Hi everyone,
I just started using openaudit. It's a great system. I first started scanning my Slack box and realized that the audit_linux.sh script didn't detect Slack correctly, and none of the software was detected.
The first problem seems to be that Ubuntu detection was looking at "/etc/issue", and it seems a lot of Linux distros have this file, so any system with it gets assigned as Ubuntu. I've never used Ubuntu, so I don't know if there is any other way to tell what it is. But I moved that detection to the very last case statement, so that it tries to detect other systems first.
I know software detection is fairly new (only in svn, it seems), so I added Slackware package detection. They were simple changes; the patch is attached. I've tested it on my Slack 12 and I am quite confident it will work on older versions of Slack also.
[code] --- audit_linux.sh 2008-04-09 17:41:23.000000000 -0700 +++ audit_linux_slack.sh 2008-04-09 17:41:23.000000000 -0700 @@ -10,6 +10,7 @@ OA_PACKAGES="apt azureus bash build-essential cdparanoia cdrdao cdrecord cpp cron cupsys cvs dbus dhcp3-client diff dpkg epiphany-browser esound evolution firefox flashplugin-nonfree foomatic-db g++ gaim gcc gdm gedit gimp gnome-about gnucash gnumeric gtk+ httpd inkscape iptables k3b kdebase koffice libgnome2-0 linux-image-386 metacity mozilla-browser mysql-admin mysql-query-browser mysql-server-4.1 nautilus openoffice.org openssh-client openssh-server perl php4 php5 postfix postgresql python python2.4 rdesktop rhythmbox samba-common sendmail smbclient subversion sun-j2re1.5 swf-player synaptic thunderbird tsclient udev vim vlc vnc-common webmin xfce xmms xserver-xorg" OA_DPKG_TRACK=$OA_PACKAGES OA_YUM_TRACK=$OA_PACKAGES +OA_PKG_TRACK=$OA_PACKAGES # If you're not worried about attacks, you can just use the first one in the path. if [ $OA_SAFEMODE="n" ] || [ $OA_SAFEMODE="N" ] @@ -29,6 +30,7 @@ OA_HOSTNAME=`which hostname` OA_IFCONFIG=`which ifconfig` OA_LSPCI=`which lspci` + OA_PKG=`which pkgtool 2> /dev/null` OA_RM=`which rm` OA_UNAME=`which uname` OA_TAIL=`which tail` @@ -51,6 +53,7 @@ OA_HOSTNAME=/bin/hostname OA_IFCONFIG=/sbin/ifconfig OA_LSPCI=/usr/bin/lspci + OA_PKG=/var/log/packages OA_RM=/bin/rm OA_TAIL=/usr/bin/tail OA_UNAME=/bin/uname @@ -124,10 +127,6 @@ distribution="Novell SuSE" OS_RELEASE=`$OA_CAT /etc/SuSE-release` OS_PCK_MGR=$OA_YUM - elif test -f /etc/issue; then - distribution="Ubuntu" - OS_RELEASE=`$OA_CAT /etc/issue` - OS_PCK_MGR=$OA_DPKG elif test -f /etc/debian_version; then distribution="Debian" OS_RELEASE=`$OA_CAT /etc/debian_version` 
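Review bot: `OA_PKG` receives two different kinds of value — the result of `which pkgtool` (a binary path, or empty when it is not installed) in this hunk, and the directory `/var/log/packages` in the safe-mode hunk at @@ -51 — while the new branch at @@ -418 only ever compares `OS_PCK_MGR` against it and hardcodes `ls /var/log/packages` regardless. When `pkgtool` is absent, `OA_PKG` is empty, `OS_PCK_MGR=$OA_PKG` is empty too, and the later `[ "$OS_PCK_MGR" = "$OA_PKG" ]` test is then true for every distribution that sets `OS_PCK_MGR=''` (Yellow dog, unknown), so unless an earlier arm of that chain matches first, `ls /var/log/packages` runs on non-Slackware hosts. Since nothing executes the looked-up binary, assign the same sentinel in both modes, `OA_PKG=/var/log/packages`, and guard the branch with `elif [ -n "$OA_PKG" ] && [ "$OS_PCK_MGR" = "$OA_PKG" ]`.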
@@ -147,15 +146,19 @@ elif test -f /etc/slackware-release; then distribution="Slackware" OS_RELEASE=`$OA_CAT /etc/slackware-release` - OS_PCK_MGR='' + OS_PCK_MGR=$OA_PKG elif test -f /etc/slackware-version; then distribution="Slackware" OS_RELEASE=`$OA_CAT /etc/slackware-version` - OS_PCK_MGR='' + OS_PCK_MGR=$OA_PKG elif test -f /etc/yellowdog-release; then distribution="Yellow dog" OS_RELEASE=`$OA_CAT /etc/yellowdog-release` OS_PCK_MGR='' + elif test -f /etc/issue; then + distribution="Ubuntu" + OS_RELEASE=`$OA_CAT /etc/issue` + OS_PCK_MGR=$OA_DPKG else distribution="unknown" OS_RELEASE="unknown" OS_PCK_MGR='' @@ -418,6 +421,31 @@ fi done fi +elif [ "$OS_PCK_MGR" = "$OA_PKG" ] +then + OA_ALL_PACKAGES=`ls /var/log/packages` + + if [ "$OA_PKG_TRACK" = "" ] + then + for OA_PACKAGE_LINE in $OA_ALL_PACKAGES; do + OA_PACKAGE_NAME=`echo $OA_PACKAGE_LINE | $OA_AWK '{ match($0, /^([a-zA-Z\-]*)\-([0-9].*)$/, a); print a[1] }' 2> /dev/null` + OA_PACKAGE_VERSION=`echo $OA_PACKAGE_LINE | $OA_AWK '{ match($0, /^([a-zA-Z\-]*)\-([0-9].*)$/, a); print a[2] }' 2> /dev/null` + + if [ "$OA_PACKAGE_NAME" ] && [ "$OA_PACKAGE_VERSION" ] + then + echo "software^^^$OA_PACKAGE_NAME^^^$OA_PACKAGE_VERSION^^^^^^^^^^^^^^^^^^^^^^^^^^^" >> $ReportFile + fi + done + else + for OA_PACKAGE_NAME in $OA_PKG_TRACK; do + OA_PACKAGE_VERSION=`ls /var/log/packages | $OA_GREP "$OA_PACKAGE_NAME" | $OA_TAIL -n1 | $OA_AWK '{ match($0, /^([a-zA-Z\-]*)\-([0-9].*)$/, a); print a[2] }' 2> /dev/null` + + if [ "$OA_PACKAGE_VERSION" ] + then + echo "software^^^$OA_PACKAGE_NAME^^^$OA_PACKAGE_VERSION^^^^^^^^^^^^^^^^^^^^^^^^^^^" >> $ReportFile + fi + done + fi fi COLUMNS=OA_OLDCOLUMNS [/code]
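Review bot: Moving the `/etc/issue` test to the end of the chain turns it into a catch-all rather than an Ubuntu check: `/etc/issue` exists on most distributions, so any system none of the earlier tests recognise is now reported as "Ubuntu" with the dpkg manager instead of falling through to the "unknown" arm. Ubuntu itself also ships `/etc/debian_version`, so with this ordering it is matched by the Debian arm at @@ -124 and the new block is effectively dead for the one system it names. A check on the file's contents identifies Ubuntu without swallowing everything else, e.g. `elif $OA_GREP -qi ubuntu /etc/issue 2>/dev/null; then` placed before the Debian arm (or a test on `/etc/lsb-release`, which Ubuntu provides). The enclosing if/elif chain starts outside the hunk.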
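Review bot: In the tracked-package loop, `$OA_GREP "$OA_PACKAGE_NAME"` is an unanchored substring match, so tracking `bash` also matches e.g. `bash-completion-*` and `perl` matches every `perl-*` module, and `$OA_TAIL -n1` then reports the version of whichever entry sorts last; anchor it to the name boundary, `$OA_GREP "^$OA_PACKAGE_NAME-[0-9]"`. The awk regex `^([a-zA-Z\-]*)\-([0-9].*)$` also rejects any name containing a digit, `+` or `_` (`g++`, `gtk+`, `php5` and `python2.4` from OA_PACKAGES all fail to parse), and what it captures as the version is the Slackware `version-arch-build` tail, so the reported version carries the architecture and build tag. As far as I know the three-argument `match()` is a gawk extension; with stderr sent to /dev/null, a non-gawk awk would silently yield empty names and versions, which deserves a comment above the loop. The enclosing if/elif chain of the new branch starts outside the hunk.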