« back to all changes in this revision
Viewing changes to openvasd/oval_plugins.c
- browse files at revision 4
- compare with another revision
- download diff
- download tarball
- view history from revision 4
- Committer: Bazaar Package Importer
- Author(s): Javier Fernandez-Sanguino Pen~a
- Date: 2009-01-02 01:38:47 UTC
- mfrom: (1.1.1 upstream)
- Revision ID: james.westby@ubuntu.com-20090102013847-74xy2uo1e3hovqjo
Tags: 2.0.0-1
New upstream release.
- files added:
- doc/openvasd-config.1
- files removed:
- confdefs.h
- doc/ntp
- doc/otp
- files modified:
- CHANGES
added
removed
openvasd/oval_plugins.c
1
/* OpenVAS
2
* $Id: oval_plugins.c 140 2006-05-31 15:24:25Z tarik $
3
* Description: Launches OVAL definitions.
4
*
5
* Authors: - Michael Wiegand <michael.wiegand@intevation.de>
6
*
7
* Copyright:
8
* Copyright (C) 2008 Intevation GmbH
9
*
10
* This program is free software; you can redistribute it and/or modify
11
* it under the terms of the GNU General Public License version 2 or later,
12
* as published by the Free Software Foundation
13
*
14
* This program is distributed in the hope that it will be useful,
15
* but WITHOUT ANY WARRANTY; without even the implied warranty of
16
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17
* GNU General Public License for more details.
18
*
19
* You should have received a copy of the GNU General Public License
20
* along with this program; if not, write to the Free Software
21
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
22
*
23
*/
24
25
/*
26
* DISCLAIMER: This is just a proof-of-concept for OVAL support in OpenVAS.
27
* It currently supports only a part of the objects specified in the OVAL
28
* specification and requires a patched version of ovaldi, the OVAL definition
29
* interpreter.
30
*/
31
32
#include <includes.h>
33
#include <nasl.h>
34
#include <glib.h>
35
#include "corevers.h"
36
#include "log.h"
37
#include "pluginload.h"
38
#include "preferences.h"
39
#include "processes.h"
40
41
42
static void oval_thread(struct arglist *);
43
void ovaldi_launch(struct arglist * g_args);
44
45
// TODO: A better way to store the results of the XML parser would be to use the
46
// user_data pointer provided by the glib XML parser.
47
gchar * id;
48
gchar * oid;
49
gchar * version;
50
gchar * description;
51
gchar * title;
52
gboolean in_description = FALSE;
53
gboolean in_definition = FALSE;
54
gboolean in_title = FALSE;
55
gboolean in_results = FALSE;
56
gboolean in_results_definition = FALSE;
57
gchar * result;
58
59
void child_setup (gpointer user_data) {
60
// This function is called by the forked child just before it is executed. We
61
// try to drop our root privileges and setuid to nobody to minimize the
62
// risk of running an untrusted ovaldi.
63
// NB: The current implementation is somewhat linux-specific and may not work
64
// on other platforms.
65
66
struct passwd * nobody_pw = NULL;
67
68
if(getuid() == 0)
69
{
70
log_write("oval_plugins.c: Running as root, trying to drop privileges.\n");
71
if((nobody_pw = getpwnam("nobody")))
72
{
73
if(setgid(nobody_pw->pw_gid) == 0)
74
{
75
log_write("oval_plugins.c: Successfully dropped group privileges.\n");
76
}
77
else
78
{
79
log_write("oval_plugins.c: WARNING: Could not drop group privileges!\n");
80
}
81
if(setuid(nobody_pw->pw_uid) == 0)
82
{
83
log_write("oval_plugins.c: Successfully dropped user privileges.\n");
84
}
85
else
86
{
87
log_write("oval_plugins.c: WARNING: Could not drop group privileges!\n");
88
}
89
}
90
else
91
{
92
log_write("oval_plugins.c: WARNING: Could not drop privileges; unable to get uid and gid for user nobody!\n");
93
}
94
}
95
else
96
{
97
log_write("oval_plugins.c: WARNING: Did not attempt to drop privileges since we do not seem to be running as root.\n");
98
}
99
}
100
101
void start_element (GMarkupParseContext *context, const gchar *element_name,
102
const gchar **attribute_names,
103
const gchar **attribute_values, gpointer user_data,
104
GError **error)
105
{
106
const gchar **name_cursor = attribute_names;
107
const gchar **value_cursor = attribute_values;
108
109
if(!in_results && strcmp(element_name, "definition") == 0)
110
{
111
in_definition = TRUE;
112
while(*name_cursor)
113
{
114
if (strcmp (*name_cursor, "id") == 0)
115
{
116
id = g_strrstr(g_strdup(*value_cursor), ":") + 1;
117
// TODO: This currently assigns only IDs in the range intended for
118
// RedHat security advisories.
119
oid = g_strconcat("1.3.6.1.4.1.25623.1.2.2312.", id, NULL);
120
}
121
if (strcmp (*name_cursor, "version") == 0)
122
version = g_strdup(*value_cursor);
123
name_cursor++;
124
value_cursor++;
125
}
126
}
127
128
if(strcmp(element_name, "description") == 0)
129
in_description = TRUE;
130
131
if(strcmp(element_name, "title") == 0)
132
in_title = TRUE;
133
134
if(strcmp(element_name, "results") == 0)
135
in_results = TRUE;
136
137
if(in_results && strcmp(element_name, "definition") == 0)
138
{
139
in_results_definition = TRUE;
140
while(*name_cursor)
141
{
142
if (strcmp (*name_cursor, "result") == 0)
143
result = g_strdup(*value_cursor);
144
145
name_cursor++;
146
value_cursor++;
147
}
148
}
149
}
150
151
void text(GMarkupParseContext *context, const gchar *text, gsize text_len,
152
gpointer user_data, GError **error)
153
{
154
if (in_description)
155
{
156
// NOTE: This currently cuts off descriptions longer than the maximum length
157
// specified in libopenvas/store_internal.h
158
description = g_strndup(text, 3190);
159
}
160
if (in_title)
161
{
162
title = g_strndup(text, text_len);
163
g_strdelimit(title, "\n", ' ');
164
}
165
}
166
167
void end_element (GMarkupParseContext *context, const gchar *element_name,
168
gpointer user_data, GError **error)
169
{
170
in_description = FALSE;
171
in_definition = FALSE;
172
in_title = FALSE;
173
if(strcmp(element_name, "results") == 0)
174
in_results = FALSE;
175
if(in_results && strcmp(element_name, "definition") == 0)
176
in_results_definition = FALSE;
177
}
178
179
/*
180
* Initialize the plugin class
181
*/
182
pl_class_t* oval_plugin_init(struct arglist* prefs, struct arglist* args)
183
{
184
return &oval_plugin_class;
185
}
186
187
/*
188
* add *one* OVAL definition to the server list
189
*/
190
struct arglist * oval_plugin_add(char * folder, char * name,
191
struct arglist * plugins,
192
struct arglist * preferences)
193
{
194
char fullname[PATH_MAX+1];
195
struct arglist * args = NULL;
196
struct arglist * prev_plugin = NULL;
197
GMarkupParser parser;
198
GMarkupParseContext *context = NULL;
199
gchar *filebuffer = NULL;
200
gsize length = 0;
201
202
snprintf(fullname, sizeof(fullname), "%s/%s", folder, name);
203
204
if ( preferences_nasl_no_signature_check(preferences) == 0
205
&& nasl_verify_signature( fullname) != 0)
206
{
207
log_write("%s: signature of nvt could not been verified/ is missing.", fullname);
208
return NULL;
209
}
210
211
args = store_load_plugin(folder, name, preferences);
212
213
if(args == NULL)
214
{
215
char* sign_fprs = nasl_extract_signature_fprs( fullname );
216
// If server accepts signed plugins only, discard if signature file missing.
217
if(preferences_nasl_no_signature_check(preferences) == 0 && sign_fprs == NULL)
218
{
219
printf("%s: nvt is not signed and thus ignored\n", fullname);
220
return NULL;
221
}
222
else if(sign_fprs == NULL)
223
{
224
sign_fprs = "";
225
}
226
227
// Parse plugin properties into arglist
228
parser.start_element = start_element;
229
parser.end_element = end_element;
230
parser.text = text;
231
parser.passthrough = NULL;
232
parser.error = NULL;
233
234
if(!g_file_get_contents(fullname, &filebuffer, &length, NULL))
235
{
236
log_write("oval_plugin_add: File %s not found", fullname);
237
return NULL;
238
}
239
240
context = g_markup_parse_context_new(&parser, 0, NULL, NULL);
241
g_markup_parse_context_parse(context, filebuffer, length, NULL);
242
g_free(filebuffer);
243
g_markup_parse_context_free(context);
244
245
args = emalloc(sizeof(struct arglist));
246
247
plug_set_oid(args, oid);
248
249
plug_set_version(args, version);
250
plug_set_name(args, title, NULL);
251
plug_set_description(args, description, NULL);
252
plug_set_category(args, ACT_END);
253
plug_set_family(args, "OVAL definitions", NULL);
254
255
plug_set_sign_key_ids(args, sign_fprs);
256
257
store_plugin(args, name);
258
args = store_load_plugin(folder, name, preferences);
259
}
260
261
if(args != NULL)
262
{
263
prev_plugin = arg_get_value(plugins, name);
264
if(prev_plugin == NULL)
265
arg_add_value(plugins, name, ARG_ARGLIST, -1, args);
266
else
267
{
268
plugin_free(prev_plugin);
269
arg_set_value(plugins, name, -1, args);
270
}
271
}
272
return args;
273
}
274
275
/*
276
* Launch an OVAL plugin
277
*/
278
int oval_plugin_launch(struct arglist * globals, struct arglist * plugin,
279
struct arglist * hostinfos, struct arglist * preferences,
280
struct kb_item ** kb, char * name)
281
{
282
nthread_t module;
283
arg_add_value(plugin, "globals", ARG_ARGLIST, -1, globals);
284
arg_add_value(plugin, "HOSTNAME", ARG_ARGLIST, -1, hostinfos);
285
arg_add_value(plugin, "name", ARG_STRING, strlen(name), name);
286
arg_set_value(plugin, "preferences", -1, preferences);
287
arg_add_value(plugin, "key", ARG_PTR, -1, kb);
288
289
// TODO felix get Preferences from global context and check the signature
290
//if( nasl_verify_signature( arg_get_value(g_args, "name")) )
291
// post_log( g_args, 0, "Attempt to start signed oval plugin.");
292
293
module = create_process((process_func_t)oval_thread, plugin);
294
return module;
295
}
296
297
/*
298
* Create a thread for the OVAL plugin
299
*/
300
static void oval_thread(struct arglist * g_args)
301
{
302
struct arglist * args = arg_get_value(g_args, "args");
303
int soc = GPOINTER_TO_SIZE(arg_get_value(g_args, "SOCKET"));
304
struct arglist * globals = arg_get_value(args, "globals");
305
306
soc = dup2(soc, 4);
307
if(soc < 0)
308
{
309
log_write("oval_thread: dup2() failed ! - can not launch the plugin\n");
310
return;
311
}
312
arg_set_value(args, "SOCKET", sizeof(gpointer), GSIZE_TO_POINTER(soc));
313
arg_set_value(globals, "global_socket", sizeof(gpointer), GSIZE_TO_POINTER(soc));
314
315
setproctitle("testing %s (%s)",
316
(char*)arg_get_value(arg_get_value(args, "HOSTNAME"), "NAME"),
317
(char*)arg_get_value(g_args, "name"));
318
signal(SIGTERM, _exit);
319
320
ovaldi_launch(g_args);
321
internal_send(soc, NULL, INTERNAL_COMM_MSG_TYPE_CTRL | INTERNAL_COMM_CTRL_FINISHED);
322
}
323
324
/*
325
* This function will generate an OVAL system characteristics document from the
326
* data available in the knowledge base (KB), run ovaldi and return the results
327
* to the client.
328
*/
329
void ovaldi_launch(struct arglist * g_args)
330
{
331
gchar * sc_filename;
332
gchar * results_filename;
333
FILE * sc_file;
334
time_t t;
335
struct tm *tmp;
336
char timestr[20];
337
struct arglist * args = arg_get_value(g_args, "args");
338
struct kb_item ** kb = arg_get_value(g_args, "key");
339
gchar * basename = g_strrstr(g_strdup((char*)arg_get_value(g_args, "name")), "/") + 1;
340
gchar * result_string = emalloc(256);
341
gchar * folder = g_strndup((char*)arg_get_value(g_args, "name"), strlen((char*)arg_get_value(g_args, "name")) - strlen(basename));
342
343
sc_filename = g_strconcat(folder, "sc-out.xml", NULL);
344
log_write("SC Filename: %s\n", sc_filename);
345
results_filename = "/tmp/results.xml";
346
347
sc_file = fopen(sc_filename, "w");
348
if(sc_file == NULL)
349
{
350
snprintf(result_string, 256, "Could not launch ovaldi for OVAL definition %s: Could not create SC file.\n\n", basename);
351
post_note(g_args, 0, result_string);
352
efree(&sc_filename);
353
}
354
else
355
{
356
fprintf(sc_file, "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\" ?>\n");
357
fprintf(sc_file, "<oval_system_characteristics xmlns=\"http://oval.mitre.org/XMLSchema/oval-system-characteristics-5\" xmlns:linux-sc=\"http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#linux\" xmlns:oval=\"http://oval.mitre.org/XMLSchema/oval-common-5\" xmlns:oval-sc=\"http://oval.mitre.org/XMLSchema/oval-system-characteristics-5\" xmlns:unix-sc=\"http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#unix\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:schemaLocation=\"http://oval.mitre.org/XMLSchema/oval-system-characteristics-5 oval-system-characteristics-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#unix unix-system-characteristics-schema.xsd http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#linux linux-system-characteristics-schema.xsd\">\n\n");
358
359
t = time(NULL);
360
tmp = localtime(&t);
361
strftime(timestr, sizeof(timestr), "%FT%T", tmp);
362
fprintf(sc_file, "\t<generator>\n\t\t<oval:product_name>%s</oval:product_name>\n\t\t<oval:product_version>%s</oval:product_version>\n\t\t<oval:schema_version>5.4</oval:schema_version>\n\t\t<oval:timestamp>%s</oval:timestamp>\n\t\t<vendor>The OpenVAS Project</vendor>\n\t</generator>\n\n", PROGNAME, OPENVAS_FULL_VERSION, timestr);
363
364
fprintf(sc_file, "\t<system_info>\n\t\t<os_name></os_name>\n\t\t<os_version></os_version>\n\t\t<architecture></architecture>\n\t\t<primary_host_name>%s</primary_host_name>\n\t\t<interfaces>\n\t\t\t<interface>\n\t\t\t\t<interface_name></interface_name>\n\t\t\t\t<ip_address></ip_address>\n\t\t\t\t<mac_address></mac_address>\n\t\t\t</interface>\n\t\t</interfaces>\n\t</system_info>\n\n", (char*)arg_get_value(arg_get_value(args, "HOSTNAME"), "NAME"));
365
fprintf(sc_file, "\t<system_data>\n");
366
367
int i = 1;
368
369
// Get the open TCP ports from the KB and build <inetlisteningserver_item>
370
struct kb_item * res = kb_item_get_pattern(kb, "Ports/tcp/*");
371
372
while(res)
373
{
374
fprintf(sc_file, "\t\t<inetlisteningserver_item id=\"%d\" xmlns=\"http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#linux\">\n", i);
375
fprintf(sc_file, "\t\t\t<protocol>tcp</protocol>\n");
376
fprintf(sc_file, "\t\t\t<local_address/>\n");
377
fprintf(sc_file, "\t\t\t<local_port>%s</local_port>\n", g_strrstr(res->name, "/") + 1);
378
fprintf(sc_file, "\t\t\t<local_full_address/>\n\t\t\t<program_name/>\n\t\t\t<foreign_address/>\n\t\t\t<foreign_port/>\n\t\t\t<foreign_full_address/>\n\t\t\t<pid/>\n\t\t\t<user_id/>\n");
379
fprintf(sc_file, "\t\t</inetlisteningserver_item>\n");
380
i++;
381
res = res->next;
382
}
383
384
// Test if ssh/login/release is present in the KB; this means that an
385
// information gathering plugin has collected release and possibly package
386
// information from the remote system.
387
if(kb_item_get_str(kb, "ssh/login/release") == NULL)
388
{
389
log_write("Could not identify release, not collecting package information.\n");
390
snprintf(result_string, 256, "Could not collect remote package information for OVAL definition %s: Result may be incomplete.\n\n", basename);
391
post_note(g_args, 0, result_string);
392
393
}
394
else
395
{
396
// TODO: Right now, every plugin needs to parse the package data in the KB
397
// by itself and dependent on the detected release since they are not
398
// stored in a structured way by the collecting plugin.
399
if(strstr(kb_item_get_str(kb, "ssh/login/release"), "DEB") != NULL)
400
{
401
log_write("Detected Debian package information\n");
402
char * packages_str = kb_item_get_str(kb, "ssh/login/packages");
403
404
if(packages_str)
405
{
406
gchar ** package = g_strsplit(packages_str, "\n", 0);
407
int j = 5;
408
while(package[j] != NULL)
409
{
410
strtok(package[j], " ");
411
fprintf(sc_file, "\t\t<dpkginfo_item id=\"%d\" xmlns=\"http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#linux\">\n", i);
412
fprintf(sc_file, "\t\t\t<name>%s</name>\n", strtok(NULL, " "));
413
fprintf(sc_file, "\t\t\t<arch/>\n");
414
fprintf(sc_file, "\t\t\t<epoch/>\n");
415
fprintf(sc_file, "\t\t\t<release/>\n");
416
fprintf(sc_file, "\t\t\t<version>%s</version>\n", strtok(NULL, " "));
417
fprintf(sc_file, "\t\t\t<evr/>\n");
418
fprintf(sc_file, "\t\t</dpkginfo_item>\n");
419
i++;
420
j++;
421
}
422
g_strfreev(package);
423
}
424
}
425
426
// NOTE: This parser should work for other RPM-based distributions as well.
427
if(strstr(kb_item_get_str(kb, "ssh/login/release"), "RH") != NULL)
428
{
429
log_write("Detected RedHat package information\n");
430
char * packages_str = kb_item_get_str(kb, "ssh/login/rpms");
431
432
if(packages_str)
433
{
434
gchar ** package = g_strsplit(packages_str, ";", 0);
435
int j = 1;
436
char keyid[17];
437
keyid[16] = '\0';
438
gchar * package_name;
439
gchar * package_version;
440
gchar * package_release;
441
while(package[j] != NULL)
442
{
443
gchar * pgpsig = strncpy(keyid, package[j] + strlen(package[j]) - 16, 16);
444
g_strchug(package[j]);
445
gchar ** package_data = g_strsplit(package[j], "~", 0);
446
if(package_data[0])
447
{
448
package_name = package_data[0];
449
package_version = package_data[1];
450
package_release = package_data[2];
451
fprintf(sc_file, "\t\t<rpminfo_item id=\"%d\" xmlns=\"http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#linux\">\n", i);
452
fprintf(sc_file, "\t\t\t<name>%s</name>\n", package_name);
453
fprintf(sc_file, "\t\t\t<arch/>\n");
454
fprintf(sc_file, "\t\t\t<epoch/>\n");
455
fprintf(sc_file, "\t\t\t<release>%s</release>\n", package_release);
456
fprintf(sc_file, "\t\t\t<version>%s</version>\n", package_version);
457
fprintf(sc_file, "\t\t\t<evr/>\n");
458
fprintf(sc_file, "\t\t\t<signature_keyid>%s</signature_keyid>\n", pgpsig);
459
fprintf(sc_file, "\t\t</rpminfo_item>\n");
460
i++;
461
}
462
j++;
463
g_strfreev(package_data);
464
}
465
g_strfreev(package);
466
}
467
}
468
}
469
470
fprintf(sc_file, "\t</system_data>\n\n");
471
fprintf(sc_file, "</oval_system_characteristics>\n");
472
}
473
if(sc_file != NULL)
474
fclose(sc_file);
475
476
gchar ** argv = (gchar **)g_malloc (9 * sizeof (gchar *));
477
argv[0] = g_strdup("ovaldi");
478
argv[1] = g_strdup("-m"); // Do not check OVAL MD5 signature
479
argv[2] = g_strdup("-o"); // Request the use of _this_ plugin
480
argv[3] = g_strdup((char*)arg_get_value(g_args, "name"));
481
argv[4] = g_strdup("-i"); // Request the use of the system characteristics retrieved from the KB
482
argv[5] = g_strdup(sc_filename);
483
argv[6] = g_strdup("-r"); // Store the scan results where we can parse them
484
argv[7] = g_strdup(results_filename);
485
argv[8] = NULL;
486
// log_write("Launching ovaldi with: %s\n", g_strjoinv(" ", argv));
487
488
if(g_spawn_sync(NULL, argv, NULL, G_SPAWN_SEARCH_PATH, child_setup, NULL, NULL, NULL, NULL, NULL))
489
{
490
GMarkupParser parser;
491
GMarkupParseContext *context = NULL;
492
gchar *filebuffer = NULL;
493
gsize length = 0;
494
495
parser.start_element = start_element;
496
parser.end_element = end_element;
497
parser.text = text;
498
parser.passthrough = NULL;
499
parser.error = NULL;
500
501
if(!g_file_get_contents(results_filename, &filebuffer, &length, NULL))
502
{
503
snprintf(result_string, 256,
504
"Could not return results for OVAL definition %s: Results file not found.\n\n",
505
basename);
506
post_note(g_args, 0, result_string);
507
log_write("Results file %s not found!\n", results_filename);
508
}
509
else
510
{
511
context = g_markup_parse_context_new(&parser, 0, NULL, NULL);
512
g_markup_parse_context_parse(context, filebuffer, length, NULL);
513
g_free(filebuffer);
514
g_markup_parse_context_free(context);
515
snprintf(result_string, 256, "The OVAL definition %s returned the following result: %s\n\n", basename, result);
516
post_note(g_args, 0, result_string);
517
}
518
}
519
else
520
{
521
snprintf(result_string, 256, "Could not launch ovaldi for OVAL definition %s: Launch failed. (Is ovaldi in your PATH?)\n\n", basename);
522
post_note(g_args, 0, result_string);
523
log_write("Could not launch ovaldi!\n");
524
}
525
}
526
527
pl_class_t oval_plugin_class = {
528
NULL,
529
".oval",
530
oval_plugin_init,
531
oval_plugin_add,
532
oval_plugin_launch,
533
};
Loggerhead is a web-based interface for Breezy
Version: 2.0.1