Esempio n. 1
0
    def check_registry_ac(self):
        logs.INFO("Checking registry access control")

        if utils.get_item_from_obj(self.conf_obj,
                                   "hadoop.registry.rm.enabled",
                                   default="false") == "true":
            if utils.get_item_from_obj(self.conf_obj,
                                       "hadoop.registry.secure",
                                       default="false") == "false":
                logs.ISSUE("registry.secure is not enabled. ")
                logs.RECOMMENDATION("hadoop.registry.secure = true")
            else:
                logs.DEBUG(f"Registry security is enabled.")
        else:
            logs.DEBUG("Registry is not enabled. ")
Esempio n. 2
0
    def check_encryption(self):
        if utils.get_item_from_obj(self.content,
                                   "spark.network.crypto.enabled",
                                   default="false") == "false":
            logs.ISSUE("Network encryption is not enabled")
            logs.RECOMMENDATION("spark.network.crypto.enable = true")
        else:
            logs.DEBUG('Network encryption is enabled')

        if utils.get_item_from_obj(self.content,
                                   "spark.io.encryption.enabled",
                                   default="false") == "false":
            logs.ISSUE("Disk encryption is not enabled")
            logs.RECOMMENDATION("spark.io.encryption.enable = true")
        else:
            logs.DEBUG('Disk encryption is enabled')
Esempio n. 3
0
    def check_acl(self):
        if utils.get_item_from_obj(self.content,
                                   "spark.acls.enable",
                                   default="false") == "false":
            logs.ISSUE("Access control not enabled for web portal")
            logs.RECOMMENDATION("spark.acls.enable = true")
        else:
            logs.DEBUG("Access control is enabled for web portal")

        if utils.get_item_from_obj(self.content,
                                   "spark.history.ui.acls.enable",
                                   default="false") == "false":
            logs.ISSUE("Access control not enabled for history server")
            logs.RECOMMENDATION("spark.history.ui.acls.enable = true")
        else:
            logs.DEBUG("Access control is enabled for history server")
Esempio n. 4
0
    def check_xss(self):
        if utils.get_item_from_obj(self.content,
                                   "spark.ui.xXssProtection",
                                   default="1;mode=block") == "0":
            logs.ISSUE("XSS protection is not enabled")
            logs.RECOMMENDATION("spark.ui.xXssProtection = 1")
        else:
            logs.DEBUG('XSS protection is enabled')

        if utils.get_item_from_obj(self.content,
                                   "spark.ui.xContentTypeOptions.enabled",
                                   default="true") == "false":
            logs.ISSUE("CORB protection is not enabled")
            logs.RECOMMENDATION("spark.ui.xContentTypeOptions.enabled = true")
        else:
            logs.DEBUG('CORB protection is enabled')
Esempio n. 5
0
 def check_ssl(self):
     if utils.get_item_from_obj(self.content,
                                "spark.ssl.enabled",
                                default="false") == "false":
         logs.ISSUE("SSL is not enabled")
         logs.RECOMMENDATION("spark.ssl.enable = true")
     else:
         logs.DEBUG('SSL is enabled')
Esempio n. 6
0
 def check_authentication(self):
     if utils.get_item_from_obj(self.content,
                                "spark.authenticate",
                                default="false") == "false":
         logs.ISSUE("Everyone can visit the instance")
         logs.RECOMMENDATION("spark.authenticate = true")
     else:
         logs.DEBUG("Authentication is enabled")
         password = utils.get_item_from_obj(self.content,
                                            "spark.authenticate.secret",
                                            default="")
         if utils.check_pwd(password):
             logs.DEBUG('Password is strong')
         else:
             logs.ISSUE('Password could be easily guessed.')
             logs.RECOMMENDATION(
                 "spark.authenticate.secret [stronger passwor]")
Esempio n. 7
0
 def check_logging(self):
     if utils.get_item_from_obj(self.content,
                                "spark.eventLog.enabled",
                                default="false") == "false":
         logs.ISSUE("Logging is not enabled")
         logs.RECOMMENDATION("spark.eventLog.enabled = true")
     else:
         logs.DEBUG('Logging is enabled')
Esempio n. 8
0
 def check_web_portal_ac(self):
     logs.INFO("Checking web portal access control")
     auth_method = utils.get_item_from_obj(
         self.conf_obj, "hadoop.http.authentication.type", default="simple")
     if auth_method == "simple":
         logs.ISSUE("Everyone can access the web portal")
         logs.RECOMMENDATION("hadoop.http.authentication.type = kerberos")
         if utils.get_item_from_obj(
                 self.conf_obj,
                 "hadoop.http.authentication.simple.anonymous.allowed",
                 default="true") == "true":
             logs.ISSUE("Anonymous is allowed to access web portal.")
             logs.RECOMMENDATION(
                 "hadoop.http.authentication.simple.anonymous.allowed = false"
             )
     else:
         logs.DEBUG(f"Authentication method [{auth_method}] enabled")
Esempio n. 9
0
 def check_global_ac(self):
     logs.INFO("Checking global access control")
     auth_method = utils.get_item_from_obj(self.conf_obj,
                                           "hadoop.security.authentication",
                                           default="simple")
     if auth_method == "simple":
         logs.ISSUE("Everyone can access the instance")
         logs.RECOMMENDATION("hadoop.security.authentication = kerberos")
     else:
         logs.DEBUG(f"Authentication method [{auth_method}] enabled")
     if utils.get_item_from_obj(self.conf_obj,
                                "hadoop.security.authorization",
                                default="false") == "false":
         logs.ISSUE("Authorization is not enabled")
         logs.RECOMMENDATION("hadoop.security.authorization = true")
     else:
         logs.DEBUG("Authorization enabled")
Esempio n. 10
0
 def check_fs_permission(self):
     logs.INFO("Checking hdfs permission")
     if utils.get_item_from_obj(self.conf_obj,
                                "dfs.permissions.enabled",
                                default="true") == "false":
         logs.ISSUE(
             "HDFS does not have access control. Everyone could conduct CURD operations on the instance."
         )
         logs.RECOMMENDATION("dfs.permissions.enabled = true")
     else:
         logs.DEBUG("HDFS permission system is enabled.")
     if utils.get_item_from_obj(self.conf_obj,
                                "dfs.namenode.acls.enabled",
                                default="false") == "false":
         logs.ISSUE("HDFS ACLs is not enabled.")
         logs.RECOMMENDATION("dfs.namenode.acls.enabled = true")
     else:
         logs.DEBUG("HDFS ACLs is enabled.")
Esempio n. 11
0
    def check_ssl(self):
        logs.INFO("Checking SSL")

        if utils.get_item_from_obj(self.conf_obj,
                                   "hadoop.ssl.enabled",
                                   default="false") == "false":
            logs.ISSUE("SSL is disabled.")
            logs.RECOMMENDATION("hadoop.ssl.enabled = true")
        else:
            logs.DEBUG("SSL is enabled.")
Esempio n. 12
0
    def check_cors(self):
        logs.INFO("Checking web portal cross origin policy")

        if utils.get_item_from_obj(self.conf_obj,
                                   "hadoop.http.cross-origin.enabled",
                                   default="false") == "true":
            allowed_origins = utils.split_ip(
                utils.get_item_from_obj(
                    self.conf_obj,
                    "hadoop.http.cross-origin.allowed-origins",
                    default="true"))
            if "*" in allowed_origins:
                logs.ISSUE("Cross origin is wildcard.")
                logs.RECOMMENDATION(
                    " / qualify hadoop.http.cross-origin.allowed-origins")
            else:
                logs.DEBUG(
                    f"CORS is enabled but only allowed to {','.join(allowed_origins)}"
                )
        else:
            logs.DEBUG("CORS is off")
Esempio n. 13
0
    def check_nfs_export_range(self):
        logs.INFO("Checking export range")

        allowed_hosts = utils.get_item_from_obj(self.conf_obj,
                                                "nfs.exports.allowed.hosts",
                                                default="* rw")
        if allowed_hosts == "* rw":
            logs.ISSUE("NFS is exposed to internet for read and write.")
            logs.RECOMMENDATION(" / qualify nfs.exports.allowed.hosts")
        else:
            logs.DEBUG(
                f"NFS host priv: {allowed_hosts}. Evaluate based on the context."
            )