Added support for check parameters, ability to exclude checks, and th…

…e ability to dump the configuration of the scanner and each check loaded into a config file. Added support for -c module.check:key=value parameter setting. Added support for -e module.check to disable a check Added support for --save path to write the configuration state of the scanner to a file. TODO: add support for --load!
AutomatedTester · Sep 22, 2011 · b514b2a · b514b2a
1 parent 3e130b4
commit b514b2a
Show file tree

Hide file tree

Showing 5 changed files with 205 additions and 79 deletions.
diff --git a/config.txt b/config.txt
@@ -0,0 +1,29 @@
+[Garmr]
+force-passives = False
+module = corechecks, djangochecks
+reporter = reporter.AntXmlReporter
+output = garmr-results.xml
+dns = True
+
+[corechecks.StsUpgradeCheck]
+enabled = True
+
+[djangochecks.AdminAvailable]
+enabled = True
+path = console
+
+[corechecks.RobotsTest]
+enabled = True
+
+[corechecks.StsHeaderPresent]
+enabled = True
+
+[corechecks.SecureAttributePresent]
+enabled = True
+
+[corechecks.HttpOnlyPresent]
+enabled = True
+
+[corechecks.XfoPresent]
+enabled = True
+
diff --git a/corechecks.py b/corechecks.py
@@ -49,7 +49,6 @@ def analyze(self, response):
         if sts == False:
             result = self.result("Fail", "STS header not found.", None)
         else:
-
             result = self.result("Pass", "STS header present.", response.headers[stsheader])
         return result
 
@@ -120,9 +119,9 @@ def do_test(self, url):
 def configure(scanner):
     if isinstance(scanner, Scanner) == False:
         raise Exception("Cannot configure a non-scanner object!")
-    scanner.register_test(StsHeaderPresent())
-    scanner.register_test(XfoPresent())
-    scanner.register_test(RobotsTest())
-    scanner.register_test(StsUpgradeCheck())
-    scanner.register_test(HttpOnlyPresent())
-    scanner.register_test(SecureAttributePresent())
+    scanner.register_check(StsHeaderPresent())
+    scanner.register_check(XfoPresent())
+    scanner.register_check(RobotsTest())
+    scanner.register_check(StsUpgradeCheck())
+    scanner.register_check(HttpOnlyPresent())
+    scanner.register_check(SecureAttributePresent())
diff --git a/djangochecks.py b/djangochecks.py
@@ -5,20 +5,21 @@
 
 class AdminAvailable(ActiveTest):
     run_passives = True
-
+    config = {"path" : "admin"}
+
     def do_test(self, url):
         u = urlparse(url)
-        adminurl="%s://%s/admin" % (u.scheme, u.netloc)
+        adminurl="%s://%s/%s" % (u.scheme, u.netloc, self.config["path"])
         response = requests.get(adminurl)
         if response.status_code == 200:
-            result = self.result("Pass", "Django admin page is present.", response.content)
+            result = self.result("Pass", "Django admin page is present at %s." % adminurl, response.content)
         else:
-            result = self.result("Fail", "Default Django admin page is not present ", None)
+            result = self.result("Fail", "Default Django admin page is not present at %s" % adminurl, None)
         return (result, response);
 
 
 def configure(scanner):
     if isinstance(scanner, Scanner) == False:
         raise Exception("Cannot configure a non-scanner object!")
-    scanner.register_test(AdminAvailable())
+    scanner.register_check(AdminAvailable())
 
diff --git a/garmr.py b/garmr.py
@@ -8,12 +8,15 @@
 def main():
     parser = argparse.ArgumentParser(description='Check urls for compliance with Secure Coding Guidelines')
     parser.add_argument("-u", "--url", action="append", dest="targets", help="add a target to test")
-    parser.add_argument("-m", "--module", action="append", dest="modules", help="load a test suite")
-    parser.add_argument("-f", "--file", action="append", dest="target_files", help="File with urls to test")
+    parser.add_argument("-m", "--module", action="append", default = ["corechecks"], dest="modules", help="load a test suite")
+    parser.add_argument("-f", "--target-file", action="append", dest="target_files", help="File with urls to test")
     parser.add_argument("-p", "--force-passive", action="store_true", default=False, dest="force_passives", help ="Force passives to be run for each active test")
     parser.add_argument("-d", "--dns", action="store_false", default=True, dest="resolve_target", help ="Skip DNS resolution when registering a target.")
     parser.add_argument("-r", "--report", action="store", default="reporter.AntXmlReporter", dest="report",help="Load a reporter, format module.class, e.g. reporter.AntXmlReporter")
     parser.add_argument("-o", "--output", action="store", default="garmr-results.xml", dest="output", help="Default output is garmr-results.xml")
+    parser.add_argument("-c", "--check", action="append", dest="opts", help="Set a parameter for a check (check:opt=value)" )
+    parser.add_argument("-e", "--exclude", action="append", dest="exclusions", help="Prevent a check from being run/processed")
+    parser.add_argument("--save", action="store", dest="dump_path", help="Write out a configuration file based on parameters (won't run scan)")
     #todo add option to influence DNS resolution before scanning.
 
     args = parser.parse_args()
@@ -23,11 +26,12 @@ def main():
     scanner.resolve_target = args.resolve_target
     scanner.output = args.output
 
-
+    # Start building target list.
     if args.targets != None:
         for target in args.targets:
             scanner.register_target(target)
 
+    # Add targets from files to the list.
     if args.target_files != None:
         for targets in args.target_files:
             try:
@@ -39,18 +43,18 @@ def main():
             except:
                 Scanner.logger.error("Unable to process the target list in: %s", targets)
 
-    corechecks.configure(scanner)
-
+    # Configure modules.
     if args.modules != None:
         for module in args.modules:
             try:
                 __import__(module)
                 m = sys.modules[module]
                 m.configure(scanner)
-            except:
-                Scanner.logger.fatal("Unable to load the requested module [%s]", module)
+            except Exception, e:
+                Scanner.logger.fatal("Unable to load the requested module [%s]: %s", module, e)
                 quit()
-
+
+    # Set up the reporter (allow it to load from modules that are configured)
     try:
         reporter = args.report.split('.')
         if len(reporter) == 1:
@@ -63,6 +67,25 @@ def main():
     except Exception, e:
         Scanner.logger.fatal("Unable to use the reporter class [%s]: %s", args.report, e)
         quit()
+
+    # Disable excluded checks.
+    if args.exclusions != None:
+        for exclude in args.exclusions:
+            scanner.disable_check(exclude)
+
+    # Configure checks
+    if args.opts != None:
+        for opt in args.opts:
+            try:
+                check = opt.split(":")[0]
+                key, value = opt[len(check)+1:].split("=")
+                scanner.configure_check(check, key, value)
+            except Exception, e:
+                Scanner.logger.fatal("Invalid check option: %s (%s)", opt, e)
+
+    if args.dump_path != None:
+        scanner.save_configuration(args.dump_path)
+        return
 
     scanner.run_scan()