Shell Script To Check System Security Changes | Linux

Shell Scripting

Be careful about running below script in production boxes. First check this linux security shell script example in some test box and get the result or modify it for more customised results. This script is for root level user permissions. It’s not yet tested so please check your self.

#!/bin/sh
#
# get all the usernames present @ passwd file
#cat /etc/passwd | cut -d : -f1
###############################################################################################################################
# SHELL VARIABLES FEED SECTION
#Put all the shell variables in below section only for integrity of script
##############################################################################################################################
_User_L=`last | grep -v root | grep -v reboot | awk '{print $1" "$8$9$10}' | grep -i stillloggedin | awk '{print $1}' | sort -u`
_User_Att_Fail1=`grep fail /var/log/messages`
_User_Att_Repeat2=`grep repeat /var/log/messages`
_User_Att_Reverse3=`grep reverse /var/log/messages`
_User_Att_Error=`grep error /var/log/messages`
_User_Att_Config=`chkconfig | awk '{print $1" "$7}'` # | grep off
_User_Att_Missing_F=`rpm -Va | grep missing | awk '{print $2NF}'`
_User_Att_Missing=`rpm -qf `rpm -Va | grep missing | awk '{print $2NF}'``
_User_Att_Config_Off=`chkconfig | awk '{print $1" "$7}' | grep off`
_User_Att_Config_On=`chkconfig | awk '{print $1" "$7}' | grep on`
_User_Att_Service_Stop=`service --status-all | grep stopped`
_User_Att_NEW=`iptables -L -v | grep NEW`

###########################################################################################################################
# SHELL BODY STARTS HERE
# Put all shell functions and procedures here for better visibility through out the shell script
##########################################################################################################################
###########################################################################################################################
touch _User_F
echo "${_User_L}" > /tmp/_User_F
if [ "${_User_L}" = "" ]
then
echo -e "No Unauthorised Logins Found Till Date `date`\n"
else
terminal=`tty`
#echo "${_User_L}"
exec< /tmp/_User_F
while read line
do
#To get the login details of the suspicious users
_Out_In=`last | grep $line | awk '{print $5" "$6" "$7" "$8}' | sort -u`
echo -e "${_Out_In}\n" #Append o/p to >> File_Name to send to mail
echo -e "passwd -l $line\n" #If automate precussion required then block the users account even before sending the mail to admin
done
exec < "${terminal}"
fi
if [[ ("${_User_Att_Fail1}" != "") || ("${_User_Att_Repeat2}" = "") || ("${_User_Att_Reverse3}" != "") ]]
then
echo -e "Security Risks Found While Scanning through log files \n"
if [ "${_User_Att_Fail1}" != "" ]
then
echo -e "Below Failed attempts Found:\n"
echo -e "${_User_Att_Fail1}\n" #Need to find a way to show up sorted lines
else
echo -e "No Failed log attempts till date:`date` \n"
fi
if [ "${_User_Att_Repeat2}" != "" ]
then
echo -e "Below Repeated attempts Found:\n"
echo -e "${_User_Att_Repeat2}\n"
else
echo -e "No Repeated attempts log till date:`date` \n"
fi
if [ "${_User_Att_Reverse3}" != "" ]
then
echo -e "Below Process Reverse tries Found: \n"
echo -e "${_User_Att_Reverse3}\n"
else
echo -e "No Process Reverse attempts log till date:`date` \n"
fi
else
echo -e "No Failed,Repeated or Process Reverse attempts found \n"
fi

##################################################################################################################
# BODY SECTION
# FILE SYSTEM CHECK FOR MISSING FILES AND PACKAGES
##################################################################################################################

#Finding out which files and filesystems settings are no longer as they were when the system was installed.
#If the fields suggest as below
#S File size has changed
#M Mode (Permissions and file types) has changed
#5 MD5 sum has changed
#D the characteristics of a device node has changed
#L a symbolic link has been changed #U the owner of the file/dir/device node has changed
#G Group owner of the file/dir/device node has changed
#T modification of timestamp has changed or "missing" will be printed if the file is missing from system.
##################################################################################################################
#rpm -Va | grep missing | awk '{print $NF}'
#To get the missing rpm names so to reinstall can be possible.
#rpm -qf `rpm -Va | grep missing | awk '{print $2NF}'`
echo -e "WARNING!! Below filesystems settings are no longer as they were when the system was installed. \n"
#echo -e "${_User_Att_Missing} \n"
echo -e "Missing file package names are: \n"
#echo -e "${_User_Att_Missing_F} \n"
##################################################################################################################
#validate hardware operations
##################################################################################################################
#grep error /var/log/messages
echo -e "WARNING!!!Error found in log files \n"
echo -e "${_User_Att_Error}\n"
##################################################################################################################
#chkconfig use it to check the config of all services at diff. run level
#for checking services which are no longer running
chkconfig | awk '{print $1" "$7}' | grep off
#chkconfig use it to check the config of all services at diff. run level
#for checking services which are no longer running
echo -e "RUN LEVEL 5 Services:\n"
echo -e "Programs that are in OFF state are:\n"
echo -e "${_User_Att_Config_Off}\n"
echo -e "Programs that are in ON state are:\n"
echo -e "${_User_Att_Config_On}\n"
#################################################################################################################
#check for the services which are stopped
echo -e "Below Services are stopped \n"
service --status-all | grep stopped
echo -e "${_User_Att_Service_Stop} \n"
################################################################################################################
#check fire wall is enabled or not
iptables -L -v | grep NEW
echo -e "${_User_Att_NEW} \n"
################################################################################################################
################################################################################################################

In case of any ©Copyright or missing credits issue please check CopyRights page for faster resolutions.

Leave a Reply