Airflowscan – Checklist And Tools For Increasing Security Of Apache Airflow

Checklist and tools for increasing security of Apache Airflow.

DISCLAIMER
This project is NOT AFFILIATED with the Apache Foundation and the Airflow project, and is not endorsed by them.

Contents
The purpose of this project is to provide tools to increase the security of Apache Airflow installations. This project provides the following tools:
- Configuration file with hardened settings - see hardened_airflow.cfg.
- Security checklist for hardening default installations - see CHECKLIST.MD.
- Static analysis tool to check Airflow configuration files for insecure settings.
- JSON schema document used for validation by the static analysis tool - see airflow_cfg.schema

Information for the Static Analysis Tool (airflowscan)
The static analysis tool can check an Airflow configuration file for settings related to security. The tool converts the config file to JSON, and then uses a JSON Schema to do the validation.

Requirements
Python 3 is required and you can find all required modules in the requirements.txt file. Only tested on Python 3.7 but should work on other 3.x releases. No plans for 2.x support at this time.

Installation
You can install this via PIP as follows:
    pip install airflowscan
    airflowscan

To download and run manually, do the following:
    git clone https://github.com/nightwatchcybersecurity/airflowscan.git
    cd airflowscan
    pip install -r requirements.txt
    python -m airflowscan.cli

How to use
To scan a configuration file, run the following command:
    airflowscan scan some_airflow.cfg

Reporting bugs and feature requests
Please use the GitHub issue tracker to report issues or suggest features: https://github.com/nightwatchcybersecurity/airflowscan
You can also send email to research /at/ nightwatchcybersecurity [dot] com

Download Airflowscan
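The two-step approach described above (convert the INI-style config to JSON, then validate it against a schema) can be shown end to end with a small Python script. This is an added example, not code from the airflowscan project: the config samples are constructed, the option names are real Airflow 1.10 settings, but the rules in SCHEMA are this example's own hardening choices and stand in for the project's airflow_cfg.schema.

```python
import configparser
import json

# Constructed sample of an Airflow 1.x configuration with several weak settings
# (not the project's hardened_airflow.cfg; the keys are real Airflow 1.10 options).
SAMPLE_INSECURE = """
[core]
load_examples = True
secure_mode = False

[webserver]
authenticate = False
expose_config = True
web_server_ssl_cert =

[api]
auth_backend = airflow.api.auth.backend.default
"""

SAMPLE_HARDENED = """
[core]
load_examples = False
secure_mode = True

[webserver]
authenticate = True
expose_config = False
web_server_ssl_cert = /etc/airflow/ssl/server.crt

[api]
auth_backend = airflow.api.auth.backend.deny_all
"""

# Minimal schema in the spirit of JSON Schema: each key lists the accepted values
# ("enum") or a minimum length ("minLength"). These rules are this example's own.
SCHEMA = {
    "core": {
        "load_examples": {"enum": ["false"], "why": "example DAGs add unneeded code paths"},
        "secure_mode": {"enum": ["true"], "why": "secure_mode turns off the charts and ad-hoc query views"},
    },
    "webserver": {
        "authenticate": {"enum": ["true"], "why": "web UI must require login"},
        "expose_config": {"enum": ["false"], "why": "the config page can leak secrets"},
        "web_server_ssl_cert": {"minLength": 1, "why": "web UI should be served over TLS"},
    },
    "api": {
        "auth_backend": {"enum": ["airflow.api.auth.backend.deny_all",
                                  "airflow.api.auth.backend.kerberos_auth"],
                         "why": "the default API backend allows unauthenticated access"},
    },
}


def cfg_to_json(text):
    """Convert INI-style Airflow config text to a plain dict: {section: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return {section: dict(parser.items(section)) for section in parser.sections()}


def validate(config, schema):
    """Apply the schema to the converted config; return one finding dict per violation."""
    findings = []
    for section, keys in schema.items():
        for key, rule in keys.items():
            value = config.get(section, {}).get(key)
            if value is None:
                findings.append({"section": section, "key": key, "value": None,
                                 "problem": "missing", "why": rule["why"]})
                continue
            normalized = value.strip().lower()
            if "enum" in rule and normalized not in rule["enum"]:
                findings.append({"section": section, "key": key, "value": value,
                                 "problem": "not one of %s" % rule["enum"], "why": rule["why"]})
            if "minLength" in rule and len(normalized) < rule["minLength"]:
                findings.append({"section": section, "key": key, "value": value,
                                 "problem": "empty", "why": rule["why"]})
    return findings


def scan(text):
    """Full pipeline: INI text -> JSON-like dict -> schema validation -> findings."""
    return validate(cfg_to_json(text), SCHEMA)


if __name__ == "__main__":
    print(json.dumps(cfg_to_json(SAMPLE_INSECURE), indent=2))
    for f in scan(SAMPLE_INSECURE):
        print("[%s] %s = %r: %s (%s)" % (f["section"], f["key"], f["value"], f["problem"], f["why"]))
```

Keeping the conversion and the validation separate is what makes the approach extensible: new rules are added to the schema without touching the parser, and the same JSON document can be fed to any other schema validator.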

Link: http://feedproxy.google.com/~r/PentestTools/~3/9rsGerchFug/airflowscan-checklist-and-tools-for.html

grapheneX – Automated System Hardening Framework

grapheneX

In computing, hardening is usually the process of securing a system by reducing its surface of vulnerability, which is larger when a system performs more functions; in principle a single-function system is more secure than a multipurpose one. Reducing available ways of attack typically includes changing default passwords, the removal of unnecessary software, unnecessary usernames or logins, and the disabling or removal of unnecessary services.

Although current technology tries to design systems to be as safe as possible, security flaws and situations that can lead to vulnerabilities caused by careless use and missing configuration still exist. The user must be knowledgeable about the technical side of system architecture and should be aware of the importance of securing his/her system from vulnerabilities like this. Unfortunately, it's not possible for every ordinary user to know all the details about hardening and the necessary commands, and hardening remains a technical issue due to the difficulty of understanding operating system internals. Therefore there are hardening checklists available on the internet, such as trimstray/linux-hardening-checklist and the Windows Server Hardening Checklist, that contain various commands and rules for the specified operating system, providing a set of commands grouped by section and simplifying the concept for the end user. But still, the user must know the commands and apply the hardening manually depending on the system. That's where grapheneX comes into play.

The project name is derived from 'graphene'. Graphene is a one-atom-thick layer of carbon atoms arranged in a hexagonal lattice. In proportion to its thickness, it is about 100 times stronger than the strongest steel.

The grapheneX project aims to provide a framework for securing the system with hardening commands automatically. It's designed for the end user as well as Linux and Windows developers, thanks to its interface options (interactive shell/web interface). In addition to that, grapheneX can be used to secure a web server/application.

Hardening commands and the scopes of those commands are referred to as modules and namespaces in the project. They exist in the modules.json file after installation ($PYPATH/site-packages/graphenex/modules.json). Additionally, it's possible to add, edit or remove modules and namespaces. Also, the hardening operation can be automated with presets that contain a list of modules.

Currently, grapheneX supports the hardening sections below. Each of these namespaces contains more than one module.
- Firewall
- User
- Network
- Services
- Kernel
- Filesystem
- Other

Installation
You can install grapheneX with pip. Usually this is the easiest way:
    pip install graphenex
It's also possible to run setup.py for installation as follows:
    python setup.py install
The commands below can be used for testing the project without installation:
    cd grapheneX
    pipenv install
    pipenv run python -m graphenex

Dependencies
- Flask-SocketIO
- Flask
- coloredlogs
- terminaltables
- PyInquirer

Usage

Command Line Arguments
    usage: grapheneX [-h] [-v] [-w] [--open] [host:port]

    positional arguments:
      host:port      host and port to run the web interface

    optional arguments:
      -h, --help     show this help message and exit
      -v, --version  show version information
      -w, --web      run the grapheneX web server
      --open         open browser on web server start

Interactive Shell
Execute grapheneX.py in order to start the interactive shell.
The animated gifs and screenshots added for demonstration include the test execution of the unversioned grapheneX. Use the grapheneX or python -m graphenex command for the execution.
grapheneX currently supports Python 3.7.
Some of the project's functions (such as hardening) might not work without root access, so consider running grapheneX with sudo/administrative access.

Web Interface
Execute grapheneX.py with the -w or --web argument in order to start the web server.
The default host and port value is 0.0.0.0:8080. It can be changed via the host:port argument as shown below.
    python grapheneX.py -w 192.168.1.36:8090
Use the --open argument to open the browser after the server starts.
    python grapheneX.py -w --open

CLI Commands
    Command   Description
    back      Go back from namespace or module
    clear     Clear the terminal
    exit      Exit interactive shell
    harden    Execute the hardening command
    help      List available commands with "help" or show detailed help with "help [CMD]"
    info      Show information about the module
    list      List available hardening modules
    manage    Add, edit or delete module
    preset    Show/execute the hardening module presets
    search    Search for modules
    switch    Switch between modules or namespaces
    use       Use a hardening module
    web       Start the grapheneX web server

help
help or ? shows the commands list above.
help [CMD] shows the detailed usage of the given command.

list
Shows the available modules in a table.

switch
The switch command can be used to switch to a namespace or use a module. It's helpful if you want to see a list of modules in a namespace.
    switch [NAMESPACE]
Supports autocomplete for namespaces.
Also, using the switch command like this is possible:
    switch [NAMESPACE]/[MODULE]
It's the equivalent of the use command in this situation.

use
Serves the purpose of selecting a hardening module.
    use [MODULE]
Supports autocomplete for modules.

info
Shows information (namespace, description, OS command) about the selected module.

harden
Executes the hardening command of the selected module.

preset
grapheneX has presets that contain particular modules for automating the hardening operation. Presets can be customized with the modules.json file and they can contain any supported module. The preset command shows the available module presets and preset [PRESET] runs the hardening commands in a preset.
[Screenshots in the original post: an example preset command output, and a preset containing 2 modules being selected and its hardening modules executed.]
The preset command supports autocomplete for preset names. It also supports an option for asking permission before each hardening command execution so that the user knows what he/she is doing.

Adding module presets
Presets are stored in the presets element inside the modules.json file. This JSON file can be edited to update the presets.
    "presets": [
        {
            "name": "Preset_1",
            "modules": [
                "namespace1/Module_Name1",
                "namespace2/Module_Name2"
            ],
            "target_os": "linux/win"
        },
        {
            "name": "Preset_2",
            "modules": [
                "namespace/All"
            ],
            "target_os": "linux/win"
        }
    ]
namespace/All means every hardening command in that namespace will be executed.

search
    search [QUERY]

manage
The manage command allows you to add, edit or remove modules.

Adding modules with manage
Follow the instructions for adding a new module. Choose the 'new' option in the namespace prompt to create a new namespace.

Adding modules manually
grapheneX stores the modules and namespaces in the modules.json file. A new module will show up when a new element is created in this JSON file. An example element is given below.
    "namespace": [
        {
            "name": "Module_Name",
            "desc": "This is the module description.",
            "command": "echo 'hardening command'",
            "require_superuser": "True/False",
            "target_os": "linux/win"
        }
    ]
It's recommended to add modules from the CLI or the Web interface rather than editing the modules.json file.

Editing modules
Choose the edit option after the manage command to edit the module properties. Or edit modules.json manually.

Removing modules
Choosing the remove option in the manage menu is enough to remove the specified module. It's also possible to remove the module from modules.json manually.

web
Starts the grapheneX web server with the optional host:port argument.
    web [host:port]

back
Go back from the selected namespace or module.

clear
Clear the terminal.

exit
Exit the interactive shell.

Web
Most of the command line features are accessible through the Web interface.

Namespaces & Modules
It's easy to switch between namespaces and see details of modules.

Hardening
Just click run under the module properties to execute the hardening command.

Adding Modules
There's a menu available in the web interface for adding new modules.

Screenshots

TODO(s)
- Add new modules for Linux and Windows.

Download grapheneX
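Because modules.json is a list of shell commands that will be run as root, the file is worth validating and dry-running before anything is executed. The script below is an added example (not grapheneX code) that loads a catalog in the layout the README describes, checks that every module has the expected fields and every preset references known modules, expands "namespace/All", and produces the ordered list of commands a preset would run on a given OS. The catalog contents are constructed for the example; it assumes "target_os" is either "linux" or "win" per entry and that "require_superuser" is the string "True" or "False" as shown above.

```python
import json

# Constructed modules.json in the layout the README describes: one array of module
# objects per namespace, plus a "presets" array. Names and commands are made up here.
SAMPLE_MODULES_JSON = """
{
  "firewall": [
    {"name": "Enable_UFW", "desc": "Turn on the host firewall.",
     "command": "ufw --force enable", "require_superuser": "True", "target_os": "linux"},
    {"name": "Default_Deny_Incoming", "desc": "Drop unsolicited inbound traffic.",
     "command": "ufw default deny incoming", "require_superuser": "True", "target_os": "linux"},
    {"name": "Enable_Defender_Firewall", "desc": "Turn on Windows Defender Firewall.",
     "command": "netsh advfirewall set allprofiles state on", "require_superuser": "True", "target_os": "win"}
  ],
  "user": [
    {"name": "Password_Max_Days", "desc": "Expire passwords after 90 days.",
     "command": "sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/' /etc/login.defs",
     "require_superuser": "True", "target_os": "linux"}
  ],
  "presets": [
    {"name": "Preset_1", "modules": ["firewall/Enable_UFW", "user/Password_Max_Days"], "target_os": "linux"},
    {"name": "Preset_2", "modules": ["firewall/All"], "target_os": "linux"}
  ]
}
"""

REQUIRED_FIELDS = ("name", "desc", "command", "require_superuser", "target_os")


def load_catalog(text):
    return json.loads(text)


def validate_catalog(catalog):
    """Return a list of problems with the catalog; an empty list means it is well-formed."""
    problems = []
    known = set()
    for namespace, modules in catalog.items():
        if namespace == "presets":
            continue
        for module in modules:
            missing = [f for f in REQUIRED_FIELDS if f not in module]
            if missing:
                problems.append(f"{namespace}/{module.get('name', '?')}: missing {', '.join(missing)}")
            if "name" in module:
                known.add(f"{namespace}/{module['name']}")
    for preset in catalog.get("presets", []):
        for ref in preset["modules"]:
            namespace, _, name = ref.partition("/")
            if namespace == "presets" or namespace not in catalog:
                problems.append(f"preset {preset['name']}: unknown namespace {namespace}")
            elif name != "All" and ref not in known:
                problems.append(f"preset {preset['name']}: unknown module {ref}")
    return problems


def resolve_preset(catalog, preset_name, target_os):
    """Expand a preset into (namespace, module) pairs for target_os ("linux" or "win").
    "namespace/All" expands to every module of that namespace that targets the OS."""
    preset = next(p for p in catalog["presets"] if p["name"] == preset_name)
    selected = []
    for ref in preset["modules"]:
        namespace, _, name = ref.partition("/")
        for module in catalog[namespace]:
            if module["target_os"] != target_os:
                continue
            if name == "All" or module["name"] == name:
                selected.append((namespace, module))
    return selected


def plan_preset(catalog, preset_name, target_os):
    """Dry run: the commands a preset would execute, in order, with their privilege needs.
    Nothing is executed here; this is the review step before confirming each command."""
    return [{"module": f"{ns}/{m['name']}",
             "command": m["command"],
             "needs_root": str(m["require_superuser"]).lower() == "true"}
            for ns, m in resolve_preset(catalog, preset_name, target_os)]


if __name__ == "__main__":
    catalog = load_catalog(SAMPLE_MODULES_JSON)
    for problem in validate_catalog(catalog):
        print("problem:", problem)
    for step in plan_preset(catalog, "Preset_2", "linux"):
        print(("[root] " if step["needs_root"] else "       ") + step["module"] + ": " + step["command"])
```

Printing the plan first mirrors the "ask permission between each command" option: the operator sees exactly which commands a preset expands to (including everything hidden behind namespace/All) before any of them touches the system.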

Link: http://www.kitploit.com/2019/07/graphenex-automated-system-hardening.html

JShielder v2.4 – Hardening Script For Linux Servers/ Secure LAMP-LEMP Deployer/ CIS Benchmark G

JShielder is an Open Source Bash Script developed to help SysAdmins and developers secure their Linux Servers on which they will be deploying any web application or services. This tool automates the process of installing all the necessary packages to host a web application and hardening a Linux server with little interaction from the user. The newly added script follows CIS Benchmark Guidance to establish a secure configuration posture for Linux systems.

This tool is a Bash Script that hardens the Linux Server security automatically, and the steps followed are:
- Configures a Hostname
- Reconfigures the Timezone
- Updates the entire System
- Creates a New Admin user so you can manage your server safely without the need of doing remote connections with root.
- Helps the user generate secure RSA Keys, so that remote access to your server is done exclusively from your local PC and with no conventional password
- Configures, optimizes and secures the SSH Server (some settings following CIS Benchmark)
- Configures IPTABLES rules to protect the server from common attacks
- Disables unused FileSystems and Network protocols
- Protects the server against Brute Force attacks by installing and configuring fail2ban
- Installs and configures Artillery as a Honeypot, Monitoring, Blocking and Alerting tool
- Installs PortSentry
- Installs, configures, and optimizes MySQL
- Installs the Apache Web Server
- Installs, configures and secures PHP
- Secures Apache via configuration file and with installation of the modules ModSecurity, ModEvasive, Qos and SpamHaus
- Secures NginX with the installation of the ModSecurity NginX module
- Installs RootKit Hunter
- Secures Root Home and Grub Configuration Files
- Installs Unhide to help detect malicious hidden processes
- Installs Tiger, a Security Auditing and Intrusion Prevention system
- Restricts access to Apache config files
- Disables compilers
- Creates a daily cron job for system updates
- Kernel hardening via sysctl configuration file (tweaked)
- /tmp directory hardening
- PSAD IDS installation
- Enables process accounting
- Enables unattended upgrades
- MOTD and banners for unauthorized access
- Disables USB support for improved security (optional)
- Configures a restrictive default UMASK
- Configures and enables Auditd
- Configures Auditd rules following CIS Benchmark
- Sysstat install
- ArpWatch install
- Additional hardening steps following CIS Benchmark
- Secures Cron
- Automates the process of setting a GRUB Bootloader password
- Secures boot settings
- Sets secure file permissions for critical system files

NEW!!
- LEMP deployment with ModSecurity
- CIS Benchmark JShielder script added

Separate Hardening Script Following CIS Benchmark Guidance: https://www.cisecurity.org/benchmark/ubuntu_linux/

To run the tool
    ./jshielder.sh
As the Root user

Issues
Having problems? Please open a new Issue for JShielder on GitHub.

Distro Availability
- Ubuntu Server 16.04 LTS
- Ubuntu Server 18.04 LTS

ChangeLog
- v2.4 Added LEMP Deployment with ModSecurity
- v2.3 More hardening steps following some CIS Benchmark items for LAMP Deployer
- v2.2.1 Removed suhosin installation on Ubuntu 16.04, fixed MySQL configuration, GRUB Bootloader setup function, server IP now obtained via ip route to not rely on interface naming
- v2.2 Added new hardening option following CIS Benchmark Guidance
- v2.1 Hardened SSH configuration, tweaked kernel security config, fixed iptables rules not loading on boot. Added auditd, sysstat, arpwatch install.
- v2.0 More deployment options, selection menu, PHP Suhosin installation, cleaner code
- v1.0 - New Code

Developed by Jason Soto
https://www.jasonsoto.com
https://github.com/jsitech
Twitter = @JsiTech

Download JShielder

Link: http://feedproxy.google.com/~r/PentestTools/~3/Be1UlUqJu1E/jshielder-v24-hardening-script-for.html

Lynis 2.7.5 – Security Auditing Tool for Unix/Linux Systems

We are excited to announce this major release of the auditing tool Lynis. Several big changes have been made to core functions of Lynis. These changes are the next in the series of simplification improvements we made. There is a risk of breaking your existing configuration.

Lynis is an open source security auditing tool. It is used by system administrators, security professionals, and auditors to evaluate the security defenses of their Linux and UNIX-based systems. It runs on the host itself, so it performs more extensive security scans than vulnerability scanners.

Supported operating systems
The tool has almost no dependencies, therefore it runs on almost all Unix-based systems and versions, including:
- AIX
- FreeBSD
- HP-UX
- Linux
- Mac OS
- NetBSD
- OpenBSD
- Solaris
- and others
It even runs on systems like the Raspberry Pi and several storage devices!

Installation optional
Lynis is light-weight and easy to use. Installation is optional: just copy it to a system, and use "./lynis audit system" to start the security scan. It is written in shell script and released as open source software (GPL).

How it works
Lynis performs hundreds of individual tests to determine the security state of the system. The security scan itself consists of performing a set of steps, from initialization of the program up to the report.

Steps
1. Determine operating system
2. Search for available tools and utilities
3. Check for Lynis update
4. Run tests from enabled plugins
5. Run security tests per category
6. Report status of security scan
Besides the data displayed on the screen, all technical details about the scan are stored in a log file. Any findings (warnings, suggestions, data collection) are stored in a report file.

Opportunistic Scanning
Lynis scanning is opportunistic: it uses what it can find. For example, if it sees you are running Apache, it will perform an initial round of Apache related tests. When during the Apache scan it also discovers an SSL/TLS configuration, it will perform additional auditing steps on that. While doing that, it will collect discovered certificates so they can be scanned later as well.

In-depth security scans
By performing opportunistic scanning, the tool can run with almost no dependencies. The more it finds, the deeper the audit will be. In other words, Lynis will always perform scans which are customized to your system. No audit will be the same!

Use cases
Since Lynis is flexible, it is used for several different purposes. Typical use cases for Lynis include:
- Security auditing
- Compliance testing (e.g. PCI, HIPAA, SOx)
- Vulnerability detection and scanning
- System hardening

Resources used for testing
Many other tools use the same data files for performing tests. Since Lynis is not limited to a few common Linux distributions, it uses tests from standards and many custom ones not found in any other tool.
- Best practices
- CIS
- NIST
- NSA
- OpenSCAP data
- Vendor guides and recommendations (e.g. Debian, Gentoo, Red Hat)

Lynis Plugins
Plugins enable the tool to perform additional tests. They can be seen as an extension (or add-on) to Lynis, enhancing its functionality. One example is the compliance checking plugin, which performs specific tests only applicable to some standard.

Changelog
Upgrade note

## Lynis 2.7.5 (2019-06-24)

### Added
- Danish translation
- Slackware end-of-life information
- Detect BSD-style (rc.d) init in Linux systems
- Detection of Bro and Suricata (IDS)

### Changed
- Corrected end-of-life entries for CentOS 5 and 6
- AUTH-9204 - change name to check in /etc/passwd file for QNAP devices
- AUTH-9268 - AIX enhancement to use correct find statement
- FILE-6310 - Filter on correct field for AIX
- NETW-3012 - set ss command as preferred option for Linux and changed output format
- List of PHP ini file locations has been extended
- Removed several pieces of the code as part of cleanup and code health
- Extended help

Download Lynis 2.7.5
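The "Steps" and "Opportunistic Scanning" passages describe a control flow rather than a specific command: tests are grouped by category, each test runs only if its prerequisite was found, findings go to a report while details go to a log, and what one category discovers (Apache found, then a TLS config, then certificates) feeds later categories. The Python below is an added re-creation of that flow for illustration; it is not Lynis code, the test IDs (EX-...) are made up, and the host is a constructed dict of paths and file contents so it runs offline.

```python
# Constructed stand-in for a host: path -> file contents (an empty string is enough for "exists").
FAKE_HOST = {
    "/usr/sbin/apache2": "",
    "/etc/apache2/sites-enabled/default-ssl.conf":
        "SSLEngine on\nSSLProtocol all -SSLv2\nSSLCertificateFile /etc/ssl/certs/site.pem\n",
    "/etc/ssl/certs/site.pem": "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
    "/etc/ssh/sshd_config": "Port 22\nPermitRootLogin yes\n",
}


class Scanner:
    """Runs registered tests per category, skipping those whose prerequisite was not found."""

    def __init__(self, host):
        self.host = host
        self.log = []                                                   # technical details ("log file")
        self.report = {"warnings": [], "suggestions": [], "data": {}}   # findings ("report file")
        self.tests = []                                                 # (category, id, requires, func)

    def exists(self, path):
        return path in self.host

    def read(self, path):
        return self.host[path]

    def test(self, category, test_id, requires=None):
        def register(func):
            self.tests.append((category, test_id, requires, func))
            return func
        return register

    def run(self):
        for category, test_id, requires, func in self.tests:   # registration order = category order
            if requires is not None and not requires(self):
                self.log.append(f"[{category}] {test_id}: skipped, prerequisite not found")
                continue
            self.log.append(f"[{category}] {test_id}: running")
            func(self)
        return self.report


def build_scanner(host):
    s = Scanner(host)

    @s.test("tools", "EX-TOOL-1")                       # step 2: find available tools
    def find_apache(s):
        s.report["data"]["apache"] = s.exists("/usr/sbin/apache2")

    @s.test("webserver", "EX-HTTP-1", requires=lambda s: s.report["data"].get("apache"))
    def apache_tls(s):                                   # only runs because Apache was found
        conf = "/etc/apache2/sites-enabled/default-ssl.conf"
        if not s.exists(conf):
            return
        s.report["data"]["tls_config"] = conf
        certs = []
        for line in s.read(conf).splitlines():
            key, _, value = line.partition(" ")
            if key == "SSLProtocol" and "-SSLv3" not in value and "TLSv" not in value:
                s.report["warnings"].append(("EX-HTTP-1", f"{conf}: SSLv3 not disabled"))
            if key == "SSLCertificateFile":
                certs.append(value.strip())
        s.report["data"]["certificates"] = certs         # collected for a later category

    @s.test("crypto", "EX-CRYP-1", requires=lambda s: s.report["data"].get("certificates"))
    def certificates(s):                                 # consumes what the TLS test discovered
        for path in s.report["data"]["certificates"]:
            if s.exists(path) and "BEGIN CERTIFICATE" in s.read(path):
                s.report["suggestions"].append(("EX-CRYP-1", f"check expiry of {path}"))

    @s.test("ssh", "EX-SSH-1", requires=lambda s: s.exists("/etc/ssh/sshd_config"))
    def ssh_root_login(s):
        for line in s.read("/etc/ssh/sshd_config").splitlines():
            if line.split()[:2] == ["PermitRootLogin", "yes"]:
                s.report["warnings"].append(("EX-SSH-1", "PermitRootLogin yes in sshd_config"))
    return s


def run_scan(host):
    """Return (report, log) for a host; the report holds findings, the log the skipped/ran trail."""
    scanner = build_scanner(host)
    report = scanner.run()
    return report, scanner.log


if __name__ == "__main__":
    report, log = run_scan(FAKE_HOST)
    print("\n".join(log))
    print(report)
```

The point of the `requires` hook is that an absent tool costs nothing: no Apache means the TLS and certificate tests never run and the log records why, which is what lets the same scanner run on a minimal appliance and a full web host without a dependency list.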

Link: http://feedproxy.google.com/~r/PentestTools/~3/gBCubq1rp1w/lynis-275-security-auditing-tool-for.html

Sniffglue – Secure Multithreaded Packet Sniffer

sniffglue is a network sniffer written in Rust. Network packets are parsed concurrently using a thread pool to utilize all CPU cores. Project goals are that you can run sniffglue securely on untrusted networks and that it must not crash when processing packets. The output should be as useful as possible by default.

Usage
    sniffglue enp0s25

Installation
There is an official package available for Arch Linux:
    pacman -S sniffglue
To build from source, make sure you have libpcap and libseccomp installed (Debian/Ubuntu: libpcap-dev libseccomp-dev; Arch Linux: libpcap libseccomp).
    cargo install sniffglue

Protocols
- ethernet
- ipv4
- ipv6
- arp
- tcp
- udp
- icmp
- http
- tls
- dns
- dhcp
- cjdns eth beacons
- ssdp
- dropbox beacons
- 802.11

Docker
You can build sniffglue as a docker image to debug container setups. The image is currently about 11.1MB. It is recommended to push it to your own registry.
    docker build -t sniffglue .
    docker run -it --init --rm --net=host sniffglue eth0

Security
To report a security issue please contact kpcyrd on ircs://irc.hackint.org.

Seccomp
To ensure a compromised process doesn't compromise the system, sniffglue uses seccomp to restrict the syscalls that can be used after the process started. This is done in two stages: first at the very beginning (directly after env_logger is initialized) and once after the sniffer has been set up, but before packets are read from the network.

Hardening
During the second stage, some general hardening is also applied before all unneeded syscalls are finally disabled. Those steps are system specific, so a configuration file is read from /etc/sniffglue.conf. This config file specifies an empty directory for chroot and an unprivileged account in user that is used to drop root privileges.

boxxy-rs
This project includes a small boxxy-rs based shell that can be used to explore the sandbox at various stages during and after initialization. This is also used by travis to ensure the sandbox actually blocks syscalls.
    cargo run --example boxxy

Reproducible builds
This project is tested using reprotest. Currently the following variations are excluded:
- time - needed because the crates.io cert expires in the future
- domain_host - requires root for unshare(2) and has been excluded
Don't forget to install the build dependencies.
    ci/reprotest.sh

Fuzzing
The packet processing of sniffglue can be fuzzed using cargo-fuzz. Everything you should need is provided in the fuzz/ directory that is distributed along with its source code. Please note that this program links to libpcap which is not included in the current fuzzing configuration.
    cargo fuzz run read_packet

Download Sniffglue
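The "Hardening" stage above relies on two operator-supplied values, an empty chroot directory and an unprivileged user, and a mistake in either (a non-empty directory, a directory the target user can write to, uid 0) silently weakens the sandbox. The Python below is an added illustration of the checks and the ordering that matter when implementing that stage; it is not sniffglue code (sniffglue is Rust and additionally applies seccomp filters, which this example does not), and the uid/gid 65534 used in the demo is a constructed value.

```python
import os
import stat
import tempfile


def check_sandbox_config(chroot_dir, uid, gid):
    """Sanity checks for a chroot-plus-privilege-drop configuration before using it.
    Returns a list of problems; an empty list means the config is usable."""
    problems = []
    if uid == 0 or gid == 0:
        problems.append("target uid/gid must be unprivileged (not 0)")
    try:
        st = os.stat(chroot_dir)
    except FileNotFoundError:
        return problems + [f"chroot directory {chroot_dir} does not exist"]
    if not stat.S_ISDIR(st.st_mode):
        return problems + [f"{chroot_dir} is not a directory"]
    if os.listdir(chroot_dir):
        problems.append("chroot directory is not empty (no binaries or devices should be reachable)")
    if st.st_uid == uid:
        problems.append("chroot directory is owned by the unprivileged user (it could place files there)")
    if st.st_mode & stat.S_IWOTH:
        problems.append("chroot directory is world-writable")
    return problems


def verify_unprivileged():
    """After dropping privileges, regaining root must fail."""
    try:
        os.setuid(0)
    except PermissionError:
        return True
    raise RuntimeError("privilege drop failed: process can still become root")


def enter_sandbox(chroot_dir, uid, gid):
    """Second-stage hardening: chroot into an empty directory, then drop root. Requires root."""
    problems = check_sandbox_config(chroot_dir, uid, gid)
    if problems:
        raise RuntimeError("; ".join(problems))
    os.chroot(chroot_dir)
    os.chdir("/")            # otherwise the cwd still points outside the new root
    os.setgroups([])         # supplementary groups first, while still root
    os.setgid(gid)           # gid before uid: after setuid, setgid would be refused
    os.setuid(uid)
    return verify_unprivileged()


def demo():
    """Exercise the checks without root: an empty temp dir passes, a non-empty one and uid 0 fail."""
    with tempfile.TemporaryDirectory() as empty, tempfile.TemporaryDirectory() as busy:
        with open(os.path.join(busy, "sh"), "w") as f:
            f.write("#!/bin/sh\n")
        return {
            "good": check_sandbox_config(empty, 65534, 65534),
            "not_empty": check_sandbox_config(busy, 65534, 65534),
            "root_target": check_sandbox_config(empty, 0, 0),
        }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", problems or "ok")
```

The order in `enter_sandbox` is the part people get wrong: chroot must happen while still root, `chdir("/")` must follow it, supplementary groups must be cleared before the uid changes, and the final `setuid(0)` probe confirms the drop actually took effect rather than assuming it did.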

Link: http://feedproxy.google.com/~r/PentestTools/~3/MRP1DzlWgw4/sniffglue-secure-multithreaded-packet.html

H2T – Scans A Website And Suggests Security Headers To Apply

h2t is a simple tool to help sysadmins harden their websites. For now, h2t checks the website headers and recommends how to make them better.

Dependencies
- Python 3
- colorama
- requests

Install
    $ git clone https://github.com/gildasio/h2t
    $ cd h2t
    $ pip install -r requirements.txt
    $ ./h2t.py -h

Usage
h2t has subcommands: list and scan.
    $ ./h2t.py -h
    usage: h2t.py [-h] {list,l,scan,s} ...

    h2t - HTTP Hardening Tool

    positional arguments:
      {list,l,scan,s}  sub-command help
        list (l)       show a list of available headers in h2t catalog (that can be used in scan subcommand -H option)
        scan (s)       scan url to hardening headers

    optional arguments:
      -h, --help       show this help message and exit

List Subcommand
The list subcommand lists all headers cataloged in h2t and can show information about them such as a description, links for more information and how-to's.
    $ ./h2t.py list -h
    usage: h2t.py list [-h] [-p PRINT [PRINT ...]] [-B] [-a | -H HEADERS [HEADERS ...]]

    optional arguments:
      -h, --help            show this help message and exit
      -p PRINT [PRINT ...], --print PRINT [PRINT ...]
                            a list of additional information about the headers to print. For now there are two options: description and refs (you can use either or both)
      -B, --no-banner       don't print the h2t banner
      -a, --all             list all available headers [default]
      -H HEADERS [HEADERS ...], --headers HEADERS [HEADERS ...]
                            a list of headers to look for in the h2t catalog

Scan Subcommand
The scan subcommand performs a scan of a website looking for its headers.
    $ ./h2t.py scan -h
    usage: h2t.py scan [-h] [-v] [-a] [-g] [-b] [-H HEADERS [HEADERS ...]] [-p PRINT [PRINT ...]] [-i IGNORE_HEADERS [IGNORE_HEADERS ...]] [-B] [-E] [-n] [-u USER_AGENT] [-r | -s] url

    positional arguments:
      url                   url to look for

    optional arguments:
      -h, --help            show this help message and exit
      -v, --verbose         increase output verbosity: -v print response headers, -vv print response and request headers
      -a, --all             scan all cataloged headers [default]
      -g, --good            scan good headers only
      -b, --bad             scan bad headers only
      -H HEADERS [HEADERS ...], --headers HEADERS [HEADERS ...]
                            scan only these headers (see available in list sub-command)
      -p PRINT [PRINT ...], --print PRINT [PRINT ...]
                            a list of additional information about the headers to print. For now there are two options: description and refs (you can use either or both)
      -i IGNORE_HEADERS [IGNORE_HEADERS ...], --ignore-headers IGNORE_HEADERS [IGNORE_HEADERS ...]
                            a list of headers to ignore in the results
      -B, --no-banner       don't print the h2t banner
      -E, --no-explanation  don't print the h2t output explanation
      -o {normal,csv,json}, --output {normal,csv,json}
                            choose which output format to use (available: normal, csv, json)
      -n, --no-redirect     don't follow http redirects
      -u USER_AGENT, --user-agent USER_AGENT
                            set user agent to scan request
      -k, --insecure        don't verify SSL certificate as valid
      -r, --recommendation  output only recommendations [default]
      -s, --status          output actual status (eg: existent headers only)

Output
For now the output is only in normal mode. Understand it as follows:
[+] Red headers are bad headers that open a breach on your website or maybe show a lot of information. We recommend fixing them.
[+] Yellow headers are good headers that are not applied on your website. We recommend applying them.
[-] Green headers are good headers that are already used on your website. They are shown when the -s flag is used.

Example:
    Cookie HTTP Only would be good to be applied
    Cookie over SSL/TLS would be good to be applied
    Server header would be good to be removed
    Referrer-Policy would be good to be applied
    X-Frame-Options is already in use, nothing to do here
    X-XSS-Protection is already in use, nothing to do here

Screenshots
- List h2t catalog
- Scan from file
- Scan url
- Scan verbose
- Headers information

Download H2T
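The red/yellow/green legend above is a small classification over a header catalog plus per-cookie attribute checks. The Python below is an added example of that logic applied to a constructed response; it is not h2t's code, its CATALOG is a short list chosen for the example rather than h2t's catalog, and it works on an already-captured header list so it runs offline (h2t itself fetches the URL with requests).

```python
# Catalog: "good" headers should be present, "bad" ones should be absent.
# This short list is the example's own; h2t maintains its own larger catalog.
CATALOG = {
    "strict-transport-security": ("good", "Strict-Transport-Security"),
    "content-security-policy": ("good", "Content-Security-Policy"),
    "x-content-type-options": ("good", "X-Content-Type-Options"),
    "x-frame-options": ("good", "X-Frame-Options"),
    "x-xss-protection": ("good", "X-XSS-Protection"),
    "referrer-policy": ("good", "Referrer-Policy"),
    "server": ("bad", "Server"),
    "x-powered-by": ("bad", "X-Powered-By"),
}

# Constructed response headers as (name, value) pairs, so repeated Set-Cookie lines survive.
SAMPLE_RESPONSE = [
    ("Server", "nginx/1.14.0"),
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/; HttpOnly; Secure"),
    ("X-Frame-Options", "DENY"),
    ("X-XSS-Protection", "1; mode=block"),
]


def cookie_attributes(set_cookie_value):
    """Split 'name=value; Attr; Attr=x' into (cookie name, {lowercased attribute names})."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit_headers(raw_headers):
    """Classify like the h2t legend: red = bad header present, yellow = good header missing,
    green = good header already in use. Returns (colour, subject, advice) triples."""
    present = {name.lower() for name, _ in raw_headers}
    findings = []
    for key, (kind, display) in CATALOG.items():
        if kind == "good":
            if key in present:
                findings.append(("green", display, "is already in use, nothing to do here"))
            else:
                findings.append(("yellow", display, "would be good to be applied"))
        elif key in present:
            findings.append(("red", display + " header", "would be good to be removed"))
    for name, value in raw_headers:
        if name.lower() == "set-cookie":          # per-cookie flags, not a single header check
            cookie, attrs = cookie_attributes(value)
            if "httponly" not in attrs:
                findings.append(("yellow", f"Cookie HTTP Only ({cookie})", "would be good to be applied"))
            if "secure" not in attrs:
                findings.append(("yellow", f"Cookie over SSL/TLS ({cookie})", "would be good to be applied"))
    return findings


def recommendations(raw_headers):
    """The default (-r) view: only red and yellow lines."""
    return [f"{subject} {advice}" for colour, subject, advice in audit_headers(raw_headers)
            if colour != "green"]


def status(raw_headers):
    """The -s view: what is already in place (green lines)."""
    return [f"{subject} {advice}" for colour, subject, advice in audit_headers(raw_headers)
            if colour == "green"]


if __name__ == "__main__":
    for line in recommendations(SAMPLE_RESPONSE) + status(SAMPLE_RESPONSE):
        print(line)
```

Keeping the headers as a list of pairs rather than a dict matters for the cookie checks: a site commonly sets several cookies in one response, and a dict would keep only the last Set-Cookie and hide the others from the HttpOnly/Secure review.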

Link: http://feedproxy.google.com/~r/PentestTools/~3/LaZLa7zlv9k/h2t-scans-website-and-suggests-security.html

Lynis 2.7.3 – Security Auditing Tool for Unix/Linux Systems

Changelog
Upgrade note

## Lynis 2.7.3 (2019-03-21)

### Added
- Detection for Lynis being scheduled (e.g. cronjob)

### Changed
- HTTP-6624 - Improved logging for test
- KRNL-5820 - Changed color for default fs.suid_dumpable value
- LOGG-2154 - Adjusted test to search in configuration file correctly
- NETW-3015 - Added support for ip binary
- SQD-3610 - Description of test changed
- SQD-3613 - Corrected description in code
- SSH-7408 - Increased values for MaxAuthRetries
- Improvements to allow tailored tool tips in future
- Corrected detection of blkid binary
- Minor textual changes and cleanups

Download Lynis 2.7.2

Link: http://feedproxy.google.com/~r/PentestTools/~3/SfDf5sliFYA/lynis-273-security-auditing-tool-for.html

Hayat – Auditing & Hardening Script For Google Cloud Platform

Hayat is an auditing & hardening script for Google Cloud Platform services such as:
- Identity & Access Management
- Networking
- Virtual Machines
- Storage
- Cloud SQL Instances
- Kubernetes Clusters
for now.

Identity & Access Management
- Ensure that corporate login credentials are used instead of Gmail accounts.
- Ensure that there are only GCP-managed service account keys for each service account.
- Ensure that ServiceAccount has no Admin privileges.
- Ensure that IAM users are not assigned Service Account User role at project level.

Networking
- Ensure the default network does not exist in a project.
- Ensure legacy networks do not exist for a project.
- Ensure that DNSSEC is enabled for Cloud DNS.
- Ensure that RSASHA1 is not used for key-signing key in Cloud DNS DNSSEC.
- Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS DNSSEC.
- Ensure that RDP access is restricted from the Internet.
- Ensure Private Google Access is enabled for all subnetworks in VPC Network.
- Ensure VPC Flow logs are enabled for every subnet in VPC Network.

Virtual Machines
- Ensure that instances are not configured to use the default service account with full access to all Cloud APIs.
- Ensure "Block Project-wide SSH keys" is enabled for VM instances.
- Ensure oslogin is enabled for a Project.
- Ensure 'Enable connecting to serial ports' is not enabled for VM Instance.
- Ensure that IP forwarding is not enabled on Instances.

Storage
- Ensure that Cloud Storage bucket is not anonymously or publicly accessible.
- Ensure that logging is enabled for Cloud storage bucket.

Cloud SQL Database Services
- Ensure that Cloud SQL database instance requires all incoming connections to use SSL.
- Ensure that Cloud SQL database Instances are not open to the world.
- Ensure that MySQL database instance does not allow anyone to connect with administrative privileges.
- Ensure that MySQL Database Instance does not allow root login from any host.

Kubernetes Engine
- Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters.
- Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters.
- Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters.
- Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters.
- Ensure Kubernetes Clusters are configured with Labels.
- Ensure Kubernetes web UI / Dashboard is disabled.
- Ensure Automatic node repair is enabled for Kubernetes Clusters.
- Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes.

Requirements
Hayat has been written in bash script using gcloud and it's compatible with Linux and OSX.

Usage
    git clone https://github.com/DenizParlak/Hayat.git && cd Hayat && chmod +x hayat.sh && ./hayat.sh
You can use it with specific functions, e.g. if you want to scan just the Kubernetes Cluster:
    ./hayat.sh --only-kubernetes

Screenshots

Download Hayat
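Each "Ensure ..." item above is a predicate over resource metadata that gcloud can emit as JSON. As an added example (not Hayat's code, which is a bash script driving gcloud), the Python below evaluates a handful of the listed checks against a constructed inventory: RDP open to the Internet, Cloud SQL requiring SSL and not being open to the world, publicly accessible buckets, and the GKE legacy authorization, logging, master authorized networks and dashboard settings. The field names follow the Compute, Cloud SQL Admin and GKE APIs as this example's author understands them; treat them as assumptions to confirm against your own `--format=json` output.

```python
import json

# Constructed inventory shaped like `gcloud ... --format=json` output (field names are assumptions).
INVENTORY = json.loads("""
{
  "firewalls": [
    {"name": "allow-rdp", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "allow-internal", "direction": "INGRESS", "sourceRanges": ["10.0.0.0/8"],
     "allowed": [{"IPProtocol": "all"}]}
  ],
  "sql_instances": [
    {"name": "prod-db", "settings": {"ipConfiguration": {"requireSsl": false,
      "authorizedNetworks": [{"value": "0.0.0.0/0"}]}}}
  ],
  "bucket_policies": {
    "public-assets": {"bindings": [{"role": "roles/storage.objectViewer", "members": ["allUsers"]}]},
    "private-data": {"bindings": [{"role": "roles/storage.admin", "members": ["user:admin@example.com"]}]}
  },
  "gke_clusters": [
    {"name": "prod", "legacyAbac": {"enabled": true}, "loggingService": "none",
     "masterAuthorizedNetworksConfig": {"enabled": false},
     "addonsConfig": {"kubernetesDashboard": {"disabled": false}}}
  ]
}
""")


def rule_opens_port(rule, port):
    """True if an INGRESS rule allows TCP to `port` (port ranges and 'all' are handled)."""
    if rule.get("direction", "INGRESS") != "INGRESS":
        return False
    for allowed in rule.get("allowed", []):
        if allowed.get("IPProtocol") not in ("tcp", "all"):
            continue
        ports = allowed.get("ports")
        if not ports:                      # no port list means every port
            return True
        for spec in ports:
            low, _, high = str(spec).partition("-")
            if int(low) <= port <= int(high or low):
                return True
    return False


def check_rdp_from_internet(firewalls):
    return [("rdp-open-to-internet", fw["name"]) for fw in firewalls
            if "0.0.0.0/0" in fw.get("sourceRanges", []) and rule_opens_port(fw, 3389)]


def check_sql(instances):
    findings = []
    for inst in instances:
        ipcfg = inst.get("settings", {}).get("ipConfiguration", {})
        if not ipcfg.get("requireSsl", False):
            findings.append(("sql-ssl-not-required", inst["name"]))
        if any(n.get("value") == "0.0.0.0/0" for n in ipcfg.get("authorizedNetworks", [])):
            findings.append(("sql-open-to-world", inst["name"]))
    return findings


def check_buckets(policies):
    public = {"allUsers", "allAuthenticatedUsers"}
    return [("bucket-public", bucket) for bucket, policy in policies.items()
            if any(public & set(b.get("members", [])) for b in policy.get("bindings", []))]


def check_gke(clusters):
    findings = []
    for c in clusters:
        if c.get("legacyAbac", {}).get("enabled"):
            findings.append(("gke-legacy-abac-enabled", c["name"]))
        if c.get("loggingService") in (None, "none"):
            findings.append(("gke-logging-disabled", c["name"]))
        if not c.get("masterAuthorizedNetworksConfig", {}).get("enabled"):
            findings.append(("gke-master-authorized-networks-off", c["name"]))
        if not c.get("addonsConfig", {}).get("kubernetesDashboard", {}).get("disabled", False):
            findings.append(("gke-dashboard-enabled", c["name"]))
    return findings


def audit(inventory):
    """Run every check; each finding is (check id, resource name)."""
    return (check_rdp_from_internet(inventory["firewalls"])
            + check_sql(inventory["sql_instances"])
            + check_buckets(inventory["bucket_policies"])
            + check_gke(inventory["gke_clusters"]))


if __name__ == "__main__":
    for check, resource in audit(INVENTORY):
        print(f"{check}: {resource}")
```

Working from exported JSON rather than calling gcloud inside each check keeps the rules testable and lets the same inventory be re-evaluated after a fix without another round of API calls.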

Link: http://feedproxy.google.com/~r/PentestTools/~3/eanL2lSrxVg/hayat-auditing-hardening-script-for.html

Lynis 2.7.0 – Security Auditing Tool for Unix/Linux Systems

We are excited to announce this major release of the auditing tool Lynis. Several big changes have been made to the core functions of Lynis. These changes are the next in a series of simplification improvements we have made. There is a risk of breaking your existing configuration.

Lynis is an open source security auditing tool. It is used by system administrators, security professionals, and auditors to evaluate the security defenses of their Linux and UNIX-based systems. It runs on the host itself, so it performs more extensive security scans than vulnerability scanners.

Supported operating systems

The tool has almost no dependencies, therefore it runs on almost all Unix-based systems and versions, including:
- AIX
- FreeBSD
- HP-UX
- Linux
- Mac OS
- NetBSD
- OpenBSD
- Solaris
- and others

It even runs on systems like the Raspberry Pi and several storage devices!

Installation optional

Lynis is light-weight and easy to use. Installation is optional: just copy it to a system and use "./lynis audit system" to start the security scan. It is written in shell script and released as open source software (GPL).

How it works

Lynis performs hundreds of individual tests to determine the security state of the system. The security scan itself consists of a set of steps, from initialization of the program up to the report.

Steps
- Determine operating system
- Search for available tools and utilities
- Check for Lynis update
- Run tests from enabled plugins
- Run security tests per category
- Report status of security scan

Besides the data displayed on the screen, all technical details about the scan are stored in a log file. Any findings (warnings, suggestions, data collection) are stored in a report file.

Opportunistic Scanning

Lynis scanning is opportunistic: it uses what it can find. For example, if it sees you are running Apache, it will perform an initial round of Apache-related tests. When during the Apache scan it also discovers an SSL/TLS configuration, it will perform additional auditing steps on that. While doing that, it will collect discovered certificates so they can be scanned later as well.

In-depth security scans

By performing opportunistic scanning, the tool can run with almost no dependencies. The more it finds, the deeper the audit will be. In other words, Lynis will always perform scans which are customized to your system. No audit will be the same!

Use cases

Since Lynis is flexible, it is used for several different purposes. Typical use cases for Lynis include:
- Security auditing
- Compliance testing (e.g. PCI, HIPAA, SOx)
- Vulnerability detection and scanning
- System hardening

Resources used for testing

Many other tools use the same data files for performing tests. Since Lynis is not limited to a few common Linux distributions, it uses tests from standards and many custom ones not found in any other tool.
- Best practices
- CIS
- NIST
- NSA
- OpenSCAP data
- Vendor guides and recommendations (e.g. Debian, Gentoo, Red Hat)

Lynis Plugins

Plugins enable the tool to perform additional tests. They can be seen as an extension (or add-on) to Lynis, enhancing its functionality. One example is the compliance checking plugin, which performs specific tests only applicable to some standard.

Changelog

Upgrade note

## Lynis 2.7.0 (2018-10-26)

### Added
- MACF-6240 – Detection of TOMOYO binary
- MACF-6242 – Status of TOMOYO framework
- SSH-7406 – OpenSSH server version detection
- TOOL-5160 – Check active OSSEC analysis daemon

### Changed
- Changed several warning labels on screen
- AUTH-9308 – More generic sulogin for systemd rescue.service
- OS detection now ignores quotes for getting the OS ID.

Download Lynis 2.7.0
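The opportunistic flow described above (discover what is installed, run only the follow-up tests that apply, queue discovered certificates for a later check, and keep technical details in a log file while findings go to a report file), as an added example in POSIX sh. This is not Lynis code; the test IDs (WEB-1 and so on), the file paths and the sample Apache configuration are constructed for the example.

```shell
#!/bin/sh
# Added example, not Lynis code: a minimal opportunistic audit in POSIX sh.
# It looks for what is present under a root directory, runs only the follow-up
# tests that apply to what it found, queues discovered certificates for a later
# check, and keeps technical details in a log file and findings in a report
# file. Test IDs (WEB-1 etc.), paths and the sample configuration are constructed
# for this example and are not Lynis identifiers.

WORKDIR="${WORKDIR:-$(mktemp -d)}"
LOGFILE="$WORKDIR/audit.log"
REPORTFILE="$WORKDIR/audit.report"

log()    { printf '%s\n' "$1" >> "$LOGFILE"; }
report() { printf '%s=%s\n' "$1" "$2" >> "$REPORTFILE"; }

# audit_root ROOT: scan the filesystem under ROOT (use / on a real host) and
# print the number of warnings raised; the log and report files are rewritten.
audit_root() {
  root="$1"
  warnings=0
  : > "$LOGFILE"
  : > "$REPORTFILE"
  log "audit started, root=$root"

  # Discovery: Apache tests only run when an Apache configuration exists.
  apache_cfg="$root/etc/apache2/apache2.conf"
  if [ -f "$apache_cfg" ]; then
    log "[WEB-1] Apache configuration found: $apache_cfg"
    report "apache_config" "$apache_cfg"

    # A hardening check that applies once Apache is known to be present.
    if ! grep -Eq '^[[:space:]]*ServerTokens[[:space:]]+Prod' "$apache_cfg"; then
      log "[WEB-2] warning: ServerTokens is not set to Prod"
      report "warning[]" "WEB-2|ServerTokens not set to Prod"
      warnings=$((warnings + 1))
    fi

    # Deeper step: only vhosts with SSL/TLS enabled get the TLS checks, and the
    # certificates they reference are recorded for a later certificate scan.
    for vhost in "$root"/etc/apache2/sites-enabled/*.conf; do
      [ -f "$vhost" ] || continue
      if grep -Eq '^[[:space:]]*SSLEngine[[:space:]]+on' "$vhost"; then
        log "[WEB-3] SSL/TLS enabled in $vhost"
        for cert in $(awk '/^[[:space:]]*SSLCertificateFile/ {print $2}' "$vhost"); do
          report "certificate" "$cert"
          log "[CRYPT-1] certificate queued for later inspection: $cert"
        done
      fi
    done
  else
    log "[WEB-1] no Apache configuration found, skipping web server tests"
  fi

  log "audit finished, warnings=$warnings"
  printf '%s\n' "$warnings"
}

# make_sample_root: build a constructed fake root holding an Apache install
# whose ServerTokens is not Prod and one TLS vhost; prints the directory.
make_sample_root() {
  dir="$(mktemp -d)"
  mkdir -p "$dir/etc/apache2/sites-enabled"
  printf 'ServerRoot "/etc/apache2"\nServerTokens OS\n' > "$dir/etc/apache2/apache2.conf"
  printf '<VirtualHost *:443>\n  SSLEngine on\n  SSLCertificateFile /etc/ssl/certs/example.pem\n</VirtualHost>\n' \
    > "$dir/etc/apache2/sites-enabled/default-ssl.conf"
  printf '%s\n' "$dir"
}

# Demo run against the constructed root; on a real host you would call: audit_root /
sample="$(make_sample_root)"
echo "warnings: $(audit_root "$sample")"
echo "--- report ---"
cat "$REPORTFILE"
```

The point of the structure is that the TLS checks and the certificate collection never run unless the earlier Apache discovery succeeded, so the same script is harmless on a host without Apache and goes deeper on one that has it; the log records every decision, while the report only carries what a reviewer needs (the discovered configuration, queued certificates and warnings).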

Link: http://feedproxy.google.com/~r/PentestTools/~3/1jxxIa_coK4/lynis-270-security-auditing-tool-for.html

Lynis 2.6.8 – Security Auditing Tool for Unix/Linux Systems

(The tool description in this entry is identical to the Lynis 2.7.0 entry above; only the changelog differs.)

Changelog

Upgrade note

## Lynis 2.6.8 (2018-08-23)

### Changed
- BOOT-5104 – improved parsing of boot parameters to init process
- PHP-2372 – test all PHP files for expose_php and improved logging
- Alpine Linux detection for Docker audit
- Docker check now tests also for CMD, ENTRYPOINT, and USER configuration
- Improved display in Docker output for showing which keys are used for signing

Download Lynis 2.6.8

Link: http://feedproxy.google.com/~r/PentestTools/~3/crZYwFyGbEM/lynis-268-security-auditing-tool-for.html