def test_detect_raspberry_pi():
    """Check detect_raspberry_pi() against a faked /proc/device-tree.

    ``agent.rpi_helper.Path`` is replaced by a stand-in whose ``open()`` serves
    canned, NUL-terminated device-tree strings. The assertions expect the
    values back without the trailing NUL.
    """
    # Fake device-tree entries, keyed by the path the helper is expected to read.
    device_tree = {
        '/proc/device-tree/model': 'Raspberry Pi 3 Model B Plus Rev 1.3\x00',
        '/proc/device-tree/serial-number': '0000000060e3b222\x00',
    }

    def mock_open(filename, mode='r'):
        """Return a mock file object holding the fake entry for *filename*.

        Any path outside the fake device tree raises FileNotFoundError.
        *mode* is accepted but not used.
        """
        if filename not in device_tree:
            raise FileNotFoundError
        content = device_tree[filename]
        handle = mock.mock_open(read_data=content).return_value
        # mock_open's handle is not set up for iteration here; provide the lines.
        handle.__iter__.return_value = content.splitlines(True)
        return handle

    class FakePath():
        """Minimal Path replacement: every path 'exists', open() is faked."""

        def __init__(self, filename):
            self._filename = filename

        def is_file(self):
            return True

        def open(self):
            return mock_open(self._filename)

    expected_model = 'Raspberry Pi 3 Model B Plus Rev 1.3'
    expected_serial = '0000000060e3b222'

    with mock.patch('agent.rpi_helper.Path', FakePath):
        metadata = detect_raspberry_pi()
        assert metadata['is_raspberry_pi']
        assert metadata['hardware_model'] == expected_model
        assert metadata['serial_number'] == expected_serial
def test_detect_raspberry_pi(raspberry_cpuinfo):
    """Check detect_raspberry_pi() when every open() yields the cpuinfo fixture.

    ``builtins.open`` is patched so that any file read returns
    ``raspberry_cpuinfo``; the expected model and serial are the values the
    assertions below pin for that fixture.
    """
    fake_open = mock.mock_open(read_data=raspberry_cpuinfo)
    expected_model = '900092'
    expected_serial = '00000000ebd5f1e8'

    with mock.patch('builtins.open', fake_open, create=True):
        metadata = detect_raspberry_pi()
        assert metadata['is_raspberry_pi']
        assert metadata['hardware_model'] == expected_model
        assert metadata['serial_number'] == expected_serial
def send_ping(dev=False):
    """Fetch the server's ping response, then POST a device status report.

    The body of the GET response is handed to ``iptables_helper.block`` as the
    blocklist, except under Docker/Balena confinement. The POST payload carries
    host facts plus whichever scans the current confinement allows. A failed
    GET or POST is logged as 'Ping failed.' and the function returns ``None``.

    Args:
        dev: Forwarded unchanged to ``mtls_request``.
    """
    can_read_cert()

    response = mtls_request('get', 'ping', dev=dev, requester_name="Ping", log_on_ok=True)
    if response is None or not response.ok:
        logger.error('Ping failed.')
        return

    connections, ports = security_helper.netstat_scan()

    payload = dict(
        device_operating_system_version=platform.release(),
        fqdn=socket.getfqdn(),
        ipv4_address=get_primary_ip(),
        uptime=get_uptime(),
        agent_version=str(__version__),
        confinement=CONFINEMENT.name,
        installation=detect_installation().name,
    )

    # Host-level scans that are not available inside Snap, Docker or Balena.
    if CONFINEMENT not in (Confinement.SNAP, Confinement.DOCKER, Confinement.BALENA):
        payload['processes'] = security_helper.process_scan()
        payload['logins'] = journal_helper.logins_last_hour()
        payload['default_password'] = security_helper.check_for_default_passwords(CONFIG_PATH)

    # Firewall and MAC-status work that is not available inside Docker or Balena.
    if CONFINEMENT not in (Confinement.DOCKER, Confinement.BALENA):
        # NOTE(review): the blocklist is applied exactly as the server sent it.
        # Its authenticity rests on mtls_request, which is not visible here;
        # confirm it verifies the server certificate.
        iptables_helper.block(response.json())
        payload['selinux_status'] = security_helper.selinux_status()
        payload['app_armor_enabled'] = security_helper.is_app_armor_enabled()
        payload['firewall_rules'] = iptables_helper.dump()
        payload['scan_info'] = ports
        payload['netstat'] = connections

    rpi_metadata = rpi_helper.detect_raspberry_pi()
    if rpi_metadata['is_raspberry_pi']:
        payload['device_manufacturer'] = 'Raspberry Pi'
        payload['device_model'] = rpi_metadata['hardware_model']

    # NOTE(review): at debug level the whole payload (process list, logins,
    # firewall rules) is written to the log; keep debug logs access-restricted.
    logger.debug("[GATHER] POST Ping: {}".format(payload))

    reply = mtls_request('post', 'ping', json=payload, dev=dev, requester_name="Ping", log_on_ok=True)
    if reply is None or not reply.ok:
        logger.error('Ping failed.')
        return
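def send_ping(debug=False, dev=False):
    """POST a device status report and apply the block lists in the reply.

    The request is sent with the client certificate and key. On an OK
    response, the ``block_ports`` and ``block_networks`` lists in the JSON
    body are passed to ``security_helper``. On a non-OK response,
    'Ping failed.' is printed and nothing is blocked.

    Args:
        debug: When true, print the outgoing payload and the response status
            and body.
        dev: When true, add the ``SSL-CLIENT-SUBJECT-DN`` and
            ``SSL-CLIENT-VERIFY`` headers to the request.

    Raises:
        requests.exceptions.RequestException: Propagated from
            ``requests.post``. This now includes ``Timeout`` when the server
            does not answer within the bound set below.
    """
    can_read_cert()

    payload = {
        'device_operating_system_version': platform.release(),
        'fqdn': socket.getfqdn(),
        'ipv4_address': get_primary_ip(),
        'uptime': get_uptime(),
        'scan_info': get_open_ports(),
        'netstat': security_helper.netstat_scan(),
        'processes': security_helper.process_scan(),
        'firewall_enabled': security_helper.is_firewall_enabled(),
        'firewall_rules': security_helper.get_firewall_rules(),
        'app_armor_enabled': security_helper.is_app_armor_enabled()
    }

    rpi_metadata = rpi_helper.detect_raspberry_pi()
    if rpi_metadata['is_raspberry_pi']:
        payload['device_manufacturer'] = 'Raspberry Pi'
        payload['device_model'] = rpi_metadata['hardware_model']

    if debug:
        # The payload holds the process list and firewall rules; debug output
        # should not go anywhere world-readable.
        print("[GATHER] Ping: {}".format(payload))

    # NOTE(review): in dev mode the client states its own identity through
    # these headers. Presumably a TLS-terminating proxy sets them in
    # production; confirm that endpoint discards client-supplied copies.
    dev_headers = {
        'SSL-CLIENT-SUBJECT-DN': 'CN=' + get_device_id(),
        'SSL-CLIENT-VERIFY': 'SUCCESS'
    } if dev else {}

    # Without a timeout, requests waits indefinitely on an unresponsive server
    # and the agent stalls. (connect, read) seconds; the values are chosen for
    # this fix and should be tuned to the deployment.
    ping = requests.post('{}/v0.2/ping'.format(MTLS_ENDPOINT),
                         cert=(CLIENT_CERT_PATH, CLIENT_KEY_PATH),
                         json=payload,
                         headers=dev_headers,
                         timeout=(10, 30))

    if debug:
        print("[RECEIVED] Ping: {}".format(ping.status_code))
        print("[RECEIVED] Ping: {}".format(ping.content))

    if not ping.ok:
        print('Ping failed.')
        return

    # The reply drives local firewall changes, so the block lists are only as
    # trustworthy as the TLS session that delivered them.
    pong = ping.json()
    security_helper.block_ports(pong.get('block_ports', []))
    security_helper.block_networks(pong.get('block_networks', []))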
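def send_ping():
    """POST basic host facts to the ping endpoint using the client certificate.

    The payload holds the OS release, FQDN and primary IPv4 address, plus the
    manufacturer and model when the host is detected as a Raspberry Pi.
    'Ping failed.' is printed when the response is not OK.

    Raises:
        requests.exceptions.RequestException: Propagated from
            ``requests.post``. This now includes ``Timeout`` when the server
            does not answer within the bound set below.
    """
    can_read_cert()

    payload = {
        'device_operating_system_version': platform.release(),
        'fqdn': socket.getfqdn(),
        'ipv4_address': get_primary_ip(),
    }

    rpi_metadata = rpi_helper.detect_raspberry_pi()
    if rpi_metadata['is_raspberry_pi']:
        payload['device_manufacturer'] = 'Raspberry Pi'
        payload['device_model'] = rpi_metadata['hardware_model']

    # Without a timeout, requests waits indefinitely on an unresponsive server
    # and the agent stalls. (connect, read) seconds; the values are chosen for
    # this fix and should be tuned to the deployment.
    ping = requests.post('{}/v0.2/ping'.format(MTLS_ENDPOINT),
                         cert=(CLIENT_CERT_PATH, CLIENT_KEY_PATH),
                         json=payload,
                         timeout=(10, 30))

    if not ping.ok:
        print('Ping failed.')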
def send_ping(dev=False):
    """Fetch the server's ping response, then POST a device status report.

    The JSON body of the GET response is used twice. Its ``deb_packages_hash``
    decides whether the package list is re-sent, and under NONE or SNAP
    confinement the whole body is handed to ``iptables_helper.block``. The
    POST payload grows with the level of host access the confinement allows.
    A failed GET or POST is logged as 'Ping failed.' and the function returns
    ``None``.

    Args:
        dev: Forwarded unchanged to ``mtls_request``.
    """
    can_read_cert()

    response = mtls_request('get', 'ping', dev=dev, requester_name="Ping", log_on_ok=True)
    if response is None or not response.ok:
        logger.error('Ping failed.')
        return
    pong = response.json()

    payload = dict(
        device_operating_system_version=platform.release(),
        fqdn=socket.getfqdn(),
        ipv4_address=get_primary_ip(),
        uptime=get_uptime(),
        agent_version=str(__version__),
        confinement=CONFINEMENT.name,
        installation=detect_installation().name,
        os_release=rpi_helper.get_os_release(),
    )

    if CONFINEMENT != Confinement.SNAP:
        packages = get_deb_packages()
        # Send the package list only when its hash differs from the server's.
        if pong.get('deb_packages_hash') != packages['hash']:
            payload['deb_packages'] = packages

    if CONFINEMENT in (Confinement.NONE, Confinement.SNAP):
        connections, ports = security_helper.netstat_scan()
        # NOTE(review): the server's reply is applied as the blocklist exactly
        # as received. Its authenticity rests on mtls_request, which is not
        # visible here; confirm it verifies the server certificate.
        iptables_helper.block(pong)
        payload['processes'] = security_helper.process_scan()
        payload['logins'] = journal_helper.logins_last_hour()
        payload['firewall_rules'] = iptables_helper.dump()
        payload['scan_info'] = ports
        payload['netstat'] = connections
        payload['selinux_status'] = security_helper.selinux_status()
        payload['app_armor_enabled'] = security_helper.is_app_armor_enabled()

    # Audits that are only run when the agent is not confined at all.
    if CONFINEMENT == Confinement.NONE:
        payload['default_password_users'] = security_helper.check_for_default_passwords(CONFIG_PATH)
        payload['audit_files'] = security_helper.audit_config_files()
        payload['auto_upgrades'] = rpi_helper.auto_upgrades_enabled()
        payload['mysql_root_access'] = security_helper.mysql_root_access()
        payload['kernel_package'] = rpi_helper.kernel_deb_package()
        payload['cpu'] = security_helper.cpu_vulnerabilities()

    rpi_metadata = rpi_helper.detect_raspberry_pi()
    if rpi_metadata['is_raspberry_pi']:
        payload['device_manufacturer'] = 'Raspberry Pi'
        payload['device_model'] = rpi_metadata['hardware_model']

    # NOTE(review): at debug level the whole payload (logins, default-password
    # users, audit results, firewall rules) is written to the log; keep debug
    # logs access-restricted.
    logger.debug("[GATHER] POST Ping: {}".format(payload))

    reply = mtls_request('post', 'ping', json=payload, dev=dev, requester_name="Ping", log_on_ok=True)
    if reply is None or not reply.ok:
        logger.error('Ping failed.')
        return