Open Source Security Audit (ossa)

A set of non-invasive, lightweight scripts to gather information about open source packages that are being used on LTS versions of Ubuntu for the purpose of a security and support assessment

Downloading the Scripts

git clone https://github.com/canonical/ossa.git

ossa-collector - Gathers information about a remote machine's packages and processes, etc.
ossa-generator - This script processes the information obtained via collector.

Target machine(s): (physical, virtual, container) running Ubuntu 14.04 or later
- A standard user (non-privileged) account on the machine
- An account with ssh access
Source Machine: (physical, virtual, container)
- MacOS, Linux, and Windows 10 with "Windows Subsystem for Linux" (WSL) all work
  - Windows users can make use of powershell, but that is an exercise left to the user

See README.md in each directory for documentation for notes on how to run each script and a description about the information that is collected.

Files Collected	Purpose
/etc/apt/sources.list	To ensure proper package origin is used for assessment
/etc/hostname	To identify hostname of assessed system(s)
/etc/hosts	To identify hostname of assessed system(s)
/etc/lsb-release	To indentify the release of Ubuntu being assessed
/var/lib/apt/lists/*Release	To ensure proper package names/versions are used for assessment
/var/lib/apt/lists/*Packages	To ensure proper package names/versions are used for assessment
/var/lib/dpkg/status	To ensure proper package names/versions are used for assessment
`dpkg -l` output	To ensure proper package names/versions are used for assessment
`apt-cache` policy output	To ensure proper package origin is used for assessment
`snap list` output	To show which snaps are being used on assessed system(s)
`ps -auxwww` output	To help identify which packages are actually being used
`ps -eao pid,ppid,user,stat,etimes,cmd --sort=cmd` output	To help identify which packages are actually being used
`netstat -an` output	To help identify which packages are actually being used