From 5757ec94ca82dc20fa7ba6d355b6c0e28ee6683c Mon Sep 17 00:00:00 2001 From: gbucchino Date: Thu, 14 Sep 2023 16:30:48 +0200 Subject: [PATCH] Update tmpl and parsing apache --- audit/system/plugins/grub.py | 1 + audit/system/plugins/localaccount.py | 1 + core/plugins/apache.py | 14 ++++---- core/plugins/grub.py | 1 + core/plugins/localaccount.py | 2 ++ core/plugins/postfix.py | 2 ++ core/report.py | 12 ++++--- reports/reports_2023_06_07.html | 1 - reports/reports_2023_06_08.html | 1 - reports/templates/apache.html.j2 | 44 ++++++++++++++++---------- reports/templates/grub.html.j2 | 32 +++++++++++-------- reports/templates/localaccount.html.j2 | 40 +++++++++++++---------- reports/templates/postfix.html.j2 | 28 +++++++++------- reports/templates/sysctl.html.j2 | 30 +++++++++++------- 14 files changed, 127 insertions(+), 82 deletions(-) delete mode 100644 reports/reports_2023_06_07.html delete mode 100644 reports/reports_2023_06_08.html diff --git a/audit/system/plugins/grub.py b/audit/system/plugins/grub.py index 174fdd7..c29229a 100644 --- a/audit/system/plugins/grub.py +++ b/audit/system/plugins/grub.py @@ -6,4 +6,5 @@ def grub() -> dict: grub['filename'] = '/boot/grub/grub.cfg' grub['value'] = 0o600 grub['resolve'] = 'chmod 600 /boot/grub/grub.cfg' + grub['level'] = 'medium' return grub diff --git a/audit/system/plugins/localaccount.py b/audit/system/plugins/localaccount.py index 6e59ed1..6df7f78 100644 --- a/audit/system/plugins/localaccount.py +++ b/audit/system/plugins/localaccount.py @@ -6,6 +6,7 @@ def profile() -> dict: profile['flag'] = 'TMOUT' profile['value'] = 600 profile['filename'] = '/etc/profile' + profile['level'] = 'low' return profile def password_quality() -> list: diff --git a/core/plugins/apache.py b/core/plugins/apache.py index 08b35d6..c927678 100644 --- a/core/plugins/apache.py +++ b/core/plugins/apache.py 
@@ -28,12 +28,14 @@ class Apache: def _runParsing(self): # Check if the file exist path = f"{self._apache_directory}/sites-available" - #if isdir(self._apache_directory): - # for site in listdir(path): - # with open(f"{path}/{site}", 'rb') as f: - # self._parseFile(f) - #else: - # self._reports["apache"]["test"] = "No directory found" + if isdir(path): + self._reports['audit'] = True + for site in listdir(path): + with open(f"{path}/{site}", 'rb') as f: + self._parseFile(f) + else: + self._reports['audit'] = False + self._reports["msg"] = "No directory found" def _parseFile(self, fdata): data = fdata.read() diff --git a/core/plugins/grub.py b/core/plugins/grub.py index e82921b..096794c 100644 --- a/core/plugins/grub.py +++ b/core/plugins/grub.py @@ -33,6 +33,7 @@ class Grub: else: self._reports['result'] = 'success' self._reports['description'] = self._object['description'] + self._reports['level'] = self._object['level'] self._reports['current_value'] = permission[2:] except FileNotFoundError: self._reports['grub']['error'] = \ diff --git a/core/plugins/localaccount.py b/core/plugins/localaccount.py index e1367f7..92d574b 100644 --- a/core/plugins/localaccount.py +++ b/core/plugins/localaccount.py 
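Review bot: The re-enabled loop in `_runParsing` opens every name that `listdir(path)` returns, so a sub-directory, a dangling symlink or an unreadable entry under `sites-available` raises `IsADirectoryError`, `FileNotFoundError` or `PermissionError` and stops the audit instead of being reported. Skip entries that are not regular files, e.g. `if not isfile(f"{path}/{site}"): continue`, and wrap the `open` in `try`/`except OSError` so the failure is written to the report; `isfile` would have to be imported next to `isdir`, whose import is outside the hunk. Note that `isfile` still follows symlinks, so a link in that directory is read wherever it points. The comment `# Check if the file exist` now sits above a directory check and should say so.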
@@ -50,12 +50,14 @@ class LocalAccount: self._reports['profile']['vulnerabilities'] = dict() self._reports['profile']['vulnerabilities'][self._profile['flag']] = dict() self._reports['profile']['vulnerabilities'][self._profile['flag']]["result"] = "success" + self._reports['profile']['vulnerabilities'][self._profile['flag']]['level'] = self._profile['level'] self._reports['profile']['vulnerabilities'][self._profile['flag']]["description"] = self._profile['description'] self._reports['profile']['vulnerabilities'][self._profile['flag']]["flagFound"] = lineFound else: self._reports['profile']['vulnerabilities'] = dict() self._reports['profile']['vulnerabilities'][self._profile['flag']] = dict() self._reports['profile']['vulnerabilities'][self._profile['flag']]["result"] = "failed" + self._reports['profile']['vulnerabilities'][self._profile['flag']]['level'] = self._profile['level'] self._reports['profile']['vulnerabilities'][self._profile["flag"]]["recommand_value"] = self._profile["value"] self._reports['profile']['vulnerabilities'][self._profile['flag']]["description"] = self._profile['description'] self._reports['profile']['vulnerabilities'][self._profile['flag']]["flag"] = self._profile['flag'] diff --git a/core/plugins/postfix.py b/core/plugins/postfix.py index 45d3406..0f0a7c0 100644 --- a/core/plugins/postfix.py +++ b/core/plugins/postfix.py 
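Review bot: The new `level` assignment is written twice, once in each branch, next to a `description` assignment that is also identical in both, and every line repeats the full `self._reports['profile']['vulnerabilities'][self._profile['flag']]` chain. Building the entry as a local dict, setting `level` and `description` once and letting the branches add only `result`, `flagFound` or `recommand_value` would keep the two report shapes from drifting apart the next time a field is added. The new lines also use `['level']` where the neighbouring lines use double-quoted keys. The `if` these branches belong to starts outside the hunk.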
@@ -56,11 +56,13 @@ class Postfix: if res: self._reports["postfix"][obj['flag']] = dict() self._reports["postfix"][obj['flag']]["result"] = "success" + self._reports["postfix"][obj['flag']]["level"] = obj['level'] self._reports["postfix"][obj['flag']]["description"] = obj['description'] self._reports["postfix"][obj['flag']]["flagFound"] = line else: self._reports["postfix"][obj['flag']] = dict() self._reports["postfix"][obj['flag']]["result"] = "failed" + self._reports["postfix"][obj['flag']]["level"] = obj['level'] self._reports["postfix"][obj["flag"]]["recommand_value"] = obj["value"] self._reports["postfix"][obj['flag']]["description"] = obj['description'] self._reports["postfix"][obj['flag']]["flag"] = obj['flag'] diff --git a/core/report.py b/core/report.py index c2adcc5..9c61e50 100644 --- a/core/report.py +++ b/core/report.py @@ -20,7 +20,6 @@ def generateHtmlReport(data): body = str() for plugin in data['system']: - #print(plugin) dataJinja2['plugins'].append(f"{plugin}.html.j2") if 'postfix' in data['system']: @@ -39,11 +38,15 @@ def generateHtmlReport(data): _generateAccordion(dataJinja2['sysctl']['file']['sysctl'], 'sysctl') if 'apache' in data['system']: - pass + if data['system']['apache']['audit']: + dataJinja2['apache'] = data['system']['apache'] + else: + dataJinja2['apache'] = data['system']['apache'] if 'localaccount' in data['system']: if 'profile' in data['system']['localaccount']: dataJinja2['profile'] = dict() + #dataJinja2['profile']['level'] = data['system']['localaccount']['profile']['level'] dataJinja2['profile']['filename'] = data['system']['localaccount']['profile']['filename'] dataJinja2['profile']['vulnerabilities'] = data['system']['localaccount']['profile']['vulnerabilities'] 
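Review bot: `obj['level']` is indexed directly in both branches, but the diffstat shows this commit adding a `level` key only to the grub and profile definitions under `audit/system/plugins/`. Unless every postfix definition already carries that key, the first object without it raises `KeyError` and the plugin produces no findings at all. Either add `level` to the postfix definitions in the same change or read it defensively, e.g. `obj.get('level', 'unknown')` (the fallback string is a placeholder). The same question applies to the `level` value that `reports/templates/sysctl.html.j2` starts rendering in this commit. The enclosing loop begins outside the hunk.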
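Review bot: In the `core/report.py` hunk at `-39,11 +38,15`, both arms of the new `if data['system']['apache']['audit']:` assign the same value, so the test decides nothing and only adds a `KeyError` path when the apache report has no `audit` key. Replace the four lines with `dataJinja2['apache'] = data['system']['apache']`, or use `data['system']['apache'].get('audit')` if the two cases are meant to diverge later. The commented-out `#dataJinja2['profile']['level'] = ...` line added a few lines below should be removed rather than committed.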
@@ -60,11 +63,12 @@ def generateHtmlReport(data): dataJinja2['release'] = data['release'] rdr = tmplIndex.render(data=dataJinja2) - with open(f"reports/reports_{today}.html", "w") as f: + hostname = data['hostname'].lower() + with open(f"reports/reports_{hostname}_{today}.html", "w") as f: f.write(rdr) print("The report is generated at this location: " \ - f"reports/reports_{today}.html") + f"reports/reports_{hostname}_{today}.html") def _generateAccordion(obj, parent): index = 1 diff --git a/reports/reports_2023_06_07.html b/reports/reports_2023_06_07.html deleted file mode 100644 index 6d62042..0000000 --- a/reports/reports_2023_06_07.html +++ /dev/null @@ -1 +0,0 @@ -
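Review bot: `data['hostname']` is only lower-cased before it goes into the output path, so a value containing `/` or `..` makes `open(..., "w")` create or overwrite a file outside `reports/`. Where the hostname comes from is not visible in this hunk; if it is read from the audited machine or from user input, reduce it to a safe file-name component first, e.g. `hostname = re.sub(r'[^a-z0-9._-]', '_', data['hostname'].lower())` (needs `import re`), and fail with a clear message when the key is missing. Building the path once, `report_path = f"reports/reports_{hostname}_{today}.html"`, would also keep the `open` and the `print` in step. `generateHtmlReport` starts outside the hunk.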

Reports of 2023_06_07

Sysctl

File

/etc/sysctl.conf

kernel.unprivileged_userns_clone

Results:

net.ipv4.conf.all.forwarding

Results:

net.ipv4.conf.all.accept_redirects

Results:

net.ipv4.conf.all.accept_source_route

Results:

net.ipv4.conf.default.accept_source_route

Results:

net.ipv4.conf.all.secure_redirects

Results:

net.ipv4.conf.default.secure_redirects

Results:

net.ipv4.conf.all.log_martians

Results:

net.ipv4.conf.default.log_martians

Results:

net.ipv4.tcp_syncookies

Results:

net.ipv4.ip_forward

Results:

net.ipv4.conf.all.send_redirects

Results:

net.ipv4.conf.default.send_redirects

Results:

net.ipv4.conf.all.rp_filter

Results:

net.ipv4.conf.default.rp_filter

Results:

net.ipv6.conf.all.forwarding

Results:

net.ipv6.conf.all.accept_redirects

Results:

net.ipv6.conf.default.accept_redirects

Results:

net.ipv6.conf.all.accept_ra

Results:

net.ipv6.conf.default.accept_ra

Results:

net.ipv6.conf.all.accept_source_route

Results:

net.ipv6.conf.default.accept_source_route

Results:

net.ipv6.conf.all.secure_redirects

Results:

net.ipv6.conf.default.secure_redirects

Results:

/etc/sysctl.conf

kernel.unprivileged_userns_clone

Results:

net.ipv4.conf.all.forwarding

Results:

net.ipv4.conf.all.accept_redirects

Results:

net.ipv4.conf.all.accept_source_route

Results:

net.ipv4.conf.default.accept_source_route

Results:

net.ipv4.conf.all.secure_redirects

Results:

net.ipv4.conf.default.secure_redirects

Results:

net.ipv4.conf.all.log_martians

Results:

net.ipv4.conf.default.log_martians

Results:

net.ipv4.tcp_syncookies

Results:

net.ipv4.ip_forward

Results:

net.ipv4.conf.all.send_redirects

Results:

net.ipv4.conf.default.send_redirects

Results:

net.ipv4.conf.all.rp_filter

Results:

net.ipv4.conf.default.rp_filter

Results:

net.ipv6.conf.all.forwarding

Results:

net.ipv6.conf.all.accept_redirects

Results:

net.ipv6.conf.default.accept_redirects

Results:

net.ipv6.conf.all.accept_ra

Results:

net.ipv6.conf.default.accept_ra

Results:

net.ipv6.conf.all.accept_source_route

Results:

net.ipv6.conf.default.accept_source_route

Results:

net.ipv6.conf.all.secure_redirects

Results:

net.ipv6.conf.default.secure_redirects

Results:

Sysctl

File

/etc/sysctl.conf

kernel.unprivileged_userns_clone

Results:

net.ipv4.conf.all.forwarding

Results:

net.ipv4.conf.all.accept_redirects

Results:

net.ipv4.conf.all.accept_source_route

Results:

net.ipv4.conf.default.accept_source_route

Results:

net.ipv4.conf.all.secure_redirects

Results:

net.ipv4.conf.default.secure_redirects

Results:

net.ipv4.conf.all.log_martians

Results:

net.ipv4.conf.default.log_martians

Results:

net.ipv4.tcp_syncookies

Results:

net.ipv4.ip_forward

Results:

net.ipv4.conf.all.send_redirects

Results:

net.ipv4.conf.default.send_redirects

Results:

net.ipv4.conf.all.rp_filter

Results:

net.ipv4.conf.default.rp_filter

Results:

net.ipv6.conf.all.forwarding

Results:

net.ipv6.conf.all.accept_redirects

Results:

net.ipv6.conf.default.accept_redirects

Results:

net.ipv6.conf.all.accept_ra

Results:

net.ipv6.conf.default.accept_ra

Results:

net.ipv6.conf.all.accept_source_route

Results:

net.ipv6.conf.default.accept_source_route

Results:

net.ipv6.conf.all.secure_redirects

Results:

net.ipv6.conf.default.secure_redirects

Results:

/etc/sysctl.conf

kernel.unprivileged_userns_clone

Results:

net.ipv4.conf.all.forwarding

Results:

net.ipv4.conf.all.accept_redirects

Results:

net.ipv4.conf.all.accept_source_route

Results:

net.ipv4.conf.default.accept_source_route

Results:

net.ipv4.conf.all.secure_redirects

Results:

net.ipv4.conf.default.secure_redirects

Results:

net.ipv4.conf.all.log_martians

Results:

net.ipv4.conf.default.log_martians

Results:

net.ipv4.tcp_syncookies

Results:

net.ipv4.ip_forward

Results:

net.ipv4.conf.all.send_redirects

Results:

net.ipv4.conf.default.send_redirects

Results:

net.ipv4.conf.all.rp_filter

Results:

net.ipv4.conf.default.rp_filter

Results:

net.ipv6.conf.all.forwarding

Results:

net.ipv6.conf.all.accept_redirects

Results:

net.ipv6.conf.default.accept_redirects

Results:

net.ipv6.conf.all.accept_ra

Results:

net.ipv6.conf.default.accept_ra

Results:

net.ipv6.conf.all.accept_source_route

Results:

net.ipv6.conf.default.accept_source_route

Results:

net.ipv6.conf.all.secure_redirects

Results:

net.ipv6.conf.default.secure_redirects

Results:
\ No newline at end of file diff --git a/reports/reports_2023_06_08.html b/reports/reports_2023_06_08.html deleted file mode 100644 index 53a7651..0000000 --- a/reports/reports_2023_06_08.html +++ /dev/null @@ -1 +0,0 @@ -

Reports of 2023_06_08

Sysctl

File

/etc/sysctl.conf

kernel.unprivileged_userns_clone

Results:

net.ipv4.conf.all.forwarding

Results:

net.ipv4.conf.all.accept_redirects

Results:

net.ipv4.conf.all.accept_source_route

Results:

net.ipv4.conf.default.accept_source_route

Results:

net.ipv4.conf.all.secure_redirects

Results:

net.ipv4.conf.default.secure_redirects

Results:

net.ipv4.conf.all.log_martians

Results:

net.ipv4.conf.default.log_martians

Results:

net.ipv4.tcp_syncookies

Results:

net.ipv4.ip_forward

Results:

net.ipv4.conf.all.send_redirects

Results:

net.ipv4.conf.default.send_redirects

Results:

net.ipv4.conf.all.rp_filter

Results:

net.ipv4.conf.default.rp_filter

Results:

net.ipv6.conf.all.forwarding

Results:

net.ipv6.conf.all.accept_redirects

Results:

net.ipv6.conf.default.accept_redirects

Results:

net.ipv6.conf.all.accept_ra

Results:

net.ipv6.conf.default.accept_ra

Results:

net.ipv6.conf.all.accept_source_route

Results:

net.ipv6.conf.default.accept_source_route

Results:

net.ipv6.conf.all.secure_redirects

Results:

net.ipv6.conf.default.secure_redirects

Results:

/etc/sysctl.conf

kernel.unprivileged_userns_clone

Results:

net.ipv4.conf.all.forwarding

Results:

net.ipv4.conf.all.accept_redirects

Results:

net.ipv4.conf.all.accept_source_route

Results:

net.ipv4.conf.default.accept_source_route

Results:

net.ipv4.conf.all.secure_redirects

Results:

net.ipv4.conf.default.secure_redirects

Results:

net.ipv4.conf.all.log_martians

Results:

net.ipv4.conf.default.log_martians

Results:

net.ipv4.tcp_syncookies

Results:

net.ipv4.ip_forward

Results:

net.ipv4.conf.all.send_redirects

Results:

net.ipv4.conf.default.send_redirects

Results:

net.ipv4.conf.all.rp_filter

Results:

net.ipv4.conf.default.rp_filter

Results:

net.ipv6.conf.all.forwarding

Results:

net.ipv6.conf.all.accept_redirects

Results:

net.ipv6.conf.default.accept_redirects

Results:

net.ipv6.conf.all.accept_ra

Results:

net.ipv6.conf.default.accept_ra

Results:

net.ipv6.conf.all.accept_source_route

Results:

net.ipv6.conf.default.accept_source_route

Results:

net.ipv6.conf.all.secure_redirects

Results:

net.ipv6.conf.default.secure_redirects

Results:

Sysctl

File

/etc/sysctl.conf

kernel.unprivileged_userns_clone

Results:

net.ipv4.conf.all.forwarding

Results:

net.ipv4.conf.all.accept_redirects

Results:

net.ipv4.conf.all.accept_source_route

Results:

net.ipv4.conf.default.accept_source_route

Results:

net.ipv4.conf.all.secure_redirects

Results:

net.ipv4.conf.default.secure_redirects

Results:

net.ipv4.conf.all.log_martians

Results:

net.ipv4.conf.default.log_martians

Results:

net.ipv4.tcp_syncookies

Results:

net.ipv4.ip_forward

Results:

net.ipv4.conf.all.send_redirects

Results:

net.ipv4.conf.default.send_redirects

Results:

net.ipv4.conf.all.rp_filter

Results:

net.ipv4.conf.default.rp_filter

Results:

net.ipv6.conf.all.forwarding

Results:

net.ipv6.conf.all.accept_redirects

Results:

net.ipv6.conf.default.accept_redirects

Results:

net.ipv6.conf.all.accept_ra

Results:

net.ipv6.conf.default.accept_ra

Results:

net.ipv6.conf.all.accept_source_route

Results:

net.ipv6.conf.default.accept_source_route

Results:

net.ipv6.conf.all.secure_redirects

Results:

net.ipv6.conf.default.secure_redirects

Results:

/etc/sysctl.conf

kernel.unprivileged_userns_clone

Results:

net.ipv4.conf.all.forwarding

Results:

net.ipv4.conf.all.accept_redirects

Results:

net.ipv4.conf.all.accept_source_route

Results:

net.ipv4.conf.default.accept_source_route

Results:

net.ipv4.conf.all.secure_redirects

Results:

net.ipv4.conf.default.secure_redirects

Results:

net.ipv4.conf.all.log_martians

Results:

net.ipv4.conf.default.log_martians

Results:

net.ipv4.tcp_syncookies

Results:

net.ipv4.ip_forward

Results:

net.ipv4.conf.all.send_redirects

Results:

net.ipv4.conf.default.send_redirects

Results:

net.ipv4.conf.all.rp_filter

Results:

net.ipv4.conf.default.rp_filter

Results:

net.ipv6.conf.all.forwarding

Results:

net.ipv6.conf.all.accept_redirects

Results:

net.ipv6.conf.default.accept_redirects

Results:

net.ipv6.conf.all.accept_ra

Results:

net.ipv6.conf.default.accept_ra

Results:

net.ipv6.conf.all.accept_source_route

Results:

net.ipv6.conf.default.accept_source_route

Results:

net.ipv6.conf.all.secure_redirects

Results:

net.ipv6.conf.default.secure_redirects

Results:
\ No newline at end of file diff --git a/reports/templates/apache.html.j2 b/reports/templates/apache.html.j2 index edac2e3..d175f60 100644 --- a/reports/templates/apache.html.j2 +++ b/reports/templates/apache.html.j2 @@ -1,7 +1,8 @@

Apache

+{% if data['apache']['audit'] %} {% for item in data['postfix']['vulnerabilities'] %} -
+

-
+
+ {% else %} - For resolving the issue, add this line in the {{ data['postfix']['filename'] }} vulnerabilities: -
-
-

-            {% for value in data['postfix']['vulnerabilities'][item]['recommand_value'] %}
- 	          {{ data['postfix']['vulnerabilities'][item]['flag'] }} = {{ value }}
-            {% endfor %}
-	        
-
-
+ For resolving the issue, add this line in the {{ data['postfix']['filename'] }} vulnerabilities: +
+
+

+                {% for value in data['postfix']['vulnerabilities'][item]['recommand_value'] %}
+ 	              {{ data['postfix']['vulnerabilities'][item]['flag'] }} = {{ value }}
+                {% endfor %}
+	            
+
+
{% endif %} - - - - + + {% if 'id' in data['postfix']['vulnerabilities'][item] %} + linked with the {{ data['postfix']['vulnerabilities'][item]['id'] }} + {% endif %} + + + + + {% endfor %} + +{% else %} +{{ data['apache']['msg'] }} +{% endif %} diff --git a/reports/templates/grub.html.j2 b/reports/templates/grub.html.j2 index 3e909ad..ffd7c73 100644 --- a/reports/templates/grub.html.j2 +++ b/reports/templates/grub.html.j2 @@ -1,15 +1,16 @@
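Review bot: Inside the new `{% if data['apache']['audit'] %}` block every lookup still reads `data['postfix']`: the `for item in data['postfix']['vulnerabilities']` loop, the `data['postfix']['filename']` text and the added `'id' in data['postfix']['vulnerabilities'][item]` test. The Apache section therefore shows Postfix findings, and shows nothing useful or fails to render when Postfix was not audited. These lookups should read from `data['apache']`, using the keys that `_parseFile` stores, which this diff does not show. Only the `{% else %}` arm with `{{ data['apache']['msg'] }}` uses the Apache report at present.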

Grub

-
+

@@ -22,8 +23,8 @@

             {{ data['grub']['current_value'] }}
 	        
-
-
+
+
{% else %} For resolving the issue, change the permission of the file:
@@ -31,10 +32,15 @@

  	        {{ data['grub']['resolve'] }}
 	        
-
- + + {% endif %} - - - - + + {% if 'id' in data['grub'] %} + linked with the {{ data['grub']['id'] }} + {% endif %} + + + + + diff --git a/reports/templates/localaccount.html.j2 b/reports/templates/localaccount.html.j2 index 26c9fb7..d0befc2 100644 --- a/reports/templates/localaccount.html.j2 +++ b/reports/templates/localaccount.html.j2 @@ -1,29 +1,30 @@

Profile

{% for item in data['profile']['vulnerabilities'] %} -
+

{{ data['profile']['vulnerabilities'][item]['description'] }}.
{% if data['profile']['vulnerabilities'][item]['result'] == 'success' %} -
-
-

-                {{ data['profile']['vulnerabilities'][item]['flagFound'] }}
-	            
-
-
+
+
+

+               {{ data['profile']['vulnerabilities'][item]['flagFound'] }}
+	           
+
+
{% else %} For resolving the issue, add this line in the {{ data['filename'] }} profile:
@@ -31,11 +32,16 @@

  	        {{ data['profile']['vulnerabilities'][item]['flag'] }} = {{ data['profile']['vulnerabilities'][item]['recommand_value'] }}
 	        
-
-
+
+
{% endif %} -
-
- - + + {% if 'id' in data['profile']['vulnerabilities']['item'] %} + Linked with the {{ data['profile']['vulnerabilities'][item]['id'] }} + {% endif %} + + + + + {% endfor %} diff --git a/reports/templates/postfix.html.j2 b/reports/templates/postfix.html.j2 index 2cc2694..a54d872 100644 --- a/reports/templates/postfix.html.j2 +++ b/reports/templates/postfix.html.j2 @@ -1,16 +1,17 @@
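Review bot: The added test `{% if 'id' in data['profile']['vulnerabilities']['item'] %}` indexes with the string literal `'item'` instead of the loop variable, so it looks for a finding literally named "item". The "Linked with" line below it is then never rendered, or the render raises if the environment uses strict undefined handling. It should read `{% if 'id' in data['profile']['vulnerabilities'][item] %}`, matching the `[item]` on the following line and the same test in the postfix and sysctl templates.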

Postfix

{% for item in data['postfix']['vulnerabilities'] %} -
+

@@ -22,8 +23,8 @@

                 {{ data['postfix']['vulnerabilities'][item]['flagFound'] }}
 	            
-
-
+
+
{% else %} For resolving the issue, add this line in the {{ data['postfix']['filename'] }} vulnerabilities:
@@ -33,11 +34,16 @@ {{ data['postfix']['vulnerabilities'][item]['flag'] }} = {{ value }} {% endfor %} -
- + + {% endif %} - - - - + + {% if 'id' in data['postfix']['vulnerabilities'][item] %} + linked with the {{ data['postfix']['vulnerabilities'][item]['id'] }} + {% endif %} + + + + + {% endfor %} diff --git a/reports/templates/sysctl.html.j2 b/reports/templates/sysctl.html.j2 index c5b92da..947318c 100644 --- a/reports/templates/sysctl.html.j2 +++ b/reports/templates/sysctl.html.j2 @@ -11,21 +11,27 @@ {% elif data['sysctl']['file']['sysctl'][item]['result']['result'] == 'success' %} {{ data['sysctl']['file']['sysctl'][item]['result']['result'] }} {% endif %} + {{ data['sysctl']['file']['sysctl'][item]['level'] }}
{{ data['sysctl']['file']['sysctl'][item]['description'] }}.
- For resolving the issue, add this line in the {{ data['sysctl']['file']['filename'] }} file: -
-
-

- 	    {{ data['sysctl']['file']['sysctl'][item]['flag'] }} = {{ data['sysctl']['file']['sysctl'][item]['value'] }}
-	    
-
-
-
-
- - + For resolving the issue, add this line in the {{ data['sysctl']['file']['filename'] }} file: +
+
+

+ 	        {{ data['sysctl']['file']['sysctl'][item]['flag'] }} = {{ data['sysctl']['file']['sysctl'][item]['value'] }}
+	        
+
+
+ + {% if 'id' in data['sysctl']['file']['sysctl'][item] %} + Linked with the {{ data['sysctl']['file']['sysctl'][item]['id'] }} + {% endif %} + + + + + {% endfor %}