diff --git a/README.md b/README.md
index 4a90ace..bfb81a1 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,9 @@
 # Linux-System-Audit-Report
-A shell script that generate some data which can be used to check for drift.
\ No newline at end of file
+## How to use
+
+Run as a normal user – the script will skip the root‑only sections (they are already commented out).
+
+Run with sudo or as root – simply uncomment the lines that are marked with # NOTE: … or # Uncomment … and the script will collect the additional privileged data.
+
+Feel free to adjust any of the comments or uncomment the sections you need. Let me know if you’d like any further tweaks!
diff --git a/audit.sh b/audit.sh
new file mode 100755
index 0000000..6ddeb05
--- /dev/null
+++ b/audit.sh
@@ -0,0 +1,254 @@
+#!/usr/bin/env bash
+# -------------------------------------------------
+# audit_packages.sh – reproducible package audit
+# -------------------------------------------------
+set -euo pipefail
+
+TIMESTAMP="$(date +%Y%m%d_%H%M%S)"
+AUDIT_DIR="${HOME}/audit_${TIMESTAMP}"
+mkdir -p "${AUDIT_DIR}"
+chmod 700 "${AUDIT_DIR}"
+
+# -------------------------------------------------
+# 1. OS / kernel info
+# -------------------------------------------------
+cat /etc/os-release > "${AUDIT_DIR}/os_release.txt"
+uname -a >> "${AUDIT_DIR}/kernel.txt"
+lsb_release -a >> "${AUDIT_DIR}/os_release.txt" 2>/dev/null || true
+
+# -------------------------------------------------
+# 2. DEB packages
+# -------------------------------------------------
+dpkg -l > "${AUDIT_DIR}/dpkg_list.txt"
+apt list --installed > "${AUDIT_DIR}/apt_installed.txt"
+dpkg-query -W -f='${Package}\t${Version}\t${Architecture}\n' > "${AUDIT_DIR}/dpkg_detailed.txt"
+apt-mark showmanual > "${AUDIT_DIR}/manual_installed.txt"
+apt-mark showauto > "${AUDIT_DIR}/auto_installed.txt"
+
+# -------------------------------------------------
+# 3. Snap packages (if snapd is present)
+# -------------------------------------------------
+if command -v snap >/dev/null; then
+ snap list > "${AUDIT_DIR}/snap_list.txt"
+fi
+
+# -------------------------------------------------
+# 4. Flatpak packages (if flatpak is present)
+# -------------------------------------------------
+if command -v flatpak >/dev/null; then
+ flatpak list > "${AUDIT_DIR}/flatpak_list.txt"
+fi
+
+# -------------------------------------------------
+# 5. Language‑specific packages
+# -------------------------------------------------
+if command -v pip3 >/dev/null; then
+ pip3 list --format=columns > "${AUDIT_DIR}/pip3_list.txt"
+fi
+
+if command -v npm >/dev/null; then
+ npm list -g --depth=0 > "${AUDIT_DIR}/npm_global.txt"
+fi
+
+# -------------------------------------------------
+# 6. Example: which DEB owns /bin/bash
+# -------------------------------------------------
+dpkg -S "$(command -v bash)" > "${AUDIT_DIR}/bash_owning_package.txt" 2>/dev/null || true
+
+# -------------------------------------------------
+# 7. SYSTEM & SECURITY BASELINE
+# -------------------------------------------------
+# 7.1 Systemd unit status (enabled/disabled, failed)
+# NOTE: These commands need root to see *all* units. Uncomment if running as root.
+# systemctl list-unit-files --type=service > "${AUDIT_DIR}/systemd_unit_files.txt"
+# systemctl --failed > "${AUDIT_DIR}/systemd_failed_units.txt"
+
+# 7.2 Running services (active units)
+# NOTE: Root privileges give a complete view. Uncomment if desired.
+# systemctl list-units --type=service --state=running > "${AUDIT_DIR}/systemd_running_services.txt"
+
+# -------------------------------------------------
+# 8. USERS, GROUPS & PRIVILEGE ESCALATION
+# -------------------------------------------------
+# 8.1 Local users (passwd entries) – readable by any user
+getent passwd > "${AUDIT_DIR}/passwd_entries.txt"
+
+# 8.2 Local groups – readable by any user
+getent group > "${AUDIT_DIR}/group_entries.txt"
+
+# 8.3 sudo configuration (who can sudo) – may prompt for password
+# sudo -l > "${AUDIT_DIR}/sudoers.txt" 2>/dev/null || echo "sudo not configured" > "${AUDIT_DIR}/sudoers.txt"
+echo "sudo check skipped (requires password/root)" > "${AUDIT_DIR}/sudoers.txt"
+
+# 8.4 Authorized SSH keys (all users) – readable by any user
+{
+ for d in /home/*/.ssh; do
+ [ -d "$d" ] && cat "$d/authorized_keys" 2>/dev/null
+ done
+} > "${AUDIT_DIR}/ssh_authorized_keys.txt"
+
+# 8.5 Shadow file (password hashes & policies) – **requires root**
+# Uncomment the line below if you run the script as root.
+# cat /etc/shadow > "${AUDIT_DIR}/shadow.txt" 2>/dev/null || echo "shadow not readable" > "${AUDIT_DIR}/shadow.txt"
+
+# 8.6 Cron jobs (system‑wide and per‑user) – root crontab needs root
+# Uncomment if you have root privileges.
+# crontab -l > "${AUDIT_DIR}/root_crontab.txt" 2>/dev/null || true
+for u in $(cut -d: -f1 /etc/passwd); do
+ crontab -u "$u" -l > "${AUDIT_DIR}/crontab_${u}.txt" 2>/dev/null || true
+done
+
+# -------------------------------------------------
+# 9. NETWORK & FIREWALL
+# -------------------------------------------------
+# 9.1 Listening sockets
+ss -tulnp > "${AUDIT_DIR}/listening_sockets.txt"
+
+# 9.2 Active network connections
+ss -tunap > "${AUDIT_DIR}/active_connections.txt"
+
+# 9.3 Firewall rules (ufw or iptables) – iptables needs root
+if command -v ufw >/dev/null; then
+ # ufw status verbose > "${AUDIT_DIR}/firewall_ufw.txt"
+ echo "ufw status skipped (requires root)" > "${AUDIT_DIR}/firewall_ufw.txt"
+else
+ # iptables requires root; uncomment if running as root.
+ # iptables -L -nv > "${AUDIT_DIR}/firewall_iptables.txt"
+ echo "iptables command requires root – not executed" > "${AUDIT_DIR}/firewall_iptables.txt"
+fi
+
+# 9.4 Routing table
+ip route show > "${AUDIT_DIR}/routing_table.txt"
+
+# 9.5 Network interfaces & IP addresses
+ip -brief address > "${AUDIT_DIR}/interfaces.txt"
+
+# -------------------------------------------------
+# 10. STORAGE & FILESYSTEM
+# -------------------------------------------------
+# 10.1 Disk usage per filesystem
+df -hT > "${AUDIT_DIR}/disk_usage.txt"
+
+# 10.2 Mounted filesystems (options)
+mount > "${AUDIT_DIR}/mounts.txt"
+
+# 10.3 Top‑10 largest files on the system
+# du -ah / | sort -rh | head -n 10 > "${AUDIT_DIR}/largest_files.txt"
+echo "du check skipped (requires root to scan /)" > "${AUDIT_DIR}/largest_files.txt"
+
+# 10.4 Modified package files (debsums) – needs root for a full check
+# Uncomment if you have root privileges.
+# if command -v debsums >/dev/null; then
+# debsums -s > "${AUDIT_DIR}/modified_deb_files.txt" 2>/dev/null || echo "No modified files detected" > "${AUDIT_DIR}/modified_deb_files.txt"
+# else
+# echo "debsums not installed" > "${AUDIT_DIR}/modified_deb_files.txt"
+# fi
+echo "debsums check omitted (requires root)" > "${AUDIT_DIR}/modified_deb_files.txt"
+
+# -------------------------------------------------
+# 11. BUILD A SINGLE HUMAN‑READABLE REPORT
+# -------------------------------------------------
+{
+ echo "=== OS INFORMATION ==="
+ cat "${AUDIT_DIR}/os_release.txt"
+
+ echo -e "\n=== KERNEL ==="
+ cat "${AUDIT_DIR}/kernel.txt"
+
+ echo -e "\n=== DEB PACKAGES (dpkg -l) ==="
+ cat "${AUDIT_DIR}/dpkg_list.txt"
+
+ echo -e "\n=== APT INSTALLED LIST ==="
+ cat "${AUDIT_DIR}/apt_installed.txt"
+
+ echo -e "\n=== SNAP PACKAGES ==="
+ cat "${AUDIT_DIR}/snap_list.txt" 2>/dev/null || echo "Snap not installed"
+
+ echo -e "\n=== FLATPAK PACKAGES ==="
+ cat "${AUDIT_DIR}/flatpak_list.txt" 2>/dev/null || echo "Flatpak not installed"
+
+ echo -e "\n=== PYTHON3 PACKAGES ==="
+ cat "${AUDIT_DIR}/pip3_list.txt" 2>/dev/null || echo "pip3 not installed"
+
+ echo -e "\n=== NODEJS GLOBAL PACKAGES ==="
+ cat "${AUDIT_DIR}/npm_global.txt" 2>/dev/null || echo "npm not installed"
+
+ echo -e "\n=== MANUALLY INSTALLED DEB PACKAGES ==="
+ cat "${AUDIT_DIR}/manual_installed.txt"
+
+ echo -e "\n=== AUTOMATIC DEB PACKAGES ==="
+ cat "${AUDIT_DIR}/auto_installed.txt"
+
+ echo -e "\n=== OWNING PACKAGE FOR /bin/bash ==="
+ cat "${AUDIT_DIR}/bash_owning_package.txt" 2>/dev/null || echo "Not found"
+
+ # ---- System & security baseline ----
+ echo -e "\n=== SYSTEMD UNIT FILES (enabled/disabled) ==="
+ cat "${AUDIT_DIR}/systemd_unit_files.txt" 2>/dev/null || echo "Skipped (requires root)"
+
+ echo -e "\n=== SYSTEMD FAILED UNITS ==="
+ cat "${AUDIT_DIR}/systemd_failed_units.txt" 2>/dev/null || echo "Skipped (requires root)"
+
+ echo -e "\n=== SYSTEMD RUNNING SERVICES ==="
+ cat "${AUDIT_DIR}/systemd_running_services.txt" 2>/dev/null || echo "Skipped (requires root)"
+
+ # ---- Users, groups & privilege escalation ----
+ echo -e "\n=== /etc/passwd ENTRIES ==="
+ cat "${AUDIT_DIR}/passwd_entries.txt"
+
+ echo -e "\n=== /etc/group ENTRIES ==="
+ cat "${AUDIT_DIR}/group_entries.txt"
+
+ echo -e "\n=== SUDOERS (who can sudo) ==="
+ cat "${AUDIT_DIR}/sudoers.txt"
+
+ echo -e "\n=== SSH AUTHORIZED KEYS ==="
+ cat "${AUDIT_DIR}/ssh_authorized_keys.txt"
+
+ echo -e "\n=== /etc/shadow (password hashes) ==="
+ cat "${AUDIT_DIR}/shadow.txt" 2>/dev/null || echo "Skipped (requires root)"
+
+ echo -e "\n=== ROOT CRONTAB ==="
+ cat "${AUDIT_DIR}/root_crontab.txt" 2>/dev/null || echo "Skipped (requires root)"
+
+ echo -e "\n=== USER CRONTABS ==="
+ for f in "${AUDIT_DIR}"/crontab_*.txt; do
+ echo "---- $(basename "$f") ----"
+ cat "$f"
+ done
+
+ # ---- Network & firewall ----
+ echo -e "\n=== LISTENING SOCKETS ==="
+ cat "${AUDIT_DIR}/listening_sockets.txt"
+
+ echo -e "\n=== ACTIVE NETWORK CONNECTIONS ==="
+ cat "${AUDIT_DIR}/active_connections.txt"
+
+ echo -e "\n=== FIREWALL RULES ==="
+ if [ -f "${AUDIT_DIR}/firewall_ufw.txt" ]; then
+ cat "${AUDIT_DIR}/firewall_ufw.txt"
+ else
+ cat "${AUDIT_DIR}/firewall_iptables.txt"
+ fi
+
+ echo -e "\n=== ROUTING TABLE ==="
+ cat "${AUDIT_DIR}/routing_table.txt"
+
+ echo -e "\n=== NETWORK INTERFACES ==="
+ cat "${AUDIT_DIR}/interfaces.txt"
+
+ # ---- Storage & filesystem ----
+ echo -e "\n=== DISK USAGE ==="
+ cat "${AUDIT_DIR}/disk_usage.txt"
+
+ echo -e "\n=== MOUNTED FILESYSTEMS ==="
+ cat "${AUDIT_DIR}/mounts.txt"
+
+ echo -e "\n=== TOP 10 LARGEST FILES ==="
+ cat "${AUDIT_DIR}/largest_files.txt"
+
+ echo -e "\n=== MODIFIED DEB PACKAGE FILES (debsums) ==="
+ cat "${AUDIT_DIR}/modified_deb_files.txt"
+} > "${AUDIT_DIR}/audit_report.txt"
+
+echo "Audit completed. Report saved to ${AUDIT_DIR}/audit_report.txt"
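Review bot: The SSH key loop in section 8.4 aborts the whole script under `set -euo pipefail` whenever a readable `.ssh` directory has no `authorized_keys` file: in `[ -d "$d" ] && cat "$d/authorized_keys" 2>/dev/null` the `cat` is the command after the final `&&`, so bash's `-e` rule does apply to it, and `2>/dev/null` only hides the message — a normal user whose own `~/.ssh` holds just `known_hosts` never reaches sections 9–11 or the final report, contrary to the README's "run as a normal user" promise. Guarding with `if [ -r "$d/authorized_keys" ]` fixes this, and printing the directory before each file lets the report attribute keys to an account. The per-user crontab loop in 8.6 has a related silent gap: `crontab -u` is refused for every account without root, so each `crontab_<user>.txt` is created empty and the report cannot distinguish "no crontab" from "not readable"; it also reads `/etc/passwd` directly where 8.1 uses `getent passwd`. Both rewritten sections are below.

```bash
# 8.4 Authorized SSH keys (all users) – readable by any user
{
  for d in /home/*/.ssh; do
    # a missing or unreadable file is a normal case, not an error
    if [ -r "$d/authorized_keys" ]; then
      printf -- '---- %s ----\n' "$d"
      cat -- "$d/authorized_keys"
    fi
  done
} > "${AUDIT_DIR}/ssh_authorized_keys.txt"

# … unchanged: 8.5 shadow …

# 8.6 Cron jobs – only root may list other users' crontabs
if [ "$(id -u)" -eq 0 ]; then
  while IFS=: read -r u _; do
    crontab -u "$u" -l > "${AUDIT_DIR}/crontab_${u}.txt" 2>/dev/null || true
  done < <(getent passwd)
else
  me="$(id -un)"
  crontab -l > "${AUDIT_DIR}/crontab_${me}.txt" 2>/dev/null \
    || echo "no crontab for ${me}; other users skipped (requires root)" > "${AUDIT_DIR}/crontab_${me}.txt"
fi
```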