├── .gitignore
├── .gitmodules
├── LICENSE
├── README.md
├── system-inspector_el7
│   └── inspect.sh
└── system-inspector_el6
    └── inspect.sh

/.gitignore:
--------------------------------------------------------------------------------
*.swp
*.tar
*.tar.gz
--------------------------------------------------------------------------------

/.gitmodules:
--------------------------------------------------------------------------------
[submodule "repochk"]
	path = repochk
	url = https://github.com/mitre/repochk.git
[submodule "FindRogueElfs"]
	path = FindRogueElfs
	url = https://github.com/mitre/FindRogueElfs.git
--------------------------------------------------------------------------------

/LICENSE:
--------------------------------------------------------------------------------
The MIT License (MIT)

Copyright (c) 2017 The MITRE Corporation. Case Number 16-3593

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
## SystemInspector for Enterprise Linux ##

System Inspector for Enterprise Linux pulls the most security-relevant files and
information from a Linux system; the versions currently supported are Red Hat Enterprise Linux 6 and 7 and
CentOS 6 and 7. Some items, such as iptables rules, may differ between the running configuration and the
saved configuration in /etc/sysconfig/iptables, so System Inspector pulls both so that the user can
spot such discrepancies.

If you would like to use System Inspector to its full potential, download the Unix Privilege Escalation
Check zip file from the link below and place the `unix-privesc-check-1_x` folder in the root of the
`SystemInspector` checkout, next to `system-inspector_el6`, `system-inspector_el7`, `repochk` and `FindRogueElfs`
(`inspect.sh` looks for it at `../unix-privesc-check-1_x` relative to its own directory). Note that the zip
will probably contain a `unix-privesc-check-1_x` folder inside a folder of the same name; it is the inner
folder that belongs in the `SystemInspector` directory: https://github.com/pentestmonkey/unix-privesc-check/tree/1_x

## Requirements ##
1. Run as root. `inspect.sh` checks that the session really is a root login (not a plain `sudo`) and exits otherwise.
2. Set SELinux to Permissive (`setenforce 0`) for the duration of the scan and return it to Enforcing (`setenforce 1`) immediately afterwards. `inspect.sh` exits if SELinux is Enforcing or Disabled.
3. OpenSCAP installation (openscap-scanner and scap-security-guide)
4. python >= 2.x (if running repochk)

## How to Operate ##
If the system can connect to the Internet, clone the repository recursively so that SystemInspector, repochk and FindRogueElfs are all fetched: `git clone --recursive https://github.com/mitre/SystemInspector.git`

If the system cannot connect to the Internet, download the .zip file from GitHub, extract the contents, and bring the files to the system manually (i.e. via CD/DVD, USB, etc.). If you plan to run repochk, run the `update_repo.sh` script on a system with Internet access and place its output file, `repocache.txt`, in the `repochk` directory on the system to be inspected; in offline mode `inspect.sh` skips repochk when that file is absent. If the system does not have Python >= 2.x, repochk will not work.

Run the `inspect.sh` script from the `system-inspector_el[x]` directory that matches the target release (`system-inspector_el6` or `system-inspector_el7`). Results are written under the current working directory, so `cd` to where the output should go first. You will be prompted to run the tool in either online or offline mode.

Once the scan is complete, everything is collected in a `results/` folder, packed into a gzipped tarball (`results.tar.gz` in the working directory), and the `results/` folder is deleted. The tarball contains `/etc/shadow` and other sensitive material; move it off the system over a trusted channel.

***DO NOT FORGET TO REMOVE THE FILES FROM THE SYSTEM WHEN FINISHED.***
--------------------------------------------------------------------------------

/system-inspector_el7/inspect.sh:
--------------------------------------------------------------------------------
#!/bin/bash
###############################################################################
# System Inspector
#
# This script was written by Zach LeBlanc
# Last update was 22 May 2018
#
# Author: Zach LeBlanc (zleblanc@mitre.org)
# Contributor: Drew Bonasera (dbonasera@mitre.org)
# Contributor: Frank Caviggia (fcaviggia@mitre.org)
# Copyright: The MITRE Corporation, 2018
# License: MIT
# Description: Evaluates the security settings of a Linux (RHEL/CentOS)
#              System.
###############################################################################
###############################################################################
# (C) 2018 The MITRE Corporation. All Rights Reserved. This software is provided
# as-is and MITRE disclaims all liability and all guarantees and warranties,
# express or implied, including warranties of merchantability, non-infringement,
# and fitness for a particular purpose. For open source code incorporated, such
# open source software is distributed on an as-is basis under the respective
# license terms thereof. MITRE disclaims any liability in relation to this
# open source software. This notice shall be marked on any reproduction of
# these data, in whole or in part. For further information, please contact
# The MITRE Corporation, Contracts Office,
# 7515 Colshire Drive, McLean, VA 22102-7539, (703) 983-6000.
###############################################################################

# Determine the Path: follow symlinks so BASE_DIR is the directory that really
# holds this script (repochk, FindRogueElfs and unix-privesc-check-1_x are
# looked up relative to it)
function realpath() {
    local r=$1; local t=$(readlink "$r")
    while [ "$t" ]; do
        r=$(cd "$(dirname "$r")" && cd "$(dirname "$t")" && pwd -P)/$(basename "$t")
        t=$(readlink "$r")
    done
    echo "$r"
}
# Determine Execution Directory
BASE_DIR=$(dirname "$(realpath "$0")")
# Working Directory for results (results/ and results.tar.gz are created here)
WORK_DIR=$(pwd)
# Everything collected below (including /etc/shadow) must not be world-readable
umask 077

trap ctrl_c INT
ctrl_c() {
    echo "** Trapped CTRL-C **"
    cd "$WORK_DIR"
    rm -rf results
    rm -f results.tar.gz
    killall inspect.sh
    exit 1
}
if [ "$(id -u)" != "0" ]; then
    echo "Please run as root!"
    exit 1
fi
# MAIL is /var/spool/mail/<login user>; under a plain sudo it still names the
# invoking user, so anything other than "root" means this is not a root login
MAIL=$(echo "$MAIL" | awk -F / '{print $5}')
if [ "$MAIL" != "root" ]; then
    echo "Run as root, not SUDOER!"
    exit 1
fi
GETENFORCE=$(getenforce)
if [ "$GETENFORCE" = "Enforcing" ]; then
    echo "Please set SELinux to Permissive."
    exit 1
elif [ "$GETENFORCE" = "Disabled" ]; then
    echo "STOP DISABLING SELINUX!"
    exit 1
fi
if [ -f /etc/redhat-release ]; then
    VERSION="$(grep -oP "(?<=release )[^ ]+" /etc/redhat-release | cut -d . -f 1,2)"
    if [[ $VERSION != 7.* ]]; then
        echo "This script will not work with $(cat /etc/redhat-release)" | sed -e 's/release //g' -e 's/ ([^)]*)//g'
        exit 1
    fi
fi
MODE=0
echo "Please select a mode: "
echo "[1] Online"
echo "[2] Offline"
echo
echo -n "Selection: "
read MODE
if [ "$MODE" != "1" ] && [ "$MODE" != "2" ]; then
    echo "Invalid selection: $MODE"
    exit 1
fi
# Start from an empty results tree so stale output never ends up in the tarball
if [ -d "$WORK_DIR/results" ]; then
    rm -rf "$WORK_DIR/results"
fi
mkdir -p "$WORK_DIR/results"
cd "$WORK_DIR/results"
# One directory per collector; the names must match the paths written to below
mkdir {elfs,scap,network,users,selinux,privesc,repochk}
(
echo "Starting Main Processes."

########## BEGIN SYSTEMCTL ##########
systemctl list-units > systemctl-list-units

########## BEGIN NETWORK CHECKS ##########
cd network
# Look tools up on PATH: they live in /sbin on some releases and /usr/sbin on others
if command -v ifconfig >/dev/null 2>&1; then
    ifconfig > network_information.txt
elif command -v ip >/dev/null 2>&1; then
    ip addr > network_information.txt
fi
cat /etc/hosts > etc-hosts
cat /etc/resolv.conf > etc-resolv.conf
cat /etc/sysctl.conf > etc-sysctl.conf
cat /etc/sysconfig/network > etc-sysconfig-network
if command -v iptables >/dev/null 2>&1; then
    # Running rules, plus the saved rules (and service config) they may have drifted from
    iptables -L -n -v > iptables-output.txt
    [ -f /etc/sysconfig/iptables ] && cat /etc/sysconfig/iptables > etc-sysconfig-iptables
    [ -f /etc/sysconfig/iptables-config ] && cat /etc/sysconfig/iptables-config > etc-sysconfig-iptables-config
fi
if command -v ip6tables >/dev/null 2>&1; then
    ip6tables -L -n -v > ip6tables-output.txt
    [ -f /etc/sysconfig/ip6tables ] && cat /etc/sysconfig/ip6tables > etc-sysconfig-ip6tables
    [ -f /etc/sysconfig/ip6tables-config ] && cat /etc/sysconfig/ip6tables-config > etc-sysconfig-ip6tables-config
fi
if command -v firewall-cmd >/dev/null 2>&1; then
    firewall-cmd --list-all-zones > firewall-cmd-output
fi
if command -v netstat >/dev/null 2>&1; then
    netstat -a > netstat-a.txt
    netstat -lnZ > netstat-lnZ.txt
fi
cd "$WORK_DIR/results"

########## BEGIN USER CHECKS ##########
cd users
cat /etc/passwd > etc-passwd
cat /etc/shadow > etc-shadow
cat /etc/group > etc-group
cat /etc/shells > etc-shells
# Accounts whose login shell is /bin/bash, with their group memberships
BIN=($(awk -F: '{print $NF}' /etc/passwd))
USR=($(awk -F: '{print $1}' /etc/passwd))
SIZE=${#BIN[@]}
VAL=/bin/bash
echo 'User | Groups' > users-groups
for (( c=0; c<SIZE; c++ )); do
    if [ "${BIN[$c]}" = "$VAL" ]; then
        # id -Gn is an assumed group lookup; the command used here originally is unknown
        echo "${USR[$c]} | $(id -Gn "${USR[$c]}")" >> users-groups
    fi
done
cd "$WORK_DIR/results"

########## BEGIN SELINUX CHECKS ##########
cd selinux
echo '############### sestatus ###############' > selinux-info
sestatus >> selinux-info
echo >> selinux-info
if command -v semanage >/dev/null 2>&1; then
    echo '############### semanage login -l (SELinux Login/Users Map) ###############' >> selinux-info
    semanage login -l >> selinux-info
    echo '############### semanage user -l (SELinux Users) ###############' >> selinux-info
    semanage user -l >> selinux-info
fi
if command -v seinfo >/dev/null 2>&1; then
    echo '############### seinfo -r (SELinux Roles) ###############' >> selinux-info
    seinfo -r >> selinux-info
fi
cd "$WORK_DIR/results"

########## BEGIN MISC CHECKS ##########

echo "Running Kernel: $(uname -mrs)" > kernel-info.txt
echo "Kernel FIPS Mode: $(cat /proc/sys/crypto/fips_enabled)" >> kernel-info.txt
echo "Blacklisted/Disabled Kernel Modules:" >> kernel-info.txt
echo "---------------------------------------------------" >> kernel-info.txt
grep -E 'blacklist|/bin/true|/bin/false' /etc/modprobe.d/* >> kernel-info.txt
echo >> kernel-info.txt
echo "---------------------------------------------------" >> kernel-info.txt
echo "Kernel Modules:" >> kernel-info.txt
echo "---------------------------------------------------" >> kernel-info.txt
lsmod &>> kernel-info.txt
echo >> kernel-info.txt
echo "---------------------------------------------------" >> kernel-info.txt
echo "Kernel Module Configuration (Detailed):" >> kernel-info.txt
echo "---------------------------------------------------" >> kernel-info.txt
modprobe -c &>> kernel-info.txt
echo >> kernel-info.txt
echo "---------------------------------------------------" >> kernel-info.txt
echo "Kernel Options:" >> kernel-info.txt
echo "---------------------------------------------------" >> kernel-info.txt
sysctl -a &>> kernel-info.txt
echo >> kernel-info.txt
echo "---------------------------------------------------" >> kernel-info.txt

echo "Hardware Information" > hardware-info.txt
echo >> hardware-info.txt
echo "CPU Information:" >> hardware-info.txt
echo "---------------------------------------------------" >> hardware-info.txt
cat /proc/cpuinfo >> hardware-info.txt
echo >> hardware-info.txt
echo "---------------------------------------------------" >> hardware-info.txt
echo "Storage Information:" >> hardware-info.txt
echo "---------------------------------------------------" >> hardware-info.txt
lsblk >> hardware-info.txt
echo >> hardware-info.txt
echo "---------------------------------------------------" >> hardware-info.txt
if command -v lspci >/dev/null 2>&1; then
    echo "PCI Information:" >> hardware-info.txt
    echo "---------------------------------------------------" >> hardware-info.txt
    lspci -v >> hardware-info.txt
    echo >> hardware-info.txt
    echo "---------------------------------------------------" >> hardware-info.txt
fi
if command -v lsusb >/dev/null 2>&1; then
    echo "USB Information:" >> hardware-info.txt
    echo "---------------------------------------------------" >> hardware-info.txt
    lsusb -v >> hardware-info.txt
    echo >> hardware-info.txt
    echo "---------------------------------------------------" >> hardware-info.txt
fi
# Collect every sshd_config (and its variants/backups) on the system; find's
# stdout must reach mapfile, only its errors are discarded
mapfile -t ARRAY < <(find / -name "*sshd_config*" -type f 2>/dev/null)
LENGTH=${#ARRAY[@]}
echo 'file | source path' > sshd_config-index
for (( i=0; i<LENGTH; i++ )); do
    if [ -f "${ARRAY[$i]}" ]; then
        # The original also required two keyword matches (grep -q "\<...\>")
        # before copying; those keywords are unknown here, so every match is copied
        cat "${ARRAY[$i]}" > "sshd_config-$i"
        echo "sshd_config-$i | ${ARRAY[$i]}" >> sshd_config-index
    fi
done
cd "$WORK_DIR/results"

######### BEGIN REPOCHK ##########
yum -v repolist &> repository-info.txt
cd "$WORK_DIR"
if [ "$MODE" -eq 1 ]; then
    "$BASE_DIR/../repochk/getrpms.sh"
    "$BASE_DIR/../repochk/update_repo.sh" >/dev/null 2>&1
    "$BASE_DIR/../repochk/repochk.py" > "$WORK_DIR/results/repochk/repochk-results"
    mv rpmlist.txt "$WORK_DIR/results/repochk/"
    rm -f repocache.txt
elif [ "$MODE" -eq 2 ]; then
    if [ -f "$BASE_DIR/../repochk/repocache.txt" ]; then
        "$BASE_DIR/../repochk/getrpms.sh"
        cp "$BASE_DIR/../repochk/repocache.txt" .
        "$BASE_DIR/../repochk/repochk.py" > "$WORK_DIR/results/repochk/repochk-results"
        mv rpmlist.txt "$WORK_DIR/results/repochk/"
        rm -f repocache.txt
    else
        echo "Repo Cache file (repocache.txt) does not exist. Skipping repochk."
    fi
fi
echo "Finished Main Processes."
cd "$WORK_DIR/results"
) &

(
########## BEGIN OSCAP CHECK ##########
echo "Starting OpenSCAP Process."
cd "$WORK_DIR/results/scap"
oscap oval eval --results oscap-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml >/dev/null 2>&1 &
SCAP_SCAN_PID=$!
while kill -0 $SCAP_SCAN_PID >/dev/null 2>&1; do
    echo "OpenSCAP configuration scan process is still active..."
    sleep 15
done
oscap oval generate report oscap-results.xml > "$(hostname)-scap-scan-report-$(date +%Y%m%d).html" 2>/dev/null &
SCAP_RESULTS_PID=$!
while kill -0 $SCAP_RESULTS_PID >/dev/null 2>&1; do
    echo "OpenSCAP report generation process is still active..."
    sleep 15
done

if [ "$MODE" -eq 1 ]; then
    # Fetched over HTTPS: this content decides the vulnerability verdicts below.
    # wget returns non-zero for any failure, so test for that rather than > 1
    if ! wget -q https://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml; then
        echo "Error Downloading Red Hat Security Advisory (RHSA) data from Red Hat!"
    fi
    if ! wget -q https://www.redhat.com/security/data/metrics/com.redhat.rhsa-all.xccdf.xml; then
        echo "Error Downloading XCCDF data from Red Hat!"
    fi
fi
if [[ -e com.redhat.rhsa-all.xml && -e com.redhat.rhsa-all.xccdf.xml ]]; then
    oscap xccdf eval --results "$(hostname)-scap-vulnerability-report-$(date +%Y%m%d).xml" --report "$(hostname)-scap-vulnerability-report-$(date +%Y%m%d).html" com.redhat.rhsa-all.xccdf.xml >/dev/null 2>&1 &
    SCAP_VULN_PID=$!
    while kill -0 $SCAP_VULN_PID >/dev/null 2>&1; do
        echo "OpenSCAP vulnerability check process is still active..."
        sleep 15
    done
else
    echo "Red Hat Vulnerability Content Missing - please run in Online mode!"
fi
echo "Finished OpenSCAP Process."
) &

(
########## BEGIN PRIVESC CHECK ##########
if [ -d "$BASE_DIR/../unix-privesc-check-1_x" ]; then
    echo "Starting Privilege Checks."
    cd "$BASE_DIR/../unix-privesc-check-1_x"
    chmod 755 unix-privesc-check
    ./unix-privesc-check detailed > "$WORK_DIR/results/privesc/privesc-check"
    echo "Finished Privilege Checks."
else
    echo "Unix Privesc Check does not exist."
fi
) &

(
######### BEGIN AIDE CHECKS ##########
echo "Starting AIDE Process."
cd "$WORK_DIR/results"
if [ -f /etc/aide.conf ] && [ -f /var/lib/aide/aide.db.gz ]; then
    mkdir -p AIDE
    cd AIDE
    echo 'Performing AIDE Check.'
    cat /etc/aide.conf > etc-aide.conf
    aide --check > aide-check &
    AIDE_PID=$!
    while kill -0 $AIDE_PID >/dev/null 2>&1; do
        echo "AIDE check process is still active..."
        sleep 15
    done
    cd "$WORK_DIR/results"
else
    echo 'AIDE is not installed or configured!' > aide-check
fi
echo "Finished AIDE Process."
) &

(
########## BEGIN FIND ROGUE ELFS ###########
# Run in a scratch directory so the *.txt cleanup below can never remove the
# user's own files from $WORK_DIR
ELFS_TMP=$(mktemp -d)
cd "$ELFS_TMP"
echo "Starting Rogue ELFs Process."
"$BASE_DIR/../FindRogueElfs/FindRogueElfs.sh" &> "$WORK_DIR/results/elfs/report.txt" &
ELFS_PID=$!
while kill -0 $ELFS_PID >/dev/null 2>&1; do
    echo "Find Rogue ELFs process is still active..."
    sleep 15
done
cd "$WORK_DIR"
rm -rf "$ELFS_TMP"
echo "Finished Rogue ELFs Process."
) &

wait
cd "$WORK_DIR"
warning() {
cat << EOF
*********************************************
*      WARNING WARNING WARNING WARNING      *
*********************************************
*                                           *
*  Remove the files from the system that   *
*  this script has created! They contain   *
*  highly sensitive information and should  *
*  not be left on the system.               *
*                                           *
*********************************************
EOF
}
echo "Everything is done."
tar -zcf results.tar.gz ./results
chmod 600 results.tar.gz
rm -rf results
echo
warning
--------------------------------------------------------------------------------

/system-inspector_el6/inspect.sh:
--------------------------------------------------------------------------------
#!/bin/bash
###############################################################################
# System Inspector
#
# This script was written by Zach LeBlanc
# Last update was 22 May 2018
#
# Author: Zach LeBlanc (zleblanc@mitre.org)
# Contributor: Drew Bonasera (dbonasera@mitre.org)
# Contributor: Frank Caviggia (fcaviggia@mitre.org)
# Copyright: The MITRE Corporation, 2018
# License: MIT
# Description: Evaluates the security settings of a Linux (RHEL/CentOS)
#              System.
###############################################################################
###############################################################################
# (C) 2018 The MITRE Corporation. All Rights Reserved. This software is provided
# as-is and MITRE disclaims all liability and all guarantees and warranties,
# express or implied, including warranties of merchantability, non-infringement,
# and fitness for a particular purpose. For open source code incorporated, such
# open source software is distributed on an as-is basis under the respective
# license terms thereof. MITRE disclaims any liability in relation to this
# open source software. This notice shall be marked on any reproduction of
# these data, in whole or in part. For further information, please contact
# The MITRE Corporation, Contracts Office,
# 7515 Colshire Drive, McLean, VA 22102-7539, (703) 983-6000.
###############################################################################

# Determine the Path: follow symlinks so BASE_DIR is the directory that really
# holds this script (repochk, FindRogueElfs and unix-privesc-check-1_x are
# looked up relative to it)
function realpath() {
    local r=$1; local t=$(readlink "$r")
    while [ "$t" ]; do
        r=$(cd "$(dirname "$r")" && cd "$(dirname "$t")" && pwd -P)/$(basename "$t")
        t=$(readlink "$r")
    done
    echo "$r"
}
# Determine Execution Directory
BASE_DIR=$(dirname "$(realpath "$0")")
# Working Directory for results (results/ and results.tar.gz are created here)
WORK_DIR=$(pwd)
# Everything collected below (including /etc/shadow) must not be world-readable
umask 077

trap ctrl_c INT
ctrl_c() {
    echo "** Trapped CTRL-C **"
    cd "$WORK_DIR"
    rm -rf results
    rm -f results.tar.gz
    killall -9 inspect.sh
    exit 1
}
if [ "$(id -u)" != "0" ]; then
    echo "Please run as root!"
    exit 1
fi
# MAIL is /var/spool/mail/<login user>; under a plain sudo it still names the
# invoking user, so anything other than "root" means this is not a root login
MAIL=$(echo "$MAIL" | awk -F / '{print $5}')
if [ "$MAIL" != "root" ]; then
    echo "Run as root, not SUDOER!"
    exit 1
fi
GETENFORCE=$(getenforce)
if [ "$GETENFORCE" = "Disabled" ]; then
    echo "STOP DISABLING SELINUX!"
    exit 1
fi
if [ "$GETENFORCE" = "Enforcing" ]; then
    echo "Please set SELinux to Permissive."
    exit 1
fi
if [ -f /etc/redhat-release ]; then
    # Match any 6.x release, including 6.10 (a single-digit pattern would reject it)
    VERSION="$(grep -oP "(?<=release )[^ ]+" /etc/redhat-release)"
    if [[ $VERSION != 6.* ]]; then
        echo "This script will not work with $(cat /etc/redhat-release)" | sed -e 's/release //g' -e 's/ ([^)]*)//g'
        exit 1
    fi
fi
MODE=0
echo "Please select a mode: "
echo "[1] Online"
echo "[2] Offline"
echo
echo -n "Selection: "
read MODE
if [ "$MODE" != "1" ] && [ "$MODE" != "2" ]; then
    echo "Invalid selection: $MODE"
    exit 1
fi
# Start from an empty results tree so stale output never ends up in the tarball
if [ -d "$WORK_DIR/results" ]; then
    rm -rf "$WORK_DIR/results"
fi
mkdir -p "$WORK_DIR/results"
cd "$WORK_DIR/results"
# One directory per collector; the names must match the paths written to below
mkdir {elfs,scap,network,users,selinux,privesc,repochk}
(
echo "Starting Main Processes."
########## BEGIN CHKCONFIG ##########
chkconfig --list > chkconfig-list.txt

########## BEGIN NETWORK CHECKS ##########
cd network
# Look tools up on PATH: on RHEL 6 they live in /sbin and /bin, not /usr/sbin and /usr/bin
if command -v ifconfig >/dev/null 2>&1; then
    ifconfig > network_information.txt
elif command -v ip >/dev/null 2>&1; then
    ip addr > network_information.txt
fi
cat /etc/hosts > etc-hosts
cat /etc/resolv.conf > etc-resolv.conf
cat /etc/sysctl.conf > etc-sysctl.conf
cat /etc/sysconfig/network > etc-sysconfig-network
if command -v iptables >/dev/null 2>&1; then
    # Running rules, plus the saved rules (and service config) they may have drifted from
    iptables -L -n -v > iptables-output.txt
    [ -f /etc/sysconfig/iptables ] && cat /etc/sysconfig/iptables > etc-sysconfig-iptables
    [ -f /etc/sysconfig/iptables-config ] && cat /etc/sysconfig/iptables-config > etc-sysconfig-iptables-config
fi
if command -v ip6tables >/dev/null 2>&1; then
    ip6tables -L -n -v > ip6tables-output.txt
    [ -f /etc/sysconfig/ip6tables ] && cat /etc/sysconfig/ip6tables > etc-sysconfig-ip6tables
    [ -f /etc/sysconfig/ip6tables-config ] && cat /etc/sysconfig/ip6tables-config > etc-sysconfig-ip6tables-config
fi
if command -v netstat >/dev/null 2>&1; then
    netstat -a > netstat-a.txt
    netstat -lnZ > netstat-lnZ.txt
fi
# [s]shd keeps the grep process itself out of the listing
ps auxZ | grep '[s]shd' > psauxZ-sshd.txt
cd "$WORK_DIR/results"

########## BEGIN USER CHECKS ##########
cd users
cat /etc/passwd > etc-passwd
cat /etc/shadow > etc-shadow
cat /etc/group > etc-group
cat /etc/shells > etc-shells
# Accounts whose login shell is /bin/bash, with their group memberships
BIN=($(awk -F: '{print $NF}' /etc/passwd))
USR=($(awk -F: '{print $1}' /etc/passwd))
SIZE=${#BIN[@]}
VAL=/bin/bash
echo 'User | Groups' > users-groups.txt
for (( c=0; c<SIZE; c++ )); do
    if [ "${BIN[$c]}" = "$VAL" ]; then
        # id -Gn is an assumed group lookup; the command used here originally is unknown
        echo "${USR[$c]} | $(id -Gn "${USR[$c]}")" >> users-groups.txt
    fi
done
cd "$WORK_DIR/results"

########## BEGIN SELINUX CHECKS ##########
cd "$WORK_DIR/results/selinux/"
echo '############### sestatus ###############' > selinux-info
sestatus >> selinux-info
echo >> selinux-info
if command -v semanage >/dev/null 2>&1; then
    echo '############### semanage login -l (SELinux Login/Users Map) ###############' >> selinux-info
    semanage login -l >> selinux-info
    echo '############### semanage user -l (SELinux Users) ###############' >> selinux-info
    semanage user -l >> selinux-info
fi
if command -v seinfo >/dev/null 2>&1; then
    echo '############### seinfo -r (SELinux Roles) ###############' >> selinux-info
    seinfo -r >> selinux-info
fi
cd "$WORK_DIR/results"

########## BEGIN MISC CHECKS ##########

echo "Running Kernel: $(uname -mrs)" > kernel-info.txt
echo "Kernel FIPS Mode: $(cat /proc/sys/crypto/fips_enabled)" >> kernel-info.txt
echo "Blacklisted/Disabled Kernel Modules:" >> kernel-info.txt
echo "---------------------------------------------------" >> kernel-info.txt
grep -E 'blacklist|/bin/true|/bin/false' /etc/modprobe.d/* >> kernel-info.txt
echo >> kernel-info.txt
echo "---------------------------------------------------" >> kernel-info.txt
echo "Kernel Modules:" >> kernel-info.txt
echo "---------------------------------------------------" >> kernel-info.txt
lsmod &>> kernel-info.txt
echo >> kernel-info.txt
echo "---------------------------------------------------" >> kernel-info.txt
echo "Kernel Module Configuration (Detailed):" >> kernel-info.txt
echo "---------------------------------------------------" >> kernel-info.txt
modprobe -c &>> kernel-info.txt
echo >> kernel-info.txt
echo "---------------------------------------------------" >> kernel-info.txt
echo "Kernel Options:" >> kernel-info.txt
echo "---------------------------------------------------" >> kernel-info.txt
sysctl -a &>> kernel-info.txt
echo >> kernel-info.txt
echo "---------------------------------------------------" >> kernel-info.txt

echo "Hardware Information" > hardware-info.txt
echo >> hardware-info.txt
echo "CPU Information:" >> hardware-info.txt
echo "---------------------------------------------------" >> hardware-info.txt
cat /proc/cpuinfo >> hardware-info.txt
echo >> hardware-info.txt
echo "---------------------------------------------------" >> hardware-info.txt
echo "Storage Information:" >> hardware-info.txt
echo "---------------------------------------------------" >> hardware-info.txt
lsblk >> hardware-info.txt
echo >> hardware-info.txt
echo "---------------------------------------------------" >> hardware-info.txt
if command -v lspci >/dev/null 2>&1; then
    echo "PCI Information:" >> hardware-info.txt
    echo "---------------------------------------------------" >> hardware-info.txt
    lspci -v >> hardware-info.txt
    echo >> hardware-info.txt
    echo "---------------------------------------------------" >> hardware-info.txt
fi
if command -v lsusb >/dev/null 2>&1; then
    echo "USB Information:" >> hardware-info.txt
    echo "---------------------------------------------------" >> hardware-info.txt
    lsusb -v >> hardware-info.txt
    echo >> hardware-info.txt
    echo "---------------------------------------------------" >> hardware-info.txt
fi

# Collect every sshd_config (and its variants/backups) on the system; find's
# stdout must reach mapfile, only its errors are discarded
mapfile -t ARRAY < <(find / -name "*sshd_config*" -type f 2>/dev/null)
LENGTH=${#ARRAY[@]}
echo 'file | source path' > sshd_config-index
for (( i=0; i<LENGTH; i++ )); do
    if [ -f "${ARRAY[$i]}" ]; then
        # The original also required two keyword matches (grep -q "\<...\>")
        # before copying; those keywords are unknown here, so every match is copied
        cat "${ARRAY[$i]}" > "sshd_config-$i"
        echo "sshd_config-$i | ${ARRAY[$i]}" >> sshd_config-index
    fi
done
cd "$WORK_DIR/results"

######### BEGIN REPOCHK ##########
yum -v repolist &> repository-info.txt
cd "$WORK_DIR"
if [ "$MODE" -eq 1 ]; then
    "$BASE_DIR/../repochk/getrpms.sh"
    "$BASE_DIR/../repochk/update_repo.sh" >/dev/null 2>&1
    "$BASE_DIR/../repochk/repochk.py" > "$WORK_DIR/results/repochk/repochk-results"
    mv rpmlist.txt "$WORK_DIR/results/repochk/"
    rm -f repocache.txt
elif [ "$MODE" -eq 2 ]; then
    if [ -f "$BASE_DIR/../repochk/repocache.txt" ]; then
        "$BASE_DIR/../repochk/getrpms.sh"
        cp "$BASE_DIR/../repochk/repocache.txt" .
        "$BASE_DIR/../repochk/repochk.py" > "$WORK_DIR/results/repochk/repochk-results"
        mv rpmlist.txt "$WORK_DIR/results/repochk/"
        rm -f repocache.txt
    else
        echo "Repo Cache file (repocache.txt) does not exist. Skipping repochk."
    fi
fi
echo "Finished Main Processes."
cd "$WORK_DIR/results"
) &

(
########## BEGIN OSCAP CHECK ##########
echo "Starting OpenSCAP Process."
cd "$WORK_DIR/results/scap"
oscap oval eval --results oscap-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml >/dev/null 2>&1 &
SCAP_SCAN_PID=$!
while kill -0 $SCAP_SCAN_PID >/dev/null 2>&1; do
    echo "OpenSCAP configuration scan process is still active..."
    sleep 15
done
oscap oval generate report oscap-results.xml > "$(hostname)-scap-scan-report-$(date +%Y%m%d).html" 2>/dev/null &
SCAP_RESULTS_PID=$!
while kill -0 $SCAP_RESULTS_PID >/dev/null 2>&1; do
    echo "OpenSCAP report generation process is still active..."
    sleep 15
done

if [ "$MODE" -eq 1 ]; then
    # Fetched over HTTPS: this content decides the vulnerability verdicts below.
    # wget returns non-zero for any failure, so test for that rather than > 1
    if ! wget -q https://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml; then
        echo "Error Downloading Red Hat Security Advisory (RHSA) data from Red Hat!"
    fi
    if ! wget -q https://www.redhat.com/security/data/metrics/com.redhat.rhsa-all.xccdf.xml; then
        echo "Error Downloading XCCDF data from Red Hat!"
    fi
fi
if [[ -e com.redhat.rhsa-all.xml && -e com.redhat.rhsa-all.xccdf.xml ]]; then
    oscap xccdf eval --results "$(hostname)-scap-vulnerability-report-$(date +%Y%m%d).xml" --report "$(hostname)-scap-vulnerability-report-$(date +%Y%m%d).html" com.redhat.rhsa-all.xccdf.xml >/dev/null 2>&1 &
    SCAP_VULN_PID=$!
    while kill -0 $SCAP_VULN_PID >/dev/null 2>&1; do
        echo "OpenSCAP vulnerability check process is still active..."
        sleep 30
    done
else
    echo "Red Hat Vulnerability Content Missing - please run in Online mode!"
fi
echo "Finished OpenSCAP Process."
) &

(
########## BEGIN PRIVESC CHECK ##########
if [ -d "$BASE_DIR/../unix-privesc-check-1_x" ]; then
    echo "Starting Privilege Checks."
    cd "$BASE_DIR/../unix-privesc-check-1_x"
    chmod 755 unix-privesc-check
    ./unix-privesc-check detailed > "$WORK_DIR/results/privesc/privesc-check"
    echo "Finished Privilege Checks."
else
    echo "PRIVESC Check does not exist."
fi
) &

(
######### BEGIN AIDE CHECKS ##########
echo "Starting AIDE Process."
cd "$WORK_DIR/results"
if [ -f /etc/aide.conf ] && [ -f /var/lib/aide/aide.db.gz ]; then
    mkdir -p "$WORK_DIR/results/AIDE"
    cd "$WORK_DIR/results/AIDE"
    echo 'Performing AIDE Check.'
    cat /etc/aide.conf > etc-aide.conf
    aide --check > aide-check &
    AIDE_PID=$!
    while kill -0 $AIDE_PID >/dev/null 2>&1; do
        echo "AIDE check process is still active..."
        sleep 15
    done
    cd "$WORK_DIR/results"
else
    echo 'AIDE is not installed or configured!' > aide-check
fi
echo "Finished AIDE Process."
) &

(
########## BEGIN FIND ROGUE ELFS ##########
# Run in a scratch directory so the *.txt cleanup below can never remove the
# user's own files from $WORK_DIR
ELFS_TMP=$(mktemp -d)
cd "$ELFS_TMP"
echo "Starting Rogue ELFs Process."
"$BASE_DIR/../FindRogueElfs/FindRogueElfs.sh" &> "$WORK_DIR/results/elfs/report.txt" &
ELFS_PID=$!
while kill -0 $ELFS_PID >/dev/null 2>&1; do
    echo "Find Rogue ELFs process is still active..."
    sleep 15
done
cd "$WORK_DIR"
rm -rf "$ELFS_TMP"
echo "Finished Rogue ELFs Process."
) &

wait
cd "$WORK_DIR"
warning() {
cat << EOF
*********************************************
*      WARNING WARNING WARNING WARNING      *
*********************************************
*                                           *
*  Remove the files from the system that   *
*  this script has created! They contain   *
*  highly sensitive information and should  *
*  not be left on the system.               *
*                                           *
*********************************************
EOF
}
echo "Everything is done."
tar -zcf results.tar.gz ./results
chmod 600 results.tar.gz
rm -rf results
echo
warning
echo
--------------------------------------------------------------------------------
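The README's point that the running iptables ruleset can drift from what is saved in /etc/sysconfig/iptables is something the collected files let you check mechanically. The following is an added example and is not part of SystemInspector or its submodules: it normalises two rulesets in `iptables-save` format (dropping the timestamp comments and the `[packets:bytes]` counters, which differ on every host and are not drift) and lists the rules that are active but absent from the saved file. The two rulesets are constructed samples; on a live host the same functions take the output of `iptables-save` and the contents of /etc/sysconfig/iptables.

```shell
#!/bin/bash
# Added example (not SystemInspector code): detect drift between the running
# iptables ruleset and the saved one. Both rulesets below are constructed
# samples in iptables-save format; on a real host pass "$(iptables-save)" and
# "$(cat /etc/sysconfig/iptables)" instead.

# Constructed sample: contents of /etc/sysconfig/iptables as last saved.
SAVED_RULES='# Generated by iptables-save v1.4.21 on Mon May 21 10:00:00 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon May 21 10:00:00 2018'

# Constructed sample: iptables-save output on the same host after someone
# opened 8080 by hand and never ran "service iptables save". The header
# timestamp and the chain counters differ too; that is noise, not drift.
RUNNING_RULES='# Generated by iptables-save v1.4.21 on Tue May 22 09:30:12 2018
*filter
:INPUT ACCEPT [48213:9120331]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [39114:4881200]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue May 22 09:30:12 2018'

# normalize_rules: iptables-save text on stdin -> comparable text on stdout.
# Drops comment lines (timestamps) and the [packets:bytes] counters on chain
# policy lines. Rule order is kept on purpose: moving a REJECT relative to an
# ACCEPT changes what the firewall does and must show up as drift.
normalize_rules() {
    sed -e '/^#/d' -e 's/ \[[0-9]*:[0-9]*\]$//'
}

# ruleset_drift RUNNING SAVED: diff the two normalized rulesets.
# Exit status follows diff: 0 identical, 1 drift, 2 error.
# Lines marked "<" exist only in the running set, ">" only in the saved file.
ruleset_drift() {
    local run_file saved_file rc
    run_file=$(mktemp) && saved_file=$(mktemp) || return 2
    printf '%s\n' "$1" | normalize_rules > "$run_file"
    printf '%s\n' "$2" | normalize_rules > "$saved_file"
    diff "$run_file" "$saved_file"
    rc=$?
    rm -f "$run_file" "$saved_file"
    return $rc
}

# unsaved_rules RUNNING SAVED: rules active now but missing from the saved
# file, i.e. what silently disappears at the next "service iptables restart".
unsaved_rules() {
    ruleset_drift "$1" "$2" | sed -n 's/^< //p'
}

if ruleset_drift "$RUNNING_RULES" "$SAVED_RULES" >/dev/null; then
    echo "Running ruleset matches /etc/sysconfig/iptables."
else
    echo "Rules active but not saved:"
    unsaved_rules "$RUNNING_RULES" "$SAVED_RULES"
fi
```

Against the collected files this is `unsaved_rules "$(cat iptables-save-output)" "$(cat etc-sysconfig-iptables)"`; the `>` side of `ruleset_drift` is just as interesting, since a rule that is saved but not running is one that will come back on the next restart.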