
Security Audit

Daily security checks and audit routine for Debian/Ubuntu-style hosts. The commands assume apt, UFW/fail2ban and an rsyslog-managed `/var/log/auth.log`; on journald-only systems query `journalctl` (e.g. `journalctl -u ssh --since today`) instead, and remember that rotated history lives in `auth.log.1` and the compressed siblings.

Last updated: 2025-01-15


Quick Security Check

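# Failed logins (last 10). Only the current log file is searched; rotated
# history is in auth.log.1, and journald-only hosts need `journalctl -u ssh`.
grep "Failed password" /var/log/auth.log | tail -n 10

# Root sessions, including those opened through su/sudo
grep "session opened for user root" /var/log/auth.log

# Listening sockets that are NOT bound to loopback.
# `grep -v 127.0.0.1` alone lets IPv6 loopback ([::1]) listeners through and
# keeps the header line; -H drops the header, the regex drops both loopbacks.
loopback_re='127\.0\.0\.1|\[::1\]'
ss -tulnH | grep -Ev "$loopback_re"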

Authentication Audit

Failed Logins

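# Count failed logins by source IP.
# Take the token after "from" instead of a fixed field offset ($(NF-3)),
# so the extraction survives lines with extra trailing fields.
grep "Failed password" /var/log/auth.log | \
    awk '{ for (i = 1; i < NF; i++) if ($i == "from") { print $(i+1); break } }' | \
    sort | uniq -c | sort -rn | head -n 10

# Failed logins today.
# The previous `date +%b %d` passed %d as a second operand, so date failed,
# the pattern expanded to "" and grep matched EVERY line (whole-log count).
# Traditional syslog stamps are space-padded ("Jan  5"), hence %e; if your
# rsyslog writes ISO 8601 timestamps use today=$(date +%F) instead.
today=$(date '+%b %e')
grep "Failed password" /var/log/auth.log | grep -- "$today"

# Attempts against non-existent accounts (user enumeration / brute force)
grep "Invalid user" /var/log/auth.log | tail -n 10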

Successful Logins

# Last 20 login records from wtmp; -a puts the originating host last
last -a | head -n 20

# Successful SSH authentications (password and publickey alike)
grep Accepted /var/log/auth.log | tail -n 10

# Sessions active right now: `who` is terse, `w` adds idle time and command
who
w

sudo Usage

# Most recent 20 sudo records (invoking user, target user, command)
grep -F 'sudo:' /var/log/auth.log | tail -n 20

# sudo password failures (wrong password or user not in sudoers)
grep sudo /var/log/auth.log | grep -F 'authentication failure'

System Audit

User Accounts

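# Accounts that can get an interactive shell. Anchored to the end of the
# line so only the shell field is tested, not a name/GECOS field that
# happens to contain "false".
grep -vE '(nologin|false)$' /etc/passwd

# Every UID 0 account; anything besides root is a second root login
awk -F: '$3 == 0 { print }' /etc/passwd

# Accounts with an empty password hash (reading /etc/shadow needs root)
sudo awk -F: '$2 == "" { print $1 }' /etc/shadow

# Last password change per account. `chage -l` reads /etc/shadow and must
# run as root: unprivileged, the old loop hid every "Permission denied"
# behind 2>/dev/null and never printed which user a line belonged to.
# (`sudo passwd -Sa` reports the same date for all users in one call.)
while IFS=: read -r user _; do
    sudo chage -l "$user" \
        | awk -v u="$user" -F': ' '/Last password change/ { print u ": " $2 }'
done < /etc/passwd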

File Permissions

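# Skip pseudo-filesystems: /proc and /sys contain kernel-synthesised
# world-writable and unowned entries that only add noise to every find below.
prune=( \( -path /proc -o -path /sys -o -path /dev -o -path /run \) -prune -o )

# World-writable regular files
find / "${prune[@]}" -type f -perm -0002 -ls 2>/dev/null | head -n 20

# SUID binaries. Save this list and diff it against a known-good baseline
# on each run: a new entry is the signal, the full list is noise.
find / "${prune[@]}" -type f -perm -4000 -ls 2>/dev/null

# SGID binaries
find / "${prune[@]}" -type f -perm -2000 -ls 2>/dev/null

# Files with no matching passwd/group entry (leftovers from deleted accounts
# or unpacked archives). Parenthesised so -ls applies to both tests.
find / "${prune[@]}" \( -nouser -o -nogroup \) -ls 2>/dev/null | head -n 20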

Network Audit

Open Ports

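# All listening sockets (TCP + UDP, numeric, no name resolution)
ss -tuln

# Externally reachable only: drop both IPv4 and IPv6 loopback binds.
# `grep -v 127.0.0.1` alone reports [::1] listeners as external and keeps
# the header line; -H drops the header.
loopback_re='127\.0\.0\.1|\[::1\]'
ss -tulnH | grep -Ev "$loopback_re"

# Owning process per socket (root needed to see other users' processes)
sudo ss -tulnp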

Firewall Status

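# UFW status and rule set
sudo ufw status verbose

# Underlying packet-filter rules. `iptables -L -n` shows only the filter
# table, and on current Debian/Ubuntu only through the nftables compat
# layer, so also dump the native nft ruleset when it exists.
sudo iptables -L -n
sudo nft list ruleset 2>/dev/null

# Recently blocked packets. UFW tags them "[UFW BLOCK]"; the word "blocked"
# does not occur in its log format, so `grep -i blocked` matched nothing.
# If /var/log/ufw.log is absent the lines are in kern.log or `journalctl -k`.
grep -F '[UFW BLOCK]' /var/log/ufw.log | tail -n 10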

Security Tools

fail2ban Status

# Overall status: list of active jails
sudo fail2ban-client status

# Detail for the SSH jail (named "sshd" in the default config; older
# setups call it "ssh" — use the name from the overall status)
sudo fail2ban-client status sshd

# Currently banned addresses for that jail. The `get <jail> banned`
# subcommand needs fail2ban 0.11 or newer; `status sshd` lists them too.
sudo fail2ban-client get sshd banned

ClamAV Scan

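# Scan the directories that receive untrusted files (-r recurse, -i print
# infected files only). stderr is still silenced to skip "Permission
# denied" noise, so surface the exit status: 2 means the scan itself failed
# (typically a missing/outdated database) and silently looked "clean".
clamscan -ri /home /var/www 2>/dev/null
echo "clamscan exit status: $? (0 clean, 1 infected, 2 error - rerun without 2>/dev/null)"

# Age of the signature set. freshclam updates daily.cld/daily.cvd; main.cvd
# changes rarely, so its build time says nothing about whether updates
# are still arriving.
sigtool --info /var/lib/clamav/daily.cld 2>/dev/null || sigtool --info /var/lib/clamav/daily.cvd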

Update Status

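# Available updates (`apt list` warns that its output is not a stable
# interface; for scripts use the apt-get form below)
apt list --upgradable 2>/dev/null | head -n 20

# Security updates only: matches the "-security" pocket in the origin column
apt list --upgradable 2>/dev/null | grep -i security

# Script-stable equivalent: "Inst" lines name the origin pocket too
apt-get -s upgrade 2>/dev/null | grep '^Inst' | grep -i security

# When the package index was last refreshed (pkgcache.bin is rebuilt by
# `apt update`). This is NOT when packages were last upgraded.
stat -c '%y  %n' /var/cache/apt/pkgcache.bin

# When an upgrade was last actually applied
grep -h '^Start-Date' /var/log/apt/history.log | tail -n 1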

Daily Audit Script

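#!/usr/bin/env bash
# Daily security summary: failed SSH logins, top offending IPs, fail2ban
# bans, non-loopback listeners and pending security updates. Read-only.
# Intended to run from cron as root (or as a user with passwordless sudo
# for fail2ban-client — `sudo -n` never prompts, so a cron run cannot hang).
#
# Fixes vs. the previous version:
#  - `date +%b %d` passed %d as a second operand, date failed, and the empty
#    pattern matched every line: the "last 24h" figure was the whole log.
#  - IPv6 loopback ([::1]) listeners were reported as external and the list
#    was silently truncated with `tail -10`.
#  - grep exits 1 when nothing matches; that is a normal result here, so
#    each pipeline is guarded with `|| true` instead of aborting the report.
set -u

AUTH_LOG="${AUTH_LOG:-/var/log/auth.log}"
JAIL="${JAIL:-sshd}"
readonly LOOPBACK_RE='127\.0\.0\.1|\[::1\]'

# Date prefix of traditional syslog lines ("Jan  5"): %e is space-padded.
# Set SYSLOG_DATE_FMT=%F if rsyslog writes ISO 8601 timestamps.
today_stamp() {
  date "+${SYSLOG_DATE_FMT:-%b %e}"
}

# Run a command as root: directly when already root, else via
# non-interactive sudo so an unattended run fails fast instead of prompting.
as_root() {
  if [[ "${EUID:-$(id -u)}" -eq 0 ]]; then
    "$@"
  else
    sudo -n "$@"
  fi
}

section() {
  printf '\n--- %s ---\n' "$1"
}

main() {
  printf '=== Security Audit %s ===\n' "$(date)"

  if [[ ! -r "$AUTH_LOG" ]]; then
    printf 'warning: %s is not readable; run as root or set AUTH_LOG\n' "$AUTH_LOG" >&2
  fi

  section "Failed Logins (today: $(today_stamp))"
  grep "Failed password" "$AUTH_LOG" 2>/dev/null | grep -c -- "$(today_stamp)" || true

  section "Top Failed IPs"
  grep "Failed password" "$AUTH_LOG" 2>/dev/null \
    | awk '{ for (i = 1; i < NF; i++) if ($i == "from") { print $(i+1); break } }' \
    | sort | uniq -c | sort -rn | head -n 5

  section "Banned IPs ($JAIL)"
  as_root fail2ban-client status "$JAIL" 2>/dev/null | grep "Banned IP" || true

  section "Open Ports (non-loopback)"
  ss -tulnH 2>/dev/null | grep -Ev "$LOOPBACK_RE" || true

  section "Security Updates"
  apt list --upgradable 2>/dev/null | grep -ci security || true

  section "Done"
}

main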

Audit Checklist

| Check | Frequency | Command |
|---|---|---|
| Failed logins | Daily | `grep "Failed password" /var/log/auth.log` |
| Open ports | Daily | `ss -tuln` |
| fail2ban | Daily | `fail2ban-client status` |
| Updates | Daily | `apt list --upgradable` |
| Permissions (SUID/SGID, world-writable, unowned) | Weekly | `find / -perm ...` |
| Users (shells, UID 0, empty passwords) | Weekly | `cat /etc/passwd` |