get_security.py: update stub information

rule302: better filters rule401: Only report ACE if IDENTIFIER=* and access allow DELETE or WRITE rule403: fix a bug

get_security.py: update stub information
b4e6c1c44484 · jfp · fe61049b37e4 · b4e6c1c4 · b4e6c1c4 · b4e6c1c4
Commit b4e6c1c44484 authored 2 years ago by jfp
--- a/secrules/get_security.py
+++ b/secrules/get_security.py
+from typing import Tuple, List
 from ovms import starlet
 from ovms import itemList, ossdef, ssdef
 from ovms.rtl import lib
@@ -1,9 +2,9 @@
 from ovms import starlet
 from ovms import itemList, ossdef, ssdef
 from ovms.rtl import lib
-def get_security(fn, clsnam=b'FILE'):
+def get_security(fn: bytes | str, clsnam=b'FILE') -> Tuple[bytes, bytes, List[bytes]]:
    itm = (
        itemList.itemList(code=ossdef.OSS__ACL_READ),
        itemList.itemList(
@@ -42,7 +43,7 @@
    filename = sys.argv[1]
    clsnam = sys.argv[2]
    owner, protection, acl = get_security(filename, clsnam.encode())
-    print('    Owner:', owner)
+    print('    Owner:', owner.decode())
-    print('    Protection:', protection)
+    print('    Protection:', protection.decode())
    print('    Access control list:')
    for e in acl:
@@ -47,3 +48,3 @@
    print('    Access control list:')
    for e in acl:
-        print(9 * ' ', e)
+        print(9 * ' ', e.decode())
--- a/secrules/rules03.py
+++ b/secrules/rules03.py
@@ -12,6 +12,40 @@
    signifies an unauthorized change was made to the file, and represents an area
    of vulnerability with regards to protection of critical files."""
+    fn_owner = {
+        b'SYS$SYSROOT:[000000]CML$SERVER.DIR': b'CML$SERVER',
+        b'SYS$SYSROOT:[000000]MAIL$SERVER.DIR': b'MAIL$SERVER',
+        b'SYS$SYSROOT:[000000]MIRRO$SERVER.DIR': b'MIRRO$SERVER',
+        b'SYS$SYSROOT:[000000]PHONE$SERVER.DIR': b'PHONE$SERVER',
+        b'SYS$SYSROOT:[000000]TCPIP$LPD.DIR': b'TCPIP$LPD',
+        b'SYS$SYSROOT:[000000]TCPIP$NTP.DIR': b'TCPIP$NTP',
+        b'SYS$SYSROOT:[000000]TCPIP$SMTP.DIR': b'TCPIP$SMTP',
+        b'SYS$SYSROOT:[000000]VPM$SERVER.DIR': b'VPM$SERVER',
+        b'SYS$COMMON:[000000]OMNI.DIR': b'OMNIADMIN',
+        b'SYS$COMMON:[000000]RDB$REMOTE72.DIR': b'RDB$REMOTE72',
+        b'SYS$COMMON:[000000]RDB$REMOTE73.DIR': b'RDB$REMOTE73',
+        b'SYS$COMMON:[000000]RDB$REMOTE74.DIR': b'RDB$REMOTE74',
+        b'SYS$COMMON:[000000]RDMAIJ72.DIR': b'RDMAIJ72',
+        b'SYS$COMMON:[000000]RDMAIJ73.DIR': b'RDMAIJ73',
+        b'SYS$COMMON:[000000]RDMAIJ74.DIR': b'RDMAIJ74',
+        b'SYS$COMMON:[000000]RDMSTT72.DIR': b'RDMSTT72',
+        b'SYS$COMMON:[000000]RDMSTT73.DIR': b'RDMSTT73',
+        b'SYS$COMMON:[000000]RDMSTT74.DIR': b'RDMSTT74',
+        b'SYS$COMMON:[000000.SYS$STARTUP]OMNI$STARTUP.COM': b'OMNIADMIN',
+        b'SYS$COMMON:[000000.SYS$STARTUP]OMNI$SHUTDOWN.COM': b'OMNIADMIN',
+        b'SYS$COMMON:[000000.SYS$STARTUP]OMNI$SYSTARTUP.COM': b'OMNIADMIN',
+        b'SYS$COMMON:[000000.SYSLIB]LIBAE.EXE': b'OMNIADMIN',
+        b'SYS$COMMON:[000000.SYSLIB]LIBDC.EXE': b'OMNIADMIN',
+        b'SYS$COMMON:[000000.SYSLIB]LIBDE.EXE': b'OMNIADMIN',
+        b'SYS$SYSROOT:[000000.TCPIP$ETC]MOUNTDTAB.DAT': b'TCPIP$NFS',
+    }
+    fndir_own = {
+        b'SYS$COMMON:[000000.OMNI': (b'OMNIADMIN',),
+        b'SYS$COMMON:[000000.SAMBA': (b'SAMBA$SMBD', b'SAMBA$NMBD'),
+        b'SYS$SYSROOT:[000000.TCPIP$SMTP': b'TCPIP$SMTP',
+        b'SYS$SYSROOT:[000000.TCPIP$NTP': b'TCPIP$NTP',
+        b'SYS$SYSROOT:[000000.TCPIP$LPD': b'TCPIP$LPD',
+    }
    if not fmt:
        print(file=fo)
        print('Rule 0302', file=fo)
@@ -20,10 +54,23 @@
    with FindFile(b'SYS$SYSROOT:[000000...]*.*') as fi:
        for fn in fi:  # type: ignore
            fn: bytes
-            id = get_security(fn)[0]
+            fn = fn.rsplit(b';')[0]
-            if (id != b'SYSTEM') and (id != b'[1,1]'):
+            if fn.startswith(b'SYS$SYSROOT:[000000.SYSCOMMON'):
-                if (fn != b'MOM$SYSTEM') and (id != b'[376,375]'):
+                continue
+            idf = get_security(fn)[0]
+            if fn in fn_owner and fn_owner[fn] == idf:
+                continue
+            for sfn, own in fndir_own.items():
+                if fn.startswith(sfn) and idf in own:
+                    ownok = True
+                    break
+            else:
+                ownok = False
+            if ownok:
+                continue
+            if (idf != b'SYSTEM') and (idf != b'[1,1]'):
+                if (fn != b'MOM$SYSTEM') and (idf != b'[376,375]'):
                    if fmt:
                        print('0302"2"', fn.decode(), file=fo)
                    else:
                        print(fn.decode(), file=fo)
@@ -26,8 +73,8 @@
                    if fmt:
                        print('0302"2"', fn.decode(), file=fo)
                    else:
                        print(fn.decode(), file=fo)
-                        print(' ' * 10, id.decode(), file=fo)
+                        print(' ' * 10, idf.decode(), file=fo)
 if __name__ == '__main__':

--- a/secrules/rules04.py
+++ b/secrules/rules04.py
@@ -43,7 +43,13 @@
                    )
                    acllen = int(retacl[2][ossdef.OSS__ACL_LENGTH])
                    if acllen != 0:
+                        fn_printed = False
+                        for e in get_security.get_security(fn)[2]:
+                            acc = e.split(b',')[-1]
+                            if b'IDENTIFIER=*' in e and (b'DELETE' in acc or b'WRITE' in acc):
+                                if not fn_printed:
+                                    fn_printed = True
                                    if fmt:
                                        print('0401"2"', fn.decode(), file=fo)
                                    else:
                                        print(fn.decode(), file=fo)
@@ -46,9 +52,7 @@
                                    if fmt:
                                        print('0401"2"', fn.decode(), file=fo)
                                    else:
                                        print(fn.decode(), file=fo)
-                        for e in get_security.get_security(fn)[2]:
-                            e: bytes
                                if not fmt:
                                    print(' ' * 9, e.decode(), file=fo)
                except VMSError as err:
@@ -82,7 +86,7 @@
            for fn in fi:   # type: ignore
                fn: bytes
                own = get_security.get_security(fn)[0]
-                if own not in ('SYSTEM', '[1,1]'):
+                if own not in (b'SYSTEM', b'[1,1]'):
                    if fmt:
                        print('0403"2"', fn.decode(), file=fo)
                    else:
@@ -121,7 +125,7 @@
            for fn in fi:  # type: ignore
                fn: bytes
                prot = get_security.get_security(fn)[1]
-                if not (prot == 'System: RWED, Owner: RWED, Group: RE, World'):
+                if prot != b'System: RWED, Owner: RWED, Group: RE, World':
                    if fmt:
                        print('0404"2"', fn.decode(), file=fo)
                    else: