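#!/usr/bin/env bash
# -------------------------------------------------
# audit_packages.sh – reproducible package audit
#
# Collects an inventory of installed packages plus a read-only system
# baseline (users, groups, SSH authorized keys, cron, sockets, firewall
# status, mounts) on a Debian/Ubuntu host and merges everything into a
# single human-readable report.
#
# Usage:    ./audit_packages.sh
# Env:      HOME – the audit directory is created below it
# Outputs:  ${HOME}/audit_<timestamp>/<check>.txt   (dir 700, files 600)
#           ${HOME}/audit_<timestamp>/audit_report.txt
#
# The script runs as an unprivileged user and never prompts or escalates;
# checks that need root are left commented out and the report records that
# they were skipped.
# -------------------------------------------------
set -euo pipefail

# Everything written here (authorized keys, account lists, socket/process
# information) is sensitive. Restrict it to the owner at creation time
# rather than relying on a chmod after the fact.
umask 077

TIMESTAMP="$(date +%Y%m%d_%H%M%S)"
AUDIT_DIR="${HOME}/audit_${TIMESTAMP}"
readonly TIMESTAMP AUDIT_DIR
mkdir -p "${AUDIT_DIR}"
chmod 700 "${AUDIT_DIR}"   # also tightens a pre-existing directory

#######################################
# Report helpers (used in step 11).
# section TITLE        – print a report heading preceded by a blank line
# show_or FILE MESSAGE – print FILE, or MESSAGE if FILE is missing/unreadable
#######################################
section() { printf '\n=== %s ===\n' "$1"; }
show_or() { cat "$1" 2>/dev/null || printf '%s\n' "$2"; }

# -------------------------------------------------
# 1. OS / kernel info
# -------------------------------------------------
cat /etc/os-release > "${AUDIT_DIR}/os_release.txt"
uname -a > "${AUDIT_DIR}/kernel.txt"
# lsb_release is optional; its absence must not abort the run.
lsb_release -a >> "${AUDIT_DIR}/os_release.txt" 2>/dev/null || true

# -------------------------------------------------
# 2. DEB packages
# -------------------------------------------------
dpkg -l > "${AUDIT_DIR}/dpkg_list.txt"
apt list --installed > "${AUDIT_DIR}/apt_installed.txt"
dpkg-query -W -f='${Package}\t${Version}\t${Architecture}\n' > "${AUDIT_DIR}/dpkg_detailed.txt"
apt-mark showmanual > "${AUDIT_DIR}/manual_installed.txt"
apt-mark showauto > "${AUDIT_DIR}/auto_installed.txt"

# -------------------------------------------------
# 3. Snap packages (if snapd is present)
# -------------------------------------------------
if command -v snap >/dev/null; then
  snap list > "${AUDIT_DIR}/snap_list.txt"
fi

# -------------------------------------------------
# 4. Flatpak packages (if flatpak is present)
# -------------------------------------------------
if command -v flatpak >/dev/null; then
  flatpak list > "${AUDIT_DIR}/flatpak_list.txt"
fi

# -------------------------------------------------
# 5. Language-specific packages
# -------------------------------------------------
if command -v pip3 >/dev/null; then
  pip3 list --format=columns > "${AUDIT_DIR}/pip3_list.txt"
fi

if command -v npm >/dev/null; then
  # npm list exits non-zero when it detects dependency problems; the listing
  # is still written and still useful, so do not let that abort the audit.
  npm list -g --depth=0 > "${AUDIT_DIR}/npm_global.txt" || true
fi

# -------------------------------------------------
# 6. Example: which DEB owns /bin/bash
# -------------------------------------------------
dpkg -S "$(command -v bash)" > "${AUDIT_DIR}/bash_owning_package.txt" 2>/dev/null || true

# -------------------------------------------------
# 7. SYSTEM & SECURITY BASELINE
# -------------------------------------------------
# 7.1 Systemd unit status (enabled/disabled, failed)
# NOTE: These commands need root to see *all* units. Uncomment if running as root.
# systemctl list-unit-files --type=service > "${AUDIT_DIR}/systemd_unit_files.txt"
# systemctl --failed > "${AUDIT_DIR}/systemd_failed_units.txt"

# 7.2 Running services (active units)
# NOTE: Root privileges give a complete view. Uncomment if desired.
# systemctl list-units --type=service --state=running > "${AUDIT_DIR}/systemd_running_services.txt"

# -------------------------------------------------
# 8. USERS, GROUPS & PRIVILEGE ESCALATION
# -------------------------------------------------
# 8.1 Local users (passwd entries) – readable by any user
getent passwd > "${AUDIT_DIR}/passwd_entries.txt"

# 8.2 Local groups – readable by any user
getent group > "${AUDIT_DIR}/group_entries.txt"

# 8.3 sudo configuration (who can sudo) – may prompt for password
# sudo -l > "${AUDIT_DIR}/sudoers.txt" 2>/dev/null || echo "sudo not configured" > "${AUDIT_DIR}/sudoers.txt"
printf '%s\n' "sudo check skipped (requires password/root)" > "${AUDIT_DIR}/sudoers.txt"

# 8.4 Authorized SSH keys (all users) – readable by any user
# Each key file is prefixed with its path so the report shows which account
# a key grants access to. Missing or unreadable files are skipped: a bare
# `test && cat` would abort the whole script under `set -e` on the first
# account without an authorized_keys file.
# authorized_keys2 is the legacy second location sshd still reads by default.
{
  for d in /home/*/.ssh; do
    [ -d "$d" ] || continue
    for k in "$d/authorized_keys" "$d/authorized_keys2"; do
      if [ -r "$k" ]; then
        printf '%s\n' "---- $k ----"
        cat "$k"
      fi
    done
  done
} > "${AUDIT_DIR}/ssh_authorized_keys.txt"

# 8.5 Shadow file (password hashes & policies) – **requires root**
# Uncomment the line below if you run the script as root.
# cat /etc/shadow > "${AUDIT_DIR}/shadow.txt" 2>/dev/null || echo "shadow not readable" > "${AUDIT_DIR}/shadow.txt"

# 8.6 Cron jobs (system-wide and per-user) – root crontab needs root
# Uncomment if you have root privileges.
# crontab -l > "${AUDIT_DIR}/root_crontab.txt" 2>/dev/null || true

# System-wide cron entries are world-readable and need no privileges.
{
  for f in /etc/crontab /etc/cron.d/*; do
    [ -r "$f" ] || continue   # unmatched glob stays literal; skip it
    printf '%s\n' "---- $f ----"
    cat "$f"
  done
} > "${AUDIT_DIR}/system_cron.txt"

# Per-user crontabs: only accounts whose crontab could actually be read get
# a file. Without root, `crontab -u` is refused for every other account, and
# "no crontab for <user>" is also a non-zero exit, so writing an empty file
# on failure would be ambiguous in the report.
while IFS=: read -r u _; do
  [ -n "$u" ] || continue
  if cron_out=$(crontab -u "$u" -l 2>/dev/null); then
    printf '%s\n' "$cron_out" > "${AUDIT_DIR}/crontab_${u}.txt"
  fi
done < <(getent passwd)

# -------------------------------------------------
# 9. NETWORK & FIREWALL
# -------------------------------------------------
# 9.1 Listening sockets (-p shows owning processes only for the current
#     user unless run as root)
ss -tulnp > "${AUDIT_DIR}/listening_sockets.txt"

# 9.2 Active network connections
ss -tunap > "${AUDIT_DIR}/active_connections.txt"

# 9.3 Firewall rules (ufw or iptables) – both need root to read the ruleset
if command -v ufw >/dev/null; then
  # ufw status verbose > "${AUDIT_DIR}/firewall_ufw.txt"
  printf '%s\n' "ufw status skipped (requires root)" > "${AUDIT_DIR}/firewall_ufw.txt"
else
  # iptables requires root; uncomment if running as root.
  # iptables -L -nv > "${AUDIT_DIR}/firewall_iptables.txt"
  printf '%s\n' "iptables command requires root – not executed" > "${AUDIT_DIR}/firewall_iptables.txt"
fi

# 9.4 Routing table
ip route show > "${AUDIT_DIR}/routing_table.txt"

# 9.5 Network interfaces & IP addresses
ip -brief address > "${AUDIT_DIR}/interfaces.txt"

# -------------------------------------------------
# 10. STORAGE & FILESYSTEM
# -------------------------------------------------
# 10.1 Disk usage per filesystem
df -hT > "${AUDIT_DIR}/disk_usage.txt"

# 10.2 Mounted filesystems (options)
mount > "${AUDIT_DIR}/mounts.txt"

# 10.3 Top-10 largest files on the system
# du -ah / | sort -rh | head -n 10 > "${AUDIT_DIR}/largest_files.txt"
printf '%s\n' "du check skipped (requires root to scan /)" > "${AUDIT_DIR}/largest_files.txt"

# 10.4 Modified package files (debsums) – needs root for a full check
# Uncomment if you have root privileges.
# if command -v debsums >/dev/null; then
#   debsums -s > "${AUDIT_DIR}/modified_deb_files.txt" 2>/dev/null || echo "No modified files detected" > "${AUDIT_DIR}/modified_deb_files.txt"
# else
#   echo "debsums not installed" > "${AUDIT_DIR}/modified_deb_files.txt"
# fi
printf '%s\n' "debsums check omitted (requires root)" > "${AUDIT_DIR}/modified_deb_files.txt"

# -------------------------------------------------
# 11. BUILD A SINGLE HUMAN-READABLE REPORT
# -------------------------------------------------
{
  printf '=== OS INFORMATION ===\n'
  cat "${AUDIT_DIR}/os_release.txt"
  section "KERNEL"
  cat "${AUDIT_DIR}/kernel.txt"
  section "DEB PACKAGES (dpkg -l)"
  cat "${AUDIT_DIR}/dpkg_list.txt"
  section "APT INSTALLED LIST"
  cat "${AUDIT_DIR}/apt_installed.txt"
  section "SNAP PACKAGES"
  show_or "${AUDIT_DIR}/snap_list.txt" "Snap not installed"
  section "FLATPAK PACKAGES"
  show_or "${AUDIT_DIR}/flatpak_list.txt" "Flatpak not installed"
  section "PYTHON3 PACKAGES"
  show_or "${AUDIT_DIR}/pip3_list.txt" "pip3 not installed"
  section "NODEJS GLOBAL PACKAGES"
  show_or "${AUDIT_DIR}/npm_global.txt" "npm not installed"
  section "MANUALLY INSTALLED DEB PACKAGES"
  cat "${AUDIT_DIR}/manual_installed.txt"
  section "AUTOMATIC DEB PACKAGES"
  cat "${AUDIT_DIR}/auto_installed.txt"
  section "OWNING PACKAGE FOR /bin/bash"
  show_or "${AUDIT_DIR}/bash_owning_package.txt" "Not found"

  # ---- System & security baseline ----
  section "SYSTEMD UNIT FILES (enabled/disabled)"
  show_or "${AUDIT_DIR}/systemd_unit_files.txt" "Skipped (requires root)"
  section "SYSTEMD FAILED UNITS"
  show_or "${AUDIT_DIR}/systemd_failed_units.txt" "Skipped (requires root)"
  section "SYSTEMD RUNNING SERVICES"
  show_or "${AUDIT_DIR}/systemd_running_services.txt" "Skipped (requires root)"

  # ---- Users, groups & privilege escalation ----
  section "/etc/passwd ENTRIES"
  cat "${AUDIT_DIR}/passwd_entries.txt"
  section "/etc/group ENTRIES"
  cat "${AUDIT_DIR}/group_entries.txt"
  section "SUDOERS (who can sudo)"
  cat "${AUDIT_DIR}/sudoers.txt"
  section "SSH AUTHORIZED KEYS"
  cat "${AUDIT_DIR}/ssh_authorized_keys.txt"
  section "/etc/shadow (password hashes)"
  show_or "${AUDIT_DIR}/shadow.txt" "Skipped (requires root)"
  section "ROOT CRONTAB"
  show_or "${AUDIT_DIR}/root_crontab.txt" "Skipped (requires root)"
  section "SYSTEM CRON (/etc/crontab, /etc/cron.d)"
  cat "${AUDIT_DIR}/system_cron.txt"
  section "USER CRONTABS"
  found_crontab=0
  for f in "${AUDIT_DIR}"/crontab_*.txt; do
    [ -e "$f" ] || continue   # unmatched glob stays literal; skip it
    found_crontab=1
    printf '%s\n' "---- ${f##*/} ----"
    cat "$f"
  done
  [[ "$found_crontab" == 1 ]] || printf '%s\n' "No readable crontabs (other users require root)"

  # ---- Network & firewall ----
  section "LISTENING SOCKETS"
  cat "${AUDIT_DIR}/listening_sockets.txt"
  section "ACTIVE NETWORK CONNECTIONS"
  cat "${AUDIT_DIR}/active_connections.txt"
  section "FIREWALL RULES"
  if [ -f "${AUDIT_DIR}/firewall_ufw.txt" ]; then
    cat "${AUDIT_DIR}/firewall_ufw.txt"
  else
    cat "${AUDIT_DIR}/firewall_iptables.txt"
  fi
  section "ROUTING TABLE"
  cat "${AUDIT_DIR}/routing_table.txt"
  section "NETWORK INTERFACES"
  cat "${AUDIT_DIR}/interfaces.txt"

  # ---- Storage & filesystem ----
  section "DISK USAGE"
  cat "${AUDIT_DIR}/disk_usage.txt"
  section "MOUNTED FILESYSTEMS"
  cat "${AUDIT_DIR}/mounts.txt"
  section "TOP 10 LARGEST FILES"
  cat "${AUDIT_DIR}/largest_files.txt"
  section "MODIFIED DEB PACKAGE FILES (debsums)"
  cat "${AUDIT_DIR}/modified_deb_files.txt"
} > "${AUDIT_DIR}/audit_report.txt"

printf 'Audit completed. Report saved to %s\n' "${AUDIT_DIR}/audit_report.txt"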