def check_conf(self):
    """Run the configuration checks of this checker in a fixed order.

    Each step is announced with an INFO line and then executed:
    check_exposure, check_password_setting, check_command.
    """
    steps = (
        ("Checking exposure...", "check_exposure"),
        ("Checking setting of password...", "check_password_setting"),
        ("Checking commands...", "check_command"),
    )
    for message, method_name in steps:
        logs.INFO(message)
        # Looked up lazily so the INFO line is emitted before the method runs.
        getattr(self, method_name)()
def __init__(self, file):
    """Locate and parse a spark-defaults.conf file.

    Args:
        file: Path to the configuration file. When None, the containing
            directory is discovered through get_paths() and
            ``spark-defaults.conf`` is appended to it.

    Sets ``self.file`` and ``self.content`` (filled by parse_content()).
    """
    super().__init__()
    logs.INFO(
        "Assuming no configuration property has been changed by CLI or SparkConf object"
    )
    if file is not None:
        self.file = file
    else:
        # NOTE(review): a list is passed through ``expected_file`` although
        # get_paths() also has an ``expected_files`` keyword — confirm that
        # utils.exists_file accepts a list before relying on this.
        conf_dir = self.get_paths(expected_file=["spark-defaults.conf"])
        self.file = os.path.join(conf_dir, "spark-defaults.conf")
    logs.INFO(f"Evaluating file {self.file}")
    self.content = {}
    self.parse_content()
def __init__(self, dir=None):
    """Load the four Hadoop site files from *dir* into one merged mapping.

    Args:
        dir: Directory holding core-site.xml, hdfs-site.xml, mapred-site.xml
            and yarn-site.xml. When None, the directory is discovered with
            get_paths(files_appear=...).

    Populates ``core_file``/``core_obj``, ``hdfs_file``/``hdfs_obj``,
    ``mr_file``/``mr_obj``, ``yarn_file``/``yarn_obj`` and ``conf_obj``.
    In ``conf_obj`` a key present in several files takes the value from the
    file loaded last (yarn over mapred over hdfs over core).
    """
    super().__init__()
    site_files = (
        "core-site.xml",
        "hdfs-site.xml",
        "mapred-site.xml",
        "yarn-site.xml",
    )
    if dir is None:
        self.conf_path = self.get_paths(files_appear=list(site_files))
    else:
        self.conf_path = dir
    logs.INFO(f"Evaluating directory {self.conf_path}")

    def load(basename):
        # Returns the full path and its parsed contents, in that order.
        path = os.path.join(self.conf_path, basename)
        return path, self.xml_conf_to_obj(path)

    self.core_file, self.core_obj = load("core-site.xml")
    self.hdfs_file, self.hdfs_obj = load("hdfs-site.xml")
    self.mr_file, self.mr_obj = load("mapred-site.xml")
    self.yarn_file, self.yarn_obj = load("yarn-site.xml")
    self.conf_obj = {}
    for site_obj in (self.core_obj, self.hdfs_obj, self.mr_obj, self.yarn_obj):
        self.conf_obj.update(site_obj)
def get_paths(self, expected_file="", expected_files=None, files_appear=None):
    """Return the single candidate directory that passes every supplied filter.

    Candidates come from enumerate_path(). Filters are applied in this order
    and each is skipped when left at its default:

    Args:
        expected_file: File name that must exist in the directory, tested
            with utils.exists_file; "" disables the filter.
        expected_files: Passed to __test_exp_files; a falsy value disables
            the filter.
        files_appear: Passed to __test_files_appear; None disables the
            filter.

    Returns:
        The one matching directory.

    Terminates the process after logging an ERROR when no directory or
    more than one directory matches; in the latter case the candidates are
    listed at INFO level first.
    """
    # NOTE(review): both failure paths exit with status 0, which reads as
    # success to a wrapping script or CI job; a non-zero status would be the
    # conventional signal — confirm nothing depends on the current value.
    def accepted(path):
        if expected_files and not self.__test_exp_files(path, expected_files):
            return False
        if expected_file != "" and not utils.exists_file(path, expected_file):
            return False
        if files_appear is not None and not self.__test_files_appear(
                path, files_appear):
            return False
        return True

    matches = [p for p in self.enumerate_path() if accepted(p)]
    if not matches:
        logs.ERROR("Cannot find configuration file location, please specify")
        sys.exit(0)
    if len(matches) > 1:
        logs.ERROR(
            "Multiple configuration file locations found (listed below), "
            "please specify (e.g. --dir=/etc)")
        for index, candidate in enumerate(matches):
            logs.INFO(f"[{index}]. {candidate}")
        sys.exit(0)
    return matches[0]
def check_ssl(self):
    """Report whether hadoop.ssl.enabled is turned on in conf_obj.

    The property is assumed to be "false" when absent. Exactly the string
    "false" produces an ISSUE and a RECOMMENDATION; anything else is
    treated as enabled and logged at DEBUG.
    """
    logs.INFO("Checking SSL")
    ssl_enabled = utils.get_item_from_obj(
        self.conf_obj, "hadoop.ssl.enabled", default="false")
    # NOTE(review): literal comparison — a value spelled "False" or "FALSE"
    # would not be flagged here.
    if ssl_enabled != "false":
        logs.DEBUG("SSL is enabled.")
        return
    logs.ISSUE("SSL is disabled.")
    logs.RECOMMENDATION("hadoop.ssl.enabled = true")
def __init__(self, dir=None):
    """Locate redis.conf, read it and process its include directives.

    Args:
        dir: Directory containing redis.conf. A falsy value triggers
            discovery through get_paths(expected_file="redis.conf").

    Sets ``conf_path``, ``conf_file`` and ``conf_content`` (the latter is
    initialised to None and is expected to be filled by read_content()).
    """
    super().__init__()
    self.conf_path = dir if dir else self.get_paths(expected_file="redis.conf")
    self.conf_file = os.path.join(self.conf_path, 'redis.conf')
    logs.INFO(f"Evaluating {self.conf_file}")
    self.conf_content = None
    self.read_content()
    # presumably merges files referenced by `include` lines — see combine_include
    self.combine_include()
def check_nfs_export_range(self):
    """Flag an NFS gateway export that is open to every host for read/write.

    Reads nfs.exports.allowed.hosts from conf_obj, assuming "* rw" when the
    property is absent. Only that exact string is reported as an ISSUE;
    any other value is logged at DEBUG for the operator to judge.
    """
    logs.INFO("Checking export range")
    open_to_all = "* rw"
    allowed_hosts = utils.get_item_from_obj(
        self.conf_obj, "nfs.exports.allowed.hosts", default=open_to_all)
    if allowed_hosts != open_to_all:
        # NOTE(review): a wildcard written with different spacing, or
        # combined with further host entries, lands here instead of being
        # flagged — confirm whether that is intended.
        logs.DEBUG(
            f"NFS host priv: {allowed_hosts}. Evaluate based on the context."
        )
        return
    logs.ISSUE("NFS is exposed to internet for read and write.")
    logs.RECOMMENDATION(" / qualify nfs.exports.allowed.hosts")
def check_registry_ac(self):
    """Check that the Hadoop registry, when enabled, runs in secure mode.

    Nothing is reported unless hadoop.registry.rm.enabled is "true"; then
    hadoop.registry.secure must not be "false" or an ISSUE is logged. Both
    properties are assumed "false" when missing from conf_obj.
    """
    logs.INFO("Checking registry access control")
    registry_state = utils.get_item_from_obj(
        self.conf_obj, "hadoop.registry.rm.enabled", default="false")
    if registry_state != "true":
        logs.DEBUG("Registry is not enabled. ")
        return
    secure_state = utils.get_item_from_obj(
        self.conf_obj, "hadoop.registry.secure", default="false")
    if secure_state == "false":
        logs.ISSUE("registry.secure is not enabled. ")
        logs.RECOMMENDATION("hadoop.registry.secure = true")
    else:
        logs.DEBUG("Registry security is enabled.")
def check_web_portal_ac(self):
    """Check HTTP web UI authentication settings in conf_obj.

    hadoop.http.authentication.type equal to "simple" (the value assumed
    when absent) is reported as an ISSUE; in that case
    hadoop.http.authentication.simple.anonymous.allowed (assumed "true")
    is inspected as well and flagged when "true". Any other authentication
    type is logged at DEBUG.
    """
    logs.INFO("Checking web portal access control")
    conf = self.conf_obj
    auth_method = utils.get_item_from_obj(
        conf, "hadoop.http.authentication.type", default="simple")
    if auth_method != "simple":
        logs.DEBUG(f"Authentication method [{auth_method}] enabled")
        return
    logs.ISSUE("Everyone can access the web portal")
    logs.RECOMMENDATION("hadoop.http.authentication.type = kerberos")
    # Anonymous access only matters under the "simple" handler.
    anonymous_allowed = utils.get_item_from_obj(
        conf,
        "hadoop.http.authentication.simple.anonymous.allowed",
        default="true")
    if anonymous_allowed == "true":
        logs.ISSUE("Anonymous is allowed to access web portal.")
        logs.RECOMMENDATION(
            "hadoop.http.authentication.simple.anonymous.allowed = false"
        )
def check_global_ac(self):
    """Check cluster-wide authentication and authorization settings.

    hadoop.security.authentication equal to "simple" (assumed when absent)
    and hadoop.security.authorization equal to "false" (also the assumed
    default) are each reported as an ISSUE with the recommended value;
    otherwise a DEBUG line is written.
    """
    logs.INFO("Checking global access control")
    auth_method = utils.get_item_from_obj(
        self.conf_obj, "hadoop.security.authentication", default="simple")
    if auth_method != "simple":
        logs.DEBUG(f"Authentication method [{auth_method}] enabled")
    else:
        logs.ISSUE("Everyone can access the instance")
        logs.RECOMMENDATION("hadoop.security.authentication = kerberos")
    authorization = utils.get_item_from_obj(
        self.conf_obj, "hadoop.security.authorization", default="false")
    if authorization != "false":
        logs.DEBUG("Authorization enabled")
    else:
        logs.ISSUE("Authorization is not enabled")
        logs.RECOMMENDATION("hadoop.security.authorization = true")
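def xml_conf_to_obj(file):
    """Parse a Hadoop-style XML configuration file into a dict.

    Every ``<property>`` element that has both a ``<name>`` and a ``<value>``
    child contributes ``name.text -> value.text``. Properties missing either
    child are skipped; previously a missing ``<name>`` raised AttributeError
    outside the inner handler and terminated the whole run via the generic
    handler below. A missing file yields an empty dict after an INFO line.
    Any other error is logged as an ERROR and terminates the process.

    Args:
        file: Path to the XML file (anything ElementTree.parse accepts).

    Returns:
        dict mapping property name to its text value; an empty
        ``<value/>`` element is stored as None.
    """
    res = {}
    try:
        root = xml.etree.ElementTree.parse(file).getroot()
        for prop in root.findall(".//property"):
            name_el = prop.find(".//name")
            value_el = prop.find(".//value")
            # Malformed entries are skipped rather than aborting the scan.
            if name_el is None or value_el is None:
                continue
            res[name_el.text] = value_el.text
    except FileNotFoundError:
        logs.INFO(f"{file} not found, skipped.")
    except Exception as e:
        logs.ERROR(e)
        sys.exit(0)
    return res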
def check_fs_permission(self):
    """Check HDFS permission enforcement and ACL support in conf_obj.

    dfs.permissions.enabled equal to "false" (assumed "true" when absent)
    and dfs.namenode.acls.enabled equal to "false" (assumed "false" when
    absent) are each reported as an ISSUE with the recommended setting;
    otherwise a DEBUG line is written.
    """
    logs.INFO("Checking hdfs permission")

    def conf_value(key, default):
        return utils.get_item_from_obj(self.conf_obj, key, default=default)

    if conf_value("dfs.permissions.enabled", "true") == "false":
        logs.ISSUE(
            "HDFS does not have access control. Everyone could conduct CURD operations on the instance."
        )
        logs.RECOMMENDATION("dfs.permissions.enabled = true")
    else:
        logs.DEBUG("HDFS permission system is enabled.")
    if conf_value("dfs.namenode.acls.enabled", "false") == "false":
        logs.ISSUE("HDFS ACLs is not enabled.")
        logs.RECOMMENDATION("dfs.namenode.acls.enabled = true")
    else:
        logs.DEBUG("HDFS ACLs is enabled.")
def check_conf(self):
    """Run every check of this checker in a fixed order.

    Each step is announced with an INFO line and then executed: check_acl,
    check_xss, check_ssl, check_encryption, check_authentication,
    check_logging.
    """
    steps = (
        ("Checking ACL", "check_acl"),
        ("Checking XSS", "check_xss"),
        ("Checking SSL", "check_ssl"),
        ("Checking encryption", "check_encryption"),
        ("Checking web ui authentication", "check_authentication"),
        ("Checking logging", "check_logging"),
    )
    for message, method_name in steps:
        logs.INFO(message)
        # Looked up lazily so the INFO line is emitted before the method runs.
        getattr(self, method_name)()
def check_conf(self):
    """Run every database check of this checker in a fixed order.

    Each step is announced with an INFO line and then executed:
    check_authentication, has_obsolete_account, has_useless_db,
    test_load_file, test_grants, test_db_grants.
    """
    steps = (
        ("Checking authentication...", "check_authentication"),
        ("Checking obsolete accounts...", "has_obsolete_account"),
        ("Checking useless database...", "has_useless_db"),
        ("Checking load file func...", "test_load_file"),
        ("Checking global grants...", "test_grants"),
        ("Checking database grants...", "test_db_grants"),
    )
    for message, method_name in steps:
        logs.INFO(message)
        # Looked up lazily so the INFO line is emitted before the method runs.
        getattr(self, method_name)()
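def check_cors(self):
    """Check the HTTP cross-origin (CORS) policy in conf_obj.

    When hadoop.http.cross-origin.enabled is "true", the allowed-origins
    value is split with utils.split_ip and an ISSUE is raised if the result
    contains the wildcard "*". When the origins property is absent it is
    assumed to be "*", which is the value Hadoop ships as its default, so
    an enabled filter with no explicit origin list is reported as wildcard.
    Disabled CORS is logged at DEBUG.
    """
    logs.INFO("Checking web portal cross origin policy")
    cors_state = utils.get_item_from_obj(
        self.conf_obj, "hadoop.http.cross-origin.enabled", default="false")
    if cors_state != "true":
        logs.DEBUG("CORS is off")
        return
    # The fallback must be "*": the former fallback "true" can never contain
    # the wildcard, so a filter relying on Hadoop's default origin list was
    # silently reported as restricted.
    allowed_origins = utils.split_ip(
        utils.get_item_from_obj(
            self.conf_obj,
            "hadoop.http.cross-origin.allowed-origins",
            default="*"))
    if "*" in allowed_origins:
        logs.ISSUE("Cross origin is wildcard.")
        logs.RECOMMENDATION(
            " / qualify hadoop.http.cross-origin.allowed-origins")
    else:
        logs.DEBUG(
            f"CORS is enabled but only allowed to {','.join(allowed_origins)}"
        )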
import utils
import logs

if __name__ == "__main__":
    # NOTE(review): called with no argument, while every other INFO call in
    # this file passes a message — confirm logs.INFO has a default before
    # relying on this entry point.
    logs.INFO()
def ask(c):
    """Print *c* and ask the user to confirm an action on the console.

    Args:
        c: Message describing the action, emitted through logs.INFO.

    Returns:
        True when the reply is "Y", "y" or empty (Enter accepts the default),
        False for any other input.
    """
    logs.INFO(c)
    reply = input("Type Y/y to perform this action and anything else to skip [Y]")
    return reply in ("Y", "y", "")