# Module metadata: docstring markup used by doc tools, and a VCS keyword
# placeholder for the version (``$Id$`` is expanded by the version-control
# system on checkout, not assigned a value here).
3 __docformat__ = 'restructuredtext'
4 __version__ = '$Id$'
6 from routerdefense.common import *
7 from routerdefense.metrics import *
8 import inspect
9 import __builtin__
12 -def add(title, comment):
13 strippedLine = line.lstrip().rstrip()
14 return strippedLine
17 """Write header at the beginning of stdout.

Returns the banner as a single string (the caller prints it); nothing is
written here despite the summary line above. The enclosing ``def`` line is
not part of this excerpt.
"""
# ASCII-art banner followed by tool name, project URL and release tag.
# The doubled backslash at the end of the fourth art line keeps the string
# literal from treating the line break as a continuation.
18 header = """
19 ______ _ ______ __
20 | ___ \ | | | _ \ / _|
21 | |_/ /___ _ _| |_ ___ _ __ | | | |___| |_ ___ _ __ ___ ___
22 | // _ \| | | | __/ _ \ '__| | | | / _ \ _/ _ \ '_ \/ __|/ _ \\
23 | |\ \ (_) | |_| | || __/ | | |/ / __/ || __/ | | \__ \ __/
24 \_| \_\___/ \__,_|\__\___|_| |___/ \___|_| \___|_| |_|___/\___|
25
26 =[ Cisco IOS security assessment tool
27 =[ http://code.google.com/p/routerdefense
28 =[ version 2012.1
29
30 """
# Trailing semicolon is a no-op in Python; harmless but unidiomatic.
31 return header;
39 """Generate the stdout report and return a status string.

Walks the management, control and data plane finding objects
(``mgmt_plane``, ``ctrl_plane``, ``data_plane`` and the ``generic`` header
object — presumably parameters of the enclosing function, whose ``def``
line is not shown in this excerpt), prints every finding whose
``must_report`` flag is set via ``stdout_content``, and collects a
per-section "to fix / total" summary that is printed last.

Returns ``"stdout"`` on success. Any exception raised while printing is
caught by the bare ``except`` at the bottom and turned into an error
string instead of propagating (see the note there).
"""
# One line per reported section, printed at the very end under "=[ summary ]=".
40 summary = list()
# The management plane may contain the 'Vty lines' object more than once;
# only the first occurrence gets a summary line.
41 vty_already_reported = False
# NOTE(review): the matching bare "except:" at the bottom of this block
# catches *everything* (including SystemExit/KeyboardInterrupt) and throws
# the traceback away, so a malformed finding dict or a bad attribute on a
# plane object shows up only as a generic error string. Narrow it to
# "except Exception" and log the traceback before returning.
42 try:
43
44 print stdout_banner('Generic information')
45 print ""
# Device-level facts gathered from the parsed configuration.
46 print " => Hostname: %s" % generic.hostName
47 print " => IOS version: %s" % generic.iosVersion
48 print " => Switching: %s" % generic.switchingMethod
49 print " => Multicast: %s" % generic.multicast
50 print " => QoS: %s" % generic.qos
51 print " => IPv6: %s" % generic.ipv6
52 print " => IPSEC VPN: %s" % generic.ipsec
53
54 print stdout_category_banner('ManagementPlane')
55 summary.append('\nManagement Plane\n')
# Each plane object exposes its findings as dict-valued attributes;
# inspect.getmembers() enumerates them (non-dict members are ignored).
56 for name in mgmt_plane:
57 counter = 0
58 total = 0
# presumably filters out a placeholder entry — confirm what mgmt_plane
# may hold; an object never compares equal to the string 'interface'
# unless it defines __eq__, so for objects this guard is always true.
59 if name != 'interface':
60 print stdout_banner(name.long_name)
61 for k,v in inspect.getmembers(name):
62 if isinstance(v, dict):
# total counts every finding dict; counter only those flagged must_report.
63 total = total + 1
64 if v['must_report'] == True:
65 counter = counter + 1
66 defn = v['definition'].strip()
67 threatInfo = v['threatInfo'].strip()
68 howtofix = v['howtofix'].strip()
69 fiximpact = v['fixImpact'].strip()
70 cvss = v['cvss'].strip()
71 print stdout_content(
72 defn,
73 threatInfo,
74 howtofix,
75 fiximpact,
76 cvss
77 )
78
79 print '\nNumber of threatInfo(s) to fix: %d/%d' % \
80 (counter, total)
# 'Vty lines' is summarised once; a repeated occurrence is still printed
# above but deliberately skipped here (the elif branch).
81 if ( (name.long_name == 'Vty lines') and
82 (vty_already_reported == False)):
83 summary.append('%s: %d/%d' % \
84 (name.long_name, counter, total))
85 vty_already_reported = True
86 elif ( (name.long_name == 'Vty lines') and
87 (vty_already_reported == True)):
88 pass
89 else:
90 summary.append('%s: %d/%d' % \
91 (name.long_name, counter, total))
92
93 print stdout_category_banner('ControlPlane')
94 summary.append('\nControl Plane\n')
95 for name in ctrl_plane:
96 total = 0
97 counter = 0
98 if name != 'interface':
99 print stdout_banner(name.long_name)
100 for k,v in inspect.getmembers(name):
101 if isinstance(v, dict):
102 total = total + 1
103 if v['must_report'] == True:
104 counter = counter + 1
105 defn = v['definition'].strip()
106 threatInfo = v['threatInfo'].strip()
107 fiximpact = v['fixImpact'].strip()
108 cvss = v['cvss'].strip()
# Fill the [%...] placeholders in the remediation text with the concrete
# OSPF/EIGRP/RIP process ids, areas, ASNs and interfaces collected on the
# finding object. Two things to keep in mind: v['howtofix'] is rewritten
# in place, so the finding object keeps the substituted text after this
# function returns; and each .replace(..., 1) touches only the first
# occurrence of a placeholder.
109 if defn == \
110 'OSPF route filtering in':
111 v['howtofix'] = \
112 v['howtofix'].strip() \
113 .replace('[%ospfPID]', ", " \
114 .join(name.rfilter_in['pid']), 1)
115 v['howtofix'] = \
116 v['howtofix'].strip() \
117 .replace('[%ospfArea]', ", " \
118 .join(name.rfilter_in['area']), 1)
119 elif defn == \
120 'OSPF MD5 authentication':
121 v['howtofix'] = \
122 v['howtofix'].strip() \
123 .replace('[%ospfinterface]', ", " \
124 .join(name.auth_md5['interfaces']), 1)
125 v['howtofix'] = \
126 v['howtofix'].strip() \
127 .replace('[%ospfArea]', ", " \
128 .join(name.auth_md5['area']), 1)
129 v['howtofix'] = \
130 v['howtofix'].strip() \
131 .replace('[%ospfPID]', ", " \
132 .join(name.auth_md5['pid']), 1)
133 elif defn == \
134 'OSPF route filtering out':
135 v['howtofix'] = \
136 v['howtofix'].strip() \
137 .replace('[%ospfPID]', ", " \
138 .join(name.rfilter_out['pid']), 1)
139 v['howtofix'] = \
140 v['howtofix'].strip() \
141 .replace('[%ospfArea]', ", " \
142 .join(name.rfilter_out['area']), 1)
143 elif defn == \
144 'OSPF passive interface default':
145 v['howtofix'] = \
146 v['howtofix'].strip() \
147 .replace('[%ospfInstance]', ", " \
148 .join(name.passive['pid']), 1)
149 elif defn == \
150 'OSPF maximum LSA':
151 v['howtofix'] = \
152 v['howtofix'].strip() \
153 .replace('[%ospfInstance]', ", " \
154 .join(name.maxLSA['pid']), 1)
155 elif defn == \
156 'EIGRP MD5 authentication':
157 v['howtofix'] = \
158 v['howtofix'].strip() \
159 .replace('[%eigrpinterface]', ", " \
160 .join(name.auth_md5['interfaces']), 1)
161 v['howtofix'] = \
162 v['howtofix'].strip() \
163 .replace('[%eigrpAs]', ", " \
164 .join(name.auth_md5['asn']), 1)
165 elif defn == \
166 'EIGRP passive interface default':
167 v['howtofix'] = \
168 v['howtofix'].strip() \
169 .replace('[%eigrpAs]', ", " \
170 .join(name.passive['asn']), 1)
171 elif defn == \
172 'EIGRP route filtering inbound':
173 v['howtofix'] = \
174 v['howtofix'].strip() \
175 .replace('[%eigrpAs]', ", " \
176 .join(name.rfilter_in['asn']), 1)
177 elif defn == \
178 'EIGRP route filtering outbound':
179 v['howtofix'] = \
180 v['howtofix'].strip() \
181 .replace('[%eigrpAs]', ", " \
182 .join(name.rfilter_out['asn']), 1)
183 elif defn == \
184 'RIP MD5 authentication':
185 v['howtofix'] = \
186 v['howtofix'].strip() \
187 .replace('[%ripinterface]', ", " \
188 .join(name.auth_md5['interfaces']), 1)
# Remediation text after substitution (unchanged for definitions not
# listed above).
189 howtofix = v['howtofix']
190 print stdout_content(
191 defn,
192 threatInfo,
193 howtofix,
194 fiximpact,
195 cvss
196 )
197
198 print '\nNumber of threatInfo(s) to fix: %d/%d' % \
199 (counter, total)
200 summary.append('%s: %d/%d' % \
201 (name.long_name, counter, total))
202
203
204 print stdout_category_banner('DataPlane')
205 summary.append('\nData Plane\n')
206
207 for name in data_plane:
208 total = 0
209 counter = 0
210 if name != 'interface':
211 print stdout_banner(name.long_name)
212 for k,v in inspect.getmembers(name):
213 if isinstance(v, dict):
214 total = total + 1
215 if v['must_report'] == True:
216 counter = counter + 1
217 definition = v['definition'].strip()
218 threatInfo = v['threatInfo'].strip()
219 fiximpact = v['fixImpact'].strip()
220 cvss = v['cvss'].strip()
# Same in-place, first-occurrence substitution as the control plane, here
# for the [%interface] placeholder using the candidate interface lists.
# NOTE(review): two of the comparisons below use a backslash-continued
# string literal ('Port security access vlan \' / 'Port security voice
# vlan \'); the continuation line's leading whitespace becomes part of the
# compared text, so verify these still match the finding definitions.
221 if definition == \
222 'Port security violation':
223 v['howtofix'] = \
224 v['howtofix'].strip() \
225 .replace('[%interface]', ", " \
226 .join(name.violation['candidates']), 1)
227 if definition == \
228 'Port security MAC address sticky':
229 v['howtofix'] = \
230 v['howtofix'].strip() \
231 .replace('[%interface]', ", " \
232 .join(name.sticky['candidates']), 1)
233 if definition == \
234 'Port security total maximum MAC addresses':
235 v['howtofix'] = \
236 v['howtofix'].strip() \
237 .replace('[%interface]', ", " \
238 .join( \
239 name.maximum_total['candidates']), 1)
240 if definition == \
241 'Port security access vlan \
242 maximum MAC addresses':
243 v['howtofix'] = \
244 v['howtofix'].strip() \
245 .replace('[%interface]', ", " \
246 .join( \
247 name.maximum_access['candidates']), 1)
248 if definition == \
249 'Port security voice vlan \
250 maximum MAC addresses':
251 v['howtofix'] = \
252 v['howtofix'].strip() \
253 .replace('[%interface]', ", " \
254 .join( \
255 name.maximum_voice['candidates']), 1)
256 if definition == 'DTP negotiation':
257 v['howtofix'] = \
258 v['howtofix'].strip() \
259 .replace('[%interface]', ", " \
260 .join( \
261 name.nonegotiate['candidates']), 1)
262 if definition == 'Flow Control 802.3x':
263 v['howtofix'] = \
264 v['howtofix'].strip() \
265 .replace('[%interface]', ", " \
266 .join( \
267 name.flowcontrol['candidates']), 1)
268 if definition == 'VLAN 1':
269 v['howtofix'] = \
270 v['howtofix'].strip() \
271 .replace('[%interface]', ", " \
272 .join(name.vlan_1['candidates']), 1)
273 if definition == 'Unused ports':
274 v['howtofix'] = \
275 v['howtofix'].strip() \
276 .replace('[%interface]', ", " \
277 .join( \
278 name.unused_ports['candidates']), 1)
279
280 howtofix = v['howtofix']
281 print stdout_content(
282 definition,
283 threatInfo,
284 howtofix,
285 fiximpact,
286 cvss
287 )
288
289 print '\nNumber of threatInfo(s) to fix: %d/%d' % \
290 (counter, total)
291 summary.append('%s: %d/%d' % \
292 (name.long_name, counter, total))
293
294
295
# Per-section summary collected above (section headers are the
# '\n... Plane\n' entries).
296 print '\n=[ summary ]='
297 for entry in summary:
298 print entry
299
# NOTE(review): bare except — see the note at "try:". The message text
# reads "genefixImpact", which looks like a search-and-replace artifact
# for "generating"; correct it when next touching this string.
300 except:
301 return "error while genefixImpact stdout audit output."
302
303 return "stdout"