
Added support for check parameters, ability to exclude checks, and the ability to dump the configuration of the scanner and each check loaded into a config file.

Added support for -c module.check:key=value parameter setting.
Added support for -e module.check to disable a check
Added support for --save path to write the configuration state of the
scanner to a file.
TODO: add support for --load!
1 parent 3e130b4 commit b514b2a1851d3ad0b821a09e9ae373447aee2554 Yvan Boily committed Sep 22, 2011
Showing with 205 additions and 79 deletions.
  1. +29 −0 config.txt
  2. +6 −7 corechecks.py
  3. +6 −5 djangochecks.py
  4. +31 −8 garmr.py
  5. +133 −59 scanner.py
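--- a/config.txt
+++ b/config.txt
@@ -0,0 +1,29 @@
+[Garmr]
+force-passives = False
+module = corechecks, djangochecks
+reporter = reporter.AntXmlReporter
+output = garmr-results.xml
+dns = True
+
+[corechecks.StsUpgradeCheck]
+enabled = True
+
+[djangochecks.AdminAvailable]
+enabled = True
+path = console
+
+[corechecks.RobotsTest]
+enabled = True
+
+[corechecks.StsHeaderPresent]
+enabled = True
+
+[corechecks.SecureAttributePresent]
+enabled = True
+
+[corechecks.HttpOnlyPresent]
+enabled = True
+
+[corechecks.XfoPresent]
+enabled = True
+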
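--- a/corechecks.py
+++ b/corechecks.py
@@ -49,7 +49,6 @@ def analyze(self, response):
 if sts == False:
 result = self.result("Fail", "STS header not found.", None)
 else:
-
 result = self.result("Pass", "STS header present.", response.headers[stsheader])
 return result
@@ -120,9 +119,9 @@ def do_test(self, url):
 def configure(scanner):
 if isinstance(scanner, Scanner) == False:
 raise Exception("Cannot configure a non-scanner object!")
- scanner.register_test(StsHeaderPresent())
- scanner.register_test(XfoPresent())
- scanner.register_test(RobotsTest())
- scanner.register_test(StsUpgradeCheck())
- scanner.register_test(HttpOnlyPresent())
- scanner.register_test(SecureAttributePresent())
+ scanner.register_check(StsHeaderPresent())
+ scanner.register_check(XfoPresent())
+ scanner.register_check(RobotsTest())
+ scanner.register_check(StsUpgradeCheck())
+ scanner.register_check(HttpOnlyPresent())
+ scanner.register_check(SecureAttributePresent())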
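--- a/djangochecks.py
+++ b/djangochecks.py
@@ -5,20 +5,21 @@
 class AdminAvailable(ActiveTest):
 run_passives = True
-
+ config = {"path" : "admin"}
+
 def do_test(self, url):
 u = urlparse(url)
- adminurl="%s://%s/admin" % (u.scheme, u.netloc)
+ adminurl="%s://%s/%s" % (u.scheme, u.netloc, self.config["path"])
 response = requests.get(adminurl)
 if response.status_code == 200:
- result = self.result("Pass", "Django admin page is present.", response.content)
+ result = self.result("Pass", "Django admin page is present at %s." % adminurl, response.content)
 else:
- result = self.result("Fail", "Default Django admin page is not present ", None)
+ result = self.result("Fail", "Default Django admin page is not present at %s" % adminurl, None)
 return (result, response);
 def configure(scanner):
 if isinstance(scanner, Scanner) == False:
 raise Exception("Cannot configure a non-scanner object!")
- scanner.register_test(AdminAvailable())
+ scanner.register_check(AdminAvailable())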
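Review bot: `self.config["path"]` is spliced into the URL on the `adminurl` line without any normalization, so a value supplied through `-c` with a leading slash, or containing characters that need percent-encoding, produces a malformed probe URL and a spurious "not present" result for the admin page; strip the slash and quote it, `adminurl = "%s://%s/%s" % (u.scheme, u.netloc, quote(self.config["path"].lstrip("/")))`, with `quote` imported from urllib (the import block is outside this hunk). Separately, `config = {"path" : "admin"}` is a class-level dict; if the scanner's `configure_check` (scanner.py is not shown in this page) assigns into `check.config`, the default is changed for every AdminAvailable instance, so setting it as an instance attribute in `__init__` would be safer. The `"Default Django admin page is not present at %s"` message also still says "Default" once the path has been overridden.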
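--- a/garmr.py
+++ b/garmr.py
@@ -8,12 +8,15 @@
 def main():
 parser = argparse.ArgumentParser(description='Check urls for compliance with Secure Coding Guidelines')
 parser.add_argument("-u", "--url", action="append", dest="targets", help="add a target to test")
- parser.add_argument("-m", "--module", action="append", dest="modules", help="load a test suite")
- parser.add_argument("-f", "--file", action="append", dest="target_files", help="File with urls to test")
+ parser.add_argument("-m", "--module", action="append", default = ["corechecks"], dest="modules", help="load a test suite")
+ parser.add_argument("-f", "--target-file", action="append", dest="target_files", help="File with urls to test")
 parser.add_argument("-p", "--force-passive", action="store_true", default=False, dest="force_passives", help ="Force passives to be run for each active test")
 parser.add_argument("-d", "--dns", action="store_false", default=True, dest="resolve_target", help ="Skip DNS resolution when registering a target.")
 parser.add_argument("-r", "--report", action="store", default="reporter.AntXmlReporter", dest="report",help="Load a reporter, format module.class, e.g. reporter.AntXmlReporter")
 parser.add_argument("-o", "--output", action="store", default="garmr-results.xml", dest="output", help="Default output is garmr-results.xml")
+ parser.add_argument("-c", "--check", action="append", dest="opts", help="Set a parameter for a check (check:opt=value)" )
+ parser.add_argument("-e", "--exclude", action="append", dest="exclusions", help="Prevent a check from being run/processed")
+ parser.add_argument("--save", action="store", dest="dump_path", help="Write out a configuration file based on parameters (won't run scan)")
 #todo add option to influence DNS resolution before scanning.
 args = parser.parse_args()
@@ -23,11 +26,12 @@ def main():
 scanner.resolve_target = args.resolve_target
 scanner.output = args.output
-
+ # Start building target list.
 if args.targets != None:
 for target in args.targets:
 scanner.register_target(target)
+ # Add targets from files to the list.
 if args.target_files != None:
 for targets in args.target_files:
 try:
@@ -39,18 +43,18 @@ def main():
 except:
 Scanner.logger.error("Unable to process the target list in: %s", targets)
- corechecks.configure(scanner)
-
+ # Configure modules.
 if args.modules != None:
 for module in args.modules:
 try:
 __import__(module)
 m = sys.modules[module]
 m.configure(scanner)
- except:
- Scanner.logger.fatal("Unable to load the requested module [%s]", module)
+ except Exception, e:
+ Scanner.logger.fatal("Unable to load the requested module [%s]: %s", module, e)
 quit()
-
+
+ # Set up the reporter (allow it to load from modules that are configured)
 try:
 reporter = args.report.split('.')
 if len(reporter) == 1:
@@ -63,6 +67,25 @@ def main():
 except Exception, e:
 Scanner.logger.fatal("Unable to use the reporter class [%s]: %s", args.report, e)
 quit()
+
+ # Disable excluded checks.
+ if args.exclusions != None:
+ for exclude in args.exclusions:
+ scanner.disable_check(exclude)
+
+ # Configure checks
+ if args.opts != None:
+ for opt in args.opts:
+ try:
+ check = opt.split(":")[0]
+ key, value = opt[len(check)+1:].split("=")
+ scanner.configure_check(check, key, value)
+ except Exception, e:
+ Scanner.logger.fatal("Invalid check option: %s (%s)", opt, e)
+
+ if args.dump_path != None:
+ scanner.save_configuration(args.dump_path)
+ return
 scanner.run_scan()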
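Review bot: In the `-c` parsing loop at the end of the section, a malformed option is logged with `Scanner.logger.fatal` but control falls through to `scanner.run_scan()`, whereas the module and reporter failures earlier in `main()` call `quit()` after their fatal log; the scan then runs with that check still at its default, so an unapplied `path=` override, for example, leaves a check probing the wrong URL and reporting a misleading result. Add `quit()` after that `fatal` call so a rejected option stops the run the same way. The parsing also truncates any value that itself contains `=`, because `opt[len(check)+1:].split("=")` unpacks into exactly two names; `check, _, kv = opt.partition(":")` followed by `key, value = kv.split("=", 1)` replaces the two slicing lines and keeps everything after the first `=` as the value. The `-c` help text reads `check:opt=value` while the commit message documents `module.check:key=value`; matching the help string to the dotted form would avoid a round trip for users. `main()` begins before this section and may continue past `scanner.run_scan()`.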
