Python scripts used for SOX ITGCs. These scripts are designed to assist in automating user security reviews for Unix-based systems and Oracle databases. Other useful audits are included as well.
This project was started to automate user security reviews (and other audits) that may be taken as part of IT General Control testing for SOX compliance. Additional audits may be performed that may be useful to ensure that security controls (taken out of a purely SOX context) are functioning as intended. Automating these audits has the following benefits:
- Allows IT operations staff to focus on tasks more suited to their expertise.
- Increases confidence in the results of the audit by reducing or eliminating human error.
- Allows for "continuous" auditing, giving business leadership confidence that IT controls are being implemented and followed.
- Reduces the level of effort required to execute audit activities, resulting in financial savings.
```shell
$ git clone https://github.com/bentleygd/ITGC.git
```
In order to run the user security review scripts, run:
```shell
$ python3 itgc.py [OS]
```
Audit tests currently exist for: Active Directory (via LDAP), AIX, Linux, Oracle DB and MySQL DB.
```text
usage: itgc.py [-h] os

SOX security reviews

positional arguments:
  os          Linux, AIX, Oracle or MySQL

options:
  -h, --help  show this help message and exit
```
```ini
[main]
ossec = example.domain.com

[mail]
sender = Test@example.com
recipient = thing1@cith.com,thing2@cith.com
server = mailer.example.com

[linux]
admin_groups = sudo,root,adm,blah
exclusions = bob,tom,alice
known_admins = linux_admins.list
pwd_rotate = 365

[aix]
admin_groups = sudo,root,adm,blah
exclusions = flynn,tron
known_admins = aix_admins.list
known_hosts = asdf

[oracle]
db_user = rinzler
exclusions = flynn
known_admins = tron,clu,zuse,quorra
environment = test

[ldap]
url = ldap://host.example.com
bind_dn = CN=some_account,DC=example,DC=com
base_dn = DC=example,DC=com
search_ou = OU=User Accounts,DC=example,DC=com
domain_admins = domain_admins.list
passwd_exp = 365
svc_ou = OU=Service Accounts,DC=example,DC=com
adm_dn = CN=Administrators,CN=Builtin,DC=example,DC=com

[mysql]
db_user = tron
exclusions = flynn,
hosts = test.example.com,
known_admins = clu,quora,flynn,rinzler,tron
```
See DOCS.md for more detailed documentation.
- Automated security audits for Linux, AIX, MySQL DBs and Oracle DBs.
Oracle DB user accounts are compared to a list of accounts that are retrieved from Active Directory using ldap3. Any DB account that does not have a corresponding active directory account is flagged as an audit finding. A list of local DB accounts must be maintained for exceptions to the audit process (e.g., Oracle). Oracle DB users with the DBA granted role are compared to a list of users that are expected to have the DBA granted role. Any exceptions are noted as an audit finding. Any user that is considered an "air breather" that has SCHEMA_PROF is flagged as an audit finding. Additionally, any account with the DEFAULT profile is flagged as an audit finding as users should receive a distinct DB profile.
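The four Oracle checks described above, modelled offline as an added example (not the project's own code): the ldap3 and Oracle lookups are replaced by constructed sample data, the `DbUser` type and `review_oracle_users` function are assumptions, and an "air breather" is taken to mean a DB account that has a matching AD user.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DbUser:
    name: str
    profile: str      # Oracle profile, e.g. DEFAULT or SCHEMA_PROF
    roles: frozenset  # granted roles, e.g. {"DBA", "CONNECT"}


def review_oracle_users(db_users, ad_accounts, exclusions, known_admins):
    """Return audit findings as (account, reason) tuples, in input order.

    ad_accounts  - account names retrieved from AD (constructed here)
    exclusions   - local DB accounts exempt from the AD check ([oracle] exclusions)
    known_admins - accounts expected to hold DBA ([oracle] known_admins)
    Names are compared case-insensitively because Oracle upper-cases them.
    """
    ad = {a.lower() for a in ad_accounts}
    excl = {e.lower() for e in exclusions}
    admins = {k.lower() for k in known_admins}
    findings = []
    for u in db_users:
        name = u.name.lower()
        # 1. Every DB account not on the exclusion list needs an AD account.
        if name not in ad and name not in excl:
            findings.append((u.name, "no matching AD account"))
        # 2. DBA may only be granted to accounts on known_admins.
        if "DBA" in u.roles and name not in admins:
            findings.append((u.name, "unexpected DBA role"))
        # 3. Human ("air breather") accounts must not use SCHEMA_PROF.
        if name in ad and u.profile == "SCHEMA_PROF":
            findings.append((u.name, "human account with SCHEMA_PROF"))
        # 4. No account should be left on the DEFAULT profile.
        if u.profile == "DEFAULT":
            findings.append((u.name, "DEFAULT profile assigned"))
    return findings


# Constructed sample data mirroring the [oracle] section of the config.
SAMPLE_DB_USERS = [
    DbUser("tron", "USER_PROF", frozenset({"DBA"})),      # expected admin
    DbUser("sam", "USER_PROF", frozenset({"DBA"})),       # not in known_admins
    DbUser("flynn", "SCHEMA_PROF", frozenset()),          # excluded local acct
    DbUser("quorra", "SCHEMA_PROF", frozenset({"DBA"})),  # human on SCHEMA_PROF
    DbUser("gem", "DEFAULT", frozenset()),                # no AD acct, DEFAULT
]
SAMPLE_AD = {"tron", "sam", "quorra"}
SAMPLE_EXCLUSIONS = ["flynn"]
SAMPLE_KNOWN_ADMINS = ["tron", "clu", "zuse", "quorra"]

if __name__ == "__main__":
    for acct, why in review_oracle_users(SAMPLE_DB_USERS, SAMPLE_AD,
                                         SAMPLE_EXCLUSIONS, SAMPLE_KNOWN_ADMINS):
        print(f"{acct}: {why}")
```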
MySQL DB user accounts are compared to a list of accounts that are retrieved from Active Directory using ldap3. Any DB account that does not have a corresponding Active Directory account is flagged as an audit finding. A list of local DB accounts must be maintained for exceptions to the audit process. The accounts should be listed in the configuration file as ['mysql']['exceptions']. MySQL DB users with the all privileges grant with the grant option are compared to a list of users that are expected to have the elevated grant. Any exceptions are noted as an audit finding.
Currently, the audit results are parsed from CSV files and are emailed to an address specified in the [mail] section of the configuration file.
Automated test cases are included and use the pytest framework. Executing the tests is simple:
```shell
$ python3 -m pytest -v
```
This project is licensed under GPLv3.