greenbone /
ospd-openvas
| Total Complexity | 121 |
| Total Lines | 815 |
| Duplicated Lines | 3.31 % |
| Changes | 0 | ||
Duplicate code is one of the most pungent code smells. A rule that is often used is to re-structure code once it is duplicated in three or more places.
Common duplication problems, and corresponding solutions are:
Complex classes like ospd_openvas.preferencehandler often do a lot of different things. To break such a class down, we need to identify a cohesive component within that class. A common approach to find such a component is to look for fields/methods that share the same prefixes, or suffixes.
Once you have determined the fields that belong together, you can apply the Extract Class refactoring. If the component makes sense as a sub-class, Extract Subclass is also a candidate, and is often faster.
| 1 | # -*- coding: utf-8 -*- |
||
| 2 | # Copyright (C) 2014-2021 Greenbone Networks GmbH |
||
| 3 | # |
||
| 4 | # SPDX-License-Identifier: AGPL-3.0-or-later |
||
| 5 | # |
||
| 6 | # This program is free software: you can redistribute it and/or modify |
||
| 7 | # it under the terms of the GNU Affero General Public License as |
||
| 8 | # published by the Free Software Foundation, either version 3 of the |
||
| 9 | # License, or (at your option) any later version. |
||
| 10 | # |
||
| 11 | # This program is distributed in the hope that it will be useful, |
||
| 12 | # but WITHOUT ANY WARRANTY; without even the implied warranty of |
||
| 13 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
||
| 14 | # GNU Affero General Public License for more details. |
||
| 15 | # |
||
| 16 | # You should have received a copy of the GNU Affero General Public License |
||
| 17 | # along with this program. If not, see <http://www.gnu.org/licenses/>. |
||
| 18 | |||
| 19 | |||
| 20 | # pylint: disable=too-many-lines |
||
| 21 | |||
| 22 | """ Prepare the preferences to be used by OpenVAS. Get the data from the scan |
||
| 23 | collection and store the data in a redis KB in the right format to be used by |
||
| 24 | OpenVAS. """ |
||
| 25 | |||
| 26 | import logging |
||
| 27 | import binascii |
||
| 28 | |||
| 29 | from enum import IntEnum |
||
| 30 | from typing import Optional, Dict, List, Tuple |
||
| 31 | from base64 import b64decode |
||
| 32 | |||
| 33 | from ospd.scan import ScanCollection |
||
| 34 | from ospd.ospd import BASE_SCANNER_PARAMS |
||
| 35 | from ospd.network import valid_port_list |
||
| 36 | from ospd_openvas.openvas import Openvas |
||
| 37 | from ospd_openvas.db import KbDB |
||
| 38 | from ospd_openvas.nvticache import NVTICache |
||
| 39 | from ospd_openvas.vthelper import VtHelper |
||
| 40 | |||
| 41 | logger = logging.getLogger(__name__) |
||
| 42 | |||
| 43 | |||
| 44 | OID_SSH_AUTH = "1.3.6.1.4.1.25623.1.0.103591" |
||
| 45 | OID_SMB_AUTH = "1.3.6.1.4.1.25623.1.0.90023" |
||
| 46 | OID_ESXI_AUTH = "1.3.6.1.4.1.25623.1.0.105058" |
||
| 47 | OID_SNMP_AUTH = "1.3.6.1.4.1.25623.1.0.105076" |
||
| 48 | OID_PING_HOST = "1.3.6.1.4.1.25623.1.0.100315" |
||
| 49 | |||
| 50 | BOREAS_ALIVE_TEST = "ALIVE_TEST" |
||
| 51 | BOREAS_ALIVE_TEST_PORTS = "ALIVE_TEST_PORTS" |
||
| 52 | BOREAS_SETTING_NAME = "test_alive_hosts_only" |
||
| 53 | |||
| 54 | |||
| 55 | class AliveTest(IntEnum): |
||
| 56 | """Alive Tests.""" |
||
| 57 | |||
| 58 | ALIVE_TEST_SCAN_CONFIG_DEFAULT = 0 |
||
| 59 | ALIVE_TEST_TCP_ACK_SERVICE = 1 |
||
| 60 | ALIVE_TEST_ICMP = 2 |
||
| 61 | ALIVE_TEST_ARP = 4 |
||
| 62 | ALIVE_TEST_CONSIDER_ALIVE = 8 |
||
| 63 | ALIVE_TEST_TCP_SYN_SERVICE = 16 |
||
| 64 | |||
| 65 | |||
| 66 | def alive_test_methods_to_bit_field( |
||
| 67 | icmp: bool, tcp_syn: bool, tcp_ack: bool, arp: bool, consider_alive: bool |
||
| 68 | ) -> int: |
||
| 69 | """Internally a bit field is used as alive test. This function creates |
||
| 70 | such a bit field out of the supplied alive test methods. |
||
| 71 | """ |
||
| 72 | |||
| 73 | icmp_enum = AliveTest.ALIVE_TEST_ICMP if icmp else 0 |
||
| 74 | tcp_syn_enum = AliveTest.ALIVE_TEST_TCP_SYN_SERVICE if tcp_syn else 0 |
||
| 75 | tcp_ack_enum = AliveTest.ALIVE_TEST_TCP_ACK_SERVICE if tcp_ack else 0 |
||
| 76 | arp_enum = AliveTest.ALIVE_TEST_ARP if arp else 0 |
||
| 77 | consider_alive_enum = ( |
||
| 78 | AliveTest.ALIVE_TEST_CONSIDER_ALIVE if consider_alive else 0 |
||
| 79 | ) |
||
| 80 | |||
| 81 | bit_field = ( |
||
| 82 | icmp_enum | tcp_syn_enum | tcp_ack_enum | arp_enum | consider_alive_enum |
||
| 83 | ) |
||
| 84 | return bit_field |
||
| 85 | |||
| 86 | |||
| 87 | def _from_bool_to_str(value: int) -> str: |
||
| 88 | """The OpenVAS scanner use yes and no as boolean values, whereas ospd |
||
| 89 | uses 1 and 0.""" |
||
| 90 | return 'yes' if value == 1 else 'no' |
||
| 91 | |||
| 92 | |||
| 93 | class PreferenceHandler: |
||
| 94 | def __init__( |
||
| 95 | self, |
||
| 96 | scan_id: str, |
||
| 97 | kbdb: KbDB, |
||
| 98 | scan_collection: ScanCollection, |
||
| 99 | nvticache: NVTICache, |
||
| 100 | ): |
||
| 101 | self.scan_id = scan_id |
||
| 102 | self.kbdb = kbdb |
||
| 103 | self.scan_collection = scan_collection |
||
| 104 | |||
| 105 | self._target_options = None |
||
| 106 | self._nvts_params = None |
||
| 107 | |||
| 108 | self.nvti = nvticache |
||
| 109 | |||
| 110 | self.errors = [] |
||
| 111 | |||
| 112 | def prepare_scan_id_for_openvas(self): |
||
| 113 | """Create the openvas scan id and store it in the redis kb. |
||
| 114 | Return the openvas scan_id. |
||
| 115 | """ |
||
| 116 | self.kbdb.add_scan_id(self.scan_id) |
||
| 117 | |||
| 118 | def get_error_messages(self) -> List: |
||
| 119 | """Returns the Error List and reset it""" |
||
| 120 | ret = self.errors |
||
| 121 | self.errors = [] |
||
| 122 | return ret |
||
| 123 | |||
| 124 | @property |
||
| 125 | def target_options(self) -> Dict: |
||
| 126 | """Return target options from Scan collection""" |
||
| 127 | if self._target_options is not None: |
||
| 128 | return self._target_options |
||
| 129 | |||
| 130 | self._target_options = self.scan_collection.get_target_options( |
||
| 131 | self.scan_id |
||
| 132 | ) |
||
| 133 | return self._target_options |
||
| 134 | |||
| 135 | def _get_vts_in_groups( |
||
| 136 | self, |
||
| 137 | filters: List[str], |
||
| 138 | ) -> List[str]: |
||
| 139 | """Return a list of vts which match with the given filter. |
||
| 140 | |||
| 141 | Arguments: |
||
| 142 | filters A list of filters. Each filter has key, operator and |
||
| 143 | a value. They are separated by a space. |
||
| 144 | Supported keys: family |
||
| 145 | |||
| 146 | Returns a list of vt oids which match with the given filter. |
||
| 147 | """ |
||
| 148 | vts_list = list() |
||
| 149 | families = dict() |
||
| 150 | |||
| 151 | oids = self.nvti.get_oids() |
||
| 152 | |||
| 153 | for _, oid in oids: |
||
| 154 | family = self.nvti.get_nvt_family(oid) |
||
| 155 | if family not in families: |
||
| 156 | families[family] = list() |
||
| 157 | |||
| 158 | families[family].append(oid) |
||
| 159 | |||
| 160 | for elem in filters: |
||
| 161 | key, value = elem.split('=') |
||
| 162 | if key == 'family' and value in families: |
||
| 163 | vts_list.extend(families[value]) |
||
| 164 | |||
| 165 | return vts_list |
||
| 166 | |||
| 167 | def _get_vt_param_type(self, vt: Dict, vt_param_id: str) -> Optional[str]: |
||
| 168 | """Return the type of the vt parameter from the vts dictionary.""" |
||
| 169 | |||
| 170 | vt_params_list = vt.get("vt_params") |
||
| 171 | if vt_params_list.get(vt_param_id): |
||
| 172 | return vt_params_list[vt_param_id]["type"] |
||
| 173 | return None |
||
| 174 | |||
| 175 | def _get_vt_param_name(self, vt: Dict, vt_param_id: str) -> Optional[str]: |
||
| 176 | """Return the type of the vt parameter from the vts dictionary.""" |
||
| 177 | |||
| 178 | vt_params_list = vt.get("vt_params") |
||
| 179 | if vt_params_list.get(vt_param_id): |
||
| 180 | return vt_params_list[vt_param_id]["name"] |
||
| 181 | return None |
||
| 182 | |||
| 183 | @staticmethod |
||
| 184 | def check_param_type(vt_param_value: str, param_type: str) -> Optional[int]: |
||
| 185 | """Check if the value of a vt parameter matches with |
||
| 186 | the type founded. |
||
| 187 | """ |
||
| 188 | if ( |
||
| 189 | param_type |
||
| 190 | in [ |
||
| 191 | 'entry', |
||
| 192 | 'password', |
||
| 193 | 'radio', |
||
| 194 | 'sshlogin', |
||
| 195 | ] |
||
| 196 | and isinstance(vt_param_value, str) |
||
| 197 | ): |
||
| 198 | return None |
||
| 199 | elif param_type == 'checkbox' and ( |
||
| 200 | vt_param_value == '0' or vt_param_value == '1' |
||
| 201 | ): |
||
| 202 | return None |
||
| 203 | elif param_type == 'file': |
||
| 204 | try: |
||
| 205 | b64decode(vt_param_value.encode()) |
||
| 206 | except (binascii.Error, AttributeError, TypeError): |
||
| 207 | return 1 |
||
| 208 | return None |
||
| 209 | elif param_type == 'integer': |
||
| 210 | try: |
||
| 211 | int(vt_param_value) |
||
| 212 | except ValueError: |
||
| 213 | return 1 |
||
| 214 | return None |
||
| 215 | |||
| 216 | return 1 |
||
| 217 | |||
| 218 | def _process_vts( |
||
| 219 | self, |
||
| 220 | vts: Dict[str, Dict[str, str]], |
||
| 221 | ) -> Tuple[List[str], Dict[str, str]]: |
||
| 222 | """Add single VTs and their parameters.""" |
||
| 223 | vts_list = [] |
||
| 224 | vts_params = {} |
||
| 225 | vtgroups = vts.pop('vt_groups') |
||
| 226 | |||
| 227 | vthelper = VtHelper(self.nvti) |
||
| 228 | |||
| 229 | if vtgroups: |
||
| 230 | vts_list = self._get_vts_in_groups(vtgroups) |
||
| 231 | |||
| 232 | for vtid, vt_params in vts.items(): |
||
| 233 | vt = vthelper.get_single_vt(vtid) |
||
| 234 | if not vt: |
||
| 235 | logger.warning( |
||
| 236 | 'The VT %s was not found and it will not be added to the ' |
||
| 237 | 'plugin scheduler.', |
||
| 238 | vtid, |
||
| 239 | ) |
||
| 240 | continue |
||
| 241 | |||
| 242 | vts_list.append(vtid) |
||
| 243 | for vt_param_id, vt_param_value in vt_params.items(): |
||
| 244 | param_type = self._get_vt_param_type(vt, vt_param_id) |
||
| 245 | param_name = self._get_vt_param_name(vt, vt_param_id) |
||
| 246 | |||
| 247 | if not param_type or not param_name: |
||
| 248 | logger.debug( |
||
| 249 | 'Missing type or name for VT parameter %s of %s. ' |
||
| 250 | 'This VT parameter will not be set.', |
||
| 251 | vt_param_id, |
||
| 252 | vtid, |
||
| 253 | ) |
||
| 254 | continue |
||
| 255 | |||
| 256 | if vt_param_id == '0': |
||
| 257 | type_aux = 'integer' |
||
| 258 | else: |
||
| 259 | type_aux = param_type |
||
| 260 | |||
| 261 | if self.check_param_type(vt_param_value, type_aux): |
||
| 262 | logger.debug( |
||
| 263 | 'The VT parameter %s for %s could not be set. ' |
||
| 264 | 'Expected %s type for parameter value %s', |
||
| 265 | vt_param_id, |
||
| 266 | vtid, |
||
| 267 | type_aux, |
||
| 268 | str(vt_param_value), |
||
| 269 | ) |
||
| 270 | continue |
||
| 271 | |||
| 272 | if type_aux == 'checkbox': |
||
| 273 | vt_param_value = _from_bool_to_str(int(vt_param_value)) |
||
| 274 | |||
| 275 | vts_params[ |
||
| 276 | "{0}:{1}:{2}:{3}".format( |
||
| 277 | vtid, vt_param_id, param_type, param_name |
||
| 278 | ) |
||
| 279 | ] = str(vt_param_value) |
||
| 280 | |||
| 281 | return vts_list, vts_params |
||
| 282 | |||
| 283 | def prepare_plugins_for_openvas(self) -> bool: |
||
| 284 | """Get the plugin list and it preferences from the Scan Collection. |
||
| 285 | The plugin list is immediately stored in the kb. |
||
| 286 | """ |
||
| 287 | nvts = self.scan_collection.get_vts(self.scan_id) |
||
| 288 | if nvts: |
||
| 289 | nvts_list, self._nvts_params = self._process_vts(nvts) |
||
| 290 | # Add nvts list |
||
| 291 | separ = ';' |
||
| 292 | plugin_list = 'plugin_set|||%s' % separ.join(nvts_list) |
||
| 293 | self.kbdb.add_scan_preferences(self.scan_id, [plugin_list]) |
||
| 294 | |||
| 295 | nvts_list = None |
||
| 296 | plugin_list = None |
||
| 297 | nvts = None |
||
| 298 | |||
| 299 | return True |
||
| 300 | |||
| 301 | return False |
||
| 302 | |||
| 303 | def prepare_nvt_preferences(self): |
||
| 304 | """Prepare the vts preferences. Store the data in the kb.""" |
||
| 305 | |||
| 306 | items_list = [] |
||
| 307 | for key, val in self._nvts_params.items(): |
||
| 308 | items_list.append('%s|||%s' % (key, val)) |
||
| 309 | |||
| 310 | if items_list: |
||
| 311 | self.kbdb.add_scan_preferences(self.scan_id, items_list) |
||
| 312 | |||
| 313 | @staticmethod |
||
| 314 | def build_alive_test_opt_as_prefs( |
||
| 315 | target_options: Dict[str, str] |
||
| 316 | ) -> Dict[str, str]: |
||
| 317 | """Parse the target options dictionary. |
||
| 318 | Arguments: |
||
| 319 | target_options: Dictionary with the target options. |
||
| 320 | |||
| 321 | Return: |
||
| 322 | A dict with the target options related to alive test method |
||
| 323 | in string format to be added to the redis KB. |
||
| 324 | """ |
||
| 325 | target_opt_prefs_list = {} |
||
| 326 | alive_test = None |
||
| 327 | |||
| 328 | View Code Duplication | if target_options: |
|
|
Duplication
introduced
by
|
|||
| 329 | # Alive test specified as bit field. |
||
| 330 | alive_test = target_options.get('alive_test') |
||
| 331 | # Alive test specified as individual methods. |
||
| 332 | alive_test_methods = target_options.get('alive_test_methods') |
||
| 333 | # alive_test takes precedence over alive_test_methods |
||
| 334 | if alive_test is None and alive_test_methods: |
||
| 335 | alive_test = alive_test_methods_to_bit_field( |
||
| 336 | icmp=target_options.get('icmp') == '1', |
||
| 337 | tcp_syn=target_options.get('tcp_syn') == '1', |
||
| 338 | tcp_ack=target_options.get('tcp_ack') == '1', |
||
| 339 | arp=target_options.get('arp') == '1', |
||
| 340 | consider_alive=target_options.get('consider_alive') == '1', |
||
| 341 | ) |
||
| 342 | |||
| 343 | if target_options and alive_test: |
||
| 344 | try: |
||
| 345 | alive_test = int(alive_test) |
||
| 346 | except ValueError: |
||
| 347 | logger.debug( |
||
| 348 | 'Alive test settings not applied. ' |
||
| 349 | 'Invalid alive test value %s', |
||
| 350 | target_options.get('alive_test'), |
||
| 351 | ) |
||
| 352 | return target_opt_prefs_list |
||
| 353 | |||
| 354 | # No alive test or wrong value, uses the default |
||
| 355 | # preferences sent by the client. |
||
| 356 | if alive_test < 1 or alive_test > 31: |
||
| 357 | return target_opt_prefs_list |
||
| 358 | |||
| 359 | if ( |
||
| 360 | alive_test & AliveTest.ALIVE_TEST_TCP_ACK_SERVICE |
||
| 361 | or alive_test & AliveTest.ALIVE_TEST_TCP_SYN_SERVICE |
||
| 362 | ): |
||
| 363 | value = "yes" |
||
| 364 | else: |
||
| 365 | value = "no" |
||
| 366 | target_opt_prefs_list[ |
||
| 367 | OID_PING_HOST + ':1:checkbox:' + 'Do a TCP ping' |
||
| 368 | ] = value |
||
| 369 | |||
| 370 | if ( |
||
| 371 | alive_test & AliveTest.ALIVE_TEST_TCP_SYN_SERVICE |
||
| 372 | and alive_test & AliveTest.ALIVE_TEST_TCP_ACK_SERVICE |
||
| 373 | ): |
||
| 374 | value = "yes" |
||
| 375 | else: |
||
| 376 | value = "no" |
||
| 377 | target_opt_prefs_list[ |
||
| 378 | OID_PING_HOST |
||
| 379 | + ':2:checkbox:' |
||
| 380 | + 'TCP ping tries also TCP-SYN ping' |
||
| 381 | ] = value |
||
| 382 | |||
| 383 | if (alive_test & AliveTest.ALIVE_TEST_TCP_SYN_SERVICE) and not ( |
||
| 384 | alive_test & AliveTest.ALIVE_TEST_TCP_ACK_SERVICE |
||
| 385 | ): |
||
| 386 | value = "yes" |
||
| 387 | else: |
||
| 388 | value = "no" |
||
| 389 | target_opt_prefs_list[ |
||
| 390 | OID_PING_HOST |
||
| 391 | + ':7:checkbox:' |
||
| 392 | + 'TCP ping tries only TCP-SYN ping' |
||
| 393 | ] = value |
||
| 394 | |||
| 395 | if alive_test & AliveTest.ALIVE_TEST_ICMP: |
||
| 396 | value = "yes" |
||
| 397 | else: |
||
| 398 | value = "no" |
||
| 399 | target_opt_prefs_list[ |
||
| 400 | OID_PING_HOST + ':3:checkbox:' + 'Do an ICMP ping' |
||
| 401 | ] = value |
||
| 402 | |||
| 403 | if alive_test & AliveTest.ALIVE_TEST_ARP: |
||
| 404 | value = "yes" |
||
| 405 | else: |
||
| 406 | value = "no" |
||
| 407 | target_opt_prefs_list[ |
||
| 408 | OID_PING_HOST + ':4:checkbox:' + 'Use ARP' |
||
| 409 | ] = value |
||
| 410 | |||
| 411 | if alive_test & AliveTest.ALIVE_TEST_CONSIDER_ALIVE: |
||
| 412 | value = "no" |
||
| 413 | else: |
||
| 414 | value = "yes" |
||
| 415 | target_opt_prefs_list[ |
||
| 416 | OID_PING_HOST |
||
| 417 | + ':5:checkbox:' |
||
| 418 | + 'Mark unrechable Hosts as dead (not scanning)' |
||
| 419 | ] = value |
||
| 420 | |||
| 421 | return target_opt_prefs_list |
||
| 422 | |||
| 423 | def prepare_alive_test_option_for_openvas(self): |
||
| 424 | """Set alive test option. Overwrite the scan config settings.""" |
||
| 425 | settings = Openvas.get_settings() |
||
| 426 | if settings and ( |
||
| 427 | self.target_options.get('alive_test') |
||
| 428 | or self.target_options.get('alive_test_methods') |
||
| 429 | ): |
||
| 430 | alive_test_opt = self.build_alive_test_opt_as_prefs( |
||
| 431 | self.target_options |
||
| 432 | ) |
||
| 433 | self._nvts_params.update(alive_test_opt) |
||
| 434 | |||
| 435 | def prepare_boreas_alive_test(self): |
||
| 436 | """Set alive_test for Boreas if boreas scanner config |
||
| 437 | (BOREAS_SETTING_NAME) was set""" |
||
| 438 | settings = Openvas.get_settings() |
||
| 439 | alive_test = None |
||
| 440 | alive_test_ports = None |
||
| 441 | target_options = self.target_options |
||
| 442 | |||
| 443 | if settings: |
||
| 444 | boreas = settings.get(BOREAS_SETTING_NAME) |
||
| 445 | if not boreas: |
||
| 446 | return |
||
| 447 | else: |
||
| 448 | return |
||
| 449 | |||
| 450 | View Code Duplication | if target_options: |
|
| 451 | alive_test_ports = target_options.get('alive_test_ports') |
||
| 452 | # Alive test was specified as bit field. |
||
| 453 | alive_test = target_options.get('alive_test') |
||
| 454 | # Alive test was specified as individual methods. |
||
| 455 | alive_test_methods = target_options.get('alive_test_methods') |
||
| 456 | # <alive_test> takes precedence over <alive_test_methods> |
||
| 457 | if alive_test is None and alive_test_methods: |
||
| 458 | alive_test = alive_test_methods_to_bit_field( |
||
| 459 | icmp=target_options.get('icmp') == '1', |
||
| 460 | tcp_syn=target_options.get('tcp_syn') == '1', |
||
| 461 | tcp_ack=target_options.get('tcp_ack') == '1', |
||
| 462 | arp=target_options.get('arp') == '1', |
||
| 463 | consider_alive=target_options.get('consider_alive') == '1', |
||
| 464 | ) |
||
| 465 | |||
| 466 | if alive_test is not None: |
||
| 467 | try: |
||
| 468 | alive_test = int(alive_test) |
||
| 469 | except ValueError: |
||
| 470 | logger.debug( |
||
| 471 | 'Alive test preference for Boreas not set. ' |
||
| 472 | 'Invalid alive test value %s.', |
||
| 473 | alive_test, |
||
| 474 | ) |
||
| 475 | # Use default alive test as fall back |
||
| 476 | alive_test = AliveTest.ALIVE_TEST_SCAN_CONFIG_DEFAULT |
||
| 477 | # Use default alive test if no valid alive_test was provided |
||
| 478 | else: |
||
| 479 | alive_test = AliveTest.ALIVE_TEST_SCAN_CONFIG_DEFAULT |
||
| 480 | |||
| 481 | # If a valid alive_test was set then the bit mask |
||
| 482 | # has value between 31 (11111) and 1 (10000) |
||
| 483 | if 1 <= alive_test <= 31: |
||
| 484 | pref = "{pref_key}|||{pref_value}".format( |
||
| 485 | pref_key=BOREAS_ALIVE_TEST, pref_value=alive_test |
||
| 486 | ) |
||
| 487 | self.kbdb.add_scan_preferences(self.scan_id, [pref]) |
||
| 488 | |||
| 489 | if alive_test == AliveTest.ALIVE_TEST_SCAN_CONFIG_DEFAULT: |
||
| 490 | alive_test = AliveTest.ALIVE_TEST_ICMP |
||
| 491 | pref = "{pref_key}|||{pref_value}".format( |
||
| 492 | pref_key=BOREAS_ALIVE_TEST, pref_value=alive_test |
||
| 493 | ) |
||
| 494 | self.kbdb.add_scan_preferences(self.scan_id, [pref]) |
||
| 495 | |||
| 496 | # Add portlist if present. Validity is checked on Boreas side. |
||
| 497 | if alive_test_ports is not None: |
||
| 498 | pref = "{pref_key}|||{pref_value}".format( |
||
| 499 | pref_key=BOREAS_ALIVE_TEST_PORTS, |
||
| 500 | pref_value=alive_test_ports, |
||
| 501 | ) |
||
| 502 | self.kbdb.add_scan_preferences(self.scan_id, [pref]) |
||
| 503 | |||
| 504 | def prepare_reverse_lookup_opt_for_openvas(self): |
||
| 505 | """Set reverse lookup options in the kb""" |
||
| 506 | if self.target_options: |
||
| 507 | items = [] |
||
| 508 | _rev_lookup_only = int( |
||
| 509 | self.target_options.get('reverse_lookup_only', '0') |
||
| 510 | ) |
||
| 511 | rev_lookup_only = _from_bool_to_str(_rev_lookup_only) |
||
| 512 | items.append('reverse_lookup_only|||%s' % (rev_lookup_only)) |
||
| 513 | |||
| 514 | _rev_lookup_unify = int( |
||
| 515 | self.target_options.get('reverse_lookup_unify', '0') |
||
| 516 | ) |
||
| 517 | rev_lookup_unify = _from_bool_to_str(_rev_lookup_unify) |
||
| 518 | items.append('reverse_lookup_unify|||%s' % rev_lookup_unify) |
||
| 519 | |||
| 520 | self.kbdb.add_scan_preferences(self.scan_id, items) |
||
| 521 | |||
| 522 | def prepare_target_for_openvas(self): |
||
| 523 | """Get the target from the scan collection and set the target |
||
| 524 | in the kb""" |
||
| 525 | |||
| 526 | target = self.scan_collection.get_host_list(self.scan_id) |
||
| 527 | target_aux = 'TARGET|||%s' % target |
||
| 528 | self.kbdb.add_scan_preferences(self.scan_id, [target_aux]) |
||
| 529 | |||
| 530 | def prepare_ports_for_openvas(self) -> str: |
||
| 531 | """Get the port list from the scan collection and store the list |
||
| 532 | in the kb.""" |
||
| 533 | ports = self.scan_collection.get_ports(self.scan_id) |
||
| 534 | if not valid_port_list(ports): |
||
| 535 | return False |
||
| 536 | |||
| 537 | port_range = 'port_range|||%s' % ports |
||
| 538 | self.kbdb.add_scan_preferences(self.scan_id, [port_range]) |
||
| 539 | |||
| 540 | return ports |
||
| 541 | |||
| 542 | def prepare_host_options_for_openvas(self): |
||
| 543 | """Get the excluded and finished hosts from the scan collection and |
||
| 544 | stores the list of hosts that must not be scanned in the kb.""" |
||
| 545 | exclude_hosts = self.scan_collection.get_exclude_hosts(self.scan_id) |
||
| 546 | |||
| 547 | if exclude_hosts: |
||
| 548 | pref_val = "exclude_hosts|||" + exclude_hosts |
||
| 549 | self.kbdb.add_scan_preferences(self.scan_id, [pref_val]) |
||
| 550 | |||
| 551 | def prepare_scan_params_for_openvas(self, ospd_params: Dict[str, Dict]): |
||
| 552 | """Get the scan parameters from the scan collection and store them |
||
| 553 | in the kb. |
||
| 554 | Arguments: |
||
| 555 | ospd_params: Dictionary with the OSPD Params. |
||
| 556 | """ |
||
| 557 | # Options which were supplied via the <scanner_params> XML element. |
||
| 558 | options = self.scan_collection.get_options(self.scan_id) |
||
| 559 | prefs_val = [] |
||
| 560 | |||
| 561 | for key, value in options.items(): |
||
| 562 | item_type = '' |
||
| 563 | if key in ospd_params: |
||
| 564 | item_type = ospd_params[key].get('type') |
||
| 565 | else: |
||
| 566 | if key not in BASE_SCANNER_PARAMS: |
||
| 567 | logger.debug( |
||
| 568 | "%s is a scanner only setting and should not be set " |
||
| 569 | "by the client. Setting needs to be included in " |
||
| 570 | "OpenVAS configuration file instead.", |
||
| 571 | key, |
||
| 572 | ) |
||
| 573 | if item_type == 'boolean': |
||
| 574 | val = _from_bool_to_str(value) |
||
| 575 | else: |
||
| 576 | val = str(value) |
||
| 577 | prefs_val.append(key + "|||" + val) |
||
| 578 | |||
| 579 | if prefs_val: |
||
| 580 | self.kbdb.add_scan_preferences(self.scan_id, prefs_val) |
||
| 581 | |||
| 582 | def build_credentials_as_prefs(self, credentials: Dict) -> List[str]: |
||
| 583 | """Parse the credential dictionary. |
||
| 584 | Arguments: |
||
| 585 | credentials: Dictionary with the credentials. |
||
| 586 | |||
| 587 | Return: |
||
| 588 | A list with the credentials in string format to be |
||
| 589 | added to the redis KB. |
||
| 590 | """ |
||
| 591 | cred_prefs_list = [] |
||
| 592 | for credential in credentials.items(): |
||
| 593 | service = credential[0] |
||
| 594 | cred_params = credentials.get(service) |
||
| 595 | cred_type = cred_params.get('type', '') |
||
| 596 | username = cred_params.get('username', '') |
||
| 597 | password = cred_params.get('password', '') |
||
| 598 | |||
| 599 | # Check service ssh |
||
| 600 | if service == 'ssh': |
||
| 601 | # For ssh check the Port |
||
| 602 | port = cred_params.get('port', '22') |
||
| 603 | priv_username = cred_params.get('priv_username', '') |
||
| 604 | priv_password = cred_params.get('priv_password', '') |
||
| 605 | if not port: |
||
| 606 | port = '22' |
||
| 607 | warning = ( |
||
| 608 | "Missing port number for ssh credentials." |
||
| 609 | + " Using default port 22." |
||
| 610 | ) |
||
| 611 | logger.warning(warning) |
||
| 612 | elif not port.isnumeric(): |
||
| 613 | self.errors.append( |
||
| 614 | "Port for SSH '" + port + "' is not a valid number." |
||
| 615 | ) |
||
| 616 | continue |
||
| 617 | elif int(port) > 65535 or int(port) < 1: |
||
| 618 | self.errors.append( |
||
| 619 | "Port for SSH is out of range (1-65535): " + port |
||
| 620 | ) |
||
| 621 | continue |
||
| 622 | # For ssh check the credential type |
||
| 623 | if cred_type == 'up': |
||
| 624 | cred_prefs_list.append( |
||
| 625 | OID_SSH_AUTH |
||
| 626 | + ':3:' |
||
| 627 | + 'password:SSH password ' |
||
| 628 | + '(unsafe!):|||{0}'.format(password) |
||
| 629 | ) |
||
| 630 | elif cred_type == 'usk': |
||
| 631 | private = cred_params.get('private', '') |
||
| 632 | cred_prefs_list.append( |
||
| 633 | OID_SSH_AUTH |
||
| 634 | + ':2:' |
||
| 635 | + 'password:SSH key passphrase:|||' |
||
| 636 | + '{0}'.format(password) |
||
| 637 | ) |
||
| 638 | cred_prefs_list.append( |
||
| 639 | OID_SSH_AUTH |
||
| 640 | + ':4:' |
||
| 641 | + 'file:SSH private key:|||' |
||
| 642 | + '{0}'.format(private) |
||
| 643 | ) |
||
| 644 | elif cred_type: |
||
| 645 | self.errors.append( |
||
| 646 | "Unknown Credential Type for SSH: " |
||
| 647 | + cred_type |
||
| 648 | + ". Use 'up' for Username + Password" |
||
| 649 | + " or 'usk' for Username + SSH Key." |
||
| 650 | ) |
||
| 651 | continue |
||
| 652 | else: |
||
| 653 | self.errors.append( |
||
| 654 | "Missing Credential Type for SSH." |
||
| 655 | + " Use 'up' for Username + Password" |
||
| 656 | + " or 'usk' for Username + SSH Key." |
||
| 657 | ) |
||
| 658 | continue |
||
| 659 | cred_prefs_list.append('auth_port_ssh|||' + '{0}'.format(port)) |
||
| 660 | cred_prefs_list.append( |
||
| 661 | OID_SSH_AUTH |
||
| 662 | + ':1:' |
||
| 663 | + 'entry:SSH login ' |
||
| 664 | + 'name:|||{0}'.format(username) |
||
| 665 | ) |
||
| 666 | cred_prefs_list.append( |
||
| 667 | OID_SSH_AUTH |
||
| 668 | + ':7:' |
||
| 669 | + 'entry:SSH privilege login name:|||{0}'.format( |
||
| 670 | priv_username |
||
| 671 | ) |
||
| 672 | ) |
||
| 673 | cred_prefs_list.append( |
||
| 674 | OID_SSH_AUTH |
||
| 675 | + ':8:' |
||
| 676 | + 'password:SSH privilege password:|||{0}'.format( |
||
| 677 | priv_password |
||
| 678 | ) |
||
| 679 | ) |
||
| 680 | # Check servic smb |
||
| 681 | elif service == 'smb': |
||
| 682 | cred_prefs_list.append( |
||
| 683 | OID_SMB_AUTH |
||
| 684 | + ':1:entry' |
||
| 685 | + ':SMB login:|||{0}'.format(username) |
||
| 686 | ) |
||
| 687 | cred_prefs_list.append( |
||
| 688 | OID_SMB_AUTH |
||
| 689 | + ':2:' |
||
| 690 | + 'password:SMB password:|||' |
||
| 691 | + '{0}'.format(password) |
||
| 692 | ) |
||
| 693 | # Check service esxi |
||
| 694 | elif service == 'esxi': |
||
| 695 | cred_prefs_list.append( |
||
| 696 | OID_ESXI_AUTH |
||
| 697 | + ':1:entry:' |
||
| 698 | + 'ESXi login name:|||' |
||
| 699 | + '{0}'.format(username) |
||
| 700 | ) |
||
| 701 | cred_prefs_list.append( |
||
| 702 | OID_ESXI_AUTH |
||
| 703 | + ':2:' |
||
| 704 | + 'password:ESXi login password:|||' |
||
| 705 | + '{0}'.format(password) |
||
| 706 | ) |
||
| 707 | # Check service snmp |
||
| 708 | elif service == 'snmp': |
||
| 709 | community = cred_params.get('community', '') |
||
| 710 | auth_algorithm = cred_params.get('auth_algorithm', '') |
||
| 711 | privacy_password = cred_params.get('privacy_password', '') |
||
| 712 | privacy_algorithm = cred_params.get('privacy_algorithm', '') |
||
| 713 | |||
| 714 | if not privacy_algorithm: |
||
| 715 | if privacy_password: |
||
| 716 | self.errors.append( |
||
| 717 | "When no privacy algorithm is used, the privacy" |
||
| 718 | + " password also has to be empty." |
||
| 719 | ) |
||
| 720 | continue |
||
| 721 | elif ( |
||
| 722 | not privacy_algorithm == "aes" |
||
| 723 | and not privacy_algorithm == "des" |
||
| 724 | ): |
||
| 725 | self.errors.append( |
||
| 726 | "Unknown privacy algorithm used: " |
||
| 727 | + privacy_algorithm |
||
| 728 | + ". Use 'aes', 'des' or '' (none)." |
||
| 729 | ) |
||
| 730 | continue |
||
| 731 | |||
| 732 | if not auth_algorithm: |
||
| 733 | self.errors.append( |
||
| 734 | "Missing authentication algorithm for SNMP." |
||
| 735 | + " Use 'md5' or 'sha1'." |
||
| 736 | ) |
||
| 737 | continue |
||
| 738 | elif ( |
||
| 739 | not auth_algorithm == "md5" and not auth_algorithm == "sha1" |
||
| 740 | ): |
||
| 741 | self.errors.append( |
||
| 742 | "Unknown authentication algorithm: " |
||
| 743 | + auth_algorithm |
||
| 744 | + ". Use 'md5' or 'sha1'." |
||
| 745 | ) |
||
| 746 | continue |
||
| 747 | |||
| 748 | cred_prefs_list.append( |
||
| 749 | OID_SNMP_AUTH |
||
| 750 | + ':1:' |
||
| 751 | + 'password:SNMP Community:|||' |
||
| 752 | + '{0}'.format(community) |
||
| 753 | ) |
||
| 754 | cred_prefs_list.append( |
||
| 755 | OID_SNMP_AUTH |
||
| 756 | + ':2:' |
||
| 757 | + 'entry:SNMPv3 Username:|||' |
||
| 758 | + '{0}'.format(username) |
||
| 759 | ) |
||
| 760 | cred_prefs_list.append( |
||
| 761 | OID_SNMP_AUTH + ':3:' |
||
| 762 | 'password:SNMPv3 Password:|||' + '{0}'.format(password) |
||
| 763 | ) |
||
| 764 | cred_prefs_list.append( |
||
| 765 | OID_SNMP_AUTH |
||
| 766 | + ':4:' |
||
| 767 | + 'radio:SNMPv3 Authentication Algorithm:|||' |
||
| 768 | + '{0}'.format(auth_algorithm) |
||
| 769 | ) |
||
| 770 | cred_prefs_list.append( |
||
| 771 | OID_SNMP_AUTH |
||
| 772 | + ':5:' |
||
| 773 | + 'password:SNMPv3 Privacy Password:|||' |
||
| 774 | + '{0}'.format(privacy_password) |
||
| 775 | ) |
||
| 776 | cred_prefs_list.append( |
||
| 777 | OID_SNMP_AUTH |
||
| 778 | + ':6:' |
||
| 779 | + 'radio:SNMPv3 Privacy Algorithm:|||' |
||
| 780 | + '{0}'.format(privacy_algorithm) |
||
| 781 | ) |
||
| 782 | elif service: |
||
| 783 | self.errors.append( |
||
| 784 | "Unknown service type for credential: " + service |
||
| 785 | ) |
||
| 786 | else: |
||
| 787 | self.errors.append("Missing service type for credential.") |
||
| 788 | |||
| 789 | return cred_prefs_list |
||
| 790 | |||
| 791 | def prepare_credentials_for_openvas(self) -> bool: |
||
| 792 | """Get the credentials from the scan collection and store them |
||
| 793 | in the kb.""" |
||
| 794 | logger.debug("Looking for given Credentials...") |
||
| 795 | credentials = self.scan_collection.get_credentials(self.scan_id) |
||
| 796 | if credentials: |
||
| 797 | cred_prefs = self.build_credentials_as_prefs(credentials) |
||
| 798 | if cred_prefs: |
||
| 799 | self.kbdb.add_credentials_to_scan_preferences( |
||
| 800 | self.scan_id, cred_prefs |
||
| 801 | ) |
||
| 802 | logger.debug("Credentials added to the kb.") |
||
| 803 | else: |
||
| 804 | logger.debug("No credentials found.") |
||
| 805 | if credentials and not cred_prefs: |
||
| 806 | return False |
||
| 807 | |||
| 808 | return True |
||
| 809 | |||
| 810 | def prepare_main_kbindex_for_openvas(self): |
||
| 811 | """Store main_kbindex as global preference in the |
||
| 812 | kb, used by OpenVAS""" |
||
| 813 | ov_maindbid = 'ov_maindbid|||%d' % self.kbdb.index |
||
| 814 | self.kbdb.add_scan_preferences(self.scan_id, [ov_maindbid]) |
||
| 815 |
Loading history...
