
Source Code for Module routerdefense.engines.main

   1  # -*- coding: iso-8859-1 -*- 
   2   
   3  __docformat__ = 'restructuredtext' 
   4  __version__ = '$Id$' 
   5   
   6  import __builtin__ 
   7  from routerdefense.common import * 
   8   
   9  from xml import * 
  10   
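class genericInfo:
    """Generic configuration information storage.

    Holds the device facts extracted by ``addBasicInfo``: IOS version,
    hostname, switching method, multicast, IPv6, QoS and IPsec state.
    Every attribute is a plain string (or None when not yet determined).
    """
    def __init__(self):
        """Initialise every attribute to None.

        ``qos`` and ``ipsec`` are also set here: ``addBasicInfo`` assigns them
        later, and initialising them avoids an AttributeError for readers of
        an instance that was never passed through ``addBasicInfo``.
        """
        self.iosVersion = None
        self.hostName = None
        self.switchingMethod = None
        self.multicast = None
        self.ipv6 = None
        self.qos = None
        self.ipsec = None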
20
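def addBasicInfo(lines):
    """Fetch the generic information from the Cisco IOS configuration file.

    Extracts hostname, IOS version, switching method, multicast, QoS, IPv6 and
    IPsec state from the configuration lines.

    :param lines: the configuration file lines
    :return: a populated ``genericInfo`` instance
    :raises ValueError: when no ``hostname`` or ``version`` line is found (the
        original raised a string, which is a TypeError on Python 2.6+/3 and
        never reached the user with its message)
    """
    genericCfg = genericInfo()
    genericCfg.switchingMethod = "Unknown"
    genericCfg.hostName = "Unknown"
    genericCfg.iosVersion = "Unknown"
    try:
        genericCfg.hostName = search_string(lines, 'hostname').split(' ',1)[1]
        genericCfg.iosVersion = search_string(lines, 'version').split(' ',1)[1]
    except (AttributeError, IndexError):
        # AttributeError: search_string returned None; IndexError: the keyword
        # was present without a value.  Both mean the file is not usable.
        raise ValueError("No hostname nor version detected in the configuration file.")

    # NOTE(review): these are evaluated in order and later matches win.  If
    # search_string is a substring match, 'ip route-cache' also matches a
    # 'no ip route-cache' line and the process-switching result is shadowed
    # by "Fast switching" - confirm against search_string before relying on it.
    if search_string(lines, 'ip cef') is not None:
        genericCfg.switchingMethod = "CEF"
    if search_string(lines, 'no ip route-cache') is not None:
        genericCfg.switchingMethod = "Process switching (CPU)"
    if search_string(lines, 'ip route-cache') is not None:
        genericCfg.switchingMethod = "Fast switching"

    if search_string(lines, 'ip multicast-routing') is not None:
        genericCfg.multicast = "Enabled"
    else:
        genericCfg.multicast = "Disabled"

    # The IOS keyword is 'bandwidth'; the original pattern ('bandwith') could
    # never match, so RSVP-based QoS was never detected.
    qosConfigured = (search_string(lines, 'mls qos') is not None
                     or search_re_string(lines, r'^ip rsvp bandwidth .*$') is not None)
    if qosConfigured:
        genericCfg.qos = "Enabled"
    else:
        genericCfg.qos = "Disabled"

    if search_string(lines, 'ipv6 unicast-routing') is not None:
        genericCfg.ipv6 = "Enabled"
    else:
        genericCfg.ipv6 = "Disabled"

    # A bare 'crypto map <name>' line is the interface-level application of a
    # crypto map, i.e. IPsec is actually in use on an interface.
    if search_re_string(lines, r'^crypto map \w+$') is not None:
        genericCfg.ipsec = "Enabled"
    else:
        genericCfg.ipsec = "Disabled"

    return genericCfg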
57
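def Checkexec_timeout(timeout, max_seconds=180):
    """Return True when an exec session timeout is acceptable.

    A timeout is non-compliant when it is disabled (``exec-timeout 0 0``
    yields 0), missing (None) or too large.

    :param timeout: the timeout in seconds (``minutes * 60 + seconds`` as the
        engines compute it), None, or a finding dict carrying the value under
        ``'cmdInCfg'`` - ``engine_aux``/``engine_vty`` historically passed the
        whole dict, which always evaluated as non-compliant on Python 2 and
        raises TypeError on Python 3.
    :param max_seconds: a timeout of ``max_seconds`` or more is too large
        (default 180, i.e. 3 minutes, as in the original)
    :return: True when ``0 < timeout < max_seconds``, otherwise False
    """
    if isinstance(timeout, dict):
        timeout = timeout.get('cmdInCfg')
    if timeout is None:
        # no timeout configured at all: treat as non-compliant
        return False
    return 0 < timeout < max_seconds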
66
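def engine_console(consoleCfg,con0,lines):
    """Console port assessment.

    Evaluates ``line con 0``: privilege level 0 handling (on the line itself,
    or via ``login local`` plus a global ``username ... privilege 0`` entry)
    and the ``exec-timeout``.  Results are stored on ``con0`` as finding dicts
    carrying ``must_report``; ``con0.password`` receives the line password.

    :param consoleCfg: configuration lines of the console line section
    :param con0: console state object (``exec_timeout`` and ``privilegezero`` dicts)
    :param lines: the full configuration, searched for global ``username`` lines
    :return: text of the findings to report ('' when the console is compliant)
    """
    def _finding(xmlKey):
        # Build a reportable finding from the XML knowledge base entry.
        items = search_xml(xmlKey)
        return {
            "must_report": True,
            "fixImpact": items[0],
            "definition": items[1],
            "threatInfo": items[2],
            "howtofix": items[3],
            "upgrade": items[4],
            "cvss": str(cvss_score(items[5]))}

    # exec-timeout <minutes> [<seconds>]: the seconds are optional in IOS, so
    # indexing field [2] unconditionally (as the original did) raised
    # IndexError on e.g. 'exec-timeout 5'.
    try:
        fields = search_string(consoleCfg, 'exec-timeout').split()
        seconds = 0
        if len(fields) > 2:
            seconds = int(fields[2])
        con0.exec_timeout['cmdInCfg'] = int(fields[1]) * 60 + seconds
    except (AttributeError, IndexError, ValueError):
        # absent or unparsable: reported below as "not configured"
        con0.exec_timeout['cmdInCfg'] = None

    # NOTE(review): the IOS line command is 'privilege level 0'; whether the
    # literal 'privilege 0' matches it depends on search_string - confirm.
    try:
        con0.privilegezero['cmdInCfg'] = search_string(consoleCfg, 'privilege 0')
        con0.privilegezero['loginlocal'] = search_string(consoleCfg, 'login local')
    except AttributeError:
        con0.privilegezero['cmdInCfg'] = None
        con0.privilegezero['loginlocal'] = None

    if con0.privilegezero['cmdInCfg'] is not None:
        con0.privilegezero['must_report'] = False
    elif con0.privilegezero.get('loginlocal') is None:
        con0.privilegezero = _finding('consoleprivilegezero')
    else:
        # 'login local': privilege 0 may be granted by a global username entry
        try:
            con0.privilegezero['globalusername'] = search_re_string(lines, '^username .* privilege 0$')
        except AttributeError:
            con0.privilegezero['globalusername'] = None
        if con0.privilegezero['globalusername'] is None:
            con0.privilegezero = _finding('consoleprivilegezero')
        else:
            con0.privilegezero['must_report'] = False

    # Missing, disabled (0) or too large exec-timeout is a finding.  The
    # original also called Checkexec_timeout with the whole dict and dropped
    # the result; that dead call is gone.
    timeout = con0.exec_timeout['cmdInCfg']
    if timeout is None or not Checkexec_timeout(timeout):
        con0.exec_timeout = _finding('consoleExecTimeout')
    else:
        con0.exec_timeout['must_report'] = False

    # 'password [0|7] <string>': the secret is the last field.  A type 7
    # value is only obfuscated (reversible), so treat con0.password as
    # sensitive wherever it is reported.
    try:
        fields = search_string(consoleCfg, 'password').split(' ',2)
        con0.password = None
        if len(fields) > 1:
            con0.password = fields[-1]
    except AttributeError:
        con0.password = None

    toBeReturned = ''
    if con0.privilegezero['must_report'] == True:
        toBeReturned = con0.privilegezero['definition'] + '\n' + con0.privilegezero['threatInfo'] + '\n\n' + con0.privilegezero['howtofix'] + '\n'
    if con0.exec_timeout['must_report'] == True:
        toBeReturned = toBeReturned + con0.exec_timeout['definition'] + '\n' + con0.exec_timeout['threatInfo'] + '\n\n' + con0.exec_timeout['howtofix'] + '\n'
    return toBeReturned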
150
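def engine_aux(auxCfg,aux0):
    """Auxiliary port assessment.

    Checks the ``exec-timeout``, ``transport input none``,
    ``transport output none`` and ``no exec`` on the AUX line.  Findings are
    stored on ``aux0`` as dicts carrying ``must_report``; ``aux0.password``
    receives the line password.

    :param auxCfg: configuration lines of the ``line aux 0`` section
    :param aux0: AUX state object (``exec_timeout``, ``transport_input``,
        ``transport_output`` and ``noExec`` dicts)
    :return: text of the findings to report ('' when the AUX port is compliant)
    """
    def _finding(xmlKey):
        # Build a reportable finding from the XML knowledge base entry.
        items = search_xml(xmlKey)
        return {
            "must_report": True,
            "fixImpact": items[0],
            "definition": items[1],
            "threatInfo": items[2],
            "howtofix": items[3],
            "upgrade": items[4],
            "cvss": str(cvss_score(items[5]))}

    # exec-timeout <minutes> [<seconds>]: seconds are optional in IOS.
    try:
        fields = search_string(auxCfg, 'exec-timeout').split()
        seconds = 0
        if len(fields) > 2:
            seconds = int(fields[2])
        aux0.exec_timeout['cmdInCfg'] = int(fields[1]) * 60 + seconds
    except (AttributeError, IndexError, ValueError):
        aux0.exec_timeout['cmdInCfg'] = None

    # (state dict, literal whose presence means the control is configured).
    # NOTE(review): 'no exec' is a prefix of 'no exec-timeout'; whether
    # search_string can confuse the two depends on its matching - confirm.
    lookups = (
        (aux0.transport_input, 'transport input none'),
        (aux0.transport_output, 'transport output none'),
        (aux0.noExec, 'no exec'),
    )
    for state, literal in lookups:
        try:
            state['cmdInCfg'] = search_string(auxCfg, literal)
        except AttributeError:
            state['cmdInCfg'] = None

    # Fixes versus the original: the timeout value (not the whole dict) is
    # passed to Checkexec_timeout, and a compliant timeout sets must_report
    # to False (the original set it to True, which then raised KeyError on
    # the missing 'definition' when building the report).
    timeout = aux0.exec_timeout['cmdInCfg']
    if timeout is None or not Checkexec_timeout(timeout):
        aux0.exec_timeout = _finding('auxExecTimeout')
    else:
        aux0.exec_timeout['must_report'] = False

    if aux0.transport_input['cmdInCfg'] is not None:
        aux0.transport_input['must_report'] = False
    else:
        aux0.transport_input = _finding('auxTransportInput')

    if aux0.transport_output['cmdInCfg'] is not None:
        aux0.transport_output['must_report'] = False
    else:
        aux0.transport_output = _finding('auxTransportOutput')

    if aux0.noExec['cmdInCfg'] is not None:
        aux0.noExec['must_report'] = False
    else:
        aux0.noExec = _finding('auxNoExec')

    # 'password [0|7] <string>': the secret is the last field (a type 7
    # value is reversible, so treat aux0.password as sensitive).
    try:
        fields = search_string(auxCfg, 'password').split(' ',2)
        aux0.password = None
        if len(fields) > 1:
            aux0.password = fields[-1]
    except AttributeError:
        aux0.password = None

    toBeReturned = ''
    for finding in (aux0.exec_timeout, aux0.transport_input,
                    aux0.transport_output, aux0.noExec):
        if finding['must_report'] == True:
            toBeReturned = toBeReturned + finding['definition'] + '\n' + finding['threatInfo'] + '\n\n' + finding['howtofix'] + '\n'
    return toBeReturned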
252
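def engine_vty(vtyCfg,vty):
    """VTY sessions assessment.

    Checks the ``exec-timeout``, ``transport input``/``transport output``
    (only ``ssh`` or ``none`` are accepted), the IPv4 ``access-class`` and
    the ACL it references, and - when IPv6 routing is enabled - the
    ``ipv6 access-class``.  Findings are stored on ``vty`` as dicts carrying
    ``must_report``; ``vty.password`` receives the line password.

    :param vtyCfg: configuration lines of the ``line vty`` section
    :param vty: VTY state object (finding dicts plus ``sessionNumbers``, the
        list of session numbers substituted into the fix text)
    :return: text of the findings to report ('' when the VTY lines are compliant)
    """
    sessionNumbers = " ".join(vty.sessionNumbers)

    def _finding(xmlKey, substitutions=()):
        # Build a finding from the XML knowledge base; the fix text gets the
        # VTY session numbers and any extra (placeholder, value) pairs
        # substituted.  The original IPv4 access-class finding listed
        # "howtofix" three times in one dict literal, so only the last
        # replacement survived and the management subnet/mask placeholders
        # were never filled in.
        items = search_xml(xmlKey)
        howtofix = items[3].strip().replace('[%vtySessionNumbers]', sessionNumbers, 2)
        for placeholder, value in substitutions:
            howtofix = howtofix.replace(placeholder, value, 1)
        return {
            "must_report": True,
            "fixImpact": items[0],
            "definition": items[1],
            "threatInfo": items[2],
            "howtofix": howtofix,
            "upgrade": items[4],
            "cvss": str(cvss_score(items[5]))}

    # exec-timeout <minutes> [<seconds>]: seconds are optional in IOS.
    try:
        fields = search_string(vtyCfg, 'exec-timeout').split()
        seconds = 0
        if len(fields) > 2:
            seconds = int(fields[2])
        vty.exec_timeout['cmdInCfg'] = int(fields[1]) * 60 + seconds
    except (AttributeError, IndexError, ValueError):
        vty.exec_timeout['cmdInCfg'] = None

    try:
        vty.transport_input['cmdInCfg'] = search_re_string(vtyCfg, '^transport input (ssh|none)$')
    except AttributeError:
        vty.transport_input['cmdInCfg'] = None

    try:
        vty.transport_output['cmdInCfg'] = search_re_string(vtyCfg, '^transport output (ssh|none)$')
    except AttributeError:
        vty.transport_output['cmdInCfg'] = None

    # Anchored like the other patterns: the unanchored original also matched
    # an 'ipv6 access-class ... in' line and then read 'access-class' as the
    # ACL number.
    try:
        vty.ipv4_access_class['cmdInCfg'] = search_re_string(vtyCfg, '^access-class .* in$')
    except AttributeError:
        vty.ipv4_access_class['cmdInCfg'] = None

    ipv6Enabled = (__builtin__.genericCfg.ipv6 == "Enabled")
    if ipv6Enabled:
        try:
            vty.ipv6_access_class['cmdInCfg'] = search_re_string(vtyCfg, '^ipv6 access-class .* in$')
        except AttributeError:
            vty.ipv6_access_class['cmdInCfg'] = None

    # Missing, disabled (0) or too large exec-timeout is a finding.  The
    # value is passed (the original passed the whole dict, which always
    # evaluated as non-compliant).
    timeout = vty.exec_timeout['cmdInCfg']
    if timeout is None or not Checkexec_timeout(timeout):
        vty.exec_timeout = _finding('vtyExecTimeout')
    else:
        vty.exec_timeout['must_report'] = False

    if vty.transport_input['cmdInCfg'] is not None:
        vty.transport_input['must_report'] = False
    else:
        vty.transport_input = _finding('vtyTransportInput')

    if vty.transport_output['cmdInCfg'] is not None:
        vty.transport_output['must_report'] = False
    else:
        vty.transport_output = _finding('vtyTransportOutput')

    if vty.ipv4_access_class['cmdInCfg'] is None:
        vty.ipv4_access_class = _finding('vtyIPv4AccessClass')
    else:
        accessListNumber = vty.ipv4_access_class['cmdInCfg'].split()[1]
        # NOTE(review): ACL bodies live in the global configuration, yet only
        # the vty section is handed to check_std_acl/check_extd_acl - confirm
        # what those helpers expect.
        aclAccepted = check_std_acl(vtyCfg, accessListNumber)
        if not aclAccepted:
            # The original tested verifStdACL twice and never honoured the
            # extended-ACL result, so a valid extended ACL was always reported.
            aclAccepted = check_extd_acl(vtyCfg, accessListNumber)
        if aclAccepted:
            vty.ipv4_access_class['must_report'] = False
        else:
            mgmtSubnet = ""
            mgmtWildcardMask = ""
            try:
                mgmtSubnet = __builtin__.ipv4_mgmt_outbound[0][0]
                mgmtWildcardMask = __builtin__.ipv4_mgmt_outbound[0][3]
            except (TypeError, IndexError, AttributeError):
                # no management subnet known: the placeholders stay empty
                pass
            vty.ipv4_access_class = _finding('vtyIPv4AccessClass', (
                ('[%ManagementSubnet]', mgmtSubnet),
                ('[%ManagementWildcardMask]', mgmtWildcardMask)))

    # With IPv6 routing on, a VTY line without 'ipv6 access-class ... in' is
    # reachable from any IPv6 source: that is the finding.  The original test
    # was inverted (it reported the presence of the access-class) and never
    # reported the missing one.
    if ipv6Enabled and vty.ipv6_access_class['cmdInCfg'] is None:
        vty.ipv6_access_class = _finding('vtyIPv6AccessClass')
    else:
        vty.ipv6_access_class['must_report'] = False

    # 'password [0|7] <string>': the secret is the last field (a type 7
    # value is reversible, so treat vty.password as sensitive).
    try:
        fields = search_string(vtyCfg, 'password').split(' ',2)
        vty.password = None
        if len(fields) > 1:
            vty.password = fields[-1]
    except AttributeError:
        vty.password = None

    toBeReturned = ''
    for finding in (vty.exec_timeout, vty.transport_input, vty.transport_output,
                    vty.ipv4_access_class, vty.ipv6_access_class):
        if finding['must_report'] == True:
            toBeReturned = toBeReturned + finding['definition'] + '\n' + finding['threatInfo'] + '\n\n' + finding['howtofix'] + '\n'
    return toBeReturned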
408
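def engine_banner(bannerMotd, motd, bannerType):
    """MOTD, EXEC and LOGIN banner assessment.

    Reports a banner that is not configured, or one that discloses the device
    hostname (a banner is shown before authentication, so anything in it is
    available to an unauthenticated client).

    :param bannerMotd: the banner's configuration lines (empty when absent)
    :param motd: state object used for ``bannerType`` 0 (``configured`` and
        ``device_hostname`` finding dicts)
    :param bannerType: 0 = MOTD, 1 = LOGIN, 2 = EXEC; any other value
        yields ''
    :return: text of the findings to report ('' when nothing to report)

    NOTE(review): for ``bannerType`` 1 and 2 the original ignores ``motd`` and
    stores the result on the module-level ``banLogin`` / ``banExec`` objects.
    That is preserved here so callers reading those globals keep working;
    passing the matching object as ``motd`` would make the globals redundant.
    """
    def _finding(xmlKey):
        # Build a reportable finding from the XML knowledge base entry.
        items = search_xml(xmlKey)
        return {
            "must_report": True,
            "fixImpact": items[0],
            "definition": items[1],
            "threatInfo": items[2],
            "howtofix": items[3],
            "upgrade": items[4],
            "cvss": str(cvss_score(items[5]))}

    if bannerType == 0:
        target = motd
        absentKey, hostnameKey = 'bannerMOTDconfigured', 'bannerMOTDhostnameIncluded'
    elif bannerType == 1:
        target = banLogin
        absentKey, hostnameKey = 'bannerLOGINconfigured', 'bannerLOGINhostnameIncluded'
    elif bannerType == 2:
        target = banExec
        absentKey, hostnameKey = 'bannerEXECconfigured', 'bannerEXEChostnameIncluded'
    else:
        return ''

    if len(bannerMotd) == 0:
        target.configured = _finding(absentKey)
    elif search_string(bannerMotd, __builtin__.genericCfg.hostName) is not None:
        # the hostname in a pre-authentication banner helps fingerprint the device
        target.device_hostname = _finding(hostnameKey)

    # .get(): a finding dict that was never populated has no 'must_report'
    # key (the original raised KeyError there).  The LOGIN branch now ends
    # each finding with '\n' like the other two.
    toBeReturned = ''
    if target.configured.get('must_report') == True:
        toBeReturned = target.configured['definition'] + '\n' + target.configured['threatInfo'] + '\n\n' + target.configured['howtofix'] + '\n'
    if target.device_hostname.get('must_report') == True:
        toBeReturned = toBeReturned + target.device_hostname['definition'] + '\n' + target.device_hostname['threatInfo'] + '\n\n' + target.device_hostname['howtofix'] + '\n'
    return toBeReturned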
495
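def engine_services(lines, services):
    """Generic services assessment: password recovery, tcp/udp small servers, finger, bootp, ...

    Each check looks for the line that shows the control is configured; when
    it is absent a finding is stored on the matching ``services`` attribute.
    For release-gated checks the alternative fix text (``items[4]``) is used
    when the running IOS release does not meet the gate.

    :param lines: the full configuration file lines
    :param services: services state object; one finding dict per attribute
        listed in ``checks`` below
    :return: text of the findings to report, in the order of ``checks``
        ('' when every service is compliant)

    NOTE(review): ``__builtin__.iosVersion`` is compared as a float (12.314
    presumably encoding 12.3(14)).  That encoding orders 12.3(4) -> 12.34
    above 12.3(14) -> 12.314, so gates can misfire on releases whose
    maintenance number has a different digit count - verify where
    ``iosVersion`` is parsed.
    """
    def _finding(xmlKey, usePrimaryFix):
        # items[3] is the fix for releases that ship the command; items[4]
        # is the alternative text (e.g. "upgrade IOS first") for the others.
        items = search_xml(xmlKey)
        howtofix = items[4]
        if usePrimaryFix:
            howtofix = items[3]
        return {
            "must_report": True,
            "fixImpact": items[0],
            "definition": items[1],
            "threatInfo": items[2],
            "howtofix": howtofix,
            "cvss": str(cvss_score(items[5]))}

    # (attribute on services, text whose presence means the control is
    #  configured, XML key, release gate).  The gate is a predicate on the
    #  float iosVersion: True selects items[3]; None means items[3] always.
    # 'no mop enabled' replaces the original 'no service_mop enabled', a
    # string that can never occur in an IOS configuration (underscore), so
    # MOP was always reported.  It is an interface command: one match does
    # not prove every interface has it.
    # 'no service password-recovery' is the right control but is disruptive
    # to operate (a lost enable secret then needs a configuration wipe);
    # its fixImpact text should say so.
    checks = (
        ('pwd_recovery', 'no service password-recovery', 'pwdRecovery', lambda v: v >= 12.314),
        ('tcp_small_servers', 'no service tcp-small-servers', 'tcpSmallServers', lambda v: v <= 12.0),
        ('udp_small_servers', 'no service udp-small-servers', 'udpSmallServers', lambda v: v <= 12.0),
        ('service_finger', 'no service finger', 'serviceFinger', lambda v: v <= 12.15),
        ('service_bootps', 'no ip bootp server', 'serviceBootpServer', None),
        ('service_tcpkeepalive_in', 'service tcp-keepalive-in', 'serviceTcpKeepAliveIn', None),
        ('service_tcpkeepalive_out', 'service tcp-keepalive-out', 'serviceTcpKeepAliveOut', None),
        ('service_ipdhcpboot_ignore', 'ip dhcp bootp ignore', 'serviceIpDhcpBootIgnore', lambda v: v <= 12.228),
        ('service_dhcp', 'no service dhcp', 'serviceDhcp', None),
        ('service_mop', 'no mop enabled', 'Mop', None),
        ('ip_domain_lookup', 'no ip domain-lookup', 'ipDomainLookup', None),
        ('service_pad', 'no service pad', 'servicePad', None),
        ('service_http_server', 'no ip http server', 'serviceHttpServer', None),
        ('service_https_server', 'no ip http secure-server', 'serviceHttpsServer', None),
        ('service_config', 'no service config', 'serviceConfig', None),
    )

    reported = []
    for attr, literal, xmlKey, gate in checks:
        state = getattr(services, attr)
        try:
            state['cmdInCfg'] = search_string(lines, literal)
        except AttributeError:
            # the original left 'cmdInCfg' unset here and crashed on the next read
            state['cmdInCfg'] = None

        if state['cmdInCfg'] is not None:
            state['must_report'] = False
            continue

        usePrimaryFix = True
        if gate is not None:
            usePrimaryFix = gate(__builtin__.iosVersion)
        finding = _finding(xmlKey, usePrimaryFix)
        setattr(services, attr, finding)
        reported.append(finding)

    toBeReturned = ''
    for finding in reported:
        toBeReturned = toBeReturned + finding['definition'] + '\n' + finding['threatInfo'] + '\n\n' + finding['howtofix'] + '\n'
    return toBeReturned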
853
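def engine_mem_cpu(lines, memCpu):
    """Memory and CPU configuration assessment.

    Every check hanging off ``memCpu`` is a dictionary.  The configuration line
    satisfying the check (if any) is stored under its ``cmd*`` key; when the
    hardening command is missing the whole dictionary is replaced by a finding
    built from the XML knowledge base (``search_xml``) and scored with
    ``cvss_score``, otherwise ``must_report`` is cleared.

    :param lines: the IOS configuration, in the form ``search_string`` and
        ``search_re_string`` expect.
    :param memCpu: object carrying the per-check dictionaries
        ``scheduler_allocate``, ``scheduler_interval``,
        ``low_watermark_processor``, ``low_watermark_io``,
        ``mem_reserve_critical``, ``mem_reserve_console``,
        ``mem_ignore_overflow_io``, ``mem_ignore_overflow_cpu`` and
        ``cpu_threshold_notice``; updated in place.
    :return: the report text of every check flagged ``must_report``, one
        paragraph per check (``''`` when the configuration passes them all).
    """

    def lookup(check, key, command, search=search_string):
        """Store the configuration line matching ``command`` in ``check[key]``.

        ``AttributeError`` is swallowed, as everywhere else in this module, so a
        failed lookup leaves ``check[key]`` untouched and the ``is None`` tests
        below decide.
        """
        try:
            check[key] = search(lines, command)
        except AttributeError:
            pass

    def finding(xml_key, upgrade_needed=False):
        """Build the report dictionary for knowledge-base entry ``xml_key``.

        ``items[3]`` is the fix for releases supporting the feature; ``items[4]``
        is the "upgrade first" variant, selected when the running release is
        older than the one that introduced the feature.
        """
        items = search_xml(xml_key)
        return {
            "must_report": True,
            "fixImpact": items[0],
            "definition": items[1],
            "threatInfo": items[2],
            "howtofix": items[4] if upgrade_needed else items[3],
            "cvss": str(cvss_score(items[5])),
        }

    def too_old(min_version):
        """True when the running IOS release predates ``min_version``.

        NOTE(review): releases are compared as floats here and in the other
        engines (the module writes 12.3(4) as ``12.34``); two-digit maintenance
        numbers may not order as intended -- confirm against the encoding used
        by routerdefense.common before relying on it.
        """
        return __builtin__.iosVersion < min_version

    # Scheduler protection: no release threshold, so the fix is always items[3].
    for attr, command, xml_key in (
        ("scheduler_allocate", "scheduler allocate 4000 400", "schedulerallocate"),
        ("scheduler_interval", "scheduler interval 500", "schedulerinterval"),
    ):
        check = getattr(memCpu, attr)
        lookup(check, "cmdInCfg", command)
        if check["cmdInCfg"] is None:
            setattr(memCpu, attr, finding(xml_key))
        else:
            # Clear the flag explicitly, as the other checks do; the previous
            # code left whatever initial value the caller had stored.
            check["must_report"] = False

    # Memory protection features, gated on the release threshold each one used
    # in the previous code (items[4] tells the operator to upgrade first).
    for attr, command, xml_key, min_version in (
        ("low_watermark_processor", "memory free low-watermark processor", "lowWatermarkProcessor", 12.34),
        ("low_watermark_io", "memory free low-watermark io", "lowWatermarkIo", 12.34),
        ("mem_reserve_critical", "memory reserve critical", "memReserveCritical", 12.34),
        ("mem_reserve_console", "memory reserve console", "memReserveConsole", 12.34),
        ("mem_ignore_overflow_io", "exception memory ignore overflow io", "memOverflowIo", 12.38),
        ("mem_ignore_overflow_cpu", "exception memory ignore overflow processor", "memOverflowProcessor", 12.38),
    ):
        check = getattr(memCpu, attr)
        lookup(check, "cmdInCfg", command)
        if check["cmdInCfg"] is not None:
            # feature already configured
            check["must_report"] = False
        else:
            setattr(memCpu, attr, finding(xml_key, upgrade_needed=too_old(min_version)))

    # CPU threshold notification is only complete when all four commands exist.
    notice = memCpu.cpu_threshold_notice
    lookup(notice, "cmdSnmpserverTraps", "snmp-server enable traps cpu threshold")
    lookup(notice, "cmdSnmpserverHost", "snmp-server host .* .* cpu", search_re_string)
    lookup(notice, "cmdCpuThreshold", "process cpu threshold type .* rising .* interval", search_re_string)
    lookup(notice, "cmdCpuStats", "process cpu statistics limit entry-percentage .*", search_re_string)
    notice_keys = ("cmdSnmpserverTraps", "cmdSnmpserverHost", "cmdCpuThreshold", "cmdCpuStats")
    if all(notice[key] is not None for key in notice_keys):
        notice["must_report"] = False
    else:
        memCpu.cpu_threshold_notice = finding("cpuThresholdNotification", upgrade_needed=too_old(12.34))

    # Report: one paragraph per flagged check, in assessment order.  The
    # previous code reset the buffer at low_watermark_processor instead of
    # appending, which silently dropped the two scheduler findings.
    paragraphs = []
    for attr in (
        "scheduler_allocate",
        "scheduler_interval",
        "low_watermark_processor",
        "low_watermark_io",
        "mem_reserve_critical",
        "mem_reserve_console",
        "mem_ignore_overflow_io",
        "mem_ignore_overflow_cpu",
        "cpu_threshold_notice",
    ):
        check = getattr(memCpu, attr)
        if check["must_report"]:
            paragraphs.append(check["definition"] + "\n" + check["threatInfo"] + "\n\n" + check["howtofix"] + "\n")
    return "".join(paragraphs)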
1135
def engine_crashinfo(lines, crashinfo):
    """Crashinfo generation configuration assessment.

    Checks that ``exception crashinfo maximum files`` is present in the
    configuration.  When it is not, ``crashinfo.crashinfo_max_files`` is
    replaced by the finding built from the ``ExceptionMaximumFiles``
    knowledge-base entry; otherwise its ``must_report`` flag is cleared.

    :param lines: IOS configuration handed to ``search_string``.
    :param crashinfo: object whose ``crashinfo_max_files`` dictionary is
        updated in place.
    :return: the report paragraph for the finding, or ``''`` when the command
        is configured.
    """
    check = crashinfo.crashinfo_max_files
    try:
        check['cmdInCfg'] = search_string(lines, 'exception crashinfo maximum files')
    except AttributeError:
        # Lookup failures are ignored, as in the other engines; the test below
        # then runs on whatever value the key already held.
        pass

    if check['cmdInCfg'] is None:
        items = search_xml('ExceptionMaximumFiles')
        check = {
            "must_report": True,
            "fixImpact": items[0],
            "definition": items[1],
            "threatInfo": items[2],
            "howtofix": items[3],
            "cvss": str(cvss_score(items[5])),
        }
        crashinfo.crashinfo_max_files = check
    else:
        # feature already configured
        check['must_report'] = False

    if check['must_report'] == True:
        return check['definition'] + '\n' + check['threatInfo'] + '\n\n' + check['howtofix'] + '\n'
    return ''
1160
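def engine_mpp(lines, vtyList, vtyCfg, mpp):
    """Management plane protection assessment.

    Covers management-plane protection (routers only), the SSH server
    settings, the SCP server, the clear-text HTTP server and the login
    brute-force countermeasures.  Each check in ``mpp`` is a dictionary that
    is either replaced by a finding from the XML knowledge base or has its
    ``must_report`` flag cleared.

    :param lines: the IOS configuration, in the form ``search_string`` and
        ``search_re_string`` expect.
    :param vtyList: the vty lines found in the configuration; when empty every
        vty was removed and the management checks are skipped.
    :param vtyCfg: per-vty configuration blocks (a sequence of sequences) that
        are searched for ``transport input none``.
    :param mpp: object carrying the per-check dictionaries ``mgmt_interfaces``,
        ``sshserver``, ``ssh_server_timeout``, ``ssh_server_auth_retries``,
        ``ssh_server_src_interface``, ``scp_server``, ``http_secure_server``
        and ``login_bruteforce``; updated in place.
    :return: the report text of every flagged check, ``''`` when nothing is
        flagged.  The early exits also return ``''`` now -- the previous code
        returned ``None`` there, which breaks callers concatenating engine
        outputs.
    """

    def lookup(check, key, command, search=search_string):
        """Store the configuration line matching ``command`` in ``check[key]``.

        ``AttributeError`` is swallowed, as everywhere else in this module, so a
        failed lookup leaves ``check[key]`` untouched and the ``is None`` tests
        below decide.
        """
        try:
            check[key] = search(lines, command)
        except AttributeError:
            pass

    def finding(xml_key, upgrade_needed=False):
        """Build the report dictionary for knowledge-base entry ``xml_key``.

        ``items[3]`` is the fix for releases supporting the feature; ``items[4]``
        is the "upgrade first" variant, selected when the running release is
        older than the one that introduced the feature.
        """
        items = search_xml(xml_key)
        return {
            "must_report": True,
            "fixImpact": items[0],
            "definition": items[1],
            "threatInfo": items[2],
            "howtofix": items[4] if upgrade_needed else items[3],
            "cvss": str(cvss_score(items[5])),
        }

    def too_old(min_version):
        """True when the running IOS release predates ``min_version``.

        NOTE(review): releases are compared as floats (the module writes
        12.3(4) as ``12.34``); two-digit maintenance numbers may not order as
        intended -- confirm against the encoding used by routerdefense.common.
        """
        return __builtin__.iosVersion < min_version

    def skip_management_checks():
        """No remote access via vty: nothing to report for these checks."""
        mpp.mgmt_interfaces['must_report'] = False
        # ``sshserver`` is not read by the report section below; it is cleared
        # for whoever else inspects the ``mpp`` object.
        mpp.sshserver['must_report'] = False
        mpp.scp_server['must_report'] = False
        return ''

    if not vtyList:
        # all vty lines are removed
        return skip_management_checks()
    for vty in vtyCfg:
        for entry in vty:
            if search_string(entry, 'transport input none') is not None:
                return skip_management_checks()

    if __builtin__.deviceType == 'router':
        iface = mpp.mgmt_interfaces
        lookup(iface, 'cpHostCfg', 'control-plane host')
        lookup(iface, 'mgmtIfaceCfg', 'management-interface .* allow .*', search_re_string)
        if iface['cpHostCfg'] is not None and iface['mgmtIfaceCfg'] is not None:
            iface['must_report'] = False
        else:
            # Both commands are required; 12.46 is the threshold the previous
            # code used for the "upgrade first" variant of the fix.
            mpp.mgmt_interfaces = finding('ManagementPlaneProtection', upgrade_needed=too_old(12.46))

    # Checks reported when their command is absent: (attribute, key, command, XML entry).
    for attr, key, command, xml_key in (
        ('ssh_server_timeout', 'timeout', 'ip ssh time-out', 'sshServerTimeout'),
        ('ssh_server_auth_retries', 'authRetries', 'ip ssh authentication-retries', 'sshServerAuthretries'),
        ('ssh_server_src_interface', 'sourceinterface', 'ip ssh source-interface', 'sshServerSourceIf'),
        ('scp_server', 'cmdIncfg', 'ip scp server enable', 'sshSCPServer'),
    ):
        check = getattr(mpp, attr)
        lookup(check, key, command)
        if check[key] is None:
            setattr(mpp, attr, finding(xml_key))
        else:
            check['must_report'] = False

    # The HTTP server check is inverted: its presence is the finding.
    # NOTE(review): assumes search_string does not also match the negated form
    # ``no ip http server`` -- confirm against routerdefense.common.
    http = mpp.http_secure_server
    lookup(http, 'cmdIncfg', 'ip http server')
    if http['cmdIncfg'] is not None:
        mpp.http_secure_server = finding('HTTPServer')
    else:
        http['must_report'] = False

    # Login brute-force protection: all five commands must be present.
    login = mpp.login_bruteforce
    login_commands = (
        ('blockfor', 'login block-for'),
        ('delay', 'login delay'),
        ('quietacl', 'login quiet access-class'),
        ('faillog', 'login on-failure log every'),
        ('successlog', 'login on-success log every'),
    )
    for key, command in login_commands:
        lookup(login, key, command)
    configured = sum(1 for key, _ in login_commands if login[key] is not None)
    if configured < len(login_commands):
        mpp.login_bruteforce = finding('loginBruteforce', upgrade_needed=too_old(12.34))
    else:
        login['must_report'] = False

    # Report: one paragraph per flagged check, in assessment order.
    paragraphs = []
    for attr in (
        'mgmt_interfaces',
        'ssh_server_timeout',
        'ssh_server_auth_retries',
        'ssh_server_src_interface',
        'scp_server',
        'http_secure_server',
        'login_bruteforce',
    ):
        check = getattr(mpp, attr)
        if check['must_report']:
            paragraphs.append(check['definition'] + '\n' + check['threatInfo'] + '\n\n' + check['howtofix'] + '\n')
    return ''.join(paragraphs)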
1396
def engine_password_management(lines, pwdManagement):
    """Access management assessment.

    Checks ``enable secret``, ``service password-encryption``, local users
    still defined with ``username ... password`` and the local-login retry
    lockout.  Each check in ``pwdManagement`` is a dictionary that is either
    replaced by a finding from the XML knowledge base or has its
    ``must_report`` flag cleared.

    :param lines: the IOS configuration, in the form ``search_string`` and
        ``search_re_string`` expect.
    :param pwdManagement: object carrying the per-check dictionaries
        ``enable_secret``, ``service_password_encryption``,
        ``username_secret`` and ``retry_lockout``; updated in place.
    :return: the report text of every flagged check, ``''`` when none is.
    """

    def lookup(check, key, command, search=search_string):
        """Store the configuration line matching ``command`` in ``check[key]``.

        ``AttributeError`` is swallowed, as everywhere else in this module, so a
        failed lookup leaves ``check[key]`` untouched.
        """
        try:
            check[key] = search(lines, command)
        except AttributeError:
            pass

    def finding(xml_key, howtofix_index=3):
        """Build the report dictionary for knowledge-base entry ``xml_key``.

        ``howtofix_index`` is 3 for the regular fix and 4 for the variant used
        when the running IOS release is older than the one that introduced the
        feature.
        """
        items = search_xml(xml_key)
        return {
            "must_report": True,
            "fixImpact": items[0],
            "definition": items[1],
            "threatInfo": items[2],
            "howtofix": items[howtofix_index],
            "cvss": str(cvss_score(items[5])),
        }

    enable_secret = pwdManagement.enable_secret
    lookup(enable_secret, 'cmdInCfg', 'enable secret')
    if enable_secret['cmdInCfg'] is None:
        pwdManagement.enable_secret = finding('enable_secret')
    else:
        # feature already configured
        enable_secret['must_report'] = False

    encryption = pwdManagement.service_password_encryption
    lookup(encryption, 'cmdInCfg', '^service password-encryption', search_re_string)
    if encryption['cmdInCfg'] is None:
        pwdManagement.service_password_encryption = finding('servicePasswordEncryption')
    else:
        # feature already configured
        encryption['must_report'] = False

    # Here the finding is the *presence* of a ``username ... password`` line.
    username_secret = pwdManagement.username_secret
    lookup(username_secret, 'cmdInCfg', '^username .* password .*', search_re_string)
    if username_secret['cmdInCfg'] is None:
        # feature already configured or not used
        username_secret['must_report'] = False
    elif __builtin__.iosVersion >= 12.28:
        pwdManagement.username_secret = finding('username_secret')
    else:
        # release too old: the fix tells the operator to upgrade first
        pwdManagement.username_secret = finding('username_secret', 4)

    lockout = pwdManagement.retry_lockout
    lookup(lockout, 'aaa_new_model', '^aaa new-model', search_re_string)
    lookup(lockout, 'usernames', '^username .*', search_re_string)
    lookup(lockout, 'maxFail', 'aaa local authentication attempts max-fail')
    lookup(lockout, 'aaaAuthLoginLocal', 'aaa authentication login default (local|.*) ?local', search_re_string)
    lockout_configured = (
        lockout['aaa_new_model'] is not None
        and lockout['maxFail'] is not None
        and lockout['aaaAuthLoginLocal'] is not None
    )
    # Nothing to report when the lockout is configured or no local user exists.
    if lockout_configured or lockout['usernames'] is None:
        lockout['must_report'] = False
    elif __builtin__.iosVersion >= 12.314:
        pwdManagement.retry_lockout = finding('retryLockout')
    else:
        # upgrade to >= 12.314 to get the feature
        pwdManagement.retry_lockout = finding('retryLockout', 4)

    # Report: one paragraph per flagged check, in assessment order.
    report = ''
    for attr in ('enable_secret', 'service_password_encryption', 'username_secret', 'retry_lockout'):
        check = getattr(pwdManagement, attr)
        if check['must_report'] == True:
            report += check['definition'] + '\n' + check['threatInfo'] + '\n\n' + check['howtofix'] + '\n'
    return report
1517
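def engine_tacacs(lines, tacacs, mode):
    """Tacacs+ assessment.

    ``mode`` selects the family of checks that runs: ``'Authentication'``,
    ``'Authorization'``, ``'Accounting'`` or ``'RedundantAAA'``; any other
    value performs no check and returns ``''``.  Each check in ``tacacs`` is a
    dictionary that is either replaced by a finding from the XML knowledge base
    or has its ``must_report`` flag cleared.

    :param lines: the IOS configuration, in the form ``search_string`` and
        ``search_re_string`` expect.
    :param tacacs: object carrying the per-check dictionaries
        ``aaa_new_model``, ``auth_tacacs``, ``auth_fallback``, ``auth_exec``,
        ``aaa_accounting``, ``level_0``, ``level_1``, ``level_15`` and
        ``redundant``; updated in place.  ``level_0``/``level_1``/``level_15``
        are shared by the Authorization and Accounting modes, so a later call
        overwrites the earlier mode's result (presumably the caller reads the
        returned report between calls -- confirm).
    :param mode: one of the mode names above.
    :return: the report text of every flagged check of ``mode``, ``''`` when
        none is.
    """

    def lookup(check, key, command, search=search_string):
        """Store the configuration line matching ``command`` in ``check[key]``.

        ``AttributeError`` is swallowed, as everywhere else in this module, so a
        failed lookup leaves ``check[key]`` untouched and the ``is None`` tests
        below decide.
        """
        try:
            check[key] = search(lines, command)
        except AttributeError:
            pass

    def finding(xml_key):
        """Build the report dictionary for knowledge-base entry ``xml_key``."""
        items = search_xml(xml_key)
        return {
            "must_report": True,
            "fixImpact": items[0],
            "definition": items[1],
            "threatInfo": items[2],
            "howtofix": items[3],
            "cvss": str(cvss_score(items[5])),
        }

    # ``aaa new-model`` is looked up for every mode but reported only under
    # 'Authentication' (its entry below carries no command for that reason).
    lookup(tacacs.aaa_new_model, 'cmdInCfg', 'aaa new-model')

    # Per mode: (attribute, command or None if already looked up, search
    # function, XML entry).  The order is also the report order.
    checks = {
        'Authentication': (
            ('aaa_new_model', None, search_string, 'aaa_new_model'),
            ('auth_tacacs', r'aaa authentication login default (group tacacs\+|.*) ?tacacs\+', search_re_string, 'aaaAuthTacacs'),
            ('auth_fallback', r'aaa authentication login default (group tacacs\+|.*) (enable|local)', search_re_string, 'aaaAuthTacacsFallback'),
        ),
        'Authorization': (
            ('auth_exec', 'aaa authorization exec default group tacacs none', search_string, 'aaaAuthTacacsExec'),
            ('level_0', 'aaa authorization commands 0 default group tacacs none', search_string, 'aaaAuthTacacsLevel0'),
            ('level_1', 'aaa authorization commands 1 default group tacacs none', search_string, 'aaaAuthTacacsLevel1'),
            ('level_15', 'aaa authorization commands 15 default group tacacs none', search_string, 'aaaAuthTacacsLevel15'),
        ),
        'Accounting': (
            ('aaa_accounting', 'aaa accounting exec default start-stop group tacacs', search_string, 'aaaAccountingTacacsExec'),
            ('level_0', 'aaa accounting commands 0 default start-stop group tacacs', search_string, 'aaaAccountingTacacsLevel0'),
            ('level_1', 'aaa accounting commands 1 default start-stop group tacacs', search_string, 'aaaAccountingTacacsLevel1'),
            ('level_15', 'aaa accounting commands 15 default start-stop group tacacs', search_string, 'aaaAccountingTacacsLevel15'),
        ),
    }

    if mode == 'RedundantAAA':
        # Count the TACACS+ servers one configuration line at a time.  The
        # previous loop searched the whole configuration on every iteration,
        # so a single server counted as len(lines) and redundancy was never
        # reported.  NOTE(review): each line is wrapped in a one-element list
        # because search_string is called with the line collection everywhere
        # else in this module -- confirm its signature in routerdefense.common.
        countservers = sum(
            1 for line in lines if search_string([line], 'tacacs-server host') is not None
        )
        if countservers >= 2:
            tacacs.redundant['must_report'] = False
        else:
            tacacs.redundant = finding('aaaTacacsRedundant')
        report_attrs = ('redundant',)
    elif mode in checks:
        for attr, command, search, xml_key in checks[mode]:
            check = getattr(tacacs, attr)
            if command is not None:
                lookup(check, 'cmdInCfg', command, search)
            if check['cmdInCfg'] is None:
                setattr(tacacs, attr, finding(xml_key))
            else:
                check['must_report'] = False
        report_attrs = tuple(entry[0] for entry in checks[mode])
    else:
        report_attrs = ()

    # Report: one paragraph per flagged check of the selected mode.
    paragraphs = []
    for attr in report_attrs:
        check = getattr(tacacs, attr)
        if check['must_report']:
            paragraphs.append(check['definition'] + '\n' + check['threatInfo'] + '\n\n' + check['howtofix'] + '\n')
    return ''.join(paragraphs)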
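def engine_snmp(lines, snmp):
    """SNMP configuration assessment.

    Assesses the SNMP community strings (RO and RW, with or without an
    SNMP view) for complexity and for a guarding standard access-list,
    and checks that an SNMPv3 group using ``auth`` or ``priv`` exists.
    Every per-check dict hanging off ``snmp`` is either left with
    ``must_report`` set to ``False`` or replaced by the finding fetched
    from the XML knowledge base.

    Compared to the previous implementation: the "no ACL on a view RW
    community" case now fetches ``ViewsnmpRWcommunityHardenedACL`` (it
    fetched the non-view entry), the access-list is taken from the last
    token of the line (a fixed index picked the view name on ``view``
    lines), a complex community string explicitly clears
    ``must_report`` and an empty management ACL no longer raises
    ``IndexError``.

    :param lines: the device configuration, one entry per line.
    :param snmp: result holder with the dicts ``ro_community``,
        ``ro_community_acl``, ``rw_community``, ``rw_community_acl``,
        ``view_ro_community``, ``view_ro_community_acl``,
        ``view_rw_community``, ``view_rw_community_acl`` and
        ``snmp_v3``; updated in place.
    :return: the text of every finding that must be reported, ``''``
        when there is none.
    """
    # Placeholders substituted into the "how to fix" templates.  The
    # management ACL may be unset (None -> TypeError) or empty
    # (IndexError); both fall back to an empty string.
    try:
        mgmtSubnet = __builtin__.ipv4_mgmt_outbound[0][0]
    except (TypeError, IndexError):
        mgmtSubnet = ""
    try:
        mgmtWildcardMask = __builtin__.ipv4_mgmt_outbound[0][3]
    except (TypeError, IndexError):
        mgmtWildcardMask = ""

    def _grab(checkName, pattern):
        # Store the matching configuration line (or None) under
        # 'cmdInCfg'.  As in the other engines an AttributeError raised
        # by the lookup leaves the previous value untouched.
        try:
            getattr(snmp, checkName)['cmdInCfg'] = search_re_string(lines, pattern)
        except AttributeError:
            pass

    def _finding(xmlKey):
        # Build a reportable finding from the knowledge-base entry xmlKey.
        items = search_xml(xmlKey)
        cvssMetrics = str(cvss_score(items[5]))
        howtofix = (items[3].strip()
                    .replace('[%ManagementSubnet]', mgmtSubnet, 1)
                    .replace('[%ManagementWildcardMask]', mgmtWildcardMask, 1))
        return {
            "must_report": True,
            "fixImpact": items[0],
            "definition": items[1],
            "threatInfo": items[2],
            "howtofix": howtofix,
            "cvss": cvssMetrics}

    def _assess_community(checkName, aclCheckName, hardenedKey, aclKey, aclPattern):
        # Assess one community string and the standard ACL guarding it.
        community = getattr(snmp, checkName)
        if community['cmdInCfg'] is None:
            # Feature not configured: nothing to report for either check.
            community['must_report'] = False
            getattr(snmp, aclCheckName)['must_report'] = False
            return
        # 'snmp-server community <string> [view <name>] RO|RW [acl]':
        # the community string is always the third token.
        communityString = community['cmdInCfg'].split()[2]
        if snmp_community_complexity(communityString) == False:
            setattr(snmp, checkName, _finding(hardenedKey))
        else:
            community['must_report'] = False
        # The ACL is assessed whenever the community is configured,
        # whatever the complexity verdict.
        _grab(aclCheckName, aclPattern)
        aclCheck = getattr(snmp, aclCheckName)
        if aclCheck['cmdInCfg'] is None:
            setattr(snmp, aclCheckName, _finding(aclKey))
            return
        # The access-list is the last token of the line.
        accessListNumber = aclCheck['cmdInCfg'].split()[-1]
        if check_std_acl(lines, accessListNumber) == True:
            aclCheck['must_report'] = False
        else:
            setattr(snmp, aclCheckName, _finding(aclKey))

    def _render(finding):
        # Human-readable text of one finding.
        return (finding['definition'] + '\n' + finding['threatInfo'] + '\n\n'
                + finding['howtofix'] + '\n')

    _grab('ro_community', 'snmp-server community .* (RO|ro)')
    _grab('rw_community', 'snmp-server community .* (RW|rw)')
    _grab('view_ro_community', 'snmp-server community .* view .* (RO|ro)')
    _grab('view_rw_community', 'snmp-server community .* view .* (RW|rw)')
    _grab('snmp_v3', 'snmp-server group .* v3 (auth|priv)')

    _assess_community('ro_community', 'ro_community_acl',
                      'snmpROcommunityHardened', 'snmpROcommunityHardenedACL',
                      r'snmp-server community .* (RO|ro) \d')
    _assess_community('rw_community', 'rw_community_acl',
                      'snmpRWcommunityHardened', 'snmpRWcommunityHardenedACL',
                      r'snmp-server community .* (RW|rw) \d')
    _assess_community('view_ro_community', 'view_ro_community_acl',
                      'ViewsnmpROcommunityHardened', 'ViewsnmpROcommunityHardenedACL',
                      r'snmp-server community .* view .* (RO|ro) \d')
    _assess_community('view_rw_community', 'view_rw_community_acl',
                      'ViewsnmpRWcommunityHardened', 'ViewsnmpRWcommunityHardenedACL',
                      r'snmp-server community .* view .* (RW|rw) \d')

    if snmp.snmp_v3['cmdInCfg'] is None:
        # No SNMPv3 group with authentication or privacy: report it.
        snmp.snmp_v3 = _finding('snmpVersion3')
    else:
        snmp.snmp_v3['must_report'] = False

    reportOrder = ('ro_community', 'ro_community_acl',
                   'rw_community', 'rw_community_acl',
                   'view_ro_community', 'view_ro_community_acl',
                   'view_rw_community', 'view_rw_community_acl',
                   'snmp_v3')
    return ''.join(_render(getattr(snmp, name)) for name in reportOrder
                   if getattr(snmp, name)['must_report'] == True)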
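def engine_syslog(lines, syslog):
    """Syslog assessment.

    Checks the remote syslog server, the trap and buffer severity levels,
    console and monitor logging, the logging buffer, the source
    interface, timestamps and (routers only) ``logging server-arp``.
    Each per-check dict on ``syslog`` is either marked
    ``must_report = False`` or replaced by the finding fetched from the
    XML knowledge base.

    Compared to the previous implementation the severity keyword of
    ``logging buffered`` is resolved through one table: the old chain of
    ``if`` statements called ``.strip()`` on the integer it had just
    assigned (``AttributeError``) and spelled the keyword
    ``notification`` instead of ``notifications``.  A level or size that
    cannot be parsed now reports the check instead of raising
    ``ValueError``.

    :param lines: the device configuration, one entry per line.
    :param syslog: result holder with the dicts ``server``,
        ``level_trap``, ``level_buffered``, ``logging_console``,
        ``logging_monitor``, ``logging_buffered``, ``interface``,
        ``timestamp`` and ``server_arp``; updated in place.
    :return: the text of every finding that must be reported, ``''``
        when there is none.
    """
    # IOS severity keywords and their numeric level.
    severityLevels = {
        "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
        "warnings": 4, "notifications": 5, "informational": 6,
        "debugging": 7}

    def _severity(token):
        # Numeric severity for a digit string or an IOS keyword; None
        # when the token is not recognised.
        token = token.strip().lower()
        if token.isdigit():
            return int(token)
        return severityLevels.get(token)

    def _token(line, index):
        # The index-th whitespace-separated token of a configuration
        # line, '' when the line is shorter than that.
        tokens = line.split()
        if index < len(tokens):
            return tokens[index]
        return ''

    def _grab(checkName, finder, pattern):
        # Store the matching configuration line (or None) under
        # 'cmdInCfg'.  An AttributeError raised by the lookup leaves the
        # previous value untouched, as in the other engines.
        try:
            getattr(syslog, checkName)['cmdInCfg'] = finder(lines, pattern)
        except AttributeError:
            pass

    def _finding(xmlKey, howtofixIndex=3):
        # Build a reportable finding from the knowledge-base entry; index
        # 4 holds the "upgrade IOS" variant of the fix text.
        items = search_xml(xmlKey)
        return {
            "must_report": True,
            "fixImpact": items[0],
            "definition": items[1],
            "threatInfo": items[2],
            "howtofix": items[howtofixIndex],
            "cvss": str(cvss_score(items[5]))}

    def _render(finding):
        # Human-readable text of one finding.
        return (finding['definition'] + '\n' + finding['threatInfo'] + '\n\n'
                + finding['howtofix'] + '\n')

    # Remote syslog server.
    _grab('server', search_string, 'logging host')
    if syslog.server['cmdInCfg'] is None:
        # Propose the management subnet as destination when one is
        # known, a placeholder host name otherwise.  The management ACL
        # may be unset (TypeError) or empty (IndexError).
        try:
            mgmtSubnet = __builtin__.ipv4_mgmt_outbound[0][0]
        except (TypeError, IndexError):
            mgmtSubnet = ""
        if len(mgmtSubnet) > 0:
            syslogTarget = mgmtSubnet
        else:
            syslogTarget = 'new-syslog-server'
        finding = _finding('syslogServer')
        finding['howtofix'] = finding['howtofix'].strip() \
            .replace('[%ManagementSyslog]', syslogTarget, 1)
        syslog.server = finding
    else:
        syslog.server['must_report'] = False

    # Trap level: 'logging trap <level>', informational (6) or lower.
    _grab('level_trap', search_string, 'logging trap')
    if syslog.level_trap['cmdInCfg'] is None:
        syslog.level_trap = _finding('syslogLevelTrap')
    else:
        level = _severity(_token(syslog.level_trap['cmdInCfg'], 2))
        if level is not None and level <= 6:
            syslog.level_trap['must_report'] = False
        else:
            syslog.level_trap = _finding('syslogLevelTrap')

    # Numeric buffered level: 'logging buffered <level>' must be 6.
    _grab('level_buffered', search_re_string, r'logging buffered \d')
    if syslog.level_buffered['cmdInCfg'] is None:
        syslog.level_buffered = _finding('syslogLevelBuffered')
    else:
        level = _severity(_token(syslog.level_buffered['cmdInCfg'], 2))
        if level == 6:
            syslog.level_buffered['must_report'] = False
        else:
            syslog.level_buffered = _finding('syslogLevelBuffered')

    # Console and monitor logging must be disabled.
    _grab('logging_console', search_string, 'no logging console')
    if syslog.logging_console['cmdInCfg'] is None:
        syslog.logging_console = _finding('syslogConsole')
    else:
        syslog.logging_console['must_report'] = False

    _grab('logging_monitor', search_string, 'no logging monitor')
    if syslog.logging_monitor['cmdInCfg'] is None:
        syslog.logging_monitor = _finding('syslogMonitor')
    else:
        syslog.logging_monitor['must_report'] = False

    # Logging buffer: 'logging buffered <size> <level>', at least 16000
    # bytes at informational (6).
    _grab('logging_buffered', search_re_string, 'logging buffered .* .*')
    if syslog.logging_buffered['cmdInCfg'] is None:
        syslog.logging_buffered = _finding('syslogBuffered')
    else:
        sizeToken = _token(syslog.logging_buffered['cmdInCfg'], 2)
        level = _severity(_token(syslog.logging_buffered['cmdInCfg'], 3))
        if sizeToken.isdigit() and int(sizeToken) >= 16000 and level == 6:
            syslog.logging_buffered['must_report'] = False
        else:
            syslog.logging_buffered = _finding('syslogBuffered')

    # Source interface and timestamps.
    _grab('interface', search_string, 'logging source-interface loopback')
    if syslog.interface['cmdInCfg'] is None:
        syslog.interface = _finding('syslogInterface')
    else:
        syslog.interface['must_report'] = False

    _grab('timestamp', search_string,
          'service timestamps log datetime msec show-timezone')
    if syslog.timestamp['cmdInCfg'] is None:
        syslog.timestamp = _finding('syslogTimestamp')
    else:
        syslog.timestamp['must_report'] = False

    # 'logging server-arp' is a router feature introduced in IOS 12.3;
    # older releases get the "upgrade" variant of the fix text.
    # NOTE(review): iosVersion is compared as a float; the ordering is
    # only meaningful while the caller encodes versions that way.
    if __builtin__.deviceType == 'router':
        _grab('server_arp', search_string, 'logging server-arp')
        if syslog.server_arp['cmdInCfg'] is None:
            if __builtin__.iosVersion >= 12.3:
                syslog.server_arp = _finding('syslogserver_arp')
            else:
                syslog.server_arp = _finding('syslogserver_arp', howtofixIndex=4)
        else:
            syslog.server_arp['must_report'] = False

    reportOrder = ('server', 'level_trap', 'level_buffered',
                   'logging_console', 'logging_monitor', 'logging_buffered',
                   'interface', 'timestamp', 'server_arp')
    # server_arp is only assessed on routers; .get() keeps a switch from
    # failing on a holder that never received the key.
    return ''.join(_render(getattr(syslog, name)) for name in reportOrder
                   if getattr(syslog, name).get('must_report') == True)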
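def engine_archive(lines, archive):
    """Archive configuration assessment.

    Checks the configuration archive (an ``archive`` stanza with a
    ``time-period``), exclusive configuration mode, the resilient image
    and configuration (``secure boot-image`` / ``secure boot-config``)
    and archive change logging with ``hidekeys``.  Each per-check dict on
    ``archive`` is either marked ``must_report = False`` or replaced by
    the finding fetched from the XML knowledge base; when the running
    IOS predates the feature the finding carries the "upgrade IOS" fix
    text instead.

    A configuration without any ``archive`` stanza is reported for both
    the archive and the change-log checks (the previous implementation
    left those two dicts untouched in that case, so the result depended
    on their initial value).

    :param lines: the device configuration, one entry per line.
    :param archive: result holder with the dicts ``configuration``,
        ``exclusive``, ``secure_boot``, ``secure_config`` and ``logs``;
        updated in place.
    :return: the text of every finding that must be reported, ``''``
        when there is none.
    """

    def _grab(checkName, finder, pattern):
        # Store the matching configuration line (or None) under
        # 'cmdInCfg'.  An AttributeError raised by the lookup leaves the
        # previous value untouched, as in the other engines.
        try:
            getattr(archive, checkName)['cmdInCfg'] = finder(lines, pattern)
        except AttributeError:
            pass

    def _finding(xmlKey, minVersion):
        # Build a reportable finding; index 3 is the fix text, index 4
        # the "upgrade to minVersion" variant used when the IOS is too
        # old for the feature.
        # NOTE(review): iosVersion is compared as a float (12.37 standing
        # for 12.3(7)); the ordering is only meaningful while the caller
        # encodes versions that way.
        items = search_xml(xmlKey)
        if __builtin__.iosVersion >= minVersion:
            howtofix = items[3]
        else:
            howtofix = items[4]
        return {
            "must_report": True,
            "fixImpact": items[0],
            "definition": items[1],
            "threatInfo": items[2],
            "howtofix": howtofix,
            "cvss": str(cvss_score(items[5]))}

    def _render(finding):
        # Human-readable text of one finding.
        return (finding['definition'] + '\n' + finding['threatInfo'] + '\n\n'
                + finding['howtofix'] + '\n')

    # Configuration archive with a periodic backup.
    _grab('configuration', search_re_string, '^archive$')
    if (archive.configuration['cmdInCfg'] is not None
            and search_re_string(lines, 'time-period') is not None):
        archive.configuration['must_report'] = False
    else:
        archive.configuration = _finding('archiveConfiguration', 12.37)

    # Exclusive configuration mode.
    _grab('exclusive', search_string, 'configuration mode exclusive auto')
    if archive.exclusive['cmdInCfg'] is not None:
        archive.exclusive['must_report'] = False
    else:
        archive.exclusive = _finding('archiveExclusive', 12.314)

    # Resilient IOS image.
    _grab('secure_boot', search_string, 'secure boot-image')
    if archive.secure_boot['cmdInCfg'] is not None:
        archive.secure_boot['must_report'] = False
    else:
        archive.secure_boot = _finding('archiveSecureImage', 12.38)

    # Resilient configuration.
    _grab('secure_config', search_string, 'secure boot-config')
    if archive.secure_config['cmdInCfg'] is not None:
        archive.secure_config['must_report'] = False
    else:
        archive.secure_config = _finding('archiveSecureConfig', 12.38)

    # Configuration change logging with hidden keys.
    _grab('logs', search_re_string, '^archive$')
    if (archive.logs['cmdInCfg'] is not None
            and search_string(lines, 'hidekeys') is not None
            and search_string(lines, 'logging enable') is not None):
        archive.logs['must_report'] = False
    else:
        archive.logs = _finding('archiveLogs', 12.34)

    reportOrder = ('configuration', 'exclusive', 'secure_boot',
                   'secure_config', 'logs')
    return ''.join(_render(getattr(archive, name)) for name in reportOrder
                   if getattr(archive, name)['must_report'] == True)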
2525
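def engine_icmp_redirects(icmpRedirects, fullConfig, ifaceCfg):
    """ICMP redirects assessment.

    Every non-Loopback interface of ``ifaceCfg`` is classified by the presence
    of an explicit ``no ip redirects`` line: with it the interface name goes to
    ``icmpRedirects.redirects['enabledIfsFeature']`` (fix applied), without it
    to ``['disabledIfsFeature']`` and ``must_report`` is raised.  When
    reporting, the ``ipICMPredirects`` XML item fills the finding and the
    ``[%RedirectifsDisabled]`` / ``[%RedirectifsEnabled]`` placeholders of its
    how-to-fix text receive the two interface lists (``"None"`` for an empty
    list).

    :param icmpRedirects: finding holder; ``icmpRedirects.redirects`` must be
        a dict holding ``must_report`` and the two interface-name lists.
    :param fullConfig: not used by this engine (kept for signature parity
        with the other per-interface engines).
    :param ifaceCfg: sequence of interface objects exposing ``name`` and a
        ``configuration`` list of lines.
    :return: the report paragraph (definition, threat info and how-to-fix
        separated by newlines) or ``''`` when there is nothing to report.
    """
    redirects = icmpRedirects.redirects
    for iface in ifaceCfg:
        name = iface.name.strip()
        # Loopbacks are out of scope: skip them instead of 'break', which used
        # to abandon every interface listed after a Loopback.
        if 'Loopback' in name:
            continue
        # IOS prints 'no ip redirects' when the feature is turned off and
        # nothing at all for the (enabled) default, so the hardened state is
        # detected by the 'no' form, like the proxy-ARP / unreachables engines.
        hardened = any(line == 'no ip redirects' for line in iface.configuration)
        if hardened:
            if name not in redirects['enabledIfsFeature']:
                redirects['enabledIfsFeature'].append(name)
        elif name not in redirects['disabledIfsFeature']:
            redirects['disabledIfsFeature'].append(name)
            redirects['must_report'] = True

    if not redirects['must_report']:
        return ''

    items = search_xml('ipICMPredirects')
    redirects['fixImpact'] = items[0]
    redirects['definition'] = items[1]
    redirects['threatInfo'] = items[2]
    redirects['cvss'] = str(cvss_score(items[5]))
    # Placeholder naming is the reverse of the list naming: the interfaces
    # with the fix applied fill "...Disabled" (redirects disabled) and the
    # others fill "...Enabled".
    howtofix = items[3].strip()
    howtofix = howtofix.replace('[%RedirectifsDisabled]',
                                ", ".join(redirects['enabledIfsFeature']) or "None", 1)
    howtofix = howtofix.replace('[%RedirectifsEnabled]',
                                ", ".join(redirects['disabledIfsFeature']) or "None", 1)
    redirects['howtofix'] = howtofix
    # One return path only: the earlier unconditional 'return' inside this
    # branch produced text without separators and left the code below dead.
    return (redirects['definition'] + '\n' + redirects['threatInfo']
            + '\n\n' + redirects['howtofix'] + '\n')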
2584 2585
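def engine_icmp_unreach(icmpUnreachable, fullConfig, ifaceCfg):
    """ICMP unreachable configuration.

    Every non-Loopback interface of ``ifaceCfg`` is classified by the
    presence of a ``no ip unreachables`` line: with it the interface name goes
    to ``icmpUnreachable.unreachable['disabledIfsFeature']``, without it to
    ``['enabledIfsFeature']`` and ``must_report`` is raised.  The global
    ``ip icmp rate-limit unreachable`` command is looked up in ``fullConfig``
    and stored under ``unreachableRate``; its absence also raises
    ``must_report``.  When reporting, the ``ipICMPunreachable`` XML item fills
    the finding and the ``[%UnreachableifsEnabled]`` /
    ``[%UnreachableifsDisabled]`` placeholders of its how-to-fix text receive
    the interface lists (``"None"`` for an empty list).

    :param icmpUnreachable: finding holder; ``icmpUnreachable.unreachable``
        must be a dict holding ``must_report`` and the two interface-name lists.
    :param fullConfig: the whole configuration, as lines.
    :param ifaceCfg: sequence of interface objects exposing ``name`` and a
        ``configuration`` list of lines.
    :return: the report paragraph or ``''`` when there is nothing to report.
    """
    unreach = icmpUnreachable.unreachable
    for iface in ifaceCfg:
        name = iface.name.strip()
        # Loopbacks are out of scope: skip them instead of 'break', which used
        # to abandon every interface listed after a Loopback.
        if 'Loopback' in name:
            continue
        # Decide once per interface; the flag used to be reset inside the
        # per-line loop, which made the classification depend on line order.
        hardened = any(line == 'no ip unreachables' for line in iface.configuration)
        if hardened:
            if name not in unreach['disabledIfsFeature']:
                unreach['disabledIfsFeature'].append(name)
        elif name not in unreach['enabledIfsFeature']:
            unreach['enabledIfsFeature'].append(name)
            unreach['must_report'] = True

    try:
        unreach['unreachableRate'] = search_string(fullConfig, 'ip icmp rate-limit unreachable')
    except AttributeError:
        pass
    if unreach.get('unreachableRate') is None:
        unreach['must_report'] = True

    if not unreach['must_report']:
        return ''

    items = search_xml('ipICMPunreachable')
    cvssMetrics = str(cvss_score(items[5]))
    unreach['fixImpact'] = items[0]
    unreach['definition'] = items[1]
    unreach['threatInfo'] = items[2]
    # NOTE(review): the list <-> placeholder pairing is kept as it was
    # ('disabledIfsFeature' fills "...Enabled" and vice versa); whether that
    # matches the wording of the XML template could not be checked here.
    howtofix = items[3].strip()
    howtofix = howtofix.replace('[%UnreachableifsEnabled]',
                                ", ".join(unreach['disabledIfsFeature']) or "None", 1)
    howtofix = howtofix.replace('[%UnreachableifsDisabled]',
                                ", ".join(unreach['enabledIfsFeature']) or "None", 1)
    unreach['howtofix'] = howtofix
    unreach['cvss'] = cvssMetrics
    return (unreach['definition'] + '\n' + unreach['threatInfo']
            + '\n\n' + unreach['howtofix'] + '\n')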
2635
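def engine_arp_proxy(proxyArp, fullConfig, ifaceCfg):
    """ARP proxy configuration.

    Every non-Loopback interface of ``ifaceCfg`` is classified by the
    presence of a ``no ip proxy-arp`` line: with it the interface name goes to
    ``proxyArp.proxy['enabledIfsFeature']`` (fix applied), without it to
    ``['disabledIfsFeature']`` and ``must_report`` is raised.  When reporting,
    the ``proxyArp`` XML item fills the finding and the ``[%ArpifsEnabled]`` /
    ``[%ArpifsDisabled]`` placeholders of its how-to-fix text receive the
    interface lists (``"None"`` for an empty list).

    :param proxyArp: finding holder; ``proxyArp.proxy`` must be a dict
        holding ``must_report`` and the two interface-name lists.
    :param fullConfig: not used by this engine (kept for signature parity
        with the other per-interface engines).
    :param ifaceCfg: sequence of interface objects exposing ``name`` and a
        ``configuration`` list of lines.
    :return: the report paragraph or ``''`` when there is nothing to report.
    """
    proxy = proxyArp.proxy
    for iface in ifaceCfg:
        name = iface.name.strip()
        # Loopbacks are out of scope: skip them instead of 'break', which used
        # to abandon every interface listed after a Loopback.
        if 'Loopback' in name:
            continue
        # Decide once per interface; the flag used to be reset inside the
        # per-line loop, which made the classification depend on line order.
        hardened = any(line == 'no ip proxy-arp' for line in iface.configuration)
        if hardened:
            if name not in proxy['enabledIfsFeature']:
                proxy['enabledIfsFeature'].append(name)
        elif name not in proxy['disabledIfsFeature']:
            proxy['disabledIfsFeature'].append(name)
            proxy['must_report'] = True

    if not proxy['must_report']:
        return ''

    items = search_xml('proxyArp')
    cvssMetrics = str(cvss_score(items[5]))
    proxy['fixImpact'] = items[0]
    proxy['definition'] = items[1]
    proxy['threatInfo'] = items[2]
    # The interfaces still proxying (no fix) fill "...Enabled", the hardened
    # ones fill "...Disabled".
    howtofix = items[3].strip()
    howtofix = howtofix.replace('[%ArpifsEnabled]',
                                ", ".join(proxy['disabledIfsFeature']) or "None", 1)
    howtofix = howtofix.replace('[%ArpifsDisabled]',
                                ", ".join(proxy['enabledIfsFeature']) or "None", 1)
    proxy['howtofix'] = howtofix
    proxy['cvss'] = cvssMetrics
    return (proxy['definition'] + '\n' + proxy['threatInfo']
            + '\n\n' + proxy['howtofix'] + '\n')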
2677
def engine_ntp(lines, ntp):
    """NTP configuration.

    Looks up ``ntp authenticate`` and ``ntp authentication-key`` in ``lines``
    and stores the matching lines under ``ntp.authentication['authenticate']``
    and ``['key']``.  If either is missing ``must_report`` is raised and
    ``ntp.authentication`` is replaced by the fields of the
    ``ntpAuthentication`` XML item.

    NOTE(review): ``ntp trusted-key`` is not checked, although IOS only
    authenticates time sources with keys that are also marked trusted.

    :param lines: configuration lines.
    :param ntp: finding holder with an ``authentication`` dict.
    :return: the report paragraph or ``''`` when there is nothing to report.
    """
    auth = ntp.authentication
    lookups = (('authenticate', 'ntp authenticate'),
               ('key', 'ntp authentication-key'))
    for key, needle in lookups:
        try:
            auth[key] = search_string(lines, needle)
        except AttributeError:
            pass

    if auth['authenticate'] is None or auth['key'] is None:
        auth['must_report'] = True

    if auth['must_report'] != True:
        return ''

    items = search_xml('ntpAuthentication')
    cvssMetrics = str(cvss_score(items[5]))
    ntp.authentication = {
        "must_report": True,
        "fixImpact": (items[0]),
        "definition": (items[1]),
        "threatInfo": (items[2]),
        "howtofix": (items[3]),
        "cvss": (cvssMetrics)}
    finding = ntp.authentication
    return finding['definition'] + '\n' + finding['threatInfo'] + '\n\n' + finding['howtofix'] + '\n'
2708
def engine_ip_options(lines, ipoptions):
    """IP options configuration.

    Looks for ``ip options drop`` in ``lines`` and keeps the matching line in
    ``ipoptions.drop['cmdInCfg']``.  When it is absent ``must_report`` is
    raised and ``ipoptions.drop`` is replaced by the fields of the
    ``IPoptions`` XML item.

    :param lines: configuration lines.
    :param ipoptions: finding holder with a ``drop`` dict.
    :return: the report paragraph or ``''`` when there is nothing to report.
    """
    drop = ipoptions.drop
    try:
        drop['cmdInCfg'] = search_string(lines, 'ip options drop')
    except AttributeError:
        pass
    if drop['cmdInCfg'] is None:
        drop['must_report'] = True

    if drop['must_report'] != True:
        return ''

    items = search_xml('IPoptions')
    cvssMetrics = str(cvss_score(items[5]))
    ipoptions.drop = {
        "must_report": True,
        "fixImpact": (items[0]),
        "definition": (items[1]),
        "threatInfo": (items[2]),
        "howtofix": (items[3]),
        "cvss": (cvssMetrics)}
    finding = ipoptions.drop
    return finding['definition'] + '\n' + finding['threatInfo'] + '\n\n' + finding['howtofix'] + '\n'
2735
def engine_ip_src_route(lines, ipsrcroute):
    """IPv4 source-routing configuration.

    Looks for ``no ip source-route`` in ``lines`` and keeps the matching line
    in ``ipsrcroute.drop['cmdInCfg']``.  When it is absent ``must_report`` is
    raised and ``ipsrcroute.drop`` is replaced by the fields of the
    ``IPsourceroute`` XML item.

    :param lines: configuration lines.
    :param ipsrcroute: finding holder with a ``drop`` dict.
    :return: the report paragraph or ``''`` when there is nothing to report.
    """
    drop = ipsrcroute.drop
    try:
        drop['cmdInCfg'] = search_string(lines, 'no ip source-route')
    except AttributeError:
        pass
    if drop['cmdInCfg'] is None:
        drop['must_report'] = True

    if drop['must_report'] != True:
        return ''

    items = search_xml('IPsourceroute')
    cvssMetrics = str(cvss_score(items[5]))
    ipsrcroute.drop = {
        "must_report": True,
        "fixImpact": (items[0]),
        "definition": (items[1]),
        "threatInfo": (items[2]),
        "howtofix": (items[3]),
        "cvss": (cvssMetrics)}
    finding = ipsrcroute.drop
    return finding['definition'] + '\n' + finding['threatInfo'] + '\n\n' + finding['howtofix'] + '\n'
2762
def engine_icmp_deny(lines, denyicmp):
    """ICMP deny configuration.

    Looks for a ``deny icmp any any`` line in ``lines`` and keeps it in
    ``denyicmp.filtered['cmdInCfg']``.  When it is absent ``must_report`` is
    raised and ``denyicmp.filtered`` is replaced by the fields of the
    ``ICMPdeny`` XML item.

    NOTE(review): the line is matched anywhere in the configuration, so an
    entry in an ACL that is not applied to any interface still counts.

    :param lines: configuration lines.
    :param denyicmp: finding holder with a ``filtered`` dict.
    :return: the report paragraph or ``''`` when there is nothing to report.
    """
    filtered = denyicmp.filtered
    try:
        filtered['cmdInCfg'] = search_string(lines, 'deny icmp any any')
    except AttributeError:
        pass
    if filtered['cmdInCfg'] is None:
        filtered['must_report'] = True

    if filtered['must_report'] != True:
        return ''

    items = search_xml('ICMPdeny')
    cvssMetrics = str(cvss_score(items[5]))
    denyicmp.filtered = {
        "must_report": True,
        "fixImpact": (items[0]),
        "definition": (items[1]),
        "threatInfo": (items[2]),
        "howtofix": (items[3]),
        "cvss": (cvssMetrics)}
    finding = denyicmp.filtered
    return finding['definition'] + '\n' + finding['threatInfo'] + '\n\n' + finding['howtofix'] + '\n'
2789
def engine_ipfrags(lines, ipfrags):
    """IPv4 fragments configuration.

    Looks in ``lines`` for ``deny <proto> any any fragments`` entries for
    TCP, UDP, ICMP and IP and stores each result under the ``tcp`` / ``udp``
    / ``icmp`` / ``ip`` key of ``ipfrags.filtered``.  Any missing entry raises
    ``must_report``, in which case ``ipfrags.filtered`` is replaced by the
    fields of the ``IPfrags`` XML item.

    NOTE(review): the lines are matched anywhere in the configuration, so an
    entry in an ACL that is not applied to any interface still counts.

    :param lines: configuration lines.
    :param ipfrags: finding holder with a ``filtered`` dict.
    :return: the report paragraph or ``''`` when there is nothing to report.
    """
    filtered = ipfrags.filtered
    needles = (
        ('tcp', 'deny tcp any any fragments'),
        ('udp', 'deny udp any any fragments'),
        ('icmp', 'deny icmp any any fragments'),
        ('ip', 'deny ip any any fragments'),
    )
    for key, needle in needles:
        try:
            filtered[key] = search_string(lines, needle)
        except AttributeError:
            pass

    # Every key is looked at, exactly like the four separate checks it replaces.
    missing = [key for key, _ in needles if filtered[key] is None]
    if missing:
        filtered['must_report'] = True

    if filtered['must_report'] != True:
        return ''

    items = search_xml('IPfrags')
    cvssMetrics = str(cvss_score(items[5]))
    ipfrags.filtered = {
        "must_report": True,
        "fixImpact": (items[0]),
        "definition": (items[1]),
        "threatInfo": (items[2]),
        "howtofix": (items[3]),
        "cvss": (cvssMetrics)}
    finding = ipfrags.filtered
    return finding['definition'] + '\n' + finding['threatInfo'] + '\n\n' + finding['howtofix'] + '\n'
2835
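def engine_urpf(lines, urpf, ifaceCfg):
    """URPF IPv4 configuration.

    A routed, non-Loopback interface (one with an ``ip address`` line) that
    has no unicast RPF check is added once to ``urpf.spoofing['candidates']``
    and ``must_report`` is raised.  Both the current
    ``ip verify unicast source reachable-via ...`` and the legacy
    ``ip verify unicast reverse-path`` spellings count as uRPF being enabled.
    When reporting, the ``urpf`` XML item fills the finding and the
    ``[%URPFCandidates]`` placeholder of its how-to-fix text is replaced with
    the candidate list.

    :param lines: configuration lines (not used by this engine).
    :param urpf: finding holder with a ``spoofing`` dict holding
        ``must_report`` and a ``candidates`` list.
    :param ifaceCfg: sequence of interface objects exposing ``name`` and a
        ``configuration`` list of lines.
    :return: the report paragraph, or ``"URPF configuration is OK."`` when
        there is nothing to report.
    """
    spoofing = urpf.spoofing
    # The legacy form was not recognised before, which reported interfaces
    # that already had strict uRPF configured the old way.
    urpfPrefixes = ('ip verify unicast source reachable-via',
                    'ip verify unicast reverse-path')
    for iface in ifaceCfg:
        name = iface.name.strip()
        if 'Loopback' in name:
            continue
        cfg = iface.configuration
        routed = any(line.startswith('ip address') for line in cfg)
        if not routed:
            continue
        if any(line.startswith(urpfPrefixes) for line in cfg):
            continue
        if name not in spoofing['candidates']:
            spoofing['candidates'].append(name)
            spoofing['must_report'] = True

    if not spoofing['must_report']:
        return "URPF configuration is OK."

    items = search_xml('urpf')
    spoofing['fixImpact'] = items[0]
    spoofing['definition'] = items[1]
    spoofing['threatInfo'] = items[2]
    spoofing['howtofix'] = items[3]
    spoofing['cvss'] = str(cvss_score(items[5]))
    if spoofing['candidates']:
        spoofing['howtofix'] = spoofing['howtofix'].strip().replace(
            '[%URPFCandidates]', ", ".join(spoofing['candidates']), 1)
    return (spoofing['definition'] + '\n' + spoofing['threatInfo']
            + '\n\n' + spoofing['howtofix'] + '\n')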
2868
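def engine_urpfv6(lines, urpfv6, ifaceCfg):
    """URPF IPv6 configuration.

    An interface counts as IPv6-enabled when its configuration holds
    ``ipv6 enable`` or an ``ipv6 address`` line.  Each such interface that
    has neither ``ipv6 verify unicast source reachable-via rx|any`` nor
    ``ipv6 verify unicast reverse-path`` is added once to
    ``urpfv6.spoofing['candidates']`` and ``must_report`` is raised.  When
    reporting, the ``urpfv6`` XML item fills the finding and the
    ``[%URPFv6Candidates]`` placeholder of its how-to-fix text is replaced
    with the candidate list.

    :param lines: configuration lines (not used by this engine).
    :param urpfv6: finding holder with a ``spoofing`` dict holding
        ``must_report`` and a ``candidates`` list.
    :param ifaceCfg: sequence of interface objects exposing ``name`` and a
        ``configuration`` list of lines.
    :return: the report paragraph, or ``"URPFv6 configuration is OK."`` when
        there is nothing to report.
    """
    spoofing = urpfv6.spoofing
    for iface in ifaceCfg:
        cfg = iface.configuration
        # 'ipv6 address' enables IPv6 on its own; only 'ipv6 enable' used to
        # be recognised, so addressed interfaces without uRPF went unreported.
        if (search_re_string(cfg, '^ipv6 enable$') is None
                and search_re_string(cfg, '^ipv6 address .*$') is None):
            continue
        if search_re_string(cfg, '^ipv6 verify unicast source reachable-via (rx|any)$') is not None:
            continue
        if search_re_string(cfg, '^ipv6 verify unicast reverse-path$') is not None:
            continue
        name = iface.name.strip()
        # Deduplicate like the IPv4 engine does.
        if name not in spoofing['candidates']:
            spoofing['candidates'].append(name)
        spoofing['must_report'] = True

    if not spoofing['must_report']:
        return "URPFv6 configuration is OK."

    items = search_xml('urpfv6')
    spoofing['fixImpact'] = items[0]
    spoofing['definition'] = items[1]
    spoofing['threatInfo'] = items[2]
    spoofing['howtofix'] = items[3]
    spoofing['cvss'] = str(cvss_score(items[5]))
    if spoofing['candidates']:
        spoofing['howtofix'] = spoofing['howtofix'].strip().replace(
            '[%URPFv6Candidates]', ", ".join(spoofing['candidates']), 1)
    return (spoofing['definition'] + '\n' + spoofing['threatInfo']
            + '\n\n' + spoofing['howtofix'] + '\n')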
2898
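def engine_ipv6(lines, ipv6, aclIPv6, ifaceCfg):
    """IPv6 configuration assessment: RH0, traffic filter.

    Finds an IPv6 ACL in ``aclIPv6`` with a ``deny ipv6 ... routing-type 0``
    entry (the last matching ACL wins), then lists in
    ``ipv6.rh0['Notfiltered']`` every IPv6-enabled interface (``ipv6 enable``
    or ``ipv6 address``) that does not apply it inbound with
    ``ipv6 traffic-filter <acl> in``.  With no such ACL every IPv6-enabled
    interface is unfiltered.  ``no ipv6 source-route`` is looked up in
    ``lines`` and stored under ``cmdInCfg``; the finding is reported, using
    the ``IPv6rh0`` XML item, when that command is absent and at least one
    interface is unfiltered.

    :param lines: configuration lines.
    :param ipv6: finding holder with an ``rh0`` dict holding ``must_report``
        and a ``Notfiltered`` list.
    :param aclIPv6: sequence of ACL objects exposing ``name`` and a
        ``configuration`` list of lines.
    :param ifaceCfg: sequence of interface objects exposing ``name`` and a
        ``configuration`` list of lines.
    :return: the report paragraph or ``''`` when there is nothing to report.
    """
    import re

    rh0 = ipv6.rh0
    ACLv6name = None
    for acl in aclIPv6:
        if search_re_string(acl.configuration, '^deny ipv6 .* routing-type 0$') is not None:
            ACLv6name = acl.name

    # Built once; the ACL name is configuration data, so escape it instead of
    # splicing it raw into the regular expression.
    filterPattern = None
    if ACLv6name is not None:
        filterPattern = '^ipv6 traffic-filter ' + re.escape(ACLv6name.strip()) + ' in$'

    for iface in ifaceCfg:
        cfg = iface.configuration
        if (search_re_string(cfg, '^ipv6 enable$') is None
                and search_re_string(cfg, '^ipv6 address .*$') is None):
            continue
        # With no RH0-denying ACL at all this used to raise AttributeError on
        # ACLv6name.strip(); it now means "nothing filters RH0 on this port".
        if filterPattern is not None and search_re_string(cfg, filterPattern) is not None:
            continue
        rh0['Notfiltered'].append(iface.name.strip())

    try:
        rh0['cmdInCfg'] = search_string(lines, 'no ipv6 source-route')
    except AttributeError:
        pass
    if rh0.get('cmdInCfg') is None and len(rh0['Notfiltered']) >= 1:
        rh0['must_report'] = True

    if not rh0['must_report']:
        return ''

    items = search_xml('IPv6rh0')
    cvssMetrics = str(cvss_score(items[5]))
    ipv6.rh0 = {
        "must_report": True,
        "fixImpact": (items[0]),
        "definition": (items[1]),
        "threatInfo": (items[2]),
        "howtofix": (items[3]),
        "cvss": (cvssMetrics)}
    finding = ipv6.rh0
    return finding['definition'] + '\n' + finding['threatInfo'] + '\n\n' + finding['howtofix'] + '\n'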
2940
def engine_ipsec(lines, ipsec):
    """IPSec configuration assessment: call admission.

    Two Call Admission Control settings are looked up in ``lines``: the IKE
    SA limit (``ipsec.cac_ike``, ``crypto call admission limit ike sa ...``)
    and the resource limit (``ipsec.cac_rsc``, ``call admission limit ...``).
    Each finding dict gets ``cmdInCfg`` set to the matching line (``None``
    when absent), a missing command raises its ``must_report``, and every
    reported finding is replaced by the fields of its XML item
    (``IPSECcac_ike`` / ``IPSECcac_rsc``).

    :param lines: configuration lines.
    :param ipsec: finding holder with ``cac_ike`` and ``cac_rsc`` dicts.
    :return: the concatenated report paragraphs, ``''`` when there is nothing
        to report.
    """
    checks = (
        ('cac_ike', '^crypto call admission limit ike sa .*$', 'IPSECcac_ike'),
        ('cac_rsc', '^call admission limit .*$', 'IPSECcac_rsc'),
    )
    # Phase 1: look each command up in the configuration.
    for attr, pattern, _ in checks:
        try:
            getattr(ipsec, attr)['cmdInCfg'] = search_re_string(lines, pattern)
        except AttributeError:
            pass
    # Phase 2: a missing command is a finding.
    for attr, _, _ in checks:
        if getattr(ipsec, attr)['cmdInCfg'] is None:
            getattr(ipsec, attr)['must_report'] = True
    # Phase 3: fetch the report fields of every finding.
    for attr, _, xmlKey in checks:
        if getattr(ipsec, attr)['must_report'] == True:
            items = search_xml(xmlKey)
            cvssMetrics = str(cvss_score(items[5]))
            setattr(ipsec, attr, {
                "must_report": True,
                "fixImpact": (items[0]),
                "definition": (items[1]),
                "threatInfo": (items[2]),
                "howtofix": (items[3]),
                "cvss": (cvssMetrics)})
    # Phase 4: assemble the text, IKE first.
    parts = []
    for attr, _, _ in checks:
        finding = getattr(ipsec, attr)
        if finding['must_report'] == True:
            parts.append(finding['definition'] + '\n' + finding['threatInfo']
                         + '\n\n' + finding['howtofix'] + '\n')
    return ''.join(parts)
2988
def engine_tclsh(lines, tclsh):
    """TCLShell configuration assessment.

    Looks in ``lines`` for an EEM ``event cli pattern "tclsh" ...`` line and
    keeps it in ``tclsh.shell['cmdInCfg']``.  When it is absent
    ``must_report`` is raised and ``tclsh.shell`` is replaced by the fields
    of the ``tclsh`` XML item.

    :param lines: configuration lines.
    :param tclsh: finding holder with a ``shell`` dict.
    :return: the report paragraph or ``''`` when there is nothing to report.
    """
    shell = tclsh.shell
    try:
        shell['cmdInCfg'] = search_re_string(lines, '^event cli pattern \"tclsh\" .*$')
    except AttributeError:
        pass
    if shell['cmdInCfg'] is None:
        shell['must_report'] = True

    if shell['must_report'] != True:
        return ''

    items = search_xml('tclsh')
    cvssMetrics = str(cvss_score(items[5]))
    tclsh.shell = {
        "must_report": True,
        "fixImpact": (items[0]),
        "definition": (items[1]),
        "threatInfo": (items[2]),
        "howtofix": (items[3]),
        "cvss": (cvssMetrics)}
    finding = tclsh.shell
    return finding['definition'] + '\n' + finding['threatInfo'] + '\n\n' + finding['howtofix'] + '\n'
3015 3016
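def engine_tcp(lines, tcp):
    """TCP synwait configuration.

    Looks for ``ip tcp synwait-time <seconds>`` in ``lines`` and keeps the
    matching line in ``tcp.synwait['cmdInCfg']``.  A missing command, an
    unparsable value or a value above 15 seconds raises ``must_report``; a
    value of 15 or less clears it.  When reporting, ``tcp.synwait`` is
    replaced by the fields of the ``tcpsynwait`` XML item.

    :param lines: configuration lines.
    :param tcp: finding holder with a ``synwait`` dict.
    :return: the report paragraph or ``''`` when there is nothing to report.
    """
    synwait = tcp.synwait
    try:
        synwait['cmdInCfg'] = search_re_string(lines, '^ip tcp synwait-time .*$')
    except AttributeError:
        pass

    cmd = synwait.get('cmdInCfg')
    if cmd is None:
        synwait['must_report'] = True
    else:
        # 'ip tcp synwait-time <seconds>': the value is the fourth token.  The
        # timer used to be read from the dict object itself, which raised
        # AttributeError whenever the command was present.
        fields = cmd.split()
        try:
            timer = int(fields[3])
        except (IndexError, ValueError):
            # A line that cannot be parsed cannot be shown compliant: report it.
            synwait['must_report'] = True
        else:
            synwait['must_report'] = timer > 15

    if not synwait['must_report']:
        return ''

    items = search_xml('tcpsynwait')
    cvssMetrics = str(cvss_score(items[5]))
    tcp.synwait = {
        "must_report": True,
        "fixImpact": (items[0]),
        "definition": (items[1]),
        "threatInfo": (items[2]),
        "howtofix": (items[3]),
        "cvss": (cvssMetrics)}
    finding = tcp.synwait
    return finding['definition'] + '\n' + finding['threatInfo'] + '\n\n' + finding['howtofix'] + '\n'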
3049
def engine_netflow(lines, netflow, ifaceCfg):
    """Netflow configuration assessment.

    ``netflow.v9_security['interfacegress']`` is set when any interface has
    ``ip flow ingress`` or ``ip flow egress``.  Only then are the seven
    ``ip flow-capture ...`` options looked up in ``lines`` (stored under
    ``fragoffset``, ``icmp``, ``ipid``, ``macaddr``, ``packetlen``, ``ttl``
    and ``vlid``) and any missing option raises ``must_report``.  The report
    uses the ``netflowV9`` XML item: the how-to-fix text is the configuration
    fix (item 3) when ``__builtin__.iosVersion`` is at least 12.42 and the
    upgrade advice (item 4) below that.

    :param lines: configuration lines.
    :param netflow: finding holder with a ``v9_security`` dict.
    :param ifaceCfg: sequence of interface objects with a ``configuration``
        list of lines.
    :return: the report paragraph or ``''`` when there is nothing to report.
    """
    v9 = netflow.v9_security
    for iface in ifaceCfg:
        if search_re_string(iface.configuration, '^ip flow (ingress|egress)$') is not None:
            v9['interfacegress'] = True

    captures = (
        ('fragoffset', '^ip flow-capture fragment-offset$'),
        ('icmp', '^ip flow-capture icmp$'),
        ('ipid', '^ip flow-capture ip-id$'),
        ('macaddr', '^ip flow-capture mac-addresses$'),
        ('packetlen', '^ip flow-capture packet-length$'),
        ('ttl', '^ip flow-capture ttl$'),
        ('vlid', '^ip flow-capture vlan-id$'),
    )
    if v9['interfacegress'] == True:
        for key, pattern in captures:
            try:
                v9[key] = search_re_string(lines, pattern)
            except AttributeError:
                pass
        # Short-circuits on the first missing option, like the 'or' chain it replaces.
        if any(v9[key] is None for key, _ in captures):
            v9['must_report'] = True

    if v9['must_report'] != True:
        return ''

    items = search_xml('netflowV9')
    # Item 3 is the configuration fix; item 4 tells the reader to upgrade first.
    howtofixIndex = 3 if __builtin__.iosVersion >= 12.42 else 4
    cvssMetrics = str(cvss_score(items[5]))
    netflow.v9_security = {
        "must_report": True,
        "fixImpact": (items[0]),
        "definition": (items[1]),
        "threatInfo": (items[2]),
        "howtofix": (items[howtofixIndex]),
        "cvss": (cvssMetrics)}
    finding = netflow.v9_security
    return finding['definition'] + '\n' + finding['threatInfo'] + '\n\n' + finding['howtofix'] + '\n'
3117
def engine_qos(lines, qos, ifaceCfg):
    """QoS configuration assessment. Not ready.

    Placeholder engine: nothing is assessed yet, so there is never anything
    to report.

    :param lines: configuration lines (unused).
    :param qos: finding holder (unused).
    :param ifaceCfg: interface configuration objects (unused).
    :return: always ``''``.
    """
    return ''
3122