sagacity/exec/Target Host Tools/Unix/solaris-data-collection.sh

166 lines
3.9 KiB
Bash
Raw Normal View History

2018-05-07 10:51:08 -04:00
#!/bin/ksh
# Script to collect the major security configuration files on a Solaris system
# RUN AS ROOT!
# tested on Solaris 10
# Jeff A. Odegard, CISSP
# AFSPC SMC/GPEA
# 20 Aug 13
# Updated 4 Sep 14
# Add to this list as necessary (get copies of these files)
FILELIST="/.cshrc
/.profile
/etc/access.conf
/etc/apache
/etc/apache2
/etc/cron.allow
/etc/cron.d
/etc/cron.deny
/etc/default
/etc/dfs
/etc/ftpd
/etc/ftpusers
/etc/hosts
/etc/hosts.allow
/etc/hosts.deny
/etc/hosts.equiv
/etc/httpd
/etc/inet/inetd.conf
/etc/inet/ntp.conf
/etc/inetd.conf
/etc/issue
/etc/issue.net
/etc/motd
/etc/nsswitch.conf
/etc/ntp.conf
/etc/pam.conf
/etc/passwd
/etc/passwd
/etc/profile
/etc/resolv.conf
/etc/securetty
/etc/security
/etc/shells
/etc/snmp/conf/snmpd.conf
/etc/snmpd.conf
/etc/syslog.conf
/etc/system
/noshell"
#HOSTNAME=`uname -a | cut -d" " -f2`
HOSTNAME=`hostname`
DIR="$HOSTNAME-baseline"
echo ""
echo "Results will be in ./$DIR"
mkdir -p $DIR
cd $DIR
FILEDIR="system-files"
echo "System files will be in ./$DIR/system-files"
mkdir -p system-files
rm -f $HOSTNAME-errors
echo ""
echo "Collecting some system information..."
echo " uname -a"
uname -a > uname.txt
echo " ifconfig -a"
ifconfig -a > ifconfig.txt
echo " netstat -nr"
netstat -nr > netstat-nr.txt
echo " netstat -nap"
netstat -nap > netstat-nap.txt
echo " ps -eaf"
ps -eaf > ps-eaf.txt
echo " last -a"
last -a > last-a.txt
echo " who -a"
who -a > who-a.txt
echo " df -ak"
df -ak > df-ak.txt
echo " mount -p"
mount -p > mount-p.txt
echo " rpcinfo -p"
rpcinfo -p >rpcinfo-p.txt
if [ `grep "nfs" rpcinfo-p.txt` ] ; then
echo " showmount"
showmount 2>&1 > showmount.txt
echo " showmount -e"
showmount -e 2>&1 > showmount-e.txt
else
echo " Skipping showmount. NFS does not appear in rpcinfo."
echo " NFS does not appear in rpcinfo. Skipping showmount." >> $HOSTNAME-errors.log
fi
echo " pkginfo -l"
pkginfo -l > pkginfo-l.txt
echo " crontab -l"
crontab -l > crontab-l.txt
echo " showrev -a"
showrev -a > showrev-a.txt
echo " xhost"
xhost 2>&1 1>xhost.txt
echo " eeprom security-mode"
eeprom security-mode 2>&1 1>eeprom-security-mode.txt
echo " prtconf -D"
prtconf -D 2>&1 1>prtconf-D.txt
echo ""
echo "Gathering file listing/permissions for STIG checks"
echo " NOTE: find errors are normal"
rm -f file-permissions.txt
# Get FStype for /
#FSTYPE=`mount -p | egrep " \/ [a-z]+" | awk '{print $4}'`
find / -local -ls > file-permissions.txt
ls -sh file-permissions.txt
echo ""
echo "Collecting some security configuration files and folders."
echo " NOTE: Inability to find some files is normal":
# use cp -R - cron.d has a named pipe
for FILE in $FILELIST ; do
if [ -f $FILE -o -d $FILE ] ; then
DEST=`echo $FILE | sed "s/\//\-/g" | sed "s/^\-//"`
echo "cp -R $FILE ./$FILEDIR/$DEST"
cp -R $FILE ./$FILEDIR/$DEST
else
echo " Could not find $FILE" >> $HOSTNAME-errors.log
echo " Could not find $FILE"
fi
done
# We don't want to collect password hashes, but need to know if the accounts are locked.
# Note: this "for LINE in" hack only works because there are no spaces in /etc/shadow... :o}
rm -f shadow-trimmed
echo ""
echo "Trimming /etc/shadow for safety..."
for LINE in `cat /etc/shadow` ; do
HASH=`echo $LINE | cut -d":" -f2`
# Typical password hash is 34 characters
if [ ${#HASH} -lt 13 ] ; then
echo $LINE >> shadow-trimmed.txt
elif [ ${#HASH} -lt 34 ] ; then
echo $LINE | awk -F':' 'BEGIN{ OFS=":"; } { print $1,"SHORT/WEAK HASH",$3,$4,$5,$6,$7,$8,$9 }' >> shadow-trimmed.txt
else
echo $LINE | awk -F':' 'BEGIN{ OFS=":"; } { print $1,"FILTERED",$3,$4,$5,$6,$7,$8,$9 }' >> shadow-trimmed.txt
fi
done
echo ""
echo "Please review to ensure hashes are filtered"
echo ""
cat shadow-trimmed.txt
echo ""
cd ..
echo "Tarring and Gzipping the results"
tar -cvf $DIR.tar ./$DIR
gzip $DIR.tar
echo ""
echo "All packaged up and ready to go in $DIR.tar.gz"
ls -sh $DIR.tar.gz
echo "Have a nice day!"
echo ""