TOOR PRIVESC AUDIT v2.0.0 — SECURITY REPORT
==================================================
Date : Fri 15 May 2026 06:45:30 AM UTC
Hostname : ubuntu-s-2vcpu-2gb-intel-blr1-01 Kernel: 5.4.0-216-generic
Score : 0/100 Grade: F
Summary : Pass=43 Critical=9 Warning=12 Info=17
[INFO ] [kernel ] Kernel: 5.4.0-216-generic
[INFO ] [kernel ] Ubuntu 20.04 (focal)
[WARNING ] [kernel ] Unprivileged user namespaces enabled
Detail: kernel.unprivileged_userns_clone=1 — enables OverlayFS-based LPE on unpatched kernels
Fix: echo 'kernel.unprivileged_userns_clone=0' >> /etc/sysctl.d/99-hardening.conf && sysctl -p
[CRITICAL] [kernel ] Likely vulnerable to Ubuntu OverlayFS LPE (CVE-2021-3493)
Detail: Kernel 5.4.0-216-generic (Ubuntu 20.04) — unprivileged overlayfs setuid file creation
Fix: apt update && apt full-upgrade
[CRITICAL] [kernel ] Likely vulnerable to nf_tables anon-set UAF (CVE-2023-32233)
Detail: Kernel 5.4.0-216-generic in range 5.1–6.3.1 — anonymous netfilter set use-after-free
Fix: Upgrade kernel: apt update && apt full-upgrade
[CRITICAL] [kernel ] Likely vulnerable to nf_tables OOB write (CVE-2022-1015)
Detail: Kernel 5.4.0-216-generic in range 5.1–5.17.3 — nft_validate_register_store() bounds check bypass
Fix: Upgrade kernel: apt update && apt full-upgrade
[CRITICAL] [kernel ] Likely vulnerable to Polkit D-Bus race (CVE-2021-3560)
Detail: polkit 0.105 < 0.119 + accounts-daemon running — CreateUser auth bypass
Fix: apt update && apt install -y policykit-1
[PASS ] [sysctl ] kernel.randomize_va_space = 2 ✓
[PASS ] [sysctl ] kernel.kptr_restrict = 1 ✓
[WARNING ] [sysctl ] dmesg readable by unprivileged users (info leak)
Detail: kernel.dmesg_restrict = 0 (expected eq 1)
Fix: echo 'kernel.dmesg_restrict = 1' >> /etc/sysctl.d/99-hardening.conf && sysctl -p
[PASS ] [sysctl ] kernel.perf_event_paranoid = 3 ✓
[PASS ] [sysctl ] kernel.yama.ptrace_scope = 1 ✓
[INFO ] [sysctl ] fs.protected_hardlinks not available on this kernel
[INFO ] [sysctl ] fs.protected_symlinks not available on this kernel
[WARNING ] [sysctl ] SUID processes can create core dumps (credential leak)
Detail: fs.suid_dumpable = 2 (expected eq 0)
Fix: echo 'fs.suid_dumpable = 0' >> /etc/sysctl.d/99-hardening.conf && sysctl -p
[WARNING ] [sysctl ] Unprivileged eBPF enabled — potential LPE vector
Detail: kernel.unprivileged_bpf_disabled = 2 (expected eq 1)
Fix: echo 'kernel.unprivileged_bpf_disabled = 1' >> /etc/sysctl.d/99-hardening.conf && sysctl -p
[INFO ] [sysctl ] net.core.bpf_jit_harden not available on this kernel
[PASS ] [sysctl ] KASLR enabled (nokaslr not in /proc/cmdline) ✓
[PASS ] [sysctl ] SMEP enabled (CPU flag present) ✓
[PASS ] [sysctl ] SMAP enabled (CPU flag present) ✓
[PASS ] [sysctl ] PTI: Not affected ✓
[PASS ] [sysctl ] spectre_v1: Mitigation: usercopy/swapgs barriers and __user pointer sanitization ✓
[PASS ] [sysctl ] spectre_v2: Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence; BHI: SW loop, KVM: SW loop ✓
[PASS ] [sysctl ] spec_store_bypass: Mitigation: Speculative Store Bypass disabled via prctl and seccomp ✓
[INFO ] [sysctl ] SELinux: not present
[PASS ] [sysctl ] AppArmor: enabled (? profiles loaded) ✓
[INFO ] [sudo ] Sudo version: 1.8.31
[CRITICAL] [sudo ] Sudo version may be vulnerable to Baron Samedit (CVE-2021-3156)
Detail: sudo 1.8.31 — heap overflow via sudoedit -s
Fix: apt update && apt install -y sudo
[CRITICAL] [sudo ] Sudo may be vulnerable to CVE-2019-14287 (user=\#-1 bypass)
Detail: sudo 1.8.31 < 1.8.28
Fix: apt install -y sudo
[WARNING ] [sudo ] Sudo version vulnerable to CVE-2019-18634 but pwfeedback not detected
Detail: sudo 1.8.31 — would be exploitable if pwfeedback is added to sudoers
Fix: apt update && apt install -y sudo
[INFO ] [sudo ] sudo -l requires password — passwordless listing unavailable
Detail: Run 'sudo -l' manually to see full privilege list
[PASS ] [sudo ] /etc/sudoers permissions: 440 root root ✓
[INFO ] [suid ] Total SUID binaries found: 17 (scanned standard paths)
[PASS ] [suid ] Only standard SUID binaries present
[PASS ] [suid ] No world-writable SUID/SGID binaries
[INFO ] [suid ] Total SGID binaries: 11 (scanned standard paths)
[CRITICAL] [caps ] 24 binary(ies) with dangerous capabilities
Detail: /snap/snapd/26865/usr/lib/snapd/snap-confine = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin,cap_sys_resource+p
        /snap/snapd/26382/usr/lib/snapd/snap-confine = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin,cap_sys_resource+p
Fix: Remove capabilities: setcap -r <file>
[INFO ] [caps ] All binaries with capabilities: 10
[PASS ] [files ] /etc/shadow permissions: 640 root:shadow ✓
[PASS ] [files ] /etc/passwd permissions: 644 root:root ✓
[PASS ] [files ] /etc/gshadow permissions: 640 root:shadow ✓
[PASS ] [files ] /etc/sudoers permissions: 440 root:root ✓
[WARNING ] [files ] Insecure /etc/ssh/sshd_config: mode=644(want 600)
Fix: chmod 600 /etc/ssh/sshd_config && chown root:root /etc/ssh/sshd_config
[PASS ] [files ] /etc/crontab permissions: 644 root:root ✓
[PASS ] [files ] /boot/grub/grub.cfg permissions: 444 root:root ✓
[PASS ] [files ] No world-writable directories missing sticky bit
[PASS ] [files ] No world-writable files in /etc
[PASS ] [path ] PATH directories are not writable
[PASS ] [cron ] Cron directories properly owned/secured
[PASS ] [cron ] Cron-referenced scripts are not writable
[INFO ] [cron ] 0 user crontab(s) present
[INFO ] [cron ] 12 systemd timer(s) active
[PASS ] [systemd ] Systemd unit files properly owned
[PASS ] [systemd ] Systemd ExecStart scripts are not writable
[PASS ] [users ] Only root has UID 0
[INFO ] [users ] Cannot read /etc/shadow — run as root for full password audit
[PASS ] [users ] System accounts use non-login shells
[CRITICAL] [ssh ] SSH PermitRootLogin = yes
Fix: Set PermitRootLogin no in /etc/ssh/sshd_config
[PASS ] [ssh ] SSH password authentication disabled ✓
[PASS ] [ssh ] SSH PermitEmptyPasswords = no ✓
[PASS ] [containers ] No users in lxd group
[INFO ] [containers ] Users in 'adm' group (log access): syslog — verify necessity
[WARNING ] [pam ] No account lockout policy (brute-force not mitigated)
Detail: No pam_faillock or pam_tally2 found in /etc/pam.d/
Fix: Configure pam_faillock: authselect enable-feature with-faillock
[WARNING ] [pam ] No password quality requirements configured
Fix: apt install libpam-pwquality && configure minlen=12 in /etc/security/pwquality.conf
[PASS ] [pam ] No pam_exec/pam_script modules in use
[PASS ] [env ] No global LD_PRELOAD/LD_LIBRARY_PATH
[PASS ] [env ] Library directories not writable by non-root
[WARNING ] [env ] /tmp missing mount options: nosuid nodev noexec
Detail: Mount options: rw,relatime
Fix: Add nosuid,nodev,noexec to /tmp in /etc/fstab and remount
[INFO ] [nfs ] /etc/exports not found or not readable — NFS not configured
[INFO ] [polkit ] PolicyKit version: 0.105-26ubuntu1.3 (SUID pkexec: 1)
[CRITICAL] [polkit ] pkexec likely vulnerable to PwnKit (CVE-2021-4034)
Detail: SUID pkexec present; polkit version 0.105-26ubuntu1.3
Fix: apt update && apt install -y policykit-1
[WARNING ] [mac ] AppArmor loaded but no profiles active
Fix: aa-enforce /etc/apparmor.d/*
[PASS ] [mac ] Unattended security upgrades installed
[PASS ] [packages ] No pending security updates
[WARNING ] [packages ] Compiler/exploitation tools installed: strace ltrace netcat nc tcpdump python3 perl
Detail: These tools assist in exploit compilation and post-exploitation
Fix: Remove on production servers: apt remove gcc gdb strace nmap netcat
[PASS ] [creds ] No obvious credentials in shell history
[PASS ] [creds ] No obvious credentials in environment
[PASS ] [creds ] SSH private key permissions appear correct
[WARNING ] [persistence ] Executable files in /tmp or /var/tmp
Detail: /tmp/alfacgiapi/getheader.alfa
        /tmp/.gsusr-33/defunct
        /tmp/wos.php
        /tmp/xx/serve
        /var/tmp/xmrig-6.22.2/xmrig
        /var/tmp/xmrig-6.22.2/SHA256SUMS
Fix: Investigate each file; remove if suspicious
[PASS ] [persistence ] No encoded payload patterns in cron/systemd
[PASS ] [persistence ] No SUID files in temp directories