ファイル: Proc_check.py プロジェクト: zha0/Emergency-check
 def run(self):
     """Print the process-check report section.

     Emits an ANSI bold-yellow heading with ``self.name``, then one line per
     check (label padded by ``align``, result rendered by ``printf``), and
     finally one line per entry collected in ``self.suspicious_proc``.
     Each entry is indexed as ``[path, detail]``; the checks run in the
     listed order, so their side effects on ``self.suspicious_proc`` happen
     before the detail loop below.
     """
     print(u'\n\033[1;33m%s\033[0m' % self.name)
     checks = (
         ("[1]exe check", self.exe_check),
         ("[2]shell check", self.shell_check),
         ("[3]cpu mem check", self.cpu_mem_check),
     )
     for label, check in checks:
         print(u'  %s%s' % (align(label), printf(check())))
     for detail in self.suspicious_proc:
         print(u'    [*]File:%s[*]Detail:%s' %
               (align(detail[0]), detail[1]))
 def run(self):
     """Print the login-log report section.

     Emits an ANSI bold-yellow heading with ``self.name``, then the four
     log checks (wtmp, utmp, lastlog, authlog) in order, each on one line
     with its label padded by ``align`` and its result rendered by
     ``printf``.  The entries accumulated in ``self.suspicious_log`` are
     listed last, indexed as ``[path, detail]`` with the path padded to
     width 30.
     """
     print(u'\n\033[1;33m%s\033[0m' % self.name)
     checks = (
         ("[1]wtmp check", self.wtmp_check),
         ("[2]utmp check", self.utmp_check),
         ("[3]lastlog check", self.lastlog_check),
         ("[4]authlog check", self.authlog_check),
     )
     for label, check in checks:
         print(u'  %s%s' % (align(label), printf(check())))
     for detail in self.suspicious_log:
         print(u'    [*]File:%s[*]Detail:%s' %
               (align(detail[0], width=30), detail[1]))
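 def utmp_check(self):
     """Flag more than one concurrent remote login recorded in utmp.

     Reads ``/var/run/utmp`` as raw bytes, parses it with ``readlog`` and
     keeps the most recent ``sec`` per ``(host, user)`` pair for entries of
     type ``UTmpRecordType.user_process`` whose ``host`` matches
     ``self.ip_regex``.  When two or more distinct pairs are present, one
     row per pair is appended to ``self.suspicious_log`` as
     ``[path, "User,addr:...Time:..."]`` with the time rendered in UTC.

     Returns:
         True when nothing was appended (file absent, or fewer than two
         distinct pairs); False once rows were appended.

     Note: the ``host`` field is copied out of a log file on the machine
     being examined, so it is not trusted input, and ``re.match`` anchors
     only at the start of the string — whether trailing characters are
     accepted depends on how ``self.ip_regex`` is written (TODO confirm).
     """
     utmp_path = "/var/run/utmp"
     if not os.path.exists(utmp_path):
         return True
     login_list = {}
     ini = len(self.suspicious_log)
     with open(utmp_path, "rb") as fd:
         buf = fd.read()
     for entry in readlog(buf):
         if not re.match(self.ip_regex, entry.host):
             continue
         if entry.type != UTmpRecordType.user_process:
             continue
         identity = (entry.host, entry.user)
         # Keep only the latest login time seen for each (host, user).
         if identity not in login_list or entry.sec > login_list[identity]:
             login_list[identity] = entry.sec
     # A single remote identity is normal; two or more online is reported.
     if len(login_list) < 2:
         return True
     for key, sec in login_list.items():
         # utcfromtimestamp kept for compatibility with the rest of the
         # file; the rendered time is UTC, not local time.
         stamp = datetime.datetime.utcfromtimestamp(
             int(sec)).strftime("%Y-%m-%d %H:%M:%S")
         # Report the file that was actually opened above so the row and
         # the check agree on the source path.
         self.suspicious_log.append([
             utmp_path,
             "User,addr:%sTime:%s" %
             (align(",".join(key), width=30), stamp)
         ])
     return ini == len(self.suspicious_log)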
 def wtmp_check(self):
     """Flag more than one distinct remote login recorded in wtmp.

     Reads ``/var/log/wtmp`` as raw bytes, parses it with ``readlog`` and
     keeps the most recent ``sec`` per ``(host, user)`` pair for entries
     whose ``host`` matches ``self.ip_regex`` but not ``self.ip_internal``
     (internal addresses are skipped on purpose, per the original author).
     When two or more distinct pairs are present, one row per pair is
     appended to ``self.suspicious_log`` as
     ``["/var/log/wtmp", "User,addr:...Time:..."]`` with the time in UTC.

     Returns:
         True when nothing was appended (file absent, or fewer than two
         distinct pairs); False once rows were appended.

     Note: ``host`` comes from a log file on the examined machine and is
     not trusted input; ``re.match`` anchors only at the start of the
     string, so acceptance of trailing characters depends on how
     ``self.ip_regex`` is written (TODO confirm).
     """
     wtmp_path = '/var/log/wtmp'
     login_list = {}
     if not os.path.exists(wtmp_path):
         return True
     ini = len(self.suspicious_log)
     with open(wtmp_path, 'rb') as fd:
         buf = fd.read()
     for entry in readlog(buf):
         if not re.match(self.ip_regex, entry.host):
             continue
         # Internal addresses are deliberately not examined.
         if re.match(self.ip_internal, entry.host):
             continue
         identity = (entry.host, entry.user)
         # Keep only the latest login time seen for each (host, user).
         if identity not in login_list or entry.sec > login_list[identity]:
             login_list[identity] = entry.sec
     if len(login_list) < 2:
         return True
     for key, sec in login_list.items():
         stamp = datetime.datetime.utcfromtimestamp(
             int(sec)).strftime("%Y-%m-%d %H:%M:%S")
         self.suspicious_log.append([
             "/var/log/wtmp",
             "User,addr:%sTime:%s" %
             (align(",".join(key), width=30), stamp)
         ])
     end = len(self.suspicious_log)
     return ini == end
ファイル: User_check.py プロジェクト: zha0/Emergency-check
 def run(self):
     """Print the user/account report section.

     Emits an ANSI bold-yellow heading with ``self.name``, then the five
     account checks (root, empty password, sudoers, authorized keys,
     passwd-file permissions) in order, each with its label padded by
     ``align`` and its result rendered by ``printf``.  The entries
     accumulated in ``self.suspicious_user`` are listed last, indexed as
     ``[path, detail]``.
     """
     print(u"\n\033[1;33m%s\033[0m" % self.name)
     checks = (
         ("[1]root user check", self.root_check),
         ("[2]empty passwd check", self.empty_check),
         ("[3]sudoer check", self.sudo_check),
         ("[4]authorized check", self.authorized_check),
         ("[5]passwd file check", self.permission_check),
     )
     for label, check in checks:
         print(u"  %s%s" % (align(label), printf(check())))
     for detail in self.suspicious_user:
         print(u"    [*]File:%sDetail:%s" % (align(detail[0]), detail[1]))
ファイル: History_check.py プロジェクト: zha0/Emergency-check
 def run(self):
     """Print the shell-history report section.

     Emits an ANSI bold-yellow heading with ``self.name``, the single
     history-file check with its label padded by ``align`` and its result
     rendered by ``printf``, then one line per entry in
     ``self.suspicious_history`` indexed as ``[path, detail]``.
     """
     print(u'\n\033[1;33m%s\033[0m' % self.name)
     label, result = "[1]History file check", self.history_files()
     print(u"  %s%s" % (align(label), printf(result)))
     for detail in self.suspicious_history:
         print("    [*]File:%sDetail:%s" % (align(detail[0]), detail[1]))
 def run(self):
     """Print the persistence/backdoor report section.

     Emits an ANSI bold-yellow heading with ``self.name``, then the twenty
     checks below in their numbered order, each with its label padded by
     ``align`` and its result rendered by ``printf``.  The entries
     accumulated in ``self.suspicious_backdoor`` are listed last, indexed
     as ``[path, detail]``.  Label text (including the spelling of
     "Inted"/"Xinted") is part of the report output and is kept as-is.
     """
     print(u'\n\033[1;33m%s\033[0m' % self.name)
     checks = (
         ("[1]LD_PRELOAD check", self.LD_PRELOAD_check),
         ("[2]LD_AOUT_PRELOAD check", self.LD_AOUT_PRELOAD_check),
         ("[3]LD_ELF_PRELOAD check", self.LD_ELF_PRELOAD_check),
         ("[4]LD_LIBRARY_PATH check", self.LD_LIBRARY_PATH_check),
         ("[5]PROMPT_COMMAND check", self.PROMPT_COMMAND_check),
         ("[6]Export check", self.export_check),
         ("[7]LD_SO_PRELOAD check", self.ld_so_preload),
         ("[8]Cron check", self.cron_check),
         ("[9]SSH backdoor check", self.SSH_check),
         ("[10]SSH_softlink check", self.SSH_softlink),
         ("[11]SSH wrapper check", self.SSH_wrapper_check),
         ("[12]Inted check", self.inted_check),
         ("[13]Xinted check", self.xinetd_check),
         ("[14]Setuid check", self.setuid_check),
         ("[15]Startup check", self.startup_check),
         ("[16]Alias check", self.alias_check),
         ("[17]Openssh check", self.openssh_check),
         ("[18]Fstab check", self.fstab_check),
         ("[19]Setgid check", self.setgid_check),
         ("[20]PAM check", self.pam_check),
     )
     for label, check in checks:
         print(u'  %s%s' % (align(label), printf(check())))
     for detail in self.suspicious_backdoor:
         print(u'    [*]File:%s[*]Detail:%s' % (align(detail[0]), detail[1]))