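#!/bin/bash
#
# Collect the major security configuration files and a basic system
# inventory from a Linux host into ./<hostname>-baseline, then package the
# result as ./<hostname>-baseline.tgz.
#
# RUN AS ROOT!  (reads /etc/shadow and copies /etc/gshadow, /etc/security, ...)
#
# tested on RHEL 5.2, SUSE 11
#
# Jeff A. Odegard, CISSP, CPT, CEH
# AFSPC SMC/GPEVA
# 20 Aug 13
# Rewritten 16 Sep 14
# Update 31 Mar 15: Use find -xdev to limit the file-permissions.txt to local filesystems only.
# Erik Wohlgemuth (Raytheon) and Jeff Odegard
#
# Outputs (all inside ./<hostname>-baseline):
#   <hostname>-errors.txt   run log: start/end time, files not found, skipped steps
#   *.txt                   one file per inventory command (uname, ifconfig, ...)
#   file-permissions.txt    'find -ls' of every local filesystem
#   system-files/           copies of the FILELIST entries, '/' replaced by '-'
#   shadow-trimmed.txt      /etc/shadow with password hashes replaced
#
# Everything collected here is sensitive (account data, host configuration),
# so the baseline directory and tarball are created owner-readable only.
umask 077

# Add to this list as necessary (get copies of these files).  Entries may be
# files or directories; a missing entry is logged, not fatal.
# NOTE(review): /etc/gshadow carries group password hashes and is copied
# verbatim; only /etc/shadow is filtered (see "Trimming" below).
FILELIST=(
  /.cshrc
  /.profile
  /etc/aide.conf
  /etc/apache
  /etc/apache2
  /etc/audit/audit.rules
  /etc/audit/auditd.conf
  /etc/cron.allow
  /etc/cron.d
  /etc/cron.deny
  /etc/crontab
  /etc/default
  /etc/ftpusers
  /etc/gshadow
  /etc/hosts
  /etc/hosts.allow
  /etc/hosts.deny
  /etc/hosts.equiv
  /etc/httpd
  /etc/inetd.conf
  /etc/inittab
  /etc/motd
  /etc/newsyslog.conf
  /etc/nsswitch.conf
  /etc/ntp.conf
  /etc/pam.conf
  /etc/pam.d
  /etc/passwd
  /etc/profile
  /etc/redhat-release
  /etc/resolv.conf
  /etc/securetty
  /etc/security
  /etc/shells
  /etc/ssh_config
  /etc/sshd_config
  /etc/ssh/ssh_config
  /etc/ssh/sshd_config
  /etc/SuSE-brand
  /etc/SuSE-release
  /etc/syslog-ng
  /etc/sysconfig/apache2
  /etc/sysconfig/selinux
  /etc/sysctl.conf
  /etc/syslog.conf
  /etc/xinetd.conf
  /etc/xinetd.d
  /proc/cmdline
  /root/.cshrc
  /root/.profile
)

#HOSTNAME=`uname -a | cut -d" " -f2`
HOSTNAME=$(hostname)
DIR="$HOSTNAME-baseline"
FILEDIR="system-files"
ERRLOG="$HOSTNAME-errors.txt"

# Print one line to the console.  printf rather than echo: the text may
# start with '-' or contain backslashes (file names, shadow lines).
say() {
  printf '%s\n' "$*"
}

# Append one line to the run log inside the baseline directory.
log() {
  printf '%s\n' "$*" >> "$ERRLOG"
}

# run_to FILE CMD...: announce CMD, run it, keep its stdout in FILE.
# stderr is left on the console so a missing tool is visible to the operator.
run_to() {
  local out=$1
  shift
  say " $*"
  "$@" > "$out"
}

say ""
say "Results will be in ./$DIR"
# Every later step writes relative to $DIR, so failing to enter it must stop
# the run instead of scattering files (and an rm -f) in the current directory.
mkdir -p -- "$DIR" || { say "Cannot create ./$DIR" >&2; exit 1; }
cd -- "$DIR" || { say "Cannot cd to ./$DIR" >&2; exit 1; }
say "System files will be in ./$DIR/$FILEDIR"
mkdir -p -- "$FILEDIR" || { say "Cannot create ./$DIR/$FILEDIR" >&2; exit 1; }

rm -f -- "$ERRLOG"
log "Linux Data collection started on $(date)"

say ""
say "Collecting some system information..."
run_to uname.txt uname -a
run_to ifconfig.txt ifconfig -a
run_to netstat-nr.txt netstat -nr
run_to netstat-nap.txt netstat -nap
run_to ps-aux.txt ps aux
run_to last-a-i.txt last -a -i
run_to who-a.txt who -a
run_to df-ak.txt df -ak
run_to mount.txt mount
run_to rpcinfo-p.txt rpcinfo -p

# showmount only makes sense when an NFS service is registered with the
# portmapper.  stdout and stderr go to the same file via one redirection;
# two separate opens of the same name would overwrite each other.
if grep -q nfs rpcinfo-p.txt; then
  say " showmount"
  showmount > showmount.txt 2>&1
  say " showmount -e"
  showmount -e > showmount-e.txt 2>&1
else
  say " Skipping showmount. NFS does not appear in rpcinfo."
  log " NFS does not appear in rpcinfo. Skipping showmount."
fi

run_to rpm-qa-last.txt rpm -qa -last
say " crontab -l"
crontab -l > crontab-l.txt 2>&1
run_to pwck-r.txt pwck -r

say ""
say "Gathering file listing/permissions for STIG checks"
say " NOTE: find errors are normal"
rm -f file-permissions.txt
# Filesystem type of '/', then 'find -ls' every mount of that type.  -xdev
# keeps find from descending into other filesystems (NFS, /proc, ...).
# The mount point is taken from the type column only, so a filesystem name
# appearing elsewhere in a mount line (e.g. in a path) does not match.
FSTYPE=$(mount | grep -E 'on / type' | awk '{print $5}')
while IFS= read -r mountpt; do
  find "$mountpt" -xdev -fstype "$FSTYPE" -ls >> file-permissions.txt
done < <(mount | awk -v t="$FSTYPE" '$5 == t { print $3 }')
# -s: exists and non-empty.  Also covers the loop never running at all.
if [[ ! -s file-permissions.txt ]]; then # SuSE Linux
  say " Hmmm, might be a SuSE Linux system"
  find / -fstype rootfs -ls > file-permissions.txt
fi
ls -sh file-permissions.txt

say ""
say "Collecting some security configuration files and folders."
say " NOTE: Inability to find some files is normal"
for file in "${FILELIST[@]}"; do
  if [[ -f "$file" || -d "$file" ]]; then
    # /etc/ssh/sshd_config -> etc-ssh-sshd_config
    dest=${file//\//-}
    dest=${dest#-}
    say " cp -af $file ./$FILEDIR/$dest"
    cp -af -- "$file" "./$FILEDIR/$dest"
  else
    #egrep "\/passwd$" ehud-baseline/file-permissions.txt | awk '{print $11}'
    log " Could not find $file"
    say " Could not find $file"
  fi
done

# We don't want to collect password hashes, but need to know if the accounts
# are locked.  The second field of each /etc/shadow line is kept only when it
# is too short to be a hash (lock/disable markers such as '!', '*', '!!', or
# an empty field meaning no password); otherwise it is replaced by a tag.
# A leading '!' (how passwd -l / usermod -L mark a locked account that still
# has a hash) is preserved in front of the tag so the locked state survives.
rm -f shadow-trimmed.txt
say ""
say "Trimming /etc/shadow for safety..."
if [[ -r /etc/shadow ]]; then
  # read -r, no word splitting: works even if a field ever contains spaces.
  while IFS= read -r line || [[ -n "$line" ]]; do
    hash=${line#*:}
    hash=${hash%%:*}
    if (( ${#hash} < 13 )); then
      printf '%s\n' "$line" >> shadow-trimmed.txt
      continue
    fi
    # Typical password hash is 34 characters (MD5-crypt); anything shorter
    # that is still hash-sized is most likely a legacy/weak scheme.
    if (( ${#hash} < 34 )); then
      tag="SHORT/WEAK HASH"
    else
      tag="FILTERED"
    fi
    [[ "$hash" == "!"* ]] && tag="!$tag"
    # Replace field 2 in place; all other fields pass through unchanged.
    printf '%s\n' "$line" \
      | awk -F: -v tag="$tag" 'BEGIN { OFS = ":" } { $2 = tag; print }' \
      >> shadow-trimmed.txt
  done < /etc/shadow
else
  say " Cannot read /etc/shadow (not root?). Skipping."
  log " Cannot read /etc/shadow. Skipping shadow-trimmed.txt."
fi

say ""
say "Please review to ensure hashes are filtered"
say ""
[[ -f shadow-trimmed.txt ]] && cat shadow-trimmed.txt
say ""
log "Linux Data collection ended on $(date)"
cd .. || exit 1
say "Tarring and Gzipping the results"
tar -zcvf "$DIR.tgz" "./$DIR"

say ""
say "All packaged up and ready to go in $DIR.tgz"
ls -sh -- "$DIR.tgz"
say "Have a nice day!"
say ""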