addon_securityadvisor's Issues

Jail Shell detection seems broken in 11.60

Steps to reproduce:

Install the latest EDGE build.
Create an account.
Set the shell to normal shell via WHM >> Account Functions >> Manage Shell Access.
Go to WHM >> Security Center >> Security Advisor.
Notice that there is no warning about un-jailed users.

Suggestions: cPAddons

Just documenting suggestions submitted by others so we don't lose them.

  • cPAddons (I've been playing with these)
  • ERROR: installed into user's docroots but not installed in WHM
  • ERROR: deprecated cPAddons installed in a user's docroots.
  • ERROR: version installed in a user's docroot does not match current
    WHM version
  • ERROR: WHM version of cPAddon is not latest version on httpupdate mirrors

Suggestions: UI

  • Switch to static interface that displays the result of
    the last scan,
  • Add a button to perform a scan and use comet to load the
    scan results into the interface. The way it's organized now you have to
    avoid doing any time-consuming checks since the interface won't render
    until they're all complete.
  • Add the ability to sort result types so we're not left with one large page containing hundreds of results. (sort by type, exclude "pass" results, etc)

Suggestions: WHM Plugins

Just documenting suggestions submitted by others so we don't lose them.

  • ERROR: Any installed WHM plugins that are out of date
  • ERROR: Any deprecated WHM plugins are still installed.

Suggestions: EasyApache

Just documenting suggestions submitted by others so we don't lose them.

  • ERROR: Tomcat is installed (current version is EOL, runs as shared user)
  • ERROR: Mono is installed (current version is EOL, runs as shared user?)
  • WARN: Mod_security not installed (warning since the hosting provider
    may have a separate WAF)
  • ERROR: Any caching PHP extensions installed (allow various kinds of
    cache poisoning to take over other sites depending on the configuration.)
  • ERROR: PHP4 installed on the system (EOL, numerous CVEs)
  • ERROR: PHP 5.[012] installed on the system (EOL, numerous CVEs)
  • ERROR: PHP 5.3 or 5.4 installed on the system with any version other
    than the latest.

DONE - ERROR: Apache 1 installed (EOL, CVEs)
DONE - ERROR: Apache 2.0 installed (Near EOL, upstream support is spotty)

  • ERROR: Apache 2.2/2.4 is installed other than the latest version

Suggestions: Misc

Just documenting suggestions submitted by others so we don't lose them.

  • ERROR: entropychat is enabled (need to open fogbugz cases to document
    the problems here)
  • ERROR: scgi-bin wrapper is in use (haven't ever heard a good reason
    why this is even in the product.)
  • WARN: hooks of any type are installed (standardized, pre/post scripts,
    etc)

Suggestions: MySQL

Just documenting suggestions submitted by others so we don't lose them.

  • ERROR: MySQL configured to listen for remote connections and not
    configured to use SSL
  • ERROR: MySQL grants allowing remote users do not require SSL
  • WARN: MySQL accepting remote connections with SSL configured
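As an added illustration (not code from the addon_securityadvisor project), the three MySQL suggestions above expressed as one check: it reads the `[mysqld]` section of a my.cnf fragment to decide whether the server listens remotely and has SSL material configured, then walks `mysql.user` rows (user, host, ssl_type) to find remote grants that do not require SSL. The config text and user rows below are constructed samples, and the option names (`bind-address`, `skip-networking`, `ssl-ca`/`ssl-cert`/`ssl-key`) are the standard mysqld ones.

```python
import configparser

# Hosts that only permit local connections; anything else counts as remote.
LOCAL_HOSTS = {"127.0.0.1", "::1", "localhost"}


def parse_mycnf(text):
    """Return the [mysqld] section as a dict. Keys are lower-cased and '-' is
    normalised to '_' because mysqld treats the two spellings as equivalent.
    Real my.cnf files may contain '!includedir' lines, which would need to be
    expanded or stripped before this parser sees them."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cp.read_string(text)
    if not cp.has_section("mysqld"):
        return {}
    return {k.replace("-", "_"): (v or "").strip() for k, v in cp.items("mysqld")}


def listens_remotely(cfg):
    """skip-networking disables TCP entirely; otherwise a bind-address that is
    not loopback (the default '*' binds everything) means remote clients can connect."""
    if "skip_networking" in cfg:
        return False
    return cfg.get("bind_address", "*") not in LOCAL_HOSTS


def ssl_configured(cfg):
    """Server-side TLS needs a CA, a certificate and a key to be set."""
    return all(k in cfg for k in ("ssl_ca", "ssl_cert", "ssl_key"))


def mysql_findings(mycnf_text, user_rows):
    """Map config + grants to (severity, message) findings matching the suggestions:
    remote listener without SSL -> ERROR, remote listener with SSL -> WARN,
    remote grant whose ssl_type is empty (SSL not required) -> ERROR."""
    cfg = parse_mycnf(mycnf_text)
    findings = []
    if listens_remotely(cfg):
        if ssl_configured(cfg):
            findings.append(("WARN", "MySQL accepts remote connections (SSL is configured)"))
        else:
            findings.append(("ERROR", "MySQL accepts remote connections without SSL configured"))
    for user, host, ssl_type in user_rows:
        if host not in LOCAL_HOSTS and not ssl_type:
            findings.append(("ERROR", f"grant for '{user}'@'{host}' does not require SSL"))
    return findings


# Constructed sample input: remote listener with SSL material, one remote grant without SSL.
SAMPLE_MYCNF = """[mysqld]
bind-address = 0.0.0.0
ssl-ca = /etc/mysql/ca.pem
ssl-cert = /etc/mysql/server-cert.pem
ssl-key = /etc/mysql/server-key.pem
"""
SAMPLE_USERS = [("root", "localhost", ""), ("app", "%", ""), ("backup", "10.0.0.5", "ANY")]

if __name__ == "__main__":
    for severity, message in mysql_findings(SAMPLE_MYCNF, SAMPLE_USERS):
        print(f"{severity}: {message}")
```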

Suggestions: Mail

Just documenting suggestions submitted by others so we don't lose them.

  • something that reviews settings that may affect incoming and outgoing spam prevention and detection such as header additions and whether it's set up optimally. Especially the latter, as the headers of outgoing messages are often how I've caught account level AND root level compromises.

Suggestions: SSL

Just documenting suggestions submitted by others so we don't lose them.

  • ERROR: WHM/cPanel/Webmail/webdav not configured to require SSL
  • ERROR: POP/IMAP/SMTP not configured to require SSL prior to authentication
  • ERROR: FTP enabled and does not REQUIRE ssl

Suggestions: Updates

Just documenting suggestions submitted by others so we don't lose them.

  • WARN: cpsources.conf is not tracking httpupdate.cpanel.net
  • ERROR: cPanel updates are tracking 11.30
  • ERROR: cPanel updates are tracking a 4 digit version number
  • ERROR: cPanel updates set to manual and installed version is out of date
  • WARN: cPanel updates set to manual and installed version is up to date
  • WARN: cPanel updates are tracking a 2 digit tier instead of a named tier
  • WARN: custom versions installed for any cPanel managed RPMs.

Suggestions: OS

Just documenting suggestions submitted by others so we don't lose them.

  • ERROR: Latest kernel updates from CentOS/RedHat/CloudLinux are not
    installed.
  • ERROR: Running kernel is not the same as the newest kernel on the system.
  • ERROR: OS Updates are disabled/manual
  • ERROR: Other OS Updates are available
  • ERROR: OS Updates are tracking a specific point release rather than
    the major release.
