diff --git a/README.md b/README.md
index edc5443..7d1f65a 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,2 @@
-|이름|상태 요약|상세 보기|
-|---|---|---|
-|cmoa-jaeger-master|취약|http://10.10.43.42:8080/cmoa-jaeger-master.txt|
-|cmoa-master-1|취약|http://10.10.43.42:8080/cmoa-master-1.txt|
-|cmoa-worker1-1|취약|http://10.10.43.42:8080/cmoa-worker1-1.txt|
+| 이름 | IP | 상태 요약 | 상세 보기 |
+| --- | --- | --- | --- |
diff --git a/roles/security_check/files/ubuntu.sh b/roles/security_check/files/ubuntu.sh
index 290c037..4cdef4e 100644
--- a/roles/security_check/files/ubuntu.sh
+++ b/roles/security_check/files/ubuntu.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-resultfile="/tmp/$(hostname).txt"
+resultfile="Results_$(date '+%F_%H:%M:%S').txt"
 
 U_01() {
 echo "" >> $resultfile 2>&1
@@ -13,7 +13,7 @@ U_01() {
 telnet_port=(`grep -vE '^#|^\s#' /etc/services | awk 'tolower($1)=="telnet" {print $2}' | awk -F / 'tolower($2)=="tcp" {print $1}'`)
 for ((i=0; i<${#telnet_port[@]}; i++))
 do
-netstat_telnet_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${telnet_port[$i]} " | wc -l`
+netstat_telnet_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${telnet_port[$i]} " | wc -l`
 if [ $netstat_telnet_count -gt 0 ]; then
 if [ -f /etc/pam.d/login ]; then
 pam_securetty_so_count=`grep -vE '^#|^\s#' /etc/pam.d/login | grep -i 'pam_securetty.so' | wc -l`
@@ -86,7 +86,7 @@ U_01() {
 ssh_port=(`grep -vE '^#|^\s#' /etc/services | awk 'tolower($1)=="ssh" {print $2}' | awk -F / 'tolower($2)=="tcp" {print $1}'`)
 for ((i=0; i<${#ssh_port[@]}; i++))
 do
-netstat_sshd_enable_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${ssh_port[$i]} " | wc -l`
+netstat_sshd_enable_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${ssh_port[$i]} " | wc -l`
 if [ $netstat_sshd_enable_count -gt 0 ]; then
 if [ ${#sshd_config_file[@]} -eq 0 ]; then
 echo "※ U-01 결과 : 취약(Vulnerable)" >> $resultfile 2>&1
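Review bot: The new `resultfile` drops the hostname from the file name and is a relative path, so the report is written into whatever directory the script happens to be started from, and its stem no longer identifies the host; `roles/security_check/templates/README.md.j2` in this same commit keys `hostvars[...]` on that stem, so unless a task outside this diff renames the fetched file the README lookup will fail. The `%H:%M:%S` part also puts colons into the file name, which is rejected on Windows/SMB targets and needs escaping in many tools. If a timestamp is wanted, keep the host in the stem and use a colon-free time, e.g. `resultfile="$(hostname)_$(date '+%F_%H%M%S').txt"`, decide the output directory explicitly rather than relying on the caller's cwd, and quote the expansion at the redirects (`>> "$resultfile"`).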
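Review bot: The added state filter still lets `grep ":${telnet_port[$i]} "` match the port in either the local or the foreign address column, so an outbound session from this host to a remote telnet/ssh/smtp port is counted as if the local service were running (`ESTABLISHED` is in the allow-list); the same pattern is repeated in the U_01 hunks at 86 and 115 and in the U_19, U_30–U_32, U_60, U_61, U_64, U_68 and U_70 hunks, and in the U_60 ssh hunk at 2870 it also skews the inverse `-eq 0` "SSH disabled" finding. On Linux net-tools the state column prints `SYN_RECV`, so the `syn_received` alternative never matches and can be dropped. For a "service is listening" check, select the local-address column and the LISTEN state instead, e.g. `netstat -nat 2>/dev/null | awk -v p=":${telnet_port[$i]}$" '$6=="LISTEN" && $4 ~ p' | wc -l`; since `netstat` comes from net-tools, which current Ubuntu no longer installs by default, `ss -Hltn` is the safer primary source with netstat as a fallback. U_01's body continues outside the hunk.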
@@ -115,7 +115,7 @@ U_01() {
 ssh_port=(`grep -vE '^#|^\s#' ${sshd_config_file[$i]} | grep -i 'port' | awk '{print $2}'`)
 for ((j=0; j<${#ssh_port[@]}; j++))
 do
-netstat_sshd_enable_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${ssh_port[$j]} " | wc -l`
+netstat_sshd_enable_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${ssh_port[$j]} " | wc -l`
 if [ $netstat_sshd_enable_count -gt 0 ]; then
 for ((k=0; k<${#sshd_config_file[@]}; k++))
 do
@@ -1179,7 +1179,7 @@ U_19() {
 finger_port=(`grep -vE '^#|^\s#' /etc/services | awk 'tolower($1)=="finger" {print $2}' | awk -F / 'tolower($2)=="tcp" {print $1}'`)
 for ((i=0; i<${#finger_port[@]}; i++))
 do
-netstat_finger_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${finger_port[$i]} " | wc -l`
+netstat_finger_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${finger_port[$i]} " | wc -l`
 if [ $netstat_finger_count -gt 0 ]; then
 echo "※ U-19 결과 : 취약(Vulnerable)" >> $resultfile 2>&1
 echo " finger 서비스가 실행 중입니다." >> $resultfile 2>&1
@@ -1566,7 +1566,7 @@ U_30() {
 smtp_port=(`grep -vE '^#|^\s#' /etc/services | awk 'tolower($1)=="smtp" {print $2}' | awk -F / 'tolower($2)=="tcp" {print $1}'`)
 for ((i=0; i<${#smtp_port[@]}; i++))
 do
-netstat_smtp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${smtp_port[$i]} " | wc -l`
+netstat_smtp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${smtp_port[$i]} " | wc -l`
 if [ $netstat_smtp_count -gt 0 ]; then
 dpkg_sendmail_version=`dpkg -s sendmail 2>/dev/null | grep -i 'version' | awk '{print $2}' | cut -d : -f 2`
 if [[ $dpkg_sendmail_version != 8.17.1* ]]; then
@@ -1601,7 +1601,7 @@ U_31() {
 smtp_port=(`grep -vE '^#|^\s#' /etc/services | awk 'tolower($1)=="smtp" {print $2}' | awk -F / 'tolower($2)=="tcp" {print $1}'`)
 for ((i=0; i<${#smtp_port[@]}; i++))
 do
-netstat_smtp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${smtp_port[$i]} " | wc -l`
+netstat_smtp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${smtp_port[$i]} " | wc -l`
 if [ $netstat_smtp_count -gt 0 ]; then
 sendmailcf_exists_count=`find / -name 'sendmail.cf' -type f 2>/dev/null | wc -l`
 if [ $sendmailcf_exists_count -gt 0 ]; then
@@ -1654,7 +1654,7 @@ U_32() {
 smtp_port=(`grep -vE '^#|^\s#' /etc/services | awk 'tolower($1)=="smtp" {print $2}' | awk -F / 'tolower($2)=="tcp" {print $1}'`)
 for ((i=0; i<${#smtp_port[@]}; i++))
 do
-netstat_smtp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${smtp_port[$i]} " | wc -l`
+netstat_smtp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${smtp_port[$i]} " | wc -l`
 if [ $netstat_smtp_count -gt 0 ]; then
 sendmailcf_exists_count=`find / -name 'sendmail.cf' -type f 2>/dev/null | wc -l`
 if [ $sendmailcf_exists_count -gt 0 ]; then
@@ -2785,7 +2785,7 @@ U_60() {
 telnet_port=(`grep -vE '^#|^\s#' /etc/services | awk 'tolower($1)=="telnet" {print $2}' | awk -F / 'tolower($2)=="tcp" {print $1}'`)
 for ((i=0; i<${#telnet_port[@]}; i++))
 do
-netstat_telnet_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${telnet_port[$i]} " | wc -l`
+netstat_telnet_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${telnet_port[$i]} " | wc -l`
 if [ $netstat_telnet_count -gt 0 ]; then
 echo "※ U-60 결과 : 취약(Vulnerable)" >> $resultfile 2>&1
 echo " Telnet 서비스가 실행 중입니다." >> $resultfile 2>&1
@@ -2798,7 +2798,7 @@ U_60() {
 ftp_port=(`grep -vE '^#|^\s#' /etc/services | awk 'tolower($1)=="ftp" {print $2}' | awk -F / 'tolower($2)=="tcp" {print $1}'`)
 for ((i=0; i<${#ftp_port[@]}; i++))
 do
-netstat_ftp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${ftp_port[$i]} " | wc -l`
+netstat_ftp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${ftp_port[$i]} " | wc -l`
 if [ $netstat_ftp_count -gt 0 ]; then
 echo "※ U-60 결과 : 취약(Vulnerable)" >> $resultfile 2>&1
 echo " ftp 서비스가 실행 중입니다." >> $resultfile 2>&1
@@ -2818,7 +2818,7 @@ U_60() {
 telnet_port=(`grep -vE '^#|^\s#' ${vsftpdconf_files[$i]} | grep 'listen_port' | awk -F = '{gsub(" ", "", $0); print $2}'`)
 for ((j=0; j<${#telnet_port[@]}; j++))
 do
-if [ `netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${telnet_port[$j]} " | wc -l` -gt 0 ]; then
+if [ `netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${telnet_port[$j]} " | wc -l` -gt 0 ]; then
 echo "※ U-60 결과 : 취약(Vulnerable)" >> $resultfile 2>&1
 echo " ftp 서비스가 실행 중입니다." >> $resultfile 2>&1
 return 0
@@ -2838,7 +2838,7 @@ U_60() {
 telnet_port=(`grep -vE '^#|^\s#' ${proftpdconf_files[$i]} | grep 'Port' | awk '{print $2}'`)
 for ((j=0; j<${#telnet_port[@]}; j++))
 do
-if [ `netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${telnet_port[$j]} " | wc -l` -gt 0 ]; then
+if [ `netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${telnet_port[$j]} " | wc -l` -gt 0 ]; then
 echo "※ U-60 결과 : 취약(Vulnerable)" >> $resultfile 2>&1
 echo " ftp 서비스가 실행 중입니다." >> $resultfile 2>&1
 return 0
@@ -2870,7 +2870,7 @@ U_60() {
 ssh_port=(`grep -vE '^#|^\s#' ${sshdconfig_files[$i]} | grep -i 'Port' | awk '{print $2}'`)
 for ((j=0; j<${#ssh_port[@]}; j++))
 do
-netstat_ssh_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${ssh_port[$j]} " | wc -l`
+netstat_ssh_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${ssh_port[$j]} " | wc -l`
 if [ $netstat_ssh_count -eq 0 ]; then
 echo "※ U-60 결과 : 취약(Vulnerable)" >> $resultfile 2>&1
 echo " SSH 서비스가 비활성화 상태입니다." >> $resultfile 2>&1
@@ -2909,7 +2909,7 @@ U_61() {
 ftp_port=(`grep -vE '^#|^\s#' /etc/services | awk 'tolower($1)=="ftp" {print $2}' | awk -F / 'tolower($2)=="tcp" {print $1}'`)
 for ((i=0; i<${#ftp_port[@]}; i++))
 do
-netstat_ftp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${ftp_port[$i]} " | wc -l`
+netstat_ftp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${ftp_port[$i]} " | wc -l`
 if [ $netstat_ftp_count -gt 0 ]; then
 echo "※ U-61 결과 : 취약(Vulnerable)" >> $resultfile 2>&1
 echo " ftp 서비스가 실행 중입니다." >> $resultfile 2>&1
@@ -2929,7 +2929,7 @@ U_61() {
 ftp_port=(`grep -vE '^#|^\s#' ${vsftpdconf_files[$i]} | grep 'listen_port' | awk -F = '{gsub(" ", "", $0); print $2}'`)
 for ((j=0; j<${#ftp_port[@]}; j++))
 do
-netstat_ftp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${ftp_port[$j]} " | wc -l`
+netstat_ftp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${ftp_port[$j]} " | wc -l`
 if [ $netstat_ftp_count -gt 0 ]; then
 echo "※ U-61 결과 : 취약(Vulnerable)" >> $resultfile 2>&1
 echo " ftp 서비스가 실행 중입니다." >> $resultfile 2>&1
@@ -2951,7 +2951,7 @@ U_61() {
 ftp_port=(`grep -vE '^#|^\s#' ${proftpdconf_files[$i]} | grep 'Port' | awk '{print $2}'`)
 for ((j=0; j<${#ftp_port[@]}; j++))
 do
-netstat_ftp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${ftp_port[$j]} " | wc -l`
+netstat_ftp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${ftp_port[$j]} " | wc -l`
 if [ $netstat_ftp_count -gt 0 ]; then
 echo "※ U-61 결과 : 취약(Vulnerable)" >> $resultfile 2>&1
 echo " ftp 서비스가 실행 중입니다." >> $resultfile 2>&1
@@ -3056,7 +3056,7 @@ U_64() {
 ftp_port=(`grep -vE '^#|^\s#' /etc/services | awk -F " " 'tolower($1)=="ftp" {print $2}' | awk -F / 'tolower($2)=="tcp" {print $1}'`)
 for ((i=0; i<${#ftp_port[@]}; i++))
 do
-netstat_ftp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${ftp_port[$i]} " | wc -l`
+netstat_ftp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${ftp_port[$i]} " | wc -l`
 if [ $netstat_ftp_count -gt 0 ]; then
 ((ftp_running_count++))
 for ((j=0; j<${#ftpusers_files[@]}; j++))
@@ -3284,7 +3284,7 @@ U_68() {
 telnet_port=(`grep -vE '^#|^\s#' /etc/services | awk 'tolower($1)=="telnet" {print $2}' | awk -F / 'tolower($2)=="tcp" {print $1}'`)
 for ((i=0; i<${#telnet_port[@]}; i++))
 do
-netstat_telnet_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${telnet_port[$i]} " | wc -l`
+netstat_telnet_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${telnet_port[$i]} " | wc -l`
 if [ $netstat_telnet_count -gt 0 ]; then
 if [ -f /etc/issue.net ]; then
 if [ `grep -vE '^ *#|^$' /etc/issue.net | wc -l` -eq 0 ]; then
@@ -3321,7 +3321,7 @@ U_68() {
 ftp_port=(`grep -vE '^#|^\s#' /etc/services | awk 'tolower($1)=="ftp" {print $2}' | awk -F / 'tolower($2)=="tcp" {print $1}'`)
 for ((i=0; i<${#ftp_port[@]}; i++))
 do
-netstat_ftp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${ftp_port[$i]} " | wc -l`
+netstat_ftp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${ftp_port[$i]} " | wc -l`
 if [ $netstat_ftp_count -gt 0 ]; then
 ftpdconf_file_exists_count=0
 if [ -f /etc/vsftpd.conf ]; then
@@ -3403,7 +3403,7 @@ U_68() {
 smtp_port=(`grep -vE '^#|^\s#' /etc/services | awk 'tolower($1)=="smtp" {print $2}' | awk -F / 'tolower($2)=="tcp" {print $1}'`)
 for ((i=0; i<${#smtp_port[@]}; i++))
 do
-netstat_smtp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${smtp_port[$i]} " | wc -l`
+netstat_smtp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${smtp_port[$i]} " | wc -l`
 if [ $netstat_smtp_count -gt 0 ]; then
 find_sendmailcf_count=`find / -name 'sendmail.cf' -type f 2>/dev/null | wc -l`
 if [ $find_sendmailcf_count -gt 0 ]; then
@@ -3509,7 +3509,7 @@ U_70() {
 smtp_port=(`grep -vE '^#|^\s#' /etc/services | awk 'tolower($1)=="smtp" {print $2}' | awk -F / 'tolower($2)=="tcp" {print $1}'`)
 for ((i=0; i<${#smtp_port[@]}; i++))
 do
-netstat_smtp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${smtp_port[$i]} " | wc -l`
+netstat_smtp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${smtp_port[$i]} " | wc -l`
 if [ $netstat_smtp_count -gt 0 ]; then
 find_sendmailcf_count=`find / -name 'sendmail.cf' -type f 2>/dev/null | wc -l`
 if [ $find_sendmailcf_count -gt 0 ]; then
@@ -3611,7 +3611,7 @@ echo "" > $resultfile 2>&1
 echo " 점검일 : `date +'%F %H:%M:%S'`" >> $resultfile 2>&1
 echo "##############################################################################" >> $resultfile 2>&1
 echo "# #" >> $resultfile 2>&1
-echo "# Ubuntu vulnerability assessment results Version 1.1.1 #" >> $resultfile 2>&1
+echo "# Ubuntu vulnerability assessment results Version 1.1.3 #" >> $resultfile 2>&1
 echo "# Copyright (c) 2023 Kim Jei #" >> $resultfile 2>&1
 echo "# #" >> $resultfile 2>&1
 echo "##############################################################################" >> $resultfile 2>&1
@@ -3621,73 +3621,73 @@ U_02
 U_03
 U_04
 U_05
-U_06
-U_07
-U_08
-U_09
-U_10
-U_11
-U_12
-U_13
-U_14
-U_15
-U_16
-U_17
-U_18
-U_19
-U_20
-U_21
-U_22
-U_23
-U_24
-U_25
-U_26
-U_27
-U_28
-U_29
-U_30
-U_31
-U_32
-U_33
-U_34
-U_35
-U_36
-U_37
-U_38
-U_39
-U_40
-U_41
-U_42
-U_43
-U_44
-U_45
-U_46
-U_47
-U_48
-U_49
-U_50
-U_51
-U_52
-U_53
-U_54
-U_55
-U_56
-U_57
-U_58
-U_59
-U_60
-U_61
-U_62
-U_63
-U_64
-U_65
-U_66
-U_67
-U_68
-U_69
-U_70
-U_71
-U_72
+#U_06
+#U_07
+#U_08
+#U_09
+#U_10
+#U_11
+#U_12
+#U_13
+#U_14
+#U_15
+#U_16
+#U_17
+#U_18
+#U_19
+#U_20
+#U_21
+#U_22
+#U_23
+#U_24
+#U_25
+#U_26
+#U_27
+#U_28
+#U_29
+#U_30
+#U_31
+#U_32
+#U_33
+#U_34
+#U_35
+#U_36
+#U_37
+#U_38
+#U_39
+#U_40
+#U_41
+#U_42
+#U_43
+#U_44
+#U_45
+#U_46
+#U_47
+#U_48
+#U_49
+#U_50
+#U_51
+#U_52
+#U_53
+#U_54
+#U_55
+#U_56
+#U_57
+#U_58
+#U_59
+#U_60
+#U_61
+#U_62
+#U_63
+#U_64
+#U_65
+#U_66
+#U_67
+#U_68
+#U_69
+#U_70
+#U_71
+#U_72
 
 echo "" >> $resultfile 2>&1
 echo "================================ 진단 결과 요약 ================================" >> $resultfile 2>&1
diff --git a/roles/security_check/tasks/create_readme.yml b/roles/security_check/tasks/create_readme.yml
index 4887898..23bc6d4 100644
--- a/roles/security_check/tasks/create_readme.yml
+++ b/roles/security_check/tasks/create_readme.yml
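Review bot: Commenting out `U_06` through `U_72` leaves only U_01–U_05 executing, while the banner hunk just above bumps the report version to 1.1.3 and the `check status [2]` task added to `create_readme.yml` in this commit marks a host `양호` as soon as its summary reports zero findings — so a host that passed only five of the 72 checks will be published as compliant. If this is a temporary debugging aid it should not ship under a release version; if the reduced scope is intended, print it in the report header (next to the version line) so readers of the generated README are not misled. An explicit list such as `checks=(U_01 U_02 U_03 U_04 U_05)` run with `for c in "${checks[@]}"; do "$c"; done` would make the active set visible at a glance instead of 67 commented lines. The enclosing top-level statement run continues outside the hunk.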
@@ -1,5 +1,5 @@
 ---
-- name: check status
+- name: check status [1]
 shell: |
 grep -H '☆ 취약 개수 = [1-9]' *.txt | cut -d: -f1
 args:
@@ -7,8 +7,22 @@
 register: check_status
 when: "'nas' in group_names"
 
+- name: check status [2]
+ shell: |
+ grep -H '☆ 취약 개수 = [0]' *.txt | cut -d: -f1
+ args:
+ chdir: /volume1/platform/05_Security_check/
+ register: check_ok
+ when: "'nas' in group_names"
+
 - debug:
- msg: "취약점 {{ check_status.stdout_lines }} 발견"
+ msg: "취약점 {{ item }} 발견"
+ loop: "{{ check_status.stdout_lines }}"
+ when: "'nas' in group_names"
+
+- debug:
+ msg: "취약점 {{ item }} 양호"
+ loop: "{{ check_ok.stdout_lines }}"
 when: "'nas' in group_names"
 
 - name: Create README.md
diff --git a/roles/security_check/templates/README.md.j2 b/roles/security_check/templates/README.md.j2
index a792705..02f7b7e 100644
--- a/roles/security_check/templates/README.md.j2
+++ b/roles/security_check/templates/README.md.j2
@@ -1,5 +1,8 @@
-|이름|상태 요약|상세 보기|
-|---|---|---|
-{% for filename in check_status.stdout_lines %}
-|{{ filename|splitext|first }}|취약|http://10.10.43.42:8080/{{ filename }}|
+| 이름 | IP | 상태 요약 | 상세 보기 |
+| --- | --- | --- | --- |
+{% for vulnerable in check_status.stdout_lines %}
+| {{ vulnerable|splitext|first }} | {{ hostvars[vulnerable|splitext|first]['ansible_host'] }} | 취약 | http://10.10.43.42:8080/{{ vulnerable }} |
+{% endfor %}
+{% for good in check_ok.stdout_lines %}
+| {{ good|splitext|first }} | {{ hostvars[vulnerable|splitext|first]['ansible_host'] }} | 양호 | http://10.10.43.42:8080/{{ good }} |
 {% endfor %}
\ No newline at end of file
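Review bot: A result file that lacks the `☆ 취약 개수 =` summary line (an assessment that aborted part-way, for instance) matches neither the `[1-9]` pattern of task [1] nor the `[0]` pattern of the new task [2], so that host silently drops out of both debug loops and out of the README that is rendered from `check_status` and `check_ok`. A third task along the lines of `grep -L '☆ 취약 개수 =' *.txt` (registered as, say, `check_missing`) rendered as its own row, or an assertion that the two lists together cover the inventory, would keep such hosts visible. Note also that `[0]` is a one-character class equivalent to plain `0`, so the pattern can simply read `'☆ 취약 개수 = 0'`. The debug text `취약점 {{ item }} 양호` reads oddly for a clean host; `{{ item }} 양호` or a distinct label would be clearer.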
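Review bot: The second loop looks up `hostvars[vulnerable|splitext|first]` while iterating over `good`; Jinja scopes a loop variable to its own loop, so `vulnerable` is undefined there and, with Ansible's default undefined handling, the template fails to render as soon as `check_ok.stdout_lines` has an entry — and even where a `vulnerable` variable did exist in scope the row would show the wrong host's IP. Change the cell to `{{ hostvars[good|splitext|first]['ansible_host'] }}`. Both lookups also assume the file stem is an inventory hostname that defines `ansible_host`; appending `| default('')` to each lookup keeps the README rendering for hosts that are addressed by name only rather than aborting the whole task.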