Thursday, 12 July 2012

'Expect' Scripts to Perform Build Reviews of Linux/Unix Hosts

A host implementation review, more commonly known as a build review, can provide systems administrators with a comprehensive picture of the security of their build. Typically, a review allows the client to gain assurance of internal build standards and also meet external compliance requirements by assessing the following areas:

  • Patch management and software updating processes
  • User management, password and account policies
  • Operating system security parameters
  • Permissions on sensitive file system areas
  • Third party software installations, their permissions and configuration

A comprehensive host implementation review will consider objective standards, such as those issued by the Center for Internet Security (CIS), as well as a client's own policies and build standards. Deviations from best practice and from internal standards should be highlighted and reported upon, together with recommendations for improvements to the design.

From a tester's perspective, much of the build review can be automated. Tools such as Nessus will report missing patches, and if given an appropriate audit script, will conduct the majority of CIS benchmark checks against the host. 

If performing a review of Windows hosts, automated checks combined with various inbuilt Active Directory tools (Resultant Set of Policy - RSoP) and manual verification can allow for a comprehensive audit with little technical effort - though contextualising the business risk of course remains the challenging aspect of such an engagement.

Linux and Unix hosts however, often present more of a technical challenge. The location and contents of configuration files often vary significantly between distributions, hosts are often individually managed rather than centrally (as would be the case in an Active Directory environment), and it is harder to verify results from automated tools on a large number of hosts without significant effort. Essentially, manual verification is limited to SSHing into each machine in turn, which is often infeasible if dealing with a large number of hosts.

SSH of course will allow commands to be run on a remote host, but in a foreign environment the remote hosts will not be configured for public key cryptography, requiring an element of interaction with SSH to firstly accept the connection, and secondly to enter the password. Again, not ideal if you have a large number of hosts.

Luckily, there is a scripting language designed just for this type of scenario where user interaction is required - 'Expect'. Expect (http://en.wikipedia.org/wiki/Expect) is a Unix automation tool based on Tcl and is perfect for SSH/Telnet/FTP interaction when dealing with a number of hosts. The language is a little tricky at first, but once you get a basic understanding of the syntax, it's fairly easy to put together a number of tasks into a script without too much effort. A simple example of sending a command, and waiting ('expecting') a response is shown below:

Elevating Privileges within an Expect script:
# type "sudo -s" at the remote shell (the \n acts as Enter); if sudo asks for a
# password, a further expect/send pair is needed before waiting for the prompt
send "sudo -s\n"
# wait until a shell prompt ending in $, > or # followed by a space comes back;
# the empty braces are the action to run on a match (nothing, in this case)
expect -re "(\\$|>|#) $" {}

Now it's possible to perform a full build audit using Expect to enter all the commands that you'd normally have to sit there typing. I normally tar/gzip a copy of the whole /etc directory, perform a full recursive ls and run a number of find commands to identify weak file permissions. I also perform a few host forensic commands whilst on the host, such as netstat, ifconfig and the like to gain a snapshot of the current running state during the audit. The script I use for generic Linux hosts can be downloaded here (find the corresponding Solaris script here) and is designed to scp the interesting files from the host back to the auditor's machine without any user interaction.

Finally, I run this against a list of hosts/IP addresses with the following wrapper:

#!/bin/bash
# Reads one host name or IP address per line from standard input, so redirect
# the host list into this script. Note that a password given on the command
# line is visible to other local users in the process list (ps) and may be
# recorded in shell history.
while IFS= read -r line
do
    # </dev/null stops the audit script from consuming the rest of the host list
    /opt/scripts/audit.sh "$line" username mysecretpassword </dev/null
done
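The audit scripts the post links to are not reproduced on the page, so the following is an added example of an Expect script in the same spirit (it is not the author's audit.sh or the Solaris variant). It logs in over SSH, accepts an unknown host key, answers the password prompt, elevates with sudo -s (handling sudo's own password prompt, which the fragment above leaves out), runs the kind of evidence-gathering commands the post describes, and then pulls the results back with scp. The names audit.exp, AUDIT_PASS, evidence/<host> and /tmp/audit-<host> are assumptions made for this example, as is the assumption that the target is Linux with GNU find and net-tools and that the account's sudo password is the login password.

```expect
#!/usr/bin/expect -f
# Added example audit script (not the author's downloadable audit.sh).
# Usage:  audit.exp <host> <user> [password]
# The password comes from the AUDIT_PASS environment variable when set,
# otherwise from the third argument (which shows up in `ps` and shell
# history, so the variable is preferable).
# Assumed: the account can "sudo -s" with its login password, /tmp is
# writable on the target, and the target is Linux (GNU find, net-tools).

if {[llength $argv] < 2} {
    puts stderr "usage: $argv0 <host> <user> \[password\]"
    exit 1
}
set host [lindex $argv 0]
set user [lindex $argv 1]
if {[info exists env(AUDIT_PASS)]} {
    set pass $env(AUDIT_PASS)
} elseif {[llength $argv] == 3} {
    set pass [lindex $argv 2]
} else {
    puts stderr "no password: set AUDIT_PASS or pass it as the third argument"
    exit 1
}

set outdir "evidence/$host"    ;# where evidence lands on the auditor's machine
set work   "/tmp/audit-$host"  ;# staging directory on the target
file mkdir $outdir

# Shell prompt: $, > or # followed by a space at the end of the buffer
set prompt {(\$|>|#) $}
set timeout 30
log_file -a "$outdir/session.log"   ;# transcript of everything the host printed

# Send one command and wait for the prompt; abort on timeout so a hung
# command cannot leave send/expect out of step.
proc run {cmd} {
    global prompt host spawn_id
    send "$cmd\r"
    expect {
        -re $prompt {}
        timeout { puts stderr "timed out running '$cmd' on $host"; exit 4 }
    }
}

# 1. Log in: accept an unknown host key, answer the password prompt
spawn ssh $user@$host
set ssh_id $spawn_id
expect {
    -re {\(yes/no.*\)\?} { send "yes\r"; exp_continue }
    -re {[Pp]assword: ?$}  { send "$pass\r" }
    timeout { puts stderr "no login prompt from $host"; exit 2 }
    eof     { puts stderr "connection to $host closed"; exit 2 }
}
expect {
    -re $prompt {}
    -re {[Pp]assword: ?$} { puts stderr "authentication failed on $host"; exit 3 }
    timeout { puts stderr "no shell prompt from $host"; exit 2 }
}

# 2. Elevate privileges, answering sudo's password prompt if it appears
send "sudo -s\r"
expect {
    -re {[Pp]assword[^:]*: ?$} {
        send "$pass\r"
        expect {
            -re {Sorry|incorrect} { puts stderr "sudo refused on $host"; exit 3 }
            -re $prompt {}
        }
    }
    -re $prompt {}
}

# 3. Collect evidence: /etc, a recursive listing, weak permissions and a
#    snapshot of the running state. Recursive listings can take a while.
set timeout 900
run "mkdir -p $work"
run "tar czf $work/etc.tgz /etc 2>/dev/null"
run "ls -laR / > $work/ls-laR.txt 2>/dev/null"
run "find / -xdev -type f -perm -0002 -ls > $work/world-writable.txt 2>/dev/null"
run "find / -xdev -type f \\( -perm -4000 -o -perm -2000 \\) -ls > $work/setuid-setgid.txt 2>/dev/null"
run "netstat -tulpan > $work/netstat.txt 2>&1"
run "ifconfig -a > $work/ifconfig.txt 2>&1"
run "ps auxww > $work/ps.txt 2>&1"
run "chown -R $user $work"   ;# so the unprivileged scp below can read it all
run "exit"                   ;# leave the root shell

# 4. Pull the evidence back (from our side, so the target needs no route to
#    us), then remove the staging directory on the target.
spawn scp -r $user@$host:$work $outdir/
expect {
    -re {\(yes/no.*\)\?} { send "yes\r"; exp_continue }
    -re {[Pp]assword: ?$}  { send "$pass\r"; exp_continue }
    timeout { puts stderr "scp from $host timed out"; exit 5 }
    eof {}
}
set spawn_id $ssh_id
run "rm -rf $work"
send "exit\r"
expect eof
puts "evidence for $host saved under $outdir"
```

Because the third argument is optional, the bash wrapper above can call this script in place of audit.sh without changes; exporting AUDIT_PASS once and dropping the password argument keeps it out of the process list on the auditor's machine. Every shell prompt is matched with the same regular expression as the fragment in the post, which is why each command is sent through a single helper that aborts on timeout rather than silently getting out of step.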

These scripts are not designed to perform a full automated audit of a host, but rather to pull the evidence needed to back up findings from automated tools such as Nessus. They also allow site-wide password audits to be conducted with a couple of lines of code:

# run from the directory the collected evidence was copied into: gather every
# shadow file, keep only real entries, drop duplicates, then feed them to John
find . -name shadow -exec cat {} \; | grep ':' | sort -u > /tmp/shadow-all
/opt/john/john --wordlist=dict.txt /tmp/shadow-all

Feel free to customise the scripts as you see fit. As always, feed back any comments and improvements in the comments section below.
