feat: Add a comprehensive Linux system audit script (audit.sh) and update README with usage instructions.

2026-01-28 12:14:12 +08:00
parent 8bf3c31ae3
commit fc1789fb61
2 changed files with 261 additions and 1 deletions


@@ -1,3 +1,9 @@
# Linux-System-Audit-Report # Linux-System-Audit-Report
A shell script that generate some data which can be used to check for drift. ## How to use
Run as a normal user the script will skip the rootonly sections (they are already commented out).
Run with sudo or as root simply uncomment the lines that are marked with # NOTE: … or # Uncomment … and the script will collect the additional privileged data.
Feel free to adjust any of the comments or uncomment the sections you need. Let me know if youd like any further tweaks!

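--- /dev/null
+++ b/audit.sh
@@ -0,0 +1,254 @@
+#!/usr/bin/env bash
+# -------------------------------------------------
+# audit_packages.sh reproducible package audit
+# -------------------------------------------------
+set -euo pipefail
+TIMESTAMP="$(date +%Y%m%d_%H%M%S)"
+AUDIT_DIR="${HOME}/audit_${TIMESTAMP}"
+mkdir -p "${AUDIT_DIR}"
+chmod 700 "${AUDIT_DIR}"
+# -------------------------------------------------
+# 1. OS / kernel info
+# -------------------------------------------------
+cat /etc/os-release > "${AUDIT_DIR}/os_release.txt"
+uname -a >> "${AUDIT_DIR}/kernel.txt"
+lsb_release -a >> "${AUDIT_DIR}/os_release.txt" 2>/dev/null || true
+# -------------------------------------------------
+# 2. DEB packages
+# -------------------------------------------------
+dpkg -l > "${AUDIT_DIR}/dpkg_list.txt"
+apt list --installed > "${AUDIT_DIR}/apt_installed.txt"
+dpkg-query -W -f='${Package}\t${Version}\t${Architecture}\n' > "${AUDIT_DIR}/dpkg_detailed.txt"
+apt-mark showmanual > "${AUDIT_DIR}/manual_installed.txt"
+apt-mark showauto > "${AUDIT_DIR}/auto_installed.txt"
+# -------------------------------------------------
+# 3. Snap packages (if snapd is present)
+# -------------------------------------------------
+if command -v snap >/dev/null; then
+snap list > "${AUDIT_DIR}/snap_list.txt"
+fi
+# -------------------------------------------------
+# 4. Flatpak packages (if flatpak is present)
+# -------------------------------------------------
+if command -v flatpak >/dev/null; then
+flatpak list > "${AUDIT_DIR}/flatpak_list.txt"
+fi
+# -------------------------------------------------
+# 5. Languagespecific packages
+# -------------------------------------------------
+if command -v pip3 >/dev/null; then
+pip3 list --format=columns > "${AUDIT_DIR}/pip3_list.txt"
+fi
+if command -v npm >/dev/null; then
+npm list -g --depth=0 > "${AUDIT_DIR}/npm_global.txt"
+fi
+# -------------------------------------------------
+# 6. Example: which DEB owns /bin/bash
+# -------------------------------------------------
+dpkg -S "$(command -v bash)" > "${AUDIT_DIR}/bash_owning_package.txt" 2>/dev/null || true
+# -------------------------------------------------
+# 7. SYSTEM & SECURITY BASELINE
+# -------------------------------------------------
+# 7.1 Systemd unit status (enabled/disabled, failed)
+# NOTE: These commands need root to see *all* units. Uncomment if running as root.
+# systemctl list-unit-files --type=service > "${AUDIT_DIR}/systemd_unit_files.txt"
+# systemctl --failed > "${AUDIT_DIR}/systemd_failed_units.txt"
+# 7.2 Running services (active units)
+# NOTE: Root privileges give a complete view. Uncomment if desired.
+# systemctl list-units --type=service --state=running > "${AUDIT_DIR}/systemd_running_services.txt"
+# -------------------------------------------------
+# 8. USERS, GROUPS & PRIVILEGE ESCALATION
+# -------------------------------------------------
+# 8.1 Local users (passwd entries) readable by any user
+getent passwd > "${AUDIT_DIR}/passwd_entries.txt"
+# 8.2 Local groups readable by any user
+getent group > "${AUDIT_DIR}/group_entries.txt"
+# 8.3 sudo configuration (who can sudo) may prompt for password
+# sudo -l > "${AUDIT_DIR}/sudoers.txt" 2>/dev/null || echo "sudo not configured" > "${AUDIT_DIR}/sudoers.txt"
+echo "sudo check skipped (requires password/root)" > "${AUDIT_DIR}/sudoers.txt"
+# 8.4 Authorized SSH keys (all users) readable by any user
+{
+for d in /home/*/.ssh; do
+[ -d "$d" ] && cat "$d/authorized_keys" 2>/dev/null
+done
+} > "${AUDIT_DIR}/ssh_authorized_keys.txt"
+# 8.5 Shadow file (password hashes & policies) **requires root**
+# Uncomment the line below if you run the script as root.
+# cat /etc/shadow > "${AUDIT_DIR}/shadow.txt" 2>/dev/null || echo "shadow not readable" > "${AUDIT_DIR}/shadow.txt"
+# 8.6 Cron jobs (systemwide and peruser) root crontab needs root
+# Uncomment if you have root privileges.
+# crontab -l > "${AUDIT_DIR}/root_crontab.txt" 2>/dev/null || true
+for u in $(cut -d: -f1 /etc/passwd); do
+crontab -u "$u" -l > "${AUDIT_DIR}/crontab_${u}.txt" 2>/dev/null || true
+done
+# -------------------------------------------------
+# 9. NETWORK & FIREWALL
+# -------------------------------------------------
+# 9.1 Listening sockets
+ss -tulnp > "${AUDIT_DIR}/listening_sockets.txt"
+# 9.2 Active network connections
+ss -tunap > "${AUDIT_DIR}/active_connections.txt"
+# 9.3 Firewall rules (ufw or iptables) iptables needs root
+if command -v ufw >/dev/null; then
+# ufw status verbose > "${AUDIT_DIR}/firewall_ufw.txt"
+echo "ufw status skipped (requires root)" > "${AUDIT_DIR}/firewall_ufw.txt"
+else
+# iptables requires root; uncomment if running as root.
+# iptables -L -nv > "${AUDIT_DIR}/firewall_iptables.txt"
+echo "iptables command requires root not executed" > "${AUDIT_DIR}/firewall_iptables.txt"
+fi
+# 9.4 Routing table
+ip route show > "${AUDIT_DIR}/routing_table.txt"
+# 9.5 Network interfaces & IP addresses
+ip -brief address > "${AUDIT_DIR}/interfaces.txt"
+# -------------------------------------------------
+# 10. STORAGE & FILESYSTEM
+# -------------------------------------------------
+# 10.1 Disk usage per filesystem
+df -hT > "${AUDIT_DIR}/disk_usage.txt"
+# 10.2 Mounted filesystems (options)
+mount > "${AUDIT_DIR}/mounts.txt"
+# 10.3 Top10 largest files on the system
+# du -ah / | sort -rh | head -n 10 > "${AUDIT_DIR}/largest_files.txt"
+echo "du check skipped (requires root to scan /)" > "${AUDIT_DIR}/largest_files.txt"
+# 10.4 Modified package files (debsums) needs root for a full check
+# Uncomment if you have root privileges.
+# if command -v debsums >/dev/null; then
+# debsums -s > "${AUDIT_DIR}/modified_deb_files.txt" 2>/dev/null || echo "No modified files detected" > "${AUDIT_DIR}/modified_deb_files.txt"
+# else
+# echo "debsums not installed" > "${AUDIT_DIR}/modified_deb_files.txt"
+# fi
+echo "debsums check omitted (requires root)" > "${AUDIT_DIR}/modified_deb_files.txt"
+# -------------------------------------------------
+# 11. BUILD A SINGLE HUMANREADABLE REPORT
+# -------------------------------------------------
+{
+echo "=== OS INFORMATION ==="
+cat "${AUDIT_DIR}/os_release.txt"
+echo -e "\n=== KERNEL ==="
+cat "${AUDIT_DIR}/kernel.txt"
+echo -e "\n=== DEB PACKAGES (dpkg -l) ==="
+cat "${AUDIT_DIR}/dpkg_list.txt"
+echo -e "\n=== APT INSTALLED LIST ==="
+cat "${AUDIT_DIR}/apt_installed.txt"
+echo -e "\n=== SNAP PACKAGES ==="
+cat "${AUDIT_DIR}/snap_list.txt" 2>/dev/null || echo "Snap not installed"
+echo -e "\n=== FLATPAK PACKAGES ==="
+cat "${AUDIT_DIR}/flatpak_list.txt" 2>/dev/null || echo "Flatpak not installed"
+echo -e "\n=== PYTHON3 PACKAGES ==="
+cat "${AUDIT_DIR}/pip3_list.txt" 2>/dev/null || echo "pip3 not installed"
+echo -e "\n=== NODEJS GLOBAL PACKAGES ==="
+cat "${AUDIT_DIR}/npm_global.txt" 2>/dev/null || echo "npm not installed"
+echo -e "\n=== MANUALLY INSTALLED DEB PACKAGES ==="
+cat "${AUDIT_DIR}/manual_installed.txt"
+echo -e "\n=== AUTOMATIC DEB PACKAGES ==="
+cat "${AUDIT_DIR}/auto_installed.txt"
+echo -e "\n=== OWNING PACKAGE FOR /bin/bash ==="
+cat "${AUDIT_DIR}/bash_owning_package.txt" 2>/dev/null || echo "Not found"
+# ---- System & security baseline ----
+echo -e "\n=== SYSTEMD UNIT FILES (enabled/disabled) ==="
+cat "${AUDIT_DIR}/systemd_unit_files.txt" 2>/dev/null || echo "Skipped (requires root)"
+echo -e "\n=== SYSTEMD FAILED UNITS ==="
+cat "${AUDIT_DIR}/systemd_failed_units.txt" 2>/dev/null || echo "Skipped (requires root)"
+echo -e "\n=== SYSTEMD RUNNING SERVICES ==="
+cat "${AUDIT_DIR}/systemd_running_services.txt" 2>/dev/null || echo "Skipped (requires root)"
+# ---- Users, groups & privilege escalation ----
+echo -e "\n=== /etc/passwd ENTRIES ==="
+cat "${AUDIT_DIR}/passwd_entries.txt"
+echo -e "\n=== /etc/group ENTRIES ==="
+cat "${AUDIT_DIR}/group_entries.txt"
+echo -e "\n=== SUDOERS (who can sudo) ==="
+cat "${AUDIT_DIR}/sudoers.txt"
+echo -e "\n=== SSH AUTHORIZED KEYS ==="
+cat "${AUDIT_DIR}/ssh_authorized_keys.txt"
+echo -e "\n=== /etc/shadow (password hashes) ==="
+cat "${AUDIT_DIR}/shadow.txt" 2>/dev/null || echo "Skipped (requires root)"
+echo -e "\n=== ROOT CRONTAB ==="
+cat "${AUDIT_DIR}/root_crontab.txt" 2>/dev/null || echo "Skipped (requires root)"
+echo -e "\n=== USER CRONTABS ==="
+for f in "${AUDIT_DIR}"/crontab_*.txt; do
+echo "---- $(basename "$f") ----"
+cat "$f"
+done
+# ---- Network & firewall ----
+echo -e "\n=== LISTENING SOCKETS ==="
+cat "${AUDIT_DIR}/listening_sockets.txt"
+echo -e "\n=== ACTIVE NETWORK CONNECTIONS ==="
+cat "${AUDIT_DIR}/active_connections.txt"
+echo -e "\n=== FIREWALL RULES ==="
+if [ -f "${AUDIT_DIR}/firewall_ufw.txt" ]; then
+cat "${AUDIT_DIR}/firewall_ufw.txt"
+else
+cat "${AUDIT_DIR}/firewall_iptables.txt"
+fi
+echo -e "\n=== ROUTING TABLE ==="
+cat "${AUDIT_DIR}/routing_table.txt"
+echo -e "\n=== NETWORK INTERFACES ==="
+cat "${AUDIT_DIR}/interfaces.txt"
+# ---- Storage & filesystem ----
+echo -e "\n=== DISK USAGE ==="
+cat "${AUDIT_DIR}/disk_usage.txt"
+echo -e "\n=== MOUNTED FILESYSTEMS ==="
+cat "${AUDIT_DIR}/mounts.txt"
+echo -e "\n=== TOP 10 LARGEST FILES ==="
+cat "${AUDIT_DIR}/largest_files.txt"
+echo -e "\n=== MODIFIED DEB PACKAGE FILES (debsums) ==="
+cat "${AUDIT_DIR}/modified_deb_files.txt"
+} > "${AUDIT_DIR}/audit_report.txt"
+echo "Audit completed. Report saved to ${AUDIT_DIR}/audit_report.txt"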
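Review bot: The authorized-keys loop in section 8.4 can abort the whole audit under the `set -euo pipefail` declared at the top: in `[ -d "$d" ] && cat "$d/authorized_keys" 2>/dev/null`, `cat` is the last command of the `&&` list, so `set -e` does apply to it, and any `~/.ssh` directory that exists but has no `authorized_keys` (or, for other users, one the invoking user cannot read, since `.ssh` is typically mode 700) makes `cat` fail and the script exit before sections 9 to 11 and the final report are ever written. Guarding on readability and recording which home directory each key block came from also makes the drift data usable: `if [ -r "$d/authorized_keys" ]; then printf '## %s\n' "$d"; cat -- "$d/authorized_keys"; fi`. A related artefact in 8.6 is that the `>` redirection creates `crontab_${u}.txt` for every passwd entry before `crontab -u` fails for users other than the caller, so the report's USER CRONTABS section is padded with empty files; redirecting to a temporary path and keeping only non-empty results, or writing only when `crontab` succeeds, would avoid that. Finally, `mkdir -p "${AUDIT_DIR}"` followed by `chmod 700` leaves a brief window where the directory exists with the umask default; `mkdir -p -m 700 "${AUDIT_DIR}"` creates it with the intended mode in one step.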