Current version: 0.2.10 (26 December 2024) [src]
The xyz security tool checks a system for common configuration faults that could cause sensitive information or interfaces to be exposed, such as SSH private keys or GPG secret keys without passphrases, or service accounts without a password.
It can be run unattended from a cron job to generate a system-wide report, which can be delivered by email or picked up by a monitoring system such as Zabbix.
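As an added illustration of the kind of check described above (this is example code written for this page, not xyz's own implementation), the following portable shell script re-implements four of them: duplicate root accounts, accounts with an empty password, missing or world-writable home directories, and SSH private keys stored without a passphrase. Each check takes the file or directory to inspect as an argument, so it can be exercised on constructed sample data as well as on a live host. The `FAULT <check> <detail>` output line and the `--host` switch are assumptions of this example, not xyz's report format or command line.

```sh
#!/bin/sh
# Added example, not part of xyz: stand-alone versions of four of the checks
# xyz performs. Files to inspect are passed in, so the functions work on
# sample data; "--host" runs them against the live system the way a cron
# job would. The "FAULT <check> <detail>" line format is an assumption.
LC_ALL=C
export LC_ALL

# Accounts other than "root" that have UID 0, i.e. duplicate root accounts.
check_duplicate_root() {
    # $1: passwd-format file
    awk -F: '$3 == 0 && $1 != "root" { print "FAULT duplicate-root " $1 }' "$1"
}

# Accounts whose hashed-password field is empty: login needs no password.
# Locked accounts ("!" or "*" in the field) are not reported.
check_empty_password() {
    # $1: shadow-format file
    awk -F: '$2 == "" { print "FAULT empty-password " $1 }' "$1"
}

# Regular user accounts whose home directory is missing or writable by
# everyone (a world-writable home lets any local user plant ~/.ssh files).
check_home_dirs() {
    # $1: passwd-format file; $2: lowest UID treated as a regular user
    # (1000 on most current distributions). The "nobody" UID is skipped.
    awk -F: -v min="$2" '$3 >= min && $3 != 65534 { print $1 ":" $6 }' "$1" |
    while IFS=: read -r user home; do
        if [ ! -d "$home" ]; then
            echo "FAULT no-home-directory $user $home"
        elif [ "$(ls -ld "$home" | cut -c9)" = "w" ]; then
            echo "FAULT world-writable-home $user $home"
        fi
    done
}

# True (exit 0) if $1 is an SSH private key that is not passphrase-protected.
ssh_key_unprotected() {
    first=$(head -n 1 "$1" 2>/dev/null) || return 1
    case "$first" in
    "-----BEGIN OPENSSH PRIVATE KEY-----")
        # Current OpenSSH format: inside the base64 body the magic string
        # "openssh-key-v1" is followed by the cipher and KDF names, and
        # "none" means the key is stored in clear. Only the first 40 bytes
        # of the header are decoded; the key material is never inspected.
        sed -e '1d' -e '$d' "$1" | base64 -d 2>/dev/null | head -c 40 |
            tr -c '[:print:]' '\n' | grep -qx 'none'
        ;;
    "-----BEGIN PRIVATE KEY-----")
        return 0 ;;   # unencrypted PKCS#8
    "-----BEGIN ENCRYPTED PRIVATE KEY-----")
        return 1 ;;   # encrypted PKCS#8
    "-----BEGIN "*" PRIVATE KEY-----")
        # Legacy PEM (RSA/DSA/EC): an encrypted key carries a
        # "Proc-Type: 4,ENCRYPTED" header line; a plain key does not.
        ! grep -q '^Proc-Type: 4,ENCRYPTED' "$1"
        ;;
    *)
        return 1 ;;
    esac
}

# Report every unprotected private key found directly under the given dirs.
check_ssh_keys() {
    for dir in "$@"; do
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            ssh_key_unprotected "$f" && echo "FAULT unprotected-ssh-key $f"
        done
    done
}

# Run everything against the live host, as a cron job would.
case "${1-}" in
--host)
    check_duplicate_root /etc/passwd
    [ -r /etc/shadow ] && check_empty_password /etc/shadow
    check_home_dirs /etc/passwd 1000
    check_ssh_keys /root/.ssh /home/*/.ssh
    ;;
esac
```

Run it with `sh checks.sh --host` (as root, so that /etc/shadow is readable) and feed the `FAULT` lines to mail or a monitoring agent; an empty output means none of these four faults was found. The SSH check deliberately decodes only the header of an OpenSSH-format key, so the script never handles the key material itself.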
Many of the 150+ checks are derived from recommendations in Center for Internet Security (CIS) benchmark documents. Since xyz is intended for use on multiple operating systems (various GNU/Linux distributions, FreeBSD, and OpenBSD), these checks are derived from the standard recommendations rather than being equivalent to them. xyz is not associated with or endorsed by CIS or any other organisation.
Use xyz as a risk reduction tool to limit accidental exposure: run it first before a server is placed into a production environment, and then run it regularly thereafter to check that mistakes have not crept in during day-to-day maintenance. It does not look for indicators of compromise and should not be run after an incident. A compromised server should be deleted and rebuilt, and xyz run on the rebuilt system as part of hardening before deployment.
This tool is built to be lightweight. It complements more in-depth tools such as OpenSCAP rather than attempting to replace them.
User-defined check and fix actions can be added. By packaging and deploying your own check, fix, and hook functions, embodying your estate's configuration policies, xyz can be extended to serve as a configuration policy compliance tool. For example, regular xyz checks could be run to ensure that configuration changes made by other tools such as Ansible or Puppet have had the desired effect and have not introduced regressions.
This software is distributed under the terms of the GNU General Public License version 3 or later.
- Source code: xyz-0.2.10.tar.gz [signature]
- Manual for XYZ
- Git repository (at Codeberg)
- Issue tracker (at Codeberg)
To install xyz, follow these steps:

```sh
wget https://www.ivarch.com/programs/sources/xyz-0.2.10.tar.gz
tar xzf xyz-0.2.10.tar.gz
cd xyz-0.2.10
sh ./configure
make
sudo make install
```
Comments, bug reports, and patches can be sent using the Issue tracker, or through the Contact Form.
News
0.2.10 - 26 December 2024
- feature: new --until option so that ignore and exception-add entries can be given an expiry time
- feature: new --delay option to add a random startup delay when running from cron
- feature: checks for unnecessary Linux kernel modules, derived from CIS Debian 12 benchmark section 1.1.1
- feature: new variables kernelName, kernelRelease, and startStamp
- feature: new info action, to show information about the system
- fix: correct the parsing of "--option=VALUE" option syntax
0.2.4 - 23 March 2024
- feature: checks for configuration files in user home directories, derived from CIS Debian 12 benchmark section 7.2.10
- feature: added new variable osIsRhelDescendant
- fix: adjusted “accounts with GID 0” check to make allowances for RHEL descendants
0.2.1 - 18 March 2024
- fix: corrected an installer bug which created the hooks and extensions directories in the wrong place
0.2.0 - 17 March 2024
This release extends XYZ to include over 100 more checks, and includes new options which will assist with future work to add unit tests into the build process.
- checks for password, shadow, group file permissions derived from CIS Debian 12 benchmark section 7.1
- renamed acct_shadow_permission to rights_etcshadow_permissions for consistency
- checks for SSH host private and public key permissions
- checks for audit log and config permissions derived from CIS Debian 12 benchmark section 6.4.4
- checks for listening network ports that are reachable from elsewhere
- new utility functions fsHasExecutePermissions, fsGroupOrOtherCanRead, and fsOtherCanRead
- new options -R, -C, -E, -H to assist with future tests
0.1.0 - 6 March 2024
This release extends XYZ to incorporate dozens of new checks, derived from over 50 CIS recommendations, on top of its original checks for unprotected SSH and GPG private keys. It also adds a more fine-grained exceptions mechanism to allow special cases to be permitted, and a more human-readable (and optionally colourised) report format.
- new reformat action to reformat fault reports for human eyes
- new exceptions mechanism to exclude specific results such as allowed private key files
- 80 checks now defined, derived from over 50 CIS benchmark recommendations
- filesystem checks derived from CIS Debian 12 benchmark section 1.1.2
- information leak checks derived from CIS Debian 12 benchmark section 1.6
- file permissions checks derived from CIS Debian 12 benchmark sections 2.4.1, 5.1, and others
- user account checks derived from CIS Debian 12 benchmark sections 5.4.2, 7.2, and others
0.0.1 - 1 March 2024
- package and manual created
- extensions framework built
- detection of unprotected SSH private keys
- detection of unprotected GPG secret keys
- detection of /tmp permission and ownership issues
- detection of duplicate root accounts
- detection of system and guest accounts with usable passwords
- detection of user accounts with no home directory
- detection of user accounts with world writable home directory
- detection of root account with empty password