Ithy Logo

Scripts for Checking Linux Systems for Misconfiguration and Vulnerabilities

Comprehensive Guide to Securing Your Linux Environment

linux security auditing tools

Key Takeaways

  • Comprehensive Auditing Tools: Utilize robust scripts like Lynis and OpenSCAP for exhaustive system audits.
  • Privilege Escalation Detection: Employ specialized tools such as LinPEAS and Linuxprivchecker.py to identify potential elevation paths.
  • Regular Monitoring and Updates: Maintain system security by regularly updating software and monitoring critical configurations.

Introduction

Ensuring the security of Linux systems is paramount in today's digital landscape, where misconfigurations and vulnerabilities can lead to significant breaches and data losses. Administrators and security professionals must employ a combination of scripts and tools to audit, identify, and mitigate potential risks effectively. This guide delves into the most effective scripts and tools available for checking Linux systems for misconfigurations and vulnerabilities, offering detailed insights into their functionalities, usage, and best practices for implementation.


Comprehensive Auditing Tools

Lynis

Lynis is a widely acclaimed open-source security auditing tool designed for Unix/Linux systems. It performs extensive security checks, identifying vulnerabilities, misconfigurations, and compliance issues. Lynis assesses various system aspects, including user account security, software vulnerabilities, firewall settings, and more.

  • Features:
    • Comprehensive system audits
    • Compliance testing against industry standards
    • Detailed reporting with remediation suggestions
    • Modular architecture for extensibility
  • Usage:
    sudo lynis audit system

    Run the above command to perform a full system audit. Lynis will generate a report highlighting potential security issues and recommendations for improvement.

  • Website: Lynis Official Website

OpenSCAP

OpenSCAP is a robust framework for system security auditing and compliance checking based on the Security Content Automation Protocol (SCAP) standards. It provides a suite of tools for vulnerability scanning and configuration assessment, ensuring systems adhere to defined security policies.

  • Features:
    • Compliance checking against SCAP standards
    • Vulnerability scanning
    • Automated remediation capabilities
    • Support for custom security profiles
  • Usage:
    oscap xccdf eval --profile standard --result result.xml /usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml

    Execute the above command to scan the system against a predefined security profile. The results will be stored in the specified XML file for review.

  • Website: OpenSCAP Official Website

Metasploit Framework

The Metasploit Framework is a powerful penetration testing platform that includes modules for vulnerability scanning and exploitation. It is widely used to identify misconfigurations and vulnerabilities in Linux systems.

  • Features:
    • Extensive library of exploit modules
    • Auxiliary modules for scanning and enumeration
    • Integration with various security tools
    • Automation capabilities through scripting
  • Usage:

    To test for vulnerabilities, you can use specific modules. For example:

    msfconsole
    use auxiliary/scanner/ssh/ssh_login
    set RHOSTS 192.168.1.100
    run

    This script attempts to login via SSH using the provided credentials, helping identify weak authentication configurations.

  • Website: Metasploit Official Website

Privilege Escalation Detection

LinPEAS

LinPEAS is part of the PEASS-ng suite and is designed to enumerate possible privilege escalation paths on Linux systems. It scans for misconfigurations, outdated software, and environment variables that can be exploited to gain elevated privileges.

  • Features:
    • Detects SUID/SGID binaries
    • Identifies writable and executable directories
    • Checks for misconfigured services and cron jobs
    • Analyzes environment variables for sensitive information
  • Usage:
    wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
    chmod +x linpeas.sh
    ./linpeas.sh

    Download the script, make it executable, and run it to perform an exhaustive search for privilege escalation vectors.

  • Repository: PEASS-ng GitHub Repository

LinEnum

LinEnum is a comprehensive privilege escalation and system enumeration script. It scans for a wide range of misconfigurations, world-writable files, and potential privilege escalation vectors, providing detailed insights into system security posture.

  • Features:
    • Checks for world-writable files and directories
    • Examines cron jobs and scheduled tasks
    • Identifies SUID/SGID binaries
    • Analyzes network configurations and open ports
  • Usage:
    wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
    chmod +x LinEnum.sh
    ./LinEnum.sh

    Download the script, assign execution permissions, and execute it to begin the enumeration process.

  • Repository: LinEnum GitHub Repository

Linuxprivchecker.py

Linuxprivchecker.py is a Python-based security audit script compatible with both Python 2.x and 3.x. It systematically scans for common privilege escalation vectors, misconfigured permissions, and potential security issues.

  • Features:
    • Searches for world-writable files
    • Identifies misconfigured permissions
    • Detects clear-text passwords
    • Reports known vulnerable configurations
  • Usage:
    git clone https://github.com/sleventyeleven/linuxprivchecker.git
    cd linuxprivchecker
    python3 linuxprivchecker.py

    Clone the repository, navigate to the directory, and run the script using Python to initiate the security audit.

  • Repository: linuxprivchecker.py GitHub Repository

Beagle-Eyed Mouse Linux Privesc Script

Beagle-Eyed Mouse is tailored to detect misconfigurations that could lead to privilege escalation. It focuses on identifying weak file permissions, vulnerable cron jobs, and other common security oversights.

  • Features:
    • Detects weak file and directory permissions
    • Scans for vulnerable cron jobs
    • Identifies potential environment variable leaks
    • Checks for outdated and vulnerable software packages
  • Usage:
    git clone https://github.com/duck-sec/beadey-eyed-mouse-linux-privesc-script.git
    cd beadey-eyed-mouse-linux-privesc-script
    chmod +x beadey-eyed-mouse.sh
    ./beadey-eyed-mouse.sh

    Clone the repository, navigate to the script directory, grant execution permissions, and run the script to perform the security checks.

  • Repository: Beagle-Eyed Mouse GitHub Repository

Unix-Privesc-Check

Unix-Privesc-Check is a detailed system auditing tool that targets various privilege escalation vectors. It meticulously examines system configurations, file permissions, and service settings to uncover potential security flaws.

  • Features:
    • Identifies weak file permissions
    • Scans for misconfigured services
    • Checks for dangerous SUID/SGID binaries
    • Analyzes vulnerable kernel modules
  • Usage:
    git clone https://github.com/diego-treitos/unix-privesc-check.git
    cd unix-privesc-check
    chmod +x unix-privesc-check.sh
    ./unix-privesc-check.sh

    Clone the repository, navigate to the script directory, provide execution permissions, and execute the script to start the audit.

  • Repository: Unix-Privesc-Check GitHub Repository

Vulnerability Scanners

Linux Exploit Suggester

Linux Exploit Suggester is a script that identifies potential privilege escalation vulnerabilities based on the system's kernel version and installed packages. It cross-references known exploits to suggest possible attack vectors.

  • Features:
    • Compares system kernel against known vulnerabilities
    • Suggests relevant exploits for detected vulnerabilities
    • Supports extensive vulnerability databases
  • Usage:
    git clone https://github.com/mzet-/linux-exploit-suggester.git
    cd linux-exploit-suggester
    ./linux-exploit-suggester.sh

    Clone the repository, navigate to the script directory, and execute the script to receive a list of potential exploits applicable to your system.

  • Repository: Linux Exploit Suggester GitHub Repository

Nuclei

Nuclei is a fast and flexible vulnerability scanner that allows users to create custom templates for detecting a wide range of security issues, including misconfigurations and vulnerabilities. Its high performance makes it suitable for scanning large environments efficiently.

  • Features:
    • Support for custom vulnerability templates
    • High-speed scanning capabilities
    • Integration with continuous integration/continuous deployment (CI/CD) pipelines
    • Comprehensive reporting and alerting
  • Usage:
    git clone https://github.com/projectdiscovery/nuclei.git
    cd nuclei/v2/cmd/nuclei
    go build
    ./nuclei -u https://example.com -t /path/to/templates/

    Clone the repository, build the executable, and run it against target URLs using specified templates to identify vulnerabilities.

  • Repository: Nuclei GitHub Repository

Vuls

Vuls is an advanced vulnerability scanner tailored for Linux and FreeBSD systems. It utilizes multiple vulnerability databases and supports both local and remote scans, providing comprehensive coverage of potential security issues.

  • Features:
    • Supports multiple vulnerability databases
    • Enables concurrent scanning for efficiency
    • Generates detailed HTML reports
    • Integrates with notification systems for alerts
  • Usage:
    wget https://github.com/future-architect/vuls/releases/download/v0.27.1/vuls_0.27.1_linux_amd64.tar.gz
    tar -zxvf vuls_0.27.1_linux_amd64.tar.gz
    ./vuls config

    Download the appropriate version, extract the files, configure the scanner, and execute it to perform vulnerability assessments.

  • Repository: Vuls GitHub Repository

Rootkit Detectors

Chkrootkit

Chkrootkit is a tool specifically designed to detect rootkits on Linux systems. Rootkits are malicious software that can provide unauthorized access and conceal their presence, making them particularly dangerous.

  • Features:
    • Detects known rootkits
    • Checks for malicious backdoors
    • Verifies the integrity of system binaries
    • Reports suspicious processes and network connections
  • Usage:
    sudo apt-get install chkrootkit
    sudo chkrootkit

    Install the tool using the package manager and execute it to scan the system for rootkits and related threats.

  • Website: Chkrootkit Official Website

Sudo Misconfigurations

SUDO_KILLER

SUDO_KILLER is a specialized tool aimed at detecting misconfigurations in the sudoers file that could lead to privilege escalation vulnerabilities. Properly configured sudo access is critical for maintaining system security.

  • Features:
    • Scans for excessive sudo permissions
    • Identifies CVE-related misconfigurations
    • Provides detailed reports on sudo access issues
  • Usage:
    git clone https://github.com/TH3xACE/SUDO_KILLER.git
    cd SUDO_KILLER
    python3 sudo_killer.py

    Clone the repository, navigate to the directory, and run the script using Python to analyze sudo configurations for potential vulnerabilities.

  • Repository: SUDO_KILLER GitHub Repository

System Audit and Hardening

LinuxAudit Script

The LinuxAudit Script is a bash-based tool designed to gather comprehensive information about a Linux system. It aids in the hardening process by checking various system details such as kernel information, user accounts, distribution specifics, running services, and network interfaces.

  • Features:
    • Collects detailed system information
    • Checks for kernel updates and patches
    • Reviews user account configurations
    • Examines running services and network interfaces for security
  • Usage:
    chmod +x LinuxAudit.sh
    ./LinuxAudit.sh

    Grant execution permissions to the script and run it to initiate the system audit process.

  • Repository: LinuxAudit GitHub Repository

PeterMosmans/security-scripts

PeterMosmans/security-scripts is a collection of security scripts designed for analyzing hosts for common misconfigurations and vulnerabilities. These scripts leverage open-source tools to perform generic security tests on one or more hosts, providing detailed outputs to aid in vulnerability assessment.

  • Features:
    • Automated security testing
    • Integration with various open-source security tools
    • Detailed output for in-depth analysis
    • Supports multiple hosts for large-scale assessments
  • Usage:
    git clone https://github.com/PeterMosmans/security-scripts.git
    cd security-scripts
    ./security_audit.sh

    Clone the repository, navigate to the script directory, and execute the audit script to perform security assessments across designated hosts.

  • Repository: PeterMosmans/security-scripts GitHub Repository

Vuls

Vuls stands out as an advanced vulnerability scanner tailored for Linux and FreeBSD systems. It leverages multiple vulnerability databases to provide comprehensive coverage, supporting both local and remote scans to ensure thorough assessments.

  • Features:
    • Integration with various vulnerability databases
    • Concurrent scanning for enhanced efficiency
    • Detailed HTML reporting
    • Notification system integration for real-time alerts
  • Usage:
    wget https://github.com/future-architect/vuls/releases/download/v0.27.1/vuls_0.27.1_linux_amd64.tar.gz
    tar -zxvf vuls_0.27.1_linux_amd64.tar.gz
    ./vuls config

    Download the latest release, extract the archive, configure the scanner, and run it to perform vulnerability assessments on target systems.

  • Repository: Vuls GitHub Repository

File and Directory Permission Validation

Proper file and directory permissions are critical in maintaining system security. Misconfigured permissions can allow unauthorized access or modification of sensitive files, making it essential to regularly audit and validate permissions.

Manual Permission Checks

Using native Linux commands, administrators can manually inspect file permissions to identify and rectify misconfigurations.

  • Find World-Writable Files:
    find / -type f -perm -o+w 2>/dev/null

    This command searches for files that are writable by all users, which can be a significant security risk if not properly managed.

  • Check SUID Binaries:
    find / -user root -perm -4000 -exec ls -ldb {} \;

    Identifies binaries with the SUID bit set, which allows users to execute the binary with the permissions of the file's owner, typically root. Improperly configured SUID binaries can be exploited for privilege escalation.

pspy

pspy is a lightweight monitoring tool that can detect processes without requiring root access. It is particularly useful for identifying misconfigurations in crontab or other services that may lead to unauthorized access or privilege escalation.

  • Features:
    • Monitors process creation in real-time
    • Detects suspicious activities without needing elevated privileges
    • Provides insights into system processes and services
  • Usage:
    wget https://github.com/DominicBreuker/pspy/releases/download/pspy/pspy64
    chmod +x pspy64
    ./pspy64

    Download the appropriate binary, make it executable, and run it to start monitoring system processes for suspicious activities.

  • Repository: pspy GitHub Repository

Network Service Misconfiguration

Network services are often targeted for misconfigurations that can expose systems to unauthorized access or exploitation. Regularly auditing network configurations helps in identifying and mitigating such vulnerabilities.

Nmap

Nmap is a versatile network scanning tool that can be used to detect exposed services and improper configurations. With the use of specific scripts, Nmap can perform in-depth vulnerability assessments of network services.

  • Features:
    • Port scanning and service enumeration
    • Scriptable interaction with services using NSE (Nmap Scripting Engine)
    • Detection of open ports and vulnerable services
    • Support for a wide range of scanning techniques
  • Usage:
    nmap --script vuln -p- 192.168.1.100

    This command scans all ports on the target IP address and uses vulnerability detection scripts to identify potential security issues.

  • Website: Nmap Official Website

Metasploit Framework

In addition to its auditing capabilities, Metasploit can be configured to perform targeted misconfiguration detection using its extensive library of modules.

  • Features:
    • Customizable vulnerability scanning
    • Integration with other security tools for comprehensive assessments
    • Automated exploitation of detected vulnerabilities
  • Usage:
    msfconsole
    use auxiliary/scanner/http/http_version
    set RHOSTS 192.168.1.100
    run

    Utilize specific modules to scan for particular service vulnerabilities, such as detecting outdated HTTP server versions.

  • Website: Metasploit Official Website

Best Practices for Securing Linux Systems

Regularly Update Software

Keeping all software packages and the kernel up to date is crucial in mitigating known vulnerabilities. Regular updates ensure that security patches are applied promptly, reducing the risk of exploitation.

  • Commands for Update:
    • Debian/Ubuntu:
      sudo apt update
      sudo apt upgrade -y
    • Red Hat/CentOS:
      sudo yum update -y
    • Fedora:
      sudo dnf upgrade -y

Restrict Permissions

Properly configuring file and directory permissions minimizes the risk of unauthorized access or modifications. Avoiding world-writable files and limiting the use of SUID/SGID binaries are essential practices.

  • Best Practices:
    • Ensure sensitive files are readable only by privileged users
    • Limit the number of SUID/SGID binaries to what is necessary
    • Regularly audit and adjust permissions based on need

Monitor Cron Jobs

Cron jobs can be a vector for executing malicious scripts if misconfigured. Regularly reviewing and monitoring cron jobs ensures that only authorized tasks are scheduled.

  • Commands for Reviewing Cron Jobs:
    • System-Wide Cron Jobs:
      sudo cat /etc/crontab
    • User-Specific Cron Jobs:
      crontab -l

Use Strong Authentication

Implementing strong passwords and multi-factor authentication (MFA) enhances system security by making unauthorized access significantly more difficult.

  • Best Practices:
    • Enforce complex password policies
    • Implement MFA for critical accounts
    • Use SSH keys with passphrases for remote access

Enable Logging and Monitoring

Continuous monitoring and logging of system activities help in early detection of suspicious behavior and potential breaches. Tools like auditd and syslog are essential for maintaining comprehensive logs.

  • Enable auditd:
    sudo apt install auditd
    sudo systemctl enable auditd
    sudo systemctl start auditd

    Install and enable auditd to start auditing system events.

  • Configure syslog:

    Edit the /etc/rsyslog.conf file to configure logging preferences and ensure that logs are being recorded appropriately.

Firewall Configuration

Properly configured firewalls act as a first line of defense against unauthorized access. Misconfigured firewall rules can expose services to the internet, increasing vulnerability.

  • Using UFW (Uncomplicated Firewall):
    • Enable UFW:
      sudo ufw enable
    • Allow Specific Ports:
      sudo ufw allow ssh
      sudo ufw allow http
      sudo ufw allow https
    • Check Status:
      sudo ufw status verbose

Service Management

Disabling unused services reduces the attack surface of the system. Regularly auditing running services ensures that only necessary services are active.

  • Check Running Services:
    sudo systemctl list-units --type=service
  • Disable Unused Services:
    sudo systemctl disable service_name
    sudo systemctl stop service_name

    Replace service_name with the actual service you intend to disable.


File and Directory Permission Validation

Comprehensive Permission Audits

Regular audits of file and directory permissions are essential to prevent unauthorized access and modifications. Misconfigured permissions can lead to data breaches and system compromises.

  • Identify Sensitive Files:
    find /etc -type f \( -name "*.conf" -o -name "*.key" \) -perm /o+w

    This command searches for configuration and key files within the /etc directory that are writable by others, highlighting potential security risks.

  • Review Home Directory Permissions:

    Ensure that users' home directories do not have overly permissive settings:

    chmod 700 /home/username

    Replace username with the actual user's name to restrict access to their home directory.

  • Monitor SUID/SGID Binaries:
    find / -type f -perm /6000 2>/dev/null

    Lists all files with SUID or SGID bits set, which should be reviewed to ensure they are necessary and secure.


Additional Measures and Manual Checks

Kernel Parameter Hardening

Securing kernel parameters can significantly enhance system security by enforcing strict network and process controls.

  • Disable IP Forwarding:
    echo "net.ipv4.ip_forward = 0" | sudo tee -a /etc/sysctl.conf
    sudo sysctl -p

    This setting prevents the system from forwarding IP packets, reducing the risk of being used as a router for malicious activities.

  • Enable Address Space Layout Randomization (ASLR):
    echo "kernel.randomize_va_space = 2" | sudo tee -a /etc/sysctl.conf
    sudo sysctl -p

    ASLR randomizes memory addresses used by system and application processes, making it harder for attackers to predict memory locations.

Authentication Mechanism Strengthening

Enhancing authentication mechanisms ensures that only authorized users can access the system, thereby protecting against unauthorized access and potential breaches.

  • Configure PAM (Pluggable Authentication Modules):

    Edit PAM configurations to enforce strong authentication policies, such as password complexity and account lockout after multiple failed attempts.

    sudo nano /etc/pam.d/common-password

    Add or modify lines to include modules like pam_pwquality.so to enforce password policies.

  • Implement SSH Hardening:
    • Disable root login via SSH:
      sudo nano /etc/ssh/sshd_config
      PermitRootLogin no
    • Change the default SSH port:
      sudo nano /etc/ssh/sshd_config
      Port 2222

      Replace 2222 with a port number of your choice.

    • Enable SSH key-based authentication and disable password authentication:
      sudo nano /etc/ssh/sshd_config
      PasswordAuthentication no

Logging Configurations

Proper logging configurations ensure that all significant system events are recorded, facilitating monitoring and forensic analysis in the event of a security incident.

  • Configure rsyslog for Remote Logging:
    sudo nano /etc/rsyslog.conf
    *.* @remote-log-server:514
    sudo systemctl restart rsyslog

    Replace remote-log-server with the address of your centralized logging server. This ensures that logs are sent remotely for centralized monitoring and storage.

  • Enable Auditd Rules:
    sudo nano /etc/audit/rules.d/audit.rules
    -w /etc/passwd -p wa -k passwd_changes
    sudo systemctl restart auditd

    This rule monitors changes to the /etc/passwd file, ensuring that any modifications are logged and can be reviewed for unauthorized changes.


References

Implementing these tools and best practices will significantly enhance the security posture of your Linux systems, ensuring that misconfigurations and vulnerabilities are promptly identified and addressed. Regular audits, combined with proactive monitoring and stringent access controls, form the cornerstone of robust Linux system security.


Last updated January 24, 2025
Search Again