!274 增加高危端口扫描基线项

Merge pull request !274 from a-alpha/alpha-dev
2023-07-20 03:35:14 +00:00 · 2023-07-20 03:35:14 +00:00 · 7e38773063
parent d07d64afc2 99f490b169
commit 7e38773063
6 changed files with 248 additions and 0 deletions
--- a/data/BaseLine/LocalServices/check_high_risk_port/check_high_risk_port/check_high_risk_port.py
+++ b/data/BaseLine/LocalServices/check_high_risk_port/check_high_risk_port/check_high_risk_port.py
@ -0,0 +1,76 @@
+import socket
+
+import os
+import sys
+################################
+# 常量
+
+# for get_env_lang()
+STR_GET_ENV_LANG_ZH     = "语言环境为中文"
+STR_GET_ENV_LANG_EN     = "语言环境为英文"
+STR_GET_ENV_LANG_UNKNOW = "语言环境未知"
+
+# for is_root()
+STR_IS_ROOT_TRUE  = "当前用户为root权限"
+STR_IS_ROOT_FALSE = "当前用户没有root权限"
+
+################################
+# 环境检查函数
+
+def get_env_lang():
+#    lang = os.getenv("LANG")
+#    if lang.startswith("zh"):
+#        return STR_GET_ENV_LANG_ZH
+#    elif lang.startswith("en"):
+#        return STR_GET_ENV_LANG_EN
+#    else:
+#        return STR_GET_ENV_LANG_UNKNOW
+#
+    if arg_lang == "zh":
+        return STR_GET_ENV_LANG_ZH
+    elif arg_lang == "en":
+        return STR_GET_ENV_LANG_EN
+    else:
+        return STR_GET_ENV_LANG_UNKNOW
+
+def is_root():
+    if os.geteuid() == 0:
+        print(STR_IS_ROOT_TRUE)
+        return True
+    else:
+        print(STR_IS_ROOT_FALSE)
+        return False
+
+################################
+# 辅助函数
+def l_print(zh_str, en_str) :
+    if STR_GET_ENV_LANG_ZH == get_env_lang() :
+        print(zh_str);
+    else :
+        print(en_str);
+
+################################
+# 功能函数
+
+# 不开启高危端口检查
+def check_high_risk_port(ip):
+    # s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    # s.settimeout(2)
+    high_risk_ports = [21, 23, 25, 111, 427]
+    for port in high_risk_ports:
+        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        s.settimeout(2)
+        try:
+            s.connect((ip, port))
+            l_print(f"[WARNING] {ip} 存在高危端口 {port}",
+                    f"[WARNING] High risk port {port} is open for {ip}")
+        except Exception:
+            l_print(f"[OK] {ip} 没有存在高危端口 {port}",
+                    f"[OK] High risk port {port} don't open for {ip}")
+            pass
+        s.close()
+
+if __name__ == '__main__':
+    arg_lang = sys.argv[1]
+
+    check_high_risk_port("127.0.0.1")
--- a/data/BaseLine/LocalServices/check_high_risk_port/check_high_risk_port/check_high_risk_port.yaml
+++ b/data/BaseLine/LocalServices/check_high_risk_port/check_high_risk_port/check_high_risk_port.yaml
@ -0,0 +1,23 @@
+FormatVer: 20230518
+Id: check_high_risk_port
+Belong: baseline
+SiteInfo:
+    Name: 本地服务检测 -- 检测高危端口开放情况
+Power : 
+SiteRequests:
+    Implement: 
+        ImArray:
+            - Inter : python3
+              InterArgs :
+              Exec : check_high_risk_port.py
+              Args : 
+                - zh
+        Inter:
+            - "[WARNING]" 
+        Condition: None
+RepairArgs:
+    - Inter : python3
+      InterArgs :
+      Exec : fix_high_risk_port.py
+      Args : 
+      RepairPower: root  # root权限或者普通用户权限
--- a/data/BaseLine/LocalServices/check_high_risk_port/check_high_risk_port/check_high_risk_port_631.py
+++ b/data/BaseLine/LocalServices/check_high_risk_port/check_high_risk_port/check_high_risk_port_631.py
@ -0,0 +1,92 @@
+import socket
+
+import os
+import sys
+################################
+# 常量
+
+# for get_env_lang()
+STR_GET_ENV_LANG_ZH     = "语言环境为中文"
+STR_GET_ENV_LANG_EN     = "语言环境为英文"
+STR_GET_ENV_LANG_UNKNOW = "语言环境未知"
+
+# for is_root()
+STR_IS_ROOT_TRUE  = "当前用户为root权限"
+STR_IS_ROOT_FALSE = "当前用户没有root权限"
+
+################################
+# 环境检查函数
+
+def get_env_lang():
+#    lang = os.getenv("LANG")
+#    if lang.startswith("zh"):
+#        return STR_GET_ENV_LANG_ZH
+#    elif lang.startswith("en"):
+#        return STR_GET_ENV_LANG_EN
+#    else:
+#        return STR_GET_ENV_LANG_UNKNOW
+#
+    if arg_lang == "zh":
+        return STR_GET_ENV_LANG_ZH
+    elif arg_lang == "en":
+        return STR_GET_ENV_LANG_EN
+    else:
+        return STR_GET_ENV_LANG_UNKNOW
+
+def is_root():
+    if os.geteuid() == 0:
+        print(STR_IS_ROOT_TRUE)
+        return True
+    else:
+        print(STR_IS_ROOT_FALSE)
+        return False
+
+################################
+# 辅助函数
+def l_print(zh_str, en_str) :
+    if STR_GET_ENV_LANG_ZH == get_env_lang() :
+        print(zh_str);
+    else :
+        print(en_str);
+
+################################
+# 功能函数
+
+<<<<<<< HEAD:data/BaseLine/LocalServices/check_high_risk_port/check_high_risk_port/check_high_risk_port_631.py
+# 631高危端口检查
+def check_cups_risk_port(port):
+    try:
+        output = subprocess.check_output("grep -e 'Listen localhost:631' -e 'Listen 127.0.0.1:631' /etc/cups/cupsd.conf", shell=True)
+        output = output.decode('utf-8').strip()
+        l_print(f"[OK] 没有存在高危端口 {port}",
+                f"[OK] High risk port {port} don't open")
+    except:
+        l_print(f"[WARNING] 存在高危端口 {port}",
+                f"[WARNING] High risk port {port} is open")
+if __name__ == '__main__':
+    arg_lang = sys.argv[1]
+    check_cups_risk_port(631)
+=======
+# 不开启高危端口检查
+def check_high_risk_port(ip):
+    # s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    # s.settimeout(2)
+    high_risk_ports = [21, 23, 25, 111, 427, 631]
+    for port in high_risk_ports:
+        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        s.settimeout(2)
+        try:
+            s.connect((ip, port))
+            l_print(f"[WARNING] {ip} 存在高危端口 {port}",
+                    f"[WARNING] High risk port {port} is open for {ip}")
+        except Exception:
+            l_print(f"[OK] {ip} 没有存在高危端口 {port}",
+                    f"[OK] High risk port {port} don't open for {ip}")
+            pass
+        s.close()
+
+if __name__ == '__main__':
+    arg_lang = sys.argv[1]
+
+    check_high_risk_port("127.0.0.1")
+>>>>>>> c11dd98599d071adcb05d4be1477ed12e06c3b4e:data/BaseLine/LocalServices/highRiskPort/check_high_risk_port/check_high_risk_port.py
--- a/data/BaseLine/LocalServices/check_high_risk_port/check_high_risk_port/check_high_risk_port_631.yaml
+++ b/data/BaseLine/LocalServices/check_high_risk_port/check_high_risk_port/check_high_risk_port_631.yaml
@ -0,0 +1,23 @@
+FormatVer: 20230518
+Id: check_high_risk_port_631
+Belong: baseline
+SiteInfo:
+    Name: 本地服务检测 -- 检测高危端口开放情况
+Power : root
+SiteRequests:
+    Implement: 
+        ImArray:
+            - Inter : python3
+              InterArgs :
+              Exec : check_high_risk_port_631.py
+              Args : 
+                - zh
+        Inter:
+            - "[WARNING]" 
+        Condition: None
+RepairArgs:
+    - Inter : python3
+      InterArgs :
+      Exec : fix_high_risk_port.py
+      Args : 
+      RepairPower: root  # root权限或者普通用户权限
--- a/data/BaseLine/LocalServices/check_high_risk_port/check_high_risk_port/fix_high_risk_port.py
+++ b/data/BaseLine/LocalServices/check_high_risk_port/check_high_risk_port/fix_high_risk_port.py
@ -0,0 +1,18 @@
+from distutils import command
+# [OK]为修复成功
+# 执行修复脚本权限需要root权限执行
+
+import os
+
+def fix_high_risk_port(port):
+    command="sudo iptables -A INPUT -p tcp --dport " + port + " -j DROP"
+    os.system(command)
+    print("[OK] "+port + " fix pass")
+
+if __name__ == '__main__':
+    # 文件权限检查
+    fix_high_risk_port("21")
+    fix_high_risk_port("23")
+    fix_high_risk_port("25")
+    fix_high_risk_port("111")
+    fix_high_risk_port("427")
--- a/data/BaseLine/LocalServices/check_high_risk_port/check_high_risk_port/fix_high_risk_port_631.py
+++ b/data/BaseLine/LocalServices/check_high_risk_port/check_high_risk_port/fix_high_risk_port_631.py
@ -0,0 +1,16 @@
+from distutils import command
+# [OK]为修复成功
+# 执行修复脚本权限需要root权限执行
+
+# 修复高危端口631
+import subprocess
+
+def fix_631():
+    cmd = "sed -i 's/.*631/Listen localhost:631/g' /etc/cups/cupsd.conf"
+    subprocess.run(cmd, shell=True, check=True)
+    cmd = "sudo systemctl restart cups"
+    subprocess.run(cmd, shell=True, check=True)
+    print('[OK] 631 fix suff')
+    
+if __name__ == '__main__':
+    fix_631()