Suggestions & Considerations for Script Outcomes #6
Hey @KyTechInc thank you for opening the ticket!
Totally agree. Fixed!
I like this idea but it's a tricky one to get right. Like you said, we cannot infer intent. I think this would serve best as an INFO state, which currently does not exist, but I'd like to add.
Can you elaborate on which protocols are insecure? These can be a WARN at the very least (another state I'd like to add!)
Didn't know this. What would be the check in this case?
I like those states WARN and INFO. 'Cause, ya, we can't infer use, but I find oftentimes people will cover security related to their use case but may not be fully aware of all ports that are open. Plus, sometimes some VPS providers leave other ports open for their infra use tools or services that may not be within the normal scope. So I think an INFO > List of open ports, and let the user do with that info as needed.

As for the WARN > Insecure ports, I was thinking of stuff like they have 21/FTP or 25/SMTP open. Regardless of intent, these are the insecure (non-HTTPS/TLS) versions of the protocol OR there is a replacement protocol that is secure: 22 (SFTP) or 990 (FTPS) and 465/587 (secure SMTP). I think it's safe to say that even with a purposeful use case for using 21/25 over these secure options (thinking about legacy support), that still puts the system at risk of attacks without further measures in place.

As for Ubuntu Pro, there is a CLI built into Ubuntu (16.04 LTS, 18.04 LTS, 20.04 LTS or 22.04 LTS). You could do a check for those distro versions because frankly, if you're doing a security audit and running in "PROD" you should be using the LTS distro version. You can run a check for the Pro version in use, and if it's not installed/enabled it will return an error:

```
$ pro --version
34~24.04
```

You could also check for the status of the installed tool set that makes up the Pro suite:

```
$ pro status
SERVICE          ENTITLED  STATUS    DESCRIPTION
anbox-cloud      yes       disabled  Scalable Android in the cloud
esm-apps         yes       enabled   Expanded Security Maintenance for Applications
esm-infra        yes       enabled   Expanded Security Maintenance for Infrastructure
landscape        yes       disabled  Management and administration tool for Ubuntu
livepatch        yes       enabled   Canonical Livepatch service
realtime-kernel* yes       disabled  Ubuntu kernel with PREEMPT_RT patches integrated

 * Service has variants

For a list of all Ubuntu Pro services and variants, run 'pro status --all'
Enable services with: pro enable <service>

     Account: [email protected]
Subscription: Ubuntu Pro - free personal subscription
```

***Note: This command does output PII with the account email at the bottom.***

esm-apps, esm-infra and livepatch are the bare minimum required to have the expanded CVE package installs work from the Pro repo. You can also do cool things too, like check the package count on the machine and see how many have an update available that would be covered by the Pro repo. (I believe this can be done without registering):

```
$ pro security-status --esm-apps
1919 packages installed:
     10 packages from Ubuntu Universe/Multiverse repository

Ubuntu Pro with 'esm-apps' enabled provides security updates for
Universe/Multiverse packages until 2030 and has 1 pending security update.

Run 'pro help esm-apps' to learn more

Package names in bold currently have an available update
with 'esm-apps' enabled

Packages:
ansible  python3-argcomplete  python3-kerberos  python3-libcloud
python3-ntlm-auth  python3-requests-kerberos  python3-requests-ntlm
python3-selinux  python3-winrm  python3-xmltodict
```

Also, if you were to put together some sort of opinionated list of the top or most exploited CVEs (think like WordPress, NGINX, SSL, etc.), you could run a "Top 10 CVE" check using the Pro CLI:

```
$ pro fix CVE-2021-3583
CVE-2021-3583:
A flaw was found in Ansible, where a user's controller is vulnerable to
template injection. This issue can occur through facts used in the template
if the user is trying to put templates in multi-line YAML strings and the
facts being handled do not routinely include special template characters.
This flaw allows attackers to perform command injection, which discloses
sensitive information. The highest threat from this vulnerability is to
confidentiality and integrity.
https://ubuntu.com/security/CVE-2021-3583

1 affected source package is installed: ansible
(1/1) ansible:
A fix is available in Ubuntu Pro with `esm-apps` enabled.
The update is not installed because this system is not attached to a subscription.
```

And if this system has the fix applied already:

```
$ pro fix CVE-2021-3583
CVE-2021-3583: Ansible vulnerabilities
 - https://ubuntu.com/security/CVE-2021-3583

No affected source packages are installed.

✔ CVE-2021-3583 does not affect your system.
```

The Ubuntu Pro case is def a cool tool but obviously only applies to Ubuntu-based systems, and also I would still probably suggest it being a WARN or some sort of special category as it is an additional "product" to install and not core to all VPS setups. I would however suggest the top 10 CVE list (or whatever number you come to) being part of the scoring system. No reason to have top-tier exploited holes in a PROD system.
Great explanation Ky, thank you. I think the ports suggestion is fantastic, I'll work on adding it in the near future. Interestingly, I don't have Pro, yet the pro commands are working:
Any idea why this might be?
Sorry, stepped away for family time during the holidays. I think since the Pro CLI comes pre-installed on the system, a lot of the commands will return info or results, but to take action you need to have an active subscription for the machine. And again, this is free for 5 machines. Your return shows all the features as "AVAILABLE", whereas mine shows with "ENTITLED" and "STATUS":

```
$ pro status
SERVICE          ENTITLED  STATUS    DESCRIPTION
anbox-cloud      yes       disabled  Scalable Android in the cloud
esm-apps         yes       enabled   Expanded Security Maintenance for Applications
esm-infra        yes       enabled   Expanded Security Maintenance for Infrastructure
landscape        yes       disabled  Management and administration tool for Ubuntu
livepatch        yes       enabled   Canonical Livepatch service
realtime-kernel* yes       disabled  Ubuntu kernel with PREEMPT_RT patches integrated

 * Service has variants

For a list of all Ubuntu Pro services and variants, run 'pro status --all'
Enable services with: pro enable <service>
```

This is a good thing though, 'cause it seems you could get results back from those CVE checks to provide WARN statuses without the user having an active Pro subscription.
Had a couple thoughts on enhancements / suggestions / considerations to check with the script.

1. Changing the % count to 100% when all top-line checks pass:

   e.g. I've tested on a couple VPSs of mine which get a pass in all stages, but I have skips in the child elements of the SSH Security section. This is due to me using my VPS provider's FW UI to block any traffic on port 22 aside from connections from my home static IP. As well, I also sometimes set up a VPN tunnel (CloudFlare) to my VPSs, in which case ssh (and all other ports) for inbound are blocked. I think it's fine to show the child elements as skips, but in this case it shouldn't hurt the % score stat, seeing as if you can't hit port 22, it really doesn't matter what is set up. The only case(s) I can see this not handling is if someone has mapped the ssh service to a random or different port. (See 2 for handling that.)

2. Related to 1, adding in a port map scan to tag open ports.

   If you are after a zero-deps-or-install approach, you could use the `ss` (Socket Statistics) command, which is built in on Debian/Ubuntu systems. Or nmap if installing a tool as part of the script is ok. This might be more of an FYI section as we can't infer intent or purpose for a port being open. But highlighting common exploited ports, DB ports and ports outside the normal collections (80, 443, 22, etc.) or highlighting inherently insecure versions of certain protocols, like 21, 25, etc.

3. Suggestion/Check for Ubuntu Pro subscription (Ubuntu only)

   Ubuntu Pro is free for up to 5 machines and when installed it empowers your `apt update` with an expanded repository list of CVE update fixes that are not part of the normal (non-Pro) updates out of the box. All of the current script checks and ones listed above can all be for naught if a bad actor can get in due to an exploited CVE that is bypassing said guards.

I think that's all for now. If I think of anything else I will try to update!
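The three checks discussed in this thread (listing listening ports from `ss` and tagging them INFO/WARN, reading the `pro status` table for esm-apps/esm-infra/livepatch, and turning `pro fix` output into a pass/fail) in one POSIX shell example. This is added illustration, not code from the audit script or from anyone in the thread. The WARN and "expected" port lists, the LOCAL handling for loopback-only listeners, the state names and all sample inputs are assumptions made here; the script would substitute its own conventions.

```shell
#!/bin/sh
# Added example, not code from the audit script or this thread's authors.
# Port lists and state names below are assumptions chosen for illustration.

# Plaintext protocols that have a TLS/SSH replacement (assumed WARN list).
WARN_PORTS="21 23 25 110 143"
# Ports treated as expected on a web VPS (assumed); anything else is INFO.
EXPECTED_PORTS="22 80 443"

# classify_port PORT -> WARN | OK | INFO
classify_port() {
    case " $WARN_PORTS " in *" $1 "*) echo WARN; return 0 ;; esac
    case " $EXPECTED_PORTS " in *" $1 "*) echo OK; return 0 ;; esac
    echo INFO
}

# listening_ports: reads `ss -tlnH` lines on stdin, prints "PORT SCOPE STATE"
# once per distinct port. A port bound only to 127.0.0.1 / [::1] is reported
# as LOCAL instead of being flagged, since it is not reachable from outside.
listening_ports() {
    awk '{
        n = split($4, a, ":"); port = a[n];
        host = substr($4, 1, length($4) - length(port) - 1);
        if (host == "127.0.0.1" || host == "[::1]") {
            if (!(port in scope)) scope[port] = "local";
        } else {
            scope[port] = "public";
        }
    }
    END { for (p in scope) print p, scope[p] }' | sort -n |
    while read -r port scope; do
        if [ "$scope" = local ]; then state=LOCAL; else state=$(classify_port "$port"); fi
        printf '%s %s %s\n' "$port" "$scope" "$state"
    done
}

# pro_state: reads `pro status` on stdin. PASS only when esm-apps, esm-infra
# and livepatch all show "enabled" in the STATUS column. An unattached machine
# prints an AVAILABLE column instead of STATUS, so it falls through to WARN.
pro_state() {
    n=$(awk '($1 == "esm-apps" || $1 == "esm-infra" || $1 == "livepatch") && $3 == "enabled" { c++ }
             END { print c + 0 }')
    if [ "$n" -eq 3 ]; then echo PASS; else echo WARN; fi
}

# cve_state: reads `pro fix CVE-...` output on stdin. FAIL when an affected
# source package is installed (including the unattached case where the fix
# sits in esm-apps), PASS when none is, INFO when the text is unrecognised.
cve_state() {
    out=$(cat)
    case $out in
        *"No affected source packages are installed"*) echo PASS ;;
        *"affected source package"*)                   echo FAIL ;;
        *)                                             echo INFO ;;
    esac
}

# Constructed sample shaped like `ss -tlnH` output (not captured from a real host).
SAMPLE_SS='LISTEN 0 32   0.0.0.0:21    0.0.0.0:*
LISTEN 0 128  0.0.0.0:22    0.0.0.0:*  users:(("sshd",pid=812,fd=3))
LISTEN 0 100  127.0.0.1:25  0.0.0.0:*
LISTEN 0 4096 *:80          *:*
LISTEN 0 128  [::]:22       [::]:*
LISTEN 0 151  0.0.0.0:3306  0.0.0.0:*'

# Constructed `pro status` tables: attached (as in the thread) and unattached.
SAMPLE_PRO_ATTACHED='SERVICE     ENTITLED  STATUS    DESCRIPTION
esm-apps    yes       enabled   Expanded Security Maintenance for Applications
esm-infra   yes       enabled   Expanded Security Maintenance for Infrastructure
livepatch   yes       enabled   Canonical Livepatch service
landscape   yes       disabled  Management and administration tool for Ubuntu'
SAMPLE_PRO_UNATTACHED='SERVICE     AVAILABLE  DESCRIPTION
esm-apps    yes        Expanded Security Maintenance for Applications
esm-infra   yes        Expanded Security Maintenance for Infrastructure
livepatch   yes        Canonical Livepatch service'

# Demo on the constructed samples. On a live host: ss -tlnH | listening_ports
printf '%s\n' "$SAMPLE_SS" | listening_ports
printf 'pro: %s\n' "$(printf '%s\n' "$SAMPLE_PRO_ATTACHED" | pro_state)"
```

Two caveats for anyone wiring this into the script: `ss` only shows what is listening on the host, not what the provider's firewall lets through, so a LOCAL or OK tag says nothing about an upstream block (which is exactly the port-22 case from item 1). And `pro fix` applies the update when the machine is attached, so an audit that only wants the yes/no answer should not run it unattended without checking the tool's help for a non-modifying mode first.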