{{tag>Sécurité Bash Perl DNS MySQL Regex Audit}}

====== Audit notes ======

Links:
  * http://www.linuxjournal.com/content/server-hardening?page=0,0

Notes:
  * Remember to check NTP / the servers' clocks
  * Remember to check the SMTP settings of fax machines, scanners and printers

===== Some commands for a system audit =====

Disks:
<code bash>
lsblk
</code>

Network:
<code bash>
nft list ruleset
iptables -vnxL
ip6tables -vnxL
ip -s macsec show
ss -peaonmi
resolvectl status
resolvectl statistics
</code>

==== Debian configuration files ====

DEB: see [[audit_debian_differences_de_version_entre_un_fichier_d_origine_et_le_fichier_actuelle]]
<code bash>
dpkg -l
# files under /etc that belong to no package (dpkg -S reports them on stderr)
LANG=C find /etc -type f -exec dpkg -S {} 2>&1 \; |grep -e '^dpkg-query:' |tee jb_dpkg-S.txt
# installed files (configuration files included) whose checksum differs from the package's
LANG=C debsums -as 2>&1 |tee jb_debsums.txt
</code>

For RedHat/CentOS (RPM):
<code bash>
rpm -Va
</code>
Example: archive every file that rpm -V reports as modified (missing files, /var/run, /var/log, .jar files and directories are left out; the sed removes the " c " config-file marker so that the path is always the second field):
<code bash>
rpm -V -a |egrep -v -e '^missing|/var/run|/var/log|\.jar$' |sed -e 's% c % %' |awk '{print $2}' |grep -v -e '/$' |cpio -ov --format=ustar |pigz > /tmp/plop/fic-${HOSTNAME}.tar.gz
</code>

==== Hardware ====

[[linux-avoir-des-infos-sur-le-materiel]]

=== Drivers ===

Which package ships each loaded kernel module (modules that belong to no package are reported as ERR):
<code bash>
for MODULE in $(lsmod |sed 1d |awk '{print $1}') ; do modinfo $MODULE |grep -e '^filename:' |awk '{print $2}'| xargs dpkg -S || echo -e "\t ERR IN $MODULE"; done 2>&1 |tee jb_modules.txt
</code>

See DKMS, e.g. /var/lib/dkms/megaraid-sas: the module is built locally, so dpkg does not own it, whereas the DKMS package that provides the source is known to dpkg:
<code>
# LANG=C dpkg -S /var/lib/dkms/megaraid-sas
dpkg-query: no path found matching pattern /var/lib/dkms/megaraid-sas
# dpkg -S /usr/share/dkms/modules_to_force_install/megaraid-sas.force
megaraid-sas-dkms: /usr/share/dkms/modules_to_force_install/megaraid-sas.force
megaraid-sas
</code>

==== sudoers ====

Accounts whose sudo rules mention root or ALL (the first sed prints from the "User ... may run the following commands" header to the end of the listing, the second drops that header line; needs root):
<code bash>
for user in $(awk -F':' '{print $1}' /etc/passwd) ; do sudo -U $user -l |sed -n -e '/^User /,$p' |sed -e 1d |egrep -q -i '(root|all).*ALL' && echo "$user" ; done
</code>

Does this work with groups? Netgroups? etc.
It does not list users who have rights on sh, bash, perl, python, etc.
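The loop above only greps for root|ALL. The following is an added example, not part of the original notes, that classifies each entry of a `sudo -l -U <user>` listing and flags both full ALL grants and entries that hand the user a shell or interpreter (sh, bash, perl, python, ...). It assumes sudo's English messages (LANG=C, as the other commands on this page use); `sample_sudo_listing()`, the host name srv1 and its rules are constructed test data, and `sudo_audit_all_users()` is the wrapper to run on a real host as root. Since sudo itself evaluates the rules, the `sudo -l -U` listing already reflects rights granted through %group entries.

```shell
#!/bin/sh
# Added example (not from the original page): parse `sudo -l -U <user>` output and
# flag entries that amount to full root (ALL) or that grant a shell/interpreter,
# which a plain root|ALL grep does not catch. Assumes LANG=C sudo messages.

# Print only the command entries of a `sudo -l` listing, one per line, from the
# "User ... may run the following commands" header to the end (header dropped).
# A user who is not allowed to run sudo produces no output at all.
sudo_cmd_entries() {
    sed -n '/^User .* may run the following commands/,$p' \
        | sed 1d | sed 's/^[[:space:]]*//' | grep -v '^$'
}

# Print "<reason><TAB><entry>" for risky entries:
#   ALL    - the user may run any command as the listed runas user
#   INTERP - a shell or interpreter is granted (arguments are not inspected, so a
#            fixed script argument is still flagged for manual review)
# Negated entries ("!cmd") are denials and are ignored.
sudo_flag_risky() {
    sudo_cmd_entries | awk '
    {
        entry = $0
        line = $0
        sub(/^\([^)]*\)[ \t]*/, "", line)         # drop the "(runas : group)" part
        n = split(line, cmds, /,[ \t]*/)          # one line may list several commands
        for (i = 1; i <= n; i++) {
            c = cmds[i]
            sub(/^([A-Z]+:[ \t]*)+/, "", c)       # drop NOPASSWD:, SETENV:, ... tags
            if (c ~ /^!/) continue
            if (c == "ALL") { print "ALL\t" entry; next }
            prog = c
            sub(/[ \t].*$/, "", prog)             # first word is the program path
            sub(/.*\//, "", prog)                 # keep the basename only
            if (prog ~ /^(sh|bash|dash|zsh|ksh|perl|python[0-9.]*|ruby)$/) {
                print "INTERP\t" entry; next
            }
        }
    }'
}

# Run the check for every local account (needs root). Output: user, reason, entry.
sudo_audit_all_users() {
    for user in $(awk -F: '{print $1}' /etc/passwd); do
        LANG=C sudo -l -U "$user" 2>/dev/null | sudo_flag_risky \
            | awk -v u="$user" '{print u "\t" $0}'
    done
}

# Constructed sample of `sudo -l -U alice` output (fake host and rules).
sample_sudo_listing() {
    cat <<'EOF'
Matching Defaults entries for alice on srv1:
    env_reset, mail_badpass

User alice may run the following commands on srv1:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/perl
    (ALL) /usr/bin/systemctl restart apache2, /usr/bin/python3
    (root) !/bin/bash
EOF
}

# Stand-alone demo on the constructed listing: prints the three risky entries.
sample_sudo_listing | sudo_flag_risky
```

On a real host, `sudo_audit_all_users > jb_sudo.txt` gives one line per risky rule; the `!/bin/bash` denial and the systemctl entry in the sample are deliberately left out of the result.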
==== Config ====

Network flows:
<code bash>
tcpdump tcp -p -qtn -i eth0 and not host 192.168.1.11
</code>

Apache config:
<code bash>
apache2ctl -S
cat /usr/local/apache/conf/httpd.conf |sed -n -e '/\
</code>

System accounts:
<code bash>
# uid 0
cat /etc/passwd |awk -F':' '{print $3":"$1}' |grep -e '^0:'
# list active accounts (shadow entries whose password field does not start with * or !)
for compte in $(cat /etc/shadow |awk -F':' '{print $2":"$1}' |egrep -v -e "^\*|^\!" |awk -F ':' '{print $2}')
do
grep -e "^$compte:" /etc/passwd
done > /tmp/ftp1.txt
# turn the list into DokuWiki table rows
#cat ftp1.txt |awk -F':' '{print "| "$1" || || JJ/MM/AAAA || "$6" || "}' |perl -pe 's/\n/\n|-\n/' > ftp.txt
</code>

Network: listening services (loopback excluded), as table rows:
<code bash>
netstat -tapen |grep LISTEN |grep -v '127\.0\.0\.1' |awk '{print "| " $4 " || " $9}'
</code>

System accounts: SSH keys. The first loop lists the files that exist at the AuthorizedKeysFile path from sshd_config (only a leading %h/ is handled); the second simply prints ~/.ssh/authorized_keys for every account whose shell is not false/nologin:
<code bash>
for hom in $(cut -d':' -f 6 /etc/passwd) ; do ls $hom/$(grep AuthorizedKeysFile /etc/ssh/sshd_config |awk '{print $2}' |sed -e 's#^%h/##' ) 2>/dev/null ;done
perl -a -F':' -ne '$HOMEUSER=$F[5] ; $CHAINE="$HOMEUSER/.ssh/authorized_keys\n" ; $CHAINE=~s|//|/| ; print $CHAINE unless /false$/ or /nologin$/' /etc/passwd
</code>

DNS zones (transfer every zone declared in named.conf from the local server, except the root hints, localhost and 127.in-addr.arpa):
<code bash>
for zone in $(cat /etc/bind/named.conf |grep ^zone |egrep -v 'zone "." IN {|zone "localhost" IN {|zone "127.in-addr.arpa" IN {' |awk '{print $2}'| tr -d '"' |sort); do dig -t AXFR @127.0.0.1 $zone > /tmp/dns_${HOSTNAME}_${zone}.txt ; done
</code>

MySQL:
<code bash>
mysql -u root -p < <(echo "select host, user from mysql.user;") > /tmp/mysql_user.txt
mysql -u root -p < <(echo "show databases;") > /tmp/mysql_databases.txt
</code>

===== Logs for a given day and time =====

<code bash>
journalctl --since "2019-10-16 06:00" --until "2019-10-16 10:00"
# files modified between 2019-10-16 06:00 and 10:00: two reference files, then find -newer
touch -t 1910160600 fic1
touch -t 1910161000 fic2
find / -newer fic1 -not -newer fic2
atop -r 20191016
sar -A -f /var/log/sa/sa18
last
</code>
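The two SSH one-liners in the accounts section only handle a single AuthorizedKeysFile path and a leading %h. The following is an added example, not part of the original notes, that expands every path listed in AuthorizedKeysFile (several are allowed) with both the %h and %u tokens, skips false/nologin accounts, and then summarises an authorized_keys file, reporting whether each key is restricted by a command= or from= option. Inputs are passed in so it runs on constructed data: `sample_passwd()` and `sample_keys()` are invented (the key blobs are truncated fakes). On a real host, feed it /etc/passwd and the AuthorizedKeysFile value printed by `sshd -T`.

```shell
#!/bin/sh
# Added example (not from the original page): locate every authorized_keys file
# sshd would consult and summarise the keys in it.

# $1 = AuthorizedKeysFile value (default: sshd's own ".ssh/authorized_keys"),
# stdin = passwd-format lines. Prints "user<TAB>path" for each candidate file.
authorized_keys_paths() {
    keyfiles=${1:-.ssh/authorized_keys}
    awk -F: -v files="$keyfiles" '
    $7 ~ /(false|nologin)$/ { next }          # no interactive login: skip
    {
        n = split(files, f, /[ \t]+/)
        for (i = 1; i <= n; i++) {
            p = f[i]
            gsub(/%h/, $6, p)                 # %h = home directory
            gsub(/%u/, $1, p)                 # %u = user name
            gsub(/%%/, "%", p)
            if (p !~ /^\//) p = $6 "/" p      # relative paths are relative to the home dir
            gsub(/\/\/+/, "/", p)             # collapse "//" from homes written with a trailing slash
            print $1 "\t" p
        }
    }'
}

# stdin = one authorized_keys file.
# Prints "<type><TAB><restricted|unrestricted><TAB><comment>" per key. The key
# type is located by its "<type> AAAA" shape (every OpenSSH key blob starts with
# AAAA), so option strings containing spaces or quotes do not confuse the parser.
summarize_authorized_keys() {
    awk '
    /^[ \t]*(#|$)/ { next }                   # comments and blank lines
    {
        if (!match($0, /(^|[ \t])(ssh|ecdsa|sk)-[^ \t]+[ \t]+AAAA/)) {
            print "UNPARSED\t?\t" $0; next
        }
        opts = (RSTART > 1) ? substr($0, 1, RSTART - 1) : ""
        rest = substr($0, RSTART)
        sub(/^[ \t]+/, "", rest)
        n = split(rest, kf, /[ \t]+/)
        restricted = (opts ~ /(^|,)(command|from)=/) ? "restricted" : "unrestricted"
        comment = ""
        for (i = 3; i <= n; i++) comment = comment (i > 3 ? " " : "") kf[i]
        print kf[1] "\t" restricted "\t" comment
    }'
}

# Constructed sample data (fake users; truncated, non-functional key blobs).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice/:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/false
EOF
}
sample_keys() {
    cat <<'EOF'
# deploy keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE alice@laptop
command="/usr/bin/rsync --server --sender . /data",no-pty,no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EFAKEFAKE backup@srv2
from="10.0.0.0/8" ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYFAKE ops
EOF
}

# Stand-alone demo: candidate files for a multi-path AuthorizedKeysFile, then the key summary.
sample_passwd | authorized_keys_paths ".ssh/authorized_keys %h/.ssh/authorized_keys2 /etc/ssh/keys/%u"
sample_keys | summarize_authorized_keys
```

On a real host, loop over the paths printed by `authorized_keys_paths` and run `summarize_authorized_keys` on each file that exists; the "unrestricted" lines are the keys worth a second look, since they give an interactive shell from any source address.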