From 6b1c8a80b26d8aff71c17a453eb82d26855b061f Mon Sep 17 00:00:00 2001
From: pwnkitteh
Date: Sat, 6 Feb 2021 13:32:20 -0800
Subject: [PATCH 1/4] added lynis to , fixed "LOCK TABLES" error in mysqldump
---
 inv.sh | 89 ----------------------------------------------------
 inventory.sh | 13 +++++---
 2 files changed, 8 insertions(+), 94 deletions(-)
 delete mode 100644 inv.sh
diff --git a/inv.sh b/inv.sh
deleted file mode 100644
index 76d765f..0000000
--- a/inv.sh
+++ /dev/null
@@ -1,89 +0,0 @@ -#!/bin/bash - -#testing - -''' - _________ ______ - ___/ \ V \ - / ^ |\ |\ \ - /_O_/\ / / | ‾‾‾\ | - // \ |‾‾‾\_ | ‾‾ -// _\| _\| - - zot zot, thots. -''' - -if [[ $EUID -ne 0 ]]; then - printf 'Must be run as root, exiting!\n' - exit 1 -fi - -log () { printf "\033[01;30m$(date +"%T")\033[0m: $1\n"; } - -declare -a checkfiles=(~/.ssh/authorized_keys /root/.ssh/authorized_keys) - -log "SYSTEM INFORMATION" -uname -a -lsb_release -a -cat /proc/version - -## Fancy /etc/passwd -minid=$(grep "^UID_MIN" /etc/login.defs) -maxid=$(grep "^UID_MAX" /etc/login.defs) -printf "========================================================\n| Users List | Key: \033[01;34mUID = 0\033[0m, \033[01;32mUser\033[0m, \033[01;33mCan Login\033[0m, \033[01;31mNo Login\033[0m |\n========================================================\n" -awk -F':' -v minuid="${minid#UID_MIN}" -v maxuid="${maxid#UID_MAX}" '{ -if ($7=="/bin/false" || $7=="/sbin/nologin") printf "\033[1;31m%s\033[0m\n", $1; -else if ($3=="0") printf "\033[01;34m%s\033[0m\n", $1; -else if ($3 >= minuid && $3 <= maxuid) printf "\033[01;32m%s\033[0m\n", $1; -else printf "\033[01;33m%s\033[0m\n", $1; -}' /etc/passwd | column - -## /etc/group -printf "[ \033[01;35mUser\033[0m, \033[01;36mGroup\033[0m ]\n" && grep "sudo\|adm\|bin\|sys\|uucp\|wheel\|nopasswdlogin\|root" /etc/group | awk -F: '{printf "\033[01;35m" $4 "\033[0m : \033[01;36m" $1 "\033[0m\n"}' | column -printf "To delete users/groups, use \033[01;30msudo userdel -r $user\033[0m and \033[01;30msudo groupdel $user\033[0m\n" - -## /etc/sudoers -log "Sudoers" -sudo awk '!/#(.*)|^$/' /etc/sudoers - -## Less Fancy /etc/shadow -log "Passwordless accounts: " -awk -F: '($2 == "") {print}' /etc/shadow # Prints accounts without passwords -echo; - -log "IP Addresses:" # Okay I stole this one from Morgan, I'll make it prettier later -ip addr | awk '/^[0-9]+:/ { sub(/:/,"",$2); iface=$2 } /^[[:space:]]*inet / { split($2, a, "/"); print iface" : "a[1]; }' -printf "\n" - 
-for i in ${checkfiles[@]}; do [ -s $i ] && log "\033[01;31mWARNING: $i HAS ACCESSIBLE INFORMATION\033[0m\n"; done - -## Find world-writeable files -#log "List all world-writeable files?" -#read -n 1 -r; echo; if [[ $REPLY =~ ^[Yy]$ ]]; then find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print; fi - -## Find no-owner files -log "List all no-owner files? (This will take a while!) Y/n" -read -n 1 -r; echo; if [[ $REPLY =~ ^[Yy]$ ]]; then find / -xdev \( -nouser -o -nogroup \) -print; fi - -log "List all user files? Y/n" -read -n 1 -r; echo; if [[ $REPLY =~ ^[Yy]$ ]]; then grep -R /home; fi - -log "Ports" -sudo ss -ln -printf "To close ports: \033[01;30msudo lsof -i :$port\033[0m, remember to kill the process with \033[01;30mkillall -9 $program\033[0m and remove.\n" - -log "Cronjobs:" -sudo grep -R . /var/spool/cron/crontabs/ -for user in $(cut -f1 -d: /etc/passwd); do crontab -u $user -l; done - -log "Services:" -which service && service --status-all -which initctl && initctl list -which systemctl && systemctl list-unit-files --type service -which rc-status && rc-status --servicelist # Alpine -#ls /etc/init.d/ -ls /etc/init/*.conf - -systemctl list-unit-files --type service | grep enabled > servicesList.txt - -watch -d systemctl list-timers diff --git a/inventory.sh b/inventory.sh index d833926..f7cb09b 100644 --- a/inventory.sh +++ b/inventory.sh @@ -7,7 +7,7 @@ #UCI CCDC linux script for inventory & common operations #Written by UCI CCDC linux subteam -#UCI CCDC, 2020 +#UCI CCDC, 2021 ######################################################## 
@@ -40,7 +40,10 @@ updateOS() { #FINISH ME PLS installPackages() { - packages="sudo nmap tmux tshark vim hostname htop clamav" + //packages to install, independent of package manager + packages="sudo nmap tmux tshark vim hostname htop clamav lynis" + + printf "this function will be used to install important/essential packages on barebones systems" if [ $(command -v apt-get) ]; then # Debian based apt-get install $packages -y -q @@ -52,7 +55,7 @@ installPackages() { elif [ $(command -v apk) ]; then # Alpine apk update apk upgrade - apk add bash vim man-pages mdocml-apropos bash-doc bash-completion util-linux pciutils usbutils coreutils binutils findutils attr dialog dialog-doc grep grep-doc util-linux-doc pciutils usbutils binutils findutils readline lsof lsof-doc less less-doc nano nano-doc curl-doc + apk add bash vim man-pages mdocml-apropos bash-doc bash-completion util-linux pciutils usbutils coreutils binutils findutils attr dialog dialog-doc grep grep-doc util-linux-doc pciutils usbutils binutils findutils readline lsof lsof-doc less less-doc nano nano-doc curl-doc apk add $packages fi @@ -129,7 +132,7 @@ s) read -s -p "Enter root password for mysql database " pass for db in $(mysql -u root -p$pass -e 'show databases' --skip-column-names); do - mysqldump -u root -p$pass "$db" > "$HOME/sql-backup/$db.sql" + mysqldump --skip-lock-tables -u root -p$pass "$db" > "$HOME/sql-backup/$db.sql" done cp -r /etc/mysql /$HOME/sql-backup/ tar -czf $HOME/$HOSTNAME-sqlbackup.tgz $HOME/sql-backup 
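Review bot: The new mysqldump invocation still passes the root password on the command line as `-p$pass`, so for the duration of each dump it is readable by every local user through `ps` or `/proc/*/cmdline` (the `mysql -u root -p$pass` in the `for` header has the same exposure); exporting it once is safer: `export MYSQL_PWD="$pass"` before the loop, `mysqldump --skip-lock-tables -u root "$db" > "$HOME/sql-backup/$db.sql"` inside it, and `unset MYSQL_PWD` after `done`. `--skip-lock-tables` makes the LOCK TABLES error go away but also drops the guarantee that the tables in one dump are consistent with each other; if the databases are InnoDB, `--single-transaction` gives a consistent snapshot without needing the LOCK TABLES privilege and is the usual replacement. The error presumably came from `show databases` also listing `information_schema`/`performance_schema`, which this loop still tries to dump, so skipping those names in the loop is worth considering. The `s)` case arm this hunk edits starts before the hunk and continues after it.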
@@ -246,7 +249,7 @@ for user in $(cut -f1 -d: /etc/passwd); do crontab -u "$user" -l 2> >(grep -v 'n #saves services to variable, prints them out to terminal in blue printf '\n***services you should cry about***\n' -services=$(ps aux | grep -i 'docker\|samba\|postfix\|dovecot\|smtp\|psql\|ssh\|clamav\|mysql\|bind9\|apache\|smbfs\|samba\|openvpn\|splunk' | grep -v "grep") +services=$(ps aux | grep -i 'docker\|samba\|postfix\|dovecot\|smtp\|psql\|ssh\|clamav\|mysql\|bind9\|apache\|smbfs\|samba\|openvpn\|splunk\|nginx\|mysql\|mariadb\|ftp' | grep -v "grep") echo -e "\e[34m" echo "Services on this machine:" >> $outFile echo $services | $adtfile From fa57b0e742accf290e31b338944bd6665328376e Mon Sep 17 00:00:00 2001 From: Jacob Date: Fri, 26 Mar 2021 16:15:18 -0700 Subject: [PATCH 2/4] added new packages, added debsums option; all still untested --- inventory.sh | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/inventory.sh b/inventory.sh index f7cb09b..b2713b2 100644 --- a/inventory.sh +++ b/inventory.sh @@ -40,13 +40,15 @@ updateOS() { #FINISH ME PLS installPackages() { - //packages to install, independent of package manager + #packages to install, independent of package manager packages="sudo nmap tmux tshark vim hostname htop clamav lynis" printf "this function will be used to install important/essential packages on barebones systems" if [ $(command -v apt-get) ]; then # Debian based apt-get install $packages -y -q + #debian only packages + apt-get install debsums elif [ $(command -v yum) ]; then yum -y install $packages @@ -100,6 +102,7 @@ h) printf " -i Installs updates AND useful packages\n" printf " -s Backups MYSQL databases and config files\n" printf " -r Restore MYSQL database from backup tar archive (passed as argument)\n" + printf " -d Runs Debsums to check file validity on debian based systems\n" printf "\n\n\n" exit 1;; 
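Review bot: The extended pattern on the new `services=` line lists `mysql` twice (it was already in the old list) and `samba` twice, and because it is a case-insensitive substring match over the full `ps aux` line, `ssh` and `ftp` also hit any process whose arguments merely mention them (the auditor's own `ssh` session included); `grep -v "grep"` only hides the grep itself. Matching on the process name is tighter and never matches itself: `services=$(pgrep -ai 'docker|samba|postfix|dovecot|smtp|psql|ssh|clamav|mysql|bind9|apache|smbfs|openvpn|splunk|nginx|mariadb|ftp')`. If the user/PID columns of `ps aux` are wanted in the audit file, keep `ps` but at least dedupe the pattern. This hunk is part of the main script body, which continues past the hunk.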
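Review bot: The added `apt-get install debsums` has no `-y -q`, unlike the `apt-get install $packages -y -q` right above it, so on a host where debsums is not yet installed the `-i` path stops at apt's confirmation prompt and, when stdin is not a terminal, typically aborts; make it `apt-get install -y -q debsums`. Since `packages` is commented as package-manager independent, a one-line reason for the exception would help the next reader, e.g. `# debsums is a dpkg tool, so it is only installed where apt-get exists`. The `installPackages` function starts before this hunk and ends after it.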
@@ -156,6 +159,17 @@ r) exit 1;; +d) + printf "Checking file validity using debsums" + + apt install -y debsums + + echo "File validity output of debsums" >> $outFile + debsums | grep -v OK | $adtfile + + + + exit 1;; #both of these are error handling. The top one handles incorrect flags, the bottom one handles when no argument is passed for a flag that requires one \?) echo "incorrect syntax, use -h for help" @@ -249,10 +263,10 @@ for user in $(cut -f1 -d: /etc/passwd); do crontab -u "$user" -l 2> >(grep -v 'n #saves services to variable, prints them out to terminal in blue printf '\n***services you should cry about***\n' -services=$(ps aux | grep -i 'docker\|samba\|postfix\|dovecot\|smtp\|psql\|ssh\|clamav\|mysql\|bind9\|apache\|smbfs\|samba\|openvpn\|splunk\|nginx\|mysql\|mariadb\|ftp' | grep -v "grep") +services=$(ps aux | grep -i 'docker\|samba\|postfix\|dovecot\|smtp\|psql\|ssh\|clamav\|mysql\|bind9\|apache\|smbfs\|samba\|openvpn\|splunk\|nginx\|mysql\|mariadb\|ftp\|slapd\|amavisd\|wazuh' | grep -v "grep") echo -e "\e[34m" echo "Services on this machine:" >> $outFile -echo $services | $adtfile +echo "$services" | $adtfile echo -e "\e[0m" #formatting so audit file is less fucked with the color markers banner >> $outFile From 94f13494411f5790faf549cccb27de7ffe5e3516 Mon Sep 17 00:00:00 2001 From: Jacob Date: Sat, 17 Apr 2021 11:06:58 -0700 Subject: [PATCH 3/4] removed unnessesary file outFile created in root directory --- inventory.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/inventory.sh b/inventory.sh index b2713b2..dbe26df 100644 --- a/inventory.sh +++ b/inventory.sh @@ -197,7 +197,6 @@ echo ' printf "\n*** generating inv direcory and audit.txt in your root home directory\n" mkdir $HOME/inv/ >&/dev/null; #creates directory; stderr is redirected in the case that directory already exists outFile="$HOME/inv/audit-$(hostname).txt" -touch outFile adtfile="tee -a $HOME/inv/audit-$(hostname).txt" 
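Review bot: In the new `d)` arm, `debsums | grep -v OK` is a substring filter on the whole line, so a mismatching file whose path contains `OK` is silently dropped, and the default run skips conffiles entirely; `debsums -sa 2>&1 | $adtfile` reports only failing files, includes configuration files, and keeps debsums' own stderr (missing-file warnings) in the audit output. The arm also runs `apt install -y debsums` unconditionally, so on a yum/apk host it fails at the install step instead of telling the user debsums is Debian-only; guard it with `command -v apt-get` as `installPackages` does. Worth a comment above the check that debsums compares files against the md5sums dpkg stores locally under `/var/lib/dpkg/info`, which an intruder who already has root can rewrite alongside the files, e.g. `# NOTE: debsums trusts the local dpkg md5sums; a root-level intruder can update them too, so a clean run is weak evidence`. The `case` statement this arm belongs to starts before the hunk.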
From f97ee92d1b79c7becc7a06e90fdf0cd75b0237e5 Mon Sep 17 00:00:00 2001
From: Jacob
Date: Sat, 17 Apr 2021 11:43:11 -0700
Subject: [PATCH 4/4] renamed splunkforwarder, added context info to forwarder and server scripts
---
 splunk-ent-install.sh | 11 ++++++++++-
 makeforwarder.sh => splunkforwarder-setup.sh | 11 ++++++++++-
 2 files changed, 20 insertions(+), 2 deletions(-)
 rename makeforwarder.sh => splunkforwarder-setup.sh (83%)
diff --git a/splunk-ent-install.sh b/splunk-ent-install.sh
index 5e23ee7..d2b2885 100644
--- a/splunk-ent-install.sh
+++ b/splunk-ent-install.sh
@@ -1,4 +1,13 @@
-#!/usr/bin/env bash
+#!/bin/bash
+#########################################################
+# https://github.com/UCI-CCDC/CCDC2021
+# script raw is at https://raw.githubusercontent.com/UCI-CCDC/CCDC2021/master/splunk-ent-install.sh
+#UCI CCDC splunk server setup script
+
+#Written by UCI CCDC linux subteam
+#UCI CCDC, 2021
+########################################################
+
 ### RUN BELOW SCRIPT TO DOWNLOAD ###
 wget -O splunk-8.0.2-a7f645ddaf91-Linux-x86_64.tgz 'https://splk.it/2TNfwRD'
 ###
diff --git a/makeforwarder.sh b/splunkforwarder-setup.sh
similarity index 83%
rename from makeforwarder.sh
rename to splunkforwarder-setup.sh
index 74de1dc..a9d0c8f 100644
--- a/makeforwarder.sh
+++ b/splunkforwarder-setup.sh
@@ -1,4 +1,13 @@
 #!/bin/bash
+########################################################
+# https://github.com/UCI-CCDC/CCDC2020
+# script raw is at https://raw.githubusercontent.com/UCI-CCDC/CCDC2021/master/makeforwarder.sh
+#UCI CCDC setup script for splunk client setup
+
+#Written by UCI CCDC linux subteam
+#UCI CCDC, 2021
+########################################################
+
 if [[ $EUID -ne 0 ]]; then
 printf 'Must be run as root, exiting!\n'
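Review bot: The new header in `splunk-ent-install.sh` describes the script but says nothing about the download it sits directly above, which fetches the Splunk tarball through a `splk.it` short link with `wget -O ...` and no integrity check on whatever the redirect returns. Now that the header exists it is the natural place to record what the script expects, e.g. `# expected tarball: splunk-8.0.2-a7f645ddaf91-Linux-x86_64.tgz; verify its SHA-512 against the value published on splunk.com before running` (the digest must come from Splunk's download page, not be guessed). The shebang change from `#!/usr/bin/env bash` to `#!/bin/bash` is fine for the Linux targets this repo addresses but gives up portability to systems where bash is installed elsewhere, which deserves a word in the commit message or header.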
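Review bot: The header added to `splunkforwarder-setup.sh` points at the old name — `# script raw is at https://raw.githubusercontent.com/UCI-CCDC/CCDC2021/master/makeforwarder.sh` — while this same commit renames the file, so the link is stale the moment it lands; it should read `# script raw is at https://raw.githubusercontent.com/UCI-CCDC/CCDC2021/master/splunkforwarder-setup.sh`. The repository line above it says `CCDC2020` whereas the sibling header in `splunk-ent-install.sh` and the raw link both say `CCDC2021`, which looks like a copy-over from last year's script. The root check that follows the header continues past the end of the hunk.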
@@ -46,4 +55,4 @@ sed -i 's/"$SPLUNK_HOME\/bin\/splunk" stop/su - splunk -c '\''"$SPLUNK_HOME\/bin sed -i 's/"$SPLUNK_HOME\/bin\/splunk" restart/su - splunk -c '\''"$SPLUNK_HOME\/bin\/splunk" restart'\''/g' /etc/init.d/splunk sed -i 's/"$SPLUNK_HOME\/bin\/splunk" status/su - splunk -c '\''"$SPLUNK_HOME\/bin\/splunk" status'\''/g' /etc/init.d/splunk -su - splunk -c '/opt/splunkforwarder/bin/splunk restart' \ No newline at end of file +su - splunk -c '/opt/splunkforwarder/bin/splunk restart'