Documentation
Overview
Package passwd implements a minion that looks for simple issues within /etc/passwd and /etc/shadow files.
It contains functions that check whether users can log in without a password, use weak hashes, or have uid 0 without being root.
It also checks whether those files have insecure UNIX permissions.
Index
- Variables
- func AnalyzePasswd(file *pb.File) ([]*pb.Finding, error)
- func AnalyzeShadow(file *pb.File) ([]*pb.Finding, error)
- func ArePasswdPermissionsSecure(passwd *pb.FileMetadata) bool
- func AreShadowPermissionsSecure(shadow *pb.FileMetadata) bool
- type Days
- type HashType
- type Minion
- type PasswordHash
- type ShadowInfo
- type User
Constants
This section is empty.
Variables
var (
	PasswdPermissions = &pb.Advisory{
		Reference:      "passwd_permissions",
		Description:    "/etc/passwd file has permissions that are too wide.",
		Recommendation: "Change the permissions of /etc/passwd to 0644.",
	}
	PasswdEmptyHash = &pb.Advisory{
		Reference:      "passwd_empty_hash",
		Description:    "User has an empty password",
		Recommendation: "Set up a password for the user",
	}
	PasswdWeakHashType = &pb.Advisory{
		Reference:      "passwd_weak_hash_type",
		Description:    "User uses weak hash function for the hash of his password.",
		Recommendation: "Change the hash function to SHA512.",
	}
	PasswdBackdoor = &pb.Advisory{
		Reference:   "passwd_backdoor",
		Description: "A user which is not root has uid 0.",
	}
	ShadowPermissions = &pb.Advisory{
		Reference:      "shadow_permissions",
		Description:    "/etc/shadow file has permissions that are too wide.",
		Recommendation: "Change the permissions of /etc/shadow to 0640.",
	}
	ShadowEmptyHash = &pb.Advisory{
		Reference:      "shadow_empty_hash",
		Description:    "User has an empty password.",
		Recommendation: "Set up a password for the user.",
	}
	ShadowWeakHashType = &pb.Advisory{
		Reference:      "shadow_weak_hash_type",
		Description:    "User uses weak hash for the hash of his password.",
		Recommendation: "Change the hash function to SHA512.",
	}
)
Advisories that are used by the passwdfile Minion.
Functions
func AnalyzePasswd
func AnalyzePasswd(file *pb.File) ([]*pb.Finding, error)
AnalyzePasswd looks for security issues in the /etc/passwd file and reports them as Findings.
func AnalyzeShadow
func AnalyzeShadow(file *pb.File) ([]*pb.Finding, error)
AnalyzeShadow looks for security issues in the /etc/shadow file and reports them as Findings.
func ArePasswdPermissionsSecure
func ArePasswdPermissionsSecure(passwd *pb.FileMetadata) bool
ArePasswdPermissionsSecure checks the permissions of the /etc/passwd file. It returns false when there are issues with the permissions (any of g+w, o+w is set), and true otherwise.
func AreShadowPermissionsSecure
func AreShadowPermissionsSecure(shadow *pb.FileMetadata) bool
AreShadowPermissionsSecure checks the permissions of the /etc/shadow file. It returns false when there are issues with the permissions (any of g+w, o+w, o+r is set), and true otherwise.
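As an added example (not code from the passwd package), the two permission rules above expressed as one checker over an os.FileMode that also names the offending bits; the rule table, function names and sample modes are constructed here.

```go
package main

import (
	"fmt"
	"os"
)

// permRule names one permission bit that the page treats as too wide.
type permRule struct {
	name string
	bit  os.FileMode
}

// Rules per file, as documented: /etc/passwd must not be group- or
// world-writable; /etc/shadow additionally must not be world-readable.
var permRules = map[string][]permRule{
	"/etc/passwd": {{"g+w", 0o020}, {"o+w", 0o002}},
	"/etc/shadow": {{"g+w", 0o020}, {"o+w", 0o002}, {"o+r", 0o004}},
}

// permissionIssues returns the offending bits for path, in rule order.
// An empty result means the file is secure by the page's rules.
func permissionIssues(path string, mode os.FileMode) []string {
	var issues []string
	for _, r := range permRules[path] {
		if mode.Perm()&r.bit != 0 {
			issues = append(issues, r.name)
		}
	}
	return issues
}

// permissionsSecure is the boolean form of ArePasswdPermissionsSecure /
// AreShadowPermissionsSecure, selected by path.
func permissionsSecure(path string, mode os.FileMode) bool {
	return len(permissionIssues(path, mode)) == 0
}

func main() {
	// Constructed sample modes: the recommended value and a too-wide one per file.
	samples := []struct {
		path string
		mode os.FileMode
	}{{"/etc/passwd", 0o644}, {"/etc/passwd", 0o666}, {"/etc/shadow", 0o640}, {"/etc/shadow", 0o644}}
	for _, s := range samples {
		fmt.Printf("%s %04o secure=%v issues=%v\n", s.path, s.mode,
			permissionsSecure(s.path, s.mode), permissionIssues(s.path, s.mode))
	}
}
```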
Types
type Minion
type Minion struct{}
Minion is the implementation of the minion.Minion interface.
func (*Minion) AnalyzeFiles
func (m *Minion) AnalyzeFiles(ctx context.Context, req *pb.AnalyzeFilesRequest) (*pb.AnalyzeFilesResponse, error)
AnalyzeFiles looks for /etc/passwd and /etc/shadow files in the AnalyzeFilesRequest. It then returns security issues found in those files as Findings in pb.AnalyzeFilesResponse.
func (*Minion) ListInitialInterests
func (m *Minion) ListInitialInterests(ctx context.Context, req *pb.ListInitialInterestsRequest) (*pb.ListInitialInterestsResponse, error)
ListInitialInterests returns the initial interests of a Minion.
type PasswordHash
type PasswordHash string
PasswordHash is a type used to store a password hash.
func (PasswordHash) GetHashType
func (hash PasswordHash) GetHashType() HashType
GetHashType returns the type of hash used by the PasswordHash.
func (PasswordHash) IsDisabled
func (hash PasswordHash) IsDisabled() bool
IsDisabled checks if the password is disabled, which is typically done by prepending the hash with ! or *.
func (PasswordHash) UsesWeakHashing
func (hash PasswordHash) UsesWeakHashing() bool
UsesWeakHashing checks if the password was hashed using MD5 or DES.
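The three PasswordHash methods above, as an added example rather than the package's own code: classification by the crypt(3) "$id$" prefix, with the lock markers handled first. The HashType constant names and the HashNone/HashOther buckets are this example's assumptions.

```go
package main

import "strings"

// HashType mirrors the page's HashType; these named values are this example's assumption.
type HashType int

const (
	HashEmpty  HashType = iota // empty password field: login without a password
	HashNone                   // only a lock marker ("!" or "*"), no hash behind it
	HashDES                    // traditional DES crypt: no "$id$" prefix
	HashMD5                    // $1$
	HashSHA256                 // $5$
	HashSHA512                 // $6$
	HashOther                  // any other $id$ scheme (bcrypt, yescrypt, ...)
)
type PasswordHash string

// IsDisabled reports a locked account: the field starts with "!" or "*".
func (h PasswordHash) IsDisabled() bool {
	return strings.HasPrefix(string(h), "!") || strings.HasPrefix(string(h), "*")
}

// GetHashType classifies by the crypt(3) "$id$" prefix. Lock markers are
// stripped first, so a locked account with an MD5 hash still reports MD5.
func (h PasswordHash) GetHashType() HashType {
	s := strings.TrimLeft(string(h), "!*")
	switch {
	case h == "":
		return HashEmpty
	case s == "":
		return HashNone
	case strings.HasPrefix(s, "$1$"):
		return HashMD5
	case strings.HasPrefix(s, "$5$"):
		return HashSHA256
	case strings.HasPrefix(s, "$6$"):
		return HashSHA512
	case strings.HasPrefix(s, "$"):
		return HashOther
	default:
		return HashDES
	}
}

// UsesWeakHashing is true for MD5 and DES, the two schemes the page names as weak.
func (h PasswordHash) UsesWeakHashing() bool {
	t := h.GetHashType()
	return t == HashMD5 || t == HashDES
}
```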
type ShadowInfo
type ShadowInfo struct {
	// Username from /etc/passwd that this information refers to.
	Username string
	// Hash of the password, as in `man 3 crypt`.
	PasswordHash PasswordHash
	// Date of the last password change. In /etc/shadow it is a number of days since 01/01/1970.
	// An empty value in /etc/shadow is represented as the zero value of time.Time and means that
	// the aging features are disabled. A value of 01/01/1970 means that the user should change
	// the password on the next login.
	LastChangeDate time.Time
	// How long the user has to wait before being allowed to change the password. -1 and 0 mean
	// that there is no minimum age.
	MinimumAge Days
	// The user will have to change the password after that time. -1 means that there is no
	// maximum password age, no warning period and no inactivity period.
	MaximumAge Days
	// Days before the password expires during which the user is warned. -1 and 0 mean that
	// there is no warning period.
	WarningPeriod Days
	// Days after the password expires during which the user can still log in. -1 means there
	// is no enforcement of an inactivity period.
	InactiveDays Days
	// The date of expiration of the account. The zero value means that the account will never expire.
	ExpirationDate time.Time
	// Reserved for future use by the Linux standard.
	Reserved interface{}
}
ShadowInfo represents an entry (line) from the /etc/shadow file.
func NewShadowInfo
func NewShadowInfo(line string) (ShadowInfo, error)
NewShadowInfo parses a line in a format of /etc/shadow file and returns it as a ShadowInfo.
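An added example of the parsing NewShadowInfo describes, not the package's own code: it applies the field semantics documented on ShadowInfo (empty date fields become the zero time, day 0 is 01/01/1970). Representing an empty day-count field as -1 is this example's convention; the package's handling of empty fields is not shown on the page.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

type Days int
// ShadowInfo holds the fields the page documents (the hash is kept as a plain string).
type ShadowInfo struct {
	Username, PasswordHash                              string
	LastChangeDate, ExpirationDate                      time.Time
	MinimumAge, MaximumAge, WarningPeriod, InactiveDays Days
}

// epochDays maps "days since 01/01/1970" to a time: -1 (empty field) gives the zero time,
// i.e. aging disabled or never expires; 0 gives 01/01/1970, "change password at next login".
func epochDays(n int64) time.Time {
	if n < 0 {
		return time.Time{}
	}
	return time.Unix(n*86400, 0).UTC()
}

// NewShadowInfo parses one /etc/shadow line of nine colon-separated fields.
func NewShadowInfo(line string) (ShadowInfo, error) {
	f := strings.Split(line, ":")
	if len(f) != 9 {
		return ShadowInfo{}, fmt.Errorf("shadow: want 9 fields, got %d", len(f))
	}
	var n [6]int64 // fields 3..8: last change, min, max, warn, inactive, expire
	for i := range n {
		n[i] = -1 // empty field: this example's "not set" marker, not the package's
		if s := f[i+2]; s != "" {
			v, err := strconv.ParseInt(s, 10, 64)
			if err != nil {
				return ShadowInfo{}, fmt.Errorf("shadow field %d: %w", i+3, err)
			}
			n[i] = v
		}
	}
	return ShadowInfo{
		Username: f[0], PasswordHash: f[1],
		LastChangeDate: epochDays(n[0]), MinimumAge: Days(n[1]), MaximumAge: Days(n[2]),
		WarningPeriod: Days(n[3]), InactiveDays: Days(n[4]), ExpirationDate: epochDays(n[5]),
	}, nil
}
```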
type User
type User struct {
	Username     string       // Just a username.
	PasswordHash PasswordHash // Password field from /etc/passwd; contains 'x' if the shadow file is used.
	UID          int          // ID of the user.
	GID          int          // Group ID of the user.
	Comment      string       // Comment or a full name.
	Home         string       // Home directory.
	Shell        string       // User command interpreter.
}
User represents data from /etc/passwd and /etc/shadow.
func NewUser
NewUser parses a line in the format of /etc/passwd and returns it as a User. It returns an error if the line format or any of the fields is invalid.
func (User) IsBackdooredRoot
IsBackdooredRoot checks whether the username is not root but the uid is equal to 0.
func (User) UsesShadowFile
UsesShadowFile checks whether the user's password is stored in the /etc/shadow file.
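As an added example covering NewUser, IsBackdooredRoot and UsesShadowFile together (not the package's own code): a passwd-line parser with the two checks, plus a scan over a whole file for the condition behind the PasswdBackdoor advisory. The uid0Aliases helper and the three-line sample file are constructed here.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

type User struct {
	Username, PasswordHash string
	UID, GID               int
	Comment, Home, Shell   string
}

// NewUser parses one passwd line (seven colon-separated fields) and rejects
// a non-numeric uid or gid, the validation the page describes.
func NewUser(line string) (User, error) {
	f := strings.Split(line, ":")
	if len(f) != 7 {
		return User{}, fmt.Errorf("passwd: want 7 fields, got %d", len(f))
	}
	uid, errU := strconv.Atoi(f[2])
	gid, errG := strconv.Atoi(f[3])
	if errU != nil || errG != nil {
		return User{}, fmt.Errorf("passwd: non-numeric uid/gid %q/%q", f[2], f[3])
	}
	return User{f[0], f[1], uid, gid, f[4], f[5], f[6]}, nil
}
// IsBackdooredRoot is the PasswdBackdoor condition: uid 0 under a name other than root.
func (u User) IsBackdooredRoot() bool { return u.UID == 0 && u.Username != "root" }
// UsesShadowFile: the password field holds the "x" placeholder.
func (u User) UsesShadowFile() bool { return u.PasswordHash == "x" }
// samplePasswd is a constructed three-line file; "svc" is the planted uid-0 entry.
const samplePasswd = "root:x:0:0:root:/root:/bin/bash\nsvc:x:0:0::/var/svc:/bin/sh\nalice:x:1000:1000:Alice:/home/alice:/bin/bash\n"

// uid0Aliases scans a whole passwd file and returns the uid-0 accounts other than root.
func uid0Aliases(passwd string) ([]string, error) {
	var names []string
	for _, line := range strings.Split(strings.TrimSpace(passwd), "\n") {
		u, err := NewUser(line)
		if err != nil {
			return nil, err
		}
		if u.IsBackdooredRoot() {
			names = append(names, u.Username)
		}
	}
	return names, nil
}
```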