Unix Script Audit

This document contains the output of a script that runs various commands to gather security-related information from a Unix system. The script checks things like the operating system version, network configuration, disk space, running services, password security, patching level and more. It identifies configuration issues, vulnerabilities and areas where the security of the system can be improved.

Uploaded by

Mohammad Aref
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
67 views

Unix Script Audit

This document contains the output of a script that runs various commands to gather security-related information from a Unix system. The script checks for things like the operating system version, network configuration, disk space, running services, password security, patching levels and more. It is identifying configuration issues, vulnerabilities and areas for improvement for the security of the system.

Uploaded by

Mohammad Aref
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
You are on page 1/ 10

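#!/usr/bin/sh
#
# HP-UX Security Audit - information gathering script (version 3).
#
# Runs read-only inspection commands and prints their output to stdout,
# one numbered section per control. Intended to be run as root with the
# output captured to a file for later review.
#
# NOTE: the captured report contains sensitive material - later sections
# copy /etc/shadow, /etc/d_passwd and other credential files verbatim -
# so store it with restrictive permissions and handle it as carefully as
# the files it copies.
#
# Commands are referenced by absolute path wherever possible so the
# report does not depend on the caller's PATH.

# The banner lines were previously broken mid-word by line wrapping
# ("Sc/ript", "Advi/sory"); they are now single strings.
echo "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
echo "
HP-Unix Security Audit - Information gathering Script - Version 3
"
echo "
Information Risk Management Advisory, TCS CMC Limited
"
echo "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
echo " "
echo " "
echo " "
echo "###################################################"
echo "***************************************************"
echo "1. Operating System Version"
echo "***************************************************"
# Kernel name, hostname, release, version and machine type.
/usr/bin/uname -a
echo " "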
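echo "###################################################"
echo "***************************************************"
echo "2. NTP"
echo "***************************************************"
# Is xntpd enabled at boot, is it running, and which peers does it use?
/usr/bin/grep XNTPD= /etc/rc.config.d/netdaemons
echo "------------ "
# '[x]ntpd' matches the daemon but not this grep's own command line,
# so a non-running xntpd is not hidden by a false positive.
/usr/bin/ps -ef | /usr/bin/grep '[x]ntpd'
echo "------------ "
/usr/sbin/ntpq -p
echo " "
echo "###################################################"
echo "***************************************************"
echo "3. Network Configuration"
echo "***************************************************"
ifconfig -a
# 'ifconfig -a' is not supported on every HP-UX release; netstat -in is,
# so the interface list is printed with it as well.
/usr/bin/netstat -in
echo " "
echo "###################################################"
echo "***************************************************"
echo "4. Disk Space Utilization"
echo "***************************************************"
/usr/bin/df -t
echo " "
echo "###################################################"
echo "***************************************************"
# Heading previously broken mid-path by line wrapping; now one string.
echo "5.Are any services being allowed to start from the scripts in /etc/rc.config.d which are not needed"
echo "***************************************************"
# Services enabled at boot (VAR=1) first, then disabled ones (VAR=0).
/usr/bin/grep -v "^#" /etc/rc.config.d/* | /usr/bin/grep "=1"
echo "------------ "
/usr/bin/grep -v "^#" /etc/rc.config.d/* | /usr/bin/grep "=0"
echo " "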
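echo "###################################################"
echo "***************************************************"
echo " 6. Inetd daemon logging"
echo "***************************************************"
# inetd logging is enabled through INETD_ARGS (e.g. "-l") in netdaemons;
# the syslog grep shows whether connection logging is actually arriving.
/usr/bin/grep INETD_ARGS= /etc/rc.config.d/netdaemons
echo "------------ "
/usr/bin/grep inetd /var/adm/syslog/syslog.log
echo " "
echo "###################################################"
echo "***************************************************"
# Heading previously broken mid-path by line wrapping; now one string.
echo " 7. Are any services being allowed to start from the scripts in /etc/inetd.conf which are not needed"
echo "***************************************************"
/usr/bin/grep -v "^#" /etc/inetd.conf
echo " "
echo "###################################################"
echo "***************************************************"
echo " 8. TCP Wrappers"
echo "***************************************************"
/usr/bin/ls -l /usr/lbin/tcpd /usr/bin/tcpdchk /opt/tcpwrap/bin/tcpd
echo "----------- "
/usr/bin/grep tcpwrap /etc/inetd.conf
echo "----------- "
# cat rather than more: more is a pager and would stop for keyboard input
# when the script is run from a terminal.
/usr/bin/cat /etc/hosts.allow /etc/hosts.deny
echo "----------- "
echo " "
echo "###################################################"
echo "***************************************************"
# Heading previously broken mid-path by line wrapping; now one string.
echo "9. Internet daemon security file: Is /var/adm/inetd.sec being used to restrict access to inetd services"
echo "***************************************************"
/usr/bin/grep -v "^#" /var/adm/inetd.sec
echo " "
echo "###################################################"
echo "***************************************************"
echo "10. Is ssh used instead of telnet and ftp?"
echo "***************************************************"
# Listening/established telnet and ftp sockets.
/usr/bin/netstat -af inet | /usr/bin/grep telnet
echo "----------- "
/usr/bin/netstat -af inet | /usr/bin/grep ftp
echo "----------- "
# ssh writes its version string to stderr; merge it so it lands in the report.
/usr/bin/ssh -V 2>&1
echo " "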
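echo "###################################################"
echo "***************************************************"
echo "11. Trust Relationships"
echo "***************************************************"
# hosts.equiv and per-user .rhosts grant password-less rlogin/rsh access.
/usr/bin/ls -l /etc/hosts.equiv
echo "----------- "
/usr/bin/grep -v "^#" /etc/hosts.equiv
echo "----------- "
/usr/bin/find / -name .rhosts -exec /usr/bin/ls -ld {} \;
echo " "
echo "###################################################"
echo "***************************************************"
echo "12. Is this system intended to be a sendmail server?"
echo "***************************************************"
/usr/bin/grep SENDMAIL_SERVER /etc/rc.config.d/mailservs
echo "----------- "
/usr/bin/grep "sendmail -" /sbin/init.d/sendmail
echo "----------- "
# '[s]endmail' keeps this grep from matching its own command line.
/usr/bin/ps -ef | /usr/bin/grep '[s]endmail'
echo "----------- "
# PrivacyOptions controls VRFY/EXPN and similar information disclosure.
/usr/bin/grep PrivacyOptions /etc/mail/sendmail.cf
echo " "
echo "###################################################"
echo "***************************************************"
# Heading previously broken mid-path by line wrapping; now one string.
echo "13. Is access to CDE from the network limited by the /etc/dt/config/Xaccess file?"
echo "***************************************************"
/usr/bin/ls -l /etc/dt/config/Xaccess
echo " "
/usr/bin/grep -v "^#" /etc/dt/config/Xaccess
echo " "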
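echo "###################################################"
echo "***************************************************"
echo "14. Banners"
echo "***************************************************"
/usr/bin/cat /etc/motd
/usr/bin/cat /etc/issue
echo "If ftp is being used, test that a banner is configured by typing"
/usr/bin/grep banner /etc/ftpd/ftpaccess
# Heading previously broken by line wrapping; now one string.
echo "If telnet is being used, test that the daemon is configured to not display a banner by typing"
/usr/bin/grep telnetd /etc/inetd.conf
echo " "
echo "###################################################"
echo "***************************************************"
echo "15. Modems"
echo "***************************************************"
# getty entries in inittab and tty devices point at dial-in lines;
# /etc/dialups lists the ports that require a dial-up password and
# /etc/d_passwd holds those (hashed) passwords - sensitive output.
/usr/bin/grep getty /etc/inittab
echo "----------- "
/usr/sbin/ioscan -FunC tty
echo "----------- "
/usr/bin/cat /etc/dialups
echo "----------- "
/usr/bin/cat /etc/d_passwd
echo " "
echo "###################################################"
echo "***************************************************"
echo "16. Security Patch Checker Utility"
echo "***************************************************"
# Is security_patch_check installed, and is it scheduled from any crontab?
/usr/bin/ls -l /opt/sec_mgmt/spc/bin/security_patch_check
/usr/bin/grep security_patch_check /var/spool/cron/crontabs/*
echo " "
echo "###################################################"
echo "***************************************************"
echo "17. Operating system Patches "
echo "***************************************************"
echo "To get a list of individual patches"
/usr/sbin/swlist -l patch
echo "To get a list of patch bundles"
/usr/sbin/swlist -l bundle | /usr/bin/grep Patch
echo "for evidence of regular patching"
/usr/bin/tail /var/adm/sw/swinstall.log
echo " "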
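echo "###################################################"
echo "***************************************************"
echo "18. Are Shadow Passwords used on this machine?"
echo "***************************************************"
/usr/bin/ls -l /etc/shadow
/usr/bin/ls -l /etc/passwd
/usr/bin/ls -l /etc/group
# Distinct values of the passwd password field: on a shadowed system these
# are only placeholders; anything else means hashes live in /etc/passwd.
/usr/bin/awk -F: '{print $2}' /etc/passwd | /usr/bin/sort -u
# The next three copies put password hashes into the report - restrict
# access to the report file accordingly.
echo "copy of file "
/usr/bin/cat /etc/passwd
echo "copy of file"
/usr/bin/cat /etc/shadow
echo "copy of file"
/usr/bin/cat /etc/group
echo "###################################################"
echo "***************************************************"
echo "19. Minimum password length"
echo "***************************************************"
/usr/bin/grep MIN_PASSWORD_LENGTH /etc/default/security
/usr/bin/cat /etc/default/security
echo " "
echo "###################################################"
echo "***************************************************"
echo "20. Empty Passwords"
echo "***************************************************"
# logins -p lists accounts with no password.
/usr/sbin/logins -p
echo " "
echo "###################################################"
echo "***************************************************"
echo "21. Weak Passwords"
echo "***************************************************"
echo "Type ./john copy-of-passwd-file "
echo "After one hour, terminate the program with a and type following"
echo "------------- "
echo " "
echo "###################################################"
echo "***************************************************"
echo "22. Duplicate superuser accounts"
echo "***************************************************"
# logins -d reports every duplicated UID. The previous 'grep "0"' matched
# any line containing a zero; UID-0 accounts are instead read directly
# from /etc/passwd (field 3 is the UID).
/usr/sbin/logins -d
echo "------------- "
/usr/bin/awk -F: '$3 == 0 { print $1 }' /etc/passwd
echo " "
echo "###################################################"
echo "***************************************************"
echo "23. Root Login Restricted"
echo "***************************************************"
/usr/bin/ls -l /etc/securetty
/usr/bin/cat /etc/securetty
echo " "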

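echo "###################################################"
echo "***************************************************"
echo "24. Have all unneeded system accounts been locked?"
echo "***************************************************"
# "^$user:" anchors on the whole login name; "^$user" alone would also
# match e.g. "admin" when looking for "adm".
for user in uucp nuucp adm bin daemon lp nobody noaccess hpdb useradm
do
  /usr/bin/grep "^$user:" /etc/passwd
done
echo "------------ "
for user in uucp nuucp adm bin daemon lp nobody noaccess hpdb useradm
do
  /usr/bin/grep "^$user:" /etc/shadow
done
echo " "
echo "###################################################"
echo "***************************************************"
echo "25. root PATH variable and world writeable directories in the PATH?"
echo "***************************************************"
echo "Examine output for dot in PATH"
/usr/bin/echo "$PATH"
echo "Perform a /usr/bin/ls -ld on each entry in the PATH variable"
# An empty PATH entry (leading, trailing or doubled ':') means the current
# directory, exactly like '.', so it is listed as '.'.
/usr/bin/echo "$PATH" |
  /usr/bin/awk -F: '{ for (x = 1; x <= NF; x++) print ($x == "" ? "." : $x) }' |
  while read -r dir
  do
    /usr/bin/ls -ld "$dir"
  done
echo " "
echo "###################################################"
echo "***************************************************"
echo "26. Users Directory security"
echo "***************************************************"
# The shell builtin read must be used here: the external /usr/bin/read
# runs in its own process and cannot set $user/$home for this loop.
# Assumes 'logins -ox' field 1 is the login and field 6 the home directory.
/usr/sbin/logins -ox | /usr/bin/awk -F: '{print $1,$6}' |
  while read -r user home
  do
    /usr/bin/echo "$user's home is:"
    /usr/bin/ls -ld "$home"
    /usr/bin/echo " and dot files are:"
    /usr/bin/ls -ld "$home/".[!.]*
    /usr/bin/echo " "
  done
echo " "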
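echo "###################################################"
echo "***************************************************"
echo "27. World-Writable Directories Should Have Their Sticky Bit Set"
echo "***************************************************"
/usr/bin/ls -ld /tmp /var/tmp /var/preserve /var/stm/logs \
  /var/stm/catalog /var/spool/cron/tmp
echo " "
echo "###################################################"
echo "***************************************************"
echo "27. Find unauthorized world-writable files"
echo "***************************************************"
# One find per local hfs/vxfs mount point (fstab field 2), staying on that
# filesystem (-xdev) so NFS mounts are not walked.
for part in $(/usr/bin/awk '($3 ~ /^(hfs|vxfs)$/) { print $2 }' /etc/fstab)
do
  /usr/bin/find "$part" -xdev -type f -perm -0002 -print
done
echo " "
echo "###################################################"
echo "***************************************************"
echo "27. Find unowned files and directories"
echo "***************************************************"
/usr/bin/find / \( -nouser -o -nogroup \) -print
echo " "
echo "###################################################"
echo "***************************************************"
echo "28. Root's home directory"
echo "***************************************************"
/usr/sbin/logins -xl root
echo " "
echo "###################################################"
echo "***************************************************"
echo "29. Default umask"
echo "***************************************************"
/usr/bin/umask
echo " "
echo "###################################################"
echo "***************************************************"
echo "30. Global chown privileges"
echo "***************************************************"
/usr/bin/getprivgrp
echo " "
echo "###################################################"
echo "***************************************************"
echo "31. SUID,SGID Files"
echo "***************************************************"
/usr/bin/find / \( -perm -4000 -o -perm -2000 \) -type f \
  -exec /usr/bin/ls -l {} \;
echo " "
# Note text previously broken mid-path by line wrapping; now one string.
echo "Note- Any files under the /var/adm/sw/save directory NOT need SUID/SGID"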

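echo "###################################################"
echo "***************************************************"
echo "32. File integrity software"
echo "***************************************************"
# Any scheduled integrity check (tripwire, swverify, pdfdiff, pdfck)?
/usr/bin/grep -e tripwire -e swverify -e pdfdiff -e pdfck \
  /var/spool/cron/crontabs/*
echo " "
echo "###################################################"
echo "***************************************************"
echo "33. Log file and configuration file permissions"
echo "***************************************************"
/usr/bin/grep -v "^#" /etc/syslog.conf
/usr/bin/ls -l /var/adm/syslog/mail.log
/usr/bin/ls -l /var/adm/syslog/syslog.log
echo "###################################################"
echo "***************************************************"
echo "34. Log files permissions"
echo "***************************************************"
# NOTE(review): /var/adm/sw/sav may be a truncation of /var/adm/sw/save
# (the directory named in section 31) - confirm against the original.
for f in /var/spool/cron/crontabs/root \
         /var/X11/Xserver/logs/X0.log \
         /var/adm/automount.log \
         /var/adm/snmpd.log \
         /var/opt/dce/svc/fatal.log \
         /var/opt/dce/svc/warning.log \
         /var/opt/ignite/recovery/fstab \
         /var/sam/hpbottom.iout \
         /var/sam/lock \
         /var/sam/log/samlog \
         /var/adm/sw/sav \
         /var/adm/sw/patch \
         /stand/dlkm \
         /stand/dlkm.vmunix.prev \
         /usr/local \
         /usr/lbin \
         /var/stm \
         /usr/share/man \
         /var/dt/Xerrors \
         /var/opt/common \
         /var/spool/sockets/common
do
  /usr/bin/ls -ld "$f"
done
echo "###################################################"
echo "***************************************************"
echo "34. Log file and configuration file permissions"
echo "***************************************************"
# cron/at allow and deny lists: who may schedule jobs, and how the
# list files themselves are protected.
for f in /var/adm/cron/cron.allow /var/adm/cron/cron.deny \
         /var/adm/cron/at.allow /var/adm/cron/at.deny
do
  /usr/bin/cat "$f"
  echo "---- "
done
echo " "
/usr/bin/ls -l /var/adm/cron/cron.allow
/usr/bin/ls -l /var/adm/cron/cron.deny
/usr/bin/ls -l /var/adm/cron/at.allow
/usr/bin/ls -l /var/adm/cron/at.deny
echo " "
echo "###################################################"
echo "***************************************************"
echo "35. Buffer overflow protection mechanism"
echo "***************************************************"
/usr/sbin/kmtune -q executable_stack
echo " "
echo "###################################################"
echo "***************************************************"
echo "36. Root email must be read in a timely manner"
echo "***************************************************"
/usr/bin/mailx -H
/usr/bin/cat ~root/.forward
/usr/bin/grep "^root" /etc/mail/aliases
echo " "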

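echo "###################################################"
echo "***************************************************"
echo "37. Password policy"
echo "***************************************************"
/usr/bin/cat /etc/login.defs
echo " "
echo "###################################################"
echo "***************************************************"
echo "38. .netrc file"
echo "***************************************************"
# .netrc files hold plaintext ftp credentials; only their permissions are
# listed, not their contents.
/usr/bin/find / -type f -name .netrc -exec /usr/bin/ls -ld {} \;
echo " "
echo "###################################################"
echo "***************************************************"
echo "39. Log file review"
echo "***************************************************"
echo "log files should be reviewed on a weekly basis:"
echo " Examine /var/adm/syslog/syslog.log"
echo " Examine /var/adm/sulog"
echo " Examine /var/adm/syslog/mail.log"
echo " Examine /etc/rc.log"
echo " "
echo "###################################################"
echo "***************************************************"
echo "40. Change Control Processes"
echo "***************************************************"
echo "check for change control process with sys admins"
echo " "
echo "###################################################"
echo "***************************************************"
echo "41. Retirement of old media"
echo "***************************************************"
echo "Sanitization and disposition of media"
echo " "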

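echo "###################################################"
echo "***************************************************"
echo "42. Stripping down OS"
echo "***************************************************"
/usr/sbin/swlist -l product
echo " "
echo "###################################################"
echo "***************************************************"
echo "43. Ip forwarding, TCP sequence number"
echo "***************************************************"
/usr/bin/cat /sbin/init.d/net
echo " "
echo "###################################################"
echo "***************************************************"
echo "43. Network Parameters"
echo "***************************************************"
/usr/bin/cat /etc/rc.config.d/nddconf
echo " "
echo "###################################################"
echo "***************************************************"
echo "44. FTP Users"
echo "***************************************************"
/usr/bin/cat /etc/ftpusers
echo " "
echo "###################################################"
echo "***************************************************"
echo "45. File Systems"
echo "***************************************************"
/usr/bin/cat /etc/fstab
echo " "
echo "###################################################"
echo "***************************************************"
echo "46. Ensure the audit subsystem is enabled and is configured securely."
echo "***************************************************"
echo "audsys: Start/Stops auditing, displays audit file information"
echo "/usr/sbin/sam"
/usr/bin/cat /etc/rc.config.d/auditing
/usr/bin/ls -ldb /.secure/etc/auditfile1
/usr/bin/ls -ldb /.secure/etc/auditfile2
echo " "
echo "###################################################"
echo "***************************************************"
echo "47. Verify root's startup files are only writable by root."
echo "***************************************************"
# Permissions first, then contents, of each of root's startup files.
# "/.emace" in the original contents list was a typo for /.emacs (the
# permissions list already used /.emacs).
for f in /.login /.profile /etc/profile /.cshrc /.kshrc /.emacs \
         /.exrc /.forward /.rhosts /.dtprofile /.Xdefaults
do
  /usr/bin/ls -l "$f"
done
for f in /.login /.profile /etc/profile /.cshrc /.kshrc /.emacs \
         /.exrc /.forward /.rhosts /.dtprofile /.Xdefaults
do
  /usr/bin/cat "$f"
  echo "---- "
done
echo " "
echo "###################################################"
echo "***************************************************"
echo "47.Identify all world-writable files on the system and verify their need."
echo "***************************************************"
# '-perm 2' / '-perm 20' match a mode of exactly 0002 or 0020, which almost
# no file has; the leading '-' means "these bits are set", i.e. any file or
# directory that is world- or group-writable.
/usr/bin/find / -type f \( -perm -0002 -o -perm -0020 \) -exec /usr/bin/ls -ldb {} \;
/usr/bin/find / -type d \( -perm -0002 -o -perm -0020 \) -exec /usr/bin/ls -ldb {} \;
echo " "
echo "###################################################"
echo "***************************************************"
echo "48.NFS Exports"
echo "***************************************************"
/usr/bin/cat /etc/exports
echo " "
echo "###################################################"
echo "***************************************************"
echo "49.Logon Banners"
echo "***************************************************"
/usr/bin/cat /etc/issue
echo "---- "
/usr/bin/cat /etc/issue.net
echo "---- "
/usr/bin/cat /etc/motd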
