
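#!/usr/bin/sh
#
# HP-UX security audit - information gathering script, version 3.
# Runs read-only inventory commands section by section and prints the
# evidence to stdout. Redirect stdout to a report file and restrict that
# file: later sections dump /etc/passwd, /etc/shadow and other sensitive
# configuration verbatim. Most sections need root to read their inputs.
#
# Deliberately no "set -e": a grep that matches nothing or a file that is
# absent on this host returns non-zero and must not abort the inventory.

# Warn (but continue) when not root, since most evidence is root-readable only.
if [ "$(id -u)" != "0" ]; then
  echo "WARNING: not running as root - many sections will be incomplete" >&2
fi

echo "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
echo ""
echo "HP-Unix Security Audit - Information gathering Script - Version 3"
echo ""
echo ""
echo "Information Risk Management Advisory, TCS CMC Limited"
echo ""
echo "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
echo " "
echo " "
echo " "

echo "###################################################"
echo "***************************************************"
echo "1. Operating System Version"
echo "***************************************************"
uname -a
echo " "

echo "###################################################"
echo "***************************************************"
echo "2. NTP"
echo "***************************************************"
/usr/bin/grep XNTPD= /etc/rc.config.d/netdaemons
echo "------------ "
# "[x]ntpd" keeps the grep process itself out of the ps listing.
/usr/bin/ps -ef | /usr/bin/grep "[x]ntpd"
echo "------------ "
/usr/sbin/ntpq -p
echo " "

echo "###################################################"
echo "***************************************************"
echo "3. Network Configuration"
echo "***************************************************"
# NOTE(review): HP-UX ifconfig may reject -a; netstat -in is run as well so
# the section still yields per-interface evidence - confirm on the target.
ifconfig -a
/usr/bin/netstat -in
echo " "

echo "###################################################"
echo "***************************************************"
echo "4. Disk Space Utilization"
echo "***************************************************"
/usr/bin/df -t
echo " "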
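echo "###################################################"
echo "***************************************************"
echo "5.Are any services being allowed to start from the scripts in /etc/rc.config.d which are not needed"
echo "***************************************************"
# Enabled (=1) settings first, then disabled (=0). grep prefixes every line
# with its file name because several files are searched at once.
/usr/bin/grep -v "^#" /etc/rc.config.d/* | /usr/bin/grep "=1"
echo "------------ "
/usr/bin/grep -v "^#" /etc/rc.config.d/* | /usr/bin/grep "=0"
echo " "

echo "###################################################"
echo "***************************************************"
echo " 6. Inetd daemon logging"
echo "***************************************************"
/usr/bin/grep INETD_ARGS= /etc/rc.config.d/netdaemons
echo "------------ "
/usr/bin/grep inetd /var/adm/syslog/syslog.log
echo " "

echo "###################################################"
echo "***************************************************"
echo " 7. Are any services being allowed to start from the scripts in /etc/inetd.conf which are not needed"
echo "***************************************************"
/usr/bin/grep -v "^#" /etc/inetd.conf

echo "###################################################"
echo "***************************************************"
echo " 8. TCP Wrappers"
echo "***************************************************"
/usr/bin/ls -l /usr/lbin/tcpd /usr/bin/tcpdchk /opt/tcpwrap/bin/tcpd
echo "----------- "
/usr/bin/grep tcpwrap /etc/inetd.conf
echo "----------- "
# cat instead of more: more pages interactively when stdout is a terminal
# and would stall an unattended run.
/usr/bin/cat /etc/hosts.allow /etc/hosts.deny
echo "----------- "
echo " "

echo "###################################################"
echo "***************************************************"
echo "9. Internet daemon security file: Is /var/adm/inetd.sec being used to restrict access to inetd services"
echo "***************************************************"
/usr/bin/grep -v "^#" /var/adm/inetd.sec
echo " "

echo "###################################################"
echo "***************************************************"
echo "10. Is ssh used instead of telnet and ftp?"
echo "***************************************************"
/usr/bin/netstat -af inet | /usr/bin/grep telnet
echo "----------- "
/usr/bin/netstat -af inet | /usr/bin/grep ftp
echo "----------- "
# ssh -V prints its version on stderr; merge it so it lands in the report.
/usr/bin/ssh -V 2>&1
echo " "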
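echo "###################################################"
echo "***************************************************"
echo "11. Trust Relationships"
echo "***************************************************"
/usr/bin/ls -l /etc/hosts.equiv
echo "----------- "
/usr/bin/grep -v "^#" /etc/hosts.equiv
echo "----------- "
# Full-tree walk on purpose (home directories may live on separate local
# filesystems); NFS mounts are traversed too, which can be slow.
/usr/bin/find / -name .rhosts -exec /usr/bin/ls -ld {} \;
echo " "

echo "###################################################"
echo "***************************************************"
echo "12. Is this system intended to be a sendmail server?"
echo "***************************************************"
/usr/bin/grep SENDMAIL_SERVER /etc/rc.config.d/mailservs
echo "----------- "
/usr/bin/grep "sendmail -" /sbin/init.d/sendmail
echo "----------- "
# "[s]endmail" keeps the grep process itself out of the ps listing.
/usr/bin/ps -ef | /usr/bin/grep "[s]endmail"
echo "----------- "
/usr/bin/grep PrivacyOptions /etc/mail/sendmail.cf
echo " "

echo "###################################################"
echo "***************************************************"
echo "13. Is access to CDE from the network limited by the /etc/dt/config/Xaccess file?"
echo "***************************************************"
/usr/bin/ls -l /etc/dt/config/Xaccess
echo " "
/usr/bin/grep -v "^#" /etc/dt/config/Xaccess
echo " "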
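echo "###################################################"
echo "***************************************************"
echo "14. Banners"
echo "***************************************************"
/usr/bin/cat /etc/motd
/usr/bin/cat /etc/issue
echo "If ftp is being used, test that a banner is configured by typing"
/usr/bin/grep banner /etc/ftpd/ftpaccess
echo "If telnet is being used, test that the daemon is configured to not display a banner by typing"
/usr/bin/grep telnetd /etc/inetd.conf
echo " "

echo "###################################################"
echo "***************************************************"
echo "15. Modems"
echo "***************************************************"
/usr/bin/grep getty /etc/inittab
echo "----------- "
/usr/sbin/ioscan -FunC tty
echo "----------- "
/usr/bin/cat /etc/dialups
echo "----------- "
# /etc/d_passwd holds dial-up password hashes; it ends up in the report.
/usr/bin/cat /etc/d_passwd
echo " "

echo "###################################################"
echo "***************************************************"
echo "16. Security Patch Checker Utility"
echo "***************************************************"
/usr/bin/ls -l /opt/sec_mgmt/spc/bin/security_patch_check
/usr/bin/grep security_patch_check /var/spool/cron/crontabs/*
echo " "

echo "###################################################"
echo "***************************************************"
echo "17. Operating system Patches "
echo "***************************************************"
echo "To get a list of individual patches"
/usr/sbin/swlist -l patch
echo "To get a list of patch bundles"
/usr/sbin/swlist -l bundle | /usr/bin/grep Patch
echo "for evidence of regular patching"
tail /var/adm/sw/swinstall.log
echo " "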
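echo "###################################################"
echo "***************************************************"
echo "18. Are Shadow Passwords used on this machine?"
echo "***************************************************"
/usr/bin/ls -l /etc/shadow
/usr/bin/ls -l /etc/passwd
/usr/bin/ls -l /etc/group
# Distinct values of the passwd password field: a placeholder such as "x"
# or "*" indicates hashes are kept elsewhere; anything longer is a hash
# stored in /etc/passwd itself (world-readable).
/usr/bin/awk -F: '{print $2}' /etc/passwd | /usr/bin/sort -u
# The copies below put password hashes into the report - treat the output
# file as a secret (restrict permissions, delete it after the audit).
echo "copy of file "
/usr/bin/cat /etc/passwd
echo "copy of file"
/usr/bin/cat /etc/shadow
echo "copy of file"
/usr/bin/cat /etc/group

echo "###################################################"
echo "***************************************************"
echo "19. Minimum password length"
echo "***************************************************"
/usr/bin/grep MIN_PASSWORD_LENGTH /etc/default/security
/usr/bin/cat /etc/default/security
echo " "

echo "###################################################"
echo "***************************************************"
echo "20. Empty Passwords"
echo "***************************************************"
/usr/sbin/logins -p
echo " "

echo "###################################################"
echo "***************************************************"
echo "21. Weak Passwords"
echo "***************************************************"
# Manual step only; nothing is executed here.
echo "Type ./john copy-of-passwd-file "
echo "After one hour, terminate the program with a and type following"
echo "------------- "
echo " "

echo "###################################################"
echo "***************************************************"
echo "22. Duplicate superuser accounts"
echo "***************************************************"
# logins -d lists accounts that share a UID; -o makes the output
# colon-separated so the UID column can be tested exactly (a plain
# grep "0" matched any 0 in any column, e.g. GIDs or UIDs like 105).
/usr/sbin/logins -od | /usr/bin/awk -F: '$2 == 0'
echo " "

echo "###################################################"
echo "***************************************************"
echo "23. Root Login Restricted"
echo "***************************************************"
/usr/bin/ls -l /etc/securetty
/usr/bin/cat /etc/securetty
echo " "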

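echo "###################################################"
echo "***************************************************"
echo "24. Have all unneeded system accounts been locked?"
echo "***************************************************"
# Anchor on "^name:" so that e.g. "lp" does not also match "lpadmin".
for user in uucp nuucp adm bin daemon lp nobody noaccess hpdb useradm; do
  /usr/bin/grep "^${user}:" /etc/passwd
done
echo "------------ "
for user in uucp nuucp adm bin daemon lp nobody noaccess hpdb useradm; do
  /usr/bin/grep "^${user}:" /etc/shadow
done
echo " "

echo "###################################################"
echo "***************************************************"
echo "25. root PATH variable and world writeable directories in the PATH?"
echo "***************************************************"
# This is the PATH of the shell running the script; run it from a root
# login shell so it reflects root's own PATH.
echo "Examine output for dot in PATH"
echo "$PATH"
echo "Perform a /usr/bin/ls -ld on each entry in the PATH variable"
# Split on ':' only. An empty entry means the current directory, which is
# exactly the finding this section looks for, so it is listed as ".".
echo "$PATH" | /usr/bin/awk -F: '{for (x = 1; x <= NF; x++) print $x}' |
  while IFS= read -r dir; do
    /usr/bin/ls -ld "${dir:-.}"
  done
echo " "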
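echo "###################################################"
echo "***************************************************"
echo "26. Users Directory security"
echo "***************************************************"
# Use the shell's builtin read: an external /usr/bin/read runs in its own
# process and cannot set $user/$home for the loop body, which then listed
# nothing useful. Fields are joined with ':' so a home path containing
# spaces survives the split.
/usr/sbin/logins -ox | /usr/bin/awk -F: '{print $1 ":" $6}' |
  while IFS=: read -r user home; do
    echo "${user}'s home is:"
    /usr/bin/ls -ld "$home"
    echo " and dot files are:"
    # .[!.]* matches dot files but not "." and ".."; an unmatched pattern
    # is passed literally and ls reports it as missing.
    /usr/bin/ls -ld "$home"/.[!.]*
    echo " "
  done
echo " "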
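echo "###################################################"
echo "***************************************************"
echo "27. World-Writable Directories Should Have Their Sticky Bit Set"
echo "***************************************************"
/usr/bin/ls -ld /tmp /var/tmp /var/preserve /var/stm/logs \
  /var/stm/catalog /var/spool/cron/tmp
echo " "

echo "###################################################"
echo "***************************************************"
echo "27. Find unauthorized world-writable files"
echo "***************************************************"
# One find per local (hfs/vxfs) mount point from /etc/fstab; -xdev keeps
# each walk on its own filesystem so NFS mounts are skipped. Mount points
# containing whitespace would be split by the for loop.
for part in $(/usr/bin/awk '($3 ~ /^(hfs|vxfs)$/) { print $2 }' /etc/fstab); do
  /usr/bin/find "$part" -xdev -type f -perm -0002 -print
done
echo " "

echo "###################################################"
echo "***************************************************"
echo "27. Find unowned files and directories"
echo "***************************************************"
# Whole tree, NFS included: unowned files on remote mounts usually mean a
# UID/GID mismatch with the server rather than a local problem.
/usr/bin/find / \( -nouser -o -nogroup \) -print
echo " "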

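echo "###################################################"
echo "***************************************************"
echo "28. Root's home directory"
echo "***************************************************"
/usr/sbin/logins -xl root
echo " "

echo "###################################################"
echo "***************************************************"
echo "29. Default umask"
echo "***************************************************"
# umask is a shell builtin; this reports the mask of the shell running
# the script, not necessarily what login shells get from /etc/profile.
umask
echo " "

echo "###################################################"
echo "***************************************************"
echo "30. Global chown privileges"
echo "***************************************************"
/usr/bin/getprivgrp
echo " "

echo "###################################################"
echo "***************************************************"
echo "31. SUID,SGID Files"
echo "***************************************************"
/usr/bin/find / \( -perm -4000 -o -perm -2000 \) -type f \
  -exec /usr/bin/ls -l {} \;
echo " "
echo "Note- Any files under the /var/adm/sw/save directory NOT need SUID/SGID"

echo "###################################################"
echo "***************************************************"
echo "32. File integrity software"
echo "***************************************************"
/usr/bin/grep -e tripwire -e swverify -e pdfdiff -e pdfck \
  /var/spool/cron/crontabs/*
echo " "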
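echo "###################################################"
echo "***************************************************"
echo "33. Log file and configuration file permissions"
echo "***************************************************"
/usr/bin/grep -v "^#" /etc/syslog.conf
/usr/bin/ls -l /var/adm/syslog/mail.log
/usr/bin/ls -l /var/adm/syslog/syslog.log

echo "###################################################"
echo "***************************************************"
echo "34. Log files permissions"
echo "***************************************************"
# A missing path is reported by ls on stderr and the loop carries on.
for f in \
  /var/spool/cron/crontabs/root \
  /var/X11/Xserver/logs/X0.log \
  /var/adm/automount.log \
  /var/adm/snmpd.log \
  /var/opt/dce/svc/fatal.log \
  /var/opt/dce/svc/warning.log \
  /var/opt/ignite/recovery/fstab \
  /var/sam/hpbottom.iout \
  /var/sam/lock \
  /var/sam/log/samlog \
  /var/adm/sw/sav \
  /var/adm/sw/patch \
  /stand/dlkm \
  /stand/dlkm.vmunix.prev \
  /usr/local \
  /usr/lbin \
  /var/stm \
  /usr/share/man \
  /var/dt/Xerrors \
  /var/opt/common \
  /var/spool/sockets/common; do
  /usr/bin/ls -ld "$f"
done

echo "###################################################"
echo "***************************************************"
echo "34. Log file and configuration file permissions"
echo "***************************************************"
# cron/at access lists: who may schedule jobs. Contents first, then modes.
for f in /var/adm/cron/cron.allow /var/adm/cron/cron.deny \
  /var/adm/cron/at.allow /var/adm/cron/at.deny; do
  cat "$f"
  echo "---- "
done
echo " "
ls -l /var/adm/cron/cron.allow /var/adm/cron/cron.deny \
  /var/adm/cron/at.allow /var/adm/cron/at.deny
echo " "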
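echo "###################################################"
echo "***************************************************"
echo "35. Buffer overflow protection mechanism"
echo "***************************************************"
/usr/sbin/kmtune -q executable_stack
echo " "

echo "###################################################"
echo "***************************************************"
echo "36. Root email must be read in a timely manner"
echo "***************************************************"
# -H prints the header summary of root's mailbox without entering
# interactive mode.
/usr/bin/mailx -H
/usr/bin/cat ~root/.forward
/usr/bin/grep "^root" /etc/mail/aliases
echo " "

echo "###################################################"
echo "***************************************************"
echo "37. Password policy"
echo "***************************************************"
# NOTE(review): /etc/login.defs is not a standard HP-UX file; the password
# policy on HP-UX is normally in /etc/default/security (section 19) -
# confirm which file applies on the target.
cat /etc/login.defs
echo " "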
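echo "###################################################"
echo "***************************************************"
echo "38. .netrc file"
echo "***************************************************"
# .netrc files hold clear-text FTP credentials; list them, do not cat them.
find / -type f -name .netrc -exec ls -ld {} \;
echo " "

echo "###################################################"
echo "***************************************************"
echo "39. Log file review"
echo "***************************************************"
# Manual review items; nothing is executed here.
echo "log files should be reviewed on a weekly basis:"
echo " Examine /var/adm/syslog/syslog.log"
echo " Examine /var/adm/sulog"
echo " Examine /var/adm/syslog/mail.log"
echo " Examine /etc/rc.log"
echo " "

echo "###################################################"
echo "***************************************************"
echo "40. Change Control Processes"
echo "***************************************************"
echo "check for change control process with sys admins"
echo " "

echo "###################################################"
echo "***************************************************"
echo "41. Retirement of old media"
echo "***************************************************"
echo "Sanitization and disposition of media"
echo " "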

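echo "###################################################"
echo "***************************************************"
echo "42. Stripping down OS"
echo "***************************************************"
swlist -l product
echo " "

echo "###################################################"
echo "***************************************************"
echo "43. Ip forwarding, TCP sequence number"
echo "***************************************************"
/usr/bin/cat /sbin/init.d/net
echo " "

echo "###################################################"
echo "***************************************************"
echo "43. Network Parameters"
echo "***************************************************"
/usr/bin/cat /etc/rc.config.d/nddconf
echo " "

echo "###################################################"
echo "***************************************************"
echo "44. FTP Users"
echo "***************************************************"
/usr/bin/cat /etc/ftpusers
echo " "

echo "###################################################"
echo "***************************************************"
echo "45. File Systems"
echo "***************************************************"
/usr/bin/cat /etc/fstab
echo " "

echo "###################################################"
echo "***************************************************"
echo "46. Ensure the audit subsystem is enabled and is configured securely."
echo "***************************************************"
echo "audsys: Start/Stops auditing, displays audit file information"
echo "/usr/sbin/sam"
/usr/bin/cat /etc/rc.config.d/auditing
ls -ldb /.secure/etc/auditfile1
ls -ldb /.secure/etc/auditfile2
echo " "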
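echo "###################################################"
echo "***************************************************"
echo "47. Verify root's startup files are only writable by root."
echo "***************************************************"
# Modes first, then contents, for the same list of files. The original
# listed "/.emace" in the cat list; /.emacs (as in the ls list) is assumed.
for f in /.login /.profile /etc/profile /.cshrc /.kshrc /.emacs \
  /.exrc /.forward /.rhosts /.dtprofile /.Xdefaults; do
  ls -l "$f"
done
for f in /.login /.profile /etc/profile /.cshrc /.kshrc /.emacs \
  /.exrc /.forward /.rhosts /.dtprofile /.Xdefaults; do
  /usr/bin/cat "$f"
  echo "---- "
done
echo " "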
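echo "###################################################"
echo "***************************************************"
echo "47.Identify all world-writable files on the system and verify their need."
echo "***************************************************"
# "-perm -0002" means the other-write bit is set, whatever the rest of the
# mode is. The earlier exact-match form (-perm 2 / -perm 20) only caught
# files whose entire mode was 0002 or 0020, i.e. practically nothing.
/usr/bin/find / -type f \( -perm -0002 -o -perm -0020 \) -exec ls -ldb {} \;
/usr/bin/find / -type d \( -perm -0002 -o -perm -0020 \) -exec ls -ldb {} \;
echo " "

echo "###################################################"
echo "***************************************************"
echo "48.NFS Exports"
echo "***************************************************"
/usr/bin/cat /etc/exports
echo " "

echo "###################################################"
echo "***************************************************"
echo "49.Logon Banners"
echo "***************************************************"
cat /etc/issue
echo "---- "
cat /etc/issue.net
echo "---- "
cat /etc/motd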
