Current version: 0.2.4 (23 March 2024) [src]
xyz is a security tool to check a system
for common configuration faults that could cause sensitive information or
interfaces to be exposed, such SSH private keys or GPG secret keys without
passphrases, or service accounts without a password.
The tool can be run unattended from a cron job to generate a system-wide report which can be delivered by email or detected by a monitoring system such as Zabbix.
Many of the 150+ checks are derived from recommendations in Center for Internet Security benchmark documents, though since xyz is intended for use on multiple operating systems - various GNU/Linux distributions, FreeBSD, and OpenBSD - these checks are derived from standard recommendations rather than equivalent to them. xyz is not associated with or endorsed by CIS or any other organisation.
xyz is intended as a risk reduction tool to limit accidental exposure: ideally it should first be run before a server is placed into a production environment, and run regularly thereafter to check that mistakes have not crept in during day-to-day maintenance. It does not look for indicators of compromise and should not be run after an incident. A compromised server should be deleted and rebuilt, and xyz run on the rebuilt system as part of hardening before deployment.
User-defined check and fix actions can be added. By packaging and deploying your own check, fix, and hook functions, embodying your estate's configuration policies, xyz can be extended to serve as a configuration policy compliance tool.
This software is distributed under the terms of the GNU General Public License version 3 or later.
- Source code: xyz-0.2.4.tar.gz [signature]
- Manual for XYZ
- Git repository (at Codeberg)
- Issue tracker (at Codeberg)
To install xyz, follow these steps:
wget https://www.ivarch.com/programs/sources/xyz-0.2.4.tar.gz tar xzf xyz-0.2.4.tar.gz cd xyz-0.2.4 sh ./configure make sudo make install
Comments, bug reports, and patches can be sent using the Issue tracker, or through the Contact Form.
News
0.2.4 - 23 March 2024
- checks for configuration files in user home directories, derived from CIS Debian 12 benchmark section 7.2.10
- adjusted “accounts with GID 0” check to make allowances for RHEL descendants
- added new variable “
osIsRhelDescendant”
0.2.1 - 18 March 2024
- corrected an installer bug which creates the hooks and extensions directories in the wrong place
0.2.0 - 17 March 2024
This release extends XYZ to include over 100 more checks, and includes new options which will assist with future work to add unit tests into the build process.
- checks for password, shadow, group file permissions derived from CIS Debian 12 benchmark section 7.1
- renamed acct_shadow_permission to rights_etcshadow_permissions for consistency
- checks for SSH host private and public key permissions
- checks for audit log and config permissions derived from CIS Debian 12 benchmark section 6.4.4
- checks for listening network ports that are reachable from elsewhere
- new utility functions “
fsHasExecutePermissions”, “fsGroupOrOtherCanRead”, and “fsOtherCanRead” - new options -R, -C, -E, -H to assist with future tests
0.1.0 - 6 March 2024
This release extends XYZ to incorporate dozens of new checks, derived from over 50 CIS recommendations, on top of its original checks for unprotected SSH and GPG private keys. It also adds a more fine-grained exceptions mechanism to allow special cases to be permitted, and a more human-readable (and optionally colourised) report format.
- new “reformat” action to reformat fault reports for human eyes
- new exceptions mechanism to exclude specific results such as allowed private key files
- 80 checks now defined, derived from over 50 CIS benchmark recommendations
- filesystem checks derived from CIS Debian 12 benchmark section 1.1.2
- information leak checks derived from CIS Debian 12 benchmark section 1.6
- file permissions checks derived from CIS Debian 12 benchmark section 2.4.1, 5.1, and others
- user account checks derived from CIS Debian 12 benchmark sections 5.4.2, 7.2, and others
0.0.1 - 1 March 2024
- package and manual created
- extensions framework built
- detection of unprotected SSH private keys
- detection of unprotected GPG secret keys
- detection of /tmp permission and ownership issues
- detection of duplicate root accounts
- detection of system and guest accounts with usable passwords
- detection of user accounts with no home directory
- detection of user accounts with world writable home directory
- detection of root account with empty password