Open-AudIT

Hi,
Who would I have a chat to to start modifying the code for the linux audit?
I have the following problems that I would like to work out, possibly with a mentor:

(server running on ubuntu/debian)
OS Installed Date: 0000-00-00
Disk Usage graphs showing /dev and proc (need / and a specified partition)
Shared Drives should read from smb.conf maybe?
Service Pack and Windows Directory should possibly auto-remove themselves from the web end when on a linux box[
IIS settings - able to be replaced with apache settings? or just removed altogether?

Thanks heaps
Nate

As far as I remember Mark did the original Linux script.

Its a bash script, so anybody who is familiar with bash (myself included) should be able to help. I have a handful of boxes running linux here, but so far I haven't audited them with this script (they are mainly running firewall/VPN distros, and rarely change, so they have not been a priority).

How familiar are you with shell scripts?
How familiar are you with Ubunto/Debian?

Most of what you are asking for is "do-able" for example uname -a will yield the *nix name, build date of linx and version info, and is a fairly universal *nix command (the creation date of the /dev folder is almost invariably a good indicator of the install date, and doesn't require a lot of effort to find).

mount (without any switches) will show a list of all of the currently mounted File Systems,

df (or df -H) will give disk stats you can pass to the disk usage graph with a little string manipulation. (try sed and grep for this)

grep and smb.conf and a little head scratching will show the smb shares (grep is the best thing since the sliced loaf).

"The Service Pack and Windows Folder should remove themselves...", or perhaps better still, the Linux boxes should appear separately from the Windows boxes in the lists. The Linux boxes could show their build and distro type or whatever.

I like the idea of showing Apache settings for Linux, and ALSO for Windows, since I use Apache on Windows instead of IIS to host most of our internal web sites.

Further reading..

bash [url]http://en.wikipedia.org/wiki/Bash[/url]
df [url]http://unixhelp.ed.ac.uk/CGI/man-cgi?df[/url]
grep [url]http://en.wikipedia.org/wiki/Grep[/url]
mount [url]http://unixhelp.ed.ac.uk/CGI/man-cgi?mount+8[/url]
sed [url]http://en.wikipedia.org/wiki/Sed[/url]
uname [url]http://en.wikipedia.org/wiki/Uname[/url]

For those *nix things that don't do what they should (or do nothing at all), see [url]http://bhami.com/rosetta.html[/url] (have a play with the select boxes on the page).

and finally a little light reading! [url]http://en.wikipedia.org/wiki/List_of_Unix_programs[/url]

Hope these ideas help.

_________________
Andrew

[size=85]OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory[/size]

Thanks of the little bit of light reading. I'm slowly starting to become more accustomed to bash scripting and ubuntu/debian.
As and when I get time I'll have a play with the script on my test box and see what i can do.
I do have a few things on my plate the next few weeks (including trying to get a linux mail server working) but anything I come up with I will post up on here too.

Nate

What kind of Linux mail server?

_________________
Andrew

[size=85]OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory[/size]

I've been looking at Postfix with courier on Ubuntu.
I really want an alternative to exchange for my new server. The main problems I forsee will be calendars and mail transferring.
I also will be using it as my webserver just to put that all-round touch to it.

If you are looking for a very good server distro which includes mail server and web server then you can't go past SME server, http://smeserver.org .

It is based on Centos 4.4 so is an enterprise class server. You will find a very active community for it at http://contribs.org.

Jon

_________________
Jon Blakely

Computer Troubleshooters - Howick
Auckland
NZ

http://technologysolved.co.nz

If you want shared calendars, and Outlook for clients, you're gonna have to pay for it. We just replaced Exchange 2000 with Scalix. Not bad, but not perfect... There is another one, too - can't recall the name. Will add to this when I can. EDIT - PostPath is the other one...

As for the Linux script - yep, I have to admit to that one !!!
[quote]OS Installed Date: 0000-00-00
Disk Usage graphs showing /dev and proc (need / and a specified partition)
Shared Drives should read from smb.conf maybe?
Service Pack and Windows Directory should possibly auto-remove themselves from the web end when on a linux box[
IIS settings - able to be replaced with apache settings? or just removed altogether?

Back to topic: I also plan to use the linux shell script in order to maintain my linux servers at my company. I added some functionality to the shell script, but all of my changes are and will be somehow Debian/Ubuntu related as I'm only working on and with those server systems.

I'd like to share my improvements with the community, how would be the best way to do so? Diffs are not the best way I think because they always need a specific version for a patch.

Some things I've extended/added so far (to svn checkout 2007-04-12):

* Added possibility to override/set IP for system on commandline (when having a system with multiple IPs, the latest "eth*" one was taken for the system which is not always the best choice)
* All software packages (via dpkg --get-selection) are taken and shown in the GUI
* All notwork-adapters are shown (not only eth* as there could be other interesting devices such as OpenVPN bridges, xen bridges, etc.)

Some things I plan to fix/extend in the next few days:

* Identify memory bank configuration (perhaps via lshw?)
* Identify crontabs per user and list those (not sure how to get them into the open-audit database without having to extend it)
* many more improvements

Hi Oliver,

Could you post up on here your mod for the packages installed? Thats one thing I would like to impliment shortly, and it would be easier to use yours than rewrite it too.

Also, has anyone else had problems with the list of users on the system being rather screwed up (I can post an example of this if needed) or /dev and /proc showing up under the hdd graphs with the values 0,0 & 0 while the graphs have changed over time (but make no sense with those values)

Nate

You've got a PM.

Users: No problem here, all users are ok.

HDD Graphs: Also a problem here - in my case the corresponding drive_letter column in the database was only varchar(4) and so always truncated to /dev. Maybe database specification was too old as this database was set up long time ago.

With the users, it lists the first few fine, until this:

[code]
Name: root
Full Name: root
SID: 0
Disabled:
Password :
Changeable:
Description:

Name: Hardware
Full Name: daemon
SID: abstraction
Disabled:
Password :
Changeable:
Description:

Name: daemon
Full Name: layer
SID: 1
Disabled:
Password :
Changeable:
Description:

Name:
Full Name: 112
SID:
Disabled:
Password :
Changeable:
Description:

Name: daemon
Full Name: root
SID: bin
Disabled:
Password :
Changeable:
Description:

Name: sync
Full Name: sys
SID: games
Disabled:
Password :
Changeable:
Description:

Name: lp
Full Name: man
SID: mail
Disabled:
Password :
Changeable:
Description:
[/code]

I think its reading Hardware Abstraction Layer as 3 separate fields

any ideas?

Fixed another problem concerning LVM partitions. Reading those crashed as the df command does a line break if the partitions name has more characters then normal output of df has for this column. This is the new partion-block for the audit_linux.sh file:

[code]
#Partitions
for j in `df -P -l -T -x tmpfs |awk '{print $1}'`
do
if [ "$j" != "Filesystem" ] ; then
if [ -b "$j" ]; then
part_capt=`df -P -l -T -x tmpfs | grep "^$j " | awk '{print $7}'`
if [ "$part_capt" = "/" ]; then
part_boot="True"
else
part_boot="False"
fi
part_perc=`df -P -l -T -x tmpfs | grep "^$j " |awk '{print $6}'`
part_name=`df -P -l -T -x tmpfs | grep "^$j " |awk '{print $1}'`
part_form=`df -P -l -T -x tmpfs | grep "^$j " |awk '{print $2}'`
part_size=`df -P -l -T -x tmpfs | grep "^$j " |awk '{print $3}'`
part_size=`expr $part_size / 1`
part_size=`expr $part_size / 1024`
part_aval=`df -P -l -T -x tmpfs | grep "^$j " |awk '{print $5}'`
part_aval=`expr $part_aval / 1`
part_aval=`expr $part_aval / 1024`
if [ "$part_form" != "Type" ]; then
echo "partition^^^$part_boot^^^$part_boot^^^ ^^^ ^^^$part_perc^^^$part_boot^^^$part_name^^^$part_form^^^$part_aval^^^$part_size^^^$part_name^^^" >> $ReportFile
fi
# Missing - DeviceID
# - Disk Index
# - File System
fi
fi
done
[/code]

Changes:

* Added parameter "-P" for df (-P stands for POSIX compatible format and forces df to return one lined output instead of doing line break)
* Added if clause to exclude "Filesystem" output (default header) and non-block-devices (-b)
* extended the grep command to "^$j " in order to only get the current filesystem instead of all those matches (e.g. /dev/mapper/sysvg-var matches also /dev/mapper/sysvg-var_tmp and produces an error)

Speaking of Linux scripts, Mark said he had a SUSE audit script. Since I can't get ahold of him,l anyone else have a copy of it? All of my servers all running SLES and OpenSUSE. Thanks.