Auditing has become my main job as of late and so I developed a method to inspect Linux Servers from the inside out, checking for a list of Best Practices and Recommended Values and the like.

File: seccheck.sh

#!/bin/bash
# Linux Security Check version .2.0
# 2012-10-18
# Modified by Jim McKibben
# Original concept by Mike Harris
#
# .2.0
# Added a few more hardening checks from
# http://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204-lts-server-part-1-basics
# more commenting!
# cleaned up the output and fixed some of the commands
#
# Added code from several projects
# .11
# Modified the iptables command to give line numbers + all extra info
#-------------------------------------
# Specific file checks
# http://www.linuxjournal.com/magazine/testing-locks-validating-security-linux-environment
#
# OS, kernel, etc information grab
# http://stackoverflow.com/a/3792848
#
# Network information grab
# http://kmaiti.blogspot.com/2010/10/how-to-get-system-information-using.html
# functions
lowercase(){
    echo "$1" | sed "y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/"
}
sl(){
  SECTION=$1
  echo >> $myoutput
  echo **********$SECTION********** >> $myoutput
  echo >> $myoutput
}
# constants
OS=`lowercase \`uname\``
KERNEL=`uname -r`
MACH=`uname -m`
mycompname=$(hostname)
mydir=$mycompname
myoutput=$mydir/secoutput.txt
# here we get information on the OS + network + other defining characteristics
if [ "{$OS}" == "windowsnt" ]; then
    OS=windows
elif [ "{$OS}" == "darwin" ]; then
    OS=mac
else
    OS=`uname`
    if [ "${OS}" = "SunOS" ] ; then
        OS=Solaris
        ARCH=`uname -p`
        OSSTR="${OS} ${REV}(${ARCH} `uname -v`)"
    elif [ "${OS}" = "AIX" ] ; then
        OSSTR="${OS} `oslevel` (`oslevel -r`)"
    elif [ "${OS}" = "Linux" ] ; then
        if [ -f /etc/redhat-release ] ; then
            DistroBasedOn='RedHat'
            DIST=`cat /etc/redhat-release |sed s/\ release.*//`
            PSUEDONAME=`cat /etc/redhat-release | sed s/.*\(// | sed s/\)//`
            REV=`cat /etc/redhat-release | sed s/.*release\ // | sed s/\ .*//`
        elif [ -f /etc/SuSE-release ] ; then
            DistroBasedOn='SuSe'
            PSUEDONAME=`cat /etc/SuSE-release | tr "\n" ' '| sed s/VERSION.*//`
            REV=`cat /etc/SuSE-release | tr "\n" ' ' | sed s/.*=\ //`
        elif [ -f /etc/mandrake-release ] ; then
            DistroBasedOn='Mandrake'
            PSUEDONAME=`cat /etc/mandrake-release | sed s/.*\(// | sed s/\)//`
            REV=`cat /etc/mandrake-release | sed s/.*release\ // | sed s/\ .*//`
        elif [ -f /etc/debian_version ] ; then
            DistroBasedOn='Debian'
            DIST=`cat /etc/lsb-release | grep '^DISTRIB_ID' | awk -F=  '{ print $2 }'`
            PSUEDONAME=`cat /etc/lsb-release | grep '^DISTRIB_CODENAME' | awk -F=  '{ print $2 }'`
            REV=`cat /etc/lsb-release | grep '^DISTRIB_RELEASE' | awk -F=  '{ print $2 }'`
        fi
        if [ -f /etc/UnitedLinux-release ] ; then
            DIST="${DIST}[`cat /etc/UnitedLinux-release | tr "\n" ' ' | sed s/VERSION.*//`]"
        fi
        OS=`lowercase $OS`
        DistroBasedOn=`lowercase $DistroBasedOn`
        readonly OS
        readonly DIST
        readonly DistroBasedOn
        readonly PSUEDONAME
        readonly REV
        readonly KERNEL
        readonly MACH
    fi
fi
mkdir -p $mydir
echo ^^^^^^^^^^ START OF OUTPUT ^^^^^^^^^^ > $myoutput
echo "-------OS information-----------" >> $myoutput
echo "OS: " $OS >> $myoutput
echo "DIST: " $DIST >> $myoutput
echo "DistroBasedOn: " $DistroBasedOn >> $myoutput
echo "PSUEDONAME: " $PSUEDONAME >> $myoutput
echo "REV: " $REV >> $myoutput
echo "KERNEL: " $KERNEL >> $myoutput
echo "MACH: " $MACH >> $myoutput
echo "" >> $myoutput
echo "-------Hostname and DNS information-----------" >> $myoutput
echo "Hostname : $(hostname -s)" >> $myoutput
echo "DNS domain : $(hostname -d)" >> $myoutput
echo "Fully qualified domain name : $(hostname -f)" >> $myoutput
echo "Network address (IP) : $(hostname -i)" >> $myoutput
echo "DNS name servers (DNS IP) : $(sed -e '/^$/d' /etc/resolv.conf | awk '{if (tolower($1)=="nameserver") print $2}')" >> $myoutput
echo "" >> $myoutput
# Purpose - Network inferface and routing info
devices=$(netstat -i | cut -d" " -f1 | egrep -v "^Kernel|Iface|lo")
echo "-------Network information-------" >> $myoutput
echo "Total network interfaces found : $(wc -w <<<${devices})" >> $myoutput
echo "" >> $myoutput
echo "*** IP Addresses Information ***" >> $myoutput
echo "$(ip -4 address show)" >> $myoutput
echo "" >> $myoutput
echo "***********************" >> $myoutput
echo "*** Network routing ***" >> $myoutput
echo "***********************" >> $myoutput
echo "$(netstat -nr)" >> $myoutput
echo "" >> $myoutput
echo "**************************************" >> $myoutput
echo "*** Interface traffic information ***" >> $myoutput
echo "**************************************" >> $myoutput
echo "$(netstat -i)" >> $myoutput
if [ $DistroBasedOn == 'redhat' ]; then
 yum update
 yum list installed > $mydir/installed.txt
 yum list updates > $mydir/patchcheck.txt
 sl "Service Runlevels";chkconfig --list >> $myoutput
 sl "Auth Messages";cat /var/log/secure|grep failure >> $myoutput
elif [ $DistroBasedOn == 'debian' ]; then
 apt-get update
 dpkg --get-selections > $mydir/installed.txt
 apt-get -qs upgrade > $mydir/patchcheck.txt
 sl "Startup Services";ls -l /etc/rc2.d >> $myoutput
 sl "Auth Messages";cat /var/log/auth.log|grep failure >> $myoutput
fi
if [ -d /var/log/btmp ]; then
 sl "lastb Results";lastb >> $myoutput
fi
sl "inetd check"; file -f /etc/inetd.conf && \
    echo "Are you using inetd? You should be using xinetd instead." \
        >> $myoutput
sl "xinetd Services";ls -l /etc/xinetd.d >> $myoutput
sl "ps list";ps axu >> $myoutput
sl "cron list";ls -lha /etc/*cron* >> $myoutput
sl "netstat";netstat -nap | grep -E '?(tcp|udp)' >> $myoutput
sl "hosts.allow";cat /etc/hosts.allow |grep -v "#" >> $myoutput
sl "hosts.deny";cat /etc/hosts.deny |grep -v "#"  >> $myoutput
sl "iptables output";iptables -L -v -n --line-numbers >> $myoutput
sl "SUID Files";find / -perm -4000 -print >> $myoutput
sl "SGID Folders";find / -perm -2000 -print >> $myoutput
sl "SUDoers";cat /etc/sudoers|grep "="|grep -v "#" >> $myoutput
sl "login.defs";grep -E '^[^#]' /etc/login.defs >> $myoutput
sl "permissions - fstab";ls -lh /etc/fstab >> $myoutput
echo "-rw-r--r-- <- should be 0644" >> $myoutput
sl "permissions - passwd";ls -lh /etc/passwd >> $myoutput
echo "-rw-r--r-- <- should be 644" >> $myoutput
sl "permissions - group";ls -lh /etc/group >> $myoutput
echo "-rw-r--r-- <- should be 644" >> $myoutput
sl "permissions - sudoers";ls -lh /etc/sudoers >> $myoutput
echo "-r--r----- <- should be 440" >> $myoutput
sl "permissions - shadow";ls -lh /etc/shadow >> $myoutput
echo "-r-------- <- should be 400" >> $myoutput
if [ -f /etc/syslog.conf ]; then
 sl "permissions - syslog";ls -lh /etc/syslog.conf >> $myoutput
 echo "-rw-r--r-- <- should be 644" >> $myoutput
fi
if [ -f /etc/syslog-ng/syslog-ng.conf ]; then
 sl "permissions - syslog-ng";ls -lh /etc/syslog-ng/syslog-ng.conf >> $myoutput
 echo "-rw-r--r-- <- should be 644" >> $myoutput
fi
if [ -f /etc/rsyslog.conf ]; then
 sl "permissions - rsyslog";ls -lh /etc/rsyslog.conf >> $myoutput
 echo "-rw-r--r-- <- should be 644" >> $myoutput
fi
#check for apache1
if [ -d /etc/apache ]; then
 sl "permissions - apache";ls -lh /etc/apache >> $myoutput
 echo "-rwxr-xr-x <- should be 755" >> $myoutput
 #sl "permissions - local/apache";ls -lh /usr/local/apache >> $myoutput
 #echo "-rwxr-xr-x <- should be 755" >> $myoutput
 sl "permissions - sbin/http";ls -lh /usr/sbin/*http* >> $myoutput
 sl "permissions - httpd.conf";ls -lh /etc/httpd/conf/httpd.conf >> $myoutput
 echo "-rw-r--r-- <- should be 644" >> $myoutput
fi
#check for apache2
if [ -d /etc/apache2 ]; then
 sl "permissions - apache2";ls -lh /etc/apache2 >> $myoutput
 echo "-rwxr-xr-x <- should be 755" >> $myoutput
 #sl "permissions - local/apache2";ls -lh /usr/local/apache2 >> $myoutput
 #echo "-rwxr-xr-x <- should be 755" >> $myoutput
 sl "permissions - sbin/apache";ls -lh /usr/sbin/*apache* >> $myoutput
 sl "permissions - sites-enabled";ls -lh /etc/apache2/sites-enabled >> $myoutput
 echo "-rw-r--r-- <- should be 644" >> $myoutput
fi
#check for hardened settings - tmpfs
sl "fstab contents - tmpfs settings";cat /etc/fstab | grep tmpfs >> $myoutput
echo "tmpfs     /dev/shm     tmpfs     defaults,noexec,nosuid     0     0 <-- should read" >> $myoutput
#check for hardened settings - sshd
sl "sshd secure settings check";cat /etc/ssh/sshd_config | grep PermitRootLogin | grep -v "#" >> $myoutput
echo "PermitRootLogin no <-- should read" >> $myoutput
echo cat /etc/ssh/sshd_config | grep Port | grep -v "#" >> $myoutput
echo "Should be a non-standard port - not 22" >> $myoutput
echo cat /etc/ssh/sshd_config | grep Protocol | grep -v "#" >> $myoutput
echo "Protocol 2 <-- should read" >> $myoutput
echo -n "Do you want to capture Password Files"
echo -n " for an offline Password Check (y or n?)"?
read REPLY2
if [ $REPLY2 = "y" ]; then
     cp /etc/passwd $mydir
     cp /etc/shadow $mydir
     echo Your Password and Shadow folders have been copied to
$mydir
fi
echo >> $myoutput
echo vvvvvvvvvv END OF OUTPUT vvvvvvvvvv >> $myoutput

Leave a comment

Your email address will not be published. Required fields are marked *