Awesome

DAudit

Identify security risks in your configurations for databases and big data platforms.

Output

Installation

$ git clone https://github.com/shouc/daudit.git && cd daudit
$ python3 -m pip install -r requirements.txt

Supported Softwares

NoSQL DB:

Redis
MongoDB
CouchDB [TODO]
Cassandra [TODO]
HBase [TODO]
LevelDB [TODO]

Relational DB:

MySQL / MariaDB
Postgres [TODO]

Other DB:

Neo4j [TODO]
Elasticsearch [TODO]
InfluxDB [TODO]

Big Data Platform:

Hadoop
Spark

Usage

You can use the following command to print the help message

$ python3 main.py -h
==============================================
      _____                   _ _      
     (____ \   /\            | (_)_    
      _   \ \ /  \  _   _  _ | |_| |_  
     | |   | / /\ \| | | |/ || | |  _) 
     | |__/ / |__| | |_| ( (_| | | |__ 
     |_____/|______|\____|\____|_|\___)
      https://github.com/shouc/daudit
==============================================

usage: main.py [-h] {redis,mongodb,mysql,hadoop,spark} ...

This is a tool for detecting configuration issues of Redis, MySQL, etc!

positional arguments:
  {redis,mongodb,mysql,hadoop,spark}
                        commands
    redis               Check configurations of redis
    mongodb             Check configurations of mongodb
    mysql               Check configurations of mysql
    hadoop              Check configurations of hadoop
    spark               Check configurations of spark

optional arguments:
  -h, --help  show this help message and exit

Redis

Advisory

$ python3 main.py redis -h
usage: main.py redis [-h] [--dir DIR]

optional arguments:
  -h, --help  show this help message and exit
  --dir DIR   the dir of redis configuration files, leave blank if you wish the program to automatically detect the location.

An example of checking Redis with configuration file /etc/redis/redis.conf

$ # both commands are equivalent
$ sudo python3 main.py redis
$ sudo python3 main.py redis --dir /etc/redis 
[INFO]    Evaluating /etc/redis/redis.conf
[INFO]    Checking exposure...
[DEBUG]   Redis is only exposed to internal network (127.0.0.1)
[DEBUG]   Redis is only exposed to internal network (::1)
[INFO]    Checking setting of password...
[ISSUE]   No password has been set. 
[RECOMM]  Consider setting requirepass [your_password] in configuration file(s) based on your context.
[INFO]    Checking commands...
[ISSUE]   config command is exposed to every user.
[RECOMM]  Consider setting rename-command config [UUID] in configuration file(s) based on your context.
[ISSUE]   debug command is exposed to every user.
[RECOMM]  Consider setting rename-command debug [UUID] in configuration file(s) based on your context.
[ISSUE]   shutdown command is exposed to every user.
[RECOMM]  Consider setting rename-command shutdown [UUID] in configuration file(s) based on your context.
[ISSUE]   flushdb command is exposed to every user.
[RECOMM]  Consider setting rename-command flushdb [UUID] in configuration file(s) based on your context.
[ISSUE]   flushall command is exposed to every user.
[RECOMM]  Consider setting rename-command flushall [UUID] in configuration file(s) based on your context.
[ISSUE]   eval command is exposed to every user.
[RECOMM]  Consider setting rename-command eval [UUID] in configuration file(s) based on your context.

Checks:

exposure
weak/no password
command renaming

MongoDB

Advisory

$ python3 main.py mongodb -h
usage: main.py mongodb [-h] [--dir DIR] [--file FILE]

optional arguments:
  -h, --help   show this help message and exit
  --dir DIR    the dir of configuration files, leave blank if you wish the program to automatically detect it. (e.g. --dir /etc/)
  --file FILE  the name of the configuration file, leave blank if you wish the program to automatically detect it. (e.g. --file xxx.conf)

An example of checking MongoDB with configuration file /etc/mongodb.conf

$ # both commands are equivalent
$ sudo python3 main.py mongodb
$ sudo python3 main.py mongodb --dir '/etc' --file mongodb.conf 
[INFO]    Evaluating /etc/mongodb.conf
[DEBUG]   Using MongoDB <= 2.4 conf file format (INI)
[INFO]    Checking exposure...
[DEBUG]   The instance is only exposed on internal IP: 127.0.0.1
[INFO]    Checking setting of authentication...
[ISSUE]   No authorization is enabled in configuration file. 
[RECOMM]  Consider setting auth = true in configuration file(s) based on your context.
[INFO]    Checking code execution issue...
[ISSUE]   JS code execution is enabled in configuration file.
[RECOMM]  Consider setting noscripting = true in configuration file(s) based on your context.
[INFO]    Checking object check issue...
[ISSUE]   Object check is not enabled in configuration file.
[RECOMM]  Consider setting noscripting = true in configuration file(s) based on your context.

Checks:

exposure
authorization
js code execution
object check

MySQL / MariaDB

$ python3 main.py mysql -h
usage: main.py mysql [-h] [--password PASSWORD] [--username USERNAME] [--host HOST] [--port PORT]

optional arguments:
  -h, --help           show this help message and exit
  --password PASSWORD  Password of root account []
  --username USERNAME  Username of root account [root]
  --host HOST          Username of root account [127.0.0.1]
  --port PORT          Port of MySQL server [3306]

An example of checking MySQL:

$ # both commands are equivalent
$ python3 main.py mysql
$ python3 main.py mysql --host "127.0.0.1" --port 3306 --username root --password ""
[INFO]    Checking authentication...
[WARNING] User na3 is exposed to the internet (0.0.0.0)
[INFO]    Would you like to perform weak-password check? This may create high traffic load for MySQL server. (i.e. Do not perform this when there is already high traffic.)
Type Y/y to perform this action and anything else to skip [Y]x
[WARNING] User root is exposed to the internet (0.0.0.0)
[INFO]    Would you like to perform weak-password check? This may create high traffic load for MySQL server. (i.e. Do not perform this when there is already high traffic.)
Type Y/y to perform this action and anything else to skip [Y]x
[WARNING] User shou is exposed to the internet (0.0.0.0)
[INFO]    Would you like to perform weak-password check? This may create high traffic load for MySQL server. (i.e. Do not perform this when there is already high traffic.)
Type Y/y to perform this action and anything else to skip [Y]y
[WARNING] Weak password 123 set by user shou with host %
[INFO]    Checking obsolete accounts...
[DEBUG]   Obsolete account 'test' is deleted
[DEBUG]   Obsolete account '' is deleted
[INFO]    Checking useless database...
[DEBUG]   All useless DBs are deleted
[INFO]    Checking load file func...
[DEBUG]   --secure-file-priv is enabled
[INFO]    Checking global grants...
[WARNING] Setting references_priv = N is for user shou with host %
...
[DEBUG]   Skipping privilege checking for root/internal account
[DEBUG]   Skipping privilege checking for root/internal account
[DEBUG]   Skipping privilege checking for root/internal account
[DEBUG]   Skipping privilege checking for root/internal account
[DEBUG]   Skipping privilege checking for root/internal account
[INFO]    Checking database grants...
[DEBUG]   Skipping database privilege checking for root/internal account
[DEBUG]   Skipping database privilege checking for root/internal account

Checks:

authentication (exposure + weak password)
obsolete accounts
useless database
load file func
global grants
db grants

Hadoop

$ python3 main.py hadoop -h
usage: main.py hadoop [-h] [--dir]

optional arguments:
  -h, --help           show this help message and exit
  --dir DIR    the dir of configuration files, leave blank if you wish the program to automatically detect it. (e.g. --dir /etc/)

An example of checking Hadoop:

$ # both commands are equivalent
$ python3 main.py hadoop
$ python3 main.py hadoop --dir "/etc/hadoop/"
[INFO]    Evaluating directory /etc/hadoop/
[INFO]    /etc/hadoop/mapred-site.xml not found, skipped.
[INFO]    /etc/hadoop/yarn-site.xml not found, skipped.
[INFO]    Checking web portal cross origin policy
[DEBUG]   CORS is off
[INFO]    Checking SSL
[ISSUE]   SSL is disabled.
[RECOMM]  Consider setting hadoop.ssl.enabled = true in configuration file(s) based on your context.
[INFO]    Checking global access control
[ISSUE]   Everyone can access the instance
[RECOMM]  Consider setting hadoop.security.authentication = kerberos in configuration file(s) based on your context.
[ISSUE]   Authorization is not enabled
[RECOMM]  Consider setting hadoop.security.authorization = true in configuration file(s) based on your context.
[INFO]    Checking web portal access control
[ISSUE]   Everyone can access the web portal
[RECOMM]  Consider setting hadoop.http.authentication.type = kerberos in configuration file(s) based on your context.
[ISSUE]   Anonymous is allowed to access web portal.
[RECOMM]  Consider setting hadoop.http.authentication.simple.anonymous.allowed = false in configuration file(s) based on your context.
[INFO]    Checking registry access control
[DEBUG]   Registry is not enabled. 
[INFO]    Checking hdfs permission
[DEBUG]   HDFS permission system is enabled.
[ISSUE]   HDFS ACLs is not enabled.
[RECOMM]  Consider setting dfs.namenode.acls.enabled = true in configuration file(s) based on your context.
[INFO]    Checking export range
[ISSUE]   NFS is exposed to internet for read and write.
[RECOMM]  Consider setting  / qualify nfs.exports.allowed.hosts in configuration file(s) based on your context.

Checks:

CORS policy
SSL
global access control
web portal access control
registry access control
hdfs access control
hdfs exposure

Spark

Advisory

$ python3 main.py spark -h
usage: main.py spark [-h] [--file FILE]

optional arguments:
  -h, --help   show this help message and exit
  --file FILE  the name of the configuration file, leave blank if you wish the program to automatically detect it. (e.g. --file /etc/xxx.conf)

An example of checking Spark:

$ # both commands are equivalent
$ python3 main.py spark
$ python3 main.py spark --file "/etc/spark/spark-defaults.conf"
[INFO]    Assuming no configuration property has been changed by CLI or SparkConf object
[INFO]    Evaluating file /etc/spark/spark-defaults.conf
[INFO]    Checking ACL
[ISSUE]   Access control not enabled for web portal
[RECOMM]  Consider setting spark.acls.enable = true in configuration file(s) based on your context.
[ISSUE]   Access control not enabled for history server
[RECOMM]  Consider setting spark.history.ui.acls.enable = true in configuration file(s) based on your context.
[INFO]    Checking XSS
[DEBUG]   XSS protection is enabled
[DEBUG]   CORB protection is enabled
[INFO]    Checking SSL
[ISSUE]   SSL is not enabled
[RECOMM]  Consider setting spark.ssl.enable = true in configuration file(s) based on your context.
[INFO]    Checking encryption
[ISSUE]   Network encryption is not enabled
[RECOMM]  Consider setting spark.network.crypto.enable = true in configuration file(s) based on your context.
[ISSUE]   Disk encryption is not enabled
[RECOMM]  Consider setting spark.io.encryption.enable = true in configuration file(s) based on your context.
[INFO]    Checking web ui authentication
[ISSUE]   Everyone can visit the instance
[RECOMM]  Consider setting spark.authenticate = true in configuration file(s) based on your context.
[INFO]    Checking logging
[ISSUE]   Logging is not enabled
[RECOMM]  Consider setting spark.eventLog.enabled = true in configuration file(s) based on your context.

Checks:

ACL
XSS protection
CORB protection
SSL
network encryption
disk encryption
web ui authentication
logging