#! /bin/bash
#
# MTH_Linux_Audit.txt version 0.0.5
#
# Installation:
# 1.) Log in as ROOT.
# 2.) Create a directory under root called : audit-scripts  use this exact name
#     as further processing depends on this exact spelling
# 3.) mount the floppy and copy the 2 files to /root/audit-scripts
#     MTH_Linux_Audit_V5.txt
#     chkrootkit-0.43.tar.gz
# 4.) change the mode of MTH_Linux_Audit.txt to 777 =
#     chmod 777 /root/audit-scripts/MTH_Linux_Audit_V5.txt
#
# Run this script with ./MTH_Linux_Audit_V5.txt  Each command
# appends the output of that command to a log file or separate text files listed below.
# The command-results.log file and the txt files below need to be compared manually by
# the auditor to management's policies, standards, and procedures.
#
# Possible Output Files:
# command_results.log   results of the commands executed in this script that
#                       do NOT create their own distinct output file below
# error-mesgs.log       command execution time error messages
#
# Users & Group Files:
# useraccounts.txt      all users
# defaultlogin.txt      default login
# defpass.txt           default passwords
# group.txt             list of groups
# group2.txt            list of security groups
# passwdvartcb.txt      trusted computer block from /var/tcb
# passwdtcb.txt         trusted computer block from /tcb
# netgroup.txt          groups trusted
#
# Services, Daemons, Module Files:
# dmesg.txt             daemon messages
# bootmsg.txt           /var/log/boot.msg file of boot load messages (SuSE)
# inittab.txt           initialization table
# lsof-result.txt       listing of open files at the time of the test
# crondaily.txt         jobs scheduled to run daily
#
# Networks & Connections
# netstat-a.txt         network connection status
# dialups.txt           hosts allowed to dial in
# dpasswd.txt           passwords for dial in hosts
# exports.txt           directories allowed to export files
# ftpusers.txt          users allowed the file transfer protocol
# ftpaccess.txt         hosts allowed ftp connections
# networks.txt          hosts as part of the domain
# protocols             network protocols
# inetd.txt
# inetd.sec.txt
# hosts.txt             hosts allowed in the
# domain
# hostsall.txt          hosts specifically allowed to use local INET services
# hostsden.txt          hosts specifically denied access to local INET services
# hostseq.txt           hosts
# ssh_config.txt        ssh configuration
#
# File Systems
# defsu.txt             default accounts that can switch user (su)
# worldw.txt            world writable files (possibly large, optional at start up)
# worldwdir.txt         world writable directories
# sensdir.txt           lists sensitive directories
# sensfile.txt          lists sensitive files
# unowned.txt           files with no owner or no group owner
#
# Auditing & Logging
# message_last_500.txt  last 500 lines of the /var/log/messages system log file
#
# Security
# xinetd.txt            X windows daemon
# logindefs.txt         log in configuration, length, alpha, life
# secenviron.txt
# seclastlog.txt
# secloginconf.txt      shells, login times
# secportlog.txt
#
# Applications
# apps.txt              list of RPM identified applications
# chkroot.txt           list of positive & negative results of CHKROOTKIT
#
# The script runs for about 10 minutes on a base install of SuSE 8.2 professional
# which has approximately 84,000 files and 7,000 directories. The time can be reduced
# by commenting out the search for world writable directories (3 min) and the
# search for unowned files (3 more minutes) in section 4.
#
# The search for world writable files has been made interactive due to resource demands.
# If you answer "Y" to the inventory world writable files question, the script could run
# for 20 minutes and may max out the processor. Run this test after hours
# or during low system usage.
#
# World writable directories are discovered and written to a file.
#
# The script copies and installs an executable file that checks for malware.
# CHKROOTKIT-0.43 if the version used changes the command line needs to be edited.
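#
# ****Run this script in a test environment before it is run on a production system *******
#
# Nearly every command below reads root-only files (/etc/shadow, /etc/sudoers, ...);
# stop early with a clear message instead of filling the error log with EACCES.
if [ "$(id -u)" -ne 0 ]; then
  echo "This script must be run as root" >&2
  exit 1
fi
#
# Choice for world writable file detection
read -p "Enter Y (not yes, not y) if you wish to run the listing of world writable files = "
echo "You entered $REPLY ."
#
# The password file can be copied to the auditresults directory. It may be preferable to run
# the password cracking test against that copy of the file on the system, delete the copy,
# before copying the contents of the auditresults directory to a floppy. Depends how much you
# trust your assessor. All these password steps are commented out, you must un-comment
# those lines to execute them.
#
# ***************** BACKGROUND SECTION *********************************
# This section gathers background data on the machine under review.
# Builds the directory /root/auditresults/$date$time, gathers logs files,
# creates a results file command-results.log & sets Variables.
#
# default paths usually allow the running of all commands
# if commands do not run consider removing the comment from the following path command
# PATH=/:/root:/root/audit-scripts:/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
#
# The results directory receives a copy of /etc/shadow and other sensitive files, so
# everything created from here on is root-only (umask 077, chmod 700 on the directory).
umask 077
#
# variables:
SERVERNM=$(/bin/hostname)
AUDITDATETIME=$(date +%m%d%y"-"%H%M%S)
if [ -d /root/auditresults ]; then
  echo "The directory /root/auditresults/ already exists"
else
  mkdir /root/auditresults
fi
OUTDIR="/root/auditresults/$AUDITDATETIME"
OUTLOG="$OUTDIR/commandresults.log"
ERRORLOG="$OUTDIR/error-mesgs.log"
# Without the directory every later redirect fails; stop rather than scatter output.
mkdir "$OUTDIR" || { echo "cannot create $OUTDIR" >&2; exit 1; }
chmod 700 "$OUTDIR"
# Open output files with a separator line
POUNDLINE="################################################################"
echo "$POUNDLINE" >"$ERRORLOG"
echo "$POUNDLINE" >"$OUTLOG"
#
# Functions
#
#######################################
# Insert a form feed and a separator line in the log file.
# The form feed is written to the log (the original printf went to the terminal),
# so each section starts on a new page when the log is printed.
# Globals:   OUTLOG, POUNDLINE (read)
#######################################
seperator() {
  printf '\f' >>"$OUTLOG"
  echo " " >>"$OUTLOG"
  echo "$POUNDLINE" >>"$OUTLOG"
  echo " " >>"$OUTLOG"
}
#######################################
# Append one line of text to the command results log.
# Arguments: $* - the text
#######################################
log_line() {
  echo "$*" >>"$OUTLOG"
}
#######################################
# Append the single-space spacer line used between items in the results log.
#######################################
log_blank() {
  echo " " >>"$OUTLOG"
}
#######################################
# Run a command with stdout appended to the results log and stderr to the error log.
# Arguments: $@ - command and its arguments
# Returns:   the command's exit status
#######################################
run_logged() {
  "$@" >>"$OUTLOG" 2>>"$ERRORLOG"
}
#######################################
# Copy a file into the results directory when it exists and record the outcome.
# Arguments: $1 - source path, $2 - file name inside $OUTDIR
# Outputs:   "<src> copied to <name>" or " <src> not found" in the results log
#######################################
copy_file() {
  local src=$1
  local dest=$2
  if [ -f "$src" ]; then
    cp -- "$src" "$OUTDIR/$dest" 2>>"$ERRORLOG"
    echo "$src copied to $dest" >>"$OUTLOG"
  else
    echo " $src not found" >>"$OUTLOG"
  fi
}
#
echo "################################################################" >"$OUTLOG"
log_blank
log_line " command_results.log"
log_blank
log_line "start date & time  $(date)"
log_blank
log_line "Linux Audit Server Name =  $SERVERNM"
log_line "Results are stored in the directory $OUTDIR"
log_blank
log_line "###############################################################"
SYSTNAME=$(uname -s)
log_line "Background Information"
log_line " System Name = $SYSTNAME"
RELEASENM=$(uname -r)
VERSIONNM=$(uname -v)
MACHINENM=$(uname -m)
log_line " Release =  $RELEASENM"
log_line " Linux Release Name ="
# The stderr redirect belongs on cat: in the original it was on echo, so a missing
# release file reported to the terminal instead of the error log.
if [ -f /etc/redhat-release ]; then
  run_logged cat /etc/redhat-release
else
  run_logged cat /etc/SuSE-release
fi
log_line " Version =  $VERSIONNM"
log_line " Machine Name =  $MACHINENM"
if [ -f /etc/redhat-release ]; then
  run_logged cat /etc/defaultdomain
fi
log_line " Message of the Day =  $(cat /etc/motd 2>>"$ERRORLOG")"
#
# system info:
uname -a >>"$OUTLOG"
#
# ************ SECTION 1 - USER ACCOUNTS and GROUPS **************************
seperator
log_line "SECTION 1 - GROUPS and USER ACCOUNTS"
log_blank
# Count of users
log_line "Number of accounts = "
run_logged wc -l /etc/shadow
log_blank
# list the password shadow file and view for evidence of encryption
log_line "Password Shadow File "
run_logged cat /etc/shadow
log_blank
# accounts with UID ZERO
log_line "Accounts with user ID (field 3) equal to zero (UID = 0) "
run_logged awk -F: '{if ($3=="0") print $1}' /etc/passwd
log_blank
# accounts with no password
# The fallback when there is no shadow file is /etc/passwd (the original read
# "/etc/password", which does not exist).
log_line "Accounts with no password"
if [ -f /etc/shadow ]; then
  run_logged awk -F: '{if ($2=="") print $1}' /etc/shadow
else
  run_logged awk -F: '{if ($2=="") print $1}' /etc/passwd
fi
log_blank
#
# where root can log into
log_line "SECURETTY Where root can login:"
run_logged cat /etc/securetty
log_blank
# who was logged in to what when the audit script was run
log_line "Users logged in to the system during the test"
run_logged w
log_blank
#
# start copying files:
log_line "Copy relevant files if they exist:"
# default login
copy_file /etc/default/login defaultlogin.txt
# default password (the header lists this output as defpass.txt; the name is kept as is)
copy_file /etc/default/passwd defpas.txt
# groups
copy_file /etc/group group.txt
# security group
copy_file /etc/security/group group2.txt
# System usernames
copy_file /var/tcb/files/auth.db passwdvartcb.txt
# Normal usernames
copy_file /tcb/files/auth.db passwdtcb.txt
# netgroup
copy_file /etc/netgroup netgroup.txt
#
# FUTURE TESTS **********
# generic guest accounts
# groups relevant to the applications installed
# groups should have a password or locked
# unused accounts
# default vendor accounts
#
# ************ SECTION 2 - SERVICES, DAEMONS, and MODULES *********************
#
seperator
log_line "SECTION 2 - SERVICES, DAEMONS, and MODULES"
log_blank
# copy dmesg to a text file for later analysis of devices loaded at startup
dmesg >>"$OUTDIR/dmesg.txt" 2>>"$ERRORLOG"
cp /var/log/boot.msg "$OUTDIR/bootmsg.txt" 2>>"$ERRORLOG"
log_blank
log_line " System Processes "
log_blank
# running processes
log_line "Processes running:"
run_logged ps -auwx
log_blank
# number of processes running
log_line "The number of running processes:"
ps -auwx 2>>"$ERRORLOG" | wc -l >>"$OUTLOG"
log_blank
# services set to run
log_line "Services set to run:"
run_logged chkconfig --list
log_blank
# modules loaded
log_line "Modules loaded:"
run_logged lsmod
log_blank
# TOP list of process ID and commands associated with the PID
log_line "TOP lists process ID, the command associated with that process, memory usage and CPU usage:"
run_logged top -b -n1
log_blank
# copy inittab to a file
copy_file /etc/inittab inittab.txt
log_blank
# get the daily cron schedule
# /etc/cron.daily is normally a directory; the original tested it with -f and tried to
# cp it as a file, so nothing was ever captured.  A directory gets a long listing,
# a plain file is still copied.
if [ -d /etc/cron.daily ]; then
  ls -l /etc/cron.daily >"$OUTDIR/crondaily.txt" 2>>"$ERRORLOG"
  log_line "/etc/cron.daily listing written to crondaily.txt"
else
  copy_file /etc/cron.daily crondaily.txt
fi
log_blank
# LSOF -l lists all open files
# "[ lsof ]" is a non-empty-string test and was always true; test for the command instead.
if command -v lsof >/dev/null 2>&1; then
  log_line "LSOF -l command results, all open processes copied to lsof-result.txt"
  lsof -l >>"$OUTDIR/lsof-result.txt" 2>>"$ERRORLOG"
else
  log_line " lsof command was not found"
fi
log_blank
#
# FUTURE TESTS ***************************
# ****** GET /tmp/install.log to review what options were chosen at build *****
# ****** GET /sbin/inet.d/boot.local ******************************************
# ****** GET lmsensors ?? *****************************************************
# comment out unused services in /etc/inetd.conf
# check /etc/services
# rc.d
#
# ************ SECTION 3 - NETWORKS and CONNECTIONS ***************************
#
seperator
log_line " SECTION 3 - NETWORKS and CONNECTIONS "
log_blank
#
# check for SSH configuration
# The original "echo cat /etc/ssh/ssh_config" wrote the literal command text into
# ssh_config.txt instead of the file contents.
copy_file /etc/ssh/ssh_config ssh_config.txt
log_blank
#
# Simple Network Management Protocol
log_line " SNMP Configuration "
if [ -f /etc/snmp/snmp.conf ]; then
  run_logged cat /etc/snmp/snmp.conf
else
  log_line "File /etc/snmp/snmp.conf was not found"
fi
log_blank
#
# check the Internet Protocol devices
log_line "Networking "
log_line "IFCONFIG devices:"
run_logged ifconfig -a
log_blank
#
# current network connection status
log_line "NETSTAT current connections:"
log_blank
# netstat current interfaces & routing tables
log_line "NETSTAT current interfaces and routing tables:"
run_logged netstat -i
run_logged netstat -rn
log_blank
# netstat -a is verbose, dump it to its own file
log_line "Note: netstat -a is verbose, dump it to it's own file"
netstat -a >"$OUTDIR/netstat_a.txt" 2>>"$ERRORLOG"
log_line " The results of Netstat -a command are in the file netstat_a.txt"
log_blank
#
# RPC existence check
log_line "RPC Info (null= no RPC services running= ok):"
run_logged /usr/sbin/rpcinfo -p
log_blank
#
# start copying files 12 more files possible (13 for section 3 counting netstat -a above)
#
# ICMP settings
# Each /proc entry is a one-value file, so the value is recorded next to the name:
# the name alone does not show whether e.g. echo replies or broadcasts are ignored.
log_line " ICMP Settings: "
for f in /proc/sys/net/ipv4/icmp_e*; do
  [ -f "$f" ] || continue
  log_line "$f = $(cat "$f" 2>>"$ERRORLOG")"
done
log_blank
#
# IP Forwarding
log_line " IP Forwarding: "
for f in /proc/sys/net/ipv4/ip_f*; do
  [ -f "$f" ] || continue
  log_line "$f = $(cat "$f" 2>>"$ERRORLOG")"
done
log_blank
copy_file /etc/dialups dialups.txt
copy_file /etc/d_passwd dpasswd.txt
copy_file /etc/exports exports.txt
copy_file /etc/ftpusers ftpusers.txt
copy_file /etc/ftpaccess ftpaccess.txt
copy_file /etc/networks networks.txt
copy_file /etc/protocols protocols.txt
copy_file /etc/inetd.conf inetd.txt
copy_file /etc/inetd.sec inetd.sec.txt
copy_file /etc/hosts hosts.txt
copy_file /etc/hosts.allow hostsall.txt
copy_file /etc/hosts.deny hostsden.txt
copy_file /etc/hosts.equiv hostseq.txt
#
# FUTURE TESTS ***********
# no promiscuous devices
# check .rhost
# check for FTP and TCB
# no promiscuous "+" in .rhost or hosts.equiv
#
# ping to check status on critical servers.
# echo Ping >>$OUTLOG
# this line needs an IP ***** ping -c 2 >>$OUTLOG
#
# ************ SECTION 4 - FILE SYSTEMS ***************************************
log_blank
#
seperator
log_line " SECTION 4 - FILE SYSTEMS "
log_blank
#
# check /etc/fstab for authorized file systems
log_line "File Systems Table (/etc/fstab):"
run_logged cat /etc/fstab
log_blank
log_line "File system checks:"
# Default SU (switch user)
# The original "cp /etc/default/su >> file" gave cp one operand, which always fails.
copy_file /etc/default/su defsu.txt
log_blank
# Who can switch users (sudoers)
log_line "Who can switch users: "
run_logged cat /etc/sudoers
log_blank
#
# The next items listing SU and SG files took 20 minutes on a small system
# un-comment the next group of lines only after running these commands on a test system
# Number of SU and SGID Files
# echo "Number of SUID and Switch Group ID files:" >>$OUTLOG
# find / -type f \( -perm -04000 -o -perm -02000 \) -ls |wc -l >>$OUTLOG 2>>$ERRORLOG
# echo " " >>$OUTLOG
# List of SU and SGID files
# echo "List of SU and SGID files : " >>$OUTLOG
# find / -type f \( -perm -04000 -o -perm -02000 \) -ls >>$OUTLOG 2>>$ERRORLOG
# echo " " >>$OUTLOG
#
# World Writable Files
echo "Listing world writable files could be time consuming, run this on a test system first"
# $REPLY is quoted so an empty answer compares as "" instead of breaking the test.
# One pass over the file system: the count is taken from the listing rather than
# running the same find twice.
if [ "$REPLY" = "Y" ]; then
  log_line "World writable files:"
  find / -type f -perm -2 -ls >>"$OUTDIR/worldwfiles.txt" 2>>"$ERRORLOG"
  wc -l <"$OUTDIR/worldwfiles.txt" >>"$OUTLOG"
  log_blank
else
  log_line "World writeable files inventory step was skipped"
fi
log_blank
# World Writable Directories (one find; count taken from the listing)
log_line "World writable directories:"
find / -type d -perm -2 -ls >"$OUTDIR/worldwdir.txt" 2>>"$ERRORLOG"
wc -l <"$OUTDIR/worldwdir.txt" >>"$OUTLOG"
log_blank
# Un-owned files
log_line "Un-owned files:written to unowned.txt"
find / \( -nouser -o -nogroup \) >>"$OUTDIR/unowned.txt" 2>>"$ERRORLOG"
log_blank
# Number of core files and list of core files, from a single find
corelist=$(find / -name core 2>>"$ERRORLOG")
log_line "Number of core files:"
printf '%s\n' "$corelist" | grep -c . >>"$OUTLOG"
log_blank
log_line "List of CORE files : "
if [ -n "$corelist" ]; then
  printf '%s\n' "$corelist" >>"$OUTLOG"
fi
log_blank
# files modified within the last day
log_line "Files modified in the last day in the /etc directory and subdirectories:"
run_logged find /etc -mtime -1
log_blank
# Hard drive usage
log_line "Hard drive usage:"
run_logged df -h
log_blank
# Permissions on /etc/shadow and other sensitive files and directories
log_line "permissions on /etc/shadow and others:"
for f in /etc/shadow /usr/bin/crontab /bin/mount /bin/umount /etc/crontab; do
  run_logged ls -l "$f"
done
for d in /etc/cron.daily /etc/cron.d; do
  run_logged ls -ld "$d"
done
log_blank
# Sensitive Directories
ls -ld /lib >>"$OUTDIR/sensdir.txt" 2>>"$ERRORLOG"
for d in /usr/conf /usr/kernel /usr/lib /var/log /var/tcb/files; do
  if [ -d "$d" ]; then
    ls -ld "$d" >>"$OUTDIR/sensdir.txt"
  fi
done
log_line "created sensdir.txt"
log_blank
#
# Sensitive Files
for f in /etc/aliases /etc/csh.login; do
  if [ -f "$f" ]; then
    ls -l "$f" >>"$OUTDIR/sensfile.txt"
  fi
done
ls -ld /etc/default/* >>"$OUTDIR/sensfile.txt" 2>>"$ERRORLOG"
log_line "created file sensfile.txt"
log_blank
#
# FUTURE TESTS ************************
# check nfs statd
# host based file locking with LIDS ???
# .profiles .chsrc .login should not be world writeable
# home directories should not include .rhost nor .netrc
# check sgid programs for approval
#
# ************ SECTION 5 - LOGGING and AUDITING ******************************
log_blank
#
seperator
log_line " SECTION 5 - LOGGING & AUDITING "
log_blank
#
# the messages log
log_line "The Messages Log:"
tail -n500 /var/log/messages >>"$OUTDIR/message_last_500.txt" 2>>"$ERRORLOG"
log_line "The last 500 records of the system message log were written to message_last_500.txt"
log_blank
#
# System accounting
log_line "System Accounting "
log_blank
log_line " system uptime:"
run_logged /usr/bin/uptime
log_blank
#
log_line " who is logged on now:"
run_logged /usr/bin/who
log_blank
#
log_line " cron jobs:"
run_logged /usr/bin/crontab -l
log_blank
#
log_line " list files in the directory of /var/log ensure archives are made:"
run_logged ls -lt /var/log
log_blank
#
# *** /var/log/messages and /var/log/warn are huge files
# narrow the request and AWK the relevant lines to output file ******
#
# ***** Check these out, not on either RH 7.2 nor Suse 8.2 ******
# copy_file /etc/security/audit/config secaudcfg.txt
# copy_file /etc/security/audit/events secaudevnt.txt
# copy_file /etc/security/audit/objects secaudobj.txt
#
# FUTURE TESTS ************************
#
# audit log changes
# audit log archival
# login/logout
# admin actions
# change of user, group or file permissions
# system time changes
# removal of files or directories
# cron to check see if logging is still enabled
# cron to periodically archive the log file so it is not overwritten
#
# ************ SECTION 6 - SECURITY ***************************************
#
seperator
log_line " SECTION 6 - Security "
log_blank
#
# xinetd configuration
# The original tested /etc/sysconfig/xinetd but copied /etc/xinetd.conf; the file
# that is copied is the one tested.
copy_file /etc/xinetd.conf xinetd.txt
# Log-in Definitions (lockout, length...)
copy_file /etc/login.defs logindefs.txt
# Security Environment
copy_file /etc/security/environ secenviron.txt
# Last Users to login (the header lists this output as seclastlog.txt)
copy_file /etc/security/lastlog seclstlog.txt
# Shells, login times (the header lists this output as secloginconf.txt)
copy_file /etc/security/login.cfg seclogin.txt
# Unsuccessful logins per port
copy_file /etc/security/portlog secportlog.txt
#
# FUTURE TESTS ************************
#
# copying the password or shadow file to run against a cracker
# separate engagement, not a test of the O/S
# copy_file /etc/passwd passwd.txt
# copy_file /etc/shadow passwd1.txt
#
# C2
# TCB, shadowing, .profiles .chsrc .login
# shadowed password file
# patches up to date
# version number
# no .rhost
# no .netrc
#
# ************ SECTION 7 - APPLICATIONS ***************************************
#
seperator
log_line "SECTION 7 - Applications"
log_blank
#
# Count the number of RPM applications
log_line "Number of RPM Applications (detailed list is in file apps.txt )"
rpm -qa 2>>"$ERRORLOG" | wc -l >>"$OUTLOG"
log_blank
# List the RPM applications (note user installed apps may not appear in the list)
rpm -qa 2>>"$ERRORLOG" | sort >>"$OUTDIR/apps.txt"
#
# Run chkrootkit-0.43 to check for malware
# The tarball is unpacked in, and chkrootkit run from, the directory the script was
# started in.  The header installs chkrootkit-0.43.tar.gz under /root/audit-scripts;
# the original tested /root/audit-script (no "s") and unpacked chkrootkit.tar.gz, so
# the existing-directory test never matched.  Both tarball names are accepted.
CHKROOTDIR="chkrootkit-0.43"
if [ -d "$CHKROOTDIR" ]; then
  log_line "The directory $CHKROOTDIR already exists"
elif [ -f chkrootkit-0.43.tar.gz ]; then
  tar -zxvf chkrootkit-0.43.tar.gz 2>>"$ERRORLOG"
else
  tar -zxvf chkrootkit.tar.gz 2>>"$ERRORLOG"
fi
# Run the checker only when it is really there: the original did "cd" without checking,
# so on failure it ran whatever ./chkrootkit was in the current directory and then
# "cd .." moved the script out of its own directory.
if [ -x "$CHKROOTDIR/chkrootkit" ]; then
  ( cd "$CHKROOTDIR" && ./chkrootkit >>"$OUTDIR/chkroot.txt" 2>>"$ERRORLOG" )
  log_line "The results of running chkrootkit-0.43 were written to chkroot.txt."
else
  log_line "chkrootkit-0.43 was not found; chkroot.txt was not written."
fi
log_blank
#
# Look for Tripwire installation
log_line "Tripwire files found : "
# quoted so the shell does not expand the pattern in the current directory before find runs
find / -name 'tripwire*.*' >>"$OUTLOG" 2>>"$ERRORLOG"
log_blank
#
# FUTURE TESTS ************************
#
# Maybe MD5 some critical files, then recalc each audit cycle?
#
# ************ COMPLETION SECTION **********************************************
log_line "################## Done ################"
log_blank
log_line "end date & time  $(date)"
# Clean up; the location of the results is repeated on the terminal because "clear"
# wipes everything printed so far.
clear
echo "Results are stored in the directory $OUTDIR"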