
otseca


Open source security auditing tool to search and dump system configuration.



<p>
  <a rel="nofollow noopener" target="_blank" href="#introduction">Introduction</a>  |  <br /> <a rel="nofollow noopener" target="_blank" href="#description">Description</a>  |  <br /> <a rel="nofollow noopener" target="_blank" href="#requirements">Requirements</a>  |  <br /> <a rel="nofollow noopener" target="_blank" href="#output">Output</a>  |  <br /> <a rel="nofollow noopener" target="_blank" href="#parameters">Parameters</a>  |  <br /> <a rel="nofollow noopener" target="_blank" href="#reports">Reports</a>  |  <br /> <a rel="nofollow noopener" target="_blank" href="#how-it-works">How it works</a>  |  <br /> <a rel="nofollow noopener" target="_blank" href="#other">Other</a>
</p>

<p>
  Created by<br /> <a rel="nofollow noopener" target="_blank" href="https://twitter.com/trimstray">trimstray</a> and<br /> contributors
</p>

<h2 dir="auto">
  <a rel="nofollow noopener" target="_blank" id="user-content-introduction" class="anchor" aria-hidden="true" href="#introduction"></a>Introduction
</h2>

<h3 dir="auto">
  <a rel="nofollow noopener" target="_blank" id="user-content-the-main-goal" class="anchor" aria-hidden="true" href="#the-main-goal"></a>The main goal
</h3>

<p>
  The main goal in creating this tool was <strong>easier</strong> and <strong>faster</strong> delivery of <strong>command sets</strong> to be run on customer environments. From such a scan I wanted to get the most useful information about the system components that will later be subjected to penetration tests and audits.
</p>

<h3 dir="auto">
  <a rel="nofollow noopener" target="_blank" id="user-content-for-whom" class="anchor" aria-hidden="true" href="#for-whom"></a>For whom
</h3>

<p>
  <strong>Otseca</strong> facilitates the collection of a great deal of important information about a given system.<br /> It is useful for:
</p>

<p>
      ☑️ system administrators<br />     ☑️ security researchers<br />     ☑️ security professionals<br />     ☑️ pentesters<br />     ☑️ hackers
</p>

<h3 dir="auto">
  <a rel="nofollow noopener" target="_blank" id="user-content-how-to-use" class="anchor" aria-hidden="true" href="#how-to-use"></a>How To Use
</h3>

<p>
  It&#8217;s simple:
</p>

<pre># Clone this repository
git clone https://github.com/trimstray/otseca

# Go into the repository
cd otseca

# Install
./setup.sh install

# Run the app
otseca --ignore-failed --tasks system,network --output /tmp/report</pre>

<blockquote>
  <ul dir="auto">
    <li>
      symlink to <code>bin/otseca</code> is placed in <code>/usr/local/bin</code>
    </li>
    <li>
      man page is placed in <code>/usr/local/man/man8</code>
    </li>
  </ul>
</blockquote>

<blockquote>
  <p>
    <strong>Hint 1</strong><br /> If you do not want the script to be stopped after encountering errors add <code>--ignore-failed</code> script param.
  </p>
</blockquote>

<blockquote>
  <p>
    <strong>Hint 2</strong><br /> To run only selected tasks, use the <code>--tasks &lt;task_1,task_2,task_n&gt;</code> script param.
  </p>
</blockquote>

<h2 dir="auto">
  <a rel="nofollow noopener" target="_blank" id="user-content-description" class="anchor" aria-hidden="true" href="#description"></a>Description
</h2>

<p>
  <strong>Otseca</strong> is an open source security auditing tool to search and dump system configuration. It allows you to generate reports in <strong>HTML</strong> or <strong>RAW-HTML</strong> formats.<br /> The basic goal is to get as much information about the scanned system as possible for later analysis. <strong>Otseca</strong> contains many predefined commands, but nothing prevents you from creating your own according to your needs. In addition, it automates the entire information gathering process.<br /> After the scan finishes, a report is generated so that specific nooks of the system can be examined.
</p>

<h2 dir="auto">
  <a rel="nofollow noopener" target="_blank" id="user-content-requirements" class="anchor" aria-hidden="true" href="#requirements"></a>Requirements
</h2>

<p>
  This tool works with:
</p>

<ul dir="auto">
  <li>
    <strong>GNU/Linux</strong> (tested on Debian and CentOS)
  </li>
  <li>
    <strong>Bash</strong> (tested on 4.4.19)
  </li>
</ul>

<p>
  You will also need <strong>root access</strong>.
</p>

<h2 dir="auto">
  <a rel="nofollow noopener" target="_blank" id="user-content-output" class="anchor" aria-hidden="true" href="#output"></a>Output
</h2>

<p>
  An example result of collecting information from the local system:
</p>

<h2 dir="auto">
  <a rel="nofollow noopener" target="_blank" id="user-content-parameters" class="anchor" aria-hidden="true" href="#parameters"></a>Parameters
</h2>

<p>
  Below is a list of available options:
</p>

<pre>  Usage:
    otseca &lt;option|long-option&gt;

  Examples:
    otseca --help
    otseca --format html
    otseca --format html --ignore-failed
    otseca --format raw-html --tasks system,network

  Options:
        --help                      show this message
    -f|--format &lt;key&gt;               set output format (key: html/raw-html)
    -t|--tasks &lt;key&gt;                set specific task to do (key: system, kernel, permissions, services, network, distro, external)
    -o|--output &lt;path&gt;              set path to output directory report
        --show-errors               show stderr to output
        --ignore-failed             do not exit with nonzero on commands failed</pre>

<h2 dir="auto">
  <a rel="nofollow noopener" target="_blank" id="user-content-reports" class="anchor" aria-hidden="true" href="#reports"></a>Reports
</h2>

<p>
  <strong>Otseca</strong> generates reports in html (js, css and other) or raw-html (pure html) formats.
</p>

<blockquote>
  <p>
    Default path for reports is <code>{project}/data/output</code> directory. If you want to change it, add the <code>--output &lt;path&gt;</code> option to call the script.
  </p>
</blockquote>

<h3 dir="auto">
  <a rel="nofollow noopener" target="_blank" id="user-content-main-page-indexhtml" class="anchor" aria-hidden="true" href="#main-page-indexhtml"></a>Main page (index.html)
</h3>

<p>
  It&#8217;s the main file which contains a list of reports such as system or network.
</p>

<h3 dir="auto">
  <a rel="nofollow noopener" target="_blank" id="user-content-tasks-reports" class="anchor" aria-hidden="true" href="#tasks-reports"></a>Tasks reports
</h3>

<p>
  A full report consists of the following sections (stacks):
</p>

<ul dir="auto">
  <li>
    <strong>system</strong> &#8211; dump info from system commands (output file: system.all.log.html)
  </li>
  <li>
    <strong>kernel</strong> &#8211; dump info about kernel params (output file: kernel.all.log.html)
  </li>
  <li>
    <strong>permissions</strong> &#8211; dump info about permissions (output file: permissions.all.log.html)
  </li>
  <li>
    <strong>services</strong> &#8211; dump info about system services (output file: services.all.log.html)
  </li>
  <li>
    <strong>network</strong> &#8211; dump info from network layer (output file: network.all.log.html)
  </li>
  <li>
    <strong>distro</strong> &#8211; dump info about specific distribution (output file: distro.all.log.html)
  </li>
  <li>
    <strong>external</strong> &#8211; all external tasks, i.e. user-defined tasks or tasks included from the <code>etc/</code> directory (output file: external.all.log.html)
  </li>
</ul>

<p>
  HTML reports consist of the following blocks (example):
</p>

<h2 dir="auto">
  <a rel="nofollow noopener" target="_blank" id="user-content-how-it-works" class="anchor" aria-hidden="true" href="#how-it-works"></a>How it works
</h2>

<h3 dir="auto">
  <a rel="nofollow noopener" target="_blank" id="user-content-tasks" class="anchor" aria-hidden="true" href="#tasks"></a>Tasks
</h3>

<p>
  <strong>Otseca</strong> divides its work into <strong>tasks</strong>. Each task runs a defined set of commands (e.g. from the file <code>etc/otseca.conf</code>). By default seven tasks are available: <strong>system</strong>, <strong>kernel</strong>, <strong>permissions</strong>, <strong>services</strong>, <strong>network</strong>, <strong>distro</strong> and <strong>external</strong>.<br /> By default all tasks are performed, but you can select them with the <code>--tasks</code> parameter, giving one or more tasks as an argument. For example:
</p>

<pre>otseca --ignore-failed --tasks system,kernel</pre>

<h3 dir="auto">
  <a rel="nofollow noopener" target="_blank" id="user-content-commands" class="anchor" aria-hidden="true" href="#commands"></a>Commands
</h3>

<p>
  These are the actual <strong>commands</strong>, read from the configuration file and grouped into tasks.<br /> Here is an example of a network task containing several built-in commands:
</p>

<pre>NETWORK_STACK=(
  "_exec hostname -f"
  "_exec ifconfig -a"
  "_exec iwconfig"
  "_exec netstat -tunap"
  "_exec netstat -rn"
  "_exec iptables -nL -v"
  "_exec iptables -nL -v -t nat"
  "_exec iptables -S"
  "_exec lsof -ni"
)</pre>

<h3 dir="auto">
  <a rel="nofollow noopener" target="_blank" id="user-content-submodules" class="anchor" aria-hidden="true" href="#submodules"></a>Submodules
</h3>

<p>
  <strong>Submodules</strong> are built-in functions that perform the commands described above. Here is the list of submodules:
</p>

<ul dir="auto">
  <li>
    <strong>_exec</strong> &#8211; runs standard commands, eg. <code>_exec ls -l /etc/rsyslog.conf</code>
  </li>
  <li>
    <strong>_grep</strong> &#8211; is responsible for searching for strings in files, eg. <code>_grep max_log_file /etc/audit/auditd.conf</code>
  </li>
  <li>
    <strong>_stat</strong> &#8211; collects information about files, eg. <code>_stat /etc/ssh/sshd_config</code>
  </li>
  <li>
    <strong>_sysctl</strong> &#8211; compares the values of the kernel parameters, eg. <code>_sysctl fs.suid_dumpable 1</code>
  </li>
  <li>
    <strong>_systemctl</strong> &#8211; checks the operation of services, eg. <code>_systemctl httpd</code>
  </li>
</ul>

<h3 dir="auto">
  <a rel="nofollow noopener" target="_blank" id="user-content-output-states" class="anchor" aria-hidden="true" href="#output-states"></a>Output states
</h3>

<p>
  <strong>Otseca</strong> supports three output (response) states:
</p>

<ul dir="auto">
  <li>
    <strong>DONE</strong> &#8211; informs that the command was executed correctly; most often it means the check did not find what it was looking for, which is good news. The report is marked in <strong>green</strong>: <ul dir="auto">
      <li>
        from console output:
      </li>
      <li>
        from report output:
      </li>
    </ul>
  </li>
  
  <li>
    <strong>WARN</strong> &#8211; informs that the command was not executed correctly (syntax error, missing command, file not found, etc.). The report is marked in <strong>yellow</strong>: <ul dir="auto">
      <li>
        from console output:
      </li>
      <li>
        from report output:
      </li>
    </ul>
  </li>
  
  <li>
    <strong>TRUE</strong> &#8211; informs that the command was executed correctly and found what we were looking for, e.g. overly permissive permissions on the file <code>/etc/sudoers</code>. The report is marked in <strong>red</strong>: <ul dir="auto">
      <li>
        from console output:
      </li>
      <li>
        from report output:
      </li>
    </ul>
  </li>
</ul>
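<p>
  The Commands, Submodules and Output states sections above describe how a stack entry such as <code>_grep max_log_file /etc/audit/auditd.conf</code> is dispatched to a submodule and mapped to DONE, WARN or TRUE. The following is an added example, not otseca&#8217;s own code: a small Bash runner that reimplements that dispatch for <code>_exec</code>, <code>_grep</code>, <code>_stat</code> and <code>_sysctl</code> over constructed files, so that each of the three states is actually produced. The rules for what each submodule flags as TRUE (a world-writable file for <code>_stat</code>, a matching pattern for <code>_grep</code>, a live kernel value equal to the flagged value for <code>_sysctl</code>) and the internal return-code convention are assumptions chosen for the illustration, not otseca&#8217;s implementation; <code>_systemctl</code> is left out because its result depends on a running systemd.
</p>

```shell
#!/usr/bin/env bash
# Added illustration, not otseca's own code: a minimal stack runner that
# reproduces the three otseca output states for each "<submodule> <args>"
# entry of a task stack.
#   DONE - the command ran and nothing of interest was found
#   WARN - the command could not be run (missing binary, unreadable file, bad key)
#   TRUE - the check ran and found what it was looking for
# The submodule names mirror the README; the rules below (what each one treats
# as TRUE) are assumptions chosen to illustrate the states.
# Internal return codes: 0 = DONE, 1 = TRUE, 2 = WARN.

_exec() {
  # Dump the output of an arbitrary command; a non-zero exit (including 127,
  # command not found) is a WARN.
  local output
  if output=$("$@" 2>/dev/null); then
    printf '%s\n' "$output"
    return 0
  fi
  return 2
}

_grep() {
  # _grep <pattern> <file>: TRUE when the pattern occurs, DONE when it does not,
  # WARN when the file cannot be read.
  local pattern=$1 file=$2
  [ -r "$file" ] || return 2
  grep -q -- "$pattern" "$file" && return 1
  return 0
}

_stat() {
  # _stat <file>: TRUE when the file is world-writable, WARN when it is missing.
  # Column 9 of "ls -ld" is the "other" write bit, which keeps this POSIX-portable.
  local file=$1 perms
  perms=$(ls -ld -- "$file" 2>/dev/null) || return 2
  [ "$(printf '%s' "$perms" | cut -c9)" = "w" ] && return 1
  return 0
}

_sysctl() {
  # _sysctl <key> <flagged_value>: TRUE when the live kernel value equals the
  # value the check considers insecure (e.g. fs.suid_dumpable 1), DONE otherwise,
  # WARN when the key is not readable under /proc/sys.
  local key=$1 flagged=$2 path current
  path="/proc/sys/$(printf '%s' "$key" | tr . /)"
  current=$(cat -- "$path" 2>/dev/null) || return 2
  [ "$current" = "$flagged" ] && return 1
  return 0
}

state_name() {
  case "$1" in
    0) echo DONE ;;
    1) echo TRUE ;;
    *) echo WARN ;;
  esac
}

# check_state "<submodule> <args>": run one stack entry and print its state.
# Word-splitting the entry is intentional; that is how the config strings are written.
check_state() {
  local rc=0
  # shellcheck disable=SC2086
  $1 >/dev/null 2>&1 || rc=$?
  state_name "$rc"
}

# run_stack "<entry>" ...: print one "<STATE>  <entry>" line per stack entry,
# the way the tool's console output does.
run_stack() {
  local entry
  for entry in "$@"; do
    printf '%-4s  %s\n' "$(check_state "$entry")" "$entry"
  done
}

# Demo on constructed files (not real system files) so it runs offline.
demo_dir=$(mktemp -d)
printf 'max_log_file = 8\n' > "$demo_dir/auditd.conf"
: > "$demo_dir/sudoers"
chmod 0666 "$demo_dir/sudoers"          # deliberately world-writable -> TRUE
run_stack \
  "_exec uname -r" \
  "_exec no_such_binary_for_demo" \
  "_grep max_log_file $demo_dir/auditd.conf" \
  "_grep num_logs $demo_dir/auditd.conf" \
  "_stat $demo_dir/sudoers" \
  "_sysctl fs.suid_dumpable 1"
rm -rf "$demo_dir"
```

<p>
  Run it with <code>bash</code>; the demo prints one line per entry, with the missing binary reported as WARN, the matching grep and the world-writable file as TRUE, and the rest as DONE (the <code>_sysctl</code> line is WARN on systems where <code>/proc/sys</code> is not readable). When reading a real report, treat WARN as &#8220;not assessed&#8221; rather than &#8220;fine&#8221;: a missing <code>iptables</code> or <code>auditd.conf</code> tells you nothing about the control itself, so those entries need to be re-checked by hand.
</p>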

<h2 dir="auto">
  <a rel="nofollow noopener" target="_blank" id="user-content-other" class="anchor" aria-hidden="true" href="#other"></a>Other
</h2>

<h3 dir="auto">
  <a rel="nofollow noopener" target="_blank" id="user-content-contributing" class="anchor" aria-hidden="true" href="#contributing"></a>Contributing
</h3>

<p>
  See <strong>this</strong>.
</p>

<h3 dir="auto">
  <a rel="nofollow noopener" target="_blank" id="user-content-project-architecture" class="anchor" aria-hidden="true" href="#project-architecture"></a>Project architecture
</h3>

<p>
  See <strong>this</strong>.
</p>

<h2 dir="auto">
  <a rel="nofollow noopener" target="_blank" id="user-content-license" class="anchor" aria-hidden="true" href="#license"></a>License
</h2>

<p>
  GPLv3 : <a rel="nofollow noopener" target="_blank" href="http://www.gnu.org/licenses/">http://www.gnu.org/licenses/</a><br /> <strong>Free software, Yeah!</strong><br />
</p>