By Sean Boran (sean at boran.com)
Auditing the security of an existing Solaris system can be time-consuming, and often requires on-site visits. There are several commercial tools and a few free ones (e.g., Titan and the Coroner's Toolkit) that help, but they can be complicated and require local compilation or configuration.
So a tool was developed with the following aims:
- Simple to use: the auditor could even give the tool to the sysadmin, ask him to run it at night and send the results back to the auditor (perhaps by encrypted email).
- For situations where a "quick audit" of the system is required.
- Easy to verify: it is not as thorough as other tools, but it is small and easy to understand.
- Does not require a compiler or other tools.
This script automates the gathering of the information only. Of course, the difficult part is the interpretation of results and deciding what countermeasures to take.
Note: Please visit the Lusas project, which is newer than this page.
The script audit.sh can be used to call audit1.sh and audit2.pl and create one file with all results.
The tool consists of two main scripts, both of which look at the system, but do not make any modifications.
- audit1.sh (Bourne shell): This script is designed to run quickly and gather as much security information as possible about the system.
No file searches are conducted, to keep it fast.
Tested on: Solaris 2.6/7/8/9, OpenBSD 2.6, RH 7, Suse 7.1/8.1, HP-UX11. Solaris is best supported.
- audit2.pl (perl): This second script searches the entire filesystem, listing SUID, SGID, world-writable and group-writable files. It also lists trust files and their contents. Finally it lists files with weird names (e.g., containing punctuation characters), which might be dangerous or a sign of penetration. On a large server with 100GB disks, this can take a few hours to run.
Tested on SunOS 5.5/6/7/8/9, OpenBSD 2.6, RH 7, Suse 7.1/8.1/9, HP-UX11.
- audit3.sh is a minimal Bourne shell script that replaces audit2.pl on old systems that don't have Perl. Normally you don't need to run this.
Please read the headers in the scripts before using. The wrapper script audit.sh, which runs audit1.sh and audit2.pl and bundles both logs into one tarball, looks like this:
#!/bin/sh
# audit.sh: run audit1.sh and audit2.pl, then bundle both logs into one tarball.
dir=`dirname $0`
hostname=`uname -n`
# Work inside the script directory so that the logs, the tarball and the
# output of audit2.pl all end up in the same place.
cd $dir || exit 1
echo "Run audit part 1, results in $dir/$hostname.audit1.log..."
sh ./audit1.sh > $hostname.audit1.log 2>&1
echo "Run audit part 2..."
perl ./audit2.pl
echo "Create a gzipped tarball from .."
ls -al $hostname.audit[12]*log
tar cf - $hostname.audit[12]*log | gzip > audit.$hostname.tgz
# $? is the exit status of gzip, the last command in the pipeline
if [ $? -eq 0 ] ; then
    echo "Deleting temporary audit files .."
    rm $hostname.audit[12]*log
fi
ls -l audit.$hostname.tgz
echo "finished"
- Compare Solaris patch levels:
# Extract the patch ids (field 2 of the "Patch: ..." lines) from each audit1 log
for f in *audit1.log ; do
    echo $f
    egrep "^Patch: " $f | awk '{print $2}' | sort > $f.pat
done
# sdiff marks lines that differ between the two files with "|"
sdiff system1.audit1.log.pat system2.audit1.log.pat | grep "|"
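The grep "|" filter above shows only positions where both files carry a differing line; a patch installed on just one host appears in sdiff output as < or > and is dropped. The following shell script is an added example, not part of the original tools: it does the same extraction and then reports one-sided patches and same-base/different-revision pairs separately. It assumes the audit1.log holds showrev -p style "Patch: <base>-<rev> ..." lines, as the snippet implies; the sample logs in demo are constructed.

```shell
#!/bin/sh
# Compare the Solaris patch levels recorded by audit1.sh on two hosts.
# Besides lines that differ on both sides (what "sdiff | grep '|'" shows),
# this reports patches present on only one host, and patches whose base id
# matches while the revision (the part after the dash) differs.

# extract_patches HOST.audit1.log
# Prints field 2 of the "Patch: <base>-<rev> ..." lines (showrev -p format),
# sorted and de-duplicated, exactly as the snippet above does.
extract_patches() {
    grep '^Patch: ' "$1" | awk '{print $2}' | sort -u
}

# compare_patches A.pat B.pat
# Inputs hold one "<base>-<rev>" id per line, as written by extract_patches.
compare_patches() {
    awk -F- '
        FILENAME == ARGV[1] { a[$1] = $2; next }   # host A: base -> revision
                            { b[$1] = $2 }          # host B
        END {
            for (p in a) if (!(p in b)) printf "only-in-A %s-%s\n", p, a[p]
            for (p in b) if (!(p in a)) printf "only-in-B %s-%s\n", p, b[p]
            for (p in a) if ((p in b) && a[p] != b[p])
                printf "revision-differs %s A=%s B=%s\n", p, a[p], b[p]
        }' "$1" "$2" | sort
}

# Demo on constructed sample logs (not real audit1.sh output).
demo() {
    tmp=`mktemp -d` || return 1
    cat > "$tmp/hostA.audit1.log" <<'EOF'
Patch: 111111-05 Obsoletes: Requires: Incompatibles: Packages: SUNWcsu
Patch: 222222-10 Obsoletes: Requires: Incompatibles: Packages: SUNWcsr
Patch: 333333-01 Obsoletes: Requires: Incompatibles: Packages: SUNWcsu
EOF
    cat > "$tmp/hostB.audit1.log" <<'EOF'
Patch: 111111-03 Obsoletes: Requires: Incompatibles: Packages: SUNWcsu
Patch: 222222-10 Obsoletes: Requires: Incompatibles: Packages: SUNWcsr
Patch: 444444-02 Obsoletes: Requires: Incompatibles: Packages: SUNWcsl
EOF
    extract_patches "$tmp/hostA.audit1.log" > "$tmp/hostA.pat"
    extract_patches "$tmp/hostB.audit1.log" > "$tmp/hostB.pat"
    compare_patches "$tmp/hostA.pat" "$tmp/hostB.pat"
    rm -rf "$tmp"
}

demo
```

With the constructed logs the demo prints one only-in-A line, one only-in-B line and one revision-differs line; run extract_patches on each real host's audit1.log and feed the two .pat files to compare_patches.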
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.
© Copyright 2004, Seán Boran, All Rights Reserved. Last Update: 11 February 2004