Sunday, August 12, 2012

AIX one-liners for auditing

Locked Accounts

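# Locked accounts: print each stanza header ("user:") together with any
# account_locked attribute, so the setting appears under the account it
# belongs to. AIX stanza files use '*' as their comment character, so those
# lines are dropped (the original '-i' on that stage did nothing).
# lsuser -a account_locked ALL gives the effective per-user value instead,
# if a resolved view (including the default stanza) is preferred.
sudo grep -iE ':|account_locked' /etc/security/user | grep -v '\*'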

Last password change date
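# Last password change per account, skipping NIS/compat entries whose name
# contains '+'. Each account name is printed on a line of its own; it has no
# commas, so the trailing cut passes it through unchanged and field 9 of the
# comma-separated getprpw output follows it.
# NOTE(review): /usr/lbin/getprpw is the HP-UX trusted-system tool; the AIX
# equivalent is lssec -f /etc/security/passwd -a lastupdate (listed further
# down) — confirm which platform this one-liner is meant for, and confirm that
# field 9 is the last-password-change field on the local getprpw output.
while IFS=: read -r a _; do
  case $a in *+*) continue ;; esac
  printf '%s\n' "$a"
  /usr/bin/sudo /usr/lbin/getprpw "$a"
done < /etc/passwd | cut -f9 -d ','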

NFS shares:
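# NFS exports file. The readability test keeps the 'file not found' message
# for the missing/unreadable case only, instead of firing on any cat failure.
# (exportfs with no arguments lists what is currently exported, which can
# differ from the file's contents.)
if /usr/bin/sudo test -r /etc/exports; then
  /usr/bin/sudo cat /etc/exports
else
  echo 'file not found'
fi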

Inactive accounts (last login time per user):
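# Last login time for every account. lsuser prints "name id=N", so the
# next-to-last field is the account name. The value of time_last_login is
# normally an epoch timestamp — convert it before comparing against an
# inactivity cutoff. Variables are quoted and read uses -r so names with
# unusual characters are passed to lssec unchanged.
/usr/bin/sudo lsuser -a id ALL | awk '{ print $(NF-1) }' \
  | while IFS= read -r user; do
      sudo lssec -f /etc/security/lastlog -s "$user" -a time_last_login
    done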

Last password change date:
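# Last password change for every account, read from /etc/security/passwd.
# lsuser prints "name id=N", so the next-to-last field is the account name;
# lastupdate is normally an epoch timestamp — convert it before comparing
# against the maxage policy. Quoted variables and read -r keep unusual
# account names intact.
/usr/bin/sudo lsuser -a id ALL | awk '{ print $(NF-1) }' \
  | while IFS= read -r user; do
      sudo lssec -f /etc/security/passwd -s "$user" -a lastupdate
    done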

All SNMP configuration entries:
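# Active SNMP configuration directives: every line that begins with two
# letters, which skips comments and blank lines. grep reads the file directly
# rather than via cat; the explicit character class replaces '-i' with
# '[a-z][A-Z]', which matched the same lines less obviously.
# NOTE(review): releases running the SNMPv3 agent read /etc/snmpdv3.conf
# instead — check that file as well where it exists.
sudo grep -E '^[A-Za-z][A-Za-z]' /etc/snmpd.conf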

Default SNMP community strings

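# Community definitions, and any occurrence of the well-known defaults
# "public"/"private", with commented-out sample lines ('# ') removed.
# A default community still present here is a finding on its own.
sudo grep -iE 'community|public|private' /etc/snmpd.conf | grep -v '# '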

List of services:
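# Service name/port entries: lines starting with two letters, i.e. comments
# and blank lines skipped. The file is read by grep directly; sudo is kept
# for consistency with the other one-liners although /etc/services is
# normally world-readable.
sudo grep -E '^[A-Za-z][A-Za-z]' /etc/services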

Users with uid=0 or gid=0, and groups with gid=0:
 #cat /etc/passwd | grep ':0:'
#cat /etc/group | grep ':0:'

Check if auditing service is running:
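# Audit daemon check. The '[a]uditd' pattern cannot match the grep process's
# own command line, so the 'grep -v grep' stage is not needed.
# NOTE(review): the AIX audit subsystem is usually queried with 'audit query'
# rather than by process name — confirm which process name (if any) applies
# on the target release before relying on this check.
/usr/bin/sudo ps -ef | grep '[a]uditd' || echo 'not enabled'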

List of sudoers entries:
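# sudoers directives: lines starting with two letters, so comments and blank
# lines are skipped. Entries pulled in through #include/#includedir lines are
# not shown by this file-only view; 'sudo -l' reports the effective policy
# for the calling user.
sudo grep -E '^[A-Za-z][A-Za-z]' /etc/sudoers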

umask value

# System-wide default umask from the "default" stanza of /etc/security/user.
# Individual user stanzas in the same file may override it, so a per-account
# check is still needed for privileged accounts.
sudo lssec -f /etc/security/user -s default -a umask

List of users:
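# All account names: first field of /etc/passwd, read by cut directly instead
# of piping the file through cat.
sudo cut -d ':' -f1 /etc/passwd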

account/password policy:
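# Password and account policy from /etc/security/user.
# lssec reports the "default" stanza only; grepping the stanza headers (":")
# together with an attribute name shows which individual accounts override
# it. Other attributes of interest (e.g. minage) can be appended to either
# list. The attribute name is passed via -e so it is never taken as an option.
for attr in maxage maxexpired minalpha minother minlen mindiff; do
  sudo lssec -f /etc/security/user -s default -a "$attr"
done
for attr in loginretries histsize histexpire pwdwarntime maxrepeats; do
  sudo grep -iE -e ":|$attr" /etc/security/user
done
# Idle-session timeout configured in the system profile.
sudo grep -i 'tmout' /etc/profile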

Login Delay
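# Delay between failed login attempts, from /etc/security/login.cfg; grep
# reads the file directly instead of via cat.
sudo grep -i 'logindelay' /etc/security/login.cfg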

Log Login attempts:
# Presence, ownership and permissions of the login/su audit logs under
# /var/adm and /etc/security (one -e pattern per log name).
sudo ls -l /var/adm/ /etc/security \
  | grep -i -E -e 'loginlog' -e 'sulog' -e 'failedlogin'

# Unfiltered dump of /etc/services; the "List of services" one-liner above
# prints the same file restricted to entries that start with two letters.
cat /etc/services

