Euler Guardian: generic Linux operating system risk assessment tool for openEuler community
gitee: https://gitee.com/openeuler-competition/summer2021-110
First, complete the configuration before use. This step is not required if you only use the emergency response module.
```
chmod +x config.sh
su
./config.sh
```
The following mail configuration is only needed if the tool should send emails to inform users.
```
vi /etc/ssmtp/ssmtp.conf   # root privilege is needed
```
Edit the file as follows:
```
root=username@gmail.com
mailhub=smtp.gmail.com:465
rewriteDomain=gmail.com
AuthUser=username
AuthPass=authcode
FromLineOverride=YES
UseTLS=YES
```
Note: when sending an email, the fromAddr (sender address) must be the address you set in this configuration.
| color | info |
|---|---|
| blue | process display |
| default | information display |
| green | normal |
| yellow | low risk |
| red | high risk |
| purple | suggestion to repair |
Normalize CSS from:
https://necolas.github.io/normalize.css/8.0.1/normalize.css
This module must be run as root. Reports are generated after scanning.
```
Usage:
  -h  help
  -f  sender email address
  -t  receiver email address
```
Four reports are generated in total.
Pre-operations:
- check the current id (the module must be run as root)
- check SetUID
- delete the s.txt left by a previous scan, if there is one
System information check.
Security policy check:
- whether SELinux is used
- resource limits
Check user information:
- hostname
- id
- whether passwords are stored as hashes
- last logged-in users
Password configuration:
- Days for a password to expire: PASS_MAX_DAYS
- Min days to wait after the last password change: PASS_MIN_DAYS
- Min length of password: PASS_MIN_LEN
- Days to receive a warning before password expiration: PASS_WARN_AGE
- Days the password has been used (to do)
PAM cracklib provides the ability to control password complexity. The `password` line sets the password complexity policy; the credit options below take a value N (usually N < 0).
| option | information |
|---|---|
| retry | retry times |
| difok | number of character changes in the new password that differentiate it from the old password |
| minlen | the minimum acceptable size for the new password |
| ucredit | (N >= 0) the maximum credit for having upper case letters in the new password; (N < 0) the minimum number of upper case letters in a new password |
| lcredit | (N >= 0) the maximum credit for having lower case letters in the new password; (N < 0) the minimum number of lower case letters in a new password |
| dcredit | (N >= 0) the maximum credit for having digits in the new password; (N < 0) the minimum number of digits in a new password |
| dictpath | path to the cracklib dictionaries |
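The password-configuration keys and the cracklib credit semantics above can be checked with a small script. This is an added example, not code from Euler Guardian: it reads a constructed login.defs excerpt and a constructed pam_cracklib line, and the risk thresholds (90 and 180 days, minimum length 6 and 8, warn age 7) are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not Euler Guardian's own code): rate a login.defs-style
# password policy and read pam_cracklib credit options the way the tables
# above describe them. Thresholds (90/180 days, length 6/8, warn 7) are assumptions.

# get_def FILE KEY -> value of KEY in FILE (first match; comment lines ignored)
get_def() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# rate_policy FILE -> one "KEY value verdict" line per setting, using the
# report's own levels: normal / low risk / high risk (unset counts as high risk)
rate_policy() {
    f="$1"
    max=$(get_def "$f" PASS_MAX_DAYS); min=$(get_def "$f" PASS_MIN_DAYS)
    len=$(get_def "$f" PASS_MIN_LEN);  warn=$(get_def "$f" PASS_WARN_AGE)
    if [ -z "$max" ] || [ "$max" -gt 180 ]; then echo "PASS_MAX_DAYS ${max:-unset} high risk"
    elif [ "$max" -gt 90 ]; then echo "PASS_MAX_DAYS $max low risk"
    else echo "PASS_MAX_DAYS $max normal"; fi
    if [ -z "$min" ] || [ "$min" -lt 1 ]; then echo "PASS_MIN_DAYS ${min:-unset} low risk"
    else echo "PASS_MIN_DAYS $min normal"; fi
    if [ -z "$len" ] || [ "$len" -lt 6 ]; then echo "PASS_MIN_LEN ${len:-unset} high risk"
    elif [ "$len" -lt 8 ]; then echo "PASS_MIN_LEN $len low risk"
    else echo "PASS_MIN_LEN $len normal"; fi
    if [ -z "$warn" ] || [ "$warn" -lt 7 ]; then echo "PASS_WARN_AGE ${warn:-unset} low risk"
    else echo "PASS_WARN_AGE $warn normal"; fi
}

# cracklib_min PAM_LINE OPT -> minimum count OPT enforces: N < 0 means
# "at least -N characters of that class"; N >= 0 is only a credit, so 0
cracklib_min() {
    n=$(printf '%s\n' "$1" | grep -o "$2=-\{0,1\}[0-9]\{1,\}" | head -n 1 | cut -d= -f2)
    if [ -n "$n" ] && [ "$n" -lt 0 ]; then echo $(( 0 - n )); else echo 0; fi
}

# Constructed sample input (not taken from a real host)
SAMPLE_DEFS=$(mktemp)
cat > "$SAMPLE_DEFS" <<'EOF'
# constructed /etc/login.defs excerpt
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
EOF
SAMPLE_PAM='password requisite pam_cracklib.so retry=3 minlen=8 ucredit=-1 dcredit=2'

rate_policy "$SAMPLE_DEFS"
echo "upper-case letters required: $(cracklib_min "$SAMPLE_PAM" ucredit)"
echo "digits required: $(cracklib_min "$SAMPLE_PAM" dcredit)"
```

Point `rate_policy` at a real /etc/login.defs and `cracklib_min` at the `password` line of the PAM configuration to rate a host with the same three levels the report uses.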
File check:
- search for all files in the OS with the s (SetUID/SetGID) permission
- search for files with 777 permissions and no owning group
- search for orphan files
- unusual modules loaded into the kernel
Linux Auditing System:
- for CentOS etc.: audit, audit-libs
- for Debian etc.: auditd
Security hardening for openEuler OS: (to do)
Using OVAL files and oscap, scan the OS's security configuration and its CVEs.
SSG database from:
https://github.com/ComplianceAsCode/content
https://oval.cisecurity.org/repository/download
https://security-metadata.canonical.com
https://www.redhat.com/security/data/oval/v2/
Send an email to the user.
Automatic emergency response after an intrusion
An HTML report can be generated from the scan results. The report is presented as charts.
Basic check:
- iptables firewall rules
- open TCP and UDP ports
- init.d services
- $PATH
- unusual modules loaded into the kernel
tmpArr[] holds the columns of each loaded-module line, by index:

| 0 | 1 | 2 |
|---|---|---|
| Module | Size | Used by |
Check changed files. Column indices of each open-file record:

| 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 |
|---|---|---|---|---|---|---|---|---|---|
| COMMAND | PID | USER | FD | TYPE | DEVICE | SIZE/OFF | NLINK | NODE | NAME |
- atime: access timestamp, the last time a file was accessed.
- ctime: change timestamp, the last time some metadata related to the file was changed.
- mtime: modified timestamp, the last time a file's contents were modified.
- processes using more than n% CPU
- check for hidden processes and sort them
- check wget commands in history
- check ssh commands in history
- check for ssh brute-force attempts against root
- check whether root is the only root user
- users without passwords
- users that are able to log in
- last login of all users
- crontab files of root
- cron backdoor
- webshell check based on files, supporting php, asp and jsp