kastell 2.1.0 → 2.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +50 -0
- package/README.md +1 -1
- package/README.tr.md +1 -1
- package/dist/commands/doctor.d.ts +1 -0
- package/dist/commands/doctor.d.ts.map +1 -1
- package/dist/commands/doctor.js +22 -7
- package/dist/commands/doctor.js.map +1 -1
- package/dist/commands/fix.d.ts +1 -0
- package/dist/commands/fix.d.ts.map +1 -1
- package/dist/commands/fix.js +21 -2
- package/dist/commands/fix.js.map +1 -1
- package/dist/commands/interactive.d.ts.map +1 -1
- package/dist/commands/interactive.js +29 -0
- package/dist/commands/interactive.js.map +1 -1
- package/dist/commands/plugin.d.ts +8 -0
- package/dist/commands/plugin.d.ts.map +1 -0
- package/dist/commands/plugin.js +87 -0
- package/dist/commands/plugin.js.map +1 -0
- package/dist/core/audit/checkIds.d.ts +516 -0
- package/dist/core/audit/checkIds.d.ts.map +1 -0
- package/dist/core/audit/checkIds.js +515 -0
- package/dist/core/audit/checkIds.js.map +1 -0
- package/dist/core/audit/checks/accounts.d.ts.map +1 -1
- package/dist/core/audit/checks/accounts.js +23 -22
- package/dist/core/audit/checks/accounts.js.map +1 -1
- package/dist/core/audit/checks/auth.d.ts.map +1 -1
- package/dist/core/audit/checks/auth.js +23 -22
- package/dist/core/audit/checks/auth.js.map +1 -1
- package/dist/core/audit/checks/backup.d.ts.map +1 -1
- package/dist/core/audit/checks/backup.js +9 -8
- package/dist/core/audit/checks/backup.js.map +1 -1
- package/dist/core/audit/checks/banners.d.ts.map +1 -1
- package/dist/core/audit/checks/banners.js +7 -6
- package/dist/core/audit/checks/banners.js.map +1 -1
- package/dist/core/audit/checks/boot.d.ts.map +1 -1
- package/dist/core/audit/checks/boot.js +12 -11
- package/dist/core/audit/checks/boot.js.map +1 -1
- package/dist/core/audit/checks/cloudmeta.d.ts.map +1 -1
- package/dist/core/audit/checks/cloudmeta.js +7 -6
- package/dist/core/audit/checks/cloudmeta.js.map +1 -1
- package/dist/core/audit/checks/crypto.d.ts +0 -5
- package/dist/core/audit/checks/crypto.d.ts.map +1 -1
- package/dist/core/audit/checks/crypto.js +20 -19
- package/dist/core/audit/checks/crypto.js.map +1 -1
- package/dist/core/audit/checks/ddos.d.ts.map +1 -1
- package/dist/core/audit/checks/ddos.js +9 -8
- package/dist/core/audit/checks/ddos.js.map +1 -1
- package/dist/core/audit/checks/dns.d.ts.map +1 -1
- package/dist/core/audit/checks/dns.js +9 -8
- package/dist/core/audit/checks/dns.js.map +1 -1
- package/dist/core/audit/checks/docker.d.ts.map +1 -1
- package/dist/core/audit/checks/docker.js +65 -64
- package/dist/core/audit/checks/docker.js.map +1 -1
- package/dist/core/audit/checks/fileintegrity.d.ts.map +1 -1
- package/dist/core/audit/checks/fileintegrity.js +11 -10
- package/dist/core/audit/checks/fileintegrity.js.map +1 -1
- package/dist/core/audit/checks/filesystem.d.ts.map +1 -1
- package/dist/core/audit/checks/filesystem.js +21 -20
- package/dist/core/audit/checks/filesystem.js.map +1 -1
- package/dist/core/audit/checks/firewall.d.ts.map +1 -1
- package/dist/core/audit/checks/firewall.js +18 -17
- package/dist/core/audit/checks/firewall.js.map +1 -1
- package/dist/core/audit/checks/httpHeaders.d.ts.map +1 -1
- package/dist/core/audit/checks/httpHeaders.js +7 -6
- package/dist/core/audit/checks/httpHeaders.js.map +1 -1
- package/dist/core/audit/checks/incidentready.d.ts.map +1 -1
- package/dist/core/audit/checks/incidentready.js +13 -12
- package/dist/core/audit/checks/incidentready.js.map +1 -1
- package/dist/core/audit/checks/kernel.d.ts.map +1 -1
- package/dist/core/audit/checks/kernel.js +32 -31
- package/dist/core/audit/checks/kernel.js.map +1 -1
- package/dist/core/audit/checks/logging.d.ts.map +1 -1
- package/dist/core/audit/checks/logging.js +21 -20
- package/dist/core/audit/checks/logging.js.map +1 -1
- package/dist/core/audit/checks/mac.d.ts.map +1 -1
- package/dist/core/audit/checks/mac.js +11 -10
- package/dist/core/audit/checks/mac.js.map +1 -1
- package/dist/core/audit/checks/malware.d.ts.map +1 -1
- package/dist/core/audit/checks/malware.js +12 -11
- package/dist/core/audit/checks/malware.js.map +1 -1
- package/dist/core/audit/checks/memory.d.ts.map +1 -1
- package/dist/core/audit/checks/memory.js +12 -11
- package/dist/core/audit/checks/memory.js.map +1 -1
- package/dist/core/audit/checks/network.d.ts.map +1 -1
- package/dist/core/audit/checks/network.js +22 -21
- package/dist/core/audit/checks/network.js.map +1 -1
- package/dist/core/audit/checks/nginx.d.ts.map +1 -1
- package/dist/core/audit/checks/nginx.js +17 -16
- package/dist/core/audit/checks/nginx.js.map +1 -1
- package/dist/core/audit/checks/resourcelimits.d.ts.map +1 -1
- package/dist/core/audit/checks/resourcelimits.js +9 -8
- package/dist/core/audit/checks/resourcelimits.js.map +1 -1
- package/dist/core/audit/checks/scheduling.d.ts.map +1 -1
- package/dist/core/audit/checks/scheduling.js +13 -12
- package/dist/core/audit/checks/scheduling.js.map +1 -1
- package/dist/core/audit/checks/secrets.d.ts.map +1 -1
- package/dist/core/audit/checks/secrets.js +16 -15
- package/dist/core/audit/checks/secrets.js.map +1 -1
- package/dist/core/audit/checks/services.d.ts.map +1 -1
- package/dist/core/audit/checks/services.js +26 -25
- package/dist/core/audit/checks/services.js.map +1 -1
- package/dist/core/audit/checks/ssh.d.ts.map +1 -1
- package/dist/core/audit/checks/ssh.js +23 -22
- package/dist/core/audit/checks/ssh.js.map +1 -1
- package/dist/core/audit/checks/supplychain.d.ts.map +1 -1
- package/dist/core/audit/checks/supplychain.js +13 -12
- package/dist/core/audit/checks/supplychain.js.map +1 -1
- package/dist/core/audit/checks/time.d.ts.map +1 -1
- package/dist/core/audit/checks/time.js +10 -9
- package/dist/core/audit/checks/time.js.map +1 -1
- package/dist/core/audit/checks/tls.d.ts.map +1 -1
- package/dist/core/audit/checks/tls.js +9 -8
- package/dist/core/audit/checks/tls.js.map +1 -1
- package/dist/core/audit/checks/updates.d.ts.map +1 -1
- package/dist/core/audit/checks/updates.js +12 -11
- package/dist/core/audit/checks/updates.js.map +1 -1
- package/dist/core/audit/compliance/categories/index.d.ts +3 -0
- package/dist/core/audit/compliance/categories/index.d.ts.map +1 -0
- package/dist/core/audit/compliance/categories/index.js +737 -0
- package/dist/core/audit/compliance/categories/index.js.map +1 -0
- package/dist/core/audit/compliance/helpers.d.ts +17 -0
- package/dist/core/audit/compliance/helpers.d.ts.map +1 -0
- package/dist/core/audit/compliance/helpers.js +40 -0
- package/dist/core/audit/compliance/helpers.js.map +1 -0
- package/dist/core/audit/compliance/mapper.d.ts +4 -16
- package/dist/core/audit/compliance/mapper.d.ts.map +1 -1
- package/dist/core/audit/compliance/mapper.js +3 -776
- package/dist/core/audit/compliance/mapper.js.map +1 -1
- package/dist/core/audit/fix-history.d.ts +16 -7
- package/dist/core/audit/fix-history.d.ts.map +1 -1
- package/dist/core/audit/fix-history.js +25 -2
- package/dist/core/audit/fix-history.js.map +1 -1
- package/dist/core/audit/fix.d.ts +17 -2
- package/dist/core/audit/fix.d.ts.map +1 -1
- package/dist/core/audit/fix.js +115 -42
- package/dist/core/audit/fix.js.map +1 -1
- package/dist/core/audit/index.d.ts.map +1 -1
- package/dist/core/audit/index.js +3 -2
- package/dist/core/audit/index.js.map +1 -1
- package/dist/core/audit/snapshot.d.ts.map +1 -1
- package/dist/core/audit/snapshot.js +6 -2
- package/dist/core/audit/snapshot.js.map +1 -1
- package/dist/core/audit/types.d.ts +11 -1
- package/dist/core/audit/types.d.ts.map +1 -1
- package/dist/core/audit/watch.d.ts.map +1 -1
- package/dist/core/audit/watch.js +3 -2
- package/dist/core/audit/watch.js.map +1 -1
- package/dist/core/bot/handlers.d.ts.map +1 -1
- package/dist/core/bot/handlers.js +2 -17
- package/dist/core/bot/handlers.js.map +1 -1
- package/dist/core/completions.d.ts.map +1 -1
- package/dist/core/completions.js +24 -2
- package/dist/core/completions.js.map +1 -1
- package/dist/core/doctor-fix.d.ts +1 -1
- package/dist/core/doctor-fix.d.ts.map +1 -1
- package/dist/core/doctor-fix.js +17 -2
- package/dist/core/doctor-fix.js.map +1 -1
- package/dist/core/doctor.d.ts.map +1 -1
- package/dist/core/doctor.js +2 -1
- package/dist/core/doctor.js.map +1 -1
- package/dist/core/firewall.d.ts +0 -1
- package/dist/core/firewall.d.ts.map +1 -1
- package/dist/core/firewall.js +2 -13
- package/dist/core/firewall.js.map +1 -1
- package/dist/core/manage.d.ts.map +1 -1
- package/dist/core/manage.js +2 -1
- package/dist/core/manage.js.map +1 -1
- package/dist/core/notify.d.ts.map +1 -1
- package/dist/core/notify.js +2 -1
- package/dist/core/notify.js.map +1 -1
- package/dist/core/plugin.d.ts +23 -0
- package/dist/core/plugin.d.ts.map +1 -0
- package/dist/core/plugin.js +107 -0
- package/dist/core/plugin.js.map +1 -0
- package/dist/core/scheduleManager.d.ts +2 -1
- package/dist/core/scheduleManager.d.ts.map +1 -1
- package/dist/core/scheduleManager.js +8 -5
- package/dist/core/scheduleManager.js.map +1 -1
- package/dist/index.js +33 -1
- package/dist/index.js.map +1 -1
- package/dist/mcp/index.js +5 -9
- package/dist/mcp/index.js.map +1 -1
- package/dist/mcp/server.d.ts.map +1 -1
- package/dist/mcp/server.js +16 -2
- package/dist/mcp/server.js.map +1 -1
- package/dist/mcp/tools/serverDoctor.js +1 -1
- package/dist/mcp/tools/serverDoctor.js.map +1 -1
- package/dist/mcp/tools/serverFix.d.ts.map +1 -1
- package/dist/mcp/tools/serverFix.js +3 -0
- package/dist/mcp/tools/serverFix.js.map +1 -1
- package/dist/mcp/tools/serverPlugin.d.ts +12 -0
- package/dist/mcp/tools/serverPlugin.d.ts.map +1 -0
- package/dist/mcp/tools/serverPlugin.js +22 -0
- package/dist/mcp/tools/serverPlugin.js.map +1 -0
- package/dist/plugin/loader.d.ts +10 -0
- package/dist/plugin/loader.d.ts.map +1 -0
- package/dist/plugin/loader.js +88 -0
- package/dist/plugin/loader.js.map +1 -0
- package/dist/plugin/registry.d.ts +16 -0
- package/dist/plugin/registry.d.ts.map +1 -0
- package/dist/plugin/registry.js +99 -0
- package/dist/plugin/registry.js.map +1 -0
- package/dist/plugin/sdk/constants.d.ts +3 -0
- package/dist/plugin/sdk/constants.d.ts.map +1 -0
- package/dist/plugin/sdk/constants.js +3 -0
- package/dist/plugin/sdk/constants.js.map +1 -0
- package/dist/plugin/sdk/types.d.ts +29 -0
- package/dist/plugin/sdk/types.d.ts.map +1 -0
- package/dist/plugin/sdk/types.js +2 -0
- package/dist/plugin/sdk/types.js.map +1 -0
- package/dist/plugin/validate.d.ts +3 -0
- package/dist/plugin/validate.d.ts.map +1 -0
- package/dist/plugin/validate.js +31 -0
- package/dist/plugin/validate.js.map +1 -0
- package/dist/providers/base.d.ts.map +1 -1
- package/dist/providers/base.js +2 -1
- package/dist/providers/base.js.map +1 -1
- package/dist/utils/errorMapper.d.ts.map +1 -1
- package/dist/utils/errorMapper.js +2 -1
- package/dist/utils/errorMapper.js.map +1 -1
- package/dist/utils/errors.d.ts +1 -0
- package/dist/utils/errors.d.ts.map +1 -1
- package/dist/utils/errors.js +3 -0
- package/dist/utils/errors.js.map +1 -1
- package/dist/utils/paths.d.ts +4 -0
- package/dist/utils/paths.d.ts.map +1 -1
- package/dist/utils/paths.js +4 -0
- package/dist/utils/paths.js.map +1 -1
- package/dist/utils/secureWrite.d.ts.map +1 -1
- package/dist/utils/secureWrite.js +2 -1
- package/dist/utils/secureWrite.js.map +1 -1
- package/dist/utils/version.d.ts +4 -0
- package/dist/utils/version.d.ts.map +1 -0
- package/dist/utils/version.js +22 -0
- package/dist/utils/version.js.map +1 -0
- package/dist/utils/yamlConfig.d.ts.map +1 -1
- package/dist/utils/yamlConfig.js +3 -2
- package/dist/utils/yamlConfig.js.map +1 -1
- package/package.json +3 -1
|
@@ -2,6 +2,7 @@
|
|
|
2
2
|
* Services security check parser.
|
|
3
3
|
* Detects dangerous legacy services and unnecessary network services.
|
|
4
4
|
*/
|
|
5
|
+
import { CHECK_IDS } from "../checkIds.js";
|
|
5
6
|
/**
|
|
6
7
|
* Check if a specific service status line shows "active".
|
|
7
8
|
* systemctl is-active returns one word per service: active, inactive, unknown, or not-found (on stderr).
|
|
@@ -15,7 +16,7 @@ function isServiceLineActive(output, index) {
|
|
|
15
16
|
const SERVICES_CHECKS = [
|
|
16
17
|
// === Legacy dangerous services (from first systemctl batch) ===
|
|
17
18
|
{
|
|
18
|
-
id:
|
|
19
|
+
id: CHECK_IDS.SERVICES.SVC_NO_TELNET,
|
|
19
20
|
name: "Telnet Service Disabled",
|
|
20
21
|
severity: "critical",
|
|
21
22
|
check: (output) => {
|
|
@@ -31,7 +32,7 @@ const SERVICES_CHECKS = [
|
|
|
31
32
|
explain: "Telnet transmits all data including passwords in cleartext, making it trivially interceptable.",
|
|
32
33
|
},
|
|
33
34
|
{
|
|
34
|
-
id:
|
|
35
|
+
id: CHECK_IDS.SERVICES.SVC_NO_RSH,
|
|
35
36
|
name: "rsh Service Disabled",
|
|
36
37
|
severity: "critical",
|
|
37
38
|
check: (output) => {
|
|
@@ -47,7 +48,7 @@ const SERVICES_CHECKS = [
|
|
|
47
48
|
explain: "Remote Shell (rsh) provides no encryption and uses weak host-based authentication, allowing easy impersonation.",
|
|
48
49
|
},
|
|
49
50
|
{
|
|
50
|
-
id:
|
|
51
|
+
id: CHECK_IDS.SERVICES.SVC_NO_RLOGIN,
|
|
51
52
|
name: "rlogin Service Disabled",
|
|
52
53
|
severity: "warning",
|
|
53
54
|
check: (output) => {
|
|
@@ -63,7 +64,7 @@ const SERVICES_CHECKS = [
|
|
|
63
64
|
explain: "Remote login (rlogin) transmits credentials in cleartext and relies on insecure host trust relationships.",
|
|
64
65
|
},
|
|
65
66
|
{
|
|
66
|
-
id:
|
|
67
|
+
id: CHECK_IDS.SERVICES.SVC_NO_FTP,
|
|
67
68
|
name: "FTP Server Disabled",
|
|
68
69
|
severity: "warning",
|
|
69
70
|
check: (output) => {
|
|
@@ -79,7 +80,7 @@ const SERVICES_CHECKS = [
|
|
|
79
80
|
explain: "FTP transmits credentials and data in cleartext. Use SFTP or SCP over SSH for secure file transfers.",
|
|
80
81
|
},
|
|
81
82
|
{
|
|
82
|
-
id:
|
|
83
|
+
id: CHECK_IDS.SERVICES.SVC_NO_TFTP,
|
|
83
84
|
name: "TFTP Service Disabled",
|
|
84
85
|
severity: "warning",
|
|
85
86
|
check: (output) => {
|
|
@@ -96,7 +97,7 @@ const SERVICES_CHECKS = [
|
|
|
96
97
|
},
|
|
97
98
|
// === Network services (from second systemctl batch) ===
|
|
98
99
|
{
|
|
99
|
-
id:
|
|
100
|
+
id: CHECK_IDS.SERVICES.SVC_NFS_RESTRICTED,
|
|
100
101
|
name: "NFS Server Not Exposed",
|
|
101
102
|
severity: "warning",
|
|
102
103
|
check: (output) => {
|
|
@@ -112,7 +113,7 @@ const SERVICES_CHECKS = [
|
|
|
112
113
|
explain: "NFS shares can expose sensitive files to unauthorized hosts if not properly restricted with exports configuration.",
|
|
113
114
|
},
|
|
114
115
|
{
|
|
115
|
-
id:
|
|
116
|
+
id: CHECK_IDS.SERVICES.SVC_NO_RPCBIND,
|
|
116
117
|
name: "rpcbind Not Running",
|
|
117
118
|
severity: "warning",
|
|
118
119
|
check: (output) => {
|
|
@@ -128,7 +129,7 @@ const SERVICES_CHECKS = [
|
|
|
128
129
|
explain: "rpcbind maps RPC services to ports and is a common target for reconnaissance and amplification attacks.",
|
|
129
130
|
},
|
|
130
131
|
{
|
|
131
|
-
id:
|
|
132
|
+
id: CHECK_IDS.SERVICES.SVC_SAMBA_RESTRICTED,
|
|
132
133
|
name: "Samba Not Exposed",
|
|
133
134
|
severity: "warning",
|
|
134
135
|
check: (output) => {
|
|
@@ -144,7 +145,7 @@ const SERVICES_CHECKS = [
|
|
|
144
145
|
explain: "Samba file sharing on public servers exposes the SMB protocol, which is frequently targeted by ransomware and worms.",
|
|
145
146
|
},
|
|
146
147
|
{
|
|
147
|
-
id:
|
|
148
|
+
id: CHECK_IDS.SERVICES.SVC_NO_AVAHI,
|
|
148
149
|
name: "Avahi Daemon Disabled",
|
|
149
150
|
severity: "info",
|
|
150
151
|
check: (output) => {
|
|
@@ -160,7 +161,7 @@ const SERVICES_CHECKS = [
|
|
|
160
161
|
explain: "Avahi provides mDNS/DNS-SD service discovery intended for desktops, not servers. It increases attack surface unnecessarily.",
|
|
161
162
|
},
|
|
162
163
|
{
|
|
163
|
-
id:
|
|
164
|
+
id: CHECK_IDS.SERVICES.SVC_NO_CUPS,
|
|
164
165
|
name: "CUPS Print Service Disabled",
|
|
165
166
|
severity: "info",
|
|
166
167
|
check: (output) => {
|
|
@@ -176,7 +177,7 @@ const SERVICES_CHECKS = [
|
|
|
176
177
|
explain: "CUPS print service is unnecessary on most servers and has had multiple critical vulnerabilities in recent years.",
|
|
177
178
|
},
|
|
178
179
|
{
|
|
179
|
-
id:
|
|
180
|
+
id: CHECK_IDS.SERVICES.SVC_NO_DHCP_SERVER,
|
|
180
181
|
name: "DHCP Server Disabled",
|
|
181
182
|
severity: "info",
|
|
182
183
|
check: (output) => {
|
|
@@ -192,7 +193,7 @@ const SERVICES_CHECKS = [
|
|
|
192
193
|
explain: "Running a rogue DHCP server on a cloud VPS can disrupt network addressing for other tenants.",
|
|
193
194
|
},
|
|
194
195
|
{
|
|
195
|
-
id:
|
|
196
|
+
id: CHECK_IDS.SERVICES.SVC_NO_DNS_SERVER,
|
|
196
197
|
name: "DNS Server Not Running",
|
|
197
198
|
severity: "info",
|
|
198
199
|
check: (output) => {
|
|
@@ -208,7 +209,7 @@ const SERVICES_CHECKS = [
|
|
|
208
209
|
explain: "An unintended DNS server can be used for DNS amplification attacks and zone information leakage.",
|
|
209
210
|
},
|
|
210
211
|
{
|
|
211
|
-
id:
|
|
212
|
+
id: CHECK_IDS.SERVICES.SVC_NO_SNMP,
|
|
212
213
|
name: "SNMP Service Disabled",
|
|
213
214
|
severity: "warning",
|
|
214
215
|
check: (output) => {
|
|
@@ -224,7 +225,7 @@ const SERVICES_CHECKS = [
|
|
|
224
225
|
explain: "SNMP with default community strings exposes system information and can allow unauthorized configuration changes.",
|
|
225
226
|
},
|
|
226
227
|
{
|
|
227
|
-
id:
|
|
228
|
+
id: CHECK_IDS.SERVICES.SVC_NO_SQUID,
|
|
228
229
|
name: "Squid Proxy Disabled",
|
|
229
230
|
severity: "info",
|
|
230
231
|
check: (output) => {
|
|
@@ -240,7 +241,7 @@ const SERVICES_CHECKS = [
|
|
|
240
241
|
explain: "An open proxy server can be abused to anonymize malicious traffic and may violate hosting provider terms.",
|
|
241
242
|
},
|
|
242
243
|
{
|
|
243
|
-
id:
|
|
244
|
+
id: CHECK_IDS.SERVICES.SVC_NO_XINETD,
|
|
244
245
|
name: "xinetd Service Disabled",
|
|
245
246
|
severity: "warning",
|
|
246
247
|
check: (output) => {
|
|
@@ -256,7 +257,7 @@ const SERVICES_CHECKS = [
|
|
|
256
257
|
explain: "xinetd is a legacy super-server that can spawn insecure services. Modern systemd socket activation is preferred.",
|
|
257
258
|
},
|
|
258
259
|
{
|
|
259
|
-
id:
|
|
260
|
+
id: CHECK_IDS.SERVICES.SVC_NO_YPSERV,
|
|
260
261
|
name: "NIS (ypserv) Disabled",
|
|
261
262
|
severity: "warning",
|
|
262
263
|
check: (output) => {
|
|
@@ -272,7 +273,7 @@ const SERVICES_CHECKS = [
|
|
|
272
273
|
explain: "NIS transmits authentication data in cleartext and is vulnerable to domain-level compromise.",
|
|
273
274
|
},
|
|
274
275
|
{
|
|
275
|
-
id:
|
|
276
|
+
id: CHECK_IDS.SERVICES.SVC_NO_INETD,
|
|
276
277
|
name: "No Dangerous inetd Entries",
|
|
277
278
|
severity: "warning",
|
|
278
279
|
check: (output) => {
|
|
@@ -293,7 +294,7 @@ const SERVICES_CHECKS = [
|
|
|
293
294
|
explain: "The inetd super-server can silently spawn legacy insecure services that bypass systemd management.",
|
|
294
295
|
},
|
|
295
296
|
{
|
|
296
|
-
id:
|
|
297
|
+
id: CHECK_IDS.SERVICES.SVC_NO_CHARGEN,
|
|
297
298
|
name: "chargen Service Disabled",
|
|
298
299
|
severity: "warning",
|
|
299
300
|
check: (output) => {
|
|
@@ -309,7 +310,7 @@ const SERVICES_CHECKS = [
|
|
|
309
310
|
explain: "The chargen service generates character streams and is commonly exploited in amplification DDoS attacks.",
|
|
310
311
|
},
|
|
311
312
|
{
|
|
312
|
-
id:
|
|
313
|
+
id: CHECK_IDS.SERVICES.SVC_NO_DAYTIME,
|
|
313
314
|
name: "daytime Service Disabled",
|
|
314
315
|
severity: "info",
|
|
315
316
|
check: (output) => {
|
|
@@ -325,7 +326,7 @@ const SERVICES_CHECKS = [
|
|
|
325
326
|
explain: "The daytime protocol is obsolete and can be used in amplification attacks against third parties.",
|
|
326
327
|
},
|
|
327
328
|
{
|
|
328
|
-
id:
|
|
329
|
+
id: CHECK_IDS.SERVICES.SVC_NO_DISCARD,
|
|
329
330
|
name: "discard Service Disabled",
|
|
330
331
|
severity: "info",
|
|
331
332
|
check: (output) => {
|
|
@@ -341,7 +342,7 @@ const SERVICES_CHECKS = [
|
|
|
341
342
|
explain: "The discard service silently drops all received data and provides no useful function on modern servers.",
|
|
342
343
|
},
|
|
343
344
|
{
|
|
344
|
-
id:
|
|
345
|
+
id: CHECK_IDS.SERVICES.SVC_NO_ECHO_SVC,
|
|
345
346
|
name: "echo Service Disabled",
|
|
346
347
|
severity: "info",
|
|
347
348
|
check: (output) => {
|
|
@@ -358,7 +359,7 @@ const SERVICES_CHECKS = [
|
|
|
358
359
|
explain: "The echo network service can be paired with chargen to create infinite traffic loops between hosts.",
|
|
359
360
|
},
|
|
360
361
|
{
|
|
361
|
-
id:
|
|
362
|
+
id: CHECK_IDS.SERVICES.SVC_RUNNING_COUNT_REASONABLE,
|
|
362
363
|
name: "Running Service Count Reasonable",
|
|
363
364
|
severity: "info",
|
|
364
365
|
check: (output) => {
|
|
@@ -394,7 +395,7 @@ const SERVICES_CHECKS = [
|
|
|
394
395
|
},
|
|
395
396
|
// NEW checks (Wave 1 gap closure)
|
|
396
397
|
{
|
|
397
|
-
id:
|
|
398
|
+
id: CHECK_IDS.SERVICES.SVC_NO_WILDCARD_LISTENERS,
|
|
398
399
|
name: "No Excessive Wildcard Listeners",
|
|
399
400
|
severity: "warning",
|
|
400
401
|
check: (output) => {
|
|
@@ -433,7 +434,7 @@ const SERVICES_CHECKS = [
|
|
|
433
434
|
explain: "Services listening on 0.0.0.0 accept connections on all network interfaces, increasing attack surface from untrusted networks.",
|
|
434
435
|
},
|
|
435
436
|
{
|
|
436
|
-
id:
|
|
437
|
+
id: CHECK_IDS.SERVICES.SVC_NO_XINETD_SERVICES,
|
|
437
438
|
name: "xinetd Legacy Service Disabled",
|
|
438
439
|
severity: "info",
|
|
439
440
|
check: (output) => {
|
|
@@ -453,7 +454,7 @@ const SERVICES_CHECKS = [
|
|
|
453
454
|
explain: "xinetd is a legacy super-daemon with known security weaknesses; modern systems should use systemd socket activation instead.",
|
|
454
455
|
},
|
|
455
456
|
{
|
|
456
|
-
id:
|
|
457
|
+
id: CHECK_IDS.SERVICES.SVC_NO_WORLD_READABLE_CONFIGS,
|
|
457
458
|
name: "No World-Readable Service Configs",
|
|
458
459
|
severity: "info",
|
|
459
460
|
check: (output) => {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"services.js","sourceRoot":"","sources":["../../../../src/core/audit/checks/services.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAkBH;;;GAGG;AACH,SAAS,mBAAmB,CAAC,MAAc,EAAE,KAAa;IACxD,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAChE,IAAI,KAAK,IAAI,KAAK,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACxC,OAAO,KAAK,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,KAAK,QAAQ,CAAC;AAC1C,CAAC;AAED,MAAM,eAAe,GAAuB;IAC1C,iEAAiE;IACjE;QACE,EAAE,EAAE,eAAe;QACnB,IAAI,EAAE,yBAAyB;QAC/B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,MAAM,GAAG,yBAAyB,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,mBAAmB,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;YACxF,OAAO;gBACL,MAAM,EAAE,CAAC,MAAM;gBACf,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,uBAAuB;aACpE,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,0CAA0C;QACzD,UAAU,EAAE,2EAA2E;QACvF,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,gGAAgG;KACnG;IACD;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,MAAM,GAAG,sBAAsB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACnD,OAAO;gBACL,MAAM,EAAE,CAAC,MAAM;gBACf,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,oBAAoB;aAC9D,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,uCAAuC;QACtD,UAAU,EAAE,wEAAwE;QACpF,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,iHAAiH;KACpH;IACD;QACE,EAAE,EAAE,eAAe;QACnB,IAAI,EAAE,yBAAyB;QAC/B,QAAQ,EAAE,SAAS;QACnB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,MAAM,GAAG,yBAAyB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACtD,OAAO;gBACL,MAAM,EAAE,CAAC,MAAM;gBACf,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,uBAAuB;aACpE,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,0CAA0C;QACzD,UAAU,EAAE,mDAAmD;QAC/D,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,2GAA2G;KAC9G;IACD;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,qBAAqB;QAC3B,QAAQ,EAAE,SAAS;QACnB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,MAAM,GAAG,yBAAyB,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,sBAAsB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC7F,OAAO;gBACL,MAAM,EAAE,CAAC,MAAM;gBACf,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,2BAA2B;aAC5E,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,uCAAuC;QACtD,UAAU,EAAE,mDAAmD;QAC/D,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,sGAAsG;KACzG;IACD;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,uBAAuB;QAC7B,QAAQ,EAAE,SAAS;QACnB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,MAAM,GAAG,wBAAwB,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,uBAAuB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC7F,OAAO;gBACL,MAAM,EAAE,CAAC,MAAM;gBACf,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,qBAAqB;aAChE,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,wCAAwC;QACvD,UAAU,EAAE,yDAAyD;QACrE,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,uGAAuG;KAC1G;IAED,yDAAyD;IACzD;QACE,EAAE,EAAE,oBAAoB;QACxB,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,SAAS;QACnB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,MAAM,GAAG,6BAA6B,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC1D,OAAO;gBACL,MAAM,EAAE,CAAC,MAAM;gBACf,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,uBAAuB,CAAC,CAAC,CAAC,2BAA2B;aAC7E,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,gDAAgD;QAC/D,UAAU,EAAE,2DAA2D;QACvE,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,oHAAoH;KACvH;IACD;QACE,EAAE,EAAE,gBAAgB;QACpB,IAAI,EAAE,qBAAqB;QAC3B,QAAQ,EAAE,SAAS;QACnB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,MAAM,GAAG,0BAA0B,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACvD,OAAO;gBACL,MAAM,EAAE,CAAC,MAAM;gBACf,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,wBAAwB;aACvE,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,yCAAyC;QACxD,UAAU,EAAE,qDAAqD;QACjE,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,yGAAyG;KAC5G;IACD;QACE,EAAE,EAAE,sBAAsB;QAC1B,IAAI,EAAE,mBAAmB;QACzB,QAAQ,EAAE,SAAS;QACnB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,MAAM,GAAG,uBAAuB,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,uBAAuB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC5F,OAAO;gBACL,MAAM,EAAE,CAAC,MAAM;gBACf,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,sBAAsB;aACnE,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,gDAAgD;QAC/D,UAAU,EAAE,yDAAyD;QACrE,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,sHAAsH;KACzH;IACD;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,uBAAuB;QAC7B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,MAAM,GAAG,+BAA+B,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC5D,OAAO;gBACL,MAAM,EAAE,CAAC,MAAM;gBACf,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,yBAAyB,CAAC,CAAC,CAAC,6BAA6B;aACjF,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,kCAAkC;QACjD,UAAU,EAAE,+DAA+D;QAC3E,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,6HAA6H;KAChI;IACD;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,MAAM,GAAG,uBAAuB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACpD,OAAO;gBACL,MAAM,EAAE,CAAC,MAAM;gBACf,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,qBAAqB;aACjE,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,0CAA0C;QACzD,UAAU,EAAE,+CAA+C;QAC3D,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,kHAAkH;KACrH;IACD;QACE,EAAE,EAAE,oBAAoB;QACxB,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,MAAM,GAAG,kCAAkC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC/D,OAAO;gBACL,MAAM,EAAE,CAAC,MAAM;gBACf,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,wBAAwB,CAAC,CAAC,CAAC,4BAA4B;aAC/E,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,sCAAsC;QACrD,UAAU,EAAE,qEAAqE;QACjF,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,8FAA8F;KACjG;IACD;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,MAAM,GAAG,wBAAwB,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,wBAAwB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC9F,OAAO;gBACL,MAAM,EAAE,CAAC,MAAM;gBACf,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,uBAAuB,CAAC,CAAC,CAAC,2BAA2B;aAC7E,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,gDAAgD;QAC/D,UAAU,EAAE,iDAAiD;QAC7D,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,kGAAkG;KACrG;IACD;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,uBAAuB;QAC7B,QAAQ,EAAE,SAAS;QACnB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,MAAM,GAAG,wBAAwB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACrD,OAAO;gBACL,MAAM,EAAE,CAAC,MAAM;gBACf,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,qBAAqB;aACjE,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,6CAA6C;QAC5D,UAAU,EAAE,iDAAiD;QAC7D,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,kHAAkH;KACrH;IACD;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,MAAM,GAAG,wBAAwB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACrD,OAAO;gBACL,MAAM,EAAE,CAAC,MAAM;gBACf,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,wBAAwB,CAAC,CAAC,CAAC,4BAA4B;aAC/E,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,yCAAyC;QACxD,UAAU,EAAE,iDAAiD;QAC7D,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,2GAA2G;KAC9G;IACD;QACE,EAAE,EAAE,eAAe;QACnB,IAAI,EAAE,yBAAyB;QAC/B,QAAQ,EAAE,SAAS;QACnB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,MAAM,GAAG,yBAAyB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACtD,OAAO;gBACL,MAAM,EAAE,CAAC,MAAM;gBACf,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC,uBAAuB;aACrE,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,yDAAyD;QACxE,UAAU,EAAE,mDAAmD;QAC/D,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,kHAAkH;KACrH;IACD;QACE,EAAE,EAAE,eAAe;QACnB,IAAI,EAAE,uBAAuB;QAC7B,QAAQ,EAAE,SAAS;QACnB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,MAAM,GAAG,yBAAyB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACtD,OAAO;gBACL,MAAM,EAAE,CAAC,MAAM;gBACf,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,oBAAoB;aAC/D,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,0DAA0D;QACzE,UAAU,EAAE,mDAAmD;QAC/D,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,8FAA8F;KACjG;IACD;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,SAAS;QACnB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;gBACzD,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,uCAAuC,EAAE,CAAC;YACjF,CAAC;YACD,MAAM,SAAS,GAAG,8DAA8D,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC9F,OAAO;gBACL,MAAM,EAAE,CAAC,SAAS;gBAClB,YAAY,EAAE,SAAS;oBACrB,CAAC,CAAC,wCAAwC;oBAC1C,CAAC,CAAC,4BAA4B;aACjC,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,qCAAqC;QACpD,UAAU,EAAE,qDAAqD;QACjE,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,oGAAoG;KACvG;IACD;QACE,EAAE,EAAE,gBAAgB;QACpB,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,SAAS;QACnB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,UAAU,GAAG,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YAC3E,OAAO;gBACL,MAAM,EAAE,CAAC,UAAU;gBACnB,YAAY,EAAE,UAAU,CAAC,CAAC,CAAC,uBAAuB,CAAC,CAAC,CAAC,mBAAmB;aACzE,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,2CAA2C;QAC1D,UAAU,EAAE,gEAAgE;QAC5E,aAAa,EAAE,SAAS;QACxB,OAAO,EACL,0GAA0G;KAC7G;IACD;QACE,EAAE,EAAE,gBAAgB;QACpB,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,UAAU,GAAG,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YAC3E,OAAO;gBACL,MAAM,EAAE,CAAC,UAAU;gBACnB,YAAY,EAAE,UAAU,CAAC,CAAC,CAAC,uBAAuB,CAAC,CAAC,CAAC,mBAAmB;aACzE,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,2CAA2C;QAC1D,UAAU,EAAE,gEAAgE;QAC5E,aAAa,EAAE,SAAS;QACxB,OAAO,EACL,kGAAkG;KACrG;IACD;QACE,EAAE,EAAE,gBAAgB;QACpB,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,UAAU,GAAG,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YAC3E,OAAO;gBACL,MAAM,EAAE,CAAC,UAAU;gBACnB,YAAY,EAAE,UAAU,CAAC,CAAC,CAAC,uBAAuB,CAAC,CAAC,CAAC,mBAAmB;aACzE,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,2CAA2C;QAC1D,UAAU,EAAE,gEAAgE;QAC5E,aAAa,EAAE,SAAS;QACxB,OAAO,EACL,yGAAyG;KAC5G;IACD;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,uBAAuB;QAC7B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,4DAA4D;YAC5D,MAAM,UAAU,GAAG,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YAC3E,OAAO;gBACL,MAAM,EAAE,CAAC,UAAU;gBACnB,YAAY,EAAE,UAAU,CAAC,CAAC,CAAC,6BAA6B,CAAC,CAAC,CAAC,wBAAwB;aACpF,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,wCAAwC;QACvD,UAAU,EAAE,8DAA8D;QAC1E,aAAa,EAAE,SAAS;QACxB,OAAO,EACL,qGAAqG;KACxG;IACD;QACE,EAAE,EAAE,8BAA8B;QAClC,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,qEAAqE;YACrE,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACjC,IAAI,YAAY,GAAkB,IAAI,CAAC;YACvC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC5B,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;oBAC1B,MAAM,GAAG,GAAG,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;oBAClC,oDAAoD;oBACpD,IAAI,GAAG,GAAG,CAAC,IAAI,GAAG,GAAG,GAAG,EAAE,CAAC;wBACzB,YAAY,GAAG,GAAG,CAAC;wBACnB,MAAM;oBACR,CAAC;gBACH,CAAC;YACH,CAAC;YACD,IAAI,YAAY,KAAK,IAAI,EAAE,CAAC;gBAC1B,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,wCAAwC,EAAE,CAAC;YAClF,CAAC;YACD,MAAM,MAAM,GAAG,YAAY,GAAG,EAAE,CAAC;YACjC,OAAO;gBACL,MAAM;gBACN,YAAY,EAAE,MAAM;oBAClB,CAAC,CAAC,GAAG,YAAY,gCAAgC;oBACjD,CAAC,CAAC,GAAG,YAAY,wCAAwC;aAC5D,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,gCAAgC;QAC/C,UAAU,EAAE,sHAAsH;QAClI,aAAa,EAAE,SAAS;QACxB,OAAO,EACL,4GAA4G;KAC/G;IACD,kCAAkC;IAClC;QACE,EAAE,EAAE,2BAA2B;QAC/B,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,SAAS;QACnB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,qEAAqE;YACrE,6FAA6F;YAC7F,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACjC,IAAI,aAAa,GAAkB,IAAI,CAAC;YACxC,IAAI,oBAAoB,GAAG,CAAC,CAAC;YAC7B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC5B,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;oBAC1B,MAAM,GAAG,GAAG,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;oBAClC,IAAI,GAAG,IAAI,CAAC,IAAI,GAAG,GAAG,IAAI,EAAE,CAAC;wBAC3B,oBAAoB,EAAE,CAAC;wBACvB,IAAI,oBAAoB,KAAK,CAAC,EAAE,CAAC;4BAC/B,aAAa,GAAG,GAAG,CAAC;4BACpB,MAAM;wBACR,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;YACD,IAAI,aAAa,KAAK,IAAI,EAAE,CAAC;gBAC3B,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,0CAA0C,EAAE,CAAC;YACpF,CAAC;YACD,MAAM,MAAM,GAAG,aAAa,IAAI,CAAC,CAAC;YAClC,OAAO;gBACL,MAAM;gBACN,YAAY,EAAE,MAAM;oBAClB,CAAC,CAAC,GAAG,aAAa,+CAA+C;oBACjE,CAAC,CAAC,GAAG,aAAa,uDAAuD;aAC5E,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,0CAA0C;QACzD,UAAU,EAAE,mFAAmF;QAC/F,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,gIAAgI;KACnI;IACD;QACE,EAAE,EAAE,wBAAwB;QAC5B,IAAI,EAAE,gCAAgC;QACtC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,6DAA6D;YAC7D,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YACtE,iEAAiE;YACjE,MAAM,YAAY,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,QAAQ,CAAC,IAAI,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACjF,MAAM,QAAQ,GAAG,YAAY,IAAI,CAAC,yBAAyB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;YAC1E,OAAO;gBACL,MAAM,EAAE,CAAC,QAAQ;gBACjB,YAAY,EAAE,QAAQ,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,uBAAuB;aACtE,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,kCAAkC;QACjD,UAAU,EAAE,uEAAuE;QACnF,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,8HAA8H;KACjI;IACD;QACE,EAAE,EAAE,+BAA+B;QACnC,IAAI,EAAE,mCAAmC;QACzC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,iEAAiE;YACjE,8EAA8E;YAC9E,2EAA2E;YAC3E,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YACtE,yFAAyF;YACzF,MAAM,WAAW,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;YAClF,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC3B,OAAO;oBACL,MAAM,EAAE,KAAK;oBACb,YAAY,EAAE,GAAG,WAAW,CAAC,MAAM,yCAAyC;iBAC7E,CAAC;YACJ,CAAC;YACD,sEAAsE;YACtE,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;YACzC,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;gBACxB,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,YAAY,EAAE,CAAC;YACtD,CAAC;YACD,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,YAAY,EAAE,CAAC;QACtD,CAAC;QACD,aAAa,EAAE,uDAAuD;QACtE,UAAU,EAAE,qEAAqE;QACjF,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,mIAAmI;KACtI;CACF,CAAC;AAEF,MAAM,CAAC,MAAM,mBAAmB,GAAgB,CAC9C,aAAqB,EACrB,SAAiB,EACH,EAAE;IAChB,MAAM,IAAI,GACR,CAAC,aAAa;QACd,aAAa,CAAC,IAAI,EAAE,KAAK,KAAK;QAC9B,aAAa,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC;IAC9B,MAAM,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC;IAEzC,OAAO,eAAe,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;QACjC,IAAI,IAAI,EAAE,CAAC;YACT,OAAO;gBACL,EAAE,EAAE,GAAG,CAAC,EAAE;gBACV,QAAQ,EAAE,UAAU;gBACpB,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,QAAQ,EAAE,GAAG,CAAC,QAAQ;gBACtB,MAAM,EAAE,KAAK;gBACb,YAAY,EAAE,qBAAqB;gBACnC,aAAa,EAAE,GAAG,CAAC,aAAa;gBAChC,UAAU,EAAE,GAAG,CAAC,UAAU;gBAE1B,aAAa,EAAE,GAAG,CAAC,aAAa;gBAChC,OAAO,EAAE,GAAG,CAAC,OAAO;aACrB,CAAC;QACJ,CAAC;QACD,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,GAAG,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACnD,OAAO;YACL,EAAE,EAAE,GAAG,CAAC,EAAE;YACV,QAAQ,EAAE,UAAU;YACpB,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,QAAQ,EAAE,GAAG,CAAC,QAAQ;YACtB,MAAM;YACN,YAAY;YACZ,aAAa,EAAE,GAAG,CAAC,aAAa;YAChC,UAAU,EAAE,GAAG,CAAC,UAAU;YAE1B,aAAa,EAAE,GAAG,CAAC,aAAa;YAChC,OAAO,EAAE,GAAG,CAAC,OAAO;SACrB,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC"}
|
|
1
|
+
{"version":3,"file":"services.js","sourceRoot":"","sources":["../../../../src/core/audit/checks/services.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAe3C;;;GAGG;AACH,SAAS,mBAAmB,CAAC,MAAc,EAAE,KAAa;IACxD,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAChE,IAAI,KAAK,IAAI,KAAK,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACxC,OAAO,KAAK,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,KAAK,QAAQ,CAAC;AAC1C,CAAC;AAED,MAAM,eAAe,GAAuB;IAC1C,iEAAiE;IACjE;QACE,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,aAAa;QACpC,IAAI,EAAE,yBAAyB;QAC/B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,MAAM,GAAG,yBAAyB,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,mBAAmB,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;YACxF,OAAO;gBACL,MAAM,EAAE,CAAC,MAAM;gBACf,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,uBAAuB;aACpE,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,0CAA0C;QACzD,UAAU,EAAE,2EAA2E;QACvF,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,gGAAgG;KACnG;IACD;QACE,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,UAAU;QACjC,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,MAAM,GAAG,sBAAsB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACnD,OAAO;gBACL,MAAM,EAAE,CAAC,MAAM;gBACf,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,oBAAoB;aAC9D,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,uCAAuC;QACtD,UAAU,EAAE,wEAAwE;QACpF,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,iHAAiH;KACpH;IACD;QACE,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,aAAa;QACpC,IAAI,EAAE,yBAAyB;QAC/B,QAAQ,EAAE,SAAS;QACnB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,MAAM,GAAG,yBAAyB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACtD,OAAO;gBACL,MAAM,EAAE,CAAC,MAAM;gBACf,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,uBAAuB;aACpE,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,0CAA0C;QACzD,UAAU,EAAE,mDAAmD;QAC/D,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,2GAA2G;KAC9G;IACD;QACE,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,UAAU;QACjC,IAAI,EAAE,qBAAqB;QAC3B,QAAQ,EAAE,SAAS;QACnB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,MAAM,GAAG,yBAAyB,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,sBAAsB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC7F,OAAO;gBACL,MAAM,EAAE,CAAC,MAAM;gBACf,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,2BAA2B;aAC5E,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,uCAAuC;QACtD,UAAU,EAAE,mDAAmD;QAC/D,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,sGAAsG;KACzG;IACD;QACE,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,WAAW;QAClC,IAAI,EAAE,uBAAuB;QAC7B,QAAQ,EAAE,SAAS;QACnB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,MAAM,GAAG,wBAAwB,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,uBAAuB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC7F,OAAO;gBACL,MAAM,EAAE,CAAC,MAAM;gBACf,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,qBAAqB;aAChE,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,wCAAwC;QACvD,UAAU,EAAE,yDAAyD;QACrE,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,uGAAuG;KAC1G;IAED,yDAAyD;IACzD;QACE,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,kBAAkB;QACzC,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,SAAS;QACnB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,MAAM,GAAG,6BAA6B,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC1D,OAAO;gBACL,MAAM,EAAE,CAAC,MAAM;gBACf,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,uBAAuB,CAAC,CAAC,CAAC,2BAA2B;aAC7E,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,gDAAgD;QAC/D,UAAU,EAAE,2DAA2D;QACvE,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,oHAAoH;KACvH;IACD;QACE,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,cAAc;QACrC,IAAI,EAAE,qBAAqB;QAC3B,QAAQ,EAAE,SAAS;QACnB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,MAAM,GAAG,0BAA0B,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACvD,OAAO;gBACL,MAAM,EAAE,CAAC,MAAM;gBACf,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,wBAAwB;aACvE,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,yCAAyC;QACxD,UAAU,EAAE,qDAAqD;QACjE,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,yGAAyG;KAC5G;IACD;QACE,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,oBAAoB;QAC3C,IAAI,EAAE,mBAAmB;QACzB,QAAQ,EAAE,SAAS;QACnB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,MAAM,GAAG,uBAAuB,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,uBAAuB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC5F,OAAO;gBACL,MAAM,EAAE,CAAC,MAAM;gBACf,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,sBAAsB;aACnE,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,gDAAgD;QAC/D,UAAU,EAAE,yDAAyD;QACrE,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,sHAAsH;KACzH;IACD;QACE,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,YAAY;QACnC,IAAI,EAAE,uBAAuB;QAC7B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,MAAM,GAAG,+BAA+B,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC5D,OAAO;gBACL,MAAM,EAAE,CAAC,MAAM;gBACf,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,yBAAyB,CAAC,CAAC,CAAC,6BAA6B;aACjF,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,kCAAkC;QACjD,UAAU,EAAE,+DAA+D;QAC3E,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,6HAA6H;KAChI;IACD;QACE,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,WAAW;QAClC,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,MAAM,GAAG,uBAAuB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACpD,OAAO;gBACL,MAAM,EAAE,CAAC,MAAM;gBACf,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,qBAAqB;aACjE,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,0CAA0C;QACzD,UAAU,EAAE,+CAA+C;QAC3D,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,kHAAkH;KACrH;IACD;QACE,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,kBAAkB;QACzC,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,MAAM,GAAG,kCAAkC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC/D,OAAO;gBACL,MAAM,EAAE,CAAC,MAAM;gBACf,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,wBAAwB,CAAC,CAAC,CAAC,4BAA4B;aAC/E,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,sCAAsC;QACrD,UAAU,EAAE,qEAAqE;QACjF,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,8FAA8F;KACjG;IACD;QACE,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,iBAAiB;QACxC,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,MAAM,GAAG,wBAAwB,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,wBAAwB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC9F,OAAO;gBACL,MAAM,EAAE,CAAC,MAAM;gBACf,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,uBAAuB,CAAC,CAAC,CAAC,2BAA2B;aAC7E,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,gDAAgD;QAC/D,UAAU,EAAE,iDAAiD;QAC7D,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,kGAAkG;KACrG;IACD;QACE,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,WAAW;QAClC,IAAI,EAAE,uBAAuB;QAC7B,QAAQ,EAAE,SAAS;QACnB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,MAAM,GAAG,wBAAwB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACrD,OAAO;gBACL,MAAM,EAAE,CAAC,MAAM;gBACf,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,qBAAqB;aACjE,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,6CAA6C;QAC5D,UAAU,EAAE,iDAAiD;QAC7D,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,kHAAkH;KACrH;IACD;QACE,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,YAAY;QACnC,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,MAAM,GAAG,wBAAwB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACrD,OAAO;gBACL,MAAM,EAAE,CAAC,MAAM;gBACf,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,wBAAwB,CAAC,CAAC,CAAC,4BAA4B;aAC/E,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,yCAAyC;QACxD,UAAU,EAAE,iDAAiD;QAC7D,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,2GAA2G;KAC9G;IACD;QACE,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,aAAa;QACpC,IAAI,EAAE,yBAAyB;QAC/B,QAAQ,EAAE,SAAS;QACnB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,MAAM,GAAG,yBAAyB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACtD,OAAO;gBACL,MAAM,EAAE,CAAC,MAAM;gBACf,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC,uBAAuB;aACrE,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,yDAAyD;QACxE,UAAU,EAAE,mDAAmD;QAC/D,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,kHAAkH;KACrH;IACD;QACE,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,aAAa;QACpC,IAAI,EAAE,uBAAuB;QAC7B,QAAQ,EAAE,SAAS;QACnB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,MAAM,GAAG,yBAAyB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACtD,OAAO;gBACL,MAAM,EAAE,CAAC,MAAM;gBACf,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,oBAAoB;aAC/D,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,0DAA0D;QACzE,UAAU,EAAE,mDAAmD;QAC/D,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,8FAA8F;KACjG;IACD;QACE,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,YAAY;QACnC,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,SAAS;QACnB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;gBACzD,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,uCAAuC,EAAE,CAAC;YACjF,CAAC;YACD,MAAM,SAAS,GAAG,8DAA8D,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC9F,OAAO;gBACL,MAAM,EAAE,CAAC,SAAS;gBAClB,YAAY,EAAE,SAAS;oBACrB,CAAC,CAAC,wCAAwC;oBAC1C,CAAC,CAAC,4BAA4B;aACjC,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,qCAAqC;QACpD,UAAU,EAAE,qDAAqD;QACjE,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,oGAAoG;KACvG;IACD;QACE,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,cAAc;QACrC,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,SAAS;QACnB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,UAAU,GAAG,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YAC3E,OAAO;gBACL,MAAM,EAAE,CAAC,UAAU;gBACnB,YAAY,EAAE,UAAU,CAAC,CAAC,CAAC,uBAAuB,CAAC,CAAC,CAAC,mBAAmB;aACzE,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,2CAA2C;QAC1D,UAAU,EAAE,gEAAgE;QAC5E,aAAa,EAAE,SAAS;QACxB,OAAO,EACL,0GAA0G;KAC7G;IACD;QACE,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,cAAc;QACrC,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,UAAU,GAAG,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YAC3E,OAAO;gBACL,MAAM,EAAE,CAAC,UAAU;gBACnB,YAAY,EAAE,UAAU,CAAC,CAAC,CAAC,uBAAuB,CAAC,CAAC,CAAC,mBAAmB;aACzE,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,2CAA2C;QAC1D,UAAU,EAAE,gEAAgE;QAC5E,aAAa,EAAE,SAAS;QACxB,OAAO,EACL,kGAAkG;KACrG;IACD;QACE,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,cAAc;QACrC,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,MAAM,UAAU,GAAG,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YAC3E,OAAO;gBACL,MAAM,EAAE,CAAC,UAAU;gBACnB,YAAY,EAAE,UAAU,CAAC,CAAC,CAAC,uBAAuB,CAAC,CAAC,CAAC,mBAAmB;aACzE,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,2CAA2C;QAC1D,UAAU,EAAE,gEAAgE;QAC5E,aAAa,EAAE,SAAS;QACxB,OAAO,EACL,yGAAyG;KAC5G;IACD;QACE,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,eAAe;QACtC,IAAI,EAAE,uBAAuB;QAC7B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,4DAA4D;YAC5D,MAAM,UAAU,GAAG,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YAC3E,OAAO;gBACL,MAAM,EAAE,CAAC,UAAU;gBACnB,YAAY,EAAE,UAAU,CAAC,CAAC,CAAC,6BAA6B,CAAC,CAAC,CAAC,wBAAwB;aACpF,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,wCAAwC;QACvD,UAAU,EAAE,8DAA8D;QAC1E,aAAa,EAAE,SAAS;QACxB,OAAO,EACL,qGAAqG;KACxG;IACD;QACE,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,4BAA4B;QACnD,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,qEAAqE;YACrE,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACjC,IAAI,YAAY,GAAkB,IAAI,CAAC;YACvC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC5B,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;oBAC1B,MAAM,GAAG,GAAG,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;oBAClC,oDAAoD;oBACpD,IAAI,GAAG,GAAG,CAAC,IAAI,GAAG,GAAG,GAAG,EAAE,CAAC;wBACzB,YAAY,GAAG,GAAG,CAAC;wBACnB,MAAM;oBACR,CAAC;gBACH,CAAC;YACH,CAAC;YACD,IAAI,YAAY,KAAK,IAAI,EAAE,CAAC;gBAC1B,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,wCAAwC,EAAE,CAAC;YAClF,CAAC;YACD,MAAM,MAAM,GAAG,YAAY,GAAG,EAAE,CAAC;YACjC,OAAO;gBACL,MAAM;gBACN,YAAY,EAAE,MAAM;oBAClB,CAAC,CAAC,GAAG,YAAY,gCAAgC;oBACjD,CAAC,CAAC,GAAG,YAAY,wCAAwC;aAC5D,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,gCAAgC;QAC/C,UAAU,EAAE,sHAAsH;QAClI,aAAa,EAAE,SAAS;QACxB,OAAO,EACL,4GAA4G;KAC/G;IACD,kCAAkC;IAClC;QACE,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,yBAAyB;QAChD,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,SAAS;QACnB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,qEAAqE;YACrE,6FAA6F;YAC7F,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACjC,IAAI,aAAa,GAAkB,IAAI,CAAC;YACxC,IAAI,oBAAoB,GAAG,CAAC,CAAC;YAC7B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC5B,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;oBAC1B,MAAM,GAAG,GAAG,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;oBAClC,IAAI,GAAG,IAAI,CAAC,IAAI,GAAG,GAAG,IAAI,EAAE,CAAC;wBAC3B,oBAAoB,EAAE,CAAC;wBACvB,IAAI,oBAAoB,KAAK,CAAC,EAAE,CAAC;4BAC/B,aAAa,GAAG,GAAG,CAAC;4BACpB,MAAM;wBACR,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;YACD,IAAI,aAAa,KAAK,IAAI,EAAE,CAAC;gBAC3B,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,0CAA0C,EAAE,CAAC;YACpF,CAAC;YACD,MAAM,MAAM,GAAG,aAAa,IAAI,CAAC,CAAC;YAClC,OAAO;gBACL,MAAM;gBACN,YAAY,EAAE,MAAM;oBAClB,CAAC,CAAC,GAAG,aAAa,+CAA+C;oBACjE,CAAC,CAAC,GAAG,aAAa,uDAAuD;aAC5E,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,0CAA0C;QACzD,UAAU,EAAE,mFAAmF;QAC/F,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,gIAAgI;KACnI;IACD;QACE,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,sBAAsB;QAC7C,IAAI,EAAE,gCAAgC;QACtC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,6DAA6D;YAC7D,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YACtE,iEAAiE;YACjE,MAAM,YAAY,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,QAAQ,CAAC,IAAI,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACjF,MAAM,QAAQ,GAAG,YAAY,IAAI,CAAC,yBAAyB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;YAC1E,OAAO;gBACL,MAAM,EAAE,CAAC,QAAQ;gBACjB,YAAY,EAAE,QAAQ,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,uBAAuB;aACtE,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,kCAAkC;QACjD,UAAU,EAAE,uEAAuE;QACnF,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,8HAA8H;KACjI;IACD;QACE,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,6BAA6B;QACpD,IAAI,EAAE,mCAAmC;QACzC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,iEAAiE;YACjE,8EAA8E;YAC9E,2EAA2E;YAC3E,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YACtE,yFAAyF;YACzF,MAAM,WAAW,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;YAClF,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC3B,OAAO;oBACL,MAAM,EAAE,KAAK;oBACb,YAAY,EAAE,GAAG,WAAW,CAAC,MAAM,yCAAyC;iBAC7E,CAAC;YACJ,CAAC;YACD,sEAAsE;YACtE,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;YACzC,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;gBACxB,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,YAAY,EAAE,CAAC;YACtD,CAAC;YACD,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,YAAY,EAAE,CAAC;QACtD,CAAC;QACD,aAAa,EAAE,uDAAuD;QACtE,UAAU,EAAE,qEAAqE;QACjF,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,mIAAmI;KACtI;CACF,CAAC;AAEF,MAAM,CAAC,MAAM,mBAAmB,GAAgB,CAC9C,aAAqB,EACrB,SAAiB,EACH,EAAE;IAChB,MAAM,IAAI,GACR,CAAC,aAAa;QACd,aAAa,CAAC,IAAI,EAAE,KAAK,KAAK;QAC9B,aAAa,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC;IAC9B,MAAM,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC;IAEzC,OAAO,eAAe,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;QACjC,IAAI,IAAI,EAAE,CAAC;YACT,OAAO;gBACL,EAAE,EAAE,GAAG,CAAC,EAAE;gBACV,QAAQ,EAAE,UAAU;gBACpB,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,QAAQ,EAAE,GAAG,CAAC,QAAQ;gBACtB,MAAM,EAAE,KAAK;gBACb,YAAY,EAAE,qBAAqB;gBACnC,aAAa,EAAE,GAAG,CAAC,aAAa;gBAChC,UAAU,EAAE,GAAG,CAAC,UAAU;gBAC1B,aAAa,EAAE,GAAG,CAAC,aAAa;gBAChC,OAAO,EAAE,GAAG,CAAC,OAAO;aACrB,CAAC;QACJ,CAAC;QACD,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,GAAG,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACnD,OAAO;YACL,EAAE,EAAE,GAAG,CAAC,EAAE;YACV,QAAQ,EAAE,UAAU;YACpB,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,QAAQ,EAAE,GAAG,CAAC,QAAQ;YACtB,MAAM;YACN,YAAY;YACZ,aAAa,EAAE,GAAG,CAAC,aAAa;YAChC,UAAU,EAAE,GAAG,CAAC,UAAU;YAC1B,aAAa,EAAE,GAAG,CAAC,aAAa;YAChC,OAAO,EAAE,GAAG,CAAC,OAAO;SACrB,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"ssh.d.ts","sourceRoot":"","sources":["../../../../src/core/audit/checks/ssh.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAc,WAAW,EAAE,MAAM,aAAa,CAAC;
|
|
1
|
+
{"version":3,"file":"ssh.d.ts","sourceRoot":"","sources":["../../../../src/core/audit/checks/ssh.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAc,WAAW,EAAE,MAAM,aAAa,CAAC;AAyQ3D,eAAO,MAAM,cAAc,EAAE,WAmC5B,CAAC"}
|
|
@@ -2,9 +2,10 @@
|
|
|
2
2
|
* SSH hardening check parser.
|
|
3
3
|
* Parses sshd -T output into 6 security checks with semantic IDs.
|
|
4
4
|
*/
|
|
5
|
+
import { CHECK_IDS } from "../checkIds.js";
|
|
5
6
|
const SSH_CHECKS = [
|
|
6
7
|
{
|
|
7
|
-
id:
|
|
8
|
+
id: CHECK_IDS.SSH.SSH_PASSWORD_AUTH,
|
|
8
9
|
name: "Password Authentication Disabled",
|
|
9
10
|
severity: "critical",
|
|
10
11
|
key: "passwordauthentication",
|
|
@@ -14,7 +15,7 @@ const SSH_CHECKS = [
|
|
|
14
15
|
explain: "Password authentication allows brute-force attacks. Key-based auth is significantly more secure.",
|
|
15
16
|
},
|
|
16
17
|
{
|
|
17
|
-
id:
|
|
18
|
+
id: CHECK_IDS.SSH.SSH_ROOT_LOGIN,
|
|
18
19
|
name: "Root Login Restricted",
|
|
19
20
|
severity: "critical",
|
|
20
21
|
key: "permitrootlogin",
|
|
@@ -27,7 +28,7 @@ const SSH_CHECKS = [
|
|
|
27
28
|
explain: "Direct root login increases attack surface. Use a regular user with sudo instead.",
|
|
28
29
|
},
|
|
29
30
|
{
|
|
30
|
-
id:
|
|
31
|
+
id: CHECK_IDS.SSH.SSH_EMPTY_PASSWORDS,
|
|
31
32
|
name: "Empty Passwords Denied",
|
|
32
33
|
severity: "critical",
|
|
33
34
|
key: "permitemptypasswords",
|
|
@@ -37,7 +38,7 @@ const SSH_CHECKS = [
|
|
|
37
38
|
explain: "Allowing empty passwords lets anyone log in without credentials.",
|
|
38
39
|
},
|
|
39
40
|
{
|
|
40
|
-
id:
|
|
41
|
+
id: CHECK_IDS.SSH.SSH_PUBKEY_AUTH,
|
|
41
42
|
name: "Public Key Authentication Enabled",
|
|
42
43
|
severity: "warning",
|
|
43
44
|
key: "pubkeyauthentication",
|
|
@@ -47,7 +48,7 @@ const SSH_CHECKS = [
|
|
|
47
48
|
explain: "Public key authentication provides strong cryptographic identity verification.",
|
|
48
49
|
},
|
|
49
50
|
{
|
|
50
|
-
id:
|
|
51
|
+
id: CHECK_IDS.SSH.SSH_MAX_AUTH_TRIES,
|
|
51
52
|
name: "Max Auth Tries Limited",
|
|
52
53
|
severity: "warning",
|
|
53
54
|
key: "maxauthtries",
|
|
@@ -60,7 +61,7 @@ const SSH_CHECKS = [
|
|
|
60
61
|
explain: "Limiting authentication attempts slows down brute-force attacks.",
|
|
61
62
|
},
|
|
62
63
|
{
|
|
63
|
-
id:
|
|
64
|
+
id: CHECK_IDS.SSH.SSH_X11_FORWARDING,
|
|
64
65
|
name: "X11 Forwarding Disabled",
|
|
65
66
|
severity: "info",
|
|
66
67
|
key: "x11forwarding",
|
|
@@ -70,7 +71,7 @@ const SSH_CHECKS = [
|
|
|
70
71
|
explain: "X11 forwarding can be exploited for display hijacking on servers that don't need GUI access.",
|
|
71
72
|
},
|
|
72
73
|
{
|
|
73
|
-
id:
|
|
74
|
+
id: CHECK_IDS.SSH.SSH_CLIENT_ALIVE_INTERVAL,
|
|
74
75
|
name: "Client Alive Interval Configured",
|
|
75
76
|
severity: "warning",
|
|
76
77
|
key: "clientaliveinterval",
|
|
@@ -83,7 +84,7 @@ const SSH_CHECKS = [
|
|
|
83
84
|
explain: "Setting a client alive interval disconnects idle sessions, reducing the risk of session hijacking.",
|
|
84
85
|
},
|
|
85
86
|
{
|
|
86
|
-
id:
|
|
87
|
+
id: CHECK_IDS.SSH.SSH_CLIENT_ALIVE_COUNT,
|
|
87
88
|
name: "Client Alive Count Max Limited",
|
|
88
89
|
severity: "warning",
|
|
89
90
|
key: "clientalivecountmax",
|
|
@@ -96,7 +97,7 @@ const SSH_CHECKS = [
|
|
|
96
97
|
explain: "Limiting alive count ensures unresponsive sessions are terminated after a short time.",
|
|
97
98
|
},
|
|
98
99
|
{
|
|
99
|
-
id:
|
|
100
|
+
id: CHECK_IDS.SSH.SSH_LOGIN_GRACE_TIME,
|
|
100
101
|
name: "Login Grace Time Restricted",
|
|
101
102
|
severity: "warning",
|
|
102
103
|
key: "logingracetime",
|
|
@@ -109,7 +110,7 @@ const SSH_CHECKS = [
|
|
|
109
110
|
explain: "Restricting login grace time limits how long an unauthenticated connection is held open.",
|
|
110
111
|
},
|
|
111
112
|
{
|
|
112
|
-
id:
|
|
113
|
+
id: CHECK_IDS.SSH.SSH_IGNORE_RHOSTS,
|
|
113
114
|
name: "Ignore Rhosts Files",
|
|
114
115
|
severity: "critical",
|
|
115
116
|
key: "ignorerhosts",
|
|
@@ -119,7 +120,7 @@ const SSH_CHECKS = [
|
|
|
119
120
|
explain: "Rhosts-based authentication is insecure and allows host-based trust without cryptographic verification.",
|
|
120
121
|
},
|
|
121
122
|
{
|
|
122
|
-
id:
|
|
123
|
+
id: CHECK_IDS.SSH.SSH_HOSTBASED_AUTH,
|
|
123
124
|
name: "Host-Based Authentication Disabled",
|
|
124
125
|
severity: "critical",
|
|
125
126
|
key: "hostbasedauthentication",
|
|
@@ -129,7 +130,7 @@ const SSH_CHECKS = [
|
|
|
129
130
|
explain: "Host-based authentication trusts remote hosts without user credentials, enabling lateral movement.",
|
|
130
131
|
},
|
|
131
132
|
{
|
|
132
|
-
id:
|
|
133
|
+
id: CHECK_IDS.SSH.SSH_MAX_SESSIONS,
|
|
133
134
|
name: "Max Sessions Limited",
|
|
134
135
|
severity: "warning",
|
|
135
136
|
key: "maxsessions",
|
|
@@ -142,7 +143,7 @@ const SSH_CHECKS = [
|
|
|
142
143
|
explain: "Limiting max sessions per connection prevents resource exhaustion and reduces attack surface.",
|
|
143
144
|
},
|
|
144
145
|
{
|
|
145
|
-
id:
|
|
146
|
+
id: CHECK_IDS.SSH.SSH_USE_DNS,
|
|
146
147
|
name: "DNS Lookup Disabled",
|
|
147
148
|
severity: "info",
|
|
148
149
|
key: "usedns",
|
|
@@ -152,7 +153,7 @@ const SSH_CHECKS = [
|
|
|
152
153
|
explain: "Disabling DNS lookups speeds up SSH connections and avoids DNS-based information disclosure.",
|
|
153
154
|
},
|
|
154
155
|
{
|
|
155
|
-
id:
|
|
156
|
+
id: CHECK_IDS.SSH.SSH_PERMIT_USER_ENV,
|
|
156
157
|
name: "User Environment Passthrough Disabled",
|
|
157
158
|
severity: "warning",
|
|
158
159
|
key: "permituserenvironment",
|
|
@@ -162,7 +163,7 @@ const SSH_CHECKS = [
|
|
|
162
163
|
explain: "Allowing user environment passthrough can be used to bypass security restrictions via environment variables.",
|
|
163
164
|
},
|
|
164
165
|
{
|
|
165
|
-
id:
|
|
166
|
+
id: CHECK_IDS.SSH.SSH_LOG_LEVEL,
|
|
166
167
|
name: "SSH Logging Level Adequate",
|
|
167
168
|
severity: "info",
|
|
168
169
|
key: "loglevel",
|
|
@@ -172,7 +173,7 @@ const SSH_CHECKS = [
|
|
|
172
173
|
explain: "Verbose or INFO logging ensures sufficient detail is captured for security audit and incident response.",
|
|
173
174
|
},
|
|
174
175
|
{
|
|
175
|
-
id:
|
|
176
|
+
id: CHECK_IDS.SSH.SSH_STRONG_CIPHERS,
|
|
176
177
|
name: "No Weak SSH Ciphers",
|
|
177
178
|
severity: "warning",
|
|
178
179
|
key: "ciphers",
|
|
@@ -182,7 +183,7 @@ const SSH_CHECKS = [
|
|
|
182
183
|
explain: "Weak ciphers like 3DES and Blowfish are vulnerable to known cryptographic attacks.",
|
|
183
184
|
},
|
|
184
185
|
{
|
|
185
|
-
id:
|
|
186
|
+
id: CHECK_IDS.SSH.SSH_STRONG_MACS,
|
|
186
187
|
name: "No Weak SSH MACs",
|
|
187
188
|
severity: "warning",
|
|
188
189
|
key: "macs",
|
|
@@ -192,7 +193,7 @@ const SSH_CHECKS = [
|
|
|
192
193
|
explain: "Weak MACs like MD5-based algorithms do not provide sufficient integrity protection for SSH sessions.",
|
|
193
194
|
},
|
|
194
195
|
{
|
|
195
|
-
id:
|
|
196
|
+
id: CHECK_IDS.SSH.SSH_STRONG_KEX,
|
|
196
197
|
name: "No Weak KEX Algorithms",
|
|
197
198
|
severity: "warning",
|
|
198
199
|
key: "kexalgorithms",
|
|
@@ -202,7 +203,7 @@ const SSH_CHECKS = [
|
|
|
202
203
|
explain: "Weak key exchange algorithms based on SHA-1 are vulnerable to collision attacks.",
|
|
203
204
|
},
|
|
204
205
|
{
|
|
205
|
-
id:
|
|
206
|
+
id: CHECK_IDS.SSH.SSH_MAX_STARTUPS,
|
|
206
207
|
name: "MaxStartups Limits Concurrent Unauthenticated Connections",
|
|
207
208
|
severity: "warning",
|
|
208
209
|
key: "maxstartups",
|
|
@@ -216,7 +217,7 @@ const SSH_CHECKS = [
|
|
|
216
217
|
explain: "MaxStartups limits concurrent unauthenticated SSH connections, mitigating brute-force and resource exhaustion attacks.",
|
|
217
218
|
},
|
|
218
219
|
{
|
|
219
|
-
id:
|
|
220
|
+
id: CHECK_IDS.SSH.SSH_STRICT_MODES,
|
|
220
221
|
name: "StrictModes Enabled",
|
|
221
222
|
severity: "warning",
|
|
222
223
|
key: "strictmodes",
|
|
@@ -226,7 +227,7 @@ const SSH_CHECKS = [
|
|
|
226
227
|
explain: "StrictModes checks file permissions on user SSH files before accepting login, preventing exploitation of misconfigured authorized_keys.",
|
|
227
228
|
},
|
|
228
229
|
{
|
|
229
|
-
id:
|
|
230
|
+
id: CHECK_IDS.SSH.SSH_NO_AGENT_FORWARDING,
|
|
230
231
|
name: "SSH Agent Forwarding Disabled",
|
|
231
232
|
severity: "warning",
|
|
232
233
|
key: "allowagentforwarding",
|
|
@@ -236,7 +237,7 @@ const SSH_CHECKS = [
|
|
|
236
237
|
explain: "SSH agent forwarding exposes the authentication agent to the remote server, enabling key theft if the server is compromised.",
|
|
237
238
|
},
|
|
238
239
|
{
|
|
239
|
-
id:
|
|
240
|
+
id: CHECK_IDS.SSH.SSH_PRINT_MOTD,
|
|
240
241
|
name: "PrintMotd Handled by PAM",
|
|
241
242
|
severity: "info",
|
|
242
243
|
key: "printmotd",
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"ssh.js","sourceRoot":"","sources":["../../../../src/core/audit/checks/ssh.ts"],"names":[],"mappings":"AAAA;;;GAGG;
|
|
1
|
+
{"version":3,"file":"ssh.js","sourceRoot":"","sources":["../../../../src/core/audit/checks/ssh.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAa3C,MAAM,UAAU,GAAkB;IAChC;QACE,EAAE,EAAE,SAAS,CAAC,GAAG,CAAC,iBAAiB;QACnC,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,GAAG,EAAE,wBAAwB;QAC7B,aAAa,EAAE,IAAI;QACnB,UAAU,EAAE,CAAC,KAAK,EAAE,QAAQ,EAAE,EAAE,CAAC,KAAK,CAAC,WAAW,EAAE,KAAK,QAAQ;QACjE,UAAU,EAAE,oHAAoH;QAChI,OAAO,EAAE,kGAAkG;KAC5G;IACD;QACE,EAAE,EAAE,SAAS,CAAC,GAAG,CAAC,cAAc;QAChC,IAAI,EAAE,uBAAuB;QAC7B,QAAQ,EAAE,UAAU;QACpB,GAAG,EAAE,iBAAiB;QACtB,aAAa,EAAE,yBAAyB;QACxC,UAAU,EAAE,CAAC,KAAK,EAAE,EAAE;YACpB,MAAM,CAAC,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;YAC9B,OAAO,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,mBAAmB,IAAI,CAAC,KAAK,kBAAkB,CAAC;QAC7E,CAAC;QACD,UAAU,EAAE,qHAAqH;QACjI,OAAO,EAAE,mFAAmF;KAC7F;IACD;QACE,EAAE,EAAE,SAAS,CAAC,GAAG,CAAC,mBAAmB;QACrC,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,UAAU;QACpB,GAAG,EAAE,sBAAsB;QAC3B,aAAa,EAAE,IAAI;QACnB,UAAU,EAAE,CAAC,KAAK,EAAE,QAAQ,EAAE,EAAE,CAAC,KAAK,CAAC,WAAW,EAAE,KAAK,QAAQ;QACjE,UAAU,EAAE,gHAAgH;QAC5H,OAAO,EAAE,kEAAkE;KAC5E;IACD;QACE,EAAE,EAAE,SAAS,CAAC,GAAG,CAAC,eAAe;QACjC,IAAI,EAAE,mCAAmC;QACzC,QAAQ,EAAE,SAAS;QACnB,GAAG,EAAE,sBAAsB;QAC3B,aAAa,EAAE,KAAK;QACpB,UAAU,EAAE,CAAC,KAAK,EAAE,QAAQ,EAAE,EAAE,CAAC,KAAK,CAAC,WAAW,EAAE,KAAK,QAAQ;QACjE,UAAU,EAAE,iHAAiH;QAC7H,OAAO,EAAE,gFAAgF;KAC1F;IACD;QACE,EAAE,EAAE,SAAS,CAAC,GAAG,CAAC,kBAAkB;QACpC,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,SAAS;QACnB,GAAG,EAAE,cAAc;QACnB,aAAa,EAAE,WAAW;QAC1B,UAAU,EAAE,CAAC,KAAK,EAAE,EAAE;YACpB,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;YAChC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC;QACjC,CAAC;QACD,UAAU,EAAE,+FAA+F;QAC3G,OAAO,EAAE,kEAAkE;KAC5E;IACD;QACE,EAAE,EAAE,SAAS,CAAC,GAAG,CAAC,kBAAkB;QACpC,IAAI,EAAE,yBAAyB;QAC/B,QAAQ,EAAE,MAAM;QAChB,GAAG,EAAE,eAAe;QACpB,aAAa,EAAE,IAAI;QACnB,UAAU,EAAE,CAAC,KAAK,EAAE,QAAQ,EAAE,EAAE,CAAC,KAAK,CAAC,WAAW,EAAE,KAAK,QAAQ;QACjE,UAAU,EAAE,kGAAkG;QAC9G,OAAO,EAAE,8FAA8F;KACxG;IACD;QACE,EAAE,EAAE,SAAS,CAAC,GAAG,CAAC,yBAAyB;QAC3C,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,SAAS;QACnB,GAAG,EAAE,qBAAqB;QAC1B,aAAa,EAAE,wBAAwB;QACvC,UAAU,EAAE,CAAC,KAAK,EAAE,EAAE;YACpB,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;YAChC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,GAAG,GAAG,CAAC,IAAI,GAAG,IAAI,GAAG,CAAC;QAC9C,CAAC;QACD,UAAU,EAAE,+GAA+G;QAC3H,OAAO,EAAE,oGAAoG;KAC9G;IACD;QACE,EAAE,EAAE,SAAS,CAAC,GAAG,CAAC,sBAAsB;QACxC,IAAI,EAAE,gCAAgC;QACtC,QAAQ,EAAE,SAAS;QACnB,GAAG,EAAE,qBAAqB;QAC1B,aAAa,EAAE,WAAW;QAC1B,UAAU,EAAE,CAAC,KAAK,EAAE,EAAE;YACpB,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;YAChC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,GAAG,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC;QAC5C,CAAC;QACD,UAAU,EAAE,6GAA6G;QACzH,OAAO,EAAE,uFAAuF;KACjG;IACD;QACE,EAAE,EAAE,SAAS,CAAC,GAAG,CAAC,oBAAoB;QACtC,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,SAAS;QACnB,GAAG,EAAE,gBAAgB;QACrB,aAAa,EAAE,YAAY;QAC3B,UAAU,EAAE,CAAC,KAAK,EAAE,EAAE;YACpB,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;YAChC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,GAAG,GAAG,CAAC,IAAI,GAAG,IAAI,EAAE,CAAC;QAC7C,CAAC;QACD,UAAU,EAAE,oGAAoG;QAChH,OAAO,EAAE,0FAA0F;KACpG;IACD;QACE,EAAE,EAAE,SAAS,CAAC,GAAG,CAAC,iBAAiB;QACnC,IAAI,EAAE,qBAAqB;QAC3B,QAAQ,EAAE,UAAU;QACpB,GAAG,EAAE,cAAc;QACnB,aAAa,EAAE,KAAK;QACpB,UAAU,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,WAAW,EAAE,KAAK,KAAK;QACpD,UAAU,EAAE,iGAAiG;QAC7G,OAAO,EAAE,yGAAyG;KACnH;IACD;QACE,EAAE,EAAE,SAAS,CAAC,GAAG,CAAC,kBAAkB;QACpC,IAAI,EAAE,oCAAoC;QAC1C,QAAQ,EAAE,UAAU;QACpB,GAAG,EAAE,yBAAyB;QAC9B,aAAa,EAAE,IAAI;QACnB,UAAU,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,WAAW,EAAE,KAAK,IAAI;QACnD,UAAU,EAAE,sHAAsH;QAClI,OAAO,EAAE,oGAAoG;KAC9G;IACD;QACE,EAAE,EAAE,SAAS,CAAC,GAAG,CAAC,gBAAgB;QAClC,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,SAAS;QACnB,GAAG,EAAE,aAAa;QAClB,aAAa,EAAE,YAAY;QAC3B,UAAU,EAAE,CAAC,KAAK,EAAE,EAAE;YACpB,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;YAChC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,GAAG,IAAI,EAAE,CAAC;QAC9C,CAAC;QACD,UAAU,EAAE,8FAA8F;QAC1G,OAAO,EAAE,+FAA+F;KACzG;IACD;QACE,EAAE,EAAE,SAAS,CAAC,GAAG,CAAC,WAAW;QAC7B,IAAI,EAAE,qBAAqB;QAC3B,QAAQ,EAAE,MAAM;QAChB,GAAG,EAAE,QAAQ;QACb,aAAa,EAAE,IAAI;QACnB,UAAU,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,WAAW,EAAE,KAAK,IAAI;QACnD,UAAU,EAAE,oFAAoF;QAChG,OAAO,EAAE,8FAA8F;KACxG;IACD;QACE,EAAE,EAAE,SAAS,CAAC,GAAG,CAAC,mBAAmB;QACrC,IAAI,EAAE,uCAAuC;QAC7C,QAAQ,EAAE,SAAS;QACnB,GAAG,EAAE,uBAAuB;QAC5B,aAAa,EAAE,IAAI;QACnB,UAAU,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,WAAW,EAAE,KAAK,IAAI;QACnD,UAAU,EAAE,kHAAkH;QAC9H,OAAO,EAAE,8GAA8G;KACxH;IACD;QACE,EAAE,EAAE,SAAS,CAAC,GAAG,CAAC,aAAa;QAC/B,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,MAAM;QAChB,GAAG,EAAE,UAAU;QACf,aAAa,EAAE,iBAAiB;QAChC,UAAU,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC;QACxE,UAAU,EAAE,6FAA6F;QACzG,OAAO,EAAE,yGAAyG;KACnH;IACD;QACE,EAAE,EAAE,SAAS,CAAC,GAAG,CAAC,kBAAkB;QACpC,IAAI,EAAE,qBAAqB;QAC3B,QAAQ,EAAE,SAAS;QACnB,GAAG,EAAE,SAAS;QACd,aAAa,EAAE,iDAAiD;QAChE,UAAU,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,6BAA6B,CAAC,IAAI,CAAC,KAAK,CAAC;QACjE,UAAU,EAAE,kKAAkK;QAC9K,OAAO,EAAE,oFAAoF;KAC9F;IACD;QACE,EAAE,EAAE,SAAS,CAAC,GAAG,CAAC,eAAe;QACjC,IAAI,EAAE,kBAAkB;QACxB,QAAQ,EAAE,SAAS;QACnB,GAAG,EAAE,MAAM;QACX,aAAa,EAAE,6BAA6B;QAC5C,UAAU,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,kBAAkB,CAAC,IAAI,CAAC,KAAK,CAAC;QACtD,UAAU,EAAE,qKAAqK;QACjL,OAAO,EAAE,sGAAsG;KAChH;IACD;QACE,EAAE,EAAE,SAAS,CAAC,GAAG,CAAC,cAAc;QAChC,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,SAAS;QACnB,GAAG,EAAE,eAAe;QACpB,aAAa,EAAE,+EAA+E;QAC9F,UAAU,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,gEAAgE,CAAC,IAAI,CAAC,KAAK,CAAC;QACpG,UAAU,EAAE,0MAA0M;QACtN,OAAO,EAAE,kFAAkF;KAC5F;IACD;QACE,EAAE,EAAE,SAAS,CAAC,GAAG,CAAC,gBAAgB;QAClC,IAAI,EAAE,2DAA2D;QACjE,QAAQ,EAAE,SAAS;QACnB,GAAG,EAAE,aAAa;QAClB,aAAa,EAAE,oCAAoC;QACnD,UAAU,EAAE,CAAC,KAAK,EAAE,EAAE;YACpB,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC/B,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACrC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,KAAK,IAAI,EAAE,CAAC;QACtC,CAAC;QACD,UAAU,EAAE,oGAAoG;QAChH,OAAO,EAAE,wHAAwH;KAClI;IACD;QACE,EAAE,EAAE,SAAS,CAAC,GAAG,CAAC,gBAAgB;QAClC,IAAI,EAAE,qBAAqB;QAC3B,QAAQ,EAAE,SAAS;QACnB,GAAG,EAAE,aAAa;QAClB,aAAa,EAAE,KAAK;QACpB,UAAU,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,WAAW,EAAE,KAAK,KAAK;QACpD,UAAU,EAAE,+FAA+F;QAC3G,OAAO,EAAE,yIAAyI;KACnJ;IACD;QACE,EAAE,EAAE,SAAS,CAAC,GAAG,CAAC,uBAAuB;QACzC,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,SAAS;QACnB,GAAG,EAAE,sBAAsB;QAC3B,aAAa,EAAE,IAAI;QACnB,UAAU,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,WAAW,EAAE,KAAK,IAAI;QACnD,UAAU,EAAE,gHAAgH;QAC5H,OAAO,EAAE,8HAA8H;KACxI;IACD;QACE,EAAE,EAAE,SAAS,CAAC,GAAG,CAAC,cAAc;QAChC,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,MAAM;QAChB,GAAG,EAAE,WAAW;QAChB,aAAa,EAAE,IAAI;QACnB,UAAU,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,WAAW,EAAE,KAAK,IAAI;QACnD,UAAU,EAAE,0FAA0F;QACtG,OAAO,EAAE,6HAA6H;KACvI;CACF,CAAC;AAEF,SAAS,YAAY,CAAC,MAAc,EAAE,GAAW;IAC/C,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,QAAQ,GAAG,UAAU,EAAE,IAAI,CAAC,CAAC;IACtD,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAClC,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;AACxC,CAAC;AAED,MAAM,CAAC,MAAM,cAAc,GAAgB,CAAC,aAAqB,EAAE,SAAiB,EAAgB,EAAE;IACpG,MAAM,IAAI,GAAG,CAAC,aAAa,IAAI,aAAa,CAAC,IAAI,EAAE,KAAK,KAAK,IAAI,aAAa,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC;IAE7F,OAAO,UAAU,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;QAC5B,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,YAAY,CAAC,aAAa,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC;QAEjE,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;YACnB,OAAO;gBACL,EAAE,EAAE,GAAG,CAAC,EAAE;gBACV,QAAQ,EAAE,KAAK;gBACf,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,QAAQ,EAAE,GAAG,CAAC,QAAQ;gBACtB,MAAM,EAAE,KAAK;gBACb,YAAY,EAAE,qBAAqB;gBACnC,aAAa,EAAE,GAAG,CAAC,aAAa;gBAChC,UAAU,EAAE,GAAG,CAAC,UAAU;gBAC1B,aAAa,EAAE,WAAoB;gBACnC,OAAO,EAAE,GAAG,CAAC,OAAO;aACrB,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAG,GAAG,CAAC,UAAU,CAAC,KAAK,EAAE,GAAG,CAAC,aAAa,CAAC,CAAC;QACxD,OAAO;YACL,EAAE,EAAE,GAAG,CAAC,EAAE;YACV,QAAQ,EAAE,KAAK;YACf,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,QAAQ,EAAE,GAAG,CAAC,QAAQ;YACtB,MAAM;YACN,YAAY,EAAE,KAAK;YACnB,aAAa,EAAE,GAAG,CAAC,aAAa;YAChC,UAAU,EAAE,GAAG,CAAC,UAAU;YAC1B,aAAa,EAAE,WAAoB;YACnC,OAAO,EAAE,GAAG,CAAC,OAAO;SACrB,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"supplychain.d.ts","sourceRoot":"","sources":["../../../../src/core/audit/checks/supplychain.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAa,WAAW,EAAoB,MAAM,aAAa,CAAC;AA2S5E,eAAO,MAAM,sBAAsB,EAAE,
|
|
1
|
+
{"version":3,"file":"supplychain.d.ts","sourceRoot":"","sources":["../../../../src/core/audit/checks/supplychain.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAa,WAAW,EAAoB,MAAM,aAAa,CAAC;AA2S5E,eAAO,MAAM,sBAAsB,EAAE,WAuCpC,CAAC"}
|
|
@@ -4,9 +4,10 @@
|
|
|
4
4
|
* unsigned package detection, apt-key deprecation, repo signature
|
|
5
5
|
* verification, and unauthorized source detection.
|
|
6
6
|
*/
|
|
7
|
+
import { CHECK_IDS } from "../checkIds.js";
|
|
7
8
|
const SUPPLY_CHECKS = [
|
|
8
9
|
{
|
|
9
|
-
id:
|
|
10
|
+
id: CHECK_IDS.SUPPLYCHAIN.SUPPLY_APT_HTTPS_REPOS,
|
|
10
11
|
name: "APT Repositories Use HTTPS",
|
|
11
12
|
severity: "critical",
|
|
12
13
|
check: (output) => {
|
|
@@ -28,7 +29,7 @@ const SUPPLY_CHECKS = [
|
|
|
28
29
|
explain: "APT repositories using plain HTTP (not HTTPS) are vulnerable to man-in-the-middle attacks that could inject malicious packages. An attacker between the server and the mirror can replace legitimate packages with trojaned versions.",
|
|
29
30
|
},
|
|
30
31
|
{
|
|
31
|
-
id:
|
|
32
|
+
id: CHECK_IDS.SUPPLYCHAIN.SUPPLY_GPG_KEYS_TRUSTED,
|
|
32
33
|
name: "APT Trusted GPG Keys Present",
|
|
33
34
|
severity: "warning",
|
|
34
35
|
check: (output) => {
|
|
@@ -55,7 +56,7 @@ const SUPPLY_CHECKS = [
|
|
|
55
56
|
explain: "APT package signature verification relies on trusted GPG keys in /etc/apt/trusted.gpg.d/. Without trusted keys, package authenticity cannot be verified and apt may install unsigned or improperly signed packages silently.",
|
|
56
57
|
},
|
|
57
58
|
{
|
|
58
|
-
id:
|
|
59
|
+
id: CHECK_IDS.SUPPLYCHAIN.SUPPLY_NO_UNSIGNED_PACKAGES,
|
|
59
60
|
name: "No Unsigned APT Packages Installed",
|
|
60
61
|
severity: "critical",
|
|
61
62
|
check: (output) => {
|
|
@@ -82,7 +83,7 @@ const SUPPLY_CHECKS = [
|
|
|
82
83
|
explain: "Unsigned packages bypass APT's GPG verification, meaning they were not authenticated by any trusted key. Malicious actors could substitute unsigned packages during download or through compromised mirrors without detection.",
|
|
83
84
|
},
|
|
84
85
|
{
|
|
85
|
-
id:
|
|
86
|
+
id: CHECK_IDS.SUPPLYCHAIN.SUPPLY_APT_KEY_DEPRECATED,
|
|
86
87
|
name: "apt-key Not Used (Deprecated)",
|
|
87
88
|
severity: "warning",
|
|
88
89
|
check: (output) => {
|
|
@@ -105,7 +106,7 @@ const SUPPLY_CHECKS = [
|
|
|
105
106
|
explain: "apt-key is deprecated in Ubuntu 22.04+ and will be removed in future releases. It stores all keys in a single shared keyring (/etc/apt/trusted.gpg), meaning any trusted key can sign any package. Per-repository keys in trusted.gpg.d/ provide isolation.",
|
|
106
107
|
},
|
|
107
108
|
{
|
|
108
|
-
id:
|
|
109
|
+
id: CHECK_IDS.SUPPLYCHAIN.SUPPLY_REPOS_SIGNED,
|
|
109
110
|
name: "APT Repository Metadata Is Signed",
|
|
110
111
|
severity: "warning",
|
|
111
112
|
check: (output) => {
|
|
@@ -125,7 +126,7 @@ const SUPPLY_CHECKS = [
|
|
|
125
126
|
explain: "APT verifies repository metadata (Release/InRelease files) against GPG signatures before downloading package indexes. Unsigned or unverified repository metadata allows a compromised mirror to serve malicious package lists.",
|
|
126
127
|
},
|
|
127
128
|
{
|
|
128
|
-
id:
|
|
129
|
+
id: CHECK_IDS.SUPPLYCHAIN.SUPPLY_GPG_VERIFY_OK,
|
|
129
130
|
name: "GPG Signature Verification Operational",
|
|
130
131
|
severity: "info",
|
|
131
132
|
check: (output) => {
|
|
@@ -145,7 +146,7 @@ const SUPPLY_CHECKS = [
|
|
|
145
146
|
explain: "GPG verification operational status confirms that package signature checks are functioning correctly. Failed verification may indicate expired keys, missing keyrings, or a compromised keyring configuration.",
|
|
146
147
|
},
|
|
147
148
|
{
|
|
148
|
-
id:
|
|
149
|
+
id: CHECK_IDS.SUPPLYCHAIN.SUPPLY_NO_UNAUTH_SOURCES,
|
|
149
150
|
name: "No Unauthorized Package Sources",
|
|
150
151
|
severity: "warning",
|
|
151
152
|
check: (output) => {
|
|
@@ -165,7 +166,7 @@ const SUPPLY_CHECKS = [
|
|
|
165
166
|
explain: "Unauthorized or unexpected package sources in APT configuration may indicate a supply chain compromise or misconfiguration. All package sources should be intentional, official, and properly signed by known keys.",
|
|
166
167
|
},
|
|
167
168
|
{
|
|
168
|
-
id:
|
|
169
|
+
id: CHECK_IDS.SUPPLYCHAIN.SUPPLY_DPKG_AUDIT_CLEAN,
|
|
169
170
|
name: "dpkg Audit Finds No Broken Packages",
|
|
170
171
|
severity: "info",
|
|
171
172
|
check: (output) => {
|
|
@@ -186,7 +187,7 @@ const SUPPLY_CHECKS = [
|
|
|
186
187
|
explain: "Broken or partially installed packages may indicate interrupted updates, package conflicts, or attempted supply chain attacks. dpkg --audit identifies packages in inconsistent states that could be leveraged by attackers or cause service failures.",
|
|
187
188
|
},
|
|
188
189
|
{
|
|
189
|
-
id:
|
|
190
|
+
id: CHECK_IDS.SUPPLYCHAIN.SUPPLY_NO_INSECURE_REPOS,
|
|
190
191
|
name: "No AllowInsecureRepositories or AllowUnauthenticated in APT Config",
|
|
191
192
|
severity: "warning",
|
|
192
193
|
check: (output) => {
|
|
@@ -210,7 +211,7 @@ const SUPPLY_CHECKS = [
|
|
|
210
211
|
explain: "Allowing unauthenticated or insecure repositories enables package tampering via man-in-the-middle attacks.",
|
|
211
212
|
},
|
|
212
213
|
{
|
|
213
|
-
id:
|
|
214
|
+
id: CHECK_IDS.SUPPLYCHAIN.SUPPLY_GPG_KEYS_PRESENT,
|
|
214
215
|
name: "GPG Keys Present for Repository Verification",
|
|
215
216
|
severity: "info",
|
|
216
217
|
check: (output) => {
|
|
@@ -230,7 +231,7 @@ const SUPPLY_CHECKS = [
|
|
|
230
231
|
explain: "GPG keys in the trusted keyring ensure package integrity verification during apt operations.",
|
|
231
232
|
},
|
|
232
233
|
{
|
|
233
|
-
id:
|
|
234
|
+
id: CHECK_IDS.SUPPLYCHAIN.SUPPLY_PACKAGE_VERIFY_CLEAN,
|
|
234
235
|
name: "dpkg Package File Integrity Verified",
|
|
235
236
|
severity: "warning",
|
|
236
237
|
check: (output) => {
|
|
@@ -251,7 +252,7 @@ const SUPPLY_CHECKS = [
|
|
|
251
252
|
explain: "Modified package files may indicate rootkit installation or unauthorized system tampering.",
|
|
252
253
|
},
|
|
253
254
|
{
|
|
254
|
-
id:
|
|
255
|
+
id: CHECK_IDS.SUPPLYCHAIN.SUPPLY_DEBSUMS_INSTALLED,
|
|
255
256
|
name: "debsums Package Integrity Tool Installed",
|
|
256
257
|
severity: "info",
|
|
257
258
|
check: (output) => {
|