Unix file, folder permissions, security auditing tools.

I want to periodically check if ASCII password/config files on Unix [Solaris 8] have 400 or 600 access. Folders and files are owned by the designated group and user. Folders and files do not have world write access.

Are there any tools/scripts available for this kind of auditing that I can use on Solaris?

Try googling for "BART" and "ASET". They are available for Solaris 10, I don't know if you can use them with Solaris 8...

Those two tools appear to be geared towards system administrators.
I am mostly interested in checking just application folders and files.

Are there any custom scripts that only check folders and files and don't worry about super-user-level auditing?

You could ls -l /home/*/.passwordfile and parse the resulting output for permissions etc.

I can use find to check the more evident conditions:

find . -user <user> -perm [<-perm#>|<-u=xxx,g=xx>] ..

I am thinking in terms of ignoring link files, and not worrying about the owner of files that have the GID bit set. [These two scenarios I know.]

Are there any other scenarios that are less evident but should be considered for this kind of generic script? One example is checking for broken link files!

You could also check the checksum of the files. This gives a unique number associated with the file and its contents. If the contents change but the size, permissions and mod time stay the same, the checksum will change.

# cd /tmp
# echo "this file is ok" > file
# cksum file
3592584977 16 file
# echo "the file is new" > file
# cksum file
3405287892 16 file

HTH
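To turn the cksum idea above into something cron can run, here is an added example (not code from anyone in this thread) that records a baseline of "crc size path" for every regular file under a folder and later reports files whose checksum or size changed, files that appeared, and files that vanished. It needs only find, cksum, sort and a POSIX awk (nawk on older Solaris); the function names and output labels are this example's own. Note that cksum's CRC is not a cryptographic hash, so keep the baseline somewhere the audited account cannot write, and prefer a cryptographic digest tool where one is available.

```shell
#!/bin/sh
# Added example: cksum baseline and comparison for an application tree.

# make_baseline DIR BASELINE_FILE: one "crc size path" line per regular file.
make_baseline() {
    find "$1" -type f -exec cksum {} \; | sort > "$2"
}

# compare_baseline DIR BASELINE_FILE: prints CHANGED:/NEW:/MISSING: lines
# and returns 1 if anything differs from the baseline, 0 when it all matches.
compare_baseline() {
    dir=$1; base=$2
    cur=${TMPDIR:-/tmp}/cksum.$$
    find "$dir" -type f -exec cksum {} \; | sort > "$cur"
    out=$(awk -v base="$base" '
        # cksum prints "crc size path"; use crc+size as the value and the rest
        # of the line (which may contain spaces) as the key
        { p = $0; sub(/^[0-9]+ [0-9]+ /, "", p); v = $1 " " $2 }
        FILENAME == base { want[p] = v; next }   # first file: the baseline
        !(p in want)      { print "NEW: " p; next }
        want[p] != v      { print "CHANGED: " p }
        { seen[p] = 1 }
        END { for (p in want) if (!(p in seen)) print "MISSING: " p }
    ' "$base" "$cur")
    rm -f "$cur"
    [ -z "$out" ] && return 0
    echo "$out"
    return 1
}

# Typical cron use (placeholder paths):
#   compare_baseline /opt/app/etc /var/audit/app.cksum \
#       || echo "app config tree changed, see cron mail" >&2
```

Because both checksum and size are compared, the case the post describes (new contents, same size and mode) is caught as CHANGED; a rebuilt baseline is only a make_baseline call away once a change has been reviewed.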

Thanks for the idea.

I don't know if this is what you are looking for, but something like this will email it to you daily.

#!/bin/ksh
# Report the permission string for each file of interest. With "ls -asl" the
# first column is the block count, so the mode string is column 2.
echo "Permissions to Shadow File" > /home/perm.txt
ls -asl /etc/shadow | awk '{print $2}' >> /home/perm.txt
echo "Permissions to Passwd File" >> /home/perm.txt
ls -asl /etc/passwd | awk '{print $2}' >> /home/perm.txt
# Mail the report, then remove it (use the full path so rm works from any cron cwd)
mailx -s "File Permissions" user@mail.com < /home/perm.txt
rm /home/perm.txt

Don't know if this is on the right track, but it is just a simple script that you can put in cron that will check files and email to you. For any other files you want, just put them in there as a new line.