HomeAudit/migration_scripts/discovery/targeted_security_discovery.sh

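#!/bin/bash
#
# Targeted Security Discovery Script
# Fast collection of security-critical data for migration planning
#
# Usage: run as root (sudo) so that root's crontab, the per-user crontab
# spool, the auth logs and the whole filesystem (SUID search) are readable.
# A non-root run completes, but those sections are partial and a warning
# is printed at the start.
#
# Output: an owner-only (0700) directory under /tmp with one file per
# check, plus security.log holding everything printed to the terminal.
# The collected data is sensitive (sshd_config, sudoers, cron jobs,
# listings of ~/.ssh, names of secret-looking environment variables):
# transfer it over a secure channel and delete it once planning is done.
#
set -euo pipefail

# Every file and directory created below inherits owner-only permissions.
umask 077

TIMESTAMP=$(date +%Y%m%d_%H%M%S)
# `hostname -f` fails on hosts without a resolvable FQDN; fall back to the short name.
HOSTNAME=$(hostname -f 2>/dev/null || hostname)
# mktemp adds a random suffix, so a directory or symlink pre-created under the
# predictable /tmp name cannot capture or redirect the output.
OUTPUT_DIR=$(mktemp -d "/tmp/security_discovery_${HOSTNAME}_${TIMESTAMP}.XXXXXX")
LOG_FILE="${OUTPUT_DIR}/security.log"
# Mirror all stdout/stderr into the log so the terminal transcript is kept.
exec > >(tee -a "$LOG_FILE") 2>&1

echo "Starting Security Discovery on ${HOSTNAME} at $(date)"
echo "Output: $OUTPUT_DIR"
echo "============================================"
if [[ $EUID -ne 0 ]]; then
  echo "WARNING: not running as root; crontab, auth-log and SUID sections will be incomplete"
fi

# User & Access Control
echo "1. User Accounts & Access"
cp /etc/passwd "$OUTPUT_DIR/users.txt"
cp /etc/group "$OUTPUT_DIR/groups.txt"
# Every UID-0 account is a root-equivalent login, whatever it is named.
awk -F: '$3 == 0 {print $1}' /etc/passwd > "$OUTPUT_DIR/root_users.txt"
grep -E '^(sudo|wheel):' /etc/group > "$OUTPUT_DIR/sudo_users.txt" 2>/dev/null || echo "No sudo group found"
# sudoers and its drop-ins grant privilege outside the sudo/wheel groups.
if [[ -r /etc/sudoers ]]; then
  cp /etc/sudoers "$OUTPUT_DIR/"
  if [[ -d /etc/sudoers.d ]]; then
    cp -r /etc/sudoers.d "$OUTPUT_DIR/" 2>/dev/null || true
  fi
fi
who > "$OUTPUT_DIR/current_logins.txt" || true
# `last` exits non-zero when wtmp is missing or rotated away; that must not abort the run.
last -n 10 > "$OUTPUT_DIR/last_logins.txt" 2>/dev/null || echo "Login history unavailable"

# SSH Configuration
echo "2. SSH Configuration"
if [[ -f /etc/ssh/sshd_config ]]; then
  cp /etc/ssh/sshd_config "$OUTPUT_DIR/"
  sshd_files=(/etc/ssh/sshd_config)
  # Modern distributions set the effective values in Include'd drop-ins, so
  # the main file alone can show a misleading (e.g. default) configuration.
  if [[ -d /etc/ssh/sshd_config.d ]]; then
    cp -r /etc/ssh/sshd_config.d "$OUTPUT_DIR/"
    sshd_files+=(/etc/ssh/sshd_config.d)
  fi
  # grep exits 1 when none of these directives is set explicitly.
  grep -rhE '^(Port|PermitRootLogin|PasswordAuthentication|PubkeyAuthentication|Protocol)' \
    "${sshd_files[@]}" > "$OUTPUT_DIR/ssh_key_settings.txt" 2>/dev/null \
    || echo "No explicit sshd directives found (compiled-in defaults apply)"
fi

# Find SSH keys
echo "3. SSH Keys"
# Home directories are taken from /etc/passwd rather than assuming /home, so
# service accounts (e.g. under /var/lib) and root are covered by one loop.
# Only the directory listing is recorded; key material is never copied.
while IFS=: read -r user _ _ _ _ home _; do
  [[ -n "$home" && -d "$home/.ssh" ]] || continue
  ls -la "$home/.ssh" > "$OUTPUT_DIR/ssh_keys_${user}.txt" 2>/dev/null || true
done < /etc/passwd
[[ -f "$OUTPUT_DIR/ssh_keys_root.txt" ]] || echo "No root SSH keys"

# Firewall & Network Security
echo "4. Firewall Configuration"
if command -v ufw >/dev/null 2>&1; then
  ufw status verbose > "$OUTPUT_DIR/ufw_status.txt" 2>/dev/null || echo "UFW not accessible"
fi
if command -v iptables >/dev/null 2>&1; then
  iptables -L -n -v > "$OUTPUT_DIR/iptables_rules.txt" 2>/dev/null || echo "iptables not accessible"
fi
if command -v nft >/dev/null 2>&1; then
  nft list ruleset > "$OUTPUT_DIR/nftables_rules.txt" 2>/dev/null || echo "nftables not accessible"
fi
if command -v firewall-cmd >/dev/null 2>&1; then
  firewall-cmd --list-all > "$OUTPUT_DIR/firewalld_config.txt" 2>/dev/null || echo "firewalld not accessible"
fi
# Open ports and listening services (ss first, netstat on older hosts).
ss -tuln > "$OUTPUT_DIR/open_ports.txt" 2>/dev/null \
  || netstat -tuln > "$OUTPUT_DIR/open_ports.txt" 2>/dev/null \
  || echo "Neither ss nor netstat could list listening sockets"

# Scheduled tasks
echo "5. Scheduled Tasks"
if [[ $EUID -eq 0 ]]; then
  crontab -l > "$OUTPUT_DIR/root_crontab.txt" 2>/dev/null || echo "No root crontab"
  # Other users' crontabs live only in the spool (Debian and RHEL layouts differ).
  for spool in /var/spool/cron/crontabs /var/spool/cron; do
    if [[ -d "$spool" ]]; then
      cp -r "$spool" "$OUTPUT_DIR/user_crontabs" 2>/dev/null || true
      break
    fi
  done
else
  # `crontab -l` shows the invoking user's table, so label it honestly when not root.
  crontab -l > "$OUTPUT_DIR/crontab_$(id -un).txt" 2>/dev/null || echo "No crontab for $(id -un)"
fi
if [[ -f /etc/crontab ]]; then
  cp /etc/crontab "$OUTPUT_DIR/"
fi
if [[ -d /etc/cron.d ]]; then
  cp -r /etc/cron.d "$OUTPUT_DIR/"
fi
# systemd timers schedule work just like cron and are easy to miss in a migration.
if command -v systemctl >/dev/null 2>&1; then
  systemctl list-timers --all --no-pager > "$OUTPUT_DIR/systemd_timers.txt" 2>/dev/null || true
fi

# Check for dangerous SUID files
echo "6. SUID/SGID Files"
# The full list is kept (a `head -50` would silently truncate it). Pseudo
# filesystems are pruned instead of using -xdev, which would skip a
# separately mounted /usr. find exits non-zero after any unreadable
# directory, which under `set -e` would abort the script, so its status is ignored.
find / \( -path /proc -o -path /sys -o -path /dev -o -path /run \) -prune \
  -o -type f \( -perm -4000 -o -perm -2000 \) -print \
  > "$OUTPUT_DIR/suid_files.txt" 2>/dev/null || true

# File permissions audit
echo "7. Critical File Permissions"
# -d lists the directories themselves (mode/owner) rather than their contents;
# ls exits 2 for any missing path, which must not abort the run.
ls -lad /etc/passwd /etc/shadow /etc/gshadow /etc/sudoers /etc/sudoers.d /etc/ssh \
  > "$OUTPUT_DIR/critical_file_perms.txt" 2>/dev/null || true

#######################################
# Record the last 50 "Failed password" lines of an auth log.
# Globals:   OUTPUT_DIR (read)
# Arguments: $1 - log file path
# Outputs:   failed_logins.txt in OUTPUT_DIR, or a message on stdout
# Returns:   0 always
#######################################
collect_failed_logins() {
  local log=$1
  if [[ ! -r "$log" ]]; then
    echo "Cannot read $log (run as root)"
    return 0
  fi
  # grep exits 1 when nothing matches; report that rather than abort the run.
  grep "Failed password" "$log" | tail -n 50 > "$OUTPUT_DIR/failed_logins.txt" \
    || echo "No failed login entries in $log"
}

# Failed login attempts
echo "8. Security Logs"
if [[ -f /var/log/auth.log ]]; then
  collect_failed_logins /var/log/auth.log
elif [[ -f /var/log/secure ]]; then
  collect_failed_logins /var/log/secure
elif command -v journalctl >/dev/null 2>&1; then
  # Journal-only hosts have no auth.log/secure file.
  journalctl --no-pager -q _COMM=sshd 2>/dev/null | grep "Failed password" | tail -n 50 \
    > "$OUTPUT_DIR/failed_logins.txt" || echo "No failed login entries in the journal"
else
  echo "No auth log found"
fi

# Check for sensitive data in environment
echo "9. Environment Security"
# Record only the NAMES of suspicious variables: their values are the secrets
# themselves and must not be written to disk as part of the discovery output.
env | cut -d= -f1 | grep -i -E '(password|key|secret|token)' \
  > "$OUTPUT_DIR/sensitive_env_vars.txt" || echo "No obvious sensitive env vars"

# Package manager security updates
echo "10. Security Updates"
if command -v apt >/dev/null 2>&1; then
  apt list --upgradable 2>/dev/null | grep -i security > "$OUTPUT_DIR/security_updates.txt" \
    || echo "No security updates found"
elif command -v dnf >/dev/null 2>&1 || command -v yum >/dev/null 2>&1; then
  pkg_mgr=dnf
  command -v dnf >/dev/null 2>&1 || pkg_mgr=yum
  # check-update exits 100 when updates ARE available, 0 when none and 1 on
  # error; treating 100 as failure reported pending updates as "none found".
  rc=0
  "$pkg_mgr" check-update --security > "$OUTPUT_DIR/security_updates.txt" 2>/dev/null || rc=$?
  case $rc in
    0) echo "No security updates found" ;;
    100) echo "Security updates pending: see security_updates.txt" ;;
    *) echo "$pkg_mgr check-update failed (exit $rc)" ;;
  esac
fi

echo "Security discovery completed at $(date)"
echo "Results in: $OUTPUT_DIR"
ls -la "$OUTPUT_DIR"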