示例#1
0
文件: time_test.py 项目: rainser/grr
    def testNtpHasMonitorDisabled(self):
        """Test for checking that monitor is disabled."""
        parser = config_file.NtpdParser()

        check_id = "TIME-NTP-REFLECTION"
        artifact_id = "NtpConfFile"
        good_config = {
            "/etc/ntp.conf": """
        disable monitor
        """
        }
        good_tricky_config = {
            "/etc/ntp.conf":
            """
        disable monitor auth
        enable kernel monitor auth
        disable kernel monitor
        """
        }
        bad_config = {"/etc/ntp.conf": """
        enable monitor
        """}
        bad_default_config = {"/etc/ntp.conf": """
        """}
        bad_tricky_config = {
            "/etc/ntp.conf":
            """
        enable kernel monitor auth
        disable monitor auth
        enable kernel monitor
        """
        }
        found = ["ntpd.conf has monitor flag set to True."]
        sym = (
            "Found: ntpd.conf is configured to allow monlist NTP reflection "
            "attacks.")

        results = self.RunChecks(
            self.GenFileData(artifact_id, good_config, parser))
        self.assertCheckUndetected(check_id, results)

        results = self.RunChecks(
            self.GenFileData(artifact_id, good_tricky_config, parser))
        self.assertCheckUndetected(check_id, results)

        results = self.RunChecks(
            self.GenFileData(artifact_id, bad_config, parser))
        self.assertCheckDetectedAnom(check_id, results, sym, found)

        results = self.RunChecks(
            self.GenFileData(artifact_id, bad_default_config, parser))
        self.assertCheckDetectedAnom(check_id, results, sym, found)

        results = self.RunChecks(
            self.GenFileData(artifact_id, bad_tricky_config, parser))
        self.assertCheckDetectedAnom(check_id, results, sym, found)
示例#2
0
文件: time_test.py 项目: rainser/grr
    def testNtpDoesntAllowOpenQueries(self):
        """Test for checking we don't allow queries by default."""
        parser = config_file.NtpdParser()

        check_id = "TIME-NTP-NO-OPEN-QUERIES"
        artifact_id = "NtpConfFile"
        good_config = {
            "/etc/ntp.conf":
            """
        restrict default nomodify noquery nopeer
        """
        }
        bad_config = {
            "/etc/ntp.conf":
            """
        restrict default nomodify nopeer
        """
        }
        bad_default_config = {"/etc/ntp.conf": """
        """}

        # A good config should pass.
        results = self.RunChecks(
            self.GenFileData("NtpConfFile", good_config, parser))
        self.assertCheckUndetected(check_id, results)

        found = ["Expected state was not found"]
        sym = (
            "Missing attribute: ntpd.conf is configured or defaults to open "
            "queries. Can allow DDoS. This configuration is an on-going "
            "recommendation following the Ntp December 2014 Vulnerability "
            "notice. (http://support.ntp.org/bin/view/Main/SecurityNotice)")
        # A bad one should detect a problem.
        results = self.RunChecks(
            self.GenFileData(artifact_id, bad_config, parser))
        self.assertCheckDetectedAnom(check_id, results, sym, found)

        # And as the default is to be queryable, check we detect an empty config.
        results = self.RunChecks(
            self.GenFileData(artifact_id, bad_default_config, parser))
        self.assertCheckDetectedAnom(check_id, results, sym, found)
示例#3
0
    def testParseNtpConfig(self):
        test_data = r"""
    # Time servers
    server 1.2.3.4 iburst
    server 4.5.6.7 iburst
    server 8.9.10.11 iburst
    server time.google.com iburst
    server 2001:1234:1234:2::f iburst

    # Drift file
    driftfile /var/lib/ntp/ntp.drift

    restrict default nomodify noquery nopeer

    # Guard against monlist NTP reflection attacks.
    disable monitor

    # Enable the creation of a peerstats file
    enable stats
    statsdir /var/log/ntpstats
    filegen peerstats file peerstats type day link enable

    # Test only.
    ttl 127 88
    broadcastdelay 0.01
"""
        conffile = StringIO.StringIO(test_data)
        parser = config_file.NtpdParser()
        results = list(parser.Parse(None, conffile, None))

        # We expect some results.
        self.assertTrue(results)
        # There should be only one result.
        self.assertEqual(1, len(results))
        # Now that we are sure, just use that single result for easy of reading.
        results = results[0]

        # Check all the expected "simple" config keywords are present.
        expected_config_keywords = set([
            "driftfile", "statsdir", "filegen", "ttl", "broadcastdelay"
        ]) | set(parser._defaults.keys())
        self.assertEqual(expected_config_keywords, set(results.config.keys()))

        # Check all the expected "keyed" config keywords are present.
        self.assertTrue(results.server)
        self.assertTrue(results.restrict)
        # And check one that isn't in the config, isn't in out result.
        self.assertFalse(results.trap)

        # Check we got all the "servers".
        servers = [
            "1.2.3.4", "4.5.6.7", "8.9.10.11", "time.google.com",
            "2001:1234:1234:2::f"
        ]
        self.assertItemsEqual(servers, [r.address for r in results.server])
        # In our test data, they all have "iburst" as an arg. Check that is found.
        for r in results.server:
            self.assertEqual("iburst", r.options)

        # Check a few values were parsed correctly.
        self.assertEqual("/var/lib/ntp/ntp.drift", results.config["driftfile"])
        self.assertEqual("/var/log/ntpstats", results.config["statsdir"])
        self.assertEqual("peerstats file peerstats type day link enable",
                         results.config["filegen"])
        self.assertEqual(1, len(results.restrict))
        self.assertEqual("default", results.restrict[0].address)
        self.assertEqual("nomodify noquery nopeer",
                         results.restrict[0].options)
        # A option that can have a list of integers.
        self.assertEqual([127, 88], results.config["ttl"])
        # An option that should only have a single float.
        self.assertEqual([0.01], results.config["broadcastdelay"])

        # Check the modified defaults.
        self.assertFalse(results.config["monitor"])
        self.assertTrue(results.config["stats"])

        # Check an unlisted defaults are unmodified.
        self.assertFalse(results.config["kernel"])
        self.assertTrue(results.config["auth"])