City LinUX sample scripts - secscan

NAME

secscan - runs security systems applications on remote servers and raises alerts where problems are found.

SYNOPSIS

secscan [ -a <rootkit:filename> ] [ -c <config_file> ] [ -d ] [ -e <rcpt> ] [ -l ] [ -t # ] [ -u ] [ -U ] [ -v ] <hostname>

AVAILABILITY

secscan was written as a Bourne shell script which should work equally well on all versions of UNIX and Linux. Unfortunately variables set in nested if statements do not consistently retain their values outside the if construct when using 64bit bash. The script works as expected with ksh.

DESCRIPTION

The purpose of secscan is to check the integrity of security applications on remote hosts before running them. If all is well the remote software tools are run and the output checked to determine whether an alert needs to be raised.

In normal operation secscan will take sha1 checksums of "rkhunter" and "rkhunter.conf" on the remote host and compare them to checksums stored on the invoking "administration" host. If the checksums deviate from the known checksums an alert is raised by sending e-mail to the root user on the host from which secscan is invoked.

OPTIONS

-a <rootkit:filename>
The -a option allows a file to be removed from the list of files associated with the presence of a particular root kit.

This option arises from the use of secscan on a Slackware host where the quite legitimate presence of "/etc/ssh/sshd_config" generates a warning from rkhunter regarding a possible infection by Dica-Kit.

See examples below.

-c <configuration_file>
By default secscan finds the configuration using a default path and <hostname> from the command line, i.e. "/usr/local/etc/secscan.d/<hostname>.cf". The -c option allows a different path to be used, perhaps for testing modifications or to use a common configuration over a number of hosts. The file name <hostname>.cf will be appended to the path. The same path will be used to store the checksums generated. By default the checksums are stored in /usr/local/etc/secscan.d/<hostname>.sha1.

-d    set debug mode.
The -x option will be set for the shell and a number of break points will be used to allow output to be considered before proceeding.

-e    <recipient>
By default alerts are sent to the root user on the host invoking secscan. The -e option is used to set a different email recipient for the alerts. It is good practice to set an alias for root in /etc/aliases which will ensure the correct user gets all the systems critical messages. When staff changes occur only this one change to the aliases file will be needed.

-l    Use the <syslog> facility to log the invocation of secscan and the update level (see update options below). Logging script invocations is very useful where regular reports need to be generated for clients or managers.

-t #
Set a tolerance level for warnings generated by rkhunter. Where warnings are routinely issued regarding known issues it is useful to be able to disregard them and not generate any alerts.

-u    The script will use shasum on the remote host to generate new checksums for "rkhunter" and its configuration file "rkhunter.conf". The checksums will be stored on the host invoking secscan in the file /usr/local/etc/secscan.d/<hostname>.sha1. The update is logged if the -l option has been used.

-U    In addition to the checksum updates initiated by the -u option the rkhunter properties database is also updated.

-v    Use verbose mode. Each significant action will be reported to stdout.

<hostname> This is a required parameter and sets the target host name or IP.

EXAMPLES

secscan -l -t 2 -u  boudica

Use /usr/local/etc/secscan.d/boudica.cf to determine which scans to run on the host "boudica".

Create or update the checksums for the remote executables and their associated configuration files (i.e. rkhunter and rkhunter.conf).

If there are no more than 2 warnings issued, all is well. If there are more than 2, send urgent email to the root user, on the current (administration) host.

secscan -l -t 2 arthur

Use /usr/local/etc/secscan.d/boudica.cf to determine which scans to run on the host "arthur".

Compare the checksums for the current instances of the scanning tools and associated configuration files (i.e. rkhunter and rkhunter.conf) with the checksums held on the administration server (the host invoking the secscan command). If the files are not identical send an urgent alert to the locally defined root user and terminate.

If there is no sign of the tools to be invoked being compromised, run them on the remote host.

NB: rkhunter is run first with the --update option to update its text data files. It is then run again with the --check option to scan the system and generate its reports.
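
The verify-then-run gate described above, as an added example (it is not the secscan source, which this page does not show). The rkhunter paths, the function names and the "Warning:" line prefix are assumptions; every decision is carried by a function's return status, so stopping on a failed check does not depend on a variable set inside a nested if (see AVAILABILITY).

```shell
#!/bin/sh
# Added example, not the secscan source. Paths and names below are assumptions.
RK_BIN=/usr/bin/rkhunter      # assumed location on the remote host
RK_CONF=/etc/rkhunter.conf    # assumed location on the remote host

# Print current checksums from the remote host (ssh keys already exchanged).
remote_sums() {
    ssh -o BatchMode=yes "$1" "shasum $RK_BIN $RK_CONF"
}

# 0 = identical to baseline, 1 = mismatch or no data, 2 = baseline missing.
sums_match() {
    baseline=$1; current=$2
    [ -s "$baseline" ] || return 2
    # Sort both sides so line order is irrelevant; empty output never matches.
    [ "$(sort "$baseline")" = "$(sort "$current")" ]
}

# 0 when the count of "Warning:" lines in the report is <= tolerance (-t #).
within_tolerance() {
    tol=$1; report=$2
    [ -r "$report" ] || return 2
    n=$(grep -c '^Warning:' "$report" || true)
    [ "$n" -le "$tol" ]
}

# Gate: verify the tools, then run them, then apply the tolerance.
scan_host() {
    host=$1; tol=$2; dir=${3:-/usr/local/etc/secscan.d}
    cur=$(mktemp) || return 1
    rep=$(mktemp) || return 1
    remote_sums "$host" > "$cur"
    if ! sums_match "$dir/$host.sha1" "$cur"; then
        echo "ALERT: $host: rkhunter checksums differ from baseline" >&2
        rm -f "$cur" "$rep"
        return 1    # stop here: never run a tool that failed verification
    fi
    # rkhunter may exit non-zero when it has warnings; only 255 means ssh failed.
    ssh -o BatchMode=yes "$host" \
        "$RK_BIN --update; $RK_BIN --check --skip-keypress --report-warnings-only" \
        > "$rep" || [ $? -ne 255 ] || { rm -f "$cur" "$rep"; return 1; }
    rc=0; within_tolerance "$tol" "$rep" || rc=$?
    [ "$rc" -eq 0 ] || echo "ALERT: $host: more than $tol rkhunter warnings" >&2
    rm -f "$cur" "$rep"
    return "$rc"
}
```

A failed ssh connection leaves the current checksum list empty, which sums_match treats as a mismatch, so an unreachable host raises an alert instead of passing silently.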

		
secscan -a Dica-Kit:/etc/ssh/sshd_config merlin

The script will create an amended, temporary version of rkhunter which has had sshd_config removed from the list of files associated with Dica-Kit.

The amended rkhunter will then be run against the host merlin.

BUGS

The script has very little input error checking. Name resolution and network availability are not checked. It is designed to be used with frequently used host names where ssh keys have already been exchanged.

I cobbled together secscan rather quickly in the expectation that a number of software scanning tools would be used, but currently rkhunter is the only one and is hard coded. The configuration file is unused; this will change.

There appears to be a bug in the Slackware 64bit bash shell (see AVAILABILITY above) which causes the script to continue executing after errors which might indicate that the scanning software or configuration files have been compromised. To avoid this problem the korn shell is being used pro tem.

SEE ALSO

chkdf, chkftpd, chkfw.

AUTHOR

Clifford W Fulford, City Linux. Contact fulford@fulford.net or +44 (0)709 229 5385.

