tech:audit
Audit notes
Links:
Note:
- Remember to check NTP / the clocks of the servers
- Remember to check the SMTP settings of fax machines, scanners and printers
Some commands for a system audit
Disks
lsblk
Networks
nft list ruleset
iptables -vnxL
ip6tables -vnxL
ip -s macsec show
ss -peaonmi
resolvectl status
resolvectl statistics
Config files
Debian (DEB): see audit_debian_differences_de_version_entre_un_fichier_d_origine_et_le_fichier_actuelle
dpkg -l
LANG=C find /etc -type f -exec dpkg -S {} 2>&1 \; |grep -e '^dpkg-query:' |tee jb_dpkg-S.txt
LANG=C debsums -as 2>&1 |tee jb_debsums.txt
For RedHat/CentOS (RPM)
rpm -Va
Example
rpm -V -a |egrep -v -e '^missing|/var/run|/var/log|\.jar$' |sed -e 's% c % %' |awk '{print $2}' |grep -v -e '/$' |cpio -ov --format=ustar |pigz > /tmp/plop/fic-${HOSTNAME}.tar.gz
Hardware
Drivers
for MODULE in $(lsmod |sed 1d |awk '{print $1}') ; do modinfo $MODULE |grep -e '^filename:' |awk '{print $2}'| xargs dpkg -S || echo -e "\t ERR IN $MODULE"; done 2>&1 |tee jb_modules.txt
See DKMS /var/lib/dkms/megaraid-sas
# LANG=C dpkg -S /var/lib/dkms/megaraid-sas
dpkg-query: no path found matching pattern /var/lib/dkms/megaraid-sas
# dpkg -S /usr/share/dkms/modules_to_force_install/megaraid-sas.force
megaraid-sas-dkms: /usr/share/dkms/modules_to_force_install/megaraid-sas.force
sudoers
for user in $(awk -F':' '{print $1}' /etc/passwd) ; do sudo -U $user -l |sed -n -e '/^User /,$p' |sed -e 1d |egrep -q -i '(root|all).*ALL' && echo "$user" ; done
Does this work with groups? Netgroups? etc.
It does not list users with rights on sh, bash, perl, python, etc.
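Added example, not part of the original page: a small parser for the output of sudo -U user -l that flags rules granting ALL or a shell/interpreter binary, which covers the gap noted just above (sh, bash, perl, python…). The sample sudo output, the RISKY_BINS list and the function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the original page: classify the output of
# "sudo -U <user> -l" and flag rules that are effectively root-equivalent.

# Constructed sample of "sudo -U alice -l" output (no real host behind it).
SAMPLE_SUDO_L='Matching Defaults entries for alice on srv1:
    env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin

User alice may run the following commands on srv1:
    (root) NOPASSWD: /usr/bin/python3
    (ALL) /usr/bin/systemctl restart apache2
    (root) /usr/bin/apt-get update, /usr/bin/less
    (ALL : ALL) ALL'

# Shells and interpreters that make a sudo rule root-equivalent (assumed list;
# extend it with anything else that can spawn a shell, e.g. editors and pagers).
RISKY_BINS='sh|bash|dash|zsh|ksh|perl|python[0-9.]*|ruby|php|vim?|less|find|awk'

# sudo_rules TEXT: print only the rule lines that follow the "User ... may run"
# header, with leading whitespace removed (one rule per line).
sudo_rules() {
    printf '%s\n' "$1" | sed -n -e '/^User .* may run/,$p' | sed -e '1d' -e 's/^[[:space:]]*//'
}

# risky_rules TEXT: keep rules granting ALL, or whose command path ends in a
# RISKY_BINS entry (sudoers commands are absolute paths, so match after a "/").
risky_rules() {
    sudo_rules "$1" | grep -E \
        -e '^\([^)]*\)[^/]*ALL$' \
        -e "^\([^)]*\).*/(${RISKY_BINS})( |,|\$)"
}

# count_risky TEXT: number of risky rules, usable as an audit check.
count_risky() {
    risky_rules "$1" | grep -c .
}

# audit_user USER: the real call, replacing the page's egrep test (needs root).
audit_user() {
    risky_rules "$(sudo -U "$1" -l 2>/dev/null)"
}

# Stand-alone run on the constructed sample: prints the three risky rules.
risky_rules "$SAMPLE_SUDO_L"
```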
Config
Network flows:
tcpdump -p -qtn -i eth0 tcp and not host 192.168.1.11
Apache config
apache2ctl -S
sed -n -e '/<VirtualHost/,/<\/VirtualHost>/p' /usr/local/apache/conf/httpd.conf |egrep -i -e "DocumentRoot|ServerName|ServerAlias|^$" |grep -v -e '^#' |tr -d '\n' | sed -e 's/DocumentRoot/\n/g' | sed -e 's/ServerName/|/g' | sed -e 's/ServerAlias/|ServerAlias/g' |sed -e 's/DocumentRoot/\nDocumentRoot/g' | grep -v -e "^$" | sed -e 's/[[:space:]]//g'
System accounts
# uid0
cat /etc/passwd |awk -F':' '{print $3":"$1}' |grep -e '^0:'
# list active account
for compte in $(cat /etc/shadow |awk -F':' '{print $2":"$1}' |egrep -v -e "^\*|^\!" |awk -F ':' '{print $2}')
do
    grep -e "^$compte:" /etc/passwd
done > /tmp/ftp1.txt
#cat ftp1.txt |awk -F':' '{print "| "$1" || || JJ/MM/AAAA || "$6" || "}' |perl -pe 's/\n/\n|-\n/' > ftp.txt
Network: servers
netstat -tapen |grep LISTEN |grep -v '127\.0\.0\.1' |awk '{print "| " $4 " || " $9}'
System accounts: SSH keys
for hom in $(cut -d':' -f 6 /etc/passwd) ; do ls $hom/$(grep AuthorizedKeysFile /etc/ssh/sshd_config |awk '{print $2}' |sed -e 's#^%h/##' ) 2>/dev/null ;done
perl -a -F':' -ne '$HOMEUSER=$F[5] ; $CHAINE="$HOMEUSER/.ssh/authorized_keys\n" ; $CHAINE=~s|//|/| ; print $CHAINE unless /false$/ or /nologin$/' /etc/passwd
DNS zones
for zone in $(cat /etc/bind/named.conf |grep ^zone |egrep -v 'zone "." IN {|zone "localhost" IN {|zone "127.in-addr.arpa" IN {' |awk '{print $2}'| tr -d '"' |sort); do dig -t AXFR @127.0.0.1 $zone > /tmp/dns_${HOSTNAME}_${zone}.txt ; done
MySQL
mysql -u root -p < <(echo "select host, user from mysql.user;") > /tmp/mysql_user.txt
mysql -u root -p < <(echo "show databases;") > /tmp/mysql_databases.txt
Logs
At a specific day and time
journalctl --since "2019-10-16 06:00" --until "2019-10-16 10:00"
touch -t 1910160600 fic1
touch -t 1910161000 fic2
find / -newer fic1 -not -newer fic2
atop -r 20191016
sar -A -f /var/log/sa/sa18
last
tech/audit.txt · Last modified: by 127.0.0.1
