Giters

klouddb / klouddbshield

KloudDB Shield is a security tool that checks for CIS compliance - Postgres, MySQL and RDS

Home Page:https://klouddb.gitbook.io/klouddb_shield

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

auroraciscis-benchmarkcis-benchmarksmysqlpostgrespostgresqlrds-mysqlrds-postgressecurity

KloudDB_Shield

GitHub Release Go Report Card

How to run this tool on my server ?

Postgres - Please read https://klouddb.io/cis-benchmarks-for-postgres-klouddbshield-1-1/

HBA Scanner - Please read https://klouddb.io/hba-checker-klouddb-shield-1-4/

MySQL - Please read https://klouddb.io/releasing-first-version-of-klouddb-shield-mysql-cis-benchmarks/

RDS - Please read https://klouddb.io/klouddb-shield-1-2-rds-cis-benchmarks/

Currently we check for 94 controls - 40 controls(Postgres) 46 controls(MySQL) and 8 controls(RDS) and we plan to add more checks soon. We tested this tool on CentOS and Ubuntu ( PG 14 and PG13)

NOTE - For some linux commands you might need root/sudo access

You can directly download the package from releases section of repo and install the package (for example - rpm for centos and deb package for Ubuntu etc..) . You also need to edit config file after installing the package(see above mentioned blog post for detailed walkthrough)

# Centos
$ rpm -i <ciscollector file>.rpm

# Debian
$ dpkg -i <ciscollector file>.deb

Usage of ciscollector:
  -r    Run
  -version
        Print version
$ ciscollector -r
Section 1  - Operating system          - 1/6  - 16.67%
Section 2  - Installation and Planning - 4/10 - 40.00%
Section 3  - File Permissions          - 2/9  - 22.22%
Section 4  - General                   - 5/7  - 71.43%
Section 6  - Auditing and Logging      - 2/3  - 66.67%
Section 7  - Authentication            - 4/6  - 66.67%
Section 8  - Network                   - 0/2  - 0.00%
Section 9  - Replication               - 0/2  - 0.00%
Overall Score - 18/45 - 40.00%
secreport.json file generated

How to run locally(without installing a package) ?

Install and run locally the server

$ go build -o ./ciscollector ./cmd/ciscollector
# Edit kshieldconfig.toml at path /etc/klouddbshield/kshieldconfig.toml 
$ ./ciscollector -r

RDS Checks

Make sure you have properly configured your AWS-CLI with a valid Access Key and Region or declare AWS variables properly. NOTE - You need to run this tool from bastion host or from some place where you have access to your RDS instances(It only needs basic aws rds describe priivs and sns read privs )

export AWS_ACCESS_KEY_ID="ASXXXXXXX"
export AWS_SECRET_ACCESS_KEY="XXXXXXXXX"
export AWS_SESSION_TOKEN="XXXXXXXXX"
export AWS_REGION="XXXXXXXXX"

Sample config file

Below is sample file - If you are checking for postgres comment out the mysql section or if you are only checking mysql part , comment out the postgres part. Location of the config file is /etc/klouddbshield

NOTE - In old version you will have label in config file as "[database]" instead of "[mysql]"

[mysql]
host="localhost"
port="3306"
# user="root"
# password="mysql111"
maxIdleConn = 2
maxOpenConn = 2

[postgres]
host="localhost" 
port="5432" 
user="postgres"
dbname="postgres"
password="postgres" 
maxIdleConn = 2
maxOpenConn = 2

[app]
debug = true

Contributing

We welcome PRs and Issue Reports

Help

Please reach us at support@klouddb.io

About

KloudDB Shield is a security tool that checks for CIS compliance - Postgres, MySQL and RDS

https://klouddb.gitbook.io/klouddb_shield

auroraciscis-benchmarkcis-benchmarksmysqlpostgrespostgresqlrds-mysqlrds-postgressecurity

License:Other

Languages

Language:Go 98.9%Language:Shell 0.9%Language:Dockerfile 0.1%Language:Makefile 0.1%