Linux – Commands for Auditing Installed Software


Similar to the question here, https://serverfault.com/questions/387111/inventory-or-audit-installed-linux-software, I would like to obtain ideas about commands that should be run across various Linux/Unix distributions to audit installed software. It should cover at a minimum the following use cases:

  1. Software installed from packages
  2. Software installed from source
  3. Software that is installed to an unknown or unexpected location

Additionally, it should work on CentOS/RedHat, SuSE, and Macintosh OS. Some of the ideas that I have thought about in relation to obtaining the software installed include the following; however, I am not sure how practical they might be.

  • Listing the running processes and making inferences from the output
  • Listing the listening or open ports and making inferences from the output
  • Running various CLI commands and trying to make sense of the output
  • Performing a dump or listing of the installed packages from the native package manager
  • Performing a find command to look for particular files or file names, perhaps even config files, to assume that certain software exists

The ultimate goal is to have commands that can be used and store the resulting output to a file. I would use this to run against various machines, either locally on the machine or via SSH, for auditing, record keeping, and determining which hosts are vulnerable to particular announced vulnerabilities.

Best Answer

For CentOS/RedHat and SuSE there is one thing in common: they all use RPM as the package format. So one thing to do is an rpm -Va: store the result as a baseline and compare it later on (if you want to check for unwanted changes).

This is quite file intensive, as every file of every rpm is being checked.

To just list what is installed, use rpm -qa or do a corresponding snmpbulkwalk on the hr-resources software-installed tree (should even work on Mac, if SNMP is enabled there).

Another idea is to use a HIDS (host-based intrusion detection system); examples are aide, fam, samhain, ...

As for running processes, the output of netstat -tulnp is interesting: you can parse which processes are associated.

The manually installed part ("from source") is hard to cover. The best approach here is IMHO to set up a policy that forbids such things (at least in production). Alternatively it has to be enforced that these programs are registered manually in an inventory DB.
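
As an added example, not part of the question or the answer above, here is a small POSIX shell script that puts the answer's rpm -qa / rpm -Va / netstat -tulnp ideas into a repeatable, file-producing form for RPM-based hosts (CentOS/RHEL/SuSE). It assumes rpm, GNU find/xargs and net-tools' netstat are present on the audited host. The SAMPLE_RPM_VA and SAMPLE_NETSTAT strings are constructed, not captured from a real machine, so the parsing functions can be tried on any box; the real commands only run inside collect().

```shell
#!/bin/sh
# Added example, not from the original thread: a minimal software-inventory script for
# RPM-based hosts (CentOS/RHEL/SuSE). Assumes rpm, GNU find/xargs and net-tools' netstat on
# the audited host. The SAMPLE_* data below is constructed so the parsers can be tried
# anywhere; the real commands only run inside collect().
set -u

# 1. Package inventory: diff a stored `rpm -qa` baseline against a current listing.
#    Prints "+pkg" for packages that appeared and "-pkg" for packages that disappeared.
pkg_diff() {
    awk 'FILENAME == ARGV[1] { base[$0] = 1; next }
         { if ($0 in base) delete base[$0]; else print "+" $0 }
         END { for (p in base) print "-" p }' "$1" "$2" | LC_ALL=C sort
}

# 2. Baseline verification: reduce `rpm -Va` output to the findings worth reading.
#    Each line is 9 attribute flags (S size, M mode, 5 digest, D device, L link, U user,
#    G group, T mtime, P caps), an optional file type (c config, d doc, ...) and the path.
#    Config/doc edits are expected and skipped; mtime-only changes are noise; content or
#    permission changes on anything else, and missing files, are reported.
#    (Paths containing spaces are not handled.)
verify_findings() {
    awk '$1 == "missing" { print "MISSING " $NF; next }
         {
             flags = $1; type = (NF == 3) ? $2 : ""; path = $NF
             if (type == "c" || type == "d") next
             if (index(flags, "S") || index(flags, "5") || index(flags, "L")) print "CONTENT " path
             else if (flags ~ /[MUGP]/) print "PERMS " path
         }'
}

# 3. Listening sockets from `netstat -tulnp` as "proto port pid program".
#    Run as root, otherwise the PID/Program column shows "-" for other users' processes.
listeners() {
    awk '$1 ~ /^(tcp|udp)6?$/ {
             n = split($4, a, ":"); split($NF, p, "/")
             print $1, a[n], p[1], (p[2] == "" ? "?" : p[2])
         }'
}

# 4. Executables no package claims: catches "from source" installs and odd locations.
#    Extend the prefix list to match your environment.
unowned_executables() {
    find /usr/local /opt /usr/bin /usr/sbin /usr/lib /usr/lib64 -xdev -type f -perm /111 2>/dev/null \
        | xargs -r rpm -qf 2>/dev/null | awk '/is not owned by any package/ { print $2 }'
}

# Write everything into one file per host (run locally, or `ssh host sh -s collect < this.sh`).
collect() {
    out="${1:-inventory-$(hostname)-$(date +%F).txt}"
    {
        echo "## packages";  rpm -qa | LC_ALL=C sort
        echo "## verify";    rpm -Va 2>/dev/null | verify_findings
        echo "## listeners"; netstat -tulnp 2>/dev/null | listeners
        echo "## unowned";   unowned_executables
    } > "$out"
    echo "$out"
}

# Constructed sample output (not captured from a real host) for trying the parsers.
SAMPLE_RPM_VA='S.5....T.  c /etc/ssh/sshd_config
.M.......    /usr/bin/passwd
S.5....T.    /usr/bin/sudo
.......T.    /usr/share/zoneinfo/UTC
missing     /usr/lib64/libfoo.so.1'

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      800/sshd
tcp6       0      0 :::3306                 :::*                    LISTEN      1201/mysqld
udp        0      0 0.0.0.0:68              0.0.0.0:*                           600/dhclient
udp        0      0 127.0.0.1:323           0.0.0.0:*                           -'

if [ "${1:-}" = "collect" ]; then collect "${2:-}"; fi
```

Keep the per-host output files (and the rpm -qa baseline you feed to pkg_diff) off the audited host: rpm -Va only compares files against the local RPM database, so anyone with root on the box can rewrite both the binary and the database entry it is checked against. The "## packages" section is what you grep when an advisory names a vulnerable package version; the "## unowned" section is the closest a package-based audit gets to the "from source" case the answer says is hard to cover.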