Axsi Mini Shell

Current Path : /tmp/toor_audit_20260515_064509/
Upload File
Current File : //tmp/toor_audit_20260515_064509/findings.tsv

INFO	kernel	Kernel: 5.4.0-216-generic			0
INFO	kernel	Ubuntu 20.04 (focal)			0
WARNING	kernel	Unprivileged user namespaces enabled	kernel.unprivileged_userns_clone=1 — enables OverlayFS-based LPE on unpatched kernels	echo 'kernel.unprivileged_userns_clone=0' >> /etc/sysctl.d/99-hardening.conf && sysctl -p	4
CRITICAL	kernel	Likely vulnerable to Ubuntu OverlayFS LPE (CVE-2021-3493)	Kernel 5.4.0-216-generic (Ubuntu 20.04) — unprivileged overlayfs setuid file creation	apt update && apt full-upgrade	9
CRITICAL	kernel	Likely vulnerable to nf_tables anon-set UAF (CVE-2023-32233)	Kernel 5.4.0-216-generic in range 5.1–6.3.1 — anonymous netfilter set use-after-free	Upgrade kernel: apt update && apt full-upgrade	9
CRITICAL	kernel	Likely vulnerable to nf_tables OOB write (CVE-2022-1015)	Kernel 5.4.0-216-generic in range 5.1–5.17.3 — nft_validate_register_store() bounds check bypass	Upgrade kernel: apt update && apt full-upgrade	9
CRITICAL	kernel	Likely vulnerable to Polkit D-Bus race (CVE-2021-3560)	polkit 0.105 < 0.119 + accounts-daemon running — CreateUser auth bypass	apt update && apt install -y policykit-1	8
PASS	sysctl	kernel.randomize_va_space = 2 ✓			0
PASS	sysctl	kernel.kptr_restrict = 1 ✓			0
WARNING	sysctl	dmesg readable by unprivileged users (info leak)	kernel.dmesg_restrict = 0 (expected eq 1)	echo 'kernel.dmesg_restrict = 1' >> /etc/sysctl.d/99-hardening.conf && sysctl -p	2
PASS	sysctl	kernel.perf_event_paranoid = 3 ✓			0
PASS	sysctl	kernel.yama.ptrace_scope = 1 ✓			0
INFO	sysctl	fs.protected_hardlinks not available on this kernel			0
INFO	sysctl	fs.protected_symlinks not available on this kernel			0
WARNING	sysctl	SUID processes can create core dumps (credential leak)	fs.suid_dumpable = 2 (expected eq 0)	echo 'fs.suid_dumpable = 0' >> /etc/sysctl.d/99-hardening.conf && sysctl -p	2
WARNING	sysctl	Unprivileged eBPF enabled — potential LPE vector	kernel.unprivileged_bpf_disabled = 2 (expected eq 1)	echo 'kernel.unprivileged_bpf_disabled = 1' >> /etc/sysctl.d/99-hardening.conf && sysctl -p	3
INFO	sysctl	net.core.bpf_jit_harden not available on this kernel			0
PASS	sysctl	KASLR enabled (nokaslr not in /proc/cmdline) ✓			0
PASS	sysctl	SMEP enabled (CPU flag present) ✓			0
PASS	sysctl	SMAP enabled (CPU flag present) ✓			0
PASS	sysctl	PTI: Not affected ✓			0
PASS	sysctl	spectre_v1: Mitigation: usercopy/swapgs barriers and __user pointer sanitization ✓			0
PASS	sysctl	spectre_v2: Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence; BHI: SW loop, KVM: SW loop ✓			0
PASS	sysctl	spec_store_bypass: Mitigation: Speculative Store Bypass disabled via prctl and seccomp ✓			0
INFO	sysctl	SELinux: not present			0
PASS	sysctl	AppArmor: enabled (? profiles loaded) ✓			0
INFO	sudo	Sudo version: 1.8.31			0
CRITICAL	sudo	Sudo version may be vulnerable to Baron Samedit (CVE-2021-3156)	sudo 1.8.31 — heap overflow via sudoedit -s	apt update && apt install -y sudo	7
CRITICAL	sudo	Sudo may be vulnerable to CVE-2019-14287 (user=\#-1 bypass)	sudo 1.8.31 < 1.8.28	apt install -y sudo	6
WARNING	sudo	Sudo version vulnerable to CVE-2019-18634 but pwfeedback not detected	sudo 1.8.31 — would be exploitable if pwfeedback is added to sudoers	apt update && apt install -y sudo	3
INFO	sudo	sudo -l requires password — passwordless listing unavailable	Run 'sudo -l' manually to see full privilege list		0
PASS	sudo	/etc/sudoers permissions: 440 root root ✓			0
INFO	suid	Total SUID binaries found: 17 (scanned standard paths)			0
PASS	suid	Only standard SUID binaries present			0
PASS	suid	No world-writable SUID/SGID binaries			0
INFO	suid	Total SGID binaries: 11 (scanned standard paths)			0
CRITICAL	caps	24 binary(ies) with dangerous capabilities	/snap/snapd/26865/usr/lib/snapd/snap-confine = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin,cap_sys_resource+p
/snap/snapd/26382/usr/lib/snapd/snap-confine = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin,cap_sys_resource+p
/snap/snapd/26865/usr/lib/snapd/snap-confine = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin,cap_sys_resource+p
/snap/snapd/26382/usr/lib/snapd/snap-confine = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin,cap_sys_resource+p
/snap/snapd/26865/usr/lib/snapd/snap-confine = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin,cap_sys_resource+p
/snap/snapd/26382/usr/lib/snapd/snap-confine = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin,cap_sys_resource+p
/snap/snapd/26865/usr/lib/snapd/snap-confine = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin,cap_sys_resource+p
/snap/snapd/26382/usr/lib/snapd/snap-confine = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin,cap_sys_resource+p
/snap/snapd/26865/usr/lib/snapd/snap-confine = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin,cap_sys_resource+p
/snap/snapd/26382/usr/lib/snapd/snap-confine = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin,cap_sys_resource+p	Remove capabilities: setcap -r <file>	7
INFO	caps	All binaries with capabilities: 10			0
PASS	files	/etc/shadow permissions: 640 root:shadow ✓			0
PASS	files	/etc/passwd permissions: 644 root:root ✓			0
PASS	files	/etc/gshadow permissions: 640 root:shadow ✓			0
PASS	files	/etc/sudoers permissions: 440 root:root ✓			0
WARNING	files	Insecure /etc/ssh/sshd_config: mode=644(want 600) 		chmod 600 /etc/ssh/sshd_config && chown root:root /etc/ssh/sshd_config	3
PASS	files	/etc/crontab permissions: 644 root:root ✓			0
PASS	files	/boot/grub/grub.cfg permissions: 444 root:root ✓			0
PASS	files	No world-writable directories missing sticky bit			0
PASS	files	No world-writable files in /etc			0
PASS	path	PATH directories are not writable			0
PASS	cron	Cron directories properly owned/secured			0
PASS	cron	Cron-referenced scripts are not writable			0
INFO	cron	0 user crontab(s) present			0
INFO	cron	12 systemd timer(s) active			0
PASS	systemd	Systemd unit files properly owned			0
PASS	systemd	Systemd ExecStart scripts are not writable			0
PASS	users	Only root has UID 0			0
INFO	users	Cannot read /etc/shadow — run as root for full password audit			0
PASS	users	System accounts use non-login shells			0
CRITICAL	ssh	SSH PermitRootLogin = yes		Set PermitRootLogin no in /etc/ssh/sshd_config	6
PASS	ssh	SSH password authentication disabled ✓			0
PASS	ssh	SSH PermitEmptyPasswords = no ✓			0
PASS	containers	No users in lxd group			0
INFO	containers	Users in 'adm' group (log access): syslog — verify necessity			0
WARNING	pam	No account lockout policy (brute-force not mitigated)	No pam_faillock or pam_tally2 found in /etc/pam.d/	Configure pam_faillock: authselect enable-feature with-faillock	3
WARNING	pam	No password quality requirements configured		apt install libpam-pwquality && configure minlen=12 in /etc/security/pwquality.conf	2
PASS	pam	No pam_exec/pam_script modules in use			0
PASS	env	No global LD_PRELOAD/LD_LIBRARY_PATH			0
PASS	env	Library directories not writable by non-root			0
WARNING	env	/tmp missing mount options: nosuid nodev noexec 	Mount options: rw,relatime	Add nosuid,nodev,noexec to /tmp in /etc/fstab and remount	3
INFO	nfs	/etc/exports not found or not readable — NFS not configured			0
INFO	polkit	PolicyKit version: 0.105-26ubuntu1.3 (SUID pkexec: 1)			0
CRITICAL	polkit	pkexec likely vulnerable to PwnKit (CVE-2021-4034)	SUID pkexec present; polkit version 0.105-26ubuntu1.3	apt update && apt install -y policykit-1	8
WARNING	mac	AppArmor loaded but no profiles active		aa-enforce /etc/apparmor.d/*	3
PASS	mac	Unattended security upgrades installed			0
PASS	packages	No pending security updates			0
WARNING	packages	Compiler/exploitation tools installed: strace ltrace netcat nc tcpdump python3 perl	These tools assist in exploit compilation and post-exploitation	Remove on production servers: apt remove gcc gdb strace nmap netcat	2
PASS	creds	No obvious credentials in shell history			0
PASS	creds	No obvious credentials in environment			0
PASS	creds	SSH private key permissions appear correct			0
WARNING	persistence	Executable files in /tmp or /var/tmp	/tmp/alfacgiapi/getheader.alfa
/tmp/.gsusr-33/defunct
/tmp/wos.php
/tmp/xx/serve
/var/tmp/xmrig-6.22.2/xmrig
/var/tmp/xmrig-6.22.2/SHA256SUMS	Investigate each file; remove if suspicious	3
PASS	persistence	No encoded payload patterns in cron/systemd			0
PASS	persistence	No SUID files in temp directories			0