Identify security risks in your configurations for databases and big data platforms.
$ git clone https://github.com/shouc/daudit.git && cd daudit
$ python3 -m pip install -r requirements.txt
NoSQL DB:
Relational DB:
- MySQL / MariaDB
- Postgres [TODO]
Other DB:
- Neo4j [TODO]
- Elasticsearch [TODO]
- InfluxDB [TODO]
Big Data Platform:
You can use the following command to print the help message
$ python3 main.py -h
==============================================
_____ _ _
(____ \ /\ | (_)_
_ \ \ / \ _ _ _ | |_| |_
| | | / /\ \| | | |/ || | | _)
| |__/ / |__| | |_| ( (_| | | |__
|_____/|______|\____|\____|_|\___)
https://github.com/shouc/daudit
==============================================
usage: main.py [-h] {redis,mongodb,mysql,hadoop,spark} ...
This is a tool for detecting configuration issues of Redis, MySQL, etc!
positional arguments:
{redis,mongodb,mysql,hadoop,spark}
commands
redis Check configurations of redis
mongodb Check configurations of mongodb
mysql Check configurations of mysql
hadoop Check configurations of hadoop
spark Check configurations of spark
optional arguments:
-h, --help show this help message and exit
$ python3 main.py redis -h
usage: main.py redis [-h] [--dir DIR]
optional arguments:
-h, --help show this help message and exit
--dir DIR the dir of redis configuration files, leave blank if you wish the program to automatically detect the location.
An example of checking Redis with configuration file /etc/redis/redis.conf
$ # both commands are equivalent
$ sudo python3 main.py redis
$ sudo python3 main.py redis --dir /etc/redis
[INFO] Evaluating /etc/redis/redis.conf
[INFO] Checking exposure...
[DEBUG] Redis is only exposed to internal network (127.0.0.1)
[DEBUG] Redis is only exposed to internal network (::1)
[INFO] Checking setting of password...
[ISSUE] No password has been set.
[RECOMM] Consider setting requirepass [your_password] in configuration file(s) based on your context.
[INFO] Checking commands...
[ISSUE] config command is exposed to every user.
[RECOMM] Consider setting rename-command config [UUID] in configuration file(s) based on your context.
[ISSUE] debug command is exposed to every user.
[RECOMM] Consider setting rename-command debug [UUID] in configuration file(s) based on your context.
[ISSUE] shutdown command is exposed to every user.
[RECOMM] Consider setting rename-command shutdown [UUID] in configuration file(s) based on your context.
[ISSUE] flushdb command is exposed to every user.
[RECOMM] Consider setting rename-command flushdb [UUID] in configuration file(s) based on your context.
[ISSUE] flushall command is exposed to every user.
[RECOMM] Consider setting rename-command flushall [UUID] in configuration file(s) based on your context.
[ISSUE] eval command is exposed to every user.
[RECOMM] Consider setting rename-command eval [UUID] in configuration file(s) based on your context.
Checks:
- exposure
- weak/no password
- command renaming
$ python3 main.py mongodb -h
usage: main.py mongodb [-h] [--dir DIR] [--file FILE]
optional arguments:
-h, --help show this help message and exit
--dir DIR the dir of configuration files, leave blank if you wish the program to automatically detect it. (e.g. --dir /etc/)
--file FILE the name of the configuration file, leave blank if you wish the program to automatically detect it. (e.g. --file xxx.conf)
An example of checking MongoDB with configuration file /etc/mongodb.conf
$ # both commands are equivalent
$ sudo python3 main.py mongodb
$ sudo python3 main.py mongodb --dir '/etc' --file mongodb.conf
[INFO] Evaluating /etc/mongodb.conf
[DEBUG] Using MongoDB <= 2.4 conf file format (INI)
[INFO] Checking exposure...
[DEBUG] The instance is only exposed on internal IP: 127.0.0.1
[INFO] Checking setting of authentication...
[ISSUE] No authorization is enabled in configuration file.
[RECOMM] Consider setting auth = true in configuration file(s) based on your context.
[INFO] Checking code execution issue...
[ISSUE] JS code execution is enabled in configuration file.
[RECOMM] Consider setting noscripting = true in configuration file(s) based on your context.
[INFO] Checking object check issue...
[ISSUE] Object check is not enabled in configuration file.
[RECOMM] Consider setting noscripting = true in configuration file(s) based on your context.
Checks:
- exposure
- authorization
- js code execution
- object check
$ python3 main.py mysql -h
usage: main.py mysql [-h] [--password PASSWORD] [--username USERNAME] [--host HOST] [--port PORT]
optional arguments:
-h, --help show this help message and exit
--password PASSWORD Password of root account []
--username USERNAME Username of root account [root]
--host HOST Username of root account [127.0.0.1]
--port PORT Port of MySQL server [3306]
An example of checking MySQL:
$ # both commands are equivalent
$ python3 main.py mysql
$ python3 main.py mysql --host "127.0.0.1" --port 3306 --username root --password ""
[INFO] Checking authentication...
[WARNING] User na3 is exposed to the internet (0.0.0.0)
[INFO] Would you like to perform weak-password check? This may create high traffic load for MySQL server. (i.e. Do not perform this when there is already high traffic.)
Type Y/y to perform this action and anything else to skip [Y]x
[WARNING] User root is exposed to the internet (0.0.0.0)
[INFO] Would you like to perform weak-password check? This may create high traffic load for MySQL server. (i.e. Do not perform this when there is already high traffic.)
Type Y/y to perform this action and anything else to skip [Y]x
[WARNING] User shou is exposed to the internet (0.0.0.0)
[INFO] Would you like to perform weak-password check? This may create high traffic load for MySQL server. (i.e. Do not perform this when there is already high traffic.)
Type Y/y to perform this action and anything else to skip [Y]y
[WARNING] Weak password 123 set by user shou with host %
[INFO] Checking obsolete accounts...
[DEBUG] Obsolete account 'test' is deleted
[DEBUG] Obsolete account '' is deleted
[INFO] Checking useless database...
[DEBUG] All useless DBs are deleted
[INFO] Checking load file func...
[DEBUG] --secure-file-priv is enabled
[INFO] Checking global grants...
[WARNING] Setting references_priv = N is for user shou with host %
...
[DEBUG] Skipping privilege checking for root/internal account
[DEBUG] Skipping privilege checking for root/internal account
[DEBUG] Skipping privilege checking for root/internal account
[DEBUG] Skipping privilege checking for root/internal account
[DEBUG] Skipping privilege checking for root/internal account
[INFO] Checking database grants...
[DEBUG] Skipping database privilege checking for root/internal account
[DEBUG] Skipping database privilege checking for root/internal account
Checks:
- authentication (exposure + weak password)
- obsolete accounts
- useless database
- load file func
- global grants
- db grants
$ python3 main.py hadoop -h
usage: main.py hadoop [-h] [--dir]
optional arguments:
-h, --help show this help message and exit
--dir DIR the dir of configuration files, leave blank if you wish the program to automatically detect it. (e.g. --dir /etc/)
An example of checking Hadoop:
$ # both commands are equivalent
$ python3 main.py hadoop
$ python3 main.py hadoop --dir "/etc/hadoop/"
[INFO] Evaluating directory /etc/hadoop/
[INFO] /etc/hadoop/mapred-site.xml not found, skipped.
[INFO] /etc/hadoop/yarn-site.xml not found, skipped.
[INFO] Checking web portal cross origin policy
[DEBUG] CORS is off
[INFO] Checking SSL
[ISSUE] SSL is disabled.
[RECOMM] Consider setting hadoop.ssl.enabled = true in configuration file(s) based on your context.
[INFO] Checking global access control
[ISSUE] Everyone can access the instance
[RECOMM] Consider setting hadoop.security.authentication = kerberos in configuration file(s) based on your context.
[ISSUE] Authorization is not enabled
[RECOMM] Consider setting hadoop.security.authorization = true in configuration file(s) based on your context.
[INFO] Checking web portal access control
[ISSUE] Everyone can access the web portal
[RECOMM] Consider setting hadoop.http.authentication.type = kerberos in configuration file(s) based on your context.
[ISSUE] Anonymous is allowed to access web portal.
[RECOMM] Consider setting hadoop.http.authentication.simple.anonymous.allowed = false in configuration file(s) based on your context.
[INFO] Checking registry access control
[DEBUG] Registry is not enabled.
[INFO] Checking hdfs permission
[DEBUG] HDFS permission system is enabled.
[ISSUE] HDFS ACLs is not enabled.
[RECOMM] Consider setting dfs.namenode.acls.enabled = true in configuration file(s) based on your context.
[INFO] Checking export range
[ISSUE] NFS is exposed to internet for read and write.
[RECOMM] Consider setting / qualify nfs.exports.allowed.hosts in configuration file(s) based on your context.
Checks:
- CORS policy
- SSL
- global access control
- web portal access control
- registry access control
- hdfs access control
- hdfs exposure
$ python3 main.py spark -h
usage: main.py spark [-h] [--file FILE]
optional arguments:
-h, --help show this help message and exit
--file FILE the name of the configuration file, leave blank if you wish the program to automatically detect it. (e.g. --file /etc/xxx.conf)
An example of checking Spark:
$ # both commands are equivalent
$ python3 main.py spark
$ python3 main.py spark --file "/etc/spark/spark-defaults.conf"
[INFO] Assuming no configuration property has been changed by CLI or SparkConf object
[INFO] Evaluating file /etc/spark/spark-defaults.conf
[INFO] Checking ACL
[ISSUE] Access control not enabled for web portal
[RECOMM] Consider setting spark.acls.enable = true in configuration file(s) based on your context.
[ISSUE] Access control not enabled for history server
[RECOMM] Consider setting spark.history.ui.acls.enable = true in configuration file(s) based on your context.
[INFO] Checking XSS
[DEBUG] XSS protection is enabled
[DEBUG] CORB protection is enabled
[INFO] Checking SSL
[ISSUE] SSL is not enabled
[RECOMM] Consider setting spark.ssl.enable = true in configuration file(s) based on your context.
[INFO] Checking encryption
[ISSUE] Network encryption is not enabled
[RECOMM] Consider setting spark.network.crypto.enable = true in configuration file(s) based on your context.
[ISSUE] Disk encryption is not enabled
[RECOMM] Consider setting spark.io.encryption.enable = true in configuration file(s) based on your context.
[INFO] Checking web ui authentication
[ISSUE] Everyone can visit the instance
[RECOMM] Consider setting spark.authenticate = true in configuration file(s) based on your context.
[INFO] Checking logging
[ISSUE] Logging is not enabled
[RECOMM] Consider setting spark.eventLog.enabled = true in configuration file(s) based on your context.
Checks:
- ACL
- XSS protection
- CORB protection
- SSL
- network encryption
- disk encryption
- web ui authentication
- logging