{
"tool": "toor-privesc-audit",
"version": "2.0.0",
"hostname": "ubuntu-s-2vcpu-2gb-intel-blr1-01",
"kernel": "5.4.0-216-generic",
"scan_date": "2026-05-15T06:45:30+00:00",
"score": 0,
"grade": "F",
"summary": {
"total": 81,
"pass": 43,
"critical": 9,
"warning": 12,
"info": 17
},
"findings": [
{
"severity": "INFO",
"category": "kernel",
"title": "Kernel: 5.4.0-216-generic",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "INFO",
"category": "kernel",
"title": "Ubuntu 20.04 (focal)",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "WARNING",
"category": "kernel",
"title": "Unprivileged user namespaces enabled",
"detail": "kernel.unprivileged_userns_clone=1 \u2014 enables OverlayFS-based LPE on unpatched kernels",
"remediation": "echo 'kernel.unprivileged_userns_clone=0' >> /etc/sysctl.d/99-hardening.conf && sysctl -p",
"weight": 4
},
{
"severity": "CRITICAL",
"category": "kernel",
"title": "Likely vulnerable to Ubuntu OverlayFS LPE (CVE-2021-3493)",
"detail": "Kernel 5.4.0-216-generic (Ubuntu 20.04) \u2014 unprivileged overlayfs setuid file creation",
"remediation": "apt update && apt full-upgrade",
"weight": 9
},
{
"severity": "CRITICAL",
"category": "kernel",
"title": "Likely vulnerable to nf_tables anon-set UAF (CVE-2023-32233)",
"detail": "Kernel 5.4.0-216-generic in range 5.1\u20136.3.1 \u2014 anonymous netfilter set use-after-free",
"remediation": "Upgrade kernel: apt update && apt full-upgrade",
"weight": 9
},
{
"severity": "CRITICAL",
"category": "kernel",
"title": "Likely vulnerable to nf_tables OOB write (CVE-2022-1015)",
"detail": "Kernel 5.4.0-216-generic in range 5.1\u20135.17.3 \u2014 nft_validate_register_store() bounds check bypass",
"remediation": "Upgrade kernel: apt update && apt full-upgrade",
"weight": 9
},
{
"severity": "CRITICAL",
"category": "kernel",
"title": "Likely vulnerable to Polkit D-Bus race (CVE-2021-3560)",
"detail": "polkit 0.105 < 0.119 + accounts-daemon running \u2014 CreateUser auth bypass",
"remediation": "apt update && apt install -y policykit-1",
"weight": 8
},
{
"severity": "PASS",
"category": "sysctl",
"title": "kernel.randomize_va_space = 2 \u2713",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "PASS",
"category": "sysctl",
"title": "kernel.kptr_restrict = 1 \u2713",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "WARNING",
"category": "sysctl",
"title": "dmesg readable by unprivileged users (info leak)",
"detail": "kernel.dmesg_restrict = 0 (expected eq 1)",
"remediation": "echo 'kernel.dmesg_restrict = 1' >> /etc/sysctl.d/99-hardening.conf && sysctl -p",
"weight": 2
},
{
"severity": "PASS",
"category": "sysctl",
"title": "kernel.perf_event_paranoid = 3 \u2713",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "PASS",
"category": "sysctl",
"title": "kernel.yama.ptrace_scope = 1 \u2713",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "INFO",
"category": "sysctl",
"title": "fs.protected_hardlinks not available on this kernel",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "INFO",
"category": "sysctl",
"title": "fs.protected_symlinks not available on this kernel",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "WARNING",
"category": "sysctl",
"title": "SUID processes can create core dumps (credential leak)",
"detail": "fs.suid_dumpable = 2 (expected eq 0)",
"remediation": "echo 'fs.suid_dumpable = 0' >> /etc/sysctl.d/99-hardening.conf && sysctl -p",
"weight": 2
},
{
"severity": "WARNING",
"category": "sysctl",
"title": "Unprivileged eBPF enabled \u2014 potential LPE vector",
"detail": "kernel.unprivileged_bpf_disabled = 2 (expected eq 1)",
"remediation": "echo 'kernel.unprivileged_bpf_disabled = 1' >> /etc/sysctl.d/99-hardening.conf && sysctl -p",
"weight": 3
},
{
"severity": "INFO",
"category": "sysctl",
"title": "net.core.bpf_jit_harden not available on this kernel",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "PASS",
"category": "sysctl",
"title": "KASLR enabled (nokaslr not in /proc/cmdline) \u2713",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "PASS",
"category": "sysctl",
"title": "SMEP enabled (CPU flag present) \u2713",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "PASS",
"category": "sysctl",
"title": "SMAP enabled (CPU flag present) \u2713",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "PASS",
"category": "sysctl",
"title": "PTI: Not affected \u2713",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "PASS",
"category": "sysctl",
"title": "spectre_v1: Mitigation: usercopy/swapgs barriers and __user pointer sanitization \u2713",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "PASS",
"category": "sysctl",
"title": "spectre_v2: Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence; BHI: SW loop, KVM: SW loop \u2713",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "PASS",
"category": "sysctl",
"title": "spec_store_bypass: Mitigation: Speculative Store Bypass disabled via prctl and seccomp \u2713",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "INFO",
"category": "sysctl",
"title": "SELinux: not present",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "PASS",
"category": "sysctl",
"title": "AppArmor: enabled (? profiles loaded) \u2713",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "INFO",
"category": "sudo",
"title": "Sudo version: 1.8.31",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "CRITICAL",
"category": "sudo",
"title": "Sudo version may be vulnerable to Baron Samedit (CVE-2021-3156)",
"detail": "sudo 1.8.31 \u2014 heap overflow via sudoedit -s",
"remediation": "apt update && apt install -y sudo",
"weight": 7
},
{
"severity": "CRITICAL",
"category": "sudo",
"title": "Sudo may be vulnerable to CVE-2019-14287 (user=\\#-1 bypass)",
"detail": "sudo 1.8.31 < 1.8.28",
"remediation": "apt install -y sudo",
"weight": 6
},
{
"severity": "WARNING",
"category": "sudo",
"title": "Sudo version vulnerable to CVE-2019-18634 but pwfeedback not detected",
"detail": "sudo 1.8.31 \u2014 would be exploitable if pwfeedback is added to sudoers",
"remediation": "apt update && apt install -y sudo",
"weight": 3
},
{
"severity": "INFO",
"category": "sudo",
"title": "sudo -l requires password \u2014 passwordless listing unavailable",
"detail": "Run 'sudo -l' manually to see full privilege list",
"remediation": "",
"weight": 0
},
{
"severity": "PASS",
"category": "sudo",
"title": "/etc/sudoers permissions: 440 root root \u2713",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "INFO",
"category": "suid",
"title": "Total SUID binaries found: 17 (scanned standard paths)",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "PASS",
"category": "suid",
"title": "Only standard SUID binaries present",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "PASS",
"category": "suid",
"title": "No world-writable SUID/SGID binaries",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "INFO",
"category": "suid",
"title": "Total SGID binaries: 11 (scanned standard paths)",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "CRITICAL",
"category": "caps",
"title": "24 binary(ies) with dangerous capabilities",
"detail": "/snap/snapd/26865/usr/lib/snapd/snap-confine = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin,cap_sys_resource+p",
"remediation": "",
"weight": 0
},
{
"severity": "/snap/snapd/26382/usr/lib/snapd/snap-confine = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin,cap_sys_resource+p",
"category": "",
"title": "",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "/snap/snapd/26865/usr/lib/snapd/snap-confine = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin,cap_sys_resource+p",
"category": "",
"title": "",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "/snap/snapd/26382/usr/lib/snapd/snap-confine = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin,cap_sys_resource+p",
"category": "",
"title": "",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "/snap/snapd/26865/usr/lib/snapd/snap-confine = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin,cap_sys_resource+p",
"category": "",
"title": "",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "/snap/snapd/26382/usr/lib/snapd/snap-confine = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin,cap_sys_resource+p",
"category": "",
"title": "",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "/snap/snapd/26865/usr/lib/snapd/snap-confine = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin,cap_sys_resource+p",
"category": "",
"title": "",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "/snap/snapd/26382/usr/lib/snapd/snap-confine = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin,cap_sys_resource+p",
"category": "",
"title": "",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "/snap/snapd/26865/usr/lib/snapd/snap-confine = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin,cap_sys_resource+p",
"category": "",
"title": "",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "/snap/snapd/26382/usr/lib/snapd/snap-confine = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin,cap_sys_resource+p",
"category": "Remove capabilities: setcap -r <file>",
"title": "7",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "INFO",
"category": "caps",
"title": "All binaries with capabilities: 10",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "PASS",
"category": "files",
"title": "/etc/shadow permissions: 640 root:shadow \u2713",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "PASS",
"category": "files",
"title": "/etc/passwd permissions: 644 root:root \u2713",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "PASS",
"category": "files",
"title": "/etc/gshadow permissions: 640 root:shadow \u2713",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "PASS",
"category": "files",
"title": "/etc/sudoers permissions: 440 root:root \u2713",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "WARNING",
"category": "files",
"title": "Insecure /etc/ssh/sshd_config: mode=644 (want 600)",
"detail": "",
"remediation": "chmod 600 /etc/ssh/sshd_config && chown root:root /etc/ssh/sshd_config",
"weight": 3
},
{
"severity": "PASS",
"category": "files",
"title": "/etc/crontab permissions: 644 root:root \u2713",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "PASS",
"category": "files",
"title": "/boot/grub/grub.cfg permissions: 444 root:root \u2713",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "PASS",
"category": "files",
"title": "No world-writable directories missing sticky bit",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "PASS",
"category": "files",
"title": "No world-writable files in /etc",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "PASS",
"category": "path",
"title": "PATH directories are not writable",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "PASS",
"category": "cron",
"title": "Cron directories properly owned/secured",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "PASS",
"category": "cron",
"title": "Cron-referenced scripts are not writable",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "INFO",
"category": "cron",
"title": "0 user crontab(s) present",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "INFO",
"category": "cron",
"title": "12 systemd timer(s) active",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "PASS",
"category": "systemd",
"title": "Systemd unit files properly owned",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "PASS",
"category": "systemd",
"title": "Systemd ExecStart scripts are not writable",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "PASS",
"category": "users",
"title": "Only root has UID 0",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "INFO",
"category": "users",
"title": "Cannot read /etc/shadow \u2014 run as root for full password audit",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "PASS",
"category": "users",
"title": "System accounts use non-login shells",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "CRITICAL",
"category": "ssh",
"title": "SSH PermitRootLogin = yes",
"detail": "",
"remediation": "Set PermitRootLogin no in /etc/ssh/sshd_config",
"weight": 6
},
{
"severity": "PASS",
"category": "ssh",
"title": "SSH password authentication disabled \u2713",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "PASS",
"category": "ssh",
"title": "SSH PermitEmptyPasswords = no \u2713",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "PASS",
"category": "containers",
"title": "No users in lxd group",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "INFO",
"category": "containers",
"title": "Users in 'adm' group (log access): syslog \u2014 verify necessity",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "WARNING",
"category": "pam",
"title": "No account lockout policy (brute-force not mitigated)",
"detail": "No pam_faillock or pam_tally2 found in /etc/pam.d/",
"remediation": "Configure pam_faillock: authselect enable-feature with-faillock",
"weight": 3
},
{
"severity": "WARNING",
"category": "pam",
"title": "No password quality requirements configured",
"detail": "",
"remediation": "apt install libpam-pwquality && configure minlen=12 in /etc/security/pwquality.conf",
"weight": 2
},
{
"severity": "PASS",
"category": "pam",
"title": "No pam_exec/pam_script modules in use",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "PASS",
"category": "env",
"title": "No global LD_PRELOAD/LD_LIBRARY_PATH",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "PASS",
"category": "env",
"title": "Library directories not writable by non-root",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "WARNING",
"category": "env",
"title": "/tmp missing mount options: nosuid nodev noexec",
"detail": "Mount options: rw,relatime",
"remediation": "Add nosuid,nodev,noexec to /tmp in /etc/fstab and remount",
"weight": 3
},
{
"severity": "INFO",
"category": "nfs",
"title": "/etc/exports not found or not readable \u2014 NFS not configured",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "INFO",
"category": "polkit",
"title": "PolicyKit version: 0.105-26ubuntu1.3 (SUID pkexec: 1)",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "CRITICAL",
"category": "polkit",
"title": "pkexec likely vulnerable to PwnKit (CVE-2021-4034)",
"detail": "SUID pkexec present; polkit version 0.105-26ubuntu1.3",
"remediation": "apt update && apt install -y policykit-1",
"weight": 8
},
{
"severity": "WARNING",
"category": "mac",
"title": "AppArmor loaded but no profiles active",
"detail": "",
"remediation": "aa-enforce /etc/apparmor.d/*",
"weight": 3
},
{
"severity": "PASS",
"category": "mac",
"title": "Unattended security upgrades installed",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "PASS",
"category": "packages",
"title": "No pending security updates",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "WARNING",
"category": "packages",
"title": "Compiler/exploitation tools installed: strace ltrace netcat nc tcpdump python3 perl",
"detail": "These tools assist in exploit compilation and post-exploitation",
"remediation": "Remove on production servers: apt remove gcc gdb strace nmap netcat",
"weight": 2
},
{
"severity": "PASS",
"category": "creds",
"title": "No obvious credentials in shell history",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "PASS",
"category": "creds",
"title": "No obvious credentials in environment",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "PASS",
"category": "creds",
"title": "SSH private key permissions appear correct",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "WARNING",
"category": "persistence",
"title": "Executable files in /tmp or /var/tmp",
"detail": "/tmp/alfacgiapi/getheader.alfa",
"remediation": "",
"weight": 0
},
{
"severity": "/tmp/.gsusr-33/defunct",
"category": "",
"title": "",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "/tmp/wos.php",
"category": "",
"title": "",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "/tmp/xx/serve",
"category": "",
"title": "",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "/var/tmp/xmrig-6.22.2/xmrig",
"category": "",
"title": "",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "/var/tmp/xmrig-6.22.2/SHA256SUMS",
"category": "Investigate each file; remove if suspicious",
"title": "3",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "PASS",
"category": "persistence",
"title": "No encoded payload patterns in cron/systemd",
"detail": "",
"remediation": "",
"weight": 0
},
{
"severity": "PASS",
"category": "persistence",
"title": "No SUID files in temp directories",
"detail": "",
"remediation": "",
"weight": 0
}
]
}