
Source Code for Module routerdefense.engines.layer2

  1  # -*- coding: iso-8859-1 -*- 
  2   
  # Module metadata: docstring markup understood by epydoc, and the VCS
  # keyword that records this file's revision id.
  3  __docformat__ = 'restructuredtext' 
  4  __version__ = '$Id$' 
  5   
  6  import __builtin__ 
  7  from routerdefense.common import * 
  8   
  9  from xml import * 
 10   
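def _port_security_finding(xml_key, candidates):
    """Build the report entry for one port-security check.

    ``search_xml`` returns the finding's text fields for *xml_key*: index 3
    is the how-to-fix template, whose ``[%interface]`` marker is replaced
    once with the comma-joined *candidates*, and index 5 is handed to
    ``cvss_score``.  What the remaining indexes hold is taken from the
    original dict layout (fixImpact, definition, threatInfo).
    """
    items = search_xml(xml_key)
    return {
        "candidates": candidates,
        "must_report": True,
        "fixImpact": items[0],
        "definition": items[1],
        "threatInfo": items[2],
        "howtofix": items[3].strip().replace('[%interface]', ", ".join(candidates), 1),
        "cvss": str(cvss_score(items[5])),
    }


def _port_security_text(finding):
    """Render one reported finding as its definition / threat / fix block."""
    return (finding['definition'] + '\n' + finding['threatInfo'] + '\n\n'
            + finding['howtofix'] + '\n')


def engine_port_security(lines, portsecurity, ifaceCfg):
    """Port security configuration.

    Records, for every interface in ``ifaceCfg``, which ``switchport
    port-security`` commands are missing and fills the matching
    ``portsecurity`` sections from the findings XML.

    :param lines: full device configuration; not used by this engine, kept
        for signature parity with the other engines.
    :param portsecurity: object whose ``violation``, ``sticky``,
        ``maximum_total``, ``maximum_access`` and ``maximum_voice``
        attributes are dicts holding at least ``candidates`` (list) and
        ``must_report`` (bool).  Reported sections are replaced wholesale
        by the dict built in ``_port_security_finding``.
    :param ifaceCfg: interface objects exposing ``name`` and
        ``configuration`` (an iterable of that interface's config lines).
    :return: concatenated report text of every reported section, ``''``
        when nothing was reported.
    """
    for iface in ifaceCfg:
        cfg = iface.configuration
        name = iface.name.strip()

        # Per-VLAN maximums only make sense where an access / voice VLAN
        # is configured.  search_re_string is assumed to apply re.search
        # to each line and return None on no match (its anchored use a few
        # lines below relies on that too).
        if search_re_string(cfg, '^switchport access vlan .*$') is not None:
            if search_re_string(cfg, 'switchport port-security maximum .* vlan access') is None:
                portsecurity.maximum_access['candidates'].append(name)
                portsecurity.maximum_access['must_report'] = True
        if search_re_string(cfg, '^switchport voice vlan .*$') is not None:
            if search_re_string(cfg, 'switchport port-security maximum .* vlan voice') is None:
                portsecurity.maximum_voice['candidates'].append(name)
                portsecurity.maximum_voice['must_report'] = True

        # SVIs and loopbacks are not switchports.  The original test,
        # `not 'Vlan' or not 'Loopback' in name`, excluded only loopbacks:
        # `not 'Vlan'` is always False, so Vlan interfaces were reported.
        if 'Vlan' in name or 'Loopback' in name:
            continue

        # Each command is looked for in the whole interface stanza.  The
        # original tested line by line (flagging the interface as soon as
        # one line was not the command) and stopped at `switchport mode
        # access`, before the port-security lines usually appear.
        checks = (
            (portsecurity.violation, 'switchport port-security violation'),
            (portsecurity.sticky, 'switchport port-security mac-address sticky'),
            (portsecurity.maximum_total, '^switchport port-security maximum .*$'),
        )
        for section, pattern in checks:
            if search_re_string(cfg, pattern) is None and name not in section['candidates']:
                section['candidates'].append(name)
                section['must_report'] = True

    # Each section's how-to-fix names that section's own candidates; the
    # original substituted the violation list into all five templates.
    if portsecurity.violation['must_report']:
        portsecurity.violation = _port_security_finding(
            'portsecurityViolation', portsecurity.violation['candidates'])
    if portsecurity.sticky['must_report']:
        portsecurity.sticky = _port_security_finding(
            'portsecuritySticky', portsecurity.sticky['candidates'])
    if portsecurity.maximum_total['must_report']:
        portsecurity.maximum_total = _port_security_finding(
            'portsecurityMaximumTotal', portsecurity.maximum_total['candidates'])
    if portsecurity.maximum_access['must_report']:
        portsecurity.maximum_access = _port_security_finding(
            'portsecurityMaximumAccess', portsecurity.maximum_access['candidates'])
    if portsecurity.maximum_voice['must_report']:
        portsecurity.maximum_voice = _port_security_finding(
            'portsecurityMaximumVoice', portsecurity.maximum_voice['candidates'])

    # Report order is the one the original used (sticky before violation).
    toBeReturned = ''
    for section in (portsecurity.sticky, portsecurity.violation,
                    portsecurity.maximum_total, portsecurity.maximum_access,
                    portsecurity.maximum_voice):
        if section['must_report']:
            toBeReturned += _port_security_text(section)
    return toBeReturned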
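def _layer2_finding(xml_key, candidates=None):
    """Build the report entry for one layer-2 check from the findings XML.

    ``search_xml`` returns the finding's text fields for *xml_key*; index 5
    is handed to ``cvss_score``.  ``candidates`` is stored only for the
    per-interface checks, mirroring the two dict shapes the original built
    by hand.
    """
    items = search_xml(xml_key)
    finding = {
        "must_report": True,
        "fixImpact": items[0],
        "definition": items[1],
        "threatInfo": items[2],
        "howtofix": items[3],
        "cvss": str(cvss_score(items[5])),
    }
    if candidates is not None:
        finding["candidates"] = candidates
    return finding


def _layer2_text(finding):
    """Render one reported finding as its definition / threat / fix block."""
    return (finding['definition'] + '\n' + finding['threatInfo'] + '\n\n'
            + finding['howtofix'] + '\n')


def engine_layer2(lines, level2protocols, ifaceCfg):
    """Level 2 protocols configuration assessment: spanning-tree, dot1x, flow-control, unused ports, UDLD.

    :param lines: full device configuration (iterable of lines).
    :param level2protocols: object whose ``bpdu_guard``, ``dot1x``,
        ``nonegotiate``, ``vlan_1``, ``flowcontrol``, ``unused_ports``,
        ``udld``, ``vtp_secure`` and ``stp_root`` attributes are dicts with
        a ``must_report`` flag (plus a ``candidates`` list for the
        per-interface checks).  ``stp_root`` and ``vtp_secure`` are only
        read here; whatever sets them lives elsewhere.
    :param ifaceCfg: interface objects exposing ``name`` and ``configuration``.
    :return: concatenated report text of every reported section, ``''``
        when nothing was reported.
    """
    # The VTP check the original carried as commented-out code is still
    # disabled; vtp_secure is only consulted when rendering the report.
    device_type = __builtin__.deviceType

    if device_type != 'router' and search_re_string(lines, '^spanning-tree portfast bpdu_guard default$') is None:
        level2protocols.bpdu_guard['must_report'] = True

    if device_type == 'switch' and search_re_string(lines, '^dot1x system-auth-control$') is None:
        level2protocols.dot1x['must_report'] = True

    for iface in ifaceCfg:
        cfg = iface.configuration
        name = iface.name.strip()
        is_physical = 'Loopback' not in name and 'Vlan' not in name

        # Ports with a fixed mode should also have DTP turned off.
        if search_re_string(cfg, '^switchport mode (access|trunk)$') is not None:
            if search_re_string(cfg, '^switchport nonegotiate$') is None:
                level2protocols.nonegotiate['candidates'].append(name)
                level2protocols.nonegotiate['must_report'] = True

        # Evaluated on its own: the original hung this on an `elif`, so a
        # port that also carried `switchport mode ...` never reached it.
        if search_re_string(cfg, '^switchport access vlan 1$') is not None:
            level2protocols.vlan_1['candidates'].append(name)
            level2protocols.vlan_1['must_report'] = True

        if is_physical and search_re_string(cfg, '^flowcontrol receive off$') is None:
            level2protocols.flowcontrol['candidates'].append(name)
            level2protocols.flowcontrol['must_report'] = True

        # On switches a shut port is expected to be parked in VLAN 999.
        if (device_type == 'switch'
                and search_re_string(cfg, '^shutdown$') is not None
                and search_re_string(cfg, '^switchport access vlan 999$') is None):
            level2protocols.unused_ports['candidates'].append(name)
            level2protocols.unused_ports['must_report'] = True

    try:
        level2protocols.udld['cmdInCfg'] = search_string(lines, 'no udld enable')
    except AttributeError:
        # Kept from the original: search_string may raise on this input
        # shape, in which case cmdInCfg is left as it was.
        pass

    # NOTE(review): reports when 'no udld enable' is absent; confirm this
    # polarity against the udld finding text before relying on it.
    if level2protocols.udld.get('cmdInCfg') is None:
        level2protocols.udld['must_report'] = True

    # (attribute, XML key, per-interface) in the original's order.
    findings = (
        ('nonegotiate', 'nonegotiate', True),
        ('flowcontrol', 'flowcontrol', True),
        ('udld', 'udld', False),
        ('vlan_1', 'vlan_1', True),
        ('unused_ports', 'unused_ports', True),
        ('bpdu_guard', 'bpduguard', False),
        ('stp_root', 'stproot', False),
        ('dot1x', 'dot1x', False),
    )
    for attr, xml_key, per_interface in findings:
        section = getattr(level2protocols, attr)
        if section['must_report']:
            candidates = section['candidates'] if per_interface else None
            setattr(level2protocols, attr, _layer2_finding(xml_key, candidates))

    toBeReturned = ''
    for attr in ('nonegotiate', 'flowcontrol', 'udld', 'vlan_1', 'unused_ports',
                 'vtp_secure', 'bpdu_guard', 'stp_root', 'dot1x'):
        section = getattr(level2protocols, attr)
        if section['must_report']:
            toBeReturned += _layer2_text(section)
    return toBeReturned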
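def engine_cdp(cdpConfiguration, fullConfig, ifaceCfg):
    """CDP services assessment.

    :param cdpConfiguration: object whose ``cdp`` attribute is a dict with
        ``disabledIfsCdp`` and ``enabledIfsCdp`` lists; ``globalCdp``,
        ``must_report`` and the report fields are written into it.
    :param fullConfig: iterable of global configuration lines.
    :param ifaceCfg: interface objects exposing ``name`` and ``configuration``.
    :return: the CDP report text built from ``definition``, ``threatInfo``
        and ``howtofix``.  NOTE(review): as in the original it is built even
        when nothing was reported, so those keys must already exist in the
        dict — confirm against the caller.
    """
    cdp = cdpConfiguration.cdp

    # Last global statement wins; with no statement at all CDP is recorded
    # as off (the original's default — platform defaults are not modelled).
    global_cdp = False
    for line in fullConfig:
        if line == 'cdp run':
            global_cdp = True
        elif line == 'no cdp run':
            global_cdp = False
    cdp['globalCdp'] = global_cdp

    for iface in ifaceCfg:
        name = iface.name.strip()
        # SVIs and loopbacks are neither listed as enabled nor as disabled.
        if 'Loopback' in name or 'Vlan' in name:
            continue
        # Decided per interface: the original set its flag once for the
        # whole loop, so after the first `no cdp enable` every later
        # interface was silently dropped from enabledIfsCdp.
        disabled_here = any(line == 'no cdp enable' for line in iface.configuration)
        if disabled_here:
            cdp['disabledIfsCdp'].append(name)
        else:
            cdp['enabledIfsCdp'].append(name)

    if cdp['globalCdp'] or cdp['enabledIfsCdp']:
        items = search_xml('serviceCDP')
        cdp['must_report'] = True
        cdp['fixImpact'] = items[0]
        cdp['definition'] = items[1]
        cdp['threatInfo'] = items[2]
        # Each marker is substituted once with the comma-joined list.
        howtofix = items[3].strip().replace('[%CdpifsEnabled]', ", ".join(cdp['enabledIfsCdp']), 1)
        howtofix = howtofix.strip().replace('[%CdpifsDisabled]', ", ".join(cdp['disabledIfsCdp']), 1)
        cdp['howtofix'] = howtofix
        cdp['cvss'] = str(cvss_score(items[5]))

    return cdp['definition'] + '\n' + cdp['threatInfo'] + '\n\n' + cdp['howtofix'] + '\n'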
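def _lldp_report(lldpConfiguration):
    """Fill ``lldpConfiguration.lldp`` from the serviceLLDP finding and return its text.

    Every ``[%...]`` marker in the how-to-fix template is replaced once with
    the comma-joined interface list, or with ``"None"`` when that list is
    empty.  Index 5 of the XML fields is handed to ``cvss_score``.
    """
    lldp = lldpConfiguration.lldp
    items = search_xml('serviceLLDP')
    lldp['must_report'] = True
    lldp['fixImpact'] = items[0]
    lldp['definition'] = items[1]
    lldp['threatInfo'] = items[2]
    howtofix = items[3]
    substitutions = (
        ('[%LldpEnabledTx]', lldp['enabledTransmitLldp']),
        ('[%LldpEnabledRx]', lldp['enabledReceiveLldp']),
        ('[%LldpifsDisabled]', lldp['disabledIfsLldp']),
    )
    for marker, names in substitutions:
        howtofix = howtofix.strip().replace(marker, ", ".join(names) if names else "None", 1)
    lldp['howtofix'] = howtofix
    lldp['cvss'] = str(cvss_score(items[5]))
    return lldp['definition'] + '\n' + lldp['threatInfo'] + '\n\n' + lldp['howtofix'] + '\n'


def engine_lldp(lldpConfiguration, fullConfig, ifaceCfg):
    """LLDP services assessment.

    :param lldpConfiguration: object whose ``lldp`` attribute is a dict with
        ``enabledTransmitLldp``, ``enabledReceiveLldp`` and
        ``disabledIfsLldp`` lists; ``globalLldp``, ``must_report`` and the
        report fields are written into it.
    :param fullConfig: iterable of global configuration lines.
    :param ifaceCfg: interface objects exposing ``name`` and ``configuration``.
    :return: the LLDP report text, or ``'LLDP is OK.'`` when LLDP is off
        everywhere or the IOS version is below the threshold.
    """
    lldp = lldpConfiguration.lldp

    # Last global statement wins; with no statement at all LLDP is assumed
    # on (the original's default).
    global_lldp = True
    for line in fullConfig:
        if line in ('lldp run global', 'lldp run'):
            global_lldp = True
        elif line in ('no lldp run global', 'no lldp run'):
            global_lldp = False
    lldp['globalLldp'] = global_lldp

    for iface in ifaceCfg:
        name = iface.name.strip()
        # SVIs and loopbacks are not listed in any of the three buckets.
        if 'Loopback' in name or 'Vlan' in name:
            continue
        transmit = not any(line == 'no lldp transmit' for line in iface.configuration)
        receive = not any(line == 'no lldp receive' for line in iface.configuration)
        if transmit:
            lldp['enabledTransmitLldp'].append(name)
        if receive:
            lldp['enabledReceiveLldp'].append(name)
        if not transmit and not receive:
            lldp['disabledIfsLldp'].append(name)

    if not (lldp['globalLldp'] or lldp['enabledTransmitLldp'] or lldp['enabledReceiveLldp']):
        return 'LLDP is OK.'

    # Unknown version is tested first: `None >= 12.237` raises TypeError on
    # Python 3 (and is always False on Python 2, which is how the original
    # reached its identical `elif` branch).  12.237 is the original's
    # threshold, presumably encoding IOS 12.2(37).
    ios_version = __builtin__.iosVersion
    if ios_version is None or ios_version >= 12.237:
        return _lldp_report(lldpConfiguration)
    return 'LLDP is OK.'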