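#!/bin/bash
# Security Audit Script
# Performs comprehensive system intrusion detection checks and writes the
# findings to a report file. Most checks degrade gracefully without root;
# the report notes which ones needed elevated privileges.
# Usage: ./audit.sh [logfile]
#   logfile - where to write the report (default: audit.log in the current
#             directory). A relative path is resolved against the current
#             directory, so run from a directory only you can write to.
# The report contains process command lines, login history and network
# state, which may include sensitive data; it is created mode 0600.
LOGFILE="${1:-audit.log}"
TIMESTAMP=$(date '+%Y-%m-%d %H:%M:%S')
# Make the report readable by the invoking user only (see header comment).
umask 077
# Initialize log file (truncates any previous report at the same path)
{
  printf '%s\n' "========================================" \
    "Security Audit Report" \
    "Started: $TIMESTAMP" \
    "Hostname: $(hostname)" \
    "Kernel: $(uname -r)" \
    "========================================" \
    ""
} > "$LOGFILE"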
# Function to log section headers
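#######################################
# Write a section header to the report.
# Globals:   LOGFILE (read) - path of the report file
# Arguments: $1 - section title
# Outputs:   appends a blank line, a rule, the title and a rule to $LOGFILE
#######################################
log_section() {
  local title=${1-}
  # printf rather than echo: a title such as "-n" or "-e" would otherwise
  # be swallowed as an echo option instead of being written.
  printf '\n%s\n%s\n%s\n' \
    "========================================" \
    "$title" \
    "========================================" >> "$LOGFILE"
}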
# Function to log with timestamp
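#######################################
# Append a timestamped line to the report.
# Globals:   LOGFILE (read) - path of the report file
# Arguments: $1 - message text
# Outputs:   appends "[HH:MM:SS] message" to $LOGFILE
#######################################
log() {
  local msg=${1-}
  # printf keeps messages that start with "-" intact; echo would parse
  # them as options.
  printf '[%s] %s\n' "$(date '+%H:%M:%S')" "$msg" >> "$LOGFILE"
}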
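# 1. Check for Chrome/Chromium installations
log_section "1. CHROME/CHROMIUM CHECK"
log "Checking for Chrome/Chromium binaries..."
# Probe each name separately: `which a b c d` exits non-zero unless every
# name resolves, so the old one-liner reported "not found" whenever only
# some of the browsers were installed.
found_browser=0
for bin in google-chrome chromium-browser chromium chrome; do
  if command -v "$bin" >> "$LOGFILE" 2>/dev/null; then
    found_browser=1
  fi
done
[ "$found_browser" -eq 1 ] || echo "No Chrome/Chromium found in PATH" >> "$LOGFILE"
log "Checking installed Chrome packages..."
# dpkg's own stderr is silenced too, so a non-Debian host does not print
# "command not found" to the console.
dpkg -l 2>/dev/null | grep -iE "chrome|chromium" >> "$LOGFILE" || echo "No Chrome packages installed" >> "$LOGFILE"
log "Checking for Chrome processes..."
# The trailing `grep -v grep` drops this pipeline's own grep from the list.
ps aux | grep -iE "chrome|chromium" | grep -v grep >> "$LOGFILE" || echo "No Chrome processes running" >> "$LOGFILE"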
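# 2. Search for TeamViewer/Remote Access Tools
log_section "2. TEAMVIEWER AND REMOTE ACCESS CHECK"
log "Searching for TeamViewer processes..."
# "remote" is deliberately broad and also matches benign tools; treat hits
# as leads to verify, not as findings.
ps aux | grep -iE "teamviewer|tvnserver|vnc|anydesk|remote" | grep -v grep >> "$LOGFILE" || echo "No obvious remote access processes found" >> "$LOGFILE"
log "Checking for TeamViewer binaries..."
# Per-name probe: a multi-argument `which` fails unless every name exists,
# so the old line said "not in PATH" when only one of the two was present.
found_tv=0
for bin in teamviewer teamviewerd; do
  if command -v "$bin" >> "$LOGFILE" 2>/dev/null; then
    found_tv=1
  fi
done
[ "$found_tv" -eq 1 ] || echo "No TeamViewer binaries in PATH" >> "$LOGFILE"
log "Checking for remote access packages..."
dpkg -l 2>/dev/null | grep -iE "teamviewer|anydesk|vnc" >> "$LOGFILE" || echo "No remote access packages found" >> "$LOGFILE"
log "Searching for TeamViewer installations..."
# find exits 0 even when nothing matches, so a "find ... || echo" fallback
# never fires; test the captured output instead. -iname covers both the
# lower-case and "TeamViewer" spellings the old two-pattern search used.
tv_paths=$(find /opt /usr/local -iname "*teamviewer*" 2>/dev/null)
if [ -n "$tv_paths" ]; then
  printf '%s\n' "$tv_paths" >> "$LOGFILE"
else
  echo "No TeamViewer installations found in /opt or /usr/local" >> "$LOGFILE"
fi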
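# 3. Review Running Processes
log_section "3. RUNNING PROCESSES ANALYSIS"
log "Top 30 CPU-consuming processes:"
# head -31: one header row plus 30 processes.
ps aux --sort=-%cpu | head -31 >> "$LOGFILE"
log "Checking for processes with high CPU usage (>50%):"
# awk exits 0 even when it prints nothing, so the old "|| echo" fallback
# never ran. NR > 1 skips the header row; the END block turns "did any
# process match" into awk's exit status so the fallback works.
ps aux | awk 'NR > 1 && $3 > 50.0 { print; found = 1 } END { exit !found }' >> "$LOGFILE" || echo "No high CPU processes found" >> "$LOGFILE"
log "Checking for suspicious process names:"
# $11 is the COMMAND column. Lists kernel-thread style names ("[...]"),
# login-shell style names ("-...") and names beginning with a dot. The old
# third alternative was written "\^\." (a literal "^."), which matched
# nothing useful; "^\." is what was meant.
ps aux | awk 'NR > 1 { print $11 }' | sort -u | grep -E '^\[|^-|^\.' | head -20 >> "$LOGFILE"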
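# 4. Network Connections Analysis
log_section "4. NETWORK CONNECTIONS"
log "Listening TCP/UDP ports:"
ss -tuln 2>/dev/null >> "$LOGFILE" || netstat -tuln 2>/dev/null >> "$LOGFILE"
log "Listening ports with process information:"
# -p shows the owning process only for sockets the caller may inspect; as a
# non-root user the column is simply empty rather than an error.
ss -tulpn 2>/dev/null >> "$LOGFILE" || echo "Cannot get process info (requires elevated privileges)" >> "$LOGFILE"
log "Established connections (top 20):"
# Without pipefail a pipeline's status is head's, so the old
# "ss -tunap ... || ss -tuna ..." fallback never ran; decide up front.
if ss -tunap >/dev/null 2>&1; then
  ss -tunap 2>/dev/null | grep ESTAB | head -20 >> "$LOGFILE"
else
  ss -tuna 2>/dev/null | grep ESTAB | head -20 >> "$LOGFILE"
fi
log "Checking for remote desktop ports (VNC:5900/5800, RDP:3389, Radmin:4899, TeamViewer:5938):"
# Anchor on ":port" followed by a space or end of line so that "5900" does
# not also match port 15900 or a digit run inside an address. 5938 is
# TeamViewer's native port and 4899 is Radmin's (the old label attributed
# 4899 to TeamViewer).
ss -tunap 2>/dev/null | grep -E ':(5900|5800|3389|4899|5938)( |$)' >> "$LOGFILE" || echo "No common remote desktop ports listening" >> "$LOGFILE"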
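# 5. Authentication and Login History
log_section "5. AUTHENTICATION AND LOGIN HISTORY"
log "Recent user logins (last 20):"
last -20 >> "$LOGFILE"
log "Currently logged in users:"
w >> "$LOGFILE"
who >> "$LOGFILE"
log "Failed login attempts:"
# The btmp file lastb reads is root-readable only on most distributions.
lastb -20 2>/dev/null >> "$LOGFILE" || echo "Cannot access failed login log (requires sudo)" >> "$LOGFILE"
log "SSH service status:"
# Debian/Ubuntu name the unit "ssh", most others "sshd". `status` exits
# non-zero for an inactive unit, so the final echo also covers "installed
# but stopped"; --no-pager guards against an interactive pager.
systemctl --no-pager status ssh 2>/dev/null >> "$LOGFILE" || systemctl --no-pager status sshd 2>/dev/null >> "$LOGFILE" || echo "SSH service not installed/running" >> "$LOGFILE"
log "Checking if SSH server is installed:"
dpkg -l 2>/dev/null | grep -iE "ssh-server|openssh-server" >> "$LOGFILE" || echo "No SSH server installed" >> "$LOGFILE"
log "SSH authentication logs (last 30 entries):"
# tail's exit status decided the old "|| echo" branch, so the fallback never
# ran when auth.log was unreadable; test readability first. Hosts that log
# only to journald have no auth.log at all (journalctl covers those).
if [ -r /var/log/auth.log ]; then
  grep -iE "failed|failure|invalid user|authentication failure" /var/log/auth.log | tail -30 >> "$LOGFILE"
else
  echo "Cannot access auth.log (requires sudo)" >> "$LOGFILE"
fi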
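# 6. Scheduled Tasks and Cron Jobs
log_section "6. SCHEDULED TASKS AND CRON JOBS"
log "User crontab:"
# Only the invoking user's crontab is readable without root.
crontab -l 2>/dev/null >> "$LOGFILE" || echo "No user crontab" >> "$LOGFILE"
log "System cron directories:"
# Unquoted glob on purpose: lists every /etc/cron.* drop-in directory.
ls -la /etc/cron.* 2>/dev/null >> "$LOGFILE"
log "Systemd timers:"
# Silence stderr like the other checks so a non-systemd host does not print
# to the console; the report still records the gap.
systemctl list-timers --all --no-pager 2>/dev/null >> "$LOGFILE" || echo "Cannot list systemd timers" >> "$LOGFILE"
log "User autostart applications:"
ls -la ~/.config/autostart/ 2>/dev/null >> "$LOGFILE" || echo "No autostart directory" >> "$LOGFILE"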
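# 7. Recently Modified System Files
log_section "7. RECENTLY MODIFIED FILES"
log "Recent files in /tmp (last 2 days):"
find /tmp -type f -mtime -2 2>/dev/null | head -30 >> "$LOGFILE"
log "Recent files in /var/tmp (last 7 days):"
find /var/tmp -type f -mtime -7 2>/dev/null | head -30 >> "$LOGFILE"
log "Files in /dev/shm:"
find /dev/shm -type f 2>/dev/null >> "$LOGFILE"
log "Recent hidden files in home directory (last 7 days):"
# Prune the noisy trees instead of walking them and filtering afterwards:
# the old unanchored `grep -v` used unescaped dots (".cache" also matched
# "xcache") and descending into ~/.cache could take a long time.
find "$HOME" \( -path "$HOME/.cache" -o -path "$HOME/.local/share" -o -path "$HOME/.mozilla" -o -path "$HOME/.config" \) -prune \
  -o -name ".*" -type f -mtime -7 -print 2>/dev/null | head -30 >> "$LOGFILE"
log "Recently modified systemd units (last 30 days):"
find /etc/systemd/system -type f -mtime -30 2>/dev/null >> "$LOGFILE"
log "Recent downloads (last 7 days):"
find ~/Downloads -type f -mtime -7 2>/dev/null | head -20 >> "$LOGFILE"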
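# 8. Kernel Modules and Rootkit Indicators
log_section "8. KERNEL MODULES AND ROOTKIT INDICATORS"
log "Loaded kernel modules (first 50):"
lsmod | head -50 >> "$LOGFILE"
log "Checking for ld.so.preload (library injection):"
# A present ld.so.preload is a classic userland library-injection indicator;
# its absence is the normal state.
ls -la /etc/ld.so.preload 2>/dev/null >> "$LOGFILE" || echo "No ld.so.preload file (normal)" >> "$LOGFILE"
log "Checking modules_disabled setting:"
cat /proc/sys/kernel/modules_disabled 2>/dev/null >> "$LOGFILE" || echo "modules_disabled not set" >> "$LOGFILE"
log "Kernel taint flags (0 = clean):"
# Non-zero taint means the kernel loaded something unsigned/out-of-tree or
# hit an error; it is a more reliable lead than the dmesg keyword grep below.
cat /proc/sys/kernel/tainted 2>/dev/null >> "$LOGFILE" || echo "Cannot read kernel taint state" >> "$LOGFILE"
log "Checking for rootkit scanner tools:"
# Per-tool probe: `which rkhunter chkrootkit` fails unless both exist, so
# the old line reported "none installed" when only one was present.
found_scanner=0
for tool in rkhunter chkrootkit; do
  if command -v "$tool" >> "$LOGFILE" 2>/dev/null; then
    found_scanner=1
  fi
done
[ "$found_scanner" -eq 1 ] || echo "No rootkit scanners installed" >> "$LOGFILE"
log "Checking init scripts:"
ls -la /etc/rc*.d/ 2>/dev/null | head -50 >> "$LOGFILE"
log "Checking for SUID/SGID files in home directory:"
# find exits 0 with no matches, so the old "|| echo" never ran; test the
# captured output instead.
suid_files=$(find /home -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null)
if [ -n "$suid_files" ]; then
  printf '%s\n' "$suid_files" >> "$LOGFILE"
else
  echo "No SUID/SGID files found in /home" >> "$LOGFILE"
fi
log "Failed systemd services:"
systemctl list-units --state=failed --no-pager 2>/dev/null >> "$LOGFILE"
log "Kernel messages for suspicious activity:"
# tail's exit status masked both an unreadable dmesg (kernel.dmesg_restrict)
# and an empty match, so the old fallback never ran; test the captured hits.
# Keyword matching only catches messages that literally name the problem.
dmesg_hits=$(dmesg 2>/dev/null | grep -iE "suspicious|rootkit|compromised|backdoor" | tail -10)
if [ -n "$dmesg_hits" ]; then
  printf '%s\n' "$dmesg_hits" >> "$LOGFILE"
else
  echo "Cannot read dmesg or no suspicious entries found" >> "$LOGFILE"
fi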
# 9. SSH Configuration Check
log_section "9. SSH CONFIGURATION"
log "User .ssh directory:"
if ! ls -la ~/.ssh 2>/dev/null >> "$LOGFILE"; then
  echo "No .ssh directory" >> "$LOGFILE"
fi
log "SSH authorized_keys:"
# Public keys only, so recording them in the report is safe; review the
# list for entries you do not recognise.
if ! cat ~/.ssh/authorized_keys 2>/dev/null >> "$LOGFILE"; then
  echo "No authorized_keys file" >> "$LOGFILE"
fi
log "Root .ssh directory:"
# Readable only when running as root; the message covers the common case.
if ! ls -la /root/.ssh 2>/dev/null >> "$LOGFILE"; then
  echo "Cannot access root .ssh directory (requires sudo)" >> "$LOGFILE"
fi
# 10. System Information
log_section "10. SYSTEM INFORMATION"
# Baseline host facts, recorded so the rest of the report can be read in
# context. Each label is logged, then the command's output is appended.
sysinfo_entry() {
  log "$1"
  shift
  "$@" >> "$LOGFILE"
}
sysinfo_entry "System uptime:" uptime
sysinfo_entry "Disk usage:" df -h
sysinfo_entry "Memory usage:" free -h
sysinfo_entry "Network interfaces:" ip addr show
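# Summary
log_section "AUDIT COMPLETE"
echo "Audit completed at: $(date '+%Y-%m-%d %H:%M:%S')" >> "$LOGFILE"
echo "Log file: $LOGFILE" >> "$LOGFILE"
echo "" >> "$LOGFILE"
# Display summary to console
# Per-name probes: a multi-argument `which` exits non-zero unless every name
# resolves, so the old summary said "NO" whenever any one binary was absent.
chrome_found=NO
for bin in google-chrome chromium-browser chromium chrome; do
  if command -v "$bin" >/dev/null 2>&1; then
    chrome_found=YES
    break
  fi
done
teamviewer_found=NO
for bin in teamviewer teamviewerd; do
  if command -v "$bin" >/dev/null 2>&1; then
    teamviewer_found=YES
    break
  fi
done
# `is-active` prints its state ("inactive", "unknown") even when it exits
# non-zero, so the old "a || b || echo NO" chain put several lines into one
# summary field; --quiet keeps only the exit status.
ssh_running=NO
for unit in ssh sshd; do
  if systemctl is-active --quiet "$unit" 2>/dev/null; then
    ssh_running=YES
    break
  fi
done
echo "=========================================="
echo "Security Audit Complete"
echo "=========================================="
echo "Log file saved to: $LOGFILE"
echo ""
echo "Quick Summary:"
echo "- Chrome installed: $chrome_found"
echo "- TeamViewer found: $teamviewer_found"
echo "- SSH server running: $ssh_running"
# TCP only: ss reports UDP sockets as UNCONN, not LISTEN.
echo "- Listening ports: $(ss -tuln 2>/dev/null | grep -c LISTEN)"
echo "- Failed services: $(systemctl list-units --state=failed --no-legend 2>/dev/null | wc -l)"
echo ""
echo "Review the full log at: $LOGFILE"
echo "=========================================="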