| # |
| # ISA_kca_plugin.py - Kernel config options analyzer plugin, part of ISA FW |
| # |
| # Copyright (c) 2015 - 2016, Intel Corporation |
| # |
| # Redistribution and use in source and binary forms, with or without |
| # modification, are permitted provided that the following conditions are met: |
| # |
| # * Redistributions of source code must retain the above copyright notice, |
| # this list of conditions and the following disclaimer. |
| # * Redistributions in binary form must reproduce the above copyright |
| # notice, this list of conditions and the following disclaimer in the |
| # documentation and/or other materials provided with the distribution. |
| # * Neither the name of Intel Corporation nor the names of its contributors |
| # may be used to endorse or promote products derived from this software |
| # without specific prior written permission. |
| # |
| # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" |
| # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE |
| # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE |
| # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
| # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR |
| # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER |
| # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, |
| # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE |
| # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| |
| try: |
| from lxml import etree |
| except ImportError: |
| try: |
| import xml.etree.cElementTree as etree |
| except ImportError: |
| import xml.etree.ElementTree as etree |
| import importlib |
| |
| KCAnalyzer = None |
| |
| |
| class ISA_KernelChecker(): |
| initialized = False |
| |
| def __init__(self, ISA_config): |
| self.logfile = ISA_config.logdir + "/isafw_kcalog" |
| self.full_report_name = ISA_config.reportdir + "/kca_full_report_" + \ |
| ISA_config.machine + "_" + ISA_config.timestamp |
| self.problems_report_name = ISA_config.reportdir + \ |
| "/kca_problems_report_" + ISA_config.machine + "_" + ISA_config.timestamp |
| self.full_reports = ISA_config.full_reports |
| self.initialized = True |
| self.arch = ISA_config.arch |
| with open(self.logfile, 'w') as flog: |
| flog.write("\nPlugin ISA_KernelChecker initialized!\n") |
| |
| def append_recommendation(self, report, key, value): |
| report.write("Recommended value:\n") |
| report.write(key + ' : ' + str(value) + '\n') |
| comment = self.comments.get(key, '') |
| if comment != '': |
| report.write("Comment:\n") |
| report.write(comment + '\n') |
| |
| def process_kernel(self, ISA_kernel): |
| if (self.initialized): |
| if (ISA_kernel.img_name and ISA_kernel.path_to_config): |
| # Merging common and arch configs |
| common_config_module = importlib.import_module('isafw.isaplugins.configs.kca.{}'.format('common')) |
| arch_config_module = importlib.import_module('isafw.isaplugins.configs.kca.{}'.format(self.arch)) |
| |
| for c in ["hardening_kco", "keys_kco", "security_kco", "integrity_kco", |
| "hardening_kco_ref", "keys_kco_ref", "security_kco_ref", "integrity_kco_ref", |
| "comments"]: |
| setattr(self, c, merge_config(getattr(arch_config_module, c), getattr(common_config_module, c))) |
| with open(self.logfile, 'a') as flog: |
| flog.write("Analyzing kernel config file at: " + ISA_kernel.path_to_config + |
| " for the image: " + ISA_kernel.img_name + "\n") |
| with open(ISA_kernel.path_to_config, 'r') as fkernel_conf: |
| for line in fkernel_conf: |
| line = line.strip('\n') |
| for key in self.hardening_kco: |
| if key + '=' in line: |
| self.hardening_kco[key] = line.split('=')[1] |
| for key in self.keys_kco: |
| if key + '=' in line: |
| self.keys_kco[key] = line.split('=')[1] |
| for key in self.security_kco: |
| if key + '=' in line: |
| self.security_kco[key] = line.split('=')[1] |
| for key in self.integrity_kco: |
| if key + '=' in line: |
| self.integrity_kco[key] = line.split('=')[1] |
| with open(self.logfile, 'a') as flog: |
| flog.write("\n\nhardening_kco values: " + |
| str(self.hardening_kco)) |
| flog.write("\n\nkeys_kco values: " + str(self.keys_kco)) |
| flog.write("\n\nsecurity_kco values: " + |
| str(self.security_kco)) |
| flog.write("\n\nintegrity_kco values: " + |
| str(self.integrity_kco)) |
| self.write_full_report(ISA_kernel) |
| self.write_problems_report(ISA_kernel) |
| |
| else: |
| with open(self.logfile, 'a') as flog: |
| flog.write( |
| "Mandatory arguments such as image name and path to config are not provided!\n") |
| flog.write("Not performing the call.\n") |
| else: |
| with open(self.logfile, 'a') as flog: |
| flog.write( |
| "Plugin hasn't initialized! Not performing the call!\n") |
| |
| def write_full_report(self, ISA_kernel): |
| if self.full_reports: |
| with open(self.full_report_name + "_" + ISA_kernel.img_name, 'w') as freport: |
| freport.write("Report for image: " + |
| ISA_kernel.img_name + '\n') |
| freport.write("With the kernel conf at: " + |
| ISA_kernel.path_to_config + '\n\n') |
| freport.write("Hardening options:\n") |
| for key in sorted(self.hardening_kco): |
| freport.write( |
| key + ' : ' + str(self.hardening_kco[key]) + '\n') |
| freport.write("\nKey-related options:\n") |
| for key in sorted(self.keys_kco): |
| freport.write(key + ' : ' + str(self.keys_kco[key]) + '\n') |
| freport.write("\nSecurity options:\n") |
| for key in sorted(self.security_kco): |
| freport.write( |
| key + ' : ' + str(self.security_kco[key]) + '\n') |
| freport.write("\nIntegrity options:\n") |
| for key in sorted(self.integrity_kco): |
| freport.write( |
| key + ' : ' + str(self.integrity_kco[key]) + '\n') |
| |
| def write_problems_report(self, ISA_kernel): |
| self.write_text_problems_report(ISA_kernel) |
| self.write_xml_problems_report(ISA_kernel) |
| |
| def write_text_problems_report(self, ISA_kernel): |
| with open(self.problems_report_name + "_" + ISA_kernel.img_name, 'w') as freport: |
| freport.write("Report for image: " + ISA_kernel.img_name + '\n') |
| freport.write("With the kernel conf at: " + |
| ISA_kernel.path_to_config + '\n\n') |
| freport.write("Hardening options that need improvement:\n") |
| for key in sorted(self.hardening_kco): |
| if (self.hardening_kco[key] != self.hardening_kco_ref[key]): |
| valid = False |
| if (key == "CONFIG_CMDLINE"): |
| if (len(self.hardening_kco['CONFIG_CMDLINE']) > 0): |
| valid = True |
| if (key == "CONFIG_DEBUG_STRICT_USER_COPY_CHECKS"): |
| if (self.hardening_kco['CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS'] == 'y'): |
| valid = True |
| if (key == "CONFIG_RANDOMIZE_BASE_MAX_OFFSET"): |
| options = self.hardening_kco_ref[key].split(',') |
| for option in options: |
| if (option == self.hardening_kco[key]): |
| valid = True |
| break |
| if not valid: |
| freport.write("\nActual value:\n") |
| freport.write( |
| key + ' : ' + str(self.hardening_kco[key]) + '\n') |
| self.append_recommendation(freport, key, self.hardening_kco_ref[key]) |
| freport.write("\nKey-related options that need improvement:\n") |
| for key in sorted(self.keys_kco): |
| if (self.keys_kco[key] != self.keys_kco_ref[key]): |
| freport.write("\nActual value:\n") |
| freport.write(key + ' : ' + str(self.keys_kco[key]) + '\n') |
| self.append_recommendation(freport, key, self.keys_kco_ref[key]) |
| freport.write("\nSecurity options that need improvement:\n") |
| for key in sorted(self.security_kco): |
| if (self.security_kco[key] != self.security_kco_ref[key]): |
| valid = False |
| if (key == "CONFIG_DEFAULT_SECURITY"): |
| options = self.security_kco_ref[key].split(',') |
| for option in options: |
| if (option == self.security_kco[key]): |
| valid = True |
| break |
| if ((key == "CONFIG_SECURITY_SELINUX") or |
| (key == "CONFIG_SECURITY_SMACK") or |
| (key == "CONFIG_SECURITY_APPARMOR") or |
| (key == "CONFIG_SECURITY_TOMOYO")): |
| if ((self.security_kco['CONFIG_SECURITY_SELINUX'] == 'y') or |
| (self.security_kco['CONFIG_SECURITY_SMACK'] == 'y') or |
| (self.security_kco['CONFIG_SECURITY_APPARMOR'] == 'y') or |
| (self.security_kco['CONFIG_SECURITY_TOMOYO'] == 'y')): |
| valid = True |
| if not valid: |
| freport.write("\nActual value:\n") |
| freport.write( |
| key + ' : ' + str(self.security_kco[key]) + '\n') |
| self.append_recommendation(freport, key, self.security_kco_ref[key]) |
| freport.write("\nIntegrity options that need improvement:\n") |
| for key in sorted(self.integrity_kco): |
| if (self.integrity_kco[key] != self.integrity_kco_ref[key]): |
| valid = False |
| if ((key == "CONFIG_IMA_DEFAULT_HASH_SHA1") or |
| (key == "CONFIG_IMA_DEFAULT_HASH_SHA256") or |
| (key == "CONFIG_IMA_DEFAULT_HASH_SHA512") or |
| (key == "CONFIG_IMA_DEFAULT_HASH_WP512")): |
| if ((self.integrity_kco['CONFIG_IMA_DEFAULT_HASH_SHA256'] == 'y') or |
| (self.integrity_kco['CONFIG_IMA_DEFAULT_HASH_SHA512'] == 'y')): |
| valid = True |
| if not valid: |
| freport.write("\nActual value:\n") |
| freport.write( |
| key + ' : ' + str(self.integrity_kco[key]) + '\n') |
| self.append_recommendation(freport, key, self.integrity_kco_ref[key]) |
| |
| def write_xml_problems_report(self, ISA_kernel): |
| # write_problems_report_xml |
| num_tests = len(self.hardening_kco) + len(self.keys_kco) + \ |
| len(self.security_kco) + len(self.integrity_kco) |
| root = etree.Element( |
| 'testsuite', name='KCA_Plugin', tests=str(num_tests)) |
| for key in sorted(self.hardening_kco): |
| tcase1 = etree.SubElement( |
| root, 'testcase', classname='Hardening options', name=key) |
| if (self.hardening_kco[key] != self.hardening_kco_ref[key]): |
| valid = False |
| if (key == "CONFIG_CMDLINE"): |
| if (len(self.hardening_kco['CONFIG_CMDLINE']) > 0): |
| valid = True |
| if (key == "CONFIG_DEBUG_STRICT_USER_COPY_CHECKS"): |
| if (self.hardening_kco['CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS'] == 'y'): |
| valid = True |
| if (key == "CONFIG_RANDOMIZE_BASE_MAX_OFFSET"): |
| options = self.hardening_kco_ref[key].split(',') |
| for option in options: |
| if (option == self.hardening_kco[key]): |
| valid = True |
| break |
| if not valid: |
| msg1 = 'current=' + key + ' is ' + \ |
| str(self.hardening_kco[ |
| key]) + ', recommended=' + key + ' is ' + str(self.hardening_kco_ref[key]) |
| etree.SubElement( |
| tcase1, 'failure', message=msg1, type='violation') |
| for key in sorted(self.keys_kco): |
| tcase2 = etree.SubElement( |
| root, 'testcase', classname='Key-related options', name=key) |
| if (self.keys_kco[key] != self.keys_kco_ref[key]): |
| msg2 = 'current=' + key + ' is ' + \ |
| str(self.keys_kco[key] + ', recommended=' + |
| key + ' is ' + str(self.keys_kco_ref[key])) |
| etree.SubElement( |
| tcase2, 'failure', message=msg2, type='violation') |
| for key in sorted(self.security_kco): |
| tcase3 = etree.SubElement( |
| root, 'testcase', classname='Security options', name=key) |
| if (self.security_kco[key] != self.security_kco_ref[key]): |
| valid = False |
| if (key == "CONFIG_DEFAULT_SECURITY"): |
| options = self.security_kco_ref[key].split(',') |
| for option in options: |
| if (option == self.security_kco[key]): |
| valid = True |
| break |
| if ((key == "CONFIG_SECURITY_SELINUX") or |
| (key == "CONFIG_SECURITY_SMACK") or |
| (key == "CONFIG_SECURITY_APPARMOR") or |
| (key == "CONFIG_SECURITY_TOMOYO")): |
| if ((self.security_kco['CONFIG_SECURITY_SELINUX'] == 'y') or |
| (self.security_kco['CONFIG_SECURITY_SMACK'] == 'y') or |
| (self.security_kco['CONFIG_SECURITY_APPARMOR'] == 'y') or |
| (self.security_kco['CONFIG_SECURITY_TOMOYO'] == 'y')): |
| valid = True |
| if not valid: |
| msg3 = 'current=' + key + ' is ' + \ |
| str(self.security_kco[key]) + ', recommended=' + \ |
| key + ' is ' + str(self.security_kco_ref[key]) |
| etree.SubElement( |
| tcase3, 'failure', message=msg3, type='violation') |
| for key in sorted(self.integrity_kco): |
| tcase4 = etree.SubElement( |
| root, 'testcase', classname='Integrity options', name=key) |
| if (self.integrity_kco[key] != self.integrity_kco_ref[key]): |
| valid = False |
| if ((key == "CONFIG_IMA_DEFAULT_HASH_SHA1") or |
| (key == "CONFIG_IMA_DEFAULT_HASH_SHA256") or |
| (key == "CONFIG_IMA_DEFAULT_HASH_SHA512") or |
| (key == "CONFIG_IMA_DEFAULT_HASH_WP512")): |
| if ((self.integrity_kco['CONFIG_IMA_DEFAULT_HASH_SHA256'] == 'y') or |
| (self.integrity_kco['CONFIG_IMA_DEFAULT_HASH_SHA512'] == 'y')): |
| valid = True |
| if not valid: |
| msg4 = 'current=' + key + ' is ' + \ |
| str(self.integrity_kco[ |
| key]) + ', recommended=' + key + ' is ' + str(self.integrity_kco_ref[key]) |
| etree.SubElement( |
| tcase4, 'failure', message=msg4, type='violation') |
| tree = etree.ElementTree(root) |
| output = self.problems_report_name + "_" + ISA_kernel.img_name + '.xml' |
| try: |
| tree.write(output, encoding='UTF-8', |
| pretty_print=True, xml_declaration=True) |
| except TypeError: |
| tree.write(output, encoding='UTF-8', xml_declaration=True) |
| |
| |
| def merge_config(arch_kco, common_kco): |
| merged = arch_kco.copy() |
| merged.update(common_kco) |
| return merged |
| |
| # ======== supported callbacks from ISA ============= # |
| def init(ISA_config): |
| global KCAnalyzer |
| KCAnalyzer = ISA_KernelChecker(ISA_config) |
| |
| |
| def getPluginName(): |
| return "ISA_KernelChecker" |
| |
| |
| def process_kernel(ISA_kernel): |
| global KCAnalyzer |
| return KCAnalyzer.process_kernel(ISA_kernel) |
| # ==================================================== # |