-
Notifications
You must be signed in to change notification settings - Fork 11
/
container-check
executable file
·168 lines (142 loc) · 4.9 KB
/
container-check
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
#!/bin/sh
VERSION="0.3"
output="check.log"
if [ ! -e /bin/which ] ; then
echo "You need to install the which package"
exit 1
fi
check="`which readelf 2>/dev/null`"
if [ x$check = "x" ] ; then
echo "You need to install the binutils package"
exit 1
fi
check="`which pidof 2>/dev/null`"
if [ x$check = "x" ] ; then
echo "You need to install the procps-ng package"
exit 1
fi
check="`which file 2>/dev/null`"
if [ x$check = "x" ] ; then
echo "You need to install the file package"
exit 1
fi
check="`which find 2>/dev/null`"
if [ x$check = "x" ] ; then
echo "You need to install the findutils package"
exit 1
fi
net_check="`which netcap 2>/dev/null`"
if [ x$net_check = "x" ] ; then
echo "The scan is more complete if the libcap-ng-utils package were installed"
fi
check="`which eu-strings 2>/dev/null`"
if [ x$check = "x" ] ; then
echo "The scan is more complete if the elfutils package were installed"
fi
echo "Starting system-check $VERSION"
if [ -e $output ] ; then
echo "$output already exists. Delete? [Y]"
read ANS
if [ x"`echo $ANS | grep [Yy]`" != "x" ] ; then
rm -f $output
else
exit 0
fi
fi
touch $output 2> /dev/null
if [ $? -eq 1 ] ; then
TEE="/usr/bin/tee -a /dev/null"
UNPRIV="1"
else
TEE="/usr/bin/tee -a $output"
UNPRIV="0"
fi
# Next file permissions
echo -e "\nSTIG file permission scan" | $TEE
echo "=========================" | $TEE
./stig-file-test.sh | $TEE
echo -e "\nExecutable stack check" | $TEE
echo "======================" | $TEE
./find-execstack | $TEE
echo -e "\nHidden executable check" | $TEE
echo "=======================" | $TEE
./find-hidden-exec | $TEE
echo -e "\nSupplemental groups" | $TEE
echo "===================" | $TEE
cat /etc/group | tr ':' ' '| awk '$4 { printf "%-16s\t%s\n", $1, $4 }' | $TEE
echo -e "\nGroup writable files" | $TEE
echo "====================" | $TEE
./find-group-writable | $TEE
echo -e "\nWorld writable files" | $TEE
echo "====================" | $TEE
./world-writable-files | $TEE
# Process tests
echo -e "\nList all file system based capability programs" | $TEE
echo "==============================================" | $TEE
filecap 2> /dev/null | $TEE
echo -e "\nList all setuid" | $TEE
echo "===============" | $TEE
./find-suid | $TEE
echo -e "\nList all setgid" | $TEE
echo "===============" | $TEE
./find-sgid | $TEE
echo -e "\nLook for shell scripts with errors" | $TEE
echo "==================================" | $TEE
if [ ! -h /bin ] ; then
./find-sh4errors /sbin | $TEE
./find-sh4errors /bin | $TEE
fi
./find-sh4errors /usr/sbin | $TEE
./find-sh4errors /usr/bin | $TEE
./find-sh4errors /etc | $TEE
echo -e "\nLook for shell scripts with well known tmp files" | $TEE
echo "================================================" | $TEE
if [ ! -h /bin ] ; then
./find-sh4tmp /sbin | $TEE
./find-sh4tmp /bin | $TEE
fi
./find-sh4tmp /usr/sbin | $TEE
./find-sh4tmp /usr/bin | $TEE
./find-sh4tmp /etc | $TEE
echo -e "\nLook for ELF binaries with well known tmp files" | $TEE
echo "===============================================" | $TEE
./find-elf4tmp | $TEE
echo -e "\nLook for ELF apps not changing chroot correctly" | $TEE
echo "===============================================" | $TEE
./find-chroot | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | $TEE
echo -e "\nLook for Python apps not changing chroot correctly" | $TEE
echo "==================================================" | $TEE
./find-chroot-py | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | $TEE
echo -e "\nLook for apps not changing groups correctly" | $TEE
echo "===========================================" | $TEE
./find-nodrop-groups | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | $TEE
echo -e "\nLooking for elf files that were somehow not stripped during install" | $TEE
echo "===================================================================" | $TEE
./find-unstripped | $TEE
echo -e "\nLooking for elf files that have unresolved shared objects" | $TEE
echo "=========================================================" | $TEE
./check-so-resolves | $TEE
if [ -x /usr/bin/dnf ] ; then
echo -e "\nChecking if there are unapplied security updates" | $TEE
echo "================================================" | $TEE
list=$(dnf --refresh -q --security check-update 2>/dev/null | grep -v '^$' | awk '{ print $1 }')
if [ -z "$list" ] ; then echo "None" ; else echo $list | tr ' ' '\n' ; fi | $TEE
fi
pip=`which pip`
if [ ! -z "$pip" ] ; then
echo -e "\nChecking python environment" | $TEE
echo "===========================" | $TEE
pip check | $TEE
fi
# Network tests
echo -e "\nListening processes" | $TEE
echo "===================" | $TEE
./whats-listening | $TEE
echo -e "\nPrivileged listening processes" | $TEE
echo "==============================" | $TEE
if [ x$net_check = "x" ] ; then
echo "skipped - netcap not found" | $TEE
else
netcap | $TEE
fi
echo -e "\nTesting complete\n"