
  echo "`$TIMECMD`> Security report completed for ${HOSTNAME}."
  echo "`$TIMECMD`> Security report completed for ${HOSTNAME}." >>$logtmp

  if [ -n "`echo $LOGDIR | $AWK -F\@ '{print $2}'`" ]; then
    sendtologger $logtmp
  fi

  if [ "$EXPLAINREPORT" = "Y" ]; then
    $BASEDIR/tigexp -f $logtmp > $expreport
    $MV $logtmp $logfile
  elif [ "$EXPLAINREPORT" = "I" ]; then
    $BASEDIR/tigexp -F $logtmp > $logfile
    delete $logtmp
  else
    $MV $logtmp $logfile
  fi


  [ "$HTML" = "Y" ] && {
    htmlfile="$logfile.html"
    $MV $logfile $htmlfile
#    $CAT html/* >> $htmlfile
    echo "Security report is in \`$htmlfile'."
  }
  [ "$HTML" = "N" ] && {
    echo "Security report is in \`$logfile'."
  }

 
}

# Cleanup now before exiting
tigercleanup

#
exit 0
