#!/bin/sh
# Written by Ismael Valenzuela, McAfee Foundstone
# ismael.valenzuela@foundstone.com
# version 1.0 - August 2012
#
# This script allows you to repeatably collect baseline audit data from a Linux system.
# Based on David Hoelzer's original idea - www.cyber-defense.org
# Print the horizontal rule used between report sections (stdout).
Separator() {
  printf '%s\n' '+----------------------------------------------------------------------------'
}
function RunTest ()
{
TEST=$2
TESTNAME=$1
if [ -z "$TEST" ] ; then
echo Empty test called in RunTest. Exiting.
exit 50;
fi
if [ -z "$TESTNAME" ] ; then
echo Empty test name called in RunTest for $TEST. Exiting.
exit 51;
fi
Separator >> $OutputFile
echo "| $TESTNAME" >> $OutputFile
Separator >> $OutputFile
echo -e "\nRunning $TESTNAME"
Separator
echo
echo $TEST > __trunme
{ /bin/sh __trunme; } >> $OutputFile
rm -f __trunme
if [ $? -ne 0 ] ; then
echo "Error running $TESTNAME: $TEST"
echo "Bailing out."
exit 5
fi
}
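# Start a fresh report in $OutputFile (truncating it) with a banner naming the
# script, host, user and time of this run.
# Globals: reads OutputFile; overwrites that file.
# NOTE: the date makes this line differ between runs, so a baseline comparison
# always reports one changed line here; the comparison logic accounts for it.
Header() {
  Separator > "$OutputFile"
  echo " $(basename "$0") test for $(hostname) by $(whoami) on $(date)" >> "$OutputFile"
  Separator >> "$OutputFile"
}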
# Build the per-run report name as <hostname>-<MMDDYY_HHMMSS>.<script name>
# and store it in the global OutputFile consumed by Header and RunTest.
GetOutputFile() {
  OutputFile="$(hostname)-$(date +%m%d%y_%H%M%S).$(basename "$0")"
}
# Read the default runlevel from the "id:" entry of /etc/inittab into the
# global RunLevel (empty when the file or entry is absent, e.g. on systemd hosts).
# NOTE: nothing visible in this script reads RunLevel afterwards; the
# "Init Default Runlevel" probe re-runs the same awk into the report instead.
GetRunlevel() {
  RunLevel=$(awk -F: '/^id/ {print $2}' /etc/inittab)
}
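# ---------------------------------------------------------------------------
# Main: collect the baseline, then optionally diff it against an earlier run.
# Optional $1: a report file produced by a previous run of this script.
# ---------------------------------------------------------------------------
if [ -n "$1" ] ; then
  if [ ! -s "$1" ] ; then
    echo "You requested a comparison but did not provide a valid filename."
    exit 3
  fi
  BASELINE=$1
fi
# Most probes (find /, /etc/shadow, fdisk) only give complete results as root;
# warn rather than abort so a partial collection is still possible.
if [ "$(id -u)" -ne 0 ] ; then
  echo "Warning: not running as root; several probes will be incomplete." >&2
fi
printf '\nRunning automatic baseline script for %s as %s.\n' "$(hostname)" "$(whoami)"
printf '\nIf you are attempting to validate a system, please rerun this script\n'
printf 'with the name of a baseline file as a command line argument.\n\n'
GetOutputFile
GetRunlevel
Header
RunTest "Kernel Type/Machine Information" "uname -a"
RunTest "Physical Memory" "free | awk '/Mem/ {print \$2;}'"
RunTest "Mounted Partitions" "mount"
RunTest "Physical Partition Tables" "/sbin/fdisk -l /dev/?d?"
# Recursively list all interesting directories
# But leave out directory (and parent) entries themselves
RunTest "Critical Directory Inventory" "ls -alR /etc /bin /lib /sbin /usr/lib /usr/bin /usr/sbin /usr/local/bin /usr/local/lib /usr/local/sbin /lib64 /usr/lib64 /usr/local/lib64 | sed s/^d.*[\.]$//"
# Compute the MD5hash of every binary in the critical directories listed below
# NOTE: MD5 is kept only so reports stay comparable with baselines already
# taken by this script; for a fresh set of baselines prefer sha256sum, since
# MD5 collisions are practical and the output format otherwise stays the same.
RunTest "Critical Binaries Integrity" "find /bin /sbin /usr/bin /usr/sbin -type f -exec md5sum {} \;"
# Compute the MD5hash of every system configuration file in the sysconfig directory
RunTest "System Configuration Files Integrity" "find /etc/sysconfig -type f -exec md5sum {} \;"
# ifconfig/netstat/chkconfig are legacy tools; their ip/ss/systemctl replacements
# print a different format, so swapping them invalidates existing baselines.
RunTest "Network interfaces" "/sbin/ifconfig -a | awk '/^[a-zA-Z]+/ { print \$1\" - \"\$5; }'"
# List Listening Ports:
# A listening TCP port will have the word "LISTEN" on the line. A listening UDP port will
# begin with the letters UDP
RunTest "Inventory Listening Ports" "netstat -an | awk '/(^udp)|LISTEN/ {print \$1\" \"\$4;}'"
RunTest "Current Runlevel" "who -r | awk '{ print \$1\" \"\$2;}'"
RunTest "Init Default Runlevel" "awk -F: '/^id/ {print \$2;}' /etc/inittab"
RunTest "Find Services Started During Startup" "ps eaxl | awk '/^[0-9][ \t]+[0-9]+[ \t]+[0-9]+[ \t]+1[ \t]+/ {print \$13;}'"
# List SUID and SGID files:
# -perm /mode matches objects where ANY of the listed permission bits are set
# (the older "+mode" spelling is deprecated in GNU find and rejected by recent
# versions). 04000 is SUID, 02000 is SGID. '-type f' restricts the list to files only
RunTest "Find SUID and SGID Files" "find / -perm /06000 -type f -ls"
# List Orphaned files, which could be a sign of an attacker's temporary account that has been deleted
RunTest "Find Orphaned files" "find / -nouser -print"
# Look for unusual large files (greater than 10 Megabytes)
RunTest "Find unusual large files" "find / -size +10000k -print"
# List arp entries
RunTest "Arp Entries" "/sbin/arp -a"
# List DNS settings and hosts file
# (a single cat: the previous "cat /etc/resolv.conf; /etc/hosts" tried to
# execute /etc/hosts instead of printing it)
RunTest "DNS Settings and hosts file" "cat /etc/resolv.conf /etc/hosts"
# List cron jobs scheduled by root and any other UID accounts as well as any other system-wide cron jobs
RunTest "Cron Jobs scheduled" "crontab -u root -l; cat /etc/crontab; ls /etc/cron.*"
RunTest "Kernel IP routing table" "netstat -rn"
# Look for unusual network configuration (IP forwarding, broadcasts, etc.)
RunTest "Unusual network configuration" "cat /etc/sysctl.conf"
# Look for files named with dots and spaces used to camouflage files
# The name patterns are single-quoted so they survive inside the double-quoted
# command string; unescaped inner double quotes previously terminated the
# string and the probe ran with empty -name arguments.
RunTest "Files named with dots and spaces" "find / -name ' ' -print; find / -name '.. ' -print; find / -name '. ' -print"
# List unlinked files (files can still be accessible via /proc/<PID>/fd)
RunTest "Unlinked Files" "lsof +L1"
# List all services enabled at various runlevels using chkconfig
RunTest "Services enabled using chkconfig" "/sbin/chkconfig --list"
# Ensure that there is only one tcpd binary and that it's not altered (an attacker could add his or replace it)
RunTest "Unique Tcpd Binary" "find / -name tcpd"
RunTest "Current Users" "cat /etc/passwd"
# List Root Users:
# Root users in the passwd file will contain a username followed by colon followed by at
# least one zero followed by a colon
RunTest "Root Users" "awk \"/^[^:]+:[^:]+:0+:/ {print;}\" /etc/passwd"
# List Blank Passwords:
# A blank password in the shadow file will be a line that has a username followed
# by a colon followed by a colon
RunTest "Inventory Blank Passwords" "awk -F: '/^[^:]+::/ {print \$1;}' /etc/shadow"
# List Active Accounts:
# Inactive accounts in shadow file will contain a line with a username
# followed by a colon followed by more than one character other than a colon
# NOTE: Most awks don't understand {2,} so we require [^:][^:]+.
RunTest "Inventory Active Accounts" "awk -F: '/^[^:]+:([^:][^:]+|:)/ {print \$1;}' /etc/shadow"
RunTest "Groups and Membership" "cat /etc/group"
# Rhosts is just a really bad idea these days. We look for and inventory
# any .rhosts files and hosts.equiv. The two names are alternatives (-o);
# two -name tests in a row are ANDed by find and can never both match.
RunTest "Find Unencrypted Remote Trusts" "find / \( -name .rhosts -o -name hosts.equiv \) -ls"
# The following tests are potentially VERY NOISY. Disable if needed
# RunTest "List all running processes" "ps aux"
# RunTest "List all logged in users" "last"
#
# Below are conditional tests, depending on the function of the server involved
# The tests check for existence of certain files and act upon them if they exist
#
# Checking Apache configuration files for changes
# Use symlink in /opt dir to avoid version dependencies
RunTest "Checking Apache httpd.conf" "if [ -f /opt/httpd/conf/httpd.conf ]; then cat /opt/httpd/conf/httpd.conf; fi;"
# Checking Postgresql DB configuration files for any changes
RunTest "Checking Postgresql pg_hba.conf" "if [ -f /var/lib/pgsql/data/pg_hba.conf ]; then cat /var/lib/pgsql/data/pg_hba.conf; fi;"
RunTest "Checking Postgresql pg_ident.conf" "if [ -f /var/lib/pgsql/data/pg_ident.conf ]; then cat /var/lib/pgsql/data/pg_ident.conf; fi;"
RunTest "Checking Postgresql postgres.conf" "if [ -f /var/lib/pgsql/data/postgres.conf ]; then cat /var/lib/pgsql/data/postgres.conf; fi;"
# Checking Tomcat configuration files for any changes. PLEASE REPLACE 6.0.x WITH THE CORRECT PATH IN USE.
# Use symlink in /opt dir to avoid version dependencies
RunTest "Checking Tomcat catalina.policy" "if [ -f /opt/tomcat/conf/catalina.policy ]; then cat /opt/tomcat/conf/catalina.policy; fi;"
RunTest "Checking Tomcat tomcat-users.xml" "if [ -f /opt/tomcat/conf/tomcat-users.xml ]; then cat /opt/tomcat/conf/tomcat-users.xml; fi;"
# If the script was invoked with a baseline filename, check for changes.
# The report "Exceptions" is written to the current directory (a fixed name,
# kept so operators find it where earlier versions put it); run the script
# from a directory only root can write to.
if [ -n "$BASELINE" ] ; then
  echo "SECURITY EXCEPTION ALERT on $(hostname)" > Exceptions
  echo "***********************************************" >> Exceptions
  diff "$BASELINE" "$OutputFile" >> Exceptions
  NUMEXCEPTIONS=$(wc -l < Exceptions | awk '{print $1;}')
  # 6 = the two header lines above + the 4-line diff hunk that the Header
  # timestamp line produces on every run. Anything beyond that is a real change.
  if [ "$NUMEXCEPTIONS" -ne 6 ] ; then
    printf '\nExceptions detected:\n'
    cat Exceptions
    printf '\nSending Exceptions to Syslog\n'
    logger -f Exceptions
  else
    rm -f Exceptions
  fi
else
  printf '\nSending %s to Syslog\n' "$OutputFile"
  logger -f "$OutputFile"
fi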