risu 1.6.3 → 1.7.0

data/lib/risu/base/host_template_helper.rb

@@ -0,0 +1,75 @@
+# Copyright (c) 2012-2014 Arxopia LLC.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above copyright
+#       notice, this list of conditions and the following disclaimer in the
+#       documentation and/or other materials provided with the distribution.
+#     * Neither the name of the Arxopia LLC nor the names of its contributors
+#     	may be used to endorse or promote products derived from this software
+#     	without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL ARXOPIA LLC BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
+# OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+# OF THE POSSIBILITY OF SUCH DAMAGE.
+
+module Risu
+	module Templates
+		module HostTemplateHelper
+
+			#
+			def unsupported_os(title, plugin_name)
+				if item_count_by_plugin_name(plugin_name) <= 0
+					return
+				end
+
+				heading2 title
+
+				headers = ["Host"]
+				data = Array.new
+
+				findings =  Item.where(:plugin_id => Plugin.where(:plugin_name => plugin_name).first.id)
+
+				findings.each do |finding|
+					host = Host.find_by_id(finding.host_id)
+
+					host_string = "#{host.name}"
+					host_string << " (#{host.fqdn})" if host.fqdn != nil
+
+					row = Array.new
+					row.push host_string
+
+					data << row
+				end
+
+				@output.table([headers] + data, :header => true, :width => output.bounds.width) do
+					row(0).style(:font_style => :bold, :background_color => 'cccccc')
+					cells.borders = [:top, :bottom, :left, :right]
+				end
+
+				text "\n"
+
+			end
+
+			#
+			def unsupported_os_appendix_section
+				unsupported_os("Unsupported Windows NT Installations", "Microsoft Windows NT 4.0 Unsupported Installation Detection")
+				unsupported_os("Unsupported Windows 2000 Installations", "Microsoft Windows 2000 Unsupported Installation Detection")
+				unsupported_os("Unsupported Windows XP Installations", "Microsoft Windows XP Unsupported Installation Detection")
+
+				text "\n"
+			end			
+		end
+	end
+end

data/lib/risu/base/malware_template_helper.rb

@@ -0,0 +1,96 @@
+# Copyright (c) 2012-2014 Arxopia LLC.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above copyright
+#       notice, this list of conditions and the following disclaimer in the
+#       documentation and/or other materials provided with the distribution.
+#     * Neither the name of the Arxopia LLC nor the names of its contributors
+#     	may be used to endorse or promote products derived from this software
+#     	without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL ARXOPIA LLC BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
+# OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+# OF THE POSSIBILITY OF SUCH DAMAGE.
+
+module Risu
+	module Templates
+		module MalwareTemplateHelper
+
+			#
+			def conficker_count
+				begin
+					return Plugin.where(:plugin_name => "Conficker Worm Detection (uncredentialed check)").count
+				rescue => e
+					return 0
+				end
+			end
+
+			#
+			def conficker_appendix_section
+				if conficker_count() <= 0
+					return
+				end
+
+				heading2 "Conficker Worm Infection"
+
+				headers = ["Host"]
+				data = Array.new
+
+				findings =  Item.where(:plugin_id => Plugin.where(:plugin_name => "Conficker Worm Detection (uncredentialed check)").first.id)
+
+				findings.each do |finding|
+					host = Host.find_by_id(finding.host_id)
+
+					host_string = "#{host.name}"
+					host_string << " (#{host.fqdn})" if host.fqdn != nil
+
+					row = Array.new
+					row.push host_string
+
+					data << row
+				end
+
+				@output.table([headers] + data, :header => true, :width => output.bounds.width) do
+					row(0).style(:font_style => :bold, :background_color => 'cccccc')
+					cells.borders = [:top, :bottom, :left, :right]
+				end
+
+				text "\n"
+			end
+
+			#
+			def conficker_section
+				if conficker_count() <= 0
+					return
+				end
+
+				conficker_count = Item.where(:plugin_id => Plugin.where(:plugin_name => "Conficker Worm Detection (uncredentialed check)").first.id).count
+				heading2 "Conficker Worm Infection"
+				@output.text "Conficker Worm infections were found on #{conficker_count} of #{Report.title}'s computer systems. Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The systems of interest are detailed in the detailed findings report with remediation steps."
+				@output.text "\n"
+			end
+
+			#
+			def malware_section
+				conficker_section
+			end
+
+			#
+			def malware_appendix_section
+				conficker_appendix_section
+			end
+		end
+	end
+end

data/lib/risu/base/post_process_base.rb

@@ -0,0 +1,210 @@
+# Copyright (c) 2010-2014 Arxopia LLC.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above copyright
+#       notice, this list of conditions and the following disclaimer in the
+#       documentation and/or other materials provided with the distribution.
+#     * Neither the name of the Arxopia LLC nor the names of its contributors
+#     	may be used to endorse or promote products derived from this software
+#     	without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL ARXOPIA LLC BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
+# OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+# OF THE POSSIBILITY OF SUCH DAMAGE.
+
+module Risu
+	module Base
+
+		#
+		class PostProcessBase
+			@possible_postprocesses = Array.new
+
+			class << self
+				attr_reader :possible_postprocesses
+			end
+
+			#
+			attr_accessor :info
+
+			#
+			def self.inherited(child)
+				possible_postprocesses << child
+			end
+
+			def == (other)
+
+				if self.info == nil || self.info[:plugin_id] == nil
+					false
+				elsif other == nil || other.info == nil || other.info[:plugin_id] == nil
+					false
+				else
+					self.info[:plugin_id] == other.info[:plugin_id]
+				end
+			end
+
+			def <=> (other)
+				if self.info[:plugin_id] < other.info[:plugin_id]
+					-1
+				elsif self.info[:plugin_id] > other.info[:plugin_id]
+					1
+				else
+					0
+				end
+			end
+
+			#
+			#def initialize
+			#	@info = {}
+			#end
+
+			#NOTE:
+			#looks like its working
+			def newest_reader_plugin
+				newest = DateTime.new(0001, 01, 01)
+				newest_plugin = nil
+
+				@info[:plugin_ids].each do |id|
+					plugin = Plugin.find_by_id(id)
+
+					if plugin == nil || plugin.plugin_modification_date == nil
+						next
+					end
+
+					if plugin.plugin_modification_date >= newest
+						newest = plugin.plugin_modification_date if plugin.plugin_modification_date != nil
+						newest_plugin = plugin
+					end
+				end
+
+				return newest_plugin
+			end
+
+			# Creates a rollup plugin based on the newest Adobe Reader
+			#
+			def create_plugin
+
+				plugin = Plugin.find_by_id(@info[:plugin_id])
+
+				newest_plugin = newest_reader_plugin()
+
+				if newest_plugin == nil
+					return
+				end
+
+				if plugin == nil
+					plugin = Plugin.new
+				end
+
+				plugin.id = @info[:plugin_id]
+				plugin.plugin_name = @info[:plugin_name]
+				plugin.family_name = "Risu Rollup Plugins"
+				plugin.description = newest_plugin.description || ""
+				plugin.plugin_version = newest_plugin.plugin_version || ""
+				plugin.plugin_publication_date = newest_plugin.plugin_publication_date
+				plugin.plugin_modification_date = newest_plugin.plugin_modification_date
+				plugin.vuln_publication_date = newest_plugin.vuln_publication_date
+				plugin.cvss_vector = newest_plugin.cvss_vector || ""
+				plugin.cvss_base_score = newest_plugin.cvss_base_score
+				plugin.cvss_temporal_score = newest_plugin.cvss_temporal_score
+				plugin.cvss_temporal_vector = newest_plugin.cvss_temporal_vector
+				plugin.risk_factor = newest_plugin.risk_factor
+				plugin.solution = newest_plugin.solution
+				plugin.synopsis = newest_plugin.synopsis
+				plugin.plugin_type = "Rollup"
+				plugin.rollup = true
+
+				plugin.save
+			end
+
+			#
+			def create_item(host_id, severity)
+				item = Item.new
+
+					item.host_id = host_id
+					item.plugin_id = @info[:plugin_id]
+					item.plugin_output = nil
+					item.port = 0
+					item.severity = severity
+					item.plugin_name = @info[:item_name]
+
+				item.save
+			end
+
+			#
+			def has_reader_findings
+				@info[:plugin_ids].each do |plugin_id|
+					if Item.where(:plugin_id => plugin_id)
+						return true
+					end
+				end
+
+				return false
+			end
+
+			def has_host_reader_findings (host_id)
+				@info[:plugin_ids].each do |plugin_id|
+					if Item.where(:plugin_id => plugin_id).where(:host_id => host_id).count >= 1
+						return true
+					end
+				end
+
+				return false
+			end
+
+			#
+			def calculate_severity current_severity, severity
+				if severity >= current_severity
+					return severity
+				else
+					return current_severity
+				end
+			end
+
+			#
+			def run
+				if !has_reader_findings()
+					return
+				end
+
+				#Create the dummy plugin
+				create_plugin()
+
+				Host.all.each do |host|
+					if !has_host_reader_findings(host.id)
+						next
+					end
+
+					#puts "Found host with reader finding #{host.ip}"
+
+					finding_severity = 0
+
+					@info[:plugin_ids].each do |plugin_id|
+						Item.where(:plugin_id => plugin_id).each do |item|
+							severity = item.severity
+							item.real_severity = severity
+							item.severity = -1
+							item.save
+
+							finding_severity = calculate_severity(finding_severity, severity)
+						end
+					end
+
+					create_item(host.id, finding_severity)
+				end
+			end
+		end
+	end
+end
+

data/lib/risu/base/post_process_manager.rb

@@ -0,0 +1,120 @@
+# Copyright (c) 2010-2014 Arxopia LLC.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above copyright
+#       notice, this list of conditions and the following disclaimer in the
+#       documentation and/or other materials provided with the distribution.
+#     * Neither the name of the Arxopia LLC nor the names of its contributors
+#     	may be used to endorse or promote products derived from this software
+#     	without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL ARXOPIA LLC BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
+# OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+# OF THE POSSIBILITY OF SUCH DAMAGE.
+
+module Risu
+	module Base
+
+		class PostProcessManager
+			attr_accessor :registered_postprocesses
+
+			# Creates new instance of TemplateManager
+			#
+			# @param path Path relative to the base_dir of risu
+			#
+			# @return New instance of the template manager with templates loaded.
+			def initialize (path)
+				@registered_postprocesses = Array.new
+				@postprocesses = Array.new
+
+				base_dir = __FILE__.gsub("risu/base/post_process_manager.rb", "")
+
+				load_postprocesses(base_dir + path)
+				load_postprocesses(Dir.pwd, false)
+				load_postprocesses(File.expand_path(USER_TEMPLATES_DIR)) if File.exists?(File.expand_path(USER_TEMPLATES_DIR)) && File.directory?(File.expand_path(USER_TEMPLATES_DIR))
+
+				sort
+			end
+
+			def sort
+				@postprocesses.each do |klass|
+					k = klass.new
+					@registered_postprocesses << k
+				end
+
+				@registered_postprocesses.sort! do |a,b|
+					a <=> b
+				end
+			end
+
+			# Loads templates from a specific path
+			#
+			# @param path Path to templates to load
+			def load_postprocesses(path, recursive=true)
+				begin
+
+					search_path = "#{path}/**/*.rb" if recursive == true
+					search_path = "#{path}/*.rb" if recursive == false
+
+					Dir[search_path].each do |x|
+						begin
+							require x
+						rescue => e
+							#puts e.inspect
+							#puts e.backtrace
+							next
+						end
+					end
+
+				  PostProcessBase.possible_postprocesses.each do |p|
+				    if validate(p) ==  true
+				      @postprocesses << p if @postprocesses.include?(p) == false
+				    end
+				  end
+				rescue => e
+					puts "[!] Invalid post processing path"
+					puts e.inspect
+  					puts e.backtrace
+				end
+			end
+
+			# Validates that a template is a valid template
+			#
+			# @todo look at refactoring this to valid?(template)
+			#
+			# @param template The template to validate
+			#
+			# @return [Boolean] If the template is valid
+			def validate(template)
+				t = template.new
+
+				return false if t == nil
+				return t.instance_variable_defined?("@info")
+			end
+
+			# Displays a list of all the templates to STDOUT
+			def display_postprocesses
+				puts "Available Post Processing"
+			  @registered_postprocesses.each do |p|
+			      if p.info[:plugin_id] != nil
+			      	puts "\t#{p.info[:description]} (#{p.info[:plugin_id]})\n"
+			      else
+			      	puts "\t#{p.info[:description]}"
+			      end
+			    end
+			end
+		end
+	end
+end