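def run_check(config):
    """Flag TCP listeners bound to every interface on unexpected ports.

    Runs ``netstat -pltn`` twice, once filtered for IPv4 wildcard lines and
    once for IPv6 wildcard lines. Each listener whose port is above
    UNKNOWN_PORT_LIMIT, is not in XMPP_PORTS, and whose bind address is in
    EVERY_IPS is reported. These constants are defined elsewhere in the module.

    Args:
        config: Check configuration; not read by this check.

    Returns:
        ``{"status": "SUCCESS"}`` when nothing unexpected is found, otherwise
        a ``FAILURE`` dict whose message lists ``program (port)`` entries.
    """
    lines = get_lines_from_command("sudo netstat -pltn | grep 0.0.0.0")
    # "\\ " produces the same shell text as the former "\ " literal (an
    # escaped space for grep) without relying on an invalid string escape.
    lines = lines + get_lines_from_command("sudo netstat -pltn | grep 0\\ :::")

    unexpected_open_ports = []
    for line in lines:
        column = str(line).split()
        if len(column) < 4:
            # Not a socket row: there is no local-address column to inspect.
            continue

        host = column[3]
        if host[:3] == ":::":
            raw_port = host[3:]
            host = ":::"
        else:
            # Split on the last colon so a specific IPv6 bind address such as
            # "::1:8080", which the loose grep patterns can let through, is
            # parsed instead of raising on an empty port field.
            host, _, raw_port = host.rpartition(":")

        try:
            port = int(raw_port)
        except ValueError:
            # Local address without a numeric port: nothing to compare.
            continue

        # netstat prints "-" in the PID/Program column when the owner cannot
        # be resolved. Keep reporting the listener rather than letting the
        # whole audit abort on the missing "/".
        owner = column[6] if len(column) > 6 else "-"
        name = owner.split("/")[1] if "/" in owner else "unknown"

        if port > UNKNOWN_PORT_LIMIT \
           and port not in XMPP_PORTS \
           and host in EVERY_IPS:
            unexpected_open_ports.append("%s (%s)" % (name, str(port)))

    if not unexpected_open_ports:
        return {"status": "SUCCESS"}

    return {
        "status": "FAILURE",
        "message": "Some of your servers listen to the 0.0.0.0 host:"
                   " %s " % ", ".join(unexpected_open_ports)
    }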
def run_check(config):
    """Report whether a process matching a known firewall name is running.

    For every entry of FIREWALL_NAMES (defined elsewhere in the module) the
    process table is grepped for that name; more than two matching lines for
    any entry is treated as "firewall up".

    Args:
        config: Check configuration; not read by this check.

    Returns:
        ``{"status": "SUCCESS"}`` or a ``FAILURE`` dict with a message.
    """
    # NOTE(review): this is a process-name heuristic. It matches any command
    # line containing the name and says nothing about whether filtering rules
    # are actually loaded -- confirm this is the intended level of assurance.
    match_counts = [
        len(get_lines_from_command("ps -ef | grep %s" % candidate))
        for candidate in FIREWALL_NAMES
    ]

    # The threshold of two presumably discounts the grep pipeline's own
    # entries in the listing -- TODO confirm against get_lines_from_command.
    if any(count > 2 for count in match_counts):
        return {"status": "SUCCESS"}

    return {"status": "FAILURE", "message": "No firewall is running."}
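def run_check(config):
    """Check how the root account can authenticate.

    Reads the status reported by ``passwd -S`` and, when the account is not
    reported as ``NP``, looks for entries in root's ``authorized_keys`` file.

    Args:
        config: Check configuration; not read by this check.

    Returns:
        ``SUCCESS`` when the status field is ``NP``; ``FAILURE`` when a
        password is set and SSH keys are also installed; ``WARNING`` when only
        a password is available.
    """
    first_line = get_first_line_from_command("passwd -S")

    # Compare the status field itself (second column of `passwd -S`) instead
    # of searching the whole line, so "NP" occurring in another field, such as
    # an account name, cannot produce a false SUCCESS.
    fields = first_line.split()
    status = fields[1] if len(fields) > 1 else ""

    # NOTE(review): "NP" means the account has no password set. Whether that
    # blocks password login or permits an empty one depends on PAM and sshd
    # settings this check does not inspect -- confirm before relying on it.
    if status == "NP":
        return {"status": "SUCCESS"}

    # Only read the key file when it exists; a missing file means no keys.
    key_file = "/root/.ssh/authorized_keys"
    has_keys = False
    if os.path.exists(key_file):
        has_keys = len(get_lines_from_command("cat /root/.ssh/authorized_keys")) > 0

    if has_keys:
        return {
            "status": "FAILURE",
            "message": "Your root user should not be able to log in with "
                       "password, only SSH login should be allowed."
        }

    return {
        "status": "WARNING",
        "message": "Your root user can connect only with root password."
                   " That's fine but you should consider having a "
                   "strong password and think about allowing SSH "
                   "access only."
    }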
def check_ufw():
    """Return True when ``sudo ufw status`` reports an active firewall.

    The output must have more than two lines, and its first line must contain
    "Status" and must not contain "inactive".
    """
    status_output = get_lines_from_command("sudo ufw status")

    # Requiring more than two lines means a bare status line with nothing
    # after it is not accepted as "up".
    if len(status_output) <= 2:
        return False

    # NOTE(review): the match relies on the English words "Status" and
    # "inactive"; presumably the command runs under an English locale --
    # confirm.
    header = status_output[0]
    return "Status" in header and "inactive" not in header