diff --git a/backend/backend/settings/dev.py b/backend/backend/settings/dev.py
index 78fa67a90..cb1f27cc3 100644
--- a/backend/backend/settings/dev.py
+++ b/backend/backend/settings/dev.py
@@ -25,3 +25,5 @@
IS_DEV = True
EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
+
+ALLOWED_HOSTS = ['*']
diff --git a/backend/device_registry/api_views.py b/backend/device_registry/api_views.py
index ac72f55be..fa90bf435 100644
--- a/backend/device_registry/api_views.py
+++ b/backend/device_registry/api_views.py
@@ -86,6 +86,7 @@ def post(self, request, *args, **kwargs):
device = Device.objects.get(device_id=request.device_id)
device.last_ping = timezone.now()
device.agent_version = data.get('agent_version')
+ device.audit_files = data.get('audit_files', [])
if 'deb_packages' in data:
deb_packages = data['deb_packages']
device.deb_packages_hash = deb_packages['hash']
@@ -132,7 +133,8 @@ def post(self, request, *args, **kwargs):
firewall_state.save()
device.update_trust_score = True
- device.save(update_fields=['last_ping', 'agent_version', 'deb_packages_hash', 'update_trust_score'])
+ device.save(update_fields=['last_ping', 'agent_version', 'audit_files', 'deb_packages_hash',
+ 'update_trust_score'])
if datastore_client:
task_key = datastore_client.key('Ping')
diff --git a/backend/device_registry/migrations/0062_device_audit_files.py b/backend/device_registry/migrations/0062_device_audit_files.py
new file mode 100644
index 000000000..101d55d73
--- /dev/null
+++ b/backend/device_registry/migrations/0062_device_audit_files.py
@@ -0,0 +1,19 @@
+# Generated by Django 2.2.6 on 2019-10-03 06:44
+
+import django.contrib.postgres.fields.jsonb
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('device_registry', '0061_deviceinfo_processes'),
+ ]
+
+ operations = [
+ migrations.AddField(
+ model_name='device',
+ name='audit_files',
+ field=django.contrib.postgres.fields.jsonb.JSONField(blank=True, default=list),
+ ),
+ ]
diff --git a/backend/device_registry/models.py b/backend/device_registry/models.py
index 76a4e389c..2e6305a5c 100644
--- a/backend/device_registry/models.py
+++ b/backend/device_registry/models.py
@@ -68,6 +68,15 @@ class Meta:
unique_together = ['name', 'version', 'arch']
+SSHD_CONFIG_PARAMS_SAFE_VALUES = {
+ 'PermitEmptyPasswords': 'no',
+ 'PermitRootLogin': 'no',
+ 'PasswordAuthentication': 'no',
+ 'AllowAgentForwarding': 'no',
+ 'Protocol': '2'
+}
+
+
class Device(models.Model):
device_id = models.CharField(
max_length=128,
@@ -97,6 +106,17 @@ class Device(models.Model):
update_trust_score = models.BooleanField(default=False, db_index=True)
deb_packages = models.ManyToManyField(DebPackage)
deb_packages_hash = models.CharField(max_length=32, blank=True)
+ audit_files = JSONField(blank=True, default=list)
+
+ def sshd_issues(self):
+ if self.audit_files:
+ for file_info in self.audit_files:
+ if 'sshd' in file_info['name']:
+ issues = []
+ for k, v in file_info['issues'].items():
+ issues.append((k, v, SSHD_CONFIG_PARAMS_SAFE_VALUES[k]))
+ return issues
+ return None
@property
def certificate_expired(self):
diff --git a/backend/device_registry/templates/device_info_security.html b/backend/device_registry/templates/device_info_security.html
index 2bc4e165f..faa3e0853 100644
--- a/backend/device_registry/templates/device_info_security.html
+++ b/backend/device_registry/templates/device_info_security.html
@@ -1,5 +1,6 @@
{% extends "admin_base.html" %}
{% load split_string %}
+{% load misc %}
{% block title %}WoTT - Device Info{% endblock title %}
@@ -58,7 +59,7 @@ Security
{% endif %}
-
+
|
Default Credentials
Security
|
-
- |
- OpenSSH Audit
- |
- Coming soon! |
+
+ | System File Audit |
+
+ {% if object.audit_files %}
+
+
+
+ | Path |
+ Checksum (SHA-256) |
+ Last Modified |
+
+
+ {% for file in object.audit_files %}
+
+ | {{ file.name }} |
+ {{ file.sha256 }} |
+
+ {% if file.last_modified %}{{ file.last_modified|fromunix|timesince }} ago{% endif %} |
+
+ {% endfor %}
+
+ {% endif %}
+ |
-
- |
- Insecure Services
- |
+ Configuration Audit |
+
+ {% with object.sshd_issues as sshd_issues %}
+ {% if sshd_issues %}
+ OpenSSH
+
+ {% for issue in sshd_issues %}
+ - {% include "badge.html" with icon="exclamation-circle" color="danger" %} Consider
+ changing "{{ issue.0 }}" from "{{ issue.1 }}" to "{{ issue.2 }}"
+
+ {% endfor %}
+
+ {% endif %}
+ {% endwith %}
+ |
+
+
+
+ |
+ Insecure Services
+ |
{% with object.insecure_services as services %}
{% if services %}
@@ -105,13 +141,13 @@ Security
|
Logins |
-
- {% if object.deviceinfo.logins %}
- {{ object.deviceinfo.beautified_logins }}
- {% else %}
- No recent login attempts detected.
- {% endif %}
- |
+
+ {% if object.deviceinfo.logins %}
+ {{ object.deviceinfo.beautified_logins }}
+ {% else %}
+ No recent login attempts detected.
+ {% endif %}
+ |
|
diff --git a/backend/device_registry/templatetags/misc.py b/backend/device_registry/templatetags/misc.py
new file mode 100644
index 000000000..7ccbd9d5b
--- /dev/null
+++ b/backend/device_registry/templatetags/misc.py
@@ -0,0 +1,9 @@
+from django import template
+from django.utils import timezone
+
+register = template.Library()
+
+
+@register.filter(name='fromunix')
+def fromunix(value):
+ return timezone.datetime.fromtimestamp(value, timezone.get_default_timezone())
|