Added:
/HnTool/modules/mysql.py
Modified:
/HnTool/modules/__init__.py
=======================================
--- /dev/null
+++ /HnTool/modules/mysql.py Sat Jan 15 17:28:35 2011
@@ -0,0 +1,190 @@
+# -*- coding: utf-8 -*-
+#
+# HnTool rules - mysql
+# Copyright (C) 2010 Rafael Gomes <rafae...@techfree.com.br>
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
USA
+#
+
+# To do : Include code to check when sintax that there isn't in conf
+
+import os
+import commands
+import getpass
+from HnTool.modules.rule import MasterRule
+
+# Review this module. Improve the code
+
+
+class Rule(MasterRule):
+
+ def __init__(self, options):
+ MasterRule.__init__(self, options)
+ self.short_name = "mysql"
+ self.long_name = "Checks security problems on MySQL config file"
+ self.type = "config"
+ self.required_files = ['/etc/my.cnf', '/etc/mysql/my.cnf']
+
+ options.add_option(
+ '--mysql_conf',
+ action='append',
+ dest='mysql_conf',
+ help='adds a mysql conf file to the list of files to' +
+ ' analize')
+
+ options.add_option(
+ '--require_mysql_root',
+ action='store_true',
+ dest='require_mysql_root_password',
+ help='require the mysql root password to analize')
+
+ def requires(self):
+ return self.required_files
+
+ def mysql_command(self, mysql_echo, mysql_grep, mysql_root_password):
+ cod_return, mysql_return = commands.getstatusoutput("LC_ALL=C
echo " +
+ mysql_echo + "| mysql -u root --password=" +
+ mysql_root_password + "| grep " + mysql_grep)
+ cod_return = str(cod_return)
+ return cod_return, mysql_return
+
+ def analyze(self, options):
+ """ Analyze MySQL config file searching for harmful settings"""
+
+ require_mysql_root_password = options.require_mysql_root_password
+ check_results = self.check_results
+ mysql_conf_files = self.required_files
+
+ # Checking default mysql password
+ mysql_echo = "'show variables;'"
+ mysql_grep = 'log'
+ cod_return, mysql_return = self.mysql_command(
+ mysql_echo, mysql_grep, '')
+
+ if not '0' in cod_return:
+ check_results['low'].append(
+ 'Some error in Mysql Daemon, please verify and try again')
+ else:
+ if not 'log' in mysql_return:
+ check_results['ok'].append(
+ 'No default password, please use ' +
+ '--require_mysql_root to put mysql root password')
+ default_password = False
+ else:
+ check_results['high'].append(
+ 'Default password (Change Now)')
+ default_password = True
+
+ if require_mysql_root_password:
+ mysql_root_password = getpass.getpass('Root password '
+
+ 'for MySQL: ')
+
+ # Checking if there is password to check
+ if not default_password and not
require_mysql_root_password:
+ check_results['info'].append('HnTool can not check ' +
+ 'without mysql root password ' +
+ '(Please use --require_mysql_root ' +
+ 'with correct password)')
+ else:
+
+ # Checking if Local Infile is using harmful conf
+ mysql_echo = "'show variables;'"
+ mysql_grep = 'infile'
+ cod_return, mysql_return = self.mysql_command(
+ mysql_echo, mysql_grep, mysql_root_password)
+
+ if 'ERROR' in mysql_return:
+ check_results['info'].append(
+ 'Wrong password (Please use --require_mysql_root '
+
+ 'with correct password)')
+ else:
+
+ if not 'ON' in mysql_return:
+ check_results['ok'].append(
+ 'Local infile is not using harmful conf')
+ else:
+ check_results['medium'].append(
+ 'Local infile is using harmful conf (put OFF)')
+
+ # Checking if there is anonymous users
+ mysql_echo = "\"select * from mysql.user \
+ where user='';\""
+ foo, anonymous_return = commands.getstatusoutput(
+ "LC_ALL=C echo " + mysql_echo + "| mysql -u root "
+
+ "--password=" + mysql_root_password)
+
+ if '' in anonymous_return:
+ check_results['ok'].append(
+ 'There is not any anonymous users')
+ else:
+ check_results['medium'].append(
+ 'There is anonymous users (Delete then)')
+
+ # Checking if there is default database
+ mysql_echo = "'show databases;'"
+
+ # TODO We need implement way to check a list
+ # of all tables return
+ #mysql_grep = "''"
+ #mysql_return = self.mysql_command(
+ #mysql_echo, mysql_grep)
+ mysql_default_tables = ['test']
+ mysql_default_table_flag = False
+
+ for mysql_default_table in mysql_default_tables:
+
+ mysql_grep = mysql_default_table
+ cod_return, mysql_return = self.mysql_command(
+ mysql_echo, mysql_grep, mysql_root_password)
+
+ if mysql_default_table in mysql_return:
+ check_results['medium'].append(
+ 'Default table ' +
+ mysql_default_table +
+ ' found (Delete that table)')
+ mysql_default_table_flag = True
+
+ if not mysql_default_table_flag:
+ check_results['ok'].append(
+ 'Any default table found')
+
+ # File handler
+
+ if options.mysql_conf:
+ for f in options.mysql_conf:
+ mysql_conf_files.append(f)
+
+ mysql_conf_file_found = False
+ for mysql_conf in mysql_conf_files:
+ if os.path.isfile(mysql_conf):
+ mysql_conf_file_found = True
+ fp = None
+
+ try:
+ fp = open(mysql_conf, 'r')
+ except IOError, (errno, strerror):
+ check_results['info'].append(
+ 'Could not open %s: %s' % (mysql_conf, strerror))
+ continue
+
+ lines = [x.strip('\n') for x in fp.readlines()]
+ fp.close()
+
+
+ # If there is, closing the mysql_config file
+ if not mysql_conf_file_found:
+ check_results['info'].append(
+ 'Could not find MySQL\'s configuration files')
+
+ return check_results
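Review bot: `mysql_command`, and the inline `commands.getstatusoutput` call in the anonymous-user check, build a shell command by string concatenation, so the root password typed at the `getpass` prompt ends up on a command line that is visible in the process list and that any shell metacharacter in the password or in `mysql_echo` can break or alter. Run the client through `subprocess.Popen` with an argument list (needs `import subprocess` next to the other imports), feed the statement on stdin and hand the password over through the environment (`MYSQL_PWD`) or an option file; that also drops the shell-only quoting in the `mysql_echo` literals, so `analyze` would pass `show variables;` and the `select` bare, and the empty-password probe should be checked to behave like the old `--password=`. Separately, `if '' in anonymous_return:` is always true, so the anonymous-user branch can never report a finding, and `mysql_root_password` is only bound under `if require_mysql_root_password:`, so the default-password path raises NameError at the first `self.mysql_command(..., mysql_root_password)` call. `lines` read from each config file is never inspected, and `mysql_conf_files = self.required_files` aliases the list, so `--mysql_conf` entries are appended to `self.required_files` itself; `mysql_conf_files = list(self.required_files)` avoids that.
```python
    def mysql_command(self, mysql_echo, mysql_grep, mysql_root_password):
        # No shell: the statement goes in on stdin and the password through the
        # environment, so neither is subject to shell parsing or shown in ps.
        env = dict(os.environ, LC_ALL='C', MYSQL_PWD=mysql_root_password)
        proc = subprocess.Popen(['mysql', '-u', 'root'], env=env,
                                stdin=subprocess.PIPE,
                                stdout=subprocess.PIPE,
                                stderr=subprocess.STDOUT)
        output, _ = proc.communicate(mysql_echo + '\n')
        # Same filtering the old "| grep" did, without a second process.
        matched = [line for line in output.splitlines() if mysql_grep in line]
        return str(proc.returncode), '\n'.join(matched)
```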
=======================================
--- /HnTool/modules/__init__.py Tue Sep 14 18:55:12 2010
+++ /HnTool/modules/__init__.py Sat Jan 15 17:28:35 2011
@@ -19,6 +19,6 @@
#
__files__ =
['authentication', 'filesystems', 'php', 'remote', 'system-wide', 'tools']
-__services__ =
['apache', 'proftpd', 'ports', 'postgresql', 'ssh', 'vsftpd']
+__services__ =
['apache', 'proftpd', 'ports', 'postgresql', 'ssh', 'vsftpd', 'mysql']
__all__ = __files__ + __services__