Project description
YASAT (Yet Another Stupid Audit Tool) is a simple stupid audit tool.Its goal is to be as simple as possible with minimum binary dependencies (only sed, grep and cut)
Second goal is to document each test with maximum information and links to official documentation.
It do many tests for checking security configuration issue or others good practice.
It checks many software configurations like:
- Apache
- Bind DNS
- CUPS
- PHP
- kernel configuration
- mysql
- network configuration
- openvpn
- Packages update
- samba
- snmpd
- squid
- syslog
- tomcat
- user accounting
- vsftpd
- xinetd
YASAT News
-
15 April 2015 YASAT 839
- Fix crashes when /etc/apache2/envvars is absent. Solve debian bug #756840
- Add more setuid to binaries database. Solve debian bug #756839
- Add jessie to osdetection
- Some internal rewriting of apache plugins (merging of apache_user in apache_conf)
- The firewall plugin could badly detect default policy
- accounting plugin now know blowfish
- Add dovecot plugin
- dovecot plugin test cipherlist and ssl protocols
- dns plugin test for chrooted bind
- dns plugin test if dynamic update are enabled
- dns plugin test if dnssec validation is enabled
- dns plugin now handle better file inclusion
- And still lots of minor enhancement
-
30 April 2014 YASAT 755
Sorry, for these release, no big changes. But this time I take the time to build the packages for Debian.- Fix the "cant shift that many" bug
- Fix the make test
- Lots of internal rewritting
I will try to hold on a release per 3 month.
-
08 july 2013 YASAT 700
Yes!, finaly I found the time to release this version. I have waited too long and so the list of changes is huge
Again I want to thanks all testers.- Check_certificate check for unsecured algorithms like md5
- Check_certificate test RSA key size
- Check certificate used by apache
- Fix debian bug #690636 (logwatch plugin)
- Check cipher list of cyrus
- Check all certificate in firefox/thunderbird certificate store
- Check all certificate in java certificate store
- Check all certificate in openssl
- Handle very old find (4.1.20)
- Begin of work for adding the scanroot options
- New plugin for testing package repository
- General enhancement of all plugins
- New option (\-\-compliance) for printing compliance to the NSA Guide
- New plugin SELinux
- Add the testing of yum repositories
- Check hash methods for system password
- Check for SamHain presence
- Test the crypt method of password protected keys
- Handle better embedded system with less or different binaries (tput, expr, ...) but still lots of work like for OpenWrt
- Detection of OpenWrt
- General enhancement of all plugins
-
21 May 2012 YASAT 526
- Now test the SSLCipherSuite for apache
- Enhancement: Check size of private key
- bug: The availability of echo -e was badly tested
- bug: apache_vhost tested certificate as private key instead of certificate filetype
- bug: apache_vhost could badly analyze order by clause
- typo some advice links was bad
- internal: link tester for advices
- Enhancement: ssh test
- Enhancement: vsftpd test
- Fix some remaining bashism
- Check the presence of Firewire kernel modules
- Correction of some problems with dash and some empty variables (shift: cant shift that many)
- Renamed yasat.sh to yasat
- Lots of spelling fix
- Enhancement: now correctly find the user running bind9 under debian
- Lots of small fix for future Debian Wheezy
-
10 April 2012 YASAT is officially in Debian
YASAT in Debian Great thanks to V. BERNAT for his help. -
29 December 2011 YASAT 456
- add chronyd to known ntpd servers
- add logwatch test from Mr Sande
- add password encryption test for shadow
- add the list of command needed to correct problems reported by yasat in yasat_correct.shell
- More kernel checks
- Check for remote syslog logging
- Check for auditd daemon
- Arch Linux detection and pacman support
- Lots of misc enhancement
- Skip option patch from Mr Sande
- Misc enhancement from Mr Didier
- Lots of known location added to apache_vhosts
- Typo in partition.test
- Misc enhancement
- POSIX CAPS test for setuid binaries
-
11 March 2011 YASAT 400
- YASAT incorrectly searched umask value (thanks to Mikal Sande for report and patch)
- YASAT now have a manpage
- The CheckFile function will now check if the binary tested have SSP and PIE
- Lots of advice spell checking and enhancement by Mikal Sande.
-
04 January 2011 YASAT 385
- Misc modifications of PHP, apache, LDAP, SSH, MySQL
- Initial test of security options of firefox
- Better BIND server test
- Basic support of checking technology behind a vhost (like PHP for testing php_admin_values like open_basedir)
- Test of NFS mount options and NFSD exports options
- Basic test if private key is password protected
-
02 August 2010 YASAT 351
Very minor version. RPM and DEB package are now both available. -
12 July 2010 YASAT 347
- Add CUPS tests
- Add Squid tests
- Add Samba tests
- More tests for mysql, kernel, bind, cyrus
- Minor improvement for apache, package, network, snmp tests
- Add the check-update option to YASAT
- Add a css to html report for better HTML report (add div command and div conf)
- Add test for password visible in mysql_history
- Added Debian Lenny to binaries checks
- And still lots of minor bugs corrections and improvements
-
01 July 2010 first RPM of YASAT
Now, YASAT will be also available also as RPM file. DEB file will follow soon. -
09 June 2010 YASAT in official gentoo portage tree
YASAT is now available under the Gentoo distribution. -
03 June 2010 YASAT 286 is out
Minor release that correct the yasat Makefile -
26 May 2010 YASAT 280 is out
With the release of OpenBSD4.7, i benefited for made a better support of OpenBSD.
YASAT check now for securelevel, encrypted swap and other features.
Lots of enhancement like detection of mod_deflate/gzip for apache,
more kernel test, inetd basic support and more TODOS :D -
02 March 2010 YASAT 247 is out
With this alpha release YASAT better support RedHat and clones. -
12 January 2010.
Another alpha release that corrects some problems under BSD.
Fix some bashisms so that yasat works out of the box under FreeBSD (csh).
Fix also lots of misspelling -
05 January 2010.
Happy new year. 5th alpha available. YASAT is just at 137 TODOs of the beta version. -
1 December 2009.
First alpha release of YASAT would be available soon
14 June 2011 YASAT 421
Screenshots
Download
All available downloads can be found at Sourceforge.net-
Last release Yasat 839
- MD5SUM 56b1ccb6e64fb437470dee2022ea1a40
- SHA1SUM c74e93e20732ac4b7bfea571a96fed1851be083a
-
GPG signature
Check it with
gpg --verify yasat-839.tar.gz.asc yasat-839.tar.gz
My GPG ID is 0x53756A1FC8B243AB
Installation, configuration, supported systems
YASAT has been tested on- Gentoo
- Debian
- Ubuntu
- FreeBSD
- OpenBSD
- RedHat
- CentOS
- ArchLinux
- But should work on all unix even if many tests is linux-oriented...
Official distribution
For a simple installation:
- Simply untar the yasat tarball
- Change directory to yasat directory
- and type ./yasat
- tar xvzf yasat-releasenumber.tar.gz
- cd yasat
Support, bugs, patchs, critics, etc..
Patch, contributions, critics ( even bad:) ) are welcome.You can perhaps find me on channel #yasat on Freenode IRC servers or follow me on twitter @CodingMontjoie
Similar projects
- Tiger Tiger can be found here (dead upstream)
- Lynis Lynis can be found here
- checksecurity checksecurity can be found here
- seccheck Seccheck can be found here (dead upstream)
- sectool Sectool can be found here (dead upstream)
- OpenVAS OpenVAS can be found here
- W3AF W3AF can be found here
- Checksec Checksec can be found here (dead upstream)
- Quick and Dirty CVE Checker (QDCC) Quick and Dirty CVE Checker can be found here
Usefull documents
To be completed- Server hardening checklists
- Securing productions systems
- Gentoo Kernel security guide
- portability issue of basic commands
- Securing debian