Exemple #1
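def run_check(config):
    """Report TCP listeners bound to every interface on unexpected ports.

    Parses ``netstat -pltn`` output and flags each listening socket whose
    port is above ``UNKNOWN_PORT_LIMIT``, is not in ``XMPP_PORTS`` and whose
    local host is in ``EVERY_IPS``.

    Args:
        config: Unused by this check.

    Returns:
        ``{"status": "SUCCESS"}`` when nothing is flagged, otherwise a dict
        with ``"status": "FAILURE"`` and a ``"message"`` listing each
        offending ``program (port)``.
    """
    # The command strings are constants, so nothing external reaches the
    # shell. NOTE(review): for IPv4 listeners netstat prints "0.0.0.0:*" in
    # the foreign-address column, so the first grep presumably lets
    # loopback-only listeners through as well; the `host in EVERY_IPS` test
    # below is what actually selects wildcard binds -- confirm.
    lines = get_lines_from_command("sudo netstat -pltn | grep 0.0.0.0")
    # Raw string: the shell must receive a literal backslash-space, and a
    # plain "\ " is an invalid escape sequence that newer Pythons warn about.
    lines = lines + get_lines_from_command(r"sudo netstat -pltn | grep 0\ :::")

    unexpected_open_ports = []

    for line in lines:
        column = str(line).split()
        local_address = column[3]
        if local_address.startswith(":::"):
            # IPv6 wildcard bind, printed as ":::<port>".
            host = ":::"
            port = int(local_address[3:])
        else:
            # Split on the last colon so the port is always the final field.
            host, _, port_text = local_address.rpartition(":")
            port = int(port_text)

        # The PID/program column is "<pid>/<name>", or "-" when netstat
        # cannot attribute the socket to a process. Keep the raw value in
        # that case so the port is still reported instead of the whole
        # check failing with an IndexError.
        pid_program = column[6]
        parts = pid_program.split("/")
        name = parts[1] if len(parts) > 1 else pid_program

        if port > UNKNOWN_PORT_LIMIT \
           and port not in XMPP_PORTS \
           and host in EVERY_IPS:
            unexpected_open_ports.append("%s (%s)" % (name, str(port)))

    if not unexpected_open_ports:
        return {"status": "SUCCESS"}

    return {
        "status":
        "FAILURE",
        "message":
        "Some of your servers listen to the 0.0.0.0 host:"
        " %s " % ", ".join(unexpected_open_ports)
    }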
Exemple #2
def run_check(config):
    """Report whether any known firewall process appears in ``ps -ef``.

    Args:
        config: Unused by this check.

    Returns:
        ``{"status": "SUCCESS"}`` if at least one name in ``FIREWALL_NAMES``
        yields more than two matching ``ps`` lines, otherwise a FAILURE dict
        with an explanatory message.
    """
    # Run the probe for every name, as the original loop did, then decide.
    # NOTE(review): the "> 2" threshold presumably discounts the grep
    # process and the wrapping shell, which match their own pattern; how
    # many such lines appear depends on how get_lines_from_command spawns
    # the pipeline -- confirm. A matching process name also does not show
    # that any filtering rules are loaded.
    match_counts = [
        len(get_lines_from_command("ps -ef | grep %s" % firewall_name))
        for firewall_name in FIREWALL_NAMES
    ]

    if any(count > 2 for count in match_counts):
        return {"status": "SUCCESS"}
    return {"status": "FAILURE", "message": "No firewall is running."}
Exemple #3
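def run_check(config):
    """Check how the account reported by ``passwd -S`` can authenticate.

    Args:
        config: Unused by this check.

    Returns:
        ``{"status": "SUCCESS"}`` when the first line of ``passwd -S``
        contains ``"NP"``; a FAILURE dict when a password is set and
        ``/root/.ssh/authorized_keys`` exists and is non-empty; a WARNING
        dict when only the password is available.
    """
    # NOTE(review): without a user argument `passwd -S` describes the
    # invoking user, so this is only about root when the check runs as
    # root -- confirm against the caller.
    first_line = get_first_line_from_command("passwd -S")

    # NOTE(review): "NP" is the "no password" status. Whether that means
    # password login is impossible depends on PAM/sshd settings such as
    # PermitEmptyPasswords, and a locked account (status "L"/"LK") falls
    # through to the password branch below -- confirm this is intended.
    # The substring test would also match a user name containing "NP".
    if "NP" in first_line:
        return {"status": "SUCCESS"}

    # Only read the key file when it exists, instead of running `cat` on a
    # missing path and discarding whatever it printed.
    authorized_keys = "/root/.ssh/authorized_keys"
    has_ssh_keys = False
    if os.path.exists(authorized_keys):
        lines = get_lines_from_command("cat /root/.ssh/authorized_keys")
        has_ssh_keys = len(lines) > 0

    if has_ssh_keys:
        return {
            "status":
            "FAILURE",
            "message":
            "Your root user should not be able to log in with "
            "password, only SSH login should be allowed."
        }

    return {
        "status":
        "WARNING",
        "message":
        "Your root user can connect only with root password."
        " That's fine but you should consider having a "
        "strong password and think about allowing SSH "
        "access only."
    }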
Exemple #4
def check_ufw():
    """Return True when ``sudo ufw status`` looks like an active firewall.

    The output must have more than two lines, and its first line must
    contain ``"Status"`` without containing ``"inactive"``.
    """
    status_output = get_lines_from_command("sudo ufw status")

    # NOTE(review): an enabled ufw with no rules may print fewer than three
    # lines and would then be reported as not running -- confirm.
    if len(status_output) <= 2:
        return False

    header = status_output[0]
    return "Status" in header and "inactive" not in header