authorChristian Cleberg <hello@cleberg.net>2025-05-06 21:31:46 -0500
committerGitHub <noreply@github.com>2025-05-06 21:31:46 -0500
commit95bf612c338dec8235e89ca6a1d9e5e8cad3f997 (patch)
tree82cfd62fb145b7b686d4ae825ab2c2436343e590 /databases/passwords
parentd62f25007470fe546e0f9d2e38a26e84146f72c5 (diff)
reorganize db dir (#6)
Diffstat (limited to 'databases/passwords')
-rw-r--r--databases/passwords/mysql/README.org76
-rw-r--r--databases/passwords/mysql/passwords.sql13
-rw-r--r--databases/passwords/postgres/README.org31
-rw-r--r--databases/passwords/postgres/passwords.sql18
-rw-r--r--databases/passwords/sql/data.csv9
-rw-r--r--databases/passwords/sql/get_data.sql30
-rw-r--r--databases/passwords/sql/test.py80
7 files changed, 0 insertions, 257 deletions
diff --git a/databases/passwords/mysql/README.org b/databases/passwords/mysql/README.org
deleted file mode 100644
index b843bd1..0000000
--- a/databases/passwords/mysql/README.org
+++ /dev/null
@@ -1,76 +0,0 @@
-#+title: MySQL Passwords
-
-* =mysql_admins.sql=
-
-#+begin_src sql
-SELECT user, host, plugin FROM mysql.user;
-#+end_src
-
-#+begin_src
-mysql> SELECT user, host, plugin FROM mysql.user;
-+------------------+-----------+-----------------------+
-| user | host | plugin |
-+------------------+-----------+-----------------------+
-| cmc | % | caching_sha2_password |
-| mysql.infoschema | localhost | caching_sha2_password |
-| mysql.session | localhost | caching_sha2_password |
-| mysql.sys | localhost | caching_sha2_password |
-| root | localhost | caching_sha2_password |
-+------------------+-----------+-----------------------+
-5 rows in set (0.001 sec)
-#+end_src
-
-#+begin_src sql
-SHOW GLOBAL VARIABLES LIKE 'validate_password%';
-SHOW VARIABLES LIKE 'validate_password%';
-#+end_src
-
-#+begin_src
-mysql> SHOW GLOBAL VARIABLES LIKE 'validate_password%';
-+-------------------------------------------------+--------+
-| Variable_name | Value |
-+-------------------------------------------------+--------+
-| validate_password.changed_characters_percentage | 0 |
-| validate_password.check_user_name | ON |
-| validate_password.dictionary_file | |
-| validate_password.length | 8 |
-| validate_password.mixed_case_count | 1 |
-| validate_password.number_count | 1 |
-| validate_password.policy | MEDIUM |
-| validate_password.special_char_count | 1 |
-+-------------------------------------------------+--------+
-8 rows in set (0.004 sec)
-
-mysql> SHOW VARIABLES LIKE 'validate_password%';
-+-------------------------------------------------+--------+
-| Variable_name | Value |
-+-------------------------------------------------+--------+
-| validate_password.changed_characters_percentage | 0 |
-| validate_password.check_user_name | ON |
-| validate_password.dictionary_file | |
-| validate_password.length | 8 |
-| validate_password.mixed_case_count | 1 |
-| validate_password.number_count | 1 |
-| validate_password.policy | MEDIUM |
-| validate_password.special_char_count | 1 |
-+-------------------------------------------------+--------+
-8 rows in set (0.004 sec)
-#+end_src
-
-#+begin_src sql
-SELECT * FROM mysql.user
-#+end_src
-
-#+begin_src
-MySQL [(none)]> SELECT * FROM mysql.user;
-+-----------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+-----------------------+------------------------------------------------------------------------+------------------+-----------------------+-------------------+----------------+------------------+----------------+------------------------+---------------------+--------------------------+-----------------+
-| Host | User | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv | Index_priv | Alter_priv | Show_db_priv | Super_priv | Create_tmp_table_priv | Lock_tables_priv | Execute_priv | Repl_slave_priv | Repl_client_priv | Create_view_priv | Show_view_priv | Create_routine_priv | Alter_routine_priv | Create_user_priv | Event_priv | Trigger_priv | Create_tablespace_priv | ssl_type | ssl_cipher | x509_issuer | x509_subject | max_questions | max_updates | max_connections | max_user_connections | plugin | authentication_string | password_expired | password_last_changed | password_lifetime | account_locked | Create_role_priv | Drop_role_priv | Password_reuse_history | Password_reuse_time | Password_require_current | User_attributes |
-+-----------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+-----------------------+------------------------------------------------------------------------+------------------+-----------------------+-------------------+----------------+------------------+----------------+------------------------+---------------------+--------------------------+-----------------+
-| % | cmc | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | | | | | 0 | 0 | 0 | 0 | caching_sha2_password | | N | 2025-04-25 16:28:52 | NULL | N | N | N | NULL | NULL | NULL | NULL |
-| localhost | mysql.infoschema | Y | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | | | | | 0 | 0 | 0 | 0 | caching_sha2_password | $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED | N | 2025-04-25 15:51:53 | NULL | Y | N | N | NULL | NULL | NULL | NULL |
-| localhost | mysql.session | N | N | N | N | N | N | N | Y | N | N | N | N | N | N | N | Y | N | N | N | N | N | N | N | N | N | N | N | N | N | | | | | 0 | 0 | 0 | 0 | caching_sha2_password | $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED | N | 2025-04-25 15:51:53 | NULL | Y | N | N | NULL | NULL | NULL | NULL |
-| localhost | mysql.sys | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | | | | | 0 | 0 | 0 | 0 | caching_sha2_password | $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED | N | 2025-04-25 15:51:53 | NULL | Y | N | N | NULL | NULL | NULL | NULL |
-| localhost | root | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | | | | | 0 | 0 | 0 | 0 | caching_sha2_password | | N | 2025-04-25 15:51:53 | NULL | N | Y | Y | NULL | NULL | NULL | NULL |
-+-----------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+-----------------------+------------------------------------------------------------------------+------------------+-----------------------+-------------------+----------------+------------------+----------------+------------------------+---------------------+--------------------------+-----------------+
-5 rows in set (0.005 sec)
-#+end_src
diff --git a/databases/passwords/mysql/passwords.sql b/databases/passwords/mysql/passwords.sql
deleted file mode 100644
index 1a5bf81..0000000
--- a/databases/passwords/mysql/passwords.sql
+++ /dev/null
@@ -1,13 +0,0 @@
--- NOTE: Please review the server's "my.cnf" file for default values;
--- OR: run the "SHOW [GLOBAL | SESSION] VARIABLES" command(s) on the database.
-
--- Authentication methods only
-SELECT user, host, plugin FROM mysql.user;
-
--- Default password configuration only
-SHOW GLOBAL VARIABLES LIKE 'validate_password%';
-SHOW VARIABLES LIKE 'validate_password%';
-
--- Authentication methods and MySQL password configurations
--- Reference: https://mariadb.com/kb/en/mysql-user-table/
-SELECT * FROM mysql.user
diff --git a/databases/passwords/postgres/README.org b/databases/passwords/postgres/README.org
deleted file mode 100644
index 694aa4e..0000000
--- a/databases/passwords/postgres/README.org
+++ /dev/null
@@ -1,31 +0,0 @@
-#+title: Postgres Passwords
-
-* =passwords.sql=
-
-#+begin_src sql
-SELECT *
-FROM pg_settings
-WHERE name LIKE 'password_%';
-#+end_src
-
-#+begin_src
-| name | setting | unit | category | short_desc | extra_desc | context | vartype | source | min_val | max_val | enumvals | boot_val | reset_val | sourcefile | sourceline | pending_restart |
-|---------------------+---------------+------+-------------------------------------------------+-------------------------------------------------+------------+---------+---------+---------+---------+---------+---------------------+---------------+---------------+------------+------------+-----------------|
-| password_encryption | scram-sha-256 | | Connections and Authentication / Authentication | Chooses the algorithm for encrypting passwords. | | user | enum | default | | | {md5,scram-sha-256} | scram-sha-256 | scram-sha-256 | | | false |
-#+end_src
-
-#+begin_src sql
-SELECT
- usename AS user_name,
- passwd AS password,
- valuntil AS valid_until,
- useconfig AS user_config
-FROM pg_shadow;
-#+end_src
-
-#+begin_src
-| user_name | password | valid_until | user_config |
-|-----------+---------------------------------------------------------------------------------------------------------------------------------------+------------------------+-------------|
-| cmc | | | |
-| testuser | SCRAM-SHA-256$4096:+NSpEU+8afhJ4BUTkzdKeg==$FGIRcTWr89b42qkLUl4Ntfp4RUpoc3GIpLHqJl/fWZE=:o1UM8YiEj5SLV5l/geMuqXMRi6onWazryn/l+LXYMxU= | 2025-12-31 00:00:00-06 | |
-#+end_src
diff --git a/databases/passwords/postgres/passwords.sql b/databases/passwords/postgres/passwords.sql
deleted file mode 100644
index cb81cd6..0000000
--- a/databases/passwords/postgres/passwords.sql
+++ /dev/null
@@ -1,18 +0,0 @@
--- References:
--- : https://www.postgresql.org/docs/current/view-pg-shadow.html
--- : https://www.postgresql.org/docs/current/auth-password.html
--- : https://www.postgresql.org/docs/current/auth-password.html#AUTH-PASSWORD-ENCRYPTION
--- : https://www.postgresql.org/docs/current/runtime-config.html
-
--- Defined password configuration
-SELECT *
-FROM pg_settings
-WHERE name LIKE 'password_%';
-
--- Users and their password configurations
-SELECT
- usename AS user_name,
- passwd AS password,
- valuntil AS valid_until,
- useconfig AS user_config
-FROM pg_shadow;
\ No newline at end of file
diff --git a/databases/passwords/sql/data.csv b/databases/passwords/sql/data.csv
deleted file mode 100644
index fc925ea..0000000
--- a/databases/passwords/sql/data.csv
+++ /dev/null
@@ -1,9 +0,0 @@
-name,principal_id,sid,type,type_desc,is_disabled,create_date,modify_date,default_database_name,default_language_name,credential_id,is_policy_checked,is_expiration_checked,password_hash,IsMustChange,IsLocked,LockoutTime,PasswordLastSetTime,IsExpired,BadPasswordCount,BadPasswordTime,HistoryLength
-user1,1,,S,SQL_LOGIN,0,2023-01-15 10:35:00,2023-01-15 10:35:00,master,us_english,NULL,1,0,0x01004086CEB6772AE2356381B9B069D4E02C0185D5A06CFA3822,0,0,,2023-01-15 10:35:00,0,0,,5
-user2,267,,S,SQL_LOGIN,0,2023-02-20 20:49:00,2023-02-20 20:49:00,master,us_english,NULL,0,0,0x01003E3A7A6F88A8F548540ECB2043946AC2545120424CCD8782,1,0,,2023-02-20 20:49:00,0,1,2023-02-20 20:50:00,3
-user3,268,,S,SQL_LOGIN,0,2023-03-10 11:20:00,2023-03-10 11:20:00,secondary,us_english,NULL,1,0,0x010042516769FBC191A67840731CB36B41EFDACC97BE8264281F,0,0,,2023-03-10 11:20:00,0,0,,4
-user4,269,,S,SQL_LOGIN,0,2023-04-01 10:40:00,2023-04-01 11:32:00,secondary,us_english,NULL,1,0,0x01005F3B351B26E2DB7C7FD3C7ED02B3FD2EDC09BB2BF13DA3E5,0,1,2023-04-01 11:32:00,2023-04-01 10:40:00,0,3,2023-04-01 11:30:00,2
-user5,270,,S,SQL_LOGIN,0,2023-05-05 12:33:00,2023-05-05 12:33:00,master,us_english,NULL,1,0,0x0100AE15D55972BB3D6C6283921711CD4A208747888BEEFED71B,0,0,,2023-05-05 12:33:00,0,0,,6
-user6,272,,S,SQL_LOGIN,0,2023-06-15 11:46:00,2023-06-15 11:46:00,secondary,us_english,NULL,1,1,0x0100F12FAE790FCE0FF356A0948211AE4052653503E1BBC28FAB,0,0,,2023-06-15 11:46:00,0,0,,7
-user7,279,,S,SQL_LOGIN,0,2023-07-20 12:50:00,2023-07-20 12:50:00,secondary,us_english,NULL,1,1,0x01004856A222264E62219236AB6AC7E5B622F1E53D1CCA2AF9B8,0,0,,2023-07-20 12:50:00,0,0,,8
-user8,284,,S,SQL_LOGIN,0,2023-08-25 13:56:00,2023-08-25 13:56:00,master,us_english,NULL,1,1,0x0100723BEDBE69779CD3087C0E60AD69C33CC7E969F78DA2498A,0,0,,2023-08-25 13:56:00,0,0,,9
\ No newline at end of file
diff --git a/databases/passwords/sql/get_data.sql b/databases/passwords/sql/get_data.sql
deleted file mode 100644
index b5bef36..0000000
--- a/databases/passwords/sql/get_data.sql
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
-References:
-1. https://learn.microsoft.com/en-us/sql/relational-databases/security/password-policy
-2. https://learn.microsoft.com/en-us/sql/t-sql/functions/loginproperty-transact-sql
-*/
-
-SELECT
- name,
- principal_id,
- sid,
- type,
- type_desc,
- is_disabled,
- create_date,
- modify_date,
- default_database_name,
- default_language_name,
- credential_id,
- is_policy_checked,
- is_expiration_checked,
- password_hash,
- LOGINPROPERTY(name, 'IsMustChange') AS IsMustChange,
- LOGINPROPERTY(name, 'IsLocked') AS IsLocked,
- LOGINPROPERTY(name, 'LockoutTime') AS LockoutTime,
- LOGINPROPERTY(name, 'PasswordLastSetTime') AS PasswordLastSetTime,
- LOGINPROPERTY(name, 'IsExpired') AS IsExpired,
- LOGINPROPERTY(name, 'BadPasswordCount') AS BadPasswordCount,
- LOGINPROPERTY(name, 'BadPasswordTime') AS BadPasswordTime,
- LOGINPROPERTY(name, 'HistoryLength') AS HistoryLength
-FROM sys.sql_logins;
diff --git a/databases/passwords/sql/test.py b/databases/passwords/sql/test.py
deleted file mode 100644
index 81c1138..0000000
--- a/databases/passwords/sql/test.py
+++ /dev/null
@@ -1,80 +0,0 @@
-"""
-Checks SQL Server user data for compliance with Windows policies.
-"""
-
-# Import packages
-import pandas as pd
-
-# Load the data into a pandas DataFrame
-df_input = pd.read_csv("./data.csv")
-
-
-# Function to apply rules and generate report
-def apply_rules_and_report(df):
- """
- Apply defined rules against the input data.
-
- Parameters:
- df (pandas.DataFrame): SQL login data
-
- Returns:
- report (list): List of dictionaries containing test results
- """
- report = []
- for _, row in df.iterrows():
- result = {
- "Name": row["name"],
- "Type Check": "",
- "Policy Check": "",
- "Expiration Check": "",
- "Reason": "",
- }
-
- # Check the type_desc
- if row["type_desc"] == "SQL_LOGIN":
- result["Type Check"] = "SQL_LOGIN"
- elif row["type_desc"] == "WINDOWS_LOGIN":
- result["Type Check"] = "N/A"
- result["Reason"] = "Refer to Windows password policy."
- else:
- result["Type Check"] = "Manual Review"
- result["Reason"] = "Reviewer to manually review."
-
- # Check if password policy is enforced
- if row["is_policy_checked"] == 1:
- result["Policy Check"] = "PASS"
- result["Reason"] += """Password policy is enforced. Reviewer to
- check the assigned policy."""
- else:
- result["Policy Check"] = "FAIL"
- result["Reason"] += "Password policy is not enforced."
-
- # Check if password expiration is enforced
- if row["is_expiration_checked"] == 1:
- result["Expiration Check"] = "PASS"
- result["Reason"] += """Password expiration is enforced. Reviewer to
- check the expiration policy."""
- else:
- result["Expiration Check"] = "FAIL"
- result["Reason"] += "Password expiration is not enforced."
-
- report.append(result)
-
- return report
-
-
-# Main function to run the script
-def main():
- """
- Apply defined rules against the input data and print the results.
- """
- # Apply rules and generate report
- report = apply_rules_and_report(df_input)
- report_df = pd.DataFrame(report)
-
- # Print the report
- print(report_df)
-
-
-if __name__ == "__main__":
- main()