Open-AudIT https://www.open-audit.org/phpBB3/

Current Linux audit script https://www.open-audit.org/phpBB3/viewtopic.php?f=20&t=5794
Page 1 of 4
Author: a.arenas [ Fri Sep 28, 2012 10:09 am ]
Post subject: Current Linux audit script

EDIT - Mark here, sorry for post hijacking. I figured I'd put this link right in the first post so people can grab the file easily. The current audit_linux.sh is on Launchpad, [url=http://bazaar.launchpad.net/~ihashacks/oav2/linux-audit-additions/view/head:/other/audit_linux.sh]here[/url]. Now back to your regular programming.

--------------------------------------------------------------------------------------

Hi everyone,

I started working on a Linux audit script. I gave it a try a long time ago on an early beta, but now I'm trying to start again based on the Windows Version 11. At this moment the script just reports the system info, BIOS and processor info. I added a new switch check_commands=y just to check the location of the required commands and exit... it is pretty early stuff, but at least I can report my Linux boxes on Beta 7.3.

Since I'm using dmidecode to get some info, the script requires root access.

Copy the audit_linux script to your preferred location (/usr/share/audit_linux.sh is what I'm using):

[code]# cd /usr/share
# chown root.root audit_linux.sh
# chmod u+x audit_linux.sh[/code]

Now as a normal user, from your home directory:

[code]$ su -c "/usr/share/audit_linux.sh check_commands=y"
$ su -c "/usr/share/audit_linux.sh create_file=y"
$ su -c "/usr/share/audit_linux.sh submit_online=y url='http://server/oav2/index.php/system/add_system'"[/code]

or

[code]$ sudo /usr/share/audit_linux.sh check_commands=y
$ sudo /usr/share/audit_linux.sh create_file=y
$ sudo /usr/share/audit_linux.sh submit_online=y url='http://server/oav2/index.php/system/add_system'[/code]

As new versions are ready I will keep posting. Enjoy!

Author: Mark [ Fri Sep 28, 2012 12:03 pm ]
Post subject: Re: Linux auditing?

Here's a very basic one I've been toying with. It is nowhere near complete (take a look), but it seems to work with a couple of distros I've tried it on. I have been avoiding HAL on purpose as it is deprecated. A shame really as it was very handy...

Author: a.arenas [ Fri Sep 28, 2012 9:45 pm ]
Post subject: Re: Linux auditing?

Great, I will check it and use some stuff from there. I see you use lshw (to get processor info), which is not available by default on CentOS. I will try to use as few commands as possible. Currently I'm testing on CentOS 6.3 (64 on HW & 32 virtual), openSUSE-12.2 (32 virtual), linuxmint-13 (virtual) and ubuntu-12.04 (32 virtual). I will also try Debian, to cover what I think are the most common distros around.

Author: a.arenas [ Tue Oct 02, 2012 8:30 am ]
Post subject: Re: Linux auditing?

OK. Updated script, now audits:
system
bios
processor
memory
motherboard
optical drives
video cards
network cards, addresses ipv4 & ipv6

Next I will report disks and partitions.

Regards,

Author: Mark [ Wed Oct 03, 2012 2:55 pm ]
Post subject: Re: Linux auditing?

Just checked on a fairly standard Ubuntu 11.10 server install. Missing commands are:
bc
cdrdao
ethtool
iwlist
lvm
mdadm

And on a Debian 5 install:
cdrdao
ethtool
iwlist
lsb_release
lshw
lvm
mdadm
partprobe

Will check at home on a 12.04 desktop as well. The script runs without these present, but obviously produces errors and does not populate the attributes. For these commands (and only these), maybe when we run them we should suppress errors to /dev/null (example 2>/dev/null)? Or we could detect they are not there in the first place and not run the commands at all? Just thinking...

Initially looking at a result, your processor description is incorrect. Suggest you use

[code]cat /proc/cpuinfo | grep "model name" | cut -d: -f2 | cut -c2- | tr "\n" "^" | cut -d^ -f$PROCESSOR_COUNT[/code]

instead of

[code]$OA_DMIDECODE -s processor-version | $OA_HEAD -n1[/code]

replacing the commands as needed. Same with processor speed and cores. The different results on my (VMware virtualised) Ubuntu 11.10 server are:

Intel(R) Xeon(R) CPU X5460 @ 3.16GHz (the correct value - note, need to remove whitespace)

versus

Pentium(R) III (the value from your script).

As above, also check net_connection_status and net_speed. Loving it so far

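Mark's two suggestions in the post above (only run optional commands when they are actually installed, and build the processor description from /proc/cpuinfo with the whitespace stripped) worked through as an added shell example. This is not code from the thread or from audit_linux.sh: the oa_* and cpu_* function names and the constructed /proc/cpuinfo excerpt are assumptions made here.

```shell
#!/bin/sh
# Added example, not from audit_linux.sh: resolve optional commands up front
# and build the processor attributes from /proc/cpuinfo using only coreutils,
# grep and awk. Function names (oa_*, cpu_*) are assumed, not the script's own.

# Print the full path of a command, or nothing (exit status 1) if it is absent.
oa_find_cmd() {
    command -v "$1" 2>/dev/null
}

# Run a command only if it is installed. An absent command prints nothing and
# returns 0, so the attribute that consumes the output is simply left empty
# instead of the script spewing "command not found" errors.
oa_run_optional() {
    cmd=$(oa_find_cmd "$1") || return 0
    shift
    "$cmd" "$@" 2>/dev/null
}

# Constructed /proc/cpuinfo excerpt: two logical processors on one socket,
# with the padded model name seen on Xeons. Spaces stand in for the tabs a
# real file uses; the awk patterns below accept either.
SAMPLE_CPUINFO='processor       : 0
model name      : Intel(R) Xeon(R) CPU           X5460  @ 3.16GHz
cpu MHz         : 3158.000
physical id     : 0
cpu cores       : 4
processor       : 1
model name      : Intel(R) Xeon(R) CPU           X5460  @ 3.16GHz
cpu MHz         : 3158.000
physical id     : 0
cpu cores       : 4
'

# Model name of the first processor, with leading/trailing whitespace removed
# and inner runs of spaces collapsed to one.
cpu_model() {
    printf '%s' "$1" | awk -F: '/^model name/ {
        sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); gsub(/[ \t]+/, " ", $2)
        print $2; exit }'
}

# Logical processor count: one "processor" line per logical CPU.
cpu_count() {
    printf '%s' "$1" | grep -c '^processor'
}

# Physical socket count: number of distinct "physical id" values.
cpu_sockets() {
    printf '%s' "$1" | awk -F: '/^physical id/ {
        gsub(/[ \t]/, "", $2); if (!($2 in seen)) { seen[$2] = 1; n++ } }
        END { print n + 0 }'
}

# Current clock in whole MHz from the first "cpu MHz" line. This is the
# current speed, which can sit below the rated maximum on a laptop, so a
# caller would prefer dmidecode's "Max Speed" when that command is available.
cpu_speed_mhz() {
    printf '%s' "$1" | awk -F: '/^cpu MHz/ { gsub(/[ \t]/, "", $2); printf "%d\n", $2; exit }'
}

# Demo on the constructed sample, then exercise the optional-command wrapper.
echo "model   : $(cpu_model "$SAMPLE_CPUINFO")"
echo "count   : $(cpu_count "$SAMPLE_CPUINFO")"
echo "sockets : $(cpu_sockets "$SAMPLE_CPUINFO")"
echo "MHz     : $(cpu_speed_mhz "$SAMPLE_CPUINFO")"
echo "lsb     : '$(oa_run_optional lsb_release -d)'"   # empty when not installed
```

The wrapper covers Mark's second option (do not run what is not there); the 2>/dev/null inside it also covers the first, for commands that exist but fail on a given box, for example ethtool on a virtual NIC.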
Author: a.arenas [ Thu Oct 04, 2012 11:17 am ]
Post subject: Re: Linux auditing?

Hi Mark, thanks for your comments.

OK, replaced the optical drive detection without cdrdao. About ethtool: ethtool and ip are supposed to replace ifconfig in the future. I use ethtool to get the link speed since I can not find a way to obtain it anymore (the dmesg trick is not working on CentOS nor in Fedora). The problem is that in VMs it doesn't seem to work that well. Any ideas?

iwlist is only used on wireless. mdadm if you have software RAID, lvm only needed if you use it. What I mean is that if you have such a configuration you will have those, otherwise they are not needed (and not used).

I already changed the processor description as you suggested. About the speed I have an issue. If I check /proc/cpuinfo I get the current speed, which in my laptop is usually lower than the real processor speed. That's why I prefer to use the dmidecode max speed, and fall back to /proc if needed.

Well, not enough time this week to test, but no matter how, I will keep going, I love this project.

regards,

Author: Mark [ Thu Oct 04, 2012 11:19 am ]
Post subject: Re: Linux auditing?

Thanks A - love the work. Keep it up!

Author: shanimal [ Fri Oct 05, 2012 4:42 am ]
Post subject: Re: Linux auditing?

Great job!

Author: ihashacks [ Tue Dec 18, 2012 7:22 am ]
Post subject: Re: Linux auditing?

Any chance that the attached script can make it to Launchpad? I'd like to be able to branch and contribute changes back.

Side note - here is a list of the packages required to satisfy the check_commands=y test on a minimal CentOS 6 installation:

cdrdao dmidecode lshw mdadm parted pciutils redhat-lsb wget wireless-tools

I know the script doesn't actually use most of those at this point, but for documentation's sake that is probably useful. I also think (even though it isn't used yet) it might be helpful to have a check for 'rpm' vs. 'dpkg' for the software inventory. Something like...

[code]if [ -f /etc/redhat-release ]; then
    echo "Distribution is RedHat based. Using RPM package tool."
    OA_PKG=`which rpm 2>/dev/null`
elif [ -f /etc/debian_version ]; then
    echo "Distribution is Debian based. Using DPKG package tool."
    OA_PKG=`which dpkg 2>/dev/null`
else
    echo "Distribution is unknown. Software inventory not possible."
fi[/code]

Taking flags to each package manager and how to format the output into consideration is important too. I haven't read the entire script line-by-line yet so there may already be some check for what distribution is in use. If so, might as well incorporate it into the package manager/software inventory too.

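The rpm/dpkg check above, carried through to an actual inventory as an added example (not the thread's or audit_linux.sh's code): detect the tool from the same marker files, ask each tool for the same tab-separated columns, drop entries that are not really installed, and write XML with the text escaped. The function names, the XML element names, the stand-alone escape_xml and the constructed dpkg-query sample are all assumptions made here; the rpm --qf and dpkg-query -f format tags are the tools' documented ones.

```shell
#!/bin/sh
# Added example, not from audit_linux.sh or the thread: package-manager
# detection followed by a software inventory normalised to one XML format.
# Function names, element names and the sample data are assumed.

# Escape XML metacharacters. audit_linux.sh has its own escape_xml; this
# stand-alone version exists only so the example runs by itself.
escape_xml() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Same marker files as the snippet above; prints rpm, dpkg or unknown.
detect_pkg_tool() {
    if [ -f /etc/redhat-release ]; then
        echo rpm
    elif [ -f /etc/debian_version ]; then
        echo dpkg
    else
        echo unknown
    fi
}

# Raw query for the chosen tool. Both emit tab-separated columns so the rest
# of the pipeline is tool-independent. dpkg-query is asked for ${Status}
# first because -W also lists removed packages whose config files remain.
list_packages() {
    case "$1" in
        rpm)  rpm -qa --qf '%{NAME}\t%{VERSION}-%{RELEASE}\t%{ARCH}\n' ;;
        dpkg) dpkg-query -W -f='${Status}\t${Package}\t${Version}\t${Architecture}\n' ;;
        *)    return 1 ;;
    esac
}

# Reduce raw output (stdin) to NAME<TAB>VERSION<TAB>ARCH, keeping only
# packages that are actually installed: the dpkg status filter stops
# half-removed packages from turning into empty entries, and rpm's
# gpg-pubkey pseudo-packages are signing keys, not software.
normalize_packages() {
    case "$1" in
        dpkg) awk -F'\t' -v OFS='\t' '$1 == "install ok installed" { print $2, $3, $4 }' ;;
        rpm)  awk -F'\t' '$1 != "gpg-pubkey"' ;;
        *)    return 1 ;;
    esac
}

# Turn normalised lines (stdin) into <package> elements with escaped text.
packages_to_xml() {
    tab=$(printf '\t')
    while IFS="$tab" read -r name version arch; do
        [ -n "$name" ] || continue
        printf '  <package>\n    <name>%s</name>\n    <version>%s</version>\n    <arch>%s</arch>\n  </package>\n' \
            "$(escape_xml "$name")" "$(escape_xml "$version")" "$(escape_xml "$arch")"
    done
}

# Full pipeline against the live system (needs rpm or dpkg-query present).
audit_software() {
    tool=$(detect_pkg_tool)
    [ "$tool" != unknown ] || { echo "Distribution is unknown. Software inventory not possible." >&2; return 1; }
    list_packages "$tool" | normalize_packages "$tool" | packages_to_xml
}

# Constructed dpkg-query output: two installed packages and one removed
# package that still has config files, which must not reach the inventory.
SAMPLE_DPKG=$(printf 'install ok installed\tbash\t4.2-2ubuntu2\tamd64\n'
              printf 'deinstall ok config-files\toldpkg\t1.0-1\tall\n'
              printf 'install ok installed\tlibstdc++6\t4.6.3-1ubuntu5\tamd64\n')

# Inventory of the constructed sample; this is what runs offline.
sample_inventory() {
    printf '%s\n' "$SAMPLE_DPKG" | normalize_packages dpkg | packages_to_xml
}

sample_inventory
```

Call audit_software on a real box to produce the same XML from the live package database; the sample run only shows the shape of the output.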
Author: ihashacks [ Fri Dec 21, 2012 6:53 am ]
Post subject: Re: Linux auditing?

[quote]Any chance that the attached script can make it to Launchpad? I'd like to be able to branch and contribute changes back.[/quote]

Eh, I decided to make my own branch and stick this script in it:

[code]bzr branch lp:~ihashacks/oav2/linux-audit-additions[/code]

Nothing major so far. This:

[quote]The different results on my (VMware virtualised) Ubuntu 11.10 server are: Intel(R) Xeon(R) CPU X5460 @ 3.16GHz (the correct value - note, need to remove whitespace) versus Pentium(R) III (the value from your script)[/quote]

... should be addressed (well, I at least verified it works in Hyper-V guests now that were originally showing "None").

Author: ihashacks [ Mon Dec 31, 2012 3:53 pm ]
Post subject: Re: Linux auditing?

Virtual devices (like bridges) and VirtIO (like in KVM guests) are now reporting Model and Manufacturer: https://bazaar.launchpad.net/~ihashacks ... evision/41

I'm having an issue with the interface speeds though. Here is a wireless example:

[code]# This is a wireless link
net_card_speed=`$OA_IWLIST $net_card_id bitrate |\
    $OA_GREP Current |\
    $OA_AWK -F[=\ ] ' { print $14 } '`[/code]

The speed is reported properly in the XML file (only the third result is a wireless device - I haven't fixed wired yet):

[code]$ grep net_speed *.xml
rocket-20121230212234.xml:    <net_speed></net_speed>
rocket-20121230212234.xml:    <net_speed></net_speed>
rocket-20121230212234.xml:    <net_speed>72.2</net_speed>[/code]

... and it does look ok in MySQL:

[code]mysql> SELECT net_adapter_type,net_speed FROM sys_hw_network_card WHERE system_id = 12;
+--------------------------+-----------+
| net_adapter_type         | net_speed |
+--------------------------+-----------+
| Ethernet 802.3           |           |
| Ethernet 802.3           |           |
| Wireless Ethernet 802.11 | 72.2      |
+--------------------------+-----------+[/code]

... but I'm still getting "Speed: 0 MB/s" in the OAv2 web interface (including for the wireless device that shows 72.2 in SQL). I'm not sure how this code_igniter thing works or I would try to debug further.

Author: jpa [ Tue Jan 01, 2013 2:25 am ]
Post subject: Re: Linux auditing?

If you're on the latest there should be a Debug check in the upper right of the screen. When that is set OA will show you all the queries used to build the page. Maybe that will help track down the problem.

Author: ihashacks [ Fri Jan 11, 2013 2:18 am ]
Post subject: Re: Linux auditing?

Woohoo!

44. By Brandon Pierce 7 minutes ago
preliminary janky dpkg support for installed software
[url]https://bazaar.launchpad.net/~ihashacks/oav2/linux-audit-additions/revision/44[/url]

Should I propose a merge at any point in tinkering with this script? I haven't touched anything outside of audit_linux.sh (and don't plan to).

Author: Mark [ Fri Jan 11, 2013 12:09 pm ]
Post subject: Re: Linux auditing?

Might as well add in the Memory Serial #.

[code]memory_serial=$($OA_ECHO "$bank_info" | $OA_AWK '/Serial Number:/{for (u=3; u<=NF; u++){printf("%s ", $u)}printf("\n")}' | $OA_CUT -d" " -f1)[/code]

and

[code]$OA_ECHO "  <serial>"$(escape_xml "$memory_serial")"</serial>" >> $xml_file[/code]

Also the returned packages seem to contain the header for the DPKG command.

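Mark's memory-serial addition above, extended as an added example (not from audit_linux.sh or the thread) that walks every Memory Device record from dmidecode, skips empty slots, blanks the placeholder strings dmidecode prints when the module carries no serial or manufacturer, and normalises the size to MB whether dmidecode reports it in MB or GB. The memory_banks/memory_total_mb names, the field layout and the constructed dmidecode output are assumptions made here; dmidecode still needs root, as noted at the top of the thread.

```shell
#!/bin/sh
# Added example, not from audit_linux.sh or the thread: parse dmidecode's
# "Memory Device" (DMI type 17) records into one line per populated bank.
# Function names and the sample output below are assumptions.

# Constructed `dmidecode -t 17` output: one populated bank with a serial,
# one populated bank whose SPD carries no serial, and one empty slot.
# Blank lines separate records, as dmidecode prints them.
SAMPLE_DMI='# dmidecode 2.11
SMBIOS 2.7 present.

Handle 0x0011, DMI type 17, 34 bytes
Memory Device
        Array Handle: 0x000E
        Total Width: 64 bits
        Size: 4096 MB
        Form Factor: DIMM
        Locator: DIMM_A1
        Bank Locator: BANK 0
        Type: DDR3
        Speed: 1333 MHz
        Manufacturer: Samsung
        Serial Number: 12345678
        Part Number: SAMPLE-PART-1

Handle 0x0012, DMI type 17, 34 bytes
Memory Device
        Array Handle: 0x000E
        Size: 8 GB
        Form Factor: DIMM
        Locator: DIMM_A2
        Bank Locator: BANK 1
        Type: DDR3
        Manufacturer: Micron
        Serial Number: Not Specified
        Part Number: Not Specified

Handle 0x0013, DMI type 17, 34 bytes
Memory Device
        Array Handle: 0x000E
        Size: No Module Installed
        Form Factor: DIMM
        Locator: DIMM_B1
        Bank Locator: BANK 2
        Manufacturer: Not Specified
        Serial Number: Not Specified
'

# Print LOCATOR|SIZE_MB|MANUFACTURER|SERIAL for each populated bank. awk's
# paragraph mode (RS='') gives one record per blank-line-separated block,
# so each DIMM is handled on its own like Mark's per-bank $bank_info.
# Placeholder values become empty fields rather than fake identifiers.
memory_banks() {
    printf '%s' "$1" | awk -v RS='' -F'\n' '
        {
            locator = ""; size = ""; maker = ""; serial = ""; is_device = 0
            for (i = 1; i <= NF; i++) {
                line = $i
                sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
                if (line == "Memory Device") { is_device = 1; continue }
                idx = index(line, ": ")
                if (idx == 0) continue
                key = substr(line, 1, idx - 1); val = substr(line, idx + 2)
                if (key == "Locator") locator = val
                else if (key == "Size") size = val
                else if (key == "Manufacturer") maker = val
                else if (key == "Serial Number") serial = val
            }
            if (!is_device || size == "" || size == "No Module Installed") next
            if (serial == "Not Specified" || serial == "Unknown") serial = ""
            if (maker == "Not Specified" || maker == "Unknown") maker = ""
            if (size ~ / GB$/) { sub(/ GB$/, "", size); size = size * 1024 }
            else sub(/ MB$/, "", size)
            print locator "|" size "|" maker "|" serial
        }'
}

# Sum of the populated banks in MB.
memory_total_mb() {
    memory_banks "$1" | awk -F'|' '{ t += $2 } END { print t + 0 }'
}

# Live version: same parser over the real DMI table (root required).
audit_memory() {
    memory_banks "$(dmidecode -t 17 2>/dev/null)"
}

# Demo on the constructed sample.
memory_banks "$SAMPLE_DMI"
echo "total MB: $(memory_total_mb "$SAMPLE_DMI")"
```

Each serial still has to go through escape_xml before it is written to the XML file, exactly as in Mark's second snippet.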
Author: ihashacks [ Sat Jan 12, 2013 2:00 am ]
Post subject: Re: Linux auditing?

[quote]Might as well add in the Memory Serial #.[/quote]

Will do.

[quote]Also the returned packages seem to contain the header for the DPKG command.[/quote]

I whipped out a few more releases yesterday (45 stripped off the dpkg header and then 47 switched to dpkg-query for cleaner output control and less awk'ing):

49. By Brandon Pierce 9 hours ago
added basic local user support

48. By Brandon Pierce 9 hours ago
added form factor "Virtual" for Bochs / QEMU guests

47. By Brandon Pierce 14 hours ago
less jankiness in software detection in Debian/Ubuntu

46. By Brandon Pierce 16 hours ago
changed software audit to be distro-oriented - now support RedHat/CentOS

45. By Brandon Pierce 18 hours ago
strip off leading dpkg header to avoid empty package entries

All times are UTC + 10 hours