secant: Security Cloud Assessment Tool
Secant is a security cloud assessment framework that is used to check the security characteristics of virtual machines and their images. The framework instantiates the machine in a contained environment and runs a set of security probes against it. The probes combine external and internal checks and aim at typical configuration error or vulnerabilities commonly misused by Internet attackers.
Secant is developed for the environment of EGI and its Application Database but can be used in other environments as well.
- open_ports – The probe lists open ports exposed by the machine. The probes don’t consider any open port as insecure, it’s used to check the machine is available over the network and provides a list of services that are used by other probes.
- ntp_amp – Certain configurations of the NTP service makes it possible for the attacker to mount an amplification attack that greatly increases the efficiency of the attack. Since the traffic originates from the NTP server it might hit badly the service owner. The probe checks that the risky configuration is not available to the Internet.
- ssh_auth – Password-based authentication is prone to a range of attacks, it’s recommended to be disabled.
- ssh_passwd – The probe performs a dictionary attack over SSH and checks a number of combinations of known passwords and usernames. The test resembles malicious activities that are very common on the Internet.
- lynis_test – Lynis is a tool that checks a number of security characteristics of the machine. The probe runs the Lynis command and returns the results. The outcome isn’t interpreted and sometimes may suggest precautions that are out of scope for the purpose of the tested machine. The machine must enable remote access in order to run the probe.
- pakiti_test – The probe uses the EGI Pakiti service to detect packages that haven’t been updated. If they expose a vulnerability tagged important for EGI, the probes return with an error. The machine must enable remote access in order to run the probe.
How it works
The assessment process consists of performing a set of steps.
- Create a virtual machine from an image and run it in an isolated environment (without internet connection).
- Run set of probes.
- Report status of security scan.
- Make assessment using the report and predefined rules.
During the entire assessment process details about the process are stored in a log file (path can be specified in secant.conf). When the process is successfully ended, findings can be found in a report file and assessment results in a result file.
git clone https://github.com/CESNET/secant.git
Copyright (C) 2015