def run(config_content):
    """Report the command-history check to the console.

    Builds a CommandHistoryInfo from *config_content* and prints each entry
    it collected under ``history_status['evil_content']`` on its own line
    (embedded newlines stripped), or a single all-clear line when that list
    is empty.  Output only; returns None.
    """
    information = CommandHistoryInfo(config_content)
    flagged = information.history_status['evil_content']

    console(4)
    console(0, "开始历史命令安全检查")
    if not flagged:
        console(1, "命令历史正常")
    else:
        for raw_line in flagged:
            # Entries may span lines; collapse them so one finding is one line.
            cleaned = raw_line.replace('\n', '')
            console(3, f"存在恶意命令:{cleaned}")

    console(4)

    del information
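def check(config_content):
    """Run every enabled check module in a worker pool, then report completion.

    Args:
        config_content: parsed configuration.  Each module section
            (``System``, ``Account``, ``File``, ``CommandHistory``,
            ``Process``, ``NetWork``, ``Backdoor``) must carry an ``enable``
            flag; the module runs only when it equals 1.  A missing section
            raises KeyError on purpose rather than silently skipping a check.

    Side effects: prints to the console; each module's ``run`` executes in a
    worker of the module's ``Pool``, so their output order is not
    deterministic.  A worker that raises is reported as a level-3 finding
    instead of being lost.
    """
    # Host facts are printed first, in this process, before any worker starts.
    SysInfo.run()

    # (config section, module entry point) in submission order.
    modules = (
        ('System', System.run),
        ('Account', Account.run),
        ('File', File.run),
        ('CommandHistory', CommandHistory.run),
        ('Process', Process.run),
        ('NetWork', NetWork.run),
        ('Backdoor', Backdoor.run),
    )

    pool = Pool(4)
    # Keep the AsyncResult handles: apply_async() only surfaces a worker's
    # exception through .get(), so dropping them makes a crashed check look
    # like a clean one.
    pending = []
    try:
        for section, runner in modules:
            if config_content[section]['enable'] == 1:
                pending.append(
                    (section, pool.apply_async(runner, (config_content[section],))))
    finally:
        # close() stops submissions; join() waits for running work even when a
        # config lookup above raised, so no worker is left orphaned.
        pool.close()
        pool.join()

    for section, result in pending:
        try:
            result.get()
        except Exception as exc:  # boundary: report the failed module, keep going
            console(3, f"{section} 检查模块执行出错: {exc!r}")

    console(4)
    console(0,"检查完毕")
    console(4)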
def run(config_content):
    """Print the file-integrity check results collected by FileInfo.

    Sections, in order: files added or changed within the configured window,
    hash verification of important executables, then suspicious files found
    by the system, temp-directory, user-directory and hidden-file scans.
    Output only (via console()); returns None.
    """
    information = FileInfo(config_content)

    console(4)
    console(0, "开始文件安全检查")

    console(0, "指定时间内主机上所有增加或改动过的文件:")
    moved = information.moved_files
    for path in moved['moved_files']:
        console(2, "此文件被添加或修改过:" + path)
    console(1, f"指定时间内一共 {moved['file_count']} 处文件被增加或改动")

    console(0, "检查系统重要可执行文件Hash值:")
    command_status = information.command_status
    if 'error_message' in command_status:
        console(3, "出现错误:" + command_status['error_message'])
    elif not command_status['unexist_command'] and not command_status['unsafe_command']:
        console(1, "命令哈希值全部正常")
    else:
        # Only the problem categories are listed; commands that verified
        # cleanly stay quiet.  (category key, console level, line template)
        findings = (
            ('prelink_command', 2, " {} 由prelink服务更新过 请手动检查"),
            ('unexist_command', 2, " {} 命令不存在 请手动修改配置文件"),
            ('unsafe_command', 3, " {} 命令哈希值不正确 可能存在被替换的风险 请手动排查或更新数据配置"),
        )
        for category, level, template in findings:
            for command in command_status[category]:
                console(level, template.format(command))

    # (attribute name, section header, all-clear text, per-file template);
    # the attribute is resolved inside the loop so reads happen in the same
    # order as the printed sections.
    scans = (
        ('system_integrity', "检查系统上可能存在的恶意文件:",
         "未检测出关键文件存在恶意特征", "存在恶意文件:{} . "),
        ('tmp_file_status', "检查系统临时文件目录:",
         "未检测出关键文件存在恶意特征", "存在恶意文件:{} . "),
        ('user_file_status', "检查系统各用户目录:",
         "未检测出关键文件存在恶意特征", "存在恶意文件:{} . "),
        ('hide_files_status', "检查系统可疑隐藏文件:",
         "未发现可疑隐藏文件", "存在可疑隐藏文件:{}"),
    )
    for attribute, header, all_clear, template in scans:
        console(0, header)
        evil_files = getattr(information, attribute)['evil_file']
        if not evil_files:
            console(1, all_clear)
        else:
            for path in evil_files:
                console(3, template.format(path))

    console(4)

    del information
def run(config_content):
    """Print the system-initialisation check, i.e. the shell alias scan.

    Any error messages recorded in ``alias_status['error_message']`` are
    printed as warnings first; then each entry of ``alias_status['evil_alias']``
    is reported with its source file and command, or a single all-clear line
    when there are none.  Output only; returns None.
    """
    information = System(config_content)
    alias_status = information.alias_status

    console(4)
    console(0,"开始系统初始化项检查")
    console(0,"开始检查系统Alias:")

    # Errors are warnings only; they do not suppress the alias report below.
    for message in alias_status['error_message']:
        console(2, message)

    suspicious = alias_status['evil_alias']
    if not suspicious:
        console(1,"未发现异常Alias")
    else:
        for entry in suspicious:
            console(3,f"发现异常Alias  所属文件 : {entry.belongfile}  .  命令为 : {entry.content}")
    console(4)

    del information
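def run(config_content):
    """Print the process check results collected by ProcessInfo.

    Sections, in order: processes above the CPU threshold, processes above
    the memory threshold, hidden processes, reverse-shell candidates and
    processes whose executable was flagged.  Output only; returns None.

    Fix: the memory section previously reused the CPU section's text
    ("进程使用CPU正常" / "超过CPU阈值"), so a memory finding was reported as
    a CPU one.
    """
    information = ProcessInfo(config_content)

    console(4)
    console(0,"开始进程安全检测")

    # cpu_status / memory_status rows are indexed positionally; the messages
    # below label them as [0] user, [1] pid, [2] usage, [4] command.
    console(0,"开始分析占用CPU高的进程:")
    if not information.cpu_status:
        console(1,"进程使用CPU正常")
    else:
        for info in information.cpu_status:
            console(3,f"存在超过CPU阈值的进程。所属用户为 {info[0]} . 进程号为 {info[1]} . 占用CPU率为 {info[2]} . 对应命令为 {info[4]} .")

    console(0,"开始分析占用内存高的进程:")
    if not information.memory_status:
        console(1,"进程使用内存正常")
    else:
        for info in information.memory_status:
            console(3,f"存在超过内存阈值的进程。所属用户为 {info[0]} . 进程号为 {info[1]} . 占用内存率为 {info[2]} . 对应命令为 {info[4]} .")

    console(0,"开始隐藏进程检查:")
    if not information.hidden_processes:
        console(1,"未发现隐藏进程")
    else:
        for pid in information.hidden_processes:
            console(3,f"发现隐藏进程 进程号为 {pid} . 建议人工检查 /proc/{pid}/ .")

    # reverse_shell_status: {process path: (pid, content)}
    console(0,"开始检查是否存在反弹Shell进程")
    if not information.reverse_shell_status:
        console(1,"未发现反弹Shell进程")
    else:
        for path, detail in information.reverse_shell_status.items():
            console(3,f"发现反弹Shell进程 进程路径 {path} . 进程号为 {detail[0]} . 内容为 {detail[1]}")

    # exe_file_status: {process name: content}
    console(0,"开始分析进程的执行文件:")
    if not information.exe_file_status:
        console(1,"未发现进程恶意执行文件")
    else:
        for name, content in information.exe_file_status.items():
            console(3,f"发现进程恶意执行文件 进程名: {name} . 内容为 : {content}")
    console(4)

    del information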
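def run(config_content):
    """Print the account-security check results collected by AccountInfo.

    Sections, in order: UID-0 accounts other than root, empty-password
    accounts, password ageing/length policy against
    ``config_content['policy']``, TMOUT auto-logout against
    ``config_content['TMOUT']['timeout']``, logged-in users, sudo users,
    passwordless-login public keys and password-file permissions.
    Output only (via console()); returns None.

    Fixes relative to the previous version: the logged-in-user loop used an
    undefined name (``current_user`` instead of ``userinfo``); the minimum
    password length was judged compliant when it was *at most* the policy
    value; the PASS_WARN_AGE message contradicted its comparison; the
    authorized_keys and passwd-file loops did not handle dict ``data``
    fields the way the sudo loop does.
    """
    information = AccountInfo(config_content)

    console(4)
    console(0, '开始检查账户安全')

    _report_special_accounts(information.special_accounts)
    _report_password_policy(information.password_policy, config_content)
    _report_tmout(information.TMOUT, config_content)
    _report_sessions_and_files(information)

    console(4)

    del information


def _report_special_accounts(special_accounts):
    """Report UID-0 non-root accounts, then empty-password accounts.

    The UID-0 list is printed regardless of ``status``; the empty-password
    list is replaced by the recorded ``exception`` when ``status`` is 0.
    """
    console(0, "检查账户安全:")
    uid0_users = special_accounts["evil_users"]
    if uid0_users:
        console(3, "检测到UID为0的非root账户:")
        for user in uid0_users:
            console(3, f"{user} 为存在于主机上的UID为0的用户")
    else:
        console(1, "不存在UID为0的非root账户")

    if special_accounts['status'] == 0:
        console(3, f"出现错误:{special_accounts['exception']}")
        return
    empty_users = special_accounts["empty_users"]
    if empty_users:
        console(3, "检测存在空口令账户:")
        for user in empty_users:
            console(3, f"{user} 为存在于主机上的空口令账户")
    else:
        console(1, "不存在空口令账户")


def _policy_value_ok(current, required, *, at_most):
    """Return True when the host value *current* satisfies the policy bound.

    ``at_most`` selects ``current <= required`` (a maximum such as
    PASS_MAX_DAYS); otherwise ``current >= required`` (a minimum).  An empty
    or non-integer host value is treated as non-compliant instead of raising,
    so one malformed line does not abort the whole report; a non-integer
    *policy* value still raises ValueError because that is a config error.
    """
    if not current:
        return False
    want = int(required)
    try:
        have = int(current)
    except (TypeError, ValueError):
        return False
    return have <= want if at_most else have >= want


def _report_password_policy(password_policy, config_content):
    """Report password ageing/length settings against config_content['policy']."""
    console(0, '检查口令策略相关信息:')
    if password_policy['status'] == 0:
        console(2, f"未检测到存在口令策略 {password_policy['filepath']} 存在")
        return
    policy = config_content['policy']

    # (key, bound is an upper limit?, compliant text, non-compliant text)
    # pass_max: maximum lifetime, must not exceed the policy value.
    # pass_min: minimum days between changes, must be at least the policy value.
    # pass_len: minimum length, must be at least the policy value (the old
    #   comparison used <=, which reported short minimum lengths as compliant).
    # pass_age: expiry warning days, must be at least the policy value; the
    #   comparison (>=) is kept as the source of truth, the old text said
    #   "小于等于", contradicting it (warning earlier is the stricter setting).
    checks = (
        ('pass_max', True,
         "口令最大生存周期符合要求 现周期为:{have}",
         "口令最大生存周期不符合要求,建议小于等于{want}天 现周期为:{have}"),
        ('pass_min', False,
         "口令最小更改时间符合要求 现周期为:{have}",
         "口令最小更改时间不符合要求,建议大于等于{want}天 现周期为:{have}"),
        ('pass_len', False,
         "口令最小长度符合要求 现长度为:{have}",
         "口令最小长度不符合要求,建议大于等于{want}位 现长度为:{have}"),
        ('pass_age', False,
         "口令过期警告时间符合要求 现周期为:{have}",
         "口令过期警告时间不符合要求,建议大于等于{want}天并小于口令最大生存周期 现周期为:{have}"),
    )
    for key, at_most, ok_text, bad_text in checks:
        have, want = password_policy[key], policy[key]
        if _policy_value_ok(have, want, at_most=at_most):
            console(1, ok_text.format(have=have, want=want))
        else:
            console(2, bad_text.format(have=have, want=want))


def _report_tmout(tmout, config_content):
    """Report the shell TMOUT auto-logout value against config_content['TMOUT']['timeout'].

    A TMOUT strictly below the configured timeout is compliant; an unset
    TMOUT and a missing configuration file are both warnings.
    """
    console(0, '检查账号自动注销设置:')
    if tmout['status'] == 0:
        # Was labelled "口令策略" (copied from the password-policy check).
        console(2, f"未检测到账号自动注销设置 {tmout['filepath']} 存在")
        return
    current = tmout['TMOUT_Time']
    if not current:
        console(2, "未设置TMOUT账号自动注销")
    elif int(current) < int(config_content['TMOUT']['timeout']):
        console(1, f"账号自动注销设置符合要求,时间为{current}")
    else:
        console(2, f"账号自动注销设置不符合要求,时间为{current}")


def _records(data):
    """Yield the per-record dicts of a ``data`` field.

    AccountInfo's ``data`` fields are read here either as a dict (the sudo
    report iterates ``.items()``) or as an iterable of ``(key, record)``
    pairs, which is what the old unpacking loop accepted; both shapes are
    supported so the three reports behave the same way.
    """
    if isinstance(data, dict):
        return data.values()
    return (record for _key, record in data)


def _report_sessions_and_files(information):
    """Report logged-in users, sudo users, authorized_keys entries and passwd-file permissions."""
    console(0, "检查当前登陆的用户:")
    current_user = information.current_user
    if current_user['status'] == 0:
        console(1, '当前没有登陆的用户')
    else:
        # NOTE(review): this iterates the status dict itself, as before; the
        # per-user records may instead live under current_user['data'] like
        # the other AccountInfo fields — confirm against AccountInfo.
        for userinfo in current_user:
            console(
                2,
                f"当前登陆的用户为:{userinfo['current_user']} . 登陆时间为 {userinfo['login_time']} . 登陆来源为: {userinfo['remote_ip']} ."
            )

    console(0, "检查当前sudo用户")
    sudo_status = information.sudo_status
    if sudo_status['status'] == 0:
        console(1, "未发现sudo权限用户")
    else:
        for record in sudo_status['data'].values():
            console(2,
                    f"发现sudo权限用户 文件 {record['file']} . 用户 {record['content']} ")

    console(0, "开始检查免密登录公钥情况")
    keys_status = information.authorized_keys_status
    if keys_status['status'] == 0:
        console(1, "免密登录公钥情况正常")
    else:
        for record in _records(keys_status['data']):
            console(2,
                    f"发现免密登陆证书 路径:{record['file']} . 客户端 {record['content']} ")

    console(0, "开始检查密码文件权限情况")
    passwd_status = information.passwd_file_status
    if passwd_status['status'] == 0:
        console(1, "密码文件权限情况正常")
    else:
        for record in _records(passwd_status['data']):
            console(2, f"{record['file']}文件权限情况不正常 权限为 {record['content']}")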
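def run(config_content):
    """Print the backdoor check results collected by BackdoorInfo.

    Each ``*_status`` field is a dict with ``status`` (0 = nothing found)
    and ``data``; ``data`` values are records indexed by ``file`` and/or
    ``content`` (see the message templates).  Output only; returns None.

    Fix: the PATH-backdoor loop tested ``type(x) == dict``; it now uses
    ``isinstance`` so dict subclasses are walked too, and unused loop keys
    are gone.
    """
    information = BackdoorInfo(config_content)

    console(4)
    console(0, "开始后门检测")
    console(0, "检测环境变量")
    if information.PATHBackdoor['status'] == 0:
        console(1, "未发现环境变量后门")
    else:
        # data -> {group: {'tag': label, <name>: {key: record, ...}, ...}};
        # only the dict-valued entries of a group hold records, 'tag' labels them.
        for group in information.PATHBackdoor['data'].values():
            for entry in group.values():
                if not isinstance(entry, dict):
                    continue
                for record in entry.values():
                    console(
                        3,
                        f"发现环境变量后门 后门类型 {group['tag']} . 文件 {record['file']} . 内容 {record['content']} . 请人工检查"
                    )

    _report_records(information.ld_so_preload,
                    "开始检测ld.so.preload后门:", "未发现ld.so.preload后门",
                    "发现ld.so.preload后门 文件位置 {file} . 内容 {content}")
    _report_records(information.cron_status,
                    "开始检测定时任务后门", "未发现定时任务后门",
                    "发现定时任务后门 文件位置 {file} . 内容 {content}")

    console(0, "开始检测SSH Server wrapper后门")
    if information.ssh_wrapper['status'] == 0:
        console(1, "未检测到SSH Server wrapper后门")
    else:
        console(3, "检测到SSH Server wrapper后门 。文件位于 /usr/sbin/sshd")

    _report_records(information.init_status,
                    "开始检测系统启动项", "未发现异常系统启动项",
                    "发现异常系统启动项 文件 {file} . 内容 {content} .")
    # The attribute is spelled 'suid_stauts' by BackdoorInfo; keep it as-is.
    _report_records(information.suid_stauts,
                    "开始检测SUID提权后门", "未检测到SUID提权后门",
                    "检测到SUID提权后门 内容为 {content}")
    console(4)

    del information


def _report_records(status, header, all_clear, template):
    """Print *header*, then either *all_clear* or one level-3 line per record.

    Args:
        status: dict with ``status`` (0 = nothing found) and ``data``, a
            mapping whose values are the records.
        header: section title printed at level 0.
        all_clear: text printed at level 1 when ``status['status'] == 0``.
        template: str.format_map template rendered with each record's own
            keys (``file``, ``content``).
    """
    console(0, header)
    if status['status'] == 0:
        console(1, all_clear)
        return
    for record in status['data'].values():
        console(3, template.format_map(record))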
def run(config_content):
    """Print the network check results collected by NetWorkInfo.

    Lists every remote connection in ``network_link['data']`` — with
    geolocation detail when the IP lookup succeeded, and flagged as urgent
    when that lookup marks the peer overseas — then whether an interface is
    in promiscuous mode.  Output only; returns None.
    """
    information = NetWorkInfo(config_content)

    console(4)
    console(0, "开始网络分析:")

    console(0, "开始网络链接检测")
    links = information.network_link
    if links['status'] == 0:
        console(1, "未发现建立远程通信的链接")
    else:
        for link in links['data'].values():
            endpoint = (f" 链接方式为 {link['LinkMethod']} IP和端口为 {link['IP']}:{link['Port']}"
                        f" 进程PID为 {link['PID']}")
            ip_info = link['IP_Information']
            if ip_info['status'] == 1:
                heading = ("紧急!!!发现境外远程通信链接" if ip_info['Overseas'] == 1
                           else "发现远程通信链接")
                geo = (f" 详细IP信息为 国家 {ip_info['Country']} 城市 {ip_info['City']}"
                       f" 所属运营商 {ip_info['ISP']}")
            else:
                # No lookup result: same alert level, no geolocation suffix.
                heading, geo = "发现远程通信链接", ""
            console(3, heading + endpoint + geo)

    console(0, "开始网卡是否开启混杂模式检测")
    level, text = ((2, "检测到网卡开启混杂模式") if information.network_promisc['status'] == 1
                   else (1, "网卡未开启混杂模式"))
    console(level, text)
    console(4)

    del information
def run():
    """Print the host identification collected by sysinfo().

    Hostname, kernel version, OS version and architecture are printed as
    level-1 lines; the public-IP line becomes a level-3 alert when the
    lookup stored the "NETWORKERROR" marker.  Output only; returns None.
    """
    information = sysinfo()
    console(4)
    console(0, "系统信息:")
    # (label, attribute) in display order.  Concatenated with '+' rather than
    # an f-string so a non-str attribute fails exactly as it always did.
    fields = (
        ("主机名 : ", 'hostname'),
        ("内核版本 : ", 'sys_version'),
        ("系统版本 : ", 'host_version'),
        ("系统架构 : ", 'arch'),
    )
    for label, attribute in fields:
        console(1, label + getattr(information, attribute))

    remote_ip = information.remote_ip
    if remote_ip == "NETWORKERROR":
        console(3, "公网IP: 未联网或网络不通畅,无法显示公网IP")
    else:
        console(1, "公网IP:" + remote_ip)

    console(4)

    del information