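    def check_registry_ac(self):
        """Audit the YARN registry's access-control setting.

        Reads ``hadoop.registry.rm.enabled`` from ``self.conf_obj``; when the
        registry is turned on, ``hadoop.registry.secure`` left at ``false`` is
        reported as an ISSUE.  All results go through ``logs``; nothing is
        returned.
        """
        logs.INFO("Checking registry access control")

        # NOTE(review): comparisons are exact and case-sensitive ("True" would
        # be treated as "not enabled") — confirm how conf_obj normalises values.
        registry_enabled = utils.get_item_from_obj(self.conf_obj,
                                                   "hadoop.registry.rm.enabled",
                                                   default="false")
        if registry_enabled != "true":
            logs.DEBUG("Registry is not enabled. ")
            return

        registry_secure = utils.get_item_from_obj(self.conf_obj,
                                                  "hadoop.registry.secure",
                                                  default="false")
        if registry_secure == "false":
            logs.ISSUE("registry.secure is not enabled. ")
            logs.RECOMMENDATION("hadoop.registry.secure = true")
        else:
            # Plain literal: the original used an f-string with no placeholders.
            logs.DEBUG("Registry security is enabled.")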
    def check_xss(self):
        """Audit the Spark web UI's browser-side protection headers.

        Checks ``spark.ui.xXssProtection`` and
        ``spark.ui.xContentTypeOptions.enabled`` in ``self.content`` and
        reports an ISSUE for each one that is explicitly switched off.
        """
        # (key, default, value-that-means-disabled, issue, fix, ok-message)
        header_checks = (
            ("spark.ui.xXssProtection", "1;mode=block", "0",
             "XSS protection is not enabled",
             "spark.ui.xXssProtection = 1",
             'XSS protection is enabled'),
            ("spark.ui.xContentTypeOptions.enabled", "true", "false",
             "CORB protection is not enabled",
             "spark.ui.xContentTypeOptions.enabled = true",
             'CORB protection is enabled'),
        )
        for key, fallback, disabled_value, issue, fix, ok in header_checks:
            current = utils.get_item_from_obj(self.content, key, default=fallback)
            if current == disabled_value:
                logs.ISSUE(issue)
                logs.RECOMMENDATION(fix)
            else:
                logs.DEBUG(ok)
    def check_acl(self):
        """Audit ACL enforcement on the Spark web UI and the history server.

        Reads ``spark.acls.enable`` and ``spark.history.ui.acls.enable`` from
        ``self.content``; the literal ``"false"`` (also the default) is
        reported as an ISSUE together with the setting to change.
        """
        def report(key, issue, fix, ok):
            # Only the literal "false" counts as disabled; any other value is
            # treated as enabled.
            enabled = utils.get_item_from_obj(self.content, key,
                                              default="false") != "false"
            if enabled:
                logs.DEBUG(ok)
            else:
                logs.ISSUE(issue)
                logs.RECOMMENDATION(fix)

        report("spark.acls.enable",
               "Access control not enabled for web portal",
               "spark.acls.enable = true",
               "Access control is enabled for web portal")
        report("spark.history.ui.acls.enable",
               "Access control not enabled for history server",
               "spark.history.ui.acls.enable = true",
               "Access control is enabled for history server")
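    def check_authentication(self):
        """Audit MySQL account exposure and, on request, weak passwords.

        Lists ``host, user`` pairs from ``mysql.user``.  Accounts whose host
        pattern contains ``%`` or a non-internal address are reported with
        WARN; hosts accepted by ``utils.is_internal`` are skipped entirely.
        For every reported account the operator is asked whether to try the
        passwords from ``utils.get_weak_passwords()`` against the server.
        """
        if self.conn is None:
            self.connect()
        self.cursor.execute("SELECT host, user FROM mysql.user")
        weak_passwords = utils.get_weak_passwords()
        # Rows are (host, user) tuples in the order selected above.
        for host, user in self.cursor.fetchall():
            if "%" in host:
                logs.WARN(f"User {user} is exposed to the internet (0.0.0.0)")
            elif utils.is_internal(host):
                # Internal-only accounts are not subject to the password check.
                continue
            else:
                logs.WARN(f"User {user} is exposed to external IP {host}")

            # The prompt is repeated for each reported account (as before).
            # Every attempt is a real login and shows up as a failed
            # authentication on the server side.
            if utils.ask("Would you like to perform weak-password check? This may create high traffic load "
                         "for MySQL server. (i.e. Do not perform this when there is already high traffic.)"):
                found_weak = False
                for password in weak_passwords:
                    try:
                        conn = pymysql.connect(host=self.__host,
                                               user=user,
                                               passwd=password,
                                               port=self.__port)
                    except (pymysql.err.OperationalError, pymysql.err.InternalError):
                        # Rejected credentials (or a throttled account) — keep going.
                        continue
                    # NOTE(review): the matching password is written to the log
                    # in clear text; consider redacting it in shared log output.
                    logs.WARN(f"Weak password {password} set by user {user} with host {host}")
                    conn.close()
                    found_weak = True
                    break
                if not found_weak:
                    logs.DEBUG(f"No weak password is used by user {user} with host {host}")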
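    def check_encryption(self):
        """Audit Spark's in-transit and at-rest encryption switches.

        Reads ``spark.network.crypto.enabled`` and
        ``spark.io.encryption.enabled`` from ``self.content``; ``"false"``
        (the default) is reported as an ISSUE.  The recommendations now name
        the same keys that are checked — the original suggested
        ``...crypto.enable`` / ``...encryption.enable``, which differ from the
        keys read.
        """
        if utils.get_item_from_obj(self.content,
                                   "spark.network.crypto.enabled",
                                   default="false") == "false":
            logs.ISSUE("Network encryption is not enabled")
            logs.RECOMMENDATION("spark.network.crypto.enabled = true")
        else:
            logs.DEBUG('Network encryption is enabled')

        if utils.get_item_from_obj(self.content,
                                   "spark.io.encryption.enabled",
                                   default="false") == "false":
            logs.ISSUE("Disk encryption is not enabled")
            logs.RECOMMENDATION("spark.io.encryption.enabled = true")
        else:
            logs.DEBUG('Disk encryption is enabled')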
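 def test_load_file(self):
     """Check whether server-side file access is restricted by secure_file_priv.

     Reads the ``secure_file_priv`` system variable instead of exercising
     ``LOAD_FILE ... INTO DUMPFILE``: the original probe wrote ``/tmp/test``
     on the database host, and it only caught ``InternalError``, so any
     other driver exception propagated out of the audit.  An empty value
     means no restriction (WARN); NULL means file operations are disabled
     and a path confines them to that directory (both DEBUG).
     """
     if self.conn is None:
         self.connect()
     self.cursor.execute("SHOW VARIABLES LIKE 'secure_file_priv'")
     row = self.cursor.fetchone()
     if row is None:
         logs.ERROR("Could not read secure_file_priv from the server")
         return
     # Positional row (name, value), like the other checks in this file.
     value = row[1]
     if value == "":
         logs.WARN("--secure-file-priv is not enabled")
     else:
         logs.DEBUG("--secure-file-priv is enabled")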
 def check_global_ac(self):
     """Audit Hadoop's cluster-wide authentication and authorization.

     ``hadoop.security.authentication`` left at ``simple`` and
     ``hadoop.security.authorization`` left at ``false`` are each reported
     as an ISSUE; anything else is logged at DEBUG level.
     """
     logs.INFO("Checking global access control")

     conf = self.conf_obj
     auth_method = utils.get_item_from_obj(conf,
                                           "hadoop.security.authentication",
                                           default="simple")
     if auth_method != "simple":
         logs.DEBUG(f"Authentication method [{auth_method}] enabled")
     else:
         logs.ISSUE("Everyone can access the instance")
         logs.RECOMMENDATION("hadoop.security.authentication = kerberos")

     authz = utils.get_item_from_obj(conf,
                                     "hadoop.security.authorization",
                                     default="false")
     if authz != "false":
         logs.DEBUG("Authorization enabled")
     else:
         logs.ISSUE("Authorization is not enabled")
         logs.RECOMMENDATION("hadoop.security.authorization = true")
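 def check_authentication(self):
     """Audit Spark authentication and the strength of its shared secret.

     Reports an ISSUE when ``spark.authenticate`` is left at ``false``.
     When it is on, ``spark.authenticate.secret`` is rated with
     ``utils.check_pwd``; a missing secret is rated as the empty string.
     """
     if utils.get_item_from_obj(self.content,
                                "spark.authenticate",
                                default="false") == "false":
         logs.ISSUE("Everyone can visit the instance")
         logs.RECOMMENDATION("spark.authenticate = true")
         return
     logs.DEBUG("Authentication is enabled")
     secret = utils.get_item_from_obj(self.content,
                                      "spark.authenticate.secret",
                                      default="")
     if utils.check_pwd(secret):
         logs.DEBUG('Password is strong')
     else:
         logs.ISSUE('Password could be easily guessed.')
         # Typo in the original message fixed ("passwor").
         logs.RECOMMENDATION(
             "spark.authenticate.secret [stronger password]")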
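 def check_ssl(self):
     """Check ``spark.ssl.enabled`` and recommend enabling it when off.

     The recommendation names ``spark.ssl.enabled`` — the key actually
     read; the original suggested ``spark.ssl.enable``, which differs from
     the key checked.
     """
     if utils.get_item_from_obj(self.content,
                                "spark.ssl.enabled",
                                default="false") == "false":
         logs.ISSUE("SSL is not enabled")
         logs.RECOMMENDATION("spark.ssl.enabled = true")
     else:
         logs.DEBUG('SSL is enabled')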
 def check_logging(self):
     """Check that Spark event logging (``spark.eventLog.enabled``) is on."""
     setting = utils.get_item_from_obj(self.content,
                                       "spark.eventLog.enabled",
                                       default="false")
     # Only the literal "false" is reported; any other value passes.
     logging_on = setting != "false"
     if not logging_on:
         logs.ISSUE("Logging is not enabled")
         logs.RECOMMENDATION("spark.eventLog.enabled = true")
         return
     logs.DEBUG('Logging is enabled')
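 def has_obsolete_account(self):
     """Report default/obsolete MySQL accounts that still exist.

     Looks up the ``test`` user and the anonymous (empty-name) user in
     ``mysql.user``.  The user name is passed as a query parameter: the
     original built the WHERE clause from a constant, so both iterations
     ran the same query and the loop variable was never used.
     """
     if self.conn is None:
         self.connect()
     for name in ("test", ""):
         # execute() returns the number of matching rows (the original
         # relied on the same return value).
         matches = self.cursor.execute(
             "SELECT * FROM mysql.user WHERE user=%s", (name,))
         if matches > 0:
             logs.WARN(f"Found one possible obsolete account '{name}'")
         else:
             logs.DEBUG(f"Obsolete account '{name}' is deleted")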
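 def check_fs_permission(self):
     """Audit HDFS permission enforcement and ACL support.

     ``dfs.permissions.enabled`` set to ``false`` and
     ``dfs.namenode.acls.enabled`` left at ``false`` are each reported as
     an ISSUE.  (Message typo fixed: CRUD, not CURD.)
     """
     logs.INFO("Checking hdfs permission")
     conf = self.conf_obj
     if utils.get_item_from_obj(conf,
                                "dfs.permissions.enabled",
                                default="true") == "false":
         logs.ISSUE(
             "HDFS does not have access control. Everyone could conduct CRUD operations on the instance."
         )
         logs.RECOMMENDATION("dfs.permissions.enabled = true")
     else:
         logs.DEBUG("HDFS permission system is enabled.")
     if utils.get_item_from_obj(conf,
                                "dfs.namenode.acls.enabled",
                                default="false") == "false":
         logs.ISSUE("HDFS ACLs is not enabled.")
         logs.RECOMMENDATION("dfs.namenode.acls.enabled = true")
     else:
         logs.DEBUG("HDFS ACLs is enabled.")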
    def check_ssl(self):
        """Report whether Hadoop HTTP SSL (``hadoop.ssl.enabled``) is turned on."""
        logs.INFO("Checking SSL")

        ssl_setting = utils.get_item_from_obj(self.conf_obj,
                                              "hadoop.ssl.enabled",
                                              default="false")
        # Anything other than the literal "false" is accepted as enabled.
        if ssl_setting != "false":
            logs.DEBUG("SSL is enabled.")
            return
        logs.ISSUE("SSL is disabled.")
        logs.RECOMMENDATION("hadoop.ssl.enabled = true")
 def check_exposure(self):
     """Report each address Redis binds to that is not an internal one.

     Uses the first entry returned by ``self.ip_extraction()`` as a
     whitespace-separated list of addresses.  An IndexError (nothing
     extracted) is logged as an ERROR rather than raised.
     """
     try:
         bind_entry = self.ip_extraction()[0]
         for address in bind_entry.split():
             if utils.is_internal(address):
                 logs.DEBUG(f"Redis is only exposed to internal network ({address})")
                 continue
             logs.ISSUE(f"Redis is set to be exposed to the internet ({address}).")
             logs.RECOMMENDATION("bind [internal_ip]")
     except IndexError:
         logs.ERROR("No IP is extracted from config file. Is the config file correct?")
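 def has_useless_db(self):
     """Warn when a default/sample database (currently only ``test``) exists."""
     if self.cursor is None:
         self.connect()
     self.cursor.execute("SHOW DATABASES")
     useless_names = {"test"}
     found_any = False
     for row in self.cursor.fetchall():
         if row[0] in useless_names:
             logs.WARN(f"Have useless DB {row[0]}")
             found_any = True
     if not found_any:
         # Plain literal: the original was an f-string without placeholders.
         logs.DEBUG("All useless DBs are deleted")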
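    def check_cors(self):
        """Audit the Hadoop web portal's cross-origin (CORS) policy.

        When ``hadoop.http.cross-origin.enabled`` is ``true``, the origin
        list is read from ``hadoop.http.cross-origin.allowed-origins`` and a
        wildcard entry is reported as an ISSUE.

        The fallback for the origin list is ``"*"`` (Hadoop's own default for
        this key).  The original fell back to ``"true"``, so a cluster that
        enabled CORS without restricting origins was reported as restricted
        to the literal origin "true".
        """
        logs.INFO("Checking web portal cross origin policy")

        cors_enabled = utils.get_item_from_obj(self.conf_obj,
                                               "hadoop.http.cross-origin.enabled",
                                               default="false") == "true"
        if not cors_enabled:
            logs.DEBUG("CORS is off")
            return

        # split_ip is assumed to return the entries as a list of strings
        # (the original also used it on this value) — TODO confirm.
        allowed_origins = utils.split_ip(
            utils.get_item_from_obj(
                self.conf_obj,
                "hadoop.http.cross-origin.allowed-origins",
                default="*"))
        if "*" in allowed_origins:
            logs.ISSUE("Cross origin is wildcard.")
            logs.RECOMMENDATION(
                " / qualify hadoop.http.cross-origin.allowed-origins")
        else:
            logs.DEBUG(
                f"CORS is enabled but only allowed to {','.join(allowed_origins)}"
            )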
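    def check_password_setting(self):
        """Audit Redis ``requirepass``.

        Returns 0 and reports an ISSUE when no password is configured;
        otherwise rates the first extracted password with ``utils.check_pwd``
        and returns None.  ``password_extraction()`` is called once (the
        original called it twice).
        """
        passwords = self.password_extraction()
        if not passwords:
            logs.ISSUE("No password has been set. ")
            logs.RECOMMENDATION("requirepass [your_password]")

            return 0
        # Only the first requirepass entry is rated, as before.
        if utils.check_pwd(passwords[0]):
            logs.DEBUG('Password is strong')
        else:
            logs.ISSUE('Password could be easily guessed.')
            # Typo in the original message fixed ("passwor").
            logs.RECOMMENDATION("requirepass [stronger password]")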
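 def check_command(self):
     """Audit Redis ``rename-command`` entries for dangerous commands.

     Each of config/debug/shutdown/flushdb/flushall/eval must be renamed to
     an unguessable name (per ``utils.check_normal_pwd``) or disabled with
     ``""``; anything else is reported as an ISSUE.  The original DEBUG line
     always said "Config command" regardless of which command passed; the
     message now names the command being checked.
     """
     rename_settings = self.config_extraction()
     for command in ["config", "debug", "shutdown", "flushdb", "flushall", "eval"]:
         if command not in rename_settings:
             logs.ISSUE(f"{command} command is exposed to every user.")
             logs.RECOMMENDATION(f"rename-command {command} [UUID]")
             continue
         new_name = rename_settings[command]
         # '""' (an empty new name) disables the command entirely.
         if utils.check_normal_pwd(new_name) or new_name == '""':
             logs.DEBUG(f'{command} command is protected by random string or disabled')
         else:
             logs.ISSUE(f'{command} command\' new name could be easily guessed. ')
             logs.RECOMMENDATION(f"rename-command {command} [UUID]")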
    def check_nfs_export_range(self):
        """Audit ``nfs.exports.allowed.hosts`` for the HDFS NFS gateway.

        The default ``* rw`` (every host, read-write) is reported as an ISSUE;
        any other value is only printed for the operator to evaluate.
        """
        logs.INFO("Checking export range")

        world_rw = "* rw"
        export_spec = utils.get_item_from_obj(self.conf_obj,
                                              "nfs.exports.allowed.hosts",
                                              default=world_rw)
        if export_spec != world_rw:
            # Non-default values may still be broad; they are reported, not judged.
            logs.DEBUG(
                f"NFS host priv: {export_spec}. Evaluate based on the context."
            )
            return
        logs.ISSUE("NFS is exposed to internet for read and write.")
        logs.RECOMMENDATION(" / qualify nfs.exports.allowed.hosts")
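 def test_grants(self):
     """Warn about administrative privileges granted to non-local accounts.

     Selects a fixed set of ``*_priv`` columns from ``mysql.user`` and
     warns for every column that is ``'Y'``.  Accounts accepted by
     ``self.is_trivial_username`` and bound to localhost or 127.0.0.1 are
     skipped.  The column list drives both the query and the messages, so
     the two cannot drift apart (the original repeated the list by hand).
     """
     if self.cursor is None:
         self.connect()
     available_privs = [
         "grant_priv",
         "references_priv",
         "alter_routine_priv",
         "create_routine_priv",
         "file_priv",
         "create_tmp_table_priv",
         "lock_tables_priv",
         "execute_priv",
         "create_user_priv",
         "process_priv",
         "reload_priv",
         "repl_slave_priv",
         "repl_client_priv",
         "show_db_priv",
         "shutdown_priv",
         "super_priv"
     ]
     # Column names are constants from the list above, not user input.
     query = "SELECT user, host, " + ", ".join(available_privs) + " FROM mysql.user"
     self.cursor.execute(query)
     for row in self.cursor.fetchall():
         user, host = row[0], row[1]
         if self.is_trivial_username(user) and host in ("localhost", "127.0.0.1"):
             logs.DEBUG("Skipping privilege checking for root/internal account")
             continue
         # row[2:] lines up with available_privs by construction of the query.
         for priv, granted in zip(available_privs, row[2:]):
             if granted == 'Y':
                 logs.WARN(f'Setting {priv} = N is for user {user} with host {host}')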
 def check_web_portal_ac(self):
     """Audit authentication on the Hadoop web UIs.

     ``hadoop.http.authentication.type`` set to ``simple`` is reported as an
     ISSUE, and in that case anonymous access
     (``hadoop.http.authentication.simple.anonymous.allowed``, default true)
     is checked as well.  Any other type is logged at DEBUG level.
     """
     logs.INFO("Checking web portal access control")

     conf = self.conf_obj
     auth_method = utils.get_item_from_obj(
         conf, "hadoop.http.authentication.type", default="simple")
     if auth_method != "simple":
         logs.DEBUG(f"Authentication method [{auth_method}] enabled")
         return

     logs.ISSUE("Everyone can access the web portal")
     logs.RECOMMENDATION("hadoop.http.authentication.type = kerberos")
     anonymous_allowed = utils.get_item_from_obj(
         conf,
         "hadoop.http.authentication.simple.anonymous.allowed",
         default="true")
     if anonymous_allowed == "true":
         logs.ISSUE("Anonymous is allowed to access web portal.")
         logs.RECOMMENDATION(
             "hadoop.http.authentication.simple.anonymous.allowed = false"
         )