<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8">
<title>Toor PrivEsc Audit Report</title>
<style>*{margin:0;padding:0;box-sizing:border-box}
body{background:#0f172a;color:#e2e8f0;font-family:system-ui,sans-serif;padding:32px;line-height:1.6}
code{background:#334155;padding:2px 6px;border-radius:4px;font-size:12px}</style>
</head><body><div style="max-width:960px;margin:0 auto">
<div style="text-align:center;padding:40px 0">
<div style="font-size:13px;color:#64748b;letter-spacing:3px;text-transform:uppercase">Toor PrivEsc Audit v2.0.0</div>
<h1 style="font-size:28px;margin:8px 0">Security Assessment Report</h1>
<div style="color:#64748b;font-size:14px">ubuntu-s-2vcpu-2gb-intel-blr1-01 &middot; 5.4.0-216-generic &middot; 2026-05-15T06:45:30</div>
<div style="width:180px;height:180px;margin:24px auto;position:relative">
<svg width="180" height="180" viewBox="0 0 180 180" style="transform:rotate(-90deg)">
<circle cx="90" cy="90" r="78" fill="none" stroke="#1e293b" stroke-width="12"/>
<circle cx="90" cy="90" r="78" fill="none" stroke="#ef4444" stroke-width="12"
  stroke-dasharray="0 490" stroke-linecap="round"/></svg>
<div style="position:absolute;top:50%;left:50%;transform:translate(-50%,-50%);font-size:42px;font-weight:800;color:#ef4444">0</div>
<div style="position:absolute;top:68%;left:50%;transform:translate(-50%,0);font-size:18px;color:#94a3b8">F</div>
</div></div>
<div style="display:flex;gap:16px;justify-content:center;margin:24px 0;flex-wrap:wrap">
<div style="background:#1e293b;padding:16px 24px;border-radius:12px;text-align:center;min-width:100px">
<div style="font-size:28px;font-weight:700;color:#22c55e">43</div>
<div style="font-size:12px;color:#94a3b8;text-transform:uppercase;letter-spacing:1px">Passed</div></div>
<div style="background:#1e293b;padding:16px 24px;border-radius:12px;text-align:center;min-width:100px">
<div style="font-size:28px;font-weight:700;color:#ef4444">9</div>
<div style="font-size:12px;color:#94a3b8;text-transform:uppercase;letter-spacing:1px">Critical</div></div>
<div style="background:#1e293b;padding:16px 24px;border-radius:12px;text-align:center;min-width:100px">
<div style="font-size:28px;font-weight:700;color:#f59e0b">12</div>
<div style="font-size:12px;color:#94a3b8;text-transform:uppercase;letter-spacing:1px">Warnings</div></div>
<div style="background:#1e293b;padding:16px 24px;border-radius:12px;text-align:center;min-width:100px">
<div style="font-size:28px;font-weight:700;color:#64748b">17</div>
<div style="font-size:12px;color:#94a3b8;text-transform:uppercase;letter-spacing:1px">Info</div></div></div>
<div style="font-size:14px;color:#64748b;text-transform:uppercase;letter-spacing:2px;margin:32px 0 12px">All Findings</div>
<div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #64748b;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">Kernel: 5.4.0-216-generic</span><span style="background:#64748b22;color:#64748b;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">INFO</span></div><div style="color:#64748b;font-size:12px">kernel</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #64748b;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">Ubuntu 20.04 (focal)</span><span style="background:#64748b22;color:#64748b;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">INFO</span></div><div style="color:#64748b;font-size:12px">kernel</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #f59e0b;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">Unprivileged user namespaces enabled</span><span style="background:#f59e0b22;color:#f59e0b;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">WARNING</span></div><div style="color:#64748b;font-size:12px">kernel</div><div style="color:#94a3b8;font-size:13px;margin-top:4px;white-space:pre-wrap">kernel.unprivileged_userns_clone=1 — enables OverlayFS-based LPE on unpatched kernels</div><div style="margin-top:6px;padding:8px 12px;background:#0f172a;border-left:3px solid #38bdf8;border-radius:4px;font-size:13px"><b>Fix:</b> <code>echo &#x27;kernel.unprivileged_userns_clone=0&#x27; &gt;&gt; /etc/sysctl.d/99-hardening.conf &amp;&amp; sysctl -p</code></div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #ef4444;margin-bottom:8px"><div 
style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">Likely vulnerable to Ubuntu OverlayFS LPE (CVE-2021-3493)</span><span style="background:#ef444422;color:#ef4444;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">CRITICAL</span></div><div style="color:#64748b;font-size:12px">kernel</div><div style="color:#94a3b8;font-size:13px;margin-top:4px;white-space:pre-wrap">Kernel 5.4.0-216-generic (Ubuntu 20.04) — unprivileged overlayfs setuid file creation</div><div style="margin-top:6px;padding:8px 12px;background:#0f172a;border-left:3px solid #38bdf8;border-radius:4px;font-size:13px"><b>Fix:</b> <code>apt update &amp;&amp; apt full-upgrade</code></div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #ef4444;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">Likely vulnerable to nf_tables anon-set UAF (CVE-2023-32233)</span><span style="background:#ef444422;color:#ef4444;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">CRITICAL</span></div><div style="color:#64748b;font-size:12px">kernel</div><div style="color:#94a3b8;font-size:13px;margin-top:4px;white-space:pre-wrap">Kernel 5.4.0-216-generic in range 5.1–6.3.1 — anonymous netfilter set use-after-free</div><div style="margin-top:6px;padding:8px 12px;background:#0f172a;border-left:3px solid #38bdf8;border-radius:4px;font-size:13px"><b>Fix:</b> <code>Upgrade kernel: apt update &amp;&amp; apt full-upgrade</code></div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #ef4444;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">Likely vulnerable to nf_tables OOB write (CVE-2022-1015)</span><span style="background:#ef444422;color:#ef4444;padding:2px 
10px;border-radius:12px;font-size:12px;font-weight:600">CRITICAL</span></div><div style="color:#64748b;font-size:12px">kernel</div><div style="color:#94a3b8;font-size:13px;margin-top:4px;white-space:pre-wrap">Kernel 5.4.0-216-generic in range 5.1–5.17.3 — nft_validate_register_store() bounds check bypass</div><div style="margin-top:6px;padding:8px 12px;background:#0f172a;border-left:3px solid #38bdf8;border-radius:4px;font-size:13px"><b>Fix:</b> <code>Upgrade kernel: apt update &amp;&amp; apt full-upgrade</code></div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #ef4444;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">Likely vulnerable to Polkit D-Bus race (CVE-2021-3560)</span><span style="background:#ef444422;color:#ef4444;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">CRITICAL</span></div><div style="color:#64748b;font-size:12px">kernel</div><div style="color:#94a3b8;font-size:13px;margin-top:4px;white-space:pre-wrap">polkit 0.105 &lt; 0.119 + accounts-daemon running — CreateUser auth bypass</div><div style="margin-top:6px;padding:8px 12px;background:#0f172a;border-left:3px solid #38bdf8;border-radius:4px;font-size:13px"><b>Fix:</b> <code>apt update &amp;&amp; apt install -y policykit-1</code></div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #22c55e;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">kernel.randomize_va_space = 2 ✓</span><span style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div style="color:#64748b;font-size:12px">sysctl</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #22c55e;margin-bottom:8px"><div 
style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">kernel.kptr_restrict = 1 ✓</span><span style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div style="color:#64748b;font-size:12px">sysctl</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #f59e0b;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">dmesg readable by unprivileged users (info leak)</span><span style="background:#f59e0b22;color:#f59e0b;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">WARNING</span></div><div style="color:#64748b;font-size:12px">sysctl</div><div style="color:#94a3b8;font-size:13px;margin-top:4px;white-space:pre-wrap">kernel.dmesg_restrict = 0 (expected eq 1)</div><div style="margin-top:6px;padding:8px 12px;background:#0f172a;border-left:3px solid #38bdf8;border-radius:4px;font-size:13px"><b>Fix:</b> <code>echo &#x27;kernel.dmesg_restrict = 1&#x27; &gt;&gt; /etc/sysctl.d/99-hardening.conf &amp;&amp; sysctl -p</code></div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #22c55e;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">kernel.perf_event_paranoid = 3 ✓</span><span style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div style="color:#64748b;font-size:12px">sysctl</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #22c55e;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">kernel.yama.ptrace_scope = 1 ✓</span><span 
style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div style="color:#64748b;font-size:12px">sysctl</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #64748b;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">fs.protected_hardlinks not available on this kernel</span><span style="background:#64748b22;color:#64748b;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">INFO</span></div><div style="color:#64748b;font-size:12px">sysctl</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #64748b;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">fs.protected_symlinks not available on this kernel</span><span style="background:#64748b22;color:#64748b;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">INFO</span></div><div style="color:#64748b;font-size:12px">sysctl</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #f59e0b;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">SUID processes can create core dumps (credential leak)</span><span style="background:#f59e0b22;color:#f59e0b;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">WARNING</span></div><div style="color:#64748b;font-size:12px">sysctl</div><div style="color:#94a3b8;font-size:13px;margin-top:4px;white-space:pre-wrap">fs.suid_dumpable = 2 (expected eq 0)</div><div style="margin-top:6px;padding:8px 12px;background:#0f172a;border-left:3px solid #38bdf8;border-radius:4px;font-size:13px"><b>Fix:</b> <code>echo &#x27;fs.suid_dumpable = 0&#x27; &gt;&gt; /etc/sysctl.d/99-hardening.conf &amp;&amp; 
sysctl -p</code></div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #f59e0b;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">Unprivileged eBPF enabled — potential LPE vector</span><span style="background:#f59e0b22;color:#f59e0b;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">WARNING</span></div><div style="color:#64748b;font-size:12px">sysctl</div><div style="color:#94a3b8;font-size:13px;margin-top:4px;white-space:pre-wrap">kernel.unprivileged_bpf_disabled = 2 (expected eq 1)</div><div style="margin-top:6px;padding:8px 12px;background:#0f172a;border-left:3px solid #38bdf8;border-radius:4px;font-size:13px"><b>Fix:</b> <code>echo &#x27;kernel.unprivileged_bpf_disabled = 1&#x27; &gt;&gt; /etc/sysctl.d/99-hardening.conf &amp;&amp; sysctl -p</code></div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #64748b;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">net.core.bpf_jit_harden not available on this kernel</span><span style="background:#64748b22;color:#64748b;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">INFO</span></div><div style="color:#64748b;font-size:12px">sysctl</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #22c55e;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">KASLR enabled (nokaslr not in /proc/cmdline) ✓</span><span style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div style="color:#64748b;font-size:12px">sysctl</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid 
#22c55e;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">SMEP enabled (CPU flag present) ✓</span><span style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div style="color:#64748b;font-size:12px">sysctl</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #22c55e;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">SMAP enabled (CPU flag present) ✓</span><span style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div style="color:#64748b;font-size:12px">sysctl</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #22c55e;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">PTI: Not affected ✓</span><span style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div style="color:#64748b;font-size:12px">sysctl</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #22c55e;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">spectre_v1: Mitigation: usercopy/swapgs barriers and __user pointer sanitization ✓</span><span style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div style="color:#64748b;font-size:12px">sysctl</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #22c55e;margin-bottom:8px"><div 
style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">spectre_v2: Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence; BHI: SW loop, KVM: SW loop ✓</span><span style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div style="color:#64748b;font-size:12px">sysctl</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #22c55e;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">spec_store_bypass: Mitigation: Speculative Store Bypass disabled via prctl and seccomp ✓</span><span style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div style="color:#64748b;font-size:12px">sysctl</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #64748b;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">SELinux: not present</span><span style="background:#64748b22;color:#64748b;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">INFO</span></div><div style="color:#64748b;font-size:12px">sysctl</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #22c55e;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">AppArmor: enabled (? 
profiles loaded) ✓</span><span style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div style="color:#64748b;font-size:12px">sysctl</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #64748b;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">Sudo version: 1.8.31</span><span style="background:#64748b22;color:#64748b;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">INFO</span></div><div style="color:#64748b;font-size:12px">sudo</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #ef4444;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">Sudo version may be vulnerable to Baron Samedit (CVE-2021-3156)</span><span style="background:#ef444422;color:#ef4444;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">CRITICAL</span></div><div style="color:#64748b;font-size:12px">sudo</div><div style="color:#94a3b8;font-size:13px;margin-top:4px;white-space:pre-wrap">sudo 1.8.31 — heap overflow via sudoedit -s</div><div style="margin-top:6px;padding:8px 12px;background:#0f172a;border-left:3px solid #38bdf8;border-radius:4px;font-size:13px"><b>Fix:</b> <code>apt update &amp;&amp; apt install -y sudo</code></div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #ef4444;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">Sudo may be vulnerable to CVE-2019-14287 (user=\#-1 bypass)</span><span style="background:#ef444422;color:#ef4444;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">CRITICAL</span></div><div style="color:#64748b;font-size:12px">sudo</div><div 
style="color:#94a3b8;font-size:13px;margin-top:4px;white-space:pre-wrap">sudo 1.8.31 &lt; 1.8.28</div><div style="margin-top:6px;padding:8px 12px;background:#0f172a;border-left:3px solid #38bdf8;border-radius:4px;font-size:13px"><b>Fix:</b> <code>apt install -y sudo</code></div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #f59e0b;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">Sudo version vulnerable to CVE-2019-18634 but pwfeedback not detected</span><span style="background:#f59e0b22;color:#f59e0b;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">WARNING</span></div><div style="color:#64748b;font-size:12px">sudo</div><div style="color:#94a3b8;font-size:13px;margin-top:4px;white-space:pre-wrap">sudo 1.8.31 — would be exploitable if pwfeedback is added to sudoers</div><div style="margin-top:6px;padding:8px 12px;background:#0f172a;border-left:3px solid #38bdf8;border-radius:4px;font-size:13px"><b>Fix:</b> <code>apt update &amp;&amp; apt install -y sudo</code></div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #64748b;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">sudo -l requires password — passwordless listing unavailable</span><span style="background:#64748b22;color:#64748b;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">INFO</span></div><div style="color:#64748b;font-size:12px">sudo</div><div style="color:#94a3b8;font-size:13px;margin-top:4px;white-space:pre-wrap">Run &#x27;sudo -l&#x27; manually to see full privilege list</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #22c55e;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span 
style="font-weight:600;color:#f1f5f9">/etc/sudoers permissions: 440 root root ✓</span><span style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div style="color:#64748b;font-size:12px">sudo</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #64748b;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">Total SUID binaries found: 17 (scanned standard paths)</span><span style="background:#64748b22;color:#64748b;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">INFO</span></div><div style="color:#64748b;font-size:12px">suid</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #22c55e;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">Only standard SUID binaries present</span><span style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div style="color:#64748b;font-size:12px">suid</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #22c55e;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">No world-writable SUID/SGID binaries</span><span style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div style="color:#64748b;font-size:12px">suid</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #64748b;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">Total SGID binaries: 11 (scanned standard paths)</span><span 
style="background:#64748b22;color:#64748b;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">INFO</span></div><div style="color:#64748b;font-size:12px">suid</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #ef4444;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">24 binary(ies) with dangerous capabilities</span><span style="background:#ef444422;color:#ef4444;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">CRITICAL</span></div><div style="color:#64748b;font-size:12px">caps</div><div style="color:#94a3b8;font-size:13px;margin-top:4px;white-space:pre-wrap">/snap/snapd/26865/usr/lib/snapd/snap-confine = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin,cap_sys_resource+p</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #64748b;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9"></span><span style="background:#64748b22;color:#64748b;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">/snap/snapd/26382/usr/lib/snapd/snap-confine = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin,cap_sys_resource+p</span></div><div style="color:#64748b;font-size:12px"></div></div>
<div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #64748b;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">7</span><span style="background:#64748b22;color:#64748b;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">/snap/snapd/26382/usr/lib/snapd/snap-confine = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin,cap_sys_resource+p</span></div><div style="color:#64748b;font-size:12px">Remove capabilities: setcap -r &lt;file&gt;</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #64748b;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">All binaries with capabilities: 10</span><span style="background:#64748b22;color:#64748b;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">INFO</span></div><div style="color:#64748b;font-size:12px">caps</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #22c55e;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">/etc/shadow permissions: 640 root:shadow ✓</span><span style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div style="color:#64748b;font-size:12px">files</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #22c55e;margin-bottom:8px"><div 
style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">/etc/passwd permissions: 644 root:root ✓</span><span style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div style="color:#64748b;font-size:12px">files</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #22c55e;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">/etc/gshadow permissions: 640 root:shadow ✓</span><span style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div style="color:#64748b;font-size:12px">files</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #22c55e;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">/etc/sudoers permissions: 440 root:root ✓</span><span style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div style="color:#64748b;font-size:12px">files</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #f59e0b;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">Insecure /etc/ssh/sshd_config: mode=644(want 600) </span><span style="background:#f59e0b22;color:#f59e0b;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">WARNING</span></div><div style="color:#64748b;font-size:12px">files</div><div style="margin-top:6px;padding:8px 12px;background:#0f172a;border-left:3px solid #38bdf8;border-radius:4px;font-size:13px"><b>Fix:</b> <code>chmod 600 /etc/ssh/sshd_config &amp;&amp; chown root:root 
/etc/ssh/sshd_config</code></div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #22c55e;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">/etc/crontab permissions: 644 root:root ✓</span><span style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div style="color:#64748b;font-size:12px">files</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #22c55e;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">/boot/grub/grub.cfg permissions: 444 root:root ✓</span><span style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div style="color:#64748b;font-size:12px">files</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #22c55e;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">No world-writable directories missing sticky bit</span><span style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div style="color:#64748b;font-size:12px">files</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #22c55e;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">No world-writable files in /etc</span><span style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div style="color:#64748b;font-size:12px">files</div></div><div style="padding:14px 
18px;background:#1e293b;border-radius:8px;border-left:4px solid #22c55e;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">PATH directories are not writable</span><span style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div style="color:#64748b;font-size:12px">path</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #22c55e;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">Cron directories properly owned/secured</span><span style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div style="color:#64748b;font-size:12px">cron</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #22c55e;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">Cron-referenced scripts are not writable</span><span style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div style="color:#64748b;font-size:12px">cron</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #64748b;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">0 user crontab(s) present</span><span style="background:#64748b22;color:#64748b;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">INFO</span></div><div style="color:#64748b;font-size:12px">cron</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #64748b;margin-bottom:8px"><div 
style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">12 systemd timer(s) active</span><span style="background:#64748b22;color:#64748b;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">INFO</span></div><div style="color:#64748b;font-size:12px">cron</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #22c55e;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">Systemd unit files properly owned</span><span style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div style="color:#64748b;font-size:12px">systemd</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #22c55e;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">Systemd ExecStart scripts are not writable</span><span style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div style="color:#64748b;font-size:12px">systemd</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #22c55e;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">Only root has UID 0</span><span style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div style="color:#64748b;font-size:12px">users</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #64748b;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">Cannot read /etc/shadow — 
run as root for full password audit</span><span style="background:#64748b22;color:#64748b;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">INFO</span></div><div style="color:#64748b;font-size:12px">users</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #22c55e;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">System accounts use non-login shells</span><span style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div style="color:#64748b;font-size:12px">users</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #ef4444;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">SSH PermitRootLogin = yes</span><span style="background:#ef444422;color:#ef4444;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">CRITICAL</span></div><div style="color:#64748b;font-size:12px">ssh</div><div style="margin-top:6px;padding:8px 12px;background:#0f172a;border-left:3px solid #38bdf8;border-radius:4px;font-size:13px"><b>Fix:</b> <code>Set PermitRootLogin no in /etc/ssh/sshd_config</code></div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #22c55e;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">SSH password authentication disabled ✓</span><span style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div style="color:#64748b;font-size:12px">ssh</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #22c55e;margin-bottom:8px"><div 
style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">SSH PermitEmptyPasswords = no ✓</span><span style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div style="color:#64748b;font-size:12px">ssh</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #22c55e;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">No users in lxd group</span><span style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div style="color:#64748b;font-size:12px">containers</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #64748b;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">Users in &#x27;adm&#x27; group (log access): syslog — verify necessity</span><span style="background:#64748b22;color:#64748b;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">INFO</span></div><div style="color:#64748b;font-size:12px">containers</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #f59e0b;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">No account lockout policy (brute-force not mitigated)</span><span style="background:#f59e0b22;color:#f59e0b;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">WARNING</span></div><div style="color:#64748b;font-size:12px">pam</div><div style="color:#94a3b8;font-size:13px;margin-top:4px;white-space:pre-wrap">No pam_faillock or pam_tally2 found in /etc/pam.d/</div><div style="margin-top:6px;padding:8px 
12px;background:#0f172a;border-left:3px solid #38bdf8;border-radius:4px;font-size:13px"><b>Fix:</b> <code>Configure pam_faillock: authselect enable-feature with-faillock</code></div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #f59e0b;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">No password quality requirements configured</span><span style="background:#f59e0b22;color:#f59e0b;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">WARNING</span></div><div style="color:#64748b;font-size:12px">pam</div><div style="margin-top:6px;padding:8px 12px;background:#0f172a;border-left:3px solid #38bdf8;border-radius:4px;font-size:13px"><b>Fix:</b> <code>apt install libpam-pwquality &amp;&amp; configure minlen=12 in /etc/security/pwquality.conf</code></div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #22c55e;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">No pam_exec/pam_script modules in use</span><span style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div style="color:#64748b;font-size:12px">pam</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #22c55e;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">No global LD_PRELOAD/LD_LIBRARY_PATH</span><span style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div style="color:#64748b;font-size:12px">env</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #22c55e;margin-bottom:8px"><div 
style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">Library directories not writable by non-root</span><span style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div style="color:#64748b;font-size:12px">env</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #f59e0b;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">/tmp missing mount options: nosuid nodev noexec </span><span style="background:#f59e0b22;color:#f59e0b;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">WARNING</span></div><div style="color:#64748b;font-size:12px">env</div><div style="color:#94a3b8;font-size:13px;margin-top:4px;white-space:pre-wrap">Mount options: rw,relatime</div><div style="margin-top:6px;padding:8px 12px;background:#0f172a;border-left:3px solid #38bdf8;border-radius:4px;font-size:13px"><b>Fix:</b> <code>Add nosuid,nodev,noexec to /tmp in /etc/fstab and remount</code></div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #64748b;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">/etc/exports not found or not readable — NFS not configured</span><span style="background:#64748b22;color:#64748b;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">INFO</span></div><div style="color:#64748b;font-size:12px">nfs</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #64748b;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">PolicyKit version: 0.105-26ubuntu1.3 (SUID pkexec: 1)</span><span 
style="background:#64748b22;color:#64748b;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">INFO</span></div><div style="color:#64748b;font-size:12px">polkit</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #ef4444;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">pkexec likely vulnerable to PwnKit (CVE-2021-4034)</span><span style="background:#ef444422;color:#ef4444;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">CRITICAL</span></div><div style="color:#64748b;font-size:12px">polkit</div><div style="color:#94a3b8;font-size:13px;margin-top:4px;white-space:pre-wrap">SUID pkexec present; polkit version 0.105-26ubuntu1.3</div><div style="margin-top:6px;padding:8px 12px;background:#0f172a;border-left:3px solid #38bdf8;border-radius:4px;font-size:13px"><b>Fix:</b> <code>apt update &amp;&amp; apt install -y policykit-1</code></div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #f59e0b;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">AppArmor loaded but no profiles active</span><span style="background:#f59e0b22;color:#f59e0b;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">WARNING</span></div><div style="color:#64748b;font-size:12px">mac</div><div style="margin-top:6px;padding:8px 12px;background:#0f172a;border-left:3px solid #38bdf8;border-radius:4px;font-size:13px"><b>Fix:</b> <code>aa-enforce /etc/apparmor.d/*</code></div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #22c55e;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">Unattended security upgrades installed</span><span 
style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div style="color:#64748b;font-size:12px">mac</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #22c55e;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">No pending security updates</span><span style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div style="color:#64748b;font-size:12px">packages</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #f59e0b;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">Compiler/exploitation tools installed: strace ltrace netcat nc tcpdump python3 perl</span><span style="background:#f59e0b22;color:#f59e0b;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">WARNING</span></div><div style="color:#64748b;font-size:12px">packages</div><div style="color:#94a3b8;font-size:13px;margin-top:4px;white-space:pre-wrap">These tools assist in exploit compilation and post-exploitation</div><div style="margin-top:6px;padding:8px 12px;background:#0f172a;border-left:3px solid #38bdf8;border-radius:4px;font-size:13px"><b>Fix:</b> <code>Remove on production servers: apt remove gcc gdb strace nmap netcat</code></div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #22c55e;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">No obvious credentials in shell history</span><span style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div 
style="color:#64748b;font-size:12px">creds</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #22c55e;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">No obvious credentials in environment</span><span style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div style="color:#64748b;font-size:12px">creds</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #22c55e;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">SSH private key permissions appear correct</span><span style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div style="color:#64748b;font-size:12px">creds</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #f59e0b;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">Executable files in /tmp or /var/tmp</span><span style="background:#f59e0b22;color:#f59e0b;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">WARNING</span></div><div style="color:#64748b;font-size:12px">persistence</div><div style="color:#94a3b8;font-size:13px;margin-top:4px;white-space:pre-wrap">/tmp/alfacgiapi/getheader.alfa</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #64748b;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9"></span><span style="background:#64748b22;color:#64748b;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">/tmp/.gsusr-33/defunct</span></div><div 
style="color:#64748b;font-size:12px"></div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #64748b;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9"></span><span style="background:#64748b22;color:#64748b;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">/tmp/wos.php</span></div><div style="color:#64748b;font-size:12px"></div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #64748b;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9"></span><span style="background:#64748b22;color:#64748b;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">/tmp/xx/serve</span></div><div style="color:#64748b;font-size:12px"></div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #64748b;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9"></span><span style="background:#64748b22;color:#64748b;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">/var/tmp/xmrig-6.22.2/xmrig</span></div><div style="color:#64748b;font-size:12px"></div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #64748b;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">3</span><span style="background:#64748b22;color:#64748b;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">/var/tmp/xmrig-6.22.2/SHA256SUMS</span></div><div style="color:#64748b;font-size:12px">Investigate each file; remove if suspicious</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #22c55e;margin-bottom:8px"><div 
style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">No encoded payload patterns in cron/systemd</span><span style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div style="color:#64748b;font-size:12px">persistence</div></div><div style="padding:14px 18px;background:#1e293b;border-radius:8px;border-left:4px solid #22c55e;margin-bottom:8px"><div style="display:flex;justify-content:space-between;align-items:center"><span style="font-weight:600;color:#f1f5f9">No SUID files in temp directories</span><span style="background:#22c55e22;color:#22c55e;padding:2px 10px;border-radius:12px;font-size:12px;font-weight:600">PASS</span></div><div style="color:#64748b;font-size:12px">persistence</div></div>
<div style="margin-top:40px;text-align:center;color:#334155;font-size:12px">
Generated by Toor PrivEsc Audit v2.0.0 &mdash; For authorized security testing only</div>
</div></body></html>