The following commands are used to extract information from a Linux operating system. While these commands should work with most variants of Linux, they have been verified to work with the Debian distribution. If you are running a different variant, please inform your contact which variant and version you are running so that the commands can be verified for it.
The AZAudit.sh bash script can be used to execute all of the necessary commands listed below to export system data that is necessary for our test work. If you are using an older version of Linux then this script may encounter issues, and the following commands in this README are to be used instead.
The following queries may assist you in determining your Linux system general info.
hostnamectl > sysinfo.txt
uname -a >> sysinfo.txt
lsb_release -a >> sysinfo.txt
cat /etc/*-release >> sysinfo.txt
The following command copies the system-wide SSH server configuration file.
cp /etc/ssh/sshd_config sshd.config.txt
This command shows default information about all system and user accounts on the system, as well as information about each user's last login to the system and whether their password is locked or login by password is disabled.
sudo lslogins -c --time-format iso -o USER,UID,GROUP,GID,PWD-CHANGE,PWD-METHOD,PWD-EMPTY,PWD-LOCK,PWD-DENY,PWD-MIN,PWD-MAX,PWD-WARN,PWD-EXPIR,LAST-LOGIN,SHELL >> LoginSetting.txt
This command will find all accounts, including network accounts.
getent passwd > Accounts.txt
If you are running Red Hat Enterprise Linux use the following command.
cp /etc/passwd accounts.txt
If you are running UNIX use the following command.
cat /etc/passwd > accounts.txt
This is to determine if an account is assigned to another group.
getent group > Group.txt
If you are running Red Hat Enterprise Linux use the following command.
cp /etc/group group.txt
If you are running UNIX use the following command.
cat /etc/group > group.txt
Run the following command if PAM is required for authentication.
cp /etc/pam.d/password-auth-ac password-auth-ac.txt
This is to determine what groups/accounts can run commands as root.
sudo cat /etc/sudoers > Sudo.txt
Please check the contents of /etc/sudoers and send files referenced by an include directive ("#include" for a single file or "#includedir" for an entire directory). If the referenced file doesn't exist, provide evidence through executing ls -a
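The include check described above can be scripted. The following is an added example, not part of AZAudit.sh or the original README; the function names and the output file name SudoIncludes.txt are assumptions. It goes slightly beyond the text by also accepting the "@include"/"@includedir" spelling used by sudo 1.9.1 and later.

```sh
#!/bin/sh
# Added example (not part of AZAudit.sh); function names and the output
# file name are assumptions.

# Print "file PATH" or "dir PATH" for every include directive in a sudoers
# file. Accepts "#include"/"#includedir" and the "@include"/"@includedir"
# spelling of sudo 1.9.1+. Relative paths resolve against the directory of
# the including file. Quoted paths, %h escapes and nested includes are not
# handled.
sudoers_includes() {
    base=$(dirname "$1")
    sed -n -E 's/^[[:space:]]*[#@](include|includedir)[[:space:]]+(.+)$/\1 \2/p' "$1" |
    while read -r kind path; do
        case $path in /*) ;; *) path=$base/$path ;; esac
        if [ "$kind" = include ]; then echo "file $path"; else echo "dir $path"; fi
    done
}

# Append one file to the evidence output under a header line.
dump() { printf '== %s ==\n' "$1" >> "$2"; cat "$1" >> "$2"; }

# Write to OUT the contents of each referenced file, or an "ls -a" listing of
# the parent directory as evidence when the referenced path does not exist.
collect_sudoers_evidence() {
    src=$1; out=$2
    : > "$out"
    sudoers_includes "$src" | while read -r kind path; do
        if [ "$kind" = file ] && [ -f "$path" ]; then
            dump "$path" "$out"
        elif [ "$kind" = dir ] && [ -d "$path" ]; then
            for f in "$path"/*; do
                # sudo skips names ending in "~" or containing "."
                case ${f##*/} in *~|*.*) continue ;; esac
                if [ -f "$f" ]; then dump "$f" "$out"; fi
            done
        else
            printf '== MISSING %s ==\n' "$path" >> "$out"
            ls -a "$(dirname "$path")" >> "$out" 2>&1 || true
        fi
    done
}

# Run as root: sh sudo_includes.sh /etc/sudoers SudoIncludes.txt
if [ "$#" -eq 2 ]; then collect_sudoers_evidence "$1" "$2"; fi
```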
These 2 commands will show all accounts and the password settings that are being applied to them. Run both as each command outputs different components of the password settings.
sudo passwd --status --all > PasswordSetting.txt
Alternative Commands:
Run if the above command for minimum and maximum password age does not work.
sudo cat /etc/login.defs > PasswordSetting.txt
OR
sudo passwd -S -a > PasswordSetting.txt
If you are running Oracle Enterprise Linux Server use the following command. Note: You MUST run this command as root otherwise it will fail.
for u in `cat /etc/passwd | cut -d: -f1 | sort`; do passwd -S "$u" >> PasswordSetting.txt; done
OR
for u in $(cat /etc/passwd | cut -d: -f1 | sort); do passwd -S "$u" >> PasswordSetting.txt; done
If you are running UNIX use the following command. Note: You MUST run this command in the /etc/ folder otherwise it will fail.
passwd -s -a > PasswordSetting.txt
These commands fetch configuration files for Linux services that enforce account lockout after a series of invalid login attempts.
cat /etc/security/faillock.conf > sysauth1.txt
cat /etc/pam.d/system-auth > sysauth2.txt
sudo cat /etc/security/pwquality.conf > Pwquality.txt
NOTE: If the server does not have a pwquality.conf file, please provide a screenshot of the "find -name pwquality.conf" command showing the file does not exist on the server.
This command is to determine what shells are valid to login to the system.
sudo cat /etc/shells > LoginShells.txt