Created
March 10, 2025 14:13
-
-
Save dot-mike/1243f8ff0173e86f53d36806cdd818c3 to your computer and use it in GitHub Desktop.
Ubuntu system evidence collection script
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Evidence Collection Script | |
| # Gathers system and application information for auditing | |
| # ====================== CONFIGURATION SECTION ====================== | |
| # Configure services to check here | |
| SERVICES_TO_CHECK=( | |
| #"glusterd" | |
| ) | |
| # Configure evidence collection output | |
| LOGFILE="datacollection.log" | |
| ZIP_FILE="system_evidence.zip" | |
| CSV_REPORT="system_report.csv" | |
| # ====================== END CONFIGURATION ====================== | |
| REQUIRED_COMMANDS=( | |
| "zip" | |
| ) | |
| check_dependencies() { | |
| local missing_deps=0 | |
| echo "[*] Checking required dependencies..." | |
| for cmd in "${REQUIRED_COMMANDS[@]}"; do | |
| if ! command -v "$cmd" &>/dev/null; then | |
| echo "[!] Error: Required command '$cmd' is not installed or not in PATH" | |
| missing_deps=$((missing_deps + 1)) | |
| fi | |
| done | |
| if [ $missing_deps -gt 0 ]; then | |
| echo "[!] Missing $missing_deps required dependencies. Please install them first." | |
| exit 1 | |
| else | |
| echo "[+] All required dependencies are available" | |
| fi | |
| } | |
| check_dependencies | |
| SCRIPT_DIR="$(dirname "$(readlink -f "$0")")" | |
| TEMP_DIR=$(mktemp -d) | |
| if [[ $EUID != 0 ]]; then | |
| echo "[!] This script must be run with root privileges!" | |
| exit 255 | |
| fi | |
| touch "$TEMP_DIR/$LOGFILE" | |
| collect_evidence() { | |
| local description=$1 | |
| local command=$2 | |
| local filename=$3 | |
| echo "[+] Collecting $description" | |
| echo "[+] $description" >> "$TEMP_DIR/$LOGFILE" | |
| echo "Command: $command" >> "$TEMP_DIR/$LOGFILE" | |
| eval "$command" > "$TEMP_DIR/$filename" | |
| echo "[+] Saved to $TEMP_DIR/$filename" | |
| echo "---------------------------------" >> "$TEMP_DIR/$LOGFILE" | |
| } | |
| declare -A compliance_details | |
| get_compliance_details() { | |
| # System information | |
| compliance_details[OS_Pretty_Name]="$(grep PRETTY_NAME /etc/os-release | cut -d '=' -f2 | tr -d '"')" | |
| compliance_details[Kernel_Version]="$(uname -r)" | |
| compliance_details[Timezone]="$(timedatectl | grep 'Time zone' | awk '{print $3}')" | |
| compliance_details[Hostname]="$(hostname)" | |
| compliance_details[Uptime]="$(uptime -p)" | |
| compliance_details[CPU_Cores]="$(nproc)" | |
| compliance_details[RAM_Total]="$(free -h | awk '/^Mem:/ {print $2}')" | |
| compliance_details[Free_Disk_Root]="$(df -h / | awk 'NR==2 {print $4}')" | |
| # Full Evidence Collection | |
| collect_evidence "CPU Information" "lscpu" "cpu_info.txt" | |
| collect_evidence "Memory Information" "cat /proc/meminfo" "memory_info.txt" | |
| collect_evidence "Disk Usage" "df -h" "disk_usage.txt" | |
| collect_evidence "Partitions" "lsblk" "partitions.txt" | |
| collect_evidence "Disk UUIDs" "ls -lh /dev/disk/by-uuid/" "disk_uuids.txt" | |
| collect_evidence "Volume Groups" "vgdisplay" "volume_groups.txt" | |
| collect_evidence "Logical Volumes" "lvdisplay" "logical_volumes.txt" | |
| collect_evidence "Physical Volumes" "pvdisplay" "physical_volumes.txt" | |
| collect_evidence "IP Addresses" "ip a" "ip_addresses.txt" | |
| collect_evidence "Routing Table" "ip r" "routing_table.txt" | |
| collect_evidence "Listening Ports" "ss -tulnp" "listening_ports.txt" | |
| collect_evidence "User List" "cat /etc/passwd" "user_list.txt" | |
| collect_evidence "Group List" "cat /etc/group" "group_list.txt" | |
| collect_evidence "Running Services" "systemctl list-units --type=service --state=running" "running_services.txt" | |
| collect_evidence "Installed Packages" "dpkg -l" "installed_packages.txt" | |
| for service in "${SERVICES_TO_CHECK[@]}"; do | |
| check_service_status "$service" | |
| done | |
| compliance_details[Last_Boot]="$(who -b | awk '{print $3, $4}' 2>/dev/null || echo 'Unknown')" | |
| compliance_details[System_Load]="$(uptime | awk -F'load average:' '{print $2}' 2>/dev/null || echo 'Unknown')" | |
| compliance_details[Last_Updated]="$(date -r /var/log/apt/history.log 2>/dev/null || echo 'Unknown')" | |
| compliance_details[Firewall_Status]="$(systemctl is-active ufw 2>/dev/null || echo 'Inactive/Not installed')" | |
| } | |
| check_service_status() { | |
| local service=$1 | |
| if systemctl is-enabled --quiet "$service" 2>/dev/null; then | |
| compliance_details["${service}_Status"]="Enabled" | |
| compliance_details["${service}_Active"]="$(systemctl is-active "$service" 2>/dev/null || echo 'Unknown')" | |
| else | |
| compliance_details["${service}_Status"]="Disabled/Not installed" | |
| compliance_details["${service}_Active"]="Inactive" | |
| fi | |
| } | |
| generate_text_report() { | |
| REPORT_FILE="$TEMP_DIR/compliance_report.txt" | |
| echo "Generating text report..." | |
| echo "SYSTEM EVIDENCE REPORT - $(date '+%Y-%m-%d %H:%M:%S')" > "$REPORT_FILE" | |
| echo "=================================================" >> "$REPORT_FILE" | |
| echo "" >> "$REPORT_FILE" | |
| for key in "${!compliance_details[@]}"; do | |
| echo "%%%--- ${key}:" >> "$REPORT_FILE" | |
| echo "${compliance_details[$key]}" >> "$REPORT_FILE" | |
| echo "" >> "$REPORT_FILE" | |
| done | |
| } | |
| generate_csv() { | |
| TEMP_CSV_FILE="$TEMP_DIR/compliance_report.csv" | |
| FINAL_CSV_FILE="$SCRIPT_DIR/$CSV_REPORT" | |
| echo "# System Evidence Report generated on $(date '+%Y-%m-%d %H:%M:%S')" > "$TEMP_CSV_FILE" | |
| echo "Key,Value" >> "$TEMP_CSV_FILE" | |
| echo "# System Information" >> "$TEMP_CSV_FILE" | |
| for key in "OS_Pretty_Name" "Kernel_Version" "Hostname" "Timezone" "Uptime" "Last_Boot" "System_Load"; do | |
| echo "$key,\"${compliance_details[$key]}\"" >> "$TEMP_CSV_FILE" | |
| done | |
| echo "# Hardware Information" >> "$TEMP_CSV_FILE" | |
| for key in "CPU_Cores" "RAM_Total" "Free_Disk_Root"; do | |
| echo "$key,\"${compliance_details[$key]}\"" >> "$TEMP_CSV_FILE" | |
| done | |
| echo "# Service Status" >> "$TEMP_CSV_FILE" | |
| for service in "${SERVICES_TO_CHECK[@]}"; do | |
| echo "${service}_Status,\"${compliance_details["${service}_Status"]}\"" >> "$TEMP_CSV_FILE" | |
| echo "${service}_Active,\"${compliance_details["${service}_Active"]}\"" >> "$TEMP_CSV_FILE" | |
| done | |
| cp "$TEMP_CSV_FILE" "$FINAL_CSV_FILE" | |
| echo "[+] CSV report saved to $FINAL_CSV_FILE" | |
| } | |
| handle_error() { | |
| local exit_code=$? | |
| local line_number=$1 | |
| if [ $exit_code -ne 0 ]; then | |
| echo "[!] Error on line $line_number: Command exited with status $exit_code" | tee -a "$TEMP_DIR/$LOGFILE" | |
| fi | |
| } | |
| trap 'handle_error $LINENO' ERR | |
| get_compliance_details | |
| echo "[+] Collecting system details completed" | |
| # Generate individual files for each data point | |
| for key in "${!compliance_details[@]}"; do | |
| echo "[+] Processing $key" | |
| echo "${compliance_details[$key]}" > "$TEMP_DIR/${key}.txt" | |
| echo "$key: ${compliance_details[$key]}" >> "$TEMP_DIR/$LOGFILE" | |
| echo "---------------------------------" >> "$TEMP_DIR/$LOGFILE" | |
| done | |
| generate_text_report | |
| generate_csv | |
| echo "[+] Reports generated successfully" | |
| echo "[+] Creating archive..." | |
| zip -r "$SCRIPT_DIR/$ZIP_FILE" "$TEMP_DIR" > /dev/null 2>&1 | |
| echo "[+] Evidence collection complete" | |
| echo "[+] Logs and reports saved in $SCRIPT_DIR/$ZIP_FILE" | |
| echo "[+] CSV report saved separately at $SCRIPT_DIR/$CSV_REPORT" | |
| rm -rf "$TEMP_DIR" | |
| exit 0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment