Check for default credentials

[vpetersson]

Let's start building out a basic default credentials check. The easiest way to do this is likely to build out a simple check against /etc/shadows for pre-determined hashes.

For instance, we can build out a database of hashes and check them like this:

pi@wott0:~ $ sudo grep "pi:$6$D12eVhKX$00kKcOd8ExXk0ZruVWRQnukJi4CEW7Jg7DAgf3E6umxe4PQn7ac4X4TobozWbBIthsUM26EA7ZY4Ypvv63H121" /etc/shadow 
pi:$6$D12eVhKX$00kKcOd8ExXk0ZruVWRQnukJi4CEW7Jg7DAgf3E6umxe4PQn7ac4X4TobozWbBIthsUM26EA7ZY4Ypvv63H121:17709:0:99999:7:::

[vpetersson]

We also need to:

• Display this in the dashboard
• Display this in 'Recommended Actions' to fix

[a-martynovich]

@vpetersson

• What are pre-determined hashes? How do we gather them? Where do we store them?
• Who should check /etc/shadows: agent or API server? If it's server, then should agent send its whole shadows file to the server?
• What kind of action is a fix? What does agent need to do if instructed?

[vpetersson]

What are pre-determined hashes? How do we gather them? Where do we store them?

Let's start with just that one, then we can build out. There are databases of default passwords that we can use to build this out.

Who should check /etc/shadows: agent or API server? If it's server, then should agent send its whole shadows file to the server?

This must be done by the agent. We can't send that to the server. We also need to be careful about the implementation. We should merely check for hashes, not read and store the entire shadows file.

What kind of action is a fix? What does agent need to do if instructed?

I'm not sure I understand this question.

[a-martynovich]

@vpetersson

Who should check /etc/shadows: agent or API server? If it's server, then should agent send its whole shadows file to the server?

This must be done by the agent. We can't send that to the server. We also need to be careful about the implementation. We should merely check for hashes, not read and store the entire shadows file.

Should we send the entire hash database to the agent then?

What kind of action is a fix? What does agent need to do if instructed?

I'm not sure I understand this question.

In your 2nd comment you wrote "Display this in 'Recommended Actions' to fix". I take it we shouldn't go beyond that, i.e. actually implement a fixing action on agent. Right?

[vpetersson]

@vpetersson

Who should check /etc/shadows: agent or API server? If it's server, then should agent send its whole shadows file to the server?

This must be done by the agent. We can't send that to the server. We also need to be careful about the implementation. We should merely check for hashes, not read and store the entire shadows file.

Should we send the entire has database to the agent then?

Yes, correct.

What kind of action is a fix? What does agent need to do if instructed?

I'm not sure I understand this question.

In your 2nd comment you wrote "Display this in 'Recommended Actions' to fix". I take it we shouldn't go beyond that, i.e. actually implement a fixing action on agent. Right?

Right, for the time being, we should probably just have an action similar to "Default credentials found" etc.

[rptrchv]

@vpetersson Grabbing this one