/klouddbshield

KloudDB Shield is a security tool that checks for CIS compliance - Postgres, MySQL and RDS

Primary LanguageGoOtherNOASSERTION

KloudDB_Shield

GitHub Release Go Report Card Go Reference Go Build Go Vuln Check

How to run this tool on my server ?

!! IMPORTANT !! Please refer to https://klouddb.gitbook.io/klouddb_shield for detailed documentation

Currently we check for 94 controls - 40 controls(Postgres) 46 controls(MySQL) and 8 controls(RDS) and we plan to add more checks soon. We tested this tool on CentOS and Ubuntu ( PG 14 and PG13)

NOTE - For some linux commands you might need root/sudo access

You can directly download the package from releases section of repo and install the package (for example - rpm for centos and deb package for Ubuntu etc..) . You also need to edit config file after installing the package(see above mentioned blog post for detailed walkthrough)

# Centos
$ rpm -i <ciscollector file>.rpm

# Debian
$ dpkg -i <ciscollector file>.deb

Usage of ciscollector:
  -r    Run
  -version
        Print version
$ ciscollector -r
Section 1  - Operating system          - 1/6  - 16.67%
Section 2  - Installation and Planning - 4/10 - 40.00%
Section 3  - File Permissions          - 2/9  - 22.22%
Section 4  - General                   - 5/7  - 71.43%
Section 6  - Auditing and Logging      - 2/3  - 66.67%
Section 7  - Authentication            - 4/6  - 66.67%
Section 8  - Network                   - 0/2  - 0.00%
Section 9  - Replication               - 0/2  - 0.00%
Overall Score - 18/45 - 40.00%
secreport.json file generated

How to run locally(without installing a package) ?

Install and run locally the server

$ go build -o ./ciscollector ./cmd/ciscollector
# Edit kshieldconfig.toml at path /etc/klouddbshield/kshieldconfig.toml 
$ ./ciscollector -r

RDS Checks

Make sure you have properly configured your AWS-CLI with a valid Access Key and Region or declare AWS variables properly. NOTE - You need to run this tool from bastion host or from some place where you have access to your RDS instances(It only needs basic aws rds describe priivs and sns read privs )

export AWS_ACCESS_KEY_ID="ASXXXXXXX"
export AWS_SECRET_ACCESS_KEY="XXXXXXXXX"
export AWS_SESSION_TOKEN="XXXXXXXXX"
export AWS_REGION="XXXXXXXXX"

Sample config file

Below is sample file - If you are checking for postgres comment out the mysql section or if you are only checking mysql part , comment out the postgres part. Location of the config file is /etc/klouddbshield

NOTE - In old version you will have label in config file as "[database]" instead of "[mysql]"

[mysql]
host="localhost"
port="3306"
# user="root"
# password="mysql111"
maxIdleConn = 2
maxOpenConn = 2

[postgres]
host="localhost" 
port="5432" 
user="postgres"
dbname="postgres"
password="postgres" 
maxIdleConn = 2
maxOpenConn = 2

[app]
debug = true

Contributing

We welcome PRs and Issue Reports

Help

Please reach us at support@klouddb.io