tyler.durden
/
pandorafms
mirror of https://github.com/pandorafms/pandorafms.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Changed plugin from python to perl

This commit is contained in:
Enrique Martin 2023-10-05 13:12:45 +02:00
parent 5a7aa609a7
commit 40f097957f
1 changed files with 410 additions and 376 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

770
pandora_agents/unix/plugins/pandora_security_check
View File

@ -1,84 +1,81 @@
#!/usr/bin/python3 #!/usr/bin/perl
# -*- coding: utf-8 -*- ################################################################################
# Author: Enrique Martin Garcia
# Copyright: 2023, PandoraFMS
# Maintainer: Operations department
# Version: 1.0
################################################################################
__author__ = ["Enrique Martin Garcia"] use strict;
__copyright__ = "Copyright 2023, PandoraFMS" use warnings;
__maintainer__ = "Operations department"
__status__ = "Production"
__version__= '1.0'
import sys,os,signal use Getopt::Long;
use File::Basename;
use File::Spec;
use Digest::MD5 qw(md5_hex);
use Scalar::Util 'looks_like_number';
# Define signal handlers
sub sigint_handler {
print STDERR "\nInterrupted by user\n";
exit 0;
}
sub sigterm_handler {
print STDERR "Received SIGTERM signal.\n";
exit 0;
}
$SIG{INT} = \&sigint_handler;
$SIG{TERM} = \&sigterm_handler;
# Add lib dir path # Add lib dir path
lib_dir = os.path.join(os.path.dirname(sys.argv[0]), 'lib') my $lib_dir = File::Spec->catdir(dirname($0), 'lib');
sys.path.insert(0, lib_dir) unshift @INC, $lib_dir;
# Define a function to handle the SIGINT signal
def sigint_handler(signal, frame):
print ('\nInterrupted by user', file=sys.stderr)
sys.exit(0)
signal.signal(signal.SIGINT, sigint_handler)
# Define a function to handle the SIGTERM signal
def sigterm_handler(signum, frame):
print("Received SIGTERM signal.", file=sys.stderr)
sys.exit(0)
signal.signal(signal.SIGTERM, sigterm_handler)
##############################################################
## SPECIFIC PLUGIN CODE
##############################################################
import argparse
import subprocess
import crypt
import hashlib
import pandoraPlugintools as ppt
### ###
# GLOBALS # GLOBALS
################## ##################
# Set modules global values my %options = ();
modules_group='Security'
# Set configuration blocks names my $modules_group = 'Security';
b_ports='PORTS'
b_files='FILES'
b_passwords='PASSWORDS'
blocks = [b_ports, b_files, b_passwords] my $b_ports = 'PORTS';
configuration_block=None my $b_files = 'FILES';
my $b_passwords = 'PASSWORDS';
# Default integrity file is next to script my @blocks = ($b_ports, $b_files, $b_passwords);
integrity_file='/tmp/' + ppt.generate_md5(os.path.abspath(sys.argv[0])) + '.integrity' my $configuration_block;
my $integrity_file = '/tmp/' . md5_hex(File::Spec->rel2abs($0)) . '.integrity';
# Enable all checks by default # Enable all checks by default
check_selinux=1 my $check_selinux = 1;
check_ssh_root_access=1 my $check_ssh_root_access = 1;
check_ssh_root_keys=1 my $check_ssh_root_keys = 1;
check_ports=1 my $check_ports = 1;
check_files=1 my $check_files = 1;
check_passwords=1 my $check_passwords = 1;
# Include all values for checks by default
my $include_defaults = 1;
# Initialize check lists # Initialize check lists
l_ports=[ my @l_ports = (
80, 80,
22 22
] );
my @l_files = (
l_files=[
'/etc/shadow', '/etc/shadow',
'/etc/passwd', '/etc/passwd',
'/etc/hosts', '/etc/hosts',
'/etc/resolv', '/etc/resolv',
'/etc/ssh/sshd_config', '/etc/ssh/sshd_config',
'/etc/rsyslog.conf' '/etc/rsyslog.conf'
] );
l_passwords=[ my @l_passwords = (
'123456', '123456',
'12345678', '12345678',
'123456789', '123456789',
@ -179,379 +176,416 @@ l_passwords=[
'123qwe', '123qwe',
'Pussy', 'Pussy',
'angel1' 'angel1'
] );
### ###
# ARGS PARSER # ARGS PARSER
################## ##################
parser = argparse.ArgumentParser(description='Run several security checks in a Linux system') my $HELP = <<EO_HELP;
parser.add_argument('--check_selinux', Run several security checks in a Linux system
help='Enable/Disable check SElinux module',
choices=[0, 1], Usage: $0
type=int, [-h,--help]
default=check_selinux [--check_selinux {0,1}]
) [--check_ssh_root_access {0,1}]
parser.add_argument('--check_ssh_root_access', [--check_ssh_root_keys {0,1}]
help='Enable/Disable check SSH root access module', [--check_ports {0,1}]
choices=[0, 1], [--check_files {0,1}]
type=int, [--check_passwords {0,1}]
default=check_ssh_root_access [--include_defaults {0,1}]
) [--integrity_file <integrity_file>]
parser.add_argument('--check_ssh_root_keys', [--conf <conf_file>]
help='Enable/Disable check SSH root keys module',
choices=[0, 1], Optional arguments:
type=int, -h, --help Show this help message and exit
default=check_ssh_root_keys --check_selinux {0,1} Enable/Disable check SElinux module
) --check_ssh_root_access {0,1} Enable/Disable check SSH root access module
parser.add_argument('--check_ports', --check_ssh_root_keys {0,1} Enable/Disable check SSH root keys module
help='Enable/Disable check ports module', --check_ports {0,1} Enable/Disable check ports module
choices=[0, 1], --check_files {0,1} Enable/Disable check files module
type=int, --check_passwords {0,1} Enable/Disable check passwords module
default=check_ports --include_defaults {0,1} Enable/Disable default plugin checks for ports, files and passwords
) --integrity_file <integrity_file> Path to integrity check file
parser.add_argument('--check_files', Default: $integrity_file
help='Enable/Disable check files module', --conf <conf_file> Path to plugin configuration file
choices=[0, 1], Available configuration blocks:
type=int, [$b_ports], [$b_files] and [$b_passwords]
default=check_files Content example:
) [$b_ports]
parser.add_argument('--check_passwords', 3306
help='Enable/Disable check passwords module', 443
choices=[0, 1], [$b_files]
type=int, /etc/httpd/httpd.conf
default=check_passwords /etc/my.cnf
) [$b_passwords]
parser.add_argument('--integrity_file', pandora
help='Path to integrity check file (Default: '+integrity_file+')', PANDORA
metavar='<integrity_file>', P4nd0r4
type=str,
default=integrity_file EO_HELP
)
parser.add_argument('--conf', sub help {
help='Path to plugin configuration file', my ($extra_message) = @_;
metavar='<conf_file>', print $HELP;
type=str print $extra_message if defined($extra_message);
) exit 0;
}
sub parse_bool_arg {
my ($arg, $default) = @_;
if (defined $options{$arg}) {
if (looks_like_number($options{$arg}) && ($options{$arg} == 1 || $options{$arg} == 0)) {
return $options{$arg};
} else {
help("Invalid value for argument: $arg\n");
}
} else {
return $default;
}
}
# Parse arguments
GetOptions(
"help|h" => \$options{help},
"check_selinux=s" => \$options{check_selinux},
"check_ssh_root_access=s" => \$options{check_ssh_root_access},
"check_ssh_root_keys=s" => \$options{check_ssh_root_keys},
"check_ports=s" => \$options{check_ports},
"check_files=s" => \$options{check_files},
"check_passwords=s" => \$options{check_passwords},
"include_defaults=s" => \$options{include_defaults},
"integrity_file=s" => \$options{integrity_file},
"conf=s" => \$options{conf}
);
help() if ($options{help});
$check_selinux = parse_bool_arg('check_selinux', $check_selinux);
$check_ssh_root_access = parse_bool_arg('check_ssh_root_access', $check_ssh_root_access);
$check_ssh_root_keys = parse_bool_arg('check_ssh_root_keys', $check_ssh_root_keys);
$check_ports = parse_bool_arg('check_ports', $check_ports);
$check_files = parse_bool_arg('check_files', $check_files);
$check_passwords = parse_bool_arg('check_passwords', $check_passwords);
$include_defaults = parse_bool_arg('include_defaults', $include_defaults);
if (!$include_defaults) {
@l_ports = ();
@l_files = ();
@l_passwords = ();
}
$integrity_file = $options{integrity_file} if defined $options{integrity_file};
parse_configuration($options{conf}) if defined $options{conf};
### ###
# FUNCTIONS # FUNCTIONS
################## ##################
# Parse current configuration block # Function to parse configuration file
def parse_configuration_block(line: str = ''): sub parse_configuration {
global blocks my ($conf_file) = @_;
global configuration_block
for block in blocks: open my $conf_fh, '<', $conf_file or die "Error opening configuration file [$conf_file]: $!\n";
if line=='['+block+']':
configuration_block=block
break
# Parse all configuration file while (my $line = <$conf_fh>) {
def parse_configuration(file: str = ''): chomp $line;
global configuration_block $line =~ s/^\s+//;
$line =~ s/\s+$//;
try: if ($line =~ /^\[($b_ports|$b_files|$b_passwords)\]$/) {
lines = open(file, 'r') $configuration_block = $1;
for line in lines: }
line = line.strip() elsif ($configuration_block) {
if ($configuration_block eq $b_ports) {
# Skip empty lines push @l_ports, $line;
if not line: }
continue elsif ($configuration_block eq $b_files) {
if line == "\n": push @l_files, $line;
continue }
elsif ($configuration_block eq $b_passwords) {
# Set current configuration block push @l_passwords, $line;
parse_configuration_block(line) }
}
# Skip None block
if configuration_block is None:
continue
# Parse PORTS
elif configuration_block==b_ports:
l_ports.append(line)
# Parse FILES
elif configuration_block==b_files:
l_files.append(line)
# Parse PASSWORDS
elif configuration_block==b_passwords:
l_passwords.append(line)
except Exception as e:
print('Error while reading configuration file: '+str(e))
sys.exit(1)
# Print module XML from STDOUT
def print_xml_module(m_name: str = '', m_type: str = '', m_desc: str = '', m_value: str = ''):
module_values = {
'name' : m_name,
'type' : m_type,
'desc' : m_desc,
'value' : m_value,
'module_group' : modules_group
} }
ppt.print_module(ppt.init_module(module_values), True) close $conf_fh;
}
# Function to print module XML to STDOUT
sub print_xml_module {
my ($m_name, $m_type, $m_desc, $m_value) = @_;
print "<module>\n";
print "\t<name><![CDATA[$m_name]]></name>\n";
print "\t<type>$m_type</type>\n";
print "\t<data><![CDATA[$m_value]]></data>\n";
print "\t<description><![CDATA[$m_desc]]></description>\n";
print "\t<module_group>$modules_group</module_group>\n";
print "</module>\n";
}
# Make unique array
sub uniq {
my %seen;
return grep { !$seen{$_}++ } @_;
}
### ###
# MAIN # MAIN
################## ##################
# Parse arguments # Check SELinux status
args = parser.parse_args() if ($check_selinux) {
my $value = 0;
my $desc = 'SELinux is disabled.';
check_selinux=args.check_selinux my $output = `sestatus 2> /dev/null`;
check_ssh_root_access=args.check_ssh_root_access if ($? == 0) {
check_ssh_root_keys=args.check_ssh_root_keys if ($output =~ /SELinux status: enabled/) {
check_ports=args.check_ports $value = 1;
check_files=args.check_files $desc = 'SELinux is enabled.';
check_passwords=args.check_passwords }
integrity_file=args.integrity_file } else {
$value = 0;
$desc = 'Can not determine if SELinux is enabled.';
}
if getattr(args, 'conf', None) is not None: print_xml_module('SELinux status', 'generic_proc', $desc, $value);
parse_configuration(args.conf) }
# Check selinux status
if check_selinux==1:
value = 0
desc = 'SELinux is disabled.'
try:
if 'SELinux status: enabled' in subprocess.check_output(['sestatus'], stderr=subprocess.STDOUT, text=True):
value = 1
desc = 'SELinux is enabled.'
except Exception:
value = 0
desc = 'Can not determine if SELinux is enabled.'
print_xml_module('SELinux status', 'generic_proc', desc, ppt.parse_str(value))
# Check if SSH allows root access # Check if SSH allows root access
if check_ssh_root_access==1: if ($check_ssh_root_access) {
value = 1 my $value = 1;
desc = 'SSH does not allow root access.' my $desc = 'SSH does not allow root access.';
try: my $ssh_config_file = '/etc/ssh/sshd_config';
with open('/etc/ssh/sshd_config', 'r') as ssh_config_file: if (-e $ssh_config_file && open my $ssh_fh, '<', $ssh_config_file) {
for line in ssh_config_file: while (my $line = <$ssh_fh>) {
line = line.strip() chomp $line;
$line =~ s/^\s+//;
$line =~ s/\s+$//;
next if $line =~ /^$/ or $line =~ /^#/;
my ($option, $val) = split /\s+/, $line, 2;
if ($option eq 'PermitRootLogin' && lc($val) ne 'no') {
$value = 0;
$desc = 'SSH config allows root access.';
last;
}
}
close $ssh_fh;
} else {
$value = 0;
$desc = 'Can not read '.$ssh_config_file.' to check if root access allowed.';
}
# Skip empty and commented lines print_xml_module('SSH root access status', 'generic_proc', $desc, $value);
if not line: }
continue
if line == "\n":
continue
if line[0] == "#":
continue
option, val = line.split(maxsplit=1)
if option == 'PermitRootLogin':
if val.lower() != 'no':
value = 0
desc = 'SSH config allows root access.'
break
except FileNotFoundError:
value = 0
desc = 'Can not read /etc/ssh/sshd_config to check if root access allowed.'
except Exception:
value = 0
desc = 'Can not determine if SSH root access is allowed.'
print_xml_module('SSH root access status', 'generic_proc', desc, ppt.parse_str(value))
# Check if /root has SSH keys # Check if /root has SSH keys
if check_ssh_root_keys==1: if ($check_ssh_root_keys) {
value = 1 my $value = 1;
desc = 'SSH root keys not found.' my $desc = 'SSH root keys not found.';
try: my $ssh_keys = {'private' => [], 'public' => []};
ssh_keys = {'private': [], 'public': []}
for root, dirs, files in os.walk('/root/.ssh'): my $ssh_dir = '/root/.ssh';
for filename in files: if (-d $ssh_dir) {
file_path = os.path.join(root, filename) my @files = read_dir($ssh_dir);
with open(file_path, 'r') as file: foreach my $file (@files) {
content = file.read() my $file_path = File::Spec->catfile($ssh_dir, $file);
if '-----BEGIN RSA PRIVATE KEY-----' in content and '-----END RSA PRIVATE KEY-----' in content: my $content = read_file($file_path);
ssh_keys['private'].append(file_path) if ($content =~ /-----BEGIN RSA PRIVATE KEY-----.*?-----END RSA PRIVATE KEY-----/s) {
elif 'ssh-rsa' in content and filename != 'knwon_hosts' and filename != 'authorized_keys': push @{$ssh_keys->{'private'}}, $file_path;
ssh_keys['public'].append(file_path) } elsif ($content =~ /ssh-rsa/ && $file ne 'known_hosts' && $file ne 'authorized_keys') {
push @{$ssh_keys->{'public'}}, $file_path;
}
}
if (@{$ssh_keys->{'private'}} > 0 || @{$ssh_keys->{'public'}} > 0) {
$value = 0;
$desc = "SSH root keys found:\n" . join("\n", @{$ssh_keys->{'private'}}, @{$ssh_keys->{'public'}});
}
}
if len(ssh_keys['private']) > 0 or len(ssh_keys['public']) > 0: print_xml_module('SSH root keys status', 'generic_proc', $desc, $value);
value = 0 }
desc = 'SSH root keys found:\n'+'\n'.join(ssh_keys['private'])+'\n'.join(ssh_keys['public'])
except Exception:
value = 0
desc = 'Can not determine if SSH root keys exist.'
print_xml_module('SSH root keys status', 'generic_proc', desc, ppt.parse_str(value))
# Check authorized ports # Check authorized ports
if check_ports==1: if ($check_ports) {
value = 1 my $value = 1;
desc = 'No unauthorized ports found.' my $desc = 'No unauthorized ports found.';
# Create unique check ports list my @open_ports;
l_ports = list(set(l_ports)) my @not_allowed_ports;
open_ports = [] my @net_tcp_files = ('/proc/net/tcp', '/proc/net/tcp6');
not_allowed_ports = [] foreach my $net_tcp_file (@net_tcp_files) {
if (-e $net_tcp_file && open my $tcp_fh, '<', $net_tcp_file) {
try: while (my $line = <$tcp_fh>) {
for net_tcp_file in ['/proc/net/tcp', '/proc/net/tcp6']: chomp $line;
with open(net_tcp_file, 'r') as tcp_file: my @parts = split /\s+/, $line;
# Skip the first line (header line) if (scalar @parts >= 12) {
next(tcp_file) my $local_address = $parts[1];
my @la_split = (split /:/, $local_address);
for line in tcp_file: if (@la_split > 1){
parts = line.strip().split() my $local_port = hex($la_split[1]);
if len(parts) >= 12: my $state = $parts[3];
local_address = parts[1]
local_port = int(local_address.split(':')[1], 16)
state = parts[3]
# Check if the connection is in state 0A (listening) # Check if the connection is in state 0A (listening)
if state == "0A": if ($state eq "0A") {
open_ports.append(local_port) push @open_ports, $local_port;
}
}
}
}
close $tcp_fh;
}
}
@open_ports = uniq(@open_ports);
# Create unique ports list my %allowed_ports;
open_ports = list(set(open_ports)) foreach my $port (@l_ports) {
$allowed_ports{$port} = 1;
}
except Exception: foreach my $port (@open_ports) {
pass if (!exists $allowed_ports{$port}) {
push @not_allowed_ports, $port;
}
}
for port in open_ports: if (@not_allowed_ports) {
if ppt.parse_int(port) not in l_ports: $value = 0;
not_allowed_ports.append(port) $desc = "Unauthorized ports found:\n" . join("\n", @not_allowed_ports);
}
if len(not_allowed_ports) > 0: print_xml_module('Authorized ports status', 'generic_proc', $desc, $value);
value = 0 }
desc = 'Unauthorized ports found:\n'+'\n'.join(not_allowed_ports)
print_xml_module('Authorized ports status', 'generic_proc', desc, ppt.parse_str(value))
# Check files integrity # Check files integrity
if check_files==1: if ($check_files) {
value = 1 my $value = 1;
desc = 'No changed files found.' my $desc = 'No changed files found.';
my %integrity;
my $can_check_files = 0;
if (-e $integrity_file) {
if (-r $integrity_file && -w $integrity_file) {
# Read integrity file content
open my $integrity_fh, '<', $integrity_file;
while (my $line = <$integrity_fh>) {
chomp $line;
if ($line =~ /^\s*(.*?)=(.*?)\s*$/) {
$integrity{$1} = $2;
}
}
close $integrity_fh;
$can_check_files = 1;
} else {
$value = 0;
$desc = 'Integrity check file can not be read or written: ' . $integrity_file;
}
} else {
if (open my $integrity_fh, '>', $integrity_file) {
close $integrity_fh;
$can_check_files = 1;
} else {
$value = 0;
$desc = 'Integrity check file can not be created: ' . $integrity_file;
}
}
if ($can_check_files) {
# Check each file integrity
my @errored_files;
my @no_integrity_files;
# Create unique check files list # Create unique check files list
l_files = list(set(l_files)) @l_files = uniq(@l_files);
# Check if integrity file can be read and written foreach my $file (@l_files) {
can_check_files=False my $file_key = md5_hex($file);
if os.access(integrity_file, os.R_OK | os.W_OK): if (open my $fh, '<:raw', $file) {
can_check_files=True my $md5 = Digest::MD5->new;
else: $md5->addfile($fh);
# If integrity file doesn't exist, create it my $file_md5 = $md5->hexdigest;
if not os.path.exists(integrity_file): chomp $file_md5;
try: close $fh;
with open(integrity_file, 'w') as f:
can_check_files=True
except Exception:
value=0
desc='Integrity check file can not be created: '+integrity_file
else:
value=0
desc='Integrity check file can not be read or written: '+integrity_file
if can_check_files: if (exists $integrity{$file_key} && $integrity{$file_key} ne $file_md5) {
# Read integrity file content push @no_integrity_files, $file;
integrity = {} }
with open(integrity_file, "r") as f: $integrity{$file_key} = $file_md5;
lines = f.read().splitlines() } else {
for line in lines: push @errored_files, $file;
if len(line.strip()) < 1: }
continue }
else:
option, value = line.strip().split('=', maxsplit=1)
integrity[option.strip()] = value.strip()
# Check each file integrity
errored_files = []
no_integrity_files = []
for file in l_files:
file_key = ppt.generate_md5(file)
try:
with open(file, 'rb') as f:
md5 = hashlib.md5()
# Read the file in chunks to avoid loading the entire file into memory
for chunk in iter(lambda: f.read(4096), b''):
md5.update(chunk)
file_md5 = md5.hexdigest()
if file_key in integrity:
if integrity[file_key] != file_md5:
no_integrity_files.append(file)
integrity[file_key] = file_md5
except Exception:
errored_files.append(file)
# Prepare new integrity file content
integrity_content = ''
for key, val in integrity.items():
integrity_content = integrity_content+key+'='+val+'\n'
# Overwrite integrity file content # Overwrite integrity file content
with open(integrity_file, "w") as f: open my $file_handle, '>', $integrity_file;
f.write(integrity_content) print $file_handle map { "$_=$integrity{$_}\n" } keys %integrity;
close $file_handle;
# Check module status # Check module status
if len(no_integrity_files) > 0: if (@no_integrity_files) {
value = 0 $value = 0;
desc = 'Changed files found:\n'+'\n'.join(no_integrity_files) $desc = "Changed files found:\n" . join("\n", @no_integrity_files);
}
if len(errored_files) > 0: if (@errored_files) {
value = 0 $value = 0;
desc = desc + '\nUnable to check integrity of some files:\n'+'\n'.join(errored_files) $desc .= "\nUnable to check integrity of some files:\n" . join("\n", @errored_files);
}
}
print_xml_module('Files check status', 'generic_proc', desc, ppt.parse_str(value))
print_xml_module('Files check status', 'generic_proc', $desc, $value);
}
# Check weak passwords # Check weak passwords
if check_passwords==1: if ($check_passwords) {
value = 1 my $value = 1;
desc = 'No insecure passwords found.' my $desc = 'No insecure passwords found.';
# Create unique check passwords list # Create unique check passwords list
l_passwords = list(set(l_passwords)) @l_passwords = uniq(@l_passwords);
insecure_users = [] my @insecure_users;
try: my $shadow_file = '/etc/shadow';
with open('/etc/shadow', 'r') as shadow_file: if (-e $shadow_file && -r $shadow_file) {
for line in shadow_file: open my $shadow_fh, '<', $shadow_file;
username, password_hash, *_ = line.strip().split(':') while (my $line = <$shadow_fh>) {
chomp $line;
my ($username, $password_hash, @rest) = split /:/, $line;
# Skip users with no password hash # Skip users with no password hash
if password_hash != "*" and password_hash != "!!" and password_hash != "!locked": if ($password_hash ne "*" && $password_hash ne "!!" && $password_hash ne "!locked") {
for weak_password in l_passwords: foreach my $weak_password (@l_passwords) {
weak_password_hash = crypt.crypt(weak_password, password_hash[:password_hash.rfind('$')]) my $salt = substr($password_hash, 0, rindex($password_hash, '$') + 1);
my $weak_password_hash = crypt($weak_password, $salt);
if weak_password_hash == password_hash: if ($weak_password_hash eq $password_hash) {
insecure_users.append(username) push @insecure_users, $username;
break last;
}
}
}
}
close $shadow_fh;
} else {
$value = 0;
$desc = 'Can not read '.$shadow_file.' to check passwords.';
}
except FileNotFoundError: if (@insecure_users) {
value = 0 $value = 0;
desc = 'Can not read /etc/shadow to check passwords.' $desc = "Users with insecure passwords found:\n" . join("\n", @insecure_users);
except Exception: }
value = 0
desc = 'Can not determine if passwords are strong enough.'
if len(insecure_users) > 0: print_xml_module('Insecure passwords status', 'generic_proc', $desc, $value);
value = 0 }
desc = 'Users with insecure passwords found:\n'+'\n'.join(insecure_users)
print_xml_module('Insecure passwords status', 'generic_proc', desc, ppt.parse_str(value))