These are tools for reporting and alerting on security information and events on Linux systems. The focus is on gathering and annotating authentication, authorization and system configuration information, and on reporting and alerting based on that information.
Together, these tools provide means for:
- Reviewing and hardening system security.
- Reporting of security configuration problems and alerting of changes in configuration.
- Reporting of user privileges and alerting of changes in privileges.
- Intrusion detection.
The tools are written as separate Unix tools that read from standard input and write to standard output. These can be combined to produce the desired result.
Some examples of possible usage scenarios:
- Generate a report of all user permissions (unix, mysql, etc).
- Generate email alerts when a new open port is detected on a system.
- Generate email alerts when users are created, modified or deleted.
- sec-gather-iptables: Output firewall rules
- sec-gather-listenports: Output listening services / ports
- sec-gather-misconfigs: Scan for common security misconfigurations
- sec-gather-mysqlusers: Output MySQL users and privileges
- sec-gather-openvpnusers: Output OpenVPN client certificate status
- sec-gather-portscan: Output open ports detected through a portscan of a host
- sec-gather-unixgroups: Output unix groups and their members
- sec-gather-unixsessions: Output info on login sessions
- sec-gather-unixusers: Output unix users and their details
- sec-gather-http-headers: Output HTTP security headers for URLs
- sec-gather-sslscan: Output SSL / TLS protocol and ciphers for ports
- sec-gather-perms: Output files and dirs with dangerous permissions
- sec-diff: Output changes in sec-gather-* script output since last time
- sec-report: Generate HTML and PDF reports from gathered info
- sec-mail: Send alerts and reports.
Fetch the latest static binary distribution from the releases and:
$ tar -vxzf sec-tools*.tar.gz
$ cd sec-tools
$ sudo bash -c ". build.sla && install"
This will install all the tools and the manual pages.
The gather tools gather information and output JSON. Example usage:
sec-gather-listenports --no-local --annotate listenports-annotation.json
The JSON output would look something like:
{
"listenports": {
"8000": {
"pid": 30925,
"remote_address": "0.0.0.0",
"recv_queue": 0,
"verified": false,
"service": "Unknown",
"remote_port": 0,
"proto": "tcp",
"local_port": 8000,
"state": "LISTEN",
"prog": "python2.7",
"local_address": "127.0.0.1",
"send_queue": 0
}
}
}
The gather scripts generally provide options for additional filtering and
manual annotation of gathered information. Reports that convert the JSON output
to HTML are provided in the reports directory. By default you can find it in
/usr/local/lib/sec-tools/reports/
For more information, check out the manual pages.
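To make the gather-and-annotate step concrete, here is an added example (not part of sec-tools) of how a listenports-style gatherer can be built: it parses the `/proc/net/tcp` table, keeps only sockets in the LISTEN state, optionally drops loopback listeners (the behaviour the `--no-local` flag suggests) and merges a small annotation dictionary keyed by port number. The sample `/proc/net/tcp` text is constructed, not captured from a real host, and the annotation file format (`{"8000": {"service": "..."}}`) is an assumption made for this example; the real `--annotate` format may differ.

```python
import json
import socket
import struct

# Constructed sample of /proc/net/tcp (NOT captured from a real host):
# a listener on 127.0.0.1:8000, a listener on 0.0.0.0:8888 and one
# established connection that a listenports gatherer should ignore.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F40 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 30925 1 0000000000000000 100 0 0 10 0
   1: 00000000:22B8 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 3747 1 0000000000000000 100 0 0 10 0
   2: 0100007F:D4A2 0100007F:1F40 01 00000000:00000000 00:00000000 00000000  1000        0 31000 1 0000000000000000 20 4 30 10 -1
"""

# Kernel TCP state codes as printed in /proc/net/tcp (subset).
TCP_STATES = {"0A": "LISTEN", "01": "ESTABLISHED", "06": "TIME_WAIT"}


def parse_hex_endpoint(endpoint):
    """Turn '0100007F:1F40' into ('127.0.0.1', 8000).

    The kernel prints the IPv4 address as a little-endian 32-bit hex word,
    so the bytes have to be reversed before inet_ntoa can read them."""
    addr_hex, port_hex = endpoint.split(":")
    packed = struct.pack("<I", int(addr_hex, 16))
    return socket.inet_ntoa(packed), int(port_hex, 16)


def parse_proc_net_tcp(text, listening_only=True):
    """Parse /proc/net/tcp text into a dict keyed by local port (as a string),
    using the same field names as the sec-gather-listenports JSON."""
    ports = {}
    for line in text.splitlines()[1:]:  # skip the header line
        fields = line.split()
        if len(fields) < 5:
            continue
        local_ip, local_port = parse_hex_endpoint(fields[1])
        remote_ip, remote_port = parse_hex_endpoint(fields[2])
        state = TCP_STATES.get(fields[3], fields[3])
        tx_queue, rx_queue = (int(x, 16) for x in fields[4].split(":"))
        if listening_only and state != "LISTEN":
            continue
        ports[str(local_port)] = {
            "proto": "tcp",
            "local_address": local_ip,
            "local_port": local_port,
            "remote_address": remote_ip,
            "remote_port": remote_port,
            "state": state,
            "send_queue": tx_queue,
            "recv_queue": rx_queue,
            "verified": False,      # flipped to True only by an annotation
            "service": "Unknown",
        }
    return ports


def annotate(ports, annotations):
    """Merge annotations (assumed format: {"8000": {"service": "..."}}) into the
    gathered data. Annotated ports are marked verified; the rest stay Unknown,
    which is what a reviewer wants to see flagged."""
    for port, info in ports.items():
        if port in annotations:
            info.update(annotations[port])
            info["verified"] = True
    return ports


def gather_listenports(text, annotations=None, no_local=False):
    """Build the {"listenports": {...}} document from /proc/net/tcp text."""
    ports = parse_proc_net_tcp(text)
    if no_local:
        # Loopback-only services cannot be reached from the network.
        ports = {p: i for p, i in ports.items()
                 if not i["local_address"].startswith("127.")}
    if annotations:
        ports = annotate(ports, annotations)
    return {"listenports": ports}


if __name__ == "__main__":
    demo_annotations = {"8000": {"service": "Dev webserver"}}  # constructed
    print(json.dumps(gather_listenports(SAMPLE_PROC_NET_TCP, demo_annotations), indent=2))
```

Run stand-alone it prints the two listeners; port 8000 comes out verified with its annotated service name and port 8888 stays `"verified": false`, which is exactly the kind of entry a review should notice. Reading the real table is a matter of passing `open("/proc/net/tcp").read()` instead of the constructed sample (IPv6 listeners live in `/proc/net/tcp6` and use a longer address encoding not handled here).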
The sec-diff tool can be used to diff JSON output
from a sec-gather script with a previous run.
For example:
$ sec-gather-listenports | sec-diff /var/cache/sec-tools/listenports.state
This will store the listening ports in
/var/cache/sec-tools/listenports.state. On the first run it reports
nothing. On a later run a new listening port has appeared, and
sec-diff reports it:
$ sec-gather-listenports | sec-diff /var/cache/sec-tools/listenports.state
- Added to "listenports":
"8888": {
"recv_queue": 0,
"verified": false,
"service": "Unknown",
"remote_port": 0,
"proto": "tcp",
"pid": 3747,
"remote_address": "0.0.0.0",
"local_port": 8888,
"state": "LISTEN",
"prog": "nc",
"local_address": "0.0.0.0",
"send_queue": 0
}
If nothing changed, the output will be empty.
This can be used to alert about changes in listening services, unix users or
the output of any other gather script. To do so, you can use the
sec-mail script:
$ sec-gather-listenports | \
sec-diff /var/cache/sec-tools/listenports | \
mail -t security@example.org --subject "Listening services changed on $(hostname -f)"
You can exclude certain paths from being reported about. For example:
# Exclude all items starting with 'listenports.53'
sec-gather-listenports | sec-diff --exclude listenports.53 listenports.state
# Exclude all PID changes for all ports.
sec-gather-listenports | sec-diff --exclude listenports.*.pid listenports.state
# Exclude all PID and Prog changes for all ports
sec-gather-listenports | sec-diff --exclude listenports.*.pid,listenports.*.prog listenports.state
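The state-file comparison and the `--exclude` path patterns above are easy to get subtly wrong (first-run behaviour, what a pattern anchors to, whether children of an excluded node are also silenced), so here is an added example, written for this page and not sec-diff's own code, of a minimal sec-diff-style comparison. It stores the previous run as JSON, reports nothing on the first run, and on later runs emits added, removed and changed paths in `listenports.8000.pid` dotted form. Exclude patterns are treated as fnmatch globs anchored at the start of the path, and a pattern also silences everything beneath the path it matches; that matching rule, and the two constructed run documents, are assumptions for this example.

```python
import fnmatch
import json
import os
import tempfile

# Two constructed gather runs (not real output): between them, port 8000 was
# restarted under a new PID and a new listener appeared on 8888.
OLD_RUN = {"listenports": {
    "8000": {"pid": 30925, "prog": "python2.7", "local_address": "127.0.0.1", "state": "LISTEN"},
}}
NEW_RUN = {"listenports": {
    "8000": {"pid": 31000, "prog": "python2.7", "local_address": "127.0.0.1", "state": "LISTEN"},
    "8888": {"pid": 3747, "prog": "nc", "local_address": "0.0.0.0", "state": "LISTEN"},
}}


def is_excluded(path, excludes):
    """A path is excluded if a pattern matches it exactly (glob-style) or
    matches one of its ancestors, so 'listenports.53' also silences
    'listenports.53.pid' but not 'listenports.530' (assumed semantics)."""
    return any(fnmatch.fnmatchcase(path, pat) or fnmatch.fnmatchcase(path, pat + ".*")
               for pat in excludes)


def diff_json(old, new, path="", excludes=()):
    """Recursively compare two JSON documents.

    Returns a list of (kind, path, value) tuples where kind is 'added',
    'removed' or 'changed'; for 'changed' the value is (old, new)."""
    changes = []
    if path and is_excluded(path, excludes):
        return changes
    if isinstance(old, dict) and isinstance(new, dict):
        for key in sorted(set(old) | set(new)):
            child = f"{path}.{key}" if path else str(key)
            if key not in old:
                if not is_excluded(child, excludes):
                    changes.append(("added", child, new[key]))
            elif key not in new:
                if not is_excluded(child, excludes):
                    changes.append(("removed", child, old[key]))
            else:
                changes.extend(diff_json(old[key], new[key], child, excludes))
    elif old != new:
        changes.append(("changed", path, (old, new)))
    return changes


def diff_against_state(new_doc, state_path, excludes=()):
    """Compare new_doc with the stored previous run, then store new_doc.

    With no state file yet (first run) nothing is reported, matching the
    sec-diff behaviour described above."""
    changes = []
    if os.path.exists(state_path):
        with open(state_path) as fh:
            changes = diff_json(json.load(fh), new_doc, excludes=excludes)
    with open(state_path, "w") as fh:
        json.dump(new_doc, fh)
    return changes


def format_changes(changes):
    """Render changes as a short human-readable report (empty when nothing changed)."""
    lines = []
    for kind, path, value in changes:
        if kind == "changed":
            lines.append(f"- Changed {path}: {value[0]!r} -> {value[1]!r}")
        else:
            lines.append(f"- {kind.capitalize()} {path}:")
            lines.append(json.dumps(value, indent=2, sort_keys=True))
    return "\n".join(lines)


def demo():
    """Run twice against a temporary state file, ignoring PID churn."""
    with tempfile.TemporaryDirectory() as tmp:
        state = os.path.join(tmp, "listenports.state")
        first = diff_against_state(OLD_RUN, state)                       # first run: []
        second = diff_against_state(NEW_RUN, state, excludes=("listenports.*.pid",))
        return first, second


if __name__ == "__main__":
    first, second = demo()
    print("first run:", format_changes(first) or "(no changes)")
    print("second run:\n" + format_changes(second))
```

Without the exclude, the second run also reports `Changed listenports.8000.pid: 30925 -> 31000`; with `listenports.*.pid` excluded only the new `nc` listener on 8888 is reported, which is the signal worth mailing. Excluding PID and program name together, as in the last command above, is a trade-off: it removes restart noise but would also hide a different binary taking over an existing port.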
For more information, check out the manual pages for each tool.
The sec-report tool renders a Mako template to HTML. The output is written to stdout and can be used to generate a PDF with a tool like html2pdf. For an example, see the example report.
Reports can read JSON from STDIN or from files passed as ASSET params. You can either
write your own reports (see the examples dir) or use a pre-made
one from the reports directory.
Example usage:
# One-off report of listening ports
$ sudo sec-gather-listenports | sec-report sec-gather-listenports.tpl
# Generate some host information using sec-gather- scripts and generate a
# host report.
$ mkdir out
$ sudo sec-gather-listenports > out/listenports
$ sudo sec-gather-misconfigs > out/misconfigs
$ sudo sec-gather-mysqlusers > out/mysqlusers
$ sec-report --title "Security report for $(hostname -f)" host_report.tpl out/* > host_report.html
For more information, check out the manual page.
Sec-tools are Open Source and released under the GNU AGPLv3 (GNU Affero General Public License
v3.0). See the LICENSE file in this repo for more information.