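#!/usr/bin/env bash
# -------------------------------------------------
# audit_packages.sh - reproducible package audit
#
# Collects installed-package inventories plus a read-only system and
# security baseline into a fresh directory under $HOME, then concatenates
# the collected files into one human-readable report (audit_report.txt).
#
# Usage:    ./audit_packages.sh          (no arguments)
# Requires: bash 4+, dpkg / dpkg-query / apt / apt-mark, iproute2 (ss, ip),
#           getent, awk. snap, flatpak, pip3, npm, debsums are optional.
# Env:      HOME - parent of the output directory (must be set).
#
# Everything runs unprivileged. Checks that need root (systemd unit views,
# /etc/shadow, the root crontab, firewall rules, a full disk scan, debsums)
# are executed only when EUID is 0; otherwise a one-line placeholder file is
# written so the report still has every section. The output directory and
# every file in it are private (0700 / 0600) because the inventory includes
# account, SSH-key and socket information.
# -------------------------------------------------
set -euo pipefail

# Split declaration from the command substitution so a failing date is not masked.
TIMESTAMP="$(date +%Y%m%d_%H%M%S)"
readonly TIMESTAMP
readonly AUDIT_DIR="${HOME:?HOME must be set}/audit_${TIMESTAMP}"

#######################################
# Print a message to stderr and exit 1.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Succeed only when running with root privileges.
#######################################
is_root() {
  (( EUID == 0 ))
}

#######################################
# Write a one-line placeholder file into the audit directory.
# Arguments: $1 - output file basename, $2 - placeholder text
#######################################
placeholder() {
  printf '%s\n' "$2" > "${AUDIT_DIR}/$1"
}

#######################################
# Run an inventory command only when its tool is installed.
# A non-zero exit is reported on stderr instead of aborting the whole
# audit (some listers exit non-zero while still printing a usable list),
# so one misbehaving tool cannot leave the run without a report.
# Arguments: $1 - output file basename; $2... - command line to run
#######################################
run_optional() {
  local out=$1
  shift
  local tool=$1
  command -v "$tool" >/dev/null || return 0
  if ! "$@" > "${AUDIT_DIR}/${out}"; then
    printf 'warn: %s exited non-zero; %s may be incomplete\n' "$tool" "$out" >&2
  fi
}

#######################################
# 1. OS / kernel info
#######################################
collect_os_info() {
  cat /etc/os-release > "${AUDIT_DIR}/os_release.txt"
  uname -a > "${AUDIT_DIR}/kernel.txt"
  # lsb_release is optional; append its output when the tool exists.
  lsb_release -a >> "${AUDIT_DIR}/os_release.txt" 2>/dev/null || true
}

#######################################
# 2. DEB packages (plus the example "which DEB owns bash")
#######################################
collect_deb_packages() {
  dpkg -l > "${AUDIT_DIR}/dpkg_list.txt"
  apt list --installed > "${AUDIT_DIR}/apt_installed.txt"
  dpkg-query -W -f='${Package}\t${Version}\t${Architecture}\n' \
    > "${AUDIT_DIR}/dpkg_detailed.txt"
  apt-mark showmanual > "${AUDIT_DIR}/manual_installed.txt"
  apt-mark showauto > "${AUDIT_DIR}/auto_installed.txt"
  # Example lookup: the package owning the bash binary in use.
  dpkg -S "$(command -v bash)" > "${AUDIT_DIR}/bash_owning_package.txt" 2>/dev/null || true
}

#######################################
# 3-5. Snap, Flatpak and language-specific packages (when present)
#######################################
collect_optional_packages() {
  run_optional snap_list.txt snap list
  run_optional flatpak_list.txt flatpak list
  run_optional pip3_list.txt pip3 list --format=columns
  run_optional npm_global.txt npm list -g --depth=0
}

#######################################
# 7. Systemd unit status.
# Gated on root to keep the original design (root sees *all* units); the
# report shows "Skipped (requires root)" when the files are absent.
#######################################
collect_systemd() {
  is_root || return 0
  command -v systemctl >/dev/null || return 0
  systemctl list-unit-files --type=service > "${AUDIT_DIR}/systemd_unit_files.txt" || true
  systemctl --failed > "${AUDIT_DIR}/systemd_failed_units.txt" || true
  systemctl list-units --type=service --state=running \
    > "${AUDIT_DIR}/systemd_running_services.txt" || true
}

#######################################
# 8. Users, groups & privilege escalation
#######################################
collect_users() {
  local d keys f me user listing out

  # 8.1 / 8.2 - NSS view of accounts and groups, readable by any user.
  getent passwd > "${AUDIT_DIR}/passwd_entries.txt"
  getent group > "${AUDIT_DIR}/group_entries.txt"

  # 8.3 - 'sudo -l' may prompt for a password; keep the run non-interactive.
  placeholder sudoers.txt "sudo check skipped (requires password/root)"

  # 8.4 - Authorized SSH keys, each block attributed to the file it came from
  # (the '# path' line is a comment in authorized_keys syntax). Other users'
  # ~/.ssh is normally 0700, so without root only our own keys are readable.
  # Reading is guarded: an unreadable or missing file must not abort the run
  # under set -e.
  {
    for d in /home/*/.ssh; do
      keys="$d/authorized_keys"
      [[ -r "$keys" ]] || continue
      printf '# %s\n' "$keys"
      cat -- "$keys"
    done
  } > "${AUDIT_DIR}/ssh_authorized_keys.txt"

  # 8.5 - /etc/shadow (root only). The aging/policy fields are kept; any real
  # hash in field 2 is replaced so password hashes never land in an audit
  # artifact. Empty, '*' and '!'-style locked markers are left as they are.
  if is_root; then
    awk -F: 'BEGIN { OFS = ":" } { if ($2 !~ /^[!*]*$/) $2 = "<redacted>"; print }' \
      /etc/shadow > "${AUDIT_DIR}/shadow.txt" 2>/dev/null \
      || placeholder shadow.txt "shadow not readable"
  fi

  # 8.6 - Cron jobs.
  # System-wide entries are world-readable and need no privileges.
  {
    cat -- /etc/crontab 2>/dev/null || true
    for f in /etc/cron.d/*; do
      [[ -r "$f" && -f "$f" ]] || continue
      printf '# %s\n' "$f"
      cat -- "$f"
    done
  } > "${AUDIT_DIR}/system_cron.txt"

  if is_root; then
    crontab -l > "${AUDIT_DIR}/root_crontab.txt" 2>/dev/null || true
  fi

  # Per-user crontabs: crontab rejects -u from unprivileged callers, so our
  # own crontab is read without it and other accounts only succeed as root.
  # A file is written only when a crontab exists, so the report is not
  # padded with one empty section per account.
  me=$(id -un)
  while IFS=: read -r user _; do
    [[ -n "$user" ]] || continue
    if [[ "$user" == "$me" ]]; then
      listing=$(crontab -l 2>/dev/null) || continue
    else
      listing=$(crontab -u "$user" -l 2>/dev/null) || continue
    fi
    [[ -n "$listing" ]] || continue
    out="${AUDIT_DIR}/crontab_${user}.txt"
    printf '%s\n' "$listing" > "$out"
  done < /etc/passwd
}

#######################################
# 9. Network & firewall
#######################################
collect_network() {
  # Without root, -p resolves owning processes only for our own sockets.
  ss -tulnp > "${AUDIT_DIR}/listening_sockets.txt"
  ss -tunap > "${AUDIT_DIR}/active_connections.txt"

  # Firewall: ufw when installed, otherwise iptables (filter table only, as
  # in the original design). Both need root to read the rule set.
  if command -v ufw >/dev/null; then
    if is_root; then
      ufw status verbose > "${AUDIT_DIR}/firewall_ufw.txt" || true
    else
      placeholder firewall_ufw.txt "ufw status skipped (requires root)"
    fi
  elif ! command -v iptables >/dev/null; then
    placeholder firewall_iptables.txt "iptables not installed"
  elif is_root; then
    iptables -L -nv > "${AUDIT_DIR}/firewall_iptables.txt" || true
  else
    placeholder firewall_iptables.txt "iptables command requires root not executed"
  fi

  ip route show > "${AUDIT_DIR}/routing_table.txt"
  ip -brief address > "${AUDIT_DIR}/interfaces.txt"
}

#######################################
# 10. Storage & filesystem
#######################################
collect_storage() {
  local out rc

  df -hT > "${AUDIT_DIR}/disk_usage.txt"
  mount > "${AUDIT_DIR}/mounts.txt"

  # 10.3 - Ten largest files (root only). -x keeps du on the root filesystem
  # (no /proc, /sys or network mounts). head closes the pipe early, so the
  # pipeline's status under pipefail must not abort the run.
  if is_root; then
    { du -ahx / 2>/dev/null | sort -rh | head -n 10; } \
      > "${AUDIT_DIR}/largest_files.txt" || true
  else
    placeholder largest_files.txt "du check skipped (requires root to scan /)"
  fi

  # 10.4 - Modified package files. debsums -s lists changed files on stdout
  # and, per its manual, exits non-zero when it finds any, so the exit status
  # must not be used to replace the listing with "no changes".
  if ! is_root; then
    placeholder modified_deb_files.txt "debsums check omitted (requires root)"
  elif ! command -v debsums >/dev/null; then
    placeholder modified_deb_files.txt "debsums not installed"
  else
    out="${AUDIT_DIR}/modified_deb_files.txt"
    rc=0
    debsums -s > "$out" 2>/dev/null || rc=$?
    if [[ ! -s "$out" ]]; then
      if (( rc == 0 )); then
        echo "No modified files detected" > "$out"
      else
        echo "debsums failed (exit ${rc})" > "$out"
      fi
    fi
  fi
}

#######################################
# Print one report section: heading, then the file's content, or the
# fallback text when the file is absent (a check that was never run).
# Without a fallback an absent file yields just the heading.
# Arguments: $1 - heading, $2 - file basename, $3 - fallback text (optional)
# Outputs:   the section on stdout
#######################################
report_section() {
  local heading=$1 file="${AUDIT_DIR}/$2" fallback=${3-}
  printf '\n=== %s ===\n' "$heading"
  if [[ -r "$file" ]]; then
    cat -- "$file"
  elif [[ -n "$fallback" ]]; then
    printf '%s\n' "$fallback"
  fi
}

#######################################
# 11. Build a single human-readable report
#######################################
build_report() {
  local f found
  {
    echo "=== OS INFORMATION ==="
    cat -- "${AUDIT_DIR}/os_release.txt"
    report_section "KERNEL" kernel.txt
    report_section "DEB PACKAGES (dpkg -l)" dpkg_list.txt
    report_section "APT INSTALLED LIST" apt_installed.txt
    report_section "SNAP PACKAGES" snap_list.txt "Snap not installed"
    report_section "FLATPAK PACKAGES" flatpak_list.txt "Flatpak not installed"
    report_section "PYTHON3 PACKAGES" pip3_list.txt "pip3 not installed"
    report_section "NODEJS GLOBAL PACKAGES" npm_global.txt "npm not installed"
    report_section "MANUALLY INSTALLED DEB PACKAGES" manual_installed.txt
    report_section "AUTOMATIC DEB PACKAGES" auto_installed.txt
    report_section "OWNING PACKAGE FOR /bin/bash" bash_owning_package.txt "Not found"
    # ---- System & security baseline ----
    report_section "SYSTEMD UNIT FILES (enabled/disabled)" systemd_unit_files.txt "Skipped (requires root)"
    report_section "SYSTEMD FAILED UNITS" systemd_failed_units.txt "Skipped (requires root)"
    report_section "SYSTEMD RUNNING SERVICES" systemd_running_services.txt "Skipped (requires root)"
    # ---- Users, groups & privilege escalation ----
    report_section "/etc/passwd ENTRIES" passwd_entries.txt
    report_section "/etc/group ENTRIES" group_entries.txt
    report_section "SUDOERS (who can sudo)" sudoers.txt
    report_section "SSH AUTHORIZED KEYS" ssh_authorized_keys.txt
    report_section "/etc/shadow (password policy, hashes redacted)" shadow.txt "Skipped (requires root)"
    report_section "SYSTEM-WIDE CRON (/etc/crontab, /etc/cron.d)" system_cron.txt
    report_section "ROOT CRONTAB" root_crontab.txt "Skipped (requires root)"
    printf '\n=== USER CRONTABS ===\n'
    found=0
    for f in "${AUDIT_DIR}"/crontab_*.txt; do
      [[ -e "$f" ]] || continue   # unmatched glob stays literal without nullglob
      found=1
      printf '%s\n' "---- ${f##*/} ----"
      cat -- "$f"
    done
    (( found )) || echo "No readable crontabs"
    # ---- Network & firewall ----
    report_section "LISTENING SOCKETS" listening_sockets.txt
    report_section "ACTIVE NETWORK CONNECTIONS" active_connections.txt
    if [[ -r "${AUDIT_DIR}/firewall_ufw.txt" ]]; then
      report_section "FIREWALL RULES" firewall_ufw.txt
    else
      report_section "FIREWALL RULES" firewall_iptables.txt
    fi
    report_section "ROUTING TABLE" routing_table.txt
    report_section "NETWORK INTERFACES" interfaces.txt
    # ---- Storage & filesystem ----
    report_section "DISK USAGE" disk_usage.txt
    report_section "MOUNTED FILESYSTEMS" mounts.txt
    report_section "TOP 10 LARGEST FILES" largest_files.txt
    report_section "MODIFIED DEB PACKAGE FILES (debsums)" modified_deb_files.txt
  } > "${AUDIT_DIR}/audit_report.txt"
}

#######################################
# Entry point: create the private output directory, run every collector,
# then build the report.
#######################################
main() {
  # umask 077 makes every file written below 0600 and the directory 0700
  # from the moment it exists, instead of a mkdir-then-chmod window.
  umask 077
  mkdir -p -- "${AUDIT_DIR}" || die "cannot create ${AUDIT_DIR}"
  chmod 700 -- "${AUDIT_DIR}"

  collect_os_info
  collect_deb_packages
  collect_optional_packages
  collect_systemd
  collect_users
  collect_network
  collect_storage
  build_report

  echo "Audit completed. Report saved to ${AUDIT_DIR}/audit_report.txt"
}

main "$@"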