Recursively find and change Permissions on Man pages

Just joined after using the site as a guest.. (Very Good Stuff in here.. thanks folks.)

I am in the process of hardening a Solaris 10 server using JASS. I also must use DISA Security Checklists (SRR) scripts to test for things that did not get hardened to DISA standards.

One of the things missing is a script that would change all of the permissions on various man pages to be no more permissive than 644.

I know I can do it by manually finding and changing them, but it would be great if someone already had a script in place. :smiley:

Thanks again for a great place to browse and learn.

Altamaha

How about just:
find /usr/share/man -type f | xargs chmod 644

you can use chmod -R, always try man page before posting...

Thanx to both of you for your suggestions. I was and am going to be using whatever we discover here as a learning tool to be applied across other directories where permissions need to be changed.

I am wanting to find files that are more permissive than in this case 644 and change them to 644. That would be accomplished by either of your examples I think.

I may need to run my scripts more than once and need only make changes if the files are more permissive than stated, plus I also need to capture the changes in a log for documentation.

I guess I need an ls -l of the directory to get the perms and based on the perms then perform a chmod and >> to a logfile.

Does that make any sense?

Thanks,
JB aka Altamaha

I tried to post this under the Dummies forum in hopes of because it is actually more dumb than security, but I was shut down for double posting.

Now that I am willing to abide by the rules, and after some help from some others on the group, I offer this bit of code hoping that someone can show a better way to get where I am heading.

I am using the suggested find command, but I do not know how one would use the "greater than" check against the permission bits.

#!/bin/sh
#
#
# ident "@(#)stewart-set-manpage-permissions.fin       1.1     08/02/08"
#
# Set permissions for manual pages to no more permissive than 644.
# Reference GEN001280 UNIX Security Checklist V 5R1.5.
#
#
#
MANDIR=/usr/share/man

for FILENAME in `find $MANDIR -type f -perm -7 -o -type f -perm -6 \
     -o -type f -perm -5 -o -type f -perm -3 -o -type f -perm -2 -o -type f -perm -1`
do
     #chmod 644 $FILENAME
     ls -l $FILENAME
done

Thank you,
JB aka Altamaha

GNU find at least has some more advanced options for this. Is installing it an option?

Also, even with regular basic old-skool BSD find, I don't really think you need to painstakingly repeat the -type f -- just add parentheses, but note that you have to backslash-escape them because they are special to the shell, too.

find $MANDIR -type f \( -perm -7 -o -perm -6 -o -perm -5 -o -perm -3 -o -perm -2 -o -perm -1 \)

Of course, if you want to say "any bit except 4", that is doable too, at least with GNU find:

find $MANDIR -type f -perm /3

Also look at find2perl -- its documentation is somewhat terse but if you can't quite say what you want with the bare find(1) options, it might be less frustrating to make minor edits to a generated Perl script. Quick Googling brought up this brief tutorial
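
An added example, not code from any poster in this thread: one way to get the "more permissive than 644" test with plain `find`, change only the files that need it, and log each change so the script can be re-run safely. The function name `tighten_perms` and its log-file argument are hypothetical. It assumes a POSIX shell and covers only the read/write/execute bits, not setuid, setgid or sticky.

```shell
#!/bin/sh
# Added example: remove every rwx bit that 644 does not allow from the
# regular files under a directory, and append one log line per changed file.
# Usage: tighten_perms DIR LOGFILE   (keep LOGFILE outside DIR)

tighten_perms() {
    dir=$1
    log=$2

    # "-perm -MODE" with a single bit in MODE is true when that bit is set,
    # so OR-ing single-bit tests means "any bit outside 644 is on":
    #   0100 owner execute
    #   0020 group write    0010 group execute
    #   0002 other write    0001 other execute
    # Files already at 644 or tighter (600, 640, 444, ...) never match,
    # so a second run changes nothing and logs nothing.
    find "$dir" -type f \( -perm -0100 -o -perm -0020 -o -perm -0010 \
        -o -perm -0002 -o -perm -0001 \) -print |
    while IFS= read -r file    # handles spaces in names, not newlines
    do
        before=$(ls -ld "$file" | cut -c1-10)

        # Clear only the excess bits instead of forcing 644, so a file
        # that was missing a read bit is not made more permissive.
        chmod u-x,go-wx "$file" || continue

        after=$(ls -ld "$file" | cut -c1-10)
        echo "$(date '+%Y-%m-%d %H:%M:%S') $file $before -> $after" >> "$log"
    done
}

# Example call (commented out so that sourcing this file changes nothing):
# tighten_perms /usr/share/man /var/tmp/manpage-perms.log
```
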