Registrations to Open-AudIT forums are now closed. To ask any new questions please visit Opmantek Community Questions.

Open-AudIT

What's on your network?
It is currently Thu Mar 28, 2024 9:23 pm

All times are UTC + 10 hours




Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 50 posts ]  Go to page 1, 2, 3, 4  Next
Author Message
PostPosted: Fri Sep 28, 2012 10:09 am 
Offline
Newbie
User avatar

Joined: Thu Mar 11, 2010 5:19 am
Posts: 15
Location: Curacao
EDIT - Mark here, sorry for post hijacking. I figure I'd put this link right in the first post so people can grab the file easily. The current audit_linux.sh is on Launchpad, [url=http://bazaar.launchpad.net/~ihashacks/oav2/linux-audit-additions/view/head:/other/audit_linux.sh]here[/url].
Now back to your regular programming :D
--------------------------------------------------------------------------------------


Hi everyone, I started working on a Linux audit script. I gave it a try log time ago on an early beta, but now I'm trying to start again based on the Windows Version 11.

At this moment the script just reports the system info, bios and processor info. I added a new switch check_commands=y just to check the location of the required commands and exit... it is pretty early stuff, but at least I can report my Linux boxes on Beta 7.3.

Since I'm using dmidecode to get some info the script requires root access.

Copy the audit_linux script on your preferred location (/usr/share/audit_linux.sh is what I'm using)

#cd /usr/share
#chown root.root audit_linux.sh
#chmod u+x audit_linux.sh

Now as a normal user, from your home directory:

[code]$ su -c "/usr/share/audit_linux.sh check_commands=y"
$ su -c "/usr/share/audit_linux.sh create_file=y"
$ su -c "/usr/share/audit_linux.sh submit_online=y url='http://server/oav2/index.php/system/add_system'"[/code]
or
[code]$ sudo "/usr/share/audit_linux.sh create_file=y"
$ sudo "/usr/share/audit_linux.sh create_file=y"
$ sudo "/usr/share/audit_linux.sh submit_online=y url='http://server/oav2/index.php/system/add_system'"[/code]

As new versions are ready I will keep posting.

Enjoy!


Attachments:
File comment: Rename to audit_linux.sh
audit_linux.txt [24.28 KiB]
Downloaded 769 times

_________________
____________________________
Andrés Arenas Vélez
http://www.arenasa.com/


Last edited by a.arenas on Fri Sep 28, 2012 9:47 pm, edited 1 time in total.
Top
 Profile  
Reply with quote  
 Post subject: Re: Linux auditing?
PostPosted: Fri Sep 28, 2012 12:03 pm 
Offline
Site Admin
User avatar

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1964
Location: Brisbane, Australia
Here's a very basic one I've toying with.
It is no where near complete (take a look), but it seem's to work with a couple of distro's I've tried it on.
I have been avoiding HAL on purpose as it is depreciated. A shame really as it was very handy...


Attachments:
audit_linux.txt [14.23 KiB]
Downloaded 669 times

_________________
Support and Development hours available from [url=https://opmantek.com]Opmantek[/url].
Please consider a purchase to help make Open-AudIT better for everyone.
Top
 Profile  
Reply with quote  
 Post subject: Re: Linux auditing?
PostPosted: Fri Sep 28, 2012 9:45 pm 
Offline
Newbie
User avatar

Joined: Thu Mar 11, 2010 5:19 am
Posts: 15
Location: Curacao
Great, I will check it and use some stuff from there. I see you use lshw (to get Processor info) which is not available by default on Centos. I will try to use as few commands as possible. Currently I'm testing in

Centos 6.3 (64 on HW & 32 virtual)
openSUSE-12.2 (32 virtual)
linuxmint-13 (virtual)
ubuntu-12.04 (32 virtual).

I will try Debian also to cover I think the most common distros around.

_________________
____________________________
Andrés Arenas Vélez
http://www.arenasa.com/


Top
 Profile  
Reply with quote  
 Post subject: Re: Linux auditing?
PostPosted: Tue Oct 02, 2012 8:30 am 
Offline
Newbie
User avatar

Joined: Thu Mar 11, 2010 5:19 am
Posts: 15
Location: Curacao
OK. Updated script, now audits:

system
bios
processor
memory
motherboard
optical drives
video cards
Network cards
addresses ipv4 & ipv6

Next I will report disks and partitions.

Regards,


Attachments:
audit_linux.txt [40.62 KiB]
Downloaded 704 times

_________________
____________________________
Andrés Arenas Vélez
http://www.arenasa.com/
Top
 Profile  
Reply with quote  
 Post subject: Re: Linux auditing?
PostPosted: Wed Oct 03, 2012 2:55 pm 
Offline
Site Admin
User avatar

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1964
Location: Brisbane, Australia
Just checked on a fairly standard Ubuntu 11.10 server install.
Missing commands are:
bc
cdrdao
ethtool
iwlist
lvm
mdadm

And on a Debian 5 install:
cdrdao
ethtool
iwlist
lsb_release
lshw
lvm
mdadm
partprobe

Will check at home on a 12.04 desktop as well.
The script runs without these present, but obviously produces errors and does not populate the attributes.
For these commands (and only these), maybe when we run them we should suppress errors to /dev/null (example 2>/dev/null) ? Or we could detect they are not their in the first place and not run the commands at all? Just thinking...

Initially looking at a result, your processor description is incorrect. Suggest you use
[code]cat /proc/cpuinfo | grep "model name" | cut -d: -f2 | cut -c2- | tr "\n" "^" | cut -d^ -f$PROCESSOR_COUNT[/code]
instead of
[code]$OA_DMIDECODE -s processor-version | $OA_HEAD -n1[/code]
replacing the commands as needed.
Same with processor speed and cores.

The different results on my (VMware virtualised) Ubuntu 11.10 server are:
Intel(R) Xeon(R) CPU X5460 @ 3.16GHz (the correct value - note, need to remove whitespace)
verses
Pentium(R) III (the value from your script).

As above, also check net_connection_status and net_speed.

Loving it so far :-)

_________________
Support and Development hours available from [url=https://opmantek.com]Opmantek[/url].
Please consider a purchase to help make Open-AudIT better for everyone.


Top
 Profile  
Reply with quote  
 Post subject: Re: Linux auditing?
PostPosted: Thu Oct 04, 2012 11:17 am 
Offline
Newbie
User avatar

Joined: Thu Mar 11, 2010 5:19 am
Posts: 15
Location: Curacao
Hi Mark, thanks for your comments. OK, replaced the optical drive detection without cdrdao. About ethtool and ip are supposed to replace ifconfig in the future. I use ethtool to get the link speed since I can not find a way to obtain it anymore (the dmesg trick is not working on Centos nor in Fedora). The problem is that in VM's doesn't seem to work that well. Any ideas?

iwlist is only used on wireless. madm if you have software RAID, lvm only needed if you use it. What I mean is that if you have such configuration you will have those, otherwise not needed (and not used).

I already changed the processor description as you suggested. About the speed I have an issue. If i see /proc/cpuinfo I get the current speed, wich in my lattop is usually lower than the real processor speed. That's why I prefer to use dmidecode max speed, and fall back to /proc is needed.

Well not enough time this week to test, but no matter how I will keep going, I love this project.

regards,

_________________
____________________________
Andrés Arenas Vélez
http://www.arenasa.com/


Last edited by a.arenas on Thu Oct 04, 2012 11:20 am, edited 1 time in total.

Top
 Profile  
Reply with quote  
 Post subject: Re: Linux auditing?
PostPosted: Thu Oct 04, 2012 11:19 am 
Offline
Site Admin
User avatar

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1964
Location: Brisbane, Australia
Thanks A - love the work. Keep it up!
:D

_________________
Support and Development hours available from [url=https://opmantek.com]Opmantek[/url].
Please consider a purchase to help make Open-AudIT better for everyone.


Top
 Profile  
Reply with quote  
 Post subject: Re: Linux auditing?
PostPosted: Fri Oct 05, 2012 4:42 am 
Offline
Contributor
User avatar

Joined: Thu Mar 02, 2006 4:41 am
Posts: 205
Location: Massachusetts
Great job!

_________________
Server Info: running on a CentOS 7 vm
OA Version: 2.0.6 @ 500 devices


Top
 Profile  
Reply with quote  
 Post subject: Re: Linux auditing?
PostPosted: Tue Dec 18, 2012 7:22 am 
Offline
Newbie

Joined: Wed Dec 12, 2012 9:24 am
Posts: 25
Any chance that the attached script can make it to Launchpad? I'd like to be able to branch and contribute changes back.


Side note - here is a list of the packages required to satisfy the check_commands=y test on a minimal CentOS 6 installation:
    bc
    cdrdao
    dmidecode
    lshw
    mdadm
    parted
    pciutils
    redhat-lsb
    wget
    wireless-tools


I know the script doesn't actually use most of those at this point, but for documentation sake that is probably useful.


I also think (even though it isn't used yet) it might be helpful to have a check for 'rpm' vs. 'dpkg' for the software inventory. Something like...

[code]if [ -f /etc/redhat-release ]; then
echo "Distribution is RedHat based. Using RPM package tool."
OA_PKG=`which rpm 2>/dev/null`
elif [ -f /etc/debian_version ]; then
echo "Distribution is Debian based. Using DPKG package tool."
OA_PKG=`which dpkg 2>/dev/null`
else
echo "Distribution is unknown. Software inventory not possible."[/code]


Taking flags to each package manager and how to format the output into consideration is important too. I haven't read the entire script line-by-line yet so there may already be some check for what distribution is in use. If so, might as well incorporate it into the package manager/software inventory too. :)


Top
 Profile  
Reply with quote  
 Post subject: Re: Linux auditing?
PostPosted: Fri Dec 21, 2012 6:53 am 
Offline
Newbie

Joined: Wed Dec 12, 2012 9:24 am
Posts: 25
[quote]Any chance that the attached script can make it to Launchpad? I'd like to be able to branch and contribute changes back.


Eh, I decided to make my own branch and stick this script in it:

[code]bzr branch lp:~ihashacks/oav2/linux-audit-additions[/code]


Nothing major so far. This:


[quote]The different results on my (VMware virtualised) Ubuntu 11.10 server are:
Intel(R) Xeon(R) CPU X5460 @ 3.16GHz (the correct value - note, need to remove whitespace)
verses
Pentium(R) III (the value from your script)

... should be addressed (well, I at least verified it works in Hyper-V guests now that were originally showing "None").

Top
 Profile  
Reply with quote  
 Post subject: Re: Linux auditing?
PostPosted: Mon Dec 31, 2012 3:53 pm 
Offline
Newbie

Joined: Wed Dec 12, 2012 9:24 am
Posts: 25
Virtual devices (like bridges) and VirtIO (like in KVM guests) are now reporting Model and Manufacturer:

https://bazaar.launchpad.net/~ihashacks ... evision/41


I'm having an issue with the interface speeds though. Here is a wireless example:
[code]
979 # This is a wireless link
980 net_card_speed=`$OA_IWLIST $net_card_id bitrate |\
981 $OA_GREP Current |\
982 $OA_AWK -F[=\ ] ' { print $14 } '`
[/code]


The speed is reported properly in the XML file (only the third result is a wireless device - I haven't fixed wired yet):

[code]
$ grep net_speed *.xml
rocket-20121230212234.xml: <net_speed></net_speed>
rocket-20121230212234.xml: <net_speed></net_speed>
rocket-20121230212234.xml: <net_speed>72.2</net_speed>
[/code]


... and it does look ok in MySQL:

[code]
mysql> SELECT net_adapter_type,net_speed FROM sys_hw_network_card WHERE system_id = 12;
+--------------------------+-----------+
| net_adapter_type | net_speed |
+--------------------------+-----------+
| Ethernet 802.3 | |
| Ethernet 802.3 | |
| Wireless Ethernet 802.11 | 72.2 |
+--------------------------+-----------+
[/code]

... but I'm still getting "Speed: 0 MB/s" in the OAv2 web interface (including for the wireless device that shows 72.2 in SQL).

I'm not sure how this code_igniter thing works or I would try to debug further.


Top
 Profile  
Reply with quote  
 Post subject: Re: Linux auditing?
PostPosted: Tue Jan 01, 2013 2:25 am 
Offline
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
If you're on the latest there should be a Debug check in the upper right of the screen. When that is set OA will show you all the queries used to build the page. Maybe that will help track down the problem.


Top
 Profile  
Reply with quote  
 Post subject: Re: Linux auditing?
PostPosted: Fri Jan 11, 2013 2:18 am 
Offline
Newbie

Joined: Wed Dec 12, 2012 9:24 am
Posts: 25
Woohoo!


44. By Brandon Pierce 7 minutes ago

preliminary janky dpkg support for installed software



[url]https://bazaar.launchpad.net/~ihashacks/oav2/linux-audit-additions/revision/44[/url]


Should I propose a merge at any point in tinkering with this script? I haven't touched anything outside of audit_linux.sh (and don't plan to).


Top
 Profile  
Reply with quote  
 Post subject: Re: Linux auditing?
PostPosted: Fri Jan 11, 2013 12:09 pm 
Offline
Site Admin
User avatar

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1964
Location: Brisbane, Australia
Might as well add in the Memory Serial #.
[code]memory_serial=$($OA_$OA_ECHO "$bank_info" | $OA_AWK '/Serial Number:/{for (u=3; u<=NF; u++){printf("%s ", $u)}printf("\n")}' | $OA_CUT -d" " -f1)[/code]
and
[code]$OA_ECHO " <serial>"$(escape_xml "$memory_serial")"</serial>">> $xml_file[/code]

Also the returned packages seem to contain the header for the DPKG command.

_________________
Support and Development hours available from [url=https://opmantek.com]Opmantek[/url].
Please consider a purchase to help make Open-AudIT better for everyone.


Top
 Profile  
Reply with quote  
 Post subject: Re: Linux auditing?
PostPosted: Sat Jan 12, 2013 2:00 am 
Offline
Newbie

Joined: Wed Dec 12, 2012 9:24 am
Posts: 25
[quote]Might as well add in the Memory Serial #.


Will do.

[quote]Also the returned packages seem to contain the header for the DPKG command.


I whipped out a few more releases yesterday (45 stripped off the dpkg header and then 47 switched to dpkg-query for cleaner output control and less awk'ing)

49. By Brandon Pierce 9 hours ago
added basic local user support

48. By Brandon Pierce 9 hours ago
added form factor "Virtual" for Bochs / QEMU guests

47. By Brandon Pierce 14 hours ago
less jankiness in software detection in Debian/Ubuntu

46. By Brandon Pierce 16 hours ago
changed software audit to be distro-oriented - now support RedHat/CentOS

45. By Brandon Pierce 18 hours ago
strip off leading dpkg header to avoid empty package entries

Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 50 posts ]  Go to page 1, 2, 3, 4  Next

All times are UTC + 10 hours


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group