diff options
| author | Christian Cleberg <hello@cleberg.net> | 2025-08-02 13:02:43 -0500 |
|---|---|---|
| committer | Christian Cleberg <hello@cleberg.net> | 2025-08-02 13:02:43 -0500 |
| commit | b598a79d270b3a91b0e6d5f3b9dca4aecca2dd4c (patch) | |
| tree | 5faf22af7a20ea6f7639fa3bdbde5210144959e6 /databases | |
| parent | a24b16d1c04f396209d1e80168f5df12e79bc438 (diff) | |
| download | audit-tools-b598a79d270b3a91b0e6d5f3b9dca4aecca2dd4c.tar.gz audit-tools-b598a79d270b3a91b0e6d5f3b9dca4aecca2dd4c.tar.bz2 audit-tools-b598a79d270b3a91b0e6d5f3b9dca4aecca2dd4c.zip | |
fix: convert README.org to README.md
Diffstat (limited to 'databases')
| -rw-r--r-- | databases/mongo/README.md (renamed from databases/mongo/README.org) | 206 | ||||
| -rw-r--r-- | databases/mysql/README.md | 173 | ||||
| -rw-r--r-- | databases/mysql/README.org | 183 | ||||
| -rw-r--r-- | databases/oracle/README.md (renamed from databases/oracle/README.org) | 20 | ||||
| -rw-r--r-- | databases/postgres/README.md | 67 | ||||
| -rw-r--r-- | databases/postgres/README.org | 75 | ||||
| -rw-r--r-- | databases/sql/README.md (renamed from databases/sql/README.org) | 20 |
7 files changed, 362 insertions, 382 deletions
diff --git a/databases/mongo/README.org b/databases/mongo/README.md index 689d37d..99e1c68 100644 --- a/databases/mongo/README.org +++ b/databases/mongo/README.md @@ -1,104 +1,102 @@ -#+title: MongoDB Scripts
-
-* =admins.py=
-
-Dependency:
-
-#+begin_src shell
-pip install pymongo
-#+end_src
-
-#+begin_src python
-python ./admins.py
-#+end_src
-
-Example output:
-
-#+begin_src json
-[
- {
- "_id": "admin.admin",
- "user": "admin",
- "db": "admin",
- "roles": [
- {
- "role": "userAdminAnyDatabase",
- "db": "admin"
- },
- {
- "role": "readWriteAnyDatabase",
- "db": "admin"
- },
- {
- "role": "dbAdminAnyDatabase",
- "db": "admin"
- },
- {
- "role": "clusterAdmin",
- "db": "admin"
- }
- ],
- "credentials": {
- "SCRAM-SHA-1": {
- "iterationCount": 10000,
- "salt": "abc123",
- "storedKey": "storedKeyHash",
- "serverKey": "serverKeyHash"
- },
- "SCRAM-SHA-256": {
- "iterationCount": 15000,
- "salt": "def456",
- "storedKey": "storedKeyHash256",
- "serverKey": "serverKeyHash256"
- }
- }
- },
- {
- "_id": "test.user1",
- "user": "user1",
- "db": "test",
- "roles": [
- {
- "role": "readWrite",
- "db": "test"
- }
- ],
- "credentials": {
- "SCRAM-SHA-1": {
- "iterationCount": 10000,
- "salt": "ghi789",
- "storedKey": "storedKeyHashUser1",
- "serverKey": "serverKeyHashUser1"
- }
- }
- },
- {
- "_id": "test.ldapUser",
- "user": "ldapUser",
- "db": "test",
- "roles": [
- {
- "role": "read",
- "db": "test"
- }
- ],
- "userSource": "ldap"
- },
- {
- "_id": "admin.x509User",
- "user": "x509User",
- "db": "$external",
- "roles": [
- {
- "role": "readWrite",
- "db": "admin"
- }
- ],
- "credentials": {
- "MONGODB-X509": {
- "subject": "CN=x509User,OU=OrgUnit,O=Org,L=City,ST=State,C=Country"
- }
- }
- }
-]
-#+end_src
+# `admins.py` + +Dependency: + +``` shell +pip install pymongo +``` + +``` python +python ./admins.py +``` + +Example output: + +``` json +[ + { + "_id": "admin.admin", + "user": "admin", + "db": "admin", + "roles": [ + { + "role": "userAdminAnyDatabase", + "db": "admin" + }, + { + "role": "readWriteAnyDatabase", + "db": "admin" + }, + { + "role": "dbAdminAnyDatabase", + "db": "admin" + }, + { + "role": "clusterAdmin", + "db": "admin" + } + ], + "credentials": { + "SCRAM-SHA-1": { + "iterationCount": 10000, + "salt": "abc123", + "storedKey": "storedKeyHash", + "serverKey": "serverKeyHash" + }, + "SCRAM-SHA-256": { + "iterationCount": 15000, + "salt": "def456", + "storedKey": "storedKeyHash256", + "serverKey": "serverKeyHash256" + } + } + }, + { + "_id": "test.user1", + "user": "user1", + "db": "test", + "roles": [ + { + "role": "readWrite", + "db": "test" + } + ], + "credentials": { + "SCRAM-SHA-1": { + "iterationCount": 10000, + "salt": "ghi789", + "storedKey": "storedKeyHashUser1", + "serverKey": "serverKeyHashUser1" + } + } + }, + { + "_id": "test.ldapUser", + "user": "ldapUser", + "db": "test", + "roles": [ + { + "role": "read", + "db": "test" + } + ], + "userSource": "ldap" + }, + { + "_id": "admin.x509User", + "user": "x509User", + "db": "$external", + "roles": [ + { + "role": "readWrite", + "db": "admin" + } + ], + "credentials": { + "MONGODB-X509": { + "subject": "CN=x509User,OU=OrgUnit,O=Org,L=City,ST=State,C=Country" + } + } + } +] +``` diff --git a/databases/mysql/README.md b/databases/mysql/README.md new file mode 100644 index 0000000..cc05311 --- /dev/null +++ b/databases/mysql/README.md @@ -0,0 +1,173 @@ +# `mysql_admins.sql` + +``` sql +SELECT * FROM information_schema.user_privileges; +``` + + MySQL [(none)]> SELECT * FROM information_schema.user_privileges; + +--------------------------------+---------------+---------------------------------+--------------+ + | GRANTEE | TABLE_CATALOG | PRIVILEGE_TYPE | IS_GRANTABLE | + +--------------------------------+---------------+---------------------------------+--------------+ + | 'mysql.infoschema'@'localhost' | def | SELECT | NO | + | 'mysql.infoschema'@'localhost' | def | AUDIT_ABORT_EXEMPT | NO | + | 'mysql.infoschema'@'localhost' | def | FIREWALL_EXEMPT | NO | + | 'mysql.infoschema'@'localhost' | def | SYSTEM_USER | NO | + | 'mysql.session'@'localhost' | def | SHUTDOWN | NO | + | 'mysql.session'@'localhost' | def | SUPER | NO | + | 'mysql.session'@'localhost' | def | AUDIT_ABORT_EXEMPT | NO | + | 'mysql.session'@'localhost' | def | AUTHENTICATION_POLICY_ADMIN | NO | + | 'mysql.session'@'localhost' | def | BACKUP_ADMIN | NO | + | 'mysql.session'@'localhost' | def | CLONE_ADMIN | NO | + | 'mysql.session'@'localhost' | def | CONNECTION_ADMIN | NO | + | 'mysql.session'@'localhost' | def | FIREWALL_EXEMPT | NO | + | 'mysql.session'@'localhost' | def | PERSIST_RO_VARIABLES_ADMIN | NO | + | 'mysql.session'@'localhost' | def | SESSION_VARIABLES_ADMIN | NO | + | 'mysql.session'@'localhost' | def | SYSTEM_USER | NO | + | 'mysql.session'@'localhost' | def | SYSTEM_VARIABLES_ADMIN | NO | + | 'mysql.sys'@'localhost' | def | USAGE | NO | + | 'mysql.sys'@'localhost' | def | AUDIT_ABORT_EXEMPT | NO | + | 'mysql.sys'@'localhost' | def | FIREWALL_EXEMPT | NO | + | 'mysql.sys'@'localhost' | def | SYSTEM_USER | NO | + | 'root'@'localhost' | def | SELECT | YES | + | 'root'@'localhost' | def | INSERT | YES | + | 'root'@'localhost' | def | UPDATE | YES | + | 'root'@'localhost' | def | DELETE | YES | + | 'root'@'localhost' | def | CREATE | YES | + | 'root'@'localhost' | def | DROP | YES | + | 'root'@'localhost' | def | RELOAD | YES | + | 'root'@'localhost' | def | SHUTDOWN | YES | + | 'root'@'localhost' | def | PROCESS | YES | + | 'root'@'localhost' | def | FILE | YES | + | 'root'@'localhost' | def | REFERENCES | YES | + | 'root'@'localhost' | def | INDEX | YES | + | 'root'@'localhost' | def | ALTER | YES | + | 'root'@'localhost' | def | SHOW DATABASES | YES | + | 'root'@'localhost' | def | SUPER | YES | + | 'root'@'localhost' | def | CREATE TEMPORARY TABLES | YES | + | 'root'@'localhost' | def | LOCK TABLES | YES | + | 'root'@'localhost' | def | EXECUTE | YES | + | 'root'@'localhost' | def | REPLICATION SLAVE | YES | + | 'root'@'localhost' | def | REPLICATION CLIENT | YES | + | 'root'@'localhost' | def | CREATE VIEW | YES | + | 'root'@'localhost' | def | SHOW VIEW | YES | + | 'root'@'localhost' | def | CREATE ROUTINE | YES | + | 'root'@'localhost' | def | ALTER ROUTINE | YES | + | 'root'@'localhost' | def | CREATE USER | YES | + | 'root'@'localhost' | def | EVENT | YES | + | 'root'@'localhost' | def | TRIGGER | YES | + | 'root'@'localhost' | def | CREATE TABLESPACE | YES | + | 'root'@'localhost' | def | CREATE ROLE | YES | + | 'root'@'localhost' | def | DROP ROLE | YES | + | 'root'@'localhost' | def | ALLOW_NONEXISTENT_DEFINER | YES | + | 'root'@'localhost' | def | APPLICATION_PASSWORD_ADMIN | YES | + | 'root'@'localhost' | def | AUDIT_ABORT_EXEMPT | YES | + | 'root'@'localhost' | def | AUDIT_ADMIN | YES | + | 'root'@'localhost' | def | AUTHENTICATION_POLICY_ADMIN | YES | + | 'root'@'localhost' | def | BACKUP_ADMIN | YES | + | 'root'@'localhost' | def | BINLOG_ADMIN | YES | + | 'root'@'localhost' | def | BINLOG_ENCRYPTION_ADMIN | YES | + | 'root'@'localhost' | def | CLONE_ADMIN | YES | + | 'root'@'localhost' | def | CONNECTION_ADMIN | YES | + | 'root'@'localhost' | def | CREATE_SPATIAL_REFERENCE_SYSTEM | YES | + | 'root'@'localhost' | def | ENCRYPTION_KEY_ADMIN | YES | + | 'root'@'localhost' | def | FIREWALL_EXEMPT | YES | + | 'root'@'localhost' | def | FLUSH_OPTIMIZER_COSTS | YES | + | 'root'@'localhost' | def | FLUSH_PRIVILEGES | YES | + | 'root'@'localhost' | def | FLUSH_STATUS | YES | + | 'root'@'localhost' | def | FLUSH_TABLES | YES | + | 'root'@'localhost' | def | FLUSH_USER_RESOURCES | YES | + | 'root'@'localhost' | def | GROUP_REPLICATION_ADMIN | YES | + | 'root'@'localhost' | def | GROUP_REPLICATION_STREAM | YES | + | 'root'@'localhost' | def | INNODB_REDO_LOG_ARCHIVE | YES | + | 'root'@'localhost' | def | INNODB_REDO_LOG_ENABLE | YES | + | 'root'@'localhost' | def | OPTIMIZE_LOCAL_TABLE | YES | + | 'root'@'localhost' | def | PASSWORDLESS_USER_ADMIN | YES | + | 'root'@'localhost' | def | PERSIST_RO_VARIABLES_ADMIN | YES | + | 'root'@'localhost' | def | REPLICATION_APPLIER | YES | + | 'root'@'localhost' | def | REPLICATION_SLAVE_ADMIN | YES | + | 'root'@'localhost' | def | RESOURCE_GROUP_ADMIN | YES | + | 'root'@'localhost' | def | RESOURCE_GROUP_USER | YES | + | 'root'@'localhost' | def | ROLE_ADMIN | YES | + | 'root'@'localhost' | def | SENSITIVE_VARIABLES_OBSERVER | YES | + | 'root'@'localhost' | def | SERVICE_CONNECTION_ADMIN | YES | + | 'root'@'localhost' | def | SESSION_VARIABLES_ADMIN | YES | + | 'root'@'localhost' | def | SET_ANY_DEFINER | YES | + | 'root'@'localhost' | def | SHOW_ROUTINE | YES | + | 'root'@'localhost' | def | SYSTEM_USER | YES | + | 'root'@'localhost' | def | SYSTEM_VARIABLES_ADMIN | YES | + | 'root'@'localhost' | def | TABLE_ENCRYPTION_ADMIN | YES | + | 'root'@'localhost' | def | TELEMETRY_LOG_ADMIN | YES | + | 'root'@'localhost' | def | TRANSACTION_GTID_TAG | YES | + | 'root'@'localhost' | def | XA_RECOVER_ADMIN | YES | + | 'cmc'@'%' | def | USAGE | NO | + +--------------------------------+---------------+---------------------------------+--------------+ + 92 rows in set (0.001 sec) + +# `passwords.sql` + +``` sql +SELECT user, host, plugin FROM mysql.user; +``` + + mysql> SELECT user, host, plugin FROM mysql.user; + +------------------+-----------+-----------------------+ + | user | host | plugin | + +------------------+-----------+-----------------------+ + | cmc | % | caching_sha2_password | + | mysql.infoschema | localhost | caching_sha2_password | + | mysql.session | localhost | caching_sha2_password | + | mysql.sys | localhost | caching_sha2_password | + | root | localhost | caching_sha2_password | + +------------------+-----------+-----------------------+ + 5 rows in set (0.001 sec) + +``` sql +SHOW GLOBAL VARIABLES LIKE 'validate_password%'; +SHOW VARIABLES LIKE 'validate_password%'; +``` + + mysql> SHOW GLOBAL VARIABLES LIKE 'validate_password%'; + +-------------------------------------------------+--------+ + | Variable_name | Value | + +-------------------------------------------------+--------+ + | validate_password.changed_characters_percentage | 0 | + | validate_password.check_user_name | ON | + | validate_password.dictionary_file | | + | validate_password.length | 8 | + | validate_password.mixed_case_count | 1 | + | validate_password.number_count | 1 | + | validate_password.policy | MEDIUM | + | validate_password.special_char_count | 1 | + +-------------------------------------------------+--------+ + 8 rows in set (0.004 sec) + + mysql> SHOW VARIABLES LIKE 'validate_password%'; + +-------------------------------------------------+--------+ + | Variable_name | Value | + +-------------------------------------------------+--------+ + | validate_password.changed_characters_percentage | 0 | + | validate_password.check_user_name | ON | + | validate_password.dictionary_file | | + | validate_password.length | 8 | + | validate_password.mixed_case_count | 1 | + | validate_password.number_count | 1 | + | validate_password.policy | MEDIUM | + | validate_password.special_char_count | 1 | + +-------------------------------------------------+--------+ + 8 rows in set (0.004 sec) + +``` sql +SELECT * FROM mysql.user +``` + + MySQL [(none)]> SELECT * FROM mysql.user; + +-----------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+-----------------------+------------------------------------------------------------------------+------------------+-----------------------+-------------------+----------------+------------------+----------------+------------------------+---------------------+--------------------------+-----------------+ + | Host | User | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv | Index_priv | Alter_priv | Show_db_priv | Super_priv | Create_tmp_table_priv | Lock_tables_priv | Execute_priv | Repl_slave_priv | Repl_client_priv | Create_view_priv | Show_view_priv | Create_routine_priv | Alter_routine_priv | Create_user_priv | Event_priv | Trigger_priv | Create_tablespace_priv | ssl_type | ssl_cipher | x509_issuer | x509_subject | max_questions | max_updates | max_connections | max_user_connections | plugin | authentication_string | password_expired | password_last_changed | password_lifetime | account_locked | Create_role_priv | Drop_role_priv | Password_reuse_history | Password_reuse_time | Password_require_current | User_attributes | + +-----------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+-----------------------+------------------------------------------------------------------------+------------------+-----------------------+-------------------+----------------+------------------+----------------+------------------------+---------------------+--------------------------+-----------------+ + | % | cmc | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | | | | | 0 | 0 | 0 | 0 | caching_sha2_password | | N | 2025-04-25 16:28:52 | NULL | N | N | N | NULL | NULL | NULL | NULL | + | localhost | mysql.infoschema | Y | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | | | | | 0 | 0 | 0 | 0 | caching_sha2_password | $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED | N | 2025-04-25 15:51:53 | NULL | Y | N | N | NULL | NULL | NULL | NULL | + | localhost | mysql.session | N | N | N | N | N | N | N | Y | N | N | N | N | N | N | N | Y | N | N | N | N | N | N | N | N | N | N | N | N | N | | | | | 0 | 0 | 0 | 0 | caching_sha2_password | $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED | N | 2025-04-25 15:51:53 | NULL | Y | N | N | NULL | NULL | NULL | NULL | + | localhost | mysql.sys | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | | | | | 0 | 0 | 0 | 0 | caching_sha2_password | $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED | N | 2025-04-25 15:51:53 | NULL | Y | N | N | NULL | NULL | NULL | NULL | + | localhost | root | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | | | | | 0 | 0 | 0 | 0 | caching_sha2_password | | N | 2025-04-25 15:51:53 | NULL | N | Y | Y | NULL | NULL | NULL | NULL | + +-----------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+-----------------------+------------------------------------------------------------------------+------------------+-----------------------+-------------------+----------------+------------------+----------------+------------------------+---------------------+--------------------------+-----------------+ + 5 rows in set (0.005 sec) diff --git a/databases/mysql/README.org b/databases/mysql/README.org deleted file mode 100644 index ce7c438..0000000 --- a/databases/mysql/README.org +++ /dev/null @@ -1,183 +0,0 @@ -#+title: MySQL - -* =mysql_admins.sql= - -#+begin_src sql -SELECT * FROM information_schema.user_privileges; -#+end_src - -#+begin_src -MySQL [(none)]> SELECT * FROM information_schema.user_privileges; -+--------------------------------+---------------+---------------------------------+--------------+ -| GRANTEE | TABLE_CATALOG | PRIVILEGE_TYPE | IS_GRANTABLE | -+--------------------------------+---------------+---------------------------------+--------------+ -| 'mysql.infoschema'@'localhost' | def | SELECT | NO | -| 'mysql.infoschema'@'localhost' | def | AUDIT_ABORT_EXEMPT | NO | -| 'mysql.infoschema'@'localhost' | def | FIREWALL_EXEMPT | NO | -| 'mysql.infoschema'@'localhost' | def | SYSTEM_USER | NO | -| 'mysql.session'@'localhost' | def | SHUTDOWN | NO | -| 'mysql.session'@'localhost' | def | SUPER | NO | -| 'mysql.session'@'localhost' | def | AUDIT_ABORT_EXEMPT | NO | -| 'mysql.session'@'localhost' | def | AUTHENTICATION_POLICY_ADMIN | NO | -| 'mysql.session'@'localhost' | def | BACKUP_ADMIN | NO | -| 'mysql.session'@'localhost' | def | CLONE_ADMIN | NO | -| 'mysql.session'@'localhost' | def | CONNECTION_ADMIN | NO | -| 'mysql.session'@'localhost' | def | FIREWALL_EXEMPT | NO | -| 'mysql.session'@'localhost' | def | PERSIST_RO_VARIABLES_ADMIN | NO | -| 'mysql.session'@'localhost' | def | SESSION_VARIABLES_ADMIN | NO | -| 'mysql.session'@'localhost' | def | SYSTEM_USER | NO | -| 'mysql.session'@'localhost' | def | SYSTEM_VARIABLES_ADMIN | NO | -| 'mysql.sys'@'localhost' | def | USAGE | NO | -| 'mysql.sys'@'localhost' | def | AUDIT_ABORT_EXEMPT | NO | -| 'mysql.sys'@'localhost' | def | FIREWALL_EXEMPT | NO | -| 'mysql.sys'@'localhost' | def | SYSTEM_USER | NO | -| 'root'@'localhost' | def | SELECT | YES | -| 'root'@'localhost' | def | INSERT | YES | -| 'root'@'localhost' | def | UPDATE | YES | -| 'root'@'localhost' | def | DELETE | YES | -| 'root'@'localhost' | def | CREATE | YES | -| 'root'@'localhost' | def | DROP | YES | -| 'root'@'localhost' | def | RELOAD | YES | -| 'root'@'localhost' | def | SHUTDOWN | YES | -| 'root'@'localhost' | def | PROCESS | YES | -| 'root'@'localhost' | def | FILE | YES | -| 'root'@'localhost' | def | REFERENCES | YES | -| 'root'@'localhost' | def | INDEX | YES | -| 'root'@'localhost' | def | ALTER | YES | -| 'root'@'localhost' | def | SHOW DATABASES | YES | -| 'root'@'localhost' | def | SUPER | YES | -| 'root'@'localhost' | def | CREATE TEMPORARY TABLES | YES | -| 'root'@'localhost' | def | LOCK TABLES | YES | -| 'root'@'localhost' | def | EXECUTE | YES | -| 'root'@'localhost' | def | REPLICATION SLAVE | YES | -| 'root'@'localhost' | def | REPLICATION CLIENT | YES | -| 'root'@'localhost' | def | CREATE VIEW | YES | -| 'root'@'localhost' | def | SHOW VIEW | YES | -| 'root'@'localhost' | def | CREATE ROUTINE | YES | -| 'root'@'localhost' | def | ALTER ROUTINE | YES | -| 'root'@'localhost' | def | CREATE USER | YES | -| 'root'@'localhost' | def | EVENT | YES | -| 'root'@'localhost' | def | TRIGGER | YES | -| 'root'@'localhost' | def | CREATE TABLESPACE | YES | -| 'root'@'localhost' | def | CREATE ROLE | YES | -| 'root'@'localhost' | def | DROP ROLE | YES | -| 'root'@'localhost' | def | ALLOW_NONEXISTENT_DEFINER | YES | -| 'root'@'localhost' | def | APPLICATION_PASSWORD_ADMIN | YES | -| 'root'@'localhost' | def | AUDIT_ABORT_EXEMPT | YES | -| 'root'@'localhost' | def | AUDIT_ADMIN | YES | -| 'root'@'localhost' | def | AUTHENTICATION_POLICY_ADMIN | YES | -| 'root'@'localhost' | def | BACKUP_ADMIN | YES | -| 'root'@'localhost' | def | BINLOG_ADMIN | YES | -| 'root'@'localhost' | def | BINLOG_ENCRYPTION_ADMIN | YES | -| 'root'@'localhost' | def | CLONE_ADMIN | YES | -| 'root'@'localhost' | def | CONNECTION_ADMIN | YES | -| 'root'@'localhost' | def | CREATE_SPATIAL_REFERENCE_SYSTEM | YES | -| 'root'@'localhost' | def | ENCRYPTION_KEY_ADMIN | YES | -| 'root'@'localhost' | def | FIREWALL_EXEMPT | YES | -| 'root'@'localhost' | def | FLUSH_OPTIMIZER_COSTS | YES | -| 'root'@'localhost' | def | FLUSH_PRIVILEGES | YES | -| 'root'@'localhost' | def | FLUSH_STATUS | YES | -| 'root'@'localhost' | def | FLUSH_TABLES | YES | -| 'root'@'localhost' | def | FLUSH_USER_RESOURCES | YES | -| 'root'@'localhost' | def | GROUP_REPLICATION_ADMIN | YES | -| 'root'@'localhost' | def | GROUP_REPLICATION_STREAM | YES | -| 'root'@'localhost' | def | INNODB_REDO_LOG_ARCHIVE | YES | -| 'root'@'localhost' | def | INNODB_REDO_LOG_ENABLE | YES | -| 'root'@'localhost' | def | OPTIMIZE_LOCAL_TABLE | YES | -| 'root'@'localhost' | def | PASSWORDLESS_USER_ADMIN | YES | -| 'root'@'localhost' | def | PERSIST_RO_VARIABLES_ADMIN | YES | -| 'root'@'localhost' | def | REPLICATION_APPLIER | YES | -| 'root'@'localhost' | def | REPLICATION_SLAVE_ADMIN | YES | -| 'root'@'localhost' | def | RESOURCE_GROUP_ADMIN | YES | -| 'root'@'localhost' | def | RESOURCE_GROUP_USER | YES | -| 'root'@'localhost' | def | ROLE_ADMIN | YES | -| 'root'@'localhost' | def | SENSITIVE_VARIABLES_OBSERVER | YES | -| 'root'@'localhost' | def | SERVICE_CONNECTION_ADMIN | YES | -| 'root'@'localhost' | def | SESSION_VARIABLES_ADMIN | YES | -| 'root'@'localhost' | def | SET_ANY_DEFINER | YES | -| 'root'@'localhost' | def | SHOW_ROUTINE | YES | -| 'root'@'localhost' | def | SYSTEM_USER | YES | -| 'root'@'localhost' | def | SYSTEM_VARIABLES_ADMIN | YES | -| 'root'@'localhost' | def | TABLE_ENCRYPTION_ADMIN | YES | -| 'root'@'localhost' | def | TELEMETRY_LOG_ADMIN | YES | -| 'root'@'localhost' | def | TRANSACTION_GTID_TAG | YES | -| 'root'@'localhost' | def | XA_RECOVER_ADMIN | YES | -| 'cmc'@'%' | def | USAGE | NO | -+--------------------------------+---------------+---------------------------------+--------------+ -92 rows in set (0.001 sec) -#+end_src - -* =passwords.sql= - -#+begin_src sql -SELECT user, host, plugin FROM mysql.user; -#+end_src - -#+begin_src -mysql> SELECT user, host, plugin FROM mysql.user; -+------------------+-----------+-----------------------+ -| user | host | plugin | -+------------------+-----------+-----------------------+ -| cmc | % | caching_sha2_password | -| mysql.infoschema | localhost | caching_sha2_password | -| mysql.session | localhost | caching_sha2_password | -| mysql.sys | localhost | caching_sha2_password | -| root | localhost | caching_sha2_password | -+------------------+-----------+-----------------------+ -5 rows in set (0.001 sec) -#+end_src - -#+begin_src sql -SHOW GLOBAL VARIABLES LIKE 'validate_password%'; -SHOW VARIABLES LIKE 'validate_password%'; -#+end_src - -#+begin_src -mysql> SHOW GLOBAL VARIABLES LIKE 'validate_password%'; -+-------------------------------------------------+--------+ -| Variable_name | Value | -+-------------------------------------------------+--------+ -| validate_password.changed_characters_percentage | 0 | -| validate_password.check_user_name | ON | -| validate_password.dictionary_file | | -| validate_password.length | 8 | -| validate_password.mixed_case_count | 1 | -| validate_password.number_count | 1 | -| validate_password.policy | MEDIUM | -| validate_password.special_char_count | 1 | -+-------------------------------------------------+--------+ -8 rows in set (0.004 sec) - -mysql> SHOW VARIABLES LIKE 'validate_password%'; -+-------------------------------------------------+--------+ -| Variable_name | Value | -+-------------------------------------------------+--------+ -| validate_password.changed_characters_percentage | 0 | -| validate_password.check_user_name | ON | -| validate_password.dictionary_file | | -| validate_password.length | 8 | -| validate_password.mixed_case_count | 1 | -| validate_password.number_count | 1 | -| validate_password.policy | MEDIUM | -| validate_password.special_char_count | 1 | -+-------------------------------------------------+--------+ -8 rows in set (0.004 sec) -#+end_src - -#+begin_src sql -SELECT * FROM mysql.user -#+end_src - -#+begin_src -MySQL [(none)]> SELECT * FROM mysql.user; -+-----------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+-----------------------+------------------------------------------------------------------------+------------------+-----------------------+-------------------+----------------+------------------+----------------+------------------------+---------------------+--------------------------+-----------------+ -| Host | User | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv | Index_priv | Alter_priv | Show_db_priv | Super_priv | Create_tmp_table_priv | Lock_tables_priv | Execute_priv | Repl_slave_priv | Repl_client_priv | Create_view_priv | Show_view_priv | Create_routine_priv | Alter_routine_priv | Create_user_priv | Event_priv | Trigger_priv | Create_tablespace_priv | ssl_type | ssl_cipher | x509_issuer | x509_subject | max_questions | max_updates | max_connections | max_user_connections | plugin | authentication_string | password_expired | password_last_changed | password_lifetime | account_locked | Create_role_priv | Drop_role_priv | Password_reuse_history | Password_reuse_time | Password_require_current | User_attributes | -+-----------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+-----------------------+------------------------------------------------------------------------+------------------+-----------------------+-------------------+----------------+------------------+----------------+------------------------+---------------------+--------------------------+-----------------+ -| % | cmc | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | | | | | 0 | 0 | 0 | 0 | caching_sha2_password | | N | 2025-04-25 16:28:52 | NULL | N | N | N | NULL | NULL | NULL | NULL | -| localhost | mysql.infoschema | Y | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | | | | | 0 | 0 | 0 | 0 | caching_sha2_password | $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED | N | 2025-04-25 15:51:53 | NULL | Y | N | N | NULL | NULL | NULL | NULL | -| localhost | mysql.session | N | N | N | N | N | N | N | Y | N | N | N | N | N | N | N | Y | N | N | N | N | N | N | N | N | N | N | N | N | N | | | | | 0 | 0 | 0 | 0 | caching_sha2_password | $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED | N | 2025-04-25 15:51:53 | NULL | Y | N | N | NULL | NULL | NULL | NULL | -| localhost | mysql.sys | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | | | | | 0 | 0 | 0 | 0 | caching_sha2_password | $A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED | N | 2025-04-25 15:51:53 | NULL | Y | N | N | NULL | NULL | NULL | NULL | -| localhost | root | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | | | | | 0 | 0 | 0 | 0 | caching_sha2_password | | N | 2025-04-25 15:51:53 | NULL | N | Y | Y | NULL | NULL | NULL | NULL | -+-----------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+-----------------------+------------------------------------------------------------------------+------------------+-----------------------+-------------------+----------------+------------------+----------------+------------------------+---------------------+--------------------------+-----------------+ -5 rows in set (0.005 sec) -#+end_src diff --git a/databases/oracle/README.org b/databases/oracle/README.md index f2bc680..3afa2e7 100644 --- a/databases/oracle/README.org +++ b/databases/oracle/README.md @@ -1,6 +1,6 @@ -* =oracle_admins.sql= +# `oracle_admins.sql` -#+begin_src sql +``` sql SELECT grantee AS "User", privilege AS "Privilege" @@ -16,9 +16,9 @@ FROM dba_tab_privs WHERE grantee IN (SELECT DISTINCT grantee FROM dba_tab_privs); -#+end_src +``` -#+begin_src text +``` text | User | Privilege | |----------+---------------------| | SCOTT | CREATE SESSION | @@ -39,18 +39,18 @@ WHERE | APP_USER | SELECT ON EMPLOYEES | | APP_USER | INSERT ON EMPLOYEES | | APP_USER | UPDATE ON EMPLOYEES | -#+end_src +``` -* =oracle_admins_alt.sql= +# `oracle_admins_alt.sql` -#+begin_src sql +``` sql SELECT ** FROM sys.dba_role_privs; SELECT ** FROM sys.dba_sys_privs; SELECT ** FROM sys.dba_tab_privs; SELECT ** FROM sys.dba_users; -#+end_src +``` -#+begin_src text +``` text | Grantee | Granted_Role | Admin_Option | |----------+--------------+--------------| | SCOTT | DBA | NO | @@ -78,4 +78,4 @@ SELECT ** FROM sys.dba_users; | SYS | OPEN | SYSTEM | TEMP | | SYSTEM | OPEN | SYSTEM | TEMP | | APP_USER | OPEN | USERS | TEMP | -#+end_src +``` diff --git a/databases/postgres/README.md b/databases/postgres/README.md new file mode 100644 index 0000000..0e4f0fc --- /dev/null +++ b/databases/postgres/README.md @@ -0,0 +1,67 @@ +# `passwords.sql` + +``` sql +SELECT * +FROM pg_settings +WHERE name LIKE 'password_%'; +``` + + | name | setting | unit | category | short_desc | extra_desc | context | vartype | source | min_val | max_val | enumvals | boot_val | reset_val | sourcefile | sourceline | pending_restart | + |---------------------+---------------+------+-------------------------------------------------+-------------------------------------------------+------------+---------+---------+---------+---------+---------+---------------------+---------------+---------------+------------+------------+-----------------| + | password_encryption | scram-sha-256 | | Connections and Authentication / Authentication | Chooses the algorithm for encrypting passwords. | | user | enum | default | | | {md5,scram-sha-256} | scram-sha-256 | scram-sha-256 | | | false | + +``` sql +SELECT + usename AS user_name, + passwd AS password, + valuntil AS valid_until, + useconfig AS user_config +FROM pg_shadow; +``` + + | user_name | password | valid_until | user_config | + |-----------+---------------------------------------------------------------------------------------------------------------------------------------+------------------------+-------------| + | cmc | | | | + | testuser | SCRAM-SHA-256$4096:+NSpEU+8afhJ4BUTkzdKeg==$FGIRcTWr89b42qkLUl4Ntfp4RUpoc3GIpLHqJl/fWZE=:o1UM8YiEj5SLV5l/geMuqXMRi6onWazryn/l+LXYMxU= | 2025-12-31 00:00:00-06 | | + +# `admins.sql` + +``` sql +SELECT + r.rolname AS role_name, + r.rolsuper AS is_superuser, + r.rolinherit AS inherits_privileges, + r.rolcreaterole AS can_create_roles, + r.rolcreatedb AS can_create_db, + r.rolcanlogin AS can_login, + r.rolreplication AS can_replication, + r.rolconnlimit AS connection_limit, + r.rolvaliduntil AS valid_until, + ARRAY( + SELECT b.rolname + FROM pg_auth_members m + JOIN pg_roles b ON (m.roleid = b.oid) + WHERE m.member = r.oid + ) AS member_of +FROM pg_roles r; +``` + + | role_name | is_superuser | inherits_privileges | can_create_roles | can_create_db | can_login | can_replication | connection_limit | valid_until | member_of | + |-----------------------------+--------------+---------------------+------------------+---------------+-----------+-----------------+------------------+------------------------+--------------------------------------------------------------| + | cmc | true | true | true | true | true | true | -1 | | {} | + | pg_database_owner | false | true | false | false | false | false | -1 | | {} | + | pg_read_all_data | false | true | false | false | false | false | -1 | | {} | + | pg_write_all_data | false | true | false | false | false | false | -1 | | {} | + | pg_monitor | false | true | false | false | false | false | -1 | | {pg_read_all_settings,pg_read_all_stats,pg_stat_scan_tables} | + | pg_read_all_settings | false | true | false | false | false | false | -1 | | {} | + | pg_read_all_stats | false | true | false | false | false | false | -1 | | {} | + | pg_stat_scan_tables | false | true | false | false | false | false | -1 | | {} | + | pg_read_server_files | false | true | false | false | false | false | -1 | | {} | + | pg_write_server_files | false | true | false | false | false | false | -1 | | {} | + | pg_execute_server_program | false | true | false | false | false | false | -1 | | {} | + | pg_signal_backend | false | true | false | false | false | false | -1 | | {} | + | pg_checkpoint | false | true | false | false | false | false | -1 | | {} | + | pg_maintain | false | true | false | false | false | false | -1 | | {} | + | pg_use_reserved_connections | false | true | false | false | false | false | -1 | | {} | + | pg_create_subscription | false | true | false | false | false | false | -1 | | {} | + | testuser | false | true | false | false | true | false | -1 | 2025-12-31 00:00:00-06 | {} | diff --git a/databases/postgres/README.org b/databases/postgres/README.org deleted file mode 100644 index e7cd062..0000000 --- a/databases/postgres/README.org +++ /dev/null @@ -1,75 +0,0 @@ -#+title: Postgres - -* =passwords.sql= - -#+begin_src sql -SELECT * -FROM pg_settings -WHERE name LIKE 'password_%'; -#+end_src - -#+begin_src -| name | setting | unit | category | short_desc | extra_desc | context | vartype | source | min_val | max_val | enumvals | boot_val | reset_val | sourcefile | sourceline | pending_restart | -|---------------------+---------------+------+-------------------------------------------------+-------------------------------------------------+------------+---------+---------+---------+---------+---------+---------------------+---------------+---------------+------------+------------+-----------------| -| password_encryption | scram-sha-256 | | Connections and Authentication / Authentication | Chooses the algorithm for encrypting passwords. | | user | enum | default | | | {md5,scram-sha-256} | scram-sha-256 | scram-sha-256 | | | false | -#+end_src - -#+begin_src sql -SELECT - usename AS user_name, - passwd AS password, - valuntil AS valid_until, - useconfig AS user_config -FROM pg_shadow; -#+end_src - -#+begin_src -| user_name | password | valid_until | user_config | -|-----------+---------------------------------------------------------------------------------------------------------------------------------------+------------------------+-------------| -| cmc | | | | -| testuser | SCRAM-SHA-256$4096:+NSpEU+8afhJ4BUTkzdKeg==$FGIRcTWr89b42qkLUl4Ntfp4RUpoc3GIpLHqJl/fWZE=:o1UM8YiEj5SLV5l/geMuqXMRi6onWazryn/l+LXYMxU= | 2025-12-31 00:00:00-06 | | -#+end_src - -* =admins.sql= - -#+begin_src sql -SELECT - r.rolname AS role_name, - r.rolsuper AS is_superuser, - r.rolinherit AS inherits_privileges, - r.rolcreaterole AS can_create_roles, - r.rolcreatedb AS can_create_db, - r.rolcanlogin AS can_login, - r.rolreplication AS can_replication, - r.rolconnlimit AS connection_limit, - r.rolvaliduntil AS valid_until, - ARRAY( - SELECT b.rolname - FROM pg_auth_members m - JOIN pg_roles b ON (m.roleid = b.oid) - WHERE m.member = r.oid - ) AS member_of -FROM pg_roles r; -#+end_src - -#+begin_src -| role_name | is_superuser | inherits_privileges | can_create_roles | can_create_db | can_login | can_replication | connection_limit | valid_until | member_of | -|-----------------------------+--------------+---------------------+------------------+---------------+-----------+-----------------+------------------+------------------------+--------------------------------------------------------------| -| cmc | true | true | true | true | true | true | -1 | | {} | -| pg_database_owner | false | true | false | false | false | false | -1 | | {} | -| pg_read_all_data | false | true | false | false | false | false | -1 | | {} | -| pg_write_all_data | false | true | false | false | false | false | -1 | | {} | -| pg_monitor | false | true | false | false | false | false | -1 | | {pg_read_all_settings,pg_read_all_stats,pg_stat_scan_tables} | -| pg_read_all_settings | false | true | false | false | false | false | -1 | | {} | -| pg_read_all_stats | false | true | false | false | false | false | -1 | | {} | -| pg_stat_scan_tables | false | true | false | false | false | false | -1 | | {} | -| pg_read_server_files | false | true | false | false | false | false | -1 | | {} | -| pg_write_server_files | false | true | false | false | false | false | -1 | | {} | -| pg_execute_server_program | false | true | false | false | false | false | -1 | | {} | -| pg_signal_backend | false | true | false | false | false | false | -1 | | {} | -| pg_checkpoint | false | true | false | false | false | false | -1 | | {} | -| pg_maintain | false | true | false | false | false | false | -1 | | {} | -| pg_use_reserved_connections | false | true | false | false | false | false | -1 | | {} | -| pg_create_subscription | false | true | false | false | false | false | -1 | | {} | -| testuser | false | true | false | false | true | false | -1 | 2025-12-31 00:00:00-06 | {} | -#+end_src diff --git a/databases/sql/README.org b/databases/sql/README.md index 82b8911..3abfa39 100644 --- a/databases/sql/README.org +++ b/databases/sql/README.md @@ -1,10 +1,10 @@ -* =admins.sql= +# `admins.sql` -#+begin_src sql +``` sql :r admins.sql -#+end_src +``` -#+begin_src text +``` text | UserName | UserType | DatabaseUserName | Role | PermissionType | PermissionState | ObjectType | ObjectName | ColumnName | |-------------+--------------+------------------+-----------------+----------------+-----------------+----------------------+--------------------+------------| | SCOTT | SQL User | SCOTT | NULL | SELECT | GRANT | USER_TABLE | EMPLOYEES | NULL | @@ -14,15 +14,15 @@ | APP_USER | Windows User | APP_USER | ApplicationRole | INSERT | GRANT | USER_TABLE | EMPLOYEES | NULL | | {All Users} | {All Users} | {All Users} | public | SELECT | GRANT | USER_TABLE | EMPLOYEES | NULL | | {All Users} | {All Users} | {All Users} | public | EXECUTE | GRANT | SQL_STORED_PROCEDURE | SP_GET_EMPLOYEE | NULL | -#+end_src +``` -* =passwords.py= +# `passwords.py` -#+begin_src shell +``` shell python passwords.py -#+end_src +``` -#+begin_src text +``` text | Name | Type | Check Policy | Check Expiration | Reason | |-------+-----------+--------------+------------------+-----------------------------------------------------------------------------------------------------------------------------------------------| | user1 | SQL_LOGIN | PASS | FAIL | Password policy is enforced. Reviewer to check the assigned policy. Password expiration is not enforced. | @@ -33,4 +33,4 @@ python passwords.py | user6 | SQL_LOGIN | PASS | PASS | Password policy is enforced. Reviewer to check the assigned policy. Password expiration is enforced. Reviewer to check the expiration policy. | | user7 | SQL_LOGIN | PASS | PASS | Password policy is enforced. Reviewer to check the assigned policy. Password expiration is enforced. Reviewer to check the expiration policy. | | user8 | SQL_LOGIN | PASS | PASS | Password policy is enforced. Reviewer to check the assigned policy. Password expiration is enforced. Reviewer to check the expiration policy. | -#+end_src +``` |