##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
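# Post module: enumerate kernel hardening, LSMs and security software on a
# compromised Linux host. Everything found is printed and, when a database
# is connected, stored as a 'linux.protection' note on the session host.
#
# The probes are read-only (stat/`command -v`/file reads) but they do run
# commands on the target, so they are visible to auditd/EDR like any other
# post-exploitation activity. A negative result here only means the probe
# did not find the artefact; it is not proof that a protection is absent
# (e.g. eBPF-based agents or kernel-module-only sensors leave none of the
# paths below).
class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Linux::Kernel
  include Msf::Post::Linux::System

  # Kernel/LSM probes with a single "present" state:
  # [predicate from Msf::Post::Linux::Kernel, message reported when true].
  # Two-state probes (SELinux enforcing/permissive, Yama enabled/disabled)
  # are handled explicitly in check_hardening.
  KERNEL_CHECKS = [
    [:aslr_enabled?, 'ASLR is enabled'],
    [:exec_shield_enabled?, 'Exec-Shield is enabled'],
    [:kaiser_enabled?, 'KAISER is enabled'],
    [:smep_enabled?, 'SMEP is enabled'],
    [:smap_enabled?, 'SMAP is enabled'],
    [:lkrg_installed?, 'LKRG is installed'],
    [:grsec_installed?, 'grsecurity is installed'],
    [:pax_installed?, 'PaX is installed']
  ].freeze

  # Executable name => product label. Resolved through the session's PATH,
  # so agents that install outside PATH (most commercial EDRs) are not found
  # here; CONFIG_PATHS covers those by absolute path.
  EXECUTABLES = {
    'aa-status' => 'AppArmor',
    'aide' => 'Advanced Intrusion Detection Environment (AIDE)',
    'apparmor' => 'AppArmor',
    'auditd' => 'auditd',
    'avast' => 'Avast',
    'bastille' => 'Bastille',
    'bulldog' => 'Bulldog',
    'chkrootkit' => 'chkrootkit',
    'clamav' => 'ClamAV',
    'elastic-agent' => 'Elastic Security',
    'firejail' => 'Firejail',
    'firestarter' => 'Firestarter',
    'fw-settings' => 'Uncomplicated FireWall (UFW)',
    'getenforce' => 'SELinux',
    'gradm' => 'grsecurity',
    'gradm2' => 'grsecurity',
    'honeyd' => 'Honeyd',
    'iptables' => 'iptables',
    'jailkit' => 'jailkit',
    'logrotate' => 'logrotate',
    'logwatch' => 'logwatch',
    'lynis' => 'lynis',
    'nagios' => 'nagios',
    'oz-seccomp' => 'OZ',
    'paxctl' => 'PaX',
    'paxctld' => 'PaX',
    'paxtest' => 'PaX',
    'proxychains' => 'ProxyChains',
    'psad' => 'psad',
    'rkhunter' => 'rkhunter',
    'snort' => 'snort',
    'tcpdump' => 'tcpdump',
    'thpot' => 'thpot',
    'tiger' => 'tiger',
    'tripwire' => 'tripwire',
    'ufw' => 'Uncomplicated FireWall (UFW)',
    'wireshark' => 'Wireshark'
  }.freeze

  # Absolute file or directory path => product label. Existence is checked
  # with file_exist?/directory?, which only needs stat access, so most of
  # these resolve from an unprivileged session as well.
  CONFIG_PATHS = {
    '/bin/logrhythm' => 'LogRhythm Axon',
    '/etc/aide/aide.conf' => 'Advanced Intrusion Detection Environment (AIDE)',
    '/etc/chkrootkit' => 'chkrootkit [chkrootkit -q]',
    '/etc/clamd.d/scan.conf' => 'ClamAV',
    '/etc/fluent-bit' => 'Fluent Bit Log Collector',
    '/etc/freshclam.conf' => 'ClamAV',
    '/etc/init.d/avast' => 'Avast',
    '/etc/init.d/avgd' => 'AVG',
    '/etc/init.d/ds_agent' => 'Trend Micro Deep Security Agent',
    '/etc/init.d/fortisiem-linux-agent' => 'Fortinet FortiSIEM',
    '/etc/init.d/kics' => 'Kaspersky Industrial CyberSecurity',
    '/etc/init.d/limacharlie' => 'LimaCharlie Agent',
    '/etc/init.d/qualys-cloud-agent' => 'Qualys EDR Cloud Agent',
    '/etc/init.d/scsm' => 'LogRhythm System Monitor',
    '/etc/init.d/sisamdagent' => 'Symantec EDR',
    '/etc/init.d/splx' => 'Trend Micro Server Protect',
    '/etc/init.d/threatconnect-envsvr' => 'ThreatConnect',
    '/etc/logrhythm' => 'LogRhythm Axon',
    '/etc/opt/f-secure' => 'WithSecure (F-Secure)',
    '/etc/otelcol-sumo/sumologic.yaml' => 'Sumo Logic OTEL Collector',
    '/etc/rkhunter.conf' => 'rkhunter',
    '/etc/safedog/sdsvrd.conf' => 'Safedog',
    '/etc/safedog/server/conf/sdsvrd.conf' => 'Safedog',
    '/etc/tripwire' => 'TripWire',
    '/opt/COMODO' => 'Comodo AV',
    '/opt/CrowdStrike' => 'CrowdStrike',
    '/opt/FortiEDRCollector' => 'Fortinet FortiEDR',
    '/opt/FortiEDRCollector/scripts/fortiedrconfig.sh' => 'Fortinet FortiEDR',
    '/opt/McAfee' => 'FireEye/McAfee/Trellix Agent',
    '/opt/SumoCollector' => 'Sumo Logic Cloud SIEM',
    '/opt/Symantec' => 'Symantec EDR',
    '/opt/Tanium' => 'Tanium',
    '/opt/Trellix' => 'FireEye/McAfee/Trellix SIEM Collector',
    '/opt/avg' => 'AVG',
    '/opt/bitdefender-security-tools/bin/bdconfigure' => 'Bitdefender EDR',
    '/opt/cisco/amp/bin/ampcli' => 'Cisco Secure Endpoint',
    '/opt/cyberark' => 'CyberArk',
    '/opt/ds_agent/dsa' => 'Trend Micro Deep Security Agent',
    '/opt/f-secure' => 'WithSecure (F-Secure)',
    '/opt/fireeye' => 'FireEye/Trellix EDR',
    '/opt/fortinet/fortisiem' => 'Fortinet FortiSIEM',
    '/opt/isec' => 'FireEye/Trellix Endpoint Security',
    '/opt/kaspersky' => 'Kaspersky',
    '/opt/logrhythm/scsm' => 'LogRhythm System Monitor',
    '/opt/secureworks' => 'Secureworks',
    '/opt/sentinelone/bin/sentinelctl' => 'SentinelOne',
    '/opt/splunkforwarder' => 'Splunk',
    '/opt/threatbook/OneAV' => 'threatbook.OneAV',
    '/opt/threatconnect-envsvr/' => 'ThreatConnect',
    '/opt/traps/bin/cytool' => 'Palo Alto Networks Cortex XDR',
    '/sf/edr/agent/bin/edr_agent' => 'Sangfor EDR',
    '/titan/agent/agent_update.sh' => 'Titan Agent',
    '/usr/bin/linep' => 'Group-iB XDR Endpoint Agent',
    '/usr/bin/oneav_start' => 'threatbook.OneAV',
    '/usr/lib/Acronis' => 'Acronis Cyber Protect',
    '/usr/lib/symantec/status.sh' => 'Symantec Linux Agent',
    '/usr/local/bin/intezer-analyze' => 'Intezer',
    '/usr/local/qualys' => 'Qualys EDR Cloud Agent',
    '/usr/local/rocketcyber' => 'Kaseya RocketCyber',
    '/var/lib/avast/Setup/avast.vpsupdate' => 'Avast',
    '/var/log/checkpoint' => 'Checkpoint',
    '/var/pt' => 'PT Swarm'
  }.freeze

  # securityfs file listing the LSMs the running kernel has active, in
  # stacking order. Absent when securityfs is not mounted or the kernel is
  # too old to expose it.
  ACTIVE_LSM_PATH = '/sys/kernel/security/lsm'.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Linux Gather Protection Enumeration',
        'Description' => %q{
          This module checks whether popular system hardening mechanisms are
          in place, such as SMEP, SMAP, SELinux, PaX and grsecurity. It also
          tries to find installed applications that can be used to hinder,
          prevent, or detect attacks, such as tripwire, snort, and apparmor.

          This module is meant to identify Linux Security Modules (LSM) in addition
          to various antivirus, IDS/IPS, firewalls, sandboxes and other security
          related software.
        },
        'License' => MSF_LICENSE,
        'Author' => 'ohdae <bindshell[at]live.com>',
        'Platform' => ['linux'],
        'SessionTypes' => ['shell', 'meterpreter'],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )
  end

  # Entry point: prints basic host info, then runs the three enumeration
  # passes (kernel hardening, executables on PATH, well-known paths).
  def run
    distro = get_sysinfo

    print_status "Running module against #{session.session_host} [#{get_hostname}]"
    print_status 'Info:'
    print_status "\t#{distro[:version]}"
    print_status "\t#{distro[:kernel]}"

    print_status 'Finding system protections...'
    check_hardening

    print_status 'Finding installed applications via their executables...'
    find_exes

    print_status 'Finding installed applications via their configuration files...'
    find_config

    # report_note is a no-op without a connected database, so only claim
    # persistence when there actually is one.
    if framework.db.active
      print_status 'System protections saved to notes.'
    end
  end

  # Stores one finding as a 'linux.protection' note on the session host.
  # :unique_data keeps repeated runs from producing duplicate notes.
  #
  # @param data [String] human-readable description of the protection found
  def report(data)
    report_note(
      host: session,
      type: 'linux.protection',
      data: data,
      update: :unique_data
    )
  end

  # Enumerates kernel-level hardening and active LSMs. Each probe is run
  # independently so one missing /proc or /sys interface does not abort the
  # others.
  def check_hardening
    KERNEL_CHECKS.each do |predicate, message|
      probe { report_protection(message) if send(predicate) }
    end

    probe do
      if selinux_installed?
        # Permissive mode only logs denials; it does not block anything, so
        # the distinction matters when planning further steps.
        if selinux_enforcing?
          report_protection 'SELinux is installed and enforcing'
        else
          report_protection 'SELinux is installed, but in permissive mode'
        end
      end
    end

    probe do
      if yama_installed?
        if yama_enabled?
          report_protection 'Yama is installed and enabled'
        else
          report_protection 'Yama is installed, but not enabled'
        end
      end
    end

    probe { check_active_lsms }
  end

  # Reports the LSM list the kernel itself exposes via securityfs. This
  # catches modules that have no userland binary to look for (capability,
  # lockdown, landlock, bpf, ...) and confirms what the per-LSM checks above
  # inferred indirectly. Silently skipped when the file is not present.
  def check_active_lsms
    return unless file_exist?(ACTIVE_LSM_PATH)

    lsms = read_file(ACTIVE_LSM_PATH).to_s.strip
    return if lsms.empty?

    report_protection "Active LSMs: #{lsms}"
  end

  # Looks for security tooling by executable name on the session's PATH.
  def find_exes
    EXECUTABLES.each do |app, appname|
      next unless command_exists? app

      # `app` comes from the fixed EXECUTABLES table, never from the target,
      # so interpolating it into the shell is safe. `command -v` may also
      # answer with an alias or builtin name, hence the leading-'/' filter.
      path = cmd_exec("command -v #{app}").to_s
      next unless path.start_with? '/'

      print_good "#{app} found: #{path}"
      report "#{appname}: #{path}"
    end
  end

  # Looks for security tooling by well-known absolute paths (config files,
  # init scripts, install directories). A RuntimeError from the file helpers
  # is reported per entry and enumeration continues with the next path.
  def find_config
    CONFIG_PATHS.each do |path, appname|
      next unless file_exist?(path) || directory?(path)

      print_good "#{appname} found: #{path}"
      report "#{appname}: #{path}"
    rescue RuntimeError
      print_bad("Unable to determine state of #{appname}")
      next
    end
  end

  private

  # Runs one probe, downgrading a RuntimeError (raised by the kernel helpers
  # when the interface they read is missing) to a verbose status line.
  def probe
    yield
  rescue RuntimeError => e
    vprint_status(e.to_s)
  end

  # Prints a positive finding and records it as a note.
  #
  # @param message [String] description of the protection that was found
  def report_protection(message)
    print_good message
    report message
  end
end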