passwd

package
v0.1.0
Published: Aug 11, 2018 License: Apache-2.0 Imports: 10 Imported by: 0

Documentation

Overview

Package passwd implements a minion that looks for simple issues within /etc/passwd and /etc/shadow files.

It contains functions that check whether users can log in without a password, whether password hashes use a weak algorithm (DES or MD5), and whether an account other than root has UID 0.

It also checks whether those files have insecure UNIX permissions.

Constants

This section is empty.

Variables

var (
	PasswdPermissions = &pb.Advisory{
		Reference:      "passwd_permissions",
		Description:    "/etc/passwd file has permissions that are too wide.",
		Recommendation: "Change the permissions of /etc/passwd to 0644.",
	}
	PasswdEmptyHash = &pb.Advisory{
		Reference:      "passwd_empty_hash",
		Description:    "User has an empty password",
		Recommendation: "Set up a password for the user",
	}
	PasswdWeakHashType = &pb.Advisory{
		Reference:      "passwd_weak_hash_type",
		Description:    "User uses weak hash function for the hash of his password.",
		Recommendation: "Change the hash function to SHA512.",
	}
	PasswdBackdoor = &pb.Advisory{
		Reference:   "passwd_backdoor",
		Description: "A user which is not root has uid 0.",
	}
	ShadowPermissions = &pb.Advisory{
		Reference:      "shadow_permissions",
		Description:    "/etc/shadow file has permissions that are too wide.",
		Recommendation: "Change the permissions of /etc/shadow to 0640.",
	}
	ShadowEmptyHash = &pb.Advisory{
		Reference:      "shadow_empty_hash",
		Description:    "User has an empty password.",
		Recommendation: "Set up a password for the user.",
	}
	ShadowWeakHashType = &pb.Advisory{
		Reference:      "shadow_weak_hash_type",
		Description:    "User uses weak hash for the hash of his password.",
		Recommendation: "Change the hash function to SHA512.",
	}
)

Advisories that are used by the passwdfile Minion.

Functions

func AnalyzePasswd

func AnalyzePasswd(file *pb.File) ([]*pb.Finding, error)

AnalyzePasswd looks for security issues in the /etc/passwd file and reports them as Findings.

func AnalyzeShadow

func AnalyzeShadow(file *pb.File) ([]*pb.Finding, error)

AnalyzeShadow looks for security issues in the /etc/shadow file and reports them as Findings.

func ArePasswdPermissionsSecure

func ArePasswdPermissionsSecure(passwd *pb.FileMetadata) bool

ArePasswdPermissionsSecure checks the permissions of the /etc/passwd file. It returns false when the file is group- or world-writable (g+w or o+w set) and true otherwise. World-readability is not flagged: /etc/passwd must stay readable by every process that resolves user names to UIDs.

func AreShadowPermissionsSecure

func AreShadowPermissionsSecure(shadow *pb.FileMetadata) bool

AreShadowPermissionsSecure checks the permissions of the /etc/shadow file. It returns false when the file is group-writable, world-writable or world-readable (any of g+w, o+w, o+r set) and true otherwise. Group-read is tolerated, which matches the 0640 root:shadow mode several distributions ship; 0600 is stricter and also passes.
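The two permission rules above, written out as an added example over os.FileMode so they can be exercised on constructed modes as well as real files. This is example code, not the package's own; the helper names (passwdPermissionsSecure, shadowPermissionsSecure, checkFile) are my own.

```go
package main

import (
	"fmt"
	"os"
)

// Permission bits the two rules care about: group-write, other-write,
// other-read. Spelled out so the intent survives a glance.
const (
	groupWrite os.FileMode = 0020
	otherWrite os.FileMode = 0002
	otherRead  os.FileMode = 0004
)

// passwdPermissionsSecure mirrors the documented /etc/passwd rule: neither
// group nor others may write. World-read is expected, since getpwnam(3) and
// friends in every unprivileged process need to read the file.
func passwdPermissionsSecure(mode os.FileMode) bool {
	return mode.Perm()&(groupWrite|otherWrite) == 0
}

// shadowPermissionsSecure mirrors the documented /etc/shadow rule: no
// group-write, other-write or other-read. Group-read is tolerated because
// 0640 root:shadow is a common distribution default; 0600 also passes.
func shadowPermissionsSecure(mode os.FileMode) bool {
	return mode.Perm()&(groupWrite|otherWrite|otherRead) == 0
}

// checkFile applies a rule to a real path. Keeping the rules pure functions
// of the mode makes them testable without touching the filesystem.
func checkFile(path string, rule func(os.FileMode) bool) (bool, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return false, err
	}
	return rule(fi.Mode()), nil
}

func main() {
	checks := []struct {
		path string
		rule func(os.FileMode) bool
	}{
		{"/etc/passwd", passwdPermissionsSecure},
		{"/etc/shadow", shadowPermissionsSecure},
	}
	for _, c := range checks {
		ok, err := checkFile(c.path, c.rule)
		if err != nil {
			fmt.Printf("%s: %v\n", c.path, err) // e.g. file absent on this host
			continue
		}
		fmt.Printf("%s: secure=%v\n", c.path, ok)
	}
}
```

mode.Perm() masks the setuid, setgid and sticky bits, so only the nine rwx bits are compared. Note that both rules look at mode bits alone: a copy of /etc/shadow that is 0600 but owned by an unprivileged user would pass them, so an ownership check belongs alongside in a real audit.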

Types

type Days

type Days int

Days represents time interval measured in days.

func NewDays

func NewDays(duration string) (Days, error)

NewDays returns a Days value for the number of days given as a string. It returns -1 if the given string is empty.

type HashType

type HashType int

HashType represents the algorithm used to produce a password hash.

const (
	MD5 HashType = iota
	BLOWFISH
	SHA256
	SHA512
	DES
)

Hash types that may appear in the password field of /etc/passwd and /etc/shadow. They are identified by the crypt(3) prefix: $1$ is MD5, $2a$/$2b$/$2y$ are bcrypt (Blowfish), $5$ is SHA-256 and $6$ is SHA-512; a traditional DES hash has no prefix and is 13 characters long.

type Minion

type Minion struct{}

Minion is the implementation of the minion.Minion interface.

func (*Minion) AnalyzeFiles

func (m *Minion) AnalyzeFiles(ctx context.Context, req *pb.AnalyzeFilesRequest) (*pb.AnalyzeFilesResponse, error)

AnalyzeFiles looks for /etc/passwd and /etc/shadow files in the AnalyzeFilesRequest. It then returns security issues found in those files as Findings in pb.AnalyzeFilesResponse.

func (*Minion) ListInitialInterests

ListInitialInterests returns the initial interests of a Minion.

type PasswordHash

type PasswordHash string

PasswordHash holds the password field of a passwd or shadow entry, in crypt(3) format.

func (PasswordHash) GetHashType

func (hash PasswordHash) GetHashType() HashType

GetHashType returns the type of hash used by the PasswordHash.

func (PasswordHash) IsDisabled

func (hash PasswordHash) IsDisabled() bool

IsDisabled checks if the password is disabled, which is typically done by prefixing the hash with ! (account locked) or * (no password login possible).

func (PasswordHash) UsesWeakHashing

func (hash PasswordHash) UsesWeakHashing() bool

UsesWeakHashing checks if the password was hashed using MD5 or DES.

type ShadowInfo

type ShadowInfo struct {
	Username       string       // Username from /etc/passwd that this information refers to.
	PasswordHash   PasswordHash // Hash of the password, as in `man 3 crypt`.
	LastChangeDate time.Time    // Date of the last password change. In /etc/shadow it is stored as the number of days since 01/01/1970. An empty field is represented as the zero value of time.Time and means that password aging is disabled. A value of 0 (01/01/1970) means that the user must change the password at the next login.
	MinimumAge     Days         // How long the user has to wait before being allowed to change the password again. -1 and 0 mean that there is no minimum age.
	MaximumAge     Days         // The user must change the password after this many days. -1 means that there is no maximum password age, no warning period and no inactivity period.
	WarningPeriod  Days         // Days before the password expires during which the user is warned. -1 and 0 mean that there is no warning period.
	InactiveDays   Days         // Days after the password expires during which the user can still log in. -1 means that no inactivity period is enforced.
	ExpirationDate time.Time    // The date on which the account expires. Zero value means that the account never expires.
	Reserved       interface{}  // Reserved for future use by the Linux shadow format.
}

ShadowInfo represents an entry (line) from the /etc/shadow file.

func NewShadowInfo

func NewShadowInfo(line string) (ShadowInfo, error)

NewShadowInfo parses a line in a format of /etc/shadow file and returns it as a ShadowInfo.
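The hash classification and shadow parsing described for HashType, PasswordHash and ShadowInfo, written out as an added example. This is my code, not the package's: it maps crypt(3) prefixes onto the enumeration, keeps locked (!) and disabled (*) entries apart from weak hashes, and runs the empty-hash and weak-hash rules over a few constructed shadow lines. The Unknown value, hashNames, sampleShadow and findings are this example's own additions, and the aging fields are left unparsed here.

```go
package main

import (
	"fmt"
	"strings"
)

// HashType mirrors the package's enumeration; Unknown is this example's own
// addition so unrecognised prefixes (e.g. $y$ yescrypt) are not reported as DES.
type HashType int

const (
	MD5 HashType = iota
	BLOWFISH
	SHA256
	SHA512
	DES
	Unknown
)

var hashNames = [...]string{"MD5", "BLOWFISH", "SHA256", "SHA512", "DES", "Unknown"}

// PasswordHash is the password field of a passwd or shadow entry, crypt(3) format.
type PasswordHash string

// IsDisabled: a leading '!' (locked, passwd -l) or '*' (system account) means
// no password can ever match this entry.
func (h PasswordHash) IsDisabled() bool {
	return strings.HasPrefix(string(h), "!") || strings.HasPrefix(string(h), "*")
}

// GetHashType classifies by the crypt(3) "$id$" prefix. Traditional DES has no
// prefix and is exactly 13 characters of [./0-9A-Za-z]. The '!' lock marker is
// stripped first so a locked account still reports its underlying algorithm.
func (h PasswordHash) GetHashType() HashType {
	s := strings.TrimLeft(string(h), "!")
	switch {
	case strings.HasPrefix(s, "$1$"):
		return MD5
	case strings.HasPrefix(s, "$2a$"), strings.HasPrefix(s, "$2b$"), strings.HasPrefix(s, "$2y$"):
		return BLOWFISH
	case strings.HasPrefix(s, "$5$"):
		return SHA256
	case strings.HasPrefix(s, "$6$"):
		return SHA512
	case len(s) == 13 && !strings.ContainsAny(s, "$:*"):
		return DES
	}
	return Unknown
}

// UsesWeakHashing applies the package's rule: MD5 and DES are weak.
func (h PasswordHash) UsesWeakHashing() bool {
	t := h.GetHashType()
	return t == MD5 || t == DES
}

// ShadowInfo keeps only the shadow(5) fields this example uses.
type ShadowInfo struct {
	Username     string
	PasswordHash PasswordHash
}

// NewShadowInfo parses one shadow(5) line: nine colon-separated fields, the
// last (reserved) normally empty. An empty second field is a valid, empty hash.
func NewShadowInfo(line string) (ShadowInfo, error) {
	f := strings.Split(line, ":")
	if len(f) != 9 || f[0] == "" {
		return ShadowInfo{}, fmt.Errorf("malformed shadow line: %q", line)
	}
	return ShadowInfo{Username: f[0], PasswordHash: PasswordHash(f[1])}, nil
}

// sampleShadow is constructed for this example; the hashes are placeholders.
var sampleShadow = []string{
	"root:$6$saltsalt$hashhashhashhashhash:19000:0:99999:7:::",
	"daemon:*:18000:0:99999:7:::",
	"legacy:ab/CDefGhIJK1:17000:0:99999:7:::",
	"oldadmin:$1$saltsalt$md5md5md5md5md5md5:17500:0:99999:7:::",
	"guest::18500:0:99999:7:::",
}

// findings applies the empty-hash and weak-hash rules, one line per problem.
// Disabled accounts are skipped first: '*' and '!' are markers, not weak hashes.
func findings(lines []string) []string {
	var out []string
	for _, l := range lines {
		si, err := NewShadowInfo(l)
		switch {
		case err != nil:
			out = append(out, "parse error: "+err.Error())
		case si.PasswordHash.IsDisabled():
		case si.PasswordHash == "":
			out = append(out, si.Username+": empty password")
		case si.PasswordHash.UsesWeakHashing():
			out = append(out, si.Username+": weak hash "+hashNames[si.PasswordHash.GetHashType()])
		}
	}
	return out
}

func main() {
	fmt.Println(strings.Join(findings(sampleShadow), "\n"))
}
```

The order of the switch matters: an entry such as `*` or `!` must be recognised as disabled before the weak-hash test, otherwise a 13-character locked DES hash (`!` plus 12 characters) or a bare `*` could be misclassified. Hashes with an unfamiliar prefix come back as Unknown, which is neither weak nor known good; in a real audit they deserve a look rather than a pass.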

type User

type User struct {
	Username     string       // Just a username.
	PasswordHash PasswordHash // Password field from /etc/passwd, contains 'x' if shadow file is used.
	UID          int          // Numeric user ID.
	GID          int          // Numeric primary group ID.
	Comment      string       // Comment or a full name.
	Home         string       // Home directory.
	Shell        string       // User command interpreter.
}

User represents an account entry from /etc/passwd, including its password field, which refers to /etc/shadow when set to 'x'.

func NewUser

func NewUser(line string) (User, error)

NewUser parses a line in the format of /etc/passwd and returns it as a User. It returns an error if the line format or any of the fields is invalid.

func (User) IsBackdooredRoot

func (u User) IsBackdooredRoot() bool

IsBackdooredRoot reports whether the account has UID 0 but a username other than root, i.e. a second superuser account.

func (User) UsesShadowFile

func (u User) UsesShadowFile() bool

UsesShadowFile reports whether the user's password hash is stored in /etc/shadow, which is the case when the passwd password field is 'x'.
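The passwd side of the analysis as an added example, my code rather than the package's: a passwd(5) line parser with the IsBackdooredRoot and UsesShadowFile checks, run over constructed lines that include a second UID-0 account, an empty password and a malformed entry. The check for a hash kept directly in /etc/passwd, samplePasswd and findings are this example's own additions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// User mirrors the package's struct for one passwd(5) entry.
type User struct {
	Username     string
	PasswordHash string // 'x' when the hash lives in /etc/shadow
	UID, GID     int
	Comment      string
	Home, Shell  string
}

// NewUser parses one passwd(5) line: name:password:UID:GID:GECOS:home:shell.
// Negative or non-numeric IDs are rejected, and a wrong field count is an
// error rather than a default: a truncated line is itself worth a look.
func NewUser(line string) (User, error) {
	f := strings.Split(line, ":")
	if len(f) != 7 || f[0] == "" {
		return User{}, fmt.Errorf("malformed passwd line: %q", line)
	}
	uid, err := strconv.Atoi(f[2])
	if err != nil || uid < 0 {
		return User{}, fmt.Errorf("invalid uid %q for %s", f[2], f[0])
	}
	gid, err := strconv.Atoi(f[3])
	if err != nil || gid < 0 {
		return User{}, fmt.Errorf("invalid gid %q for %s", f[3], f[0])
	}
	return User{Username: f[0], PasswordHash: f[1], UID: uid, GID: gid, Comment: f[4], Home: f[5], Shell: f[6]}, nil
}

// IsBackdooredRoot: any UID-0 entry not named root is a second superuser. The
// name often mimics a system account so it is overlooked in a casual review.
func (u User) IsBackdooredRoot() bool { return u.UID == 0 && u.Username != "root" }

// UsesShadowFile: 'x' means the real hash is in /etc/shadow.
func (u User) UsesShadowFile() bool { return u.PasswordHash == "x" }

// samplePasswd is constructed for this example; the hash is a placeholder.
var samplePasswd = []string{
	"root:x:0:0:root:/root:/bin/bash",
	"daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
	"sysupd:x:0:0:System Update:/var/lib/sysupd:/bin/sh",
	"ftp::14:50:FTP User:/var/ftp:/sbin/nologin",
	"www-data:$6$saltsalt$hashhashhash:33:33:www-data:/var/www:/usr/sbin/nologin",
	"broken:x:abc:1::/nonexistent:/bin/false",
}

// findings runs the passwd checks over the lines. The last check (a hash kept
// directly in world-readable /etc/passwd) is this example's own addition.
func findings(lines []string) []string {
	var out []string
	for _, l := range lines {
		u, err := NewUser(l)
		if err != nil {
			out = append(out, "parse error: "+err.Error())
			continue
		}
		if u.IsBackdooredRoot() {
			out = append(out, u.Username+": uid 0 but not root")
		}
		switch {
		case u.UsesShadowFile():
		case u.PasswordHash == "":
			out = append(out, u.Username+": empty password in /etc/passwd")
		case strings.HasPrefix(u.PasswordHash, "*"), strings.HasPrefix(u.PasswordHash, "!"):
			// disabled marker, not a hash
		default:
			out = append(out, u.Username+": hash stored in world-readable /etc/passwd")
		}
	}
	return out
}

func main() {
	fmt.Println(strings.Join(findings(samplePasswd), "\n"))
}
```

Lines that do not parse, including NIS compatibility entries such as `+::::::` whose UID field is empty, surface as parse errors rather than being skipped silently, so nothing in the file escapes the review unnoticed.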
