kastell 2.0.0 → 2.2.0
- package/CHANGELOG.md +85 -0
- package/README.md +1 -1
- package/README.tr.md +1 -1
- package/dist/commands/audit.d.ts +3 -0
- package/dist/commands/audit.d.ts.map +1 -1
- package/dist/commands/audit.js +61 -32
- package/dist/commands/audit.js.map +1 -1
- package/dist/commands/config.js +1 -1
- package/dist/commands/config.js.map +1 -1
- package/dist/commands/doctor.d.ts +1 -0
- package/dist/commands/doctor.d.ts.map +1 -1
- package/dist/commands/doctor.js +25 -7
- package/dist/commands/doctor.js.map +1 -1
- package/dist/commands/explain.d.ts +6 -0
- package/dist/commands/explain.d.ts.map +1 -0
- package/dist/commands/explain.js +28 -0
- package/dist/commands/explain.js.map +1 -0
- package/dist/commands/fix.d.ts +2 -0
- package/dist/commands/fix.d.ts.map +1 -1
- package/dist/commands/fix.js +54 -15
- package/dist/commands/fix.js.map +1 -1
- package/dist/commands/fleet.d.ts.map +1 -1
- package/dist/commands/fleet.js +1 -0
- package/dist/commands/fleet.js.map +1 -1
- package/dist/commands/init.d.ts.map +1 -1
- package/dist/commands/init.js +175 -1
- package/dist/commands/init.js.map +1 -1
- package/dist/commands/interactive.d.ts.map +1 -1
- package/dist/commands/interactive.js +59 -1
- package/dist/commands/interactive.js.map +1 -1
- package/dist/commands/plugin.d.ts +8 -0
- package/dist/commands/plugin.d.ts.map +1 -0
- package/dist/commands/plugin.js +87 -0
- package/dist/commands/plugin.js.map +1 -0
- package/dist/commands/regression.d.ts +5 -0
- package/dist/commands/regression.d.ts.map +1 -0
- package/dist/commands/regression.js +40 -0
- package/dist/commands/regression.js.map +1 -0
- package/dist/core/audit/checkIds.d.ts +516 -0
- package/dist/core/audit/checkIds.d.ts.map +1 -0
- package/dist/core/audit/checkIds.js +515 -0
- package/dist/core/audit/checkIds.js.map +1 -0
- package/dist/core/audit/checks/accounts.d.ts.map +1 -1
- package/dist/core/audit/checks/accounts.js +23 -22
- package/dist/core/audit/checks/accounts.js.map +1 -1
- package/dist/core/audit/checks/auth.d.ts.map +1 -1
- package/dist/core/audit/checks/auth.js +23 -22
- package/dist/core/audit/checks/auth.js.map +1 -1
- package/dist/core/audit/checks/backup.d.ts.map +1 -1
- package/dist/core/audit/checks/backup.js +9 -8
- package/dist/core/audit/checks/backup.js.map +1 -1
- package/dist/core/audit/checks/banners.d.ts.map +1 -1
- package/dist/core/audit/checks/banners.js +7 -6
- package/dist/core/audit/checks/banners.js.map +1 -1
- package/dist/core/audit/checks/boot.d.ts.map +1 -1
- package/dist/core/audit/checks/boot.js +12 -11
- package/dist/core/audit/checks/boot.js.map +1 -1
- package/dist/core/audit/checks/cloudmeta.d.ts.map +1 -1
- package/dist/core/audit/checks/cloudmeta.js +7 -6
- package/dist/core/audit/checks/cloudmeta.js.map +1 -1
- package/dist/core/audit/checks/crypto.d.ts +0 -5
- package/dist/core/audit/checks/crypto.d.ts.map +1 -1
- package/dist/core/audit/checks/crypto.js +20 -19
- package/dist/core/audit/checks/crypto.js.map +1 -1
- package/dist/core/audit/checks/ddos.d.ts.map +1 -1
- package/dist/core/audit/checks/ddos.js +9 -8
- package/dist/core/audit/checks/ddos.js.map +1 -1
- package/dist/core/audit/checks/dns.d.ts.map +1 -1
- package/dist/core/audit/checks/dns.js +9 -8
- package/dist/core/audit/checks/dns.js.map +1 -1
- package/dist/core/audit/checks/docker.d.ts.map +1 -1
- package/dist/core/audit/checks/docker.js +65 -64
- package/dist/core/audit/checks/docker.js.map +1 -1
- package/dist/core/audit/checks/fileintegrity.d.ts.map +1 -1
- package/dist/core/audit/checks/fileintegrity.js +11 -10
- package/dist/core/audit/checks/fileintegrity.js.map +1 -1
- package/dist/core/audit/checks/filesystem.d.ts.map +1 -1
- package/dist/core/audit/checks/filesystem.js +21 -20
- package/dist/core/audit/checks/filesystem.js.map +1 -1
- package/dist/core/audit/checks/firewall.d.ts.map +1 -1
- package/dist/core/audit/checks/firewall.js +18 -17
- package/dist/core/audit/checks/firewall.js.map +1 -1
- package/dist/core/audit/checks/httpHeaders.d.ts.map +1 -1
- package/dist/core/audit/checks/httpHeaders.js +7 -6
- package/dist/core/audit/checks/httpHeaders.js.map +1 -1
- package/dist/core/audit/checks/incidentready.d.ts.map +1 -1
- package/dist/core/audit/checks/incidentready.js +13 -12
- package/dist/core/audit/checks/incidentready.js.map +1 -1
- package/dist/core/audit/checks/kernel.d.ts.map +1 -1
- package/dist/core/audit/checks/kernel.js +32 -31
- package/dist/core/audit/checks/kernel.js.map +1 -1
- package/dist/core/audit/checks/logging.d.ts.map +1 -1
- package/dist/core/audit/checks/logging.js +21 -20
- package/dist/core/audit/checks/logging.js.map +1 -1
- package/dist/core/audit/checks/mac.d.ts.map +1 -1
- package/dist/core/audit/checks/mac.js +11 -10
- package/dist/core/audit/checks/mac.js.map +1 -1
- package/dist/core/audit/checks/malware.d.ts.map +1 -1
- package/dist/core/audit/checks/malware.js +12 -11
- package/dist/core/audit/checks/malware.js.map +1 -1
- package/dist/core/audit/checks/memory.d.ts.map +1 -1
- package/dist/core/audit/checks/memory.js +12 -11
- package/dist/core/audit/checks/memory.js.map +1 -1
- package/dist/core/audit/checks/network.d.ts.map +1 -1
- package/dist/core/audit/checks/network.js +22 -21
- package/dist/core/audit/checks/network.js.map +1 -1
- package/dist/core/audit/checks/nginx.d.ts.map +1 -1
- package/dist/core/audit/checks/nginx.js +17 -16
- package/dist/core/audit/checks/nginx.js.map +1 -1
- package/dist/core/audit/checks/resourcelimits.d.ts.map +1 -1
- package/dist/core/audit/checks/resourcelimits.js +9 -8
- package/dist/core/audit/checks/resourcelimits.js.map +1 -1
- package/dist/core/audit/checks/scheduling.d.ts.map +1 -1
- package/dist/core/audit/checks/scheduling.js +13 -12
- package/dist/core/audit/checks/scheduling.js.map +1 -1
- package/dist/core/audit/checks/secrets.d.ts.map +1 -1
- package/dist/core/audit/checks/secrets.js +16 -15
- package/dist/core/audit/checks/secrets.js.map +1 -1
- package/dist/core/audit/checks/services.d.ts.map +1 -1
- package/dist/core/audit/checks/services.js +26 -25
- package/dist/core/audit/checks/services.js.map +1 -1
- package/dist/core/audit/checks/ssh.d.ts.map +1 -1
- package/dist/core/audit/checks/ssh.js +23 -22
- package/dist/core/audit/checks/ssh.js.map +1 -1
- package/dist/core/audit/checks/supplychain.d.ts.map +1 -1
- package/dist/core/audit/checks/supplychain.js +13 -12
- package/dist/core/audit/checks/supplychain.js.map +1 -1
- package/dist/core/audit/checks/time.d.ts.map +1 -1
- package/dist/core/audit/checks/time.js +10 -9
- package/dist/core/audit/checks/time.js.map +1 -1
- package/dist/core/audit/checks/tls.d.ts.map +1 -1
- package/dist/core/audit/checks/tls.js +9 -8
- package/dist/core/audit/checks/tls.js.map +1 -1
- package/dist/core/audit/checks/updates.d.ts.map +1 -1
- package/dist/core/audit/checks/updates.js +12 -11
- package/dist/core/audit/checks/updates.js.map +1 -1
- package/dist/core/audit/compliance/categories/index.d.ts +3 -0
- package/dist/core/audit/compliance/categories/index.d.ts.map +1 -0
- package/dist/core/audit/compliance/categories/index.js +737 -0
- package/dist/core/audit/compliance/categories/index.js.map +1 -0
- package/dist/core/audit/compliance/helpers.d.ts +17 -0
- package/dist/core/audit/compliance/helpers.d.ts.map +1 -0
- package/dist/core/audit/compliance/helpers.js +40 -0
- package/dist/core/audit/compliance/helpers.js.map +1 -0
- package/dist/core/audit/compliance/mapper.d.ts +4 -16
- package/dist/core/audit/compliance/mapper.d.ts.map +1 -1
- package/dist/core/audit/compliance/mapper.js +3 -776
- package/dist/core/audit/compliance/mapper.js.map +1 -1
- package/dist/core/audit/diff.d.ts +12 -1
- package/dist/core/audit/diff.d.ts.map +1 -1
- package/dist/core/audit/diff.js +121 -0
- package/dist/core/audit/diff.js.map +1 -1
- package/dist/core/audit/explainCheck.d.ts +26 -0
- package/dist/core/audit/explainCheck.d.ts.map +1 -0
- package/dist/core/audit/explainCheck.js +165 -0
- package/dist/core/audit/explainCheck.js.map +1 -0
- package/dist/core/audit/fix-history.d.ts +16 -7
- package/dist/core/audit/fix-history.d.ts.map +1 -1
- package/dist/core/audit/fix-history.js +25 -2
- package/dist/core/audit/fix-history.js.map +1 -1
- package/dist/core/audit/fix.d.ts +21 -6
- package/dist/core/audit/fix.d.ts.map +1 -1
- package/dist/core/audit/fix.js +139 -49
- package/dist/core/audit/fix.js.map +1 -1
- package/dist/core/audit/history.d.ts.map +1 -1
- package/dist/core/audit/history.js +2 -1
- package/dist/core/audit/history.js.map +1 -1
- package/dist/core/audit/index.d.ts.map +1 -1
- package/dist/core/audit/index.js +3 -2
- package/dist/core/audit/index.js.map +1 -1
- package/dist/core/audit/listChecks.d.ts +7 -0
- package/dist/core/audit/listChecks.d.ts.map +1 -1
- package/dist/core/audit/listChecks.js +1 -1
- package/dist/core/audit/listChecks.js.map +1 -1
- package/dist/core/audit/regression.d.ts +15 -0
- package/dist/core/audit/regression.d.ts.map +1 -0
- package/dist/core/audit/regression.js +149 -0
- package/dist/core/audit/regression.js.map +1 -0
- package/dist/core/audit/snapshot.d.ts.map +1 -1
- package/dist/core/audit/snapshot.js +91 -29
- package/dist/core/audit/snapshot.js.map +1 -1
- package/dist/core/audit/types.d.ts +63 -1
- package/dist/core/audit/types.d.ts.map +1 -1
- package/dist/core/audit/watch.d.ts.map +1 -1
- package/dist/core/audit/watch.js +3 -2
- package/dist/core/audit/watch.js.map +1 -1
- package/dist/core/bot/handlers.d.ts.map +1 -1
- package/dist/core/bot/handlers.js +9 -18
- package/dist/core/bot/handlers.js.map +1 -1
- package/dist/core/completions.d.ts.map +1 -1
- package/dist/core/completions.js +24 -2
- package/dist/core/completions.js.map +1 -1
- package/dist/core/defaults.d.ts +4 -0
- package/dist/core/defaults.d.ts.map +1 -0
- package/dist/core/defaults.js +34 -0
- package/dist/core/defaults.js.map +1 -0
- package/dist/core/doctor-fix.d.ts +1 -1
- package/dist/core/doctor-fix.d.ts.map +1 -1
- package/dist/core/doctor-fix.js +17 -2
- package/dist/core/doctor-fix.js.map +1 -1
- package/dist/core/doctor.d.ts +4 -0
- package/dist/core/doctor.d.ts.map +1 -1
- package/dist/core/doctor.js +26 -2
- package/dist/core/doctor.js.map +1 -1
- package/dist/core/firewall.d.ts +1 -4
- package/dist/core/firewall.d.ts.map +1 -1
- package/dist/core/firewall.js +19 -25
- package/dist/core/firewall.js.map +1 -1
- package/dist/core/fleet.d.ts +8 -0
- package/dist/core/fleet.d.ts.map +1 -1
- package/dist/core/fleet.js +49 -5
- package/dist/core/fleet.js.map +1 -1
- package/dist/core/manage.d.ts +9 -6
- package/dist/core/manage.d.ts.map +1 -1
- package/dist/core/manage.js +2 -1
- package/dist/core/manage.js.map +1 -1
- package/dist/core/notify.d.ts.map +1 -1
- package/dist/core/notify.js +2 -1
- package/dist/core/notify.js.map +1 -1
- package/dist/core/plugin.d.ts +23 -0
- package/dist/core/plugin.d.ts.map +1 -0
- package/dist/core/plugin.js +107 -0
- package/dist/core/plugin.js.map +1 -0
- package/dist/core/scheduleManager.d.ts +2 -1
- package/dist/core/scheduleManager.d.ts.map +1 -1
- package/dist/core/scheduleManager.js +8 -5
- package/dist/core/scheduleManager.js.map +1 -1
- package/dist/core/status.d.ts +1 -0
- package/dist/core/status.d.ts.map +1 -1
- package/dist/core/status.js +20 -6
- package/dist/core/status.js.map +1 -1
- package/dist/index.js +65 -2
- package/dist/index.js.map +1 -1
- package/dist/mcp/index.js +5 -9
- package/dist/mcp/index.js.map +1 -1
- package/dist/mcp/server.d.ts.map +1 -1
- package/dist/mcp/server.js +44 -2
- package/dist/mcp/server.js.map +1 -1
- package/dist/mcp/tools/serverAudit.d.ts.map +1 -1
- package/dist/mcp/tools/serverAudit.js +15 -0
- package/dist/mcp/tools/serverAudit.js.map +1 -1
- package/dist/mcp/tools/serverCompare.d.ts +15 -0
- package/dist/mcp/tools/serverCompare.d.ts.map +1 -0
- package/dist/mcp/tools/serverCompare.js +43 -0
- package/dist/mcp/tools/serverCompare.js.map +1 -0
- package/dist/mcp/tools/serverDoctor.d.ts.map +1 -1
- package/dist/mcp/tools/serverDoctor.js +2 -1
- package/dist/mcp/tools/serverDoctor.js.map +1 -1
- package/dist/mcp/tools/serverExplain.d.ts +8 -0
- package/dist/mcp/tools/serverExplain.d.ts.map +1 -0
- package/dist/mcp/tools/serverExplain.js +14 -0
- package/dist/mcp/tools/serverExplain.js.map +1 -0
- package/dist/mcp/tools/serverFix.d.ts +2 -0
- package/dist/mcp/tools/serverFix.d.ts.map +1 -1
- package/dist/mcp/tools/serverFix.js +40 -2
- package/dist/mcp/tools/serverFix.js.map +1 -1
- package/dist/mcp/tools/serverFleet.d.ts +2 -0
- package/dist/mcp/tools/serverFleet.d.ts.map +1 -1
- package/dist/mcp/tools/serverFleet.js +10 -1
- package/dist/mcp/tools/serverFleet.js.map +1 -1
- package/dist/mcp/tools/serverManage.d.ts.map +1 -1
- package/dist/mcp/tools/serverManage.js +10 -9
- package/dist/mcp/tools/serverManage.js.map +1 -1
- package/dist/mcp/tools/serverPlugin.d.ts +12 -0
- package/dist/mcp/tools/serverPlugin.d.ts.map +1 -0
- package/dist/mcp/tools/serverPlugin.js +22 -0
- package/dist/mcp/tools/serverPlugin.js.map +1 -0
- package/dist/plugin/loader.d.ts +10 -0
- package/dist/plugin/loader.d.ts.map +1 -0
- package/dist/plugin/loader.js +88 -0
- package/dist/plugin/loader.js.map +1 -0
- package/dist/plugin/registry.d.ts +16 -0
- package/dist/plugin/registry.d.ts.map +1 -0
- package/dist/plugin/registry.js +99 -0
- package/dist/plugin/registry.js.map +1 -0
- package/dist/plugin/sdk/constants.d.ts +3 -0
- package/dist/plugin/sdk/constants.d.ts.map +1 -0
- package/dist/plugin/sdk/constants.js +3 -0
- package/dist/plugin/sdk/constants.js.map +1 -0
- package/dist/plugin/sdk/types.d.ts +29 -0
- package/dist/plugin/sdk/types.d.ts.map +1 -0
- package/dist/plugin/sdk/types.js +2 -0
- package/dist/plugin/sdk/types.js.map +1 -0
- package/dist/plugin/validate.d.ts +3 -0
- package/dist/plugin/validate.d.ts.map +1 -0
- package/dist/plugin/validate.js +31 -0
- package/dist/plugin/validate.js.map +1 -0
- package/dist/providers/base.d.ts.map +1 -1
- package/dist/providers/base.js +2 -1
- package/dist/providers/base.js.map +1 -1
- package/dist/types/index.d.ts +8 -1
- package/dist/types/index.d.ts.map +1 -1
- package/dist/types/index.js +1 -1
- package/dist/types/index.js.map +1 -1
- package/dist/utils/dates.d.ts +3 -0
- package/dist/utils/dates.d.ts.map +1 -0
- package/dist/utils/dates.js +10 -0
- package/dist/utils/dates.js.map +1 -0
- package/dist/utils/errorMapper.d.ts.map +1 -1
- package/dist/utils/errorMapper.js +2 -1
- package/dist/utils/errorMapper.js.map +1 -1
- package/dist/utils/errors.d.ts +1 -0
- package/dist/utils/errors.d.ts.map +1 -1
- package/dist/utils/errors.js +3 -0
- package/dist/utils/errors.js.map +1 -1
- package/dist/utils/migration.d.ts.map +1 -1
- package/dist/utils/migration.js +2 -1
- package/dist/utils/migration.js.map +1 -1
- package/dist/utils/paths.d.ts +4 -0
- package/dist/utils/paths.d.ts.map +1 -1
- package/dist/utils/paths.js +4 -0
- package/dist/utils/paths.js.map +1 -1
- package/dist/utils/prompts.d.ts +6 -0
- package/dist/utils/prompts.d.ts.map +1 -1
- package/dist/utils/prompts.js +11 -0
- package/dist/utils/prompts.js.map +1 -1
- package/dist/utils/{defaults.d.ts → providerConfig.d.ts} +1 -1
- package/dist/utils/providerConfig.d.ts.map +1 -0
- package/dist/utils/{defaults.js → providerConfig.js} +1 -1
- package/dist/utils/providerConfig.js.map +1 -0
- package/dist/utils/secureWrite.d.ts.map +1 -1
- package/dist/utils/secureWrite.js +2 -1
- package/dist/utils/secureWrite.js.map +1 -1
- package/dist/utils/version.d.ts +4 -0
- package/dist/utils/version.d.ts.map +1 -0
- package/dist/utils/version.js +22 -0
- package/dist/utils/version.js.map +1 -0
- package/dist/utils/yamlConfig.d.ts.map +1 -1
- package/dist/utils/yamlConfig.js +3 -2
- package/dist/utils/yamlConfig.js.map +1 -1
- package/package.json +3 -1
- package/dist/utils/defaults.d.ts.map +0 -1
- package/dist/utils/defaults.js.map +0 -1
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"firewall.js","sourceRoot":"","sources":["../../../../src/core/audit/checks/firewall.ts"],"names":[],"mappings":"AAAA;;;GAGG;
|
|
1
|
+
{"version":3,"file":"firewall.js","sourceRoot":"","sources":["../../../../src/core/audit/checks/firewall.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAE3C,kGAAkG;AAClG,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC;AAEvD;;;;GAIG;AACH,SAAS,oBAAoB,CAAC,MAAc,EAAE,QAAgB;IAC5D,MAAM,GAAG,GAAG,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACrC,IAAI,GAAG,KAAK,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IAC5B,MAAM,aAAa,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC;IAC1D,MAAM,KAAK,GAAG,aAAa,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;IAC/C,OAAO,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AAC/C,CAAC;AAED,MAAM,CAAC,MAAM,mBAAmB,GAAgB,CAAC,aAAqB,EAAE,SAAiB,EAAgB,EAAE;IACzG,MAAM,IAAI,GAAG,CAAC,aAAa,IAAI,aAAa,CAAC,IAAI,EAAE,KAAK,KAAK,IAAI,aAAa,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC;IAC7F,MAAM,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC;IAEzC,yBAAyB;IACzB,MAAM,QAAQ,GAAG,mBAAmB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAClD,MAAM,IAAI,GAAe;QACvB,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,aAAa;QACpC,QAAQ,EAAE,UAAU;QACpB,IAAI,EAAE,iBAAiB;QACvB,QAAQ,EAAE,UAAU;QACpB,MAAM,EAAE,QAAQ;QAChB,YAAY,EAAE,IAAI,CAAC,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,UAAU;QAC7E,aAAa,EAAE,QAAQ;QACvB,UAAU,EAAE,YAAY;QACxB,aAAa,EAAE,WAAW;QAC1B,OAAO,EAAE,8EAA8E;KACxF,CAAC;IAEF,+BAA+B;IAC/B,MAAM,YAAY,GAAG,iCAAiC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACpE,MAAM,IAAI,GAAe;QACvB,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,eAAe;QACtC,QAAQ,EAAE,UAAU;QACpB,IAAI,EAAE,uBAAuB;QAC7B,QAAQ,EAAE,UAAU;QACpB,MAAM,EAAE,QAAQ,IAAI,YAAY;QAChC,YAAY,EAAE,IAAI,CAAC,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,iBAAiB;QACjG,aAAa,EAAE,iBAAiB;QAChC,UAAU,EAAE,2BAA2B;QACvC,aAAa,EAAE,WAAW;QAC1B,OAAO,EAAE,0EAA0E;KACpF,CAAC;IAEF,2BAA2B;IAC3B,MAAM,UAAU,GAAG,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACtF,MAAM,IAAI,GAAe;QACvB,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,cAAc;QACrC,QAAQ,EAAE,UAAU;QACpB,IAAI,EAAE,mBAAmB;QAC
zB,QAAQ,EAAE,SAAS;QACnB,MAAM,EAAE,QAAQ,IAAI,UAAU;QAC9B,YAAY,EAAE,IAAI,CAAC,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,uBAAuB;QACtG,aAAa,EAAE,kCAAkC;QACjD,UAAU,EAAE,kBAAkB;QAC9B,aAAa,EAAE,WAAW;QAC1B,OAAO,EAAE,mFAAmF;KAC7F,CAAC;IAEF,uDAAuD;IACvD,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACjC,IAAI,WAAW,GAAG,KAAK,CAAC;IACxB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,aAAa,GAAG,IAAI,CAAC,KAAK,CAAC,uDAAuD,CAAC,CAAC;QAC1F,IAAI,aAAa,EAAE,CAAC;YAClB,MAAM,IAAI,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC;YAC9B,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;gBACjC,WAAW,GAAG,IAAI,CAAC;gBACnB,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;IACD,MAAM,IAAI,GAAe;QACvB,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,eAAe;QACtC,QAAQ,EAAE,UAAU;QACpB,IAAI,EAAE,oBAAoB;QAC1B,QAAQ,EAAE,SAAS;QACnB,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW;QACnC,YAAY,EAAE,IAAI,CAAC,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,2CAA2C,CAAC,CAAC,CAAC,oBAAoB;QAC7H,aAAa,EAAE,0CAA0C;QACzD,UAAU,EAAE,iDAAiD;QAC7D,aAAa,EAAE,WAAW;QAC1B,OAAO,EAAE,kFAAkF;KAC5F,CAAC;IAEF,wEAAwE;IACxE,MAAM,WAAW,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACxE,MAAM,IAAI,GAAe;QACvB,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,aAAa;QACpC,QAAQ,EAAE,UAAU;QACpB,IAAI,EAAE,qBAAqB;QAC3B,QAAQ,EAAE,MAAM;QAChB,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,WAAW;QAClC,YAAY,EAAE,IAAI,CAAC,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,qBAAqB;QACvG,aAAa,EAAE,gCAAgC;QAC/C,UAAU,EAAE,6DAA6D;QACzE,aAAa,EAAE,WAAW;QAC1B,OAAO,EAAE,0EAA0E;KACpF,CAAC;IAGF,4BAA4B;IAC5B,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,iCAAiC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;IAChF,MAAM,IAAI,GAAe;QACvB,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,mBAAmB;QAC1C,QAAQ,EAAE,UAAU;QACpB,IAAI,EAAE,oBAAoB;QAC1B,QAAQ,EAAE,MAAM;QAChB,MAAM,EAAE,UAAU;QAClB,YAAY,EAAE,UAAU,CAAC,CAAC,CAAC,0BAA0B,CAAC,CAAC,CAAC,uBAAuB;QAC/E,aAAa,EAAE,uCAAuC;QACtD,UAAU,EAAE,4DAA4D;QACxE,aAAa,EAAE,WAAW;QAC1B,OAAO,EAAE,gGAAgG;KAC1G,CAAC;IAEF,4EAA4E
;IAC5E,MAAM,gBAAgB,GAAG,gBAAgB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACvD,MAAM,IAAI,GAAe;QACvB,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,kBAAkB;QACzC,QAAQ,EAAE,UAAU;QACpB,IAAI,EAAE,iBAAiB;QACvB,QAAQ,EAAE,SAAS;QACnB,MAAM,EAAE,gBAAgB;QACxB,YAAY,EAAE,gBAAgB,CAAC,CAAC,CAAC,6BAA6B,CAAC,CAAC,CAAC,qBAAqB;QACtF,aAAa,EAAE,yCAAyC;QACxD,UAAU,EAAE,4DAA4D;QACxE,aAAa,EAAE,WAAW;QAC1B,OAAO,EAAE,iFAAiF;KAC3F,CAAC;IAEF,0DAA0D;IAC1D,MAAM,aAAa,GAAG,oBAAoB,CAAC,MAAM,EAAE,sBAAsB,CAAC,IAAI,CAAC,CAAC;IAChF,MAAM,gBAAgB,GAAG,aAAa,GAAG,CAAC,CAAC;IAC3C,MAAM,IAAI,GAAe;QACvB,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,oBAAoB;QAC3C,QAAQ,EAAE,UAAU;QACpB,IAAI,EAAE,oBAAoB;QAC1B,QAAQ,EAAE,SAAS;QACnB,MAAM,EAAE,gBAAgB;QACxB,YAAY,EAAE,IAAI,CAAC,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,wBAAwB,aAAa,EAAE;QACpF,aAAa,EAAE,+CAA+C;QAC9D,UAAU,EAAE,2BAA2B;QACvC,aAAa,EAAE,WAAW;QAC1B,OAAO,EAAE,uFAAuF;KACjG,CAAC;IAEF,sDAAsD;IACtD,MAAM,eAAe,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,qBAAqB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAC5F,MAAM,YAAY,GAAG,4BAA4B,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IACxE,MAAM,IAAI,GAAe;QACvB,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,mBAAmB;QAC1C,QAAQ,EAAE,UAAU;QACpB,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,UAAU;QACpB,MAAM,EAAE,YAAY;QACpB,YAAY,EAAE,IAAI,CAAC,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,eAAe,CAAC,IAAI,EAAE,IAAI,uBAAuB;QAC9F,aAAa,EAAE,8CAA8C;QAC7D,UAAU,EAAE,wBAAwB;QACpC,aAAa,EAAE,WAAW;QAC1B,OAAO,EAAE,gHAAgH;KAC1H,CAAC;IAEF,oDAAoD;IACpD,MAAM,cAAc,GAAG,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC7C,MAAM,IAAI,GAAe;QACvB,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,kBAAkB;QACzC,QAAQ,EAAE,UAAU;QACpB,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,MAAM;QAChB,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,cAAc;QACrC,YAAY,EAAE,cAAc,CAAC,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,mCAAmC;QAC3F,aAAa,EAAE,2CAA2C;QAC1D,UAAU,EAAE,iEAAiE;QAC7E,aAAa,EAAE,WAAW;QAC1B,OAAO,EAAE,6FAA6F;KACvG,CAAC;IAEF,qDAAqD;IACrD,MAAM,gBAAgB,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,sBAAsB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAC9F,MAAM,mBAAmB,GAAG,2BAA2B,C
AAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;IAC/E,MAAM,IAAI,GAAe;QACvB,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,sBAAsB;QAC7C,QAAQ,EAAE,UAAU;QACpB,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,MAAM;QAChB,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,mBAAmB;QAC1C,YAAY,EAAE,IAAI,CAAC,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC,yBAAyB,CAAC,CAAC,CAAC,6BAA6B;QAC5H,aAAa,EAAE,uCAAuC;QACtD,UAAU,EAAE,8FAA8F;QAC1G,aAAa,EAAE,WAAW;QAC1B,OAAO,EAAE,qGAAqG;KAC/G,CAAC;IAEF,qCAAqC;IACrC,MAAM,YAAY,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,KAAK,MAAM,CAAC,CAAC;IAC5F,MAAM,IAAI,GAAe;QACvB,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,aAAa;QACpC,QAAQ,EAAE,UAAU;QACpB,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,MAAM;QAChB,MAAM,EAAE,YAAY;QACpB,YAAY,EAAE,YAAY,CAAC,CAAC,CAAC,2BAA2B,CAAC,CAAC,CAAC,wBAAwB;QACnF,aAAa,EAAE,yCAAyC;QACxD,UAAU,EAAE,yFAAyF;QACrG,aAAa,EAAE,WAAW;QAC1B,OAAO,EAAE,oGAAoG;KAC9G,CAAC;IAEF,2CAA2C;IAC3C,MAAM,iBAAiB,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,uBAAuB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAChG,MAAM,cAAc,GAAG,4BAA4B,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IAC5E,MAAM,IAAI,GAAe;QACvB,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,qBAAqB;QAC5C,QAAQ,EAAE,UAAU;QACpB,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,SAAS;QACnB,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,cAAc;QACrC,YAAY,EAAE,IAAI;YAChB,CAAC,CAAC,qBAAqB;YACvB,CAAC,CAAC,iBAAiB,CAAC,IAAI,EAAE,IAAI,yBAAyB;QACzD,aAAa,EAAE,gDAAgD;QAC/D,UAAU,EAAE,0BAA0B;QACtC,aAAa,EAAE,WAAW;QAC1B,OAAO,EACL,8HAA8H;KACjI,CAAC;IAEF,2CAA2C;IAC3C,MAAM,aAAa,GAAG,oBAAoB,CAAC,MAAM,EAAE,uBAAuB,CAAC,IAAI,CAAC,CAAC;IACjF,uBAAuB;IACvB,MAAM,kBAAkB,GAAG,sBAAsB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC/D,MAAM,IAAI,GAAe;QACvB,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,4BAA4B;QACnD,QAAQ,EAAE,UAAU;QACpB,IAAI,EAAE,2BAA2B;QACjC,QAAQ,EAAE,MAAM;QAChB,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,kBAAkB,IAAI,aAAa,GAAG,CAAC;QAC9D,YAAY,EAAE,IAAI;YAChB,CAAC,CAAC,qBAAqB;YACvB,CAAC,CAAC,kBAAkB;gBAClB,CAAC,CAAC,0BAA0B;gBAC5B,CAAC,CAA
C,0BAA0B,aAAa,EAAE;QAC/C,aAAa,EAAE,kDAAkD;QACjE,UAAU,EAAE,oFAAoF;QAChG,aAAa,EAAE,WAAW;QAC1B,OAAO,EACL,+EAA+E;KAClF,CAAC;IAEF,gDAAgD;IAChD,MAAM,iBAAiB,GAAG,uDAAuD,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC/F,MAAM,IAAI,GAAe;QACvB,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,qBAAqB;QAC5C,QAAQ,EAAE,UAAU;QACpB,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,SAAS;QACnB,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,iBAAiB;QACzC,YAAY,EAAE,IAAI;YAChB,CAAC,CAAC,qBAAqB;YACvB,CAAC,CAAC,iBAAiB;gBACjB,CAAC,CAAC,+CAA+C;gBACjD,CAAC,CAAC,uCAAuC;QAC7C,aAAa,EAAE,kEAAkE;QACjF,UAAU,EAAE,6EAA6E;QACzF,aAAa,EAAE,WAAW;QAC1B,OAAO,EACL,kHAAkH;KACrH,CAAC;IAEF,6BAA6B;IAC7B,MAAM,YAAY,GAAG,oBAAoB,CAAC,MAAM,EAAE,qBAAqB,CAAC,CAAC;IACzE,MAAM,IAAI,GAAe;QACvB,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,gBAAgB;QACvC,QAAQ,EAAE,UAAU;QACpB,IAAI,EAAE,oCAAoC;QAC1C,QAAQ,EAAE,MAAM;QAChB,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,YAAY,KAAK,IAAI,CAAC,CAAC,CAAC,YAAY,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK;QAC5E,YAAY,EAAE,IAAI;YAChB,CAAC,CAAC,qBAAqB;YACvB,CAAC,CAAC,YAAY,KAAK,IAAI;gBACrB,CAAC,CAAC,sBAAsB,YAAY,EAAE;gBACtC,CAAC,CAAC,mCAAmC;QACzC,aAAa,EAAE,2BAA2B;QAC1C,UAAU,EAAE,2IAA2I;QACvJ,aAAa,EAAE,WAAW;QAC1B,OAAO,EAAE,6GAA6G;KACvH,CAAC;IAEF,4CAA4C;IAC5C,MAAM,YAAY,GAAG,oBAAoB,CAAC,MAAM,EAAE,sBAAsB,CAAC,CAAC;IAC1E,MAAM,IAAI,GAAe;QACvB,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,cAAc;QACrC,QAAQ,EAAE,UAAU;QACpB,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,MAAM;QAChB,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,YAAY,KAAK,IAAI,CAAC,CAAC,CAAC,YAAY,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK;QACvE,YAAY,EAAE,IAAI;YAChB,CAAC,CAAC,qBAAqB;YACvB,CAAC,CAAC,YAAY,KAAK,IAAI;gBACrB,CAAC,CAAC,YAAY,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,YAAY,0BAA0B,CAAC,CAAC,CAAC,gCAAgC;gBACjG,CAAC,CAAC,iCAAiC;QACvC,aAAa,EAAE,uDAAuD;QACtE,UAAU,EAAE,4EAA4E;QACxF,aAAa,EAAE,WAAW;QAC1B,OAAO,EAAE,+HAA+H;KACzI,CAAC;IAEF,OAAO,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;AAChH,CAAC,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"httpHeaders.d.ts","sourceRoot":"","sources":["../../../../src/core/audit/checks/httpHeaders.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAa,WAAW,EAAoB,MAAM,aAAa,CAAC;AAuH5E,eAAO,MAAM,sBAAsB,EAAE,
|
|
1
|
+
{"version":3,"file":"httpHeaders.d.ts","sourceRoot":"","sources":["../../../../src/core/audit/checks/httpHeaders.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAa,WAAW,EAAoB,MAAM,aAAa,CAAC;AAuH5E,eAAO,MAAM,sBAAsB,EAAE,WA8BpC,CAAC"}
|
|
@@ -3,11 +3,12 @@
|
|
|
3
3
|
* Parses HTTP response headers into 6 security checks.
|
|
4
4
|
* If Nginx is not installed or HTTP is not responding, returns info-level skipped checks (score-neutral).
|
|
5
5
|
*/
|
|
6
|
+
import { CHECK_IDS } from "../checkIds.js";
|
|
6
7
|
import { makeSkippedChecks } from "./shared/skipChecks.js";
|
|
7
8
|
const CATEGORY = "HTTP Security Headers";
|
|
8
9
|
const HTTP_HEADER_CHECKS = [
|
|
9
10
|
{
|
|
10
|
-
id:
|
|
11
|
+
id: CHECK_IDS.HTTPHEADERS.HDR_001,
|
|
11
12
|
name: "X-Frame-Options or CSP frame-ancestors",
|
|
12
13
|
severity: "warning",
|
|
13
14
|
check: (output) => {
|
|
@@ -25,7 +26,7 @@ const HTTP_HEADER_CHECKS = [
|
|
|
25
26
|
explain: "X-Frame-Options or CSP frame-ancestors prevents clickjacking attacks by restricting which sites can embed your pages in iframes. Without this header, attackers can overlay invisible iframes on legitimate sites to hijack user clicks and steal credentials or trigger unintended actions.",
|
|
26
27
|
},
|
|
27
28
|
{
|
|
28
|
-
id:
|
|
29
|
+
id: CHECK_IDS.HTTPHEADERS.HDR_002,
|
|
29
30
|
name: "X-Content-Type-Options: nosniff",
|
|
30
31
|
severity: "warning",
|
|
31
32
|
check: (output) => {
|
|
@@ -40,7 +41,7 @@ const HTTP_HEADER_CHECKS = [
|
|
|
40
41
|
explain: "X-Content-Type-Options: nosniff prevents browsers from MIME-type sniffing, which can turn non-executable MIME types into executable content. Without this header, attackers can exploit MIME confusion to execute malicious scripts disguised as harmless file types like images or stylesheets.",
|
|
41
42
|
},
|
|
42
43
|
{
|
|
43
|
-
id:
|
|
44
|
+
id: CHECK_IDS.HTTPHEADERS.HDR_003,
|
|
44
45
|
name: "Referrer-Policy present",
|
|
45
46
|
severity: "info",
|
|
46
47
|
check: (output) => {
|
|
@@ -55,7 +56,7 @@ const HTTP_HEADER_CHECKS = [
|
|
|
55
56
|
explain: "Referrer-Policy controls how much URL information the browser sends when navigating away from your site. Without this header, full URLs including query parameters, tokens, and internal paths may leak to third-party sites via the Referer header, potentially exposing sensitive data.",
|
|
56
57
|
},
|
|
57
58
|
{
|
|
58
|
-
id:
|
|
59
|
+
id: CHECK_IDS.HTTPHEADERS.HDR_004,
|
|
59
60
|
name: "Permissions-Policy present",
|
|
60
61
|
severity: "info",
|
|
61
62
|
check: (output) => {
|
|
@@ -70,7 +71,7 @@ const HTTP_HEADER_CHECKS = [
|
|
|
70
71
|
explain: "Permissions-Policy restricts which browser features (camera, microphone, geolocation, payment) can be used by your site and embedded iframes. Without this header, malicious scripts or third-party iframes can silently access sensitive device APIs to record audio, track location, or initiate payments.",
|
|
71
72
|
},
|
|
72
73
|
{
|
|
73
|
-
id:
|
|
74
|
+
id: CHECK_IDS.HTTPHEADERS.HDR_005,
|
|
74
75
|
name: "No CORS Wildcard (Access-Control-Allow-Origin)",
|
|
75
76
|
severity: "warning",
|
|
76
77
|
check: (output) => {
|
|
@@ -86,7 +87,7 @@ const HTTP_HEADER_CHECKS = [
|
|
|
86
87
|
explain: "Access-Control-Allow-Origin: * allows any website to make cross-origin requests to your server and read the responses. This enables credential theft, data exfiltration, and CSRF attacks from any malicious site. Always specify exact allowed origins instead of using the wildcard.",
|
|
87
88
|
},
|
|
88
89
|
{
|
|
89
|
-
id:
|
|
90
|
+
id: CHECK_IDS.HTTPHEADERS.HDR_006,
|
|
90
91
|
name: "Content-Security-Policy present",
|
|
91
92
|
severity: "warning",
|
|
92
93
|
check: (output) => {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"httpHeaders.js","sourceRoot":"","sources":["../../../../src/core/audit/checks/httpHeaders.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;
|
|
1
|
+
{"version":3,"file":"httpHeaders.js","sourceRoot":"","sources":["../../../../src/core/audit/checks/httpHeaders.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAC3C,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAa3D,MAAM,QAAQ,GAAG,uBAAuB,CAAC;AAEzC,MAAM,kBAAkB,GAAyB;IAC/C;QACE,EAAE,EAAE,SAAS,CAAC,WAAW,CAAC,OAAO;QACjC,IAAI,EAAE,wCAAwC;QAC9C,QAAQ,EAAE,SAAS;QACnB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,MAAM,GAAG,sBAAsB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACnD,MAAM,oBAAoB,GAAG,iDAAiD,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC5F,IAAI,MAAM,IAAI,oBAAoB,EAAE,CAAC;gBACnC,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,yBAAyB,CAAC,CAAC,CAAC,6BAA6B,CAAC;gBAC/E,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,GAAG,EAAE,CAAC;YAC7C,CAAC;YACD,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,qDAAqD,EAAE,CAAC;QAChG,CAAC;QACD,aAAa,EAAE,iEAAiE;QAChF,UAAU,EAAE,qFAAqF;QACjG,aAAa,EAAE,SAAS;QACxB,OAAO,EACL,8RAA8R;KACjS;IACD;QACE,EAAE,EAAE,SAAS,CAAC,WAAW,CAAC,OAAO;QACjC,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,SAAS;QACnB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,GAAG,GAAG,uCAAuC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACjE,IAAI,GAAG;gBAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,yCAAyC,EAAE,CAAC;YAC1F,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,4DAA4D,EAAE,CAAC;QACvG,CAAC;QACD,aAAa,EAAE,gDAAgD;QAC/D,UAAU,EAAE,yFAAyF;QACrG,aAAa,EAAE,SAAS;QACxB,OAAO,EACL,kSAAkS;KACrS;IACD;QACE,EAAE,EAAE,SAAS,CAAC,WAAW,CAAC,OAAO;QACjC,IAAI,EAAE,yBAAyB;QAC/B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,GAAG,GAAG,sBAAsB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAChD,IAAI,GAAG;gBAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,gCAAgC,EAAE,CAAC;YACjF,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,+BAA+B,EAAE,CAAC;QAC1E,CAAC;QACD,aAAa,EAAE,uEAAuE;QACtF,UAAU,EAAE,0GAA0G;QACtH,aAAa,EAAE,SAAS;QACxB,OAAO,EACL,2RAA2R;KAC9R;IACD;QACE,EAAE,EAAE,SAAS,CAAC,WAAW,CAAC,OAAO;QACjC,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,GAAG,GAAG,yBAAyB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACnD,IAAI,GAAG;gBAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,EAA
E,mCAAmC,EAAE,CAAC;YACpF,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,kCAAkC,EAAE,CAAC;QAC7E,CAAC;QACD,aAAa,EAAE,gEAAgE;QAC/E,UAAU,EACR,sHAAsH;QACxH,aAAa,EAAE,SAAS;QACxB,OAAO,EACL,8SAA8S;KACjT;IACD;QACE,EAAE,EAAE,SAAS,CAAC,WAAW,CAAC,OAAO;QACjC,IAAI,EAAE,gDAAgD;QACtD,QAAQ,EAAE,SAAS;QACnB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,aAAa,GAAG,uCAAuC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC3E,IAAI,aAAa,EAAE,CAAC;gBAClB,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,oDAAoD,EAAE,CAAC;YAC/F,CAAC;YACD,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,yBAAyB,EAAE,CAAC;QACnE,CAAC;QACD,aAAa,EAAE,mEAAmE;QAClF,UAAU,EACR,6GAA6G;QAC/G,aAAa,EAAE,SAAS;QACxB,OAAO,EACL,wRAAwR;KAC3R;IACD;QACE,EAAE,EAAE,SAAS,CAAC,WAAW,CAAC,OAAO;QACjC,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,SAAS;QACnB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,GAAG,GAAG,8BAA8B,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACxD,IAAI,GAAG;gBAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,wCAAwC,EAAE,CAAC;YACzF,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,uCAAuC,EAAE,CAAC;QAClF,CAAC;QACD,aAAa,EAAE,8DAA8D;QAC7E,UAAU,EACR,uGAAuG;QACzG,aAAa,EAAE,SAAS;QACxB,OAAO,EACL,mTAAmT;KACtT;CACF,CAAC;AAEF,MAAM,CAAC,MAAM,sBAAsB,GAAgB,CACjD,aAAqB,EACrB,SAAiB,EACH,EAAE;IAChB,MAAM,SAAS,GACb,CAAC,aAAa;QACd,aAAa,CAAC,IAAI,EAAE,KAAK,EAAE;QAC3B,aAAa,CAAC,IAAI,EAAE,KAAK,KAAK;QAC9B,aAAa,CAAC,QAAQ,CAAC,qBAAqB,CAAC;QAC7C,aAAa,CAAC,QAAQ,CAAC,qBAAqB,CAAC,CAAC;IAEhD,IAAI,SAAS,EAAE,CAAC;QACd,OAAO,iBAAiB,CAAC,kBAAkB,EAAE,QAAQ,EAAE,4CAA4C,CAAC,CAAC;IACvG,CAAC;IAED,OAAO,kBAAkB,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;QACpC,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,GAAG,GAAG,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;QAC1D,OAAO;YACL,EAAE,EAAE,GAAG,CAAC,EAAE;YACV,QAAQ,EAAE,QAAQ;YAClB,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,QAAQ,EAAE,GAAG,CAAC,QAAQ;YACtB,MAAM;YACN,YAAY;YACZ,aAAa,EAAE,GAAG,CAAC,aAAa;YAChC,UAAU,EAAE,GAAG,CAAC,UAAU;YAC1B,aAAa,EAAE,GAAG,CAAC,aAAa;YAChC,OAAO,EAAE,GAAG,CAAC,OAAO;SACrB,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"incidentready.d.ts","sourceRoot":"","sources":["../../../../src/core/audit/checks/incidentready.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAa,WAAW,EAAoB,MAAM,aAAa,CAAC;AAoR5E,eAAO,MAAM,wBAAwB,EAAE,
|
|
1
|
+
{"version":3,"file":"incidentready.d.ts","sourceRoot":"","sources":["../../../../src/core/audit/checks/incidentready.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAa,WAAW,EAAoB,MAAM,aAAa,CAAC;AAoR5E,eAAO,MAAM,wBAAwB,EAAE,WAuCtC,CAAC"}
|
|
@@ -3,9 +3,10 @@
|
|
|
3
3
|
* Parses auditd installation/status, audit rules, log forwarding,
|
|
4
4
|
* wtmp/btmp accessibility, and logrotate configuration into 8 security checks.
|
|
5
5
|
*/
|
|
6
|
+
import { CHECK_IDS } from "../checkIds.js";
|
|
6
7
|
const INCIDENT_CHECKS = [
|
|
7
8
|
{
|
|
8
|
-
id:
|
|
9
|
+
id: CHECK_IDS.INCIDENTREADY.INCIDENT_AUDITD_INSTALLED,
|
|
9
10
|
name: "auditd Package Installed",
|
|
10
11
|
severity: "warning",
|
|
11
12
|
check: (output) => {
|
|
@@ -23,7 +24,7 @@ const INCIDENT_CHECKS = [
|
|
|
23
24
|
explain: "auditd is the Linux Audit daemon that records security-relevant events such as file access, system calls, and authentication attempts. Without it, forensic investigation after an incident has no kernel-level audit trail.",
|
|
24
25
|
},
|
|
25
26
|
{
|
|
26
|
-
id:
|
|
27
|
+
id: CHECK_IDS.INCIDENTREADY.INCIDENT_AUDITD_RUNNING,
|
|
27
28
|
name: "auditd Service Running",
|
|
28
29
|
severity: "warning",
|
|
29
30
|
check: (output) => {
|
|
@@ -41,7 +42,7 @@ const INCIDENT_CHECKS = [
|
|
|
41
42
|
explain: "Installing auditd without running it provides no protection. The auditd service must be active to collect audit events in real time, enabling detection of unauthorized access or configuration changes.",
|
|
42
43
|
},
|
|
43
44
|
{
|
|
44
|
-
id:
|
|
45
|
+
id: CHECK_IDS.INCIDENTREADY.INCIDENT_AUDITD_PASSWD_RULE,
|
|
45
46
|
name: "Audit Rule for /etc/passwd",
|
|
46
47
|
severity: "warning",
|
|
47
48
|
check: (output) => {
|
|
@@ -69,7 +70,7 @@ const INCIDENT_CHECKS = [
|
|
|
69
70
|
explain: "An audit rule watching /etc/passwd detects unauthorized user account modifications. Without this rule, an attacker can add backdoor accounts or modify existing ones without leaving any kernel-level audit evidence.",
|
|
70
71
|
},
|
|
71
72
|
{
|
|
72
|
-
id:
|
|
73
|
+
id: CHECK_IDS.INCIDENTREADY.INCIDENT_AUDITD_SUDO_RULE,
|
|
73
74
|
name: "Audit Rule for sudo/sudoers",
|
|
74
75
|
severity: "info",
|
|
75
76
|
check: (output) => {
|
|
@@ -97,7 +98,7 @@ const INCIDENT_CHECKS = [
|
|
|
97
98
|
explain: "Auditing sudoers configuration changes ensures any privilege escalation modifications are recorded. Combined with /etc/passwd monitoring, this forms a baseline identity and access audit trail.",
|
|
98
99
|
},
|
|
99
100
|
{
|
|
100
|
-
id:
|
|
101
|
+
id: CHECK_IDS.INCIDENTREADY.INCIDENT_LOG_FORWARDING,
|
|
101
102
|
name: "Log Forwarding Service Active",
|
|
102
103
|
severity: "info",
|
|
103
104
|
check: (output) => {
|
|
@@ -117,7 +118,7 @@ const INCIDENT_CHECKS = [
|
|
|
117
118
|
explain: "Log forwarding to a remote SIEM or log aggregator ensures that audit logs survive a system compromise. An attacker with root access can delete local logs; remote forwarding preserves the evidence.",
|
|
118
119
|
},
|
|
119
120
|
{
|
|
120
|
-
id:
|
|
121
|
+
id: CHECK_IDS.INCIDENTREADY.INCIDENT_LAST_ACCESSIBLE,
|
|
121
122
|
name: "Login History Accessible (last/wtmp)",
|
|
122
123
|
severity: "info",
|
|
123
124
|
check: (output) => {
|
|
@@ -135,7 +136,7 @@ const INCIDENT_CHECKS = [
|
|
|
135
136
|
explain: "The wtmp file records all login and logout events. During incident response, last command output is the first step to understanding who has accessed the system and when. An inaccessible wtmp impedes forensics.",
|
|
136
137
|
},
|
|
137
138
|
{
|
|
138
|
-
id:
|
|
139
|
+
id: CHECK_IDS.INCIDENTREADY.INCIDENT_LASTB_ACCESSIBLE,
|
|
139
140
|
name: "Failed Login History Accessible (lastb/btmp)",
|
|
140
141
|
severity: "info",
|
|
141
142
|
check: (output) => {
|
|
@@ -153,7 +154,7 @@ const INCIDENT_CHECKS = [
|
|
|
153
154
|
explain: "The btmp file records failed login attempts, which is critical evidence of brute force or credential stuffing attacks. Without it, failed authentication attempts leave no persistent record on the system.",
|
|
154
155
|
},
|
|
155
156
|
{
|
|
156
|
-
id:
|
|
157
|
+
id: CHECK_IDS.INCIDENTREADY.INCIDENT_WTMP_ROTATION,
|
|
157
158
|
name: "wtmp/btmp Log Rotation Configured",
|
|
158
159
|
severity: "info",
|
|
159
160
|
check: (output) => {
|
|
@@ -171,7 +172,7 @@ const INCIDENT_CHECKS = [
|
|
|
171
172
|
explain: "Log rotation for wtmp and btmp prevents unbounded growth that could fill the filesystem. Properly rotated and compressed logs also make historical login analysis feasible during incident investigation.",
|
|
172
173
|
},
|
|
173
174
|
{
|
|
174
|
-
id:
|
|
175
|
+
id: CHECK_IDS.INCIDENTREADY.INCID_WTMP_EXISTS,
|
|
175
176
|
name: "wtmp Login Record File Exists",
|
|
176
177
|
severity: "warning",
|
|
177
178
|
check: (output) => {
|
|
@@ -190,7 +191,7 @@ const INCIDENT_CHECKS = [
|
|
|
190
191
|
explain: "wtmp records all login/logout events; its absence prevents forensic analysis of unauthorized access.",
|
|
191
192
|
},
|
|
192
193
|
{
|
|
193
|
-
id:
|
|
194
|
+
id: CHECK_IDS.INCIDENTREADY.INCID_BTMP_EXISTS,
|
|
194
195
|
name: "btmp Failed Login Record File Exists",
|
|
195
196
|
severity: "warning",
|
|
196
197
|
check: (output) => {
|
|
@@ -209,7 +210,7 @@ const INCIDENT_CHECKS = [
|
|
|
209
210
|
explain: "btmp records failed login attempts; its absence prevents detection of brute-force attack patterns.",
|
|
210
211
|
},
|
|
211
212
|
{
|
|
212
|
-
id:
|
|
213
|
+
id: CHECK_IDS.INCIDENTREADY.INCID_FORENSIC_TOOLS,
|
|
213
214
|
name: "Forensic Tools Pre-installed",
|
|
214
215
|
severity: "info",
|
|
215
216
|
check: (output) => {
|
|
@@ -231,7 +232,7 @@ const INCIDENT_CHECKS = [
|
|
|
231
232
|
explain: "Having forensic tools pre-installed enables rapid incident response without contaminating the compromised system with new package installations.",
|
|
232
233
|
},
|
|
233
234
|
{
|
|
234
|
-
id:
|
|
235
|
+
id: CHECK_IDS.INCIDENTREADY.INCID_LOG_ARCHIVE_EXISTS,
|
|
235
236
|
name: "Recent Archived Log Files Present",
|
|
236
237
|
severity: "info",
|
|
237
238
|
check: (output) => {
|
|
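Review bot: The header comment kept as context in the first hunk still says the module parses its input "into 8 security checks", but the hunks of this section assign ids to at least twelve entries of `INCIDENT_CHECKS`, so the count is stale. I would drop the number: `* wtmp/btmp accessibility, and logrotate configuration into security checks.` The new constants also mix two prefixes in one namespace, `INCIDENT_` for the first eight (`INCIDENT_AUDITD_INSTALLED` … `INCIDENT_WTMP_ROTATION`) and `INCID_` for the last four (`INCID_WTMP_EXISTS` … `INCID_LOG_ARCHIVE_EXISTS`). A misspelled key would evaluate to `undefined` at runtime in the shipped JavaScript instead of failing, so a short comment at the array naming both prefixes would help. The removed `id:` values are not legible on this page, so it cannot be confirmed here that each constant resolves to the string it replaces. If these ids key stored baselines or suppressions (an assumption), a test pinning the values of `CHECK_IDS.INCIDENTREADY` would guard against silent drift. Each check body continues outside the hunks.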
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"incidentready.js","sourceRoot":"","sources":["../../../../src/core/audit/checks/incidentready.ts"],"names":[],"mappings":"AAAA;;;;GAIG;
|
|
1
|
+
{"version":3,"file":"incidentready.js","sourceRoot":"","sources":["../../../../src/core/audit/checks/incidentready.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAa3C,MAAM,eAAe,GAA4B;IAC/C;QACE,EAAE,EAAE,SAAS,CAAC,aAAa,CAAC,yBAAyB;QACrD,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,SAAS;QACnB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,IAAI,MAAM,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;gBACxC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,qBAAqB,EAAE,CAAC;YAC/D,CAAC;YACD,IAAI,MAAM,CAAC,QAAQ,CAAC,sBAAsB,CAAC,EAAE,CAAC;gBAC5C,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,yBAAyB,EAAE,CAAC;YACpE,CAAC;YACD,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,oDAAoD,EAAE,CAAC;QAC/F,CAAC;QACD,aAAa,EAAE,2CAA2C;QAC1D,UAAU,EAAE,mDAAmD;QAC/D,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,8NAA8N;KACjO;IACD;QACE,EAAE,EAAE,SAAS,CAAC,aAAa,CAAC,uBAAuB;QACnD,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,SAAS;QACnB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,IAAI,MAAM,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC;gBACtC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,sCAAsC,EAAE,CAAC;YAChF,CAAC;YACD,IAAI,MAAM,CAAC,QAAQ,CAAC,oBAAoB,CAAC,EAAE,CAAC;gBAC1C,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,+BAA+B,EAAE,CAAC;YAC1E,CAAC;YACD,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,+CAA+C,EAAE,CAAC;QAC1F,CAAC;QACD,aAAa,EAAE,oCAAoC;QACnD,UAAU,EAAE,+BAA+B;QAC3C,aAAa,EAAE,SAAS;QACxB,OAAO,EACL,0MAA0M;KAC7M;IACD;QACE,EAAE,EAAE,SAAS,CAAC,aAAa,CAAC,2BAA2B;QACvD,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,SAAS;QACnB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,6DAA6D;YAC7D,IAAI,MAAM,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;gBACxC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,oDAAoD,EAAE,CAAC;YAC/F,CAAC;YACD,oDAAoD;YACpD,MAAM,UAAU,GAAG,MAAM,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC;YACzD,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,iDAAiD,EAAE,CAAC;YAC5F,CAAC;YACD,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,iBAAiB,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACrF,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;YACxD,OAAO;gBACL,MAAM,EAAE,aAAa;gBACr
B,YAAY,EAAE,aAAa;oBACzB,CAAC,CAAC,mCAAmC;oBACrC,CAAC,CAAC,qCAAqC;aAC1C,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,uCAAuC;QACtD,UAAU,EAAE,0HAA0H;QACtI,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,uNAAuN;KAC1N;IACD;QACE,EAAE,EAAE,SAAS,CAAC,aAAa,CAAC,yBAAyB;QACrD,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,IAAI,MAAM,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;gBACxC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,oDAAoD,EAAE,CAAC;YAC/F,CAAC;YACD,MAAM,UAAU,GAAG,MAAM,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC;YACzD,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,iDAAiD,EAAE,CAAC;YAC5F,CAAC;YACD,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,iBAAiB,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACrF,MAAM,WAAW,GACf,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC;gBAClC,SAAS,CAAC,QAAQ,CAAC,mBAAmB,CAAC;gBACvC,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YAC7B,OAAO;gBACL,MAAM,EAAE,WAAW;gBACnB,YAAY,EAAE,WAAW;oBACvB,CAAC,CAAC,oCAAoC;oBACtC,CAAC,CAAC,sCAAsC;aAC3C,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,8DAA8D;QAC7E,UAAU,EAAE,0HAA0H;QACtI,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,kMAAkM;KACrM;IACD;QACE,EAAE,EAAE,SAAS,CAAC,aAAa,CAAC,uBAAuB;QACnD,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,kCAAkC;YAClC,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,6BAA6B,CAAC,CAAC;YAC1D,IAAI,KAAK,EAAE,CAAC;gBACV,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,0BAA0B,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;YAC9E,CAAC;YACD,IAAI,MAAM,CAAC,QAAQ,CAAC,yBAAyB,CAAC,EAAE,CAAC;gBAC/C,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,qCAAqC,EAAE,CAAC;YAChF,CAAC;YACD,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,+CAA+C,EAAE,CAAC;QAC1F,CAAC;QACD,aAAa,EAAE,oEAAoE;QACnF,UAAU,EAAE,8DAA8D;QAC1E,aAAa,EAAE,SAAS;QACxB,OAAO,EACL,sMAAsM;KACzM;IACD;QACE,EAAE,EAAE,SAAS,CAAC,aAAa,CAAC,wBAAwB;QACpD,IAAI,EAAE,sCAAsC;QAC5C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,IAAI,MAAM,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC;gBACtC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,yCAAyC,EAAE,CAAC;YACnF,CAAC;YACD,IAAI,MAAM,CAAC,QAAQ,CAAC,oBAAoB
,CAAC,EAAE,CAAC;gBAC1C,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,wDAAwD,EAAE,CAAC;YACnG,CAAC;YACD,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,4CAA4C,EAAE,CAAC;QACvF,CAAC;QACD,aAAa,EAAE,kEAAkE;QACjF,UAAU,EAAE,iFAAiF;QAC7F,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,mNAAmN;KACtN;IACD;QACE,EAAE,EAAE,SAAS,CAAC,aAAa,CAAC,yBAAyB;QACrD,IAAI,EAAE,8CAA8C;QACpD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,IAAI,MAAM,CAAC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,CAAC;gBACvC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,6CAA6C,EAAE,CAAC;YACvF,CAAC;YACD,IAAI,MAAM,CAAC,QAAQ,CAAC,qBAAqB,CAAC,EAAE,CAAC;gBAC3C,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,gEAAgE,EAAE,CAAC;YAC3G,CAAC;YACD,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,4CAA4C,EAAE,CAAC;QACvF,CAAC;QACD,aAAa,EAAE,+DAA+D;QAC9E,UAAU,EAAE,iFAAiF;QAC7F,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,6MAA6M;KAChN;IACD;QACE,EAAE,EAAE,SAAS,CAAC,aAAa,CAAC,sBAAsB;QAClD,IAAI,EAAE,mCAAmC;QACzC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,IAAI,MAAM,CAAC,QAAQ,CAAC,0BAA0B,CAAC,EAAE,CAAC;gBAChD,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,gDAAgD,EAAE,CAAC;YAC1F,CAAC;YACD,IAAI,MAAM,CAAC,QAAQ,CAAC,8BAA8B,CAAC,EAAE,CAAC;gBACpD,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,gDAAgD,EAAE,CAAC;YAC3F,CAAC;YACD,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,qDAAqD,EAAE,CAAC;QAChG,CAAC;QACD,aAAa,EAAE,kDAAkD;QACjE,UAAU,EAAE,0EAA0E;QACtF,aAAa,EAAE,SAAS;QACxB,OAAO,EACL,2MAA2M;KAC9M;IACD;QACE,EAAE,EAAE,SAAS,CAAC,aAAa,CAAC,iBAAiB;QAC7C,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,SAAS;QACnB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,4CAA4C;YAC5C,MAAM,UAAU,GAAG,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;YAC9E,OAAO;gBACL,MAAM,EAAE,UAAU;gBAClB,YAAY,EAAE,UAAU;oBACtB,CAAC,CAAC,gDAAgD;oBAClD,CAAC,CAAC,yBAAyB;aAC9B,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,2BAA2B;QAC1C,UAAU,EAAE,iFAAiF;QAC7F,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,sGAAsG;KACzG;IACD;QACE,EAAE,EAAE,SAAS,CAAC,aAAa,CAAC,iBAAiB;QAC7C,IAAI,EAAE,sCAAsC;QAC5C,QAAQ,EAAE,SAAS;QACnB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,4CAA4C;YAC5C,MAAM,UAAU,GAAG,kBAAkB,CAAC,IAAI,CAAC,MA
AM,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;YAC9E,OAAO;gBACL,MAAM,EAAE,UAAU;gBAClB,YAAY,EAAE,UAAU;oBACtB,CAAC,CAAC,uDAAuD;oBACzD,CAAC,CAAC,yBAAyB;aAC9B,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,2BAA2B;QAC1C,UAAU,EAAE,iFAAiF;QAC7F,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,oGAAoG;KACvG;IACD;QACE,EAAE,EAAE,SAAS,CAAC,aAAa,CAAC,oBAAoB;QAChD,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,qFAAqF;YACrF,MAAM,KAAK,GAAa,EAAE,CAAC;YAC3B,IAAI,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC;gBAAE,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YACxD,IAAI,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC;gBAAE,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC9C,MAAM,OAAO,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YAC7D,OAAO;gBACL,MAAM,EAAE,OAAO;gBACf,YAAY,EAAE,OAAO,CAAC,CAAC,CAAC,yBAAyB,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,gBAAgB;aACvF,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,8DAA8D;QAC7E,UAAU,EAAE,kEAAkE;QAC9E,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,kJAAkJ;KACrJ;IACD;QACE,EAAE,EAAE,SAAS,CAAC,aAAa,CAAC,wBAAwB;QACpD,IAAI,EAAE,mCAAmC;QACzC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,+EAA+E;YAC/E,MAAM,iBAAiB,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;YAClF,IAAI,iBAAiB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACnC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,wCAAwC,EAAE,CAAC;YACnF,CAAC;YACD,iFAAiF;YACjF,MAAM,KAAK,GAAG,QAAQ,CAAC,iBAAiB,CAAC,iBAAiB,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;YACnF,OAAO;gBACL,MAAM,EAAE,KAAK,GAAG,CAAC;gBACjB,YAAY,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,KAAK,oCAAoC,CAAC,CAAC,CAAC,4BAA4B;aACtG,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,mDAAmD;QAClE,UAAU,EAAE,mEAAmE;QAC/E,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,mIAAmI;KACtI;CACF,CAAC;AAEF,MAAM,CAAC,MAAM,wBAAwB,GAAgB,CACnD,aAAqB,EACrB,SAAiB,EACH,EAAE;IAChB,MAAM,IAAI,GACR,CAAC,aAAa;QACd,aAAa,CAAC,IAAI,EAAE,KAAK,KAAK;QAC9B,aAAa,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC;IAC9B,MAAM,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC;IAEzC,OAAO,eAAe,CAAC,GAAG,CAAC,CAAC,GA
AG,EAAE,EAAE;QACjC,IAAI,IAAI,EAAE,CAAC;YACT,OAAO;gBACL,EAAE,EAAE,GAAG,CAAC,EAAE;gBACV,QAAQ,EAAE,oBAAoB;gBAC9B,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,QAAQ,EAAE,GAAG,CAAC,QAAQ;gBACtB,MAAM,EAAE,KAAK;gBACb,YAAY,EAAE,qBAAqB;gBACnC,aAAa,EAAE,GAAG,CAAC,aAAa;gBAChC,UAAU,EAAE,GAAG,CAAC,UAAU;gBAC1B,aAAa,EAAE,GAAG,CAAC,aAAa;gBAChC,OAAO,EAAE,GAAG,CAAC,OAAO;aACrB,CAAC;QACJ,CAAC;QACD,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,GAAG,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACnD,OAAO;YACL,EAAE,EAAE,GAAG,CAAC,EAAE;YACV,QAAQ,EAAE,oBAAoB;YAC9B,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,QAAQ,EAAE,GAAG,CAAC,QAAQ;YACtB,MAAM;YACN,YAAY;YACZ,aAAa,EAAE,GAAG,CAAC,aAAa;YAChC,UAAU,EAAE,GAAG,CAAC,UAAU;YAC1B,aAAa,EAAE,GAAG,CAAC,aAAa;YAChC,OAAO,EAAE,GAAG,CAAC,OAAO;SACrB,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"kernel.d.ts","sourceRoot":"","sources":["../../../../src/core/audit/checks/kernel.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAc,WAAW,EAAE,MAAM,aAAa,CAAC;
|
|
1
|
+
{"version":3,"file":"kernel.d.ts","sourceRoot":"","sources":["../../../../src/core/audit/checks/kernel.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAc,WAAW,EAAE,MAAM,aAAa,CAAC;AAI3D,eAAO,MAAM,iBAAiB,EAAE,WAgpB/B,CAAC"}
|
|
@@ -3,13 +3,14 @@
|
|
|
3
3
|
* Parses sysctl values into 5 security checks with semantic IDs.
|
|
4
4
|
*/
|
|
5
5
|
import { extractSysctlValue } from "./shared/sysctl.js";
|
|
6
|
+
import { CHECK_IDS } from "../checkIds.js";
|
|
6
7
|
export const parseKernelChecks = (sectionOutput, _platform) => {
|
|
7
8
|
const isNA = !sectionOutput || sectionOutput.trim() === "N/A" || sectionOutput.trim() === "";
|
|
8
9
|
const output = isNA ? "" : sectionOutput;
|
|
9
10
|
// KRN-01: ASLR (kernel.randomize_va_space = 2)
|
|
10
11
|
const aslr = extractSysctlValue(output, "kernel.randomize_va_space");
|
|
11
12
|
const krn01 = {
|
|
12
|
-
id:
|
|
13
|
+
id: CHECK_IDS.KERNEL.KRN_ASLR_ENABLED,
|
|
13
14
|
category: "Kernel",
|
|
14
15
|
name: "ASLR Enabled (Full)",
|
|
15
16
|
severity: "critical",
|
|
@@ -29,7 +30,7 @@ export const parseKernelChecks = (sectionOutput, _platform) => {
|
|
|
29
30
|
const coreUsesPid = extractSysctlValue(output, "kernel.core_uses_pid");
|
|
30
31
|
const coreRestricted = suidDumpable === "0" || coreUsesPid === "1";
|
|
31
32
|
const krn02 = {
|
|
32
|
-
id:
|
|
33
|
+
id: CHECK_IDS.KERNEL.KRN_CORE_DUMPS_RESTRICTED,
|
|
33
34
|
category: "Kernel",
|
|
34
35
|
name: "Core Dumps Restricted",
|
|
35
36
|
severity: "warning",
|
|
@@ -52,7 +53,7 @@ export const parseKernelChecks = (sectionOutput, _platform) => {
|
|
|
52
53
|
const logMartians = extractSysctlValue(output, "net.ipv4.conf.all.log_martians");
|
|
53
54
|
const hardeningPassed = acceptRedirects === "0" && acceptSourceRoute === "0" && logMartians === "1";
|
|
54
55
|
const krn03 = {
|
|
55
|
-
id:
|
|
56
|
+
id: CHECK_IDS.KERNEL.KRN_NETWORK_HARDENING,
|
|
56
57
|
category: "Kernel",
|
|
57
58
|
name: "Network Hardening Sysctls",
|
|
58
59
|
severity: "warning",
|
|
@@ -75,7 +76,7 @@ export const parseKernelChecks = (sectionOutput, _platform) => {
|
|
|
75
76
|
// KRN-04: Kernel version (basic presence check)
|
|
76
77
|
const kernelVersion = output.match(/(\d+\.\d+\.\d+[-\w]*)/);
|
|
77
78
|
const krn04 = {
|
|
78
|
-
id:
|
|
79
|
+
id: CHECK_IDS.KERNEL.KRN_KERNEL_VERSION,
|
|
79
80
|
category: "Kernel",
|
|
80
81
|
name: "Kernel Version",
|
|
81
82
|
severity: "info",
|
|
@@ -93,7 +94,7 @@ export const parseKernelChecks = (sectionOutput, _platform) => {
|
|
|
93
94
|
// KRN-05: dmesg restricted (kernel.dmesg_restrict = 1)
|
|
94
95
|
const dmesgRestrict = extractSysctlValue(output, "kernel.dmesg_restrict");
|
|
95
96
|
const krn05 = {
|
|
96
|
-
id:
|
|
97
|
+
id: CHECK_IDS.KERNEL.KRN_DMESG_RESTRICTED,
|
|
97
98
|
category: "Kernel",
|
|
98
99
|
name: "dmesg Restricted",
|
|
99
100
|
severity: "info",
|
|
@@ -111,7 +112,7 @@ export const parseKernelChecks = (sectionOutput, _platform) => {
|
|
|
111
112
|
// KRN-06: ptrace scope (kernel.yama.ptrace_scope >= 1)
|
|
112
113
|
const ptraceScope = extractSysctlValue(output, "kernel.yama.ptrace_scope");
|
|
113
114
|
const krn06 = {
|
|
114
|
-
id:
|
|
115
|
+
id: CHECK_IDS.KERNEL.KRN_PTRACE_SCOPE,
|
|
115
116
|
category: "Kernel",
|
|
116
117
|
name: "Ptrace Scope Restricted",
|
|
117
118
|
severity: "warning",
|
|
@@ -129,7 +130,7 @@ export const parseKernelChecks = (sectionOutput, _platform) => {
|
|
|
129
130
|
// KRN-07: kptr restrict (kernel.kptr_restrict >= 1)
|
|
130
131
|
const kptrRestrict = extractSysctlValue(output, "kernel.kptr_restrict");
|
|
131
132
|
const krn07 = {
|
|
132
|
-
id:
|
|
133
|
+
id: CHECK_IDS.KERNEL.KRN_KPTR_RESTRICT,
|
|
133
134
|
category: "Kernel",
|
|
134
135
|
name: "Kernel Pointer Restriction",
|
|
135
136
|
severity: "warning",
|
|
@@ -147,7 +148,7 @@ export const parseKernelChecks = (sectionOutput, _platform) => {
|
|
|
147
148
|
// KRN-08: perf event paranoid (kernel.perf_event_paranoid >= 2)
|
|
148
149
|
const perfParanoid = extractSysctlValue(output, "kernel.perf_event_paranoid");
|
|
149
150
|
const krn08 = {
|
|
150
|
-
id:
|
|
151
|
+
id: CHECK_IDS.KERNEL.KRN_PERF_PARANOID,
|
|
151
152
|
category: "Kernel",
|
|
152
153
|
name: "Perf Events Restricted",
|
|
153
154
|
severity: "info",
|
|
@@ -165,7 +166,7 @@ export const parseKernelChecks = (sectionOutput, _platform) => {
|
|
|
165
166
|
// KRN-09: TCP SYN cookies (net.ipv4.tcp_syncookies = 1)
|
|
166
167
|
const synCookiesKrn = extractSysctlValue(output, "net.ipv4.tcp_syncookies");
|
|
167
168
|
const krn09 = {
|
|
168
|
-
id:
|
|
169
|
+
id: CHECK_IDS.KERNEL.KRN_SYN_COOKIES,
|
|
169
170
|
category: "Kernel",
|
|
170
171
|
name: "TCP SYN Cookies Enabled",
|
|
171
172
|
severity: "warning",
|
|
@@ -183,7 +184,7 @@ export const parseKernelChecks = (sectionOutput, _platform) => {
|
|
|
183
184
|
// KRN-10: IP forwarding disabled (net.ipv4.ip_forward = 0)
|
|
184
185
|
const ipForwardKrn = extractSysctlValue(output, "net.ipv4.ip_forward");
|
|
185
186
|
const krn10 = {
|
|
186
|
-
id:
|
|
187
|
+
id: CHECK_IDS.KERNEL.KRN_IP_FORWARD_DISABLED,
|
|
187
188
|
category: "Kernel",
|
|
188
189
|
name: "IPv4 Forwarding Disabled",
|
|
189
190
|
severity: "warning",
|
|
@@ -202,7 +203,7 @@ export const parseKernelChecks = (sectionOutput, _platform) => {
|
|
|
202
203
|
// Accepts both strict (1) and loose (2) modes — loose mode is required for Docker bridge networking
|
|
203
204
|
const rpFilter = extractSysctlValue(output, "net.ipv4.conf.all.rp_filter");
|
|
204
205
|
const krn11 = {
|
|
205
|
-
id:
|
|
206
|
+
id: CHECK_IDS.KERNEL.KRN_RP_FILTER,
|
|
206
207
|
category: "Kernel",
|
|
207
208
|
name: "Reverse Path Filtering Enabled",
|
|
208
209
|
severity: "warning",
|
|
@@ -220,7 +221,7 @@ export const parseKernelChecks = (sectionOutput, _platform) => {
|
|
|
220
221
|
// KRN-12: TCP timestamps (net.ipv4.tcp_timestamps = 0)
|
|
221
222
|
const tcpTimestamps = extractSysctlValue(output, "net.ipv4.tcp_timestamps");
|
|
222
223
|
const krn12 = {
|
|
223
|
-
id:
|
|
224
|
+
id: CHECK_IDS.KERNEL.KRN_TCP_TIMESTAMPS,
|
|
224
225
|
category: "Kernel",
|
|
225
226
|
name: "TCP Timestamps Disabled",
|
|
226
227
|
severity: "info",
|
|
@@ -238,7 +239,7 @@ export const parseKernelChecks = (sectionOutput, _platform) => {
|
|
|
238
239
|
// KRN-13: ICMP broadcast (net.ipv4.icmp_echo_ignore_broadcasts = 1)
|
|
239
240
|
const icmpBroadcast = extractSysctlValue(output, "net.ipv4.icmp_echo_ignore_broadcasts");
|
|
240
241
|
const krn13 = {
|
|
241
|
-
id:
|
|
242
|
+
id: CHECK_IDS.KERNEL.KRN_ICMP_BROADCAST,
|
|
242
243
|
category: "Kernel",
|
|
243
244
|
name: "ICMP Broadcast Ignored",
|
|
244
245
|
severity: "warning",
|
|
@@ -256,7 +257,7 @@ export const parseKernelChecks = (sectionOutput, _platform) => {
|
|
|
256
257
|
// KRN-14: IPv6 accept redirects (net.ipv6.conf.all.accept_redirects = 0)
|
|
257
258
|
const ipv6AcceptRedirects = extractSysctlValue(output, "net.ipv6.conf.all.accept_redirects");
|
|
258
259
|
const krn14 = {
|
|
259
|
-
id:
|
|
260
|
+
id: CHECK_IDS.KERNEL.KRN_ACCEPT_REDIRECTS_V6,
|
|
260
261
|
category: "Kernel",
|
|
261
262
|
name: "IPv6 ICMP Redirects Rejected",
|
|
262
263
|
severity: "warning",
|
|
@@ -274,7 +275,7 @@ export const parseKernelChecks = (sectionOutput, _platform) => {
|
|
|
274
275
|
// KRN-15: BPF unprivileged (kernel.unprivileged_bpf_disabled = 1)
|
|
275
276
|
const bpfUnprivileged = extractSysctlValue(output, "kernel.unprivileged_bpf_disabled");
|
|
276
277
|
const krn15 = {
|
|
277
|
-
id:
|
|
278
|
+
id: CHECK_IDS.KERNEL.KRN_BPF_UNPRIVILEGED,
|
|
278
279
|
category: "Kernel",
|
|
279
280
|
name: "Unprivileged BPF Disabled",
|
|
280
281
|
severity: "warning",
|
|
@@ -292,7 +293,7 @@ export const parseKernelChecks = (sectionOutput, _platform) => {
|
|
|
292
293
|
// KRN-16: Kernel modules disabled (kernel.modules_disabled = 1)
|
|
293
294
|
const modulesDisabled = extractSysctlValue(output, "kernel.modules_disabled");
|
|
294
295
|
const krn16 = {
|
|
295
|
-
id:
|
|
296
|
+
id: CHECK_IDS.KERNEL.KRN_MODULES_DISABLED,
|
|
296
297
|
category: "Kernel",
|
|
297
298
|
name: "Kernel Module Loading Disabled",
|
|
298
299
|
severity: "info",
|
|
@@ -310,7 +311,7 @@ export const parseKernelChecks = (sectionOutput, _platform) => {
|
|
|
310
311
|
// KRN-17: IPv6 forwarding disabled (net.ipv6.conf.all.forwarding = 0)
|
|
311
312
|
const ipv6Forward = extractSysctlValue(output, "net.ipv6.conf.all.forwarding");
|
|
312
313
|
const krn17 = {
|
|
313
|
-
id:
|
|
314
|
+
id: CHECK_IDS.KERNEL.KRN_IP_FORWARD_V6,
|
|
314
315
|
category: "Kernel",
|
|
315
316
|
name: "IPv6 Forwarding Disabled",
|
|
316
317
|
severity: "warning",
|
|
@@ -328,7 +329,7 @@ export const parseKernelChecks = (sectionOutput, _platform) => {
|
|
|
328
329
|
// KRN-18: Send redirects disabled (net.ipv4.conf.all.send_redirects = 0)
|
|
329
330
|
const sendRedirects = extractSysctlValue(output, "net.ipv4.conf.all.send_redirects");
|
|
330
331
|
const krn18 = {
|
|
331
|
-
id:
|
|
332
|
+
id: CHECK_IDS.KERNEL.KRN_SEND_REDIRECTS,
|
|
332
333
|
category: "Kernel",
|
|
333
334
|
name: "ICMP Redirect Sending Disabled",
|
|
334
335
|
severity: "warning",
|
|
@@ -346,7 +347,7 @@ export const parseKernelChecks = (sectionOutput, _platform) => {
|
|
|
346
347
|
// KRN-19: Secure redirects disabled (net.ipv4.conf.all.secure_redirects = 0)
|
|
347
348
|
const secureRedirects = extractSysctlValue(output, "net.ipv4.conf.all.secure_redirects");
|
|
348
349
|
const krn19 = {
|
|
349
|
-
id:
|
|
350
|
+
id: CHECK_IDS.KERNEL.KRN_SECURE_REDIRECTS,
|
|
350
351
|
category: "Kernel",
|
|
351
352
|
name: "Secure ICMP Redirects Disabled",
|
|
352
353
|
severity: "warning",
|
|
@@ -365,7 +366,7 @@ export const parseKernelChecks = (sectionOutput, _platform) => {
|
|
|
365
366
|
const sysrq = extractSysctlValue(output, "kernel.sysrq");
|
|
366
367
|
const sysrqVal = sysrq !== null ? parseInt(sysrq, 10) : null;
|
|
367
368
|
const krn20 = {
|
|
368
|
-
id:
|
|
369
|
+
id: CHECK_IDS.KERNEL.KRN_SYSRQ_DISABLED,
|
|
369
370
|
category: "Kernel",
|
|
370
371
|
name: "SysRq Disabled or Restricted",
|
|
371
372
|
severity: "warning",
|
|
@@ -384,7 +385,7 @@ export const parseKernelChecks = (sectionOutput, _platform) => {
|
|
|
384
385
|
const corePattern = extractSysctlValue(output, "kernel.core_pattern");
|
|
385
386
|
const corePatternSafe = corePattern !== null && !corePattern.startsWith("|");
|
|
386
387
|
const krn21 = {
|
|
387
|
-
id:
|
|
388
|
+
id: CHECK_IDS.KERNEL.KRN_CORE_PATTERN_SAFE,
|
|
388
389
|
category: "Kernel",
|
|
389
390
|
name: "Core Dump Pattern Safe",
|
|
390
391
|
severity: "warning",
|
|
@@ -402,7 +403,7 @@ export const parseKernelChecks = (sectionOutput, _platform) => {
|
|
|
402
403
|
// KRN-22: Panic on oops (kernel.panic_on_oops = 1)
|
|
403
404
|
const panicOnOops = extractSysctlValue(output, "kernel.panic_on_oops");
|
|
404
405
|
const krn22 = {
|
|
405
|
-
id:
|
|
406
|
+
id: CHECK_IDS.KERNEL.KRN_PANIC_ON_OOPS,
|
|
406
407
|
category: "Kernel",
|
|
407
408
|
name: "Panic on Kernel Oops",
|
|
408
409
|
severity: "info",
|
|
@@ -420,7 +421,7 @@ export const parseKernelChecks = (sectionOutput, _platform) => {
|
|
|
420
421
|
// KRN-23: NMI watchdog disabled (kernel.nmi_watchdog = 0)
|
|
421
422
|
const nmiWatchdog = extractSysctlValue(output, "kernel.nmi_watchdog");
|
|
422
423
|
const krn23 = {
|
|
423
|
-
id:
|
|
424
|
+
id: CHECK_IDS.KERNEL.KRN_NMI_WATCHDOG_DISABLED,
|
|
424
425
|
category: "Kernel",
|
|
425
426
|
name: "NMI Watchdog Disabled",
|
|
426
427
|
severity: "info",
|
|
@@ -438,7 +439,7 @@ export const parseKernelChecks = (sectionOutput, _platform) => {
|
|
|
438
439
|
// KRN-24: Unprivileged user namespaces disabled
|
|
439
440
|
const unprivUserns = extractSysctlValue(output, "kernel.unprivileged_userns_clone");
|
|
440
441
|
const krn24 = {
|
|
441
|
-
id:
|
|
442
|
+
id: CHECK_IDS.KERNEL.KRN_UNPRIVILEGED_USERNS,
|
|
442
443
|
category: "Kernel",
|
|
443
444
|
name: "Unprivileged User Namespaces Disabled",
|
|
444
445
|
severity: "warning",
|
|
@@ -460,7 +461,7 @@ export const parseKernelChecks = (sectionOutput, _platform) => {
|
|
|
460
461
|
// KRN-25: Exec-shield (may not exist on modern kernels)
|
|
461
462
|
const execShield = extractSysctlValue(output, "kernel.exec_shield");
|
|
462
463
|
const krn25 = {
|
|
463
|
-
id:
|
|
464
|
+
id: CHECK_IDS.KERNEL.KRN_EXEC_SHIELD,
|
|
464
465
|
category: "Kernel",
|
|
465
466
|
name: "Exec-Shield or NX Bit Protection",
|
|
466
467
|
severity: "info",
|
|
@@ -492,7 +493,7 @@ export const parseKernelChecks = (sectionOutput, _platform) => {
|
|
|
492
493
|
}
|
|
493
494
|
}
|
|
494
495
|
const krn26 = {
|
|
495
|
-
id:
|
|
496
|
+
id: CHECK_IDS.KERNEL.KRN_MODULE_BLACKLIST,
|
|
496
497
|
category: "Kernel",
|
|
497
498
|
name: "Blacklisted Filesystem Modules Not Loaded",
|
|
498
499
|
severity: "info",
|
|
@@ -511,7 +512,7 @@ export const parseKernelChecks = (sectionOutput, _platform) => {
|
|
|
511
512
|
const kernelPanic = extractSysctlValue(output, "kernel.panic");
|
|
512
513
|
const kernelPanicVal = kernelPanic !== null ? parseInt(kernelPanic, 10) : null;
|
|
513
514
|
const krn27 = {
|
|
514
|
-
id:
|
|
515
|
+
id: CHECK_IDS.KERNEL.KRN_PANIC_REBOOT,
|
|
515
516
|
category: "Kernel",
|
|
516
517
|
name: "Kernel Panic Auto-Reboot Configured",
|
|
517
518
|
severity: "info",
|
|
@@ -545,7 +546,7 @@ export const parseKernelChecks = (sectionOutput, _platform) => {
|
|
|
545
546
|
}
|
|
546
547
|
}
|
|
547
548
|
const krn28 = {
|
|
548
|
-
id:
|
|
549
|
+
id: CHECK_IDS.KERNEL.KRN_SYSCTL_HARDENED,
|
|
549
550
|
category: "Kernel",
|
|
550
551
|
name: "Sysctl Hardening Configs Present",
|
|
551
552
|
severity: "info",
|
|
@@ -568,7 +569,7 @@ export const parseKernelChecks = (sectionOutput, _platform) => {
|
|
|
568
569
|
const coredumpDisabled = coredumpStorage === "none"
|
|
569
570
|
|| processSizeMax === "0";
|
|
570
571
|
const krn29 = {
|
|
571
|
-
id:
|
|
572
|
+
id: CHECK_IDS.KERNEL.KRN_COREDUMP_SYSTEMD,
|
|
572
573
|
category: "Kernel",
|
|
573
574
|
name: "Systemd Coredumps Disabled",
|
|
574
575
|
severity: "info",
|
|
@@ -588,7 +589,7 @@ export const parseKernelChecks = (sectionOutput, _platform) => {
|
|
|
588
589
|
const lockdownEnabled = lockdownValue !== null;
|
|
589
590
|
const lockdownLine = output.split("\n").find((l) => /\[none\]|\[integrity\]|\[confidentiality\]/i.test(l));
|
|
590
591
|
const krn30 = {
|
|
591
|
-
id:
|
|
592
|
+
id: CHECK_IDS.KERNEL.KRN_LOCKDOWN_MODE,
|
|
592
593
|
category: "Kernel",
|
|
593
594
|
name: "Kernel Lockdown Mode Enabled",
|
|
594
595
|
severity: "info",
|
|
@@ -604,7 +605,7 @@ export const parseKernelChecks = (sectionOutput, _platform) => {
|
|
|
604
605
|
// KRN-31: BPF JIT hardening (net.core.bpf_jit_harden >= 1)
|
|
605
606
|
const bpfJitHarden = extractSysctlValue(output, "net.core.bpf_jit_harden");
|
|
606
607
|
const krn31 = {
|
|
607
|
-
id:
|
|
608
|
+
id: CHECK_IDS.KERNEL.KRN_BPF_JIT_HARDEN,
|
|
608
609
|
category: "Kernel",
|
|
609
610
|
name: "BPF JIT Hardening Enabled",
|
|
610
611
|
severity: "warning",
|