This file is indexed.

/usr/lib/tiger/scripts/check_inetd is in tiger 1:3.2.3-8.

This file is owned by root:root, with mode 0o755.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
#!/bin/sh
#
#     tiger - A UN*X security checking system
#     Copyright (C) 1993 Douglas Lee Schales, David K. Hess, David R. Safford
#
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 2, or (at your option)
#    any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#     Please see the file `COPYING' for the complete copyright notice.
#
# check_inetd - 06/14/93
#
# Checks the configuration of the inetd configuration file and determines
# possible problems in them.
#
# check_inetd - 04/20/99
#     Portions corrected y Advanced Research Corporation (R)
# check_inetd - 12/13/2001 - jfs
#     Fixes to avoid false positives 
# check_inetd - 05/27/2002 - jfs
#     Changed TigerInstallDir to .
# check_inetd - 04/15/2003 - jfs
#     Separated the services check into a separate script.
# check_inetd - 04/23/2003 - jfs
#     Fixed requirements
# check_inetd - 05/26/2003 - jfs
#     Fixed calls to test (worked in Linux but not in other OS due
#     to -n not being implicit)
# check_inetd - 08/08/2003 - jfs
#     Safe temporary file creation.
# check_inetd - 08/09/2003 - jfs
#     Re added RM to dependancies since it's used by delete.
# check_inetd - 08/11/2003 - jfs
#     Added checks for the file permissions of the INETDFILE
# check_inetd - 08/13/2003 - jfs
#     Added one of the fixes done by ARSC which were lost in the merge
# check_inetd - 08/14/2003 - jfs Added OUTPUTMETHOD to dependancies.
#     Added checks from ARSC's tara 3.0.3 for more services 
#     (recommending the use of encryption) and implemented more checks
#     for other problematic services/servers. Also checked 019 from FAIL
#     to ALERT
# check_inetd - 10/07/2003 - jfs Removed temporary files
# check_inetd - 10/19/2003 - jfs Applied patch from Ryan Bradetich which
#     adds the exec service to the 'rexd' check.
# check_inetd - 11/18/2003 - jfs Do not report the service is not protected
#     if tcp wrappers are undefined (patch from Ryan Bradetich).
# check_inetd - 03/31/2005 - jfs Dont warn about tcp wrapper protection for
#     internal services
# check_inetd - 07/05/2006 - jfs - Fix deprecated syntax with sort.
#    Thanks to Cyril Chaboisseau and Adam James for providing a patch
#    (Debian bug: #369501)
#
# TODO
# - This script needs to be improved to warn for some of the 'chatty' issues
#   closed by Titan (currently only does this for some services)
#-----------------------------------------------------------------------------
#
TigerInstallDir="/usr/lib/tiger"

#
# Set default base directory.
# Order or preference:
#      -B option
#      TIGERHOMEDIR environment variable
#      TigerInstallDir installed location
#
basedir=${TIGERHOMEDIR:=$TigerInstallDir}

for parm
do
   case $parm in
   -B) basedir=$2; break;;
   esac
done
#
# Verify that a config file exists there, and if it does
# source it.
#
[ ! -r $basedir/config ] && {
  echo "--ERROR-- [init002e] No 'config' file in \`$basedir'."
  exit 1
}
. $basedir/config

. $BASEDIR/initdefs
#
# If run in test mode (-t) this will verify that all required
# elements are set.
#
[ "$Tiger_TESTMODE" = 'Y' ] && {
  haveallcmds SED AWK CAT GEN_INETD_SETS GREP JOIN LS SORT UNIQ RM OUTPUTMETHOD || exit 1
  haveallfiles BASEDIR WORKDIR INETDFILE || exit 1
  
  echo "--CONFIG-- [init003c] $0: Configuration ok..."
  exit 0
}

#------------------------------------------------------------------------
echo
echo "# Performing check of 'inetd'..."

haveallcmds SED AWK CAT GEN_INETD_SETS GREP JOIN LS SORT UNIQ RM OUTPUTMETHOD || exit 1
haveallfiles BASEDIR WORKDIR INETDFILE || exit 1

saveifs=$IFS

tmpinetd=$WORKDIR/sec.$$in
safe_temp "$tmpinetd" "$WORKDIR/cinetd.$$" "$WORKDIR/inet1.$$"
trap 'delete $tmpinetd $WORKDIR/cinetd.$$ $WORKDIR/inet1.$$; exit 1' 1 2 3 15

checkinetd ()
{
  infile=$1

  $JOIN -o 1.1 2.6 1.6 1.7 $infile $INETDFILE > $WORKDIR/cinetd.$$

  __xx="`$LS -id \`$AWK '{print $3}' $WORKDIR/cinetd.$$ |
           $GREP -v internal
          \` 2>/dev/null |
         $SORT |
         $UNIQ -c |
         $SORT -rn |
         $SED -e '1q'`"
  set x $__xx
	 
  count="$2"
  size="$3"
#  tcpdpath="$4"
  tcpdpath=$TCPD

#  [ "$count" -lt 2 ] && tcpdpath=
    
  $GREP -v '^#' $infile | grep -v '^$' |
  while read currservice s p t user currbinary parm1 parms
  do
    [ -z "$currservice" ] && continue
    if [ "$currservice" = 'rexd' -o "$currservice" = 'exec' ]; then
      message FAIL inet006f "" "'$currservice' service is enabled, consider disabling it."
    elif [ "$currservice" = 'sysstat' ]; then
      message WARN inet012w "" "'sysstat' service is enabled, consider disabling it."
    elif [ "$currservice" = 'netstat' ]; then
      message WARN inet013w "" "'netstat' service is enabled, consider disabling it."
    elif [ "$currservice" = 'telnet' ]; then
      message WARN inet098w "" "The 'telnet' server is enabled, consider using ssh instead."
    elif [ "$currservice" = 'ftp' ]; then
      message WARN inet098w "" "The 'ftp' server is enabled, consider using ssh/sftp instead."
    elif [ "$currservice" = 'login' ]; then
      message WARN inet098w "" "The 'login' server is enabled, consider using ssh/sftp instead."
    elif [ "$currservice" = 'shell' ]; then
      message WARN inet098w "" "The 'rsh' server is enabled, consider using ssh/sftp instead."
    elif [ "$currservice" = 'tftp' ]; then
      message WARN inet022w "" "The 'tftpd' server is enabled, consider disabling it"
    elif [ "$currservice" = 'finger' ]; then
      message WARN inet023w "" "The 'finger' server is enabled, consider disabling it"
    elif [ "$currservice" = 'rusers' ]; then
      message WARN inet024w "" "The 'rusers' server is enabled, consider disabling it"
    elif [ "$currservice" = 'echo' -a "$p" = 'udp' ]; then
      message WARN inet025w "" "The 'echo' udp server is enabled, consider disabling it"
    elif [ "$currservice" = 'chargen' -a "$p" = 'udp' ]; then
      message WARN inet025w "" "The 'chargen' udp server is enabled, consider disabling it"
    fi

    [ "$currbinary" = 'internal' ] && continue

    # Note: Does not make sense for the "small servers" services
    # (discard, chargen, echo....)
    if [ "$t" = "nowait" -a -n "$tcpdpath" -a "$currbinary" != "$tcpdpath" ]; then
      message WARN inet099w "" "'$currservice' is not protected by tcp wrappers."
    fi


    if [ -n "`echo $currbinary | $GREP '?'`" ] ; then
      currbinary=`echo $currbinary | $SED -e "s/\?//"`
    fi

    if [ -f "$currbinary" ]; then
      [ -n "$TigerCheckEmbedded" -a "$user" = 'root' ] && {
	echo "$currbinary $inetdsrc" >> $TigerCheckEmbedded
      }
 # SGI IRIX currbinary paths can be prefixed with '?' to indicate
 # optional existance of the binary
     elif [ "X$OS" = "XIRIX" -a "X`echo $currbinary | $SED 's:[?]::'`" != "X$currbinary" ]; then
	if [ -f "`echo $currbinary | $SED 's:[?]::'`" ]; then
		[ -n "$TigerCheckEmbedded" -a "$user" = 'root' ] && {
			echo "`echo $currbinary | $SED 's:[?]::'` $inetdsrc" >> $TigerCheckEmbedded
		 }
	else
		message INFO inet014i "" "`echo $currbinary | $SED 's:[?]::'` for $currservice does not exist (flagged as optional)."
	fi

    else
      message INFO inet010i "" "$currbinary for $currservice does not exist."
    fi
    
    if [ "X$OS" = "XIRIX" -a "X`echo $currbinary | $SED 's:[?]::'`" != "X$currbinary" ]; then
	lgetpermit "`echo $currbinary | $SED 's:[?]::'`" |
	pathmsg inet008 inet009 "`echo $currbinary | $SED 's:[?]::'`" root "inetd entry for $currservice service uses"
    else
	lgetpermit "$currbinary" |
	pathmsg inet008 inet009 "$currbinary" root "inetd entry for $currservice service uses"
    fi

    if [ "$currbinary" = "$tcpdpath" ]; then
      if [ -f "$parm1" ]; then
	[ -n "$TigerCheckEmbedded" -a "$user" = 'root' ] && {
	  echo "$parm1 $inetdsrc" >> $TigerCheckEmbedded
	}
      else
	message INFO inet010i "" "$parm1 for $currservice does not exist."
      fi
    
      lgetpermit "$parm1" |
      pathmsg inet008 inet009 "$parm1" root "inetd entry for $currservice service uses"
    fi
  done 

  while read service exppath currpath parm1 parms
  do
    if [ -n "`echo $currpath | $GREP '?'`" ]; then
     currpath=`echo $currpath | $SED -e "s/\?//"`
    fi
    if [ -n "`echo $exppath | $GREP '?'`" ]; then
     exppath=`echo $exppath | $SED -e "s/\?//"`
    fi
    if [ "$currpath" != "$exppath" -a "$currpath" != "$tcpdpath" ]; then
	message WARN inet005w "" "Service $service is using $currpath instead of $exppath."
    fi
  done < $WORKDIR/cinetd.$$
  
  delete $WORKDIR/cinetd.$$

  $AWK '$6 != "internal" {print}' $infile |
  $SORT > $WORKDIR/inet1.$$
# TODO: Consider this change done by ARSC:
#   $SORT -k 6,6 > $WORKDIR/inet1.$$
  $AWK '$6 != "internal" {print}' $INETDFILE |
  $SORT |
# TODO: Consider this change done by ARSC:
#   $SORT -k 6,6 |
  $JOIN -j 1 -o 1.1 2.1 1.6 - $WORKDIR/inet1.$$ |
  while read expservice currservice prog
  do
   if [ -n "$prog" ] ; then
    [ "$expservice" != "$currservice" ] && {
      message WARN inet007w "" "Binary $prog is being used for service $currservice.  Expected service is $expservice."
    }
   fi
  done 
  delete $WORKDIR/inet1.$$

# Print out any other entries that have been added
  $AWK '{ print $1 " " $3 }' $infile |
  $GREP -v '^#' | $GREP -v '^ $' | $SORT |
  while read service protocol
  do
	matchescount=""
	matches=`$AWK '{ print $1 " " $3 }' $INETDFILE | $GREP " $protocol$" | \
	$AWK '{ print $1 }'`
	for currservice in $matches
	do
		if [ "X$service" = "X$currservice" ]; then
			matchescount="$matchescount."
		fi
	done
	if [ "X$matchescount" = "X" ]; then
		x="`$EGREP \"^$service[     ]\" $infile`"
		message INFO inet011i "$x" "Locally added entry \`$service' in inetd.conf:"
	fi
  done
# TODO: ARSC's tara uses the following, consider using it since
# it looks (is?) more efficient
#  $AWK '{printf("%s %s\n",$1,$3)}' $infile | sort> $WORKDIR/f1.$$
#  $AWK '{printf("%s %s\n",$1,$3)}' $INETDFILE | $GREP -v "^#" | sort |
#  $COMM -23 $WORKDIR/f1.$$ - |
#  while read service protocol
#  do
#    if [ -n "$service" ]; then
#    message INFO inet011i "" "Locally added entry \`$service'in inetd.conf:"  
#    fi
#  done
#

}

realpath="$REALPATH -d"

[ ! -n "$REALPATH" -o ! $TESTEXEC "$REALPATH" ] && realpath="echo"

# Check the permissions in the /etc/inetd.conf
# TODO: Should the location of the inetd be hardcoded? 
# (it is in the gen_inetd programs)
getpermit /etc/inetd.conf |
while read _namefile _owner _group ur uw ux gr gw gx or ow ox suid sgid stk
do
     [ "$ur$uw$ux$gr$gw$gx$or$ow$ox" != '110000000' -a "$_group" != "root" ] && \
         message WARN inet017w "" "The $_namefile permissions are not 600."
     [ "$gw" != '0' ] && \
         message WARN inet018w "" "The $_namefile file can be written by any user of the group $_group."
     [ "$ow" != '0' ] && \
         message ALERT inet019a "" "The $_namefile file can be written by any user."
     [ "$_owner" != 'root' ] && \
         message FAIL inet020f "" "The $_namefile file is not owned by root (owned by $_owner)."
done


# Check the information in the INETDFILE
{

  haveallcmds GEN_INETD_SETS UNIQ &&
  haveallfiles INETDFILE && {
    $GEN_INETD_SETS |
    while read inetd_set
    do
      inetdsrc=`$CAT $inetd_set.src`
      echo "# Checking inetd entries from $inetdsrc"

      checkinetd $inetd_set

      delete $inetd_set $inetd_set.src
    done
  }
} |
$OUTPUTMETHOD

delete "$tmpinetd" "$WORKDIR/cinetd.$$" "$WORKDIR/inet1.$$"

exit 0