
    How to get returned value in PDF/HTML report

      I have added a snippet of our script that analyzes a Unix device and checks a list of services against xinetd and the output of the ps command. It works in the FASL interpreter; however, when run on FS 6.7 it does not return any value to the PDF or HTML report. In short, the check itself works but the affected service or process is not returned to the report. Any insight would be valuable.


      Script snippet below (the services/process list has obviously been sanitized; to test it, insert names as they would appear in the xinetd configuration and in the output of the ps command).

      /*
      *  script: usb-ux-forbidden-services.fasl3
      *  RCSver: $Revision: $
      *
      *  purpose: Foundstone check for policy issue:
      *
      *           This check will look at:
      *           - list of active running processes (from usbUX_ActPrcs())
      *           - list of service names served by xinetd, or inetd
      *             (from usbUX_Services()).
      *           These two arrays will be searched for names that match
      *           those on the forbidden list.
      *
      */

      //
      // Check metadata read by the FASL framework.  ATTACK_NONINTRUSIVE,
      // OS_UNIX, PROTOCOL_TCP and REGEXP_FILTER are framework-provided
      // constants; their exact meaning is defined by FASL, not by this script.
      //
      FASL.vulnID                             = 61107;
      FASL.attackType                         = ATTACK_NONINTRUSIVE;
      FASL.os                                 = OS_UNIX;
      FASL.protocol                           = PROTOCOL_TCP;
      FASL.filtertype                         = REGEXP_FILTER;
      // Empty filter string: presumably "no OS-version restriction" — confirm
      // against the FASL documentation for REGEXP_FILTER.
      FASL.filters.osVersion                  = "";

      // Helper library providing usbUX_ActPrcs(), usbUX_Services() and
      // usbUX_findArr(), which faslmain() below relies on.
      include("usb-misc-lib.fasl3.inc");

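      /*
      *  faslmain(): entry point called by the FASL framework.
      *
      *  Compares the active process names and the xinetd/inetd service names
      *  of the target against `blacklist`.  Every hit is written to the
      *  console (System.println) and appended to Target.htmlReport.
      *
      *  parms   - framework parameter object; only parms.shell is used, to
      *            open an Expect session on the target.
      *  returns - VULYES when at least one blacklisted name was found,
      *            VULNO otherwise.
      */
      function faslmain (parms)
      {
        // Process/service names that must not be running on the target.
        // (Sanitized placeholder list; use the names exactly as they appear
        // in the xinetd stanzas and in `ps` output.)
        var blacklist = [
          "name1","name2",
        ];

        // Escape the HTML-significant characters of a value read from the
        // target.  Process and service names come from the scanned host, so
        // they must not be able to inject markup into Target.htmlReport.
        // Uses charAt() only, to stay within the most basic string API.
        var htmlEscape = function(value) {
          var text = String(value);
          var escaped = '';
          var i;
          for (i = 0; i < text.length; i++) {
            var c = text.charAt(i);
            if (c == '&') {
              escaped += '&amp;';
            } else if (c == '<') {
              escaped += '&lt;';
            } else if (c == '>') {
              escaped += '&gt;';
            } else if (c == '"') {
              escaped += '&quot;';
            } else {
              escaped += c;
            }
          }
          return escaped;
        };

        // Report every entry of `names` that is on the blacklist and return
        // the number of hits.  `label` is the noun used in the report line
        // ("process" or "service").  A missing/empty list yields 0.
        var reportBlacklisted = function(label, names) {
          var found = 0;
          var i;
          if (!names || !names.length) {
            return 0;
          }
          // Index loop instead of for..in: for..in on an array also walks
          // any enumerable property added to Array.prototype and does not
          // guarantee ordering.
          for (i = 0; i < names.length; i++) {
            if (usbUX_findArr(blacklist, names[i])) {
              System.println("BlackListed " + label + ": " + names[i]);
              Target.htmlReport += "<p>BlackListed " + label + ": " +
                                   htmlEscape(names[i]) + "</p>";
              found++;
            }
          }
          return found;
        };

        var sh = new Expect(parms.shell);
        var procs = usbUX_ActPrcs(sh);  // active process basenames
        var servs = usbUX_Services(sh); // service names enabled under
                                        //   xinetd/inetd
        var vulcnt = 0;

        vulcnt += reportBlacklisted("process", procs);
        vulcnt += reportBlacklisted("service", servs);

        if (vulcnt > 0) { return(VULYES); }

        return(VULNO);
      }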

       

      The include file containing usbUX_ActPrcs and usbUX_Services is below:


      // Lower-level SSH/shell helpers this library builds on.
      include("ssh-misc-lib.fasl3.inc");

      //
      // Use simpler names for return codes
      //
      var NOTSURE = INDETERMINATE;
      var VULYES  = VULNERABLE;
      var VULNO  = NOTVULNERABLE;

      //
      // Keys under which the usbUX_* functions below cache their results
      // via Cache.atomic(), so that each command runs at most once per target.
      //
      var OSNAME   = 'osname';
      var OSREL    = 'osrel';
      var PKGS     = 'pkgs';
      var SERVS    = 'servs';
      var ACTPRCS  = 'actprcs';

      /*
      *  usbUX_getOSName(): detect the Unix flavor of the target from
      *                     `uname -s`.  Returns one of OSG_LINUX, OSG_HPUX,
      *                     OSG_AIX, OSG_SUN, or OSG_UNKNOWN when no pattern
      *                     matches.  The result is cached under OSNAME.
      */
      function usbUX_getOSName(shell) {
        return Cache.atomic(
          OSNAME, function() {
            var flavor = OSG_UNKNOWN;
            // Builds a match handler that records `value` as the flavor.
            var remember = function(value) {
              return function() { flavor = value; };
            };
            shell.exec(
              "uname -s", 
                [/Linux/, remember(OSG_LINUX)],
                [/HP-UX/, remember(OSG_HPUX)],
                [/AIX/,   remember(OSG_AIX)],
                [/SunOS/, remember(OSG_SUN)]
            );
            return flavor;
          }
        );
      }

      /*
      *  usbUX_getOSRel(): placeholder for capturing the particular release of
      *                    a Unix flavor.  Intended values:
      *                    AIX:    4.2, 4.3, 5.1, 5.2, 5.3
      *                    SunOS:  5.7, 5.8, 5.9, 5.10
      *                    HP-UX:  11.11, 11.23
      *                    Linux:  RHEL AS R3, RHEL ES R3, RHEL AS R4,
      *                            RHEL ES R4, SL ES 9, SL ES 10
      *                    Not implemented yet: always returns "" regardless
      *                    of `shell`.
      */
      function usbUX_getOSRel(shell) {
        var release = "";
        return release;
      }

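      /*
      *  usbUX_ActPrcs(): common function to capture the list of active
      *                   running process names on Unix systems.
      *                   Only the basenames are captured (nothing else);
      *                   the header line is dropped and duplicates removed.
      *                   Result is cached under ACTPRCS via Cache.atomic().
      *                   Returns an empty array when the OS flavor is not
      *                   recognised (no command is executed in that case).
      */

      function usbUX_ActPrcs(shell) {
        return Cache.atomic(
          ACTPRCS, function() {
            var cmd = null;
            switch ( usbUX_getOSName(shell) ) {
              case OSG_LINUX:
                cmd = "/bin/ps -e -o 'comm' | cut -d/ -f1 ";
                break;
              case OSG_AIX:
                cmd = "/bin/ps -e -o 'comm'";
                break;
              case OSG_HPUX:
                cmd = "/bin/ps -e | awk '{print $4}'";
                break;
              case OSG_SUN:
                cmd = "/bin/ps -e -o 'comm' | awk -F/ '{print $NF}'";
                break;
            }
            // Unknown flavor: the original left cmd undefined and went on to
            // run "undefined| tail +2 | sort -u" on the target.  Report an
            // empty process list instead of executing shell garbage.
            if (cmd == null) {
              return [];
            }
            // Drop the `ps` header line and de-duplicate.
            // NOTE(review): `tail +2` is the obsolete spelling; `tail -n +2`
            // is the POSIX form — confirm which the target platforms accept
            // before changing it.
            cmd += '| tail +2 | sort -u';
            return shell.exec(cmd);
          }
        )
      }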

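      /*
      *  usbUX_Services(): common function to capture the list of service
      *                    names enabled on a Unix system, taken from the
      *                    stanzas under /etc/xinetd.d/* (Linux) or from
      *                    /etc/inetd.conf (AIX, HP-UX, Solaris).
      *                    Result is cached under SERVS via Cache.atomic().
      *                    Returns an empty array when neither xinetd nor
      *                    inetd is among the running processes, or when the
      *                    OS flavor is not recognised.
      */

      function usbUX_Services(shell) {
        return Cache.atomic(
          SERVS, function() {
            var srvlist = [];
            var procs = usbUX_ActPrcs(shell);
            switch ( usbUX_getOSName(shell) ) {
              case OSG_LINUX:
                // Only read the xinetd stanzas when xinetd is actually running.
                if (usbUX_findArr(procs, 'xinetd')) {
                  // Name of the stanza currently being read; reset to '' once
                  // the stanza is seen to be disabled.
                  var name = '';
                  shell.exec("cat /etc/xinetd.d/* | sed -e '/^$/d' -e '/^#/d' ", [
                    // A new "service NAME" line: flush the previous stanza if
                    // it is still enabled, then start tracking this one.
                    // NOTE(review): \w+ stops at '-', so a stanza such as
                    // "service echo-udp" is recorded as "echo"; kept as-is
                    // because existing blacklists may rely on that.
                    [/service\s+(\w+)/, function(m) {
                      if (name != '') { srvlist.push(name); }
                      name = m[1];
                    }],
                    // "disable = yes" inside the stanza drops it.  The
                    // original wrote `if (m[1] = 'yes')` — an assignment,
                    // hence always true — so every stanza with an explicit
                    // "disable = no" line was discarded as well.
                    [/disable\s*=\s*(\w+)/, function(m) {
                      if (m[1].toLowerCase() == 'yes') { name = ''; }
                    }]
                  ]);
                  // Flush the last stanza of the last file.
                  if (name != '') { srvlist.push(name); }
                }
                break;
              case OSG_AIX:
              case OSG_HPUX:
              case OSG_SUN:
                // Classic inetd: take the 7th field of each active
                // inetd.conf line (presumably the server's argv[0]) and
                // reduce it to its basename.
                if (usbUX_findArr(procs, 'inetd')) {
                  var cmd = "/bin/cat /etc/inetd.conf | sed -e '/^$/d' -e '/^#/d' |" +
                            "awk '{print $7}' | awk -F/ '{print $NF}'";
                  srvlist =  shell.exec(cmd);
                }
                break;
            }
            return srvlist;
          }
        )
      }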

      /*
      *  usbUX_findArr(): true when `key` occurs in the array `arr`,
      *                   false otherwise (including for an empty array).
      *                   Uses loose (==) comparison on purpose, matching
      *                   the rest of this library.
      */
      function usbUX_findArr(arr, key) {
        var remaining = arr.length;
        while (remaining > 0) {
          remaining--;
          if (arr[remaining] == key) {
            return true;
          }
        }
        return false;
      }

      /*
      *  usbUX_PackageList(): common function to capture the set of software
      *                       packages installed on a Unix system, as an
      *                       array of [name, version] pairs with the name
      *                       lower-cased.  Result is cached under PKGS.
      *                       HP-UX is not handled yet and yields an empty
      *                       array; so does an unrecognised OS flavor.
      */
      function usbUX_PackageList(shell) {
        return Cache.atomic(
          PKGS, function() {
            var packages = [];
            // Records one package; the name is normalised to lower case.
            var addPackage = function(name, version) {
              packages.push([name.toLowerCase(), version]);
            };
            var flavor = usbUX_getOSName(shell);

            if (flavor == OSG_LINUX) {
              // One "name:version-release" line per rpm.
              shell.exec('/bin/rpm -qa --queryformat "%{NAME}:%{VERSION}-%{RELEASE}\n"',
                [/^(.*):(.*)$/i, function(m) {
                  addPackage(m[1], m[2]);
                }]
              );
            } else if (flavor == OSG_AIX) {
              // Colon-separated lslpp output; presumably field 1 is the
              // fileset and field 2 its level — confirm against lslpp -Lc.
              shell.exec('/usr/bin/lslpp -Lc',
                [/^(\w.*)$/i, function(m) {
                  var fields = m[1].split(':');
                  addPackage(fields[1], fields[2]);
                }]
              );
            } else if (flavor == OSG_SUN) {
              // pkginfo -x: only the leading package name is captured,
              // no version.
              shell.exec('/usr/bin/pkginfo -x',
                [/^(\w+).*$/i, function(m) {
                  addPackage(m[1], '');
                }]
              );
            }
            // OSG_HPUX (swlist) intentionally not implemented yet.

            return packages;
          }
        )
      }

       

       
