2
* $Id: oval_plugins.c 140 2006-05-31 15:24:25Z tarik $
3
* Description: Launches OVAL definitions.
5
* Authors: - Michael Wiegand <michael.wiegand@intevation.de>
8
* Copyright (C) 2008 Intevation GmbH
10
* This program is free software; you can redistribute it and/or modify
11
* it under the terms of the GNU General Public License version 2 or later,
12
* as published by the Free Software Foundation
14
* This program is distributed in the hope that it will be useful,
15
* but WITHOUT ANY WARRANTY; without even the implied warranty of
16
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17
* GNU General Public License for more details.
19
* You should have received a copy of the GNU General Public License
20
* along with this program; if not, write to the Free Software
21
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
26
* DISCLAIMER: This is just a proof-of-concept for OVAL support in OpenVAS.
27
* It currently supports only a part of the objects specified in the OVAL
28
* specification and requires a patched version of ovaldi, the OVAL definition
37
#include "pluginload.h"
38
#include "preferences.h"
39
#include "processes.h"
42
static void oval_thread(struct arglist *);
43
void ovaldi_launch(struct arglist * g_args);
45
// TODO: A better way to store the results of the XML parser would be to use the
46
// user_data pointer provided by the glib XML parser.
52
gboolean in_description = FALSE;
53
gboolean in_definition = FALSE;
54
gboolean in_title = FALSE;
55
gboolean in_results = FALSE;
56
gboolean in_results_definition = FALSE;
59
void child_setup (gpointer user_data) {
60
// This function is called by the forked child just before it is executed. We
61
// try to drop our root privileges and setuid to nobody to minimize the
62
// risk of running an untrusted ovaldi.
63
// NB: The current implementation is somewhat linux-specific and may not work
64
// on other platforms.
66
struct passwd * nobody_pw = NULL;
70
log_write("oval_plugins.c: Running as root, trying to drop privileges.\n");
71
if((nobody_pw = getpwnam("nobody")))
73
if(setgid(nobody_pw->pw_gid) == 0)
75
log_write("oval_plugins.c: Successfully dropped group privileges.\n");
79
log_write("oval_plugins.c: WARNING: Could not drop group privileges!\n");
81
if(setuid(nobody_pw->pw_uid) == 0)
83
log_write("oval_plugins.c: Successfully dropped user privileges.\n");
87
log_write("oval_plugins.c: WARNING: Could not drop group privileges!\n");
92
log_write("oval_plugins.c: WARNING: Could not drop privileges; unable to get uid and gid for user nobody!\n");
97
log_write("oval_plugins.c: WARNING: Did not attempt to drop privileges since we do not seem to be running as root.\n");
101
void start_element (GMarkupParseContext *context, const gchar *element_name,
102
const gchar **attribute_names,
103
const gchar **attribute_values, gpointer user_data,
106
const gchar **name_cursor = attribute_names;
107
const gchar **value_cursor = attribute_values;
109
if(!in_results && strcmp(element_name, "definition") == 0)
111
in_definition = TRUE;
114
if (strcmp (*name_cursor, "id") == 0)
116
id = g_strrstr(g_strdup(*value_cursor), ":") + 1;
117
// TODO: This currently assigns only IDs in the range intended for
118
// RedHat security advisories.
119
oid = g_strconcat("1.3.6.1.4.1.25623.1.2.2312.", id, NULL);
121
if (strcmp (*name_cursor, "version") == 0)
122
version = g_strdup(*value_cursor);
128
if(strcmp(element_name, "description") == 0)
129
in_description = TRUE;
131
if(strcmp(element_name, "title") == 0)
134
if(strcmp(element_name, "results") == 0)
137
if(in_results && strcmp(element_name, "definition") == 0)
139
in_results_definition = TRUE;
142
if (strcmp (*name_cursor, "result") == 0)
143
result = g_strdup(*value_cursor);
151
void text(GMarkupParseContext *context, const gchar *text, gsize text_len,
152
gpointer user_data, GError **error)
156
// NOTE: This currently cuts off descriptions longer than the maximum length
157
// specified in libopenvas/store_internal.h
158
description = g_strndup(text, 3190);
162
title = g_strndup(text, text_len);
163
g_strdelimit(title, "\n", ' ');
167
void end_element (GMarkupParseContext *context, const gchar *element_name,
168
gpointer user_data, GError **error)
170
in_description = FALSE;
171
in_definition = FALSE;
173
if(strcmp(element_name, "results") == 0)
175
if(in_results && strcmp(element_name, "definition") == 0)
176
in_results_definition = FALSE;
180
* Initialize the plugin class
182
pl_class_t* oval_plugin_init(struct arglist* prefs, struct arglist* args)
184
return &oval_plugin_class;
188
* add *one* OVAL definition to the server list
190
struct arglist * oval_plugin_add(char * folder, char * name,
191
struct arglist * plugins,
192
struct arglist * preferences)
194
char fullname[PATH_MAX+1];
195
struct arglist * args = NULL;
196
struct arglist * prev_plugin = NULL;
197
GMarkupParser parser;
198
GMarkupParseContext *context = NULL;
199
gchar *filebuffer = NULL;
202
snprintf(fullname, sizeof(fullname), "%s/%s", folder, name);
204
if ( preferences_nasl_no_signature_check(preferences) == 0
205
&& nasl_verify_signature( fullname) != 0)
207
log_write("%s: signature of nvt could not been verified/ is missing.", fullname);
211
args = store_load_plugin(folder, name, preferences);
215
char* sign_fprs = nasl_extract_signature_fprs( fullname );
216
// If server accepts signed plugins only, discard if signature file missing.
217
if(preferences_nasl_no_signature_check(preferences) == 0 && sign_fprs == NULL)
219
printf("%s: nvt is not signed and thus ignored\n", fullname);
222
else if(sign_fprs == NULL)
227
// Parse plugin properties into arglist
228
parser.start_element = start_element;
229
parser.end_element = end_element;
231
parser.passthrough = NULL;
234
if(!g_file_get_contents(fullname, &filebuffer, &length, NULL))
236
log_write("oval_plugin_add: File %s not found", fullname);
240
context = g_markup_parse_context_new(&parser, 0, NULL, NULL);
241
g_markup_parse_context_parse(context, filebuffer, length, NULL);
243
g_markup_parse_context_free(context);
245
args = emalloc(sizeof(struct arglist));
247
plug_set_oid(args, oid);
249
plug_set_version(args, version);
250
plug_set_name(args, title, NULL);
251
plug_set_description(args, description, NULL);
252
plug_set_category(args, ACT_END);
253
plug_set_family(args, "OVAL definitions", NULL);
255
plug_set_sign_key_ids(args, sign_fprs);
257
store_plugin(args, name);
258
args = store_load_plugin(folder, name, preferences);
263
prev_plugin = arg_get_value(plugins, name);
264
if(prev_plugin == NULL)
265
arg_add_value(plugins, name, ARG_ARGLIST, -1, args);
268
plugin_free(prev_plugin);
269
arg_set_value(plugins, name, -1, args);
276
* Launch an OVAL plugin
278
int oval_plugin_launch(struct arglist * globals, struct arglist * plugin,
279
struct arglist * hostinfos, struct arglist * preferences,
280
struct kb_item ** kb, char * name)
283
arg_add_value(plugin, "globals", ARG_ARGLIST, -1, globals);
284
arg_add_value(plugin, "HOSTNAME", ARG_ARGLIST, -1, hostinfos);
285
arg_add_value(plugin, "name", ARG_STRING, strlen(name), name);
286
arg_set_value(plugin, "preferences", -1, preferences);
287
arg_add_value(plugin, "key", ARG_PTR, -1, kb);
289
// TODO felix get Preferences from global context and check the signature
290
//if( nasl_verify_signature( arg_get_value(g_args, "name")) )
291
// post_log( g_args, 0, "Attempt to start signed oval plugin.");
293
module = create_process((process_func_t)oval_thread, plugin);
298
* Create a thread for the OVAL plugin
300
static void oval_thread(struct arglist * g_args)
302
struct arglist * args = arg_get_value(g_args, "args");
303
int soc = GPOINTER_TO_SIZE(arg_get_value(g_args, "SOCKET"));
304
struct arglist * globals = arg_get_value(args, "globals");
309
log_write("oval_thread: dup2() failed ! - can not launch the plugin\n");
312
arg_set_value(args, "SOCKET", sizeof(gpointer), GSIZE_TO_POINTER(soc));
313
arg_set_value(globals, "global_socket", sizeof(gpointer), GSIZE_TO_POINTER(soc));
315
setproctitle("testing %s (%s)",
316
(char*)arg_get_value(arg_get_value(args, "HOSTNAME"), "NAME"),
317
(char*)arg_get_value(g_args, "name"));
318
signal(SIGTERM, _exit);
320
ovaldi_launch(g_args);
321
internal_send(soc, NULL, INTERNAL_COMM_MSG_TYPE_CTRL | INTERNAL_COMM_CTRL_FINISHED);
325
* This function will generate an OVAL system characteristics document from the
326
* data available in the knowledge base (KB), run ovaldi and return the results
329
void ovaldi_launch(struct arglist * g_args)
332
gchar * results_filename;
337
struct arglist * args = arg_get_value(g_args, "args");
338
struct kb_item ** kb = arg_get_value(g_args, "key");
339
gchar * basename = g_strrstr(g_strdup((char*)arg_get_value(g_args, "name")), "/") + 1;
340
gchar * result_string = emalloc(256);
341
gchar * folder = g_strndup((char*)arg_get_value(g_args, "name"), strlen((char*)arg_get_value(g_args, "name")) - strlen(basename));
343
sc_filename = g_strconcat(folder, "sc-out.xml", NULL);
344
log_write("SC Filename: %s\n", sc_filename);
345
results_filename = "/tmp/results.xml";
347
sc_file = fopen(sc_filename, "w");
350
snprintf(result_string, 256, "Could not launch ovaldi for OVAL definition %s: Could not create SC file.\n\n", basename);
351
post_note(g_args, 0, result_string);
356
fprintf(sc_file, "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\" ?>\n");
357
fprintf(sc_file, "<oval_system_characteristics xmlns=\"http://oval.mitre.org/XMLSchema/oval-system-characteristics-5\" xmlns:linux-sc=\"http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#linux\" xmlns:oval=\"http://oval.mitre.org/XMLSchema/oval-common-5\" xmlns:oval-sc=\"http://oval.mitre.org/XMLSchema/oval-system-characteristics-5\" xmlns:unix-sc=\"http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#unix\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:schemaLocation=\"http://oval.mitre.org/XMLSchema/oval-system-characteristics-5 oval-system-characteristics-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#unix unix-system-characteristics-schema.xsd http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#linux linux-system-characteristics-schema.xsd\">\n\n");
361
strftime(timestr, sizeof(timestr), "%FT%T", tmp);
362
fprintf(sc_file, "\t<generator>\n\t\t<oval:product_name>%s</oval:product_name>\n\t\t<oval:product_version>%s</oval:product_version>\n\t\t<oval:schema_version>5.4</oval:schema_version>\n\t\t<oval:timestamp>%s</oval:timestamp>\n\t\t<vendor>The OpenVAS Project</vendor>\n\t</generator>\n\n", PROGNAME, OPENVAS_FULL_VERSION, timestr);
364
fprintf(sc_file, "\t<system_info>\n\t\t<os_name></os_name>\n\t\t<os_version></os_version>\n\t\t<architecture></architecture>\n\t\t<primary_host_name>%s</primary_host_name>\n\t\t<interfaces>\n\t\t\t<interface>\n\t\t\t\t<interface_name></interface_name>\n\t\t\t\t<ip_address></ip_address>\n\t\t\t\t<mac_address></mac_address>\n\t\t\t</interface>\n\t\t</interfaces>\n\t</system_info>\n\n", (char*)arg_get_value(arg_get_value(args, "HOSTNAME"), "NAME"));
365
fprintf(sc_file, "\t<system_data>\n");
369
// Get the open TCP ports from the KB and build <inetlisteningserver_item>
370
struct kb_item * res = kb_item_get_pattern(kb, "Ports/tcp/*");
374
fprintf(sc_file, "\t\t<inetlisteningserver_item id=\"%d\" xmlns=\"http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#linux\">\n", i);
375
fprintf(sc_file, "\t\t\t<protocol>tcp</protocol>\n");
376
fprintf(sc_file, "\t\t\t<local_address/>\n");
377
fprintf(sc_file, "\t\t\t<local_port>%s</local_port>\n", g_strrstr(res->name, "/") + 1);
378
fprintf(sc_file, "\t\t\t<local_full_address/>\n\t\t\t<program_name/>\n\t\t\t<foreign_address/>\n\t\t\t<foreign_port/>\n\t\t\t<foreign_full_address/>\n\t\t\t<pid/>\n\t\t\t<user_id/>\n");
379
fprintf(sc_file, "\t\t</inetlisteningserver_item>\n");
384
// Test if ssh/login/release is present in the KB; this means that an
385
// information gathering plugin has collected release and possibly package
386
// information from the remote system.
387
if(kb_item_get_str(kb, "ssh/login/release") == NULL)
389
log_write("Could not identify release, not collecting package information.\n");
390
snprintf(result_string, 256, "Could not collect remote package information for OVAL definition %s: Result may be incomplete.\n\n", basename);
391
post_note(g_args, 0, result_string);
396
// TODO: Right now, every plugin needs to parse the package data in the KB
397
// by itself and dependent on the detected release since they are not
398
// stored in a structured way by the collecting plugin.
399
if(strstr(kb_item_get_str(kb, "ssh/login/release"), "DEB") != NULL)
401
log_write("Detected Debian package information\n");
402
char * packages_str = kb_item_get_str(kb, "ssh/login/packages");
406
gchar ** package = g_strsplit(packages_str, "\n", 0);
408
while(package[j] != NULL)
410
strtok(package[j], " ");
411
fprintf(sc_file, "\t\t<dpkginfo_item id=\"%d\" xmlns=\"http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#linux\">\n", i);
412
fprintf(sc_file, "\t\t\t<name>%s</name>\n", strtok(NULL, " "));
413
fprintf(sc_file, "\t\t\t<arch/>\n");
414
fprintf(sc_file, "\t\t\t<epoch/>\n");
415
fprintf(sc_file, "\t\t\t<release/>\n");
416
fprintf(sc_file, "\t\t\t<version>%s</version>\n", strtok(NULL, " "));
417
fprintf(sc_file, "\t\t\t<evr/>\n");
418
fprintf(sc_file, "\t\t</dpkginfo_item>\n");
426
// NOTE: This parser should work for other RPM-based distributions as well.
427
if(strstr(kb_item_get_str(kb, "ssh/login/release"), "RH") != NULL)
429
log_write("Detected RedHat package information\n");
430
char * packages_str = kb_item_get_str(kb, "ssh/login/rpms");
434
gchar ** package = g_strsplit(packages_str, ";", 0);
438
gchar * package_name;
439
gchar * package_version;
440
gchar * package_release;
441
while(package[j] != NULL)
443
gchar * pgpsig = strncpy(keyid, package[j] + strlen(package[j]) - 16, 16);
444
g_strchug(package[j]);
445
gchar ** package_data = g_strsplit(package[j], "~", 0);
448
package_name = package_data[0];
449
package_version = package_data[1];
450
package_release = package_data[2];
451
fprintf(sc_file, "\t\t<rpminfo_item id=\"%d\" xmlns=\"http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#linux\">\n", i);
452
fprintf(sc_file, "\t\t\t<name>%s</name>\n", package_name);
453
fprintf(sc_file, "\t\t\t<arch/>\n");
454
fprintf(sc_file, "\t\t\t<epoch/>\n");
455
fprintf(sc_file, "\t\t\t<release>%s</release>\n", package_release);
456
fprintf(sc_file, "\t\t\t<version>%s</version>\n", package_version);
457
fprintf(sc_file, "\t\t\t<evr/>\n");
458
fprintf(sc_file, "\t\t\t<signature_keyid>%s</signature_keyid>\n", pgpsig);
459
fprintf(sc_file, "\t\t</rpminfo_item>\n");
463
g_strfreev(package_data);
470
fprintf(sc_file, "\t</system_data>\n\n");
471
fprintf(sc_file, "</oval_system_characteristics>\n");
476
gchar ** argv = (gchar **)g_malloc (9 * sizeof (gchar *));
477
argv[0] = g_strdup("ovaldi");
478
argv[1] = g_strdup("-m"); // Do not check OVAL MD5 signature
479
argv[2] = g_strdup("-o"); // Request the use of _this_ plugin
480
argv[3] = g_strdup((char*)arg_get_value(g_args, "name"));
481
argv[4] = g_strdup("-i"); // Request the use of the system characteristics retrieved from the KB
482
argv[5] = g_strdup(sc_filename);
483
argv[6] = g_strdup("-r"); // Store the scan results where we can parse them
484
argv[7] = g_strdup(results_filename);
486
// log_write("Launching ovaldi with: %s\n", g_strjoinv(" ", argv));
488
if(g_spawn_sync(NULL, argv, NULL, G_SPAWN_SEARCH_PATH, child_setup, NULL, NULL, NULL, NULL, NULL))
490
GMarkupParser parser;
491
GMarkupParseContext *context = NULL;
492
gchar *filebuffer = NULL;
495
parser.start_element = start_element;
496
parser.end_element = end_element;
498
parser.passthrough = NULL;
501
if(!g_file_get_contents(results_filename, &filebuffer, &length, NULL))
503
snprintf(result_string, 256,
504
"Could not return results for OVAL definition %s: Results file not found.\n\n",
506
post_note(g_args, 0, result_string);
507
log_write("Results file %s not found!\n", results_filename);
511
context = g_markup_parse_context_new(&parser, 0, NULL, NULL);
512
g_markup_parse_context_parse(context, filebuffer, length, NULL);
514
g_markup_parse_context_free(context);
515
snprintf(result_string, 256, "The OVAL definition %s returned the following result: %s\n\n", basename, result);
516
post_note(g_args, 0, result_string);
521
snprintf(result_string, 256, "Could not launch ovaldi for OVAL definition %s: Launch failed. (Is ovaldi in your PATH?)\n\n", basename);
522
post_note(g_args, 0, result_string);
523
log_write("Could not launch ovaldi!\n");
527
pl_class_t oval_plugin_class = {