This script is used by KirkpatrickPrice auditors to collect information from Linux hosts. Unlike many other tools out there, the approach used in this script is "keep it lite":
- Keep it simple -- there is only one file that is needed --
kpnixaudit.sh
. Everything runs from there. - Keep it simple -- the script tries not to use any crazy Bash-fu. Comments are embedded througout to facilitate DevOps, Site Reliability and other engineers' review prior to running it on your server
- Use only commands that are already built into the operating system (no Python, Perl, jq, etc required)
- In addition to built-in OS commands, only use commands that will only be present if the software that we're auditing is installed -- e.g.
- Docker ==>
docker
- Kubernetes ==>
kubectl
- Tripwire ==>
twadmin
- Docker ==>
- Minimal real-time analysis -- we collect data for off-line analysis and don't report findings during data collection. This keeps the dependencies to a minimum and the logic simple, especially important for running the script on production machines.
- Fail quietly -- If a command isn't found or the piece of software isn't installed, note that in the output and keep going
Starting with version 0.6.12, all Git Commits are signed to increase reliability that code hasn't been changed by anyone but KirkpatrickPrice. You can verify the signature of any commit by clicking on the commit message or hash ID and noting that "Verified" is indicated.
- Shell:
bash
- Package managers: Combinations of
dpkg
rpm
yum
apt
- Service management:
systemctl
service
chkconfig
- Hardened kernel:
selinux
orapparmor
- Misc. commands:
find
which
echo
awk
uname
sysctl
grep
useradd
head
tail
netstat
initctl
launchctl
- Product-specific commands:
docker
kubectl
etc. if installed
The script has been tested against currently-supported distributions of:
- Ubuntu -- 18.04LTS and 20.04LTS
- RHEL and CentOS -- version 7.x and 8.x
- Amazon Linux -- Versions 1 and 2
It will also likely run well on any other RPM- or DEB-based distribution that supports the dependencies above.
Installation is as simple as copying or cloning the Bash script to your system.
git clone https://github.com/kirkpatrickprice/linux-audit-scripts
or using wget:
wget https://raw.githubusercontent.com/kirkpatrickprice/linux-audit-scripts/main/kpnixaudit.sh
or click on the script and download the raw file.
USAGE:
kpnixaudit.sh [ -cdhw ] [-m module ...]
Options:
-c Print DumpCmd errors messages to STDERR instead of redirecting them to /dev/null
-d Print DEBUG messages to STDOUT and to REPORT_NAME
-m Select modules to run. Use -m multiple times to select more than one module
If not used, all modules will be run. If used, only the selected modules will be
run. To run all modules except for WorldFiles, use the -w switch. Module names
are CaSe SeNsItIvE.
Valid modules: System Network Security Logging Users K8sMaster K8sWorker Docker WorldFiles
-w Disable the WorldFiles module (this check can take a long time on systems
with lots of network-attached storage such as NFS mounts).
-h this help
NOTE: This script must be run as ROOT
The most common usage is:
sudo ./kpnixaudit.sh
Although your auditor may ask you to run only certain modules (e.g.):
sudo ./kpnixaudit.sh -m System -m Security
The end result is a text file named as hostname.txt
. Your auditor will ask you to upload all of the files from the identified sample as a ZIP to the Online Audit Manager portal.