______________________________________________________________________________

secheck v0.2
Bram Shirani (bram@aversion.net)
http://www.aversion.net/secheck/
secheck-support@aversion.net
------------------------------------------------------------------------------

USER INPUT IS GREATLY APPRECIATED! LET ME KNOW WHAT YOU WANT TO SEE!

secheck is a small shell script written to take a snapshot of a given system
nightly for security. It evolved when I decided to try and combine the outputs
of several pre-existing security check programs, and add some other information
I feel is useful.

This is an alpha alpha alpha release (not because of holes in the code) but
because it really doesn't contain anything cool yet.

* Currently, secheck does the following:

  1. Shows the output of lsof -i | grep LISTEN
     This will show which ports are open at the snapshot time, along with who
     has them open, and what program (name) is running on that port. Useful
     to find who is running bots on your system, who is running bounces,
     whether there is something listening on your system that you didn't know
     about, etc.
  2. Shows the current users on the system.
  3. Shows how much drive space is free (in GB).
  4. Shows SUID files on the system.
  5. Emails the output of all of these to a user specified in check.sh (the
     wrapper script).
  6. Shows who has su'd to root (also includes sudo).
  7. Optional: shows denied packets through ipchains/iptables.

* In the future, I plan to include the input from the following programs:

  1. chkrootkit
  2. logwatch/logcheck (the security violations sections)
  3. iplog (DOS and ping scans)

  (see todo for more information)

* Also planned for future releases:

  1. Re-write in Perl
  2. Add better documentation/comments

**** I have already noticed some differences between distros. If you run across
any, PLEASE let me know.

Here is what I have found so far:

  Debian installs exim by default; /usr/bin/mail is replaced with
  /usr/bin/rmail
  Debian keeps 'su' logs in /var/log/auth.log

I have added Debian support for the latter, but not the former. If your
'secheck' wrapper script dies because it cannot find 'mail', please change that
to /usr/bin/rmail (for Debian/exim users).

____________
Installation
------------

** I have written a small install.sh script which should handle all
installation. Here's basically what it does, minus the crontab'ing.

  1. cp secheck-* /usr/local/etc/ && cd to /usr/local/etc/secheck
  2. unpack the archive with: tar -xvf secheck-0.01.tar
     If you're reading this, you've already unpacked the archive.
  3. cd into /usr/local/etc/secheck/
  4. chmod +x security.check secheck
  5. edit secheck and change the email address to the user(s) or email
     address you want the output mailed to.
  6. Run secheck
  7. crontab secheck

When you are finished, your layout should look like this:

  /root/secheck-*(version number)
  /root/secheck-*/secheck
  /root/secheck-*/security.check
  /root/secheck-*/other docs, README, INSTALL, etc
  /usr/local/etc/secheck/secheck
  /usr/local/etc/secheck/security.check
  /root/.secheck/baslinefiles

If that isn't the case, you may need to cp a few files here and there, and I
will have it fixed in the next release.

____________
Crontab Help
------------

  crontab -e

To check at midnight every night...

  0 0 * * * /usr/local/etc/secheck/secheck

I check every hour with:

  00 * * * * /usr/local/etc/secheck/secheck

**** PLEASE MAKE SURE SECURITY.CHECK IS IN /usr/local/etc/secheck/ !!!!!!

You may also make a symbolic link in /etc/cron.daily (for Red Hat users) to the
check.sh file.

  ln -s /usr/local/etc/secheck/secheck /etc/cron.daily/00-secheck

Again, if you have any input or system information you would like to see
added, please let me know. Please email secheck-support@aversion.net for
questions/comments/additions/etc.
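Checks 1 and 6 from the feature list above (listening ports, and who became root via su or sudo) as a worked example. This is added illustration code, not secheck's own script; it assumes the lsof and pam_unix/sudo syslog line formats shown in the constructed samples, and reads them from files so it runs without root or a live lsof.

```shell
#!/bin/sh
# Added example, not secheck's own code: the "listening ports" and "who became
# root" checks as functions over captured text, so they run offline without root.

# Summarise `lsof -i | grep LISTEN` output as "port program user", one line per
# listener. The NAME field is the second-to-last field, e.g. "*:22" or "[::1]:22".
listeners_report() {
    grep LISTEN "$1" | awk '{
        n = split($(NF-1), a, ":")          # take the text after the last colon
        printf "%s %s %s\n", a[n], $1, $3   # port, program name, owning user
    }' | sort -n | uniq
}

# Count who obtained root, via su (pam_unix "session opened for user root by X")
# or via sudo (USER=root ... COMMAND=). Assumed syslog formats, as written to
# /var/log/auth.log on Debian or /var/log/messages on Red Hat.
root_access_report() {
    awk '
        /session opened for user root by/ {
            n = split($0, w, " by "); u = w[n]; sub(/\(.*$/, "", u)
            c[u " via su"]++
        }
        /sudo:/ && /USER=root/ && /COMMAND=/ {
            sub(/^.*sudo:[ \t]*/, "")       # drop everything up to the username
            c[$1 " via sudo"]++
        }
        END { for (k in c) print k, c[k] }
    ' "$1" | sort
}

# Constructed sample input (not from a real host).
LSOF_SAMPLE=$(mktemp); LOG_SAMPLE=$(mktemp)
trap 'rm -f "$LSOF_SAMPLE" "$LOG_SAMPLE"' EXIT
cat > "$LSOF_SAMPLE" <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812 root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
sshd      812 root    4u  IPv6  12346      0t0  TCP *:22 (LISTEN)
eggdrop  2201 bram    5u  IPv4  22222      0t0  TCP 10.0.0.5:3333 (LISTEN)
sshd     3001 root    8u  IPv4  33333      0t0  TCP 10.0.0.5:22->10.0.0.9:51044 (ESTABLISHED)
EOF
cat > "$LOG_SAMPLE" <<'EOF'
Jan  5 00:01:02 box su[1234]: pam_unix(su:session): session opened for user root by bram(uid=1000)
Jan  5 00:01:09 box su[1234]: pam_unix(su:session): session closed for user root
Jan  5 01:10:33 box su[1301]: pam_unix(su:session): session opened for user root by bram(uid=1000)
Jan  5 02:15:00 box sudo:      eve : TTY=pts/1 ; PWD=/home/eve ; USER=root ; COMMAND=/bin/sh
Jan  5 02:20:00 box su[1402]: pam_unix(su:session): session opened for user postgres by root(uid=0)
EOF
echo "== listening ports =="; listeners_report "$LSOF_SAMPLE"
echo "== root access ==";     root_access_report "$LOG_SAMPLE"
```

On a live host, feed the functions `lsof -i` output and the distro's auth log instead of the samples; the established SSH connection and the su to postgres are deliberately ignored.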