UNIX/Linux local audit tool

By Sean Boran (sean at boran.com)


Introduction

Auditing the security of an existing Solaris system can be time-consuming, and often requires on-site visits. There are several commercial tools and a few free ones (e.g., Titan and the Coroner's Toolkit) that help, but they can be complicated and require local compilation or configuration.

So a tool was developed with the following aims:

This script automates the gathering of the information only. Of course, the difficult part is the interpretation of results and deciding what countermeasures to take.

Note:
Please visit the Lusas project, which is newer than this page.

The script
audit.sh can be used to call audit1.sh and audit2.pl and to pack all results into one file.

What does it do?

The tool consists of two main scripts, both of which look at the system, but do not make any modifications.

  1. audit1.sh (Bourne shell): This script is designed to run quickly and gather as much security information as possible about the system.
     No file searches are conducted, to keep it fast.
     Tested on: Solaris 2.6/7/8/9, OpenBSD 2.6, RH 7, Suse 7.1/8.1, HP-UX11. Solaris is best supported.
  2. audit2.pl (Perl): This second script searches the entire filesystem, listing SUID, SGID, world-writeable and group-writeable files. It also lists trust files and their contents. Finally it lists files with weird names (e.g., containing punctuation characters), which might be dangerous or a sign of penetration. On a large server with 100GB disks, this can take a few hours to run.
     Tested on: SunOS 5.5/6/7/8/9, OpenBSD 2.6, RH 7, Suse 7.1/8.1/9, HP-UX11.
  3. audit3.sh is a minimal Bourne shell script that replaces audit2.pl on old systems that don't have Perl. Normally you don't need to run this.
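As an added example (not the project's audit2.pl or audit3.sh), here is a minimal Bourne-shell version of the part-2 checks: it reports SUID/SGID, world-writable and group-writable files and odd file names below a directory, and it builds a constructed sample tree so the scan can be tried without root. The function names and the sample tree are assumptions for illustration.

```shell
#!/bin/sh
# Minimal read-only scan in the spirit of audit2.pl/audit3.sh (added example, not the
# project's code): list SUID/SGID, world-writable and group-writable files and files
# with unusual names below a directory. Nothing is modified.

# audit_fs_scan DIR  -> prints "TAG path" lines, one per finding
audit_fs_scan() {
  root=$1
  # SUID/SGID programs: each one is a privilege boundary worth reviewing.
  find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null \
    | sed 's/^/SUID_SGID /'
  # World-writable files: anyone can change them (dangerous for scripts run by root).
  find "$root" -xdev -type f -perm -002 -print 2>/dev/null | sed 's/^/WORLD_W /'
  # Group-writable only (world-writable ones are already reported above).
  find "$root" -xdev -type f -perm -020 ! -perm -002 -print 2>/dev/null | sed 's/^/GROUP_W /'
  # Names containing anything outside [A-Za-z0-9._+-]: spaces, ". ", "..." and the like
  # are classic hiding places. Directories are included on purpose.
  find "$root" -xdev -name '*[!A-Za-z0-9._+-]*' -print 2>/dev/null | sed 's/^/ODDNAME /'
}

# make_sample_tree DIR: constructed sample data so the scan can be tried without root.
make_sample_tree() {
  d=$1
  mkdir -p "$d/bin" "$d/tmp"
  : > "$d/bin/helper";    chmod 4755 "$d/bin/helper"      # SUID
  : > "$d/bin/shared";    chmod 2755 "$d/bin/shared"      # SGID
  : > "$d/bin/ok";        chmod 0755 "$d/bin/ok"          # clean
  : > "$d/tmp/notes.txt"; chmod 0666 "$d/tmp/notes.txt"   # world-writable
  : > "$d/tmp/team.log";  chmod 0664 "$d/tmp/team.log"    # group-writable
  : > "$d/tmp/. ";        chmod 0644 "$d/tmp/. "          # odd name: dot-space
}

# count_tag DIR TAG: number of findings with the given tag (handy for comparing hosts)
count_tag() {
  audit_fs_scan "$1" | grep -c "^$2 " || true
}

# Demo run against a throwaway tree; the tree is removed afterwards.
demo=`mktemp -d` && make_sample_tree "$demo" && audit_fs_scan "$demo" && rm -rf "$demo"
```

Run it as root against / to get the real picture; against a directory you own it only sees what you can read, just as audit2.pl would.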

Using the tool

Please read the headers in the scripts before using.

#!/bin/sh
# audit.sh: run audit1.sh and audit2.pl, then pack both result files into one tarball.
dir=`dirname "$0"`
hostname=`uname -n`
echo "Run audit part 1, results in $dir/$hostname.audit1.log..."
sh "$dir/audit1.sh" > "$dir/$hostname.audit1.log" 2>&1

echo "Run audit part 2..."
perl "$dir/audit2.pl"

echo "Create a gzipped tarball from .."
ls -al "$dir"/$hostname.audit[12]*log
# Archive from inside $dir so the tarball holds bare file names and the
# log files are found regardless of the current working directory.
(cd "$dir" && tar cf - $hostname.audit[12]*log) | gzip > "$dir/audit.$hostname.tgz"
if [ $? -eq 0 ] ; then
  echo "Deleting temporary audit files .."
  rm "$dir"/$hostname.audit[12]*log
fi
ls -l "$dir/audit.$hostname.tgz"
echo "finished"

Tips

  1. Compare Solaris patch levels:
    for f in *audit1.log ; do
      echo $f;
      egrep "^Patch: " $f |awk '{print $2}' |sort > $f.pat;
    done
    sdiff system1.audit1.log.pat system2.audit1.log.pat |grep "|"

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2004, Seán Boran, All Rights Reserved, Last Update: 11 February 2004