def check_registry_ac(self): logs.INFO("Checking registry access control") if utils.get_item_from_obj(self.conf_obj, "hadoop.registry.rm.enabled", default="false") == "true": if utils.get_item_from_obj(self.conf_obj, "hadoop.registry.secure", default="false") == "false": logs.ISSUE("registry.secure is not enabled. ") logs.RECOMMENDATION("hadoop.registry.secure = true") else: logs.DEBUG(f"Registry security is enabled.") else: logs.DEBUG("Registry is not enabled. ")
def check_encryption(self): if utils.get_item_from_obj(self.content, "spark.network.crypto.enabled", default="false") == "false": logs.ISSUE("Network encryption is not enabled") logs.RECOMMENDATION("spark.network.crypto.enable = true") else: logs.DEBUG('Network encryption is enabled') if utils.get_item_from_obj(self.content, "spark.io.encryption.enabled", default="false") == "false": logs.ISSUE("Disk encryption is not enabled") logs.RECOMMENDATION("spark.io.encryption.enable = true") else: logs.DEBUG('Disk encryption is enabled')
def check_acl(self): if utils.get_item_from_obj(self.content, "spark.acls.enable", default="false") == "false": logs.ISSUE("Access control not enabled for web portal") logs.RECOMMENDATION("spark.acls.enable = true") else: logs.DEBUG("Access control is enabled for web portal") if utils.get_item_from_obj(self.content, "spark.history.ui.acls.enable", default="false") == "false": logs.ISSUE("Access control not enabled for history server") logs.RECOMMENDATION("spark.history.ui.acls.enable = true") else: logs.DEBUG("Access control is enabled for history server")
def check_xss(self): if utils.get_item_from_obj(self.content, "spark.ui.xXssProtection", default="1;mode=block") == "0": logs.ISSUE("XSS protection is not enabled") logs.RECOMMENDATION("spark.ui.xXssProtection = 1") else: logs.DEBUG('XSS protection is enabled') if utils.get_item_from_obj(self.content, "spark.ui.xContentTypeOptions.enabled", default="true") == "false": logs.ISSUE("CORB protection is not enabled") logs.RECOMMENDATION("spark.ui.xContentTypeOptions.enabled = true") else: logs.DEBUG('CORB protection is enabled')
def check_ssl(self): if utils.get_item_from_obj(self.content, "spark.ssl.enabled", default="false") == "false": logs.ISSUE("SSL is not enabled") logs.RECOMMENDATION("spark.ssl.enable = true") else: logs.DEBUG('SSL is enabled')
def check_authentication(self): if utils.get_item_from_obj(self.content, "spark.authenticate", default="false") == "false": logs.ISSUE("Everyone can visit the instance") logs.RECOMMENDATION("spark.authenticate = true") else: logs.DEBUG("Authentication is enabled") password = utils.get_item_from_obj(self.content, "spark.authenticate.secret", default="") if utils.check_pwd(password): logs.DEBUG('Password is strong') else: logs.ISSUE('Password could be easily guessed.') logs.RECOMMENDATION( "spark.authenticate.secret [stronger passwor]")
def check_logging(self): if utils.get_item_from_obj(self.content, "spark.eventLog.enabled", default="false") == "false": logs.ISSUE("Logging is not enabled") logs.RECOMMENDATION("spark.eventLog.enabled = true") else: logs.DEBUG('Logging is enabled')
def check_web_portal_ac(self): logs.INFO("Checking web portal access control") auth_method = utils.get_item_from_obj( self.conf_obj, "hadoop.http.authentication.type", default="simple") if auth_method == "simple": logs.ISSUE("Everyone can access the web portal") logs.RECOMMENDATION("hadoop.http.authentication.type = kerberos") if utils.get_item_from_obj( self.conf_obj, "hadoop.http.authentication.simple.anonymous.allowed", default="true") == "true": logs.ISSUE("Anonymous is allowed to access web portal.") logs.RECOMMENDATION( "hadoop.http.authentication.simple.anonymous.allowed = false" ) else: logs.DEBUG(f"Authentication method [{auth_method}] enabled")
def check_global_ac(self): logs.INFO("Checking global access control") auth_method = utils.get_item_from_obj(self.conf_obj, "hadoop.security.authentication", default="simple") if auth_method == "simple": logs.ISSUE("Everyone can access the instance") logs.RECOMMENDATION("hadoop.security.authentication = kerberos") else: logs.DEBUG(f"Authentication method [{auth_method}] enabled") if utils.get_item_from_obj(self.conf_obj, "hadoop.security.authorization", default="false") == "false": logs.ISSUE("Authorization is not enabled") logs.RECOMMENDATION("hadoop.security.authorization = true") else: logs.DEBUG("Authorization enabled")
def check_fs_permission(self): logs.INFO("Checking hdfs permission") if utils.get_item_from_obj(self.conf_obj, "dfs.permissions.enabled", default="true") == "false": logs.ISSUE( "HDFS does not have access control. Everyone could conduct CURD operations on the instance." ) logs.RECOMMENDATION("dfs.permissions.enabled = true") else: logs.DEBUG("HDFS permission system is enabled.") if utils.get_item_from_obj(self.conf_obj, "dfs.namenode.acls.enabled", default="false") == "false": logs.ISSUE("HDFS ACLs is not enabled.") logs.RECOMMENDATION("dfs.namenode.acls.enabled = true") else: logs.DEBUG("HDFS ACLs is enabled.")
def check_ssl(self): logs.INFO("Checking SSL") if utils.get_item_from_obj(self.conf_obj, "hadoop.ssl.enabled", default="false") == "false": logs.ISSUE("SSL is disabled.") logs.RECOMMENDATION("hadoop.ssl.enabled = true") else: logs.DEBUG("SSL is enabled.")
def check_cors(self): logs.INFO("Checking web portal cross origin policy") if utils.get_item_from_obj(self.conf_obj, "hadoop.http.cross-origin.enabled", default="false") == "true": allowed_origins = utils.split_ip( utils.get_item_from_obj( self.conf_obj, "hadoop.http.cross-origin.allowed-origins", default="true")) if "*" in allowed_origins: logs.ISSUE("Cross origin is wildcard.") logs.RECOMMENDATION( " / qualify hadoop.http.cross-origin.allowed-origins") else: logs.DEBUG( f"CORS is enabled but only allowed to {','.join(allowed_origins)}" ) else: logs.DEBUG("CORS is off")
def check_nfs_export_range(self): logs.INFO("Checking export range") allowed_hosts = utils.get_item_from_obj(self.conf_obj, "nfs.exports.allowed.hosts", default="* rw") if allowed_hosts == "* rw": logs.ISSUE("NFS is exposed to internet for read and write.") logs.RECOMMENDATION(" / qualify nfs.exports.allowed.hosts") else: logs.DEBUG( f"NFS host priv: {allowed_hosts}. Evaluate based on the context." )