feat: Add a comprehensive Linux system audit script (audit.sh) and update README with usage instructions.

2026-01-28 12:14:12 +08:00
parent 8bf3c31ae3
commit fc1789fb61
2 changed files with 261 additions and 1 deletions
--- a/audit.sh
+++ b/audit.sh
@@ -0,0 +1,254 @@
+#!/usr/bin/env bash
+# -------------------------------------------------
+# audit_packages.sh – reproducible package audit
+# -------------------------------------------------
+set -euo pipefail
+
+TIMESTAMP="$(date +%Y%m%d_%H%M%S)"
+AUDIT_DIR="${HOME}/audit_${TIMESTAMP}"
+mkdir -p "${AUDIT_DIR}"
+chmod 700 "${AUDIT_DIR}"
+
+# -------------------------------------------------
+# 1. OS / kernel info
+# -------------------------------------------------
+cat /etc/os-release > "${AUDIT_DIR}/os_release.txt"
+uname -a >> "${AUDIT_DIR}/kernel.txt"
+lsb_release -a >> "${AUDIT_DIR}/os_release.txt" 2>/dev/null || true
+
+# -------------------------------------------------
+# 2. DEB packages
+# -------------------------------------------------
+dpkg -l > "${AUDIT_DIR}/dpkg_list.txt"
+apt list --installed > "${AUDIT_DIR}/apt_installed.txt"
+dpkg-query -W -f='${Package}\t${Version}\t${Architecture}\n' > "${AUDIT_DIR}/dpkg_detailed.txt"
+apt-mark showmanual > "${AUDIT_DIR}/manual_installed.txt"
+apt-mark showauto   > "${AUDIT_DIR}/auto_installed.txt"
+
+# -------------------------------------------------
+# 3. Snap packages (if snapd is present)
+# -------------------------------------------------
+if command -v snap >/dev/null; then
+    snap list > "${AUDIT_DIR}/snap_list.txt"
+fi
+
+# -------------------------------------------------
+# 4. Flatpak packages (if flatpak is present)
+# -------------------------------------------------
+if command -v flatpak >/dev/null; then
+    flatpak list > "${AUDIT_DIR}/flatpak_list.txt"
+fi
+
+# -------------------------------------------------
+# 5. Language‑specific packages
+# -------------------------------------------------
+if command -v pip3 >/dev/null; then
+    pip3 list --format=columns > "${AUDIT_DIR}/pip3_list.txt"
+fi
+
+if command -v npm >/dev/null; then
+    npm list -g --depth=0 > "${AUDIT_DIR}/npm_global.txt"
+fi
+
+# -------------------------------------------------
+# 6. Example: which DEB owns /bin/bash
+# -------------------------------------------------
+dpkg -S "$(command -v bash)" > "${AUDIT_DIR}/bash_owning_package.txt" 2>/dev/null || true
+
+# -------------------------------------------------
+# 7. SYSTEM & SECURITY BASELINE
+# -------------------------------------------------
+# 7.1 Systemd unit status (enabled/disabled, failed)
+# NOTE: These commands need root to see *all* units. Uncomment if running as root.
+# systemctl list-unit-files --type=service > "${AUDIT_DIR}/systemd_unit_files.txt"
+# systemctl --failed > "${AUDIT_DIR}/systemd_failed_units.txt"
+
+# 7.2 Running services (active units)
+# NOTE: Root privileges give a complete view. Uncomment if desired.
+# systemctl list-units --type=service --state=running > "${AUDIT_DIR}/systemd_running_services.txt"
+
+# -------------------------------------------------
+# 8. USERS, GROUPS & PRIVILEGE ESCALATION
+# -------------------------------------------------
+# 8.1 Local users (passwd entries) – readable by any user
+getent passwd > "${AUDIT_DIR}/passwd_entries.txt"
+
+# 8.2 Local groups – readable by any user
+getent group > "${AUDIT_DIR}/group_entries.txt"
+
+# 8.3 sudo configuration (who can sudo) – may prompt for password
+# sudo -l > "${AUDIT_DIR}/sudoers.txt" 2>/dev/null || echo "sudo not configured" > "${AUDIT_DIR}/sudoers.txt"
+echo "sudo check skipped (requires password/root)" > "${AUDIT_DIR}/sudoers.txt"
+
+# 8.4 Authorized SSH keys (all users) – readable by any user
+{
+    for d in /home/*/.ssh; do
+        [ -d "$d" ] && cat "$d/authorized_keys" 2>/dev/null
+    done
+} > "${AUDIT_DIR}/ssh_authorized_keys.txt"
+
+# 8.5 Shadow file (password hashes & policies) – **requires root**
+# Uncomment the line below if you run the script as root.
+# cat /etc/shadow > "${AUDIT_DIR}/shadow.txt" 2>/dev/null || echo "shadow not readable" > "${AUDIT_DIR}/shadow.txt"
+
+# 8.6 Cron jobs (system‑wide and per‑user) – root crontab needs root
+# Uncomment if you have root privileges.
+# crontab -l > "${AUDIT_DIR}/root_crontab.txt" 2>/dev/null || true
+for u in $(cut -d: -f1 /etc/passwd); do
+    crontab -u "$u" -l > "${AUDIT_DIR}/crontab_${u}.txt" 2>/dev/null || true
+done
+
+# -------------------------------------------------
+# 9. NETWORK & FIREWALL
+# -------------------------------------------------
+# 9.1 Listening sockets
+ss -tulnp > "${AUDIT_DIR}/listening_sockets.txt"
+
+# 9.2 Active network connections
+ss -tunap > "${AUDIT_DIR}/active_connections.txt"
+
+# 9.3 Firewall rules (ufw or iptables) – iptables needs root
+if command -v ufw >/dev/null; then
+    # ufw status verbose > "${AUDIT_DIR}/firewall_ufw.txt"
+    echo "ufw status skipped (requires root)" > "${AUDIT_DIR}/firewall_ufw.txt"
+else
+    # iptables requires root; uncomment if running as root.
+    # iptables -L -nv > "${AUDIT_DIR}/firewall_iptables.txt"
+    echo "iptables command requires root – not executed" > "${AUDIT_DIR}/firewall_iptables.txt"
+fi
+
+# 9.4 Routing table
+ip route show > "${AUDIT_DIR}/routing_table.txt"
+
+# 9.5 Network interfaces & IP addresses
+ip -brief address > "${AUDIT_DIR}/interfaces.txt"
+
+# -------------------------------------------------
+# 10. STORAGE & FILESYSTEM
+# -------------------------------------------------
+# 10.1 Disk usage per filesystem
+df -hT > "${AUDIT_DIR}/disk_usage.txt"
+
+# 10.2 Mounted filesystems (options)
+mount > "${AUDIT_DIR}/mounts.txt"
+
+# 10.3 Top‑10 largest files on the system
+# du -ah / | sort -rh | head -n 10 > "${AUDIT_DIR}/largest_files.txt"
+echo "du check skipped (requires root to scan /)" > "${AUDIT_DIR}/largest_files.txt"
+
+# 10.4 Modified package files (debsums) – needs root for a full check
+# Uncomment if you have root privileges.
+# if command -v debsums >/dev/null; then
+#     debsums -s > "${AUDIT_DIR}/modified_deb_files.txt" 2>/dev/null || echo "No modified files detected" > "${AUDIT_DIR}/modified_deb_files.txt"
+# else
+#     echo "debsums not installed" > "${AUDIT_DIR}/modified_deb_files.txt"
+# fi
+echo "debsums check omitted (requires root)" > "${AUDIT_DIR}/modified_deb_files.txt"
+
+# -------------------------------------------------
+# 11. BUILD A SINGLE HUMAN‑READABLE REPORT
+# -------------------------------------------------
+{
+    echo "=== OS INFORMATION ==="
+    cat "${AUDIT_DIR}/os_release.txt"
+
+    echo -e "\n=== KERNEL ==="
+    cat "${AUDIT_DIR}/kernel.txt"
+
+    echo -e "\n=== DEB PACKAGES (dpkg -l) ==="
+    cat "${AUDIT_DIR}/dpkg_list.txt"
+
+    echo -e "\n=== APT INSTALLED LIST ==="
+    cat "${AUDIT_DIR}/apt_installed.txt"
+
+    echo -e "\n=== SNAP PACKAGES ==="
+    cat "${AUDIT_DIR}/snap_list.txt" 2>/dev/null || echo "Snap not installed"
+
+    echo -e "\n=== FLATPAK PACKAGES ==="
+    cat "${AUDIT_DIR}/flatpak_list.txt" 2>/dev/null || echo "Flatpak not installed"
+
+    echo -e "\n=== PYTHON3 PACKAGES ==="
+    cat "${AUDIT_DIR}/pip3_list.txt" 2>/dev/null || echo "pip3 not installed"
+
+    echo -e "\n=== NODEJS GLOBAL PACKAGES ==="
+    cat "${AUDIT_DIR}/npm_global.txt" 2>/dev/null || echo "npm not installed"
+
+    echo -e "\n=== MANUALLY INSTALLED DEB PACKAGES ==="
+    cat "${AUDIT_DIR}/manual_installed.txt"
+
+    echo -e "\n=== AUTOMATIC DEB PACKAGES ==="
+    cat "${AUDIT_DIR}/auto_installed.txt"
+
+    echo -e "\n=== OWNING PACKAGE FOR /bin/bash ==="
+    cat "${AUDIT_DIR}/bash_owning_package.txt" 2>/dev/null || echo "Not found"
+
+    # ---- System & security baseline ----
+    echo -e "\n=== SYSTEMD UNIT FILES (enabled/disabled) ==="
+    cat "${AUDIT_DIR}/systemd_unit_files.txt" 2>/dev/null || echo "Skipped (requires root)"
+
+    echo -e "\n=== SYSTEMD FAILED UNITS ==="
+    cat "${AUDIT_DIR}/systemd_failed_units.txt" 2>/dev/null || echo "Skipped (requires root)"
+
+    echo -e "\n=== SYSTEMD RUNNING SERVICES ==="
+    cat "${AUDIT_DIR}/systemd_running_services.txt" 2>/dev/null || echo "Skipped (requires root)"
+
+    # ---- Users, groups & privilege escalation ----
+    echo -e "\n=== /etc/passwd ENTRIES ==="
+    cat "${AUDIT_DIR}/passwd_entries.txt"
+
+    echo -e "\n=== /etc/group ENTRIES ==="
+    cat "${AUDIT_DIR}/group_entries.txt"
+
+    echo -e "\n=== SUDOERS (who can sudo) ==="
+    cat "${AUDIT_DIR}/sudoers.txt"
+
+    echo -e "\n=== SSH AUTHORIZED KEYS ==="
+    cat "${AUDIT_DIR}/ssh_authorized_keys.txt"
+
+    echo -e "\n=== /etc/shadow (password hashes) ==="
+    cat "${AUDIT_DIR}/shadow.txt" 2>/dev/null || echo "Skipped (requires root)"
+
+    echo -e "\n=== ROOT CRONTAB ==="
+    cat "${AUDIT_DIR}/root_crontab.txt" 2>/dev/null || echo "Skipped (requires root)"
+
+    echo -e "\n=== USER CRONTABS ==="
+    for f in "${AUDIT_DIR}"/crontab_*.txt; do
+        echo "---- $(basename "$f") ----"
+        cat "$f"
+    done
+
+    # ---- Network & firewall ----
+    echo -e "\n=== LISTENING SOCKETS ==="
+    cat "${AUDIT_DIR}/listening_sockets.txt"
+
+    echo -e "\n=== ACTIVE NETWORK CONNECTIONS ==="
+    cat "${AUDIT_DIR}/active_connections.txt"
+
+    echo -e "\n=== FIREWALL RULES ==="
+    if [ -f "${AUDIT_DIR}/firewall_ufw.txt" ]; then
+        cat "${AUDIT_DIR}/firewall_ufw.txt"
+    else
+        cat "${AUDIT_DIR}/firewall_iptables.txt"
+    fi
+
+    echo -e "\n=== ROUTING TABLE ==="
+    cat "${AUDIT_DIR}/routing_table.txt"
+
+    echo -e "\n=== NETWORK INTERFACES ==="
+    cat "${AUDIT_DIR}/interfaces.txt"
+
+    # ---- Storage & filesystem ----
+    echo -e "\n=== DISK USAGE ==="
+    cat "${AUDIT_DIR}/disk_usage.txt"
+
+    echo -e "\n=== MOUNTED FILESYSTEMS ==="
+    cat "${AUDIT_DIR}/mounts.txt"
+
+    echo -e "\n=== TOP 10 LARGEST FILES ==="
+    cat "${AUDIT_DIR}/largest_files.txt"
+
+    echo -e "\n=== MODIFIED DEB PACKAGE FILES (debsums) ==="
+    cat "${AUDIT_DIR}/modified_deb_files.txt"
+} > "${AUDIT_DIR}/audit_report.txt"
+
+echo "Audit completed. Report saved to ${AUDIT_DIR}/audit_report.txt"