Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added snmp_security check plugin for various SNMP checks #403

Merged
merged 28 commits into from
Jan 25, 2022
Merged
Show file tree
Hide file tree
Changes from 17 commits
Commits
Show all changes
28 commits
Select commit Hold shift + click to select a range
b1ede11
Added snmp_security check plugin for various SNMP checks
Oct 11, 2018
6c43605
Extracted each test into their own files
Oct 11, 2018
68e589a
Updates for linter
Oct 11, 2018
8dd44c5
Fixed style errors and added authNoPriv as a failure
Oct 17, 2018
72aba32
removed trailing --
Oct 17, 2018
c5b5458
more lint changes
Oct 17, 2018
fed11f4
Merge branch 'master' into BANDIT-355-snmpSecPlugin
lukehinds Jan 10, 2019
9c2be03
Merge branch 'master' into BANDIT-355-snmpSecPlugin
ericwb Jan 12, 2020
8c569f4
Merge branch 'master' into BANDIT-355-snmpSecPlugin
ericwb Jan 21, 2020
ff06ffe
Merge branch 'master' into BANDIT-355-snmpSecPlugin
ericwb Dec 12, 2020
e286114
Update README.rst
ericwb Jan 25, 2022
8f2e079
Update snmp_security_check.py
ericwb Jan 25, 2022
ebf9e5a
Update bandit/plugins/snmp_security_check.py
ericwb Jan 25, 2022
1f5d833
Update bandit/plugins/snmp_security_check.py
ericwb Jan 25, 2022
489deee
Update bandit/plugins/snmp_security_check.py
ericwb Jan 25, 2022
371601f
Update examples/snmp.py
ericwb Jan 25, 2022
6eb2af9
Update doc/source/plugins/b508_snmp_insecure_version.rst
ericwb Jan 25, 2022
78c3464
Update doc/source/plugins/b508_snmp_weak_cryptography.rst
ericwb Jan 25, 2022
ae02ab3
Update doc/source/plugins/b508_snmp_weak_cryptography.rst
ericwb Jan 25, 2022
2ebf402
Update doc/source/plugins/b508_snmp_insecure_version.rst
ericwb Jan 25, 2022
b053aae
Update doc/source/plugins/b508_snmp_insecure_version.rst
ericwb Jan 25, 2022
28c6238
Update doc/source/plugins/b508_snmp_weak_cryptography.rst
ericwb Jan 25, 2022
178b344
Update doc/source/plugins/b508_snmp_insecure_version.rst
ericwb Jan 25, 2022
83b849b
Update doc/source/plugins/b508_snmp_insecure_version.rst
ericwb Jan 25, 2022
a05f455
Update b508_snmp_weak_cryptography.rst
ericwb Jan 25, 2022
6eca831
Update snmp_security_check.py
ericwb Jan 25, 2022
b530a43
Update snmp_security_check.py
ericwb Jan 25, 2022
5f2a6e9
Merge branch 'master' into BANDIT-355-snmpSecPlugin
ericwb Jan 25, 2022
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 0 additions & 3 deletions .coveragerc

This file was deleted.

68 changes: 68 additions & 0 deletions bandit/plugins/snmp_security_check.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,68 @@
#
# Copyright (c) 2018 SolarWinds, Inc.
#
# SPDX-License-Identifier: Apache-2.0
import bandit
from bandit.core import test_properties as test


@test.checks("Call")
@test.test_id('B508')
def snmp_insecure_version_check(context):
"""**B508: Checking for insecure SNMP versions**

This test is for checking for the usage of insecure SNMP version like
v1, v2c

Using the pysnmp documentation:
http://snmplabs.com/pysnmp/examples/hlapi/asyncore/sync/manager/cmdgen/snmp-versions.html

Please update your code to use more secure versions of SNMP.

.. versionadded:: 1.7.2
"""
Jed-Giblin marked this conversation as resolved.
Show resolved Hide resolved

if context.call_function_name_qual == 'CommunityData':
# We called community data. Lets check our args
if (context.check_call_arg_value("mpModel", 0) or
context.check_call_arg_value("mpModel", 1)):
return bandit.Issue(
severity=bandit.MEDIUM,
confidence=bandit.HIGH,
text="The use of SNMPv1 and SNMPv2 is insecure. "
"You should use SNMPv3 if able.",
lineno=context.get_lineno_for_call_arg("CommunityData"),
)


@test.checks("Call")
@test.test_id('B509')
def snmp_crypto_check(context):
"""**B509: Checking for weak cryptography**

This test is for checking for the usage of insecure SNMP cryptography:
v3 using noAuthNoPriv.

Using the pysnmp documentation:
http://snmplabs.com/pysnmp/examples/hlapi/asyncore/sync/manager/cmdgen/snmp-versions.html

Please update your code to use more secure versions of SNMP. For example:

Instead of:
`CommunityData('public', mpModel=0)`

Use (Defaults to usmHMACMD5AuthProtocol and usmDESPrivProtocol
`UsmUserData("securityName", "authName", "privName")`

.. versionadded:: 1.7.2
"""
Jed-Giblin marked this conversation as resolved.
Show resolved Hide resolved

if context.call_function_name_qual == 'UsmUserData':
if context.call_args_count < 3:
return bandit.Issue(
severity=bandit.MEDIUM,
confidence=bandit.HIGH,
text="You should not use SNMPv3 without encryption. "
"noAuthNoPriv & authNoPriv is insecure",
lineno=context.get_lineno_for_call_arg("UsmUserData"),
)
8 changes: 8 additions & 0 deletions doc/source/plugins/b508_snmp_insecure_version.rst
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
----------------------------
ericwb marked this conversation as resolved.
Show resolved Hide resolved
B508: snmp_weak_cryptography
ericwb marked this conversation as resolved.
Show resolved Hide resolved
----------------------------
ericwb marked this conversation as resolved.
Show resolved Hide resolved

.. currentmodule:: bandit.plugins.snmp_security_check

.. autofunction:: snmp_crypto_check
ericwb marked this conversation as resolved.
Show resolved Hide resolved
:noindex:
8 changes: 8 additions & 0 deletions doc/source/plugins/b508_snmp_weak_cryptography.rst
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
---------------------------
B508: snmp_insecure_version
ericwb marked this conversation as resolved.
Show resolved Hide resolved
---------------------------

.. automodule:: bandit.plugins.snmp_security_check
ericwb marked this conversation as resolved.
Show resolved Hide resolved

.. autofunction:: snmp_insecure_version_check
ericwb marked this conversation as resolved.
Show resolved Hide resolved
:noindex:
10 changes: 10 additions & 0 deletions examples/snmp.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
from pysnmp.hlapi import CommunityData, UsmUserData

# SHOULD FAIL
a = CommunityData('public', mpModel=0)
# SHOULD FAIL
insecure = UsmUserData("securityName")
# SHOULD FAIL
auth_no_priv = UsmUserData("securityName","authName")
# SHOULD PASS
less_insecure = UsmUserData("securityName","authName","privName")
4 changes: 4 additions & 0 deletions setup.cfg
Original file line number Diff line number Diff line change
Expand Up @@ -122,6 +122,10 @@ bandit.plugins =
# bandit/plugins/ssh_no_host_key_verification.py
ssh_no_host_key_verification = bandit.plugins.ssh_no_host_key_verification:ssh_no_host_key_verification

# bandit/plugins/snmp_security_check.py
snmp_insecure_version = bandit.plugins.snmp_security_check:snmp_insecure_version_check
snmp_weak_cryptography = bandit.plugins.snmp_security_check:snmp_crypto_check

[build_sphinx]
all_files = 1
build-dir = doc/build
Expand Down