Open-AudIT https://www.open-audit.org/phpBB3/ |
Current Linux audit script https://www.open-audit.org/phpBB3/viewtopic.php?f=20&t=5794 |
Page 3 of 4 |
Author: | RedDevils [ Fri Apr 19, 2013 11:56 am ] |
Post subject: | Re: Current Linux audit script |
[quote="RedDevils"]
System Info
./audit_linux.sh: line 513: -s: command not found
./audit_linux.sh: line 517: -s: command not found
./audit_linux.sh: line 527: -s: command not found
BIOS Info
Processor Info
./audit_linux.sh: line 695: -t: command not found
./audit_linux.sh: line 718: -t: command not found
[/quote]
So by manually setting the lines in the script from OA_DMIDECODE to /usr/sbin/dmidecode this portion of the script now pulls the data. Now on to the network portion,
Author: | ihashacks [ Fri Apr 19, 2013 12:48 pm ] |
Post subject: | Re: Current Linux audit script |
I can help you out with that. Do you have a little more information about the CentOS box you're running on? Type of NIC? Are they in any special configuration such as bonding? What are the interface names? eth0, em1, etc? Also, where did you get the script from and how long ago did you download it? I'm checking some of the lines that you referenced in your output, but those are comments in the latest version of the script. |
Author: | RedDevils [ Sat Apr 20, 2013 12:27 am ] |
Post subject: | Re: Current Linux audit script |
Hi ihashacks!

[quote="ihashacks"]Also, where did you get the script from and how long ago did you download it?[/quote]
So I grabbed version 58 from your repo just a few days back.

[quote="ihashacks"]Type of NIC?[/quote]
[code]
01:00.0 "Ethernet controller" "Broadcom Corporation" "NetXtreme II BCM5709 Gigabit Ethernet" -r20 "Dell" "PowerEdge R610 BCM5709 Gigabit Ethernet"
01:00.1 "Ethernet controller" "Broadcom Corporation" "NetXtreme II BCM5709 Gigabit Ethernet" -r20 "Dell" "PowerEdge R610 BCM5709 Gigabit Ethernet"
02:00.0 "Ethernet controller" "Broadcom Corporation" "NetXtreme II BCM5709 Gigabit Ethernet" -r20 "Dell" "PowerEdge R610 BCM5709 Gigabit Ethernet"
02:00.1 "Ethernet controller" "Broadcom Corporation" "NetXtreme II BCM5709 Gigabit Ethernet" -r20 "Dell" "PowerEdge R610 BCM5709 Gigabit Ethernet"
[/code]

[quote="ihashacks"]Are they in any special configuration such as bonding? What are the interface names? eth0, em1, etc?[/quote]
We do have bonding set up.
[code]
cd /sys/class/net/
ls
bond0 bonding_masters eth0 eth1 eth2 eth3 lo sit0
[/code]

What kind of info do you want on CentOS? The versions we run are:
CentOS release 5.8 (Final)
CentOS Linux release 6.0 (Final)
CentOS release 5.6 (Final)

Let me know if you need any other info. Thanks again mate!
Author: | ihashacks [ Sat Apr 20, 2013 1:05 am ] |
Post subject: | Re: Current Linux audit script |
Revision 58 might be the issue. 64 is the latest: https://bazaar.launchpad.net/~ihashacks ... evision/64 That release actually included a fix relating to NIC bonding issues. |
Author: | RedDevils [ Sat Apr 20, 2013 1:28 am ] |
Post subject: | Re: Current Linux audit script |
So I just pulled 64 down from the repo and I received the same errors.
[code]
Network Cards Info
/bin/cat: /sys/class/net/44 bond0/address: No such file or directory
./audit_linux.sh: line 1033: -vms: command not found
./audit_linux.sh: line 1037: -vms: command not found
./audit_linux.sh: line 1047: 44 bond0: command not found
/bin/cat: /sys/class/net/44 bond0/operstate: No such file or directory
./audit_linux.sh: line 1013: addr: command not found
./audit_linux.sh: line 1013: addr: command not found
/bin/cat: /sys/class/net/50 eth0/address: No such file or directory
./audit_linux.sh: line 1033: -vms: command not found
./audit_linux.sh: line 1037: -vms: command not found
./audit_linux.sh: line 1047: 50 eth0: command not found
/bin/cat: /sys/class/net/50 eth0/operstate: No such file or directory
./audit_linux.sh: line 1013: addr: command not found
./audit_linux.sh: line 1013: addr: command not found
/bin/cat: /sys/class/net/55 eth1/address: No such file or directory
./audit_linux.sh: line 1033: -vms: command not found
./audit_linux.sh: line 1037: -vms: command not found
./audit_linux.sh: line 1047: 55 eth1: command not found
/bin/cat: /sys/class/net/55 eth1/operstate: No such file or directory
./audit_linux.sh: line 1013: addr: command not found
./audit_linux.sh: line 1013: addr: command not found
/bin/cat: /sys/class/net/48 eth2/address: No such file or directory
./audit_linux.sh: line 1033: -vms: command not found
./audit_linux.sh: line 1037: -vms: command not found
./audit_linux.sh: line 1047: 48 eth2: command not found
/bin/cat: /sys/class/net/48 eth2/operstate: No such file or directory
./audit_linux.sh: line 1013: addr: command not found
./audit_linux.sh: line 1013: addr: command not found
/bin/cat: /sys/class/net/48 eth3/address: No such file or directory
./audit_linux.sh: line 1033: -vms: command not found
./audit_linux.sh: line 1037: -vms: command not found
./audit_linux.sh: line 1047: 48 eth3: command not found
/bin/cat: /sys/class/net/48 eth3/operstate: No such file or directory
./audit_linux.sh: line 1013: addr: command not found
./audit_linux.sh: line 1013: addr: command not found
/bin/cat: /sys/class/net/48 sit0/address: No such file or directory
./audit_linux.sh: line 1033: -vms: command not found
./audit_linux.sh: line 1037: -vms: command not found
./audit_linux.sh: line 1047: 48 sit0: command not found
/bin/cat: /sys/class/net/48 sit0/operstate: No such file or directory
./audit_linux.sh: line 1013: addr: command not found
./audit_linux.sh: line 1013: addr: command not found
[/code]
Author: | ihashacks [ Sat Apr 20, 2013 6:55 am ] |
Post subject: | Re: Current Linux audit script |
I believe you are missing "lspci" since "-vms" are parameters to $OA_LSPCI. What happens if you run "./audit_linux.sh check_commands=y | grep lspci"? Does lspci have a path or is it blank?
Author: | RedDevils [ Sun Apr 21, 2013 6:44 am ] |
Post subject: | Re: Current Linux audit script |
[code]
./audit_linux.sh check_commands=y
Checking commands on .
----------------------
awk : /bin/awk
bc :
cat : /bin/cat
cdrdao :
cut : /bin/cut
date : /bin/date
df : /bin/df
dmesg : /bin/dmesg
dmidecode : /usr/sbin/dmidecode
dpkg :
echo : /bin/echo
ethtool : /sbin/ethtool
expr : /usr/bin/expr
fdisk : /sbin/fdisk
grep : /bin/grep
head : /usr/bin/head
hostname : /bin/hostname
ifconfig : /sbin/ifconfig
ip : /sbin/ip
iwlist :
lsb_release :
lshw :
lspci : /sbin/lspci
lvm : /sbin/lvm
mdadm :
partprobe :
ping : /bin/ping
ps : /bin/ps
rev : /usr/bin/rev
rm : /bin/rm
sed : /bin/sed
sort : /bin/sort
swapon : /sbin/swapon
tail : /usr/bin/tail
test : /usr/bin/test
uname : /bin/uname
wc : /usr/bin/wc
wget : /usr/bin/wget
whoami : /usr/bin/whoami
[/code]
lspci is installed, it's in /sbin. The thing is, if I set the path in the script that part will work. Although, it does not like -s.
[code]
Network Cards Info
/bin/cat: /sys/class/net/44 bond0/address: No such file or directory
lspci: -s: Invalid slot number
lspci: -s: Invalid slot number
./audit_linux.sh: line 1047: 44 bond0: command not found
/bin/cat: /sys/class/net/44 bond0/operstate: No such file or directory
./audit_linux.sh: line 1013: addr: command not found
./audit_linux.sh: line 1013: addr: command not found
/bin/cat: /sys/class/net/50 eth0/address: No such file or directory
lspci: -s: Invalid slot number
lspci: -s: Invalid slot number
./audit_linux.sh: line 1047: 50 eth0: command not found
/bin/cat: /sys/class/net/50 eth0/operstate: No such file or directory
./audit_linux.sh: line 1013: addr: command not found
./audit_linux.sh: line 1013: addr: command not found
/bin/cat: /sys/class/net/55 eth1/address: No such file or directory
lspci: -s: Invalid slot number
lspci: -s: Invalid slot number
./audit_linux.sh: line 1047: 55 eth1: command not found
/bin/cat: /sys/class/net/55 eth1/operstate: No such file or directory
./audit_linux.sh: line 1013: addr: command not found
./audit_linux.sh: line 1013: addr: command not found
/bin/cat: /sys/class/net/48 eth2/address: No such file or directory
lspci: -s: Invalid slot number
lspci: -s: Invalid slot number
./audit_linux.sh: line 1047: 48 eth2: command not found
/bin/cat: /sys/class/net/48 eth2/operstate: No such file or directory
./audit_linux.sh: line 1013: addr: command not found
./audit_linux.sh: line 1013: addr: command not found
/bin/cat: /sys/class/net/48 eth3/address: No such file or directory
lspci: -s: Invalid slot number
lspci: -s: Invalid slot number
./audit_linux.sh: line 1047: 48 eth3: command not found
/bin/cat: /sys/class/net/48 eth3/operstate: No such file or directory
./audit_linux.sh: line 1013: addr: command not found
./audit_linux.sh: line 1013: addr: command not found
/bin/cat: /sys/class/net/48 sit0/address: No such file or directory
lspci: -s: Invalid slot number
lspci: -s: Invalid slot number
./audit_linux.sh: line 1047: 48 sit0: command not found
/bin/cat: /sys/class/net/48 sit0/operstate: No such file or directory
./audit_linux.sh: line 1013: addr: command not found
./audit_linux.sh: line 1013: addr: command not found
[/code]
Author: | RedDevils [ Sun Apr 21, 2013 12:54 pm ] |
Post subject: | Re: Current Linux audit script |
Little more info.
[code]
ls -l /sys/class/net/ | grep -Ev 'bonding_masters|lo|total' | rev | cut -d/ -f1,3 | rev | cut -d: -f2,3
44 bond0
50 eth0
55 eth1
48 eth2
48 eth3
48 sit0
[/code]
Looks like it's not stripping the two digits and space before the interface.
[code]
/bin/cat: /sys/class/net/44 bond0/operstate: No such file or directory
[/code]
So for these errors, it's not being passed $net_card_pci due to the above error.
[code]
lspci: -s: Invalid slot number
[/code]
How can I get the script to drop the digits and space?
Author: | RedDevils [ Mon Apr 22, 2013 1:15 am ] |
Post subject: | Re: Current Linux audit script |
So I have brought it a bit further. I have stripped out the characters by adding another cut line. From what I can tell, my servers do not have /sys/class/net/interface/device. This is why -s shows invalid slot number. Trying to figure out why my CentOS servers do not have this.
[code]
lspci: -s: Invalid slot number
lspci: -s: Invalid slot number
./audit_linux2.sh: line 1008: addr: command not found
./audit_linux2.sh: line 1008: addr: command not found
lspci: -s: Invalid slot number
lspci: -s: Invalid slot number
./audit_linux2.sh: line 1008: addr: command not found
./audit_linux2.sh: line 1008: addr: command not found
lspci: -s: Invalid slot number
lspci: -s: Invalid slot number
./audit_linux2.sh: line 1008: addr: command not found
./audit_linux2.sh: line 1008: addr: command not found
lspci: -s: Invalid slot number
lspci: -s: Invalid slot number
./audit_linux2.sh: line 1008: addr: command not found
./audit_linux2.sh: line 1008: addr: command not found
lspci: -s: Invalid slot number
lspci: -s: Invalid slot number
./audit_linux2.sh: line 1008: addr: command not found
./audit_linux2.sh: line 1008: addr: command not found
lspci: -s: Invalid slot number
lspci: -s: Invalid slot number
Cannot get device settings: Invalid argument
Cannot get wake-on-lan settings: Invalid argument
Cannot get message level: Invalid argument
Cannot get link status: Invalid argument
./audit_linux2.sh: line 1008: addr: command not found
./audit_linux2.sh: line 1008: addr: command not found
[/code]
Author: | RedDevils [ Mon Apr 22, 2013 1:58 am ] |
Post subject: | Re: Current Linux audit script |
I take that back, only bond0 is missing the device dir at /sys/class/net/bond0/. I still say a lot of this is environmental. If I hard code the path to each command, I move forward a lot. Seems to work perfectly on any Ubuntu system.

So I think I just found something. Looks like a permissions thing on uevent.
[code]
grep: /sys/class/net/eth0/device/uevent: Permission denied
[/code]
On the Ubuntu systems this is where it pulls "PCI_SLOT_NAME"; this is what is used for -s in lspci. So I set read perms for root, but the uevent file in bond0 is empty.
Author: | aylnews [ Mon Apr 22, 2013 7:18 pm ] |
Post subject: | Re: Current Linux audit script |
I am running a mix of RedHat and CentOS (amongst other Linux variants) and I have found the same problem with RedHat and CentOS version 5.x. My CentOS 6.x installations audit without any errors.

Here is an audit using an identical script, the first one from a RedHat 5.8 install and the second one run on a CentOS 6.3 machine.

RedHat 5.8
[quote]
Starting audit - .
Not pinging target, attempting to audit.
My PID is :
Audit Start Time : 2013-04-22 09:36:08
Audit Location: local
-------------------
System Info
BIOS Info
Processor Info
Memory Info
Motherboard Info
Optical Drives Info
Video Cards Info
Sound Cards Info
Shares Info
Network Cards Info
/bin/cat: /sys/class/net/12 bond0/address: No such file or directory
lspci: -s: Invalid slot number
lspci: -s: Invalid slot number
Cannot get device settings: No such device
Cannot get wake-on-lan settings: No such device
Cannot get message level: No such device
Cannot get link status: No such device
/bin/cat: /sys/class/net/12 bond0/operstate: No such file or directory
Device "12 bond0" does not exist.
Device "12 bond0" does not exist.
/bin/cat: /sys/class/net/29 eth0/address: No such file or directory
lspci: -s: Invalid slot number
lspci: -s: Invalid slot number
Cannot get device settings: No such device
Cannot get wake-on-lan settings: No such device
Cannot get message level: No such device
Cannot get link status: No such device
/bin/cat: /sys/class/net/29 eth0/operstate: No such file or directory
Device "29 eth0" does not exist.
Device "29 eth0" does not exist.
/bin/cat: /sys/class/net/29 eth1/address: No such file or directory
lspci: -s: Invalid slot number
lspci: -s: Invalid slot number
Cannot get device settings: No such device
Cannot get wake-on-lan settings: No such device
Cannot get message level: No such device
Cannot get link status: No such device
/bin/cat: /sys/class/net/29 eth1/operstate: No such file or directory
Device "29 eth1" does not exist.
Device "29 eth1" does not exist.
/bin/cat: /sys/class/net/29 eth2/address: No such file or directory
lspci: -s: Invalid slot number
lspci: -s: Invalid slot number
Cannot get device settings: No such device
Cannot get wake-on-lan settings: No such device
Cannot get message level: No such device
Cannot get link status: No such device
/bin/cat: /sys/class/net/29 eth2/operstate: No such file or directory
Device "29 eth2" does not exist.
Device "29 eth2" does not exist.
/bin/cat: /sys/class/net/29 eth3/address: No such file or directory
lspci: -s: Invalid slot number
lspci: -s: Invalid slot number
Cannot get device settings: No such device
Cannot get wake-on-lan settings: No such device
Cannot get message level: No such device
Cannot get link status: No such device
/bin/cat: /sys/class/net/29 eth3/operstate: No such file or directory
Device "29 eth3" does not exist.
Device "29 eth3" does not exist.
/bin/cat: /sys/class/net/29 eth4/address: No such file or directory
lspci: -s: Invalid slot number
lspci: -s: Invalid slot number
Cannot get device settings: No such device
Cannot get wake-on-lan settings: No such device
Cannot get message level: No such device
Cannot get link status: No such device
/bin/cat: /sys/class/net/29 eth4/operstate: No such file or directory
Device "29 eth4" does not exist.
Device "29 eth4" does not exist.
/bin/cat: /sys/class/net/29 eth5/address: No such file or directory
lspci: -s: Invalid slot number
lspci: -s: Invalid slot number
Cannot get device settings: No such device
Cannot get wake-on-lan settings: No such device
Cannot get message level: No such device
Cannot get link status: No such device
/bin/cat: /sys/class/net/29 eth5/operstate: No such file or directory
Device "29 eth5" does not exist.
Device "29 eth5" does not exist.
/bin/cat: /sys/class/net/29 sit0/address: No such file or directory
lspci: -s: Invalid slot number
lspci: -s: Invalid slot number
Cannot get device settings: No such device
Cannot get wake-on-lan settings: No such device
Cannot get message level: No such device
Cannot get link status: No such device
/bin/cat: /sys/class/net/29 sit0/operstate: No such file or directory
Device "29 sit0" does not exist.
Device "29 sit0" does not exist.
Log Info
Swap Info
User Info
Software Info
Service Info
Route Info
Submitting results to server
Audit Generated in 14 seconds.
[/quote]

CentOS 6.3
[quote]
Starting audit - .
Not pinging target, attempting to audit.
My PID is : 26056
Audit Start Time : 2013-04-22 09:34:43
Audit Location: local
-------------------
System Info
BIOS Info
Processor Info
Memory Info
Motherboard Info
Optical Drives Info
Video Cards Info
Sound Cards Info
Shares Info
Network Cards Info
Log Info
Swap Info
User Info
Software Info
Service Info
Route Info
Submitting results to server
Audit Generated in 152 seconds.
[/quote]
Author: | RedDevils [ Tue Apr 23, 2013 12:12 am ] |
Post subject: | Re: Current Linux audit script |
I ended up having to do this to get most of it to work. I had to give the path to all commands and add in an extra cut (lines 1008 and 1021) "/usr/bin/cut -d\  -f2,3`" to strip out a two digit number and space. So now it gets /sys/class/net/interface and not /sys/class/net/44 interface.
[code]
 994 ##################################
 995 # NETWORK CARDS SECTION #
 996 ##################################
 997
 998 if [ "$debugging" -gt "0" ]; then
 999     $OA_ECHO "Network Cards Info"
1000 fi
1001
1002 net_cards=`/bin/ls -l /sys/class/net/ |\
1003     /bin/grep -Ev 'bonding_masters|lo|total' |\
1004     /usr/bin/rev |\
1005     /usr/bin/cut -d/ -f1,3 |\
1006     /usr/bin/rev |\
1007     /usr/bin/cut -d: -f2,3 |\
1008     /usr/bin/cut -d\  -f2,3`   # delimiter is an escaped space: two spaces follow the backslash
1009
1010 if [ "$net_cards" != "" ]; then
1011     # Store the IP Addresses Information in a variable to write it later on the file
1012     addr_info=""
1013     /bin/echo " <network_cards>" >> $xml_file
1014     IFS=$'\n'; for net_card_connection_id in `/bin/ls -l /sys/class/net/ |\
1015         /bin/grep -Ev 'bonding_masters|lo|total' |\
1016         /bin/sed -re 's/virtio[0-9]+\///' |\
1017         /usr/bin/rev |\
1018         /usr/bin/cut -d/ -f1,3 |\
1019         /usr/bin/rev |\
1020         /usr/bin/cut -d: -f2,3 |\
1021         /usr/bin/cut -d\  -f2,3`; do   # same escaped-space delimiter as line 1008
1022         net_card_id=`/bin/echo $net_card_connection_id |\
1023             /usr/bin/cut -d/ -f2`
1024         net_card_pci=`/bin/echo $net_card_connection_id |\
1025             /usr/bin/cut -d/ -f1`
1026         net_card_mac=`/bin/cat /sys/class/net/$net_card_id/address`
1027         if [ $net_card_pci = 'virtual' ]; then
1028             net_card_model="Virtual Interface"
1029             net_card_manufacturer="Linux"
1030         else
1031             net_card_model=`/sbin/lspci -vms $net_card_pci |\
1032                 /bin/grep -v $net_card_pci |\
1033                 /bin/grep ^Device |\
1034                 /usr/bin/cut -d: -f2 |\
1035                 /usr/bin/cut -c2-`
1036             net_card_manufacturer=`/sbin/lspci -vms $net_card_pci |\
1037                 /bin/grep ^Vendor |\
1038                 /usr/bin/cut -d: -f2 |\
1039                 /usr/bin/cut -c2-`
1040         fi
[/code]
I still have a problem with bond0.

Looks like the script is looking for the dir "device" and then cat uevent for the slot number of the interface (not 100% on this and please correct me if I am wrong). On all of my CentOS release 5.8 and CentOS release 5.6 servers bond0/uevent is owned by root, but with write perms only. I then added 644 to uevent and cat to see what was in it, it's blank. I grep'ed the bond0 dir for "PCI_SLOT_NAME", nothing. In my bond0 I have the following:
[code]
ls /sys/class/net/bond0
address addr_len bonding broadcast carrier dormant features flags ifindex iflink link_mode mtu operstate slave_eth0 slave_eth1 statistics subsystem tx_queue_len type uevent weight
[/code]
I am kinda stuck.
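An alternative to the extra cut, as an added example that is not part of audit_linux.sh or of any post in this thread: the stray "44 " in the output above looks like the minutes field of an `ls -l` timestamp, left behind when the sysfs entry is a plain directory rather than a symlink (an assumption about older kernels), so this version takes interface names from the directory entries and the PCI slot from the `device` link. The function names, the directory parameter, the "virtual" fallback for anything without a PCI parent and the constructed sample tree are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of audit_linux.sh: list interfaces as "<pci>/<iface>"
# or "virtual/<iface>" straight from sysfs, without parsing `ls -l` output.

# Print the PCI address (bus:dev.fn) behind an interface directory, or nothing.
pci_slot_of() {
    [ -e "$1/device" ] || return 0      # bond0 and friends have no device link
    dev=$(readlink -f "$1/device")
    slot=
    old_ifs=$IFS; IFS=/
    set -f                              # no globbing while splitting the path
    for part in $dev; do
        case $part in
            # Keep the deepest component shaped like 0000:01:00.0; this also
            # finds the parent PCI device when the link ends in virtioN.
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f].[0-7])
                slot=$part ;;
        esac
    done
    set +f; IFS=$old_ifs
    printf '%s' "${slot#*:}"            # drop the PCI domain, like cut -d: -f2,3
}

# list_net_cards [DIR]: DIR defaults to /sys/class/net; it is a parameter so
# the function can be pointed at a test tree.
list_net_cards() {
    net_dir=${1:-/sys/class/net}
    for path in "$net_dir"/*; do
        iface=${path##*/}
        # Exact-name skips; grep -Ev 'lo' would drop any name containing "lo".
        case $iface in lo|bonding_masters) continue ;; esac
        if [ ! -d "$path" ]; then continue; fi
        slot=$(pci_slot_of "$path")
        printf '%s/%s\n' "${slot:-virtual}" "$iface"
    done
}

# Constructed sample tree: interface entries are real directories (assumed
# older-kernel layout), eth0 has a device link, bond0 has none.
make_sample_sysfs() {
    root=$(mktemp -d)
    mkdir -p "$root/devices/pci0000:00/0000:00:1c.0/0000:01:00.0" \
             "$root/class/net/eth0" "$root/class/net/bond0" "$root/class/net/lo"
    ln -s ../../../devices/pci0000:00/0000:00:1c.0/0000:01:00.0 \
          "$root/class/net/eth0/device"
    : > "$root/class/net/bonding_masters"
    printf '%s\n' "$root/class/net"
}

sample=$(make_sample_sysfs)
list_net_cards "$sample"
rm -rf "${sample%/class/net}"
```

Because bond0 has no `device` entry it is reported as virtual, so lspci is never called with an empty slot argument for it.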
Author: | ihashacks [ Tue Apr 23, 2013 1:50 am ] |
Post subject: | Re: Current Linux audit script |
Are you running this script as root? If not, you should be. Many of the things checked will require root/sudo permissions. |
Author: | RedDevils [ Tue Apr 23, 2013 4:21 am ] |
Post subject: | Re: Current Linux audit script |
[code]
sudo sh audit_linux.sh
[/code]
Just as a side note, I would be getting very different errors if I was not running as root/sudo. These are environmental issues with CentOS 5.9 and under. CentOS seems to be a bit better, but not much.
Author: | ihashacks [ Tue Apr 23, 2013 3:06 pm ] |
Post subject: | Re: Current Linux audit script |
I'll fire up a CentOS 5 VM and run some tests. |
Page 3 of 4 | All times are UTC + 10 hours |