diff --git a/secrules/rules07.py b/secrules/rules07.py new file mode 100644 index 0000000000000000000000000000000000000000..195591629b73102ea35ee09f25950382034ec718_c2VjcnVsZXMvcnVsZXMwNy5weQ== --- /dev/null +++ b/secrules/rules07.py @@ -0,0 +1,400 @@ +# -*- coding: iso-8859-1 -*- +__version__ = '1.0' + +from common import level_rule +from vms import starlet +from vms.rtl import lib +from vms import ssdef, kgbdef, ossdef, dcdef, dvidef +from vms import itemList +from secrules import get_security +from secrules import user_exists +from DeviceScan import DeviceScan + +ids = (('BATCH',0x80000001), + ('DIALUP',0x80000002), + ('INTERACTIVE',0x80000003), + ('LOCAL',0x80000004), + ('NETWORK',0x80000005), + ('REMOTE',0x80000006)) + +@level_rule(2) +def rule0701(fo, fmt): + """ The OpenVMS system predefines fixed values for all system identifiers. +If the system identifier values are changed it implies unnecessary tampering +with system resources.""" + + if not fmt: + print>>fo + print>>fo, "RULE 0701" + print>>fo, "---------" + + for n, v in ids: + try: + s, idn, idv, ida = starlet.idtoasc(v) + if idn != n: + if fmt: + print>>fo, '0701�2�', '%s %x' % (n, v) + else: + print>>fo, '%s %x' % (n, v) + except VMSError, e: + if e.errno != ssdef.SS__NOSUCHID: + print>>fo, e + if fmt: + print>>fo, '0701�2�', '%s %x' % (n, v) + else: + print>>fo, '%s %x' % (n, v) + +@level_rule(2) +def rule0702(fo, fmt): + """ If a user is granted one of these identifiers, it may provide the user +with sufficient privileges to tamper with unauthorized resources on the system +(e.g., critical files, directories, etc.).""" + + if not fmt: + print>>fo + print>>fo, "RULE 0702" + print>>fo, "---------" + + id = 0xFFFFFFFF # do a wildcard lookup + context = 0 + cont = True + while (cont): + try: + s, idn, idv, ida, context = starlet.idtoasc(id, context) + if (idv < 0x80000000L): + continue + if idn in ('BATCH', 'DIALUP', 'INTERACTIVE', 'LOCAL', 'REMOTE', + 'NETWORK', 'DECWINDOWS'): + continue + if idn.split('$')[0] in ('NET', 'SYS', 'SECSRV', 'VMS'): + continue + try: + s, holder, attrib = starlet.find_holder(idv) + except VMSError, e: + if e.errno != ssdef.SS__NOSUCHID: + raise e + idvs = "%%X%X" % idv + if fmt: + print>>fo, '0702�2�', "id = %s idn = %s" % (idvs, idn) + else: + print>>fo, "id = %s idn = %s" % (idvs, idn) + except VMSError, e: + if e.errno != ssdef.SS__NOSUCHID: + raise e + cont = False + + starlet.finish_rdb(context) + +@level_rule(2) +def rule0703(fo, fmt): + """ This may allow vulnerabilities to exist in these tables making them +susceptible to unwanted changes. The owner of a table can freely add, modify, +and delete entries in the table.""" + + if not fmt: + print>>fo + print>>fo, 'RULE 0703' + print>>fo, '=========' + + it = [itemList.itemList(code=ossdef.OSS__OWNER, dtype=itemList.il_unsignedLong),] + + own = starlet.get_security (objnam='LNM$SYSTEM_TABLE', clsnam='LOGICAL_NAME_TABLE', + itmlst=it)[1][ossdef.OSS__OWNER] + + high_word = int(own / 65536) + low_word = int(own - (high_word *65536)) + own = "[%o,%o]" % (high_word, low_word) + if own != '[1,4]': + if fmt: + print>>fo, '0703�2�', own + else: + print>>fo, own + +@level_rule(2) +def rule0704(fo, fmt): + """ This allows any user to potentially change these system tables by +removing or adding elements to them. Such actions may allow a user to +circumvent certain system security measures or override safeguards.""" + + if not fmt: + print>>fo + print>>fo, 'RULE 0704' + print>>fo, '=========' + + it = [itemList.itemList(code=ossdef.OSS__PROTECTION, dtype=itemList.il_unsignedLong),] + prot = starlet.get_security (objnam='LNM$SYSTEM_TABLE', clsnam='LOGICAL_NAME_TABLE', + itmlst=it)[1][ossdef.OSS__PROTECTION] + + if not ((prot & 0x8000) and (prot & 0x4000) and (prot & 0x2000)): + if fmt: + print>>fo, '0704�2� LNM$SYSTEM_TABLE' + else: + print>>fo, 'LNM$SYSTEM_TABLE', lib.format_sogw_prot (prot)[1] + +@level_rule(2) +def rule0705(fo, fmt): + """ This allows any member of the owners group to potentially change these +system tables by removing or adding elements to them. Such actions may allow +a user to circumvent certain system security measures or override safeguards.""" + + if not fmt: + print>>fo + print>>fo, 'RULE 0705' + print>>fo, '=========' + + it = [itemList.itemList(code=ossdef.OSS__PROTECTION, dtype=itemList.il_unsignedLong),] + prot = starlet.get_security (objnam='LNM$SYSTEM_TABLE', clsnam='LOGICAL_NAME_TABLE', + itmlst=it)[1][ossdef.OSS__PROTECTION] + + if not ((prot & 0x800) and (prot & 0x400) and (prot & 0x200)): + if fmt: + print>>fo, '0705�2� LNM$SYSTEM_TABLE' + else: + print>>fo, 'LNM$SYSTEM_TABLE', lib.format_sogw_prot (prot)[1] + +@level_rule(2) +def rule0706(fo, fmt): + """ This may allow unauthorized access to users which have the associated +identifiers granted to them.""" + + if not fmt: + print>>fo + print>>fo, 'RULE 0706' + print>>fo, '=========' + + it = [itemList.itemList(code=ossdef.OSS__ACL_LENGTH, dtype=itemList.il_unsignedLong),] + acllen = starlet.get_security (objnam='LNM$SYSTEM_TABLE', clsnam='LOGICAL_NAME_TABLE', + itmlst=it)[1][ossdef.OSS__ACL_LENGTH] + + if (acllen != 0): + if fmt: + print>>fo, '0706�2� LNM$SYSTEM_TABLE' + else: + print>>fo, get_security.get_security('LNM$SYSTEM_TABLE', clsnam='LOGICAL_NAME_TABLE') + +@level_rule(1) +def rule0707(fo, fmt): + """ This could result in unauthorized access to the operating system files, +and compromise system integrity.""" + + if not fmt: + print>>fo + print>>fo, 'RULE 0707' + print>>fo, '=========' + + it = [itemList.itemList(code=ossdef.OSS__OWNER, dtype=itemList.il_unsignedLong),] + + ident = starlet.get_security (objnam='SYS$SYSDEVICE:', clsnam='DEVICE', + itmlst=it)[1][ossdef.OSS__OWNER] + + high_word = int(ident / 65536) + low_word = int(ident - (high_word *65536)) + own = "[%o,%o]" % (high_word, low_word) + if (own != '[1,4]') and (own != '[1,1]'): + if fmt: + print>>fo, '0707�1� SYS$SYSDEVICE:' + else: + print>>fo, 'SYS$SYSDEVICE:', own + +@level_rule(2) +def rule0708(fo, fmt): + """ A system shared disk should typically be owned by the SYSTEM account. +A privately mounted disk should be owned by a valid user in the SYSUAF.""" + + if not fmt: + print>>fo + print>>fo, 'RULE 0708' + print>>fo, '=========' + + it = [itemList.itemList(code=ossdef.OSS__OWNER, dtype=itemList.il_unsignedLong),] + + ident = starlet.get_security (objnam='SYS$SYSDEVICE:', clsnam='DEVICE', + itmlst=it)[1][ossdef.OSS__OWNER] + high_word = int(ident / 65536) + low_word = int(ident - (high_word *65536)) + own = "[%o,%o]" % (high_word, low_word) + + try: + r = starlet.idtoasc(ident) + g, m =user_exists.user_exists(r[1]) + if g is None: + if fmt: + print>>fo, '0708�2� SYS$SYSDEVICE:', r[1] + else: + print>>fo, 'SYS$SYSDEVICE:', r[1], own + except VMSError, e: + if e == ssdef.SS__NOSUCHID: + if fmt: + print>>fo, '0708�2� SYS$SYSDEVICE:' + else: + print>>fo, 'SYS$SYSDEVICE:', own + else: + raise e + +@level_rule(2) +def rule0709(fo, fmt): + """ Incorrect disk protection can yield undesirable access of sensitive +data or files to unauthorized users.""" + + if not fmt: + print>>fo + print>>fo, 'RULE 0709' + print>>fo, '=========' + + it = [itemList.itemList(code=ossdef.OSS__PROTECTION, dtype=itemList.il_unsignedLong),] + + prot = starlet.get_security (objnam='SYS$SYSDEVICE:', clsnam='DEVICE', + itmlst=it)[1][ossdef.OSS__PROTECTION] + + if not (prot & 0xFE00): + if fmt: + print>>fo, '0709�2� SYS$SYSDEVICE:' + else: + print>>fo, 'SYS$SYSDEVICE:', lib.format_sogw_prot (prot)[1] + +@level_rule(2) +def rule0710(fo, fmt): + """ Highwater marking is a feature of OpenVMS which protects users from +reading files beyond what was written to them. This also is termed disk +scavenging.""" + + if not fmt: + print>>fo + print>>fo, 'RULE 0710' + print>>fo, '=========' + + for device in DeviceScan('*', devclass=dcdef.DC__DISK): + if not (lib.getdvi (dvidef.DVI__MNT, device_name=device)[1]): + continue + if lib.getdvi (dvidef.DVI__SHDW_MEMBER, device_name=device)[1]: + continue + if lib.getdvi (dvidef.DVI__NOHIGHWATER, device_name=device)[1]: + if fmt: + print>>fo, '0710�2�', device + else: + print>>fo, device, 'NOHIGHWATER' + +@level_rule(2) +def rule0711(fo, fmt): + """ This feature writes a pattern over the disk space occupied by a file +when the file is deleted. This prevents users from scavenging old data from +the disk which might otherwise be considered reserved only for authorized +users.""" + + if not fmt: + print>>fo + print>>fo, 'RULE 0711' + print>>fo, '=========' + + for device in DeviceScan('*', devclass=dcdef.DC__DISK): + if not (lib.getdvi (dvidef.DVI__MNT, device_name=device)[1]): + continue + if lib.getdvi (dvidef.DVI__SHDW_MEMBER, device_name=device)[1]: + continue + if not lib.getdvi (dvidef.DVI__ERASE_ON_DELETE, device_name=device)[1]: + if fmt: + print>>fo, '0711�2�', device + else: + print>>fo, device, 'NO ERASE_ON_DELETE' + +@level_rule(2) +def rule0712(fo, fmt): + """ This allows the owner full access to the volume, which can present a +security risk.""" + + if not fmt: + print>>fo + print>>fo, 'RULE 0712' + print>>fo, '=========' + + it = [itemList.itemList(code=ossdef.OSS__OWNER, dtype=itemList.il_unsignedLong),] + + ident = starlet.get_security (objnam='SYS$SYSDEVICE:', clsnam='DEVICE', + itmlst=it)[1][ossdef.OSS__OWNER] + high_word = int(ident / 65536) + low_word = int(ident - (high_word *65536)) + own = "[%o,%o]" % (high_word, low_word) + + if (own != '[1,4]') and (own != '[1,1]'): + if fmt: + print>>fo, '0712�2� Device SYS$SYSDEVICE:' + else: + print>>fo, 'Device SYS$SYSDEVICE:', own + +@level_rule(2) +def rule0713(fo, fmt): + """ Owners of a volume should be defined in the SYSUAF. This could +present a security problem, if a user has privileges to define the owner into +the SYSUAF and then login to that account. This would permit the user full +privileges on the volume.""" + + if not fmt: + print>>fo + print>>fo, 'RULE 0713' + print>>fo, '=========' + + it = [itemList.itemList(code=ossdef.OSS__OWNER, dtype=itemList.il_unsignedLong),] + + ident = starlet.get_security (objnam='SYS$SYSDEVICE:', clsnam='VOLUME', + itmlst=it)[1][ossdef.OSS__OWNER] + high_word = int(ident / 65536) + low_word = int(ident - (high_word *65536)) + own = "[%o,%o]" % (high_word, low_word) + if own != '[1,1]': + try: + r = starlet.idtoasc(ident) + g, m =user_exists.user_exists(r[1]) + if g is None: + if fmt: + print>>fo, '0713�2� Volume SYS$SYSDEVICE:' + else: + print>>fo, 'SYS$SYSDEVICE:', r[1], own + except VMSError, e: + if e == ssdef.SS__NOSUCHID: + if fmt: + print>>fo, '0713�2� Volume SYS$SYSDEVICE:' + else: + print>>fo, 'SYS$SYSDEVICE:', own + else: + raise e + +@level_rule(2) +def rule0714(fo, fmt): + """ Incorrect volume protections can prevent users from accessing to the +disks. By default, all users should be granted RWCD access to the volume.""" + + if not fmt: + print>>fo + print>>fo, 'RULE 0714' + print>>fo, '=========' + + it = [itemList.itemList(code=ossdef.OSS__PROTECTION, dtype=itemList.il_unsignedLong),] + + prot = starlet.get_security (objnam='SYS$SYSDEVICE:', clsnam='VOLUME', + itmlst=it)[1][ossdef.OSS__PROTECTION] + accnam = lib.get_accnam('VOLUME')[1] + pvw = lib.format_sogw_prot (prot,access_names=accnam)[1].split(',')[3] + if pvw[8:] != 'RWCD': + if fmt: + print >>fo, '0714�2�SYS$SYSDEVICE:', pvw + else: + print >>fo, 'SYS$SYSDEVICE: bad World protection', pvw + + +if __name__ == '__main__': + import sys + fo = open(sys.argv[1], 'w') if len(sys.argv) > 1 else sys.stdout + rule0701(fo, len(sys.argv) > 2) + rule0702(fo, len(sys.argv) > 2) + rule0703(fo, len(sys.argv) > 2) + rule0704(fo, len(sys.argv) > 2) + rule0705(fo, len(sys.argv) > 2) + rule0706(fo, len(sys.argv) > 2) + rule0707(fo, len(sys.argv) > 2) + rule0708(fo, len(sys.argv) > 2) + rule0709(fo, len(sys.argv) > 2) + rule0710(fo, len(sys.argv) > 2) + rule0711(fo, len(sys.argv) > 2) + rule0712(fo, len(sys.argv) > 2) + rule0713(fo, len(sys.argv) > 2) + rule0714(fo, len(sys.argv) > 2)