Skip to content

Instantly share code, notes, and snippets.

@unfo

unfo/enum.sh

Created April 7, 2017 14:30
Show Gist options
  • Save unfo/8bc4923240c2fc119967fd1a4ad29fb9 to your computer and use it in GitHub Desktop.
Save unfo/8bc4923240c2fc119967fd1a4ad29fb9 to your computer and use it in GitHub Desktop.
Download ZIP
Linux priv esc. Might be out-dated script versions
Raw
enum.sh
#!/bin/bash
BLACK="\033[30m"
RED="\033[31m"
GREEN="\033[32m"
YELLOW="\033[33m"
BLUE="\033[34m"
PINK="\033[35m"
CYAN="\033[36m"
WHITE="\033[37m"
RED="\033[31m"
NORMAL="\033[0;39m"
GREEN="\033[32m"
# Quick Linux Local Enumeration Script
# v1.0
cat << "EOF"
.
`:.
`:.
.:' ,::
.:' ;:'
:: ;:'
: .:'
`. :.
_________________________
: :
,---: HighOn.Coffee :
: ,'"`: :'
`.`. `: :'
`.`-._: :
`-.__`. ,'
,--------`"`-------------'--------.
`"--.__ __.--"'
`""-------------""'
EOF
sleep 1.4
printf "URL: $GREEN http://highon.coffee $NORMAL \n"
sleep 0.4
printf "Version: $YELLOW 1.0 $NORMAL \n"
sleep 0.4
printf "Twitter: $BLUE @HighOn_Coffee $NORMAL \n"
sleep 0.2
printf "Author: $BLUE @Arr0way $NORMAL \n"
sleep 0.4
printf "Disclaimer: \n"
printf "\n"
printf "$RED HighOn.Coffee is not responsible for misuse or for any damage that you may cause! \n
You agree that you use this software at your own risk. $NORMAL \n"
printf "\n"
printf "\n"
sleep 3
printf "$BLUE"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "##"
printf "\n"
printf "$RED"
printf "$BLUE## $RED Linux Version"
printf "\n"
printf "$BLUE"
printf "##"
printf "\n"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "\n"
printf "$NORMAL"
/bin/cat /etc/issue;
printf "\n"
/bin/cat /etc/*-release
printf "\n"
printf "$BLUE"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "##"
printf "\n"
printf "$RED"
printf "$BLUE## $RED Kernel Info"
printf "\n"
printf "$BLUE"
printf "##"
printf "\n"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "\n"
printf "$NORMAL"
/bin/uname -ar
printf "\n"
printf "$BLUE"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "##"
printf "\n"
printf "$RED"
printf "$BLUE## $RED Network Info"
printf "\n"
printf "$BLUE"
printf "##"
printf "\n"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "\n"
printf "$NORMAL"
/bin/cat /etc/sysconfig/network
printf "\n"
/bin/cat /etc/resolv.conf
iprintf "\n"
printf "$BLUE"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "##"
printf "\n"
printf "$RED"
printf "$BLUE## $RED File System Info"
printf "\n"
printf "$BLUE"
printf "##"
printf "\n"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "\n"
printf "$NORMAL"
/bin/df -h
iprintf "\n"
printf "$BLUE"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "##"
printf "\n"
printf "$RED"
printf "$BLUE## $RED Mounted File Systems with Pretty Output"
printf "\n"
printf "$BLUE"
printf "##"
printf "\n"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "\n"
printf "$NORMAL"
/bin/df -h
mount | column -t
printf "\n"
printf "$BLUE"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "##"
printf "\n"
printf "$RED"
printf "$BLUE## $RED /etc/fstab File Contents"
printf "\n"
printf "$BLUE"
printf "##"
printf "\n"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "\n"
printf "$NORMAL"
/bin/cat /etc/fstab
printf "\n"
printf "$BLUE"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "##"
printf "\n"
printf "$RED"
printf "$BLUE## $RED /etc/passwd File Contents"
printf "\n"
printf "$BLUE"
printf "##"
printf "\n"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "\n"
printf "$NORMAL"
/bin/cat /etc/passwd
printf "\n"
printf "$BLUE"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "##"
printf "\n"
printf "$RED"
printf "$BLUE## $RED /etc/passwd File Contents"
printf "\n"
printf "$BLUE"
printf "##"
printf "\n"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "\n"
printf "$NORMAL"
/bin/cat /etc/shadow
printf "\n"
printf "$BLUE"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "##"
printf "\n"
printf "$RED"
printf "$BLUE## $RED /etc/group File Contents"
printf "\n"
printf "$BLUE"
printf "##"
printf "\n"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "\n"
printf "$NORMAL"
/bin/cat /etc/group
printf "\n"
printf "$BLUE"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "##"
printf "\n"
printf "$RED"
printf "$BLUE## $RED /etc/sudoers File Contents"
printf "\n"
printf "$BLUE"
printf "##"
printf "\n"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "\n"
printf "$NORMAL"
/bin/cat /etc/sudoers
printf "\n"
printf "$BLUE"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "##"
printf "\n"
printf "$RED"
printf "$BLUE## $RED Sticky Bit Files"
printf "\n"
printf "$BLUE"
printf "##"
printf "\n"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "\n"
printf "$NORMAL"
/usr/bin/find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null
printf "\n"
printf "$BLUE"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "##"
printf "\n"
printf "$RED"
printf "$BLUE## $RED World Writable Directories"
printf "\n"
printf "$BLUE"
printf "##"
printf "\n"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "\n"
printf "$NORMAL"
/usr/bin/find / -perm -222 -type d 2>/dev/null
printf "\n"
printf "$BLUE"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "##"
printf "\n"
printf "$RED"
printf "$BLUE## $RED World Writable FIles"
printf "\n"
printf "$BLUE"
printf "##"
printf "\n"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "\n"
printf "$NORMAL"
/usr/bin/find / -type f -perm 0777 2>/dev/null
printf "\n"
printf "$BLUE"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "##"
printf "\n"
printf "$RED"
printf "$BLUE## $RED Files Owned by Current User"
printf "\n"
printf "$BLUE"
printf "##"
printf "\n"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "\n"
printf "$NORMAL"
/usr/bin/find / -user $(whoami) 2>/dev/null
printf "\n"
printf "$BLUE"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "##"
printf "\n"
printf "$RED"
printf "$BLUE## $RED /home and /root Permissions"
printf "\n"
printf "$BLUE"
printf "##"
printf "\n"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "\n"
printf "$NORMAL"
/bin/ls -ahlR /home/
/bin/ls -ahlR /root/
printf "\n"
printf "$BLUE"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "##"
printf "\n"
printf "$RED"
printf "$BLUE## $RED Logged on Users"
printf "\n"
printf "$BLUE"
printf "##"
printf "\n"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "\n"
printf "$NORMAL"
/usr/bin/w
printf "\n"
printf "$BLUE"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "##"
printf "\n"
printf "$RED"
printf "$BLUE## $RED Last Logged on Users"
printf "\n"
printf "$BLUE"
printf "##"
printf "\n"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "\n"
printf "$NORMAL"
/usr/bin/last
printf "\n"
printf "$BLUE"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "##"
printf "\n"
printf "$RED"
printf "$BLUE## $RED Processes Running as root"
printf "\n"
printf "$BLUE"
printf "##"
printf "\n"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "\n"
printf "$NORMAL"
/bin/ps -ef | /bin/grep root
printf "\n"
printf "$BLUE"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "##"
printf "\n"
printf "$RED"
printf "$BLUE## $RED Installed Packages for RHEL / Debian Based Systems"
printf "\n"
printf "$BLUE"
printf "##"
printf "\n"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "\n"
printf "$NORMAL"
# Enumarate CentOS / Ubuntu Boxes
# This is not a great way of ID'ing a box, but I'm being lazy
printf "\n"
/usr/bin/dpkg -l
printf "\n"
/usr/bin/rpm -qa
printf "\n"
printf "$BLUE"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "##"
printf "\n"
printf "$RED"
printf "$BLUE## $RED CentOS / RHEL Services that start at Boot"
printf "\n"
printf "$BLUE"
printf "##"
printf "\n"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "\n"
printf "$NORMAL"
chkconfig --list | grep $(runlevel | awk '{ print $2}'):on
printf "\n"
printf "$BLUE"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "##"
printf "\n"
printf "$RED"
printf "$BLUE## $RED List of init Scripts aka System Services"
printf "\n"
printf "$BLUE"
printf "##"
printf "\n"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "\n"
printf "$NORMAL"
ls /etc/init.d/
printf "$BLUE"
printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' '#'
printf "$NORMAL"
printf "\n More Linux enumeration commands can be found at: $BLUE https://highon.coffee/docs/linux-commands \n"
printf "\n $RED So long, and thanks for all the fish... \n $NORMAL"
printf "\n"
Raw
linuxprivchecker.py
#!/usr/env python
###############################################################################################################
## [Title]: linuxprivchecker.py -- a Linux Privilege Escalation Check Script
## [Author]: Mike Czumak (T_v3rn1x) -- @SecuritySift
##-------------------------------------------------------------------------------------------------------------
## [Details]:
## This script is intended to be executed locally on a Linux box to enumerate basic system info and
## search for common privilege escalation vectors such as world writable files, misconfigurations, clear-text
## passwords and applicable exploits.
##-------------------------------------------------------------------------------------------------------------
## [Warning]:
## This script comes as-is with no promise of functionality or accuracy. I have no plans to maintain updates,
## I did not write it to be efficient and in some cases you may find the functions may not produce the desired
## results. For example, the function that links packages to running processes is based on keywords and will
## not always be accurate. Also, the exploit list included in this function will need to be updated over time.
## Feel free to change or improve it any way you see fit.
##-------------------------------------------------------------------------------------------------------------
## [Modification, Distribution, and Attribution]:
## You are free to modify and/or distribute this script as you wish. I only ask that you maintain original
## author attribution and not attempt to sell it or incorporate it into any commercial offering (as if it's
## worth anything anyway :)
###############################################################################################################
# conditional import for older versions of python not compatible with subprocess
try:
import subprocess as sub
compatmode = 0 # newer version of python, no need for compatibility mode
except ImportError:
import os # older version of python, need to use os instead
compatmode = 1
# title / formatting
bigline = "================================================================================================="
smlline = "-------------------------------------------------------------------------------------------------"
print bigline
print "LINUX PRIVILEGE ESCALATION CHECKER"
print bigline
print
# loop through dictionary, execute the commands, store the results, return updated dict
def execCmd(cmdDict):
for item in cmdDict:
cmd = cmdDict[item]["cmd"]
if compatmode == 0: # newer version of python, use preferred subprocess
out, error = sub.Popen([cmd], stdout=sub.PIPE, stderr=sub.PIPE, shell=True).communicate()
results = out.split('\n')
else: # older version of python, use os.popen
echo_stdout = os.popen(cmd, 'r')
results = echo_stdout.read().split('\n')
cmdDict[item]["results"]=results
return cmdDict
# print results for each previously executed command, no return value
def printResults(cmdDict):
for item in cmdDict:
msg = cmdDict[item]["msg"]
results = cmdDict[item]["results"]
print "[+] " + msg
for result in results:
if result.strip() != "":
print " " + result.strip()
print
return
def writeResults(msg, results):
f = open("privcheckout.txt", "a");
f.write("[+] " + str(len(results)-1) + " " + msg)
for result in results:
if result.strip() != "":
f.write(" " + result.strip())
f.close()
return
# Basic system info
print "[*] GETTING BASIC SYSTEM INFO...\n"
results=[]
sysInfo = {"OS":{"cmd":"cat /etc/issue","msg":"Operating System","results":results},
"KERNEL":{"cmd":"cat /proc/version","msg":"Kernel","results":results},
"HOSTNAME":{"cmd":"hostname", "msg":"Hostname", "results":results}
}
sysInfo = execCmd(sysInfo)
printResults(sysInfo)
# Networking Info
print "[*] GETTING NETWORKING INFO...\n"
netInfo = {"NETINFO":{"cmd":"/sbin/ifconfig -a", "msg":"Interfaces", "results":results},
"ROUTE":{"cmd":"route", "msg":"Route", "results":results},
"NETSTAT":{"cmd":"netstat -antup | grep -v 'TIME_WAIT'", "msg":"Netstat", "results":results}
}
netInfo = execCmd(netInfo)
printResults(netInfo)
# File System Info
print "[*] GETTING FILESYSTEM INFO...\n"
driveInfo = {"MOUNT":{"cmd":"mount","msg":"Mount results", "results":results},
"FSTAB":{"cmd":"cat /etc/fstab 2>/dev/null", "msg":"fstab entries", "results":results}
}
driveInfo = execCmd(driveInfo)
printResults(driveInfo)
# Scheduled Cron Jobs
cronInfo = {"CRON":{"cmd":"ls -la /etc/cron* 2>/dev/null", "msg":"Scheduled cron jobs", "results":results},
"CRONW": {"cmd":"ls -aRl /etc/cron* 2>/dev/null | awk '$1 ~ /w.$/' 2>/dev/null", "msg":"Writable cron dirs", "results":results}
}
cronInfo = execCmd(cronInfo)
printResults(cronInfo)
# User Info
print "\n[*] ENUMERATING USER AND ENVIRONMENTAL INFO...\n"
userInfo = {"WHOAMI":{"cmd":"whoami", "msg":"Current User", "results":results},
"ID":{"cmd":"id","msg":"Current User ID", "results":results},
"ALLUSERS":{"cmd":"cat /etc/passwd", "msg":"All users", "results":results},
"SUPUSERS":{"cmd":"grep -v -E '^#' /etc/passwd | awk -F: '$3 == 0{print $1}'", "msg":"Super Users Found:", "results":results},
"HISTORY":{"cmd":"ls -la ~/.*_history; ls -la /root/.*_history 2>/dev/null", "msg":"Root and current user history (depends on privs)", "results":results},
"ENV":{"cmd":"env 2>/dev/null | grep -v 'LS_COLORS'", "msg":"Environment", "results":results},
"SUDOERS":{"cmd":"cat /etc/sudoers 2>/dev/null | grep -v '#' 2>/dev/null", "msg":"Sudoers (privileged)", "results":results},
"LOGGEDIN":{"cmd":"w 2>/dev/null", "msg":"Logged in User Activity", "results":results}
}
userInfo = execCmd(userInfo)
printResults(userInfo)
if "root" in userInfo["ID"]["results"][0]:
print "[!] ARE YOU SURE YOU'RE NOT ROOT ALREADY?\n"
# File/Directory Privs
print "[*] ENUMERATING FILE AND DIRECTORY PERMISSIONS/CONTENTS...\n"
fdPerms = {"WWDIRSROOT":{"cmd":"find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep root", "msg":"World Writeable Directories for User/Group 'Root'", "results":results},
"WWDIRS":{"cmd":"find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep -v root", "msg":"World Writeable Directories for Users other than Root", "results":results},
"WWFILES":{"cmd":"find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0002 \) -exec ls -l '{}' ';' 2>/dev/null", "msg":"World Writable Files", "results":results},
"SUID":{"cmd":"find / \( -perm -2000 -o -perm -4000 \) -exec ls -ld {} \; 2>/dev/null", "msg":"SUID/SGID Files and Directories", "results":results},
"ROOTHOME":{"cmd":"ls -ahlR /root 2>/dev/null", "msg":"Checking if root's home folder is accessible", "results":results}
}
fdPerms = execCmd(fdPerms)
printResults(fdPerms)
pwdFiles = {"LOGPWDS":{"cmd":"find /var/log -name '*.log' 2>/dev/null | xargs -l10 egrep 'pwd|password' 2>/dev/null", "msg":"Logs containing keyword 'password'", "results":results},
"CONFPWDS":{"cmd":"find /etc -name '*.c*' 2>/dev/null | xargs -l10 egrep 'pwd|password' 2>/dev/null", "msg":"Config files containing keyword 'password'", "results":results},
"SHADOW":{"cmd":"cat /etc/shadow 2>/dev/null", "msg":"Shadow File (Privileged)", "results":results}
}
pwdFiles = execCmd(pwdFiles)
printResults(pwdFiles)
# Processes and Applications
print "[*] ENUMERATING PROCESSES AND APPLICATIONS...\n"
if "debian" in sysInfo["KERNEL"]["results"][0] or "ubuntu" in sysInfo["KERNEL"]["results"][0]:
getPkgs = "dpkg -l | awk '{$1=$4=\"\"; print $0}'" # debian
else:
getPkgs = "rpm -qa | sort -u" # RH/other
getAppProc = {"PROCS":{"cmd":"ps aux | awk '{print $1,$2,$9,$10,$11}'", "msg":"Current processes", "results":results},
"PKGS":{"cmd":getPkgs, "msg":"Installed Packages", "results":results}
}
getAppProc = execCmd(getAppProc)
printResults(getAppProc) # comment to reduce output
otherApps = { "SUDO":{"cmd":"sudo -V | grep version 2>/dev/null", "msg":"Sudo Version (Check out http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=sudo)", "results":results},
"APACHE":{"cmd":"apache2 -v; apache2ctl -M; httpd -v; apachectl -l 2>/dev/null", "msg":"Apache Version and Modules", "results":results},
"APACHECONF":{"cmd":"cat /etc/apache2/apache2.conf 2>/dev/null", "msg":"Apache Config File", "results":results}
}
otherApps = execCmd(otherApps)
printResults(otherApps)
print "[*] IDENTIFYING PROCESSES AND PACKAGES RUNNING AS ROOT OR OTHER SUPERUSER...\n"
# find the package information for the processes currently running
# under root or another super user
procs = getAppProc["PROCS"]["results"]
pkgs = getAppProc["PKGS"]["results"]
supusers = userInfo["SUPUSERS"]["results"]
procdict = {} # dictionary to hold the processes running as super users
for proc in procs: # loop through each process
relatedpkgs = [] # list to hold the packages related to a process
try:
for user in supusers: # loop through the known super users
if (user != "") and (user in proc): # if the process is being run by a super user
procname = proc.split(" ")[4] # grab the process name
if "/" in procname:
splitname = procname.split("/")
procname = splitname[len(splitname)-1]
for pkg in pkgs: # loop through the packages
if not len(procname) < 3: # name too short to get reliable package results
if procname in pkg:
if procname in procdict:
relatedpkgs = procdict[proc] # if already in the dict, grab its pkg list
if pkg not in relatedpkgs:
relatedpkgs.append(pkg) # add pkg to the list
procdict[proc]=relatedpkgs # add any found related packages to the process dictionary entry
except:
pass
for key in procdict:
print " " + key # print the process name
try:
if not procdict[key][0] == "": # only print the rest if related packages were found
print " Possible Related Packages: "
for entry in procdict[key]:
print " " + entry # print each related package
except:
pass
# EXPLOIT ENUMERATION
# First discover the avaialable tools
print
print "[*] ENUMERATING INSTALLED LANGUAGES/TOOLS FOR SPLOIT BUILDING...\n"
devTools = {"TOOLS":{"cmd":"which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/null", "msg":"Installed Tools", "results":results}}
devTools = execCmd(devTools)
printResults(devTools)
print "[+] Related Shell Escape Sequences...\n"
escapeCmd = {"vi":[":!bash", ":set shell=/bin/bash:shell"], "awk":["awk 'BEGIN {system(\"/bin/bash\")}'"], "perl":["perl -e 'exec \"/bin/bash\";'"], "find":["find / -exec /usr/bin/awk 'BEGIN {system(\"/bin/bash\")}' \\;"], "nmap":["--interactive"]}
for cmd in escapeCmd:
for result in devTools["TOOLS"]["results"]:
if cmd in result:
for item in escapeCmd[cmd]:
print " " + cmd + "-->\t" + item
print
print "[*] FINDING RELEVENT PRIVILEGE ESCALATION EXPLOITS...\n"
# Now check for relevant exploits (note: this list should be updated over time; source: Exploit-DB)
# sploit format = sploit name : {minversion, maxversion, exploitdb#, language, {keywords for applicability}} -- current keywords are 'kernel', 'proc', 'pkg' (unused), and 'os'
sploits= { "2.2.x-2.4.x ptrace kmod local exploit":{"minver":"2.2", "maxver":"2.4.99", "exploitdb":"3", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"< 2.4.20 Module Loader Local Root Exploit":{"minver":"0", "maxver":"2.4.20", "exploitdb":"12", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.4.22 "'do_brk()'" local Root Exploit (PoC)":{"minver":"2.4.22", "maxver":"2.4.22", "exploitdb":"129", "lang":"asm", "keywords":{"loc":["kernel"], "val":"kernel"}},
"<= 2.4.22 (do_brk) Local Root Exploit (working)":{"minver":"0", "maxver":"2.4.22", "exploitdb":"131", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.4.x mremap() bound checking Root Exploit":{"minver":"2.4", "maxver":"2.4.99", "exploitdb":"145", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"<= 2.4.29-rc2 uselib() Privilege Elevation":{"minver":"0", "maxver":"2.4.29", "exploitdb":"744", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.4 uselib() Privilege Elevation Exploit":{"minver":"2.4", "maxver":"2.4", "exploitdb":"778", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.4.x / 2.6.x uselib() Local Privilege Escalation Exploit":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"895", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.4/2.6 bluez Local Root Privilege Escalation Exploit (update)":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"926", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"bluez"}},
"<= 2.6.11 (CPL 0) Local Root Exploit (k-rad3.c)":{"minver":"0", "maxver":"2.6.11", "exploitdb":"1397", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit":{"minver":"0", "maxver":"99", "exploitdb":"1518", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"mysql"}},
"2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"2004", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (2)":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"2005", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (3)":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"2006", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (4)":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"2011", "lang":"sh", "keywords":{"loc":["kernel"], "val":"kernel"}},
"<= 2.6.17.4 (proc) Local Root Exploit":{"minver":"0", "maxver":"2.6.17.4", "exploitdb":"2013", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.6.13 <= 2.6.17.4 prctl() Local Root Exploit (logrotate)":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"2031", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"Ubuntu/Debian Apache 1.3.33/1.3.34 (CGI TTY) Local Root Exploit":{"minver":"4.10", "maxver":"7.04", "exploitdb":"3384", "lang":"c", "keywords":{"loc":["os"], "val":"debian"}},
"Linux/Kernel 2.4/2.6 x86-64 System Call Emulation Exploit":{"minver":"2.4", "maxver":"2.6", "exploitdb":"4460", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"< 2.6.11.5 BLUETOOTH Stack Local Root Exploit":{"minver":"0", "maxver":"2.6.11.5", "exploitdb":"4756", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"bluetooth"}},
"2.6.17 - 2.6.24.1 vmsplice Local Root Exploit":{"minver":"2.6.17", "maxver":"2.6.24.1", "exploitdb":"5092", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.6.23 - 2.6.24 vmsplice Local Root Exploit":{"minver":"2.6.23", "maxver":"2.6.24", "exploitdb":"5093", "lang":"c", "keywords":{"loc":["os"], "val":"debian"}},
"Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit":{"minver":"0", "maxver":"99", "exploitdb":"5720", "lang":"python", "keywords":{"loc":["os"], "val":"debian"}},
"Linux Kernel < 2.6.22 ftruncate()/open() Local Exploit":{"minver":"0", "maxver":"2.6.22", "exploitdb":"6851", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"< 2.6.29 exit_notify() Local Privilege Escalation Exploit":{"minver":"0", "maxver":"2.6.29", "exploitdb":"8369", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.6 UDEV Local Privilege Escalation Exploit":{"minver":"2.6", "maxver":"2.6.99", "exploitdb":"8478", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"udev"}},
"2.6 UDEV < 141 Local Privilege Escalation Exploit":{"minver":"2.6", "maxver":"2.6.99", "exploitdb":"8572", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"udev"}},
"2.6.x ptrace_attach Local Privilege Escalation Exploit":{"minver":"2.6", "maxver":"2.6.99", "exploitdb":"8673", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.6.29 ptrace_attach() Local Root Race Condition Exploit":{"minver":"2.6.29", "maxver":"2.6.29", "exploitdb":"8678", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"Linux Kernel <=2.6.28.3 set_selection() UTF-8 Off By One Local Exploit":{"minver":"0", "maxver":"2.6.28.3", "exploitdb":"9083", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"Test Kernel Local Root Exploit 0day":{"minver":"2.6.18", "maxver":"2.6.30", "exploitdb":"9191", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"PulseAudio (setuid) Priv. Escalation Exploit (ubu/9.04)(slack/12.2.0)":{"minver":"2.6.9", "maxver":"2.6.30", "exploitdb":"9208", "lang":"c", "keywords":{"loc":["pkg"], "val":"pulse"}},
"2.x sock_sendpage() Local Ring0 Root Exploit":{"minver":"2", "maxver":"2.99", "exploitdb":"9435", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.x sock_sendpage() Local Root Exploit 2":{"minver":"2", "maxver":"2.99", "exploitdb":"9436", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.4/2.6 sock_sendpage() ring0 Root Exploit (simple ver)":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"9479", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.6 < 2.6.19 (32bit) ip_append_data() ring0 Root Exploit":{"minver":"2.6", "maxver":"2.6.19", "exploitdb":"9542", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.4/2.6 sock_sendpage() Local Root Exploit (ppc)":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"9545", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"< 2.6.19 udp_sendmsg Local Root Exploit (x86/x64)":{"minver":"0", "maxver":"2.6.19", "exploitdb":"9574", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"< 2.6.19 udp_sendmsg Local Root Exploit":{"minver":"0", "maxver":"2.6.19", "exploitdb":"9575", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.4/2.6 sock_sendpage() Local Root Exploit [2]":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"9598", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.4/2.6 sock_sendpage() Local Root Exploit [3]":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"9641", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.4.1-2.4.37 and 2.6.1-2.6.32-rc5 Pipe.c Privelege Escalation":{"minver":"2.4.1", "maxver":"2.6.32", "exploitdb":"9844", "lang":"python", "keywords":{"loc":["kernel"], "val":"kernel"}},
"'pipe.c' Local Privilege Escalation Vulnerability":{"minver":"2.4.1", "maxver":"2.6.32", "exploitdb":"10018", "lang":"sh", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.6.18-20 2009 Local Root Exploit":{"minver":"2.6.18", "maxver":"2.6.20", "exploitdb":"10613", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"Apache Spamassassin Milter Plugin Remote Root Command Execution":{"minver":"0", "maxver":"99", "exploitdb":"11662", "lang":"sh", "keywords":{"loc":["proc"], "val":"spamass-milter"}},
"<= 2.6.34-rc3 ReiserFS xattr Privilege Escalation":{"minver":"0", "maxver":"2.6.34", "exploitdb":"12130", "lang":"python", "keywords":{"loc":["mnt"], "val":"reiser"}},
"Ubuntu PAM MOTD local root":{"minver":"7", "maxver":"10.04", "exploitdb":"14339", "lang":"sh", "keywords":{"loc":["os"], "val":"ubuntu"}},
"< 2.6.36-rc1 CAN BCM Privilege Escalation Exploit":{"minver":"0", "maxver":"2.6.36", "exploitdb":"14814", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"Kernel ia32syscall Emulation Privilege Escalation":{"minver":"0", "maxver":"99", "exploitdb":"15023", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"Linux RDS Protocol Local Privilege Escalation":{"minver":"0", "maxver":"2.6.36", "exploitdb":"15285", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"<= 2.6.37 Local Privilege Escalation":{"minver":"0", "maxver":"2.6.37", "exploitdb":"15704", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"< 2.6.37-rc2 ACPI custom_method Privilege Escalation":{"minver":"0", "maxver":"2.6.37", "exploitdb":"15774", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"CAP_SYS_ADMIN to root Exploit":{"minver":"0", "maxver":"99", "exploitdb":"15916", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit)":{"minver":"0", "maxver":"99", "exploitdb":"15944", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"< 2.6.36.2 Econet Privilege Escalation Exploit":{"minver":"0", "maxver":"2.6.36.2", "exploitdb":"17787", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"Sendpage Local Privilege Escalation":{"minver":"0", "maxver":"99", "exploitdb":"19933", "lang":"ruby", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.4.18/19 Privileged File Descriptor Resource Exhaustion Vulnerability":{"minver":"2.4.18", "maxver":"2.4.19", "exploitdb":"21598", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.2.x/2.4.x Privileged Process Hijacking Vulnerability (1)":{"minver":"2.2", "maxver":"2.4.99", "exploitdb":"22362", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.2.x/2.4.x Privileged Process Hijacking Vulnerability (2)":{"minver":"2.2", "maxver":"2.4.99", "exploitdb":"22363", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"Samba 2.2.8 Share Local Privilege Elevation Vulnerability":{"minver":"2.2.8", "maxver":"2.2.8", "exploitdb":"23674", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"samba"}},
"open-time Capability file_ns_capable() - Privilege Escalation Vulnerability":{"minver":"0", "maxver":"99", "exploitdb":"25307", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"open-time Capability file_ns_capable() Privilege Escalation":{"minver":"0", "maxver":"99", "exploitdb":"25450", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
}
# variable declaration
os = sysInfo["OS"]["results"][0]
version = sysInfo["KERNEL"]["results"][0].split(" ")[2].split("-")[0]
langs = devTools["TOOLS"]["results"]
procs = getAppProc["PROCS"]["results"]
kernel = str(sysInfo["KERNEL"]["results"][0])
mount = driveInfo["MOUNT"]["results"]
#pkgs = getAppProc["PKGS"]["results"] # currently not using packages for sploit appicability but my in future
# lists to hold ranked, applicable sploits
# note: this is a best-effort, basic ranking designed to help in prioritizing priv escalation exploit checks
# all applicable exploits should be checked and this function could probably use some improvement
avgprob = []
highprob = []
for sploit in sploits:
lang = 0 # use to rank applicability of sploits
keyword = sploits[sploit]["keywords"]["val"]
sploitout = sploit + " || " + "http://www.exploit-db.com/exploits/" + sploits[sploit]["exploitdb"] + " || " + "Language=" + sploits[sploit]["lang"]
# first check for kernell applicability
if (version >= sploits[sploit]["minver"]) and (version <= sploits[sploit]["maxver"]):
# next check language applicability
if (sploits[sploit]["lang"] == "c") and (("gcc" in str(langs)) or ("cc" in str(langs))):
lang = 1 # language found, increase applicability score
elif sploits[sploit]["lang"] == "sh":
lang = 1 # language found, increase applicability score
elif (sploits[sploit]["lang"] in str(langs)):
lang = 1 # language found, increase applicability score
if lang == 0:
sploitout = sploitout + "**" # added mark if language not detected on system
# next check keyword matches to determine if some sploits have a higher probability of success
for loc in sploits[sploit]["keywords"]["loc"]:
if loc == "proc":
for proc in procs:
if keyword in proc:
highprob.append(sploitout) # if sploit is associated with a running process consider it a higher probability/applicability
break
break
elif loc == "os":
if (keyword in os) or (keyword in kernel):
highprob.append(sploitout) # if sploit is specifically applicable to this OS consider it a higher probability/applicability
break
elif loc == "mnt":
if keyword in mount:
highprob.append(sploitout) # if sploit is specifically applicable to a mounted file system consider it a higher probability/applicability
break
else:
avgprob.append(sploitout) # otherwise, consider average probability/applicability based only on kernel version
print " Note: Exploits relying on a compile/scripting language not detected on this system are marked with a '**' but should still be tested!"
print
print " The following exploits are ranked higher in probability of success because this script detected a related running process, OS, or mounted file system"
for exploit in highprob:
print " - " + exploit
print
print " The following exploits are applicable to this kernel version and should be investigated as well"
for exploit in avgprob:
print " - " + exploit
print
print "Finished"
print bigline
Raw
unix-privesc-check.sh
#!/bin/sh
# unix-privesc-check - Checks Unix system for simple privilege escalations
# Copyright (C) 2008 [email protected]
#
#
# License
# -------
# This tool may be used for legal purposes only. Users take full responsibility
# for any actions performed using this tool. The author accepts no liability
# for damage caused by this tool. If you do not accept these condition then
# you are prohibited from using this tool.
#
# In all other respects the GPL version 2 applies:
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# You are encouraged to send comments, improvements or suggestions to
# me at [email protected]
#
#
# Description
# -----------
# Auditing tool to check for weak file permissions and other problems that
# may allow local attackers to escalate privileges.
#
# It is intended to be run by security auditors and pentetration testers
# against systems they have been engaged to assess, and also by system
# admnisitrators who want to check for "obvious" misconfigurations. It
# can even be run as a cron job so you can check regularly for misconfigurations
# that might be introduced.
#
# Ensure that you have the appropriate legal permission before running it
# someone else's system.
#
# TODO List
# ---------
# There's still plenty that this script doesn't do...
# - Doesn't work for shell scripts! These appear as "/bin/sh my.sh" in the process listing.
# This script only checks the perms of /bin/sh. Not what we're after. :-(
# - Similarly for perl scripts. Probably python, etc. too.
# - Check /proc/pid/cmdline for absolute path names. Check security of these (e.g. /etc/snmp/snmpd.conf)
# - Check everything in root's path - how to find root's path?
# - /proc/pid/maps, smaps are readable and lists some shared objects. We should check these.
# - /proc/pid/fd contain symlinks to all open files (but you can't see other people FDs)
# - check for trust relationships in /etc/hosts.equiv
# - NFS imports / exports / automounter
# - Insecure stuff in /etc/fstab (e.g. allowing users to mount file systems)
# - Inspecting people's PATH. tricky. maybe read from /proc/pid/environ, .bashrc, /etc/profile, .bash_profile
# - Check if /etc/init.d/* scripts are readable. Advise user to audit them if they are.
# - .exrc?
# - X11 trusts, apache passwd files, mysql trusts?
# - Daemons configured in an insecure way: tftpd, sadmind, rexd
# - World writable dirs aren't as bad if the sticky bit is set. Check for this before reporting vulns.
# - Maybe do a strings of binaries (and their .so's?)
# - Do a better job of parsing cron lines - search for full paths
# - Maybe LDPATHs from /etc/env.d
# - Check if ldd, ld.so.conf changes have broken this script on non-linux systems.
# - Avoid check certain paths e.g. /-/_ clearly isn't a real directory.
# - create some sort of readable report
# - indicate when it's likely a result is a false positive and when it's not.
# - Skip pseudo processes e.g. [usb-storage]
# - File permission on kernel modules
# - Replace calls to echo with a my_echo func. Should be passed a string and an "importance" value:
# - my_echo 1 "This is important and should always be printed out"
# - my_echo 2 "This is less important and should only be printed in verbose mode"
# - We check some files / dirs multiple times. Slow. Can we implement a cache?
# - grep for PRIVATE KEY to find private ssh and ssl keys. Where to grep?
# - check SGID programs
VERSION="1.4"
HOME_DIR_FILES=".netrc .ssh/id_rsa .ssh/id_dsa .rhosts .shosts .my.cnf .ssh/authorized_keys .bash_history .sh_history .forward"
CONFIG_FILES="/etc/passwd /etc/group /etc/master.passwd /etc/inittab /etc/inetd.conf /etc/xinetd.con /etc/xinetd.d/* /etc/contab /etc/fstab /etc/profile /etc/sudoers"
PGDIRS="/usr/local/pgsql/data ~postgres/postgresql/data ~postgres/data ~pgsql/data ~pgsql/pgsql/data /var/lib/postgresql/data /etc/postgresql/8.2/main /var/lib/pgsql/data"
get_owner () {
GET_OWNER_FILE=$1
GET_OWNER_RETURN=`ls -lLd "$GET_OWNER_FILE" | awk '{print $3}'`
}
get_group () {
GET_GROUP_FILE=$1
GET_GROUP_RETURN=`ls -lLd "$GET_GROUP_FILE" | awk '{print $4}'`
}
usage () {
echo "unix-privesc-check v$VERSION ( http://pentestmonkey.net/tools/unix-privesc-check )"
echo
echo "Usage: unix-privesc-check { standard | detailed }"
echo
echo '"standard" mode: Speed-optimised check of lots of security settings.'
echo
echo '"detailed" mode: Same as standard mode, but also checks perms of open file'
echo ' handles and called files (e.g. parsed from shell scripts,'
echo ' linked .so files). This mode is slow and prone to false '
echo ' positives but might help you find more subtle flaws in 3rd'
echo ' party programs.'
echo
echo "This script checks file permissions and other settings that could allow"
echo "local users to escalate privileges."
echo
echo "Use of this script is only permitted on systems which you have been granted"
echo "legal permission to perform a security assessment of. Apart from this "
echo "condition the GPL v2 applies."
echo
echo "Search the output for the word 'WARNING'. If you don't see it then this"
echo "script didn't find any problems."
echo
}
banner () {
echo "Starting unix-privesc-check v$VERSION ( http://pentestmonkey.net/tools/unix-privesc-check )"
echo
echo "This script checks file permissions and other settings that could allow"
echo "local users to escalate privileges."
echo
echo "Use of this script is only permitted on systems which you have been granted"
echo "legal permission to perform a security assessment of. Apart from this "
echo "condition the GPL v2 applies."
echo
echo "Search the output below for the word 'WARNING'. If you don't see it then"
echo "this script didn't find any problems."
echo
}
MODE=$1
if [ ! "$MODE" = "standard" ] && [ ! "$MODE" = "detailed" ]; then
usage
exit 0
fi
# Parse any full paths from $1 (config files, progs, dirs).
# Check the permissions on each of these.
check_called_programs () {
CCP_MESSAGE_STACK=$1
CCP_FILE=$2
CCP_USER=$3
CCP_PATH=$4 # optional
# Check the perms of the supplied file regardless
# The caller doesn't want to have to call check_perms as well as check_called_programs
check_perms "$CCP_MESSAGE_STACK" "$CCP_FILE" "$CCP_USER" "$CCP_PATH"
# Skip the slow check if we're in quick mode
if [ "$MODE" = "standard" ]; then
return 0;
fi
# Check if file is text or not
IS_TEXT=`file "$CCP_FILE" | grep -i text`
IS_DYNBIN=`file "$CCP_FILE" | grep -i 'dynamically linked'`
# Process shell scripts (would also work on config files that reference other files)
if [ ! -z "$IS_TEXT" ]; then
# Parse full paths from file - ignoring commented lines
CALLED_FILES=`grep -v '^#' "$CCP_FILE" | sed -e 's/^[^\/]*//' -e 's/["'\'':}$]/\x0a/g' | grep '/' | sed -e 's/[ \*].*//' | grep '^/[a-zA-Z0-9_/-]*$' | sort -u`
for CALLED_FILE in $CALLED_FILES; do
# echo "$CCP_FILE contains a reference to $CALLED_FILE. Checking perms."
check_perms "$CCP_MESSAGE_STACK $CCP_FILE contains the string $CALLED_FILE." "$CALLED_FILE" "$CCP_USER" "$CCP_PATH"
done
else
# Process dynamically linked binaries
if [ ! -z "$IS_DYNBIN" ]; then
CALLED_FILES=`ldd "$CCP_FILE" 2>/dev/null | grep '/' | sed 's/[^\/]*\//\//' | cut -f 1 -d ' '`
for CALLED_FILE in $CALLED_FILES; do
check_perms "$CCP_MESSAGE_STACK $CCP_FILE uses the library $CALLED_FILE." "$CALLED_FILE" "$CCP_USER" "$CCP_PATH"
done
# Strings binary to look for hard-coded config files
# or other programs that might be called.
for CALLED_FILE in `strings "$CCP_FILE" | sed -e 's/^[^\/]*//' -e 's/["'\'':}$]/\x0a/g' | grep '/' | sed -e 's/[ \*].*//' | grep '^/[a-zA-Z0-9_/-]*$' | sort -u`; do
check_perms "$CCP_MESSAGE_STACK $CCP_FILE contains the string $CALLED_FILE." "$CALLED_FILE" "$CCP_USER" "$CCP_PATH"
done
fi
fi
}
# Parse any full paths from $1 (config files, progs, dirs).
# Check the permissions on each of these.
check_called_programs_suid () {
CCP_FILE=$1
CCP_PATH=$2 # optional
get_owner $CCP_FILE; CCP_USER=$GET_OWNER_RETURN
CCP_MESSAGE_STACK="$CCP_FILE is SUID $CCP_USER."
LS=`ls -l $CCP_FILE`
echo "Checking SUID-$CCP_USER program $CCP_FILE: $LS"
# Don't check perms of executable itself
# check_perms "$CCP_MESSAGE_STACK" "$CCP_FILE" "$CCP_USER" "$CCP_PATH"
# Check if file is text or not
IS_TEXT=`file "$CCP_FILE" | grep -i text`
IS_DYNBIN=`file "$CCP_FILE" | grep -i 'dynamically linked'`
# Process shell scripts (would also work on config files that reference other files)
if [ ! -z "$IS_TEXT" ]; then
# Skip the slow check if we're in quick mode
if [ "$MODE" = "standard" ]; then
return 0;
fi
# Parse full paths from file - ignoring commented lines
CALLED_FILES=`grep -v '^#' "$CCP_FILE" | sed -e 's/^[^\/]*//' -e 's/["'\'':}$]/\x0a/g' | grep '/' | sed -e 's/[ \*].*//' | grep '^/[a-zA-Z0-9_/-]*$' | sort -u`
for CALLED_FILE in $CALLED_FILES; do
# echo "$CCP_FILE contains a reference to $CALLED_FILE. Checking perms."
check_perms "$CCP_MESSAGE_STACK $CCP_FILE contains the string $CALLED_FILE." "$CALLED_FILE" "$CCP_USER" "$CCP_PATH"
done
else
# Process dynamically linked binaries
if [ ! -z "$IS_DYNBIN" ]; then
CALLED_FILES=`ldd "$CCP_FILE" 2>/dev/null | grep '/' | sed 's/[^\/]*\//\//' | cut -f 1 -d ' '`
for CALLED_FILE in $CALLED_FILES; do
check_perms "$CCP_MESSAGE_STACK $CCP_FILE uses the library $CALLED_FILE." "$CALLED_FILE" "$CCP_USER" "$CCP_PATH"
done
# Skip the slow check if we're in quick mode
if [ "$MODE" = "standard" ]; then
return 0;
fi
# Strings binary to look for hard-coded config files
# or other programs that might be called.
for CALLED_FILE in `strings "$CCP_FILE" | sed -e 's/^[^\/]*//' -e 's/["'\'':}$]/\x0a/g' | grep '/' | sed -e 's/[ \*].*//' | grep '^/[a-zA-Z0-9_/-]*$' | sort -u`; do
check_perms "$CCP_MESSAGE_STACK $CCP_FILE contains the string $CALLED_FILE." "$CALLED_FILE" "$CCP_USER" "$CCP_PATH"
done
fi
fi
}
# Check if $1 can be changed by users who are not $2
check_perms () {
CP_MESSAGE_STACK=$1
CHECK_PERMS_FILE=$2
CHECK_PERMS_USER=$3
CHECK_PERMS_PATH=$4 # optional
if [ ! -f "$CHECK_PERMS_FILE" ] && [ ! -d "$CHECK_PERMS_FILE" ] && [ ! -b "$CHECK_PERMS_FILE" ]; then
CHECK_PERMS_FOUND=0
if [ ! -z "$CHECK_PERMS_PATH" ]; then
# Look for it in the supplied path
for DIR in `echo "$CHECK_PERMS_PATH" | sed 's/:/ /g'`; do
if [ -f "$DIR/$CHECK_PERMS_FILE" ]; then
CHECK_PERMS_FOUND=1
CHECK_PERMS_FILE="$DIR/$CHECK_PERMS_FILE"
break
fi
done
fi
#if [ "$CHECK_PERMS_FOUND" = "0" ]; then
# echo "ERROR: File $CHECK_PERMS_FILE doesn't exist. Checking parent path anyway."
# # return 0
# fi
fi
C=`echo "$CHECK_PERMS_FILE" | cut -c 1`
if [ ! "$C" = "/" ]; then
echo "ERROR: Can't find absolute path for $CHECK_PERMS_FILE. Skipping."
return 0
fi
echo " Checking if anyone except $CHECK_PERMS_USER can change $CHECK_PERMS_FILE"
while [ -n "$CHECK_PERMS_FILE" ]; do
perms_secure "$CP_MESSAGE_STACK" $CHECK_PERMS_FILE $CHECK_PERMS_USER
CHECK_PERMS_FILE=`echo $CHECK_PERMS_FILE | sed 's/\/[^\/]*$//'`
done
}
# Check if $1 can be read by users who are not $2
check_read_perms () {
CP_MESSAGE_STACK=$1
CHECK_PERMS_FILE=$2
CHECK_PERMS_USER=$3
if [ ! -f "$CHECK_PERMS_FILE" ] && [ ! -b "$CHECK_PERMS_FILE" ]; then
echo "ERROR: File $CHECK_PERMS_FILE doesn't exist"
return 0
fi
echo " Checking if anyone except $CHECK_PERMS_USER can read file $CHECK_PERMS_FILE"
perms_secure_read "$CP_MESSAGE_STACK" "$CHECK_PERMS_FILE" "$CHECK_PERMS_USER"
}
perms_secure_read () {
PS_MESSAGE_STACK=$1
PERMS_SECURE_FILE=$2
PERMS_SECURE_USER=$3
if [ ! -b "$PERMS_SECURE_FILE" ] && [ ! -f "$PERMS_SECURE_FILE" ] && [ ! -d "$PERMS_SECURE_FILE" ]; then
echo "ERROR: No such file or directory: $PERMS_SECURE_FILE. Skipping."
return 0
fi
# Check if owner is different (but ignore root ownership, that's OK)
only_user_can_read "$PS_MESSAGE_STACK" $PERMS_SECURE_FILE $PERMS_SECURE_USER
# Check group read perm (but ignore root group, that's OK)
group_can_read "$PS_MESSAGE_STACK" $PERMS_SECURE_FILE $PERMS_SECURE_USER
# Check world read perm
world_can_read "$PS_MESSAGE_STACK" $PERMS_SECURE_FILE
}
perms_secure () {
PS_MESSAGE_STACK=$1
PERMS_SECURE_FILE=$2
PERMS_SECURE_USER=$3
if [ ! -d "$PERMS_SECURE_FILE" ] && [ ! -f "$PERMS_SECURE_FILE" ] && [ ! -b "$PERMS_SECURE_FILE" ]; then
# echo "ERROR: No such file or directory: $PERMS_SECURE_FILE. Skipping."
return 0
fi
# Check if owner is different (but ignore root ownership, that's OK)
only_user_can_write "$PS_MESSAGE_STACK" $PERMS_SECURE_FILE $PERMS_SECURE_USER
# Check group write perm (but ignore root group, that's OK)
group_can_write "$PS_MESSAGE_STACK" $PERMS_SECURE_FILE $PERMS_SECURE_USER
# Check world write perm
world_can_write "$PS_MESSAGE_STACK" $PERMS_SECURE_FILE
}
only_user_can_write () {
O_MESSAGE_STACK=$1
O_FILE=$2
O_USER=$3
# We just need to check the owner really as the owner
# can always grant themselves write access
get_owner $O_FILE; O_FILE_USER=$GET_OWNER_RETURN
if [ ! "$O_USER" = "$O_FILE_USER" ] && [ ! "$O_FILE_USER" = "root" ]; then
echo "WARNING: $O_MESSAGE_STACK The user $O_FILE_USER can write to $O_FILE"
fi
}
group_can_write () {
O_MESSAGE_STACK=$1
O_FILE=$2
O_USER=$3 # ignore group write access $3 is only member of group
get_group $O_FILE; O_FILE_GROUP=$GET_GROUP_RETURN
P=`ls -lLd $O_FILE | cut -c 6`
if [ "$P" = "w" ] && [ ! "$O_GROUP" = "root" ]; then
# check the group actually has some members other than $O_USER
group_has_other_members "$O_FILE_GROUP" "$O_USER"; # sets OTHER_MEMBERS to 1 or 0
if [ "$OTHER_MEMBERS" = "1" ]; then
echo "WARNING: $O_MESSAGE_STACK The group $O_FILE_GROUP can write to $O_FILE"
fi
fi
}
group_has_other_members () {
G_GROUP=$1
G_USER=$2
# If LDAP/NIS is being used this script can't check group memberships
# we therefore assume the worst.
if [ "$EXT_AUTH" = 1 ]; then
OTHER_MEMBERS=1
return 1
fi
GROUP_LINE=`grep "^$G_GROUP:" /etc/group`
MEMBERS=`echo "$GROUP_LINE" | cut -f 4 -d : | sed 's/,/ /g'`
GID=`echo "$GROUP_LINE" | cut -f 3 -d :`
EXTRA_MEMBERS=`grep "^[^:]*:[^:]*:[0-9]*:$GID:" /etc/passwd | cut -f 1 -d : | xargs echo`
for M in $MEMBERS; do
if [ ! "$M" = "$G_USER" ] && [ ! "$M" = "root" ]; then
OTHER_MEMBERS=1
return 1
fi
done
for M in $EXTRA_MEMBERS; do
if [ ! "$M" = "$G_USER" ] && [ ! "$M" = "root" ]; then
OTHER_MEMBERS=1
return 1
fi
done
OTHER_MEMBERS=0
return 0
}
world_can_write () {
O_MESSAGE_STACK=$1
O_FILE=$2
P=`ls -lLd $O_FILE | cut -c 9`
S=`ls -lLd $O_FILE | cut -c 10`
if [ "$P" = "w" ]; then
if [ "$S" = "t" ]; then
echo "WARNING: $O_MESSAGE_STACK World write is set for $O_FILE (but sticky bit set)"
else
echo "WARNING: $O_MESSAGE_STACK World write is set for $O_FILE"
fi
fi
}
only_user_can_read () {
O_MESSAGE_STACK=$1
O_FILE=$2
O_USER=$3
# We just need to check the owner really as the owner
# can always grant themselves read access
get_owner $O_FILE; O_FILE_USER=$GET_OWNER_RETURN
if [ ! "$O_USER" = "$O_FILE_USER" ] && [ ! "$O_FILE_USER" = "root" ]; then
echo "WARNING: $O_MESSAGE_STACK The user $O_FILE_USER can read $O_FILE"
fi
}
group_can_read () {
O_MESSAGE_STACK=$1
O_FILE=$2
O_USER=$3
get_group $O_FILE; O_FILE_GROUP=$GET_GROUP_RETURN
P=`ls -lLd $O_FILE | cut -c 5`
if [ "$P" = "r" ] && [ ! "$O_GROUP" = "root" ]; then
# check the group actually has some members other than $O_USER
group_has_other_members "$O_FILE_GROUP" "$O_USER"; # sets OTHER_MEMBERS to 1 or 0
if [ "$OTHER_MEMBERS" = "1" ]; then
echo "WARNING: $O_MESSAGE_STACK The group $O_FILE_GROUP can read $O_FILE"
fi
fi
}
world_can_read () {
O_MESSAGE_STACK=$1
O_FILE=$2
P=`ls -lLd $O_FILE | cut -c 8`
if [ "$P" = "w" ]; then
echo "WARNING: $O_MESSAGE_STACK World read is set for $O_FILE"
fi
}
section () {
echo
echo '############################################'
echo $1
echo '############################################'
}
# Guess OS
if [ -x /usr/bin/showrev ]; then
OS="solaris"
SHADOW="/etc/shadow"
elif [ -x /usr/sbin/sam -o -x /usr/bin/sam ]; then
OS="hpux"
SHADOW="/etc/shadow"
elif [ -f /etc/master.passwd ]; then
OS="bsd"
SHADOW="/etc/master.passwd"
else
OS="linux"
SHADOW="/etc/shadow"
fi
echo "Assuming the OS is: $OS"
CONFIG_FILES="$CONFIG_FILES $SHADOW"
# Set path so we can access usual directories. HPUX and some linuxes don't have sbin in the path.
PATH=$PATH:/usr/bin:/bin:/sbin:/usr/sbin; export PATH
# Check dependent programs are installed
# Assume "which" is installed!
PROGS="ls awk grep cat mount xargs file ldd strings"
for PROG in $PROGS; do
which $PROG 2>&1 > /dev/null
if [ ! $? = "0" ]; then
echo "ERROR: Dependend program '$PROG' is mising. Can't run. Sorry!"
exit 1
fi
done
banner
section "Recording hostname"
hostname
section "Recording uname"
uname -a
section "Recording Interface IP addresses"
if [ $OS = 'hpux' ]; then
for IFACE in `lanscan | grep x | awk '{print $5}' 2>/dev/null`; do
ifconfig $IFACE 2>/dev/null
done
else
ifconfig -a
fi
section "Checking if external authentication is allowed in /etc/passwd"
FLAG=`grep '^+:' /etc/passwd`
if [ -n "$FLAG" ]; then
echo "WARNING: /etc/passwd allows external authentcation:"
grep '^+:' /etc/passwd
EXT_AUTH=1
else
echo "No +:... line found in /etc/passwd"
fi
section "Checking nsswitch.conf for addition authentication methods"
if [ -r "/etc/nsswitch.conf" ]; then
NIS=`grep '^passwd' /etc/nsswitch.conf | grep 'nis'`
if [ -n "$NIS" ]; then
echo "WARNING: NIS is used for authentication on this system"
EXT_AUTH=1
fi
LDAP=`grep '^passwd' /etc/nsswitch.conf | grep 'ldap'`
if [ -n "$LDAP" ]; then
echo "WARNING: LDAP is used for authentication on this system"
EXT_AUTH=1
fi
if [ -z "$NIS" ] && [ -z "$LDAP" ]; then
echo "Neither LDAP nor NIS are used for authentication"
fi
else
echo "ERROR: File /etc/nsswitch.conf isn't readable. Skipping checks."
fi
# Check important config files aren't writable
section "Checking for writable config files"
for FILE in $CONFIG_FILES; do
if [ -f "$FILE" ]; then
check_perms "$FILE is a critical config file." "$FILE" root
fi
done
section "Checking if $SHADOW is readable"
check_read_perms "/etc/shadow holds authentication data" $SHADOW root
section "Checking for password hashes in /etc/passwd"
FLAG=`grep -v '^[^:]*:[x\*]*:' /etc/passwd | grep -v '^#'`
if [ -n "$FLAG" ]; then
echo "WARNING: There seem to be some password hashes in /etc/passwd"
grep -v '^[^:]*:[x\*]*:' /etc/passwd | grep -v '^#'
EXT_AUTH=1
else
echo "No password hashes found in /etc/passwd"
fi
section "Checking account settings"
# Check for something nasty like r00t::0:0::/:/bin/sh in /etc/passwd
# We only need read access to /etc/passwd to be able to check this.
if [ -r "/etc/passwd" ]; then
OPEN=`grep "^[^:][^:]*::" /etc/passwd | cut -f 1 -d ":"`
if [ -n "$OPEN" ]; then
echo "WARNING: The following accounts have no password:"
grep "^[^:][^:]*::" /etc/passwd | cut -f 1 -d ":"
fi
fi
if [ -r "$SHADOW" ]; then
echo "Checking for accounts with no passwords"
if [ "$OS" = "linux" ]; then
passwd -S -a | while read LINE
do
USER=`echo "$LINE" | awk '{print $1}'`
STATUS=`echo "$LINE" | awk '{print $2}'`
if [ "$STATUS" = "NP" ]; then
echo "WARNING: User $USER doesn't have a password"
fi
done
elif [ "$OS" = "solaris" ]; then
passwd -s -a | while read LINE
do
USER=`echo "$LINE" | awk '{print $1}'`
STATUS=`echo "$LINE" | awk '{print $2}'`
if [ "$STATUS" = "NP" ]; then
echo "WARNING: User $USER doesn't have a password"
fi
done
fi
else
echo "File $SHADOW isn't readable. Skipping some checks."
fi
section "Checking library directories from /etc/ld.so.conf"
if [ -f "/etc/ld.so.conf" ] && [ -r "/etc/ld.so.conf" ]; then
for DIR in `grep '^/' /etc/ld.so.conf`; do
check_perms "$DIR is in /etc/ld.so.conf." $DIR root
done
#FILES=`grep '^include' /etc/ld.so.conf | sed 's/^include *//'`
#if [ ! -z "$FILES" ]; then
# for DIR in `echo $FILES | xargs cat | sort -u`; do
# done
#fi
else
echo "File /etc/ld.so.conf not present. Skipping checks."
fi
# Check sudoers if we have permission - needs root normally
section "Checking sudo configuration"
if [ -f "/etc/sudoers" ] && [ -r "/etc/sudoers" ]; then
echo -----------------
echo "Checking if sudo is configured"
SUDO_USERS=`grep -v '^#' /etc/sudoers | grep -v '^[ \t]*$' | grep -v '^[ \t]*Default' | grep =`
if [ ! -z "$SUDO_USERS" ]; then
echo "WARNING: Sudo is configured. Manually check nothing unsafe is allowed:"
grep -v '^#' /etc/sudoers | grep -v '^[ \t]*$' | grep = | grep -v '^[ \t]*Default'
fi
echo -----------------
echo "Checking sudo users need a password"
SUDO_NOPASSWD=`grep -v '^#' /etc/sudoers | grep -v '^[ \t]*$' | grep NOPASSWD`
if [ ! -z "$SUDO_NOPASSWD" ]; then
echo "WARNING: Some users can use sudo without a password:"
grep -v '^#' /etc/sudoers | grep -v '^[ \t]*$' | grep NOPASSWD
fi
else
echo "File /etc/sudoers not present. Skipping checks."
fi
section "Checking permissions on swap file(s)"
for SWAP in `swapon -s | grep -v '^Filename' | cut -f 1 -d ' '`; do
check_perms "$SWAP is used for swap space." $SWAP root
check_read_perms "$SWAP is used for swap space." $SWAP root
done
section "Checking programs run from inittab"
if [ -f "/etc/inittab" ] && [ -r "/etc/inittab" ]; then
for FILE in `cat /etc/inittab | grep : | grep -v '^#' | cut -f 4 -d : | grep '/' | cut -f 1 -d ' ' | sort -u`; do
check_called_programs "$FILE is run from /etc/inittab as root." $FILE root
done
else
echo "File /etc/inittab not present. Skipping checks."
fi
section "Checking postgres trust relationships"
for DIR in $PGDIRS; do
if [ -d "$DIR" ] && [ -r "$DIR/pg_hba.conf" ]; then
grep -v '^#' "$DIR/pg_hba.conf" | grep -v '^[ \t]*$' | while read LINE
do
AUTH=`echo "$LINE" | awk '{print $NF}'`
if [ "$AUTH" = "trust" ]; then
PGTRUST=1
echo "WARNING: Postgres trust configured in $DIR/pg_hba.conf: $LINE"
fi
done
fi
done
PGVER1=`psql -U postgres template1 -c 'select version()' 2>/dev/null | grep version`
if [ -n "$PGVER1" ]; then
PGTRUST=1
echo "WARNING: Can connect to local postgres database as \"postgres\" without a password"
fi
PGVER2=`psql -U pgsql template1 -c 'select version()' 2>/dev/null | grep version`
if [ -n "$PGVER2" ]; then
PGTRUST=1
echo "WARNING: Can connect to local postgres database as \"pgsql\" without a password"
fi
if [ -z "$PGTRUST" ]; then
echo "No postgres trusts detected"
fi
# Check device files for mounted file systems are secure
# cat /proc/mounts | while read LINE # Doesn't work so well when LVM is used - need to be root
section "Checking permissions on device files for mounted partitions"
if [ "$OS" = "linux" ]; then
mount | while read LINE
do
DEVICE=`echo "$LINE" | awk '{print $1}'`
FS=`echo "$LINE" | awk '{print $5}'`
if [ "$FS" = "ext2" ] || [ "$FS" = "ext3" ] ||[ "$FS" = "reiserfs" ]; then
echo "Checking device $DEVICE"
check_perms "$DEVICE is a mounted file system." $DEVICE root
fi
done
elif [ "$OS" = "bsd" ]; then
mount | grep ufs | while read LINE
do
DEVICE=`echo "$LINE" | awk '{print $1}'`
echo "Checking device $DEVICE"
check_perms "$DEVICE is a mounted file system." $DEVICE root
done
elif [ "$OS" = "solaris" ]; then
mount | grep xattr | while read LINE
do
DEVICE=`echo "$LINE" | awk '{print $3}'`
if [ ! "$DEVICE" = "swap" ]; then
echo "Checking device $DEVICE"
check_perms "$DEVICE is a mounted file system." $DEVICE root
fi
done
elif [ "$OS" = "hpux" ]; then
mount | while read LINE
do
DEVICE=`echo "$LINE" | awk '{print $3}'`
C=`echo $DEVICE | cut -c 1`
if [ "$C" = "/" ]; then
echo "Checking device $DEVICE"
check_perms "$DEVICE is a mounted file system." $DEVICE root
fi
done
NFS=`mount | grep NFS`
if [ -n "$NFS" ]; then
echo "WARNING: This system is an NFS client. Check for nosuid and nodev options."
mount | grep NFS
fi
fi
# Check cron jobs if they're readable
# TODO check that cron is actually running
section "Checking cron job programs aren't writable (/etc/crontab)"
CRONDIRS=""
if [ -f "/etc/crontab" ] && [ -r "/etc/crontab" ]; then
MYPATH=`grep '^PATH=' /etc/crontab | cut -f 2 -d = `
echo Crontab path is $MYPATH
# Check if /etc/cron.(hourly|daily|weekly|monthly) are being used
CRONDIRS=`grep -v '^#' /etc/crontab | grep -v '^[ \t]*$' | grep '[ \t][^ \t][^ \t]*[ \t][ \t]*' | grep run-crons`
# Process run-parts
grep -v '^#' /etc/crontab | grep -v '^[ \t]*$' | grep '[ \t][^ \t][^ \t]*[ \t][ \t]*' | grep run-parts | while read LINE
do
echo "Processing crontab run-parts entry: $LINE"
USER=`echo "$LINE" | awk '{print $6}'`
DIR=`echo "$LINE" | sed 's/.*run-parts[^()&|;\/]*\(\/[^ ]*\).*/\1/'`
check_perms "$DIR holds cron jobs which are run as $USER." "$DIR" "$USER"
if [ -d "$DIR" ]; then
echo " Checking directory: $DIR"
for FILE in $DIR/*; do
FILENAME=`echo "$FILE" | sed 's/.*\///'`
if [ "$FILENAME" = "*" ]; then
echo " No files in this directory."
continue
fi
check_called_programs "$FILE is run by cron as $USER." "$FILE" "$USER"
done
fi
done
# TODO bsd'd periodic:
# 1 3 * * * root periodic daily
# 15 4 * * 6 root periodic weekly
# 30 5 1 * * root periodic monthly
grep -v '^#' /etc/crontab | grep -v '^[ ]*$' | grep '[ ][^ ][^ ]*[ ][ ]*' | while read LINE
do
echo "Processing crontab entry: $LINE"
USER=`echo "$LINE" | awk '{print $6}'`
PROG=`echo "$LINE" | awk '{print $7}'`
check_called_programs "$PROG is run from crontab as $USER." $PROG $USER $MYPATH
done
else
echo "File /etc/crontab not present. Skipping checks."
fi
# Do this if run-crons is run from /etc/crontab
if [ -n "$CRONDIRS" ]; then
USER=`echo "$CRONDIRS" | awk '{print $6}'`
section "Checking /etc/cron.(hourly|daily|weekly|monthly)"
for DIR in hourly daily weekly monthly; do
if [ -d "/etc/cron.$DIR" ]; then
echo " Checking directory: /etc/cron.$DIR"
for FILE in /etc/cron.$DIR/*; do
FILENAME=`echo "$FILE" | sed 's/.*\///'`
if [ "$FILENAME" = "*" ]; then
echo "No files in this directory."
continue
fi
check_called_programs "$FILE is run via cron as $USER." "$FILE" $USER
done
fi
done
fi
section "Checking cron job programs aren't writable (/var/spool/cron/crontabs)"
if [ -d "/var/spool/cron/crontabs" ]; then
for FILE in /var/spool/cron/crontabs/*; do
USER=`echo "$FILE" | sed 's/^.*\///'`
if [ "$USER" = "*" ]; then
echo "No user crontabs found in /var/spool/cron/crontabs. Skipping checks."
continue
fi
echo "Processing crontab for $USER: $FILE"
if [ -r "$FILE" ]; then
MYPATH=`grep '^PATH=' "$FILE" | cut -f 2 -d = `
if [ -n "$MYPATH" ]; then
echo Crontab path is $MYPATH
fi
grep -v '^#' "$FILE" | grep -v '^[ \t]*$' | grep '[ \t][^ \t][^ \t]*[ \t][ \t]*' | while read LINE
do
echo "Processing crontab entry: $LINE"
PROG=`echo "$LINE" | awk '{print $6}'`
check_called_programs "$PROG is run via cron as $USER." "$PROG" $USER
done
else
echo "ERROR: Can't read file $FILE"
fi
done
else
echo "Directory /var/spool/cron/crontabs is not present. Skipping checks."
fi
section "Checking cron job programs aren't writable (/var/spool/cron/tabs)"
if [ -d "/var/spool/cron/tabs" ]; then
for FILE in /var/spool/cron/tabs/*; do
USER=`echo "$FILE" | sed 's/^.*\///'`
if [ "$USER" = "*" ]; then
echo "No user crontabs found in /var/spool/cron/crontabs. Skipping checks."
continue
fi
echo "Processing crontab for $USER: $FILE"
if [ -r "$FILE" ]; then
MYPATH=`grep '^PATH=' "$FILE" | cut -f 2 -d = `
if [ -n "$MYPATH" ]; then
echo Crontab path is $MYPATH
fi
grep -v '^#' "$FILE" | grep -v '^[ \t]*$' | grep '[ \t][^ \t][^ \t]*[ \t][ \t]*' | while read LINE
do
echo "Processing crontab entry: $LINE"
PROG=`echo "$LINE" | awk '{print $6}'`
check_called_programs "$PROG is run from cron as $USER." $PROG $USER $MYPATH
done
else
echo "ERROR: Can't read file $FILE"
fi
done
else
echo "Directory /var/spool/cron/tabs is not present. Skipping checks."
fi
# Check programs run from /etc/inetd.conf have secure permissions
# TODO: check inetd is actually running
section "Checking inetd programs aren't writable"
if [ -f /etc/inetd.conf ] && [ -r /etc/inetd.conf ]; then
grep -v '^#' /etc/inetd.conf | grep -v '^[ \t]*$' | while read LINE
do
USER=`echo $LINE | awk '{print $5}'`
PROG=`echo $LINE | awk '{print $6}'` # could be tcpwappers ...
PROG2=`echo $LINE | awk '{print $7}'` # ... and this is the real prog
if [ -z "$PROG" ] || [ "$PROG" = "internal" ]; then
# Not calling an external program
continue
fi
echo Processing inetd line: $LINE
if [ -f "$PROG" ]; then
check_called_programs "$PROG is run from inetd as $USER." $PROG $USER
fi
if [ -f "$PROG2" ]; then
check_called_programs "$PROG is run from inetd as $USER." $PROG2 $USER
fi
done
else
echo "File /etc/inetd.conf not present. Skipping checks."
fi
# Check programs run from /etc/xinetd.d/*
# TODO: check xinetd is actually running
section "Checking xinetd programs aren't writeable"
if [ -d /etc/xinetd.d ]; then
for FILE in `grep 'disable[ \t]*=[ \t]*no' /etc/xinetd.d/* | cut -f 1 -d :`; do
echo Processing xinetd service file: $FILE
PROG=`grep '^[ \t]*server[ \t]*=[ \t]*' $FILE | sed 's/.*server.*=[ \t]*//'`
USER=`grep '^[ \t]*user[ \t]*=[ \t]*' $FILE | sed 's/.*user.*=[ \t]*//'`
check_called_programs "$PROG is run from xinetd as $USER." $PROG $USER
done
else
echo "Directory /etc/xinetd.d not present. Skipping checks."
fi
# Check for writable home directories
section "Checking home directories aren't writable"
cat /etc/passwd | grep -v '^#' | while read LINE
do
echo Processing /etc/passwd line: $LINE
USER=`echo $LINE | cut -f 1 -d :`
DIR=`echo $LINE | cut -f 6 -d :`
SHELL=`echo $LINE | cut -f 7 -d :`
if [ "$SHELL" = "/sbin/nologin" ] || [ "$SHELL" = "/bin/false" ]; then
echo " Skipping user $USER. They don't have a shell."
else
if [ "$DIR" = "/dev/null" ]; then
echo " Skipping /dev/null home directory"
else
check_perms "$DIR is the home directory of $USER." $DIR $USER
fi
fi
done
# Check for readable files in home directories
section "Checking for readable sensitive files in home directories"
cat /etc/passwd | while read LINE
do
USER=`echo $LINE | cut -f 1 -d :`
DIR=`echo $LINE | cut -f 6 -d :`
SHELL=`echo $LINE | cut -f 7 -d :`
for FILE in $HOME_DIR_FILES; do
if [ -f "$DIR/$FILE" ]; then
check_read_perms "$DIR/$FILE is in the home directory of $USER." "$DIR/$FILE" $USER
fi
done
done
section "Checking SUID programs"
if [ "$MODE" = "detailed" ]; then
for FILE in `find / -type f -perm -04000 2>/dev/null`; do
check_called_programs_suid $FILE
done
else
echo "Skipping checks of SUID programs (it's slow!). Run again in 'detailed' mode."
fi
# Check for private SSH keys in home directories
section "Checking for Private SSH Keys home directories"
for HOMEDIR in `cut -f 6 -d : /etc/passwd`; do
if [ -d "$HOMEDIR/.ssh" ]; then
PRIV_KEYS=`grep -l 'BEGIN [RD]SA PRIVATE KEY' $HOMEDIR/.ssh/* 2>/dev/null`
if [ -n "$PRIV_KEYS" ]; then
for KEY in $PRIV_KEYS; do
ENC_KEY=`grep -l 'ENCRYPTED' "$KEY" 2>/dev/null`
if [ -n "$ENC_KEY" ]; then
echo "WARNING: Encrypted Private SSH Key Found in $KEY"
else
echo "WARNING: Unencrypted Private SSH Key Found in $KEY"
fi
done
fi
fi
done
# Check for public SSH keys in home directories
section "Checking for Public SSH Keys home directories"
for HOMEDIR in `cut -f 6 -d : /etc/passwd`; do
if [ -r "$HOMEDIR/.ssh/authorized_keys" ]; then
KEYS=`grep '^ssh-' $HOMEDIR/.ssh/authorized_keys 2>/dev/null`
if [ -n "$KEYS" ]; then
echo "WARNING: Public SSH Key Found in $HOMEDIR/.ssh/authorized_keys"
fi
fi
done
# Check for any SSH agents running on the box
section "Checking for SSH agents"
AGENTS=`ps -ef | grep ssh-agent | grep -v grep`
if [ -n "$AGENTS" ]; then
echo "WARNING: There are SSH agents running on this system:"
ps -ef | grep ssh-agent | grep -v grep
# for PID in `ps aux | grep ssh-agent | grep -v grep | awk '{print $2}'`; do
for SOCK in `ls /tmp/ssh-*/agent.* 2>/dev/null`; do
SSH_AUTH_SOCK=$SOCK; export SSH_AUTH_SOCK
AGENT_KEYS=`ssh-add -l | grep -v 'agent has no identities.' 2>/dev/null`
if [ -n "$AGENT_KEYS" ]; then
echo "WARNING: SSH Agent has keys loaded [SSH_AUTH_SOCK=$SSH_AUTH_SOCK]"
ssh-add -l
fi
done
else
echo "No SSH agents found"
fi
# Check for any GPG agents running on the box
section "Checking for GPG agents"
AGENTS=`ps -ef | grep gpg-agent | grep -v grep`
if [ -n "$AGENTS" ]; then
echo "WARNING: There are GPG agents running on this system:"
ps aux | grep gpg-agent | grep -v grep
else
echo "No GPG agents found"
fi
# Check files in /etc/init.d/* can't be modified by non-root users
section "Checking startup files (init.d / rc.d) aren't writable"
for DIR in /etc/init.d /etc/rc.d /usr/local/etc/rc.d; do
if [ -d "$DIR" ]; then
for FILE in $DIR/*; do
F=`echo "$FILE" | sed 's/^.*\///'`
if [ "$F" = "*" ]; then
echo "No user startup script found in $DIR. Skipping checks."
continue
fi
echo Processing startup script $FILE
check_called_programs "$FILE is run by root at startup." $FILE root
done
fi
done
section "Checking if running programs are writable"
if [ $OS = "solaris" ]; then
# use the output of ps command
ps -ef -o user,comm | while read LINE
do
USER=`echo "$LINE" | awk '{print $1}'`
PROG=`echo "$LINE" | awk '{print $2}'`
check_called_programs "$PROG is currently running as $USER." "$PROG" "$USER"
done
elif [ $OS = "bsd" ]; then
# use the output of ps command
ps aux | while read LINE
do
USER=`echo "$LINE" | awk '{print $1}'`
PROG=`echo "$LINE" | awk '{print $11}'`
check_called_programs "$PROG is currently running as $USER." "$PROG" "$USER"
done
elif [ $OS = "hpux" ]; then
# use the output of ps command
ps -ef | while read LINE
do
USER=`echo "$LINE" | awk '{print $1}'`
PROG1=`echo "$LINE" | awk '{print $8}'`
PROG2=`echo "$LINE" | awk '{print $9}'`
if [ -f "$PROG1" ]; then
check_called_programs "$PROG is currently running as $USER." "$PROG1" "$USER"
fi
if [ -f "$PROG2" ]; then
check_called_programs "$PROG is currently running as $USER." "$PROG2" "$USER"
fi
done
elif [ $OS = "linux" ]; then
# use the /proc file system
for PROCDIR in /proc/[0-9]*; do
unset PROGPATH
PID=`echo $PROCDIR | cut -f 3 -d /`
echo ------------------------
echo "PID: $PID"
if [ -d "$PROCDIR" ]; then
if [ -r "$PROCDIR/exe" ]; then
PROGPATH=`ls -l "$PROCDIR/exe" 2>&1 | sed 's/ (deleted)//' | awk '{print $NF}'`
else
if [ -r "$PROCDIR/cmdline" ]; then
P=`cat $PROCDIR/cmdline | tr "\0" = | cut -f 1 -d = | grep '^/'`
if [ -z "$P" ]; then
echo "ERROR: Can't find full path of running program: "`cat $PROCDIR/cmdline`
else
PROGPATH=$P
fi
else
echo "ERROR: Can't find full path of running program: "`cat $PROCDIR/cmdline`
continue
fi
fi
get_owner $PROCDIR; OWNER=$GET_OWNER_RETURN
echo "Owner: $OWNER"
else
echo "ERROR: Can't find OWNER. Process has gone."
continue
fi
if [ -n "$PROGPATH" ]; then
get_owner $PROGPATH; PROGOWNER=$GET_OWNER_RETURN
echo "Program path: $PROGPATH"
check_called_programs "$PROGPATH is currently running as $OWNER." $PROGPATH $OWNER
fi
if [ "$MODE" == "detailed" ]; then
for FILE in $PROCDIR/fd/*; do
F=`echo "$FILE" | sed 's/^.*\///'`
if [ "$F" = "*" ]; then
continue
fi
check_perms "$FILE is an open file descriptor for process $PID running as $OWNER." $FILE $OWNER
done
fi
done
fi
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment