Added snmp_security check plugin for various SNMP checks #403
@@ -0,0 +1,84 @@ | ||||||
# -*- coding:utf-8 -*- | ||||||
# | ||||||
# Copyright (c) 2018 SolarWinds, Inc. | ||||||
# | ||||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may | ||||||
# not use this file except in compliance with the License. You may obtain | ||||||
# a copy of the License at | ||||||
# | ||||||
# http://www.apache.org/licenses/LICENSE-2.0 | ||||||
# | ||||||
# Unless required by applicable law or agreed to in writing, software | ||||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT | ||||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the | ||||||
# License for the specific language governing permissions and limitations | ||||||
# under the License. | ||||||
import bandit | ||||||
from bandit.core import test_properties as test | ||||||
|
||||||
|
||||||
@test.checks("Call") | ||||||
@test.test_id('B508') | ||||||
def snmp_insecure_version_check(context): | ||||||
"""Checking for insecure SNMP versions | ||||||
|
||||||
|
||||||
----------------------------- | ||||||
Remove these 3 lines. Not needed
||||||
B508: snmp_insecure_version | ||||||
----------------------------- | ||||||
|
||||||
This test is for checking for the usage of insecure SNMP version like | ||||||
v1, v2c | ||||||
|
||||||
Using the pysnmp documentation: | ||||||
http://snmplabs.com/pysnmp/examples/hlapi/asyncore/sync/manager/cmdgen/snmp-versions.html | ||||||
|
||||||
Please update your code to use more secure versions of SNMP. | ||||||
""" | ||||||
|
||||||
|
||||||
if context.call_function_name_qual == 'CommunityData': | ||||||
# We called community data. Lets check our args | ||||||
if context.check_call_arg_value("mpModel", 0) or \ | ||||||
Use
||||||
context.check_call_arg_value("mpModel", 1): | ||||||
return bandit.Issue( | ||||||
severity=bandit.MEDIUM, | ||||||
confidence=bandit.MEDIUM, | ||||||
Is the confidence not HIGH?
||||||
text="The use of SNMPv1 and SNMPv2 is insecure. " | ||||||
"You should use SNMPv3 if able.", | ||||||
lineno=context.get_lineno_for_call_arg("CommunityData"), | ||||||
) | ||||||
|
||||||
|
||||||
@test.checks("Call") | ||||||
@test.test_id('B509') | ||||||
def snmp_crypto_check(context): | ||||||
|
||||||
|
||||||
"""Checking for weak cryptography | ||||||
|
||||||
|
||||||
----------------------------- | ||||||
Remove unneeded next 3 lines
||||||
B509: snmp_weak_cryptography | ||||||
----------------------------- | ||||||
|
||||||
This test is for checking for the usage of insecure SNMP cryptography: | ||||||
v3 using noAuthNoPriv. | ||||||
|
||||||
Using the pysnmp documentation: | ||||||
http://snmplabs.com/pysnmp/examples/hlapi/asyncore/sync/manager/cmdgen/snmp-versions.html | ||||||
|
||||||
Please update your code to use more secure versions of SNMP. For example: | ||||||
|
||||||
Instead of: | ||||||
`CommunityData('public', mpModel=0)` | ||||||
|
||||||
Use (Defaults to usmHMACMD5AuthProtocol and usmDESPrivProtocol | ||||||
`UsmUserData("securityName","authName","privName")` | ||||||
|
||||||
""" | ||||||
|
||||||
|
||||||
if context.call_function_name_qual == 'UsmUserData': | ||||||
if context.call_args_count == 1 or context.call_args_count == 1: | ||||||
Duplicate
||||||
return bandit.Issue( | ||||||
severity=bandit.MEDIUM, | ||||||
confidence=bandit.MEDIUM, | ||||||
Is the confidence not HIGH?
||||||
text="You should not use SNMPv3 without encryption. " | ||||||
"noAuthNoPriv is an insecure method of transport.", | ||||||
What about
||||||
lineno=context.get_lineno_for_call_arg("UsmUserData"), | ||||||
) |
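Review bot: `snmp_insecure_version_check` misses the most common insecure form: pysnmp's `CommunityData` defaults `mpModel` to 1 (SNMPv2c), so `CommunityData('public')` with no `mpModel` keyword is never flagged even though it is exactly what the docstring warns against; treat an absent `mpModel` (for example `context.get_call_arg_value("mpModel") is None`) the same as an explicit 0 or 1. In `snmp_crypto_check`, `context.call_args_count == 1 or context.call_args_count == 1` repeats one condition; the second disjunct was presumably meant for the two-positional-argument authNoPriv case (`UsmUserData("securityName", "authName")`), which currently passes, and calls that pass the user name as a keyword have a positional count of 0 and also slip through. Two smaller points: `get_lineno_for_call_arg` looks up a keyword argument by name, so passing `"CommunityData"` / `"UsmUserData"` can never match, and the docstring's `Use (Defaults to usmHMACMD5AuthProtocol and usmDESPrivProtocol` has an unclosed parenthesis and presents HMAC-MD5/DES as the recommended target, which a weak-cryptography check should not do; point readers at explicit `authProtocol`/`privProtocol` arguments instead.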
@@ -0,0 +1,8 @@ | ||||||
----------------------------- | ||||||
|
||||||
B508: snmp_weak_cryptography | ||||||
|
||||||
----------------------------- | ||||||
|
||||||
|
||||||
.. automodule:: bandit.plugins.snmp_security_check | ||||||
|
||||||
|
||||||
.. autofunction:: snmp_crypto_check | ||||||
|
||||||
:noindex: |
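Review bot: the heading `B508: snmp_weak_cryptography` uses the wrong test id; the plugin registers the weak-cryptography check as `B509` (`@test.test_id('B509')` on `snmp_crypto_check`) and its docstring already says `B509: snmp_weak_cryptography`, while B508 is `snmp_insecure_version`. Change the heading to `B509: snmp_weak_cryptography` (and any filename that carries the id) so the docs page, the test id and the docstring agree.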
@@ -0,0 +1,8 @@ | ||
----------------------------- | ||
|
||
B508: snmp_insecure_version | ||
|
||
----------------------------- | ||
|
||
|
||
.. automodule:: bandit.plugins.snmp_security_check | ||
|
||
|
||
.. autofunction:: snmp_insecure_version_check | ||
|
||
:noindex: |
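Review bot: `.. automodule:: bandit.plugins.snmp_security_check` is used here and again in the B509 page without `:noindex:`, so Sphinx documents and indexes the same module twice and emits a duplicate object description warning; add `:noindex:` under the `automodule` directive in both pages, as is already done for `autofunction`. The extracted view drops indentation, but make sure `:noindex:` sits indented directly under the directive line it belongs to; at column 0 after a blank line it is parsed as a plain field list, not as a directive option.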
@@ -0,0 +1,9 @@ | ||
from pysnmp.hlapi import UsmUserData | ||
Alpha sort: UsmUserData comes after CommunityData
||
from pysnmp.hlapi import CommunityData | ||
|
||
# SHOULD FAIL | ||
a = CommunityData('public', mpModel=0) | ||
# SHOULD FAIL | ||
insecure = UsmUserData("securityName") | ||
# SHOULD PASS | ||
less_insecure = UsmUserData("securityName","authName","privName") | ||
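Review bot: the example file exercises only the explicit `mpModel=0` form and the one-argument `UsmUserData`, so it cannot show whether the plugin catches `CommunityData('public')` (pysnmp's default `mpModel` is 1, i.e. SNMPv2c) or the two-argument authNoPriv form `UsmUserData("securityName", "authName")`; add both as `# SHOULD FAIL` lines so the file doubles as a regression test for the checks. Note also that the `# SHOULD PASS` line relies on pysnmp's default HMAC-MD5/DES protocols; if the example is meant to show the secure configuration, pass explicit `authProtocol`/`privProtocol` arguments rather than the defaults.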
|
Switch to SPDX short form of the license.