Example #1
0
 def check_conf(self):
     logs.INFO("Checking exposure...")
     self.check_exposure()
     logs.INFO("Checking setting of password...")
     self.check_password_setting()
     logs.INFO("Checking commands...")
     self.check_command()
Example #2
0
 def __init__(self, file):
     super().__init__()
     logs.INFO(
         "Assuming no configuration property has been changed by CLI or SparkConf object"
     )
     if file is None:
         conf_path = self.get_paths(expected_file=[
             "spark-defaults.conf",
         ])
         self.file = os.path.join(conf_path, "spark-defaults.conf")
     else:
         self.file = file
     logs.INFO(f"Evaluating file {self.file}")
     self.content = {}
     self.parse_content()
Example #3
0
 def __init__(self, dir=None):
     super().__init__()
     if dir is None:
         self.conf_path = self.get_paths(files_appear=[
             "core-site.xml",
             "hdfs-site.xml",
             "mapred-site.xml",
             "yarn-site.xml",
         ])
     else:
         self.conf_path = dir
     logs.INFO(f"Evaluating directory {self.conf_path}")
     self.core_file = os.path.join(self.conf_path, "core-site.xml")
     self.core_obj = self.xml_conf_to_obj(self.core_file)
     self.hdfs_file = os.path.join(self.conf_path, "hdfs-site.xml")
     self.hdfs_obj = self.xml_conf_to_obj(self.hdfs_file)
     self.mr_file = os.path.join(self.conf_path, "mapred-site.xml")
     self.mr_obj = self.xml_conf_to_obj(self.mr_file)
     self.yarn_file = os.path.join(self.conf_path, "yarn-site.xml")
     self.yarn_obj = self.xml_conf_to_obj(self.yarn_file)
     self.conf_obj = {
         **self.core_obj,
         **self.hdfs_obj,
         **self.mr_obj,
         **self.yarn_obj
     }
Example #4
0
 def get_paths(self,
               expected_file="",
               expected_files=None,
               files_appear=None):
     result = []
     paths = self.enumerate_path()
     for path in paths:
         if expected_files and (not self.__test_exp_files(
                 path, expected_files)):
             continue
         if expected_file != "" and (not utils.exists_file(
                 path, expected_file)):
             continue
         if files_appear is not None and (not self.__test_files_appear(
                 path, files_appear)):
             continue
         result.append(path)
     if len(result) == 0:
         logs.ERROR(
             "Cannot find configuration file location, please specify")
         sys.exit(0)
     if len(result) > 1:
         logs.ERROR(
             "Multiple configuration file locations found (listed below), "
             "please specify  (e.g. --dir=/etc)")
         for k, v in enumerate(result):
             logs.INFO(f"[{k}]. {v}")
         sys.exit(0)
     return result[0]
Example #5
0
    def check_ssl(self):
        logs.INFO("Checking SSL")

        if utils.get_item_from_obj(self.conf_obj,
                                   "hadoop.ssl.enabled",
                                   default="false") == "false":
            logs.ISSUE("SSL is disabled.")
            logs.RECOMMENDATION("hadoop.ssl.enabled = true")
        else:
            logs.DEBUG("SSL is enabled.")
Example #6
0
 def __init__(self, dir=None):
     super().__init__()
     self.conf_path = dir
     if not dir:
         self.conf_path = self.get_paths(expected_file="redis.conf")
     self.conf_file = os.path.join(self.conf_path, 'redis.conf')
     logs.INFO(f"Evaluating {self.conf_file}")
     self.conf_content = None
     self.read_content()
     self.combine_include()
Example #7
0
    def check_nfs_export_range(self):
        logs.INFO("Checking export range")

        allowed_hosts = utils.get_item_from_obj(self.conf_obj,
                                                "nfs.exports.allowed.hosts",
                                                default="* rw")
        if allowed_hosts == "* rw":
            logs.ISSUE("NFS is exposed to internet for read and write.")
            logs.RECOMMENDATION(" / qualify nfs.exports.allowed.hosts")
        else:
            logs.DEBUG(
                f"NFS host priv: {allowed_hosts}. Evaluate based on the context."
            )
Example #8
0
    def check_registry_ac(self):
        logs.INFO("Checking registry access control")

        if utils.get_item_from_obj(self.conf_obj,
                                   "hadoop.registry.rm.enabled",
                                   default="false") == "true":
            if utils.get_item_from_obj(self.conf_obj,
                                       "hadoop.registry.secure",
                                       default="false") == "false":
                logs.ISSUE("registry.secure is not enabled. ")
                logs.RECOMMENDATION("hadoop.registry.secure = true")
            else:
                logs.DEBUG(f"Registry security is enabled.")
        else:
            logs.DEBUG("Registry is not enabled. ")
Example #9
0
 def check_web_portal_ac(self):
     logs.INFO("Checking web portal access control")
     auth_method = utils.get_item_from_obj(
         self.conf_obj, "hadoop.http.authentication.type", default="simple")
     if auth_method == "simple":
         logs.ISSUE("Everyone can access the web portal")
         logs.RECOMMENDATION("hadoop.http.authentication.type = kerberos")
         if utils.get_item_from_obj(
                 self.conf_obj,
                 "hadoop.http.authentication.simple.anonymous.allowed",
                 default="true") == "true":
             logs.ISSUE("Anonymous is allowed to access web portal.")
             logs.RECOMMENDATION(
                 "hadoop.http.authentication.simple.anonymous.allowed = false"
             )
     else:
         logs.DEBUG(f"Authentication method [{auth_method}] enabled")
Example #10
0
 def check_global_ac(self):
     logs.INFO("Checking global access control")
     auth_method = utils.get_item_from_obj(self.conf_obj,
                                           "hadoop.security.authentication",
                                           default="simple")
     if auth_method == "simple":
         logs.ISSUE("Everyone can access the instance")
         logs.RECOMMENDATION("hadoop.security.authentication = kerberos")
     else:
         logs.DEBUG(f"Authentication method [{auth_method}] enabled")
     if utils.get_item_from_obj(self.conf_obj,
                                "hadoop.security.authorization",
                                default="false") == "false":
         logs.ISSUE("Authorization is not enabled")
         logs.RECOMMENDATION("hadoop.security.authorization = true")
     else:
         logs.DEBUG("Authorization enabled")
Example #11
0
 def xml_conf_to_obj(file):
     res = {}
     try:
         root = xml.etree.ElementTree.parse(file).getroot()
         props = root.findall(".//property")
         for prop in props:
             name = prop.find(".//name").text
             try:
                 value = prop.find(".//value").text
                 res[name] = value
             except AttributeError:
                 continue
     except FileNotFoundError:
         logs.INFO(f"{file} not found, skipped.")
     except Exception as e:
         logs.ERROR(e)
         sys.exit(0)
     return res
Example #12
0
 def check_fs_permission(self):
     logs.INFO("Checking hdfs permission")
     if utils.get_item_from_obj(self.conf_obj,
                                "dfs.permissions.enabled",
                                default="true") == "false":
         logs.ISSUE(
             "HDFS does not have access control. Everyone could conduct CURD operations on the instance."
         )
         logs.RECOMMENDATION("dfs.permissions.enabled = true")
     else:
         logs.DEBUG("HDFS permission system is enabled.")
     if utils.get_item_from_obj(self.conf_obj,
                                "dfs.namenode.acls.enabled",
                                default="false") == "false":
         logs.ISSUE("HDFS ACLs is not enabled.")
         logs.RECOMMENDATION("dfs.namenode.acls.enabled = true")
     else:
         logs.DEBUG("HDFS ACLs is enabled.")
Example #13
0
 def check_conf(self):
     logs.INFO("Checking ACL")
     self.check_acl()
     logs.INFO("Checking XSS")
     self.check_xss()
     logs.INFO("Checking SSL")
     self.check_ssl()
     logs.INFO("Checking encryption")
     self.check_encryption()
     logs.INFO("Checking web ui authentication")
     self.check_authentication()
     logs.INFO("Checking logging")
     self.check_logging()
Example #14
0
 def check_conf(self):
     logs.INFO("Checking authentication...")
     self.check_authentication()
     logs.INFO("Checking obsolete accounts...")
     self.has_obsolete_account()
     logs.INFO("Checking useless database...")
     self.has_useless_db()
     logs.INFO("Checking load file func...")
     self.test_load_file()
     logs.INFO("Checking global grants...")
     self.test_grants()
     logs.INFO("Checking database grants...")
     self.test_db_grants()
Example #15
0
    def check_cors(self):
        logs.INFO("Checking web portal cross origin policy")

        if utils.get_item_from_obj(self.conf_obj,
                                   "hadoop.http.cross-origin.enabled",
                                   default="false") == "true":
            allowed_origins = utils.split_ip(
                utils.get_item_from_obj(
                    self.conf_obj,
                    "hadoop.http.cross-origin.allowed-origins",
                    default="true"))
            if "*" in allowed_origins:
                logs.ISSUE("Cross origin is wildcard.")
                logs.RECOMMENDATION(
                    " / qualify hadoop.http.cross-origin.allowed-origins")
            else:
                logs.DEBUG(
                    f"CORS is enabled but only allowed to {','.join(allowed_origins)}"
                )
        else:
            logs.DEBUG("CORS is off")
Example #16
0
import utils
import logs

if __name__ == "__main__":
    logs.INFO()
Example #17
0
def ask(c):
    logs.INFO(c)
    v = input("Type Y/y to perform this action and anything else to skip [Y]")
    if v == "Y" or v == "y" or v == "":
        return True
    return False