|
@@ -2,6 +2,7 @@
|
|
|
|
|
|
import os
|
|
|
import pwd
|
|
|
+import re
|
|
|
import subprocess
|
|
|
import sys
|
|
|
import glob
|
|
@@ -15,7 +16,14 @@ def get_perl_inc():
|
|
|
except FileNotFoundError:
|
|
|
return []
|
|
|
|
|
|
+disRules = list()
|
|
|
+disRules.append(('/etc/apache2/sites-available/*', 'SSLCertificateKeyFile\s+(\S+)'))
|
|
|
+disRules.append(('/etc/dovecot/conf.d/10-ssl.conf', 'ssl_key\s*=\s*<(\S+)'))
|
|
|
+disRules.append(('/etc/nginx/sites-available/*', 'ssl_certificate_key\s+([^;]+);'))
|
|
|
+disRules.append(('/etc/postfix/main.cf', 'smtpd_tls_key_file\s*=\s*(\S+)'))
|
|
|
+
|
|
|
readPatterns = [
|
|
|
+ '/etc/shadow',
|
|
|
'/etc/ssl/*_key',
|
|
|
'~/.ssh/identity',
|
|
|
'~/.ssh/id_dsa',
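Review bot: The four `disRules` patterns are ordinary string literals containing `\s` and `\S`; Python treats those as invalid escape sequences (a DeprecationWarning, a SyntaxWarning on 3.12+, and an error in a future release), so they should be raw strings, e.g. `disRules.append(('/etc/apache2/sites-available/*', r'SSLCertificateKeyFile\s+(\S+)'))` and likewise for the dovecot, nginx and postfix rules. The captures also keep any surrounding quotes (Apache and nginx accept `"/path/to/key"`), which would then be fed to a glob that finds nothing, so whatever consumes these groups should strip quotes, or the regexes should exclude them. Separately, on Debian-style systems `/etc/shadow` is normally `root:shadow 0640` rather than owner-only; depending on what `readPatterns` enforces (its check is outside this hunk), the new `/etc/shadow` entry may fire on a stock system, which is worth confirming before merging.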
|
|
@@ -40,6 +48,8 @@ readPatterns = [
|
|
|
'~/.python_history',
|
|
|
'~/.bash_history',
|
|
|
'~/.config/sonata/sonatarc',
|
|
|
+ '/etc/graphite/local_settings.py',
|
|
|
+ '/etc/roundcube/config.inc.php',
|
|
|
'/etc/sympa/sympa.conf*',
|
|
|
'/etc/dolibarr/conf.php*',
|
|
|
'/etc/letsencrypt/archive/*/privkey*.pem',
|
|
@@ -65,6 +75,7 @@ writePatterns = [
|
|
|
'/etc/profile', # dash shell, bash shell
|
|
|
'/etc/profile.d/*.sh', # dash shell, bash shell
|
|
|
'~/.profile',
|
|
|
+ '~/.config/autostart/*.desktop',
|
|
|
'~/.inputrc',
|
|
|
'/etc/bash.bashrc', # bash shell
|
|
|
'~/.bashrc', # bash shell
|
|
@@ -92,9 +103,9 @@ UID_MIN=1000
|
|
|
UID_MAX=60000
|
|
|
|
|
|
homePaths = []
|
|
|
-for pwd in pwd.getpwall():
|
|
|
- if pwd.pw_uid in range(UID_MIN, UID_MAX):
|
|
|
- homePaths.append(pwd.pw_dir)
|
|
|
+for pw in pwd.getpwall():
|
|
|
+ if pw.pw_uid in range(UID_MIN, UID_MAX):
|
|
|
+ homePaths.append(pw.pw_dir)
|
|
|
|
|
|
def patternWalk(pattern):
|
|
|
if pattern == '~' or pattern[:2] == '~/':
|
|
@@ -103,6 +114,17 @@ def patternWalk(pattern):
|
|
|
else:
|
|
|
yield from glob.glob(pattern)
|
|
|
|
|
|
+# Discover paths to file with sensible information
|
|
|
+for disRule in disRules:
|
|
|
+ disPattern = disRule[0]
|
|
|
+ disRe = re.compile(disRule[1])
|
|
|
+ for disPath in patternWalk(disPattern):
|
|
|
+ disFile = open(disPath, 'r')
|
|
|
+ for match in re.finditer(disRe, disFile.read()):
|
|
|
+ for group in match.groups():
|
|
|
+ print("discovered %s" % group)
|
|
|
+ readPatterns.append(group)
|
|
|
+
|
|
|
writePatternsParents = [
|
|
|
]
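Review bot: The file handle opened at `disFile = open(disPath, 'r')` is never closed, and a `PermissionError` (audit not run as root), an `IsADirectoryError`, or a `UnicodeDecodeError` on any one config aborts the whole audit instead of skipping that file; wrap the read in `with` and catch `OSError` so one unreadable file does not hide every other finding. The captured group is appended to `readPatterns` verbatim, so quoted paths from Apache/nginx (`"/etc/ssl/private/x.key"`) reach `patternWalk` with the quotes and silently match nothing. Commented-out directives (`#SSLCertificateKeyFile ...`) are also matched by these regexes; the resulting bogus path just globs to nothing, so it is noise rather than a false finding, but a `^\s*` anchor with `re.MULTILINE` would avoid it. The comment should read "sensitive", not "sensible".
```python
# Discover paths to files with sensitive information (private keys named in service configs)
for disPattern, disRegex in disRules:
    disRe = re.compile(disRegex)
    for disPath in patternWalk(disPattern):
        try:
            with open(disPath, 'r', errors='replace') as disFile:
                content = disFile.read()
        except OSError as err:
            # unreadable config (e.g. audit not run as root): report and keep going
            print("cannot read %s: %s" % (disPath, err), file=sys.stderr)
            continue
        for match in disRe.finditer(content):
            for group in match.groups():
                # Apache/nginx accept quoted paths; leftover quotes would defeat the glob
                keyPath = group.strip().strip('"\'')
                print("discovered %s" % keyPath)
                readPatterns.append(keyPath)
```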
|
|
|
|
|
@@ -221,4 +243,12 @@ for strPath in get_perl_inc():
|
|
|
|
|
|
logExceptions('These perl include paths are world-writable', perlpathWriteExceptions)
|
|
|
|
|
|
+# Passwords should be stored in /etc/shadow, not /etc/passwd
|
|
|
+contentExceptions = []
|
|
|
+for pw in pwd.getpwall():
|
|
|
+ if len(pw.pw_passwd) > 0 and pw.pw_passwd != 'x' and pw.pw_passwd != '*' and pw.pw_passwd != '!':
|
|
|
+ contentExceptions.append(Path('/etc/passwd'))
|
|
|
+
|
|
|
+logExceptions('These files contains sensible information', contentExceptions)
|
|
|
+
|
|
|
printExceptions()
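Review bot: The `len(pw.pw_passwd) > 0` guard makes the new check skip exactly the most dangerous case: an empty password field in `/etc/passwd` is an account that can log in without any password, which is a stronger finding than a hash stored in the wrong file and deserves to be reported here (or in a separate exception) rather than ignored. The loop also appends `Path('/etc/passwd')` once per offending account, so a system with several such users lists the same file repeatedly; stop after the first hit, e.g. `if pw.pw_passwd not in ('x', '*', '!'):` / `contentExceptions.append(Path('/etc/passwd'))` / `break`, and consider printing `pw.pw_name` alongside so the operator knows which account to fix. `Path` is not imported in the import hunk of this diff; if it is not brought in elsewhere in the file this line raises `NameError` at the very end of the run. As in the earlier hunk, "sensible information" should be "sensitive information" and "files contains" should be "files contain".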
|