Add group manager script for E8 ML1 #73

Merged: ben-AI-cybersec merged 1 commit into Redback-Operations:main from Anonixiate:add-group-manager on Sep 17, 2025

@Anonixiate (Contributor)

Added script for group management; checks for default groups, ensures ACLs are in use, and allows for managing sudoers via either multiple choice or manual entry.

@Anonixiate requested review from a team as code owners on September 12, 2025 02:23
@github-actions

🔒 Security Scan Results
=========================

Bandit Scan Results:
-------------------
Run started:2025-09-12 02:23:34.724984

Test results:
>> Issue: [B404:blacklist] Consider possible security implications associated with the subprocess module.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/blacklists/blacklist_imports.html#b404-import-subprocess
   Location: ./CVE-Hunter T1_2025/hunter.py:1:0
1	import subprocess
2	import socket
3	import requests

--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b603_subprocess_without_shell_equals_true.html
   Location: ./CVE-Hunter T1_2025/hunter.py:9:17
8	    try:
9	        output = subprocess.check_output(command_list, stderr=subprocess.DEVNULL)
10	        return output.decode().strip()

--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with the subprocess module.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/blacklists/blacklist_imports.html#b404-import-subprocess
   Location: ./T1_2025/infra/backups/bak/controller/cron-scripts/Backupscript.py:7:0
6	import sys
7	import subprocess
8	from datetime import datetime

--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b603_subprocess_without_shell_equals_true.html
   Location: ./T1_2025/infra/backups/bak/controller/cron-scripts/Backupscript.py:49:8
48	    try:
49	        subprocess.run(rsync_command, check=True)
50	        with open(last_snapshot_record, 'w') as f:

--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b607_start_process_with_partial_path.html
   Location: ./T1_2025/infra/backups/bak/controller/cron-scripts/Backupscript.py:64:12
63	        try:
64	            subprocess.run(["rm", "-rf", oldest_snapshot_path], check=True)
65	            print(f"Deleted oldest snapshot: {oldest_snapshot_path}")

--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b603_subprocess_without_shell_equals_true.html
   Location: ./T1_2025/infra/backups/bak/controller/cron-scripts/Backupscript.py:64:12
63	        try:
64	            subprocess.run(["rm", "-rf", oldest_snapshot_path], check=True)
65	            print(f"Deleted oldest snapshot: {oldest_snapshot_path}")

--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with the subprocess module.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/blacklists/blacklist_imports.html#b404-import-subprocess
   Location: ./T1_2025/infra/backups/bak/controller/cron-scripts/Backupscript_v2.py:8:0
7	import shutil
8	import subprocess
9	from datetime import datetime

--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b603_subprocess_without_shell_equals_true.html
   Location: ./T1_2025/infra/backups/bak/controller/cron-scripts/Backupscript_v2.py:62:8
61	    try:
62	        subprocess.run(rsync_command, check=True)
63	        with open(last_snapshot_record, 'w') as f:

--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b607_start_process_with_partial_path.html
   Location: ./T1_2025/infra/backups/bak/controller/cron-scripts/Backupscript_v2.py:75:12
74	        try:
75	            subprocess.run(["rm", "-rf", oldest_snapshot_path], check=True)
76	            print(f"Deleted oldest snapshot: {oldest_snapshot_path}")

--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b603_subprocess_without_shell_equals_true.html
   Location: ./T1_2025/infra/backups/bak/controller/cron-scripts/Backupscript_v2.py:75:12
74	        try:
75	            subprocess.run(["rm", "-rf", oldest_snapshot_path], check=True)
76	            print(f"Deleted oldest snapshot: {oldest_snapshot_path}")

--------------------------------------------------
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password: 'Vumo3117'
   Severity: Low   Confidence: Medium
   CWE: CWE-259 (https://cwe.mitre.org/data/definitions/259.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b105_hardcoded_password_string.html
   Location: ./T1_2025/infra/backups/bak/controller/cron-scripts/email_notify.py:8:22
7	    sender_email = '[email protected]'  # Your email address
8	    sender_password = 'Vumo3117'  # App password if using Gmail with 2FA
9	

--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with the subprocess module.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/blacklists/blacklist_imports.html#b404-import-subprocess
   Location: ./T2_2024/advanced_security_scan.py:7:0
6	from bandit.core import manager as bandit_manager
7	import subprocess
8	

--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b607_start_process_with_partial_path.html
   Location: ./T2_2024/advanced_security_scan.py:98:17
97	        logging.info("Running Semgrep analysis...")
98	        result = subprocess.run(['semgrep', '--config', 'auto', self.file_path], capture_output=True, text=True)
99	        if result.returncode != 0:

--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b603_subprocess_without_shell_equals_true.html
   Location: ./T2_2024/advanced_security_scan.py:98:17
97	        logging.info("Running Semgrep analysis...")
98	        result = subprocess.run(['semgrep', '--config', 'auto', self.file_path], capture_output=True, text=True)
99	        if result.returncode != 0:

--------------------------------------------------
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password: 'django-insecure-p+o(#sfioy$e*&gh_uw7dhoi8swlc0@xc3uu^$qikr80w)*z9d'
   Severity: Low   Confidence: Medium
   CWE: CWE-259 (https://cwe.mitre.org/data/definitions/259.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b105_hardcoded_password_string.html
   Location: ./T3 2023/Environment Backend/backend_server/settings.py:23:13
22	# SECURITY WARNING: keep the secret key used in production secret!
23	SECRET_KEY = 'django-insecure-p+o(#sfioy$e*&gh_uw7dhoi8swlc0@xc3uu^$qikr80w)*z9d'
24	

--------------------------------------------------
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Low
   CWE: CWE-89 (https://cwe.mitre.org/data/definitions/89.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b608_hardcoded_sql_expressions.html
   Location: ./T3 2024/adaptive iam/Azure function/function_app.py:42:16
41	        # Fetch user data from the database
42	        query = f"SELECT * FROM c WHERE c.email = '{email}'"
43	        users = list(users_container.query_items(query=query, enable_cross_partition_query=True))

--------------------------------------------------
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Low
   CWE: CWE-89 (https://cwe.mitre.org/data/definitions/89.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b608_hardcoded_sql_expressions.html
   Location: ./T3 2024/adaptive iam/Azure function/function_app.py:65:22
64	        # Fetch roles
65	        roles_query = f"SELECT * FROM c WHERE c.id IN ('{','.join(user['roles'])}')"
66	        roles = list(roles_container.query_items(query=roles_query, enable_cross_partition_query=True))

--------------------------------------------------
>> Issue: [B113:request_without_timeout] Call to requests without timeout
   Severity: Medium   Confidence: Low
   CWE: CWE-400 (https://cwe.mitre.org/data/definitions/400.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b113_request_without_timeout.html
   Location: ./T3 2024/adaptive iam/app.py:139:19
138	        url = request.form['url']
139	        response = requests.get(url)
140	        if response.status_code == 200:

--------------------------------------------------

Code scanned:
	Total lines of code: 1573
	Total lines skipped (#nosec): 1
	Total potential issues skipped due to specifically being disabled (e.g., #nosec BXXX): 2

Run metrics:
	Total issues (by severity):
		Undefined: 0
		Low: 15
		Medium: 3
		High: 0
	Total issues (by confidence):
		Undefined: 0
		Low: 3
		Medium: 2
		High: 13
Files skipped (1):
	./T1_2025/infra/backups/bak/controller/backend/v1.0.0/endpoints/register.py (syntax error while parsing AST from file)

No critical security issues detected.

The code has passed all critical security checks.

@lperry022 self-assigned this Sep 17, 2025

@ben-AI-cybersec (Member) left a comment

looks amazing, thanks Kim!

@ben-AI-cybersec merged commit a22b50e into Redback-Operations:main on Sep 17, 2025
1 check passed