# Docstrings in this module use reStructuredText markup (``__docformat__``
# is the hint read by docstring tools).
__docformat__ = "restructuredtext"
# ``$Id$`` is presumably a version-control keyword (SVN/CVS-style expansion
# on checkout); it is kept as the literal placeholder here.
__version__ = "$Id$"
5
6 import __builtin__
7 from routerdefense.common import *
8
9 from xml import *
10
12 """Port security configuration."""
13 for i in range(0, len(ifaceCfg)):
14 if search_re_string(ifaceCfg[i].configuration, '^switchport access vlan .*$') is not None:
15 if search_re_string(ifaceCfg[i].configuration,'switchport port-security maximum .* vlan access') is None:
16 portsecurity.maximum_access['candidates'].append(ifaceCfg[i].name.strip())
17 portsecurity.maximum_access['must_report'] = True
18 if search_re_string(ifaceCfg[i].configuration, '^switchport voice vlan .*$') is not None:
19 if search_re_string(ifaceCfg[i].configuration,'switchport port-security maximum .* vlan voice') is None:
20 portsecurity.maximum_voice['candidates'].append(ifaceCfg[i].name.strip())
21 portsecurity.maximum_voice['must_report'] = True
22 for line in ifaceCfg[i].configuration:
23 if line.find('switchport mode access') != -1:
24 break
25 if line.find('switchport port-security violation') == -1:
26 if not ifaceCfg[i].name.strip() in portsecurity.violation['candidates']:
27 if not 'Vlan' or not 'Loopback' in ifaceCfg[i].name.strip():
28 portsecurity.violation['candidates'].append(ifaceCfg[i].name.strip())
29 portsecurity.violation['must_report'] = True
30 if line.find('switchport port-security mac-address sticky') == -1:
31 if not ifaceCfg[i].name.strip() in portsecurity.sticky['candidates']:
32 if not 'Vlan' or not 'Loopback' in ifaceCfg[i].name.strip():
33 portsecurity.sticky['candidates'].append(ifaceCfg[i].name.strip())
34 portsecurity.sticky['must_report'] = True
35 if re.search('^switchport port-security maximum .*$', line) is None:
36 if not ifaceCfg[i].name.strip() in portsecurity.maximum_total['candidates']:
37 if not 'Vlan' or not 'Loopback' in ifaceCfg[i].name.strip():
38 portsecurity.maximum_total['candidates'].append(ifaceCfg[i].name.strip())
39 portsecurity.maximum_total['must_report'] = True
42 if portsecurity.violation['must_report'] == True:
43 items = search_xml('portsecurityViolation')
44 cvssMetrics = str(cvss_score(items[5]))
45 portsecurity.violation = {
46 "candidates": portsecurity.violation['candidates'],
47 "must_report": True,
48 "fixImpact": (items[0]),
49 "definition": (items[1]),
50 "threatInfo": (items[2]),
51 "howtofix": (items[3].strip().replace('[%interface]', ", ".join(portsecurity.violation['candidates']), 1)),
52 "cvss": (cvssMetrics)}
53
54 if portsecurity.sticky['must_report'] == True:
55 items = search_xml('portsecuritySticky')
56 cvssMetrics = str(cvss_score(items[5]))
57 portsecurity.sticky = {
58 "candidates": portsecurity.sticky['candidates'],
59 "must_report": True,
60 "fixImpact": (items[0]),
61 "definition": (items[1]),
62 "threatInfo": (items[2]),
63 "howtofix": (items[3].strip().replace('[%interface]', ", ".join(portsecurity.violation['candidates']), 1)),
64 "cvss": (cvssMetrics)}
65
66 if portsecurity.maximum_total['must_report'] == True:
67 items = search_xml('portsecurityMaximumTotal')
68 cvssMetrics = str(cvss_score(items[5]))
69 portsecurity.maximum_total = {
70 "candidates": portsecurity.maximum_total['candidates'],
71 "must_report": True,
72 "fixImpact": (items[0]),
73 "definition": (items[1]),
74 "threatInfo": (items[2]),
75 "howtofix": (items[3].strip().replace('[%interface]', ", ".join(portsecurity.violation['candidates']), 1)),
76 "cvss": (cvssMetrics)}
77
78 if portsecurity.maximum_access['must_report'] == True:
79 items = search_xml('portsecurityMaximumAccess')
80 cvssMetrics = str(cvss_score(items[5]))
81 portsecurity.maximum_access = {
82 "candidates": portsecurity.maximum_access['candidates'],
83 "must_report": True,
84 "fixImpact": (items[0]),
85 "definition": (items[1]),
86 "threatInfo": (items[2]),
87 "howtofix": (items[3].strip().replace('[%interface]', ", ".join(portsecurity.violation['candidates']), 1)),
88 "cvss": (cvssMetrics)}
89
90 if portsecurity.maximum_voice['must_report'] == True:
91 items = search_xml('portsecurityMaximumVoice')
92 cvssMetrics = str(cvss_score(items[5]))
93 portsecurity.maximum_voice = {
94 "candidates": portsecurity.maximum_voice['candidates'],
95 "must_report": True,
96 "fixImpact": (items[0]),
97 "definition": (items[1]),
98 "threatInfo": (items[2]),
99 "howtofix": (items[3].strip().replace('[%interface]', ", ".join(portsecurity.violation['candidates']), 1)),
100 "cvss": (cvssMetrics)}
101
102 toBeReturned = ''
103 if portsecurity.sticky['must_report'] == True:
104 toBeReturned = portsecurity.sticky['definition'] + '\n' + portsecurity.sticky['threatInfo'] + '\n\n' + portsecurity.sticky['howtofix'] + '\n'
105 if portsecurity.violation['must_report'] == True:
106 toBeReturned = toBeReturned + portsecurity.violation['definition'] + '\n' + portsecurity.violation['threatInfo'] + '\n\n' + portsecurity.violation['howtofix'] + '\n'
107 if portsecurity.maximum_total['must_report'] == True:
108 toBeReturned = toBeReturned + portsecurity.maximum_total['definition'] + '\n' + portsecurity.maximum_total['threatInfo'] + '\n\n' + portsecurity.maximum_total['howtofix'] + '\n'
109 if portsecurity.maximum_access['must_report'] == True:
110 toBeReturned = toBeReturned + portsecurity.maximum_access['definition'] + '\n' + portsecurity.maximum_access['threatInfo'] + '\n\n' + portsecurity.maximum_access['howtofix'] + '\n'
111 if portsecurity.maximum_voice['must_report'] == True:
112 toBeReturned = toBeReturned + portsecurity.maximum_voice['definition'] + '\n' + portsecurity.maximum_voice['threatInfo'] + '\n\n' + portsecurity.maximum_voice['howtofix'] + '\n'
113
114 return toBeReturned
115
117 """Level 2 protocols configuration assessment: spanning-tree, dot1x, flow-control, unused ports, UDLD."""
123 if __builtin__.deviceType != 'router' and search_re_string(lines,'^spanning-tree portfast bpdu_guard default$') is None:
124 level2protocols.bpdu_guard['must_report'] = True
125
126 if __builtin__.deviceType == 'switch' and search_re_string(lines,'^dot1x system-auth-control$') is None:
127 level2protocols.dot1x['must_report'] = True
128
129 for i in range(0, len(ifaceCfg)):
130 if search_re_string(ifaceCfg[i].configuration, '^switchport mode (access|trunk)$') is not None:
131 if search_re_string(ifaceCfg[i].configuration,'^switchport nonegotiate$') is None:
132 level2protocols.nonegotiate['candidates'].append(ifaceCfg[i].name.strip())
133 level2protocols.nonegotiate['must_report'] = True
134 elif search_re_string(ifaceCfg[i].configuration,'^switchport access vlan 1$') is not None:
135 level2protocols.vlan_1['candidates'].append(ifaceCfg[i].name.strip())
136 level2protocols.vlan_1['must_report'] = True
137
138 if search_re_string(ifaceCfg[i].configuration, '^flowcontrol receive off$') is None:
139 if not 'Loopback' in ifaceCfg[i].name.strip() and not 'Vlan' in ifaceCfg[i].name.strip():
140 level2protocols.flowcontrol['candidates'].append(ifaceCfg[i].name.strip())
141 level2protocols.flowcontrol['must_report'] = True
142
143 if search_re_string(ifaceCfg[i].configuration, '^shutdown$') is not None:
144 if search_re_string(ifaceCfg[i].configuration,'^switchport access vlan 999$') is None:
145 if __builtin__.deviceType == 'switch':
146 level2protocols.unused_ports['candidates'].append(ifaceCfg[i].name.strip())
147 level2protocols.unused_ports['must_report'] = True
148
149 try:
150 level2protocols.udld['cmdInCfg'] = search_string(lines, 'no udld enable')
151 except AttributeError:
152 pass
153
154 if level2protocols.udld['cmdInCfg'] is None:
155 level2protocols.udld['must_report'] = True
156
157 if level2protocols.nonegotiate['must_report'] == True:
158 items = search_xml('nonegotiate')
159 cvssMetrics = str(cvss_score(items[5]))
160 level2protocols.nonegotiate = {
161 "candidates": level2protocols.nonegotiate['candidates'],
162 "must_report": True,
163 "fixImpact": (items[0]),
164 "definition": (items[1]),
165 "threatInfo": (items[2]),
166 "howtofix": (items[3]),
167 "cvss": (cvssMetrics)}
168
169 if level2protocols.flowcontrol['must_report'] == True:
170 items = search_xml('flowcontrol')
171 cvssMetrics = str(cvss_score(items[5]))
172 level2protocols.flowcontrol = {
173 "candidates": level2protocols.flowcontrol['candidates'],
174 "must_report": True,
175 "fixImpact": (items[0]),
176 "definition": (items[1]),
177 "threatInfo": (items[2]),
178 "howtofix": (items[3]),
179 "cvss": (cvssMetrics)}
180
181 if level2protocols.udld['must_report'] == True:
182 items = search_xml('udld')
183 cvssMetrics = str(cvss_score(items[5]))
184 level2protocols.udld = {
185 "must_report": True,
186 "fixImpact": (items[0]),
187 "definition": (items[1]),
188 "threatInfo": (items[2]),
189 "howtofix": (items[3]),
190 "cvss": (cvssMetrics)}
191
192 if level2protocols.vlan_1['must_report'] == True:
193 items = search_xml('vlan_1')
194 cvssMetrics = str(cvss_score(items[5]))
195 level2protocols.vlan_1 = {
196 "candidates": level2protocols.vlan_1['candidates'],
197 "must_report": True,
198 "fixImpact": (items[0]),
199 "definition": (items[1]),
200 "threatInfo": (items[2]),
201 "howtofix": (items[3]),
202 "cvss": (cvssMetrics)}
203
204 if (level2protocols.unused_ports['must_report'] == True):
205 items = search_xml('unused_ports')
206 cvssMetrics = str(cvss_score(items[5]))
207 level2protocols.unused_ports = {
208 "candidates": level2protocols.unused_ports['candidates'],
209 "must_report": True,
210 "fixImpact": (items[0]),
211 "definition": (items[1]),
212 "threatInfo": (items[2]),
213 "howtofix": (items[3]),
214 "cvss": (cvssMetrics)}
215
216 """
217 if level2protocols.vtp_secure['must_report'] == True:
218 items = search_xml('vtp_secure')
219 cvssMetrics = str(cvss_score(items[5]))
220 level2protocols.vtp_secure = {
221 "must_report": True,
222 "fixImpact": (items[0]),
223 "definition": (items[1]),
224 "threatInfo": (items[2]),
225 "howtofix": (items[3]),
226 "cvss": (cvssMetrics)}
227 """
228 if level2protocols.bpdu_guard['must_report'] == True:
229 items = search_xml('bpduguard')
230 cvssMetrics = str(cvss_score(items[5]))
231 level2protocols.bpdu_guard = {
232 "must_report": True,
233 "fixImpact": (items[0]),
234 "definition": (items[1]),
235 "threatInfo": (items[2]),
236 "howtofix": (items[3]),
237 "cvss": (cvssMetrics)}
238
239 if level2protocols.stp_root['must_report'] == True:
240 items = search_xml('stproot')
241 cvssMetrics = str(cvss_score(items[5]))
242 level2protocols.stp_root = {
243 "must_report": True,
244 "fixImpact": (items[0]),
245 "definition": (items[1]),
246 "threatInfo": (items[2]),
247 "howtofix": (items[3]),
248 "cvss": (cvssMetrics)}
249
250 if level2protocols.dot1x['must_report'] == True:
251 items = search_xml('dot1x')
252 cvssMetrics = str(cvss_score(items[5]))
253 level2protocols.dot1x = {
254 "must_report": True,
255 "fixImpact": (items[0]),
256 "definition": (items[1]),
257 "threatInfo": (items[2]),
258 "howtofix": (items[3]),
259 "cvss": (cvssMetrics)}
260
261 toBeReturned = ''
262 if level2protocols.nonegotiate['must_report'] == True:
263 toBeReturned = level2protocols.nonegotiate['definition'] + '\n' + level2protocols.nonegotiate['threatInfo'] + '\n\n' + level2protocols.nonegotiate['howtofix'] + '\n'
264 if level2protocols.flowcontrol['must_report'] == True:
265 toBeReturned = toBeReturned + level2protocols.flowcontrol['definition'] + '\n' + level2protocols.flowcontrol['threatInfo'] + '\n\n' + level2protocols.flowcontrol['howtofix'] + '\n'
266 if level2protocols.udld['must_report'] == True:
267 toBeReturned = toBeReturned + level2protocols.udld['definition'] + '\n' + level2protocols.udld['threatInfo'] + '\n\n' + level2protocols.udld['howtofix'] + '\n'
268 if level2protocols.vlan_1['must_report'] == True:
269 toBeReturned = toBeReturned + level2protocols.vlan_1['definition'] + '\n' + level2protocols.vlan_1['threatInfo'] + '\n\n' + level2protocols.vlan_1['howtofix'] + '\n'
270 if level2protocols.unused_ports['must_report'] == True:
271 toBeReturned = toBeReturned + level2protocols.unused_ports['definition'] + '\n' + level2protocols.unused_ports['threatInfo'] + '\n\n' + level2protocols.unused_ports['howtofix'] + '\n'
272 if level2protocols.vtp_secure['must_report'] == True:
273 toBeReturned = toBeReturned + level2protocols.vtp_secure['definition'] + '\n' + level2protocols.vtp_secure['threatInfo'] + '\n\n' + level2protocols.vtp_secure['howtofix'] + '\n'
274 if level2protocols.bpdu_guard['must_report'] == True:
275 toBeReturned = toBeReturned + level2protocols.bpdu_guard['definition'] + '\n' + level2protocols.bpdu_guard['threatInfo'] + '\n\n' + level2protocols.bpdu_guard['howtofix'] + '\n'
276 if level2protocols.stp_root['must_report'] == True:
277 toBeReturned = toBeReturned + level2protocols.stp_root['definition'] + '\n' + level2protocols.stp_root['threatInfo'] + '\n\n' + level2protocols.stp_root['howtofix'] + '\n'
278 if level2protocols.dot1x['must_report'] == True:
279 toBeReturned = toBeReturned + level2protocols.dot1x['definition'] + '\n' + level2protocols.dot1x['threatInfo'] + '\n\n' + level2protocols.dot1x['howtofix'] + '\n'
280
281 return toBeReturned
282
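def engine_cdp(cdpConfiguration, fullConfig, ifaceCfg):
    """CDP services assessment.

    Records whether CDP runs globally and on which non-virtual interfaces
    into ``cdpConfiguration.cdp`` and, if it runs anywhere, fills in the
    ``serviceCDP`` finding (text comes from the project's ``search_xml`` /
    ``cvss_score`` helpers, imported at module level).

    :param cdpConfiguration: object whose ``cdp`` dict already holds the
        lists ``enabledIfsCdp`` and ``disabledIfsCdp`` (appended to, never
        reset here). Gains ``globalCdp`` and, when reported, ``must_report``,
        ``fixImpact``, ``definition``, ``threatInfo``, ``howtofix``, ``cvss``.
    :param fullConfig: iterable of global configuration lines; matched by
        exact equality, so callers are expected to pass stripped lines.
    :param ifaceCfg: iterable of interface objects exposing ``name`` and a
        ``configuration`` iterable of lines.
    :returns: the finding text when CDP is reported, otherwise
        ``'CDP is OK.'`` (same convention as ``engine_lldp``; the original
        concatenated the finding keys unconditionally, which fails or emits
        blank lines when nothing was reported).
    """
    cdp = cdpConfiguration.cdp

    # Global state: the last `cdp run` / `no cdp run` line wins.
    # NOTE(review): a running-config where CDP is on by default typically does
    # not show `cdp run`, so ``globalCdp`` stays False for such devices and the
    # finding is then driven by ``enabledIfsCdp`` alone. Confirm against how
    # configs are collected before changing the default.
    globalCdpFound = False
    for line in fullConfig:
        if line == 'cdp run':
            globalCdpFound = True
        elif line == 'no cdp run':
            globalCdpFound = False
    cdp['globalCdp'] = globalCdpFound

    for iface in ifaceCfg:
        name = iface.name.strip()
        # Virtual interfaces (Loopback/Vlan) are excluded from both lists, as
        # everywhere else in this module.
        if 'Loopback' in name or 'Vlan' in name:
            continue
        # Evaluated per interface. The original kept a single flag across the
        # whole loop, so after the first `no cdp enable` every later interface
        # was silently dropped from enabledIfsCdp -- a false negative for the
        # check.
        disabled = any(line == 'no cdp enable' for line in iface.configuration)
        if disabled:
            cdp['disabledIfsCdp'].append(name)
        else:
            cdp['enabledIfsCdp'].append(name)

    if not (cdp['globalCdp'] or cdp['enabledIfsCdp']):
        return 'CDP is OK.'

    items = search_xml('serviceCDP')
    cvssMetrics = str(cvss_score(items[5]))
    cdp['must_report'] = True
    cdp['fixImpact'] = items[0]
    cdp['definition'] = items[1]
    cdp['threatInfo'] = items[2]
    # Placeholder expansion keeps the original strip()/replace(..., 1) sequence
    # so the emitted remediation text is unchanged.
    howtofix = items[3].strip().replace('[%CdpifsEnabled]', ", ".join(cdp['enabledIfsCdp']), 1)
    cdp['howtofix'] = howtofix.strip().replace('[%CdpifsDisabled]', ", ".join(cdp['disabledIfsCdp']), 1)
    cdp['cvss'] = cvssMetrics

    return cdp['definition'] + '\n' + cdp['threatInfo'] + '\n\n' + cdp['howtofix'] + '\n'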
317
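# Threshold used by engine_lldp; 12.237 presumably encodes IOS 12.2(37) in the
# float scheme __builtin__.iosVersion is parsed into -- verify against the parser.
_LLDP_MIN_IOS = 12.237


def _expand_lldp_placeholder(text, placeholder, names):
    """Return *text* with *placeholder* replaced by the comma-joined *names*.

    An empty list is rendered as ``"None"``. The ``strip()`` before each
    ``replace(..., 1)`` mirrors the original per-placeholder sequence so the
    emitted remediation text is unchanged.
    """
    value = ", ".join(names) if names else "None"
    return text.strip().replace(placeholder, value, 1)


def _report_lldp(lldp):
    """Fill the ``serviceLLDP`` finding into the *lldp* dict and return its text.

    Uses the project's ``search_xml`` / ``cvss_score`` helpers (module-level
    imports) and expands ``[%LldpEnabledTx]``, ``[%LldpEnabledRx]`` and
    ``[%LldpifsDisabled]`` with the interface lists collected by the caller.
    """
    items = search_xml('serviceLLDP')
    cvssMetrics = str(cvss_score(items[5]))
    lldp['must_report'] = True
    lldp['fixImpact'] = items[0]
    lldp['definition'] = items[1]
    lldp['threatInfo'] = items[2]
    howtofix = items[3]
    howtofix = _expand_lldp_placeholder(howtofix, '[%LldpEnabledTx]', lldp['enabledTransmitLldp'])
    howtofix = _expand_lldp_placeholder(howtofix, '[%LldpEnabledRx]', lldp['enabledReceiveLldp'])
    howtofix = _expand_lldp_placeholder(howtofix, '[%LldpifsDisabled]', lldp['disabledIfsLldp'])
    lldp['howtofix'] = howtofix
    lldp['cvss'] = cvssMetrics
    return lldp['definition'] + '\n' + lldp['threatInfo'] + '\n\n' + lldp['howtofix'] + '\n'


def engine_lldp(lldpConfiguration, fullConfig, ifaceCfg):
    """LLDP services assessment.

    Records the global LLDP state and the per-interface transmit/receive
    state into ``lldpConfiguration.lldp`` and, when LLDP appears to run
    anywhere on a platform that can have it, fills in the ``serviceLLDP``
    finding. The two identical reporting branches of the original
    (known version >= threshold, unknown version) are merged into
    ``_report_lldp``.

    :param lldpConfiguration: object whose ``lldp`` dict already holds the
        lists ``enabledTransmitLldp``, ``enabledReceiveLldp`` and
        ``disabledIfsLldp`` (appended to, never reset here). Gains
        ``globalLldp`` and, when reported, ``must_report``, ``fixImpact``,
        ``definition``, ``threatInfo``, ``howtofix``, ``cvss``.
    :param fullConfig: iterable of global configuration lines; matched by
        exact equality, so callers are expected to pass stripped lines.
    :param ifaceCfg: iterable of interface objects exposing ``name`` and a
        ``configuration`` iterable of lines.
    :returns: the finding text, or ``'LLDP is OK.'`` when nothing is reported.
    """
    lldp = lldpConfiguration.lldp

    # Global state: the last matching line wins.
    # NOTE(review): the default is "enabled" even when no lldp line exists at
    # all, so a device that never mentions LLDP is still assessed as running it.
    # That is a conservative (over-reporting) default and is kept for
    # compatibility; confirm it is intended before tightening.
    globalLldpFound = True
    for line in fullConfig:
        if line == 'lldp run global' or line == 'lldp run':
            globalLldpFound = True
        elif line == 'no lldp run global' or line == 'no lldp run':
            globalLldpFound = False
    lldp['globalLldp'] = globalLldpFound

    for iface in ifaceCfg:
        name = iface.name.strip()
        # Virtual interfaces (Loopback/Vlan) are excluded from every list, as
        # everywhere else in this module.
        if 'Loopback' in name or 'Vlan' in name:
            continue
        # Per-interface defaults are "on" regardless of the global state; only
        # an explicit `no lldp transmit` / `no lldp receive` turns them off.
        transmit = True
        receive = True
        for line in iface.configuration:
            if line == 'no lldp transmit':
                transmit = False
            if line == 'no lldp receive':
                receive = False
        if transmit:
            lldp['enabledTransmitLldp'].append(name)
        if receive:
            lldp['enabledReceiveLldp'].append(name)
        if not transmit and not receive:
            lldp['disabledIfsLldp'].append(name)

    if not (lldp['globalLldp'] or lldp['enabledTransmitLldp'] or lldp['enabledReceiveLldp']):
        return 'LLDP is OK.'

    # An unknown IOS version is treated as "may support LLDP" so the finding is
    # not silently dropped; the None check comes first so the comparison never
    # sees None.
    version = __builtin__.iosVersion
    if version is None or version >= _LLDP_MIN_IOS:
        return _report_lldp(lldp)
    return 'LLDP is OK.'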
401