secant's Introduction

Secant

Secant is a security cloud assessment framework used to check the security characteristics of virtual machines and their images. The framework instantiates the machine in a contained environment and runs a set of security probes against it. The probes combine external and internal checks and target typical configuration errors and vulnerabilities commonly abused by Internet attackers.

Secant is developed for the environment of EGI and its Application Database but can be used in other environments as well.

Enabled probes

  • open_ports - The probe lists the open ports exposed by the machine. The probe doesn't consider any open port insecure by itself; it is used to check that the machine is reachable over the network and it provides the list of services used by other probes.
  • ntp_amp - Certain configurations of the NTP service make it possible for an attacker to mount an amplification attack, greatly increasing the efficiency of the attack. Since the traffic originates from the NTP server, it may hit the service owner badly. The probe checks that the risky configuration is not exposed to the Internet.
  • ssh_auth - Password-based authentication over SSH is prone to a range of attacks; it is recommended that it be disabled.
  • ssh_passwd - The probe performs a dictionary attack over SSH, checking a number of combinations of known usernames and passwords. The test resembles malicious activity that is very common on the Internet.
  • lynis_test - Lynis is a tool that checks a number of security characteristics of a machine. The probe runs the Lynis command and returns its results. The outcome isn't interpreted and may sometimes suggest precautions that are out of scope for the purpose of the tested machine. The machine must allow remote access for this probe to run.
  • pakiti_test - The probe uses the EGI Pakiti service to detect packages that haven't been updated. If they expose a vulnerability tagged as important for EGI, the probe returns an error. The machine must allow remote access for this probe to run.

How it works

The assessment process consists of performing a set of steps.

Steps

  1. Create a virtual machine from the image and run it in an isolated environment (without Internet connection).

  2. Run the set of probes.

  3. Report the status of the security scan.

  4. Make the assessment using the report and predefined rules.

Throughout the assessment, details about the process are stored in a log file (the path can be specified in secant.conf). When the process ends successfully, the findings can be found in a report file and the assessment results in a result file.

The development work is co-funded by the EOSC-hub project (Horizon 2020) under Grant number 777536.


secant's Issues

Consider human-readable, re-usable assertions

Hello!

Nice work on Secant! I would like to make a suggestion to make it easier for people to check their applications before pushing to the AppDB. You could use TestInfra or even better InSpec.

For example implement the SSH assertion as follows:

With TestInfra (:snake:)

def test_ssh_password(host):            # pytest/testinfra only collects test_* functions
    # path to sshd_config (the original used template placeholders here)
    sshd_config_file = host.file('/etc/ssh/sshd_config')

    assert sshd_config_file.exists
    # password authentication must be explicitly switched off
    assert sshd_config_file.contains('PasswordAuthentication no')

Similarly with InSpec (:gem:)

title 'SSHD configuration'

# you add controls here
control 'ssh_config' do                           # A unique ID for this control
  impact 0.7                                      # The criticality, if this control fails.
  title 'SSH password authentication'             # A human-readable title
  desc 'SSH server should be configured to not use password authentication'
  describe file('/etc/ssh') do                    # The actual test
    it { should be_directory }
  end

  describe file('/etc/ssh/sshd_config') do
    it { should be_file }
  end

  describe sshd_config('/etc/ssh/sshd_config') do
    its('PasswordAuthentication') { should be_in ["no", nil] }
  end
end

Would you be amenable to a PR?
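One way to implement the ssh_auth check that the README's probe list and the assertions above describe, as an added example that is neither Secant's own probe code nor the issue author's: it reads sshd_config the way sshd does (first global occurrence wins, directives under a Match line are conditional, an absent keyword means the OpenSSH default of yes), which a plain substring match such as contains('PasswordAuthentication no') gets wrong. The function names and the sample configurations are constructed for this example.

```python
import re

# Hypothetical helper (added example, not Secant's probe code): read sshd_config
# the way sshd itself does. Rules honoured:
#   - keywords are case-insensitive; lines starting with "#" are comments
#   - the FIRST occurrence of a global keyword wins (sshd ignores later ones)
#   - directives after a "Match" line are conditional, so they are not a
#     global setting (we stop at the first Match block)
#   - an absent PasswordAuthentication keyword means the OpenSSH default, "yes"
DEFAULT_PASSWORD_AUTH = "yes"


def global_option(config_text, keyword):
    """Return the effective global value of `keyword`, or None if unset."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # "Key value" and "Key=value" are both accepted by sshd
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break  # conditional block starts; later lines are not global
        if key == keyword.lower() and len(parts) == 2:
            return parts[1].strip().strip('"').lower()
    return None


def password_auth_disabled(config_text):
    """True only when the effective global PasswordAuthentication is 'no'."""
    value = global_option(config_text, "PasswordAuthentication")
    return (value or DEFAULT_PASSWORD_AUTH) == "no"


# Constructed sample configs covering the traps a plain substring test misses.
SECURE = "Port 22\nPasswordAuthentication no\n"
COMMENTED_ONLY = "#PasswordAuthentication no\n"            # default yes applies
FIRST_WINS = "PasswordAuthentication yes\nPasswordAuthentication no\n"
ONLY_IN_MATCH = "Match User backup\n    PasswordAuthentication no\n"
CASE_MIX = "passwordauthentication NO\n"

if __name__ == "__main__":
    samples = [("SECURE", SECURE), ("COMMENTED_ONLY", COMMENTED_ONLY),
               ("FIRST_WINS", FIRST_WINS), ("ONLY_IN_MATCH", ONLY_IN_MATCH),
               ("CASE_MIX", CASE_MIX)]
    for name, cfg in samples:
        print(f"{name:15} password auth disabled: {password_auth_disabled(cfg)}")
```

Only SECURE and CASE_MIX pass; the other three contain the literal text "PasswordAuthentication no" yet still leave password logins enabled.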
