#!/bin/bash -debug
#
# Audit SuSE Linux Script v0.9 (c) 2000 by Marc Heuse <[email protected]>
# This is private property. Everyone may use and change this script,
# as long as this copyright notice is kept unchanged.
#
# 24 February 04 - v0.11
# Modified by Jeffrey Denton <[email protected]>
# for Slackware Linux.
#

PATH="/sbin:/usr/sbin:/bin:/usr/bin"
HOSTNAME=$(/bin/hostname)
AUDIT_DIR="${HOSTNAME}_audit"
OUTFILE="${HOSTNAME}_audit.tar.gz"


if [ "$(/bin/echo $USER)" != "root" ]; then
   /bin/echo "You must be root." && exit 1
fi
umask 077
if [ -e ${AUDIT_DIR} ]; then
   /bin/mv ${AUDIT_DIR} ${AUDIT_DIR}.old || exit 1
fi

/bin/mkdir ${AUDIT_DIR} || exit 1
cd ${AUDIT_DIR} || exit 1


COMMAND_LIST="/usr/bin/chfn /usr/bin/chsh /usr/sbin/crond /usr/bin/crontab \
/bin/du /usr/bin/find /sbin/ifconfig /usr/sbin/in.fingerd /usr/sbin/in.rshd \
/usr/sbin/inetd /bin/killall /sbin/killall5 /bin/login /bin/ls \
/bin/netstat /usr/bin/passwd /bin/ps /usr/bin/pstree /usr/sbin/sshd \
/usr/sbin/syslogd /usr/sbin/tcpd /usr/bin/top"

ETC_LIST="/etc/apache /etc/at* /etc/*conf* /etc/csh* /etc/default /etc/dhc* \
/etc/export* /etc/fstab /etc/*ftp* /etc/X11/gdm/gdm.conf /etc/group \
/etc/gshadow /etc/host* /etc/identd* /etc/inetd.conf /etc/inittab \
/etc/issue* /etc/ld* /etc/lilo.conf /etc/limits /etc/login* /etc/mail* \
/etc/modules.conf /etc/motd /etc/named* /etc/orbitrc /etc/passwd \
/etc/porttime /etc/ppp /etc/profile* /etc/resolv.conf /etc/rc.d \
/etc/securetty /etc/sendmail.cf /etc/shadow /etc/shells /etc/snort* /etc/ssh \
/etc/ssl /etc/su* /etc/syslog.conf /etc/tripwire /etc/X11/xdm/X* \
/etc/X11/xdm/xdm-config /etc/yp*"

HOME_LIST="/home/*/.*bash* /home/*/.*csh* /home/*/dead.letter /home/*/.gnupg \
/home/*/.log* /home/*/.netrc /home/*/.prof* /home/*/.rhosts /home/*/.ssh \
/home/*/.Xa* /root/.*bash* /root/.*csh* /root/dead.letter /root/.gnupg \
/root/.log* /root/.netrc /root/.prof* /root/.rhosts /root/.ssh /root/.Xa* \
/home/*/.shosts"

LOG_LIST="access_log apache/access_log boot.log cron debug error_log \
apache/error_log mail messages proftpd.log secure sulog syslog xferlog"

VAR_LIST="/var/lib/apache/cgi-bin /var/lib/apache/conf /var/spool/cron \
/var/tmp /var/www/cgi-bin /var/yp"


# Make copies
/bin/cp -Ppf ${COMMAND_LIST} ./ 2> /dev/null
/bin/cp -PpfR ${ETC_LIST} ./ 2> /dev/null
/bin/cp -PpfR ${HOME_LIST} ./ 2> /dev/null
/bin/cp -PpfR ${VAR_LIST} ./ 2> /dev/null


# Various checks
/bin/cat > file_stripped.out <<EOF
NOTE: Slackware strips all of it's binaries.  Any file that is not stripped
has been replaced and is more than likely trojaned.

EOF
for i in ${COMMAND_LIST}; do
   /bin/echo -e "\nCommand: ${i}:" >> file_stripped.out 2>&1
   /usr/bin/file ${i} | /usr/bin/egrep "not stripped" >> file_stripped.out 2>&1
done

# md5sum doesn't like to do globbing =(
for i in ${COMMAND_LIST} ${ETC_LIST} ${HOME_LIST} ${VAR_LIST}; do
   if [ -f ${i} ]; then
       /usr/bin/md5sum ${i} >> md5sum.out 2>&1
   fi
done

/bin/cat > strings_filelist.out <<EOF
NOTE:  This is a list of files that the commands access.  Look for anything
that doesn't seem right.

EOF
for i in ${COMMAND_LIST}; do
   /bin/echo -e "\nCommand: ${i}" >> strings_filelist.out 2>&1
   for j in `/usr/bin/strings ${i} | /usr/bin/egrep "^/"`; do
       if [ -f ${j} ]; then
           /bin/echo ${j} >> strings_filelist.out 2>&1
       fi
   done
done

/bin/cat > strings_md5sum.out <<EOF
NOTE: If an md5sum is present in a command, this could possibly indicate
a password is included in that command and it is more than likely trojaned.

EOF
for i in ${COMMAND_LIST}; do
   /bin/echo -e "\nCommand: ${i}" >> strings_md5sum.out 2>&1
#    /usr/bin/strings ${i} | /usr/bin/egrep "([0-9a-z]{32})" >> strings_md5sum.out 2>&1
#done
   /usr/bin/strings ${i} | /usr/bin/egrep -i "(^|[^0-9a-f])[0-9a-f]{32}($|[^0-9a-f])" >> strings_md5sum.out 2>&1
done

for i in ${COMMAND_LIST}; do
   /bin/echo -e "\n Command: ${i}" >> ldd.out 2&>1
   /usr/bin/ldd ${i} >> ldd.out 2&>1
done

/bin/cat > strings_promisc.out << EOF
NOTE: If \"PROMISC\" is not present for each command, then it is more than
likely trojaned.

EOF
for i in /sbin/ifconfig /bin/netstat; do
   /bin/echo -n "Command ${i}: " >> strings_promisc.out 2>&1
   /usr/bin/strings ${i} | /usr/bin/egrep "PROMISC" >> strings_promisc.out 2>&1
done

for i in `/usr/bin/cat /etc/passwd | /usr/bin/awk -F: '{print $1}'`; do
   /usr/bin/passwd -S $i >> passwd_status.out 2>&1
done

for i in `/bin/netstat -ant | /usr/bin/awk '{print $4}' | /usr/bin/awk -F: '{print $2}'`; do
   /usr/bin/fuser -v -n tcp $i >> fuser.out 2>&1
done

for i in `/bin/netstat -ant | /usr/bin/awk '{print $4}' | /usr/bin/awk -F: '{print
$2}'`; do
   /usr/bin/lsof -i :$i >> lsof_ports.out 2>&1
done


# List
/bin/ls -alR /etc &> ls-etc.out
/bin/ls -alRL /dev &> ls-dev.out
/bin/ls -al /tmp &> ls-tmp.out
/bin/ls -alR /var/log /var/spool/mail &> ls-var.out


# Various commands
/sbin/arp -a &> arp.out
/usr/bin/atq &> atq.out
/usr/bin/cat /etc/slackware-version &> uname.out
/usr/bin/cat /proc/mount &> mount_proc.out
/usr/bin/cat /proc/*/stat | /usr/bin/awk '{print $1,$2}' &> proc_stat.out
/usr/bin/env &> env.out
/usr/sbin/faillog &> faillog.out
/usr/sbin/grpck -r &> grpck.out
/sbin/ifconfig -a &> ifconfig.out
/sbin/ipchains -nL &> ipchains.out
/usr/bin/last -5 root &> last_root.out
/usr/bin/last -25 &> last_25.out
# lastb and /var/log/btmp must be created first
/usr/sbin/lastb &> lastb.out
/usr/local/bin/lastcomm &> lastcomm.out
/sbin/ldconfig -p &> ldconfig.out
/sbin/lsmod &> lsmod.out
/usr/bin/lsof &> lsof.out
/sbin/mount &> mount.out
/bin/netstat -an &> netstat-an.out
/bin/netstat -rnee &> netstat-rnee.out
/bin/ps auxwww &> ps.out
/usr/bin/praliases &> praliases.out
/usr/bin/procinfo -a &> procinfo.out
/usr/sbin/pwck -r &> pwck.out
/sbin/quotacheck -a &> quotacheck.out
/usr/sbin/quotastats &> quotastats.out
/usr/sbin/rpcinfo -p &> rpcinfo.out
/usr/local/sbin/sa &> sa.out
/usr/sbin/sfdisk -lVx &> sfdisk.out
/usr/bin/socklist &> socklist.out
/usr/local/sbin/sxid -kn &> sxid.out
for i in ${LOG_LIST}; do
   /bin/echo -e "\nLogfile: ${i}" >> log.out 2>&1
   /usr/bin/tail -n 25 /var/log/${i} >> log.out 2>&1
done
/bin/uname -a >> uname.out 2>&1
/usr/bin/uptime &> uptime.out
/usr/bin/w &> who.out


# Various shell commands
alias -p &> alias.out
bind -P &> bind-functions.out
bind -V &> bind-variables.out
enable -a &> enable.out
export -p &> export.out
shopt &> shopt.out


# Proc settings
for i in icmp_echo_ignore_broadcasts icmp_echo_ignore_all tcp_syncookies \
ip_always_defrag ; do
   /bin/echo -n "/proc/sys/net/ipv4/${i}: " >> proc.out 2>&1
   /usr/bin/cat /proc/sys/net/ipv4/${i} >> proc.out 2>&1
   /bin/echo "" >> proc.out 2>&1
done

for i in /proc/sys/net/ipv4/conf/*; do
   for j in accept_redirects accept_source_route rp_filter bootp_relay \
    mc_forwarding log_martians proxy_arp secure_redirects; do
       /bin/echo -n "${i}/${j}: " >> proc.out 2>&1
       /usr/bin/cat ${i}/${j} >> proc.out 2>&1
       /bin/echo "" >> proc.out 2>&1
   done
done


# Find
# These significantly add to the time it takes for this script to run.
# Comment as necessary.
/usr/bin/find / \( -perm -4000 -o -perm -2000 \) -type f \
-ls &> find-s_id.out
#/usr/bin/find / -perm -2 '!' -type l -ls | egrep -v "dev" &> find-write.out
/usr/bin/find / \( -pern -g+w -o -perm -o+w \) -type d -ls &> find-dir-write.out
/usr/bin/find / \( -perm -g+w -o -perm -o+w \) -type d -not -perm -a+t \
-ls &> find-not-sticky.out
/usr/bin/find / -nouser -o -nogroup -ls &> find-nouser.out
/usr/bin/find / -type l -ls | grep "/dev/null" &> find-null.out
/usr/bin/find / \( -name "\ *" -o -name ".\ *" -o -name "..?*" \) \
-exec /bin/cp -PpR {} ./odd/ \;
/usr/bin/find / -type f -name "*.swp" -exec /bin/cp -Pp {} ./swp/ \;
/usr/bin/find / -name core -ls &> core.out
/usr/bin/find /dev -type f -ls &> dev-files.out
/usr/bin/find / \( -type b -o -type c \) -print | /usr/bin/grep -v '^/dev' \
&> devices.out
/usr/bin/find / \( -perm -4000 -o -2000 \) -type f \
-exec file {} \; | grep -v ELF &> suid-scripts.out


# Filesystem Integrity Checks
if [ -x /usr/sbin/tripwire -o -x /usr/local/sbin/tripwire ]; then
   tripwire -m c &> twcheck.out
fi

if [ -x /usr/sbin/aide -o -x /usr/local/sbin/aide ]; then
   aide --config=/etc/aide.conf &> aide.out
fi


cd ..
/bin/tar zcf ${OUTFILE} ${AUDIT_DIR} 2> /dev/null
/bin/rm -rf ${AUDIT_DIR} 2> /dev/null
/bin/mv ${AUDIT_DIR}.old ${AUDIT_DIR} 2> /dev/null
/bin/echo -e "\nFinished.  The output file is called ${OUTFILE}.\n"

exit 0

#systemout

You are viewing proxied material from sdf.org. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.