README.md Update

ByeonJungHun
2024-01-04 14:12:42 +09:00
parent 280b29cfe1
commit a935339d2f
4 changed files with 114 additions and 100 deletions


@@ -1,5 +1,2 @@
|이름|상태 요약|상세 보기|
|---|---|---|
|cmoa-jaeger-master|취약|http://10.10.43.42:8080/cmoa-jaeger-master.txt|
|cmoa-master-1|취약|http://10.10.43.42:8080/cmoa-master-1.txt|
|cmoa-worker1-1|취약|http://10.10.43.42:8080/cmoa-worker1-1.txt|
| 이름 | IP | 상태 요약 | 상세 보기 |
| --- | --- | --- | --- |


@@ -1,6 +1,6 @@
#!/bin/bash
resultfile="/tmp/$(hostname).txt"
resultfile="Results_$(date '+%F_%H:%M:%S').txt"
U_01() {
echo "" >> $resultfile 2>&1
@@ -13,7 +13,7 @@ U_01() {
telnet_port=(`grep -vE '^#|^\s#' /etc/services | awk 'tolower($1)=="telnet" {print $2}' | awk -F / 'tolower($2)=="tcp" {print $1}'`)
for ((i=0; i<${#telnet_port[@]}; i++))
do
netstat_telnet_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${telnet_port[$i]} " | wc -l`
netstat_telnet_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${telnet_port[$i]} " | wc -l`
if [ $netstat_telnet_count -gt 0 ]; then
if [ -f /etc/pam.d/login ]; then
pam_securetty_so_count=`grep -vE '^#|^\s#' /etc/pam.d/login | grep -i 'pam_securetty.so' | wc -l`
@@ -86,7 +86,7 @@ U_01() {
ssh_port=(`grep -vE '^#|^\s#' /etc/services | awk 'tolower($1)=="ssh" {print $2}' | awk -F / 'tolower($2)=="tcp" {print $1}'`)
for ((i=0; i<${#ssh_port[@]}; i++))
do
netstat_sshd_enable_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${ssh_port[$i]} " | wc -l`
netstat_sshd_enable_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${ssh_port[$i]} " | wc -l`
if [ $netstat_sshd_enable_count -gt 0 ]; then
if [ ${#sshd_config_file[@]} -eq 0 ]; then
echo "※ U-01 결과 : 취약(Vulnerable)" >> $resultfile 2>&1
@@ -115,7 +115,7 @@ U_01() {
ssh_port=(`grep -vE '^#|^\s#' ${sshd_config_file[$i]} | grep -i 'port' | awk '{print $2}'`)
for ((j=0; j<${#ssh_port[@]}; j++))
do
netstat_sshd_enable_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${ssh_port[$j]} " | wc -l`
netstat_sshd_enable_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${ssh_port[$j]} " | wc -l`
if [ $netstat_sshd_enable_count -gt 0 ]; then
for ((k=0; k<${#sshd_config_file[@]}; k++))
do
@@ -1179,7 +1179,7 @@ U_19() {
finger_port=(`grep -vE '^#|^\s#' /etc/services | awk 'tolower($1)=="finger" {print $2}' | awk -F / 'tolower($2)=="tcp" {print $1}'`)
for ((i=0; i<${#finger_port[@]}; i++))
do
netstat_finger_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${finger_port[$i]} " | wc -l`
netstat_finger_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${finger_port[$i]} " | wc -l`
if [ $netstat_finger_count -gt 0 ]; then
echo "※ U-19 결과 : 취약(Vulnerable)" >> $resultfile 2>&1
echo " finger 서비스가 실행 중입니다." >> $resultfile 2>&1
@@ -1566,7 +1566,7 @@ U_30() {
smtp_port=(`grep -vE '^#|^\s#' /etc/services | awk 'tolower($1)=="smtp" {print $2}' | awk -F / 'tolower($2)=="tcp" {print $1}'`)
for ((i=0; i<${#smtp_port[@]}; i++))
do
netstat_smtp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${smtp_port[$i]} " | wc -l`
netstat_smtp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${smtp_port[$i]} " | wc -l`
if [ $netstat_smtp_count -gt 0 ]; then
dpkg_sendmail_version=`dpkg -s sendmail 2>/dev/null | grep -i 'version' | awk '{print $2}' | cut -d : -f 2`
if [[ $dpkg_sendmail_version != 8.17.1* ]]; then
@@ -1601,7 +1601,7 @@ U_31() {
smtp_port=(`grep -vE '^#|^\s#' /etc/services | awk 'tolower($1)=="smtp" {print $2}' | awk -F / 'tolower($2)=="tcp" {print $1}'`)
for ((i=0; i<${#smtp_port[@]}; i++))
do
netstat_smtp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${smtp_port[$i]} " | wc -l`
netstat_smtp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${smtp_port[$i]} " | wc -l`
if [ $netstat_smtp_count -gt 0 ]; then
sendmailcf_exists_count=`find / -name 'sendmail.cf' -type f 2>/dev/null | wc -l`
if [ $sendmailcf_exists_count -gt 0 ]; then
@@ -1654,7 +1654,7 @@ U_32() {
smtp_port=(`grep -vE '^#|^\s#' /etc/services | awk 'tolower($1)=="smtp" {print $2}' | awk -F / 'tolower($2)=="tcp" {print $1}'`)
for ((i=0; i<${#smtp_port[@]}; i++))
do
netstat_smtp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${smtp_port[$i]} " | wc -l`
netstat_smtp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${smtp_port[$i]} " | wc -l`
if [ $netstat_smtp_count -gt 0 ]; then
sendmailcf_exists_count=`find / -name 'sendmail.cf' -type f 2>/dev/null | wc -l`
if [ $sendmailcf_exists_count -gt 0 ]; then
@@ -2785,7 +2785,7 @@ U_60() {
telnet_port=(`grep -vE '^#|^\s#' /etc/services | awk 'tolower($1)=="telnet" {print $2}' | awk -F / 'tolower($2)=="tcp" {print $1}'`)
for ((i=0; i<${#telnet_port[@]}; i++))
do
netstat_telnet_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${telnet_port[$i]} " | wc -l`
netstat_telnet_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${telnet_port[$i]} " | wc -l`
if [ $netstat_telnet_count -gt 0 ]; then
echo "※ U-60 결과 : 취약(Vulnerable)" >> $resultfile 2>&1
echo " Telnet 서비스가 실행 중입니다." >> $resultfile 2>&1
@@ -2798,7 +2798,7 @@ U_60() {
ftp_port=(`grep -vE '^#|^\s#' /etc/services | awk 'tolower($1)=="ftp" {print $2}' | awk -F / 'tolower($2)=="tcp" {print $1}'`)
for ((i=0; i<${#ftp_port[@]}; i++))
do
netstat_ftp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${ftp_port[$i]} " | wc -l`
netstat_ftp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${ftp_port[$i]} " | wc -l`
if [ $netstat_ftp_count -gt 0 ]; then
echo "※ U-60 결과 : 취약(Vulnerable)" >> $resultfile 2>&1
echo " ftp 서비스가 실행 중입니다." >> $resultfile 2>&1
@@ -2818,7 +2818,7 @@ U_60() {
telnet_port=(`grep -vE '^#|^\s#' ${vsftpdconf_files[$i]} | grep 'listen_port' | awk -F = '{gsub(" ", "", $0); print $2}'`)
for ((j=0; j<${#telnet_port[@]}; j++))
do
if [ `netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${telnet_port[$j]} " | wc -l` -gt 0 ]; then
if [ `netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${telnet_port[$j]} " | wc -l` -gt 0 ]; then
echo "※ U-60 결과 : 취약(Vulnerable)" >> $resultfile 2>&1
echo " ftp 서비스가 실행 중입니다." >> $resultfile 2>&1
return 0
@@ -2838,7 +2838,7 @@ U_60() {
telnet_port=(`grep -vE '^#|^\s#' ${proftpdconf_files[$i]} | grep 'Port' | awk '{print $2}'`)
for ((j=0; j<${#telnet_port[@]}; j++))
do
if [ `netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${telnet_port[$j]} " | wc -l` -gt 0 ]; then
if [ `netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${telnet_port[$j]} " | wc -l` -gt 0 ]; then
echo "※ U-60 결과 : 취약(Vulnerable)" >> $resultfile 2>&1
echo " ftp 서비스가 실행 중입니다." >> $resultfile 2>&1
return 0
@@ -2870,7 +2870,7 @@ U_60() {
ssh_port=(`grep -vE '^#|^\s#' ${sshdconfig_files[$i]} | grep -i 'Port' | awk '{print $2}'`)
for ((j=0; j<${#ssh_port[@]}; j++))
do
netstat_ssh_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${ssh_port[$j]} " | wc -l`
netstat_ssh_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${ssh_port[$j]} " | wc -l`
if [ $netstat_ssh_count -eq 0 ]; then
echo "※ U-60 결과 : 취약(Vulnerable)" >> $resultfile 2>&1
echo " SSH 서비스가 비활성화 상태입니다." >> $resultfile 2>&1
@@ -2909,7 +2909,7 @@ U_61() {
ftp_port=(`grep -vE '^#|^\s#' /etc/services | awk 'tolower($1)=="ftp" {print $2}' | awk -F / 'tolower($2)=="tcp" {print $1}'`)
for ((i=0; i<${#ftp_port[@]}; i++))
do
netstat_ftp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${ftp_port[$i]} " | wc -l`
netstat_ftp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${ftp_port[$i]} " | wc -l`
if [ $netstat_ftp_count -gt 0 ]; then
echo "※ U-61 결과 : 취약(Vulnerable)" >> $resultfile 2>&1
echo " ftp 서비스가 실행 중입니다." >> $resultfile 2>&1
@@ -2929,7 +2929,7 @@ U_61() {
ftp_port=(`grep -vE '^#|^\s#' ${vsftpdconf_files[$i]} | grep 'listen_port' | awk -F = '{gsub(" ", "", $0); print $2}'`)
for ((j=0; j<${#ftp_port[@]}; j++))
do
netstat_ftp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${ftp_port[$j]} " | wc -l`
netstat_ftp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${ftp_port[$j]} " | wc -l`
if [ $netstat_ftp_count -gt 0 ]; then
echo "※ U-61 결과 : 취약(Vulnerable)" >> $resultfile 2>&1
echo " ftp 서비스가 실행 중입니다." >> $resultfile 2>&1
@@ -2951,7 +2951,7 @@ U_61() {
ftp_port=(`grep -vE '^#|^\s#' ${proftpdconf_files[$i]} | grep 'Port' | awk '{print $2}'`)
for ((j=0; j<${#ftp_port[@]}; j++))
do
netstat_ftp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${ftp_port[$j]} " | wc -l`
netstat_ftp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${ftp_port[$j]} " | wc -l`
if [ $netstat_ftp_count -gt 0 ]; then
echo "※ U-61 결과 : 취약(Vulnerable)" >> $resultfile 2>&1
echo " ftp 서비스가 실행 중입니다." >> $resultfile 2>&1
@@ -3056,7 +3056,7 @@ U_64() {
ftp_port=(`grep -vE '^#|^\s#' /etc/services | awk -F " " 'tolower($1)=="ftp" {print $2}' | awk -F / 'tolower($2)=="tcp" {print $1}'`)
for ((i=0; i<${#ftp_port[@]}; i++))
do
netstat_ftp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${ftp_port[$i]} " | wc -l`
netstat_ftp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${ftp_port[$i]} " | wc -l`
if [ $netstat_ftp_count -gt 0 ]; then
((ftp_running_count++))
for ((j=0; j<${#ftpusers_files[@]}; j++))
@@ -3284,7 +3284,7 @@ U_68() {
telnet_port=(`grep -vE '^#|^\s#' /etc/services | awk 'tolower($1)=="telnet" {print $2}' | awk -F / 'tolower($2)=="tcp" {print $1}'`)
for ((i=0; i<${#telnet_port[@]}; i++))
do
netstat_telnet_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${telnet_port[$i]} " | wc -l`
netstat_telnet_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${telnet_port[$i]} " | wc -l`
if [ $netstat_telnet_count -gt 0 ]; then
if [ -f /etc/issue.net ]; then
if [ `grep -vE '^ *#|^$' /etc/issue.net | wc -l` -eq 0 ]; then
@@ -3321,7 +3321,7 @@ U_68() {
ftp_port=(`grep -vE '^#|^\s#' /etc/services | awk 'tolower($1)=="ftp" {print $2}' | awk -F / 'tolower($2)=="tcp" {print $1}'`)
for ((i=0; i<${#ftp_port[@]}; i++))
do
netstat_ftp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${ftp_port[$i]} " | wc -l`
netstat_ftp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${ftp_port[$i]} " | wc -l`
if [ $netstat_ftp_count -gt 0 ]; then
ftpdconf_file_exists_count=0
if [ -f /etc/vsftpd.conf ]; then
@@ -3403,7 +3403,7 @@ U_68() {
smtp_port=(`grep -vE '^#|^\s#' /etc/services | awk 'tolower($1)=="smtp" {print $2}' | awk -F / 'tolower($2)=="tcp" {print $1}'`)
for ((i=0; i<${#smtp_port[@]}; i++))
do
netstat_smtp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${smtp_port[$i]} " | wc -l`
netstat_smtp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${smtp_port[$i]} " | wc -l`
if [ $netstat_smtp_count -gt 0 ]; then
find_sendmailcf_count=`find / -name 'sendmail.cf' -type f 2>/dev/null | wc -l`
if [ $find_sendmailcf_count -gt 0 ]; then
@@ -3509,7 +3509,7 @@ U_70() {
smtp_port=(`grep -vE '^#|^\s#' /etc/services | awk 'tolower($1)=="smtp" {print $2}' | awk -F / 'tolower($2)=="tcp" {print $1}'`)
for ((i=0; i<${#smtp_port[@]}; i++))
do
netstat_smtp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${smtp_port[$i]} " | wc -l`
netstat_smtp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${smtp_port[$i]} " | wc -l`
if [ $netstat_smtp_count -gt 0 ]; then
find_sendmailcf_count=`find / -name 'sendmail.cf' -type f 2>/dev/null | wc -l`
if [ $find_sendmailcf_count -gt 0 ]; then
@@ -3611,7 +3611,7 @@ echo "" > $resultfile 2>&1
echo " 점검일 : `date +'%F %H:%M:%S'`" >> $resultfile 2>&1
echo "##############################################################################" >> $resultfile 2>&1
echo "# #" >> $resultfile 2>&1
echo "# Ubuntu vulnerability assessment results Version 1.1.1 #" >> $resultfile 2>&1
echo "# Ubuntu vulnerability assessment results Version 1.1.3 #" >> $resultfile 2>&1
echo "# Copyright (c) 2023 Kim Jei #" >> $resultfile 2>&1
echo "# #" >> $resultfile 2>&1
echo "##############################################################################" >> $resultfile 2>&1
@@ -3621,73 +3621,73 @@ U_02
U_03
U_04
U_05
U_06
U_07
U_08
U_09
U_10
U_11
U_12
U_13
U_14
U_15
U_16
U_17
U_18
U_19
U_20
U_21
U_22
U_23
U_24
U_25
U_26
U_27
U_28
U_29
U_30
U_31
U_32
U_33
U_34
U_35
U_36
U_37
U_38
U_39
U_40
U_41
U_42
U_43
U_44
U_45
U_46
U_47
U_48
U_49
U_50
U_51
U_52
U_53
U_54
U_55
U_56
U_57
U_58
U_59
U_60
U_61
U_62
U_63
U_64
U_65
U_66
U_67
U_68
U_69
U_70
U_71
U_72
#U_06
#U_07
#U_08
#U_09
#U_10
#U_11
#U_12
#U_13
#U_14
#U_15
#U_16
#U_17
#U_18
#U_19
#U_20
#U_21
#U_22
#U_23
#U_24
#U_25
#U_26
#U_27
#U_28
#U_29
#U_30
#U_31
#U_32
#U_33
#U_34
#U_35
#U_36
#U_37
#U_38
#U_39
#U_40
#U_41
#U_42
#U_43
#U_44
#U_45
#U_46
#U_47
#U_48
#U_49
#U_50
#U_51
#U_52
#U_53
#U_54
#U_55
#U_56
#U_57
#U_58
#U_59
#U_60
#U_61
#U_62
#U_63
#U_64
#U_65
#U_66
#U_67
#U_68
#U_69
#U_70
#U_71
#U_72
echo "" >> $resultfile 2>&1
echo "================================ 진단 결과 요약 ================================" >> $resultfile 2>&1
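Review bot: The last hunk comments out U_06 through U_72, so only the checks before U_06 still run, while the banner still announces a full "Ubuntu vulnerability assessment" and the summary is still written. A report with a vulnerable count of 0 then reads as a clean host even though most checks were skipped; if this was a debugging shortcut, restore the calls, or at least write the list of skipped checks into `$resultfile`. Separately, in the new state filter `grep -Ei 'listen|established|syn_sent|syn_received'`, netstat prints `SYN_RECV`, so `syn_received` never matches, and `established`/`syn_sent` rows include outbound client connections whose foreign address ends in the same port. For deciding whether a local service is running (including U_60's `-eq 0` SSH test), counting only listeners on the local-address column is more reliable, e.g. `netstat -nlt 2>/dev/null | awk -v p=":${ssh_port[$j]}" '$4 ~ p"$"' | wc -l`. The U_xx function bodies start and end outside the hunks shown.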


@@ -1,5 +1,5 @@
---
- name: check status
- name: check status [1]
shell: |
grep -H '☆ 취약 개수 = [1-9]' *.txt | cut -d: -f1
args:
@@ -7,8 +7,22 @@
register: check_status
when: "'nas' in group_names"
- name: check status [2]
shell: |
grep -H '☆ 취약 개수 = [0]' *.txt | cut -d: -f1
args:
chdir: /volume1/platform/05_Security_check/
register: check_ok
when: "'nas' in group_names"
- debug:
msg: "취약점 {{ check_status.stdout_lines }} 발견"
msg: "취약점 {{ item }} 발견"
loop: "{{ check_status.stdout_lines }}"
when: "'nas' in group_names"
- debug:
msg: "취약점 {{ item }} 양호"
loop: "{{ check_ok.stdout_lines }}"
when: "'nas' in group_names"
- name: Create README.md
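Review bot: A report file with no `☆ 취약 개수 = ` line at all (for example when the assessment script aborted) matches neither `[1-9]` nor the new `[0]` pattern in `check status [2]`, so that host silently drops out of both lists instead of being flagged. Consider a third task using `grep -L '☆ 취약 개수 = ' *.txt` and reporting those files as not assessed. Both `shell` tasks are read-only, so `changed_when: false` would keep the play output accurate. The two unnamed `debug` tasks would also be easier to follow with a `name:`.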


@@ -1,5 +1,8 @@
|이름|상태 요약|상세 보기|
|---|---|---|
{% for filename in check_status.stdout_lines %}
|{{ filename|splitext|first }}|취약|http://10.10.43.42:8080/{{ filename }}|
| 이름 | IP | 상태 요약 | 상세 보기 |
| --- | --- | --- | --- |
{% for vulnerable in check_status.stdout_lines %}
| {{ vulnerable|splitext|first }} | {{ hostvars[vulnerable|splitext|first]['ansible_host'] }} | 취약 | http://10.10.43.42:8080/{{ vulnerable }} |
{% endfor %}
{% for good in check_ok.stdout_lines %}
| {{ good|splitext|first }} | {{ hostvars[vulnerable|splitext|first]['ansible_host'] }} | 양호 | http://10.10.43.42:8080/{{ good }} |
{% endfor %}
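Review bot: In the second loop the IP cell still reads `hostvars[vulnerable|splitext|first]['ansible_host']`, but the loop variable there is `good`; `vulnerable` is out of scope after the first `{% endfor %}`, so the row will most likely fail to render or carry the wrong address. It should be `{{ hostvars[good|splitext|first]['ansible_host'] }}`. The lookup also assumes every file stem is an inventory hostname, and the script change in this commit names reports `Results_<timestamp>.txt`, so confirm the files are renamed per host before this template runs. Alternatively, guard the row with `{% if (good|splitext|first) in hostvars %}`.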