This README.suid and everything but the C programs has been hacked up be
me, so all problems you have are probably due to me, unless you can't compile
the files.  Then blame Jon :-)

  This checks for unexpected file system corruption or security breaches.
It's nice to be able to say that you know all your files are as they should
be.  Mark Mendel wrote most of crc.c and Jon Zeef wrote crc_check.c.  Seems
to work fine on BSD or SYS V.

To use it:

1) You first create a crc list with the script "crc.chk", which takes one
argument, the seed for the crc generator.  It reads the file "crc_list"
for a list of files to check; what I have are some of the more interesting
binaries, but you can add or delete from this list to your hearts content.
Wildcards or specific file names are fine.  The first time you run it,
it will create a file called "crc.files", which contains all the crc
values you generated.  Optionally, you can do a:

find / -mount -print | sort | xargs ./crc -v > crc.tmp

  However, "xargs" is a security problem, when combined with find.  Use
this judiciously, if at all, unless your vendor puts some "safe" options
to find in.

2) You can now use "crc.chk" to compare this "crc.files" file to a crc list
created each time you run the shell program.  If everything is ok, nothing
is outputted, otherwise, the results are either mailed to the user INFORM,
on line xxx, or saved to a file "crc.results".  You *MUST* use the same
seed each time you run the program, or the numbers generated will be
different each time you run the program, which kind of makes it useless.

IMPORTANT IMPORTANT IMPORTANT IMPORTANT IMPORTANT IMPORTANT IMPORTANT
IMPORTANT IMPORTANT IMPORTANT IMPORTANT IMPORTANT IMPORTANT IMPORTANT
IMPORTANT IMPORTANT IMPORTANT IMPORTANT IMPORTANT IMPORTANT IMPORTANT

  Have I got your attention?  Good.  There are some fundamental problems
with using a crc program like this.  *If* you use a seed that is hardcoded
in the program, or no seed at all, this is *bad*.  That means to really
use this program usefully, you can't run it in crontab, like the rest
of COPS.  Even worse, you should really store the results offline, since
anyone who breaks into your machine can modify a binary file, run the
crc checker again, then put the new values in your file.  That's the
right way.  But I know that most of you won't do this, so by default,
"crc.chk" just stores everything like everything else, in the COPS secure
directory.  It can still help you, if the attacker doesn't know where
you keep stuff, or doesn't know enough to trash your database of old
crc values.  If nothing else, be sure that you keep your older values
on tape or secondary medium, so when your system gets kicked around a
bit, you can grab the crc program off the tape (the intruder could modify
that, too, you know), run it on your binaries, and finally compare it
to your old values.  Believe me, this is a lot easier, though still not
perfect, than reloading everything on your system from tape, then still
not knowing.  I've put it in the "cops" shell script, but left it commented
out, on line 123, so if you want to use it this way, just uncomment this
line.
  One thing you can do, if you keep the numbers online, is do a crc on the
file of values you keep; write it down, or memorize it, then if it is ever
tampered with, you can detect it.

  Jon goes on about the initial crc value, and other stuff:

=========================================================================
  ... don't tell anyone what this is, you can
  make it nearly impossible for anyone to modify a file in such a way
  that it has the same crc value as the old one (primarily because they
  don't know what the old one was).  If anyone does discover a way to
  make files of the same size that produce the same unknown crc value
  for any unknown -i value, let me know.

  To really do it right, you need to

  1) Run find_crc in single user mode (unless you modify the crc source).
  2) Store all crc results offline.
  3) Don't let anyone see your -i value or the crc results.

  Please send me any modifications you make.

  Jon Zeeff
  zeeff@b-tech.ann-arbor.mi.us
=========================================================================

  Send 'em to me, too!

 -- dan

  The U-Kuang system is currently setup in a minimum configuration; e.g.
it assumes only that world modes/permissions are to be used.  To fully
use the system, if the password checkers and the home-directory checker
come back with any positive results (i.e. with an account that can be
broken), modify the init_kuang file to reflect this.
  To use this system to it's full capabilities, be sure to read the
manual, kuang.man.ms.

This directory contains the various programs and shell scripts
that make up the Kuang security checking system.

The file, kuang.man.1, documents the system in the style of a UNIX
manual page.  The file, kuang.mss, is a draft of a paper on
this system.


To run the system:

0. Execute 'make' to build the programs.
1. Read kuang.man.1
2. Modify the file, init_kuang, to set the initial set of privileges.
3. Execute "sh kuang" (or run the COPS system.)

Findsuid is a little utility we dreamt up to watch for potential Trojan horse
programs by keeping an eye on our suid and sgid files and telling us when
they change unexpectedly.

We run it using the following line in crontab:

	40 3 * * * /etc/findsuid/findsuid >/etc/findsuid/fserror 2>&1

Included here is the findsuid shell script, a man page, a makefile, and a
sample "stop" file.

--- Prentiss Riddle ("Aprendiz de todo, maestro de nada.")
--- {ihnp4,harvard,seismo,gatech,ctvax}!ut-sally!riddle

  A letter I got with source... I've never had the time to add this stuff
in officially.  Maybe next release?  Also, to crack C2 passwords on a
Sun, compile pass.c with the C2 defined (e.g. -DC2), and run the cracker
as root.

========================================================================

Dan,

  Please find enclose four (4) files: passwd.chk, passwd.file.chk, group.chk,
and group.file.chk. These are the files to allow checking of the Sun C2
security variations of SunOS. They will perform checking of the yellow pages
version if so selected by the TEST_YP variable being TRUE in the passwd.chk
and group.chk files. The testing of the SUN C2 security is performed by setting
the SUN_SECURITY variable to TRUE in the passwd.chk and group.chk files.

Pete Troxell

#!/bin/sh
# This is a shell archive (produced by shar 3.49)
# To extract the files from this archive, save it to a file, remove
# everything above the "!/bin/sh" line above, and type "sh file_name".
#
# made 04/10/1992 21:10 UTC by zen@death
#
# existing files will NOT be overwritten unless -c is specified
#
# This shar contains:
# length  mode       name
# ------ ---------- ------------------------------------------
#   1613 -rwx------ group.chk
#   6191 -rwx------ group.file.chk
#   1654 -rwx------ passwd.chk
#   7715 -rwx------ passwd.file.chk
#
# ============= group.chk ==============
if test -f 'group.chk' -a X"$1" != X"-c"; then
	echo 'x - skipping group.chk (File already exists)'
else
echo 'x - extracting group.chk (Text)'
sed 's/^X//' << 'SHAR_EOF' > 'group.chk' &&
#!/bin/sh
#
#   group.chk
#
#  Check group file -- /etc/group -- for incorrect number of fields,
# duplicate groups, non-alphanumeric group names, and non-numeric group
# id's.
#
ECHO=/bin/echo
RM=/bin/rm
TEST=/bin/test
YPCAT=/usr/bin/ypcat
X
#
# Enhanced Security Features addes by Pete Troxell:
#
#   Used for Sun C2 security group file.  FALSE (default) will flag
# valid C2 group syntax as an error, TRUE attempts to validate it. When
# using this option the script must be executed as root or su since the file
# /etc/security/group.adjunct is read protected from everybody except root.
#
SUN_SECURITY=FALSE
X
#
# Enable/Disable testing of the Yellow Pages group file(s)
#
TEST_YP=FALSE
X
#
# Important files:
#
etc_group=/etc/group
etc_secure_group=/etc/security/group.adjunct
yp_group=./grp$$
yp_secure_group=./sgrp$$
X
yp=false
yp_secure=false
X
#
# Testing $yp_group for potential problems....
#
if $TEST -f $YPCAT -a $TEST_YP = "TRUE"
X	then
if $TEST -s $YPCAT
X	then
X	$YPCAT group > $yp_group 2>/dev/null
X	if $TEST $? -eq 0
X		then
X		yp=true
X	fi
X	if $TEST $yp = "true" -a $SUN_SECFURITY = "TRUE"
X		then
X		$YPCAT -t group.adjunct.byname > $yp_secure_group 2>/dev/null
X		if $TEST $? -eq 0
X			then
X			yp_secure=true
X		fi
X	fi
fi
fi
X
#
# Test the system group file
#
./group.file.chk $etc_group $etc_secure_group $SUN_SECURITY
X
#
# Test yellow pages password file
#
if $TEST "$yp" = "true"
X	then
X	$ECHO
X	$ECHO "***** Testing the Yellow Pages password file(s) ******"
X	$ECHO
X	./group.file.chk $yp_group $yp_secure_group $SUN_SECURITY
X	fi
X
#
# Clean up after ourselfs
#
$RM -f $yp_group
$RM -f $yp_secure_group
# end
SHAR_EOF
chmod 0700 group.chk ||
echo 'restore of group.chk failed'
Wc_c="`wc -c < 'group.chk'`"
test 1613 -eq "$Wc_c" ||
	echo 'group.chk: original size 1613, current size' "$Wc_c"
fi
# ============= group.file.chk ==============
if test -f 'group.file.chk' -a X"$1" != X"-c"; then
	echo 'x - skipping group.file.chk (File already exists)'
else
echo 'x - extracting group.file.chk (Text)'
sed 's/^X//' << 'SHAR_EOF' > 'group.file.chk' &&
#!/bin/sh
#
#   group.file.chk
#
# Awk part based on _passwd_ from _The AWK Programming Language_, page 78
#
#   Mechanism:  Group.check uses awk to ensure that each line of the group
# has 4 fields, as well as examining each line for any duplicate groups or
# any duplicate user id's in a given group by using "sort -u" to ferret
# out any duplications.  It also checks to make sure that the password
# field (the second one) is a "*", meaning the group has no password (a
# group password is usually not necessary because each member listed on
# the line has all the privilages that the group has.)  All results are
# echoed to standard output.  Finally it ensures that the group names
# are alphanumeric, that the group id's are numeric, and that there are
# no blank lines.  For yellow pages groups, it does the same checking,
# but in order to get a listing of all members of the groups, it does a
# "ypcat group > ./$$" and uses that temporary file for a groupfile.
# It removes the tmp file after using it, of course.
#   The /etc/group file has a very specific format, making the task
# fairly simple.  Normally it has lines with 4 fields, each field
# separated by a colon (:).  The first field is the group name, the second
# field is the encrypted password (an asterix (*) means the group has no
# password, otherwise the first two characters are the salt), the third
# field is the group id number, and the fourth field is a list of user
# ids in the group.  If a line begins with a plus sign (+), it is a yellow
# pages entry.  See group(5) for more information.
#   The SUN /etc/security/group.adjunct file also has a very specific
# format, makeing the check task simple. Each entry has 2 fields separated
# by a colon (:). THe first field is the user name which matches the user
# name contained in the /etc/group file. The second field is the encrypted
# password (an asterix (*) means the group has no password, otherwise the
# first two characters are the salt). The password contained in the
# /etc/group file is comprised of the #$user_id where the user_id matches
# the entry of the first field in both group files.
#
X
#
# Parameters
#
group_file=$1
group_adjunct_file=$2
SUN_SECURITY=$3
X
#
# Utilities
#
AWK=/bin/awk
DIFF=/usr/bin/diff
ECHO=/bin/echo
JOIN=/usr/bin/join
RM=/bin/rm
SORT=/usr/bin/sort
TEST=/bin/test
UNIQ=/usr/bin/uniq
X
#
# Important files:
#
join_group_1=./grp$$.1.join
join_group_2=./grp$$.2.join
sort_group=./grp$$.sort
sort_secure_group=./sgrp$$.sort
X
#
# Testing the group file for problems
#
result=`$AWK -F: '{print $1}' $group_file | $SORT |$UNIQ -d`
if $TEST "$result"
X	then
X	$ECHO "Warning!  Duplicate gid(s) found in group file:"
X	for USER in $result
X	do
X		$ECHO "	$USER"
X	done
fi
X
#
#   First line is for a yellow pages entry in the group file.
# It really should check for correct yellow pages syntax....
#
$AWK 'BEGIN {FS = ":" } {
X	if (substr($1,1,1) != "+") { \
X	if ($0 ~ /^[ 	]*$/) { printf("Warning!  Group file, line %d, is blank\n", NR) } else {
X	if (NF != 4) { printf("Warning!  Group file, line %d, does not have 4 fields: \n\t%s\n", NR, $0) } \
X	if ($1 !~ /[A-Za-z0-9]/) {
X		printf("Warning!  Group file, line %d, nonalphanumeric user id: \n\t%s\n", NR, $0) } \
X	if ($2 != "" && $2 != "*") {
X		if ("'$SUN_SECURITY'" != "TRUE")
X			printf("Warning!  Group file, line %d, has password: \n\t%s\n", NR, $0)
X		else {
X			if ("#$"$1 != $2)
X				printf("Warning!  Group file, line %d, invalid password field for SUN C2 Security: \n\t%s\n", NR, $0) } \
X		} \
X	if ($3 !~ /[0-9]/) {
X		printf("Warning!  Group file, line %d, nonnumeric group id: \n\t%s\n", NR, $0) \
X	}}}} ' $group_file
X
#
# Ignore all groups with less than two members.
#
awk -F: '
X	split($4, users, ",") > 1 {
X		ct = 0
X		for (i in users) {
X			curuser = users[i]
X			for (j in users) {
X				if (j > i && curuser == users[j]) {
X					if (ct++ == 0) print "Warning!  Group "$1" has duplicate user(s):"
X					print curuser
X				}
X			}
X		}
X	}
X	' $group_file
X
#
# Perform checks on the security enhanced version of SUNOS
#
if $TEST $SUN_SECURITY = "TRUE"
X	then
X	result=`$AWK -F: '{print $1}' $group_adjunct_file | $SORT -t: | $UNIQ -d`
X	if $TEST "$result"
X		then
X		$ECHO
X		$ECHO "Warning!  Duplicate uid(s) found in group adjunct file:"
X		for USER in $result
X		do
X			$ECHO "	$USER"
X		done
X	fi
X	#
X	# Check that for each entry in the group file that there is a matching
X	# entry in the group.adjunct file.
X	#
X	$SORT -t: -o $sort_group $group_file
X	$SORT -t: -o $sort_secure_group $group_adjunct_file
X	$JOIN -t: $sort_group $sort_secure_group > $join_group_1
X	$JOIN -t: -a1 $sort_group $sort_secure_group > $join_group_2
X	result=`$DIFF $join_group_1 $join_group_2`
X	if $TEST "$result"
X		then
X		$ECHO
X		$ECHO "Warning!  Matching record(s) in group adjunct file not found for"
X		$ECHO "these records in group file:"
X		PREV=$$
X		for USER in $result
X		do
X			if $TEST $PREV = ">"
X				then
X				$ECHO "	$USER"
X			fi
X			PREV=$USER
X		done
X	fi
X	#
X	# Check that for each entry in the group.adjunct file that there is a
X	# matching entry in the group file.
X	#
X	$RM -f $join_group_2
X	$JOIN -t: -a2 $sort_group $sort_secure_group > $join_group_2
X	result=`$DIFF $join_group_1 $join_group_2`
X	if $TEST "$result"
X		then
X		$ECHO
X		$ECHO "Warning!  Matching record(s) in group file not found for"
X		$ECHO "these records in group adjunct file"
X		PREV=$$
X		for USER in $result
X		do
X			if $TEST $PREV = ">"
X				then
X				$ECHO "	$USER"
X			fi
X			PREV=$USER
X		done
X	fi
X	#
X	# Test the fields in the group.adjunct file for validity
X	#
X	$AWK 'BEGIN {FS = ":" } \
X		{if (substr($1,1,1) != "+") { \
X		if ($0 ~ /^[ 	]*$/) { printf("\nWarning!  Group adjunct file, line %d, is blank\n", NR) } else {
X		if (NF != 2) {
X			printf("\nWarning!  Group adjunct file, line %d, does not have 2 fields: \n\t%s\n", NR, $0) } \
X		if ($1 !~ /[A-Za-z0-9]/) {
X			printf("\nWarning!  Group adjunct file, line %d, nonalphanumeric login: \n\t%s\n", NR, $0) } \
X		if ($2 != "" && $2 != "*") {
X			printf("\nWarning!  Group adjunct file, line %d, has password: \n\t%s\n", NR, $0) } \
X		}}}' $group_adjunct_file
fi
X
#
# Clean up after ourself
#
$RM -f $join_group_1
$RM -f $join_group_2
$RM -f $sort_group
$RM -f $sort_secure_group
# end
SHAR_EOF
chmod 0700 group.file.chk ||
echo 'restore of group.file.chk failed'
Wc_c="`wc -c < 'group.file.chk'`"
test 6191 -eq "$Wc_c" ||
	echo 'group.file.chk: original size 6191, current size' "$Wc_c"
fi
# ============= passwd.chk ==============
if test -f 'passwd.chk' -a X"$1" != X"-c"; then
	echo 'x - skipping passwd.chk (File already exists)'
else
echo 'x - extracting passwd.chk (Text)'
sed 's/^X//' << 'SHAR_EOF' > 'passwd.chk' &&
#!/bin/sh
#
#   passwd.chk
#
#  Check passsword file -- /etc/passswd -- for incorrect number of fields,
# duplicate uid's, non-alphanumeric uids, and non-numeric group id's.
#
#
ECHO=/bin/echo
RM=/bin/rm
TEST=/bin/test
YPCAT=/usr/bin/ypcat
X
#
# Enhanced Security Features added by Pete Troxell:
#
#   Used for Sun C2 security password adjunct file.  FALSE (default) will flag
# valid SUN C2 passwd syntax as an error, TRUE attempts to validate it. When
# using this option, the script must be executed as root or su since the file
# /etc/security/passwd.adjunct is read protected from everybody except root.
#
SUN_SECURITY=FALSE
X
#
# Enable/Disable testing of the Yellow Pages password file(s)
#
TEST_YP=FALSE
X
#
# Important files:
#
etc_passwd=/etc/passwd
etc_secure_passwd=/etc/security/passwd.adjunct
yp_passwd=./pwd$$
yp_secure_passwd=./spwd$$
X
yp=false
yp_secure=false
X
#
# Testing $yp_passwd for potential problems....
#
if $TEST -f $YPCAT -a $TEST_YP = "TRUE"
X	then
if $TEST -s $YPCAT
X	then
X	$YPCAT passwd > $yp_passwd 2>/dev/null
X	if $TEST $? -eq 0
X		then
X		yp=true
X	fi
X	if $TEST $yp = "true" -a $SUN_SECURITY = "TRUE"
X		then
X		$YPCAT -t passwd.adjunct.byname > $yp_secure_passwd 2>/dev/null
X		if $TEST $? -eq 0
X			then
X			yp_secure=true
X		fi
X	fi
fi
fi
X
#
# Test the system password file
#
./passwd.file.chk $etc_passwd $etc_secure_passwd $SUN_SECURITY
X
#
# Test yellow pages password file
#
if $TEST "$yp" = "true"
X	then
X	$ECHO
X	$ECHO "***** Testing the Yellow Pages password file(s) *****"
X	$ECHO
X	./passwd.file.chk $yp_passwd $yp_secure_passwd $SUN_SECURITY
X	fi
X
#
# Clean up after ourselfs
#
$RM -f $yp_passwd
$RM -f $yp_secure_passwd
# end
SHAR_EOF
chmod 0700 passwd.chk ||
echo 'restore of passwd.chk failed'
Wc_c="`wc -c < 'passwd.chk'`"
test 1654 -eq "$Wc_c" ||
	echo 'passwd.chk: original size 1654, current size' "$Wc_c"
fi
# ============= passwd.file.chk ==============
if test -f 'passwd.file.chk' -a X"$1" != X"-c"; then
	echo 'x - skipping passwd.file.chk (File already exists)'
else
echo 'x - extracting passwd.file.chk (Text)'
sed 's/^X//' << 'SHAR_EOF' > 'passwd.file.chk' &&
#!/bin/sh
#
#   passwd.file.chk
#
#  Check passsword file -- /etc/passswd -- for incorrect number of fields,
# duplicate uid's, non-alphanumeric uids, and non-numeric group id's.
#
# Awk part from _The AWK Programming Language_, page 78
#
#  Mechanism:  Passwd.check uses awk to ensure that each line of the file
# has 7 fields, as well as examining the file for any duplicate users
# by using "sort -u".  It also checks to make sure that the password
# field (the second one) is either a "*", meaning the group has no password,
# or a non-null field (which would mean that the account has a null
# password.)  It then checks to ensure that all uids are alphanumeric,
# and that all user id numbers are indeed numeric.  For yellow pages
# passwords, it does the same checking, but in order to get a listing of
# all members of the password file, it does a "ypcat passwd > ./$$" and
# uses that temporary file for a passfile.  It removes the tmp file after
# using it, of course.
#   The /etc/passwd file has a very specific format, making the task
# fairly simple.  Normally it has lines with 7 fields, each field
# separated by a colon (:).  The first field is the user id, the second
# field is the encrypted password (an asterix (*) means the user id has no
# password, otherwise the first two characters are the salt), the third
# field is the user id number, the fourth field is the group id number,
# the fifth field is the GECOS field (basically holds miscellaneous
# information, varying from site to site), the sixth field is the home
# directory of the user, and lastly the seventh field is the login shell
# of the user.  No blank lines should be present.
#   The SUN /etc/security/passwd.adjunct file also has a very specific
# format, making the check task simple. Each entry has 7 fields, each field
# separated by a colon (:). The first field is the user name which matches
# the user name contained in the /etc/passwd file. The second field is the
# encrypted password (an asterix (*) means the user login is disabled,
# otherwise the first two characters are the salt). The password contained
# in the /etc/passwd file is comprised of ##user_id where the user_id
# matches the entry of the first field in both password files. The third
# through fifth specify the minimum, maximum, and default security labels
# for the user. The sixth and seventh fields specify which auditing flags
# should be always or never monitored.
#   If a line begins with a plus sign (+), it is a yellow pages entry.
# See passwd(5) for more information, if this applies to your site.
#
X
#
# Parameters
#
passwd_file=$1
passwd_adjunct_file=$2
SUN_SECURITY=$3
X
#
# Utilities
#
AWK=/bin/awk
DIFF=/usr/bin/diff
ECHO=/bin/echo
JOIN=/usr/bin/join
RM=/bin/rm
SORT=/usr/bin/sort
TEST=/bin/test
UNIQ=/usr/bin/uniq
X
#
# Important files:
#
join_passwd_1=./pwd$$.1.join
join_passwd_2=./pwd$$.2.join
sort_passwd=./pwd$$.sort
sort_secure_passwd=./spwd$$.sort
X
#
# Testing the passwd file for problems
#
result=`$AWK -F: '{print $1}' $passwd_file | $SORT -t: | $UNIQ -d`
if $TEST "$result"
X	then
X	$ECHO
X	$ECHO "Warning!  Duplicate uid(s) found in password file:"
X	for USER in $result
X	do
X		$ECHO "	$USER"
X	done
fi
X
#
#   First line is for a yellow pages entry in the password file.
# It really should check for correct yellow pages syntax....
#
$AWK 'BEGIN {FS = ":" } \
X	{if (substr($1,1,1) != "+") { \
X	if ($0 ~ /^[ 	]*$/) { printf("\nWarning!  Password file, line %d, is blank\n", NR) } else {
X	if (NF != 7) {
X		printf("\nWarning!  Password file, line %d, does not have 7 fields: \n\t%s\n", NR, $0) } \
X	if ($1 !~ /[A-Za-z0-9]/) {
X		printf("\nWarning!  Password file, line %d, nonalphanumeric login: \n\t%s\n", NR, $0) } \
X	if ($2 == "") {
X		printf("\nWarning!  Password file, line %d, no password: \n\t%s\n", NR, $0) } \
X 	if ("'$SUN_SECURITY'" == "TRUE" && "##"$1 != $2) {
X		printf("\nWarning!  Password file, line %d, invalid password field for SUN C2 Security: \n\t%s\n", NR, $0) } \
X	if ($3 !~ /[0-9]/) {
X		printf("\nWarning!  Password file, line %d, nonnumeric user id: \n\t%s\n", NR, $0) } \
X	if ($3 == "0" && $1 != "root") {
X		printf("\nWarning!  Password file, line %d, user %s has uid = 0 and is not root\n\t%s\n", NR, $1, $0) } \
X	if ($4 !~ /[0-9]/) {
X		printf("\nWarning!  Password file, line %d, nonnumeric group id: \n\t%s\n", NR, $0) } \
X	if ($6 !~ /^\//) {
X		printf("\nWarning!  Password file, line %d, invalid login directory: \n\t%s\n", NR, $0) } \
X	}}}' $passwd_file
X
#
# Perform checks on the security enhanced version of SUNOS
#
if $TEST $SUN_SECURITY = "TRUE"
X	then
X	result=`$AWK -F: '{print $1}' $passwd_adjunct_file | $SORT -t: | $UNIQ -d`
X	if $TEST "$result"
X		then
X		$ECHO
X		$ECHO "Warning!  Duplicate uid(s) found in password adjunct file:"
X		for USER in $result
X		do
X			$ECHO "	$USER"
X		done
X	fi
X	#
X	# Check that for each entry in the passwd file that there is a matching
X	# entry in the passwd.adjunct file.
X	#
X	$SORT -t: -o $sort_passwd $passwd_file
X	$SORT -t: -o $sort_secure_passwd $passwd_adjunct_file
X	$JOIN -t: $sort_passwd $sort_secure_passwd > $join_passwd_1
X	$JOIN -t: -a1 $sort_passwd $sort_secure_passwd > $join_passwd_2
X	result=`$DIFF $join_passwd_1 $join_passwd_2`
X	if $TEST "$result"
X		then
X		$ECHO
X		$ECHO "Warning!  Matching record(s) in password adjunct file not found for"
X		$ECHO "these records in password file:"
X		PREV=$$
X		for USER in $result
X		do
X			if $TEST $PREV = ">"
X				then
X				$ECHO "	$USER"
X			fi
X			PREV=$USER
X		done
X	fi
X	#
X	# Check that for each entry in the passwd.adjunct file that there is a
X	# matching entry in the passwd file.
X	#
X	$RM -f $join_passwd_2
X	$JOIN -t: -a2 $sort_passwd $sort_secure_passwd > $join_passwd_2
X	result=`$DIFF $join_passwd_1 $join_passwd_2`
X	if $TEST "$result"
X		then
X		$ECHO
X		$ECHO "Warning!  Matching record(s) in password file not found for"
X		$ECHO "these records in password adjunct file"
X		PREV=$$
X		for USER in $result
X		do
X			if $TEST $PREV = ">"
X				then
X				$ECHO "	$USER"
X			fi
X			PREV=$USER
X		done
X	fi
X	#
X	# Test the fields in the passwd.adjunct file for validity
X	#
X	$AWK 'BEGIN {FS = ":" } \
X		{if (substr($1,1,1) != "+") { \
X		if ($0 ~ /^[ 	]*$/) { printf("\nWarning!  Password adjunct file, line %d, is blank\n", NR) } else {
X		if (NF != 7) {
X			printf("\nWarning!  Password adjunct file, line %d, does not have 7 fields: \n\t%s\n", NR, $0) } \
X		if ($1 !~ /[A-Za-z0-9]/) {
X			printf("\nWarning!  Password adjunct file, line %d, nonalphanumeric login: \n\t%s\n", NR, $0) } \
X		if ($2 == "") {
X			printf("\nWarning!  Password adjunct file, line %d, no password: \n\t%s\n", NR, $0) } \
X		#
X		# Fields 3-5 are ignored since they deal with labels which are
X		# currently unused on the SUN (perhaps a future B-level??)
X		#
X		# Fields 6+7 contain audit flags for the user and are selected
X		# from the following: dr, dw, dc, da, lo, ad, p0, p1, and all.
X		# More than 1 flag can be selected by separating flags with a
X		# comma (,).
X		#
X		if ($6 != "") {
X			j=1
X			len=length($6)
X			for (i=1; i<=len; i++) {
X				if ((substr($6,i,1) != ",") && (i < len))
X					continue
X				if (i == len)
X					token=substr($6,j,i-j+1)
X				else
X					token=substr($6,j,i-j)
X				j=i+1
X				if (token == "dr") continue
X				if (token == "dw") continue
X				if (token == "dc") continue
X				if (token == "da") continue
X				if (token == "lo") continue
X				if (token == "ad") continue
X				if (token == "p0") continue
X				if (token == "p1") continue
X				if (token == "all") continue
X			printf("\nWarning!  Password adjunct file, line %d, invalid audit flag: %s\n\t%s\n", NR, token, $0) } \
X			}
X		}}}' $passwd_adjunct_file
fi
X
#
# Clean up after ourself
#
$RM -f $join_passwd_1
$RM -f $join_passwd_2
$RM -f $sort_passwd
$RM -f $sort_secure_passwd
# end
SHAR_EOF
chmod 0700 passwd.file.chk ||
echo 'restore of passwd.file.chk failed'
Wc_c="`wc -c < 'passwd.file.chk'`"
test 7715 -eq "$Wc_c" ||
	echo 'passwd.file.chk: original size 7715, current size' "$Wc_c"
fi
exit 0

  Try setting the $OVER_8 variable (line 50) in "passwd.chk" to "YES",
if you get warnings about having extra long uid's.


  This little script can be used to generate a better password file for
the password cracker, if you use those funky more-than-one-field in field
one of the password file; e.g., if you have something that looks like:

root.foo.bar:xxxxxxxxxxxxx:0:0:Mr. Fu Bear:/:/bin/sh

  This will change it to:

root:xxxxxxxxxxxxx:0:0:foo bar Mr. Fu Bear:/:/bin/sh

  So that you can use the extra fields as gcos information for password
cracking.  You can substitute the normal password cracking stuff in "cops"
("pass.chk") with something like (assuming you call this "apollo.sh"):

apollo.sh > ./apollo.pw.$$
pass.chk -P ./apollo.pw.$$
rm -f ./apollo.pw.$$


  In addition, you can add these 2 lines to the "passwd.chk" shell script
(right before the start of the awk on line 82 would be fine):

$AWK -F: '{print $1}' $etc_passwd | $AWK -F. '{if (NF > 3)
		printf("Warning!  Password file, line %d, has %d sub-fields in the user field: \n\t%s\n", NR, NF, $0) }'

  And if you're running YP (is that possible, with all of that?  :-)
You can add these 2 lines before line 119:

$AWK -F: '{print $1}' $yp_passwd | $AWK -F. '{if (NF > 3)
		printf("Warning!  YPassword file, line %d, has %d sub-fields in the user field: \n\t%s\n", NR, NF, $0) }'


:
#
#  apollo.pw
#
AWK=/bin/awk

# Quote from the man page (passwd):
# On DOMAIN systems, passwords are kept in the registry files (/registry/*).
#
# Important files:
etc_passwd=/etc/passwd

$AWK -F: '{split($1,temp,"."); \
		$1=temp[1]; \
		for (i in temp) {
			if (i!=1) \
				$5 = $5" "temp[i]; \
			} \
		for (j=1;j<=NF;j++)
			printf("%s:",$j); \
		printf("\n") \
		}' $etc_passwd

# end

A quick primer on "cops_filter"

  "cops_filter" is a mechanism for eliminating warning messages in
the final COPS report that you deem spurious.  It's a simple awk
program that looks at a list of regular expressions and prunes
out any that match.  As simple as it is, however, it is an extremely
dangerous program -- a slip of the ol' regular expression and bam --
you don't get notified that /etc/passwd is world writable, or something
like that.  Hence this file, in hopes to enlighten the masses (yeah,
right, like I can do that... anyway, on to business.)

  Awk uses regular expressions to search for things, which means you
can use wildcards or even a part of a line to nuke a warning.  For
instance -- let's say on a particular host you have NIS explicitly
included in your password file (e.g. no "+" there), but you are a
member of a NIS domain that does have NIS password maps.  Since COPS
isn't smart enough right now to figure out that you might not care
about the NIS password maps on your machine (and I'm not sure that
it would be a good idea to ignore this anyway), it checks everything...
you might get a warning like:

Warning!  YPassword file, line 9, no password:
	ypg::2200:10:YP guest acct:/tmp:/bin/rsh

  There are several things you can do to eliminate this message.
If you're familiar with awk, there are some example lines in
"cops_filter"; you can just change those to do what you want.  If
you're not an awk hacker, run out and by the book by aho, kernighan,
and weinberger, and learn awk.  Well, no, you don't have to -- it's
very easy to do simple things.



IMPORTANT!  All filter lines in "cops_filter" will *ONLY* match the
first line of this multi-line warning message (at least, and do the
right thing.)  Do not try to filter out the second line -- it won't
work.



(No new information below to awk/shell people that you couldn't get
by just glancing at the filter file -- you can go play with "cops_filter"
now if you wish.)

  The simplest thing to do is to add a line (actually 4 lines, as you'll
see below -- but the most important one is the first line) that exactly
matches what you want to get rid of; e.g., for the above example,
you could put something like:

if ($0 ~ /Warning!  YPassword file, line 9, no password:/) {
	skip_next = 1
	next
	}

  An explanation.  In awk, every line of code in the awk program
will act on every line in the input file.  In most programming languages
you need to put a loop around the program, but in awk, it is implied.
The $0 here refers to the current input line that the awk program
is looking at.  This line says that if the current input line is
equal to "Warning!  YPassword file, line 9, no password:", then
you should do what it says between the two curly braces.  In this case,
you just set a variable (don't worry about exactly what it does right
now), and then skip to the next line of input from the COPS report file.
That's all there is to it.  Notice that at the bottom half of the awk
program, there are places where information gets printed out -- all
those mean is that unless awk sees a pattern that it matches and gets
told to go to the next line, it will print out the current line.

  Well, this is probably as clear as mud, but the basic idea is
that you'll be putting a regular expression inbetween two forward
slanting lines ("/"), and if awk matches that, then it will not
print that out in the final COPS report file.

  If you don't want to use an exactly matching line, either because
you're a poor typist or lazy or perhaps you have a group of warnings,
all alike, and you'd like to get rid of them, then you can use
wildcards, or even a part of the line(s) in question -- be careful with
this, and make sure you test your awk program out before inflicting it
for real on your cops reports.

  For instance, to match the above example, you could say:

	if ($0 ~ /Warning!  YPassword file, line 9, no password:/)

or:

	if ($0 ~ /YPassword file, line 9, no password/)

or, if you really don't want to see any YP/NIS messages, you could use:

	if ($0 ~ /YPassword file/)

alternately, an example with wildcards:

	if ($0 ~ /YP.* no password/)

  All of these would match the example line.  However, the bottom two
would match other lines as well -- something like:

Warning!  YPassword file, line 12, invalid login directory:

  Would also be eliminated from the result file.  Be careful especially
when you're dealing with anything that is in the report file that looks
like a regular expression -- characters like "*", "+", and "?", as
well as the forward slash "/" (to keep it separate from the awk
regular expression separator character) should be preceded with a
backslash -- e.g. something like:

	if ($0 ~ /\/usr\/spool\/mail is _World_ writable!/)

  Check your awk program as described before, and compare the output
with the old report file with diff -- does it do what you thought?
Be careful.



  Almost the last Important note -- you can test your filter by saying
something like:

awk -f cops_filter cops_result_file

  Where cops_result_file is usually named something like "1992_Dec_31".
Well, that's about it -- good luck!

 -- dan

  There are now three types of filters for COPS -- the one in CARP, the
one in "cops_filter", and the one in "gen_fix".  They are all similar in
their mechanism, but are to be used for different reasons.  This is just
a short overview of what they do, and how they interact.

1) "cops_filter" (or whatever file you designate with the -f flag.)  This
takes place *BEFORE* the "gen_fix" filter (or whatever you designate
with the -g flag.)

Philosphy -- many things are flagged by COPS as a potential problem.  Some
	of these aren't really a problem, but it's not always practical
	(and is undesirable, from a software engineering standpoint) to
	hard code these things into the COPS package.  By using "cops_filter",
	you can eliminate the warnings from the final result file.

2) "gen_fix" filter.  This happens *after* the "cops_filter".  It generates
a shell fix for various warning messages generated by COPS (mostly
permissions.)

Philosophy -- some things are problems, but too sensitive or tricky to fix
automatically.  Put them here.

3) CARP filter.  Strips out various warnings that might not apply to the
entire network model, or can be used on hosts reports that didn't use
the "cops_filter", or whatever.  This obviously takes place after the
"cops_filter", and "gen_fix" filter doesn't affect it at all.

Philosophy -- not much :-)  You can use this as an overview tool; if you
have a problem that you fixed on all your hosts, then you can use this
to run over your old report files and look at the next-most-serious problem.
Alternately, you can try a "what if" kind of thing, I guess.

  Make sure you uncomment out line 92 in dev.chk:

# On an IBM/AIX box, you can try something like:
# all_devs=`$GREP 'dev.*=' /etc/filesystems | $AWK '{print $NF}'`

  So that COPS can read the right devices.  Also, read the "readme.shadow"
file for shadow-password info, and how to crack passwords, etc, on this
beast.

  On some sequents, I don't know why, but you'll want to have this
line uncommented out in the makefile (line 25):

SEQFLAGS   = -lseq

  Also, in "src/crc_check.c", you may need to uncomment lines 36-38.

  Part of a conversation I had with a guy about cracking shadow passords;
at the end of this is a script that should work with SVR3.2; I'm not
sure about the rest, but minor changes should make it work on
just about anything (for instance, I think on my sun, the variable
$num_fields should be changed to 15 (or you could compile pass.c with
the C2 flag)).  Let me know if you can't get it to work, and I'll
*make* it work :-)  In any case, you'll need to run as root to get the
passwords for cracking.

>On system V3.2, both  AT&T, SCO, and us (Interactive) use the following format
> /etc/passwd looks pretty much normal;
> adm:x:4:4:0000-Admin(0000):/usr/adm:
[...]
> except that the passwd field always contains an "x".
> Then, the etc/shadow file, which is owned by root and perms 400 looks
> like;
[...]
> sally:e4T6g5HbjOnck:7449:0:7000
[...]
> The first field is the account name, the second field is the excrypted
> passwd string, and the rest is password aging garbage.
> Ignore the password fields above containing "LOCKED".  I do that by
> hand to secure an account, since the output of crypt will never match it.

  Try this on for size:

========== shadow.stuff ================
#!/bin/sh
#
#  Usage: shadow.stuff [shadow_password_file]
#
#   Extracts the correct info from shadow pass to use for processing with
# pass.chk and passwd.chk.
#
# (written by me, modified by John F Haugh II, remodified by me.  Hope
# it still works :-))
#
if test -f "$1" ; then
	shadow=$1
else
	if test -f "/etc/shadow" ; then
		shadow=/etc/shadow
	else
		echo "Can't find shadow password file..."
		exit 1
	fi
fi

# This is 15, I think, for a sun?  Others seem to want 13
num_fields=13

passwd=/etc/passwd
foo_pass="./shadow.tmp.$$"
ptmp="./pfile.tmp.$$"
stmp="./sfile.tmp.$$"

sed -e 's/^/p:/' $passwd | sort > $ptmp
sed -e 's/^/s:/' $shadow | sort > $stmp
cat ./pfile.tmp.$$ ./sfile.tmp.$$ | \
	sort -t':' +1 -2 +0r -1 | \
	sed -e 's/^[sp]://' > $foo_pass

awk -F: '{parray[$1] = $0":"parray[$1]} END { \
	for (line in parray) { \
		nf=split(parray[line], pline, ":"); \
		if (nf == '"$num_fields"') {
			print pline[1]":"pline[9]":"pline[3]":"pline[4]":" \
			pline[5]":"pline[6]":"pline[7]; \
		      	} \
		      } \
		}' $foo_pass

rm -f $ptmp $stmp $foo_pass
==========================================

  Ok, the way you use this is just to type "shadow.stuff > tempfile";
this will create a file, "tempfile" (or whatever), that *should*
be the equivalent to a normal password file.  Of course, you'll have
to run this as root so that you can read the shadow password file.
This should work, but no blame if it doesn't, please :-)  Just let
me know if it does or not; I can put it in the normal distribution,
if so.

  Hope this helps -- 'luck!

 -- dan

  In bug.chk, you'll need to change this line (29) to "no":

# Do you decend from 4.3 BSD?
bsd43=yes

  Uncomment the "BRAINDEADFLAGS=-lcrypt" in the makefile, and put the line:

extern char *crypt();

  Right after the #include lines in "pass.c".  This apparently came from
the makers of Xenix, about the availability of crypt(3):

========================
Subject: crypt in Xenix

Due to the export restrictions on CRYPT, we do not ship it with the
standard product.  We do ship it as an SLS: the relevant numbers are
lng190 (for shipment inside the U.S. only) and lng225, which can be
shipped outside the U.S..
========================

  Make the following change in dev.chk:

line 39:
> mtab=/etc/fstab

To:
< mtab=/etc/checklist


(note to myself:
Need to change something... checklist has has one fs per line...)

  There are a couple of things to keep in mind if you're using yellow
pages/NIS.  Automatic checks are made in the passwd.chk, group.chk, suid.chk,
and ftp.chk.  However, if you want to crack passwords from that database,
you need to do one of three things:

1)  If you're using "pass_diff.chk" to check only changed passwords (on
line 108 of "cops"), change the flag on line 33 in "pass_diff.chk" from
"NO" to "YES"

2)  If you're not running "pass_diff.chk", replace "pass.chk" with
"yp_pass.chk" on line 109 of "cops".

3)  Create a password file with ypcat and run "pass.chk -P file".