initial commit of SVN release repo

2018-05-07 10:51:08 -04:00
parent 2c25d5e577
commit 8c38a6cdb9
4369 changed files with 728576 additions and 0 deletions
--- a/Tools/Unix/OSE-Unix-MD5.tar.gz
+++ b/Tools/Unix/OSE-Unix-MD5.tar.gz
--- a/Tools/Unix/linux-data-collection.sh
+++ b/Tools/Unix/linux-data-collection.sh
@ -0,0 +1,182 @@
+#!/bin/bash
+# Script to collect the major security configuration files on a Linux system
+# RUN AS ROOT!
+# tested on RHEL 5.2, SUSE 11
+
+# Jeff A. Odegard, CISSP, CPT, CEH
+# AFSPC SMC/GPEVA
+# 20 Aug 13
+# Rewritten 16 Sep 14
+# Update 31 Mar 15:  Use find -xdev to limit the ffile-permissions.txt to local filesystems only.
+	# Erik Wohlgemuth (Raytheon) and Jeff Odegard
+
+# Add to this list as necessary (get copies of these files)
+FILELIST="/.cshrc
+/.profile
+/etc/aide.conf
+/etc/apache
+/etc/apache2
+/etc/audit/audit.rules
+/etc/audit/auditd.conf
+/etc/cron.allow
+/etc/cron.d
+/etc/cron.deny
+/etc/crontab
+/etc/default
+/etc/ftpusers
+/etc/gshadow
+/etc/hosts
+/etc/hosts.allow
+/etc/hosts.deny
+/etc/hosts.equiv
+/etc/httpd
+/etc/inetd.conf
+/etc/inittab
+/etc/motd
+/etc/newsyslog.conf
+/etc/nsswitch.conf
+/etc/ntp.conf
+/etc/ntp.conf
+/etc/pam.conf
+/etc/pam.d
+/etc/passwd
+/etc/profile
+/etc/redhat-release
+/etc/resolv.conf
+/etc/securetty
+/etc/security
+/etc/shells
+/etc/ssh_config
+/etc/sshd_config
+/etc/ssh/ssh_config
+/etc/ssh/sshd_config
+/etc/SuSE-brand
+/etc/SuSE-release
+/etc/syslog-ng
+/etc/sysconfig/apache2
+/etc/sysconfig/selinux
+/etc/sysctl.conf
+/etc/syslog.conf
+/etc/syslog-ng
+/etc/xinetd.conf
+/etc/xinetd.d
+/proc/cmdline
+/root/.cshrc
+/root/.profile"
+
+
+#HOSTNAME=`uname -a | cut -d" " -f2`
+HOSTNAME=`hostname`
+DIR="$HOSTNAME-baseline"
+echo ""
+echo "Results will be in ./$DIR"
+mkdir -p $DIR
+cd $DIR
+FILEDIR="system-files"
+echo "System files will be in ./$DIR/system-files"
+mkdir -p system-files
+rm -f $HOSTNAME-errors.txt
+echo "Linux Data collection started on `date`" >> $HOSTNAME-errors.txt
+echo ""
+echo "Collecting some system information..."
+echo "	uname -a"
+uname -a > uname.txt
+echo "	ifconfig -a"
+ifconfig -a > ifconfig.txt
+echo "	netstat -nr"
+netstat -nr > netstat-nr.txt
+echo "	netstat -nap"
+netstat -nap > netstat-nap.txt
+echo "	ps aux"
+ps aux > ps-aux.txt
+echo "	last -a"
+last -a -i > last-a-i.txt
+echo "	who -a"
+who -a > who-a.txt
+echo "	df -ak"
+df -ak > df-ak.txt
+echo "	mount"
+mount > mount.txt
+echo "	rpcinfo -p"
+rpcinfo -p > rpcinfo-p.txt
+if [ `grep "nfs" rpcinfo-p.txt` ] ; then
+	echo "	showmount"
+	showmount 2>showmount.txt > showmount.txt
+	echo "	showmount -e"
+	showmount -e 2>showmount.txt > showmount-e.txt
+else
+	echo "	Skipping showmount. NFS does not appear in rpcinfo."
+	echo "	NFS does not appear in rpcinfo.  Skipping showmount." >> $HOSTNAME-errors.txt
+fi
+
+echo "	rpm -qa -last"
+rpm -qa -last > rpm-qa-last.txt
+echo "	crontab -l"
+crontab -l 2>crontab-l.txt > crontab-l.txt
+echo "	pwck -r"
+pwck -r > pwck-r.txt
+
+echo ""
+echo "Gathering file listing/permissions for STIG checks"
+echo "   NOTE: find errors are normal"
+rm -f file-permissions.txt
+FSTYPE=`mount | egrep "on \/ type" | awk '{print $5}'`
+for MOUNTPT in `mount | grep $FSTYPE | awk '{print $3}'`; do
+	find $MOUNTPT -xdev -fstype $FSTYPE -ls >> file-permissions.txt
+done
+FILESIZE=`ls -sh file-permissions.txt | cut -d" " -f1`
+if [ $FILESIZE -eq "0" ]; then # SuSE Linux 
+	echo "  Hmmm, might be a SuSE Linux system"
+	find / -fstype rootfs -ls > file-permissions.txt
+fi
+ls -sh file-permissions.txt
+
+echo ""
+echo "Collecting some security configuration files and folders."
+echo "   NOTE: Inability to find some files is normal":
+for FILE in $FILELIST ; do
+   if [ -f  $FILE -o -d $FILE ] ; then
+	DEST=`echo $FILE | sed "s/\//\-/g" | sed "s/^\-//"`
+      echo " cp -af $FILE ./$FILEDIR/$DEST"
+      cp -af $FILE ./$FILEDIR/$DEST
+   else
+	#egrep "\/passwd$" ehud-baseline/file-permissions.txt | awk '{print $11}'
+     echo "	  Could not find $FILE" >> $HOSTNAME-errors.txt
+     echo "	  Could not find $FILE"
+   fi
+done
+
+# We don't want to collect password hashes, but need to know if the accounts are locked.
+# Note: this "for LINE in" hack only works because there are no spaces in /etc/shadow... :o}
+
+rm -f shadow-trimmed
+echo ""
+echo "Trimming /etc/shadow for safety..."
+for LINE in `cat /etc/shadow` ; do
+   HASH=`echo $LINE | cut -d":" -f2`
+   # Typical password hash is 34 characters
+   if [ ${#HASH} -lt 13 ] ; then
+	echo $LINE >> shadow-trimmed.txt
+   elif [ ${#HASH} -lt 34 ] ; then
+	echo $LINE | awk -F':' 'BEGIN{ OFS=":"; } { print $1,"SHORT/WEAK HASH",$3,$4,$5,$6,$7,$8,$9 }' >> shadow-trimmed.txt
+   else
+        echo $LINE | awk -F':' 'BEGIN{ OFS=":"; } { print $1,"FILTERED",$3,$4,$5,$6,$7,$8,$9 }' >> shadow-trimmed.txt
+   fi
+done
+
+echo ""
+echo "Please review to ensure hashes are filtered"
+echo ""
+cat shadow-trimmed.txt
+echo ""
+echo "Linux Data collection ended on `date`" >> $HOSTNAME-errors.txt
+cd ..
+echo "Tarring and Gzipping the results"
+tar -zcvf $DIR.tgz ./$DIR
+
+echo ""
+echo "All packaged up and ready to go in $DIR.tgz"
+ls -sh $DIR.tgz
+echo "Have a nice day!"
+echo ""
+
--- a/Tools/Unix/solaris-data-collection.sh
+++ b/Tools/Unix/solaris-data-collection.sh
@ -0,0 +1,165 @@
+#!/bin/ksh
+# Script to collect the major security configuration files on a Solaris system
+# RUN AS ROOT!
+# tested on Solaris 10
+
+# Jeff A. Odegard, CISSP
+# AFSPC SMC/GPEA
+# 20 Aug 13
+# Updated 4 Sep 14
+
+# Add to this list as necessary (get copies of these files)
+FILELIST="/.cshrc
+/.profile
+/etc/access.conf
+/etc/apache
+/etc/apache2
+/etc/cron.allow
+/etc/cron.d
+/etc/cron.deny
+/etc/default
+/etc/dfs
+/etc/ftpd
+/etc/ftpusers
+/etc/hosts
+/etc/hosts.allow
+/etc/hosts.deny
+/etc/hosts.equiv
+/etc/httpd
+/etc/inet/inetd.conf
+/etc/inet/ntp.conf
+/etc/inetd.conf
+/etc/issue
+/etc/issue.net
+/etc/motd
+/etc/nsswitch.conf
+/etc/ntp.conf
+/etc/pam.conf
+/etc/passwd
+/etc/passwd
+/etc/profile
+/etc/resolv.conf
+/etc/securetty
+/etc/security
+/etc/shells
+/etc/snmp/conf/snmpd.conf
+/etc/snmpd.conf
+/etc/syslog.conf
+/etc/system
+/noshell"
+
+#HOSTNAME=`uname -a | cut -d" " -f2`
+HOSTNAME=`hostname`
+DIR="$HOSTNAME-baseline"
+echo ""
+echo "Results will be in ./$DIR"
+mkdir -p $DIR
+cd $DIR
+FILEDIR="system-files"
+echo "System files will be in ./$DIR/system-files"
+mkdir -p system-files
+rm -f $HOSTNAME-errors
+
+echo ""
+echo "Collecting some system information..."
+echo "	uname -a"
+uname -a > uname.txt
+echo "	ifconfig -a"
+ifconfig -a > ifconfig.txt
+echo "	netstat -nr"
+netstat -nr > netstat-nr.txt
+echo "	netstat -nap"
+netstat -nap > netstat-nap.txt
+echo "	ps -eaf"
+ps -eaf > ps-eaf.txt
+echo "	last -a"
+last -a > last-a.txt
+echo "	who -a"
+who -a > who-a.txt
+echo "	df -ak"
+df -ak > df-ak.txt
+echo "	mount -p"
+mount -p > mount-p.txt
+echo "	rpcinfo -p"
+rpcinfo -p >rpcinfo-p.txt
+if [ `grep "nfs" rpcinfo-p.txt` ] ; then
+	echo "	showmount"
+	showmount 2>&1 > showmount.txt
+	echo "	showmount -e"
+	showmount -e 2>&1 > showmount-e.txt
+else
+	echo "	Skipping showmount. NFS does not appear in rpcinfo."
+	echo "	NFS does not appear in rpcinfo.  Skipping showmount." >> $HOSTNAME-errors.log
+fi
+echo "	pkginfo -l"
+pkginfo -l > pkginfo-l.txt
+echo "	crontab -l"
+crontab -l > crontab-l.txt
+echo "	showrev -a"
+showrev -a > showrev-a.txt
+echo "	xhost"
+xhost 2>&1 1>xhost.txt
+echo "	eeprom security-mode"
+eeprom security-mode 2>&1 1>eeprom-security-mode.txt
+echo "	prtconf -D"
+prtconf -D 2>&1 1>prtconf-D.txt
+
+echo ""
+echo "Gathering file listing/permissions for STIG checks"
+echo "   NOTE: find errors are normal"
+rm -f file-permissions.txt
+# Get FStype for /
+#FSTYPE=`mount -p | egrep " \/ [a-z]+" | awk '{print $4}'`
+find / -local -ls > file-permissions.txt
+ls -sh file-permissions.txt
+
+echo ""
+echo "Collecting some security configuration files and folders."
+echo "   NOTE: Inability to find some files is normal":
+# use cp -R - cron.d has a named pipe
+for FILE in $FILELIST ; do
+   if [ -f  $FILE -o -d $FILE ] ; then
+	  DEST=`echo $FILE | sed "s/\//\-/g" | sed "s/^\-//"`
+      echo "cp -R $FILE ./$FILEDIR/$DEST"
+      cp -R $FILE ./$FILEDIR/$DEST
+   else
+     echo "   Could not find $FILE" >> $HOSTNAME-errors.log
+     echo "   Could not find $FILE"
+   fi
+done
+
+# We don't want to collect password hashes, but need to know if the accounts are locked.
+# Note: this "for LINE in" hack only works because there are no spaces in /etc/shadow... :o}
+
+rm -f shadow-trimmed
+echo ""
+echo "Trimming /etc/shadow for safety..."
+for LINE in `cat /etc/shadow` ; do
+   HASH=`echo $LINE | cut -d":" -f2`
+   # Typical password hash is 34 characters
+   if [ ${#HASH} -lt 13 ] ; then
+	echo $LINE >> shadow-trimmed.txt
+   elif [ ${#HASH} -lt 34 ] ; then
+        echo $LINE | awk -F':' 'BEGIN{ OFS=":"; } { print $1,"SHORT/WEAK HASH",$3,$4,$5,$6,$7,$8,$9 }' >> shadow-trimmed.txt
+   else
+        echo $LINE | awk -F':' 'BEGIN{ OFS=":"; } { print $1,"FILTERED",$3,$4,$5,$6,$7,$8,$9 }' >> shadow-trimmed.txt
+   fi
+done
+
+echo ""
+echo "Please review to ensure hashes are filtered"
+echo ""
+cat shadow-trimmed.txt
+echo ""
+
+cd ..
+echo "Tarring and Gzipping the results"
+tar -cvf $DIR.tar ./$DIR
+gzip $DIR.tar
+
+echo ""
+echo "All packaged up and ready to go in $DIR.tar.gz"
+ls -sh $DIR.tar.gz
+echo "Have a nice day!"
+echo ""
+