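#!/bin/sh
# system-check: run the individual scanners shipped alongside this script and
# gather their output into check.log (when it can be created) and stdout.
#
# Every scanner is invoked as ./name, so this script MUST be run from the
# directory that holds the helper tools -- the current directory is executed
# as trusted code.  Run it as root for the full set of checks; otherwise only
# the tests that need no special access are performed.  Never run it as root
# from a directory that other users can write to: the scanners, check.log and
# the list.log hand-off file are all resolved relative to the cwd.
VERSION="0.3"
output="check.log"

# Prerequisites.  readelf is required by the ELF scanners; netcap/filecap
# (libcap-ng-utils) and eu-strings (elfutils) only widen the coverage.
if ! command -v readelf >/dev/null 2>&1 ; then
    echo "You need to install the binutils package" >&2
    exit 1
fi
net_check=$(command -v netcap 2>/dev/null)
if [ -z "$net_check" ] ; then
    echo "The scan is more complete if the libcap-ng-utils package were installed"
fi
if ! command -v eu-strings >/dev/null 2>&1 ; then
    echo "The scan is more complete if the elfutils package were installed"
fi

echo "Starting system-check $VERSION"

if [ -e "$output" ] ; then
    echo "$output already exists. Delete? [Y]"
    read -r ANS
    case "$ANS" in
        # Any answer containing y/Y deletes the old log (rm -f unlinks a
        # symlink rather than following it); anything else, including an
        # empty answer, keeps it and stops.
        *[Yy]*) rm -f "$output" ;;
        *)      exit 0 ;;
    esac
fi

# Whether the log can be created decides which tests run.  NOTE: this is a
# proxy for "running as root", not an EUID check -- a non-root user in a
# writable directory still attempts the root-only sections and simply gets
# partial results from them.
if touch "$output" 2>/dev/null ; then
    TEE="/usr/bin/tee -a $output"
    UNPRIV="0"
else
    TEE="/usr/bin/tee -a /dev/null"
    UNPRIV="1"
fi

# $TEE is deliberately expanded unquoted everywhere below: it is a command
# line ("tee -a FILE"), not a single word.

# Append a heading, underlined with '=' to the same width, to the report.
heading() {
    printf '%s\n' "$1" | $TEE
    printf '%s\n' "$1" | sed 's/./=/g' | $TEE
}

# A heading preceded by a blank line; used for every section after the first.
section() {
    printf '\n' | $TEE
    heading "$1"
}

# Strip the ANSI colour/erase sequences some scanners emit so the log stays
# plain text.  The expression is kept exactly as the scanners were tuned to.
strip_ansi() {
    sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g"
}

# Start a fresh list.log.  Removing any stale file first means a planted
# symlink is unlinked instead of being followed when root truncates the file
# (this narrows the window, it does not remove the race entirely).
new_list() {
    rm -f list.log
    : > list.log
}

# Run ./scan-driver over whatever was collected in list.log, then discard the
# list.  list.log is the hand-off file scan-driver appears to consume; its
# format is defined by that tool, not here.
run_scan_driver() {
    ./scan-driver | strip_ansi | $TEE
    rm -f list.log
}

# Directories whose shell scripts are inspected.  /sbin and /bin are skipped
# when /bin is a usrmerge symlink, because /usr/{sbin,bin} are scanned anyway.
script_dirs() {
    if [ ! -h /bin ] ; then
        printf '%s\n' /sbin /bin
    fi
    printf '%s\n' /usr/sbin /usr/bin /etc
}

# Absolute path of command $1 on PATH, or nothing.  Only filesystem paths are
# accepted: command -v would also answer for shell builtins and functions.
exe_path() {
    _p=$(command -v "$1" 2>/dev/null) || return 1
    case "$_p" in
        /*) printf '%s\n' "$_p" ;;
        *)  return 1 ;;
    esac
}

# Services enabled for runlevel 3 under SysV init (empty when chkconfig is
# absent).
sysv_enabled() {
    chkconfig --list 2>/dev/null | grep 3:on | awk '{ print $1 }'
}

# Enabled systemd service units, as "name.service" (empty without systemd).
systemd_enabled() {
    systemctl list-unit-files --type=service | grep enable | awk '{ print $1 }'
}

# Print the unit file systemd would load for unit $1: the /etc override
# directory wins over the vendor directories (/usr/lib on Fedora/RHEL, /lib on
# older Debian).  Returns 1 when no file is found.
unit_file() {
    for _ud in /etc/systemd/system /usr/lib/systemd/system /lib/systemd/system ; do
        if [ -f "$_ud/$1" ] ; then
            printf '%s\n' "$_ud/$1"
            return 0
        fi
    done
    return 1
}

# The executables named by the ExecStart= lines of unit file $1, with
# systemd's "-", "@", ":", "+", "!" and "!!" prefix characters removed and
# empty (reset) ExecStart= lines skipped.
unit_exec() {
    sed -n 's/^ExecStart=//p' "$1" | awk 'NF { print $1 }' | sed 's/^[-@:+!]*//'
}

# Start by checking some kernel sysctls
heading "Important kernel sysctl settings"
./sysctl-check | $TEE

# Next file permissions
section "STIG file permission scan"
./stig-file-test.sh | $TEE

section "Executable stack check"
./find-execstack | $TEE

section "Hidden executable check"
./find-hidden-exec | $TEE

section "Supplemental groups"
# Split on ':' directly.  The former "tr ':' ' '" pipeline let an empty
# password field collapse under awk's whitespace splitting, which shifted the
# member list out of $4 and silently dropped that group from the report.
awk -F: '$4 != "" { printf "%-16s\t%s\n", $1, $4 }' /etc/group | $TEE

section "Group writable files"
./find-group-writable | $TEE

section "World writable files"
./world-writable-files | $TEE

# Process tests
section "List all file system based capability programs"
if command -v filecap >/dev/null 2>&1 ; then
    filecap 2>/dev/null | $TEE
else
    echo "skipped - filecap not found" | $TEE
fi

section "List all setuid"
./find-suid | $TEE

section "List all setgid"
./find-sgid | $TEE

if [ "$UNPRIV" = "0" ] ; then
    section "List all daemons enabled for runlevel 3"
    sysv_enabled | $TEE
    if command -v systemctl >/dev/null 2>&1 ; then
        systemd_enabled | sed 's/\.service$//' | $TEE
    fi
fi

section "Look for shell scripts with errors"
for d in $(script_dirs) ; do
    ./find-sh4errors "$d" | $TEE
done

section "Look for shell scripts with well known tmp files"
for d in $(script_dirs) ; do
    ./find-sh4tmp "$d" | $TEE
done

section "Look for ELF binaries with well known tmp files"
./find-elf4tmp | $TEE

section "Look for ELF binaries using deprecated functions"
./find-legacy | $TEE

if [ "$UNPRIV" = "0" ] ; then
    section "Setuid security check"
    new_list
    ./find-suid | awk '{ print $1 }' >> list.log
    run_scan_driver

    section "Setgid security check"
    new_list
    ./find-sgid | awk '{ print $1 }' >> list.log
    run_scan_driver

    section "Daemon security check"
    new_list
    missing=0
    for f in $(sysv_enabled) ; do
        # Try the service name, then the usual "<name>d" daemon name, and as a
        # last resort the "[ -x /path/bin ] || exit 5" line of its init script.
        t=$(exe_path "$f") || t=$(exe_path "${f}d") ||
            t=$(grep 'bin' "/etc/rc.d/init.d/$f" 2>/dev/null | grep 'exit 5' | grep -v '\$')
        if [ -z "$t" ] ; then
            echo "Can't find the executable in /etc/rc.d/init.d/$f" | $TEE
            missing=1
            continue
        fi
        # shellcheck disable=SC2086 -- unquoted on purpose: a multi-line grep
        # hit is flattened onto one line, as before.  Whether scan-driver wants
        # that or one path per line cannot be told from here; confirm before
        # quoting.
        echo $t >> list.log
    done
    if command -v systemctl >/dev/null 2>&1 ; then
        for f in $(systemd_enabled) ; do
            u=$(unit_file "$f") && unit_exec "$u" >> list.log
        done
    fi
    # Separate any "Can't find" lines from the scanner output (stdout only).
    if [ "$missing" -eq 1 ] ; then
        echo
    fi
    run_scan_driver
fi

section "Look for ELF apps not changing chroot correctly"
./find-chroot | strip_ansi | $TEE

section "Look for Python apps not changing chroot correctly"
./find-chroot-py | strip_ansi | $TEE

section "Look for apps not changing groups correctly"
./find-nodrop-groups | strip_ansi | $TEE

# Network tests
section "Listening processes"
./whats-listening | $TEE

section "Privileged listening processes"
if [ -z "$net_check" ] ; then
    # Recorded in the log too, so a reader of check.log can tell why the
    # section is empty.
    echo "skipped - netcap not found" | $TEE
else
    netcap | $TEE
fi

# SE Linux tests
section "Unlabeled device check"
./selinux-check-devices | $TEE

section "Unlabeled files"
./unlabeled_files | $TEE

section "Unconfined processes"
./selinux-ls-unconfined | $TEE

#section "Service start/stop AVC's"
#./service-avc-test | $TEE

printf '\nTesting complete\n\n'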