#!/bin/ksh # Script to collect the major security configuration files on a Solaris system # RUN AS ROOT! # tested on Solaris 10 # Jeff A. Odegard, CISSP # AFSPC SMC/GPEA # 20 Aug 13 # Updated 4 Sep 14 # Add to this list as necessary (get copies of these files) FILELIST="/.cshrc /.profile /etc/access.conf /etc/apache /etc/apache2 /etc/cron.allow /etc/cron.d /etc/cron.deny /etc/default /etc/dfs /etc/ftpd /etc/ftpusers /etc/hosts /etc/hosts.allow /etc/hosts.deny /etc/hosts.equiv /etc/httpd /etc/inet/inetd.conf /etc/inet/ntp.conf /etc/inetd.conf /etc/issue /etc/issue.net /etc/motd /etc/nsswitch.conf /etc/ntp.conf /etc/pam.conf /etc/passwd /etc/passwd /etc/profile /etc/resolv.conf /etc/securetty /etc/security /etc/shells /etc/snmp/conf/snmpd.conf /etc/snmpd.conf /etc/syslog.conf /etc/system /noshell" #HOSTNAME=`uname -a | cut -d" " -f2` HOSTNAME=`hostname` DIR="$HOSTNAME-baseline" echo "" echo "Results will be in ./$DIR" mkdir -p $DIR cd $DIR FILEDIR="system-files" echo "System files will be in ./$DIR/system-files" mkdir -p system-files rm -f $HOSTNAME-errors echo "" echo "Collecting some system information..." echo " uname -a" uname -a > uname.txt echo " ifconfig -a" ifconfig -a > ifconfig.txt echo " netstat -nr" netstat -nr > netstat-nr.txt echo " netstat -nap" netstat -nap > netstat-nap.txt echo " ps -eaf" ps -eaf > ps-eaf.txt echo " last -a" last -a > last-a.txt echo " who -a" who -a > who-a.txt echo " df -ak" df -ak > df-ak.txt echo " mount -p" mount -p > mount-p.txt echo " rpcinfo -p" rpcinfo -p >rpcinfo-p.txt if [ `grep "nfs" rpcinfo-p.txt` ] ; then echo " showmount" showmount 2>&1 > showmount.txt echo " showmount -e" showmount -e 2>&1 > showmount-e.txt else echo " Skipping showmount. NFS does not appear in rpcinfo." echo " NFS does not appear in rpcinfo. Skipping showmount." >> $HOSTNAME-errors.log fi echo " pkginfo -l" pkginfo -l > pkginfo-l.txt echo " crontab -l" crontab -l > crontab-l.txt echo " showrev -a" showrev -a > showrev-a.txt echo " xhost" xhost 2>&1 1>xhost.txt echo " eeprom security-mode" eeprom security-mode 2>&1 1>eeprom-security-mode.txt echo " prtconf -D" prtconf -D 2>&1 1>prtconf-D.txt echo "" echo "Gathering file listing/permissions for STIG checks" echo " NOTE: find errors are normal" rm -f file-permissions.txt # Get FStype for / #FSTYPE=`mount -p | egrep " \/ [a-z]+" | awk '{print $4}'` find / -local -ls > file-permissions.txt ls -sh file-permissions.txt echo "" echo "Collecting some security configuration files and folders." echo " NOTE: Inability to find some files is normal": # use cp -R - cron.d has a named pipe for FILE in $FILELIST ; do if [ -f $FILE -o -d $FILE ] ; then DEST=`echo $FILE | sed "s/\//\-/g" | sed "s/^\-//"` echo "cp -R $FILE ./$FILEDIR/$DEST" cp -R $FILE ./$FILEDIR/$DEST else echo " Could not find $FILE" >> $HOSTNAME-errors.log echo " Could not find $FILE" fi done # We don't want to collect password hashes, but need to know if the accounts are locked. # Note: this "for LINE in" hack only works because there are no spaces in /etc/shadow... :o} rm -f shadow-trimmed echo "" echo "Trimming /etc/shadow for safety..." for LINE in `cat /etc/shadow` ; do HASH=`echo $LINE | cut -d":" -f2` # Typical password hash is 34 characters if [ ${#HASH} -lt 13 ] ; then echo $LINE >> shadow-trimmed.txt elif [ ${#HASH} -lt 34 ] ; then echo $LINE | awk -F':' 'BEGIN{ OFS=":"; } { print $1,"SHORT/WEAK HASH",$3,$4,$5,$6,$7,$8,$9 }' >> shadow-trimmed.txt else echo $LINE | awk -F':' 'BEGIN{ OFS=":"; } { print $1,"FILTERED",$3,$4,$5,$6,$7,$8,$9 }' >> shadow-trimmed.txt fi done echo "" echo "Please review to ensure hashes are filtered" echo "" cat shadow-trimmed.txt echo "" cd .. echo "Tarring and Gzipping the results" tar -cvf $DIR.tar ./$DIR gzip $DIR.tar echo "" echo "All packaged up and ready to go in $DIR.tar.gz" ls -sh $DIR.tar.gz echo "Have a nice day!" echo ""