Authentication and Access Audit
Authentication and Access Audit
Auditing authentication mechanisms and access controls ensures only authorized users can access systems through SSH. This phase examines user configurations, key management practices, and authentication methods.
Comprehensive authentication audit:
#!/bin/bash
# ssh-auth-audit.sh
# Audit SSH authentication and access controls
AUDIT_DIR="./ssh-auth-audit-$(date +%Y%m%d)"
mkdir -p "$AUDIT_DIR"
# Audit user access
audit_user_access() {
echo "=== SSH User Access Audit ===" > "$AUDIT_DIR/user_access.txt"
# Find all users with SSH access
echo -e "\n[Users with valid shells]" >> "$AUDIT_DIR/user_access.txt"
getent passwd | while IFS=: read -r user pass uid gid gecos home shell; do
if [[ ! "$shell" =~ (nologin|false)$ ]] && [ -d "$home/.ssh" ]; then
echo "User: $user (UID: $uid)" >> "$AUDIT_DIR/user_access.txt"
echo " Home: $home" >> "$AUDIT_DIR/user_access.txt"
echo " Shell: $shell" >> "$AUDIT_DIR/user_access.txt"
# Check SSH directory permissions
if [ -d "$home/.ssh" ]; then
perms=$(stat -c %a "$home/.ssh" 2>/dev/null || stat -f %Lp "$home/.ssh" 2>/dev/null)
echo " .ssh permissions: $perms" >> "$AUDIT_DIR/user_access.txt"
if [ "$perms" != "700" ]; then
echo " WARNING: Incorrect .ssh permissions!" >> "$AUDIT_DIR/user_access.txt"
fi
fi
# Check authorized_keys
if [ -f "$home/.ssh/authorized_keys" ]; then
key_count=$(grep -c "^ssh-" "$home/.ssh/authorized_keys" 2>/dev/null || echo 0)
echo " Authorized keys: $key_count" >> "$AUDIT_DIR/user_access.txt"
# Check key strength
while read -r key; do
if [[ $key =~ ^ssh-rsa ]]; then
key_size=$(echo "$key" | cut -d' ' -f2 | base64 -d 2>/dev/null | wc -c)
key_bits=$((key_size * 8))
if [ $key_bits -lt 2048 ]; then
echo " WARNING: Weak RSA key found ($key_bits bits)" >> "$AUDIT_DIR/user_access.txt"
fi
fi
done < "$home/.ssh/authorized_keys"
fi
echo "" >> "$AUDIT_DIR/user_access.txt"
fi
done
}
# Audit SSH keys
audit_ssh_keys() {
echo "=== SSH Key Audit ===" > "$AUDIT_DIR/key_audit.txt"
# Find all authorized_keys files
echo -e "\n[Authorized Keys Inventory]" >> "$AUDIT_DIR/key_audit.txt"
find /home /root -name "authorized_keys" -type f 2>/dev/null | while read -r keyfile; do
echo -e "\nFile: $keyfile" >> "$AUDIT_DIR/key_audit.txt"
# Check permissions
perms=$(stat -c %a "$keyfile" 2>/dev/null || stat -f %Lp "$keyfile" 2>/dev/null)
owner=$(stat -c %U "$keyfile" 2>/dev/null || stat -f %Su "$keyfile" 2>/dev/null)
echo "Permissions: $perms (Owner: $owner)" >> "$AUDIT_DIR/key_audit.txt"
if [ "$perms" != "600" ] && [ "$perms" != "644" ]; then
echo "WARNING: Insecure permissions on $keyfile" >> "$AUDIT_DIR/key_audit.txt"
fi
# Analyze keys
while IFS= read -r line; do
if [[ $line =~ ^[#[:space:]]*$ ]]; then
continue
fi
# Extract key info
key_type=$(echo "$line" | awk '{print $1}')
key_comment=$(echo "$line" | awk '{print $NF}')
echo " Type: $key_type" >> "$AUDIT_DIR/key_audit.txt"
# Check for command restrictions
if [[ $line =~ command= ]]; then
echo " Restriction: Has command restriction" >> "$AUDIT_DIR/key_audit.txt"
fi
# Check for source restrictions
if [[ $line =~ from= ]]; then
echo " Restriction: Has source IP restriction" >> "$AUDIT_DIR/key_audit.txt"
fi
# Key age check (if comment contains date)
if [[ $key_comment =~ [0-9]{4} ]]; then
echo " Comment: $key_comment" >> "$AUDIT_DIR/key_audit.txt"
fi
done < "$keyfile"
done
}
# Audit authentication methods
audit_auth_methods() {
echo "=== Authentication Methods Audit ===" > "$AUDIT_DIR/auth_methods.txt"
# Check PAM configuration
echo -e "\n[PAM Configuration]" >> "$AUDIT_DIR/auth_methods.txt"
if [ -f /etc/pam.d/sshd ]; then
grep -v "^#" /etc/pam.d/sshd | grep -v "^$" >> "$AUDIT_DIR/auth_methods.txt"
# Check for specific modules
if grep -q "pam_google_authenticator.so" /etc/pam.d/sshd; then
echo -e "\n✓ Two-factor authentication configured (Google Authenticator)" >> "$AUDIT_DIR/auth_methods.txt"
fi
if grep -q "pam_tally2.so" /etc/pam.d/sshd || grep -q "pam_faillock.so" /etc/pam.d/sshd; then
echo "✓ Account lockout configured" >> "$AUDIT_DIR/auth_methods.txt"
else
echo "✗ No account lockout configured" >> "$AUDIT_DIR/auth_methods.txt"
fi
fi
# Check for certificate authentication
echo -e "\n[Certificate Authentication]" >> "$AUDIT_DIR/auth_methods.txt"
if sshd -T | grep -q "trustedusercakeys"; then
ca_file=$(sshd -T | grep "trustedusercakeys" | awk '{print $2}')
echo "✓ Certificate authentication enabled" >> "$AUDIT_DIR/auth_methods.txt"
echo " CA Keys file: $ca_file" >> "$AUDIT_DIR/auth_methods.txt"
if [ -f "$ca_file" ]; then
echo " CA Keys present: $(wc -l < "$ca_file") keys" >> "$AUDIT_DIR/auth_methods.txt"
fi
else
echo "✗ Certificate authentication not configured" >> "$AUDIT_DIR/auth_methods.txt"
fi
}
# Audit sudo access
audit_sudo_access() {
echo "=== Sudo Access via SSH Audit ===" > "$AUDIT_DIR/sudo_audit.txt"
# Check sudoers for NOPASSWD
echo -e "\n[Passwordless Sudo]" >> "$AUDIT_DIR/sudo_audit.txt"
grep -r "NOPASSWD" /etc/sudoers* 2>/dev/null | while read -r line; do
if [[ ! $line =~ ^[#] ]]; then
echo "WARNING: $line" >> "$AUDIT_DIR/sudo_audit.txt"
fi
done
# Check for ALL permissions
echo -e "\n[Unrestricted Sudo]" >> "$AUDIT_DIR/sudo_audit.txt"
grep -r "ALL=(ALL)" /etc/sudoers* 2>/dev/null | while read -r line; do
if [[ ! $line =~ ^[#] ]]; then
echo "Found: $line" >> "$AUDIT_DIR/sudo_audit.txt"
fi
done
}
# Run all audits
echo "Starting SSH authentication audit..."
audit_user_access
audit_ssh_keys
audit_auth_methods
audit_sudo_access
# Generate summary
cat > "$AUDIT_DIR/auth_summary.txt" << EOF
SSH Authentication Audit Summary
================================
Generated: $(date)
Key Statistics:
- Users with SSH access: $(grep -c "^User:" "$AUDIT_DIR/user_access.txt")
- Total authorized_keys files: $(grep -c "^File:" "$AUDIT_DIR/key_audit.txt")
- Weak permissions found: $(grep -c "WARNING: Incorrect" "$AUDIT_DIR/user_access.txt")
- Weak keys found: $(grep -c "WARNING: Weak" "$AUDIT_DIR/user_access.txt")
Review the individual reports for detailed findings.
EOF
echo "Authentication audit complete. Results in $AUDIT_DIR/"