HnTool
------

What is it?
~~~~~~~~~~~

HnTool is an open source (GPLv2) hardening tool for Unix. It scans your
system for vulnerabilities and for problems in configuration files, giving
you a quick overview of the security status of your system.

To use HnTool, download it and run: ::

    # ./hntool

Supported systems
~~~~~~~~~~~~~~~~~

HnTool has been tested and is known to work on:

* Arch Linux
* CentOS
* Debian
* Fedora
* Gentoo
* Ubuntu

If you are using HnTool on a system that is not listed above, please let us
know.

How to install
~~~~~~~~~~~~~~

To install HnTool, run the following command as root: ::

    # python setup.py install --prefix /usr/ --root /

How to use
~~~~~~~~~~

Run HnTool with: ::

    # ./hntool

You can also read the hntool(1) manual by typing 'man hntool' at the
command line, or see the usage help: ::

    $ hntool -h

Understanding the output
~~~~~~~~~~~~~~~~~~~~~~~~

There are 5 types of results:

* OK: the item checked is fine and you do not need to worry about it.
* INFO: something you should know about, but which is probably fine. An
  open port, for example.
* LOW: a security problem was found, but it does not pose a high risk to
  your system.
* MEDIUM: things are getting worse and you should start to worry about
  these items.
* HIGH: you have an important security hole or problem on your system and
  you should fix it NOW, or run and save your life.

How can I help?
~~~~~~~~~~~~~~~

There are several ways you can contribute to HnTool's development: code,
patches, bug reports and feature requests.

To report a bug or request a feature, file an issue on our Google Code
page: http://code.google.com/p/hntool/

If you are reporting a bug, please give concrete examples of how and where
the problem occurs.
If you have a patch (fixing a bug or adding a new HnTool module), you can
file an issue on Google Code too:
http://code.google.com/p/hntool/issues/list

HnTool's source is available at: http://code.google.com/p/hntool/

How to create a module
~~~~~~~~~~~~~~~~~~~~~~

This section documents the innards of HnTool and specifies how to create a
new module.

The main HnTool program (hntool.py) runs a list of rules defined in
__files__ and __services__.

* __files__: the rules which process simple files and configs.
* __services__: the rules which check the security of services and daemons.

Once your module is finished, remember to add it to the appropriate array
(__files__ or __services__) defined in hntool/__init__.py.

A sample HnTool module looks like this (hntool/ssh.py): ::

    import os

    class rule:
        def short_name(self):
            return "ssh"

        def long_name(self):
            return "Checks security problems on sshd config file"

        def __init__(self, options):
            pass

        def analyze(self, options):
            check_results = {'ok': [], 'low': [], 'medium': [],
                             'high': [], 'info': []}
            ssh_conf_file = ['/etc/ssh/sshd_config', '/etc/sshd_config']

            for sshd_conf in ssh_conf_file:
                if os.path.isfile(sshd_conf):
                    try:
                        fp = open(sshd_conf, 'r')
                    except IOError as err:
                        check_results['info'].append(
                            'Could not open %s: %s' % (sshd_conf, err.strerror))
                        continue

                    lines = [x.strip('\n') for x in fp.readlines()]

                    # Checking if SSH is using the default port. A commented-out
                    # "#Port 22" also means the default is in effect. Note that
                    # this exact-string match misses spellings sshd accepts,
                    # such as "port 22" or "Port  22".
                    if 'Port 22' in lines or '#Port 22' in lines:
                        check_results['low'].append('SSH is using the default port')
                    else:
                        check_results['ok'].append('SSH is not using the default port')

                    # Closing the sshd_config file
                    fp.close()

            return check_results

        def type(self):
            return "files"

Mostly, the code is self-explanatory. The following is the list of methods
that each HnTool module must have:

* __init__(self, options)

  Receives the options object passed in by hntool.py. The sample module
  does nothing with it.

* short_name(self)

  Returns a string containing a short name for the module. Usually this is
  the same as the basename of the module file.
* long_name(self)

  Returns a string containing a concise description of the module. This
  description is used when listing all the rules with hntool -l.

* analyze(self, options)

  Returns a dictionary with five keys, ok, low, medium, high and info, each
  mapping to a list of result messages, as in the sample module above.

* type(self)

  Returns "files" for a module processing simple files and configs, or
  "services" for a module processing services and daemons.
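The sample module above matches the literal strings 'Port 22' and '#Port 22', so it misses spellings that sshd itself accepts (different case, extra whitespace, 'Port=22'), repeated Port lines, and the fact that sshd honours only the first occurrence of most keywords and treats everything after a Match line as conditional. The rule below is an example added to this README, not part of HnTool: it follows the module interface described above (short_name, long_name, __init__, analyze, type) and returns the same five-bucket dictionary, but parses sshd_config the way sshd_config(5) describes and checks a few more directives. The module name sshd_hardening, the severity assigned to each directive and the SAMPLE_SSHD_CONFIG text are assumptions made for the example.

```python
# hntool/sshd_hardening.py: hypothetical rule added as an example for this README;
# it is not part of HnTool. Same interface as the sample module above.
import os
import re

SSHD_CONF_FILES = ['/etc/ssh/sshd_config', '/etc/sshd_config']
# (keyword, accepted values, level reported otherwise); severities are assumptions.
CHECKS = [
    ('PermitRootLogin', ('no',), 'high'),
    ('PasswordAuthentication', ('no',), 'medium'),
    ('PermitEmptyPasswords', ('no',), 'high'),
    ('X11Forwarding', ('no',), 'low'),
]
# sshd_config(5): keyword, then whitespace or one '=', then the argument(s).
_DIRECTIVE = re.compile(r'^([A-Za-z][A-Za-z0-9]*)(?:\s*=\s*|\s+)(\S.*?)\s*$')

def _empty():
    return {'ok': [], 'low': [], 'medium': [], 'high': [], 'info': []}

def parse_sshd_config(text):
    """Global directives as ordered (keyword, value) pairs, keywords lower-cased."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):      # blank or comment line
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2)
        if keyword == 'match':   # what follows is conditional, not global
            break
        directives.append((keyword, value))
    return directives

def first_value(directives, keyword):
    """sshd honours the FIRST occurrence of a keyword; later ones are ignored."""
    for key, value in directives:
        if key == keyword:
            return value
    return None

def assess(directives):
    """Map parsed directives onto the five HnTool result buckets."""
    results = _empty()
    # Port may repeat (sshd listens on all of them); no Port line means 22.
    ports = [v for k, v in directives if k == 'port']
    if not ports or '22' in ports:
        results['low'].append('SSH is using the default port')
    else:
        results['ok'].append('SSH is not using the default port')
    for name, good_values, level in CHECKS:
        value = first_value(directives, name.lower())
        if value is None:
            results['info'].append('%s is not set; the sshd built-in default applies' % name)
        elif value.lower() in good_values:
            results['ok'].append('%s is %s' % (name, value))
        else:
            results[level].append('%s is %s' % (name, value))
    if first_value(directives, 'include') is not None:
        results['info'].append('Include directive present; included files were not scanned')
    return results

class rule:
    def short_name(self):
        return "sshd_hardening"
    def long_name(self):
        return "Checks hardening directives in the sshd config file"
    def __init__(self, options):
        pass
    def type(self):
        return "files"
    def analyze(self, options):
        results = _empty()
        for path in SSHD_CONF_FILES:
            if not os.path.isfile(path):
                continue
            try:
                with open(path) as fp:
                    return assess(parse_sshd_config(fp.read()))
            except IOError as err:
                results['info'].append('Could not open %s: %s' % (path, err.strerror))
        results['info'].append('No readable sshd_config found')
        return results

# Constructed sample input for this example, not a real host's configuration.
SAMPLE_SSHD_CONFIG = """\
Port 2222
#Port 22
permitrootlogin yes
# sshd keeps the first value of a keyword, so the next line changes nothing:
PermitRootLogin no
PasswordAuthentication=no
X11Forwarding   yes
Match User backup
    PermitRootLogin no
"""
```

On the constructed sample, assess(parse_sshd_config(SAMPLE_SSHD_CONFIG)) reports PermitRootLogin as HIGH (the first value, yes, wins; the later no and the one inside the Match block are ignored), X11Forwarding as LOW, PasswordAuthentication and the non-default port as OK, and PermitEmptyPasswords as INFO because it is not set and sshd's built-in default applies. Absent directives are reported as INFO rather than assessed against a hard-coded default, since defaults differ between OpenSSH versions; an Include line is likewise only reported, because the included files are not read. To use the rule, drop the file into hntool/ and add its name to __files__ in hntool/__init__.py as described above; hntool -l will then list it.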