-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Updated the repository with a Security Policy, Audit, and Security Re…
…port. Corresponding change was made to the Software for vulnerability checking.
- Loading branch information
wravoc
committed
May 12, 2023
1 parent
d6ba9b6
commit b1265a7
Showing
5 changed files
with
390 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,189 @@ | ||
|
|
||
| <!DOCTYPE html> | ||
| <html> | ||
| <head> | ||
|
|
||
| <meta charset="UTF-8"> | ||
|
|
||
| <title> | ||
| Bandit Report | ||
| </title> | ||
|
|
||
| <style> | ||
|
|
||
| html * { | ||
| font-family: "Arial", sans-serif; | ||
| } | ||
|
|
||
| pre { | ||
| font-family: "Monaco", monospace; | ||
| } | ||
|
|
||
| .bordered-box { | ||
| border: 1px solid black; | ||
| padding-top:.5em; | ||
| padding-bottom:.5em; | ||
| padding-left:1em; | ||
| } | ||
|
|
||
| .metrics-box { | ||
| font-size: 1.1em; | ||
| line-height: 130%; | ||
| } | ||
|
|
||
| .metrics-title { | ||
| font-size: 1.5em; | ||
| font-weight: 500; | ||
| margin-bottom: .25em; | ||
| } | ||
|
|
||
| .issue-description { | ||
| font-size: 1.3em; | ||
| font-weight: 500; | ||
| } | ||
|
|
||
| .candidate-issues { | ||
| margin-left: 2em; | ||
| border-left: solid 1px; LightGray; | ||
| padding-left: 5%; | ||
| margin-top: .2em; | ||
| margin-bottom: .2em; | ||
| } | ||
|
|
||
| .issue-block { | ||
| border: 1px solid LightGray; | ||
| padding-left: .5em; | ||
| padding-top: .5em; | ||
| padding-bottom: .5em; | ||
| margin-bottom: .5em; | ||
| } | ||
|
|
||
| .issue-sev-high { | ||
| background-color: Pink; | ||
| } | ||
|
|
||
| .issue-sev-medium { | ||
| background-color: NavajoWhite; | ||
| } | ||
|
|
||
| .issue-sev-low { | ||
| background-color: LightCyan; | ||
| } | ||
|
|
||
| </style> | ||
| </head> | ||
|
|
||
| <body> | ||
|
|
||
| <div id="metrics"> | ||
| <div class="metrics-box bordered-box"> | ||
| <div class="metrics-title"> | ||
| Metrics:<br> | ||
| </div> | ||
| Total lines of code: <span id="loc">202</span><br> | ||
| Total lines skipped (#nosec): <span id="nosec">0</span> | ||
| </div> | ||
| </div> | ||
|
|
||
|
|
||
|
|
||
|
|
||
| <br> | ||
| <div id="results"> | ||
|
|
||
| <div id="issue-0"> | ||
| <div class="issue-block issue-sev-low"> | ||
| <b>blacklist: </b> Consider possible security implications associated with the subprocess module.<br> | ||
| <b>Test ID:</b> B404<br> | ||
| <b>Severity: </b>LOW<br> | ||
| <b>Confidence: </b>HIGH<br> | ||
| <b>CWE: </b><a href="https://cwe.mitre.org/data/definitions/78.html" target="_blank">CWE-78</a><br> | ||
| <b>File: </b><a href="authlog-threats.py" target="_blank">authlog-threats.py</a><br> | ||
| <b>Line number: </b>34<br> | ||
| <b>More info: </b><a href="https://bandit.readthedocs.io/en/1.7.5/blacklists/blacklist_imports.html#b404-import-subprocess" target="_blank">https://bandit.readthedocs.io/en/1.7.5/blacklists/blacklist_imports.html#b404-import-subprocess</a><br> | ||
|
|
||
| <div class="code"> | ||
| <pre> | ||
| 33 from datetime import datetime, date | ||
| 34 import os, re, time, sys, subprocess | ||
| 35 | ||
| </pre> | ||
| </div> | ||
|
|
||
|
|
||
| </div> | ||
| </div> | ||
|
|
||
| <div id="issue-1"> | ||
| <div class="issue-block issue-sev-medium"> | ||
| <b>hardcoded_bind_all_interfaces: </b> Possible binding to all interfaces.<br> | ||
| <b>Test ID:</b> B104<br> | ||
| <b>Severity: </b>MEDIUM<br> | ||
| <b>Confidence: </b>MEDIUM<br> | ||
| <b>CWE: </b><a href="https://cwe.mitre.org/data/definitions/605.html" target="_blank">CWE-605</a><br> | ||
| <b>File: </b><a href="authlog-threats.py" target="_blank">authlog-threats.py</a><br> | ||
| <b>Line number: </b>195<br> | ||
| <b>More info: </b><a href="https://bandit.readthedocs.io/en/1.7.5/plugins/b104_hardcoded_bind_all_interfaces.html" target="_blank">https://bandit.readthedocs.io/en/1.7.5/plugins/b104_hardcoded_bind_all_interfaces.html</a><br> | ||
|
|
||
| <div class="code"> | ||
| <pre> | ||
| 194 if logline is not None: | ||
| 195 if (logline.group(0) not in threat_content) and (logline.group(0) not in whitelist_content) and (logline.group(0) != "0.0.0.0"): | ||
| 196 if test_mode: | ||
| </pre> | ||
| </div> | ||
|
|
||
|
|
||
| </div> | ||
| </div> | ||
|
|
||
| <div id="issue-2"> | ||
| <div class="issue-block issue-sev-high"> | ||
| <b>subprocess_popen_with_shell_equals_true: </b> subprocess call with shell=True identified, security issue.<br> | ||
| <b>Test ID:</b> B602<br> | ||
| <b>Severity: </b>HIGH<br> | ||
| <b>Confidence: </b>HIGH<br> | ||
| <b>CWE: </b><a href="https://cwe.mitre.org/data/definitions/78.html" target="_blank">CWE-78</a><br> | ||
| <b>File: </b><a href="authlog-threats.py" target="_blank">authlog-threats.py</a><br> | ||
| <b>Line number: </b>238<br> | ||
| <b>More info: </b><a href="https://bandit.readthedocs.io/en/1.7.5/plugins/b602_subprocess_popen_with_shell_equals_true.html" target="_blank">https://bandit.readthedocs.io/en/1.7.5/plugins/b602_subprocess_popen_with_shell_equals_true.html</a><br> | ||
|
|
||
| <div class="code"> | ||
| <pre> | ||
| 237 if pf_mode: | ||
| 238 pf_reloaded = subprocess.run([pf_reload_rules_cmd], shell=True, timeout=1.7) | ||
| 239 except subprocess.CalledProcessError as e: | ||
| </pre> | ||
| </div> | ||
|
|
||
|
|
||
| </div> | ||
| </div> | ||
|
|
||
| <div id="issue-3"> | ||
| <div class="issue-block issue-sev-high"> | ||
| <b>subprocess_popen_with_shell_equals_true: </b> subprocess call with shell=True identified, security issue.<br> | ||
| <b>Test ID:</b> B602<br> | ||
| <b>Severity: </b>HIGH<br> | ||
| <b>Confidence: </b>HIGH<br> | ||
| <b>CWE: </b><a href="https://cwe.mitre.org/data/definitions/78.html" target="_blank">CWE-78</a><br> | ||
| <b>File: </b><a href="authlog-threats.py" target="_blank">authlog-threats.py</a><br> | ||
| <b>Line number: </b>268<br> | ||
| <b>More info: </b><a href="https://bandit.readthedocs.io/en/1.7.5/plugins/b602_subprocess_popen_with_shell_equals_true.html" target="_blank">https://bandit.readthedocs.io/en/1.7.5/plugins/b602_subprocess_popen_with_shell_equals_true.html</a><br> | ||
|
|
||
| <div class="code"> | ||
| <pre> | ||
| 267 print(f"\n*******************\033[38;5;75m pf reloaded \033[0;0m*********************") | ||
| 268 print(f"{subprocess.run([pf_stats_cmd], shell=True, timeout=1.7)}") | ||
| 269 print(f"*******************************************************\n") | ||
| </pre> | ||
| </div> | ||
|
|
||
|
|
||
| </div> | ||
| </div> | ||
|
|
||
| </div> | ||
|
|
||
| </body> | ||
| </html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,64 @@ | ||
| # Security Policy | ||
|
|
||
|
|
||
|
|
||
| ## Report a Vulnerability | ||
|
|
||
| 1. Open a Github Private Vulnerability Report for "Wravoc" using the "Security" Tab on the home page of the repository following [best practices](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/best-practices-for-writing-repository-security-advisories). Click **Report a vulnerability** to open the advisory form. | ||
| 2. If you believe this vulnerability is severe or wish to send files please email [[email protected]](mailto:[email protected]) expecting a reply within 48 hours. | ||
|
|
||
|
|
||
|
|
||
| ## How to report a vulnerability | ||
|
|
||
| Please include: | ||
|
|
||
| * Your Operating System details including: | ||
|
|
||
| * Who was file system owner of the Software | ||
| * What were the file system permissions on the Software | ||
| * What networking processes had access to that file | ||
| * What command was used to Execute the Software | ||
| * Where the Software was located when it was Executed | ||
|
|
||
| * Your Python Environment Details including: | ||
|
|
||
| * PDB output | ||
|
|
||
| * `python3 -m pdb authlog-threats.py` | ||
|
|
||
| * What modules were loaded at the time the Software was Executed | ||
|
|
||
| * ``` | ||
| import sys | ||
| import pprint | ||
| # pretty print loaded modules | ||
| pprint.pprint(sys.modules) | ||
| ``` | ||
| * Version | ||
| * Automations | ||
| * Including automatic Python repository, pip, or relevant software updating | ||
| * Other Python scripts that had access to the Software | ||
| * What customizations you used in the Software | ||
| * Thorough details of vulnerability exploit | ||
| * What process was used to prove the exploit | ||
| * What files were touched | ||
| * Relevant shell history during the process | ||
| * Relevant sections of logs detailing this outcome | ||
| * Screenshots of all the above | ||
| * The hash and file size of the Software | ||
| ## Confidentiality | ||
| Do not publically post information on how to utilize the vulnerability or details which others may find able to utilize the vulnerablity. |
Oops, something went wrong.