Land #11060, Add checks to post/linux/gather/enum_protections

2018-12-06 20:17:50 -06:00 · 2018-12-06 20:17:50 -06:00 · 71f84fe6a7
parent 7b654409f7 40906e0b36
commit 71f84fe6a7
1 changed files with 96 additions and 28 deletions
--- a/modules/post/linux/gather/enum_protections.rb
+++ b/modules/post/linux/gather/enum_protections.rb
@ -5,20 +5,21 @@

 class MetasploitModule < Msf::Post
  include Msf::Post::File
+  include Msf::Post::Linux::Kernel
  include Msf::Post::Linux::System

  def initialize(info = {})
-    super( update_info( info,
+    super(update_info(info,
      'Name'          => 'Linux Gather Protection Enumeration',
      'Description'   => %q{
-        This module tries to find certain installed applications that can be used
-        to prevent, or detect our attacks, which is done by locating certain
-        binary locations, and see if they are indeed executables.  For example,
-        if we are able to run 'snort' as a command, we assume it's one of the files
-        we are looking for.
+        This module checks whether popular system hardening mechanisms are
+        in place, such as SMEP, SMAP, SELinux, PaX and grsecurity. It also
+        tries to find installed applications that can be used to hinder,
+        prevent, or detect attacks, such as tripwire, snort, and apparmor.

-        This module is meant to cover various antivirus, rootkits, IDS/IPS,
-        firewalls, and other software.
+        This module is meant to identify Linux Secure Modules (LSM) in addition
+        to various antivirus, IDS/IPS, firewalls, sandboxes and other security
+        related software.
      },
      'License'       => MSF_LICENSE,
      'Author'        => 'ohdae <bindshell[at]live.com>',
@ -35,44 +36,111 @@ class MetasploitModule < Msf::Post
    print_status "\t#{distro[:version]}"
    print_status "\t#{distro[:kernel]}"

+    print_status 'Finding system protections...'
+    check_hardening
+
    print_status 'Finding installed applications...'
    find_apps
+
+    if framework.db.active
+      print_status 'System protections saved to notes.'
+    end
  end

-  def which(env_paths, cmd)
-    env_paths.each do |path|
-      cmd_path = "#{path}/#{cmd}"
-      return cmd_path if file_exist? cmd_path
-    end
-    nil
-  end
-
-  def find_apps
-    apps = %w(
-      truecrypt bulldog ufw iptables logrotate logwatch
-      chkrootkit clamav snort tiger firestarter avast lynis
-      rkhunter tcpdump webmin jailkit pwgen proxychains bastille
-      psad wireshark nagios apparmor honeyd thpot
-      aa-status gradm2 getenforce tripwire
-    )
-
-    env_paths = get_path.split ':'
-
-    apps.each do |app|
-      next unless command_exists? app
-
-      path = which env_paths, app
-      next unless path
-
-      print_good "#{app} found: #{path}"
+  def report(data)
    report_note(
      :host   => session,
      :type   => 'linux.protection',
-        :data   => path,
+      :data   => data,
      :update => :unique_data
    )
  end

-    print_status 'Installed applications saved to notes.'
+  def check_hardening
+    if aslr_enabled?
+      r = 'ASLR is enabled'
+      print_good r
+      report r
+    end
+
+    if exec_shield_enabled?
+      r = 'Exec-Shield is enabled'
+      print_good r
+      report r
+    end
+
+    if kaiser_enabled?
+      r = "KAISER is enabled"
+      print_good r
+      report r
+    end
+
+    if smep_enabled?
+      r = "SMEP is enabled"
+      print_good r
+      report r
+    end
+
+    if smap_enabled?
+      r = "SMAP is enabled"
+      print_good r
+      report r
+    end
+
+    if grsec_installed?
+      r = 'grsecurity is installed'
+      print_good r
+      report r
+    end
+
+    if pax_installed?
+      r = 'PaX is installed'
+      print_good r
+      report r
+    end
+
+    if selinux_installed?
+      if selinux_enforcing?
+        r = 'SELinux is installed and enforcing'
+        print_good r
+        report r
+      else
+        r = 'SELinux is installed, but in permissive mode'
+        print_good r
+        report r
+      end
+    end
+
+    if yama_installed?
+      if yama_enabled?
+        r = 'Yama is installed and enabled'
+        print_good r
+        report r
+      else
+        r = 'Yama is installed, but not enabled'
+        print_good r
+        report r
+      end
+    end
+  end
+
+  def find_apps
+    apps = %w(
+      truecrypt bulldog ufw iptables fw-settings logrotate logwatch
+      chkrootkit clamav snort tiger firestarter avast lynis
+      rkhunter tcpdump webmin jailkit pwgen proxychains bastille
+      psad wireshark nagios apparmor oz-seccomp honeyd thpot
+      aa-status gradm gradm2 getenforce aide tripwire paxctl
+    )
+
+    apps.each do |app|
+      next unless command_exists? app
+
+      path = cmd_exec "command -v #{app}"
+      next unless path.start_with? '/'
+
+      print_good "#{app} found: #{path}"
+      report path
+    end
  end
 end