NAME
secscan
- runs security systems applications on remote servers and raises alerts
where problems are found.
SYNOPSIS
secscan
[ -a <rootkit:filename>] [
-c
<config_file>
] [
-d
] [
-e
<rcpt>
]
[
-l
] [
-t
#] [
-u
] [
-U
] [
-v
]
<hostname>
AVAILABILITY
secscan
was written as a Bourne shell script which should work equally well on all
versions of UNIX
and Linux. Unfortunately variables set in nested if statements do not
consistently retain their values outside the if construct when using 64bit
bash.
The script works as expected with ksh.
DESCRIPTION
The purpose of
secscan
is to check the integrity of security applications
on remote hosts before running them. If all is well the remote
software tools are run and the output checked to determine whether an
alert needs to be raised.
In normal operation
secscan
will take
sha1
checksums of "
rkhunter
" and "
rkhunter.conf
" on the remote host
and compare them to checksums stored on the invoking "
administration
"
host. If the checksums deviate from the known checksums an alert is raised.
by sending e-mail to the
root
user on the host from which
secscan
is invoked.
OPTIONS
-a
<rootkit:filename>
The
-a
option allows a file to be removed from the list of files associated with the
prescence of a particular root kit.
This option arises from the use of
secscan
on a
Slackware
host where the quite legitimate presence of
"/etc/ssh/sshd_config"
generates a warning from
rkhunter
regarding a possible infection by
Dica-Kit.
See examples below.
-c
<configuration_file>
By default
secscan
finds the configuration using a default path and
<hostname>
from the command line i.e.
/usr/local/etc/secscan.d/<hostname>.cf
". The
-c
option allows a different path to be used, perhaps for testing modifications
or to use a common configuration over a number of hosts. The file name
<hostname>.cf
will be appended to the path. The same path will be used to store the
checksums generated. By default the checksums are stored in
/usr/local/etc/secscan.d/<hostname>.sha1
.
-d
set debug mode.
The
-x
option will be set for the shell and a number of break points will be used to
allow output to be considered before proceeding.
-e
<recipient>
By default alerts are sent to the
root
user on the host invoking
secscan.
The
-e
option is used to set a different email recipient for the alerts. It is good
practice to set an alias for root in
/etc/aliases
which will ensure the correct user gets all the systems critical messages.
When staff changes occur only this one change to the
aliases
file will
be needed.
-l
Use the
<syslog>
facility to log the invocation of
secscan
and the
update
level (see update options below). Logging script invocations is very useful
where regualr reports need to be generated for required for clients or managers,
-t #
Set a tolerance level for warnings generated by
rkhunter.
Where warnings are routinely issued regarding known issues it useful to be
able to disregard them and not generate any alerts.
-u
The script will use
shasum
on the remote host to generate new checksums for "
rkhunter
" and it's
configuration file "
rkhunter.conf
". The checksums will
be stored on the host invoking
secscan
in the file
/usr/local/etc/secscan.d/<hostname>.sha1
. The update is
loged if the
-l
option has been used.
-U
In addition to the checksum updates initiated by the
-u
option the
rkhunter
properties database is also updated.
-v
Use verbose mode. Each significant action will be reported to
stdout.
<hostname>
This is a required parameter and sets the target host name or IP.
EXAMPLES
secscan -l -t 2 -u boudica
Use
/usr/local/etc/secscan.d/boudica.cf
to determine which scans to run on the host "
boudica"
.
Create or update the checksums for the remote executables and their
associated configuration files (i.e.
rkhunter
and
rkhunter.conf
).
If there are no more that 2 warnings issued, all is well. If there are
more than 2, send urgent email to the root user, on the current
(administration) host.
Use
/usr/local/etc/secscan.d/boudica.cf
to determine which scans to run on the host "
arthur"
.
Compare the checksums for the current instances of the scanning tools
and associated configuration files with the checksums held on administration
server (the host invoking the secscan command).
associated configuration files (i.e.
rkhunter
and
rkhunter.conf
). If the files are not identical
send an urgent alert to the locally defined
root
user and terminate.
If there is no sign of the tools to be invoked being compromised, run them
on the remote host.
NB:
rkhunter
is run first with the
--update
option to update it's text data files. It is then run again with the
--check
option to scan the system and generate it's reports.
secscan -a Dica-Kit:/etc/ssh/sshd_config merlin
The script will create an amended, temporary version of
rkhunter
which has had
sshd_config
removed from the list of files associated with
Dica-Kit.
The amended
rkhunter
will then be run against the host
merlin.
BUGS
The script has very little input error checking. Name resolution and
network availability is not checked. It is designed to be used
with frequently used host names where
ssh
keys have already been exchanged.
I cobbled together
secscan
rather quickly in the expectation that
a number of software scanning tools would be used but currently
rkhunter
is the only one and is hard coded. The configuration file is unused, this
will change.
There appears to be bug in Slackware 64bit
bash
shell (see
AVAILABILITY
above) which causes the script to continue executing
after errors which might indicate that the scanning software or configuration
files have been compromised. To avoid this problem the
korn
shell is being used pro temp.
SEE ALSO
chkdf,
chkftpd,
chkfw.
AUTHOR
Clifford W Fulford, City Linux. Contact fulford@fulford.net or +44 (0)709 229 5385.
