#!/bin/sh
# Audit HP-UX 11 Script v1.5 (c) 2001-2012 by Marc Heuse <[email protected]>
# with additions from Javier Fernandez-Sanguino <[email protected]>
# Source repository: http://www.mh-sec.de/audit/
# Note: This script is for checking the system configuration, NOT for forensic!
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
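# Put the system directories first so the vendor tools are the ones that run,
# whatever the caller's PATH looks like.
PATH="/sbin:/usr/sbin:/bin:/usr/bin:/usr/lbin:$PATH"
HOSTNAME=`hostname`
AUDIT_NAME="AUDIT-$HOSTNAME"
# Working directory and archive live in /tmp under a predictable name; the
# noclobber guard below refuses to reuse an archive path that already exists.
AUDIT_DIR="/tmp/$AUDIT_NAME"
OUTFILE="$AUDIT_DIR.tar"
# "id" alone prints "uid=0(root) ...", which is not an integer and makes the
# -ne test error out; "id -u" gives the numeric uid. Warn on stderr, carry on.
[ "`id -u`" -ne 0 ] && echo "Not running as root, some information might not be extracted" >&2
# Configuration files of interest; handed to tar unquoted later so the shell
# expands the globs. Every continuation line ends in " \" with a space before
# the backslash: inside double quotes a backslash-newline is simply removed,
# so without the space two paths would be glued into one nonexistent name.
FILE_LIST_ETC="/etc/aliases /etc/sendmail.cf /etc/passwd /etc/group \
/etc/cron* /etc/export* /etc/profile /etc/login* /etc/inittab \
/etc/*ftp* /etc/host* /etc/issue* /etc/motd /etc/csh* \
/etc/shells /etc/securetty /etc/sock* /etc/yp* /etc/SnmpAgent.d/ \
/etc/*/*conf /usr/local/etc \
/etc/ntp.conf /etc/fstab /etc/mail /etc/pam.conf /etc/shad* /tcb/auth/files"
# Capture the caller's umask and environment before changing them; both are
# written into the audit output further down.
OLD_UMASK=`umask`
OLD_ENV=`env`
# The archive will hold password databases and the environment: owner-only.
umask 077
# With noclobber, "> file" fails when the path already exists, so a stale or
# planted file at the archive path aborts the run instead of being overwritten.
set -o noclobber
> "$OUTFILE" || exit 1
> "$OUTFILE.Z" || exit 1
# A leftover working directory is moved aside rather than reused.
if [ -e "$AUDIT_DIR" ]; then
mv "$AUDIT_DIR" "$AUDIT_DIR".old
fi
mkdir "$AUDIT_DIR" || exit 1
cd "$AUDIT_DIR" || exit 1
set +o noclobber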
# get performance data
# One output file per tool; stderr is dropped because some of these need
# privileges or may be missing on a given box.
uptime > uptime.out 2>/dev/null
vmstat > vmstat.out 2>/dev/null
swapinfo -t > memory.out 2>/dev/null
# df first, then bdf appended into the same file
{ df -k; bdf; } > disk.out 2>/dev/null
# two samples, 5 seconds apart
sar 5 2 > sar.out 2>/dev/null
/etc/dmesg > debug.out 2>/dev/null
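# Extract information from the system
# Configuration trees go into etc.tar as-is. /tcb and /etc/shad* hold the
# password database, which is why the 077 umask was set above. FILE_LIST_ETC
# is deliberately unquoted so the shell expands its globs. Errors (missing
# files, unreadable directories) are discarded; /etc/rc* is listed once only,
# listing it twice archived those files twice.
tar cf etc.tar /tcb /etc/*conf* /etc/*cfg* /etc/*.d /etc/rc* /etc/httpd \
/etc/default /etc/security /sbin/init.d /sbin/rc* /etc/*ssh*/ssh*conf* \
/etc/mail/sendmail.cf $FILE_LIST_ETC 2> /dev/null
# NIS/NIS+ data and the cron spools (who may run what, and when)
tar cf var.tar /var/yp /var/nis/data /var/spool/cron /var/adm/cron 2> /dev/null
tar cf usr.tar /usr/spool/cron 2> /dev/null
tar cf tcb.tar /tcb/files 2> /dev/null
# Shell startup files, .netrc/.rhosts and X authority files of /, /home/* and
# /root: trust relationships and stored credentials live here.
tar cf home.tar /.*bash* /.netrc /.rhosts /.log* /.*csh* /.Xa* \
/.prof* /home/*/.*bash* /home/*/.netrc /home/*/.rhosts \
/home/*/.log* /home/*/.*csh* /home/*/.Xa* /home/*/.prof* \
/root/.*bash* /root/.netrc /root/.rhosts /root/.log* /root/.*csh* \
/root/.Xa* /root/.prof* 2> /dev/null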
# Find stuff that might be a problem to the system
# NOTE(review): both walks start at / and cross every mounted filesystem,
# network mounts included, and their stderr is not redirected.
# Setuid/setgid regular files; the -type test is evaluated first, the
# permission tests only for regular files
find / -type f \( -perm -4000 -o -perm -2000 \) -exec /bin/ls -ld {} \; > find-s_id.out
# World-writable objects; symlinks are skipped, their own mode bits are not
# what matters
find / '!' -type l -perm -2 -exec /bin/ls -ld {} \; > find-write.out
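# List directories (stderr is left on the terminal here, so permission
# errors are visible)
/bin/ls -al / > ls-root.out
/bin/ls -alR /etc > ls-etc.out
/bin/ls -alRL /dev > ls-dev.out
/bin/ls -al /tmp > ls-tmp.out
/bin/ls -alR /var/adm /var/spool /var/mail > ls-var.out
# Tape, floppy and audio device nodes: permissions on these are worth a look
/bin/ls -lL /dev/*rmt* /dev/*floppy* /dev/fd0* /dev/*audio* /dev/*mix* > ls-dev-spec.out 2> /dev/null
/bin/ls -alR /opt /software /usr/local > ls-software.out 2> /dev/null
# Mounted file systems
mount > mount.out
# RPC programs
rpcinfo -p > rpcinfo.out 2>/dev/null
# Processes
ps -ef > ps.out
# Patches
swlist -l patch > patch.out 2>/dev/null
# System information
uname -a > uname.out
getprivgrp > hpux-getprivgrp.out 2>/dev/null
# Users connected to the system
last -25 > last_25.out
last -5 root > last_root.out
# History of user running the audit
# NOTE(review): this is the history of the non-interactive shell running the
# script, which is likely empty, not the invoking user's history -- confirm.
history > history.out
# Environment and Umask, as captured before the script changed them.
# Everything the caller had exported ends up in the archive.
echo "$OLD_ENV" > env.out
echo "$OLD_UMASK" > umask.out
# Open listeners
netstat -an > netstat-an.out
# Process-sockets. Test the exit status of which, not its output: some which
# implementations print a "no lsof in ..." message to stdout, so a -n test on
# the output always passes, and "lsof -n >lsof.out" then truncates the file
# before the command lookup fails. The duplicate string-based check that used
# to follow the routing section was dropped for that reason.
which lsof >/dev/null 2>/dev/null && lsof -n >lsof.out
# Routing
netstat -rn > netstat-rn.out
# Trusted mode
getprdef -r >getprdef.out 2>/dev/null
getprdef -m umaxlntr >>getprdef.out 2>/dev/null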
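# Ndd parameters
#######################################
# Report kernel tunables: for each parameter print "name: ", whatever ndd
# returns for it (nothing if the query fails), then a blank line.
# Arguments: $1 - ndd device (/dev/ip, /dev/tcp, /dev/arp); $2.. - parameters
# Outputs:   the report on stdout; callers append it to ndd.out
#######################################
dump_ndd() {
ndd_dev=$1
shift
for ndd_param in "$@"; do
echo "$ndd_param: "
ndd "$ndd_dev" "$ndd_param" 2>/dev/null
echo ""
done
}
# IP layer: forwarding, source routing, broadcast/ICMP responses, redirects
dump_ndd /dev/ip ip_forwarding ip_forward_src_routed ip_forward_directed_broadcasts \
ip_respond_to_timestamp_broadcast ip_respond_to_timestamp \
ip_respond_to_echo_broadcast ip_respond_to_address_mask \
ip_respond_to_address_mask_broadcast ip_pmtu_strategy \
ip_ignore_redirect ip_send_redirects ip_send_source_quench \
ip_ire_flush_interval ip_strict_dst_multihoming \
ip_ire_gw_probe ip_check_subnet_addr ip_ire_gw_probe_interval >> ndd.out
# TCP layer: connection backlog and keepalive/time-wait timers
dump_ndd /dev/tcp tcp_syn_rcvd_max tcp_conn_request_max tcp_text_in_resets \
tcp_keepalive_interval tcp_keepalive_detached_interval \
tcp_time_wait_interval >> ndd.out
# ARP cache cleanup and UDP default TTL
dump_ndd /dev/arp arp_cleanup_interval udp_def_ttl >> ndd.out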
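# Pack the working directory into the archive pre-created (under noclobber)
# at the start, compress it and drop the uncompressed copy. Both steps are
# checked before the rm so a failed tar or compress cannot silently discard
# the collected data. The archive holds password databases (/tcb, /etc/shad*)
# and the caller's environment; it was created with umask 077, keep it that way.
cd /tmp || exit 1
tar cf "$OUTFILE" "$AUDIT_NAME" || exit 1
compress -c "$OUTFILE" >> "$OUTFILE".Z || exit 1
/bin/rm -f "$OUTFILE"
echo
echo "$OUTFILE".Z is finished, you may delete "$AUDIT_DIR" now.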