Network Firewall Auditor and Checker for Linux
Posted 12-07-2011 at 11:54 AM by sudhagud
In day-to-day work, from simple tasks to complex multi-step ones, IT system administrators and everyone else who looks after a data centre or IT infrastructure often find they have to run a whole set of commands just to gather simple information. The Linux desktop GUI and the back-end tools behind it have advanced well in recent years, but for remote system administration, unlike Windows where RDT can be used, sysadmins prefer a shell and the command line for its simplicity and speed.
With that in mind, this bash script was written to simplify auditing a Linux system and presenting its network details in a readable form. It brings the various aspects of the networking subsystem (firewall, network services, open ports, gateways and so on) together into a single, readable file.
The hard-working sysadmin will find it a handy tool: it creates an audit file with more detail than the screen output shown in the screenshot below.
Script dependencies: the following utilities need to be available; they are part of the default install of all current, well-known Linux distributions.
GREP, NETSTAT, LSOF, WHICH, SED, LSPCI, IP, SS, HOSTNAME, UNAME, AWK
It works beautifully and hard for the sysadmin, generating easy-to-comprehend information from the various network settings.
Compatibility: it was put to the test on popular distributions from right, left and centre and found OK on the following:
Debian
OpenSUSE
Ubuntu
CentOS
Fedora
Download: copy it to your favourite folder and use it as you would any other bash script.
net-audit-checker-v05
===============================================================================
Code:
#!/bin/bash
##################################################################
#
# Script to check / audit system processes using network resources
# and report detailed info from various system files, processes and
# command outputs
#
##################################################################
#
# Author: Bellamkonda Sudhakar
# License: GNU GPL v3
##################################################################
VERSION=0.5
##################################################################
AUDITFL=$(hostname -s)
CHKPID="/var/run/netaudchk-ppid"
FLWPID="/var/run/netaudchk-fpid"
# Fixed, predictable directory under world-writable /tmp. The script runs
# as root and later does rm -Rf on it, so mktemp -d would be the safer choice.
TMPFD="/tmp/netadtchk"
TMPFL1="tmpfl1"
TMPFL2="tmpfl2"
TMPFL3="tmpfl3"
OPSYS=$(uname -o)
OPKER=$(uname -s)
OPDST=$(uname -r)
HSTNM=$AUDITFL
FLTC="tcpflen"
FWTSTIN="fwtest.in"
FETSTOUT="fwtest.out"
# Interface counts: hardware NICs from lspci, the rest from ip link
HNIC=$(lspci | grep -ic ethernet)
VNIC=$(ip -d link | grep '^[0-9]' | awk '{ print $2 }' | sed 's/://' | grep -vi "lo" | grep -vc "eth")
LNIC=$(ip -d link | grep '^[0-9]' | awk '{ print $2 }' | sed 's/://' | grep -ic "lo")
TNIC=$(expr $HNIC + $VNIC + $LNIC)
# -w so that "inet6" lines are not counted as IPv4 addresses
IP4E=$(ip -d addr | grep -wc inet)
IP6E=$(ip -d addr | grep -wc inet6)
TTCP=$(ss -t | wc -l)
TTCPL=$(ss -t -l | wc -l)
TTCPC=$(ss -t -a | wc -l)
IPFW=$(cat /proc/sys/net/ipv4/ip_forward)
IPMQ=$(cat /proc/sys/net/ipv4/ip_dynaddr)
IPPROC=""
# Kernel major/minor version, e.g. 2.6 or 3.0
MJR=${OPDST:0:1}
MIR=${OPDST:2:1}
FWILBIN="None"
FWON="Off"
FWIN="False"
FWOT="False"
FWFW="False"
FWMQ="False"
FWR=0
NMSR=$(grep nameserver /etc/resolv.conf | grep -v '^#' | head -1 | awk '{ print $2 }')
DFGW=$(ip route | grep default | sed 's/default\|proto\|static//g')
###################################################################
# Functions
# Print a line made of 80 copies of the given character
function lpnt {
    for r in {1..80..1}
    do
        printf "%c" $1
    done
    printf "\n"
}
#
###################################################################
function cleanup {
    rm -f $CHKPID
    rm -f $FLWPID
}
###################################################################
function create_workspace {
    mkdir $TMPFD
}
###################################################################
function remove_workspace {
    rm -Rf $TMPFD
}
###################################################################
function pause {
    echo -n "Press enter to continue..."
    read
}
###################################################################
# Append an empty line to the audit file
function line {
    echo >> $TMPFD/$AUDITFL
}
###################################################################
#Main Program
if [ $UID -ne 0 ]
then
    echo
    echo "No root privileges"
    exit 1
fi
if [ "$1" == "-c" ]
then
    cleanup
    echo "PID files removed"
    exit 0
fi
if [ "$1" == "-h" ]
then
    echo
    echo "Usage: "
    echo "netadtchk [option]"
    echo "  -a   All"
    echo "  -h   Help"
    echo "  -c   Clear PID files"
    echo "  no option prints the summary information to the stdout and into the /tmp/netadtchk/$AUDITFL file."
    echo
    exit 0
fi
# Single-instance lock through a PID file
if [ -f $CHKPID ]
then
    echo " Net Auditor running with PID $(cat $CHKPID)"
    echo " To clear the PID files use the -c option"
    exit 0
else
    echo $$ > $CHKPID
fi
# Remove the PID file even when the script is interrupted
trap cleanup EXIT
#
#
if [ -d $TMPFD ]
then
    remove_workspace
    create_workspace
else
    create_workspace
fi
#
# Pick the firewall tool from the kernel version: 2.0/2.1 ipfwadm,
# 2.2/2.3 ipchains, everything later iptables (the original only knew
# 2.x and 3.x and reported later kernels as Unknown)
case "$MJR" in
    "2" )
        case "$MIR" in
            "0" | "1" ) FWILBIN="ipfwadm"; IPPROC="ip_[mfp][ao][rs][wqt][qha]*";;
            "2" | "3" ) FWILBIN="ipchains"; IPPROC="ip_[fm][wa][cns]*";;
            * ) FWILBIN="iptables"; IPPROC="ip_tables*";;
        esac;;
    * ) FWILBIN="iptables"; IPPROC="ip_tables*";;
esac
# The counts are numbers, so test them instead of testing for non-empty
if [ $IP4E -gt 0 ]; then IPV="IPV4"; fi
if [ $IP6E -gt 0 ]; then IPV=$IPV"/IPV6"; fi
FWILPROC1=$(ls /proc/net/$IPPROC 2>/dev/null | grep -c ip_tables)
FWILPROC2=$(which $FWILBIN 2>/dev/null | grep -c $FWILBIN)
if [ $FWILPROC1 -ne 0 -a $FWILPROC2 -ne 0 ] ; then FWILSTAT="IP_Tables"; else FWILSTAT="None"; fi
#
# Only query the firewall when the iptables binary is actually present
if [ $FWILBIN == "iptables" -a $FWILPROC2 -ne 0 ]
then
    $FWILBIN -L | grep -i chain > $TMPFD/$TMPFL1
    for C in $(awk '{ print $2 }' $TMPFD/$TMPFL1)
    do
        if [ $C == "INPUT" ]
        then
            if [ $($FWILBIN -L $C | grep -wc 'all\|tcp\|udp') -gt 0 ] ; then FWIN="True"; fi
        fi
        if [ $C == "OUTPUT" ]
        then
            if [ $($FWILBIN -L $C | grep -wc 'all\|tcp\|udp') -gt 0 ] ; then FWOT="True"; fi
        fi
        if [ $C == "FORWARD" ]
        then
            if [ $($FWILBIN -L $C | grep -wc 'all\|tcp\|udp') -gt 0 ] ; then FWFW="True"; fi
        fi
    done
    # Number of rules: everything that is not blank, a chain header or a column header
    FWR=$($FWILBIN -L | sed '/^$/d' | grep -iv chain | grep -ivc "target\|source\|destination")
fi
#
if [ $FWR -gt 0 -a $FWIN == "True" ] ; then FWON="On"; fi
#
printf "%12s %12s %20s %20s %9s\n" "Hostname" "OS" "Kernel" "Release" "IPV" >> $TMPFD/$AUDITFL
printf "%12s %12s %20s %20s %9s\n\n" "$AUDITFL" "$OPSYS" "$OPKER" "$OPDST" "$IPV" >> $TMPFD/$AUDITFL
#
printf "%15s%12s%20s%20s%25s\n" "FW Binary" "Forwarding" "Masquerading" "1st Name Srv" "Default Gateway" >> $TMPFD/$AUDITFL
printf "%15s%12s%20s%20s%25s\n\n" "$FWILBIN" "$IPFW" "$IPMQ" "$NMSR" "$DFGW" >> $TMPFD/$AUDITFL
#
printf "%14s%14s%14s%14s%14s\n" "FW Status" "FW In" "FW Out" "FW Forward" "FW Masq" >> $TMPFD/$AUDITFL
printf "%14s%14s%14s%14s%14s\n" "$FWON" "$FWIN" "$FWOT" "$FWFW" "$FWMQ" >> $TMPFD/$AUDITFL
#
printf "\n%15s %15s %20s\n" "Type" "Name" "IP Details" >> $TMPFD/$AUDITFL
for N in $(ip -d link | grep '^[0-9]' | awk '{ print $2 }' | sed 's/://')
do
    case "$N" in
        "lo" ) TYPE="Loopback";;
        "eth0" | "eth1" | "eth2" | "eth3" | "eth4" | "eth5" ) TYPE="Hardware";;
        * ) TYPE="Virtual/Other";;
    esac
    # ip is used here instead of ifconfig, which is not in the dependency list
    IPDET=$(ip -o addr show dev $N | awk '{ print $3, $4 }' | tr '\n' ' ')
    printf "%15s %15s %s\n" "$TYPE" "$N" "$IPDET" >> $TMPFD/$AUDITFL
done
line
echo "Routes:" >> $TMPFD/$AUDITFL
netstat -rn >> $TMPFD/$AUDITFL
line
# Listening TCP sockets. With "ss -ntl" the Local Address:Port column is
# column 4 (the original relied on column 3 of an older ss layout).
# A "*" wildcard address becomes 0.0.0.0; the last colon separates the port.
ss -ntl4 | awk 'NR > 1 { print $4 }' | sed 's/\*/0.0.0.0/g' > $TMPFD/$TMPFL1
ss -ntl6 | awk 'NR > 1 { print $4 }' | sed 's/\(.*\)\:/\1 /' > $TMPFD/$TMPFL2
sed -i 's/\:/ /g' $TMPFD/$TMPFL1
sort $TMPFD/$TMPFL1 > $TMPFD/$TMPFL3
sort $TMPFD/$TMPFL2 >> $TMPFD/$TMPFL3
echo "This system has $(expr $TTCPL - 1) Listening Sockets (IPv4/IPv6) at TCP/Ports: " >> $TMPFD/$AUDITFL
cp $TMPFD/$TMPFL3 $TMPFD/$FLTC
#
# Map every listening port to its owning process: port, command, PID
for P in $(awk '{ print $2 }' $TMPFD/$FLTC)
do
    PP=$PP$P,
    lsof -i tcp:$P | grep LISTEN | awk -v P=$P -v TMPFL=$TMPFD/$TMPFL3 '{ printf " %12s %12s %20s\n", P, $1, $2 >> TMPFL }'
done
# Drop the trailing comma so lsof gets a clean port list
PP=${PP%,}
echo "$PP details" >> $TMPFD/$AUDITFL
sort -g -k3 $TMPFD/$TMPFL3 > $TMPFD/$TMPFL2
awk -v TMPFL3=$TMPFD/$TMPFL3 '{ if (cf != $2) printf "%12s %12s %20s\n", $1, $2, $3 > TMPFL3; cf = $2 }' $TMPFD/$TMPFL2
line
lsof -i tcp:$PP | grep LISTEN | sort -d > $TMPFD/$TMPFL2
# One line per command: COMMAND PID NAME
awk -v TMPFL1=$TMPFD/$TMPFL1 '{ if (cf != $1) print $1, $2, $9 > TMPFL1; cf = $1 }' $TMPFD/$TMPFL2
printf "%5s %10s %8s %30s %20s %s\n" "PID" "Process" "Port" "As per /proc" "As per Which" "Working Dir" >> $TMPFD/$AUDITFL
for ID in $(awk '{ print $2 }' $TMPFD/$TMPFL1)
do
    # readlink replaces the original "ls -l --full-time | awk" field pick
    PROCEXE=$(readlink /proc/$ID/exe)
    PROCPWS=$(readlink /proc/$ID/cwd)
    PROC=$(awk -v P=$ID '{ if (P == $2) print $1 }' $TMPFD/$TMPFL1)
    WPROC=$(which $PROC 2>/dev/null)
    P=$(awk -v ID=$ID '{ if (ID == $3) print $1 }' $TMPFD/$TMPFL3)
    printf "%5s %10s %8s %30s %20s %s\n" "$ID" "$PROC" "$P" "-$PROCEXE" "-$WPROC" "-$PROCPWS" >> $TMPFD/$AUDITFL
done
line
netstat -tulnp | grep LISTEN | awk '{ print $4, $7 }' | sed 's/\(.*\)\:/\1 /' | sed 's/\// /g' > $TMPFD/$TMPFL1
printf "%20s %8s %8s %20s\n" "IP" "PORT" "PID" "PROCESS" >> $TMPFD/$AUDITFL
awk '{ printf "%20s %8s %8s %20s\n", $1, $2, $3, $4 }' $TMPFD/$TMPFL1 >> $TMPFD/$AUDITFL
line
lpnt "#" >> $TMPFD/$AUDITFL
##################################################################
## Print details from Audit file
clear
cat $TMPFD/$AUDITFL
echo "Complete Information is stored at $TMPFD/$AUDITFL"
# -a appends the full listener and connection tables to the audit file
if [ "$1" == "-a" ]
then
    echo "All TCP Listening Process Details" >> $TMPFD/$AUDITFL
    netstat -tunlp | grep -v udp >> $TMPFD/$AUDITFL
    line
    echo "ALL UDP Listening Process Details" >> $TMPFD/$AUDITFL
    netstat -tunlp | grep -v tcp >> $TMPFD/$AUDITFL
    line
    echo "Current established connections - NETSTAT" >> $TMPFD/$AUDITFL
    netstat -tunap >> $TMPFD/$AUDITFL
    line
    echo "Current established connections - SS" >> $TMPFD/$AUDITFL
    ss -o state established >> $TMPFD/$AUDITFL
    line
    lpnt "#" >> $TMPFD/$AUDITFL
fi
#
cleanup
exit 0
#
###################################################################
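As an added example, not part of the original post or of the netadtchk script, the following replays two of the decisions the script makes over constructed sample output, so they can be checked without root and without a live firewall: the FW Status On/Off verdict derived from `iptables -L` text, and the listening-socket parse of `ss -ntl` text. The sample outputs, the function names and the bracketed `[::]` IPv6 form are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post or from netadtchk). Replays the
# script's firewall-status and listening-socket logic over constructed text.

# Constructed `iptables -L` output: INPUT holds two rules, the other chains none.
FW_SAMPLE_RULES='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Constructed `iptables -L` output: default-deny policies but not a single rule.
FW_SAMPLE_POLICY_ONLY='Chain INPUT (policy DROP)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Rule count exactly as the script computes FWR: drop blank lines, chain
# headers and column headers, then count what is left.
fw_rule_count() {
    printf '%s\n' "$1" | sed '/^$/d' | grep -iv chain \
        | grep -ivcE 'target|source|destination' || true
}

# Lines of one chain (column header plus its rules), standing in for the
# script's per-chain "iptables -L $C" call.
fw_chain_section() {
    printf '%s\n' "$2" | awk -v chain="$1" '
        $1 == "Chain" && $2 == chain { on = 1; next }
        on && /^$/ { exit }
        on { print }'
}

# Rules in a chain matching all/tcp/udp, the test the script applies before
# setting FWIN, FWOT or FWFW to True.
fw_chain_filters() {
    fw_chain_section "$1" "$2" | grep -wcE 'all|tcp|udp' || true
}

# Default policy of a chain: "Chain INPUT (policy DROP)" -> DROP.
fw_chain_policy() {
    printf '%s\n' "$2" | awk -v chain="$1" '
        $1 == "Chain" && $2 == chain { gsub(/[()]/, "", $4); print $4; exit }'
}

# The script's FWON decision: On only when at least one rule exists anywhere
# AND the INPUT chain filters something.
fw_status() {
    if [ "$(fw_rule_count "$1")" -gt 0 ] && [ "$(fw_chain_filters INPUT "$1")" -gt 0 ]; then
        echo On
    else
        echo Off
    fi
}

# Constructed `ss -ntl` output: header plus three listening sockets.
SS_SAMPLE='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     *:80                 *:*
LISTEN  0       128     [::]:22              [::]:*'

# Local Address:Port is column 4. Split on the LAST colon so a bracketed IPv6
# address survives intact, and turn "*" into 0.0.0.0 as the script does.
ss_listeners() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 4 {
        n = split($4, parts, ":")
        port = parts[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "*") addr = "0.0.0.0"
        print addr, port
    }'
}

ss_listener_count() {
    ss_listeners "$1" | awk 'END { print NR }'
}

# Demo run over both firewall samples, then the socket sample
printf 'sample with rules:  rules=%s INPUT policy=%s -> FW Status %s\n' \
    "$(fw_rule_count "$FW_SAMPLE_RULES")" "$(fw_chain_policy INPUT "$FW_SAMPLE_RULES")" \
    "$(fw_status "$FW_SAMPLE_RULES")"
printf 'policy-only sample: rules=%s INPUT policy=%s -> FW Status %s\n' \
    "$(fw_rule_count "$FW_SAMPLE_POLICY_ONLY")" "$(fw_chain_policy INPUT "$FW_SAMPLE_POLICY_ONLY")" \
    "$(fw_status "$FW_SAMPLE_POLICY_ONLY")"
ss_listeners "$SS_SAMPLE"
```

The second firewall sample shows a caveat worth keeping in mind when reading the audit file: the status is derived from a rule count, so a host whose chains carry a DROP policy and no rules at all comes out as FW Status Off even though it blocks everything. Read the chain policies alongside the status line before drawing conclusions.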
Usage: ./netadtchk-v05 -h
Screen shot of its output:
http://imageshack.us/photo/my-images...uditorv05.gif/
Linux is an excellent OS, and when scripts and tools like this are to hand, work becomes more fun.
Please let me know how you find it and ask if you have any queries.
- Bellamkonda Sudhakar