pandorafms/pandora_plugins/basic_security
fbsanchez 722bc86381 Opensource plugins added to pandorafms 2017-11-14 15:17:27 +01:00

README

Linux security monitoring Plugin for Pandora FMS
v1.0, 8th June 2016

Copyright (c) 2016 Sancho Lerena
Licensed and distributed under BSD Licence.

Check out more information about Pandora FMS monitoring at http://pandorafms.com

ABOUT THIS PLUGIN 
=================

This plugin is intended to run ONLY on modern Linux boxes. It is ready to run on both 64-bit and 32-bit systems.
It contains a custom build of John the Ripper 1.8 + Contrib patches, with static binaries for 32 and 64 bits. The main concept of the plugin is to be monolithic: detect what can be hardened and handle the differences between distros without asking the admin anything, so that deployment is the same on any system, regardless of version, distro or architecture.

This plugin will check:

 1. User password audit check, using a dictionary (provided) with the
    500 most commonly used passwords. This usually doesn't take more than a few seconds. If you have hundreds of users, you will probably need to customize the plugin execution so that it runs only every 2-6 hours. You can customize the password dictionary by adding your organization's typical passwords to the file "basic_security/password-list".
 2. Check whether SSH is on the default port
 3. Check whether FTP is on the default port
 4. Check whether SSH allows root access
 5. Verify whether there is a MySQL running without a root password defined.

In the future we want to expand its features to include file hash checking, detection of brute-force attacks by analyzing logs, improved hardening checks on the root environment, etc. Keep updated to see what's new in the next months.
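A sketch of how checks 2 and 4 in the list above can be evaluated from an sshd_config file, given as an added example and not the plugin's own code. The function names, the module names after `SEC[` and the convention that 1 means OK and 0 means a finding are assumptions made for illustration; the sample config is constructed.

```shell
#!/bin/sh
# Added example, not the plugin's code. Assumed convention: 1 = OK, 0 = finding.

# Print every global value of KEYWORD in an sshd_config-style FILE, or DEFAULT
# when the keyword is absent. Keywords are case-insensitive; parsing stops at
# the first Match block because those settings only apply conditionally.
sshd_values() {  # FILE KEYWORD DEFAULT
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || NF == 0   { next }
        tolower($1) == "match"  { exit }
        tolower($1) == key      { print tolower($2); found = 1 }
        END { if (!found) print def }
    ' "$1"
}

# Check 2: sshd may repeat Port, so it is a finding if any listener is on 22.
check_ssh_default_port() {  # FILE
    if sshd_values "$1" Port 22 | grep -qx 22; then echo 0; else echo 1; fi
}

# Check 4: sshd uses the first PermitRootLogin it reads. Only "no" passes here;
# prohibit-password (default in current OpenSSH) still lets root in with a key.
check_ssh_root_login() {  # FILE
    first=$(sshd_values "$1" PermitRootLogin prohibit-password | head -n 1)
    [ "$first" = "no" ] && echo 1 || echo 0
}

# Pandora agent plugins report each result as <module> XML on stdout.
pandora_module() {  # NAME DATA
    printf '<module>\n<name><![CDATA[%s]]></name>\n<type>generic_proc</type>\n<data>%s</data>\n</module>\n' "$1" "$2"
}

# Constructed sample config: sshd ignores the second PermitRootLogin line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not from a real host
port 2222
PermitRootLogin yes
PermitRootLogin no
Match User backup
    PermitRootLogin no
EOF
pandora_module "SEC[example_ssh_port]" "$(check_ssh_default_port "$sample")"
pandora_module "SEC[example_ssh_root]" "$(check_ssh_root_login "$sample")"
rm -f "$sample"
```

On the sample, the port module reports 1 and the root-login module reports 0, because a scanner that reads the last `PermitRootLogin` instead of the first would wrongly pass this host.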

USAGE
=====

1. Copy the contents of the tarball into a directory (usually, e.g., /etc/pandora/plugins, which should be linked to /usr/share/pandora_agent/plugins)

	tar xvzf /tmp/linux_basic_security.tar.gz -C /etc/pandora/plugins

2. Edit your pandora_agent.conf and define a custom plugin call:

	module_plugin /usr/share/pandora_agent/plugins/basic_security/basic_security

3. Restart the agent. It should report several modules with the information, all starting with SEC[xxxx].


DEPENDENCIES
============

You need to have "John the Ripper" installed on your server. We provide CentOS binaries (compatible with Red Hat) because John cannot be installed easily on CentOS servers. A password audit is, by the way, one of the most important checks you can do to assure your system's security.

With SUSE:

	zypper install john

With Debian/Ubuntu:

	apt-get install john

TESTING
=======

Just call the plugin from the command line (you need root) to see if it reports any error.

This has been tested on:

- CentOS 6.7 32 bits
- CentOS 6.7 64 bits
- CentOS 7.1 64 bits
- SUSE 11.3 64 bits
- Ubuntu 14.x 64 bits

It contains a static build of John for 32 and 64 bits, tested on CentOS 6.7 and CentOS 7, but
we cannot give you any WARRANTIES! If it doesn't work for you, get a running John package.