3 __docformat__ = 'restructuredtext'
4 __version__ = '$Id$'
5
6 import __builtin__
7 from routerdefense.common import *
8
9 from xml import *
10
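class genericInfo:
    """Generic configuration information storage.

    Holds the facts read from a Cisco IOS configuration: IOS version,
    hostname, switching method, multicast, IPv6, QoS and IPsec state.
    """

    # NOTE(review): the `class` and `def __init__` lines are missing from the
    # listing (gutter lines 11 and 13); they are restored from the
    # `genericInfo()` call further down - confirm against the repository.
    def __init__(self):
        """Set every stored fact to None until a configuration is parsed."""
        self.iosVersion = None
        self.hostName = None
        self.switchingMethod = None
        self.multicast = None
        self.ipv6 = None
        # qos and ipsec are assigned by the code that fills this object but
        # were never declared here; a fresh instance now exposes them too
        # instead of raising AttributeError when they are read early.
        self.qos = None
        self.ipsec = None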
20
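# NOTE(review): the `def` line of this function is missing from the listing
# (gutter line 21) and the indentation was lost; the body only reads `lines`,
# so that is presumably its single parameter - confirm against the repository.
    """Collect the generic facts of a Cisco IOS configuration.

    Reads the hostname, the IOS version, the switching method and the
    multicast, QoS, IPv6 and IPsec state from `lines` and returns them in a
    genericInfo object.

    Raises:
        ValueError: no hostname or version value could be parsed.
    """
    genericCfg = genericInfo()
    genericCfg.switchingMethod = "Unknown"
    genericCfg.hostName = "Unknown"
    genericCfg.iosVersion = "Unknown"
    try:
        genericCfg.hostName = search_string(lines, 'hostname').split(' ', 1)[1]
        genericCfg.iosVersion = search_string(lines, 'version').split(' ', 1)[1]
    except (AttributeError, IndexError):
        # Python 2.6 and later reject a string exception with a TypeError, so
        # the message never reached the caller; a real exception carries it.
        # A line holding the keyword but no value is handled the same way.
        raise ValueError("No hostname nor version detected in the configuration file.")

    # The three tests run in order and a later match overrides an earlier one.
    # NOTE(review): if search_string matches substrings, a 'no ip route-cache'
    # line also satisfies the 'ip route-cache' test and the device is then
    # reported as "Fast switching" - confirm how search_string matches.
    if search_string(lines, 'ip cef') is not None:
        genericCfg.switchingMethod = "CEF"
    if search_string(lines, 'no ip route-cache') is not None:
        genericCfg.switchingMethod = "Process switching (CPU)"
    if search_string(lines, 'ip route-cache') is not None:
        genericCfg.switchingMethod = "Fast switching"

    if search_string(lines, 'ip multicast-routing') is not None:
        genericCfg.multicast = "Enabled"
    else:
        genericCfg.multicast = "Disabled"

    # The RSVP pattern was spelled 'bandwith' and so never matched the IOS
    # command `ip rsvp bandwidth`; QoS configured only through RSVP was
    # recorded as "Disabled".
    qosFound = (search_string(lines, 'mls qos') is not None
                or search_re_string(lines, r'^ip rsvp bandwidth .*$') is not None)
    if qosFound:
        genericCfg.qos = "Enabled"
    else:
        genericCfg.qos = "Disabled"

    if search_string(lines, 'ipv6 unicast-routing') is not None:
        genericCfg.ipv6 = "Enabled"
    else:
        genericCfg.ipv6 = "Disabled"

    if search_re_string(lines, r'^crypto map \w+$') is not None:
        genericCfg.ipsec = "Enabled"
    else:
        genericCfg.ipsec = "Disabled"

    return genericCfg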
57
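# NOTE(review): the `def` line is missing from the listing (gutter line 58);
# the name and the single parameter are restored from the body and from the
# `Checkexec_timeout(...)` calls elsewhere in this file.
def Checkexec_timeout(timeout):
    """Detect if the session timeout is disabled or too large.

    `timeout` is the exec-timeout in seconds (the callers compute it as
    minutes * 60 + seconds). Zero or a negative value, and 180 or more, are
    both rejected.

    Returns True when the value is compliant, False otherwise.
    """
    from numbers import Real

    # Fail closed: anything that is not a number (None, or the whole
    # exec_timeout dict that some callers pass instead of its 'cmdInCfg'
    # value) is non-compliant. Python 2 gave the same answer by ordering
    # mixed types; Python 3 would raise TypeError on the comparison.
    if not isinstance(timeout, Real):
        return False
    return 0 < timeout < 180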
66
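# NOTE(review): the `def` line of this function is missing from the listing
# (gutter line 67) and the indentation was lost; the nesting below is restored
# from the control flow. The body reads `consoleCfg`, `con0` and `lines`.
    """Console port assessment.

    Looks up `exec-timeout`, `privilege 0` and `login local` in `consoleCfg`,
    records the outcome on `con0` and returns the report text (definition,
    threat information and fix) of every finding that must be reported.
    """
    def _finding(items):
        # Report entry built from the fields returned by search_xml().
        cvssMetrics = str(cvss_score(items[5]))
        return {
            "must_report": True,
            "fixImpact": (items[0]),
            "definition": (items[1]),
            "threatInfo": (items[2]),
            "howtofix": (items[3]),
            "upgrade": (items[4]),
            "cvss": (cvssMetrics)}

    try:
        fields = search_string(consoleCfg, 'exec-timeout').split(' ', 3)
        # The line is read as "exec-timeout <minutes> <seconds>" and stored
        # as a number of seconds.
        con0.exec_timeout['cmdInCfg'] = int(fields[2]) + int(fields[1]) * 60
    except AttributeError:
        # search_string returned None: no exec-timeout line on the console.
        con0.exec_timeout['cmdInCfg'] = None

    try:
        con0.privilegezero['cmdInCfg'] = search_string(consoleCfg, 'privilege 0')
        con0.privilegezero['loginlocal'] = search_string(consoleCfg, 'login local')
    except AttributeError:
        con0.privilegezero['cmdInCfg'] = None

    if con0.privilegezero['cmdInCfg'] is not None:
        con0.privilegezero['must_report'] = False
    elif con0.privilegezero['loginlocal'] is None:
        con0.privilegezero = _finding(search_xml('consoleprivilegezero'))
    else:
        # `login local` is set: accept it only when a local account is
        # itself limited to privilege 0.
        try:
            con0.privilegezero['globalusername'] = search_re_string(lines, '^username .* privilege 0$')
        except AttributeError:
            pass
        if con0.privilegezero['globalusername'] is None:
            con0.privilegezero = _finding(search_xml('consoleprivilegezero'))
        else:
            con0.privilegezero['must_report'] = False

    if con0.exec_timeout['cmdInCfg'] is not None:
        # The listing first called Checkexec_timeout() on the whole dict and
        # discarded the result; only the call on the parsed value is kept.
        items = search_xml('consoleExecTimeout')
        if Checkexec_timeout(con0.exec_timeout['cmdInCfg']) == False:
            con0.exec_timeout = _finding(items)
        else:
            con0.exec_timeout['must_report'] = False
    else:
        con0.exec_timeout = _finding(search_xml('consoleExecTimeout'))

    # NOTE(review): this keeps the credential field of the console `password`
    # line in memory (presumably the type-7 or clear-text value); keep it out
    # of logs and reports. A line with fewer than three fields raises an
    # uncaught IndexError here - confirm the format search_string returns.
    try:
        con0.password = search_string(consoleCfg, 'password').split(' ',2)[2]
    except AttributeError:
        con0.password = None

    toBeReturned = ''
    for finding in (con0.privilegezero, con0.exec_timeout):
        if finding['must_report'] == True:
            toBeReturned = toBeReturned + finding['definition'] + '\n' + finding['threatInfo'] + '\n\n' + finding['howtofix'] + '\n'
    return toBeReturned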
150
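# NOTE(review): the `def` line of this function is missing from the listing
# (gutter line 151) and the indentation was lost; the nesting below is
# restored from the control flow. The body reads `auxCfg` and `aux0`.
    """Auxiliary port assessment.

    Looks up `exec-timeout`, `transport input none`, `transport output none`
    and `no exec` in `auxCfg`, records the outcome on `aux0` and returns the
    report text of every finding that must be reported.
    """
    def _finding(items, with_upgrade=False):
        # Report entry built from the fields returned by search_xml().
        cvssMetrics = str(cvss_score(items[5]))
        entry = {
            "must_report": True,
            "fixImpact": (items[0]),
            "definition": (items[1]),
            "threatInfo": (items[2]),
            "howtofix": (items[3]),
            "cvss": (cvssMetrics)}
        if with_upgrade:
            entry["upgrade"] = (items[4])
        return entry

    # (aux0 attribute, hardening command expected in the configuration,
    #  finding id passed to search_xml)
    plainChecks = (
        ('transport_input', 'transport input none', 'auxTransportInput'),
        ('transport_output', 'transport output none', 'auxTransportOutput'),
        ('noExec', 'no exec', 'auxNoExec'),
    )

    try:
        fields = search_string(auxCfg, 'exec-timeout').split(' ', 3)
        # Read as "exec-timeout <minutes> <seconds>", stored as seconds.
        aux0.exec_timeout['cmdInCfg'] = int(fields[2]) + int(fields[1]) * 60
    except AttributeError:
        # search_string returned None: no exec-timeout line on the aux port.
        aux0.exec_timeout['cmdInCfg'] = None

    for attr, command, _xmlId in plainChecks:
        try:
            getattr(aux0, attr)['cmdInCfg'] = search_string(auxCfg, command)
        except AttributeError:
            getattr(aux0, attr)['cmdInCfg'] = None

    items = search_xml('auxExecTimeout')
    if aux0.exec_timeout['cmdInCfg'] is None:
        aux0.exec_timeout = _finding(items)
    # The listing passed the whole exec_timeout dict to Checkexec_timeout(),
    # so the parsed value was never examined; and it set must_report to True
    # in the compliant branch, so the finding was raised for every device.
    elif Checkexec_timeout(aux0.exec_timeout['cmdInCfg']) == False:
        aux0.exec_timeout = _finding(items, with_upgrade=True)
    else:
        aux0.exec_timeout['must_report'] = False

    for attr, _command, xmlId in plainChecks:
        if getattr(aux0, attr)['cmdInCfg'] is not None:
            getattr(aux0, attr)['must_report'] = False
        else:
            setattr(aux0, attr, _finding(search_xml(xmlId)))

    # NOTE(review): this keeps the credential field of the aux `password`
    # line in memory; keep it out of logs and reports.
    try:
        aux0.password = search_string(auxCfg, 'password').split(' ',2)[2]
    except AttributeError:
        aux0.password = None

    toBeReturned = ''
    for finding in (aux0.exec_timeout, aux0.transport_input,
                    aux0.transport_output, aux0.noExec):
        if finding['must_report'] == True:
            toBeReturned = toBeReturned + finding['definition'] + '\n' + finding['threatInfo'] + '\n\n' + finding['howtofix'] + '\n'

    return toBeReturned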
252
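# NOTE(review): the `def` line of this function is missing from the listing
# (gutter line 253) and the indentation was lost; the nesting below is
# restored from the control flow. The body reads `vtyCfg` and `vty`.
    """VTY sessions assessment.

    Checks the vty lines for an exec-timeout, for transports limited to SSH
    or none, and for inbound IPv4 / IPv6 access classes; records the outcome
    on `vty` and returns the report text of every finding to be reported.
    """
    def _howtofix(text):
        # Fill the vty line numbers into the remediation text.
        return text.strip().replace('[%vtySessionNumbers]', " ".join(vty.sessionNumbers), 2)

    def _finding(items, howtofix=None, with_upgrade=False):
        # Report entry built from the fields returned by search_xml().
        cvssMetrics = str(cvss_score(items[5]))
        if howtofix is None:
            howtofix = _howtofix(items[3])
        entry = {
            "must_report": True,
            "fixImpact": (items[0]),
            "definition": (items[1]),
            "threatInfo": (items[2]),
            "howtofix": howtofix,
            "cvss": (cvssMetrics)}
        if with_upgrade:
            entry["upgrade"] = (items[4])
        return entry

    try:
        fields = search_string(vtyCfg, 'exec-timeout').split(' ', 3)
        # Read as "exec-timeout <minutes> <seconds>", stored as seconds.
        vty.exec_timeout['cmdInCfg'] = int(fields[2]) + int(fields[1]) * 60
    except AttributeError:
        # search_string returned None: no exec-timeout line on the vty lines.
        vty.exec_timeout['cmdInCfg'] = None

    regexChecks = (
        ('transport_input', '^transport input (ssh|none)$'),
        ('transport_output', '^transport output (ssh|none)$'),
        ('ipv4_access_class', 'access-class .* in$'),
    )
    for attr, pattern in regexChecks:
        try:
            getattr(vty, attr)['cmdInCfg'] = search_re_string(vtyCfg, pattern)
        except AttributeError:
            getattr(vty, attr)['cmdInCfg'] = None

    ipv6Enabled = __builtin__.genericCfg.ipv6 == "Enabled"
    if ipv6Enabled:
        try:
            vty.ipv6_access_class['cmdInCfg'] = search_re_string(vtyCfg, '^ipv6 access-class .* in$')
        except AttributeError:
            vty.ipv6_access_class['cmdInCfg'] = None

    items = search_xml('vtyExecTimeout')
    if vty.exec_timeout['cmdInCfg'] is None:
        vty.exec_timeout = _finding(items)
    # The listing passed the whole exec_timeout dict to Checkexec_timeout(),
    # so the parsed value was never examined.
    elif Checkexec_timeout(vty.exec_timeout['cmdInCfg']) == False:
        vty.exec_timeout = _finding(items, with_upgrade=True)
    else:
        vty.exec_timeout['must_report'] = False

    for attr, xmlId in (('transport_input', 'vtyTransportInput'),
                        ('transport_output', 'vtyTransportOutput')):
        if getattr(vty, attr)['cmdInCfg'] is not None:
            getattr(vty, attr)['must_report'] = False
        else:
            setattr(vty, attr, _finding(search_xml(xmlId)))

    if vty.ipv4_access_class['cmdInCfg'] is None:
        vty.ipv4_access_class = _finding(search_xml('vtyIPv4AccessClass'))
    else:
        accessListNumber = vty.ipv4_access_class['cmdInCfg'].split(' ')[1]
        # NOTE(review): the ACL is looked up in vtyCfg; access lists are
        # normally defined in the global configuration - confirm that vtyCfg
        # contains them, otherwise this branch always reports.
        verifStdACL = check_std_acl(vtyCfg, accessListNumber)
        verifExtACL = False
        if verifStdACL == False:
            verifExtACL = check_extd_acl(vtyCfg, accessListNumber)

        # The listing tested verifStdACL twice, so a valid extended ACL was
        # never accepted.
        if verifStdACL == True or verifExtACL == True:
            vty.ipv4_access_class['must_report'] = False
        else:
            try:
                mgmtSubnet = __builtin__.ipv4_mgmt_outbound[0][0]
            except TypeError:
                mgmtSubnet = ""
            try:
                mgmtWildcardMask = __builtin__.ipv4_mgmt_outbound[0][3]
            except TypeError:
                mgmtWildcardMask = ""

            items = search_xml('vtyIPv4AccessClass')
            # The listing wrote "howtofix" three times in one dict literal;
            # only the last value survived and the management subnet and
            # wildcard mask were never filled in. The replacements are
            # chained so that all three placeholders are substituted.
            howtofix = items[3].strip().replace('[%ManagementSubnet]', mgmtSubnet, 1)
            howtofix = howtofix.replace('[%ManagementWildcardMask]', mgmtWildcardMask, 1)
            howtofix = howtofix.replace('[%vtySessionNumbers]', " ".join(vty.sessionNumbers), 2)
            vty.ipv4_access_class = _finding(items, howtofix=howtofix)

    # The listing had this test inverted: it reported the finding when an
    # IPv6 access class was present and stayed silent when it was missing.
    # A missing access class only matters when IPv6 routing is enabled.
    if ipv6Enabled and vty.ipv6_access_class['cmdInCfg'] is None:
        vty.ipv6_access_class = _finding(search_xml('vtyIPv6AccessClass'))
    else:
        vty.ipv6_access_class['must_report'] = False

    # NOTE(review): this keeps the credential field of the vty `password`
    # line in memory; keep it out of logs and reports.
    try:
        vty.password = search_string(vtyCfg, 'password').split(' ',2)[2]
    except AttributeError:
        vty.password = None

    toBeReturned = ''
    for finding in (vty.exec_timeout, vty.transport_input, vty.transport_output,
                    vty.ipv4_access_class, vty.ipv6_access_class):
        if finding['must_report'] == True:
            toBeReturned = toBeReturned + finding['definition'] + '\n' + finding['threatInfo'] + '\n\n' + finding['howtofix'] + '\n'

    return toBeReturned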
408
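# NOTE(review): the `def` line of this function is missing from the listing
# (gutter line 409) and the indentation was lost. The body reads `bannerMotd`,
# `bannerType`, `motd`, `banLogin` and `banExec`; each pair of report tests is
# assumed to belong to its own `if bannerType == N` branch - confirm against
# the repository.
    """MOTD, EXEC and LOGIN banner assessment.

    `bannerType` selects the banner: 0 is MOTD, 1 is LOGIN, 2 is EXEC. An
    empty banner is reported, and so is a banner that contains the device
    hostname. Returns the report text of the findings to be reported.
    """
    def _finding(xmlId):
        # Report entry built from the fields returned by search_xml().
        items = search_xml(xmlId)
        cvssMetrics = str(cvss_score(items[5]))
        return {
            "must_report": True,
            "fixImpact": (items[0]),
            "definition": (items[1]),
            "threatInfo": (items[2]),
            "howtofix": (items[3]),
            "cvss": (cvssMetrics)}

    def _report(finding):
        # Every entry ends with a newline. The LOGIN entries lacked it in the
        # listing, so two LOGIN findings ran together on one line.
        return finding['definition'] + '\n' + finding['threatInfo'] + '\n\n' + finding['howtofix'] + '\n'

    toBeReturned = ''
    if bannerType == 0:
        if len(bannerMotd) == 0:
            motd.configured = _finding('bannerMOTDconfigured')
        elif search_string(bannerMotd, __builtin__.genericCfg.hostName) is not None:
            motd.device_hostname = _finding('bannerMOTDhostnameIncluded')
        if motd.configured['must_report'] == True:
            toBeReturned = _report(motd.configured)
        if motd.device_hostname['must_report'] == True:
            toBeReturned = toBeReturned + _report(motd.device_hostname)

    if bannerType == 1:
        if len(bannerMotd) == 0:
            banLogin.configured = _finding('bannerLOGINconfigured')
        elif search_string(bannerMotd, __builtin__.genericCfg.hostName) is not None:
            banLogin.device_hostname = _finding('bannerLOGINhostnameIncluded')
        if banLogin.configured['must_report'] == True:
            toBeReturned = toBeReturned + _report(banLogin.configured)
        if banLogin.device_hostname['must_report'] == True:
            toBeReturned = toBeReturned + _report(banLogin.device_hostname)

    if bannerType == 2:
        if len(bannerMotd) == 0:
            banExec.configured = _finding('bannerEXECconfigured')
        elif search_string(bannerMotd, __builtin__.genericCfg.hostName) is not None:
            banExec.device_hostname = _finding('bannerEXEChostnameIncluded')
        if banExec.configured['must_report'] == True:
            toBeReturned = toBeReturned + _report(banExec.configured)
        if banExec.device_hostname['must_report'] == True:
            toBeReturned = toBeReturned + _report(banExec.device_hostname)

    return toBeReturned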
495
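# NOTE(review): the `def` line of this function is missing from the listing
# (gutter line 496) and the indentation was lost. The body reads `lines` and
# `services`.
    """Generic services assessment: password recovery, tcp/udp small servers, finger, bootp, ...

    For each service the expected hardening command is searched in `lines`.
    When it is found the entry on `services` gets must_report = False;
    otherwise the entry is replaced by a report entry. Returns the report
    text of every finding that must be reported.
    """
    # NOTE(review): IOS releases are compared as floats (12.314, 12.228,
    # 12.15, 12.0). Float order is not release order if a release such as
    # 12.4 is stored as 12.4, and `__builtin__.iosVersion` is set outside
    # this listing - confirm how it is derived.
    #
    # (services attribute, command expected in the configuration, finding id,
    #  test on the IOS version: items[3] is the fix when it holds, items[4]
    #  otherwise; None means items[3] is always used)
    checks = (
        ('pwd_recovery', 'no service password-recovery', 'pwdRecovery', lambda v: v >= 12.314),
        ('tcp_small_servers', 'no service tcp-small-servers', 'tcpSmallServers', lambda v: v <= 12.0),
        ('udp_small_servers', 'no service udp-small-servers', 'udpSmallServers', lambda v: v <= 12.0),
        ('service_finger', 'no service finger', 'serviceFinger', lambda v: v <= 12.15),
        ('service_bootps', 'no ip bootp server', 'serviceBootpServer', None),
        ('service_tcpkeepalive_in', 'service tcp-keepalive-in', 'serviceTcpKeepAliveIn', None),
        ('service_tcpkeepalive_out', 'service tcp-keepalive-out', 'serviceTcpKeepAliveOut', None),
        ('service_ipdhcpboot_ignore', 'ip dhcp bootp ignore', 'serviceIpDhcpBootIgnore', lambda v: v <= 12.228),
        ('service_dhcp', 'no service dhcp', 'serviceDhcp', None),
        # The listing searched for 'no service_mop enabled', which is not an
        # IOS command, so the MOP finding was raised for every device; the
        # command that disables MOP is 'no mop enabled'.
        ('service_mop', 'no mop enabled', 'Mop', None),
        ('ip_domain_lookup', 'no ip domain-lookup', 'ipDomainLookup', None),
        ('service_pad', 'no service pad', 'servicePad', None),
        ('service_http_server', 'no ip http server', 'serviceHttpServer', None),
        ('service_https_server', 'no ip http secure-server', 'serviceHttpsServer', None),
        ('service_config', 'no service config', 'serviceConfig', None),
    )

    for attr, command, xmlId, firstFixApplies in checks:
        state = getattr(services, attr)
        try:
            state['cmdInCfg'] = search_string(lines, command)
        except AttributeError:
            pass

        if state['cmdInCfg'] is not None:
            state['must_report'] = False
            continue

        items = search_xml(xmlId)
        howtofixIndex = 3
        if firstFixApplies is not None and not firstFixApplies(__builtin__.iosVersion):
            howtofixIndex = 4
        cvssMetrics = str(cvss_score(items[5]))
        setattr(services, attr, {
            "must_report": True,
            "fixImpact": (items[0]),
            "definition": (items[1]),
            "threatInfo": (items[2]),
            "howtofix": (items[howtofixIndex]),
            "cvss": (cvssMetrics)})

    # The report keeps the order of the checks above.
    toBeReturned = ''
    for attr, _command, _xmlId, _firstFixApplies in checks:
        finding = getattr(services, attr)
        if finding['must_report'] == True:
            toBeReturned = toBeReturned + finding['definition'] + '\n' + finding['threatInfo'] + '\n\n' + finding['howtofix'] + '\n'

    return toBeReturned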
853
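"""Memory and CPU configuration assessment.

Checks ``lines`` for the scheduler, memory-threshold, memory-reservation,
memory-overflow and CPU-threshold commands, stores the outcome of each
check on ``memCpu`` and returns the report text (definition, threat
information and fix) of every finding whose ``must_report`` flag is set.
"""

def _capture(name, key, needle, finder):
    # Store the lookup result on the named finding. AttributeError is
    # swallowed exactly as the original inline try/except blocks did.
    try:
        getattr(memCpu, name)[key] = finder(lines, needle)
    except AttributeError:
        pass

def _finding(xmlKey, minVersion=None):
    # Build the record that replaces a finding once it must be reported.
    # items[3] is the fix text when there is no version gate or the device
    # meets minVersion; items[4] is used for older releases.
    # NOTE(review): the gate compares __builtin__.iosVersion with a float
    # literal; how the release is encoded is not visible here -- confirm
    # that multi-digit maintenance releases order correctly as floats.
    items = search_xml(xmlKey)
    if minVersion is None or __builtin__.iosVersion >= minVersion:
        fixIndex = 3
    else:
        fixIndex = 4
    cvssMetrics = str(cvss_score(items[5]))
    return {
        "must_report": True,
        "fixImpact": items[0],
        "definition": items[1],
        "threatInfo": items[2],
        "howtofix": items[fixIndex],
        "cvss": cvssMetrics}

# Scheduler checks search for the command together with these exact
# parameter values, so a configuration using other values is presumably
# reported as well -- verify against search_string.
schedulerChecks = (
    ('scheduler_allocate', 'scheduler allocate 4000 400', 'schedulerallocate'),
    ('scheduler_interval', 'scheduler interval 500', 'schedulerinterval'),
)
for name, needle, xmlKey in schedulerChecks:
    _capture(name, 'cmdInCfg', needle, search_string)
    if getattr(memCpu, name)['cmdInCfg'] is None:
        getattr(memCpu, name)['must_report'] = True
for name, needle, xmlKey in schedulerChecks:
    if getattr(memCpu, name)['must_report'] == True:
        setattr(memCpu, name, _finding(xmlKey))

# Presence checks whose fix text depends on the IOS release.
versionedChecks = (
    ('low_watermark_processor', 'memory free low-watermark processor', 'lowWatermarkProcessor', 12.34),
    ('low_watermark_io', 'memory free low-watermark io', 'lowWatermarkIo', 12.34),
    ('mem_reserve_critical', 'memory reserve critical', 'memReserveCritical', 12.34),
    ('mem_reserve_console', 'memory reserve console', 'memReserveConsole', 12.34),
    ('mem_ignore_overflow_io', 'exception memory ignore overflow io', 'memOverflowIo', 12.38),
    ('mem_ignore_overflow_cpu', 'exception memory ignore overflow processor', 'memOverflowProcessor', 12.38),
)
for name, needle, xmlKey, minVersion in versionedChecks:
    _capture(name, 'cmdInCfg', needle, search_string)
    if getattr(memCpu, name)['cmdInCfg'] is not None:
        getattr(memCpu, name)['must_report'] = False
    else:
        setattr(memCpu, name, _finding(xmlKey, minVersion))

# CPU threshold notification needs all four commands; any one missing
# raises a single finding.
cpuLookups = (
    ('cmdSnmpserverTraps', 'snmp-server enable traps cpu threshold', search_string),
    ('cmdSnmpserverHost', 'snmp-server host .* .* cpu', search_re_string),
    ('cmdCpuThreshold', 'process cpu threshold type .* rising .* interval', search_re_string),
    ('cmdCpuStats', 'process cpu statistics limit entry-percentage .*', search_re_string),
)
for key, needle, finder in cpuLookups:
    _capture('cpu_threshold_notice', key, needle, finder)
if all(memCpu.cpu_threshold_notice[key] is not None for key, _needle, _finder in cpuLookups):
    memCpu.cpu_threshold_notice['must_report'] = False
else:
    memCpu.cpu_threshold_notice = _finding('cpuThresholdNotification', 12.34)

# Every finding is appended. The original assigned (instead of appending)
# the low_watermark_processor entry, which silently dropped the two
# scheduler findings from the report whenever that entry was reported.
reportOrder = (
    'scheduler_allocate',
    'scheduler_interval',
    'low_watermark_processor',
    'low_watermark_io',
    'mem_reserve_critical',
    'mem_reserve_console',
    'mem_ignore_overflow_io',
    'mem_ignore_overflow_cpu',
    'cpu_threshold_notice',
)
toBeReturned = ''
for name in reportOrder:
    finding = getattr(memCpu, name)
    if finding['must_report'] == True:
        toBeReturned = toBeReturned + finding['definition'] + '\n' + finding['threatInfo'] + '\n\n' + finding['howtofix'] + '\n'

return toBeReturned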
1135
"""Crashinfo generation configuration assessment.

Reports a finding when ``lines`` holds no
'exception crashinfo maximum files' command; only the presence of the
command is tested, not the value configured with it. Returns the report
text for the finding, or an empty string when nothing is reported.
"""
try:
    crashinfo.crashinfo_max_files['cmdInCfg'] = search_string(
        lines, 'exception crashinfo maximum files')
except AttributeError:
    pass

if crashinfo.crashinfo_max_files['cmdInCfg'] is None:
    # Command absent: replace the record with the knowledge-base entry.
    xmlEntry = search_xml('ExceptionMaximumFiles')
    score = str(cvss_score(xmlEntry[5]))
    crashinfo.crashinfo_max_files = {
        "must_report": True,
        "fixImpact": xmlEntry[0],
        "definition": xmlEntry[1],
        "threatInfo": xmlEntry[2],
        "howtofix": xmlEntry[3],
        "cvss": score}
else:
    crashinfo.crashinfo_max_files['must_report'] = False

finding = crashinfo.crashinfo_max_files
if finding['must_report'] != True:
    return ''
return finding['definition'] + '\n' + finding['threatInfo'] + '\n\n' + finding['howtofix'] + '\n'
1160
1162 """Management plane protection assessment."""
1163
# No VTY lines: clear three flags and stop.
# NOTE(review): both early exits below return None, while the end of the
# function returns a string -- callers have to handle both.
# mpp.sshserver is written only in these early-exit paths; the SSH checks
# further down use ssh_server_timeout / ssh_server_auth_retries /
# ssh_server_src_interface instead.
1164 if len(vtyList) == 0:
1165
1166 mpp.mgmt_interfaces['must_report'] = False
1167 mpp.sshserver['must_report'] = False
1168 mpp.scp_server['must_report'] = False
1169 return
1170
# NOTE(review): the function returns on the first VTY entry that matches
# 'transport input none'. As the nesting reads in this listing, the other
# VTY blocks are not examined, so a device where only some lines disable
# remote input would skip every check below -- confirm this is intended.
1171 for i in range(0, len(vtyCfg)):
1172 for k in range (0, len(vtyCfg[i])):
1173 if search_string(vtyCfg[i][k], 'transport input none') is not None:
1174 mpp.mgmt_interfaces['must_report'] = False
1175 mpp.sshserver['must_report'] = False
1176 mpp.scp_server['must_report'] = False
1177 return
# Management Plane Protection lookups, gated on the device type being
# 'router': a 'control-plane host' line and a
# 'management-interface ... allow ...' line.
1178 if __builtin__.deviceType == 'router':
1179 try:
1180 mpp.mgmt_interfaces['cpHostCfg'] = search_string(lines, 'control-plane host')
1181 except AttributeError:
1182 pass
1183 try:
1184 mpp.mgmt_interfaces['mgmtIfaceCfg'] = search_re_string(lines, 'management-interface .* allow .*')
1185 except AttributeError:
1186 pass
1187
# All four reporting branches below load the same XML entry; they differ
# only in the fix text: items[3] when iosVersion >= 12.46, items[4]
# otherwise.
# NOTE(review): iosVersion is compared with a float literal; how the
# release is encoded is not visible here -- confirm the ordering holds.
1188 if mpp.mgmt_interfaces['cpHostCfg'] is not None:
1189 if mpp.mgmt_interfaces['mgmtIfaceCfg'] is not None:
1190 mpp.mgmt_interfaces['must_report'] = False
1191 else:
1192 if __builtin__.iosVersion >= 12.46:
1193 items = search_xml('ManagementPlaneProtection')
1194 cvssMetrics = str(cvss_score(items[5]))
1195 mpp.mgmt_interfaces = {
1196 "must_report": True,
1197 "fixImpact": (items[0]),
1198 "definition": (items[1]),
1199 "threatInfo": (items[2]),
1200 "howtofix": (items[3]),
1201 "cvss": (cvssMetrics)}
1202 else:
1203 items = search_xml('ManagementPlaneProtection')
1204 cvssMetrics = str(cvss_score(items[5]))
1205 mpp.mgmt_interfaces = {
1206 "must_report": True,
1207 "fixImpact": (items[0]),
1208 "definition": (items[1]),
1209 "threatInfo": (items[2]),
1210 "howtofix": (items[4]),
1211 "cvss": (cvssMetrics)}
1212 else:
1213 if __builtin__.iosVersion >= 12.46:
1214 items = search_xml('ManagementPlaneProtection')
1215 cvssMetrics = str(cvss_score(items[5]))
1216 mpp.mgmt_interfaces = {
1217 "must_report": True,
1218 "fixImpact": (items[0]),
1219 "definition": (items[1]),
1220 "threatInfo": (items[2]),
1221 "howtofix": (items[3]),
1222 "cvss": (cvssMetrics)}
1223 else:
1224 items = search_xml('ManagementPlaneProtection')
1225 cvssMetrics = str(cvss_score(items[5]))
1226 mpp.mgmt_interfaces = {
1227 "must_report": True,
1228 "fixImpact": (items[0]),
1229 "definition": (items[1]),
1230 "threatInfo": (items[2]),
1231 "howtofix": (items[4]),
1232 "cvss": (cvssMetrics)}
1233
# SSH server hardening: time-out, authentication-retries and
# source-interface are looked up first, then each one is reported when its
# command is absent. Only presence is tested, not the configured value.
1234 try:
1235 mpp.ssh_server_timeout['timeout'] = search_string(lines, 'ip ssh time-out')
1236 except AttributeError:
1237 pass
1238 try:
1239 mpp.ssh_server_auth_retries['authRetries'] = search_string(lines, 'ip ssh authentication-retries')
1240 except AttributeError:
1241 pass
1242 try:
1243 mpp.ssh_server_src_interface['sourceinterface'] = search_string(lines, 'ip ssh source-interface')
1244 except AttributeError:
1245 pass
1246
1247 if mpp.ssh_server_timeout['timeout'] is None:
1248 items = search_xml('sshServerTimeout')
1249 cvssMetrics = str(cvss_score(items[5]))
1250 mpp.ssh_server_timeout = {
1251 "must_report": True,
1252 "fixImpact": (items[0]),
1253 "definition": (items[1]),
1254 "threatInfo": (items[2]),
1255 "howtofix": (items[3]),
1256 "cvss": (cvssMetrics)}
1257 else:
1258 mpp.ssh_server_timeout['must_report'] = False
1259
1260 if mpp.ssh_server_auth_retries['authRetries'] is None:
1261 items = search_xml('sshServerAuthretries')
1262 cvssMetrics = str(cvss_score(items[5]))
1263 mpp.ssh_server_auth_retries = {
1264 "must_report": True,
1265 "fixImpact": (items[0]),
1266 "definition": (items[1]),
1267 "threatInfo": (items[2]),
1268 "howtofix": (items[3]),
1269 "cvss": (cvssMetrics)}
1270 else:
1271 mpp.ssh_server_auth_retries['must_report'] = False
1272
1273 if mpp.ssh_server_src_interface['sourceinterface'] is None:
1274 items = search_xml('sshServerSourceIf')
1275 cvssMetrics = str(cvss_score(items[5]))
1276 mpp.ssh_server_src_interface = {
1277 "must_report": True,
1278 "fixImpact": (items[0]),
1279 "definition": (items[1]),
1280 "threatInfo": (items[2]),
1281 "howtofix": (items[3]),
1282 "cvss": (cvssMetrics)}
1283 else:
1284 mpp.ssh_server_src_interface['must_report'] = False
1285
# SCP: reported when 'ip scp server enable' is absent.
1286 try:
1287 mpp.scp_server['cmdIncfg'] = search_string(lines, 'ip scp server enable')
1288 except AttributeError:
1289 pass
1290
1291 if mpp.scp_server['cmdIncfg'] is None:
1292 items = search_xml('sshSCPServer')
1293 cvssMetrics = str(cvss_score(items[5]))
1294 mpp.scp_server = {
1295 "must_report": True,
1296 "fixImpact": (items[0]),
1297 "definition": (items[1]),
1298 "threatInfo": (items[2]),
1299 "howtofix": (items[3]),
1300 "cvss": (cvssMetrics)}
1301 else:
1302 mpp.scp_server['must_report'] = False
1303
# HTTP: unlike the checks above, this one reports when the command IS
# present ('ip http server').
# NOTE(review): depending on how search_string matches, a
# 'no ip http server' line could also satisfy this lookup -- verify.
1304 try:
1305 mpp.http_secure_server['cmdIncfg'] = search_string(lines, 'ip http server')
1306 except AttributeError:
1307 pass
1308
1309 if mpp.http_secure_server['cmdIncfg'] is not None:
1310 items = search_xml('HTTPServer')
1311 cvssMetrics = str(cvss_score(items[5]))
1312 mpp.http_secure_server = {
1313 "must_report": True,
1314 "fixImpact": (items[0]),
1315 "definition": (items[1]),
1316 "threatInfo": (items[2]),
1317 "howtofix": (items[3]),
1318 "cvss": (cvssMetrics)}
1319 else:
1320 mpp.http_secure_server['must_report'] = False
1321
# Login brute-force protection: five login commands are looked up and
# counted; fewer than five present raises one finding.
1322 try:
1323 mpp.login_bruteforce['blockfor'] = search_string(lines, 'login block-for')
1324 except AttributeError:
1325 pass
1326 try:
1327 mpp.login_bruteforce['delay'] = search_string(lines, 'login delay')
1328 except AttributeError:
1329 pass
1330 try:
1331 mpp.login_bruteforce['quietacl'] = search_string(lines, 'login quiet access-class')
1332 except AttributeError:
1333 pass
1334 try:
1335 mpp.login_bruteforce['faillog'] = search_string(lines, 'login on-failure log every')
1336 except AttributeError:
1337 pass
1338 try:
1339 mpp.login_bruteforce['successlog'] = search_string(lines, 'login on-success log every')
1340 except AttributeError:
1341 pass
1342 login_bruteforceCount = 0
1343 if mpp.login_bruteforce['blockfor'] is not None:
1344 login_bruteforceCount = login_bruteforceCount + 1
1345 if mpp.login_bruteforce['delay'] is not None:
1346 login_bruteforceCount = login_bruteforceCount + 1
1347 if mpp.login_bruteforce['quietacl'] is not None:
1348 login_bruteforceCount = login_bruteforceCount + 1
1349 if mpp.login_bruteforce['faillog'] is not None:
1350 login_bruteforceCount = login_bruteforceCount + 1
1351 if mpp.login_bruteforce['successlog'] is not None:
1352 login_bruteforceCount = login_bruteforceCount + 1
1353
# Fix text again depends on the release: items[3] when
# iosVersion >= 12.34, items[4] otherwise.
1354 if login_bruteforceCount < 5:
1355 if __builtin__.iosVersion >= 12.34:
1356 items = search_xml('loginBruteforce')
1357 cvssMetrics = str(cvss_score(items[5]))
1358 mpp.login_bruteforce = {
1359 "must_report": True,
1360 "fixImpact": (items[0]),
1361 "definition": (items[1]),
1362 "threatInfo": (items[2]),
1363 "howtofix": (items[3]),
1364 "cvss": (cvssMetrics)}
1365 else:
1366
1367 items = search_xml('loginBruteforce')
1368 cvssMetrics = str(cvss_score(items[5]))
1369 mpp.login_bruteforce = {
1370 "must_report": True,
1371 "fixImpact": (items[0]),
1372 "definition": (items[1]),
1373 "threatInfo": (items[2]),
1374 "howtofix": (items[4]),
1375 "cvss": (cvssMetrics)}
1376 else:
1377 mpp.login_bruteforce['must_report'] = False
1378
# Report assembly. The first entry assigns rather than appends, which is
# harmless here because toBeReturned is still empty at that point.
1379 toBeReturned = ''
1380 if mpp.mgmt_interfaces['must_report'] == True:
1381 toBeReturned = mpp.mgmt_interfaces['definition'] + '\n' + mpp.mgmt_interfaces['threatInfo'] + '\n\n' + mpp.mgmt_interfaces['howtofix'] + '\n'
1382 if mpp.ssh_server_timeout['must_report'] == True:
1383 toBeReturned = toBeReturned + mpp.ssh_server_timeout['definition'] + '\n' + mpp.ssh_server_timeout['threatInfo'] + '\n\n' + mpp.ssh_server_timeout['howtofix'] + '\n'
1384 if mpp.ssh_server_auth_retries['must_report'] == True:
1385 toBeReturned = toBeReturned + mpp.ssh_server_auth_retries['definition'] + '\n' + mpp.ssh_server_auth_retries['threatInfo'] + '\n\n' + mpp.ssh_server_auth_retries['howtofix'] + '\n'
1386 if mpp.ssh_server_src_interface['must_report'] == True:
1387 toBeReturned = toBeReturned + mpp.ssh_server_src_interface['definition'] + '\n' + mpp.ssh_server_src_interface['threatInfo'] + '\n\n' + mpp.ssh_server_src_interface['howtofix'] + '\n'
1388 if mpp.scp_server['must_report'] == True:
1389 toBeReturned = toBeReturned + mpp.scp_server['definition'] + '\n' + mpp.scp_server['threatInfo'] + '\n\n' + mpp.scp_server['howtofix'] + '\n'
1390 if mpp.http_secure_server['must_report'] == True:
1391 toBeReturned = toBeReturned + mpp.http_secure_server['definition'] + '\n' + mpp.http_secure_server['threatInfo'] + '\n\n' + mpp.http_secure_server['howtofix'] + '\n'
1392 if mpp.login_bruteforce['must_report'] == True:
1393 toBeReturned = toBeReturned + mpp.login_bruteforce['definition'] + '\n' + mpp.login_bruteforce['threatInfo'] + '\n\n' + mpp.login_bruteforce['howtofix'] + '\n'
1394
1395 return toBeReturned
1396
"""Access management assessment.

Runs four checks against ``lines`` and stores each outcome on
``pwdManagement``:

* ``enable secret`` and ``service password-encryption`` are reported when
  the command is absent;
* a ``username ... password ...`` line is reported when present;
* local login lockout is reported when local usernames exist but
  ``aaa new-model``, ``aaa local authentication attempts max-fail`` and a
  local default login method are not all configured.

Every check tests presence only; the secret type and the configured
values are not examined here. Returns the report text of the findings
whose ``must_report`` flag is set.
"""

def _capture(attrName, key, pattern, finder):
    # Store the lookup result on the named finding; AttributeError is
    # ignored, as in the original inline try/except blocks.
    try:
        getattr(pwdManagement, attrName)[key] = finder(lines, pattern)
    except AttributeError:
        pass

def _finding(xmlKey, minVersion=None):
    # Build the record that replaces a finding once it must be reported.
    # items[3] is the fix text when there is no version gate or the device
    # meets minVersion; items[4] is used for older releases.
    # NOTE(review): the gates are float literals, and 12.314 sorts below
    # 12.34 as a float; how iosVersion is encoded is not visible here --
    # confirm the comparison orders releases as intended.
    xmlEntry = search_xml(xmlKey)
    if minVersion is None or __builtin__.iosVersion >= minVersion:
        fixIndex = 3
    else:
        fixIndex = 4
    score = str(cvss_score(xmlEntry[5]))
    return {
        "must_report": True,
        "fixImpact": xmlEntry[0],
        "definition": xmlEntry[1],
        "threatInfo": xmlEntry[2],
        "howtofix": xmlEntry[fixIndex],
        "cvss": score}

# Commands that must be present.
presenceChecks = (
    ('enable_secret', 'enable secret', search_string, 'enable_secret'),
    ('service_password_encryption', '^service password-encryption', search_re_string, 'servicePasswordEncryption'),
)
for attrName, pattern, finder, xmlKey in presenceChecks:
    _capture(attrName, 'cmdInCfg', pattern, finder)
    if getattr(pwdManagement, attrName)['cmdInCfg'] is None:
        setattr(pwdManagement, attrName, _finding(xmlKey))
    else:
        getattr(pwdManagement, attrName)['must_report'] = False

# A local user defined with the 'password' keyword is the finding here.
_capture('username_secret', 'cmdInCfg', '^username .* password .*', search_re_string)
if pwdManagement.username_secret['cmdInCfg'] is not None:
    pwdManagement.username_secret = _finding('username_secret', 12.28)
else:
    pwdManagement.username_secret['must_report'] = False

# Local login lockout.
_capture('retry_lockout', 'aaa_new_model', '^aaa new-model', search_re_string)
_capture('retry_lockout', 'usernames', '^username .*', search_re_string)
_capture('retry_lockout', 'maxFail', 'aaa local authentication attempts max-fail', search_string)
_capture('retry_lockout', 'aaaAuthLoginLocal', 'aaa authentication login default (local|.*) ?local', search_re_string)

lockoutConfigured = all(
    pwdManagement.retry_lockout[key] is not None
    for key in ('aaa_new_model', 'maxFail', 'aaaAuthLoginLocal'))
if lockoutConfigured or pwdManagement.retry_lockout['usernames'] is None:
    # Either lockout is fully configured or there is no local account.
    pwdManagement.retry_lockout['must_report'] = False
else:
    pwdManagement.retry_lockout = _finding('retryLockout', 12.314)

toBeReturned = ''
for attrName in ('enable_secret', 'service_password_encryption', 'username_secret', 'retry_lockout'):
    finding = getattr(pwdManagement, attrName)
    if finding['must_report'] == True:
        toBeReturned = toBeReturned + finding['definition'] + '\n' + finding['threatInfo'] + '\n\n' + finding['howtofix'] + '\n'

return toBeReturned
1517
1519 """Tacacs+ assessment."""
1520 toBeReturned = ''
1521 try:
1522 tacacs.aaa_new_model['cmdInCfg'] = search_string(lines, 'aaa new-model')
1523 except AttributeError:
1524 pass
1525
1526 if mode == 'Authentication':
1527
1528 try:
1529 tacacs.auth_tacacs['cmdInCfg'] = search_re_string(lines, 'aaa authentication login default (group tacacs\+|.*) ?tacacs\+')
1530 except AttributeError:
1531 pass
1532
1533 try:
1534 tacacs.auth_fallback['cmdInCfg'] = search_re_string(lines, 'aaa authentication login default (group tacacs\+|.*) (enable|local)')
1535 except AttributeError:
1536 pass
1537
1538 if tacacs.aaa_new_model['cmdInCfg'] is None:
1539 items = search_xml('aaa_new_model')
1540 cvssMetrics = str(cvss_score(items[5]))
1541 tacacs.aaa_new_model = {
1542 "must_report": True,
1543 "fixImpact": (items[0]),
1544 "definition": (items[1]),
1545 "threatInfo": (items[2]),
1546 "howtofix": (items[3]),
1547 "cvss": (cvssMetrics)}
1548 else:
1549 tacacs.aaa_new_model['must_report'] = False
1550
1551 if tacacs.auth_tacacs['cmdInCfg'] is None:
1552 items = search_xml('aaaAuthTacacs')
1553 cvssMetrics = str(cvss_score(items[5]))
1554 tacacs.auth_tacacs = {
1555 "must_report": True,
1556 "fixImpact": (items[0]),
1557 "definition": (items[1]),
1558 "threatInfo": (items[2]),
1559 "howtofix": (items[3]),
1560 "cvss": (cvssMetrics)}
1561 else:
1562 tacacs.auth_tacacs['must_report'] = False
1563
1564 if tacacs.auth_fallback['cmdInCfg'] is None:
1565 items = search_xml('aaaAuthTacacsFallback')
1566 cvssMetrics = str(cvss_score(items[5]))
1567 tacacs.auth_fallback = {
1568 "must_report": True,
1569 "fixImpact": (items[0]),
1570 "definition": (items[1]),
1571 "threatInfo": (items[2]),
1572 "howtofix": (items[3]),
1573 "cvss": (cvssMetrics)}
1574 else:
1575 tacacs.auth_fallback['must_report'] = False
1576
1577 elif mode == 'Authorization':
1578
1579 try:
1580 tacacs.auth_exec['cmdInCfg'] = search_string(lines, 'aaa authorization exec default group tacacs none')
1581 except AttributeError:
1582 pass
1583
1584 try:
1585 tacacs.level_0['cmdInCfg'] = search_string(lines, 'aaa authorization commands 0 default group tacacs none')
1586 except AttributeError:
1587 pass
1588
1589 try:
1590 tacacs.level_1['cmdInCfg'] = search_string(lines, 'aaa authorization commands 1 default group tacacs none')
1591 except AttributeError:
1592 pass
1593
1594 try:
1595 tacacs.level_15['cmdInCfg'] = search_string(lines, 'aaa authorization commands 15 default group tacacs none')
1596 except AttributeError:
1597 pass
1598
1599 if tacacs.auth_exec['cmdInCfg'] is None:
1600 items = search_xml('aaaAuthTacacsExec')
1601 cvssMetrics = str(cvss_score(items[5]))
1602 tacacs.auth_exec = {
1603 "must_report": True,
1604 "fixImpact": (items[0]),
1605 "definition": (items[1]),
1606 "threatInfo": (items[2]),
1607 "howtofix": (items[3]),
1608 "cvss": (cvssMetrics)}
1609 else:
1610 tacacs.auth_exec['must_report'] = False
1611
1612 if tacacs.level_0['cmdInCfg'] is None:
1613 items = search_xml('aaaAuthTacacsLevel0')
1614 cvssMetrics = str(cvss_score(items[5]))
1615 tacacs.level_0 = {
1616 "must_report": True,
1617 "fixImpact": (items[0]),
1618 "definition": (items[1]),
1619 "threatInfo": (items[2]),
1620 "howtofix": (items[3]),
1621 "cvss": (cvssMetrics)}
1622 else:
1623 tacacs.level_0['must_report'] = False
1624
1625 if tacacs.level_1['cmdInCfg'] is None:
1626 items = search_xml('aaaAuthTacacsLevel1')
1627 cvssMetrics = str(cvss_score(items[5]))
1628 tacacs.level_1 = {
1629 "must_report": True,
1630 "fixImpact": (items[0]),
1631 "definition": (items[1]),
1632 "threatInfo": (items[2]),
1633 "howtofix": (items[3]),
1634 "cvss": (cvssMetrics)}
1635 else:
1636 tacacs.level_1['must_report'] = False
1637
1638 if tacacs.level_15['cmdInCfg'] is None:
1639 items = search_xml('aaaAuthTacacsLevel15')
1640 cvssMetrics = str(cvss_score(items[5]))
1641 tacacs.level_15 = {
1642 "must_report": True,
1643 "fixImpact": (items[0]),
1644 "definition": (items[1]),
1645 "threatInfo": (items[2]),
1646 "howtofix": (items[3]),
1647 "cvss": (cvssMetrics)}
1648 else:
1649 tacacs.level_15['must_report'] = False
1650
1651 elif mode == 'Accounting':
1652
1653 try:
1654 tacacs.aaa_accounting['cmdInCfg'] = search_string(lines, 'aaa accounting exec default start-stop group tacacs')
1655 except AttributeError:
1656 pass
1657
1658 try:
1659 tacacs.level_0['cmdInCfg'] = search_string(lines, 'aaa accounting commands 0 default start-stop group tacacs')
1660 except AttributeError:
1661 pass
1662
1663 try:
1664 tacacs.level_1['cmdInCfg'] = search_string(lines, 'aaa accounting commands 1 default start-stop group tacacs')
1665 except AttributeError:
1666 pass
1667
1668 try:
1669 tacacs.level_15['cmdInCfg'] = search_string(lines, 'aaa accounting commands 15 default start-stop group tacacs')
1670 except AttributeError:
1671 pass
1672
1673 if tacacs.aaa_accounting['cmdInCfg'] is None:
1674 items = search_xml('aaaAccountingTacacsExec')
1675 cvssMetrics = str(cvss_score(items[5]))
1676 tacacs.aaa_accounting = {
1677 "must_report": True,
1678 "fixImpact": (items[0]),
1679 "definition": (items[1]),
1680 "threatInfo": (items[2]),
1681 "howtofix": (items[3]),
1682 "cvss": (cvssMetrics)}
1683 else:
1684 tacacs.aaa_accounting['must_report'] = False
1685
1686 if tacacs.level_0['cmdInCfg'] is None:
1687 items = search_xml('aaaAccountingTacacsLevel0')
1688 cvssMetrics = str(cvss_score(items[5]))
1689 tacacs.level_0 = {
1690 "must_report": True,
1691 "fixImpact": (items[0]),
1692 "definition": (items[1]),
1693 "threatInfo": (items[2]),
1694 "howtofix": (items[3]),
1695 "cvss": (cvssMetrics)}
1696 else:
1697 tacacs.level_0['must_report'] = False
1698
1699 if tacacs.level_1['cmdInCfg'] is None:
1700 items = search_xml('aaaAccountingTacacsLevel1')
1701 cvssMetrics = str(cvss_score(items[5]))
1702 tacacs.level_1 = {
1703 "must_report": True,
1704 "fixImpact": (items[0]),
1705 "definition": (items[1]),
1706 "threatInfo": (items[2]),
1707 "howtofix": (items[3]),
1708 "cvss": (cvssMetrics)}
1709 else:
1710 tacacs.level_1['must_report'] = False
1711
1712 if tacacs.level_15['cmdInCfg'] is None:
1713 items = search_xml('aaaAccountingTacacsLevel15')
1714 cvssMetrics = str(cvss_score(items[5]))
1715 tacacs.level_15 = {
1716 "must_report": True,
1717 "fixImpact": (items[0]),
1718 "definition": (items[1]),
1719 "threatInfo": (items[2]),
1720 "howtofix": (items[3]),
1721 "cvss": (cvssMetrics)}
1722 else:
1723 tacacs.level_15['must_report'] = False
1724
1725 elif mode == 'RedundantAAA':
1726
1727 countservers = 0
1728 for line in lines:
1729 if search_string(lines, 'tacacs-server host') is not None:
1730 countservers = countservers +1
1731
1732 if countservers >= 2:
1733 tacacs.redundant['must_report'] = False
1734 else:
1735 items = search_xml('aaaTacacsRedundant')
1736 cvssMetrics = str(cvss_score(items[5]))
1737 tacacs.redundant = {
1738 "must_report": True,
1739 "fixImpact": (items[0]),
1740 "definition": (items[1]),
1741 "threatInfo": (items[2]),
1742 "howtofix": (items[3]),
1743 "cvss": (cvssMetrics)}
1744
1745 if mode == 'RedundantAAA':
1746 if tacacs.redundant['must_report'] == True:
1747 toBeReturned = tacacs.redundant['definition'] + '\n' + tacacs.redundant['threatInfo'] + '\n\n' + tacacs.redundant['howtofix'] + '\n'
1748 elif mode == 'Authentication':
1749 if tacacs.aaa_new_model['must_report'] == True:
1750 toBeReturned = toBeReturned + tacacs.aaa_new_model['definition'] + '\n' + tacacs.aaa_new_model['threatInfo'] + '\n\n' + tacacs.aaa_new_model['howtofix'] + '\n'
1751 if tacacs.auth_tacacs['must_report'] == True:
1752 toBeReturned = toBeReturned + tacacs.auth_tacacs['definition'] + '\n' + tacacs.auth_tacacs['threatInfo'] + '\n\n' + tacacs.auth_tacacs['howtofix'] + '\n'
1753 if tacacs.auth_fallback['must_report'] == True:
1754 toBeReturned = toBeReturned + tacacs.auth_fallback['definition'] + '\n' + tacacs.auth_fallback['threatInfo'] + '\n\n' + tacacs.auth_fallback['howtofix'] + '\n'
1755 elif mode == 'Authorization':
1756 if tacacs.auth_exec['must_report'] == True:
1757 toBeReturned = toBeReturned + tacacs.auth_exec['definition'] + '\n' + tacacs.auth_exec['threatInfo'] + '\n\n' + tacacs.auth_exec['howtofix'] + '\n'
1758 if tacacs.level_0['must_report'] == True:
1759 toBeReturned = toBeReturned + tacacs.level_0['definition'] + '\n' + tacacs.level_0['threatInfo'] + '\n\n' + tacacs.level_0['howtofix'] + '\n'
1760 if tacacs.level_1['must_report'] == True:
1761 toBeReturned = toBeReturned + tacacs.level_1['definition'] + '\n' + tacacs.level_1['threatInfo'] + '\n\n' + tacacs.level_1['howtofix'] + '\n'
1762 if tacacs.level_15['must_report'] == True:
1763 toBeReturned = toBeReturned + tacacs.level_15['definition'] + '\n' + tacacs.level_15['threatInfo'] + '\n\n' + tacacs.level_15['howtofix'] + '\n'
1764 elif mode == 'Accounting':
1765 if tacacs.aaa_accounting['must_report'] == True:
1766 toBeReturned = toBeReturned + tacacs.aaa_accounting['definition'] + '\n' + tacacs.aaa_accounting['threatInfo'] + '\n\n' + tacacs.aaa_accounting['howtofix'] + '\n'
1767 if tacacs.level_0['must_report'] == True:
1768 toBeReturned = toBeReturned + tacacs.level_0['definition'] + '\n' + tacacs.level_0['threatInfo'] + '\n\n' + tacacs.level_0['howtofix'] + '\n'
1769 if tacacs.level_1['must_report'] == True:
1770 toBeReturned = toBeReturned + tacacs.level_1['definition'] + '\n' + tacacs.level_1['threatInfo'] + '\n\n' + tacacs.level_1['howtofix'] + '\n'
1771 if tacacs.level_15['must_report'] == True:
1772 toBeReturned = toBeReturned + tacacs.level_15['definition'] + '\n' + tacacs.level_15['threatInfo'] + '\n\n' + tacacs.level_15['howtofix'] + '\n'
1773
1774 return toBeReturned
1775
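"""SNMP configuration assessment.

Looks in ``lines`` for SNMP community strings (plain and view-restricted,
read-only and read-write) and for an SNMPv3 group.  Each entry on ``snmp``
either gets ``must_report`` cleared or is replaced by a finding built from
search_xml().  Returns the concatenated report text of all findings.
"""
# NOTE(review): the ``def`` line of this function and all indentation are
# missing from the listing.  ``lines`` and ``snmp`` are presumably its
# parameters, and the nesting below is reconstructed - confirm against the
# real file.
# NOTE(review): search_re_string() presumably returns one matching config
# line (or None).  If so, only one community per kind is assessed and any
# further ``snmp-server community`` lines go unchecked - TODO confirm.

def _probe(entry, pattern):
    """Store the result of searching ``lines`` for ``pattern`` in ``entry``."""
    try:
        entry['cmdInCfg'] = search_re_string(lines, pattern)
    except AttributeError:
        # Kept from the original: a failed search leaves the entry untouched.
        pass

def _finding(xml_key):
    """Build a must-report entry from the XML record named ``xml_key``."""
    items = search_xml(xml_key)
    howtofix = items[3].strip()
    howtofix = howtofix.replace('[%ManagementSubnet]', mgmtSubnet, 1)
    howtofix = howtofix.replace('[%ManagementWildcardMask]', mgmtWildcardMask, 1)
    return {
        "must_report": True,
        "fixImpact": items[0],
        "definition": items[1],
        "threatInfo": items[2],
        "howtofix": howtofix,
        "cvss": str(cvss_score(items[5])),
    }

def _acl_token(command):
    """Return the token that follows the last ro/rw keyword, or None.

    The original always read token 4.  That is the access-list number for
    ``snmp-server community C RO 10`` but the view name for
    ``snmp-server community C view V RO 10``, so the wrong ACL was checked
    for view-restricted communities.
    """
    tokens = command.split(' ')
    for idx in range(len(tokens) - 2, -1, -1):
        if tokens[idx].lower() in ('ro', 'rw'):
            return tokens[idx + 1]
    return None

def _assess(community_attr, acl_attr, acl_pattern, weak_key, acl_key):
    """Assess one community kind and the access list restricting it."""
    community = getattr(snmp, community_attr)
    if community['cmdInCfg'] is None:
        # No such community configured: nothing to report for it or its ACL.
        community['must_report'] = False
        getattr(snmp, acl_attr)['must_report'] = False
        return

    community_string = community['cmdInCfg'].split(' ')[2]
    if snmp_community_complexity(community_string) == False:
        setattr(snmp, community_attr, _finding(weak_key))

    # The ACL is assessed whether or not the community string is strong.
    _probe(getattr(snmp, acl_attr), acl_pattern)
    acl = getattr(snmp, acl_attr)
    if acl['cmdInCfg'] is None:
        setattr(snmp, acl_attr, _finding(acl_key))
        return

    acl_number = _acl_token(acl['cmdInCfg'])
    if acl_number is not None and check_std_acl(lines, acl_number) == True:
        acl['must_report'] = False
    else:
        setattr(snmp, acl_attr, _finding(acl_key))

_probe(snmp.ro_community, 'snmp-server community .* (RO|ro)')
_probe(snmp.rw_community, 'snmp-server community .* (RW|rw)')
_probe(snmp.view_ro_community, 'snmp-server community .* view .* (RO|ro)')
_probe(snmp.view_rw_community, 'snmp-server community .* view .* (RW|rw)')
_probe(snmp.snmp_v3, 'snmp-server group .* v3 (auth|priv)')

# Management subnet and wildcard mask are substituted into the fix text.
try:
    mgmtSubnet = __builtin__.ipv4_mgmt_outbound[0][0]
except TypeError:
    mgmtSubnet = ""
try:
    mgmtWildcardMask = __builtin__.ipv4_mgmt_outbound[0][3]
except TypeError:
    mgmtWildcardMask = ""

# NOTE(review): the plain RO/RW patterns also match view-restricted lines
# (".*" absorbs "C view V"), so such a line may be assessed by both checks.
_assess('ro_community', 'ro_community_acl',
        r'snmp-server community .* (RO|ro) \d',
        'snmpROcommunityHardened', 'snmpROcommunityHardenedACL')
_assess('rw_community', 'rw_community_acl',
        r'snmp-server community .* (RW|rw) \d',
        'snmpRWcommunityHardened', 'snmpRWcommunityHardenedACL')
_assess('view_ro_community', 'view_ro_community_acl',
        r'snmp-server community .* view .* (RO|ro) \d',
        'ViewsnmpROcommunityHardened', 'ViewsnmpROcommunityHardenedACL')
# The original used 'snmpRWcommunityHardenedACL' for the "no ACL at all" case
# and 'ViewsnmpRWcommunityHardenedACL' for the "ACL fails the check" case;
# both now use the view-specific record, as the view RO check does.
_assess('view_rw_community', 'view_rw_community_acl',
        r'snmp-server community .* view .* (RW|rw) \d',
        'ViewsnmpRWcommunityHardened', 'ViewsnmpRWcommunityHardenedACL')

if snmp.snmp_v3['cmdInCfg'] is None:
    # No SNMPv3 group with auth or priv was found.
    snmp.snmp_v3 = _finding('snmpVersion3')
else:
    snmp.snmp_v3['must_report'] = False

report_order = (
    'ro_community', 'ro_community_acl',
    'rw_community', 'rw_community_acl',
    'view_ro_community', 'view_ro_community_acl',
    'view_rw_community', 'view_rw_community_acl',
    'snmp_v3',
)
toBeReturned = ''
for attr in report_order:
    entry = getattr(snmp, attr)
    if entry['must_report'] == True:
        toBeReturned = toBeReturned + entry['definition'] + '\n' \
            + entry['threatInfo'] + '\n\n' + entry['howtofix'] + '\n'

return toBeReturned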
2064
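"""Syslog assessment.

Checks ``lines`` for a remote syslog server, the trap and buffer severity
levels, console and monitor logging, the buffer size, the source interface,
log timestamps and (routers only) ``logging server-arp``.  Each entry on
``syslog`` either gets ``must_report`` cleared or is replaced by a finding
built from search_xml().  Returns the report text of all findings.
"""
# NOTE(review): the ``def`` line of this function and all indentation are
# missing from the listing.  ``lines`` and ``syslog`` are presumably its
# parameters, and the nesting below is reconstructed - confirm against the
# real file.

severity_by_name = {
    "emergencies": 0,
    "alerts": 1,
    "critical": 2,
    "errors": 3,
    "warnings": 4,
    "notifications": 5,
    # The buffered check originally looked for this spelling only.
    "notification": 5,
    "informational": 6,
    "debugging": 7,
}

def _severity(token):
    """Return the numeric severity for a digit string or keyword, else None."""
    token = token.strip().lower()
    if token.isdigit():
        return int(token)
    return severity_by_name.get(token)

def _probe(entry, finder, pattern):
    """Store ``finder(lines, pattern)`` in ``entry['cmdInCfg']``."""
    try:
        entry['cmdInCfg'] = finder(lines, pattern)
    except AttributeError:
        # Kept from the original: a failed search leaves the entry untouched.
        pass

def _finding(xml_key, howtofix_index=3):
    """Build a must-report entry from the XML record named ``xml_key``."""
    items = search_xml(xml_key)
    return {
        "must_report": True,
        "fixImpact": items[0],
        "definition": items[1],
        "threatInfo": items[2],
        "howtofix": items[howtofix_index],
        "cvss": str(cvss_score(items[5])),
    }

# Remote syslog server.
_probe(syslog.server, search_string, 'logging host')
if syslog.server['cmdInCfg'] is None:
    try:
        mgmtSubnet = __builtin__.ipv4_mgmt_outbound[0][0]
    except TypeError:
        mgmtSubnet = ""
    # Suggest the management subnet when it is known, else a placeholder.
    if len(mgmtSubnet) > 0:
        syslog_target = mgmtSubnet
    else:
        syslog_target = 'new-syslog-server'
    finding = _finding('syslogServer')
    finding['howtofix'] = finding['howtofix'].strip() \
        .replace('[%ManagementSyslog]', syslog_target, 1)
    syslog.server = finding
else:
    syslog.server['must_report'] = False

# Severity sent to the syslog server: accepted up to 6 (informational).
_probe(syslog.level_trap, search_string, 'logging trap')
if syslog.level_trap['cmdInCfg'] is None:
    syslog.level_trap = _finding('syslogLevelTrap')
else:
    level = _severity(syslog.level_trap['cmdInCfg'].split(' ')[2])
    # An unrecognised keyword used to end in int() raising ValueError; it is
    # now reported.  The None test matters: None <= 6 is True on Python 2.
    if level is not None and level <= 6:
        syslog.level_trap['must_report'] = False
    else:
        syslog.level_trap = _finding('syslogLevelTrap')

# NOTE(review): token 2 of "logging buffered <n> ..." is compared with 6
# here, while the later check reads the same position as the buffer size.
# Left as in the original - confirm which form this check is meant for.
_probe(syslog.level_buffered, search_re_string, r'logging buffered \d')
if syslog.level_buffered['cmdInCfg'] is None:
    syslog.level_buffered = _finding('syslogLevelBuffered')
else:
    level = syslog.level_buffered['cmdInCfg'].split(' ')[2]
    if int(level) == 6:
        syslog.level_buffered['must_report'] = False
    else:
        syslog.level_buffered = _finding('syslogLevelBuffered')

# For these four checks the command must be present; absence is a finding.
presence_checks = (
    ('logging_console', 'no logging console', 'syslogConsole'),
    ('logging_monitor', 'no logging monitor', 'syslogMonitor'),
)
for attr, command, xml_key in presence_checks:
    _probe(getattr(syslog, attr), search_string, command)
    if getattr(syslog, attr)['cmdInCfg'] is None:
        setattr(syslog, attr, _finding(xml_key))
    else:
        getattr(syslog, attr)['must_report'] = False

# Buffer size and severity: at least 16000 and exactly informational (6).
_probe(syslog.logging_buffered, search_re_string, 'logging buffered .* .*')
if syslog.logging_buffered['cmdInCfg'] is None:
    syslog.logging_buffered = _finding('syslogBuffered')
else:
    tokens = syslog.logging_buffered['cmdInCfg'].split(' ')
    size = tokens[2].strip()
    # The original walked a chain of plain ``if`` tests that assigned an int
    # to ``level`` and then called ``level.strip()`` on it in the next test,
    # raising AttributeError for every keyword except "debugging".
    level = _severity(tokens[3])
    if size.isdigit() and int(size) >= 16000 and level == 6:
        syslog.logging_buffered['must_report'] = False
    else:
        syslog.logging_buffered = _finding('syslogBuffered')

presence_checks = (
    ('interface', 'logging source-interface loopback', 'syslogInterface'),
    ('timestamp', 'service timestamps log datetime msec show-timezone',
     'syslogTimestamp'),
)
for attr, command, xml_key in presence_checks:
    _probe(getattr(syslog, attr), search_string, command)
    if getattr(syslog, attr)['cmdInCfg'] is None:
        setattr(syslog, attr, _finding(xml_key))
    else:
        getattr(syslog, attr)['must_report'] = False

if __builtin__.deviceType == 'router':
    _probe(syslog.server_arp, search_string, 'logging server-arp')
    if syslog.server_arp['cmdInCfg'] is None:
        # NOTE(review): iosVersion is compared with a float literal; whether
        # that orders IOS releases correctly depends on how iosVersion is
        # encoded, which is not visible here - TODO confirm.
        if __builtin__.iosVersion >= 12.3:
            syslog.server_arp = _finding('syslogserver_arp')
        else:
            # Older releases get the alternative fix text (items[4]).
            syslog.server_arp = _finding('syslogserver_arp', 4)
    else:
        syslog.server_arp['must_report'] = False

report_order = (
    'server', 'level_trap', 'level_buffered', 'logging_console',
    'logging_monitor', 'logging_buffered', 'interface', 'timestamp',
    'server_arp',
)
toBeReturned = ''
for attr in report_order:
    entry = getattr(syslog, attr)
    if entry['must_report'] == True:
        toBeReturned = toBeReturned + entry['definition'] + '\n' \
            + entry['threatInfo'] + '\n\n' + entry['howtofix'] + '\n'

return toBeReturned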
2361
2362
2364 """Archive configuration assessment."""
# NOTE(review): the ``def`` line (the line numbered 2363) and all indentation
# are missing from this listing, so the nesting described in these comments
# is inferred - confirm against the real file.
#
# Five checks follow: archive.configuration, archive.exclusive,
# archive.secure_boot, archive.secure_config and archive.logs.  Each stores a
# search result in ``['cmdInCfg']`` and then either sets ``must_report`` to
# False or replaces the whole entry with a finding built from search_xml():
# items[0..2] are the text fields, items[5] is passed to cvss_score(), and
# "howtofix" is items[3] when __builtin__.iosVersion reaches the threshold
# shown, items[4] otherwise.
#
# NOTE(review): the thresholds are float literals (12.37, 12.314, 12.38,
# 12.34).  As floats, 12.314 < 12.34 < 12.37 < 12.38; if they are meant to
# encode releases such as 12.3(14) and 12.3(4), that order is wrong and the
# report can carry the fix text for the wrong IOS release - TODO confirm how
# iosVersion is encoded.
2365 try:
2366 archive.configuration['cmdInCfg'] = search_re_string(lines, '^archive$')
2367 except AttributeError:
2368 pass
# NOTE(review): the ``else`` on the line numbered 2373 can pair with either
# ``if`` above it; with the indentation lost this cannot be decided here.  If
# it pairs with the 'time-period' test, a configuration with no ``archive``
# line reaches the report step with whatever ``must_report`` value the entry
# already had.
2369 if archive.configuration['cmdInCfg'] is not None:
2370
2371 if search_re_string(lines, 'time-period') is not None:
2372 archive.configuration['must_report'] = False
2373 else:
2374 items = search_xml('archiveConfiguration')
2375 if __builtin__.iosVersion >= 12.37:
2376 cvssMetrics = str(cvss_score(items[5]))
2377 archive.configuration = {
2378 "must_report": True,
2379 "fixImpact": (items[0]),
2380 "definition": (items[1]),
2381 "threatInfo": (items[2]),
2382 "howtofix": (items[3]),
2383 "cvss": (cvssMetrics)}
2384 else:
2385
2386 cvssMetrics = str(cvss_score(items[5]))
2387 archive.configuration = {
2388 "must_report": True,
2389 "fixImpact": (items[0]),
2390 "definition": (items[1]),
2391 "threatInfo": (items[2]),
2392 "howtofix": (items[4]),
2393 "cvss": (cvssMetrics)}
2394
# Exclusive configuration lock: present -> nothing to report, absent -> finding.
2395 try:
2396 archive.exclusive['cmdInCfg'] = search_string(lines, 'configuration mode exclusive auto')
2397 except AttributeError:
2398 pass
2399 if archive.exclusive['cmdInCfg'] is not None:
2400
2401 archive.exclusive['must_report'] = False
2402 else:
2403 items = search_xml('archiveExclusive')
2404 if __builtin__.iosVersion >= 12.314:
2405 cvssMetrics = str(cvss_score(items[5]))
2406 archive.exclusive = {
2407 "must_report": True,
2408 "fixImpact": (items[0]),
2409 "definition": (items[1]),
2410 "threatInfo": (items[2]),
2411 "howtofix": (items[3]),
2412 "cvss": (cvssMetrics)}
2413 else:
2414
2415 cvssMetrics = str(cvss_score(items[5]))
2416 archive.exclusive = {
2417 "must_report": True,
2418 "fixImpact": (items[0]),
2419 "definition": (items[1]),
2420 "threatInfo": (items[2]),
2421 "howtofix": (items[4]),
2422 "cvss": (cvssMetrics)}
2423
# Secured boot image: present -> nothing to report, absent -> finding.
2424 try:
2425 archive.secure_boot['cmdInCfg'] = search_string(lines, 'secure boot-image')
2426 except AttributeError:
2427 pass
2428 if archive.secure_boot['cmdInCfg'] is not None:
2429
2430 archive.secure_boot['must_report'] = False
2431 else:
2432 items = search_xml('archiveSecureImage')
2433 if __builtin__.iosVersion >= 12.38:
2434 cvssMetrics = str(cvss_score(items[5]))
2435 archive.secure_boot = {
2436 "must_report": True,
2437 "fixImpact": (items[0]),
2438 "definition": (items[1]),
2439 "threatInfo": (items[2]),
2440 "howtofix": (items[3]),
2441 "cvss": (cvssMetrics)}
2442 else:
2443
2444 cvssMetrics = str(cvss_score(items[5]))
2445 archive.secure_boot = {
2446 "must_report": True,
2447 "fixImpact": (items[0]),
2448 "definition": (items[1]),
2449 "threatInfo": (items[2]),
2450 "howtofix": (items[4]),
2451 "cvss": (cvssMetrics)}
2452
# Secured boot configuration: present -> nothing to report, absent -> finding.
2453 try:
2454 archive.secure_config['cmdInCfg'] = search_string(lines, 'secure boot-config')
2455 except AttributeError:
2456 pass
2457 if archive.secure_config['cmdInCfg'] is not None:
2458
2459 archive.secure_config['must_report'] = False
2460 else:
2461 items = search_xml('archiveSecureConfig')
2462 if __builtin__.iosVersion >= 12.38:
2463 cvssMetrics = str(cvss_score(items[5]))
2464 archive.secure_config = {
2465 "must_report": True,
2466 "fixImpact": (items[0]),
2467 "definition": (items[1]),
2468 "threatInfo": (items[2]),
2469 "howtofix": (items[3]),
2470 "cvss": (cvssMetrics)}
2471 else:
2472
2473 cvssMetrics = str(cvss_score(items[5]))
2474 archive.secure_config = {
2475 "must_report": True,
2476 "fixImpact": (items[0]),
2477 "definition": (items[1]),
2478 "threatInfo": (items[2]),
2479 "howtofix": (items[4]),
2480 "cvss": (cvssMetrics)}
2481
# Configuration-change logging.  'hidekeys' and 'logging enable' are searched
# in the whole of ``lines``, not only inside the archive section.
# NOTE(review): the ``else`` on the line numbered 2490 has the same pairing
# ambiguity as the one in the first check - confirm against the real file.
2482 try:
2483 archive.logs['cmdInCfg'] = search_re_string(lines, '^archive$')
2484 except AttributeError:
2485 pass
2486 if archive.logs['cmdInCfg'] is not None:
2487
2488 if ( (search_string(lines, 'hidekeys') is not None) and (search_string(lines, 'logging enable') is not None )):
2489 archive.logs['must_report'] = False
2490 else:
2491 items = search_xml('archiveLogs')
2492 if __builtin__.iosVersion >= 12.34:
2493 cvssMetrics = str(cvss_score(items[5]))
2494 archive.logs = {
2495 "must_report": True,
2496 "fixImpact": (items[0]),
2497 "definition": (items[1]),
2498 "threatInfo": (items[2]),
2499 "howtofix": (items[3]),
2500 "cvss": (cvssMetrics)}
2501 else:
2502
2503 cvssMetrics = str(cvss_score(items[5]))
2504 archive.logs = {
2505 "must_report": True,
2506 "fixImpact": (items[0]),
2507 "definition": (items[1]),
2508 "threatInfo": (items[2]),
2509 "howtofix": (items[4]),
2510 "cvss": (cvssMetrics)}
2511
# Concatenate definition, threat information and fix text of every entry
# whose must_report is True, in the order of the checks above.
2512 toBeReturned = ''
2513 if archive.configuration['must_report'] == True:
2514 toBeReturned = archive.configuration['definition'] + '\n' + archive.configuration['threatInfo'] + '\n\n' + archive.configuration['howtofix'] + '\n'
2515 if archive.exclusive['must_report'] == True:
2516 toBeReturned = toBeReturned + archive.exclusive['definition'] + '\n' + archive.exclusive['threatInfo'] + '\n\n' + archive.exclusive['howtofix'] + '\n'
2517 if archive.secure_boot['must_report'] == True:
2518 toBeReturned = toBeReturned + archive.secure_boot['definition'] + '\n' + archive.secure_boot['threatInfo'] + '\n\n' + archive.secure_boot['howtofix'] + '\n'
2519 if archive.secure_config['must_report'] == True:
2520 toBeReturned = toBeReturned + archive.secure_config['definition'] + '\n' + archive.secure_config['threatInfo'] + '\n\n' + archive.secure_config['howtofix'] + '\n'
2521 if archive.logs['must_report'] == True:
2522 toBeReturned = toBeReturned + archive.logs['definition'] + '\n' + archive.logs['threatInfo'] + '\n\n' + archive.logs['howtofix'] + '\n'
2523
2524 return toBeReturned
2525
2527 """ICMP redirects assessments."""
# NOTE(review): the ``def`` line (the line numbered 2526) and all indentation
# are missing from this listing, so the nesting described in these comments
# is inferred - confirm against the real file.
#
# Walks every interface in ``ifaceCfg``.  An interface with a configuration
# line equal to 'ip redirects' has its stripped name appended to
# redirects['enabledIfsFeature']; the name goes to
# redirects['disabledIfsFeature'] when ipIcmpRedirectsFound is still False.
# Names containing 'Loopback' hit ``break`` before being appended.
# NOTE(review): which loop each ``break`` leaves depends on the lost
# indentation.  If the second one sits at interface level it ends the whole
# walk at the first Loopback, leaving later interfaces unassessed - TODO
# confirm.
# NOTE(review): the comparison is an exact match on 'ip redirects'; whether
# the configuration lines are stripped of leading whitespace before they get
# here is not visible.
2528 for i in range(0, len(ifaceCfg)):
2529 ipIcmpRedirectsFound = False
2530 for line in ifaceCfg[i].configuration:
2531 if line == 'ip redirects':
2532 if not ifaceCfg[i].name.strip() in icmpRedirects.redirects['enabledIfsFeature']:
2533 if 'Loopback' in ifaceCfg[i].name.strip():
2534 break
2535 icmpRedirects.redirects['enabledIfsFeature'].append(ifaceCfg[i].name.strip())
2536 ipIcmpRedirectsFound = True
2537 if ipIcmpRedirectsFound == False:
2538 if not ifaceCfg[i].name.strip() in icmpRedirects.redirects['disabledIfsFeature']:
2539 if 'Loopback' in ifaceCfg[i].name.strip():
2540 break
2541 icmpRedirects.redirects['disabledIfsFeature'].append(ifaceCfg[i].name.strip())
# This is the only assignment to must_report in the block; the level it sits
# at (and so when a finding is raised) cannot be read from the listing.
2542 icmpRedirects.redirects['must_report'] = True
2543
# Fill the finding from the 'ipICMPredirects' XML record: items[0..3] are the
# text fields and items[5] is passed to cvss_score().
2544 if icmpRedirects.redirects['must_report'] == True:
2545 items = search_xml('ipICMPredirects')
2546 cvssMetrics = str(cvss_score(items[5]))
2547 icmpRedirects.redirects['fixImpact'] = items[0]
2548 icmpRedirects.redirects['definition'] = items[1]
2549 icmpRedirects.redirects['threatInfo'] = items[2]
2550 icmpRedirects.redirects['howtofix'] = items[3]
2551 icmpRedirects.redirects['cvss'] = cvssMetrics
2552
# '[%RedirectifsDisabled]' receives the enabledIfsFeature names and
# '[%RedirectifsEnabled]' the disabledIfsFeature names ("None" when a list is
# empty).  NOTE(review): the placeholder and list names look swapped - check
# them against the wording of the XML template.
2553 if icmpRedirects.redirects['enabledIfsFeature']:
2554 icmpRedirects.redirects['howtofix'] = \
2555 icmpRedirects.redirects['howtofix'].strip() \
2556 .replace('[%RedirectifsDisabled]', ", " \
2557 .join(icmpRedirects.redirects['enabledIfsFeature']), 1)
2558 else:
2559 icmpRedirects.redirects['howtofix'] = \
2560 icmpRedirects.redirects['howtofix'].strip() \
2561 .replace('[%RedirectifsDisabled]', "None", 1)
2562 if icmpRedirects.redirects['disabledIfsFeature']:
2563 icmpRedirects.redirects['howtofix'] = \
2564 icmpRedirects.redirects['howtofix'].strip() \
2565 .replace('[%RedirectifsEnabled]', ", " \
2566 .join(icmpRedirects.redirects['disabledIfsFeature']), 1)
2567 else:
2568 icmpRedirects.redirects['howtofix'] = \
2569 icmpRedirects.redirects['howtofix'].strip() \
2570 .replace('[%RedirectifsEnabled]', "None", 1)
2571
# This return joins the three texts with no separators, unlike the
# newline-separated form built further down.
# NOTE(review): if this return is nested under the must_report test, the code
# after it only runs when nothing is reported and returns ''.  If it is at
# function level, everything after it is unreachable.
2572 return icmpRedirects.redirects['definition'] \
2573 + icmpRedirects.redirects['threatInfo'] \
2574 + icmpRedirects.redirects['howtofix']
2575
2576 toBeReturned = ''
2577 if icmpRedirects.redirects['must_report'] == True:
2578 toBeReturned = \
2579 icmpRedirects.redirects['definition'] \
2580 + '\n' + icmpRedirects.redirects['threatInfo'] \
2581 + '\n\n' + icmpRedirects.redirects['howtofix'] + '\n'
2582
2583 return toBeReturned
2584
2585
2587 """ICMP unreachable configuration."""
# Purpose: sort each interface of ifaceCfg into unreachable['disabledIfsFeature']
# (an exact 'no ip unreachables' line was seen) or unreachable['enabledIfsFeature'],
# check fullConfig for 'ip icmp rate-limit unreachable', and build the finding
# text from search_xml('ipICMPunreachable').
# NOTE(review): the def line and the indentation are not visible in this listing;
# nesting-dependent remarks below are hedged.
2588 for i in range(0, len(ifaceCfg)):
2589 for line in ifaceCfg[i].configuration:
# NOTE(review): the flag is reset for every configuration line (it directly follows
# the 'for line' header), whereas the ICMP-redirects check resets it once per
# interface. Presumably an interface whose 'no ip unreachables' line is followed by
# any other line is therefore also added to 'enabledIfsFeature' and flagged - confirm.
2590 ipIcmpUnreachableFound = False
2591 if line == 'no ip unreachables':
2592 if ifaceCfg[i].name.strip() not in icmpUnreachable.unreachable['disabledIfsFeature']:
2593 if 'Loopback' in ifaceCfg[i].name.strip():
2594 break
2595 icmpUnreachable.unreachable['disabledIfsFeature'].append(ifaceCfg[i].name.strip())
2596 ipIcmpUnreachableFound = True
2597 if ipIcmpUnreachableFound == False:
2598 if ifaceCfg[i].name.strip() not in icmpUnreachable.unreachable['enabledIfsFeature']:
2599 if 'Loopback' in ifaceCfg[i].name.strip():
2600 break
2601 icmpUnreachable.unreachable['enabledIfsFeature'].append(ifaceCfg[i].name.strip())
2602 icmpUnreachable.unreachable['must_report'] = True
2603
# Global rate limit: an AttributeError from the lookup leaves the stored value
# as it was; a stored None raises must_report on its own.
2604 try:
2605 icmpUnreachable.unreachable['unreachableRate'] = search_string(fullConfig, 'ip icmp rate-limit unreachable')
2606 except AttributeError:
2607 pass
2608 if icmpUnreachable.unreachable['unreachableRate'] is None:
2609 icmpUnreachable.unreachable['must_report'] = True
2610
# Load the finding: items[0] fix impact, items[1] definition, items[2] threat
# information, items[3] how-to-fix template, items[5] input to cvss_score.
2611 if icmpUnreachable.unreachable['must_report'] == True:
2612 items = search_xml('ipICMPunreachable')
2613 cvssMetrics = str(cvss_score(items[5]))
2614 icmpUnreachable.unreachable['fixImpact'] = items[0]
2615 icmpUnreachable.unreachable['definition'] = items[1]
2616 icmpUnreachable.unreachable['threatInfo'] = items[2]
2617 icmpUnreachable.unreachable['howtofix'] = items[3]
# Each placeholder is replaced once with the comma-separated interface list, or
# with "None" when the list is empty.
2618 if icmpUnreachable.unreachable['disabledIfsFeature']:
2619 icmpUnreachable.unreachable['howtofix'] = icmpUnreachable.unreachable['howtofix'].strip().replace('[%UnreachableifsEnabled]', ", ".join(icmpUnreachable.unreachable['disabledIfsFeature']), 1)
2620 else:
2621 icmpUnreachable.unreachable['howtofix'] = icmpUnreachable.unreachable['howtofix'].strip().replace('[%UnreachableifsEnabled]', "None", 1)
2622 if icmpUnreachable.unreachable['enabledIfsFeature']:
2623 icmpUnreachable.unreachable['howtofix'] = icmpUnreachable.unreachable['howtofix'].strip().replace('[%UnreachableifsDisabled]', ", ".join(icmpUnreachable.unreachable['enabledIfsFeature']), 1)
2624 else:
2625 icmpUnreachable.unreachable['howtofix'] = icmpUnreachable.unreachable['howtofix'].strip().replace('[%UnreachableifsDisabled]', "None", 1)
2626
2627
# NOTE(review): cvssMetrics is only assigned in the must_report branch above; if
# this line is outside that branch it raises NameError when nothing is reported -
# nesting not visible here, confirm.
2628 icmpUnreachable.unreachable['cvss'] = cvssMetrics
2629
# Result: definition, threat information and how-to-fix text, or '' when
# must_report is not True.
2630 toBeReturned = ''
2631 if icmpUnreachable.unreachable['must_report'] == True:
2632 toBeReturned = icmpUnreachable.unreachable['definition'] + '\n' + icmpUnreachable.unreachable['threatInfo'] + '\n\n' + icmpUnreachable.unreachable['howtofix'] + '\n'
2633
2634 return toBeReturned
2635
2637 """ARP proxy configuration."""
# Purpose: sort each interface of ifaceCfg by whether its configuration holds the
# exact line 'no ip proxy-arp', raise must_report for interfaces without it, and
# build the finding text from search_xml('proxyArp').
# Naming: interfaces WITH 'no ip proxy-arp' go to proxy['enabledIfsFeature'] and
# those without to proxy['disabledIfsFeature'] - the opposite of the list naming
# used by the ICMP-unreachable check in this file.
# NOTE(review): the def line and the indentation are not visible in this listing;
# nesting-dependent remarks below are hedged.
2638 for i in range(0, len(ifaceCfg)):
2639 for line in ifaceCfg[i].configuration:
# NOTE(review): the flag is reset for every configuration line (it directly follows
# the 'for line' header). Presumably an interface whose 'no ip proxy-arp' line is
# followed by any other line is therefore still reported - confirm.
2640 proxyArpFound = False
2641 if line == 'no ip proxy-arp':
2642 if ifaceCfg[i].name.strip() not in proxyArp.proxy['enabledIfsFeature']:
2643 if 'Loopback' in ifaceCfg[i].name.strip():
2644 break
2645 proxyArp.proxy['enabledIfsFeature'].append(ifaceCfg[i].name.strip())
2646 proxyArpFound = True
2647 if proxyArpFound == False:
2648 if ifaceCfg[i].name.strip() not in proxyArp.proxy['disabledIfsFeature']:
2649 if 'Loopback' in ifaceCfg[i].name.strip():
2650 break
2651 proxyArp.proxy['disabledIfsFeature'].append(ifaceCfg[i].name.strip())
2652 proxyArp.proxy['must_report'] = True
2653
# Load the finding: items[0] fix impact, items[1] definition, items[2] threat
# information, items[3] how-to-fix template, items[5] input to cvss_score.
2654 if proxyArp.proxy['must_report'] == True:
2655 items = search_xml('proxyArp')
2656 cvssMetrics = str(cvss_score(items[5]))
2657 proxyArp.proxy['fixImpact'] = items[0]
2658 proxyArp.proxy['definition'] = items[1]
2659 proxyArp.proxy['threatInfo'] = items[2]
2660 proxyArp.proxy['howtofix'] = items[3]
# Each placeholder is replaced once with the comma-separated interface list, or
# with "None" when the list is empty.
2661 if proxyArp.proxy['disabledIfsFeature']:
2662 proxyArp.proxy['howtofix'] = proxyArp.proxy['howtofix'].strip().replace('[%ArpifsEnabled]', ", ".join(proxyArp.proxy['disabledIfsFeature']), 1)
2663 else:
2664 proxyArp.proxy['howtofix'] = proxyArp.proxy['howtofix'].strip().replace('[%ArpifsEnabled]', "None", 1)
2665 if proxyArp.proxy['enabledIfsFeature']:
2666 proxyArp.proxy['howtofix'] = proxyArp.proxy['howtofix'].strip().replace('[%ArpifsDisabled]', ", ".join(proxyArp.proxy['enabledIfsFeature']), 1)
2667 else:
2668 proxyArp.proxy['howtofix'] = proxyArp.proxy['howtofix'].strip().replace('[%ArpifsDisabled]', "None", 1)
2669
# NOTE(review): cvssMetrics is only assigned in the must_report branch above; if
# this line is outside that branch it raises NameError when nothing is reported -
# nesting not visible here, confirm.
2670 proxyArp.proxy['cvss'] = cvssMetrics
2671
# Result: definition, threat information and how-to-fix text, or '' when
# must_report is not True.
2672 toBeReturned = ''
2673 if proxyArp.proxy['must_report'] == True:
2674 toBeReturned = proxyArp.proxy['definition'] + '\n' + proxyArp.proxy['threatInfo'] + '\n\n' + proxyArp.proxy['howtofix'] + '\n'
2675
2676 return toBeReturned
2677
"""Assess NTP authentication.

Looks in ``lines`` for 'ntp authenticate' and 'ntp authentication-key' and
stores what is found in ``ntp.authentication``. When either result is None
the finding is loaded from search_xml('ntpAuthentication') and its text
(definition, threat information, how to fix) is returned; otherwise the
result is an empty string.
"""
# Keep the search result for each command; an AttributeError raised by the
# lookup leaves the previously stored value untouched.
for slot, command in (('authenticate', 'ntp authenticate'),
                      ('key', 'ntp authentication-key')):
    try:
        ntp.authentication[slot] = search_string(lines, command)
    except AttributeError:
        pass

# NOTE(review): this is a presence test only. Whether the key is declared as
# trusted and referenced by the configured time sources is not examined here.
authenticate_line = ntp.authentication['authenticate']
if authenticate_line is None or ntp.authentication['key'] is None:
    ntp.authentication['must_report'] = True

# Nothing to report: same empty result the caller gets for a clean config.
if not ntp.authentication['must_report'] == True:
    return ''

# items: 0 fix impact, 1 definition, 2 threat information, 3 how to fix,
# 5 input to cvss_score.
items = search_xml('ntpAuthentication')
cvss_text = str(cvss_score(items[5]))
finding = {
    "must_report": True,
    "fixImpact": items[0],
    "definition": items[1],
    "threatInfo": items[2],
    "howtofix": items[3],
    "cvss": cvss_text,
}
# The stored state is replaced wholesale, so the 'authenticate' and 'key'
# entries are no longer present afterwards.
ntp.authentication = finding

return ''.join((finding['definition'], '\n',
                finding['threatInfo'], '\n\n',
                finding['howtofix'], '\n'))
2708
"""Assess whether packets carrying IP options are dropped.

Stores the result of searching ``lines`` for 'ip options drop' in
``ipoptions.drop['cmdInCfg']``. When that result is None the finding is
loaded from search_xml('IPoptions') and its text is returned; otherwise the
result is an empty string.
"""
try:
    ipoptions.drop['cmdInCfg'] = search_string(lines, 'ip options drop')
except AttributeError:
    # Lookup failed: keep whatever was stored before.
    pass

command_line = ipoptions.drop['cmdInCfg']
if command_line is None:
    ipoptions.drop['must_report'] = True

if not ipoptions.drop['must_report'] == True:
    return ''

# items: 0 fix impact, 1 definition, 2 threat information, 3 how to fix,
# 5 input to cvss_score.
items = search_xml('IPoptions')
cvss_text = str(cvss_score(items[5]))
finding = {
    "must_report": True,
    "fixImpact": items[0],
    "definition": items[1],
    "threatInfo": items[2],
    "howtofix": items[3],
    "cvss": cvss_text,
}
# The stored state is replaced wholesale ('cmdInCfg' is dropped).
ipoptions.drop = finding

return ''.join((finding['definition'], '\n',
                finding['threatInfo'], '\n\n',
                finding['howtofix'], '\n'))
2735
"""Assess whether IPv4 source routing is switched off.

Stores the result of searching ``lines`` for 'no ip source-route' in
``ipsrcroute.drop['cmdInCfg']``. When that result is None the finding is
loaded from search_xml('IPsourceroute') and its text is returned; otherwise
the result is an empty string.
"""
try:
    ipsrcroute.drop['cmdInCfg'] = search_string(lines, 'no ip source-route')
except AttributeError:
    # Lookup failed: keep whatever was stored before.
    pass

command_line = ipsrcroute.drop['cmdInCfg']
if command_line is None:
    ipsrcroute.drop['must_report'] = True

if not ipsrcroute.drop['must_report'] == True:
    return ''

# items: 0 fix impact, 1 definition, 2 threat information, 3 how to fix,
# 5 input to cvss_score.
items = search_xml('IPsourceroute')
cvss_text = str(cvss_score(items[5]))
finding = {
    "must_report": True,
    "fixImpact": items[0],
    "definition": items[1],
    "threatInfo": items[2],
    "howtofix": items[3],
    "cvss": cvss_text,
}
# The stored state is replaced wholesale ('cmdInCfg' is dropped).
ipsrcroute.drop = finding

return ''.join((finding['definition'], '\n',
                finding['threatInfo'], '\n\n',
                finding['howtofix'], '\n'))
2762
"""Assess whether ICMP is filtered by a 'deny icmp any any' entry.

Stores the result of searching ``lines`` for 'deny icmp any any' in
``denyicmp.filtered['cmdInCfg']``. When that result is None the finding is
loaded from search_xml('ICMPdeny') and its text is returned; otherwise the
result is an empty string.
"""
# NOTE(review): the search runs over the whole configuration, so it shows
# that such an entry exists somewhere, not that the access list holding it
# is applied to an interface.
try:
    denyicmp.filtered['cmdInCfg'] = search_string(lines, 'deny icmp any any')
except AttributeError:
    # Lookup failed: keep whatever was stored before.
    pass

entry = denyicmp.filtered['cmdInCfg']
if entry is None:
    denyicmp.filtered['must_report'] = True

if not denyicmp.filtered['must_report'] == True:
    return ''

# items: 0 fix impact, 1 definition, 2 threat information, 3 how to fix,
# 5 input to cvss_score.
items = search_xml('ICMPdeny')
cvss_text = str(cvss_score(items[5]))
finding = {
    "must_report": True,
    "fixImpact": items[0],
    "definition": items[1],
    "threatInfo": items[2],
    "howtofix": items[3],
    "cvss": cvss_text,
}
# The stored state is replaced wholesale ('cmdInCfg' is dropped).
denyicmp.filtered = finding

return ''.join((finding['definition'], '\n',
                finding['threatInfo'], '\n\n',
                finding['howtofix'], '\n'))
2789
"""Assess whether IPv4 fragments are denied for TCP, UDP, ICMP and IP.

For each protocol the result of searching ``lines`` for the matching
'deny <protocol> any any fragments' entry is stored in ``ipfrags.filtered``.
If any of the four results is None the finding is loaded from
search_xml('IPfrags') and its text is returned; otherwise the result is an
empty string.
"""
# NOTE(review): the search runs over the whole configuration, so it shows
# that the entries exist somewhere, not that the access list holding them
# is applied to an interface.
fragment_rules = (
    ('tcp', 'deny tcp any any fragments'),
    ('udp', 'deny udp any any fragments'),
    ('icmp', 'deny icmp any any fragments'),
    ('ip', 'deny ip any any fragments'),
)

# First pass: run every lookup; a failed lookup keeps the previous value.
for proto, rule in fragment_rules:
    try:
        ipfrags.filtered[proto] = search_string(lines, rule)
    except AttributeError:
        pass

# Second pass: one missing entry is enough to report.
for proto, _rule in fragment_rules:
    if ipfrags.filtered[proto] is None:
        ipfrags.filtered['must_report'] = True

if not ipfrags.filtered['must_report'] == True:
    return ''

# items: 0 fix impact, 1 definition, 2 threat information, 3 how to fix,
# 5 input to cvss_score.
items = search_xml('IPfrags')
cvss_text = str(cvss_score(items[5]))
finding = {
    "must_report": True,
    "fixImpact": items[0],
    "definition": items[1],
    "threatInfo": items[2],
    "howtofix": items[3],
    "cvss": cvss_text,
}
# The stored state is replaced wholesale, so the per-protocol results are
# no longer present afterwards.
ipfrags.filtered = finding

return ''.join((finding['definition'], '\n',
                finding['threatInfo'], '\n\n',
                finding['howtofix'], '\n'))
2835
2837 """URPF IPv4 configuration."""
# Purpose: collect in urpf.spoofing['candidates'] the non-Loopback interfaces that
# have an 'ip address' line but no 'ip verify unicast source reachable-via' line,
# and build the finding text from search_xml('urpf').
# NOTE(review): the def line and the indentation are not visible in this listing;
# nesting-dependent remarks below are hedged.
2838 for i in range(0, len(ifaceCfg)):
2839 routedPort = 0
2840 urpfOK = 0
2841 for line in ifaceCfg[i].configuration:
2842 if line.startswith('ip address'):
2843 routedPort = 1
# The uRPF line is only looked for while routedPort is 1, so presumably a verify
# line placed before the 'ip address' line is not counted - confirm.
2844 if routedPort == 1:
# NOTE(review): only the 'reachable-via' form is recognised here; the IPv6 check in
# this file also accepts the 'reverse-path' form of the command.
2845 if line.startswith('ip verify unicast source reachable-via'):
2846 urpfOK = 1
2847 if urpfOK == 0 and routedPort == 1 and 'Loopback' not in ifaceCfg[i].name.strip():
2848 if not ifaceCfg[i].name.strip() in urpf.spoofing['candidates']:
2849 urpf.spoofing['candidates'].append(ifaceCfg[i].name.strip())
2850 urpf.spoofing['must_report'] = True
2851
# Load the finding: items[0] fix impact, items[1] definition, items[2] threat
# information, items[3] how-to-fix template, items[5] input to cvss_score.
2852 if urpf.spoofing['must_report'] == True:
2853 items = search_xml('urpf')
2854 cvssMetrics = str(cvss_score(items[5]))
2855 urpf.spoofing['must_report'] = True
2856 urpf.spoofing['fixImpact'] = items[0]
2857 urpf.spoofing['definition'] = items[1]
2858 urpf.spoofing['threatInfo'] = items[2]
2859 urpf.spoofing['howtofix'] = items[3]
2860 urpf.spoofing['cvss'] = cvssMetrics
2861
# '[%URPFCandidates]' is replaced once with the comma-separated candidate list.
2862 if urpf.spoofing['candidates']:
2863 urpf.spoofing['howtofix'] = urpf.spoofing['howtofix'].strip().replace('[%URPFCandidates]', ", ".join(urpf.spoofing['candidates']), 1)
2864
2865 return urpf.spoofing['definition'] + '\n' + urpf.spoofing['threatInfo'] + '\n\n' + urpf.spoofing['howtofix'] + '\n'
# Unlike most checks in this file, the not-reported path returns a sentence
# rather than an empty string.
2866 else:
2867 return "URPF configuration is OK."
2868
# NOTE(review): the docstring below opens with one double quote and closes with
# three; Python reads that as a string followed by an empty string, so it still
# parses, but the opening was presumably meant to be a triple quote.
2870 "URPF IPv6 configuration."""
# Purpose: collect in urpfv6.spoofing['candidates'] the interfaces that carry
# 'ipv6 enable' but neither 'ipv6 verify unicast source reachable-via (rx|any)'
# nor 'ipv6 verify unicast reverse-path', and build the finding text from
# search_xml('urpfv6').
# NOTE(review): the def line and the indentation are not visible in this listing;
# nesting-dependent remarks below are hedged.
2871 for j in range(0, len(ifaceCfg)):
2872 ipv6enable = False
# Only an exact 'ipv6 enable' line marks an interface as IPv6-enabled.
# NOTE(review): an interface configured with an IPv6 address but without that line
# would presumably be skipped by this check - confirm.
2873 if search_re_string(ifaceCfg[j].configuration, '^ipv6 enable$') is not None:
2874 ipv6enable = True
2875 if ipv6enable == True:
# Despite its name, urpfreachable becomes True when the 'reachable-via' line is
# NOT found (the search result is None).
2876 urpfreachable = False
2877 if search_re_string(ifaceCfg[j].configuration, '^ipv6 verify unicast source reachable-via (rx|any)$') is None:
2878 urpfreachable = True
# Unlike the IPv4 check, there is no Loopback exclusion and no duplicate test
# before the append.
2879 if search_re_string(ifaceCfg[j].configuration, '^ipv6 verify unicast reverse-path$') is None and urpfreachable == True:
2880 urpfv6.spoofing['candidates'].append(ifaceCfg[j].name.strip())
2881 urpfv6.spoofing['must_report'] = True
2882
# Load the finding: items[0] fix impact, items[1] definition, items[2] threat
# information, items[3] how-to-fix template, items[5] input to cvss_score.
2883 if urpfv6.spoofing['must_report'] == True:
2884 items = search_xml('urpfv6')
2885 cvssMetrics = str(cvss_score(items[5]))
2886 urpfv6.spoofing['must_report'] = True
2887 urpfv6.spoofing['fixImpact'] = items[0]
2888 urpfv6.spoofing['definition'] = items[1]
2889 urpfv6.spoofing['threatInfo'] = items[2]
2890 urpfv6.spoofing['howtofix'] = items[3]
2891 urpfv6.spoofing['cvss'] = cvssMetrics
# '[%URPFv6Candidates]' is replaced once with the comma-separated candidate list.
2892 if urpfv6.spoofing['candidates']:
2893 urpfv6.spoofing['howtofix'] = urpfv6.spoofing['howtofix'].strip().replace('[%URPFv6Candidates]', ", ".join(urpfv6.spoofing['candidates']), 1)
2894
2895 return urpfv6.spoofing['definition'] + '\n' + urpfv6.spoofing['threatInfo'] + '\n\n' + urpfv6.spoofing['howtofix'] + '\n'
# The not-reported path returns a sentence rather than an empty string.
2896 else:
2897 return "URPFv6 configuration is OK."
2898
2900 """IPv6 configuration assessment: RH0, traffic filter."""
# Purpose: find an IPv6 access list that denies routing header type 0, list in
# ipv6.rh0['Notfiltered'] the 'ipv6 enable' interfaces that do not apply it
# inbound, check ``lines`` for 'no ipv6 source-route', and build the finding text
# from search_xml('IPv6rh0').
# NOTE(review): the def line and the indentation are not visible in this listing;
# nesting-dependent remarks below are hedged.
2901 denyRH0 = (None)
2902 ACLv6name = (None)
2903 for i in range(0, len(aclIPv6)):
2904 denyRH0 = search_re_string(aclIPv6[i].configuration, '^deny ipv6 .* routing-type 0$')
2905 if denyRH0 is not None:
2906 ACLv6name = aclIPv6[i].name
2907 for j in range(0, len(ifaceCfg)):
2908 ipv6enable = False
2909 if search_re_string(ifaceCfg[j].configuration, '^ipv6 enable$') is not None:
2910 ipv6enable = True
# NOTE(review): ACLv6name is None until an access list with the RH0 deny entry has
# been seen. If this line can run before that, ACLv6name.strip() raises
# AttributeError; if it only runs after a match, a configuration with no such
# access list leaves 'Notfiltered' empty and nothing is reported below even when
# 'no ipv6 source-route' is absent. Either way the no-matching-ACL case needs an
# explicit branch - confirm against the original indentation.
# NOTE(review): the ACL name is placed into the regular expression unescaped; a
# name containing pattern characters would change what is matched.
2911 if search_re_string(ifaceCfg[j].configuration, '^ipv6 traffic-filter '+ ACLv6name.strip() +' in$') is None and ipv6enable == True:
2912 ipv6.rh0['Notfiltered'].append(ifaceCfg[j].name.strip())
2913
2914
# Global switch: an AttributeError from the lookup leaves the stored value as it was.
2915 try:
2916 ipv6.rh0['cmdInCfg'] = search_string(lines, 'no ipv6 source-route')
2917 except AttributeError:
2918 pass
2919
# Report only when the global command is missing AND at least one interface was
# recorded as not filtered.
2920 if ipv6.rh0['cmdInCfg'] is None:
2921 if len(ipv6.rh0['Notfiltered']) >= 1:
2922 ipv6.rh0['must_report'] = True
2923
# Load the finding: items[0] fix impact, items[1] definition, items[2] threat
# information, items[3] how to fix, items[5] input to cvss_score. The stored
# state is replaced wholesale, so the 'Notfiltered' interface list is not part
# of the result.
2924 if ipv6.rh0['must_report'] == True:
2925 items = search_xml('IPv6rh0')
2926 cvssMetrics = str(cvss_score(items[5]))
2927 ipv6.rh0 = {
2928 "must_report": True,
2929 "fixImpact": (items[0]),
2930 "definition": (items[1]),
2931 "threatInfo": (items[2]),
2932 "howtofix": (items[3]),
2933 "cvss": (cvssMetrics)}
2934
# Result: definition, threat information and how-to-fix text, or '' when
# must_report is not True.
2935 toBeReturned = ''
2936 if ipv6.rh0['must_report'] == True:
2937 toBeReturned = ipv6.rh0['definition'] + '\n' + ipv6.rh0['threatInfo'] + '\n\n' + ipv6.rh0['howtofix'] + '\n'
2938
2939 return toBeReturned
2940
"""Assess IPsec call admission control.

Two settings are checked in ``lines``: the IKE SA limit
('crypto call admission limit ike sa ...', state in ``ipsec.cac_ike``) and
the resource limit ('call admission limit ...', state in ``ipsec.cac_rsc``).
For each setting whose search result is None, the matching finding is loaded
from search_xml. Returns the text of the reported findings, IKE first, or an
empty string when neither is reported.
"""
# (state attribute on ipsec, pattern searched in lines, search_xml key)
admission_checks = (
    ('cac_ike', '^crypto call admission limit ike sa .*$', 'IPSECcac_ike'),
    ('cac_rsc', '^call admission limit .*$', 'IPSECcac_rsc'),
)

# Phase 1: run both lookups; a failed lookup keeps the previous value.
for attr, pattern, _xml_key in admission_checks:
    try:
        getattr(ipsec, attr)['cmdInCfg'] = search_re_string(lines, pattern)
    except AttributeError:
        pass

# Phase 2: a missing command raises the report flag for that setting.
for attr, _pattern, _xml_key in admission_checks:
    if getattr(ipsec, attr)['cmdInCfg'] is None:
        getattr(ipsec, attr)['must_report'] = True

# Phase 3: load the finding for each flagged setting. items: 0 fix impact,
# 1 definition, 2 threat information, 3 how to fix, 5 input to cvss_score.
# The stored state is replaced wholesale ('cmdInCfg' is dropped).
for attr, _pattern, xml_key in admission_checks:
    if getattr(ipsec, attr)['must_report'] == True:
        items = search_xml(xml_key)
        cvss_text = str(cvss_score(items[5]))
        setattr(ipsec, attr, {
            "must_report": True,
            "fixImpact": items[0],
            "definition": items[1],
            "threatInfo": items[2],
            "howtofix": items[3],
            "cvss": cvss_text,
        })

# Phase 4: assemble the text of every reported finding.
report_parts = []
for attr, _pattern, _xml_key in admission_checks:
    finding = getattr(ipsec, attr)
    if finding['must_report'] == True:
        report_parts.append(
            finding['definition'] + '\n'
            + finding['threatInfo'] + '\n\n'
            + finding['howtofix'] + '\n')

return ''.join(report_parts)
2988
"""Assess whether use of the Tcl shell is covered by an event pattern.

Stores the result of searching ``lines`` for a line matching
'event cli pattern "tclsh" ...' in ``tclsh.shell['cmdInCfg']``. When that
result is None the finding is loaded from search_xml('tclsh') and its text
is returned; otherwise the result is an empty string.
"""
# NOTE(review): only the presence of the pattern line is tested; what the
# surrounding applet does when the pattern fires is not examined here.
try:
    tclsh.shell['cmdInCfg'] = search_re_string(lines, '^event cli pattern \"tclsh\" .*$')
except AttributeError:
    # Lookup failed: keep whatever was stored before.
    pass

pattern_line = tclsh.shell['cmdInCfg']
if pattern_line is None:
    tclsh.shell['must_report'] = True

if not tclsh.shell['must_report'] == True:
    return ''

# items: 0 fix impact, 1 definition, 2 threat information, 3 how to fix,
# 5 input to cvss_score.
items = search_xml('tclsh')
cvss_text = str(cvss_score(items[5]))
finding = {
    "must_report": True,
    "fixImpact": items[0],
    "definition": items[1],
    "threatInfo": items[2],
    "howtofix": items[3],
    "cvss": cvss_text,
}
# The stored state is replaced wholesale ('cmdInCfg' is dropped).
tclsh.shell = finding

return ''.join((finding['definition'], '\n',
                finding['threatInfo'], '\n\n',
                finding['howtofix'], '\n'))
3015
3016
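"""Assess the TCP SYN wait timer ('ip tcp synwait-time').

Stores the result of searching ``lines`` for 'ip tcp synwait-time ...' in
``tcp.synwait['cmdInCfg']``. The finding is reported when the command is
absent or when the configured value is above 15; a value of 15 or less
clears the report flag. Returns the finding text (definition, threat
information, how to fix) or an empty string.
"""
try:
    tcp.synwait['cmdInCfg'] = search_re_string(lines, '^ip tcp synwait-time .*$')
except AttributeError:
    # Lookup failed: keep whatever was stored before.
    pass

matched_line = tcp.synwait['cmdInCfg']
if matched_line is None:
    tcp.synwait['must_report'] = True
else:
    # The timer is the fourth field of the matched line stored under
    # 'cmdInCfg'. tcp.synwait itself is a dict and has no split(), so the
    # value has to be read from the stored line, not from the dict.
    # presumably search_re_string returns the matched line as text - confirm.
    fields = matched_line.split()
    try:
        seconds = int(fields[3])
    except (IndexError, ValueError):
        # No usable number after the command: report it instead of aborting
        # the whole assessment on a malformed line.
        seconds = None
    tcp.synwait['must_report'] = seconds is None or seconds > 15

if not tcp.synwait['must_report'] == True:
    return ''

# items: 0 fix impact, 1 definition, 2 threat information, 3 how to fix,
# 5 input to cvss_score.
items = search_xml('tcpsynwait')
cvss_text = str(cvss_score(items[5]))
finding = {
    "must_report": True,
    "fixImpact": items[0],
    "definition": items[1],
    "threatInfo": items[2],
    "howtofix": items[3],
    "cvss": cvss_text,
}
# The stored state is replaced wholesale ('cmdInCfg' is dropped).
tcp.synwait = finding

return ''.join((finding['definition'], '\n',
                finding['threatInfo'], '\n\n',
                finding['howtofix'], '\n'))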
3049
3051 """Netflow configuration assessment."""
# Purpose: when at least one interface has 'ip flow ingress' or 'ip flow egress',
# check ``lines`` for seven 'ip flow-capture' options and build the finding text
# from search_xml('netflowV9') if any of them is missing.
# Only the capture options are examined; nothing else about the flow setup is read here.
# NOTE(review): the def line and the indentation are not visible in this listing;
# nesting-dependent remarks below are hedged.
3052
3053 for j in range(0, len(ifaceCfg)):
3054 if search_re_string(ifaceCfg[j].configuration, '^ip flow (ingress|egress)$') is not None:
3055 netflow.v9_security['interfacegress'] = True
3056
# Each lookup stores its result under its own key; an AttributeError from the
# lookup leaves the stored value as it was.
3057 if netflow.v9_security['interfacegress'] == True:
3058 try:
3059 netflow.v9_security['fragoffset'] = search_re_string(lines, '^ip flow-capture fragment-offset$')
3060 except AttributeError:
3061 pass
3062 try:
3063 netflow.v9_security['icmp'] = search_re_string(lines, '^ip flow-capture icmp$')
3064 except AttributeError:
3065 pass
3066 try:
3067 netflow.v9_security['ipid'] = search_re_string(lines, '^ip flow-capture ip-id$')
3068 except AttributeError:
3069 pass
3070 try:
3071 netflow.v9_security['macaddr'] = search_re_string(lines, '^ip flow-capture mac-addresses$')
3072 except AttributeError:
3073 pass
3074 try:
3075 netflow.v9_security['packetlen'] = search_re_string(lines, '^ip flow-capture packet-length$')
3076 except AttributeError:
3077 pass
3078 try:
3079 netflow.v9_security['ttl'] = search_re_string(lines, '^ip flow-capture ttl$')
3080 except AttributeError:
3081 pass
3082 try:
3083 netflow.v9_security['vlid'] = search_re_string(lines, '^ip flow-capture vlan-id$')
3084 except AttributeError:
3085 pass
3086
# One missing capture option is enough to report.
# NOTE(review): if this test is not nested under the interface check above, it
# would presumably report whenever an option is unset, even with no interface
# exporting flows - nesting not visible here, confirm.
3087 if ( (netflow.v9_security['fragoffset'] is None) or (netflow.v9_security['icmp'] is None) or (netflow.v9_security['ipid'] is None) or (netflow.v9_security['macaddr'] is None) or (netflow.v9_security['packetlen'] is None) or (netflow.v9_security['ttl'] is None) or (netflow.v9_security['vlid'] is None) ):
3088 netflow.v9_security['must_report'] = True
3089
# Load the finding: items[0] fix impact, items[1] definition, items[2] threat
# information, items[5] input to cvss_score. The two branches differ only in the
# how-to-fix text: items[3] for versions at or above 12.42, items[4] below.
# The stored state is replaced wholesale, so the per-option results are dropped.
3090 if netflow.v9_security['must_report'] == True:
3091 items = search_xml('netflowV9')
# NOTE(review): assumes __builtin__.iosVersion is a number; its type is set
# outside this block - confirm, since a version kept as text would not compare
# numerically with 12.42.
3092 if __builtin__.iosVersion >= 12.42:
3093 cvssMetrics = str(cvss_score(items[5]))
3094 netflow.v9_security = {
3095 "must_report": True,
3096 "fixImpact": (items[0]),
3097 "definition": (items[1]),
3098 "threatInfo": (items[2]),
3099 "howtofix": (items[3]),
3100 "cvss": (cvssMetrics)}
3101 else:
3102
3103 cvssMetrics = str(cvss_score(items[5]))
3104 netflow.v9_security = {
3105 "must_report": True,
3106 "fixImpact": (items[0]),
3107 "definition": (items[1]),
3108 "threatInfo": (items[2]),
3109 "howtofix": (items[4]),
3110 "cvss": (cvssMetrics)}
3111
# Result: definition, threat information and how-to-fix text, or '' when
# must_report is not True.
3112 toBeReturned = ''
3113 if netflow.v9_security['must_report'] == True:
3114 toBeReturned = netflow.v9_security['definition'] + '\n' + netflow.v9_security['threatInfo'] + '\n\n' + netflow.v9_security['howtofix'] + '\n'
3115
3116 return toBeReturned
3117
"""QoS configuration assessment (not ready).

Placeholder: no configuration is examined and the result is always an
empty string, so no QoS finding is ever reported.
"""
return ''
3122