diff --git a/audit/system/plugins/grub.py b/audit/system/plugins/grub.py
index 5e91d9e..c7705a4 100644
--- a/audit/system/plugins/grub.py
+++ b/audit/system/plugins/grub.py
@@ -1,11 +1,8 @@
 #!/usr/bin/env python3
-def grub() -> list:
- grub = list()
- grub.append({
- 'description': 'Boot permission',
- 'filename': '/boot/grub/grub.cfg'
- 'chmod': 600,
- })
+def grub() -> dict:
+ grub = dict()
+ grub['description'] = 'Change boot permission'
+ grub['filename'] = '/boot/grub/grub.cfg'
+ grub['value'] = 0o600
 return grub
-
diff --git a/core/config.py b/core/config.py
index 42ed578..65d493f 100644
--- a/core/config.py
+++ b/core/config.py
@@ -13,6 +13,7 @@ AUDIT_SYSTEM = [
 "postfix",
 "apache",
 "localaccount",
+ "grub",
 ]
 AUDIT_APPLICATION = [
@@ -31,6 +32,7 @@ def generateConfig() -> dict:
 config["system"]["sysctl"] = dict()
 config["system"]["sysctl"]["sysctl_file"] = "/etc/sysctl.conf"
 config['system']['localaccount'] = dict()
+ config['system']['grub'] = dict()
 config["system"]["exclude_plugins"] = list()
 # Application
 config["application"] = dict()
diff --git a/core/main.py b/core/main.py
index 3f3fe97..42981fc 100644
--- a/core/main.py
+++ b/core/main.py
@@ -5,6 +5,7 @@ from core.plugins.sysctl import Sysctl
 from core.plugins.postfix import Postfix
 from core.plugins.apache import Apache
 from core.plugins.localaccount import LocalAccount
+from core.plugins.grub import Grub
 from core.report import generateHtmlReport
 from core.config import AUDIT_SYSTEM, AUDIT_APPLICATION, generateConfig, parsingConfigFile
 from core.dispatcher import Dispatcher
@@ -70,7 +71,6 @@ def main():
 audit,
 configs["system"][audit]
 )
-
 if args.audit == "application":
 print("Auditing the application...")
 pass
@@ -102,5 +102,11 @@ def localaccount(*args) -> dict:
 account.runAudit()
 return account.getReports()
+@Dispatcher.register_plugins
+def grub(*args) -> dict:
+ grub = Grub(args[1])
+ grub.runAudit()
+ return grub.getReports()
+
 if __name__ == "__main__":
 main()
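Review bot: In audit/system/plugins/grub.py the audited path is fixed to `/boot/grub/grub.cfg` and nothing in this commit lets an operator override it: core/config.py creates `config['system']['grub']` as an empty dict, and `Grub.__init__` in core/plugins/grub.py never reads its `arguments`. A host that keeps its GRUB configuration elsewhere (for example under `/boot/grub2/`) would therefore not be checked. Consider seeding the default in the config, `config['system']['grub']['filename'] = '/boot/grub/grub.cfg'`, and having the plugin prefer that value over the hard-coded one. Separately, `grub = dict()` rebinds the function's own name inside its body; returning a dict literal would be clearer.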
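Review bot: In the last core/main.py hunk the new wrapper assigns `grub = Grub(args[1])`, so the instance shadows the function's own name, unlike `localaccount()` just above, which uses a separate `account` variable. Writing `plugin = Grub(args[1])`, then `plugin.runAudit()` and `return plugin.getReports()`, keeps the two apart. A one-line docstring such as `"""Run the GRUB file-permission audit and return its report."""` would also help, since the `*args` signature says nothing about what `args[1]` holds.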
diff --git a/core/plugins/grub.py b/core/plugins/grub.py
new file mode 100644
index 0000000..d5e6849
--- /dev/null
+++ b/core/plugins/grub.py
@@ -0,0 +1,85 @@
+#!/usr/bin/env python3
+
+from os import stat
+from os.path import isfile
+from audit.system.plugins.grub import grub
+
+
+class Grub:
+ def __init__(self, arguments):
+ self._object = grub()
+ self._reports = dict()
+
+ # Create the report
+ self._constructReports()
+
+ def runAudit(self):
+ print("Running test for Grub")
+ self._analyzingGrub()
+
+ def getReports(self) -> dict:
+ return self._reports
+
+ def _analyzingGrub(self):
+ # Check if the file exist
+ path = self._object['filename']
+ try:
+ if isfile(path):
+ permission = self._check_permission(path)
+
+ if permission != oct(self._object['value']):
+ self._reports['result'] = 'failed'
+ else:
+ self._reports['result'] = 'success'
+ self._reports['description'] = self._object['description']
+ self._reports['recommand_value'] = self._object['value']
+ except FileNotFoundError:
+ self._reports['grub']['error'] = \
+ f'File {path} not found'
+
+ def _check_permission(self, path) -> oct:
+ """
+ In this function, we get the permission of the file
+ """
+ permission = stat(path).st_mode
+
+ octal = 0o000
+ # Check user permission
+ if permission & 0o400: # Read
+ octal += 0o400
+ if permission & 0o200: # Write
+ octal += 0o200
+ if permission & 0o100: # Execute
+ octal += 0o100
+
+ # Check group permission
+ if permission & 0o040:
+ octal += 0o040
+ if permission & 0o020:
+ octal += 0o020
+ if permission & 0o010:
+ octal += 0o010
+
+ # Check other permission
+ if permission & 0o004:
+ octal += 0o004
+ if permission & 0o002:
+ octal += 0o002
+ if permission & 0o001:
+ octal += 0o001
+
+ return oct(octal)
+
+ def _constructReports(self):
+ """
+ Construct dictionary for result of the tests
+ Each entry contains:
+ Key:
+ - filename: filename of the test
+ - line: line of the test
+ - parse: Display the line where the vulnerabilites has been found
+ - description: description of the vulnerability
+ - level: high, medium or low
+ """
+ self._reports = dict()
+ self._reports['filename'] =
self._object['filename']
diff --git a/core/report.py b/core/report.py
index 207d187..b89161a 100644
--- a/core/report.py
+++ b/core/report.py
@@ -50,6 +50,11 @@ def generateHtmlReport(data):
 _generateAccordion(dataJinja2['profile']['vulnerabilities'], 'profile')
 if 'pwd_quality' in data['system']['localaccount']:
 pass
+ if 'grub' in data['system']:
+ dataJinja2['grub'] = data['system']['grub']
+ dataJinja2['grub']['accordion-id'] = f"accordion-grub-1"
+ #_generateAccordion(dataJinja2['grub'], 'grub')
+ print(dataJinja2['grub'])
 dataJinja2['year'] = '2023'
 dataJinja2['hostname'] = data['hostname']
diff --git a/reports/templates/apache.html.j2 b/reports/templates/apache.html.j2
index a107073..edac2e3 100644
--- a/reports/templates/apache.html.j2
+++ b/reports/templates/apache.html.j2
@@ -13,7 +13,7 @@ {% endif %} -
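Review bot: `_analyzingGrub` in core/plugins/grub.py fails open: when `isfile(path)` is false nothing is written to the report, so a host whose GRUB config is missing or stored under another path gets no `result` at all, and the `except FileNotFoundError` branch assigns into `self._reports['grub']`, a key `_constructReports` never creates, so it would raise `KeyError` if it ever ran. The test `permission != oct(self._object['value'])` also demands an exact match, so a stricter mode such as 0o400 is reported as failed, and the file's owner and group are not examined. `_check_permission` rebuilds the nine permission bits by hand where `stat(path).st_mode & 0o777` yields the same value, and its `-> oct` annotation names a builtin function rather than the `str` it returns. The sketch below records an explicit error result and passes any mode that sets no bit outside the expected one; indentation was lost on this page, so the nesting of the `description` and `recommand_value` assignments in the original is inferred.

```python
    # … unchanged: imports, __init__, runAudit, getReports …

    def _analyzingGrub(self):
        """Compare the mode of the configured file with the expected mode."""
        path = self._object['filename']
        expected = self._object['value']
        # Always populate the keys the template reads, whatever the outcome
        self._reports['description'] = self._object['description']
        self._reports['recommand_value'] = expected
        try:
            mode = stat(path).st_mode & 0o777
        except OSError as err:
            # Missing or unreadable file: report it instead of skipping silently
            self._reports['result'] = 'error'
            self._reports['error'] = f'Cannot stat {path}: {err}'
            return
        # Fail only when a bit outside the expected mode is set,
        # so a more restrictive mode still passes
        if mode & ~expected:
            self._reports['result'] = 'failed'
        else:
            self._reports['result'] = 'success'

    # … unchanged: _constructReports …
```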
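Review bot: In core/report.py, `print(dataJinja2['grub'])` and the commented-out `#_generateAccordion(dataJinja2['grub'], 'grub')` look like leftover debugging and should be dropped before merge. `dataJinja2['grub'] = data['system']['grub']` stores a reference to the caller's dict, so the `accordion-id` write on the next line also mutates `data`; `dataJinja2['grub'] = dict(data['system']['grub'])` avoids that. `f"accordion-grub-1"` has no placeholder and can be the plain string `'accordion-grub-1'`. The body of `generateHtmlReport` continues outside this hunk, so whether the other plugins follow the same aliasing pattern is not visible here.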
+
{{ data['postfix']['vulnerabilities'][item]['description'] }}.
{% if data['postfix']['vulnerabilities'][item]['result'] == 'success' %}
diff --git a/reports/templates/grub.html.j2 b/reports/templates/grub.html.j2
new file mode 100644
index 0000000..1c6d49d
--- /dev/null
+++ b/reports/templates/grub.html.j2
@@ -0,0 +1,39 @@
+

Grub

+ +
+
+

+ +

+
+
+ {{ data['grub']['description'] }}.
+ {% if data['grub']['result'] == 'success' %} +
+
+

+                {{ data['grub']['recommand_value'] }}
+	            
+
+
+ {% else %} + For resolving the issue, add this line in the {{ data['filename'] }} profile: +
+
+

+ 	        {{ data['grub']['recommand_value'] }}
+	        
+
+
+ {% endif %} +
+
+
+
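Review bot: The failure branch of reports/templates/grub.html.j2 renders `{{ data['filename'] }}`, while core/report.py places the plugin report under the `grub` key, so the path is presumably at `data['grub']['filename']` and the current expression is likely to render empty. `recommand_value` carries the integer `0o600`, which Jinja prints in decimal as 384, and the sentence "add this line in the … profile" describes a configuration edit, not a permission fix. A line such as `Restrict the file with: chmod {{ '%o'|format(data['grub']['recommand_value']) }} {{ data['grub']['filename'] }}` would give the reader a usable value. When the plugin records no `result` (file not found), this `else` branch is what gets shown, so the remediation text would appear for a file that does not exist; the HTML tags of this template were stripped on the page, so only the visible expressions were reviewed.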
diff --git a/reports/templates/localaccount.html.j2 b/reports/templates/localaccount.html.j2
index f175a56..26c9fb7 100644
--- a/reports/templates/localaccount.html.j2
+++ b/reports/templates/localaccount.html.j2
@@ -13,7 +13,7 @@ {% endif %} -
+
{{ data['profile']['vulnerabilities'][item]['description'] }}.
{% if data['profile']['vulnerabilities'][item]['result'] == 'success' %}