Exemplo n.º 1
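    def _get_files(self):
        """Return paths below the user-home root that carry a prohibited extension.

        Only the per-user directory tree is searched ("/home" on Linux,
        "C:\\Users" on Windows). Any other operating system yields an empty
        list.

        Returns:
            list[str]: matching paths, grouped by extension in the order the
            extensions are listed below.
        """
        extensions = [
            "aac", "ac3", "avi", "aiff", "bat", "bmp", "exe", "flac", "gif",
            "jpeg", "jpg", "mov", "m3u", "m4p", "mp2", "mp3", "mp4", "mpeg4",
            "midi", "msi", "ogg", "png", "txt", "sh", "wav", "wma", "vqf"
        ]

        common.warn("Only searching for prohibited files in user directories!")
        os_name = plugin.get_os()
        if "Linux" in os_name:
            directory = "/home"
        elif "Windows" in os_name:
            directory = "C:\\Users"
        else:
            return []

        # The original logged the raw "{}" placeholder; fill in the directory.
        common.info(
            "Searching {} for prohibited files. This may take a while...".format(
                directory))

        files = []

        # Coverage caveats for anyone relying on this as an audit:
        #  * glob does not match names that start with a dot, so hidden files
        #    and anything inside hidden directories are not reported;
        #  * on case-sensitive filesystems "*.mp3" does not match "SONG.MP3".
        for extension in extensions:
            pattern = os.path.join(directory, "**/*." + extension)
            files.extend(glob.glob(pattern, recursive=True))

        return files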
Exemplo n.º 2
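 def _create_users(self, users):
     """Create a local account for every name in *users*.

     Linux accounts are created with a home directory and /bin/bash as the
     login shell; Windows accounts are created with ``net user ... /add``.

     Args:
         users: iterable of account names to create.
     """
     import subprocess

     for user in users:
         common.info("Adding {}...".format(user))
         if "Linux" in plugin.get_os():
             # NOTE(review): the name is interpolated into a command string;
             # how common.run tokenises it is not visible here, so confirm
             # names are validated before they reach this call.
             common.run("useradd -s /bin/bash -m {}".format(user))
             common.info("Added user {}".format(user))
         elif "Windows" in plugin.get_os():
             # Argument list instead of os.system(): the name is handed to
             # net.exe as one argument and is never parsed by cmd.exe.
             # check=False keeps the original best-effort behaviour.
             subprocess.run(["net", "user", user, "/add"], check=False)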
Exemplo n.º 3
 def _get_current_users(self):
     """Return the names of the accounts that currently exist on this host.

     Linux delegates to common.get_current_users(); Windows asks
     win32net.NetUserEnum. On any other operating system the method falls
     through and returns None.
     """
     os_name = plugin.get_os()
     if "Linux" in os_name:
         return common.get_current_users()
     if "Windows" in os_name:
         # Only the first element of the NetUserEnum result (the account
         # records) is used.
         # NOTE(review): the remaining elements are discarded - confirm that
         # a single call returns every account, since the result decides
         # which accounts get removed later.
         records = list(win32net.NetUserEnum(None, 0))[0]
         return [record["name"] for record in records]
Exemplo n.º 4
    def _get_home_directories(self):
        """Return the home directories to operate on, each with a trailing separator.

        Windows: every directory directly under C:\\Users.
        Linux: every directory directly under /home, plus /root/ when the
        operator agrees to it at the prompt.

        Raises:
            Exception: on any other operating system.
        """
        os_name = plugin.get_os()
        if "Windows" in os_name:
            return glob.glob("C:\\Users\\*\\")
        if "Linux" not in os_name:
            raise Exception("Unexpected Operating System")

        home_dirs = glob.glob("/home/*/")

        # Touching root's home can be damaging, so it is opt-in only.
        include_root = common.input_yesno(
            "Would you like to clear the root directory too")
        if include_root:
            home_dirs.append("/root/")

        return home_dirs
Exemplo n.º 5
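 def _set_admin_users(self, users):
     """Grant administrative group membership to every account in *users*.

     Linux: appends the account to the "sudo" and "adm" groups.
     Windows: adds the account to the local "Administrators" group unless
     it is already a member.

     Args:
         users: iterable of account names to promote.
     """
     import subprocess

     common.info("Setting admin users...")
     # list of groups we want to add the user to (Linux)
     admin_roles = ["sudo", "adm"]
     for user in users:
         if "Linux" in plugin.get_os():
             # NOTE(review): the name is interpolated into a command string;
             # how common.run tokenises it is not visible here, so confirm
             # names are validated before they reach this call.
             common.run("usermod -aG {0} {1}".format(
                 ",".join(admin_roles), user))
         elif "Windows" in plugin.get_os():
             groups = win32net.NetUserGetLocalGroups(None, user)
             if "Administrators" not in groups:
                 # Argument list instead of os.system(): the name is never
                 # parsed by cmd.exe. check=False keeps the original
                 # best-effort behaviour (exit status ignored).
                 subprocess.run(
                     ["net", "localgroup", "Administrators", user, "/add"],
                     check=False)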
Exemplo n.º 6
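 def _set_standard_users(self, users):
     """Reduce every account in *users* to standard (non-admin) membership.

     Linux: replaces the supplementary groups with the group named after
     the user, then appends "users".
     Windows: removes the account from every local group except "Users".

     Args:
         users: iterable of account names to demote.
     """
     import subprocess

     common.info("Setting standard users...")
     for user in users:
         if "Linux" in plugin.get_os():
             # NOTE(review): the name is interpolated into command strings;
             # how common.run tokenises them is not visible here, so confirm
             # names are validated before they reach these calls.
             # set only group to be the user's primary group
             common.run("usermod -G {0} {0}".format(user))
             common.run("usermod -aG users {}".format(user))
             common.info("Removed all groups from user {}".format(user))
         elif "Windows" in plugin.get_os():
             groups = win32net.NetUserGetLocalGroups(None, user)
             for group in groups:
                 if group == "Users":
                     continue
                 # Group and account names come from the host being
                 # hardened; pass them as discrete arguments so neither is
                 # parsed by cmd.exe. check=False keeps the original
                 # best-effort behaviour (exit status ignored).
                 subprocess.run(
                     ["net", "localgroup", group, user, "/delete"],
                     check=False)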
Exemplo n.º 7
    def _set_default_hosts(self):
        """Reset the hosts file and, on Linux, the hostname.

        Linux: backs up and rewrites /etc/hostname and /etc/hosts (the latter
        from the "policies/hosts" template with the hostname substituted in),
        then applies the hostname to the running system.
        Any other OS: overwrites the Windows hosts file with
        "policies/hosts.win".
        """
        if "Linux" not in plugin.get_os():
            with open("policies/hosts.win") as template:
                windows_hosts = template.read()
            hosts_path = "C:\\Windows\\System32\\drivers\\etc\\hosts"
            # NOTE(review): unlike the Linux branch, no backup is taken here;
            # the common.backup(hosts_path) call was disabled in the original
            # with a remark about CI. The previous hosts file is lost.
            with open(hosts_path, "w") as target:
                target.write(windows_hosts)
            return

        hostname = "CADSHOST"

        common.backup("/etc/hostname")
        with open("/etc/hostname", "w") as target:
            target.write("{}\n".format(hostname))

        # The template carries a format placeholder for the hostname.
        with open("policies/hosts") as template:
            hosts_template = template.read()
        rendered_hosts = hosts_template.format(hostname)

        common.backup("/etc/hosts")
        with open("/etc/hosts", "w") as target:
            target.write(rendered_hosts)

        # Apply to the running system as well as the on-disk config.
        common.run("hostname {}".format(hostname))
Exemplo n.º 8
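 def _delete_users(self, users):
     """Delete every account in *users*.

     Linux: removes the user's crontab, then the account together with its
     home directory (``userdel -r``).
     Windows: deletes the account through win32net, skipping a fixed set of
     built-in accounts. Failures are reported and the loop continues.

     Args:
         users: iterable of account names to delete.
     """
     # Built-in Windows accounts that are never deleted. The original tested
     # `user in "GuestAdministrator,DefaultAccount,defaultuser0"`, which is a
     # substring match: any account whose name happens to be a fragment of
     # that string (for example "user", "Admin" or "Guest") was silently
     # kept. Compare whole names instead, ignoring case.
     protected = {"guest", "administrator", "defaultaccount", "defaultuser0"}

     for user in users:
         common.info("Deleting {}...".format(user))
         if "Linux" in plugin.get_os():
             # TODO backup user directory
             # TODO find any other files elsewhere in the system that user owns
             # NOTE(review): the name is interpolated into command strings;
             # how common.run tokenises them is not visible here, so confirm
             # names are validated before they reach these calls.
             common.run("crontab -r -u {}".format(user))
             common.run("userdel -r {}".format(user))
             common.info("Deleted user {}".format(user))
         elif "Windows" in plugin.get_os():
             # TODO remove this
             if user.casefold() in protected:
                 continue
             try:
                 win32net.NetUserDel(None, user)
             except Exception as ex:
                 common.error("Error while deleting user {}".format(user),
                              ex)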
Exemplo n.º 9
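    def _add_user_js(self):
        """Copy ./user.js into every Firefox profile of every user.

        Each entry below the home root ("C:\\Users" or "/home/") is checked
        for a Firefox profiles directory, and "user.js" from the current
        working directory is copied into each profile directory found.
        Unsupported operating systems are skipped.
        """
        os_name = plugin.get_os()
        if "Windows" in os_name:
            home_dir = "C:\\Users"
            profile_dir = "AppData\\Roaming\\Mozilla\\Firefox\\profiles"
        elif "Linux" in os_name:
            home_dir = "/home/"
            profile_dir = ".mozilla/firefox/"
        else:
            # The original fell through with home_dir unbound and crashed
            # with UnboundLocalError on the listdir() call below.
            common.debug("Skipping user.js: unsupported operating system")
            return

        for home in os.listdir(home_dir):
            current_profile_dir = os.path.join(home_dir, home, profile_dir)
            if not os.path.isdir(current_profile_dir):
                continue

            common.info("Adding user.js for {}".format(home))
            for profile in os.listdir(current_profile_dir):
                path = os.path.join(current_profile_dir, profile)
                if not os.path.isdir(path):
                    continue

                # These directories are writable by the account that owns
                # them, while this tool is meant to run with elevated rights.
                # shutil.copy follows symbolic links, so a linked profile
                # directory or a linked user.js would redirect the write
                # outside the profile. Skip both. This is a best-effort
                # check: parent components are not inspected and the link
                # could appear between the check and the copy.
                target = os.path.join(path, "user.js")
                if os.path.islink(path) or os.path.islink(target):
                    common.warn(
                        "Skipping {}: symbolic link in profile path".format(
                            path))
                    continue

                shutil.copy("user.js", path)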
Exemplo n.º 10
    def execute(self):
        """Execute plugin.

        Reconciles the accounts on this host with the operator-supplied
        admin and standard lists: accounts on neither list are deleted,
        missing ones are created, group membership is set, and every account
        except the operator's own gets a new password.
        """
        if "Linux" in plugin.get_os():
            # Snapshot the account databases before anything is modified.
            for account_db in ("/etc/passwd", "/etc/group", "/etc/shadow"):
                common.backup(account_db)

        current_user = common.input_text("What is the current username")

        # The operator's own account is handled separately, so drop it from
        # both lists if it was entered there.
        admins = self._get_users("Admin")
        if current_user in admins:
            admins.remove(current_user)

        standard = self._get_users("Standard")
        if current_user in standard:
            standard.remove(current_user)

        current_users = self._get_current_users()
        common.debug("Found users: {}".format(", ".join(current_users)))

        # Anything present on the host but absent from the lists is removed.
        authorised = [current_user] + admins + standard
        bad_users = [name for name in current_users if name not in authorised]
        self._delete_users(bad_users)

        current_users = list(set(current_users) - set(bad_users))

        # Anything on the lists but absent from the host is created.
        wanted = admins + standard
        new_users = [name for name in wanted if name not in current_users]
        self._create_users(new_users)

        # Demote first, then promote.
        self._set_standard_users(standard)
        self._set_admin_users(admins)

        common.info("Changing passwords")
        for index, user in enumerate([current_user] + admins + standard):
            if user == current_user:
                # Not sure if we want to do this on the main user
                continue
            # NOTE(review): the literal below has no format placeholder as it
            # appears here, so `index` is unused and every account would get
            # the same value - confirm against the real template. A password
            # derived from a fixed template is predictable to anyone who
            # knows the tool, and should be rotated after the run.
            password = "******".format(index)
            self._change_password(user, password)
            self._set_password_no_expire(user)
            self._change_password_on_login(user)
Exemplo n.º 11
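def main():
    """Parse the command line and run the selected plugins.

    Exits with status 0 after listing plugins, and with status 1 when the
    Python version check or the privilege check fails (each check can be
    disabled with its own option).
    """
    # Need to get plugins first for arguments to function
    plugin.find_plugins()

    parser = argparse.ArgumentParser(
        description="Automatically fixes common security vulnerabilities.",
        epilog="Default behaviour is to attempt to run all plugins")
    parser.add_argument("--list-plugins",
                        "-l",
                        action="store_true",
                        help="Lists all plugins",
                        dest="list_plugins")
    parser.add_argument("--run-plugin",
                        "-r",
                        "-p",
                        choices=get_plugins(),
                        nargs="+",
                        metavar="N",
                        help="Run specific plugins",
                        dest="plugins")
    parser.add_argument("--run-all",
                        "-R",
                        action="store_true",
                        help="Run all available plugins",
                        dest="run_all")
    parser.add_argument("--disable-root-check",
                        "--no-root",
                        "-d",
                        action="store_true",
                        help="Disable root check",
                        dest="no_root_check")
    parser.add_argument("--disable-python-check",
                        action="store_true",
                        help="Disable Python version check",
                        dest="disable_python_check")
    args = parser.parse_args()

    info("Welcome to CentSecure!")
    debug("This computer is running {} version {}".format(
        plugin.get_os(), plugin.get_os_version()))

    if args.list_plugins:
        for name in get_plugins():
            stdout("- {}".format(name))
        sys.exit(0)

    if not args.disable_python_check and not _check_python_version():
        warn(
            "CentSecure requires Python 3.7.x, you are using {}. Use the option --disable-python-check to bypass."
            .format(python_version()))
        sys.exit(1)

    # NOTE(review): this runs before the privilege check below; confirm that
    # nothing in firsttime.run_all() needs to be gated on that check.
    firsttime.run_all()

    # Explicit --run-all wins, then an explicit plugin list, then defaults.
    if args.run_all:
        to_run = get_plugins()
    elif args.plugins is not None:
        to_run = args.plugins
    else:
        to_run = get_default_plugins()

    if not (is_admin() or args.no_root_check):
        # Message typo fixed ("administator" -> "administrator").
        warn(
            "CentSecure should be run as root or administrator. Use the option --disable-root-check to bypass."
        )
        sys.exit(1)

    debug("Running CentSecure with the following {} plugins: {}".format(
        len(to_run), ", ".join(to_run)))
    run(to_run)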
Exemplo n.º 12
 def execute(self):
     """Execute the payload.

     Runs the Windows-specific routine on Windows; on every other operating
     system the step is skipped with a debug message.
     """
     if "Windows" not in plugin.get_os():
         common.debug("Skipping localisation")
         return
     self._windows()
Exemplo n.º 13
 def _set_password_no_expire(self, user):
     """Set the PasswordExpires flag for *user* (Windows only).

     Despite the method name, the flag is set to true: per the original
     comment, expiry must be enabled for "change password at next logon" to
     be enforced. Nothing happens on other operating systems.
     """
     if "Windows" not in plugin.get_os():
         return
     # Password has to be set to expire in order to enforce change password on login
     # NOTE(review): the name is placed inside both a cmd.exe double-quoted
     # string and a single-quoted WQL literal; a name containing a quote
     # character would alter the query. Confirm names are validated upstream.
     command = (
         "wmic useraccount where \"Name='{}'\" set PasswordExpires=true"
         .format(user))
     os.system(command)
Exemplo n.º 14
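 def _change_password_on_login(self, user):
     """Require *user* to choose a new password at next logon.

     Only implemented for Windows; the Linux branch is a placeholder and
     does nothing.
     """
     import subprocess

     if "Linux" in plugin.get_os():
         # TODO see if this can be implemented
         pass
     elif "Windows" in plugin.get_os():
         # Argument list instead of os.system(): the name is handed to
         # net.exe as one argument and is never parsed by cmd.exe.
         # check=False keeps the original best-effort behaviour.
         subprocess.run(
             ["net", "user", user, "/logonpasswordchg:yes"], check=False)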
Exemplo n.º 15
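 def _change_password(self, user, password):
     """Set the password of *user* to *password*.

     Linux feeds "user:password" to chpasswd on standard input; Windows uses
     ``net user``. The password is not written to the log.

     Args:
         user: account name.
         password: new password in clear text.
     """
     import subprocess

     # The original logged the clear-text password; log only the account.
     common.info("Changing password of {}".format(user))
     if "Linux" in plugin.get_os():
         # chpasswd reads one "name:password" record per line, so a colon in
         # the name or a line break in either field would change which
         # record is applied.
         if ":" in user or any(ch in user + password for ch in "\r\n"):
             common.warn(
                 "Not changing password of {}: invalid characters".format(
                     user))
             return
         # Sent on stdin rather than through `echo '...' | chpasswd`: no
         # shell quoting is involved and the password does not appear on a
         # command line. check=False keeps the original best-effort
         # behaviour (exit status ignored).
         subprocess.run(["chpasswd"],
                        input="{}:{}\n".format(user, password),
                        text=True,
                        check=False)
     elif "Windows" in plugin.get_os():
         # Argument list instead of os.system(): neither value is parsed by
         # cmd.exe. The password is still a command-line argument of
         # net.exe for the lifetime of that process.
         subprocess.run(["net", "user", user, password], check=False)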
Exemplo n.º 16
"""A plugin to manage user accounts."""

import plugin
import common
import sys
import os

try:
    import win32net
except ModuleNotFoundError:
    if "Windows" in plugin.get_os():
        common.warn("The 'win32net' package is required for Windows systems!")
        sys.exit(1)


class AccountManagement(plugin.Plugin):
    """A universal plugin to configure users.

    Add and remove users and promote to/demote from admin.
    """
    name = "Account Management"
    os = ["ALL"]
    os_version = ["ALL"]

    def execute(self):
        """Execute plugin."""
        if "Linux" in plugin.get_os():
            common.backup("/etc/passwd")
            common.backup("/etc/group")
            common.backup("/etc/shadow")