#!/bin/bash -debug # # Audit SuSE Linux Script v0.9 (c) 2000 by Marc Heuse <marc@suse.de> # This is private property. Everyone may use and change this script, # as long as this copyright notice is kept unchanged. # # 24 February 04 - v0.11 # Modified by Jeffrey Denton <dentonj@c2i2.com> # for Slackware Linux. # PATH="/sbin:/usr/sbin:/bin:/usr/bin" HOSTNAME=$(/bin/hostname) AUDIT_DIR="${HOSTNAME}_audit" OUTFILE="${HOSTNAME}_audit.tar.gz" if [ "$(/bin/echo $USER)" != "root" ]; then /bin/echo "You must be root." && exit 1 fi umask 077 if [ -e ${AUDIT_DIR} ]; then /bin/mv ${AUDIT_DIR} ${AUDIT_DIR}.old || exit 1 fi /bin/mkdir ${AUDIT_DIR} || exit 1 cd ${AUDIT_DIR} || exit 1 COMMAND_LIST="/usr/bin/chfn /usr/bin/chsh /usr/sbin/crond /usr/bin/crontab \ /bin/du /usr/bin/find /sbin/ifconfig /usr/sbin/in.fingerd /usr/sbin/in.rshd \ /usr/sbin/inetd /bin/killall /sbin/killall5 /bin/login /bin/ls \ /bin/netstat /usr/bin/passwd /bin/ps /usr/bin/pstree /usr/sbin/sshd \ /usr/sbin/syslogd /usr/sbin/tcpd /usr/bin/top" ETC_LIST="/etc/apache /etc/at* /etc/*conf* /etc/csh* /etc/default /etc/dhc* \ /etc/export* /etc/fstab /etc/*ftp* /etc/X11/gdm/gdm.conf /etc/group \ /etc/gshadow /etc/host* /etc/identd* /etc/inetd.conf /etc/inittab \ /etc/issue* /etc/ld* /etc/lilo.conf /etc/limits /etc/login* /etc/mail* \ /etc/modules.conf /etc/motd /etc/named* /etc/orbitrc /etc/passwd \ /etc/porttime /etc/ppp /etc/profile* /etc/resolv.conf /etc/rc.d \ /etc/securetty /etc/sendmail.cf /etc/shadow /etc/shells /etc/snort* /etc/ssh \ /etc/ssl /etc/su* /etc/syslog.conf /etc/tripwire /etc/X11/xdm/X* \ /etc/X11/xdm/xdm-config /etc/yp*" HOME_LIST="/home/*/.*bash* /home/*/.*csh* /home/*/dead.letter /home/*/.gnupg \ /home/*/.log* /home/*/.netrc /home/*/.prof* /home/*/.rhosts /home/*/.ssh \ /home/*/.Xa* /root/.*bash* /root/.*csh* /root/dead.letter /root/.gnupg \ /root/.log* /root/.netrc /root/.prof* /root/.rhosts /root/.ssh /root/.Xa* \ /home/*/.shosts" LOG_LIST="access_log apache/access_log boot.log cron debug error_log \ apache/error_log mail messages proftpd.log secure sulog syslog xferlog" VAR_LIST="/var/lib/apache/cgi-bin /var/lib/apache/conf /var/spool/cron \ /var/tmp /var/www/cgi-bin /var/yp" # Make copies /bin/cp -Ppf ${COMMAND_LIST} ./ 2> /dev/null /bin/cp -PpfR ${ETC_LIST} ./ 2> /dev/null /bin/cp -PpfR ${HOME_LIST} ./ 2> /dev/null /bin/cp -PpfR ${VAR_LIST} ./ 2> /dev/null # Various checks /bin/cat > file_stripped.out <<EOF NOTE: Slackware strips all of it's binaries. Any file that is not stripped has been replaced and is more than likely trojaned. EOF for i in ${COMMAND_LIST}; do /bin/echo -e "\nCommand: ${i}:" >> file_stripped.out 2>&1 /usr/bin/file ${i} | /usr/bin/egrep "not stripped" >> file_stripped.out 2>&1 done # md5sum doesn't like to do globbing =( for i in ${COMMAND_LIST} ${ETC_LIST} ${HOME_LIST} ${VAR_LIST}; do if [ -f ${i} ]; then /usr/bin/md5sum ${i} >> md5sum.out 2>&1 fi done /bin/cat > strings_filelist.out <<EOF NOTE: This is a list of files that the commands access. Look for anything that doesn't seem right. EOF for i in ${COMMAND_LIST}; do /bin/echo -e "\nCommand: ${i}" >> strings_filelist.out 2>&1 for j in `/usr/bin/strings ${i} | /usr/bin/egrep "^/"`; do if [ -f ${j} ]; then /bin/echo ${j} >> strings_filelist.out 2>&1 fi done done /bin/cat > strings_md5sum.out <<EOF NOTE: If an md5sum is present in a command, this could possibly indicate a password is included in that command and it is more than likely trojaned. EOF for i in ${COMMAND_LIST}; do /bin/echo -e "\nCommand: ${i}" >> strings_md5sum.out 2>&1 # /usr/bin/strings ${i} | /usr/bin/egrep "([0-9a-z]{32})" >> strings_md5sum.out 2>&1 #done /usr/bin/strings ${i} | /usr/bin/egrep -i "(^|[^0-9a-f])[0-9a-f]{32}($|[^0-9a-f])" >> strings_md5sum.out 2>&1 done for i in ${COMMAND_LIST}; do /bin/echo -e "\n Command: ${i}" >> ldd.out 2&>1 /usr/bin/ldd ${i} >> ldd.out 2&>1 done /bin/cat > strings_promisc.out << EOF NOTE: If \"PROMISC\" is not present for each command, then it is more than likely trojaned. EOF for i in /sbin/ifconfig /bin/netstat; do /bin/echo -n "Command ${i}: " >> strings_promisc.out 2>&1 /usr/bin/strings ${i} | /usr/bin/egrep "PROMISC" >> strings_promisc.out 2>&1 done for i in `/usr/bin/cat /etc/passwd | /usr/bin/awk -F: '{print $1}'`; do /usr/bin/passwd -S $i >> passwd_status.out 2>&1 done for i in `/bin/netstat -ant | /usr/bin/awk '{print $4}' | /usr/bin/awk -F: '{print $2}'`; do /usr/bin/fuser -v -n tcp $i >> fuser.out 2>&1 done for i in `/bin/netstat -ant | /usr/bin/awk '{print $4}' | /usr/bin/awk -F: '{print $2}'`; do /usr/bin/lsof -i :$i >> lsof_ports.out 2>&1 done # List /bin/ls -alR /etc &> ls-etc.out /bin/ls -alRL /dev &> ls-dev.out /bin/ls -al /tmp &> ls-tmp.out /bin/ls -alR /var/log /var/spool/mail &> ls-var.out # Various commands /sbin/arp -a &> arp.out /usr/bin/atq &> atq.out /usr/bin/cat /etc/slackware-version &> uname.out /usr/bin/cat /proc/mount &> mount_proc.out /usr/bin/cat /proc/*/stat | /usr/bin/awk '{print $1,$2}' &> proc_stat.out /usr/bin/env &> env.out /usr/sbin/faillog &> faillog.out /usr/sbin/grpck -r &> grpck.out /sbin/ifconfig -a &> ifconfig.out /sbin/ipchains -nL &> ipchains.out /usr/bin/last -5 root &> last_root.out /usr/bin/last -25 &> last_25.out # lastb and /var/log/btmp must be created first /usr/sbin/lastb &> lastb.out /usr/local/bin/lastcomm &> lastcomm.out /sbin/ldconfig -p &> ldconfig.out /sbin/lsmod &> lsmod.out /usr/bin/lsof &> lsof.out /sbin/mount &> mount.out /bin/netstat -an &> netstat-an.out /bin/netstat -rnee &> netstat-rnee.out /bin/ps auxwww &> ps.out /usr/bin/praliases &> praliases.out /usr/bin/procinfo -a &> procinfo.out /usr/sbin/pwck -r &> pwck.out /sbin/quotacheck -a &> quotacheck.out /usr/sbin/quotastats &> quotastats.out /usr/sbin/rpcinfo -p &> rpcinfo.out /usr/local/sbin/sa &> sa.out /usr/sbin/sfdisk -lVx &> sfdisk.out /usr/bin/socklist &> socklist.out /usr/local/sbin/sxid -kn &> sxid.out for i in ${LOG_LIST}; do /bin/echo -e "\nLogfile: ${i}" >> log.out 2>&1 /usr/bin/tail -n 25 /var/log/${i} >> log.out 2>&1 done /bin/uname -a >> uname.out 2>&1 /usr/bin/uptime &> uptime.out /usr/bin/w &> who.out # Various shell commands alias -p &> alias.out bind -P &> bind-functions.out bind -V &> bind-variables.out enable -a &> enable.out export -p &> export.out shopt &> shopt.out # Proc settings for i in icmp_echo_ignore_broadcasts icmp_echo_ignore_all tcp_syncookies \ ip_always_defrag ; do /bin/echo -n "/proc/sys/net/ipv4/${i}: " >> proc.out 2>&1 /usr/bin/cat /proc/sys/net/ipv4/${i} >> proc.out 2>&1 /bin/echo "" >> proc.out 2>&1 done for i in /proc/sys/net/ipv4/conf/*; do for j in accept_redirects accept_source_route rp_filter bootp_relay \ mc_forwarding log_martians proxy_arp secure_redirects; do /bin/echo -n "${i}/${j}: " >> proc.out 2>&1 /usr/bin/cat ${i}/${j} >> proc.out 2>&1 /bin/echo "" >> proc.out 2>&1 done done # Find # These significantly add to the time it takes for this script to run. # Comment as necessary. /usr/bin/find / \( -perm -4000 -o -perm -2000 \) -type f \ -ls &> find-s_id.out #/usr/bin/find / -perm -2 '!' -type l -ls | egrep -v "dev" &> find-write.out /usr/bin/find / \( -pern -g+w -o -perm -o+w \) -type d -ls &> find-dir-write.out /usr/bin/find / \( -perm -g+w -o -perm -o+w \) -type d -not -perm -a+t \ -ls &> find-not-sticky.out /usr/bin/find / -nouser -o -nogroup -ls &> find-nouser.out /usr/bin/find / -type l -ls | grep "/dev/null" &> find-null.out /usr/bin/find / \( -name "\ *" -o -name ".\ *" -o -name "..?*" \) \ -exec /bin/cp -PpR {} ./odd/ \; /usr/bin/find / -type f -name "*.swp" -exec /bin/cp -Pp {} ./swp/ \; /usr/bin/find / -name core -ls &> core.out /usr/bin/find /dev -type f -ls &> dev-files.out /usr/bin/find / \( -type b -o -type c \) -print | /usr/bin/grep -v '^/dev' \ &> devices.out /usr/bin/find / \( -perm -4000 -o -2000 \) -type f \ -exec file {} \; | grep -v ELF &> suid-scripts.out # Filesystem Integrity Checks if [ -x /usr/sbin/tripwire -o -x /usr/local/sbin/tripwire ]; then tripwire -m c &> twcheck.out fi if [ -x /usr/sbin/aide -o -x /usr/local/sbin/aide ]; then aide --config=/etc/aide.conf &> aide.out fi cd .. /bin/tar zcf ${OUTFILE} ${AUDIT_DIR} 2> /dev/null /bin/rm -rf ${AUDIT_DIR} 2> /dev/null /bin/mv ${AUDIT_DIR}.old ${AUDIT_DIR} 2> /dev/null /bin/echo -e "\nFinished. The output file is called ${OUTFILE}.\n" exit 0 #systemout